From 1bacc3232ec8f5da9c458be98aa58d0670601563 Mon Sep 17 00:00:00 2001
From: cmaffio <cmaffioletti@esseweb.eu>
Date: Thu, 15 Oct 2015 13:40:45 +0200
Subject: [PATCH] Pannello gestione utenti/moduli

---
 core/function.php         |  68 ++++++++++++++++++++++-
 out.txt                   |   2 -
 permessiutenti.php        |  98 ---------------------------------
 proxy/index.php           |  17 ++++++
 updatepermessi.php        |  30 ----------
 utenti/dettlogutenti.php  |   3 +-
 utenti/index.php          |   3 +-
 utenti/logutenti.php      |   3 +-
 utenti/modutenti.php      |  36 +++++++++---
 utenti/out.txt            |  18 ++++++
 utenti/permessiutenti.php | 112 ++++++++++++++++++++++++++++++++++++++
 utenti/updatepermessi.php |  38 +++++++++++++
 12 files changed, 284 insertions(+), 144 deletions(-)
 delete mode 100644 out.txt
 delete mode 100755 permessiutenti.php
 create mode 100755 proxy/index.php
 delete mode 100755 updatepermessi.php
 create mode 100644 utenti/out.txt
 create mode 100755 utenti/permessiutenti.php
 create mode 100755 utenti/updatepermessi.php

diff --git a/core/function.php b/core/function.php
index 0f0884a..215d6a7 100755
--- a/core/function.php
+++ b/core/function.php
@@ -336,18 +336,29 @@ function lista_moduli () {
 			FROM
 				utenti
 			JOIN
-				permessi ON utenti.id = permessi.id_utenti
+				permessi ON utenti.id = permessi.id_utenti AND permessi.accesso > 0
 			JOIN
 				moduli ON moduli.id = permessi.id_moduli
 			WHERE
 				utenti.utente = '".$_SESSION['username']."'
+			AND
+				moduli.attivo = 1
 		";
 
 	$menu[] =	array("Home", $CONF['base_url']."/core/main.php");
 
 	if ($UTENTE['admin']) {
 		$menu[]	=	array("Configurazione", $CONF['base_url']."/core/conf.php");
-		$query .= " OR  moduli.superadmin = 1";
+		$query .= "	UNION DISTINCT SELECT
+					moduli.nome AS nome,
+					moduli.directory AS directory
+				FROM
+					moduli
+				WHERE
+					moduli.superadmin > 0
+				AND
+					moduli.attivo = 1
+			";
 	}
 
 	$res = mysql_query( $query, $DB_ID );
@@ -379,4 +390,57 @@ function lista_moduli () {
 <?php
 }
 
