| 3 |
3 |
*
|
| 4 |
4 |
* @category admin
|
| 5 |
5 |
* @package preferences
|
| 6 |
|
* @author Independend-Software-Team
|
| 7 |
6 |
* @author WebsiteBaker Project
|
| 8 |
|
* @copyright 2004-2009, Ryan Djurovich
|
| 9 |
|
* @copyright 2009-2011, Website Baker Org. e.V.
|
|
7 |
* @copyright 2009-2012, Website Baker Org. e.V.
|
| 10 |
8 |
* @link http://www.websitebaker2.org/
|
| 11 |
9 |
* @license http://www.gnu.org/licenses/gpl.html
|
| 12 |
10 |
* @platform WebsiteBaker 2.8.x
|
| ... | ... | |
| 28 |
26 |
{
|
| 29 |
27 |
global $MESSAGE;
|
| 30 |
28 |
$err_msg = array();
|
| 31 |
|
$min_pass_length = 6;
|
|
29 |
$iMinPassLength = 6;
|
| 32 |
30 |
// first check form-tan
|
| 33 |
31 |
if(!$admin->checkFTAN()){ $err_msg[] = $MESSAGE['GENERIC_SECURITY_ACCESS']; }
|
| 34 |
32 |
// Get entered values and validate all
|
| ... | ... | |
| 38 |
36 |
// check that display_name is unique in whoole system (prevents from User-faking)
|
| 39 |
37 |
$sql = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` ';
|
| 40 |
38 |
$sql .= 'WHERE `user_id` <> '.(int)$admin->get_user_id().' AND `display_name` LIKE "'.$display_name.'"';
|
| 41 |
|
if( $database->get_one($sql) > 0 ){ $err_msg[] = $MESSAGE['USERS']['USERNAME_TAKEN']; }
|
|
39 |
if( $database->get_one($sql) > 0 ){ $err_msg[] = $MESSAGE['USERS_USERNAME_TAKEN']; }
|
| 42 |
40 |
// language must be 2 upercase letters only
|
| 43 |
41 |
$language = strtoupper($admin->get_post('language'));
|
| 44 |
42 |
$language = (preg_match('/^[A-Z]{2}$/', $language) ? $language : DEFAULT_LANGUAGE);
|
| ... | ... | |
| 67 |
65 |
if( !$admin->validate_email($email) )
|
| 68 |
66 |
{
|
| 69 |
67 |
$email = '';
|
| 70 |
|
$err_msg[] = $MESSAGE['USERS']['INVALID_EMAIL'];
|
|
68 |
$err_msg[] = $MESSAGE['USERS_INVALID_EMAIL'];
|
| 71 |
69 |
}else {
|
| 72 |
70 |
if($email != '') {
|
| 73 |
71 |
// check that email is unique in whoole system
|
| 74 |
72 |
$email = $admin->add_slashes($email);
|
| 75 |
73 |
$sql = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` ';
|
| 76 |
74 |
$sql .= 'WHERE `user_id` <> '.(int)$admin->get_user_id().' AND `email` LIKE "'.$email.'"';
|
| 77 |
|
if( $database->get_one($sql) > 0 ){ $err_msg[] = $MESSAGE['USERS']['EMAIL_TAKEN']; }
|
|
75 |
if( $database->get_one($sql) > 0 ){ $err_msg[] = $MESSAGE['USERS_EMAIL_TAKEN']; }
|
| 78 |
76 |
}
|
| 79 |
77 |
}
|
| 80 |
78 |
// receive password vars and calculate needed action
|
| 81 |
|
$current_password = $admin->get_post('current_password');
|
| 82 |
|
$current_password = ($current_password == null ? '' : $current_password);
|
| 83 |
|
$new_password_1 = $admin->get_post('new_password_1');
|
| 84 |
|
$new_password_1 = (($new_password_1 == null || $new_password_1 == '') ? '' : $new_password_1);
|
| 85 |
|
$new_password_2 = $admin->get_post('new_password_2');
