From 9de2fc0ad14aa32ed9e36940f1137b382d04bc4e Mon Sep 17 00:00:00 2001 From: Meteo Date: Sat, 13 Jun 2026 15:16:43 +0200 Subject: [PATCH] Users are not able to change their own name. --- pub/api/classes/API_users.php | 24 ++++++--- pub/api/v1/portal-management/users/index.php | 53 +++++++++++++------- pub/bin/pages/pageUserProfile_edit.php | 4 +- 3 files changed, 56 insertions(+), 25 deletions(-) diff --git a/pub/api/classes/API_users.php b/pub/api/classes/API_users.php index 52eafce..22cbcae 100644 --- a/pub/api/classes/API_users.php +++ b/pub/api/classes/API_users.php @@ -108,15 +108,27 @@ The Sentri gnomes'; $_GET['builder'] = [1 => ['where' => [0 => 'user_uuid', 1 => $this->data['user_uuid']]]]; $this->getUser(); - if ($this->getUserGroupWeight() < $_SESSION['user']['user_group_weight']) { - $this->apiOutput(400, ['error' => 'You cannot edit a user with an lower weight then yourself!']); + if (!isset($this->postedData['user_profile_change']) && $this->getUserGroupWeight() < $_SESSION['user']['user_group_weight']) { + $this->apiOutput(400, ['error' => 'You cannot edit a user with a lower weight than yourself!']); } - $query = "UPDATE system_users SET user_group_uuid = ?, user_email = ?, user_first_name = ?, user_last_name = ?, user_full_name = ?, user_phone_number = ?, user_status = ?, user_pref_language = ?, user_modified_timestamp = ?, user_stompable = ? WHERE user_uuid = ?"; - $stmt = $this->prepareStatement($query); - $stmt->bind_param('ssssssssiis', $this->data['user_group_uuid'], $this->data['user_email'], $this->data['user_first_name'], $this->data['user_last_name'], $this->data['user_full_name'], $this->data['user_phone_number'], $this->data['user_status'], $this->data['user_pref_language'], time(), $this->data['user_stompable'], $this->data['user_uuid']); + $data = $this->data; - $this->executeStatement($stmt); + $userUuid = $data['user_uuid']; + unset($data['user_uuid']); + + # always set timestamp + $data['user_modified_timestamp'] = time(); + + $set = []; + foreach ($data as $key => $value) { + $set[] = "$key = :$key"; + } + + $sql = sprintf("UPDATE system_users SET %s WHERE user_uuid = :user_uuid", implode(', ', $set)); + $stmt = $GLOBALS['pdo']->prepare($sql); + $data['user_uuid'] = $userUuid; + $stmt->execute($data); $this->apiOutput(200, ['success' => 'User successfully updated.']); } diff --git a/pub/api/v1/portal-management/users/index.php b/pub/api/v1/portal-management/users/index.php index 50dcdfb..5c9e324 100644 --- a/pub/api/v1/portal-management/users/index.php +++ b/pub/api/v1/portal-management/users/index.php @@ -48,29 +48,47 @@ if ($API_users->request_method === 'GET') { $API_users->createUser(); } elseif ($API_users->request_method === 'PUT') { - # Edit a user - $API_users->checkPermissions('admin-access-admins', 'RW'); + if (isset($API_users->postedData['user_profile_change'])) { # If the user is changing their own profile + $API_users->postedData['user_uuid'] = $_SESSION['user']['user_uuid']; # Make sure the user being changed is always its own user_uuid - $requiredFields = [ - 'user_uuid' => ['type' => 'uuid'], - 'user_group_uuid' => ['type' => 'uuid'], - 'user_email' => ['type' => 'email'], - 'user_first_name' => ['type' => 'string'], - 'user_last_name' => ['type' => 'string'], - 'user_full_name' => ['type' => 'string'], - 'user_status' => ['type' => 'enum', 'values' => ['active', 'inactive', 'banned', 'pending']], - 'user_pref_language' => ['type' => 'enum', 'values' => ['en', 'nl']], - ]; + $requiredFields = [ + 'user_uuid' => ['type' => 'uuid'], + 'user_email' => ['type' => 'email'], + 'user_first_name' => ['type' => 'string'], + 'user_last_name' => ['type' => 'string'], + 'user_full_name' => ['type' => 'string'], + 'user_pref_language' => ['type' => 'enum', 'values' => ['en', 'nl']], + ]; - $optionalFields = [ - 'user_phone_number' => ['type' => 'string'], - 'user_stompable' => ['type' => 'boolean'] - ]; + $optionalFields = [ + 'user_phone_number' => ['type' => 'string'] + ]; + + } else { + $API_users->checkPermissions('admin-access-admins', 'RW'); + + $requiredFields = [ + 'user_uuid' => ['type' => 'uuid'], + 'user_group_uuid' => ['type' => 'uuid'], + 'user_email' => ['type' => 'email'], + 'user_first_name' => ['type' => 'string'], + 'user_last_name' => ['type' => 'string'], + 'user_full_name' => ['type' => 'string'], + 'user_status' => ['type' => 'enum', 'values' => ['active', 'inactive', 'banned', 'pending']], + 'user_pref_language' => ['type' => 'enum', 'values' => ['en', 'nl']], + ]; + + $optionalFields = [ + 'user_phone_number' => ['type' => 'string'], + 'user_stompable' => ['type' => 'boolean'] + ]; + + $API_users->postedData['user_stompable'] = (bool)$API_users->postedData['user_stompable']; + } $API_users->postedData['user_full_name'] = trim($API_users->postedData['user_first_name'] . ' ' . $API_users->postedData['user_last_name']); $API_users->postedData['user_pref_language'] = $API_users->postedData['user_pref_language'] ?? 'en'; - $API_users->postedData['user_stompable'] = (bool)$API_users->postedData['user_stompable']; $API_users->validateData($requiredFields, $optionalFields); @@ -78,7 +96,6 @@ if ($API_users->request_method === 'GET') { } elseif ($API_users->request_method === 'DELETE') { - $API_users->return_url = false; $API_users->checkPermissions('admin-access-admins', 'RW'); diff --git a/pub/bin/pages/pageUserProfile_edit.php b/pub/bin/pages/pageUserProfile_edit.php index 18ad1d2..29cc6ac 100644 --- a/pub/bin/pages/pageUserProfile_edit.php +++ b/pub/bin/pages/pageUserProfile_edit.php @@ -51,8 +51,10 @@ $pageNavbar->outPutNavbar(); if ($user_data) { $formBuilder->startForm(); ?> -
+ + +