Project

General

Profile

1
<?php
2
/**
3
 *
4
 * @category        admin
5
 * @package         preferences
6
 * @author          WebsiteBaker Project
7
 * @copyright       Ryan Djurovich
8
 * @copyright       WebsiteBaker Org. e.V.
9
 * @link            http://websitebaker.org/
10
 * @license         http://www.gnu.org/licenses/gpl.html
11
 * @platform        WebsiteBaker 2.8.3
12
 * @requirements    PHP 5.3.6 and higher
13
 * @version         $Id: save.php 2 2017-07-02 15:14:29Z Manuela $
14
 * @filesource      $HeadURL: svn://isteam.dynxs.de/wb/2.10.x/branches/main/admin/preferences/save.php $
15
 * @lastmodified    $Date: 2017-07-02 17:14:29 +0200 (Sun, 02 Jul 2017) $
16
 *
17
 */
18

    
19

    
20
// Print admin header
21

    
22
if ( !defined( 'WB_PATH' ) ){ require( dirname(dirname((__DIR__))).'/config.php' ); }
23
if ( !class_exists('admin', false) ) { require(WB_PATH.'/framework/class.admin.php'); }
24
// suppress to print the header, so no new FTAN will be set
25
$admin = new admin('Preferences','start', false);
26

    
27
function save_preferences( $admin, $database)
28
{
29
    global $MESSAGE;
30
    $err_msg = array();
31
    $iMinPassLength = 6;
32
    $bPassRequest = false;
33
    $bMailHasChanged = false;
34
// first check form-tan
35
    if(!$admin->checkFTAN()){ $err_msg[] = $MESSAGE['GENERIC_SECURITY_ACCESS']; }
36
    $sLanguagesAddonDefaultFile = WB_PATH.'/account/languages/EN.php';
37
    if (is_readable($sLanguagesAddonDefaultFile)){include $sLanguagesAddonDefaultFile;}
38
    $sLanguagesAddonFile = WB_PATH.'/account/languages/'.LANGUAGE.'.php';
39
    if (is_readable($sLanguagesAddonFile)){include $sLanguagesAddonFile;}
40
// Get entered values and validate all
41
    // remove any dangerouse chars from display_name
42
//    $display_name     = $admin->add_slashes(strip_tags(trim($admin->get_post('display_name'))));
43
    $display_name = strip_tags( $admin->StripCodeFromText($admin->get_post('display_name')));
44
    $display_name     = ( $display_name == '' ? $admin->get_display_name() : $display_name );
45
    // check that display_name is unique in whoole system (prevents from User-faking)
46
    $sql  = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` ';
47
    $sql .= 'WHERE `user_id` <> '.(int)$admin->get_user_id().' AND `display_name` LIKE "'.$display_name.'"';
48
    if( $database->get_one($sql) > 0 ){ $err_msg[] = ( @$MESSAGE['USERS_DISPLAYNAME_TAKEN']?:$MESSAGE['MEDIA_BLANK_NAME'].' ('.$TEXT['DISPLAY_NAME'].')'); }
49
// language must be 2 upercase letters only
50
    $language         = strtoupper($admin->get_post('language'));
51
    $language         = (preg_match('/^[A-Z]{2}$/', $language) ? $language : DEFAULT_LANGUAGE);
52
    $user_time = true;
53
// timezone must be between -12 and +13  or -20 as system_default
54
    $timezone         = $admin->get_post('timezone');
55
    $timezone         = (is_numeric($timezone) ? $timezone : DEFAULT_TIMEZONE/3600);
56
    $timezone         = (($timezone >= -12 && $timezone <= 13) ? $timezone : DEFAULT_TIMEZONE/3600) * 3600;
57

    
58
// date_format must be a key from /interface/date_formats
59
    $date_format      = $admin->get_post('date_format');
60
    $date_format_key  = str_replace(' ', '|', $date_format);
61
    include( ADMIN_PATH.'/interface/date_formats.php' );
62
    $date_format = (array_key_exists($date_format_key, $DATE_FORMATS) ? $date_format : 'system_default');
63
    $date_format = ($date_format == 'system_default' ? '' : $date_format);
64
    unset($DATE_FORMATS);
65
// time_format must be a key from /interface/time_formats
66
    $time_format      = $admin->get_post('time_format');
67
    $time_format_key  = str_replace(' ', '|', $time_format);
68
    $user_time = true;
69
    include( ADMIN_PATH.'/interface/time_formats.php' );
70
    $time_format = (array_key_exists($time_format_key, $TIME_FORMATS) ? $time_format : 'system_default');
71
    $time_format = ($time_format == 'system_default' ? '' : $time_format);
72
    unset($TIME_FORMATS);
73

    
74
// email should be validatet by core
75
    $email = trim( $admin->get_post('email') == null ? '' : $admin->get_post('email') );
76
    if( (!$admin->validate_email($email)) )
77
    {
78
        $email = '';
79
        $err_msg[] = $MESSAGE['USERS_INVALID_EMAIL'];
80
    }else {
81
        if($email != '') {
82
            $sql = 'SELECT `email` FROM `'.TABLE_PREFIX.'users` '
83
                 . 'WHERE `user_id` = '.(int)$admin->get_user_id().' AND `email` LIKE \''.$email.'\'';
84
            $IsOldMail = $database->get_one($sql);
85
        // check that email is unique in whoole system
86
            $email = $admin->add_slashes($email);
87
            $sql = 'SELECT `email` FROM `'.TABLE_PREFIX.'users` '
88
                 . 'WHERE `user_id` <> '.(int)$admin->get_user_id().' AND `email` LIKE \''.$email.'\'';
89
            $checkMail = $database->get_one($sql);
90