+function diritti () {
+	global $UTENTE, $DB_ID, $CONF;
+
+	preg_match ('/^'.preg_replace('/\//','\/',$CONF['base_url']).'\/([^\/]+)\/.*/', $_SERVER['REQUEST_URI'], $trovato);
+	$modulo = $trovato[1];
+
+	$query = "	SELECT 
+				permessi.accesso AS accesso
+			FROM
+				moduli
+			JOIN
+				permessi ON moduli.id = permessi.id_moduli AND permessi.id_utenti = ".$UTENTE['id']."
+			WHERE
+				moduli.directory = '$modulo'
+			AND
+				moduli.attivo = 1
+			UNION DISTINCT SELECT 
+				moduli.superadmin 
+			FROM 
+				moduli 
+			JOIN 
+				utenti ON utenti.id = ".$UTENTE['id']." AND utenti.admin = 1 
+			WHERE 
+				moduli.directory = '$modulo'
+		";
+
+	$res = mysql_query( $query, $DB_ID );
+	if ($dato = mysql_fetch_array ($res)) {
+		$risposta = $dato['accesso'];
+	} else {
+		$risposta = 0;
+	}
+
+	if ($risposta) {
+		return $risposta;
+	} else {
+		header("location: ".$CONF['base_url']."/index.php");
+		exit;
+	}
+}
+
+function get_levels () {
+	global $DB_ID;
+
+	$query = "SELECT nome, livello FROM livelli ORDER BY livello";
+	$res = mysql_query( $query, $DB_ID );
+	$livelli = array();
+	while ($dato = mysql_fetch_array ($res)) {
+		$livelli[$dato['livello']] = $dato['nome'];
+	}
+	return $livelli;
+
+}
 ?>
diff --git a/out.txt b/out.txt
deleted file mode 100644
index 30030e9..0000000
--- a/out.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-0
-DELETE FROM utenti2defrule WHERE idutente = 4 AND iddefrule = 10
diff --git a/permessiutenti.php b/permessiutenti.php
deleted file mode 100755
index e460163..0000000
--- a/permessiutenti.php
+++ /dev/null
@@ -1,98 +0,0 @@
-<?php
-include_once ("core/config.php");
-$UTENTE = login();
-isadmin();
-?>
-
-<?php include_once ("top.php");
-$querypermessi = "SELECT iddefrule FROM utenti2defrule WHERE idutente = ".$_GET['id'];
-$res = mysql_query( $querypermessi, $DB_ID );
-$permessiutente = array();
-while ($dato = mysql_fetch_array ( $res )) { $permessiutente[] = $dato['iddefrule']; }
-?>
-
-<script type="text/javascript" src="jquery/jquery-1.8.0.min.js"></script>
-<script type="text/javascript">
-$(function(){
-	$(".checkrule").click(function(){
-		var stato = $(this).is(':checked');
-		var id = $(this).val();
-		$.post("updatepermessi.php", {
-			stato: stato,
-			iddefrule: id,
-			idutente: <?php print $_GET['id'] ?>
-		});
-	});
-});
-</script>
-
-<table cellpadding="0" cellspacing="0" border="0" width="90%">
-	<tr>
-		<td width="5%"><img src="img/spazio.gif"></td>
-		<td>
-		<select name='device' onchange="window.location.href='?id=<?php print $_GET['id']?>&interfaccia='+this.options[this.selectedIndex].value;">
-			<option name='device' value='' >Selezionare interfaccia</option>
-<?php 	
-		$query = "SELECT id, device FROM interfacce";
-		$res = mysql_query( $query, $DB_ID );
-		while ($dato = mysql_fetch_array ( $res )) { ?>
-			<option name='device' value='<?php print $dato['id']?>' <?php if ($_GET['interfaccia'] == $dato['id']) { print "selected"; } ?>><?php print $dato['device'] ?></option>
-<?php		} ?>
-		</select>
-		</td>
-		<td><img src="img/spazio.gif"></td>
-	</tr>
-	<tr><td class="spaziov" colspan=5><img src="img/spazio.gif"></td></tr>
-
-	<table cellpadding="0" cellspacing="0" border="0" width="90%">
-<?php
-livelli ($_GET['interfaccia'], 0, 0, 10);
-?>
-
-</table>
-<img src="img/spazio.gif" width="1" height="20" alt="">
-<?php include_once ("footer.php"); ?>
-
-<?php
-function livelli ($device, $parent, $livello, $maxliv) {
