From 6f4fd7bc28ee466e8ffbe1941ea4015c012a4460 Mon Sep 17 00:00:00 2001
From: FusionPBX
Date: Wed, 11 Sep 2019 02:34:25 -0600
Subject: [PATCH] Update user_edit.php
---
 core/users/user_edit.php | 130 +++++++++++++++------------------------
 1 file changed, 51 insertions(+), 79 deletions(-)
diff --git a/core/users/user_edit.php b/core/users/user_edit.php
index cdc4df48fa..1ca78e87c0 100644
--- a/core/users/user_edit.php
+++ b/core/users/user_edit.php
@@ -35,7 +35,7 @@
 $text = $language->get();
 //get user uuid
- if ((is_uuid($_REQUEST["id"]) && permission_exists('user_edit')) || (is_uuid($_REQUEST["id"]) && $_REQUEST["id"] == $_SESSION['user_uuid'])) {
+ if ((is_uuid($_REQUEST["id"]) && permission_exists('user_edit')) || (is_uuid($_REQUEST["id"]) && $_REQUEST["id"] == $_SESSION['user_uuid'])) {
 $user_uuid = $_REQUEST["id"];
 $action = 'edit';
 }
@@ -98,7 +98,7 @@
 //redirect the user
 message::add($text['message-update']);
- header("Location: user_edit.php?id=".$user_uuid);
+ header("Location: user_edit.php?id=".urlencode($user_uuid));
 exit;
 }
@@ -144,10 +144,8 @@
 if ($username == '') {
 message::add($text['message-required'].$text['label-username'], 'negative', 7500);
 }
- if (
- (permission_exists('user_edit') && $action == 'edit' && $username != $username_old && $username != '') ||
- (permission_exists('user_add') && $action == 'add' && $username != '')
- ) {
+ if ((permission_exists('user_edit') && $action == 'edit' && $username != $username_old && $username != '') ||
+ (permission_exists('user_add') && $action == 'add' && $username != '')) {
 $sql = "select count(*) from v_users where username = :username ";
 if ($_SESSION["users"]["unique"]["text"] != "global") {
 $sql .= "and domain_uuid = :domain_uuid ";
@@ -206,7 +204,6 @@
 //return if error
 if (message::count() != 0) {
- $_SESSION['tmp'][$_SERVER['PHP_SELF']]['user'] = $_POST;
 header("Location: user_edit.php".(permission_exists('user_edit') && $action != 'add' ? "?id=".urlencode($user_uuid) : null));
 exit;
 }
@@ -541,84 +538,59 @@
 else {
 message::add($text['message-add'],'positive');
 }
- header("Location: user_edit.php?id=".$user_uuid);
+ header("Location: user_edit.php?id=".urldecode($user_uuid));
 exit;
 }
-//populate the form with values from session variable
- if (is_array($_SESSION['tmp'][$_SERVER['PHP_SELF']]['user']) && sizeof($_SESSION['tmp'][$_SERVER['PHP_SELF']]['user']) != 0) {
- $domain_uuid = $_SESSION['tmp'][$_SERVER['PHP_SELF']]['user']["domain_uuid"];
- $username = $_SESSION['tmp'][$_SERVER['PHP_SELF']]['user']["username"];
- $password = $_SESSION['tmp'][$_SERVER['PHP_SELF']]['user']["password"];
- $password_confirm = $_SESSION['tmp'][$_SERVER['PHP_SELF']]['user']["password_confirm"];
- $api_key = $_SESSION['tmp'][$_SERVER['PHP_SELF']]['user']["api_key"];
- $user_enabled = $_SESSION['tmp'][$_SERVER['PHP_SELF']]['user']["user_enabled"];
- $contact_uuid = $_SESSION['tmp'][$_SERVER['PHP_SELF']]['user']["contact_uuid"];
- $user_status = $_SESSION['tmp'][$_SERVER['PHP_SELF']]['user']["user_status"];
- $password_confirm = $_SESSION['tmp'][$_SERVER['PHP_SELF']]['user']['password_confirm'];
- $user_settings['domain']['language']['code'] = $_SESSION['tmp'][$_SERVER['PHP_SELF']]['user']['user_language'];
- $user_settings['domain']['time_zone']['name'] = $_SESSION['tmp'][$_SERVER['PHP_SELF']]['user']['user_time_zone'];
- $user_email = $_SESSION['tmp'][$_SERVER['PHP_SELF']]['user']['user_email'];
- $contact_name_given = $_SESSION['tmp'][$_SERVER['PHP_SELF']]['user']['contact_name_given'];
- $contact_name_family = $_SESSION['tmp'][$_SERVER['PHP_SELF']]['user']['contact_name_family'];
- $contact_organization = $_SESSION['tmp'][$_SERVER['PHP_SELF']]['user']['contact_organization'];
- $group_uuid_name = $_SESSION['tmp'][$_SERVER['PHP_SELF']]['user']['group_uuid_name'];
- $user_settings["message"]["key"]["text"] = $_SESSION['tmp'][$_SERVER['PHP_SELF']]['user']['message_key'];
+//populate the form with values from db
+ if ($action == 'edit') {
+ $sql = "select * from 
v_users where user_uuid = :user_uuid ";
+ if (!permission_exists('user_all')) {
+ $sql .= "and domain_uuid = :domain_uuid ";
+ $parameters['domain_uuid'] = $domain_uuid;
+ }
+ $parameters['user_uuid'] = $user_uuid;
+ $database = new database;
+ $row = $database->select($sql, $parameters, 'row');
+ if (is_array($row) && sizeof($row) > 0) {
+ $domain_uuid = $row["domain_uuid"];
+ $user_uuid = $row["user_uuid"];
+ $username = $row["username"];
+ $user_email = $row["user_email"];
+ $api_key = $row["api_key"];
+ $user_enabled = $row["user_enabled"];
+ $contact_uuid = $row["contact_uuid"];
+ $user_status = $row["user_status"];
+ }
+ else {
+ message::add($text['message-invalid_user'], 'negative', 7500);
+ header("Location: user_edit.php?id=".$_SESSION['user_uuid']);
+ exit;
+ }
+ unset($sql, $parameters, $row);
- $unsaved = true;
- unset($_SESSION['tmp'][$_SERVER['PHP_SELF']]['user']);
- }
- else {
- //populate the form with values from db
- if ($action == 'edit') {
- $sql = "select * from v_users where user_uuid = :user_uuid ";
- if (!permission_exists('user_all')) {
- $sql .= "and domain_uuid = :domain_uuid ";
- $parameters['domain_uuid'] = $domain_uuid;
- }
- $parameters['user_uuid'] = $user_uuid;
- $database = new database;
- $row = $database->select($sql, $parameters, 'row');
- if (is_array($row) && sizeof($row) > 0) {
- $domain_uuid = $row["domain_uuid"];
- $user_uuid = $row["user_uuid"];
- $username = $row["username"];
- $user_email = $row["user_email"];
- $api_key = $row["api_key"];
- $user_enabled = $row["user_enabled"];
- $contact_uuid = $row["contact_uuid"];
- $user_status = $row["user_status"];
- }
- else {
- message::add($text['message-invalid_user'], 'negative', 7500);
- header("Location: user_edit.php?id=".$_SESSION['user_uuid']);
- exit;
- }
- unset($sql, $parameters, $row);
-
- //get user settings
- $sql = "select * from v_user_settings ";
- $sql .= "where user_uuid = :user_uuid ";
- $sql .= "and user_setting_enabled = 'true' ";
- 
$parameters['user_uuid'] = $user_uuid;
- $database = new database;
- $result = $database->select($sql, $parameters, 'all');
- if (is_array($result)) {
- foreach($result as $row) {
- $name = $row['user_setting_name'];
- $category = $row['user_setting_category'];
- $subcategory = $row['user_setting_subcategory'];
- if (strlen($subcategory) == 0) {
- //$$category[$name] = $row['domain_setting_value'];
- $user_settings[$category][$name] = $row['user_setting_value'];
- }
- else {
- $user_settings[$category][$subcategory][$name] = $row['user_setting_value'];
+ //get user settings
+ $sql = "select * from v_user_settings ";
+ $sql .= "where user_uuid = :user_uuid ";
+ $sql .= "and user_setting_enabled = 'true' ";
+ $parameters['user_uuid'] = $user_uuid;
+ $database = new database;
+ $result = $database->select($sql, $parameters, 'all');
+ if (is_array($result)) {
+ foreach($result as $row) {
+ $name = $row['user_setting_name'];
+ $category = $row['user_setting_category'];
+ $subcategory = $row['user_setting_subcategory'];
+ if (strlen($subcategory) == 0) {
+ //$$category[$name] = $row['domain_setting_value'];
+ $user_settings[$category][$name] = $row['user_setting_value'];
+ }
+ else {
+ $user_settings[$category][$subcategory][$name] = $row['user_setting_value'];
 }
 }
- unset($sql, $parameters, $result, $row);
 }
+ unset($sql, $parameters, $result, $row);
 }
 //include the header
@@ -1063,4 +1035,4 @@
 //include the footer
 require_once "resources/footer.php";
-?>
\ No newline at end of file
+?>
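Review bot: The redirect at the top of the @@ -541 hunk calls `urldecode($user_uuid)` where the parallel redirect added in the @@ -98 hunk uses `urlencode`; decoding a value that was never percent-encoded is at best a no-op and gives the query string none of the escaping the other redirect now has. The line should read `header("Location: user_edit.php?id=".urlencode($user_uuid));`. The invalid-user branch a few lines further down still concatenates `$_SESSION['user_uuid']` raw into the same URL, so wrapping that in `urlencode` as well would keep all three redirects in this file consistent. The if/else that emits the add/update message begins before this hunk, so its condition is not visible here.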