Fixed some todos & added email validation

Author: Pryx

admin/index.php

@@ -9,8 +9,6 @@
   User::restore_session();
 }
 
-//TODO: CHeck if user deactivated
-
 if (!isset($_SESSION['user']))
 {
   if (isset($_GET['do']) && $_GET['do']=="lost-password")

admin/lost-password.php

@@ -13,7 +13,7 @@
       $user->change_password($_POST['token']);
       if (isset($message)){?>
       <p class="alert alert-danger"><?php echo $message?></p>
-      <a href="<?php echo WEB_URL;?>/admin/?do=lost-password<?php echo "&id=".$_POST['id']."&token=".$_POST['token'];?>"><?php echo _("Go back");?> </a>
+      <a href="<?php echo WEB_URL;?>/admin/?do=lost-password<?php echo "&amp;id=".$_POST['id']."&amp;token=".$_POST['token'];?>"><?php echo _("Go back");?> </a>
       <?php 
       }
         else{?>

admin/new-user.php

@@ -9,7 +9,7 @@
     <h2>Add new user</h2>
 </div>
 
-<form action="<?php echo WEB_URL;?>/admin/?do=new-user&new=user" method="POST" class="form-horizontal">
+<form action="<?php echo WEB_URL;?>/admin/?do=new-user&amp;new=user" method="POST" class="form-horizontal">
 	<?php if (isset($message))
     {?>
       <p class="alert alert-danger"><?php echo $message?></p>

admin/settings.php

@@ -22,7 +22,7 @@
 <section>
 <h3 class="pull-left"><?php echo _("Services");?></h3>
 <?php if ($user->get_rank() <= 1){?>
-<form action="?do=settings&new=service" method="post">
+<form action="?do=settings&amp;new=service" method="post">
 	<div class="input-group pull-right new-service">
 		<input class="form-control" name="service" placeholder="Name" type="text" value="<?php echo ((isset($_POST['service']))?htmlspecialchars($_POST['service']):''); ?>" maxlength="50" required>
 		<span class="input-group-btn">
@@ -52,7 +52,7 @@
 	echo "<td>".$result['name']."</td>";
 	if ($user->get_rank()<=1)
 	{
-		echo '<td><a href="'.WEB_URL.'/admin/?do=settings&delete='.$result['id'].'" class="pull-right delete-service"><i class="fa fa-trash"></i></a></td>';
+		echo '<td><a href="'.WEB_URL.'/admin/?do=settings&amp;delete='.$result['id'].'" class="pull-right delete-service"><i class="fa fa-trash"></i></a></td>';
 	}
 	echo "</tr>";
 }?>
@@ -74,7 +74,7 @@
 {
 	echo "<tr>";
 	echo "<td>".$result['id']."</td>";
-	echo "<td><a href='".WEB_URL."/admin/?do=user&id=".$result['id']."'>".$result['username']."</a></td>";
+	echo "<td><a href='".WEB_URL."/admin/?do=user&amp;id=".$result['id']."'>".$result['username']."</a></td>";
 	echo "<td>".$result['name']."</td>";
 	echo "<td>".$result['surname']."</td>";
 	echo "<td><a href=\"mailto:".$result['email']."\">".$result['email']."</a></td>";

classes/constellation.php

@@ -39,7 +39,7 @@ public function render_incidents($future=false, $offset=0, $limit = 5, $admin =
     {
       if ($offset) 
       {
-        echo '<noscript><div class="centered"><a href="'.WEB_URL.'/?offset='.($offset-$limit+1).'&timestamp='.$timestamp.'" class="btn btn-default">'._("Back").'</a></div></noscript>';
+        echo '<noscript><div class="centered"><a href="'.WEB_URL.'/?offset='.($offset-$limit+1).'&amp;timestamp='.$timestamp.'" class="btn btn-default">'._("Back").'</a></div></noscript>';
       }
       echo "<h3>"._("Past incidents")."</h3>";
     }
@@ -59,7 +59,7 @@ public function render_incidents($future=false, $offset=0, $limit = 5, $admin =
       }
       if ($show)
       {
-        echo '<div class="centered"><a href="'.WEB_URL.'/?offset='.($offset).'&timestamp='.$timestamp.'" id="loadmore" class="btn btn-default">'._("Load more").'</a></div>';
+        echo '<div class="centered"><a href="'.WEB_URL.'/?offset='.($offset).'&amp;timestamp='.$timestamp.'" id="loadmore" class="btn btn-default">'._("Load more").'</a></div>';
       }
     }
   }

