From a465231effa826f2b98f6aa0517e47f2ba2a22da Mon Sep 17 00:00:00 2001
From: Fluffy-Bean <michal-gdula@protonmail.com>
Date: Tue, 20 Sep 2022 10:12:32 +0000
Subject: [PATCH] Account deletion, password reset fixes

---
 account.php                    |  81 +++++++++----
 app/account/account.php        | 212 +++++++++++++++++++++++++++++++++
 app/account/password_reset.php | 136 ---------------------
 app/server/conn.php            |  14 ++-
 css/main.css                   |   1 +
 css/main.scss                  |   2 +
 password-reset.php             |   4 +-
 7 files changed, 285 insertions(+), 165 deletions(-)
 delete mode 100644 app/account/password_reset.php

diff --git a/account.php b/account.php
index 8e7337f..f47ba5f 100644
--- a/account.php
+++ b/account.php
@@ -28,7 +28,44 @@
 				<br>
 				<p>Don't leave! I'm with the science team!</p>
 				<a class='btn btn-bad' href='app/account/logout.php'><img class='svg' src='assets/icons/sign-out.svg'>Logout</a>
+				<br>
+				<p>Be carefull!</p>
+				<button class="btn btn-bad" onclick="deleteAccount()">Delete account</button>
 			</div>
+			<script>
+				function deleteAccount() {
+					var header = "Are you very very sure?";
+					var description = "This CANNOT be undone, be very carefull with your decition... There is no second warning!";
+					var actionBox = "<form id='userDelete' method='POST'>\
+					<button id='accountDeleteSubmit' class='btn btn-bad' type='submit'><img class='svg' src='assets/icons/trash.svg'>Delete account (keep posts)</button>\
+					</form>\
+					<form id='userDeleteFull' method='POST'>\
+					<button id='accountDeleteSubmit' class='btn btn-bad' type='submit'><img class='svg' src='assets/icons/trash.svg'>Delete account (delete posts)</button>\
+					</form>";
+
+					flyoutShow(header, description, actionBox);
+					
+					$("#userDelete").submit(function(event) {
+						event.preventDefault();
+						var accountDeleteSubmit = $("#accountDeleteSubmit").val();
+						$("#sniffle").load("app/account/account.php", {
+							delete_id: <?php echo $_SESSION['id']; ?>,
+							full: false,
+							account_delete_submit: accountDeleteSubmit
+						});
+					});
+					$("#userDeleteFull").submit(function(event) {
+						event.preventDefault();
+						var accountDeleteSubmit = $("#accountDeleteSubmit").val();
+						$("#sniffle").load("app/account/account.php", {
+							delete_id: <?php echo $_SESSION['id']; ?>,
+							full: true,
+							account_delete_submit: accountDeleteSubmit
+						});
+					});
+				}
+			</script>
+
 			<?php
 				if ($user_info->is_admin($conn, $_SESSION['id'])) {
 				?>
@@ -55,7 +92,7 @@
 						<div class="tabs">
 							<button class="btn btn-neutral tablinks" onclick="openTab(event, 'logs')">Logs</button>
 							<button class="btn btn-neutral tablinks" onclick="openTab(event, 'bans')">Bans</button>
-							<button class="btn btn-neutral tablinks" onclick="openTab(event, 'users')">User settings</button>
+							<button class="btn btn-neutral tablinks" onclick="openTab(event, 'users')">Users</button>
 						</div>
 
 						<div id="logs" class="logs tabcontent">
@@ -182,49 +219,51 @@
 										var confirm_password = $("#userConfirmPassword").val();
 										var submit = $("#userPasswordSubmit").val();
 										var userId = $("#userPasswordSubmit").val();
-										$("#sniffle").load("app/account/password_reset.php", {
+										$("#sniffle").load("app/account/account.php", {
 											new_password: new_password,
 											confirm_password: confirm_password,
 											id: userId,
-											submit: submit
+											password_reset_submit: submit
 										});
 									});
 								}
 								function userDelete(id, username) {
 									var header = "Are you very very sure?";
-									var description = "This CANNOT be undone, be very carefull with your decition...";
-									var actionBox = "<form id='' action='app/image/edit_description.php' method='POST'>\
-									<button class='btn btn-bad' type='submit' value='"+id+"'><img class='svg' src='assets/icons/trash.svg'>Delete user "+username+" (keep posts)</button>\
+									var description = "This CANNOT be undone, be very carefull with your decition... There is no second warning!";
+									var actionBox = "<form id='userDelete' method='POST'>\
+									<button id='userDeleteSubmit' class='btn btn-bad' type='submit' value='"+id+"'><img class='svg' src='assets/icons/trash.svg'>Delete user "+username+" (keep posts)</button>\
 									</form>\
-									<form id='' action='app/image/edit_description.php' method='POST'>\
-									<button class='btn btn-bad' type='submit' value='"+id+"'><img class='svg' src='assets/icons/trash.svg'>Delete user "+username+" (delete posts)</button>\
+									<form id='userDeleteFull' method='POST'>\
+									<button id='userDeleteSubmit' class='btn btn-bad' type='submit' value='"+id+"'><img class='svg' src='assets/icons/trash.svg'>Delete user "+username+" (delete posts)</button>\
 									</form>";
 
