Topic: [extension release] pun_admin_add_user

Hi,

I don't know where I have to post this patch, so I decided to create this topic.

It allows setting the group and password of the user.
I didn't add the possibility to upload a CSV file for mass import because I prefer to use a shell script that calls curl in a loop.

Index: lang/English/pun_admin_add_user.php
===================================================================
--- lang/English/pun_admin_add_user.php    (révision 1580)
+++ lang/English/pun_admin_add_user.php    (copie de travail)
@@ -19,7 +19,9 @@
     'There are some errors'                        =>    '<strong>Warning!</strong> There are some errors:',
     'Username'                                    =>    'Username',
     'E-mail'                                    =>    'E-mail',
+    'Password'                                    =>    'Password',
+    'Group'                                        =>    'Group',
     'Edit user identity'                        =>    'Edit User Identity'
 )
 
-?>
\ No newline at end of file
+?>
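Review bot: The new 'Password' entry in this language file is not read by the form added later in the patch, which prints $lang_profile['Password'] and $lang_profile['Password help'] from profile.php; only 'Group' is taken from $lang_admin_add_user. Either drop the 'Password' entry or use it in the form, so that one field does not depend on two language files.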
Index: manifest.xml
===================================================================
--- manifest.xml    (révision 1580)
+++ manifest.xml    (copie de travail)
@@ -36,9 +36,14 @@
     
                     $username = trim($_POST['req_username']);
                     $email = strtolower(trim($_POST['req_email']));
+                    $password = trim($_POST['req_passwd']);
     
                     // Validate the username
                     $errors_add_users = validate_username($username);
+
+                    // Validate the password's length
+                    if (utf8_strlen($password) < 4)
+                        $errors_add_users[] = $lang_profile['Pass too short'];
     
                     // ... and the e-mail address
                     require_once FORUM_ROOT.'include/email.php';
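Review bot: $_POST['req_passwd'] is read without an isset() check and passed through trim(), so a password typed with leading or trailing spaces is silently changed before it is hashed; the 4-character minimum is also very low for an account created by an administrator. The error text comes from $lang_profile['Pass too short'], and the only place this patch loads profile.php is the require_once in the form hook further down, so check that it is also loaded on this code path.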
@@ -66,13 +71,12 @@
                     if (empty($errors_add_users))
                     {
                         $salt = random_key(12);
-                        $password = random_key(8, true);
                         $password_hash = sha1($salt.sha1($password));
     
                         $errors = add_user(
                             array(
                                 'username'                => $username,
-                                'group_id'                => ($forum_config['o_regs_verify'] == '0') ? $forum_config['o_default_user_group'] : FORUM_UNVERIFIED,
+                                'group_id'                => $_POST['req_group'],
                                 'salt'                    => $salt,
                                 'password'                => $password,
                                 'password_hash'            => $password_hash,
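Review bot: 'group_id' => $_POST['req_group'] passes a raw request value into add_user() with no type or range check, so the id is whatever the client sends rather than one of the options the form offers. Cast it with intval() and confirm it is an existing group other than FORUM_GUEST before calling add_user(), rejecting the request otherwise. The removed line also placed new accounts in FORUM_UNVERIFIED when o_regs_verify is enabled; if skipping that is intended for admin-created users, say so in a comment.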
@@ -113,6 +117,8 @@
         <![CDATA[
             if ($forum_user['g_id'] == FORUM_ADMIN)
             {
+                require_once FORUM_ROOT.'lang/'.$forum_user['language'].'/profile.php';
+
                 if (file_exists($ext_info['path'].'/lang/'.$forum_user['language'].'/'.$ext_info['id'].'.php'))
                     require $ext_info['path'].'/lang/'.$forum_user['language'].'/'.$ext_info['id'].'.php';
                 else
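Review bot: The require_once for profile.php has no fallback, unlike the extension's own language file just below it, which is guarded by file_exists() with an else branch. If the administrator's language pack has no profile.php this is a fatal error; guard it the same way.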
@@ -120,6 +126,7 @@
 
                 $username = '';
                 $email = '';
+                $password = '';
                 $edit_identity = '';
                 $result_message = '';
 
@@ -131,6 +138,7 @@
                     {
                         $username = $_POST['req_username'];
                         $email = $_POST['req_email'];
+                        $password = $_POST['req_passwd'];
                         $edit_identity = isset($_POST['edit_identity']);
                     }
                 }
@@ -194,6 +202,46 @@
                                 </div>
                             </div>
 
+                            <div class="sf-set set4">
+                                <div class="sf-box text">
+                                    <label for="add_user_passwd">
+                                        <span><?php echo $lang_profile['Password'] ?></span>
+                                        <small>
+                                            <?php echo $lang_profile['Password help'] ?>
+                                        </small>
+                                    </label>
+                                    <span class="fld-input"><input type="text" id="add_user_passwd" name="req_passwd" size="35" value="<?php echo $password ?>" /></span>
+                                </div>
+                            </div>
+
+                            <div class="sf-set set5">
+                                <div class="sf-box select">
+                                    <label for="add_user_group"><span><?php echo $lang_admin_add_user['Group'] ?></span></label><br />
+                                    <span class="fld-input"><select id="add_user_group" name="req_group">
+            <?php
+
+                $query = array(
+                    'SELECT'    => 'g.g_id, g.g_title',
+                    'FROM'        => 'groups AS g',
+                    'WHERE'        => 'g.g_id!='.FORUM_GUEST,
+                    'ORDER BY'    => 'g.g_title'
+                );
+
+                ($hook = get_hook('aus_change_group_qr_get_groups')) ? eval($hook) : null;
+                $result = $forum_db->query_build($query) or error(__FILE__, __LINE__);
+                while ($cur_group = $forum_db->fetch_assoc($result))
+                {
+                    if ($cur_group['g_id'] == $forum_config['o_default_user_group'])    // Pre-select the default Members group
+                        echo "\t\t\t\t\t\t\t\t".'<option value="'.$cur_group['g_id'].'" selected="selected">'.forum_htmlencode($cur_group['g_title']).'</option>'."\n";
+                    else
+                        echo "\t\t\t\t\t\t\t\t".'<option value="'.$cur_group['g_id'].'">'.forum_htmlencode($cur_group['g_title']).'</option>'."\n";
+                }
+
+            ?>
+                                    </select></span>
+                                </div>
+                            </div>
+
                             <fieldset class="mf-set set3">
                                 <legend><span><?php echo $lang_admin_add_user['Edit user identity'] ?></span></legend>
                                 <div class="mf-box mf-yesno">
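Review bot: value="<?php echo $password ?>" in the new password field prints the submitted req_passwd back into the page without encoding, so a value containing a double quote breaks out of the attribute; wrap it in forum_htmlencode() as the group titles in the select already are, or do not redisplay the password at all. The field is also type="text", which shows the password in clear on screen. The g.g_id!=FORUM_GUEST filter in the group query only limits what the select offers and has to be repeated on the server when req_group is processed.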

Charly.

Re: [extension release] pun_admin_add_user

This patch contains an SQL injection vulnerability in this part:

+                                'group_id'                => $_POST['req_group'],