classes/incident.php

@@ -37,8 +37,20 @@ function __construct($data)
    * @param int ID
    */
   public static function delete($id){
-  	//TODO: This should check whether it's admin or their own post...
-    global $mysqli, $message;
+    global $mysqli, $message, $user;
+
+    if ($user->get_rank() > 1)
+    {
+      $stmt = $mysqli->prepare("SELECT count(*) as count FROM status WHERE id= ? AND user_id = ?");
+      $stmt->bind_param("ii", $id, $_SESSION['user']);
+      $stmt->execute();
+      $query = $stmt->get_result();
+      if (!$query->fetch_assoc()['count'])
+      {
+        $message = _("You don't have permission to do that!");
+        return;
+      }
+    }
 
     $stmt = $mysqli->prepare("DELETE FROM services_status WHERE status_id = ?");
     $stmt->bind_param("i", $id);
@@ -164,7 +176,7 @@ public function render($admin=0){
         <div class="panel-footer clearfix">
           <small><?php echo _("Posted by");?>: <?php echo $this->username; 
           if (isset($this->end_date)){?> 
-            <span class="pull-right"><?php echo strtotime($this->end_date)>time()?_("Ending"):_("Ended");?>:&nbsp;<time class="pull-right timeago" datetime="<?php echo $this->end_date; ?>"><?php echo $this->end_date; ?></time></span>
+            <span class="pull-right"><?php echo strtotime($this->end_date)>time()?_("Ending"):_("Ended");?>: <time class="pull-right timeago" datetime="<?php echo $this->end_date; ?>"><?php echo $this->end_date; ?></time></span>
             <?php } ?>
           </small>
         </div>

classes/user.php

@@ -97,7 +97,7 @@ public function toggle()
       $stmt->bind_param("i", $this->id);
       $stmt->execute();
       $stmt->close();
-      header("Location: ".WEB_URL."/admin/?do=user&id=".$id);
+      header("Location: ".WEB_URL."/admin/?do=user&id=".$id);
     }else{
       $message = _("You don't have the permission to do that!");
     }
@@ -138,6 +138,12 @@ public static function add()
         $username = $_POST['username'];
         $email = $_POST['email'];
         $pass = $_POST['password'];
+        
+        if (!filter_var($email, FILTER_VALIDATE_EMAIL))
+        {
+          $message = "Invalid email!";
+          return;
+        }
 
         $variables = array();
         if (strlen($name)>50){
@@ -153,6 +159,7 @@ public static function add()
           $variables[] = 'email: 60';
         }
 
+
         if (!empty($variables))
         {
           $message = _("Please mind the following character limits: ");
@@ -308,16 +315,16 @@ public function render_user_settings()
     </div>
     <div class="row">
       <div class="col-md-2 col-md-offset-2"><strong><?php echo _("Username");?></strong></div>
-      <div class="col-md-6"><?php echo $this->username."&nbsp;"; if ($this->id!=$_SESSION['user'] && $user->get_rank()<=1 && ($user->get_rank()<$this->rank))
+      <div class="col-md-6"><?php echo $this->username." "; if ($this->id!=$_SESSION['user'] && $user->get_rank()<=1 && ($user->get_rank()<$this->rank))
       {
-        echo "<a href='".WEB_URL."/admin/?do=user&id=".$this->id."&what=toggle'>";
+        echo "<a href='".WEB_URL."/admin/?do=user&amp;id=".$this->id."&amp;what=toggle'>";
         echo "<i class='fa fa-".($this->active?"check success":"times danger")."'></i></a>";
       }else{
         echo "<i class='fa fa-".($this->active?"check success":"times danger")."'></i>";
       }?></div>
     </div>
 
