From 62e4c56658ea15705b27c9ba8f73e07a3211b8a6 Mon Sep 17 00:00:00 2001 From: Furentes Date: Thu, 16 May 2019 13:25:21 +0200 Subject: [PATCH] Added many stuff Too lazy to write what --- index.php | 10 +++ lib/Bloggr/auth.php | 204 +++++++++++++++++++++++++++++++++++++++++++- lib/autoload.php | 2 + lib/config.php | 2 +- lib/sql/db.sql | 11 +++ lib/sql/posts.sql | 73 ---------------- post.php | 46 +++++++--- register.php | 2 +- settings.php | 63 ++++++++++++++ users.php | 74 ++++++++++++++++ 10 files changed, 400 insertions(+), 87 deletions(-) delete mode 100644 lib/sql/posts.sql create mode 100644 settings.php create mode 100644 users.php diff --git a/index.php b/index.php index 2aab7b9..8b06e59 100644 --- a/index.php +++ b/index.php @@ -13,6 +13,13 @@ $posts = $auth->getAllPosts(); hasRole([ \Bloggr\Roles::ADMIN ])) { + ?> +

+ Users +

+ hasRole([ \Bloggr\Roles::ADMIN, \Bloggr\Roles::AUTHOR ])) { ?>

@@ -31,6 +38,9 @@ $posts = $auth->getAllPosts(); +

+ Einstellungen +

Logout

diff --git a/lib/Bloggr/auth.php b/lib/Bloggr/auth.php index b04ac86..034a3db 100644 --- a/lib/Bloggr/auth.php +++ b/lib/Bloggr/auth.php @@ -241,8 +241,30 @@ class Auth } return $id; } + public function canEditPost($id) { + if (!$this->isLoggedIn()) return false; + if (!$this->hasRole(\Bloggr\Roles::ADMIN)) { + try { + $s = $this->pdo->prepare("SELECT id FROM posts WHERE id = :id AND user = :user LIMIT 1;"); + $s->execute(array( + ':id' => $id, + ':user' => $this->getId(), + )); + + if ($s->rowCount() <= 0) { + return false; + } + + return true; + } catch (\PDOException $e) { + return false; + } + } + return true; + } public function editPost($id, $title, $text) { if (!$this->isLoggedIn()) return false; + if (!$this->canEditPost($id)) return false; $errors = array(); $title = htmlspecialchars(trim(filter_var($title, FILTER_SANITIZE_STRING))); @@ -279,11 +301,12 @@ class Auth return $errors; } try { - $s = $this->pdo->prepare("UPDATE posts SET title = :title, text = :text, updated_at = :updated_at WHERE id = :id LIMIT 1;"); + $s = $this->pdo->prepare("UPDATE posts SET title = :title, text = :text, updated_at = :updated_at, updated_by = :updated_by WHERE id = :id LIMIT 1;"); $r = $s->execute(array( ':title' => $title, ':text' => $text, ':updated_at' => $updated_at, + ':updated_by' => $this->getId(), ':id' => $id, )); if(!$r) { @@ -314,6 +337,9 @@ class Auth while ($row = $s->fetch()) { $row['user'] = $this->getUsernameById($row['user']); + if ($row['updated_by'] && $row['updated_by'] != 0) { + $row['updated_by'] = $this->getUsernameById($row['updated_by']); + } return $row; } 
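Review bot: canEditPost calls `$this->hasRole(\Bloggr\Roles::ADMIN)` with a bare constant, while every other call site in this patch passes an array (`hasRole([ \Bloggr\Roles::ADMIN ])`); hasRole's definition is outside the hunk, so if it iterates its argument the scalar form would not grant admins the bypass and they would fall through to the ownership query — safe, but inconsistent, so confirm which form it accepts and use one everywhere. The ownership test relies on `$s->rowCount()` after a SELECT, which PDO does not guarantee for every driver; `$s->fetchColumn() !== false` is the portable check. A docblock should pin the contract callers depend on: `/** True when the current user owns post $id or is an admin; false when logged out or on any DB error. */`. editPost continues outside the hunk.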
@@ -342,5 +368,181 @@ class Auth return $posts; } } + public function commentPost($id, $comment) { + if (empty($id) || !\is_numeric($id)) { + return false; + } + if (!$this->isLoggedIn()) return false; + + $errors = array(); + $comment = htmlspecialchars(trim($comment, FILTER_SANITIZE_STRING)); + $created_at = time(); + if (strlen($comment) < 3) { + array_push($errors, 'Text is too short! Min. 3'); + } + if (strlen($comment) > 256) { + array_push($errors, 'Text is too long! Max. 256'); + } + if (count($errors) > 0) { + return $errors; + } + try { + $s = $this->pdo->prepare("INSERT INTO comments (post, user, comment, created_at) VALUES(:post, :user, :comment, :created_at);"); + $r = $s->execute(array( + ':post' => $id, + ':user' => $this->getId(), + ':comment' => $comment, + ':created_at' => $created_at, + )); + if(!$r) { + array_push($errors, 'Something went wrong!'); + } + if (count($errors) > 0) { + return $errors; + } + return true; + } catch (\PDOException $e) { + array_push($errors, 'Something went wrong!'); + } + if (count($errors) > 0) { + return $errors; + } + return false; + } + public function getPostComments($id) { + if (empty($id) || !\is_numeric($id)) { + return false; + } + + try { + $s = $this->pdo->prepare("SELECT * FROM comments WHERE post = :id ORDER BY id DESC;"); + $s->execute(array( + ':id' => $id, + )); + + if ($s->rowCount() <= 0) { + return false; + } + $rows = []; + + while ($row = $s->fetch()) { + $row['user'] = $this->getUsernameById($row['user']); + array_push($rows, $row); + } + return $rows; + + return false; + } catch (\PDOException $e) { + return false; + } + } + public function getAllUsers() { + try { + $users = []; + $sql = "SELECT * FROM users ORDER BY id ASC"; + $result = $this->pdo->query($sql); + + if (!$result) { + return false; + } + + foreach ($result as $row) { + array_push($users, $row); + } + + return $users; + } catch (\PDOException $e) { + return $users; + } + } + public function updateUserRole($id, $role = 0) { + if 
(!$this->isLoggedIn()) return false; + if (!$this->hasRole([ \Bloggr\Roles::ADMIN ])) { + return false; + } + if (empty($id) || !\is_numeric($id)) { + return false; + } + if (!isset($role) || !\is_numeric($role)) { + return false; + } + + $errors = array(); + + try { + $s = $this->pdo->prepare("UPDATE users SET roles_mask = :role WHERE id = :id LIMIT 1;"); + $r = $s->execute(array( + ':role' => $role, + ':id' => $id, + )); + if(!$r) { + array_push($errors, 'Something went wrong!'); + } + } catch (\PDOException $e) { + array_push($errors, 'Something went wrong!'); + } + if (count($errors) > 0) { + return $errors; + } + return true; + } + public function updatePassword($old, $new, $repeat) { + if (!$this->isLoggedIn()) return false; + $errors = array(); + + $old = filter_var($old, FILTER_SANITIZE_STRING); + $new = filter_var($new, FILTER_SANITIZE_STRING); + $repeat = filter_var($repeat, FILTER_SANITIZE_STRING); + + try { + $s = $this->pdo->prepare("SELECT id, username, email, password FROM users WHERE id = :id LIMIT 1;"); + $s->execute(array( + ':id' => $this->getId() + )); + if ($s->rowCount() <= 0) { + array_push($errors, 'User not found!'); + } else { + while ($row = $s->fetch()) { + if (!password_verify($old, $row['password'])) { + array_push($errors, 'Wrong password!'); + } + } + } + } catch (\PDOException $e) { + array_push($errors, 'Something went wrong!'); + } + if (count($errors) > 0) { + return $errors; + } + if ($new != $repeat) { + array_push($errors, 'Password repeat wrong!'); + } + if (strlen(trim($new)) < 8) { + array_push($errors, 'Password is too short! 
Min 8'); + } + if (count($errors) > 0) { + return $errors; + } + if (count($errors) > 0) { + return $errors; + } + + try { + $s = $this->pdo->prepare("UPDATE users SET password = :password WHERE id = :id LIMIT 1;"); + $r = $s->execute(array( + ':password' => password_hash($new, PASSWORD_DEFAULT), + ':id' => $this->getId(), + )); + if(!$r) { + array_push($errors, 'Something went wrong!'); + } + } catch (\PDOException $e) { + array_push($errors, 'Something went wrong!'); + } + if (count($errors) > 0) { + return $errors; + } + return true; + } } ?> \ No newline at end of file diff --git a/lib/autoload.php b/lib/autoload.php index cb9579f..f7a54be 100644 --- a/lib/autoload.php +++ b/lib/autoload.php @@ -1,4 +1,6 @@ commentPost($_GET['view'], $_POST['comment']); + } $result = $auth->getPost($_GET['view']); + $result_comments = $auth->getPostComments($_GET['view']); if(!$result) { array_push($errors, '404 Not Found'); } else { @@ -27,7 +31,8 @@ else if (isset($_GET['new'])) { } else if (isset($_GET['edit'])) { $action = 'edit'; -} else { +} +else { array_push($errors, '404 Not Found'); } @@ -62,15 +67,6 @@ if ($action == 'edit') { $data = $result; } } - -if (isset($_POST['login'])) { - $login = $auth->login($_POST['user'], $_POST['password']); - if (is_array($login)) { - $errors = $login; - } else { - header('Location: /'); - } -} ?> @@ -96,13 +92,41 @@ if (isset($_POST['login'])) { if($success == true) { echo 'Post bearbeitet!
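Review bot: In commentPost, `trim($comment, FILTER_SANITIZE_STRING)` passes the filter constant as trim's character list, so the comment is stripped of the characters "5", "1" and "3" at both ends and no sanitising filter runs at all; the form that matches editPost earlier in this file is `$comment = htmlspecialchars(trim(filter_var($comment, FILTER_SANITIZE_STRING)));` (note FILTER_SANITIZE_STRING is deprecated as of PHP 8.1). In updatePassword the repeat check `if ($new != $repeat)` is a loose comparison, under which numeric-looking strings such as "1e3" and "1000" compare equal; use `!==`, and drop the duplicated `if (count($errors) > 0)` block that follows it. getAllUsers selects `*` from users, which hands every password hash to the template in users.php; select only what the page renders, e.g. `SELECT id, username, email, roles_mask FROM users ORDER BY id ASC`. updateUserRole accepts any numeric `$role` for any `$id`, including the caller's own, so an admin can strip their own admin bit; consider validating the mask against the known role constants and rejecting `$id == $this->getId()`.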
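Review bot: The return value of `$auth->commentPost($_GET['view'], $_POST['comment'])` is discarded, so the validation messages it returns (too short, too long, DB failure) never reach `$errors` and the page renders as if the comment had been saved; assign it like the other calls in this file, `$comment = $auth->commentPost($_GET['view'], $_POST['comment']); if (is_array($comment)) { $errors = $comment; }`. The comment is submitted by a plain form with no CSRF token, so a logged-in user's browser can be made to post comments on their behalf from another site; the same gap applies to the password form in settings.php and the role form in users.php, so a per-session token checked with `hash_equals()` on each of those POST handlers would close all three. The hunk header for this part of post.php did not survive extraction, so the enclosing block's boundaries cannot be confirmed from here.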
'; } - if ($action == 'view'): + if ($auth->canEditPost($data["id"]) == true) echo 'Edit Post'; ?>

Titel:

Text:

Author:

+

Last edit at

+ isLoggedIn()) { + ?> +

+

+ + +
+

+ +

+ -
+ +

+
-

Login

+

Register

$value): diff --git a/settings.php b/settings.php new file mode 100644 index 0000000..8742a4a --- /dev/null +++ b/settings.php @@ -0,0 +1,63 @@ +isLoggedIn()) { + header('Location: /'); + die(); +} + +$errors = []; +$action = ''; +$data = []; +$view = false; +$success = false; + + +if(isset($_POST['update'])) { + $result = $auth->updatePassword($_POST['opassword'], $_POST['npassword'], $_POST['rpassword']); + + if (is_array($result)) { + $errors = $result; + } else { + $success = true; + } +} + +?> + + + + + + + Home - <?= (defined("SITE_TITLE")) ? SITE_TITLE : 'A Bloggr Site' ?> + + +
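Review bot: `if ($auth->canEditPost($data["id"]) == true) echo ...` compares a bool against `== true`, which adds nothing — canEditPost already returns false for a logged-out user and for a DB error — so `if ($auth->canEditPost($data['id']))` says the same thing without the loose comparison. The brace-less single-statement `if` that replaces the `if ($action == 'view'):` alternative syntax is also at odds with the braced style used elsewhere in this file. The HTML in this hunk did not survive extraction, so the comment-rendering and form lines cannot be reviewed here.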
+ Home +

Change Password

+ $value): + ?> + + +
+ Passwort aktualisiert!
'; + } + ?> +
+ +
+ +
+ +
+ +
+
+ + diff --git a/users.php b/users.php new file mode 100644 index 0000000..bc768e6 --- /dev/null +++ b/users.php @@ -0,0 +1,74 @@ +hasRole([ \Bloggr\Roles::ADMIN ])) { + header('Location: /'); + die(); +} + +$errors = []; +$action = ''; +$data = []; +$view = false; + + +if(isset($_GET['view'])) { + if (!empty($_GET['view']) && \is_numeric($_GET['view'])) { + $view = $_GET['view']; + } + + if(isset($_POST['update'])) { + $update = $auth->updateUserRole($view, $_POST['role']); + } + +} + +$users = $auth->getAllUsers(); +?> + + + + + + + Home - <?= (defined("SITE_TITLE")) ? SITE_TITLE : 'A Bloggr Site' ?> + + +
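Review bot: settings.php reads `$_POST['opassword']`, `$_POST['npassword']` and `$_POST['rpassword']` without checking they exist, so a request carrying only `update` raises undefined-index warnings and passes null through to updatePassword; use `$_POST['opassword'] ?? ''` for each, or reject the request when any field is missing. `$action`, `$data` and `$view` are initialised but never used in this file and look copied from post.php; drop them. A short header comment would help the next reader: `// Password change form for the logged-in user; all validation happens in Auth::updatePassword.`.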
+ Home +

Users

+ Back
'; + $found = false; + foreach ($users as $key => $value) { + if($value['id'] == $view) { + $found = true; + + ?> +
+
+
+ +
+ +
+ $value) { + echo ''.$value['id'].' - '.$value['username'].'
'; + $count++; + } + } + ?> +
+ +
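Review bot: The result of `$update = $auth->updateUserRole($view, $_POST['role'])` is never read, so the error list it returns on a failed update is lost and the page shows the old role with no message; treat it like the other handlers, `if (is_array($update)) { $errors = $update; }`, and read the field as `$_POST['role'] ?? null` so a missing field does not warn. `$value['username']` is echoed into the list with plain concatenation and no `htmlspecialchars()`; register.php is not visible in this patch, so unless usernames are proven to be escaped on the way in, escape them here at output. `if($value['id'] == $view)` compares an int column with the string from `$_GET['view']`; casting once, `$view = (int) $_GET['view'];`, lets the loop use `===`.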