diff --git a/modules/users/action_mysql.php b/modules/users/action_mysql.php index 942ad958da..8c8843d2a2 100755 --- a/modules/users/action_mysql.php +++ b/modules/users/action_mysql.php @@ -216,6 +216,7 @@ checknum varchar(50) NOT NULL DEFAULT '', users_info text, openid_info text, + idsite(8) unsigned NOT NULL DEFAULT '0', PRIMARY KEY (userid), UNIQUE KEY login (username), UNIQUE KEY md5username (md5username), diff --git a/modules/users/admin/config.php b/modules/users/admin/config.php index 23941754bf..3ad8edf2a0 100755 --- a/modules/users/admin/config.php +++ b/modules/users/admin/config.php @@ -35,14 +35,17 @@ function valid_name_config($array_name) $array_config = []; $oauth_config = $nv_Request->get_title('oauth_config', 'post,get'); +$checkss = md5(NV_CHECK_SESSION . '_' . $module_name . '_' . $op . '_' . $oauth_config); if (preg_match('/^([a-z0-9\-\_]+)$/', $oauth_config, $m) and file_exists(NV_ROOTDIR . '/modules/users/admin/config_' . $oauth_config . '.php')) { $page_title = sprintf($lang_module['oauth_config'], $oauth_config); require NV_ROOTDIR . '/modules/users/admin/config_' . $oauth_config . '.php'; } else { if ($nv_Request->isset_request('submit', 'post')) { + if ($checkss != $nv_Request->get_string('checkss', 'post')) { + nv_redirect_location(NV_BASE_ADMINURL . 'index.php?' . NV_LANG_VARIABLE . '=' . NV_LANG_DATA . '&' . NV_NAME_VARIABLE . '=' . $module_name . '&' . NV_OP_VARIABLE . '=' . $op . '&rand=' . nv_genpass()); + } $array_config['is_user_forum'] = $nv_Request->get_int('is_user_forum', 'post', 0); - $array_config['dir_forum'] = $nv_Request->get_string('dir_forum', 'post', 0); if (!$array_config['is_user_forum'] or !is_dir(NV_ROOTDIR . '/' . $array_config['dir_forum'] . '/nukeviet')) { $array_config['dir_forum'] = ''; 
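Review bot: The added column definition `idsite(8) unsigned NOT NULL DEFAULT '0',` has no data type between the column name and the display width, so the generated CREATE TABLE will not parse on a fresh install; it most likely wants an integer type spelled out, e.g. `idsite int(8) unsigned NOT NULL DEFAULT '0',`, matching whatever the other site-scoped tables in this module use. Changing the install script only affects new installations; del.php and setactive.php in this same diff already `SELECT ... idsite FROM` this table, so existing sites presumably got the column by another path, but if they did not, the upgrade step is not in this diff.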
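Review bot: The line `$array_config['dir_forum'] = $nv_Request->get_string('dir_forum', 'post', 0);` is removed with no replacement, yet the very next context line still reads `$array_config['dir_forum']` inside the `is_dir()` test and then clears it; unless the value is assigned again further down outside this hunk, the forum directory can no longer be saved from this form and the read raises an undefined-index notice. If the removal was unintended, restore that line right after the new token check. Separately, the new check `if ($checkss != $nv_Request->get_string('checkss', 'post'))` uses PHP's loose comparison, which applies numeric-string coercion to hex digests; `if (!hash_equals($checkss, $nv_Request->get_string('checkss', 'post')))` is the idiomatic form for comparing a token and is also constant-time. The same loose `==`/`!=` token comparison appears in the new code of config_facebook.php, config_google.php, config_single-sign-on.php, del.php, edit.php, groups.php, setactive.php, siteterms.php, user_add.php, user_waiting.php and user_waiting_remail.php in this commit.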
@@ -235,6 +238,7 @@ function valid_name_config($array_name) 'index.html', '.htaccess' ); + $array_config['checkss'] = $checkss; $xtpl = new XTemplate('config.tpl', NV_ROOTDIR . '/themes/' . $global_config['module_theme'] . '/modules/' . $module_file); $xtpl->assign('FORM_ACTION', NV_BASE_ADMINURL . 'index.php?' . NV_LANG_VARIABLE . '=' . NV_LANG_DATA . '&' . NV_NAME_VARIABLE . '=' . $module_name . '&' . NV_OP_VARIABLE . '=' . $op); diff --git a/modules/users/admin/config_facebook.php b/modules/users/admin/config_facebook.php index 73deda2cf5..f15a3bdfd0 100644 --- a/modules/users/admin/config_facebook.php +++ b/modules/users/admin/config_facebook.php 
@@ -15,23 +15,25 @@ if ($nv_Request->isset_request('submit', 'post')) { $array_config['oauth_client_id'] = ( string )$nv_Request->get_title('oauth_client_id', 'post', ''); $array_config['oauth_client_secret'] = $nv_Request->get_title('oauth_client_secret', 'post', ''); + if ($checkss == $nv_Request->get_string('checkss', 'post')) { + $sth = $db->prepare("UPDATE " . NV_CONFIG_GLOBALTABLE . " SET config_value = :config_value WHERE lang = 'sys' AND module = 'site' AND config_name = :config_name"); - $sth = $db->prepare("UPDATE " . NV_CONFIG_GLOBALTABLE . " SET config_value = :config_value WHERE lang = 'sys' AND module = 'site' AND config_name = :config_name"); + $sth->bindValue(':config_name', 'facebook_client_id', PDO::PARAM_STR); + $sth->bindParam(':config_value', $array_config['oauth_client_id'], PDO::PARAM_STR); + $sth->execute(); - $sth->bindValue(':config_name', 'facebook_client_id', PDO::PARAM_STR); - $sth->bindParam(':config_value', $array_config['oauth_client_id'], PDO::PARAM_STR); - $sth->execute(); + $sth->bindValue(':config_name', 'facebook_client_secret', PDO::PARAM_STR); + $sth->bindParam(':config_value', $array_config['oauth_client_secret'], PDO::PARAM_STR); + $sth->execute(); - $sth->bindValue(':config_name', 'facebook_client_secret', PDO::PARAM_STR); - $sth->bindParam(':config_value', $array_config['oauth_client_secret'], PDO::PARAM_STR); - $sth->execute(); - - nv_insert_logs(NV_LANG_DATA, $module_name, $lang_module['config'], $page_title, $admin_info['userid']); - $nv_Cache->delAll(); + nv_insert_logs(NV_LANG_DATA, $module_name, $lang_module['config'], $page_title, $admin_info['userid']); + $nv_Cache->delAll(); + } nv_redirect_location(NV_BASE_ADMINURL . 'index.php?' . NV_LANG_VARIABLE . '=' . NV_LANG_DATA . '&' . NV_NAME_VARIABLE . '=' . $module_name . '&' . NV_OP_VARIABLE . '=' . $op . '&oauth_config=' . $oauth_config . '&rand=' . 
nv_genpass()); } else { $array_config['oauth_client_id'] = $global_config['facebook_client_id']; $array_config['oauth_client_secret'] = $global_config['facebook_client_secret']; + $array_config['checkss'] = $checkss; $xtpl = new XTemplate('config_oauth.tpl', NV_ROOTDIR . '/themes/' . $global_config['module_theme'] . '/modules/' . $module_file); $xtpl->assign('FORM_ACTION', NV_BASE_ADMINURL . 'index.php?' . NV_LANG_VARIABLE . '=' . NV_LANG_DATA . '&' . NV_NAME_VARIABLE . '=' . $module_name . '&' . NV_OP_VARIABLE . '=' . $op . '&oauth_config=' . $oauth_config); diff --git a/modules/users/admin/config_google.php b/modules/users/admin/config_google.php index 74771156bf..8ef1ae9104 100644 --- a/modules/users/admin/config_google.php +++ b/modules/users/admin/config_google.php 
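Review bot: When the posted `checkss` does not match, the new `if` skips the UPDATE statements and the code still reaches the unconditional `nv_redirect_location(...)` below it, so the admin is sent back to the form with no indication that the submitted client id and secret were discarded. Consider giving the mismatch an explicit outcome before the redirect, for instance the same error response that edit.php and user_add.php return in this commit, so a stale token is distinguishable from a successful save. config_google.php and config_single-sign-on.php have the identical shape, and siteterms.php's new `} elseif ($checkss == ...)` likewise leaves `$error` empty on mismatch, so the page re-renders as if nothing went wrong; an `else` that assigns a `$lang_module` message to `$error` would surface it there. Note also that `$checkss` is not defined in this file but by admin/config.php before it `require`s this one; a line such as `// $checkss is computed by admin/config.php before this file is required` above the check would make that dependency visible.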
@@ -15,23 +15,25 @@ if ($nv_Request->isset_request('submit', 'post')) { $array_config['oauth_client_id'] = (string) $nv_Request->get_title('oauth_client_id', 'post', ''); $array_config['oauth_client_secret'] = $nv_Request->get_title('oauth_client_secret', 'post', ''); + if ($checkss == $nv_Request->get_string('checkss', 'post')) { + $sth = $db->prepare("UPDATE " . NV_CONFIG_GLOBALTABLE . " SET config_value = :config_value WHERE lang = 'sys' AND module = 'site' AND config_name = :config_name"); - $sth = $db->prepare("UPDATE " . NV_CONFIG_GLOBALTABLE . " SET config_value = :config_value WHERE lang = 'sys' AND module = 'site' AND config_name = :config_name"); + $sth->bindValue(':config_name', 'google_client_id', PDO::PARAM_STR); + $sth->bindParam(':config_value', $array_config['oauth_client_id'], PDO::PARAM_STR); + $sth->execute(); - $sth->bindValue(':config_name', 'google_client_id', PDO::PARAM_STR); - $sth->bindParam(':config_value', $array_config['oauth_client_id'], PDO::PARAM_STR); - $sth->execute(); + $sth->bindValue(':config_name', 'google_client_secret', PDO::PARAM_STR); + $sth->bindParam(':config_value', $array_config['oauth_client_secret'], PDO::PARAM_STR); + $sth->execute(); - $sth->bindValue(':config_name', 'google_client_secret', PDO::PARAM_STR); - $sth->bindParam(':config_value', $array_config['oauth_client_secret'], PDO::PARAM_STR); - $sth->execute(); - - nv_insert_logs(NV_LANG_DATA, $module_name, $lang_module['config'], $page_title, $admin_info['userid']); - $nv_Cache->delAll(); + nv_insert_logs(NV_LANG_DATA, $module_name, $lang_module['config'], $page_title, $admin_info['userid']); + $nv_Cache->delAll(); + } nv_redirect_location(NV_BASE_ADMINURL . 'index.php?' . NV_LANG_VARIABLE . '=' . NV_LANG_DATA . '&' . NV_NAME_VARIABLE . '=' . $module_name . '&' . NV_OP_VARIABLE . '=' . $op . '&oauth_config=' . $oauth_config . '&rand=' . 
nv_genpass()); } else { $array_config['oauth_client_id'] = $global_config['google_client_id']; $array_config['oauth_client_secret'] = $global_config['google_client_secret']; + $array_config['checkss'] = $checkss; $xtpl = new XTemplate('config_oauth.tpl', NV_ROOTDIR . '/themes/' . $global_config['module_theme'] . '/modules/' . $module_file); $xtpl->assign('FORM_ACTION', NV_BASE_ADMINURL . 'index.php?' . NV_LANG_VARIABLE . '=' . NV_LANG_DATA . '&' . NV_NAME_VARIABLE . '=' . $module_name . '&' . NV_OP_VARIABLE . '=' . $op . '&oauth_config=' . $oauth_config); diff --git a/modules/users/admin/config_single-sign-on.php b/modules/users/admin/config_single-sign-on.php index 6d8de4fd0b..b42d5b4e2d 100644 --- a/modules/users/admin/config_single-sign-on.php +++ b/modules/users/admin/config_single-sign-on.php 
@@ -43,25 +43,26 @@ $_cas_config['config_field'] = $nv_Request->get_array('config_field', 'post', ''); $_cas_config['config_field_lock'] = $nv_Request->get_array('config_field_lock', 'post', ''); - - $config_sso = serialize($_cas_config); - - try { - if (isset($global_config['config_sso'])) { - $sth = $db->prepare("UPDATE " . NV_CONFIG_GLOBALTABLE . " SET config_value = :config_value WHERE lang = 'sys' AND module = 'site' AND config_name = :config_name"); - } else { - $sth = $db->prepare("INSERT INTO " . NV_CONFIG_GLOBALTABLE . " (lang, module, config_name, config_value) VALUES ('sys', 'site', :config_name, :config_value)"); + if ($checkss == $nv_Request->get_string('checkss', 'post')) { + $config_sso = serialize($_cas_config); + + try { + if (isset($global_config['config_sso'])) { + $sth = $db->prepare("UPDATE " . NV_CONFIG_GLOBALTABLE . " SET config_value = :config_value WHERE lang = 'sys' AND module = 'site' AND config_name = :config_name"); + } else { + $sth = $db->prepare("INSERT INTO " . NV_CONFIG_GLOBALTABLE . " (lang, module, config_name, config_value) VALUES ('sys', 'site', :config_name, :config_value)"); + } + + $sth->bindValue(':config_name', 'config_sso', PDO::PARAM_STR); + $sth->bindParam(':config_value', $config_sso, PDO::PARAM_STR); + $sth->execute(); + } catch (PDOException $e) { + trigger_error($e->getMessage()); } - $sth->bindValue(':config_name', 'config_sso', PDO::PARAM_STR); - $sth->bindParam(':config_value', $config_sso, PDO::PARAM_STR); - $sth->execute(); - } catch (PDOException $e) { - trigger_error($e->getMessage()); + nv_insert_logs(NV_LANG_DATA, $module_name, $lang_module['config'], $page_title, $admin_info['userid']); + $nv_Cache->delAll(); } - - nv_insert_logs(NV_LANG_DATA, $module_name, $lang_module['config'], $page_title, $admin_info['userid']); - $nv_Cache->delAll(); nv_redirect_location(NV_BASE_ADMINURL . 'index.php?' . NV_LANG_VARIABLE . '=' . NV_LANG_DATA . '&' . NV_NAME_VARIABLE . '=' . $module_name . '&' . NV_OP_VARIABLE . '=' . 
$op . '&oauth_config=' . $oauth_config . '&rand=' . nv_genpass()); } elseif (isset($global_config['config_sso'])) { $_cas_config = unserialize($global_config['config_sso']); @@ -110,7 +111,7 @@ $field_lock[$key]['oncreate'] = ($value == 'oncreate') ? 'selected="selected"' : ''; $field_lock[$key]['onlogin'] = ($value == 'onlogin') ? 'selected="selected"' : ''; } - +$_cas_config['checkss'] = $checkss; $xtpl = new XTemplate('config_single-sign-on.tpl', NV_ROOTDIR . '/themes/' . $global_config['module_theme'] . '/modules/' . $module_file); $xtpl->assign('FORM_ACTION', NV_BASE_ADMINURL . 'index.php?' . NV_LANG_VARIABLE . '=' . NV_LANG_DATA . '&' . NV_NAME_VARIABLE . '=' . $module_name . '&' . NV_OP_VARIABLE . '=' . $op . '&oauth_config=' . $oauth_config); $xtpl->assign('LANG', $lang_module); diff --git a/modules/users/admin/del.php b/modules/users/admin/del.php index cae06b592c..5c1567bfc0 100755 --- a/modules/users/admin/del.php +++ b/modules/users/admin/del.php 
@@ -20,71 +20,72 @@ $userids = array_filter(array_unique(array_map('intval', array_map('trim', explode(',', $userids))))); $error = ''; - -foreach ($userids as $userid) { - $sql = 'SELECT admin_id FROM ' . NV_AUTHORS_GLOBALTABLE . ' WHERE admin_id=' . $userid; - $admin_id = $db->query($sql)->fetchColumn(); - if ($admin_id) { - continue; - } - - $sql = 'SELECT group_id, username, first_name, last_name, email, photo, in_groups, idsite FROM ' . NV_MOD_TABLE . ' WHERE userid=' . $userid; - $row = $db->query($sql)->fetch(3); - if (empty($row)) { - continue; - } - - list($group_id, $username, $first_name, $last_name, $email, $photo, $in_groups, $idsite) = $row; - - if ($global_config['idsite'] > 0 and $idsite != $global_config['idsite']) { - continue; - } - - $query = $db->query('SELECT COUNT(*) FROM ' . NV_MOD_TABLE . '_groups_users WHERE group_id IN (1,2,3) AND userid=' . $userid); - if ($query->fetchColumn()) { - $error = $lang_module['delete_group_system']; - } else { - $userdelete = (!empty($first_name)) ? $first_name . ' (' . $username . ')' : $username; - - $result = $db->exec('DELETE FROM ' . NV_MOD_TABLE . ' WHERE userid=' . $userid); - if (!$result) { +if (md5(NV_CHECK_SESSION . '_' . $module_name . '_main') == $nv_Request->get_string('checkss', 'post')) { + foreach ($userids as $userid) { + $sql = 'SELECT admin_id FROM ' . NV_AUTHORS_GLOBALTABLE . ' WHERE admin_id=' . $userid; + $admin_id = $db->query($sql)->fetchColumn(); + if ($admin_id) { continue; } - $in_groups = explode(',', $in_groups); - - try { - // Giảm thống kê số thành viên trong nhóm - $db->exec('UPDATE ' . NV_MOD_TABLE . '_groups SET numbers = numbers-1 WHERE group_id IN (SELECT group_id FROM ' . NV_MOD_TABLE . '_groups_users WHERE userid=' . $userid . ' AND approved = 1)'); - } catch (PDOException $e) { - trigger_error($e->getMessage()); - } - try { - // Giảm thống kê số thành viên chính thức và số thành viên mới xuống - $db->query('UPDATE ' . NV_MOD_TABLE . 
'_groups SET numbers = numbers-1 WHERE group_id=' . (($group_id == 7 or in_array(7, $in_groups)) ? 7 : 4)); - } catch (PDOException $e) { - trigger_error($e->getMessage()); + $sql = 'SELECT group_id, username, first_name, last_name, email, photo, in_groups, idsite FROM ' . NV_MOD_TABLE . ' WHERE userid=' . $userid; + $row = $db->query($sql)->fetch(3); + if (empty($row)) { + continue; } - $db->query('DELETE FROM ' . NV_MOD_TABLE . '_groups_users WHERE userid=' . $userid); - $db->query('DELETE FROM ' . NV_MOD_TABLE . '_openid WHERE userid=' . $userid); - $db->query('DELETE FROM ' . NV_MOD_TABLE . '_info WHERE userid=' . $userid); - nv_insert_logs(NV_LANG_DATA, $module_name, 'log_del_user', 'userid ' . $userid, $admin_info['userid']); + list($group_id, $username, $first_name, $last_name, $email, $photo, $in_groups, $idsite) = $row; - if (!empty($photo) and is_file(NV_ROOTDIR . '/' . $photo)) { - @nv_deletefile(NV_ROOTDIR . '/' . $photo); + if ($global_config['idsite'] > 0 and $idsite != $global_config['idsite']) { + continue; } - if (sizeof($userids) < 5) { - $subject = $lang_module['delconfirm_email_title']; - $message = sprintf($lang_module['delconfirm_email_content'], $userdelete, $global_config['site_name']); - $message = nl2br($message); - nv_sendmail([$global_config['site_name'], $global_config['site_email']], $email, $subject, $message); + $query = $db->query('SELECT COUNT(*) FROM ' . NV_MOD_TABLE . '_groups_users WHERE group_id IN (1,2,3) AND userid=' . $userid); + if ($query->fetchColumn()) { + $error = $lang_module['delete_group_system']; + } else { + $userdelete = (!empty($first_name)) ? $first_name . ' (' . $username . ')' : $username; + + $result = $db->exec('DELETE FROM ' . NV_MOD_TABLE . ' WHERE userid=' . $userid); + if (!$result) { + continue; + } + + $in_groups = explode(',', $in_groups); + + try { + // Giảm thống kê số thành viên trong nhóm + $db->exec('UPDATE ' . NV_MOD_TABLE . 
'_groups SET numbers = numbers-1 WHERE group_id IN (SELECT group_id FROM ' . NV_MOD_TABLE . '_groups_users WHERE userid=' . $userid . ' AND approved = 1)'); + } catch (PDOException $e) { + trigger_error($e->getMessage()); + } + try { + // Giảm thống kê số thành viên chính thức và số thành viên mới xuống + $db->query('UPDATE ' . NV_MOD_TABLE . '_groups SET numbers = numbers-1 WHERE group_id=' . (($group_id == 7 or in_array(7, $in_groups)) ? 7 : 4)); + } catch (PDOException $e) { + trigger_error($e->getMessage()); + } + $db->query('DELETE FROM ' . NV_MOD_TABLE . '_groups_users WHERE userid=' . $userid); + $db->query('DELETE FROM ' . NV_MOD_TABLE . '_openid WHERE userid=' . $userid); + $db->query('DELETE FROM ' . NV_MOD_TABLE . '_info WHERE userid=' . $userid); + + nv_insert_logs(NV_LANG_DATA, $module_name, 'log_del_user', 'userid ' . $userid, $admin_info['userid']); + + if (!empty($photo) and is_file(NV_ROOTDIR . '/' . $photo)) { + @nv_deletefile(NV_ROOTDIR . '/' . $photo); + } + + if (sizeof($userids) < 5) { + $subject = $lang_module['delconfirm_email_title']; + $message = sprintf($lang_module['delconfirm_email_content'], $userdelete, $global_config['site_name']); + $message = nl2br($message); + nv_sendmail([$global_config['site_name'], $global_config['site_email']], $email, $subject, $message); + } } } -} -$nv_Cache->delMod($module_name); + $nv_Cache->delMod($module_name); +} if ($error) { nv_htmlOutput('ERROR_' . $error); diff --git a/modules/users/admin/edit.php b/modules/users/admin/edit.php index b9bd5c92d0..d58332b78d 100755 --- a/modules/users/admin/edit.php +++ b/modules/users/admin/edit.php 
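Review bot: When the token comparison at the top of the new `if` fails, nothing is deleted but execution falls through to `if ($error)` with `$error` still empty, so — assuming the non-error path ends in `nv_htmlOutput('OK')` as setactive.php's does — the caller receives `OK` for a request that was rejected, and users.js then reloads the page as if the deletion had happened. Set `$error` in an `else` branch of the token check (a `$lang_module` entry rather than a literal) so the existing `ERROR_` response reports the rejection. setactive.php in this commit has the same fall-through, and there the trailing `nv_htmlOutput('OK');` is visible in the hunk. The token here is built with the literal `'_main'` rather than `$op` so that it matches the `CHECKSESS` value main.php assigns; a comment such as `// must match CHECKSESS assigned in admin/main.php` would spare the next reader the search.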
@@ -83,8 +83,14 @@ $access_passus = (isset($access_admin['access_passus'][$admin_info['level']]) and $access_admin['access_passus'][$admin_info['level']] == 1) ? true : false; $_user = $custom_fields = []; - +$checkss = md5(NV_CHECK_SESSION . '_' . $module_name . '_' . $op . '_' . $userid); if ($nv_Request->isset_request('confirm', 'post')) { + if ($checkss != $nv_Request->get_string('checkss', 'post')) { + nv_jsonOutput([ + 'status' => 'error', + 'mess' => 'Error Session, Please close the browser and try again' + ]); + } $_user['username'] = $nv_Request->get_title('username', 'post', '', 1); $_user['email'] = nv_strtolower($nv_Request->get_title('email', 'post', '', 1)); if ($access_passus) { @@ -364,6 +370,7 @@ $_user = $row; $_user['password1'] = $_user['password2'] = ''; $_user['in_groups'] = $array_old_groups; +$_user['checkss'] = $checkss; $sql = 'SELECT * FROM ' . NV_MOD_TABLE . '_info WHERE userid=' . $userid; $result = $db->query($sql); @@ -398,7 +405,6 @@ $xtpl->assign('FORM_ACTION', NV_BASE_ADMINURL . 'index.php?' . NV_LANG_VARIABLE . '=' . NV_LANG_DATA . '&' . NV_NAME_VARIABLE . '=' . $module_name . '&' . NV_OP_VARIABLE . '=edit&userid=' . $userid); $xtpl->assign('NV_BASE_SITEURL', NV_BASE_SITEURL); $xtpl->assign('NV_LANG_INTERFACE', NV_LANG_INTERFACE); - $xtpl->assign('NV_REDIRECT', $nv_redirect); if (defined('NV_IS_USER_FORUM')) { diff --git a/modules/users/admin/groups.php b/modules/users/admin/groups.php index 20fb17e179..eda4cd7691 100755 --- a/modules/users/admin/groups.php +++ b/modules/users/admin/groups.php @@ -529,6 +529,7 @@ if (defined('NV_IS_SPADMIN')) { $post = []; $post['id'] = $nv_Request->get_int('id', 'get'); + $checkss = md5(NV_CHECK_SESSION . '_' . $module_name . '_' . $op . '_' . $post['id']); if ($nv_Request->isset_request('edit', 'get')) { if (empty($post['id']) or !isset($groupsList[$post['id']]) or $groupsList[$post['id']]['idsite'] != $global_config['idsite']) { 
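Review bot: The rejection message `'mess' => 'Error Session, Please close the browser and try again'` is a hard-coded English literal in a module that otherwise takes user-facing text from `$lang_module`/`$lang_global`; move it to the language file and reuse that key in user_add.php and groups.php, which add the identical literal in this commit. groups.php also answers a mismatch with a bare `die('Error Session, ...')` while edit.php and user_add.php use `nv_jsonOutput([...])`, so the three new rejection paths respond in two different shapes; settling on one helper keeps the client-side handling uniform. The guard assumes `nv_jsonOutput()` terminates the request; if it can return, the `$_user[...]` assignments after it still run on the unverified POST data, so an explicit `exit;` after the call is cheap insurance.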
@@ -549,6 +550,9 @@ } if ($nv_Request->isset_request('save', 'post')) { + if ($checkss != $nv_Request->get_string('checkss', 'post')) { + die('Error Session, Please close the browser and try again'); + } // Sửa / Thêm full thông tin if (empty($post['id']) or $post['id'] > 9) { $post['title'] = $nv_Request->get_title('title', 'post', '', 1); @@ -752,7 +756,7 @@ if (!empty($post['group_avatar']) and is_file(NV_UPLOADS_REAL_DIR . '/' . $module_upload . '/' . $post['group_avatar'])) { $post['group_avatar'] = NV_BASE_SITEURL . NV_UPLOADS_DIR . '/' . $module_upload . '/' . $post['group_avatar']; } - + $post['checkss'] = $checkss; $xtpl->assign('CONFIG', $post['config']); $xtpl->assign('DATA', $post); diff --git a/modules/users/admin/main.php b/modules/users/admin/main.php index 9d7083d8eb..4722131460 100755 --- a/modules/users/admin/main.php +++ b/modules/users/admin/main.php @@ -259,6 +259,7 @@ $xtpl->assign('SEARCH_VALUE', nv_htmlspecialchars($methodvalue)); $xtpl->assign('TABLE_CAPTION', $table_caption); $xtpl->assign('HEAD', $head_tds); +$xtpl->assign('CHECKSESS', md5(NV_CHECK_SESSION . '_' . $module_name . '_' . $op)); if (defined('NV_IS_USER_FORUM')) { $xtpl->parse('main.is_forum'); @@ -299,7 +300,6 @@ } else { $u['active_obj'] = 'N/A'; } - $xtpl->assign('CONTENT_TD', $u); $xtpl->assign('NV_BASE_SITEURL', NV_BASE_SITEURL); $xtpl->assign('NV_ADMIN_THEME', $global_config['admin_theme']); diff --git a/modules/users/admin/setactive.php b/modules/users/admin/setactive.php index b7c79f3da0..1abd3ee72f 100755 --- a/modules/users/admin/setactive.php +++ b/modules/users/admin/setactive.php 
@@ -19,42 +19,43 @@ $userids = $nv_Request->get_title('userid', 'post', ''); $userids = array_filter(array_unique(array_map('intval', array_map('trim', explode(',', $userids))))); $setactive = $nv_Request->get_int('setactive', 'post', -1); - -foreach ($userids as $userid) { - if (!$userid or $admin_info['admin_id'] == $userid) { - continue; - } - - $sql = 'SELECT a.lev, b.username, b.active, b.idsite FROM ' . NV_AUTHORS_GLOBALTABLE . ' a, ' . NV_MOD_TABLE . ' b WHERE a.admin_id=' . $userid . ' AND a.admin_id=b.userid'; - $row = $db->query($sql)->fetch(3); - if (empty($row)) { - $level = 0; - $sql = 'SELECT username, active, idsite FROM ' . NV_MOD_TABLE . ' WHERE userid=' . $userid; - list($username, $active, $idsite) = $db->query($sql)->fetch(3); - } else { - list($level, $username, $active, $idsite) = $row; - $level = (int)$level; - } - - if (empty($level) or $admin_info['level'] < $level) { - if ($global_config['idsite'] > 0 and $idsite != $global_config['idsite']) { +if (md5(NV_CHECK_SESSION . '_' . $module_name . '_main') == $nv_Request->get_string('checkss', 'post')) { + foreach ($userids as $userid) { + if (!$userid or $admin_info['admin_id'] == $userid) { continue; } - if ($setactive < 0) { - $active = $active ? 0 : 1; - } elseif ($setactive == 0) { - $active = 0; + + $sql = 'SELECT a.lev, b.username, b.active, b.idsite FROM ' . NV_AUTHORS_GLOBALTABLE . ' a, ' . NV_MOD_TABLE . ' b WHERE a.admin_id=' . $userid . ' AND a.admin_id=b.userid'; + $row = $db->query($sql)->fetch(3); + if (empty($row)) { + $level = 0; + $sql = 'SELECT username, active, idsite FROM ' . NV_MOD_TABLE . ' WHERE userid=' . $userid; + list($username, $active, $idsite) = $db->query($sql)->fetch(3); } else { - $active = 1; + list($level, $username, $active, $idsite) = $row; + $level = (int)$level; } - $sql = 'UPDATE ' . NV_MOD_TABLE . ' SET active=' . $active . ' WHERE userid=' . $userid; - $result = $db->query($sql); - - $note = ($active) ? 
$lang_module['active_users'] : $lang_module['unactive_users']; - nv_insert_logs(NV_LANG_DATA, $module_name, $note, 'userid: ' . $userid . ' - username: ' . $username, $admin_info['userid']); + if (empty($level) or $admin_info['level'] < $level) { + if ($global_config['idsite'] > 0 and $idsite != $global_config['idsite']) { + continue; + } + if ($setactive < 0) { + $active = $active ? 0 : 1; + } elseif ($setactive == 0) { + $active = 0; + } else { + $active = 1; + } + + $sql = 'UPDATE ' . NV_MOD_TABLE . ' SET active=' . $active . ' WHERE userid=' . $userid; + $result = $db->query($sql); + + $note = ($active) ? $lang_module['active_users'] : $lang_module['unactive_users']; + nv_insert_logs(NV_LANG_DATA, $module_name, $note, 'userid: ' . $userid . ' - username: ' . $username, $admin_info['userid']); + } } -} -$nv_Cache->delMod($module_name); + $nv_Cache->delMod($module_name); +} nv_htmlOutput('OK'); diff --git a/modules/users/admin/siteterms.php b/modules/users/admin/siteterms.php index ffae9fdba0..da346b2133 100755 --- a/modules/users/admin/siteterms.php +++ b/modules/users/admin/siteterms.php @@ -29,12 +29,13 @@ $mode = 'edit'; } +$checkss = md5(NV_CHECK_SESSION . '_' . $module_name . '_' . $op . '_' . NV_LANG_DATA); if ($nv_Request->get_int('save', 'post') == 1) { $content = $nv_Request->get_editor('content', '', NV_ALLOWED_HTML_TAGS); if (empty($content)) { $error = $lang_module['error_content']; - } else { + } elseif ($checkss == $nv_Request->get_string('checkss', 'post')) { if ($mode == 'edit') { $stmt = $db->prepare("UPDATE " . NV_MOD_TABLE . "_config SET content= :content, 
@@ -62,6 +63,8 @@ $xtpl = new XTemplate('siteterms.tpl', NV_ROOTDIR . '/themes/' . $global_config['module_theme'] . '/modules/' . $module_file); $xtpl->assign('LANG', $lang_module); $xtpl->assign('GLANG', $lang_global); +$xtpl->assign('CHECKSS', $checkss); + $xtpl->assign('FORM_ACTION', NV_BASE_ADMINURL . 'index.php?' . NV_LANG_VARIABLE . '=' . NV_LANG_DATA . '&' . NV_NAME_VARIABLE . '=' . $module_name . '&' . NV_OP_VARIABLE . '=' . $op); if (! empty($error)) { diff --git a/modules/users/admin/user_add.php b/modules/users/admin/user_add.php index 6e45c39dff..5468010a40 100755 --- a/modules/users/admin/user_add.php +++ b/modules/users/admin/user_add.php @@ -48,7 +48,15 @@ if ($nv_Request->isset_request('nv_redirect', 'post,get')) { $nv_redirect = nv_get_redirect(); } + +$checkss = md5(NV_CHECK_SESSION . '_' . $module_name . '_' . $op . '_' . $userid); if ($nv_Request->isset_request('confirm', 'post')) { + if ($checkss != $nv_Request->get_string('checkss', 'post')) { + nv_jsonOutput([ + 'status' => 'error', + 'mess' => 'Error Session, Please close the browser and try again' + ]); + } $_user['username'] = $nv_Request->get_title('username', 'post', '', 1); $_user['email'] = nv_strtolower($nv_Request->get_title('email', 'post', '', 1)); $_user['password1'] = $nv_Request->get_title('password1', 'post', '', 0); @@ -346,6 +354,7 @@ $_user['adduser_email'] = ''; $_user['view_mail'] = ''; $_user['is_email_verified'] = ' checked="checked"'; +$_user['checkss'] = $checkss; $groups = []; if (!empty($groups_list)) { diff --git a/modules/users/admin/user_waiting.php b/modules/users/admin/user_waiting.php index 8f3c81d324..df33c351bb 100755 --- a/modules/users/admin/user_waiting.php +++ b/modules/users/admin/user_waiting.php 
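Review bot: The new `$checkss = md5(NV_CHECK_SESSION . '_' . $module_name . '_' . $op . '_' . $userid);` is copied from edit.php, but user_add.php creates a new account, and nothing in the hunk shows `$userid` being defined before this line; if it is not, the concatenation raises an undefined-variable notice and the token silently degrades to `md5(NV_CHECK_SESSION . '_' . $module_name . '_' . $op . '_')`. Either drop the trailing `$userid` component here or confirm it is set earlier in the file (outside this hunk) and say so in a comment. The user_add.php form is rendered from the same request that computes the token, so the template assignment `$_user['checkss'] = $checkss;` in the second hunk is consistent with the check as long as both sides see the same `$userid`.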
@@ -15,30 +15,33 @@ //Xoa thanh vien if ($nv_Request->isset_request('del', 'post')) { $userid = $nv_Request->get_absint('userid', 'post', 0); - - $sql = 'DELETE FROM ' . NV_MOD_TABLE . '_reg WHERE userid=' . $userid; - if ($global_config['idsite'] > 0) { - $sql .= ' AND idsite=' . $global_config['idsite']; - } - if ($db->exec($sql)) { - nv_delete_notification(NV_LANG_DATA, $module_name, 'send_active_link_fail', $userid); - die('OK'); + if (md5(NV_CHECK_SESSION . '_' . $module_name . '_' . $op . '_' . $userid) == $nv_Request->get_string('checkss', 'post')) { + $sql = 'DELETE FROM ' . NV_MOD_TABLE . '_reg WHERE userid=' . $userid; + if ($global_config['idsite'] > 0) { + $sql .= ' AND idsite=' . $global_config['idsite']; + } + if ($db->exec($sql)) { + nv_delete_notification(NV_LANG_DATA, $module_name, 'send_active_link_fail', $userid); + die('OK'); + } } die('NO'); } //Kich hoat thanh vien if ($nv_Request->isset_request('act', 'get')) { - $sql = 'SELECT count(*) FROM ' . NV_MOD_TABLE; - if ($global_config['idsite'] > 0) { - $sql .= ' WHERE idsite=' . $global_config['idsite']; - } - $user_number = $db->query($sql)->fetchColumn(); - if ($user_number >= $global_config['max_user_number']) { - $contents = sprintf($lang_global['limit_user_number'], $global_config['max_user_number']); - include NV_ROOTDIR . '/includes/header.php'; - echo nv_admin_theme($contents, $showheader); - include NV_ROOTDIR . '/includes/footer.php'; + if ($global_config['max_user_number']) { + $sql = 'SELECT count(*) FROM ' . NV_MOD_TABLE; + if ($global_config['idsite'] > 0) { + $sql .= ' WHERE idsite=' . $global_config['idsite']; + } + $user_number = $db->query($sql)->fetchColumn(); + if ($user_number >= $global_config['max_user_number']) { + $contents = sprintf($lang_global['limit_user_number'], $global_config['max_user_number']); + include NV_ROOTDIR . '/includes/header.php'; + echo nv_admin_theme($contents, $showheader); + include NV_ROOTDIR . 
'/includes/footer.php'; + } } $userid = $userid_reg = $nv_Request->get_int('userid', 'get', 0); @@ -49,7 +52,7 @@ } $row = $db->query($sql)->fetch(); - if (empty($row)) { + if (empty($row) or md5(NV_CHECK_SESSION . '_' . $module_name . '_' . $op . '_' . $userid) != $nv_Request->get_string('checkss', 'get')) { nv_redirect_location(NV_BASE_ADMINURL . 'index.php?' . NV_LANG_VARIABLE . '=' . NV_LANG_DATA . '&' . NV_NAME_VARIABLE . '=' . $module_name); } @@ -293,9 +296,9 @@ } foreach ($users_list as $u) { + $u['checkss'] = md5(NV_CHECK_SESSION . '_' . $module_name . '_' . $op . '_' . $u['userid']); $xtpl->assign('CONTENT_TD', $u); $xtpl->assign('ACTIVATE_URL', NV_BASE_ADMINURL . 'index.php?' . NV_LANG_VARIABLE . '=' . NV_LANG_DATA . '&' . NV_NAME_VARIABLE . '=' . $module_name . '&' . NV_OP_VARIABLE . '=user_waiting&act=1&userid=' . $u['userid']); - $xtpl->assign('EDIT_URL', NV_BASE_ADMINURL . 'index.php?' . NV_LANG_VARIABLE . '=' . NV_LANG_DATA . '&' . NV_NAME_VARIABLE . '=' . $module_name . '&' . NV_OP_VARIABLE . '=user_waiting&del&userid=' . $u['userid']); $xtpl->parse('main.xusers'); } diff --git a/modules/users/admin/user_waiting_remail.php b/modules/users/admin/user_waiting_remail.php index ed6ee34c1b..05ace19f88 100644 --- a/modules/users/admin/user_waiting_remail.php +++ b/modules/users/admin/user_waiting_remail.php @@ -14,7 +14,7 @@ $page_title = $lang_module['userwait_resend_email']; $set_active_op = 'user_waiting'; - +$checkss = md5(NV_CHECK_SESSION . '_' . $module_name . '_' . $op . '_' . $set_active_op); if ($nv_Request->isset_request('ajax', 'post')) { $per_email = $nv_Request->get_int('per_email', 'post', 0); $offset = $nv_Request->get_int('offset', 'post', 0); 
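Review bot: The activation path now rejects the request when `md5(NV_CHECK_SESSION . '_' . $module_name . '_' . $op . '_' . $userid) != $nv_Request->get_string('checkss', 'get')`, but the `ACTIVATE_URL` assignment in the third hunk is an unchanged context line and still builds the link as `...&act=1&userid=` with no `checkss` parameter; unless the template appends `{CONTENT_TD.checkss}` to that URL (the value is assigned to `CONTENT_TD`, and the .tpl hunks in this diff are not legible), every activation click now redirects back to the module index. Appending `. '&checkss=' . $u['checkss']` to the `ACTIVATE_URL` string in PHP would keep the link self-contained regardless of the template. The bundled behaviour change `if ($global_config['max_user_number'])` in the first hunk is a separate fix (a zero limit previously always tripped `$user_number >= 0`) and deserves a mention in the commit message.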
@@ -27,7 +27,7 @@ 'useriddel' => '', ]; - if ($tokend == NV_CHECK_SESSION and $per_email > 0 and $offset >= 0) { + if ($tokend == $checkss and $per_email > 0 and $offset >= 0) { $sql = "SELECT * FROM " . NV_MOD_TABLE . "_reg"; if($global_config['idsite'] > 0){ $sql .= ' WHERE idsite=' . $global_config['idsite']; @@ -91,7 +91,7 @@ $xtpl = new XTemplate('user_waiting_remail.tpl', NV_ROOTDIR . '/themes/' . $global_config['module_theme'] . '/modules/' . $module_file); $xtpl->assign('LANG', $lang_module); $xtpl->assign('GLANG', $lang_global); -$xtpl->assign('TOKEND', NV_CHECK_SESSION); +$xtpl->assign('TOKEND', $checkss); $xtpl->parse('main'); $contents = $xtpl->text('main'); diff --git a/modules/users/funcs/avatar.php b/modules/users/funcs/avatar.php index 93d58d495b..8a247971f4 100755 --- a/modules/users/funcs/avatar.php +++ b/modules/users/funcs/avatar.php @@ -90,7 +90,7 @@ function deleteAvatar() $array['success'] = 0; $array['error'] = ''; $array['u'] = (isset($array_op[1]) and ($array_op[1] == 'upd' or $array_op[1] == 'opener' or $array_op[1] == 'src')) ? $array_op[1] : ''; -$array['checkss'] = NV_CHECK_SESSION; +$array['checkss'] = md5(NV_CHECK_SESSION . '_' . $module_name . '_' . $op); $checkss = $nv_Request->get_title('checkss', 'post', ''); //Xoa avatar diff --git a/modules/users/funcs/editinfo.php b/modules/users/funcs/editinfo.php index b2e29417eb..2ba61654a6 100755 --- a/modules/users/funcs/editinfo.php +++ b/modules/users/funcs/editinfo.php @@ -216,7 +216,7 @@ function nv_groups_list_pub2() } $array_data = []; -$array_data['checkss'] = NV_CHECK_SESSION; +$array_data['checkss'] = md5(NV_CHECK_SESSION . '_' . $module_name . '_' . $op . '_' . $user_info['userid']); $array_data['awaitinginfo'] = []; $array_data['editcensor'] = $global_users_config['active_editinfo_censor']; $checkss = $nv_Request->get_title('checkss', 'post', ''); diff --git a/modules/users/funcs/lostactivelink.php b/modules/users/funcs/lostactivelink.php index e46f6de669..ca5c168077 100755 
--- a/modules/users/funcs/lostactivelink.php +++ b/modules/users/funcs/lostactivelink.php @@ -29,7 +29,7 @@ $key_words = $module_info['keywords']; $data = []; -$data['checkss'] = NV_CHECK_SESSION; +$data['checkss'] = md5(NV_CHECK_SESSION . '_' . $module_name . '_' . $op); $data['userField'] = nv_substr($nv_Request->get_title('userField', 'post', '', 1), 0, 100); $data['answer'] = nv_substr($nv_Request->get_title('answer', 'post', '', 1), 0, 255); $data['send'] = $nv_Request->get_bool('send', 'post', false); diff --git a/modules/users/funcs/lostpass.php b/modules/users/funcs/lostpass.php index 3b36163447..0ec457725c 100644 --- a/modules/users/funcs/lostpass.php +++ b/modules/users/funcs/lostpass.php @@ -73,7 +73,7 @@ function lost_pass_sendMail($row) } $data = array(); -$data['checkss'] = NV_CHECK_SESSION; +$data['checkss'] = md5(NV_CHECK_SESSION . '_' . $module_name . '_' . $op); $checkss = $nv_Request->get_title('checkss', 'post', ''); if ($checkss == $data['checkss']) { diff --git a/modules/users/funcs/register.php b/modules/users/funcs/register.php index 53ee788c48..c25cadafe6 100755 --- a/modules/users/funcs/register.php +++ b/modules/users/funcs/register.php @@ -181,7 +181,7 @@ function reg_result($array) $gfx_chk = (in_array($global_config['gfx_chk'], array(3, 4, 6, 7))) ? 1 : 0; $array_register = array(); -$array_register['checkss'] = NV_CHECK_SESSION; +$array_register['checkss'] = md5(NV_CHECK_SESSION . '_' . $module_name . '_' . $op); $array_register['nv_redirect'] = $nv_redirect; $checkss = $nv_Request->get_title('checkss', 'post', ''); diff --git a/themes/admin_default/js/users.js b/themes/admin_default/js/users.js index 9b00c9713e..1cacff83e8 100644 --- a/themes/admin_default/js/users.js +++ b/themes/admin_default/js/users.js 
@@ -151,7 +151,8 @@ function nv_add_question() {
 function nv_row_del(vid) {
 if (confirm(nv_is_del_confirm[0])) {
- $.post(script_name + '?' + nv_name_variable + '=' + nv_module_name + '&' + nv_fc_variable + '=del&nocache=' + new Date().getTime(), 'userid=' + vid, function(res) {
+ var checkss = $("input[name='checkss']").val();
+ $.post(script_name + '?' + nv_name_variable + '=' + nv_module_name + '&' + nv_fc_variable + '=del&nocache=' + new Date().getTime(), 'userid=' + vid + '&checkss=' + checkss, function(res) {
 if (res == 'OK') {
 window.location.href = window.location.href;
 } else {
@@ -180,9 +181,9 @@ function nv_set_official(vid) {
 return false;
 }
-function nv_waiting_row_del(uid) {
+function nv_waiting_row_del(uid,checkss) {
 if (confirm(nv_is_del_confirm[0])) {
- $.post(script_name + '?' + nv_name_variable + '=' + nv_module_name + '&' + nv_fc_variable + '=user_waiting&nocache=' + new Date().getTime(), 'del=1&userid=' + uid, function(res) {
+ $.post(script_name + '?' + nv_name_variable + '=' + nv_module_name + '&' + nv_fc_variable + '=user_waiting&nocache=' + new Date().getTime(), 'del=1&userid=' + uid + '&checkss=' + checkss, function(res) {
 if (res == 'OK') {
 window.location.href = window.location.href;
 } else {
@@ -217,7 +218,8 @@ function nv_editcensor_row_accept(uid, msg) {
 function nv_chang_status(vid) {
 var nv_timer = nv_settimeout_disable('change_status_' + vid, 5000);
- $.post(script_name + '?' + nv_name_variable + '=' + nv_module_name + '&' + nv_fc_variable + '=setactive&nocache=' + new Date().getTime(), 'userid=' + vid, function(res) {
+ var checkss = $("input[name='checkss']").val();
+ $.post(script_name + '?' + nv_name_variable + '=' + nv_module_name + '&' + nv_fc_variable + '=setactive&nocache=' + new Date().getTime(), 'userid=' + vid + '&checkss=' + checkss, function(res) {
 if (res != 'OK') {
 alert(nv_is_change_act_confirm[2]);
 window.location.href = window.location.href;
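Review bot: The added `$.post` lines in nv_row_del, nv_chang_status and nv_main_action (next hunk) append the token by string concatenation, `'userid=' + vid + '&checkss=' + checkss`, without URL-encoding, and `$("input[name='checkss']").val()` yields `undefined` when the hidden field is absent from the page, which then posts the literal text `checkss=undefined`. Passing jQuery a data object instead, `$.post(script_name + '?' + nv_name_variable + '=' + nv_module_name + '&' + nv_fc_variable + '=del&nocache=' + new Date().getTime(), {userid: vid, checkss: checkss}, function(res) {`, lets jQuery encode both values and keeps the call sites uniform. `nv_waiting_row_del(uid,checkss)` differs from its siblings by taking the token as a parameter, so every template that calls it must now pass a second argument; those callers are not in this diff, and the signature also wants a space after the comma to match `nv_editcensor_row_accept(uid, msg)`.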
@@ -531,9 +533,10 @@ function nv_main_action(btn) {
 if (listid != '') {
 var action = $('#mainuseropt').val();
+ var checkss = $("input[name='checkss']").val();
 if (action == 'del') {
 if (confirm(nv_is_del_confirm[0])) {
- $.post(script_name + '?' + nv_name_variable + '=' + nv_module_name + '&' + nv_fc_variable + '=del&nocache=' + new Date().getTime(), 'userid=' + listid, function(res) {
+ $.post(script_name + '?' + nv_name_variable + '=' + nv_module_name + '&' + nv_fc_variable + '=del&nocache=' + new Date().getTime(), 'userid=' + listid + '&checkss=' + checkss, function(res) {
 if (res == 'OK') {
 window.location.href = window.location.href;
 } else {
@@ -554,7 +557,7 @@ function nv_main_action(btn) {
 if (action == 'active') {
 setactive = 1;
 }
- $.post(script_name + '?' + nv_name_variable + '=' + nv_module_name + '&' + nv_fc_variable + '=setactive&nocache=' + new Date().getTime(), 'userid=' + listid + '&setactive=' + setactive, function(res) {
+ $.post(script_name + '?' + nv_name_variable + '=' + nv_module_name + '&' + nv_fc_variable + '=setactive&nocache=' + new Date().getTime(), 'userid=' + listid + '&setactive=' + setactive + '&checkss=' + checkss, function(res) {
 if (res != 'OK') {
 alert(nv_is_change_act_confirm[2]);
 btn.prop('disabled', false);
diff --git a/themes/admin_default/modules/users/config.tpl b/themes/admin_default/modules/users/config.tpl
index c5b94b3acc..92f5179209 100755
--- a/themes/admin_default/modules/users/config.tpl
+++ b/themes/admin_default/modules/users/config.tpl
@@ -125,7 +125,7 @@
-
+
diff --git a/themes/admin_default/modules/users/config_oauth.tpl b/themes/admin_default/modules/users/config_oauth.tpl
index 3db246d125..fdf8e7e11d 100644
--- a/themes/admin_default/modules/users/config_oauth.tpl
+++ b/themes/admin_default/modules/users/config_oauth.tpl
@@ -8,7 +8,7 @@
-
+
diff --git a/themes/admin_default/modules/users/config_single-sign-on.tpl b/themes/admin_default/modules/users/config_single-sign-on.tpl
index 057bd7cda1..d8a9167e27 100644
--- a/themes/admin_default/modules/users/config_single-sign-on.tpl
+++ b/themes/admin_default/modules/users/config_single-sign-on.tpl
@@ -4,7 +4,7 @@
-
+
diff --git a/themes/admin_default/modules/users/groups.tpl b/themes/admin_default/modules/users/groups.tpl
index c1f83641f8..bd8bedd13d 100755
--- a/themes/admin_default/modules/users/groups.tpl
+++ b/themes/admin_default/modules/users/groups.tpl
@@ -137,7 +137,7 @@
-
+

diff --git a/themes/admin_default/modules/users/main.tpl b/themes/admin_default/modules/users/main.tpl
index f8e7567c70..d9d8547d41 100755
--- a/themes/admin_default/modules/users/main.tpl
+++ b/themes/admin_default/modules/users/main.tpl
@@ -107,6 +107,7 @@
+
+ {DATA}
diff --git a/themes/admin_default/modules/users/user_add.tpl b/themes/admin_default/modules/users/user_add.tpl
index beeb658f82..1996074a20 100755
--- a/themes/admin_default/modules/users/user_add.tpl
+++ b/themes/admin_default/modules/users/user_add.tpl
@@ -225,6 +225,7 @@
+
+