-    <form action="<?php echo WEB_URL;?>/admin/?do=user&id=<?php echo $this->id; ?>" method="POST">
+    <form action="<?php echo WEB_URL;?>/admin/?do=user&amp;id=<?php echo $this->id; ?>" method="POST">
       <div class="row">
         <div class="col-md-2 col-md-offset-2"><strong><?php echo _("Role");?></strong></div>
         <div class="col-md-6"><?php if ($user->get_rank() == 0 && $this->id != $_SESSION['user']){?> <div class="input-group"><select class="form-control" name="permission"><?php foreach ($permissions as $key => $value) {
@@ -477,11 +484,11 @@ public static function password_link()
 
     $token = Token::new($id, 'passwd', $time);
 
-    $link = WEB_URL."/admin/?do=lost-password&id=$id&token=$token";
+    $link = WEB_URL."/admin/?do=lost-password&amp;id=$id&amp;token=$token";
     $to      = $email;
     $user = new User($id);
     $subject = _('Reset password') . ' - '.NAME;
-    $msg = sprintf(_( "Hi %s!<br>Below you will find link to change your password. The link is valid for 24hrs. If you didn't request this, feel free to ignore it. <br><br><a href=\"%s\">RESET PASSWORD</a><br><br>If the link doesn't work, copy & paste it into your browser: <br>%s"), $user->get_name(), $link, $link);
+    $msg = sprintf(_( "Hi %s!<br>Below you will find link to change your password. The link is valid for 24hrs. If you didn't request this, feel free to ignore it. <br><br><a href=\"%s\">RESET PASSWORD</a><br><br>If the link doesn't work, copy &amp; paste it into your browser: <br>%s"), $user->get_name(), $link, $link);
     $headers = "Content-Type: text/html; charset=utf-8 ".PHP_EOL;
     $headers .= "MIME-Version: 1.0 ".PHP_EOL;
     $headers .= "From: ".MAILER_NAME.' <'.MAILER_ADDRESS.'>'.PHP_EOL;
@@ -503,10 +510,10 @@ public function email_link(){
     $token = Token::new($id, 'email;$email', $time);
 
 
-    $link = WEB_URL."/admin/?do=change-email&id=$id&token=$token";
+    $link = WEB_URL."/admin/?do=change-email&amp;id=$id&amp;token=$token";
     $to      = $email;
     $subject = _('Email change').' - '.NAME;
-    $msg = sprintf(_( "Hi %s!<br>Below you will find link to change your email. The link is valid for 24hrs. If you didn't request this, feel free to ignore it. <br><br><a href=\"%s\">CHANGE EMAIL</a><br><br>If the link doesn't work, copy & paste it into your browser: <br>%s"), $user->get_name(), $link, $link);
+    $msg = sprintf(_( "Hi %s!<br>Below you will find link to change your email. The link is valid for 24hrs. If you didn't request this, feel free to ignore it. <br><br><a href=\"%s\">CHANGE EMAIL</a><br><br>If the link doesn't work, copy &amp; paste it into your browser: <br>%s"), $user->get_name(), $link, $link);
     $headers = "Content-Type: text/html; charset=utf-8 ".PHP_EOL;
     $headers .= "MIME-Version: 1.0 ".PHP_EOL;
     $headers .= "From: ".MAILER_NAME.' <'.MAILER_ADDRESS.'>'.PHP_EOL;
@@ -581,7 +588,7 @@ public function change_permission(){
       $stmt = $mysqli->prepare("UPDATE users SET permission=? WHERE id=?");
       $stmt->bind_param("si", $permission, $id);
       $stmt->execute();  
-      header("Location: ".WEB_URL."/admin/?do=user&id=".$id);
+      header("Location: ".WEB_URL."/admin/?do=user&amp;id=".$id);
     }
     else{
       $message = _("You don't have permission to do that!");