From 6541972a3cae867d99301b0b8ea92f8e33a2a217 Mon Sep 17 00:00:00 2001
From: Josh North <josh.north@point808.com>
Date: Mon, 23 Feb 2015 03:09:15 -0500
Subject: [PATCH] password change implemented, 4+ char requirement

---
 includes/functions.inc.php | 14 +++++++++--
 index.php                  | 14 +++++------
 profile.php                | 50 +++++++++++++++++++++++---------------
 reports.php                |  4 +++
 users.php                  | 10 +++++---
 5 files changed, 59 insertions(+), 33 deletions(-)

diff --git a/includes/functions.inc.php b/includes/functions.inc.php
index d7e42e3..1b41ba3 100755
--- a/includes/functions.inc.php
+++ b/includes/functions.inc.php
@@ -17,7 +17,17 @@ $stmt->execute(array(
     ':userid' => $userid,
     ':firstname' => $firstname,
     ':lastname' => $lastname,
-    ':email' => $email
+    ':email' => $email,
+    ));
+}
+
+// Update user profile
+function updateUserPassword($yaptc_db, $userid, $password)
+{
+$stmt = $yaptc_db->prepare("UPDATE users SET password = :password WHERE id = :userid;");
+$stmt->execute(array(
+    ':userid' => $userid,
+    ':password' => $password,
     ));
 }
 
@@ -45,7 +55,7 @@ function killSession()
 function getSessionAccess($yaptc_db)
 {
     if (isset($_SESSION['user_id'])) {
-        $query3 = "SELECT users.id as userid, usertypes.typename AS usertype FROM users, usertypes WHERE users.id = :id";
+        $query3 = "SELECT users.id as userid, usertypes.typename AS usertype FROM yaptc.users INNER JOIN yaptc.usertypes ON users.usertype = usertypes.id WHERE users.id = :id";
         $stmt3  = $yaptc_db->prepare($query3);
         $stmt3->execute(array(
             ':id' => $_SESSION['user_id']
diff --git a/index.php b/index.php
index 054a256..1e2262f 100755
--- a/index.php
+++ b/index.php
@@ -24,17 +24,15 @@ else: ?>
 <h2 class="content-subhead">Quick Punch</h2>
 <p>Clicking the button below will immediately enter a new punch for you depending on your current status.  Any notes you enter will be attached to the punch for your administrator to review.</p>
 <form class="pure-form pure-form-stacked" action="index.php" method="post">
-<fieldset>
-<input class="pure-input-1" type="text" name="notes" placeholder="Enter notes if needed" maxlength="255" value="<?php if (isset($notes)): echo $notes; endif; ?>">
-<div class="pure-controls">
+<fieldset id="punch">
+<input type="text" name="notes" placeholder="Enter notes if needed" maxlength="255" value="<?php if (isset($notes)): echo $notes; endif; ?>">
 <?php if ($status == "In"): ?>
-    <button type="submit" class="pure-button button-xlarge button-success pure-button-disabled">Punch IN</button>
-    <button type="submit" class="pure-button button-xlarge button-error">Punch OUT</button>
+    <button type="submit" class="pure-button button-success pure-button-disabled">Punch IN</button>
+    <button type="submit" class="pure-button button-error">Punch OUT</button>
 <?php elseif ($status == "Out"): ?>
-    <button type="submit" class="pure-button button-xlarge button-success">Punch IN</button>
-    <button type="submit" class="pure-button button-xlarge button-error pure-button-disabled">Punch OUT</button>
+    <button type="submit" class="pure-button button-success">Punch IN</button>
+    <button type="submit" class="pure-button button-error pure-button-disabled">Punch OUT</button>
 <?php endif; ?>
-</div>
 </fieldset>
 </form>
 
diff --git a/profile.php b/profile.php
index 4bb01a0..ee9159c 100755
--- a/profile.php
+++ b/profile.php
@@ -11,8 +11,33 @@ else:
 //********** BEGIN CONTENT **********// ?>
 
 <?php
+if (!empty($_POST)):
+    if (empty($_POST['password']) && empty($_POST['newpassword2'])):
+        updateUserProfile($yaptc_db, $_SESSION['user_id'], $_POST['firstname'], $_POST['lastname'], $_POST['email']);
+        header('Location: ' . $_SERVER['PHP_SELF']);
+    elseif ($_POST['password'] != $_POST['newpassword2']):
+        $errors['newpassword2'] = "New passwords do not match.";
+    elseif (!empty($_POST['password']) && ($_POST['password'] = $_POST['newpassword2'])):
 require_once($yaptc_lib . "phpass-0.3/PasswordHash.php");
-$query = "SELECT users.id, users.password, users.created, users.username, users.firstname, users.lastname, users.email, usertypes.typename AS usertype FROM users, usertypes WHERE users.id = :id";
+    $hasher = new PasswordHash(8, FALSE);
+    $password = $hasher->HashPassword($_POST['password']);
+        updateUserPassword($yaptc_db, $_SESSION['user_id'], $password);
+        updateUserProfile($yaptc_db, $_SESSION['user_id'], $_POST['firstname'], $_POST['lastname'], $_POST['email']);
+echo $_POST['password'];
+echo $password;
+        header('Location: ' . $_SERVER['PHP_SELF']);
+
+
+    endif;
+
+
+endif;
+?>
+
+
+<?php
+
+$query = "SELECT users.id, users.password, users.created, users.username, users.firstname, users.lastname, users.email, usertypes.typename AS usertype FROM yaptc.users INNER JOIN yaptc.usertypes ON users.usertype = usertypes.id WHERE users.id = :id";
   $stmt = $yaptc_db->prepare($query);
   $stmt->execute(array(':id' => $_SESSION['user_id']));
   $user = $stmt->fetchObject();
@@ -24,7 +49,7 @@ $query = "SELECT users.id, users.password, users.created, users.username, users.
 