-	global $DB_ID, $permessiutente;
-	$query = "SELECT * FROM defrule WHERE stato <> 3 AND idparent = '$parent' AND idinterfacce = $device ORDER BY priorita";
-	$res = mysql_query( $query, $DB_ID );
-	while ($dato = mysql_fetch_array ( $res )) {
-		$queryint = "SELECT count(id) AS figli FROM defrule WHERE stato<>3 AND idparent = ".$dato['id'];
-		$queryrule = "SELECT COUNT(id) AS numrule FROM rule WHERE iddefrule = ".$dato['id'];
-		$resint = mysql_query( $queryint, $DB_ID );
-		$resrule = mysql_query( $queryrule, $DB_ID );
-		$datofigli = mysql_fetch_array ( $resint );
-		$datorule = mysql_fetch_array ( $resrule );
-		$numfigli = $datofigli['figli'];
-		$numrule = $datorule['numrule'];
-?>
-	<tr>
-		<td class="spazioh" nowrap>
-<?php			if ($dato['attivo']) { ?>
-			<img border=0 src="img/attivo.gif" ALT="Disattiva regola" TITLE="Disattiva regola"></a>
-<?php			} else { ?>
-			<img border=0 src="img/non_attivo.gif" ALT="Attiva regola" TITLE="Attiva regola"></a>
-<?php			} ?>
-		</td>
-		<td class="defrulenome" nowrap>
-<?php 		for ($i=0; $i<$livello; $i++) { ?>
-			<img border=0 src="img/spaziocol.gif">
-
-<?php		} ?>
-			<?php printf ("%s",creanome($dato['id'])) ?>
-		</td>
-		<td class="spazioh"><img src="img/spazio.gif"></td>
-		<td class="defruletxt" nowrap><?php print $dato['descrizione'] ?></td>
-
-		<td class="spazioh">
-			<input class="checkrule" type="checkbox" value=<?php print $dato['id']?> <?php if (in_array($dato['id'], $permessiutente)) { print "checked=\"checked\""; } ?>>	
-		</td>
-
-	</tr>
-<?php	livelli ($device, $dato['id'], $livello+1, 10);
-	}
-
-}
-?>
diff --git a/proxy/index.php b/proxy/index.php
new file mode 100755
index 0000000..239edba
--- /dev/null
+++ b/proxy/index.php
@@ -0,0 +1,17 @@
+<?php
+include_once ("../core/config.php");
+$UTENTE = login();
+$DIRITTI = diritti();
+
+
+
+?>
+
+<?php include_once ("../core/top.php");?> 
+
+
+
+
+
+
+<?php include_once ("../core/footer.php"); ?>
diff --git a/updatepermessi.php b/updatepermessi.php
deleted file mode 100755
index 3965410..0000000
--- a/updatepermessi.php
+++ /dev/null
@@ -1,30 +0,0 @@
-<?php
-include_once ("core/config.php");
-$UTENTE = login();
-isadmin();
-
-if ($_POST['stato'] == 'true') {
-	$stato = 1;
-} else {
-	$stato = 0;
-}
-
-$iddefrule = $_POST['iddefrule'];
-$idutente = $_POST['idutente'];
-
-if ($stato) {
-	$query = "INSERT INTO utenti2defrule SET idutente = $idutente, iddefrule = $iddefrule";	
-} else {
-	$query = "DELETE FROM utenti2defrule WHERE idutente = $idutente AND iddefrule = $iddefrule";	
-}
-$res = mysql_query( $query, $DB_ID );
-
-/* Attivare solo per debug
-$fp = fopen('out.txt', 'w');
-fwrite($fp, $stato);
-fwrite($fp, "\n");
-fwrite($fp, $query);
-fwrite($fp, "\n");
-fclose($fp);
-*/
-?>
diff --git a/utenti/dettlogutenti.php b/utenti/dettlogutenti.php
index 940f9b2..3d48648 100755
--- a/utenti/dettlogutenti.php
+++ b/utenti/dettlogutenti.php
@@ -1,7 +1,8 @@
 <?php
 include_once ("../core/config.php");
 $UTENTE = login();
-isadmin();
+$DIRITTI = diritti();
+//isadmin();
 ?>
 <body>
 <link rel="stylesheet" type="text/css" href="<?php print $CONF['base_url'] ?>/css/stile.css" />
diff --git a/utenti/index.php b/utenti/index.php
index a95c847..c3e15c0 100755
--- a/utenti/index.php
+++ b/utenti/index.php
@@ -1,7 +1,8 @@
 <?php
 include_once ("../core/config.php");
 $UTENTE = login();
-isadmin();
+$DIRITTI = diritti();
+//isadmin();
 ?>
 
