From 29502222f6162894a76fadec67615b9785e8d2d0 Mon Sep 17 00:00:00 2001
From: mad
Date: Wed, 15 Aug 2018 17:38:14 +0200
Subject: [PATCH] some user fixes
---
 web/index.php | 33 ++++++++++++++++++++++++---------
 1 file changed, 24 insertions(+), 9 deletions(-)
diff --git a/web/index.php b/web/index.php
index c63472b..25eacd7 100644
--- a/web/index.php
+++ b/web/index.php
@@ -63,15 +63,18 @@ while ($row = $res->fetchArray(SQLITE3_ASSOC)){
 session_unset(); session_destroy(); session_start(); + echo "killed inituser!"; } } + if ($usersfound=="no"){ + $_SESSION['username']="inituser"; + $_SESSION['isadmin']="1"; if (!isset($_POST['newusername'])){ echo "

You have no users in the datbase!


"; // echo "Aborting...."; // exit; - $_SESSION['username']="inituser"; - $_SESSION['isadmin']="1"; + $mode="usermgmt"; } } elseif ((isset($_POST['login']))&&(isset($_POST['username']))&&(isset($_POST['password']))){
@@ -84,10 +87,11 @@ if ($usersfound=="no"){
 $_SESSION['username']=$user; $_SESSION['isadmin']=$row['admin']; } else { - echo "Password not correct! $pass"; + echo "Password not correct!"; } } } + if (isset($_SESSION['username'])){ if ((isset($_POST['deletevm']))&&(isset($_POST['deletename']))){ if($_SESSION['isadmin']!=1){
@@ -162,12 +166,14 @@ if (isset($_SESSION['username'])){
 //usermanagement if ((isset($_POST['usermgmt']))||($mode=="usermgmt")){ $mode="usermgmt"; - if (($_SESSEION['username']=="inituser")||($_SESSION['isadmin']=="1")){ + if (($_SESSION['username']=="inituser")||($_SESSION['isadmin']=="1")){ $sql="SELECT * FROM users"; $res = $db_handle->query($sql); echo "
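Review bot: The new `if ($usersfound=="no")` branch assigns `$_SESSION['username']="inituser"` and `$_SESSION['isadmin']="1"` before the `newusername` check, so every request that arrives while the users table is empty — not only the one that renders the "no users" notice — receives an admin session, and whoever reaches the page first in that window becomes the administrator. The code computing `$usersfound` and the enclosing loop begin before this hunk, so I cannot see whether anything else narrows that window; at minimum document it next to the new assignments, e.g. `// bootstrap: until a user row exists every visitor is 'inituser' with admin rights — first request wins`. The added `echo "killed inituser!";` reads as a debug message and is emitted into the served page; drop it or route it through error_log().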
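Review bot: The successful-login path in this hunk (`$_SESSION['username']=$user;` followed by `$_SESSION['isadmin']=$row['admin'];`) keeps the session id the browser presented before authentication, so a session id planted before login remains valid after it; add `session_regenerate_id(true);` immediately before those two assignments. Removing `$pass` from the failure message is the right call. The login branch starts before the hunk, so how `$user` and `$row` are obtained is not visible here. Note also that this block compares `$_SESSION['isadmin']!=1` as an integer while the value is stored as the string `"1"` elsewhere in the patch; pick one representation and compare with `!==`/`===`.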
"; //echo "
Username
Is Admin
New Password
"; - echo "

Existing users

"; + if ($_SESSION['username']!="inituser"){ + echo "

Existing users

"; + } while ($row = $res->fetchArray(SQLITE3_ASSOC)){ echo "
"; if ($row['admin']=="1"){
@@ -196,7 +202,11 @@ if (isset($_SESSION['username'])){
 //start vm if (isset($_REQUEST['start'])){ $vmname = clean($_REQUEST['start']); - $sql="SELECT * FROM vms WHERE vmname='$vmname'"; + $sqllimit=""; + if($_SESSION['isadmin']!="1"){ + $sqllimit="WHERE username='$_SESSION[username]'"; + } + $sql="SELECT * FROM vms WHERE vmname='$vmname' $sqllimit"; $res = $db_handle->query($sql); while ($row = $res->fetchArray(SQLITE3_ASSOC)){ $shellout = shell_exec("/usr/bin/wrap-nlvmi start $vmname bla");
@@ -205,7 +215,10 @@ if (isset($_SESSION['username'])){
 } if (isset($_REQUEST['stop'])){ $vmname = clean($_REQUEST['stop']); - $sql="SELECT * FROM vms WHERE vmname='$vmname'"; + if($_SESSION['isadmin']!="1"){ + $sqllimit="WHERE username='$_SESSION[username]'"; + } + $sql="SELECT * FROM vms WHERE vmname='$vmname' $sqllimit"; $res = $db_handle->query($sql); while ($row = $res->fetchArray(SQLITE3_ASSOC)){ if(checkvm($vmname)){
@@ -331,8 +344,9 @@ if (isset($_SESSION['username'])){
 $sqlv = rtrim($sqlv, ','); $sqlv.=")"; $sql = "$sqls$sqlc$sqlv"; - echo $sql; + //echo $sql; $result = $db_handle->exec($sql); + $mode=""; } elseif ($_REQUEST['mode']=="editvm"){ $mode="editvm"; $sql="UPDATE vms SET ";
@@ -372,13 +386,14 @@ if (isset($_SESSION['username'])){
 $button = "stop"; $buttonc = "btn-warning"; } - echo "
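Review bot: With the `$_SESSEION` typo corrected, the user-management gate now admits any session whose username is the literal string `inituser` as well as admins; the bootstrap branch earlier in the patch sets that name, but if the account-creation code further down this block (it continues past the hunk) accepts `inituser` as an ordinary username, a non-admin who registers that name would pass this check too. Either reject that name when creating users, or key the bootstrap on a dedicated flag set only in the no-users branch, e.g. `$_SESSION['bootstrap']=true;` there and `if (!empty($_SESSION['bootstrap'])||($_SESSION['isadmin']==="1")){` here. Both comparisons are loose `==`; `===` avoids PHP's string/number coercion rules.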
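Review bot: For a non-admin session the new `$sqllimit` produces `SELECT * FROM vms WHERE vmname='…' WHERE username='…'` — two WHERE clauses — which SQLite rejects, so `query()` returns false and the `fetchArray()` call on the next line fails; non-admins therefore cannot start a VM at all. The restriction must be joined with `AND username=…`, and the stop hunk (`@@ -205,7 +215,10`) has the same mistake and additionally never initialises `$sqllimit`, so an admin's stop query reuses whatever an earlier branch left in that variable. Both `$vmname` and the session username are still interpolated into SQL; assuming `$db_handle` is an SQLite3 instance, as the `fetchArray(SQLITE3_ASSOC)` calls suggest, a prepared statement keeps the ownership check and removes the interpolation. `$vmname` also reaches `shell_exec()` unquoted, which is only safe if `clean()` (not visible here) is strict; wrapping it in `escapeshellarg()` costs nothing.
```php
$vmname = clean($_REQUEST['start']);
$sql = "SELECT * FROM vms WHERE vmname=:vmname";
if ($_SESSION['isadmin'] !== "1") {
    $sql .= " AND username=:username"; // non-admins may only act on their own VMs
}
$stmt = $db_handle->prepare($sql);
$stmt->bindValue(':vmname', $vmname, SQLITE3_TEXT);
if ($_SESSION['isadmin'] !== "1") {
    $stmt->bindValue(':username', $_SESSION['username'], SQLITE3_TEXT);
}
$res = $stmt->execute();
// … unchanged: fetchArray loop and the wrap-nlvmi call …
```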
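Review bot: `//echo $sql;` leaves commented-out debug code behind; delete the line instead of commenting it out. The `exec()` result on the following line is stored in `$result` but never inspected, so a failed INSERT is silent while `$mode=""` still resets the view as if it succeeded — `if ($result === false) { error_log($db_handle->lastErrorMsg()); }` would at least surface it. The statement is assembled from `$sqls$sqlc$sqlv`, which are built before this hunk, so I cannot see here whether those fragments are escaped or bound.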
$row[vmname]
edit "; + echo "
$row[vmname]
edit "; echo "$button "; echo " "; $server = gethostname(); if (preg_match('/stop/', $button)) { echo "VNC
"; } + echo "
"; } } echo "
";
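Review bot: The rewritten row output still interpolates `$row[vmname]` directly into the echoed HTML, and nothing in the hunk escapes it; unless names are guaranteed safe when inserted (the `clean()` helper is not visible here), escape at output with `$name = htmlspecialchars($row['vmname'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` and use `$name` in the echo lines. The loop that produces these rows begins before the hunk, so the source of `$row` is not visible here.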