 									flyoutShow(header, description, actionBox);
 									
-									/*$("#descriptionConfirm").submit(function(event) {
+									$("#userDelete").submit(function(event) {
 										event.preventDefault();
-										var descriptionInput = $("#descriptionInput").val();
+										var id = $("#userDeleteSubmit").val();
 										var userDeleteSubmit = $("#userDeleteSubmit").val();
-										$("#sniffle").load("path/to/.php", {
-											id: id,
-											submit_delete: userDeleteSubmit
+										$("#sniffle").load("app/account/account.php", {
+											delete_id: id,
+											full: false,
+											account_delete_submit: userDeleteSubmit
 										});
-									});*/
-									/*$("#descriptionConfirm").submit(function(event) {
+									});
+									$("#userDeleteFull").submit(function(event) {
 										event.preventDefault();
-										var descriptionInput = $("#descriptionInput").val();
+										var id = $("#userDeleteSubmit").val();
 										var userDeleteSubmit = $("#userDeleteSubmit").val();
-										$("#sniffle").load("path/to/.php", {
-											id: id,
-											submit_delete: userDeleteSubmit
+										$("#sniffle").load("app/account/account.php", {
+											delete_id: id,
+											full: true,
+											account_delete_submit: userDeleteSubmit
 										});
-									});*/
+									});
 								}
 								function userToggleAdmin(id, username) {
 									var header = "With great power comes great responsibility...";
 									var description = "Do you trust this user? With admin permitions they can cause a whole lot of damage to this place, so make sure you're very very sure";
-									var actionBox = "<form id='toggleAdminConfirm' action='app/image/edit_description.php' method='POST'>\
+									var actionBox = "<form id='toggleAdminConfirm' method='POST'>\
 									<button id='toggleAdminSubmit' class='btn btn-bad' type='submit' value='"+id+"'>Make "+username+" powerfull!</button>\
 									</form>";
 