 <?php include_once ("../core/top.php");?> 
diff --git a/utenti/logutenti.php b/utenti/logutenti.php
index f2829fc..76ee161 100755
--- a/utenti/logutenti.php
+++ b/utenti/logutenti.php
@@ -1,7 +1,8 @@
 <?php
 include_once ("../core/config.php");
 $UTENTE = login();
-isadmin();
+$DIRITTI = diritti();
+//isadmin();
 ?>
 <body>
 <link rel="stylesheet" type="text/css" href="<?php print $CONF['base_url'] ?>/css/stile.css" />
diff --git a/utenti/modutenti.php b/utenti/modutenti.php
index 65600f5..c0a2d6b 100755
--- a/utenti/modutenti.php
+++ b/utenti/modutenti.php
@@ -1,7 +1,7 @@
 <?php
 include_once ("../core/config.php");
 $UTENTE = login();
-//isadmin();
+$DIRITTI = diritti();
 ?>
 <?php include_once ("../core/top.php"); ?>
 
@@ -16,6 +16,7 @@ if (isset($_GET['id'])) {
 } else if (isset ($_POST['id'])) {
 	$modifica = 2;
 	$id 		= $_POST['id'];
+	$rm 		= $_POST['rm'];
 	$utente 	= $_POST['utente'];
 	$password1 	= $_POST['password1'];
 	$password2	= $_POST['password2'];
@@ -33,7 +34,11 @@ if (isset($_GET['id'])) {
 		$querypwd = "";
 	}
 
-	if ($id > 0) {
+	if ( $rm == 1) {
+		$testo = "L'utente e' stato correttamente rimosso";
+		$query = "DELETE FROM permessi WHERE id_utenti = $id";
+		$query2 = "DELETE FROM utenti WHERE id = $id";
+	} elseif ($id > 0) {
 		$testo = "L'utente e' stato correttamente modificato";
 		$query = "UPDATE utenti SET $querypwd admin = $admin, attivo=$attivo, modifica = NOW(), mail='$mail'  WHERE `id`=$id";
 	} else {
@@ -47,7 +52,7 @@ if (isset($_GET['id'])) {
 	</tr>
 	<tr>
 		<td>
-<?php	if (mysql_query( $query, $DB_ID )) { ?>
+<?php	if (mysql_query( $query, $DB_ID ) && ((!is_null ($query2) && mysql_query( $query2, $DB_ID )) || (is_null ($query2)))) { ?>
 <?php print $testo ?><br>
 <?php	} else { ?>
 Non e' stato possibile eseguire l'operazione richiesta a causa di un errore: <?php print mysql_error() ?><br>
@@ -59,7 +64,7 @@ Non e' stato possibile eseguire l'operazione richiesta a causa di un errore: <?p
 		<td><img src="<?php print $CONF['base_url'] ?>/img/spazio.gif" width="1" height="5" alt=""></td>
 	</tr>
 	<tr>
-		<td><input type="button" value="Ok" onclick="location.href = 'utenti.php';"></button></td>
+		<td><input type="button" value="Ok" onclick="location.href = '<?php print $CONF['base_url'] ?>/utenti/index.php';"></button></td>
 	</tr>
 	<tr>
 		<td><img src="<?php print $CONF['base_url'] ?>/img/spazio.gif" width="1" height="10" alt=""></td>
@@ -74,13 +79,17 @@ Non e' stato possibile eseguire l'operazione richiesta a causa di un errore: <?p
 
 <?php if (($modifica == 0 || $modifica == 1) && !isset($_GET['rm'])) { ?>
 
-
 <script type="text/javascript" src="<?php print $CONF['base_url'] ?>/jquery/jquery.js"></script>
 <script type="text/javascript" src="<?php print $CONF['base_url'] ?>/jquery/jquery.validate.js"></script>
 <script type="text/javascript" src="<?php print $CONF['base_url'] ?>/jquery/jquery.validate.password.js"></script>
 <link rel="stylesheet" type="text/css" href="<?php print $CONF['base_url'] ?>/jquery/jquery.validate.password.css" />
 
