diff --git a/app/controllers/admin/user.php b/app/controllers/admin/user.php
index b6a40486eab5c094ff86cd2ce996d80eec5d4ed3..d66a730561b103da8b5bb32246362070d15c86b2 100644
--- a/app/controllers/admin/user.php
+++ b/app/controllers/admin/user.php
@@ -978,6 +978,7 @@ class Admin_UserController extends AuthenticatedController
      */
     public function change_password_action($user_id)
     {
+        CSRFProtection::verifyUnsafeRequest();
         // mail address did not change, so skip this check
         $GLOBALS['MAIL_VALIDATE_BOX'] = false;
         $UserManagement = new UserManagement($user_id);
@@ -989,7 +990,7 @@ class Admin_UserController extends AuthenticatedController
             PageLayout::postError(_('Die Änderungen konnten nicht gespeichert werden.'), $details);
         }
         if (Request::int('from_index')) {
-            $this->redirect('admin/user');
+            $this->relocate('admin/user');
         } else {
             $this->redirect('admin/user/edit/' . $user_id);
         }
@@ -1031,7 +1032,7 @@ class Admin_UserController extends AuthenticatedController
         }
 
         if (Request::int('from_index')) {
-            $this->redirect('admin/user');
+            $this->relocate('admin/user');
         } else {
             $this->redirect('admin/user/edit/' . $user_id);
         }
@@ -1044,6 +1045,7 @@ class Admin_UserController extends AuthenticatedController
      */
     public function unlock_action($user_id)
     {
+        CSRFProtection::verifyUnsafeRequest();
         $user = User::find($user_id);
         $user->locked = 0;
 
@@ -1063,7 +1065,7 @@ class Admin_UserController extends AuthenticatedController
         }
 
         if (Request::int('from_index')) {
-            $this->redirect('admin/user');
+            $this->relocate('admin/user');
         } else {
             $this->redirect('admin/user/edit/' . $user_id);
         }
@@ -1146,6 +1148,7 @@ class Admin_UserController extends AuthenticatedController
      */
     public function delete_studycourse_action($user_id, $fach_id, $abschlus_id)
     {
+        CSRFProtection::verifyUnsafeRequest();
         $user_stc = UserStudyCourse::find([$user_id, $fach_id, $abschlus_id]);
         $deleted = false;
         if ($user_stc) {
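Review bot: The new `CSRFProtection::verifyUnsafeRequest()` call in `change_password_action` only closes the hole if the action is also restricted to POST; if, as its name suggests, the helper skips the token check for safe methods, a plain link or `<img src>` pointing at `admin/user/change_password/<id>` still sends the password mail with no token at all. Reject safe methods explicitly before the token check, e.g. `if (!Request::isPost()) { throw new MethodNotAllowedException(); }` (or whatever 405 exception the code base uses) — the same applies to every action in this file that gained the call. The body of `change_password_action` continues past the end of this hunk, so a method check further down would not be visible here.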
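Review bot: `unlock_action` dereferences the result of `User::find($user_id)` without a null check, so an unknown or mistyped id now dies with a "member function on null" fatal at `$user->locked = 0;` instead of a proper error page. Guard the lookup right after the new CSRF line: `$user = User::find($user_id);` / `if (!$user) { throw new Trails_Exception(404); }` (or a `PageLayout::postError` plus redirect, whichever the controller already uses for missing users). The remainder of `unlock_action` lies outside this hunk.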
@@ -1167,19 +1170,19 @@ class Admin_UserController extends AuthenticatedController
      */
     public function delete_institute_action($user_id, $institut_id)
     {
+        CSRFProtection::verifyUnsafeRequest();
         if ($GLOBALS['perm']->have_studip_perm("admin", $institut_id)) {
             $groups = GetAllStatusgruppen($institut_id);
             $group_list = GetRoleNames($groups, 0, '', true);
             if (is_array($group_list) && count($group_list) > 0) {
-                $query = "DELETE FROM statusgruppe_user
-                          WHERE statusgruppe_id IN (?) AND user_id = ?";
-                $statement = DBManager::get()->prepare($query);
-                $statement->execute([array_keys($group_list), $user_id]);
+                StatusgruppeUser::deleteBySQL(
+                    "`statusgruppe_id` IN (?) AND `user_id` = ?",
+                    [array_keys($group_list), $user_id]
+                );
             }
-            $db = DBManager::get()->prepare("DELETE FROM user_inst WHERE user_id = ? AND Institut_id = ?");
-            $db->execute([$user_id, $institut_id]);
-            if ($db->rowCount() == 1) {
+            $count = InstituteMember::deleteBySQL("`user_id` = ? AND `Institut_id` = ?", [$user_id, $institut_id]);
+            if ($count === 1) {
                 StudipLog::log('INST_USER_DEL', $institut_id, $user_id);
                 NotificationCenter::postNotification('UserInstitutionDidDelete', $institut_id, $user_id);
                 InstituteMember::ensureDefaultInstituteForUser($user_id);
@@ -1203,6 +1206,7 @@ class Admin_UserController extends AuthenticatedController
      */
     public function delete_userdomain_action($user_id)
     {
+        CSRFProtection::verifyUnsafeRequest();
         $domain_id = Request::get('domain_id');
         UserDomain::find($domain_id)->removeUser($user_id);
         $result = AutoInsert::instance()->saveUser($user_id);
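Review bot: `delete_userdomain_action` still calls `removeUser()` directly on `UserDomain::find($domain_id)`, so a missing or tampered `domain_id` request parameter crashes with a "member function on null" fatal rather than a clean error, and the CSRF token does not help because the request is made by a legitimately logged-in admin. Load the domain into a variable and bail out when it is absent: `$domain = UserDomain::find(Request::get('domain_id'));` / `if (!$domain) { throw new Trails_Exception(404); }` / `$domain->removeUser($user_id);`. The action's body continues beyond the hunk, so I cannot see how `$result` is handled afterwards.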
@@ -1221,11 +1225,12 @@ class Admin_UserController extends AuthenticatedController
     }
 
     /**
-     * Reset notfication for user
+     * Reset notification for user
      * @param $user_id
      */
     public function reset_notification_action($user_id)
     {
+        CSRFProtection::verifyUnsafeRequest();
         $resetted = CourseMemberNotification::deleteBySQL("user_id = ?", [$user_id]);
         PageLayout::postSuccess(sprintf(_('Die Benachrichtigungseinstellungen für %s Veranstaltungen wurden zurück gesetzt.'), $resetted));
         $this->redirect('admin/user/edit/' . $user_id);
@@ -1237,6 +1242,7 @@ class Admin_UserController extends AuthenticatedController
      */
     public function reset_tfa_action($user_id)
     {
+        CSRFProtection::verifyUnsafeRequest();
         if (TFASecret::deleteByUser_id($user_id)) {
             PageLayout::postSuccess(_('Die Zwei-Faktor-Authentifizierung wurde für diese Person deaktiviert.'));
         }
@@ -1688,7 +1694,7 @@ class Admin_UserController extends AuthenticatedController
                 _('Personenaccount entsperren'),
                 $this->url_for("admin/user/unlock/{$this->user->id}"),
                 Icon::create('lock-unlocked')
-            );
+            )->asButton();
         } else {
             $user_actions->addLink(
                 _('Personenaccount sperren'),
@@ -1703,7 +1709,7 @@ class Admin_UserController extends AuthenticatedController
                 _('Passwortlink zusenden'),
                 $this->url_for("admin/user/change_password/{$this->user->id}"),
                 Icon::create('key')
-            );
+            )->asButton();
         }
         $user_actions->addLink(
             _('Person löschen'),
@@ -1716,7 +1722,7 @@ class Admin_UserController extends AuthenticatedController
                 _('Benachrichtigungen zurücksetzen'),
                 $this->url_for("admin/user/reset_notification/{$this->user->id}"),
                 Icon::create('refresh')
-            );
+            )->asButton();
         }
 
         if ($this->action === 'activities') {
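Review bot: `reset_tfa_action` performs `TFASecret::deleteByUser_id($user_id)` for any id, while the sidebar only hides the "Zwei-Faktor-Authentifizierung deaktivieren" button for the admin's own account (`$this->user->id !== $GLOBALS['user']->id` in the hunk at 1732); if that view condition is meant as a policy rather than cosmetics, an admin can still switch off their own second factor by posting to the URL directly. Enforce it in the action as well, before the delete: `if ($user_id === $GLOBALS['user']->id) { throw new AccessDeniedException(); }` (or the access-denied exception the controller already uses). The rest of `reset_tfa_action`, including its redirect, is outside this hunk.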
@@ -1724,7 +1730,7 @@ class Admin_UserController extends AuthenticatedController
                 _('Alle Dateien des Nutzers aus Veranstaltungen und Einrichtungen als ZIP herunterladen'),
                 $this->url_for("admin/user/download_user_files/{$this->user->user_id}"),
                 Icon::create('folder-full')
-            );
+            )->asButton();
         }
 
         if ($this->user->id !== $GLOBALS['user']->id && TFASecret::exists($this->user->id)) {
@@ -1732,7 +1738,7 @@ class Admin_UserController extends AuthenticatedController
                 _('Zwei-Faktor-Authentifizierung deaktivieren'),
                 $this->url_for("admin/user/reset_tfa/{$this->user->id}"),
                 Icon::create('code-qr')
-            );
+            )->asButton();
         }
 
         $sidebar->insertWidget($user_actions, 'actions', 'user_actions');
diff --git a/app/views/admin/user/_results.php b/app/views/admin/user/_results.php
index 4770e2068f555e12d67f4d0f00f1c39da3948373..dc996fbf3acf0f563129819de1067c260c6b3457 100644
--- a/app/views/admin/user/_results.php
+++ b/app/views/admin/user/_results.php
@@ -170,10 +170,13 @@
         );
         if ($user->locked) {
-            $actionMenu->addLink(
-                $controller->url_for("admin/user/unlock/{$user->id}", ['from_index' => 1]),
+            $actionMenu->addButton(
+                'unlock',
                 _('Nutzeraccount entsperren'),
-                Icon::create('lock-unlocked')
+                Icon::create('lock-unlocked'),
+                [
+                    'formaction' => $controller->url_for("admin/user/unlock/{$user->id}", ['from_index' => 1])
+                ]
             );
         } else {
             $actionMenu->addLink(
@@ -186,10 +189,13 @@
         if ($user->auth_plugin !== 'preliminary' && ($GLOBALS['perm']->have_perm('root') || $GLOBALS['perm']->is_fak_admin() || !in_array($user->perms, words('root admin')))) {
             if (!StudipAuthAbstract::CheckField('auth_user_md5.password', $user->auth_plugin)) {
-                $actionMenu->addLink(
-                    $controller->url_for("admin/user/change_password/{$user->id}", ['from_index' => 1]),
+                $actionMenu->addButton(
+                    'change_password',
                     _('Passwortlink zusenden'),
-                    Icon::create('key')
+                    Icon::create('key'),
+                    [
+                        'formaction' => $controller->url_for("admin/user/change_password/{$user->id}", ['from_index' => 1])
+                    ]
                 );
             }
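Review bot: The new `addButton('change_password', …, ['formaction' => …])` only reaches `change_password_action` with a valid token if the results list is rendered inside a `<form method="post">` that carries the CSRF token field; the enclosing form is not part of this hunk, so please confirm it exists, otherwise every "Passwortlink zusenden" click will now be rejected by `verifyUnsafeRequest()` instead of silently working as the old GET link did. The same dependency applies to the `unlock` button in the previous hunk. A one-line comment above the `addButton` call, e.g. `// submit button: relies on the surrounding results form and its CSRF token`, would make that coupling visible to the next person touching the template.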
diff --git a/app/views/admin/user/edit.php b/app/views/admin/user/edit.php
index 8892d983176a2199ad45c1a2f34064fa72fde0c0..75ca932557f071a181c6c260f593260af8d1258a 100644
--- a/app/views/admin/user/edit.php
+++ b/app/views/admin/user/edit.php
@@ -256,7 +256,7 @@ use Studip\Button, Studip\LinkButton;
         </label>
         <label class="col-2">
-            <?= Icon::create('accept', 'accept')->asImg([
+            <?= Icon::create('accept', Icon::ROLE_ACCEPT)->asImg([
                 'id' => 'pw_success',
                 'style' => 'display: none',
             ]) ?>
@@ -435,12 +435,14 @@ use Studip\Button, Studip\LinkButton;
                 htmlReady($usc->semester),
                 _('Fachsemester')
             ) ?>
-            <a href="<?= $controller->url_for('admin/user/delete_studycourse/' . $user->user_id . '/' . $usc->fach_id . '/' . $usc->abschluss_id) ?>">
-                <?= Icon::create('trash')->asImg([
+            <?= Icon::create('trash')->asInput(
+                [
                     'class' => 'text-bottom',
                     'title' => _('Diesen Studiengang löschen'),
-                ]) ?>
-            </a>
+                    'data-confirm' => _('Sind Sie sicher, dass Sie diesen Studiengang löschen wollen?'),
+                    'formaction' => $controller->delete_studycourseURL($user->user_id, $usc->fach_id, $usc->abschluss_id)
+                ]
+            )?>
             <? $versionen = StgteilVersion::findByFachAbschluss($usc->fach_id, $usc->abschluss_id); ?>
             <? $versionen = array_filter($versionen, function ($ver) {
                 return $ver->hasPublicStatus('genehmigt');
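Review bot: If `asInput` renders the trash icon as an `<input type="image">`, it is now a submit control inside the edit form, and the `data-confirm` prompt is JavaScript-only: a browser's implicit submission (Enter in any text field) activates the first submit button in document order, and when that is this control the study course is deleted without confirmation and with the entire edit form posted to `delete_studycourse_action`. Where the form's main save button sits relative to this element is outside the hunk, so please check the order; placing a visually hidden default submit button at the top of the form, or rendering the delete control as `type="button"` driven by JS, avoids the surprise. The same consideration applies to the institute and user-domain delete buttons further down in this file.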
@@ -474,12 +476,14 @@ use Studip\Button, Studip\LinkButton;
                 <?= htmlReady($inst_membership->institute->name) ?>
                 <? if ($GLOBALS['perm']->have_studip_perm('admin', $inst_membership->institut_id)) : ?>
-                    <a href="<?= $controller->url_for('admin/user/delete_institute/' . $user->user_id . '/' . $inst_membership->institut_id) ?>">
-                        <?= Icon::create('trash')->asImg([
+                    <?= Icon::create('trash')->asInput(
+                        [
                             'class' => 'text-bottom',
                             'title' => _('Diese Einrichtung löschen'),
-                        ]) ?>
-                    </a>
+                            'data-confirm' => _('Sind Sie sicher, dass Sie diese Einrichtung löschen wollen?'),
+                            'formaction' => $controller->delete_instituteURL($user->user_id, $inst_membership->institut_id)
+                        ]
+                    )?>
                 <? endif; ?>
             </li>
         <? endforeach; ?>
@@ -504,7 +508,7 @@ use Studip\Button, Studip\LinkButton;
                 </option>
                 <? foreach ($available_institutes as $i) : ?>
                     <? if (InstituteMember::countBySql('user_id = ? AND institut_id = ?', [$user->user_id, $i['Institut_id']]) == 0
-                        && (!($i['is_fak'] && $user->perms == 'admin') || $GLOBALS['perm']->have_perm('root'))
+                        && (!($i['is_fak'] && $user->perms === 'admin') || $GLOBALS['perm']->have_perm('root'))
                     ) : ?>
                         <option class="<?= $i['is_fak'] ? 'nested-item-header' : 'nested-item' ?>"
                                 value="<?= htmlReady($i['Institut_id']) ?>">
@@ -533,12 +537,14 @@ use Studip\Button, Studip\LinkButton;
                             'title' => _('Diese Einrichtung bearbeiten'),
                         ]) ?>
                     </a>
-                    <a href="<?= $controller->url_for('admin/user/delete_institute/' . $user->user_id . '/' . $inst_membership->institut_id) ?>">
-                        <?= Icon::create('trash')->asImg([
+                    <?= Icon::create('trash')->asInput(
+                        [
                             'class' => 'text-bottom',
                             'title' => _('Diese Einrichtung löschen'),
-                        ]) ?>
-                    </a>
+                            'data-confirm' => _('Sind Sie sicher, dass Sie diese Einrichtung löschen wollen?'),
+                            'formaction' => $controller->delete_instituteURL($user->user_id, $inst_membership->institut_id)
+                        ]
+                    )?>
                 <? endif; ?>
             </li>
         <? endforeach; ?>
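Review bot: The identical eight-line delete control (`Icon::create('trash')->asInput([... 'formaction' => $controller->delete_instituteURL($user->user_id, $inst_membership->institut_id)])`) is now pasted twice in `edit.php`, at 476 and 537, with the same title and confirm strings, so the two copies will drift the next time one of them is touched. Extract it once, e.g. as a small closure near the top of the institute section, `$institute_delete_button = function ($institut_id) use ($controller, $user) { ... };`, and emit `<?= $institute_delete_button($inst_membership->institut_id) ?>` from both lists. Both `foreach` loops that define `$inst_membership` begin above their respective hunks, so the names in scope should be confirmed before moving the code.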
@@ -547,46 +553,49 @@ use Studip\Button, Studip\LinkButton;
             <? endif;?>
         </fieldset>
-        <fieldset>
-            <legend>
-                <?= _('Nutzerdomänen') ?>
-            </legend>
+        <? if (!empty($domains) || !empty($userdomains)) : ?>
+            <fieldset>
+                <legend>
+                    <?= _('Nutzerdomänen') ?>
+                </legend>
 
-            <? if (!empty($domains)) : ?>
-                <label class="col-3">
-                    <?= _('Neue Nutzerdomäne') ?>
-                    <select name="new_userdomain" id="new_userdomain">
-                        <option selected value="none"><?= _('-- Bitte Nutzerdomäne auswählen --') ?></option>
-                        <? foreach ($domains as $domain) : ?>
-                            <option value="<?= $domain->id ?>">
-                                <?= htmlReady(my_substr($domain->name, 0, 50)) ?>
-                            </option>
-                        <? endforeach ?>
-                    </select>
-                </label>
-            <? endif ?>
+                <label class="col-3">
+                    <?= _('Neue Nutzerdomäne') ?>
 
-            <? if (count($userdomains) > 0): ?>
-                <section class="col-3">
-                    <ol class="default">
-                        <? foreach ($userdomains as $i => $domain): ?>
-                            <li>
-                                <?= htmlReady($domain->name) ?>
+                    <select name="new_userdomain" id="new_userdomain">
+                        <option selected value="none"><?= _('-- Bitte Nutzerdomäne auswählen --') ?></option>
+                        <? foreach ($domains as $domain) : ?>
+                            <option value="<?= $domain->id ?>">
+                                <?= htmlReady(my_substr($domain->name, 0, 50)) ?>
+                            </option>
+                        <? endforeach ?>
+                    </select>
+                </label>
 
-                                <a href="<?= $controller->url_for('admin/user/delete_userdomain/' . $user->id, ['domain_id' => $domain->id]) ?>">
-                                    <?= Icon::create('trash')->asImg([
-                                        'class' => 'text-bottom',
-                                        'title' => _('Aus dieser Nutzerdomäne austragen'),
-                                    ]) ?>
-                                </a>
-                            </li>
-                        <? endforeach; ?>
-                    </ol>
-                </section>
-            <? endif; ?>
-        </fieldset>
-        <? endif; /* $user['perms'] !== 'root' */ ?>
+
+                <? if (count($userdomains) > 0): ?>
+                    <section class="col-3">
+                        <ol class="default">
+                            <? foreach ($userdomains as $i => $domain): ?>
+                                <li>
+                                    <?= htmlReady($domain->name) ?>
+                                    <?= Icon::create('trash')->asInput(
+                                        [
+                                            'class' => 'text-bottom',
+                                            'title' => _('Aus dieser Nutzerdomäne austragen'),
+                                            'data-confirm' => _('Sind Sie sicher, dass sie die Person aus der Nutzerdomäne austragen wollen?'),
+                                            'formaction' => $controller->delete_userdomainURL($user->id, ['domain_id' => $domain->id])
+                                        ]
+                                    )?>
+                                </li>
+                            <? endforeach; ?>
+                        </ol>
+                    </section>
+                <? endif; ?>
+            </fieldset>
+        <? endif ?>
+        <? endif;?>
     <? if ($GLOBALS['perm']->have_perm('root') && count(LockRule::findAllByType('user')) > 0) : ?>
         <fieldset>
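Review bot: The new outer guard `<? if (!empty($domains) || !empty($userdomains)) : ?>` replaces the old `<? if (!empty($domains)) : ?>` around the "Neue Nutzerdomäne" select rather than wrapping it, so when a person already belongs to domains but none are left to add, the form now renders a select whose only entry is the "-- Bitte Nutzerdomäne auswählen --" placeholder; if that is not intended, keep the inner `<? if (!empty($domains)) : ?> … <? endif ?>` around the `<label class="col-3">`. Separately, the two consecutive closers `<? endif ?>` / `<? endif;?>` are hard to tell apart now that the `/* $user['perms'] !== 'root' */` hint was dropped from the second; restoring it as `<? endif; /* $user['perms'] !== 'root' */ ?>` keeps the nesting readable. The `$user['perms'] !== 'root'` block that the last `endif` closes begins above this hunk.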