From 055bbcbd61a56e39408e7d2b9d83c47fc76daa20 Mon Sep 17 00:00:00 2001
From: vincent-peugnet
Date: Mon, 24 Dec 2018 12:04:27 +0100
Subject: user admin protection
---
 app/class/application.php | 2 +-
 app/class/controlleruser.php | 11 ++++++++-
 app/class/modeluser.php | 8 ++-----
 app/view/templates/userconfirmdelete.php | 39 ++++++++++++++++++++++++++------
 4 files changed, 45 insertions(+), 15 deletions(-)
diff --git a/app/class/application.php b/app/class/application.php
index 39cdd8a..f4b2a84 100644
--- a/app/class/application.php
+++ b/app/class/application.php
@@ -49,7 +49,7 @@ class Application
 $this->configform();
 exit;
 } else {
- if(!$this->usermanager->adminexist()) {
+ if($this->usermanager->admincount() === 0) {
 echo 'missing admin user';
 $this->adminform();
 exit;
diff --git a/app/class/controlleruser.php b/app/class/controlleruser.php
index 00b7246..9daf1fb 100644
--- a/app/class/controlleruser.php
+++ b/app/class/controlleruser.php
@@ -36,7 +36,16 @@ class Controlleruser extends Controller
 {
 if($_POST['action'] === 'delete') {
 $user = new User($_POST);
- $this->showtemplate('userconfirmdelete', ['userdelete' => $user]);
+ $user = $this->usermanager->get($user);
+ if($user !== false) {
+ if($user->isadmin() && $this->usermanager->admincount() === 1) {
+ $this->showtemplate('userconfirmdelete', ['userdelete' => $user, 'candelete' => false]);
+ } else {
+ $this->showtemplate('userconfirmdelete', ['userdelete' => $user, 'candelete' => true]);
+ }
+ } else {
+ $this->routedirect('user');
+ }
 } elseif ($_POST['action'] == 'confirmdelete') {
 $user = new User($_POST);
 $this->usermanager->delete($user);
diff --git a/app/class/modeluser.php b/app/class/modeluser.php
index e4b7eee..613d13b 100644
--- a/app/class/modeluser.php
+++ b/app/class/modeluser.php
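Review bot: The last-admin guard in controlleruser.php is enforced only in the `delete` branch that renders the confirmation page; the `confirmdelete` branch at the end of the hunk still builds a `User` from `$_POST` and calls `$this->usermanager->delete($user)` with no check, so the protection holds only for requests that pass through the confirmation page and `candelete` is effectively a UI hint. The admin count can also change between rendering that page and the confirming request, so the check belongs where the deletion actually happens; resolving the user through `usermanager->get()` there as well keeps both branches consistent (that `get()` returns `false` for an unknown user is inferred from the new code's own `!== false` test — confirm). The `confirmdelete` branch continues past the end of the hunk, so whatever follows `delete()` is not reviewed here. As a secondary style point, the two `showtemplate` calls differ only in the flag and collapse to `$lastadmin = $user->isadmin() && $this->usermanager->admincount() === 1;` followed by `$this->showtemplate('userconfirmdelete', ['userdelete' => $user, 'candelete' => !$lastadmin]);`.
```php
        } elseif ($_POST['action'] == 'confirmdelete') {
            $user = $this->usermanager->get(new User($_POST));
            // Re-check here: the flag on the confirmation page is only a hint,
            // and the admin count may have changed since that page was rendered.
            if($user !== false && !($user->isadmin() && $this->usermanager->admincount() === 1)) {
                $this->usermanager->delete($user);
            }
            // … unchanged: rest of the confirmdelete branch (outside this hunk) …
```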
@@ -97,17 +97,13 @@ class Modeluser extends Modeldb return $userlist; } - public function adminexist() + public function admincount() { $userdatalist = $this->repo->query() ->where('level', '==', 10) ->execute(); - if($userdatalist->total() === 0) { - return false; - } else { - return true; - } + return $userdatalist->total(); } public function passwordexist(string $pass) diff --git a/app/view/templates/userconfirmdelete.php b/app/view/templates/userconfirmdelete.php index 342775f..069f5de 100644 --- a/app/view/templates/userconfirmdelete.php +++ b/app/view/templates/userconfirmdelete.php @@ -1,17 +1,42 @@ + -
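Review bot: `admincount()` declares no return type although its callers in application.php and controlleruser.php compare the result with `=== 0` and `=== 1`; declare it `public function admincount(): int` so a non-int coming back from `total()` fails loudly instead of silently making every strict comparison false. Whether `total()` already returns an `int` cannot be told from this hunk — confirm against the repository class. A one-line docblock such as `/** Number of users with admin level (level == 10). */` would also document the `10` the query hard-codes, which presumably has to match whatever `isadmin()` tests.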

Delete User

-

Id : id() ?>

-

Level : level() ?>

+

Delete User

+

Id : id() ?>

+

Level : level() ?>

-
- + - + + -
\ No newline at end of file + + + + + + + + + +

You can't delete this user

+ +

You need at least one admin user to run the system.

+ +

To delete this user, create at least another admin user, then retry to delete this one.

+ + Go back to users + + + \ No newline at end of file -- cgit v1.2.3