#
#
# patch "www/common-ctrl.php"
# from [525cce75f5c6b70486c58ac270facaa835e247f1]
# to [5ea62c8285f5c48fad5e55441be84f6a8f484bec]
#
# patch "www/user-ctrl.php"
# from [a29daaaaceb7f4205cdcd36b9520e79446511d2a]
# to [9f01d97b2c58c2a1b8c547782d105f3edf093260]
#
============================================================
--- www/common-ctrl.php 525cce75f5c6b70486c58ac270facaa835e247f1
+++ www/common-ctrl.php 5ea62c8285f5c48fad5e55441be84f6a8f484bec
@@ -45,23 +45,19 @@
     );
     if ($validuser) {
-        $fields = "give, upload, homepage, access, server, description";
-        $query = sprintf("SELECT %s FROM permissions WHERE ", $fields);
-        $query = $query . "username=? AND project=?";
+        $query = "SELECT give, upload, homepage, access, server, description";
+        $query = $query . " FROM permissions WHERE username=? AND project=?";
         $result = $db->Execute($query, array($username, $project));
         if ($result) {
-            $rows = $result->RecordCount();
-            $permissions['rows'] = $rows;
             $permissions['username'] = $username;
             $permissions['project'] = $project;
-            if ($rows == 1) {
-                $row = $result->FetchRow();
-                $permissions['give'] = ($row[0] == 1);
-                $permissions['upload'] = ($row[1] == 1);
-                $permissions['homepage'] = ($row[2] == 1);
-                $permissions['access'] = ($row[3] == 1);
-                $permissions['server'] = ($row[4] == 1);
-                $permissions['description'] = ($row[5] == 1);
+            if ($result->RecordCount() == 1) {
+                $permissions['give'] = ($result->fields[0] == 1);
+                $permissions['upload'] = ($result->fields[1] == 1);
+                $permissions['homepage'] = ($result->fields[2] == 1);
+                $permissions['access'] = ($result->fields[3] == 1);
+                $permissions['server'] = ($result->fields[4] == 1);
+                $permissions['description'] = ($result->fields[5] == 1);
             }
         }
     }
============================================================
--- www/user-ctrl.php a29daaaaceb7f4205cdcd36b9520e79446511d2a
+++ www/user-ctrl.php 9f01d97b2c58c2a1b8c547782d105f3edf093260
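Review bot: When the query returns zero rows or more than one, the new `if ($result->RecordCount() == 1)` branch leaves the six permission keys unset rather than false, so a later `$permissions['give']` read raises an undefined-index notice and is treated differently from an explicit deny depending on whether the caller tests with `isset()` or `empty()`. Initialising them fail-closed before the query, `foreach (array('give', 'upload', 'homepage', 'access', 'server', 'description') as $p) $permissions[$p] = false;`, makes the no-row and multi-row cases an explicit deny instead of a missing key. The commit also drops `$permissions['rows']`; if any consumer outside this hunk still reads that key it is now undefined, which is worth a grep before merging. The function that builds `$permissions` starts before the hunk and its return is outside it.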
@@ -7,35 +7,43 @@
         print $json->encode(array('error' => 'You are not permitted to do that.'));
         exit;
     }
+    $db->BeginTrans();
     $db->Execute("DELETE FROM users WHERE username=?", array($who));
     $db->Execute("DELETE FROM permissions WHERE username=?", array($who));
+    $db->CommitTrans();
     print $json->encode(array('ok' => 'ok'));
 } else if ($action == 'chuserpass') {
     if (! $administrator) {
         print $json->encode(array('error' => 'You are not permitted to do that.'));
         exit;
     }
+    $db->BeginTrans();
     $db->Execute("UPDATE USERS SET password=? WHERE username=?", array(sha1($args->new_password), $who));
+    $db->CommitTrans();
     print $json->encode(array('ok' => 'ok'));
 } else if ($action == 'op') {
     if (! $administrator) {
         print $json->encode(array('error' => 'You are not permitted to do that.'));
         exit;
     }
-    $db->Execute("UPDATE USERS SET admin=? WHERE username=?",
-        array(1, $who));
+    $db->BeginTrans();
+    $db->Execute("UPDATE USERS SET admin=1 WHERE username=?",
+        array($who));
+    $db->CommitTrans();
     print $json->encode(array('ok' => 'ok'));
 } else if ($action == 'deop') {
     if (! $administrator) {
         print $json->encode(array('error' => 'You are not permitted to do that.'));
         exit;
     }
-    $db->Execute("UPDATE USERS SET admin=? WHERE username=?",
-        array(0, $who));
+    $db->BeginTrans();
+    $db->Execute("UPDATE USERS SET admin=0 WHERE username=?",
+        array($who));
+    $db->CommitTrans();
     print $json->encode(array('ok' => 'ok'));
 } else
-    print $json->encode(array('error' => sprintf("I don't know how to '%s'.", $action)));
+    print $json->encode(array('error' => sprintf("I don't know how to '%s'.", strip_tags($action))));
 ?>
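Review bot: The new `$db->BeginTrans()` / `$db->CommitTrans()` pairs commit unconditionally: `CommitTrans()` is called with no argument and the return values of the `Execute()` calls between them are never checked, so if the first DELETE in the delete branch fails the second is still committed and nothing ever rolls back, which leaves the users/permissions pair just as non-atomic as before. ADOdb's smart-transaction pair, `$db->StartTrans();` … `$db->CompleteTrans();`, rolls the whole block back automatically when any statement inside it failed, and it should replace the manual pair in all four branches (the chuserpass, op and deop branches repeat the same pattern). On the last line, `strip_tags()` is not an escaping function for any output context: the value is JSON-encoded here, and whether the client later inserts it into HTML safely is decided at the render site, so either escape there or leave the echoed action out of the message. The if/else-if chain this hunk edits begins before the first hunk line.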