raspap-webgui/includes/admin.php

<?php

require_once 'includes/status_messages.php';

function DisplayAuthConfig($username, $password)
{
    $status = new StatusMessages();
    if (isset($_POST['UpdateAdminPassword'])) {
        if (password_verify($_POST['oldpass'], $password)) {
            $new_username=trim($_POST['username']);
            if ($_POST['newpass'] !== $_POST['newpassagain']) {
                $status->addMessage('New passwords do not match', 'danger');
            } elseif ($new_username == '') {
                $status->addMessage('Username must not be empty', 'danger');
            } else {
                if (!file_exists(RASPI_ADMIN_DETAILS)) {
                    $tmpauth = fopen(RASPI_ADMIN_DETAILS, 'w');
                    fclose($tmpauth);
                }

                if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) {
                    fwrite($auth_file, $new_username.PHP_EOL);
                    fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL);
                    fclose($auth_file);
                    $username = $new_username;
                    $status->addMessage('Admin password updated');
                } else {
                    $status->addMessage('Failed to update admin password', 'danger');
                }
            }
        } else {
            $status->addMessage('Old password does not match', 'danger');
        }
    }

    echo renderTemplate("admin", compact("status", "username"));
}
Add simple authentication 2016-05-29 17:38:43 +02:00			`<?php`

Processed with phpcbf 2020-02-15 18:57:46 +01:00			`require_once 'includes/status_messages.php';`
Add simple authentication 2016-05-29 17:38:43 +02:00
Processed with phpcs for PSR-2 coding standard 2019-04-10 10:37:35 +02:00			`function DisplayAuthConfig($username, $password)`
			`{`
			`$status = new StatusMessages();`
			`if (isset($_POST['UpdateAdminPassword'])) {`
remove splattered, duplicated csrf validation code since we do that always and early, now. 2019-07-30 17:05:41 +02:00			`if (password_verify($_POST['oldpass'], $password)) {`
			`$new_username=trim($_POST['username']);`
			`if ($_POST['newpass'] !== $_POST['newpassagain']) {`
			`$status->addMessage('New passwords do not match', 'danger');`
			`} elseif ($new_username == '') {`
			`$status->addMessage('Username must not be empty', 'danger');`
			`} else {`
			`if (!file_exists(RASPI_ADMIN_DETAILS)) {`
			`$tmpauth = fopen(RASPI_ADMIN_DETAILS, 'w');`
			`fclose($tmpauth);`
			`}`
Escape client input, console output etc. before doing any echo. Signed-off-by: D9ping <D9ping@users.noreply.github.com> 2018-08-04 01:58:34 +02:00
remove splattered, duplicated csrf validation code since we do that always and early, now. 2019-07-30 17:05:41 +02:00			`if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) {`
			`fwrite($auth_file, $new_username.PHP_EOL);`
			`fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL);`
			`fclose($auth_file);`
			`$username = $new_username;`
			`$status->addMessage('Admin password updated');`
			`} else {`
			`$status->addMessage('Failed to update admin password', 'danger');`
Processed with phpcs for PSR-2 coding standard 2019-04-10 10:37:35 +02:00			`}`
			`}`
			`} else {`
remove splattered, duplicated csrf validation code since we do that always and early, now. 2019-07-30 17:05:41 +02:00			`$status->addMessage('Old password does not match', 'danger');`
Tabs to spaces 2016-07-09 02:00:53 +02:00			`}`
Add CSRF token to password change page 2016-06-24 23:39:39 +02:00			`}`
Add simple authentication 2016-05-29 17:38:43 +02:00
use template for admin page 2019-08-19 00:39:22 +02:00			`echo renderTemplate("admin", compact("status", "username"));`
			`}`