From 3fceb49e47c845f624b9defab861bb4ba046a60b Mon Sep 17 00:00:00 2001
From: Krehan Tim
Date: Fri, 9 Nov 2018 15:16:36 +0100
Subject: [PATCH] Added Password Change and implemented user change in php class
---
 bin/settings.js | 41 +++++++++++++++++++++++++++++++++++++++++
 cont/settings.php | 11 ++++++-----
 index.php | 2 ++
 php/classes.user.php | 25 +++++++++++++++++++++++--
 php/edit-user.php | 16 ++++++++++++++++
 5 files changed, 88 insertions(+), 7 deletions(-)
 create mode 100644 php/edit-user.php
diff --git a/bin/settings.js b/bin/settings.js
index 0b4768c..4693a12 100644
--- a/bin/settings.js
+++ b/bin/settings.js
@@ -10,6 +10,47 @@ function downloadObjectAsJson(exportObj, exportName){
 $(document).ready(function(){
 $("#username-input").focus(function(){$(this).css("color", "black");});
 $("#mail-input").focus(function(){$(this).css("color", "black");});
+
+ // change password
+ $("#old-password-input").focus(function(){$(this).css("color", "black");});
+ $("#new-password-input").focus(function(){$(this).css("color", "black");});
+ $("#check-password-input").focus(function(){$(this).css("color", "black");});
+ $(".password-input").on("input", function(){
+ if(
+ (($("#old-password-input").val()).length>0) &&
+ (($("#new-password-input").val()).length>0) &&
+ (($("#check-password-input").val()).length>0) &&
+ ($("#new-password-input").val()==$("#check-password-input").val())
+ ){
+ $("#passwordSaveButton").prop("disabled", false);
+ $("#passwordSaveButton").removeClass("button-disabled");
+ }
+ else{
+ $("#passwordSaveButton").prop("disabled", true);
+ $("#passwordSaveButton").addClass("button-disabled");
+ }
+ });
+ $("#passwordSaveButton").click(function(){
+ $.post("/php/edit-user.php",
+ {
+ function: "change-pw",
+ current: $("#old-password-input").val(),
+ new: $("#new-password-input").val()
+ },
+ function(data){
+ if(data==0){
+ $("#old-password-input").val("");
+ $("#new-password-input").val("");
+ $("#check-password-input").val("");
+ infoPopUp("Passwort erfolgreich geändert!");
+ }
+ else {
+ infoPopUp("Altes Passwort Falsch!");
+ }
+ }
+ );
+ });
+
 $("#export-recipe-button").click(function(){
 $.post("/php/edit-recipes.php", {function:"export"}, function(data){
 downloadObjectAsJson(JSON.parse(data), "recipes");
diff --git a/cont/settings.php b/cont/settings.php
index bf6f020..8e108e6 100644
--- a/cont/settings.php
+++ b/cont/settings.php
@@ -3,7 +3,8 @@
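Review bot: In the `#passwordSaveButton` click callback in bin/settings.js, `if(data==0)` uses loose equality, so an empty response body also compares equal to 0 and the user is told the password was changed even when the server failed before printing anything. Compare against the exact string the server prints, `if(String(data).trim() === "0"){`, and chain a `.fail(...)` handler on the `$.post` so a transport or 5xx error is not silent. The else branch reports "Altes Passwort Falsch!" for every other reply, which presents an expired token or a database error as a wrong password. The matching check in the `.password-input` handler is client-side only, so the server must not rely on it.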

Settings

get_info($_COOKIE["token"]); ?>

User

@@ -17,11 +18,11 @@
- Altes Passwort - Neues Passwort - Passwort bestätigen + Altes Passwort + Neues Passwort + Passwort bestätigen
- +

Import / Export

diff --git a/index.php b/index.php index 6cfadee..eec069c 100644 --- a/index.php +++ b/index.php @@ -23,6 +23,7 @@ + Einkaufsliste @@ -80,5 +81,6 @@ echo "
"; if($site && ($site!="login")){include $_SESSION["docroot"].'/cont/nav.php';} ?> +
diff --git a/php/classes.user.php b/php/classes.user.php index ac6cd03..cd89b33 100644 --- a/php/classes.user.php +++ b/php/classes.user.php @@ -1,15 +1,36 @@ query($query); $user = $result->fetch_assoc(); $this->uid = $user["uid"]; $this->username = $user["username"]; $this->email = $user["email"]; $this->last_login = $user["last_login"]; + $this->salt = $user["salt"]; + $mysqli->close(); + } + + function change_password($current, $new){ + include $_SESSION["docroot"].'/php/hash.php'; + include $_SESSION["docroot"].'/php/connect.php'; + $current_pwhash = hash_password($current, $this->salt); + $query = "SELECT `uid` FROM `users` WHERE `uid` = $this->uid AND `password` = '$current_pwhash'"; + $result = $mysqli->query($query); + if($result->num_rows===1){ + $new_pwdhash = hash_password($new, $this->salt); + $mysqli->query("UPDATE `users` SET `password` = '$new_pwdhash' WHERE `users`.`uid` = $this->uid;"); + $mysqli->close(); + print_r("0"); + } + else{ + print_r("1"); + } } } ?> diff --git a/php/edit-user.php b/php/edit-user.php new file mode 100644 index 0000000..48c4f5f --- /dev/null +++ b/php/edit-user.php @@ -0,0 +1,16 @@ +get_info($_COOKIE["token"]); + + switch ($_POST["function"]) { + case 'change-pw': + $user->change_password($_POST["current"], $_POST["new"]); + break; + + default: + // code... + break; + } +?>
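Review bot: In `change_password` (php/classes.user.php) both statements are built by interpolating `$this->uid` and the hash strings into SQL, and `$result->num_rows` is read without checking that the query succeeded. If `get_info` found no row for the token, `$this->uid` is empty and the SELECT is malformed. Use prepared statements with bound parameters for the SELECT and the UPDATE, and return early when no user is loaded. The new hash reuses `$this->salt`, so the salt never rotates; `hash_password` is defined outside this diff, but if it is a plain salted digest, `password_hash()`/`password_verify()` would be the safer primitive. Nothing in the visible lines invalidates existing login tokens after a successful change, and the else branch never calls `$mysqli->close()`.

```php
function change_password($current, $new){
    // … unchanged: include hash.php and connect.php …
    if(empty($this->uid)){ print_r("1"); return; }   // no user loaded for this token
    $current_pwhash = hash_password($current, $this->salt);
    // "i" assumes uid is an integer column; adjust the type string if it is not
    $stmt = $mysqli->prepare("SELECT `uid` FROM `users` WHERE `uid` = ? AND `password` = ?");
    $stmt->bind_param("is", $this->uid, $current_pwhash);
    $stmt->execute();
    $stmt->store_result();
    $matched = ($stmt->num_rows === 1);
    $stmt->close();
    if($matched){
        $new_pwdhash = hash_password($new, $this->salt);
        $update = $mysqli->prepare("UPDATE `users` SET `password` = ? WHERE `uid` = ?");
        $update->bind_param("si", $new_pwdhash, $this->uid);
        $update->execute();
        $update->close();
    }
    $mysqli->close();   // closed on both paths
    print_r($matched ? "0" : "1");
}
```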
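Review bot: php/edit-user.php dispatches to `change_password` straight after `get_info($_COOKIE["token"])` without checking that the token resolved to a user, and it reads `$_POST["function"]`, `$_POST["current"]` and `$_POST["new"]` without `isset` checks, so an unauthenticated or malformed request still reaches the query code. Reject the request (for example with a 401 status and `exit`) when no user was loaded, and require both password fields to be non-empty strings before the `switch`. No anti-CSRF token and no limit on failed attempts are visible in this diff; the current-password requirement covers the former for this action, but wrong values of `current` are neither counted nor throttled. The top of the file was lost in extraction, so the includes and the construction of `$user` cannot be reviewed here.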