Add the ability to delete users to the /setup_uedit webpage.
Commit
1e5cdd35cd0f3b12ecd5112edec3a5d332336063b7d9fec53fdd87be1a1269b6
Parent
6d04bab418cac24…
1 file changed
+49
-5
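--- a/src/setupuser.c
+++ b/src/setupuser.c
@@ -256,12 +256,12 @@
 */
 void user_edit(void){
 const char *zId, *zLogin, *zInfo, *zCap, *zPw;
 const char *zGroup;
 const char *zOldLogin;
-int doWrite;
 int uid, i;
+char *zDeleteVerify = 0; /* Delete user verification text */
 int higherUser = 0; /* True if user being edited is SETUP and the */
 /* user doing the editing is ADMIN. Disallow editing */
 const char *inherit[128];
 int a[128];
 const char *oa[128];
@@ -285,17 +285,48 @@
 if( P("can") ){
 /* User pressed the cancel button */
 cgi_redirect(cgi_referer("setup_ulist"));
 return;
 }
+
+/* Check for requests to delete the user */
+if( P("delete") && cgi_csrf_safe(1) ){
+int n;
+if( P("verifydelete") ){
+/* Verified delete user request */
+db_multi_exec("DELETE FROM user WHERE uid=%d", uid);
+cgi_redirect(cgi_referer("setup_ulist"));
+return;
+}
+n = db_int(0, "SELECT count(*) FROM event"
+" WHERE user=%Q AND objid NOT IN private",
+P("login"));
+if( n==0 ){
+zDeleteVerify = mprintf("Check this box and press \"Delete User\" again");
+}else{
+zDeleteVerify = mprintf(
+"User \"%s\" has %d or more artifacts in the block-chain. "
+"Delete anyhow?",
+P("login")/*safe-for-%s*/, n);
+}
+}
 
 /* If we have all the necessary information, write the new or
 ** modified user record. After writing the user record, redirect
 ** to the page that displays a list of users.
 */
-doWrite = cgi_all("login","info","pw") && !higherUser && cgi_csrf_safe(1);
-if( doWrite ){
+if( !cgi_all("login","info","pw","apply") ){
+/* need all of the above properties to make a change. Since one or
+** more are missing, no-op */
+}else if( higherUser ){
+/* An Admin (a) user cannot edit a Superuser (s) */
+}else if( zDeleteVerify!=0 ){
+/* Need to verify a delete request */
+}else if( !cgi_csrf_safe(1) ){
+/* This might be a cross-site request forgery, so ignore it */
+}else{
+/* We have all the information we need to make the change to the user */
 char c;
 char zCap[70], zNm[4];
 zNm[0] = 'a';
 zNm[2] = 0;
 for(i=0, c='a'; c<='z'; c++){
@@ -575,11 +606,11 @@
 @ Enable Debug%s(B('D'))</label>
 @ </ul></div>
 @ </td>
 @ </tr>
 @ <tr>
-@ <td class="usetupEditLabel">Selected Cap.:</td>
+@ <td class="usetupEditLabel">Selected Cap:</td>
 @ <td>
 @ <span id="usetupEditCapability">(missing JS?)</span>
 @ <a href="%R/setup_ucap_list">(key)</a>
 @ </td>
 @ </tr>
@@ -605,13 +636,26 @@
 @ <input type="radio" name="all" value="1">
 @ Apply changes to all repositories in the "<b>%h(zGroup)</b>"
 @ login group.</td></tr>
 }
 if( !higherUser ){
+if( zDeleteVerify ){
+@ <tr>
+@ <td valign="top" align="right">Verify:</td>
+@ <td><label><input type="checkbox" name="verifydelete">\
+@ Confirm Delete \
+@ <span class="loginError">← %h(zDeleteVerify)</span>
+@ </label></td>
+@ <tr>
+}
 @ <tr>
 @ <td> </td>
-@ <td><input type="submit" name="submit" value="Apply Changes" /></td>
+@ <td><input type="submit" name="apply" value="Apply Changes">
+if( !login_is_special(zLogin) ){
+@ <input type="submit" name="delete" value="Delete User">
+}
+@ <input type="submit" name="can" value="Cancel"></td>
 @ </tr>
 }
 @ </table>
 @ </div></form>
 @ </div>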
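Review bot: The delete handler added at new-side line 292 is gated only by `P("delete") && cgi_csrf_safe(1)`, so it skips the `higherUser` check that the Apply path enforces at line 320 and the `login_is_special(zLogin)` check that merely hides the Delete button at line 653; a crafted POST with `delete` and `verifydelete` set could therefore delete a Setup user as Admin, or a special user, because the UI-side omission of the button is not enforced server-side. Assuming `higherUser` and `zLogin` are already assigned before this point (their initialization lies outside the hunk), the guard should read `if( P("delete") && cgi_csrf_safe(1) && !higherUser && !login_is_special(zLogin) ){`, and the same condition should gate the rendering at line 641. Separately, the verification row in the last hunk opens a second `<tr>` at line 648 where it should close the row: `@ </tr>`. The `zDeleteVerify` string from mprintf() is never freed on the verify path, which is probably acceptable for a short-lived CGI handler but worth a `fossil_free(zDeleteVerify)` if the file frees its other mprintf() results. The body of user_edit() continues outside the hunks.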
| --- src/setupuser.c | |
| +++ src/setupuser.c | |
| @@ -256,12 +256,12 @@ | |
| 256 | */ |
| 257 | void user_edit(void){ |
| 258 | const char *zId, *zLogin, *zInfo, *zCap, *zPw; |
| 259 | const char *zGroup; |
| 260 | const char *zOldLogin; |
| 261 | int doWrite; |
| 262 | int uid, i; |
| 263 | int higherUser = 0; /* True if user being edited is SETUP and the */ |
| 264 | /* user doing the editing is ADMIN. Disallow editing */ |
| 265 | const char *inherit[128]; |
| 266 | int a[128]; |
| 267 | const char *oa[128]; |
| @@ -285,17 +285,48 @@ | |
| 285 | if( P("can") ){ |
| 286 | /* User pressed the cancel button */ |
| 287 | cgi_redirect(cgi_referer("setup_ulist")); |
| 288 | return; |
| 289 | } |
| 290 | |
| 291 | /* If we have all the necessary information, write the new or |
| 292 | ** modified user record. After writing the user record, redirect |
| 293 | ** to the page that displays a list of users. |
| 294 | */ |
| 295 | doWrite = cgi_all("login","info","pw") && !higherUser && cgi_csrf_safe(1); |
| 296 | if( doWrite ){ |
| 297 | char c; |
| 298 | char zCap[70], zNm[4]; |
| 299 | zNm[0] = 'a'; |
| 300 | zNm[2] = 0; |
| 301 | for(i=0, c='a'; c<='z'; c++){ |
| @@ -575,11 +606,11 @@ | |
| 575 | @ Enable Debug%s(B('D'))</label> |
| 576 | @ </ul></div> |
| 577 | @ </td> |
| 578 | @ </tr> |
| 579 | @ <tr> |
| 580 | @ <td class="usetupEditLabel">Selected Cap.:</td> |
| 581 | @ <td> |
| 582 | @ <span id="usetupEditCapability">(missing JS?)</span> |
| 583 | @ <a href="%R/setup_ucap_list">(key)</a> |
| 584 | @ </td> |
| 585 | @ </tr> |
| @@ -605,13 +636,26 @@ | |
| 605 | @ <input type="radio" name="all" value="1"> |
| 606 | @ Apply changes to all repositories in the "<b>%h(zGroup)</b>" |
| 607 | @ login group.</td></tr> |
| 608 | } |
| 609 | if( !higherUser ){ |
| 610 | @ <tr> |
| 611 | @ <td> </td> |
| 612 | @ <td><input type="submit" name="submit" value="Apply Changes" /></td> |
| 613 | @ </tr> |
| 614 | } |
| 615 | @ </table> |
| 616 | @ </div></form> |
| 617 | @ </div> |
| 618 |
| --- src/setupuser.c | |
| +++ src/setupuser.c | |
| @@ -256,12 +256,12 @@ | |
| 256 | */ |
| 257 | void user_edit(void){ |
| 258 | const char *zId, *zLogin, *zInfo, *zCap, *zPw; |
| 259 | const char *zGroup; |
| 260 | const char *zOldLogin; |
| 261 | int uid, i; |
| 262 | char *zDeleteVerify = 0; /* Delete user verification text */ |
| 263 | int higherUser = 0; /* True if user being edited is SETUP and the */ |
| 264 | /* user doing the editing is ADMIN. Disallow editing */ |
| 265 | const char *inherit[128]; |
| 266 | int a[128]; |
| 267 | const char *oa[128]; |
| @@ -285,17 +285,48 @@ | |
| 285 | if( P("can") ){ |
| 286 | /* User pressed the cancel button */ |
| 287 | cgi_redirect(cgi_referer("setup_ulist")); |
| 288 | return; |
| 289 | } |
| 290 | |
| 291 | /* Check for requests to delete the user */ |
| 292 | if( P("delete") && cgi_csrf_safe(1) ){ |
| 293 | int n; |
| 294 | if( P("verifydelete") ){ |
| 295 | /* Verified delete user request */ |
| 296 | db_multi_exec("DELETE FROM user WHERE uid=%d", uid); |
| 297 | cgi_redirect(cgi_referer("setup_ulist")); |
| 298 | return; |
| 299 | } |
| 300 | n = db_int(0, "SELECT count(*) FROM event" |
| 301 | " WHERE user=%Q AND objid NOT IN private", |
| 302 | P("login")); |
| 303 | if( n==0 ){ |
| 304 | zDeleteVerify = mprintf("Check this box and press \"Delete User\" again"); |
| 305 | }else{ |
| 306 | zDeleteVerify = mprintf( |
| 307 | "User \"%s\" has %d or more artifacts in the block-chain. " |
| 308 | "Delete anyhow?", |
| 309 | P("login")/*safe-for-%s*/, n); |
| 310 | } |
| 311 | } |
| 312 | |
| 313 | /* If we have all the necessary information, write the new or |
| 314 | ** modified user record. After writing the user record, redirect |
| 315 | ** to the page that displays a list of users. |
| 316 | */ |
| 317 | if( !cgi_all("login","info","pw","apply") ){ |
| 318 | /* need all of the above properties to make a change. Since one or |
| 319 | ** more are missing, no-op */ |
| 320 | }else if( higherUser ){ |
| 321 | /* An Admin (a) user cannot edit a Superuser (s) */ |
| 322 | }else if( zDeleteVerify!=0 ){ |
| 323 | /* Need to verify a delete request */ |
| 324 | }else if( !cgi_csrf_safe(1) ){ |
| 325 | /* This might be a cross-site request forgery, so ignore it */ |
| 326 | }else{ |
| 327 | /* We have all the information we need to make the change to the user */ |
| 328 | char c; |
| 329 | char zCap[70], zNm[4]; |
| 330 | zNm[0] = 'a'; |
| 331 | zNm[2] = 0; |
| 332 | for(i=0, c='a'; c<='z'; c++){ |
| @@ -575,11 +606,11 @@ | |
| 606 | @ Enable Debug%s(B('D'))</label> |
| 607 | @ </ul></div> |
| 608 | @ </td> |
| 609 | @ </tr> |
| 610 | @ <tr> |
| 611 | @ <td class="usetupEditLabel">Selected Cap:</td> |
| 612 | @ <td> |
| 613 | @ <span id="usetupEditCapability">(missing JS?)</span> |
| 614 | @ <a href="%R/setup_ucap_list">(key)</a> |
| 615 | @ </td> |
| 616 | @ </tr> |
| @@ -605,13 +636,26 @@ | |
| 636 | @ <input type="radio" name="all" value="1"> |
| 637 | @ Apply changes to all repositories in the "<b>%h(zGroup)</b>" |
| 638 | @ login group.</td></tr> |
| 639 | } |
| 640 | if( !higherUser ){ |
| 641 | if( zDeleteVerify ){ |
| 642 | @ <tr> |
| 643 | @ <td valign="top" align="right">Verify:</td> |
| 644 | @ <td><label><input type="checkbox" name="verifydelete">\ |
| 645 | @ Confirm Delete \ |
| 646 | @ <span class="loginError">← %h(zDeleteVerify)</span> |
| 647 | @ </label></td> |
| 648 | @ <tr> |
| 649 | } |
| 650 | @ <tr> |
| 651 | @ <td> </td> |
| 652 | @ <td><input type="submit" name="apply" value="Apply Changes"> |
| 653 | if( !login_is_special(zLogin) ){ |
| 654 | @ <input type="submit" name="delete" value="Delete User"> |
| 655 | } |
| 656 | @ <input type="submit" name="can" value="Cancel"></td> |
| 657 | @ </tr> |
| 658 | } |
| 659 | @ </table> |
| 660 | @ </div></form> |
| 661 | @ </div> |
| 662 |