diff --git a/app/account/account.php b/app/account/account.php
index 4269257..2c08129 100644
--- a/app/account/account.php
+++ b/app/account/account.php
@@ -486,4 +486,216 @@ if (isset($_POST['toggle_admin'])) {
             </script>
         <?php      
     }
+}
+
+
+/*
+ |-------------------------------------------------------------
+ | Password Reset
+ |-------------------------------------------------------------
+ | I want to make it possible to reset the password without
+ | access to the account directly with an email reset link or
+ | something. I also want to confirm the password change with
+ | the old password in the future, as people forget passwords
+ | and people can get onto accounts. For now this is a shitty
+ | little system thats inplace for those who need it. Hopefully
+ | I can make something better in the future...
+ |-------------------------------------------------------------
+*/
+if (isset($_POST['password_reset_submit'])) {
+    $error = 0;
+
+    // Validate new password
+    if (empty(trim($_POST["new_password"]))) {
+        ?>
+            <script>
+                sniffleAdd('Meep', 'Enter a new password!', 'var(--red)', 'assets/icons/cross.svg');
+                flyoutClose();
+            </script>
+        <?php
+        $error += 1;
+    } elseif(strlen(trim($_POST["new_password"])) < 6) {
+        ?>
+            <script>
+                sniffleAdd('Not long enough...', 'Password, must be 6 or more characters in length uwu', 'var(--red)', 'assets/icons/cross.svg');
+                flyoutClose();
+            </script>
+        <?php
+        $error += 1;
+    } else {
+        $new_password = trim($_POST["new_password"]);
+    }
+    
+    // Validate confirm password
+    if (empty(trim($_POST["confirm_password"]))) {
+        ?>
+            <script>
+                sniffleAdd('Meep', 'You must confirm the password!!!!', 'var(--red)', 'assets/icons/cross.svg');
+                flyoutClose();
+            </script>
+        <?php
+        $error += 1;
+    } else {
+        $confirm_password = trim($_POST["confirm_password"]);
+        if(empty($error) && ($new_password != $confirm_password)) {
+            ?>
+                <script>
+                    sniffleAdd('AAAA', 'Passwords do not match!!!', 'var(--red)', 'assets/icons/cross.svg');
+                    flyoutClose();
+                </script>
+            <?php
+            $error += 1;
+        }
+    }
+
+    if (isset($_POST['id']) && $user_info->is_admin($conn, $_SESSION["id"])) {
+        $user_id = $_POST['id'];
+    } elseif (empty($_POST['id'])) {
+        $user_id = $_SESSION["id"];
+    } else {
+        ?>
+            <script>
+                sniffleAdd('Oopsie', 'An error occured while figuring out which user to change the password of... Are you an admin?', 'var(--red)', 'assets/icons/cross.svg');
+                flyoutClose();
+            </script>
+        <?php
+        $error += 1;
+    }
+
+    // Check for errors
+    if ($error <= 0) {
+        // Prepare for wack
+        $sql = "UPDATE users SET password = ? WHERE id = ?";
+    
+        if ($stmt = mysqli_prepare($conn, $sql)) {
+            mysqli_stmt_bind_param($stmt, "si", $param_password, $param_id);
+    
+            // Setting up Password parameters
+            $param_password = password_hash($new_password, PASSWORD_DEFAULT);
+            $param_id = $user_id;
+    
+            // Attempt to execute (sus)
+            if (mysqli_stmt_execute($stmt)) {
+                // Password updated!!!! Now goodbye
+                if ($user_id == $_SESSION["id"]) {
+                    // Check if password reset was done by user
+                    session_destroy();
+                    ?>
+                        <script>
+                            sniffleAdd('Password updated', 'Now goodbye.... you will be redirected in a moment', 'var(--green)', 'assets/icons/check.svg');
+                            setTimeout(function(){window.location.href = "account/login.php";}, 2000);
+                        </script>
+                    <?php
+                } else {
+                    // An admin has changed the password
+                    ?>
+                        <script>
+                            sniffleAdd('Password updated', 'Password has been reset for user! But their session may still be active', 'var(--green)', 'assets/icons/check.svg');
+                            flyoutClose();
+                        </script>
+                    <?php
+                }
+            } else {
+                ?>
+                    <script>
+                        sniffleAdd('Bruh', 'Something happened on our end, sowwy', 'var(--red)', 'assets/icons/cross.svg');
+                        flyoutClose();
+                    </script>
+                <?php
+            }
+        }
+    }
+}
+
+/*
+    Account deletion
+
+    I hate dealing with stuffs being deleted
+*/
+if (isset($_POST['account_delete_submit'])) {
+    $error = 0;
+
+    if (isset($_POST['delete_id'])) {
+        if ($_POST['delete_id'] == 1) {
+            ?>
+                <script>
+                    sniffleAdd('Sussy', 'You cannot delete the owners account!!!!!', 'var(--red)', 'assets/icons/cross.svg');
+                    flyoutClose();
+                </script>
+            <?php
+            $error += 1;
+        } elseif ($_POST['delete_id'] == $_SESSION['id']) {
+            $delete_id = $_SESSION['id'];
+        } elseif ($_POST['delete_id'] != $_SESSION['id'] && $_SESSION['id'] == 1) {
+            $delete_id = $_POST['delete_id'];
+        } else {
+            ?>
+                <script>
+                    sniffleAdd('Ono', 'You aren\'t privilaged enough to delete accounts!', 'var(--red)', 'assets/icons/cross.svg');
+                    flyoutClose();
+                </script>
+            <?php
+            $error += 1;
+        }
+    } else {
+        ?>
+            <script>
+                sniffleAdd('Oopsie', 'We couldn\'t find the account that was requested to be deleted', 'var(--red)', 'assets/icons/cross.svg');
+                flyoutClose();
+            </script>
+        <?php
+        $error += 1;
+    }
+
+    if (empty($_POST['full']) || !isset($_POST['full'])) {
+        ?>
+            <script>
+                sniffleAdd('Oopsie', 'Some error occured, unsure what to delete', 'var(--red)', 'assets/icons/cross.svg');
+                flyoutClose();
+            </script>
+        <?php
+        $error += 1;
+    }
+
+    if ($error <= 0) {
+        if ($_POST['full']) {
+            $image_request = mysqli_query($conn, "SELECT id, imagename FROM images WHERE author = '$delete_id'");
+
+            while ($image = mysqli_fetch_array($image_request)) {
+                if (is_file(dirname(__DIR__)."/images/".$image['imagename'])) {
+                    unlink(dirname(__DIR__)."/images/".$image['imagename']);
+                }