 <h2 class="content-subhead">Profile Information</h2>
 <p>You may make changes to your user profile below if you wish. Updates will take effect immediately on pressing "Save".</p>
-<p>PASSWORD CHANGE IS NOT CURRENTLY IMPLEMENTED</p>
+<p>To change your password, enter a new password twice below and press save.</p>
 <form class="pure-form pure-form-stacked" action="profile.php" method="post">
 <fieldset id="update">
 <div class="pure-g">
@@ -45,11 +70,10 @@ $query = "SELECT users.id, users.password, users.created, users.username, users.
 <input type="text" name="email" maxlength="100" value="<?php echo $user->email; ?>">
 </div>
 <div class="pure-u-1 pure-u-md-1-3">
-<label for="newpassword1">New Password</label>
-<input type="password" name="newpassword1" maxlength="50" disabled>
+<label for="password">New Password</label>
+<input type="password" name="password" maxlength="50">
 <label for="newpassword2">Confirm Password</label>
-<input type="password" name="newpassword2" maxlength="50" disabled>
-<?php echo isset($errors['newpassword2']) ? $errors['newpassword2'] : ''; ?>
+<input type="password" name="newpassword2" maxlength="50">
 </div>
 <div class="pure-controls pure-u-1">
 <button type="submit" class="pure-input-1 pure-button button-success ">Save</button>
@@ -58,20 +82,6 @@ $query = "SELECT users.id, users.password, users.created, users.username, users.
 </fieldset>
 </form>
 
-<?php
-if (!empty($_POST)):
-    if (empty($_POST['newpassword1']) && empty($_POST['newpassword2'])):
-        updateUserProfile($yaptc_db, $_SESSION['user_id'], $_POST['firstname'], $_POST['lastname'], $_POST['email'], $_POST['newpassword1'], $_POST['newpassword2']);
-        header('Location: ' . $_SERVER['PHP_SELF']);
-    elseif (!empty($_POST['newpassword1']) || !empty($_POST['newpassword2'])):
-        $errors['newpassword2'] = "New passwords do not match.";
-    elseif ($_POST['newpassword1'] != $_POST['newpassword2']):
-        $errors['newpassword2'] = "New passwords do not match.";
-
-    endif;
-//otherwise what?
-endif;
-?>
 
 
 
diff --git a/reports.php b/reports.php
index 58dd5b1..350f301 100755
--- a/reports.php
+++ b/reports.php
@@ -10,6 +10,7 @@ killSession();
 else: ?>
 <!-- ********** BEGIN CONTENT ********** -->
 
+<?php if ($userLogged == true && $userAccess == "Administrator"): ?>
 <h2 class="content-subhead">Punch History</h2>
 <p>Below is your company punch history.  The below drop-down can be used to select pre-configured reports.  Other reports are currently being written.</p>
 <form class="pure-form pure-form-stacked" action="reports.php" method="post">
@@ -51,6 +52,9 @@ else: ?>
 <?php else: ?>
     <p>No query to display.  Please select from the dropdown above...</p>
 <?php endif; ?>
+<?php else: ?>
+<h2 class="content-subhead">NOT AUTHORIZED!</h2>
+<?php endif; ?>
 
 <!-- ********** END CONTENT ********** -->
 <?php endif; require_once($yaptc_inc . "footer.inc.php"); ?>
diff --git a/users.php b/users.php
index 01a2148..e8c5335 100755
--- a/users.php
+++ b/users.php
@@ -10,8 +10,9 @@ killSession();
 else: ?>
 <!-- ********** BEGIN CONTENT ********** -->
 
+<?php if ($userLogged == true && $userAccess == "Administrator"): ?>
 <h2 class="content-subhead">Add User</h2>
-<p>All fields are required!  Password must be 8+ characters.  Username and email must be unique.</p>
+<p>All fields are required!  Password must be 4+ characters.  Username and email must be unique.</p>
 <?php
 require_once($yaptc_lib . "phpass-0.3/PasswordHash.php");
 if (!empty($_POST['newuser']))
@@ -28,9 +29,9 @@ if (!empty($_POST['newuser']))
     {
         $errors['password'] = "Password cannot be empty.";
     }
-    if (strlen($_POST['password']) < 8)
+    if (strlen($_POST['password']) < 4)
     {
-        $errors['password'] = "Password must be at least 8 charcaters.";
+        $errors['password'] = "Password must be at least 4 charcaters.";
     }
     if (empty($_POST['password_confirm']))
     {
@@ -194,6 +195,9 @@ echo "<td>" . $row['usertype'] . "</td>";
 </tbody>
 </table>
 
+<?php else: ?>
+<h2 class="content-subhead">NOT AUTHORIZED!</h2>
+<?php endif; ?>
 
 <!-- ********** END CONTENT ********** -->
 <?php endif; require_once($yaptc_inc . "footer.inc.php"); ?>