From 81fcaf65d6f3bf4022c7a04e9143072d7fb823f9 Mon Sep 17 00:00:00 2001
From: Floorb <132411956+Neetpone@users.noreply.github.com>
Date: Wed, 5 Jul 2023 03:30:16 -0400
Subject: [PATCH] chore: move user actions to user_action.php

---
 includes/common.php | 6 ++++-
 public/admin/common.php | 3 +++
 public/admin/paste_action.php | 4 +++
 public/admin/user_action.php | 46 +++++++++++++++++++++++++++++++++++
 public/user.php | 28 +--------------------
 theme/bulma/user_profile.php | 3 ++-
 6 files changed, 61 insertions(+), 29 deletions(-)
 create mode 100644 public/admin/user_action.php

diff --git a/includes/common.php b/includes/common.php
index e738d98..aa61b27 100644
--- a/includes/common.php
+++ b/includes/common.php
@@ -53,7 +53,11 @@ function urlForReport(Paste $paste) : string {
 return "/report.php?id={$paste->id}";
 }
 
-function urlForMember(User $user) : string {
+function urlForMember(int | User $user) : string {
+ if (is_int($user)) {
+ $user = User::find($user);
+ }
+
 if (PP_MOD_REWRITE) {
 return '/user/' . urlencode($user->username);
 }
diff --git a/public/admin/common.php b/public/admin/common.php
index 9762837..b3e954f 100644
--- a/public/admin/common.php
+++ b/public/admin/common.php
@@ -17,6 +17,9 @@ if (!isset($_SESSION['admin_login'])) {
 if (isset($_POST['paste_id'])) {
 flashError('You must authenticate to perform that action.');
 $_SESSION['redirect_back'] = urlForPaste($_POST['paste_id']);
+ } elseif (isset($_POST['user_id'])) {
+ flashError('You must authenticate to perform that action.');
+ $_SESSION['redirect_back'] = urlForMember($_POST['user_id']);
 }
 
 header('Location: .');
diff --git a/public/admin/paste_action.php b/public/admin/paste_action.php
index ab44a37..b69a9eb 100644
--- a/public/admin/paste_action.php
+++ b/public/admin/paste_action.php
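Review bot: The new `int` branch of urlForMember leaves `$user` as null when `User::find($user)` finds no row, and the function then reads `$user->username` a few lines below, so an unknown id ends in an error on null rather than a clean failure; with the caller added in public/admin/common.php passing `$_POST['user_id']` before authentication, that path is reachable from any POST. Guard the lookup, e.g. `$user = User::find($user) ?? throw new \InvalidArgumentException('unknown user id');` (or the model layer's throwing variant of find, if it has one), and handle that exception at the call site. The body of urlForMember continues outside the hunk.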
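Review bot: The new `elseif` hands the raw `$_POST['user_id']` string to urlForMember, whose parameter is `int | User`: a non-numeric value raises a TypeError before the redirect (and any value does if this file declares strict_types, which is not visible here), so an unauthenticated request can end in an uncaught error instead of the intended bounce to `.`. Validate before calling, e.g. `$userId = filter_var($_POST['user_id'], FILTER_VALIDATE_INT);` and only set `$_SESSION['redirect_back']` when `$userId !== false` and the lookup succeeds, otherwise fall through to the plain redirect. The same unvalidated pattern already exists on the `paste_id` branch above it, so it is worth fixing both together. The enclosing `if (!isset($_SESSION['admin_login']))` block begins outside the hunk.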
@@ -17,6 +17,10 @@ if (!$paste) {
 die();
 }
 
+if (!verifyCsrfToken()) {
+ flashError('Invalid CSRF token (do you have cookies enabled?)');
+}
+
 if (isset($_POST['hide'])) {
 if (!can('hide', $paste)) {
 flashError('You do not have permission to hide this paste.');
diff --git a/public/admin/user_action.php b/public/admin/user_action.php
new file mode 100644
index 0000000..3355a88
--- /dev/null
+++ b/public/admin/user_action.php
@@ -0,0 +1,46 @@
+password = pp_password_hash($new_password);
+ $user->save();
+
+ flashSuccess('Password reset to ' . $new_password);
+ } elseif (isset($_POST['change_role'])) {
+ if ($user->role === User::ROLE_MODERATOR) {
+ $user->role = 0;
+ } elseif ($user->role === 0) {
+ $user->role = User::ROLE_MODERATOR;
+ }
+
+ $user->save();
+ flashSuccess('Role changed.');
+ }
+}
+
+header('Location: ' . urlForMember($user));
diff --git a/public/user.php b/public/user.php
index d6081d0..0879710 100644
--- a/public/user.php
+++ b/public/user.php
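Review bot: The CSRF check added to paste_action.php only flashes an error and falls through: nothing stops execution, so the `hide` branch directly below (and presumably the other action branches that follow outside the hunk) still runs on a request with a missing or wrong token, which makes the check ineffective. Stop the request in the failure branch, e.g. `flashError('Invalid CSRF token (do you have cookies enabled?)'); header('Location: ' . urlForPaste($_POST['paste_id'])); die();`, mirroring the `die()` the file already uses after the `!$paste` guard and the redirect form used in public/admin/common.php, or put the action branches in an `else`. The handlers that this change removed from public/user.php had the actions inside the `else` of the same check, so this is a regression relative to that code.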
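Review bot: The role toggle in user_action.php saves and reports `'Role changed.'` even when neither branch matched, i.e. for any role other than `0` or `User::ROLE_MODERATOR`, so the flash is wrong for those accounts and the `save()` is a pointless write. Make the no-match case explicit: `} else { flashError('This role cannot be toggled.'); header('Location: ' . urlForMember($user)); die(); }`. The start of this new file is not legible in the patch as rendered here (the hunk begins mid-statement at `password = ...`), so the `can('administrate', ...)` and `verifyCsrfToken()` checks that the removed public/user.php code performed before these writes cannot be confirmed from this view; they need to precede the first write, and a short header comment naming them would help the next reader. `flashSuccess('Password reset to ' . $new_password)` places the new plaintext password into the session flash; that behaviour is carried over unchanged, but it deserves a comment on where that message is rendered and for how long it persists.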
@@ -28,35 +28,9 @@ if (!$profile_info) {
 $can_administrate = can('administrate', $profile_info);
 
-if ($can_administrate) {
- if (isset($_POST['reset_password'])) {
- if (!verifyCsrfToken()) {
- flashError('Invalid CSRF token (do you have cookies enabled?)');
- } else {
- $new_password = pp_random_password();
- $profile_info->password = pp_password_hash($new_password);
- $profile_info->save();
-
- flashSuccess('Password reset to ' . $new_password);
- }
- } elseif (isset($_POST['change_role'])) {
- if (!verifyCsrfToken()) {
- flashError('Invalid CSRF token (do you have cookies enabled?)');
- } else {
- if ($profile_info->role === User::ROLE_MODERATOR) {
- $profile_info->role = 0;
- } elseif ($profile_info->role === 0) {
- $profile_info->role = User::ROLE_MODERATOR;
- }
- $profile_info->save();
- flashSuccess('Role changed.');
- }
- }
-}
-
 $p_title = $profile_username . "'s Public Pastes";
 
-// There has to be a way to do the sum in SQL rather than PHP, but I can't figure out ho to do it in Eloquent.
+// There has to be a way to do the sum in SQL rather than PHP, but I can't figure out how to do it in Eloquent.
 $total_pfav = array_sum(
 array_column(
 Paste::select('id')
diff --git a/theme/bulma/user_profile.php b/theme/bulma/user_profile.php
index 69c7286..5ced9b2 100644
--- a/theme/bulma/user_profile.php
+++ b/theme/bulma/user_profile.php
@@ -52,8 +52,9 @@ if ($is_current_user && isset($_GET['tab']) && $_GET['tab'] === 'favourites') {

Admin Actions:

-
+ +