+                if (is_file(dirname(__DIR__)."/images/thumbnails/".$image['imagename'])) {
+                    unlink(dirname(__DIR__)."/images/thumbnails/".$image['imagename']);
+                }
+                if (is_file(dirname(__DIR__)."/images/previews/".$image['imagename'])) {
+                    unlink(dirname(__DIR__)."/images/previews/".$image['imagename']);
+                }
+
+                mysqli_query($conn, "DELETE FROM images WHERE id = ".$image['id']);
+            }
+
+            ?>
+                <script>
+                    sniffleAdd('Progress', 'Deleted all images from the user', 'var(--green)', 'assets/icons/warning.svg');
+                    flyoutClose();
+                </script>
+            <?php
+        }
+        
+        mysqli_query($conn, "DELETE FROM users WHERE id = ".$delete_id);
+
+        if ($_POST['full']) {
+            mysqli_query($conn,"INSERT INTO logs (ipaddress, action) VALUES('$user_ip','Deleted a user account and all their posts')");
+        } else {
+            mysqli_query($conn,"INSERT INTO logs (ipaddress, action) VALUES('$user_ip','Deleted a user account')");
+        }
+
+        ?>
+            <script>
+                sniffleAdd('Goodbye!', 'Successfully deleted the user!', 'var(--green)', 'assets/icons/check.svg');
+                flyoutClose();
+            </script>
+        <?php
+    }
 }
\ No newline at end of file
diff --git a/app/account/password_reset.php b/app/account/password_reset.php
deleted file mode 100644
index 362ed91..0000000
--- a/app/account/password_reset.php
+++ /dev/null
@@ -1,136 +0,0 @@
-<?php
-/*
- |-------------------------------------------------------------
- | Password Reset
- |-------------------------------------------------------------
- | I want to make it possible to reset the password without
- | access to the account directly with an email reset link or
- | something. I also want to confirm the password change with
- | the old password in the future, as people forget passwords
- | and people can get onto accounts. For now this is a shitty
- | little system thats inplace for those who need it. Hopefully
- | I can make something better in the future...
- |-------------------------------------------------------------
-*/
-// Initialize the session
-session_start();
-// Include server connection
-include dirname(__DIR__)."/server/conn.php";
-include dirname(__DIR__)."/app.php";
-
-use App\Account;
-
-$user_info = new Account();
-
-if (isset($_POST['submit'])) {
-    /*
-     |-------------------------------------------------------------
-     | Set error status to 0
-     |-------------------------------------------------------------
-     | if there are more than 0 error, then they cannot submit a
-     | request
-     |-------------------------------------------------------------   
-    */
-    $error = 0;
-
-    // Validate new password
-    if (empty(trim($_POST["new_password"]))) {
-        ?>
-            <script>
-                sniffleAdd('Meep', 'Enter a new password!', 'var(--red)', 'assets/icons/cross.svg');
-                flyoutClose();
-            </script>
-        <?php
-        $error += 1;
-    } elseif(strlen(trim($_POST["new_password"])) < 6) {
-        ?>
-            <script>
-                sniffleAdd('Not long enough...', 'Password, must be 6 or more characters in length uwu', 'var(--red)', 'assets/icons/cross.svg');
-                flyoutClose();
-            </script>
-        <?php
-        $error += 1;
-    } else {
-        $new_password = trim($_POST["new_password"]);
-    }
-    
-    // Validate confirm password
-    if (empty(trim($_POST["confirm_password"]))) {
-        ?>
-            <script>
-                sniffleAdd('Meep', 'You must confirm the password!!!!', 'var(--red)', 'assets/icons/cross.svg');
-                flyoutClose();
-            </script>
-        <?php
-        $error += 1;
-    } else {
-        $confirm_password = trim($_POST["confirm_password"]);
-        if(empty($error) && ($new_password != $confirm_password)) {
-            ?>
-                <script>
-                    sniffleAdd('AAAA', 'Passwords do not match!!!', 'var(--red)', 'assets/icons/cross.svg');
-                    flyoutClose();
-                </script>
-            <?php
-            $error += 1;
-        }
-    }
-
-    if (isset($_POST['id']) && $user_info->is_admin($conn, $_SESSION["id"])) {
-        $user_id = $_POST['id'];
-    } elseif (empty($_POST['id'])) {
-        $user_id = $_SESSION["id"];
-    } else {
-        ?>
-            <script>
-                sniffleAdd('Oopsie', 'An error occured while figuring out which user to change the password of... Are you an admin?', 'var(--red)', 'assets/icons/cross.svg');
-                flyoutClose();
-            </script>
-        <?php
-        $error += 1;
-    }
-
-    // Check for errors
-    if ($error <= 0) {
-        // Prepare for wack
-        $sql = "UPDATE users SET password = ? WHERE id = ?";
-    
-        if ($stmt = mysqli_prepare($conn, $sql)) {
-            mysqli_stmt_bind_param($stmt, "si", $param_password, $param_id);
-    
-            // Setting up Password parameters
-            $param_password = password_hash($new_password, PASSWORD_DEFAULT);
-            $param_id = $user_id;
-    
-            // Attempt to execute (sus)
-            if (mysqli_stmt_execute($stmt)) {
-                // Password updated!!!! Now goodbye
-                if ($user_id == $_SESSION["id"]) {
-                    // Check if password reset was done by user
-                    session_destroy();
-                    ?>
-                        <script>
-                            sniffleAdd('Password updated', 'Now goodbye.... you will be redirected in a moment', 'var(--green)', 'assets/icons/check.svg');
-                            setTimeout(function(){window.location.href = "account/login.php";}, 2000);
-                        </script>
-                    <?php
-                } else {
-                    // An admin has changed the password
-                    ?>
-                        <script>
-                            sniffleAdd('Password updated', 'Password has been reset for user! But their session may still be active', 'var(--green)', 'assets/icons/check.svg');
-                            flyoutClose();
-                        </script>
-                    <?php
-                }
-            } else {
-                ?>
-                    <script>
-                        sniffleAdd('Bruh', 'Something happened on our end, sowwy', 'var(--red)', 'assets/icons/cross.svg');
-                        flyoutClose();
-                    </script>
-                <?php
-            }
-        }
-    }
-}
\ No newline at end of file
diff --git a/app/server/conn.php b/app/server/conn.php
index 08cedde..e29e090 100644
--- a/app/server/conn.php
+++ b/app/server/conn.php
@@ -2,14 +2,16 @@
 /*
 	Connect to database
 