    
91
            if( $checkMail == $email ){ $err_msg[] = $MESSAGE['USERS_EMAIL_TAKEN']; }
92
            $bMailHasChanged = ($email != $IsOldMail);
93
        }
94
    }
95
// receive password vars and calculate needed action
96
    $sCurrentPassword = $admin->get_post('current_password');
97
    $sCurrentPassword = (is_null($sCurrentPassword) ? '' : $sCurrentPassword);
98
    $sNewPassword = $admin->get_post('new_password_1');
99
    $sNewPassword = (is_null($sNewPassword) ? '' : $sNewPassword);
100
    $sNewPasswordRetyped = $admin->get_post('new_password_2');
101
    $sNewPasswordRetyped= (is_null($sNewPasswordRetyped) ? '' : $sNewPasswordRetyped);
102

    
103
    if($bMailHasChanged == true)
104
    {
105
        $bPassRequest = $bMailHasChanged;
106
    } else {
107
        $bPassRequest = ( ( $sCurrentPassword != '') || ($sNewPassword != '') || ($sNewPasswordRetyped != '') ) ? true : false;
108
    }
109

    
110
// Check existing password
111
    $sql  = 'SELECT `password` ';
112
    $sql .= 'FROM `'.TABLE_PREFIX.'users` ';
113
    $sql .= 'WHERE `user_id` = '.$admin->get_user_id();
114
    if ( $bPassRequest && md5($sCurrentPassword) != $database->get_one($sql)) {
115
// access denied
116
        $err_msg[] = $MESSAGE['PREFERENCES_CURRENT_PASSWORD_INCORRECT'];
117
    }else {
118
// validate new password
119
        $sPwHashNew = false;
120
        if($sNewPassword != '') {
121
            if(strlen($sNewPassword) < $iMinPassLength) {
122
                $err_msg[] = $MESSAGE['USERS_PASSWORD_TOO_SHORT'];
123
            }else {
124
                if($sNewPassword != $sNewPasswordRetyped) {
125
                    $err_msg[] = $MESSAGE['USERS_PASSWORD_MISMATCH'];
126
                }else {
127
                    $pattern = '/[^'.$admin->password_chars.']/';
128
                    if (preg_match($pattern, $sNewPassword)) {
129
                        $err_msg[] = $MESSAGE['PREFERENCES_INVALID_CHARS'];
130
                    }else {
131
                        $sPwHashNew = md5($sNewPassword);
132
                    }
133
                }
134
            }
135
        }
136
// if no validation errors, try to update the database, otherwise return errormessages
137
        if(sizeof($err_msg) == 0)
138
        {
139
            $sql  = 'UPDATE `'.TABLE_PREFIX.'users` ';
140
            $sql .= 'SET `display_name`=\''.$database->escapeString($display_name).'\', ';
141
            if($sPwHashNew) {
142
                $sql .=     '`password`=\''.$database->escapeString($sPwHashNew).'\', ';
143
            }
144
            if($email != '') {
145
                $sql .=     '`email`=\''.$database->escapeString($email).'\', ';
146
            }
147
            $sql .= '`language`=\''.$database->escapeString($language).'\', '
148
                  . '`timezone`=\''.$database->escapeString($timezone).'\', '
149
                  . '`date_format`=\''.$database->escapeString($date_format).'\', '
150
                  . '`time_format`=\''.$database->escapeString($time_format).'\' '
151
                  . 'WHERE `user_id`='.(int)$admin->get_user_id();
152
            if( $database->query($sql) )
153
            {
154
                // update successfull, takeover values into the session
155
                $_SESSION['DISPLAY_NAME'] = $display_name;
156
                $_SESSION['LANGUAGE'] = $language;
157
                $_SESSION['TIMEZONE'] = $timezone;
158
                $_SESSION['EMAIL'] = $email;
159
                // Update date format
160
                if($date_format != '') {
161
                    $_SESSION['DATE_FORMAT'] = $date_format;
162
                    if(isset($_SESSION['USE_DEFAULT_DATE_FORMAT'])) { unset($_SESSION['USE_DEFAULT_DATE_FORMAT']); }
163
                } else {
164
                    $_SESSION['USE_DEFAULT_DATE_FORMAT'] = true;
165
                    if(isset($_SESSION['DATE_FORMAT'])) { unset($_SESSION['DATE_FORMAT']); }
166
                }
167
                // Update time format
168
                if($time_format != '') {
169
                    $_SESSION['TIME_FORMAT'] = $time_format;
170
                    if(isset($_SESSION['USE_DEFAULT_TIME_FORMAT'])) { unset($_SESSION['USE_DEFAULT_TIME_FORMAT']); }
171
                } else {
172
                    $_SESSION['USE_DEFAULT_TIME_FORMAT'] = true;
173
                    if(isset($_SESSION['TIME_FORMAT'])) { unset($_SESSION['TIME_FORMAT']); }
174
                }
175
            }else {
176
                $err_msg[] = 'invalid database UPDATE call in '.__FILE__.'::'.__FUNCTION__.'before line '.__LINE__;
177
            }
178
        }
179
    }
180
    return ( (sizeof($err_msg) > 0) ? implode('<br />', $err_msg) : '' );
181
}
182
$retval = save_preferences($admin, $database);
183
if( $retval == '')
184
{
185
    // print the header
186
    $admin->print_header();
187
    $admin->print_success($MESSAGE['PREFERENCES_DETAILS_SAVED']);
188
    $admin->print_footer();
189
}else {
190
    // print the header
191
    $admin->print_header();
192
    $admin->print_error($retval);
193
}
(2-2/2)