Diffstat (limited to 'modules/user')
-rw-r--r-- | modules/user/controllers/admin_users.php | 6 | ||||
-rw-r--r-- | modules/user/controllers/login.php | 4 | ||||
-rw-r--r-- | modules/user/controllers/logout.php | 2 | ||||
-rw-r--r-- | modules/user/controllers/password.php | 4 | ||||
-rw-r--r-- | modules/user/helpers/user.php | 1 | ||||
-rw-r--r-- | modules/user/views/admin_users.html.php | 2 | ||||
-rw-r--r-- | modules/user/views/admin_users_group.html.php | 42 | ||||
-rw-r--r-- | modules/user/views/login.html.php | 2 |
8 files changed, 45 insertions, 18 deletions
diff --git a/modules/user/controllers/admin_users.php b/modules/user/controllers/admin_users.php
index ac17c577..fe8061aa 100644
--- a/modules/user/controllers/admin_users.php
+++ b/modules/user/controllers/admin_users.php
@@ -28,6 +28,7 @@ class Admin_Users_Controller extends Controller {
 public function add_user() {
 access::verify_csrf();
+
 $form = user::get_add_form_admin();
 $valid = $form->validate();
 $name = $form->add_user->inputs["name"]->value;
@@ -63,6 +64,7 @@ class Admin_Users_Controller extends Controller {
 public function delete_user($id) {
 access::verify_csrf();
+
 if ($id == user::active()->id || $id == user::guest()->id) {
 access::forbidden();
 }
@@ -97,6 +99,7 @@ class Admin_Users_Controller extends Controller {
 public function edit_user($id) {
 access::verify_csrf();
+
 $user = ORM::factory("user", $id);
 if (!$user->loaded) {
 kohana::show_404();
@@ -182,6 +185,7 @@ class Admin_Users_Controller extends Controller {
 public function add_group() {
 access::verify_csrf();
+
 $form = group::get_add_form_admin();
 $valid = $form->validate();
 if ($valid) {
@@ -210,6 +214,7 @@ class Admin_Users_Controller extends Controller {
 public function delete_group($id) {
 access::verify_csrf();
+
 $group = ORM::factory("group", $id);
 if (!$group->loaded) {
 kohana::show_404();
@@ -240,6 +245,7 @@ class Admin_Users_Controller extends Controller {
 public function edit_group($id) {
 access::verify_csrf();
+
 $group = ORM::factory("group", $id);
 if (!$group->loaded) {
 kohana::show_404();
diff --git a/modules/user/controllers/login.php b/modules/user/controllers/login.php
index 6ee2e69d..54a7905e 100644
--- a/modules/user/controllers/login.php
+++ b/modules/user/controllers/login.php
@@ -26,6 +26,8 @@ class Login_Controller extends Controller {
 }
 public function auth_ajax() {
+ access::verify_csrf();
+
 list ($valid, $form) = $this->_auth("login/auth_ajax");
 if ($valid) {
 print json_encode(
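Review bot: auth_ajax() does not visibly gate on the request method before handing the credentials to _auth(), so once the token check passes a GET request carrying the password in the query string would presumably still authenticate and leave it in server access logs and browser history; reset()/do_reset() in password.php in this same commit do test `request::method() == "post"`, and auth_html() in the next hunk has the same shape. Unless _auth() already rejects non-POST requests, add `if (request::method() != "post") { access::forbidden(); }` directly after the new `access::verify_csrf();` in both methods. _auth() is outside the hunk, so whether it performs that check cannot be confirmed here.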
@@ -42,6 +44,8 @@ class Login_Controller extends Controller {
 }
 public function auth_html() {
+ access::verify_csrf();
+
 list ($valid, $form) = $this->_auth("login/auth_html");
 if ($valid) {
 url::redirect("albums/1");
diff --git a/modules/user/controllers/logout.php b/modules/user/controllers/logout.php
index b43680d5..6ceb7192 100644
--- a/modules/user/controllers/logout.php
+++ b/modules/user/controllers/logout.php
@@ -19,6 +19,8 @@
 */
 class Logout_Controller extends Controller {
 public function index() {
+ access::verify_csrf();
+
 $user = user::active();
 user::logout();
 log::info("user", t("User %name logged out", array("name" => $user->name)),
diff --git a/modules/user/controllers/password.php b/modules/user/controllers/password.php
index c3e66634..3b0eac66 100644
--- a/modules/user/controllers/password.php
+++ b/modules/user/controllers/password.php
@@ -19,6 +19,8 @@
 */
 class Password_Controller extends Controller {
 public function reset() {
+ access::verify_csrf();
+
 if (request::method() == "post") {
 $this->_send_reset();
 } else {
@@ -27,6 +29,8 @@ class Password_Controller extends Controller {
 }
 public function do_reset() {
+ access::verify_csrf();
+
 if (request::method() == "post") {
 $this->_change_password();
 } else {
diff --git a/modules/user/helpers/user.php b/modules/user/helpers/user.php
index 5d70b8c9..9e9d4ca1 100644
--- a/modules/user/helpers/user.php
+++ b/modules/user/helpers/user.php
@@ -123,6 +123,7 @@ class user_Core {
 // upconvert into a user.
 if ($user === 2) {
 $user = model_cache::get("user", 2);
+ user::login($user);
 $session->set("user", $user);
 }
diff --git a/modules/user/views/admin_users.html.php b/modules/user/views/admin_users.html.php
index 859f3c8e..a99c9506 100644
--- a/modules/user/views/admin_users.html.php
+++ b/modules/user/views/admin_users.html.php
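Review bot: The new `access::verify_csrf();` in Logout_Controller::index() is satisfied by a token carried in the URL — the login.html.php hunk at the end of this diff builds the link as `logout?csrf=$csrf&continue=...` — and a token in a GET query string is exposed through the Referer header, browser history and proxy/server access logs, which undercuts the protection being added. Prefer a small POST form for logout (hidden `csrf` and `continue` fields and a submit button keeping the `gLogoutLink` id), provided access::verify_csrf() also reads the token from POST data, and reject other methods here with `if (request::method() != "post") { access::forbidden(); }`. If the link has to stay a GET, add a comment above the check recording that the token is deliberately sent in the URL so the exposure is a known trade-off rather than an accident. access::verify_csrf() is outside this diff, so where it reads the token from is inferred.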
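Review bot: In reset() the new `access::verify_csrf();` runs before the `request::method() == "post"` test, so the GET branch that only renders the form now also demands a valid token; do_reset() in the next hunk has the same structure, and if its form is reached from a plain link (presumably the emailed reset URL, which cannot carry a session token) that request is now rejected. Move the check inside the POST branch: `if (request::method() == "post") {` / `  access::verify_csrf();` / `  $this->_send_reset();` and the same around `$this->_change_password();` in do_reset(). What the else branches render is outside both hunks.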
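Review bot: The new `user::login($user);` runs the full login path for the guest account as a side effect of upconverting a session that still holds the integer id 2, and the hunk gives no reason for it; whatever user::login() does beyond storing the user (recording a login time, writing a log entry, touching the session) will now happen for every anonymous visitor with an old-style session. Add a comment stating the intent, e.g. `// Route the guest through user::login() as well so this session gets the same state a real login sets up (presumably the csrf token); plain $session->set() is not enough.` with the reason adjusted to what user::login() actually does. user::login() and the enclosing method's start are outside the hunk.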
@@ -118,7 +118,7 @@ <div class="gBlockContent"> <ul> <? foreach ($groups as $i => $group): ?> - <li id="group-<?= $group->id ?>" class="gGroup"> + <li id="group-<?= $group->id ?>" class="gGroup <?= ($group->special ? "gDefaultGroup" : "") ?>" /> <? $v = new View("admin_users_group.html"); $v->group = $group; ?> <?= $v ?> </li> diff --git a/modules/user/views/admin_users_group.html.php b/modules/user/views/admin_users_group.html.php index 820b3031..bfd79dba 100644 --- a/modules/user/views/admin_users_group.html.php +++ b/modules/user/views/admin_users_group.html.php 
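Review bot: The rewritten `<li ... />` self-closes the list item while the matching `</li>` three lines later is kept, so the markup is now inconsistent; HTML parsers ignore the stray slash on a non-void element, but served as XHTML it would close the element early and the nested group view would land outside it. Drop the slash: `<li id="group-<?= $group->id ?>" class="gGroup <?= ($group->special ? "gDefaultGroup" : "") ?>">`.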
@@ -1,28 +1,38 @@ <?php defined("SYSPATH") or die("No direct script access.") ?> -<strong><?= p::clean($group->name) ?></strong> -<? if (!$group->special): ?> -<a href="<?= url::site("admin/users/delete_group_form/$group->id") ?>" - title="<?= t("Delete %name", array("name" => p::clean($group->name))) ?>" - class="gDialogLink gButtonLink ui-state-default ui-corner-all"> - <span class="ui-icon ui-icon-trash"><?= t("delete") ?></span></a> -<? else: ?> -<a title="<?= t("This group cannot be deleted") ?>" - class="gDialogLink gButtonLink ui-state-disabled ui-corner-all ui-icon-left"> - <span class="ui-icon ui-icon-trash"><?= t("delete") ?></span></a> -<? endif ?> +<h4> + <?= p::clean($group->name) ?> + <? if (!$group->special): ?> + <a href="<?= url::site("admin/users/delete_group_form/$group->id") ?>" + title="<?= t("Delete the %name group", array("name" => p::clean($group->name))) ?>" + class="gDialogLink gButtonLink ui-state-default ui-corner-all"> + <span class="ui-icon ui-icon-trash"><?= t("delete") ?></span></a> + <? else: ?> + <a title="<?= t("This default group cannot be deleted") ?>" + class="gDialogLink gButtonLink ui-state-disabled ui-corner-all ui-icon-left"> + <span class="ui-icon ui-icon-trash"><?= t("delete") ?></span></a> + <? endif ?> +</h4> + +<? if ($group->users->count() > 0): ?> <ul> <? foreach ($group->users as $i => $user): ?> <li class="gUser"> <?= p::clean($user->name) ?> <? 
if (!$group->special): ?> <a href="javascript:remove_user(<?= $user->id ?>, <?= $group->id ?>)" - class="gButtonLink ui-state-default ui-corner-all ui-icon-left"> - <span class="ui-icon ui-icon-closethick"> - <?= t("Remove %user from %group", - array("user" => p::clean($user->name), "group" => p::clean($group->name))) ?> - </span> + class="gButtonLink ui-state-default ui-corner-all ui-icon-left" + title="<?= t("Remove %user from %group group", + array("user" => p::clean($user->name), "group" => p::clean($group->name))) ?>"> + <span class="ui-icon ui-icon-closethick"><?= t("remove") ?></span> </a> <? endif ?> </li> <? endforeach ?> </ul> +<? else: ?> +<div> + <p> + <?= t("Drag & drop users from the User Admin above into this group box to add group members.") ?> + </p> +</div> +<? endif ?> diff --git a/modules/user/views/login.html.php b/modules/user/views/login.html.php index cce2fb54..3889f06e 100644 --- a/modules/user/views/login.html.php +++ b/modules/user/views/login.html.php @@ -12,7 +12,7 @@ '" title="' . t("Edit Your Profile") . '" id="gUserProfileLink" class="gDialogLink">' . p::clean(empty($user->full_name) ? $user->name : $user->full_name) . '</a>')) ?></li> - <li><a href="<?= url::site("logout?continue=" . url::current(true)) ?>" + <li><a href="<?= url::site("logout?csrf=$csrf&continue=" . url::current(true)) ?>" id="gLogoutLink"><?= t("Logout") ?></a></li> <? endif; ?> </ul> |
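Review bot: The new empty-state message `t("Drag & drop users from the User Admin above into this group box to add group members.")` writes a bare `&` into element content, which browsers tolerate but which is not valid markup; unless t() HTML-escapes its output, use `&amp;` in the source string. The other new strings in this hunk pass user-controlled names through p::clean() before t(), which suggests t() does not escape on its own, so the fix belongs in the string itself. t() and p::clean() are outside this diff, so that inference should be confirmed before changing a translatable string.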