-	Dunno what else to put here lol
+	Make sure to enter your correct database details,
+	else it may cause issues with loading the page
 */
-try {
-	$conn_ip = "192.168.0.79:3306";
-	$conn_username = "uwu";
-	$conn_password = "fennec621";
-	$conn_database = "gallery";
 
+$conn_ip = "192.168.0.79:3306";
+$conn_username = "uwu";
+$conn_password = "fennec621";
+$conn_database = "gallery";
+
+try {
 	$conn = @mysqli_connect($conn_ip, $conn_username, $conn_password , $conn_database);
 } catch (Exception $e) {
 	header("location: error.php?e=conn");
diff --git a/css/main.css b/css/main.css
index 4e65078..2d0dec7 100644
--- a/css/main.css
+++ b/css/main.css
@@ -1019,6 +1019,7 @@ body * {
 .btn:hover {
   outline: #E8E3E3 0.2rem solid;
   color: #E8E3E3;
+  cursor: pointer;
 }
 .btn:where(input[type=file])::-webkit-file-upload-button {
   margin: -0.25rem 0.5rem -0.25rem -0.25rem;
diff --git a/css/main.scss b/css/main.scss
index 01fe8a3..9082cdc 100644
--- a/css/main.scss
+++ b/css/main.scss
@@ -85,6 +85,8 @@ body {
     &:hover {
         outline: $white 0.2rem solid;
         color: $fg;
+
+        cursor: pointer;
     }
 
     &:where(input[type="file"])::file-selector-button {
diff --git a/password-reset.php b/password-reset.php
index 762799e..3f632b4 100644
--- a/password-reset.php
+++ b/password-reset.php
@@ -40,10 +40,10 @@
 			var new_password = $("#newPassword").val();
 			var confirm_password = $("#confirmPassword").val();
 			var submit = $("#passwordSubmit").val();
-			$("#sniffle").load("app/account/password_reset.php", {
+			$("#sniffle").load("app/account/account.php", {
 				new_password: new_password,
 				confirm_password: confirm_password,
-				submit: submit
+				password_reset_submit: submit
 			});
 		});
 	</script>