| -rw-r--r-- | controllers/user.php | 8 | ||||
| -rw-r--r-- | views/admin/index.php | 7 | ||||
| -rw-r--r-- | views/user/delete/index.php | 2 | ||||
| -rw-r--r-- | views/user/index.php | 22 |
4 files changed, 28 insertions, 11 deletions
diff --git a/controllers/user.php b/controllers/user.php
index ac906a0..bc3da70 100644
--- a/controllers/user.php
+++ b/controllers/user.php
@@ -65,8 +65,9 @@ function on_delete() {
 global $user_status;
 $user_status = "";
+ $user = null;
 try {
- Database\Cookie::fromDB($TOKEN);
+ $user = Database\Cookie::fromDB($TOKEN);
 } catch (Exception $e) {
 $user_status = 'Invalid token!';
@@ -82,6 +83,11 @@ function on_delete() {
 return;
 }
+ if ($user->UID !== $to_delete->UID && $user->Role !== 'Admin') {
+ $list_status = 'You have no permission to delete this user!';
+ return;
+ }
+
 $to_delete->delete();
 header('Location: /');
diff --git a/views/admin/index.php b/views/admin/index.php
index 69495d6..750a246 100644
--- a/views/admin/index.php
+++ b/views/admin/index.php
@@ -28,6 +28,13 @@
 <input type="submit" value="Modify">
 </form>
+ <h2>Delete</h2>
+
+ <form action="/user/delete" method="GET" class="font-115">
+ <input type="text" name="username" placeholder="Username">
+ <input type="submit" value="Delete">
+ </form>
+
 <?php else: ?>
 <h2>Permission denied, you're not an admin!</h2>
diff --git a/views/user/delete/index.php b/views/user/delete/index.php
index d1ce8b9..cdc61ac 100644
--- a/views/user/delete/index.php
+++ b/views/user/delete/index.php
@@ -8,7 +8,7 @@
 catch(Exception $e) {}
 ?>
-<?php if ($to_delete !== null && $user->UID === $to_delete->UID): ?>
+<?php if ($to_delete !== null && ($user->UID === $to_delete->UID || $user->Role === 'Admin')): ?>
 <h1>Are you sure you want to delete <?= $to_delete->Username ?>?</h1>
 <form action="#" method="POST" class="font-115 flex-col-centered max-width-20 center-margin">
diff --git a/views/user/index.php b/views/user/index.php
index 82c95c8..40995d2 100644
--- a/views/user/index.php
+++ b/views/user/index.php
@@ -1,7 +1,9 @@
 <?php
 $user = null;
+ $loggedin = null;
 try {
 $user = Database\User::fromDB($username);
+ $loggedin = Database\Cookie::fromDB($TOKEN);
 } catch(Exception $e) {}
 ?>
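Review bot: The denial message on the new permission check is assigned to `$list_status`, but this function's status variable is `$user_status` (it is declared `global $user_status` and set to `'Invalid token!'` in the hunk above), so the message lands in a local that nothing reads and the caller only sees a silent return; change the line to `$user_status = 'You have no permission to delete this user!';`. The check also dereferences `$user->UID` without a null test, and the lines between the two hunks are not visible here, so if the catch above does not return, `$user` is still null on this line — PHP 8 then emits a warning and the comparison happens to fail closed, but an explicit `if ($user === null) { $user_status = 'Invalid token!'; return; }` ahead of it makes that intent visible. on_delete continues outside the hunk.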
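Review bot: The new condition in views/user/delete/index.php reads `$user->UID` and `$user->Role` with no `$user !== null` guard, while the `catch(Exception $e) {}` two lines above swallows lookup failures; if `$user` is assigned inside that try (its start is outside the hunk) it can be null here, which on PHP 8 emits a warning before the expression evaluates false. Guard it as `<?php if ($to_delete !== null && $user !== null && ($user->UID === $to_delete->UID || $user->Role === 'Admin')): ?>`. This condition only decides whether the confirmation form is rendered; the copy of the same rule in controllers/user.php on_delete is what enforces it on the POST, so keep the two predicates identical or move them into one shared helper so they cannot drift apart.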
@@ -15,16 +17,18 @@
 <div class="user-blank-afterspace"></div>
 <section id="user-buttons" hidden>
- <form action="/list/new" method="GET">
- <input type="submit" value="Create a new list">
- </form>
- <form action="/user/settings" method="GET">
- <input type="submit" value="Account settings">
- </form>
- <?php if ($user->Role === 'Admin'): ?>
- <form action="/admin" method="GET">
- <input type="submit" value="Admin panel">
+ <?php if ($user !== null && $loggedin !== null && $user->UID === $loggedin->UID): ?>
+ <form action="/list/new" method="GET">
+ <input type="submit" value="Create a new list">
 </form>
+ <form action="/user/settings" method="GET">
+ <input type="submit" value="Account settings">
+ </form>
+ <?php if ($user->Role === 'Admin'): ?>
+ <form action="/admin" method="GET">
+ <input type="submit" value="Admin panel">
+ </form>
+ <?php endif; ?>
 <?php endif; ?>
 </section>
 <script type="text/javascript"> |
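Review bot: The added `<?php if ($user !== null && $loggedin !== null && $user->UID === $loggedin->UID): ?>` wrapper only controls whether the buttons are rendered; it is not access control for /list/new, /user/settings or /admin, and this hunk does not show those handlers checking the cookie themselves (the admin view's `Permission denied` branch suggests /admin does, the other two are not visible), so a comment on the wrapper such as `<?php // UI only: each target route must verify the session itself ?>` would keep a later reader from treating it as the enforcement point. The inner `$user->Role === 'Admin'` test is now safe only because the outer condition guarantees `$user` is non-null and is the logged-in user, which is worth stating in that same comment. The `hidden` attribute on `<section id="user-buttons">` and the script that presumably reveals it continue outside the hunk.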