 <script type="text/javascript">
+function DoSubmit(){
+	document.getElementById("rm").value = '1';
+	return true;
+}
+
 $(document).ready(function() 
 {
 	$("#modulo").validate( {
@@ -136,9 +145,10 @@ $(document).ready(function()
 <form action="modutenti.php" method="post" id="modulo">
 <table cellpadding="0" cellspacing="0" border="0" width="90%">
 <?php if ($modifica == 1) { ?>
-<input type="hidden" name="id" value="<?php print $dato['id'] ?>">
+<input type="hidden" name="id" id="id" value="<?php print $dato['id'] ?>">
+<input type="hidden" name="rm" id="rm" value="0">
 <?php } else { ?>
-<input type="hidden" name="id" value="-1">
+<input type="hidden" name="id" d="id" value="-1">
 <?php } ?>
 <tr>
 	<td><img src="<?php print $CONF['base_url'] ?>/img/spazio.gif" width="30" height="1" alt=""></td>
@@ -158,7 +168,11 @@ $(document).ready(function()
 	<td><img src="<?php print $CONF['base_url'] ?>/img/spazio.gif" width="80" height="1" alt=""></td>
 	<td>Attivo <input name="attivo" type="checkbox" value=1 <?php if ($dato['attivo']) { print "checked=\"checked\""; } ?>></td>
 	<td><img src="<?php print $CONF['base_url'] ?>/img/spazio.gif" width="20" height="1" alt=""></td>
+<?php	if ($UTENTE['admin']) { ?>
 	<td>Admin <input name="admin" type="checkbox" value=1 <?php if ($dato['admin']) { print "checked=\"checked\""; } ?>></td>
+<?php	} else { ?>
+	<td>&nbsp;</td>
+<?php	} ?>
 	<td colspan="4"><img src="<?php print $CONF['base_url'] ?>/img/spazio.gif" width="250" height="1" alt=""></td>
 </tr>
 <tr><td colspan="9"><img src="<?php print $CONF['base_url'] ?>/img/spazio.gif" width="1" height="5" alt=""></td></tr>
@@ -195,7 +209,11 @@ $(document).ready(function()
 <tr><td align="center" colspan="9">
 	<input type="submit" value="<?php print $bottone ?>">
 	&nbsp;&nbsp;&nbsp;
-	<input type="button" value="Annulla" onclick="location.href = 'utenti.php';"></button>
+	<input type="button" value="Annulla" onclick="location.href = '<?php print $CONF['base_url'] ?>/utenti/index.php';"></button>
+<?php	if ($modifica == 1) { ?>
+	&nbsp;&nbsp;&nbsp;
+	<input type="submit" value="Rimuovi" onclick="DoSubmit()">
+<?php 	} ?>
 </td></tr>
 
 <tr><td colspan="9"><img src="<?php print $CONF['base_url'] ?>/img/spazio.gif" width="1" height="10" alt=""></td></tr>
@@ -203,4 +221,4 @@ $(document).ready(function()
 </form>
 <?php } ?>
 
-<?php include_once ("footer.php"); ?>
+<?php include_once ("../core/footer.php"); ?>
diff --git a/utenti/out.txt b/utenti/out.txt
new file mode 100644
index 0000000..7a74579
--- /dev/null
+++ b/utenti/out.txt
@@ -0,0 +1,18 @@
+
+	INSERT INTO
+			permessi
+		SET
+			id_utenti = 2,
+			id_moduli = (	SELECT
+						id
+					FROM
+						moduli
+					WHERE
+						nome = 'Utenti' AND attivo = 1
+					),
+			accesso = 1,
+			modifica = NOW()
+		ON DUPLICATE KEY UPDATE
+			accesso = 1,
+			modifica = NOW()
+
diff --git a/utenti/permessiutenti.php b/utenti/permessiutenti.php
new file mode 100755
index 0000000..05759e4
--- /dev/null
+++ b/utenti/permessiutenti.php
@@ -0,0 +1,112 @@
+<?php
+include_once ("../core/config.php");
+$UTENTE = login();
+$DIRITTI = diritti();
+
+include_once ("../core/top.php");
+$query = "	SELECT
+			id,
+			nome,
+			max(accesso) AS accesso
+		FROM
+			(SELECT
+				moduli.id AS id,
+				moduli.nome AS nome,
+				permessi.accesso AS accesso
+			FROM
+				permessi
+			JOIN
+				moduli ON permessi.id_moduli = moduli.id AND moduli.attivo = 1
+			WHERE
+				permessi.id_utenti = ".$_GET['id']."
+			UNION DISTINCT
+			SELECT 
+				moduli.id AS id,
+				moduli.nome AS nome,
+				0 AS accesso
+			FROM
+				moduli
+			WHERE
+				moduli.attivo = 1) s
+			GROUP BY
+				nome
+			ORDER BY
+				nome
+";
+
+$permessi = mysql_query( $query, $DB_ID );
+
+$query = "	SELECT 
+			utente, 
+			admin
+		FROM 
+			utenti
+		WHERE
+			id = ".$_GET['id']."
+		AND
+			attivo = 1
+";
+$res = mysql_query( $query, $DB_ID );
+$dato = mysql_fetch_array ($res);
+
+$livelli = get_levels();
+//$livelli = array(0=>"Negato", 5=>"Utente", 10=>"Admin");
+?>
+<script type="text/javascript" src="<?php print $CONF['base_url']?>/jquery/jquery-1.8.0.min.js"></script>
+
+<table cellpadding="0" cellspacing="0" border="0" width="40%">
+<tr>
+<?php	if ($dato['admin']) { ?>
+		<td rowspan=2 class="col3btn"><img border=0 src="<?php print $CONF['base_url'] ?>/img/admin.png" ALT="Admin" TITLE="Admin"></td>
+<?php	} else { ?>
+		<td rowspan=2 class="col3btn"><img border=0 src="<?php print $CONF['base_url'] ?>/img/utente.png" ALT="Utente" TITLE="Utente"></td>
+<?php	} ?>
+		<td class="col3campo2"><?php print $dato['utente'] ?></td>
+	
+</tr>
+</table>
+<img src="img/spazio.gif" width="1" height="20" alt="">
+
+<table cellpadding="0" cellspacing="0" border="0" width="60%">
+<?php while ($dato = mysql_fetch_array ( $permessi )) { ?>
+<tr>
+<td class="col3campo2"><?php print $dato['nome']?></td>
+<td>
+	<select name='<?php print $dato['nome']?>' class="cambio" >
+<?php 	foreach ($livelli as $i => $v) { ?>
+		<option name='<?php print $dato['nome']?>' value='<?php print $i ?>' <?php if ($i == $dato['accesso']) { print "selected"; } ?>><?php print $livelli[$i] ?></option>
+<?php } ?>
+	</select>
+</td>
+</tr>
+<tr><td colspan=2><img src="img/spazio.gif" width="1" height="5" alt=""></td></tr>
+
+<?php } ?>
+</table>
+
+<img src="img/spazio.gif" width="1" height="20" alt="">
+
+<script type="text/javascript">
+$(function(){
+	$('.cambio').on('change', function(){
+		var usr = <?php print $_GET['id'] ?>;
+		var acc = $(this).val();
+		var mod = $(this).attr('name');
+
+	$.ajax({
+		url: "updatepermessi.php",
+		dataType: "json",
+		data: {
+			user_id: usr,
+			accesso: acc,
+			modulo: mod
+		},
+		success: function(data) {
+//        data contiene i ritorni dalla pagina chiamata ma devono essere in json
+		}
+	}	);
+	});
+})
+</script>
+
+<?php include_once ("../core/footer.php"); ?>
diff --git a/utenti/updatepermessi.php b/utenti/updatepermessi.php
new file mode 100755
index 0000000..e2b866d
--- /dev/null
+++ b/utenti/updatepermessi.php
@@ -0,0 +1,38 @@
+<?php
+include_once ("../core/config.php");
+$UTENTE = login();
+$DIRITTI = diritti();
+
+$user_id = $_GET['user_id'];
+$accesso = $_GET['accesso'];
+$modulo = $_GET['modulo'];
+
+$query = "	INSERT INTO
+			permessi
+		SET
+			id_utenti = $user_id,
+			id_moduli = (	SELECT
+						id
+					FROM
+						moduli
+					WHERE
+						nome = '$modulo' AND attivo = 1
+					),
+			accesso = $accesso,
+			modifica = NOW()
+		ON DUPLICATE KEY UPDATE
+			accesso = $accesso,
+			modifica = NOW()
+";
+
+$res = mysql_query( $query, $DB_ID );
+
+/* Attivare solo per debug
+$fp = fopen('out.txt', 'w');
+fwrite($fp, $stato);
+fwrite($fp, "\n");
+fwrite($fp, $query);
+fwrite($fp, "\n");
+fclose($fp);
+*/
+?>