|
| 86 |
|
$new_password_2 = (($new_password_2 == null || $new_password_2 == '') ? '' : $new_password_2);
|
| 87 |
|
if($current_password == '')
|
| 88 |
|
{
|
| 89 |
|
$err_msg[] = $MESSAGE['PREFERENCES']['CURRENT_PASSWORD_INCORRECT'];
|
|
79 |
$sCurrentPassword = $admin->get_post('current_password');
|
|
80 |
$sCurrentPassword = (is_null($sCurrentPassword) ? '' : $sCurrentPassword);
|
|
81 |
$sNewPassword = $admin->get_post('new_password_1');
|
|
82 |
$sNewPassword = (is_null($sNewPassword) ? '' : $sNewPassword);
|
|
83 |
$sNewPasswordRetyped = $admin->get_post('new_password_2');
|
|
84 |
$sNewPasswordRetyped= (is_null($sNewPasswordRetyped) ? '' : $sNewPasswordRetyped);
|
|
85 |
// Check existing password
|
|
86 |
$sql = 'SELECT `password` ';
|
|
87 |
$sql .= 'FROM `'.TABLE_PREFIX.'users` ';
|
|
88 |
$sql .= 'WHERE `user_id` = '.$admin->get_user_id();
|
|
89 |
if (md5($sCurrentPassword) != $database->get_one($sql)) {
|
|
90 |
// access denied
|
|
91 |
$err_msg[] = $MESSAGE['PREFERENCES_CURRENT_PASSWORD_INCORRECT'];
|
| 90 |
92 |
}else {
|
| 91 |
|
// if new_password is empty, still let current one
|
| 92 |
|
if( $new_password_1 == '' )
|
| 93 |
|
{
|
| 94 |
|
$new_password_1 = $current_password;
|
| 95 |
|
$new_password_2 = $current_password;
|
|
93 |
// validate new password
|
|
94 |
$sPwHashNew = false;
|
|
95 |
if($sNewPassword != '') {
|
|
96 |
if(strlen($sNewPassword) < $iMinPassLength) {
|
|
97 |
$err_msg[] = $MESSAGE['USERS_PASSWORD_TOO_SHORT'];
|
|
98 |
}else {
|
|
99 |
if($sNewPassword != $sNewPasswordRetyped) {
|
|
100 |
$err_msg[] = $MESSAGE['USERS_PASSWORD_MISMATCH'];
|
|
101 |
}else {
|
|
102 |
$pattern = '/[^'.$admin->password_chars.']/';
|
|
103 |
if (preg_match($pattern, $sNewPassword)) {
|
|
104 |
$err_msg[] = $MESSAGE['PREFERENCES_INVALID_CHARS'];
|
|
105 |
}else {
|
|
106 |
$sPwHashNew = md5($sNewPassword);
|
|
107 |
}
|
|
108 |
}
|
|
109 |
}
|
| 96 |
110 |
}
|
| 97 |
|
|
| 98 |
|
// is password lenght matching min_pass_lenght ?
|
| 99 |
|
if( $new_password_1 != $current_password )
|
|
111 |
// if no validation errors, try to update the database, otherwise return errormessages
|
|
112 |
if(sizeof($err_msg) == 0)
|
| 100 |
113 |
{
|
| 101 |
|
if( strlen($new_password_1) < $min_pass_length )
|
| 102 |
|
{
|
| 103 |
|
$err_msg[] = $MESSAGE['USERS']['PASSWORD_TOO_SHORT'];
|
|
114 |
$sql = 'UPDATE `'.TABLE_PREFIX.'users` ';
|
|
115 |
$sql .= 'SET `display_name`=\''.$display_name.'\', ';
|
|
116 |
if($sPwHashNew) {
|
|
117 |
$sql .= '`password`=\''.$sPwHashNew.'\', ';
|
| 104 |
118 |
}
|
| 105 |
|
$pattern = '/[^'.$admin->password_chars.']/';
|
| 106 |
|
if( preg_match($pattern, $new_password_1) )
|
|
119 |
if($email != '') {
|
|
120 |
$sql .= '`email`=\''.$email.'\', ';
|
|
121 |
}
|
|
122 |
$sql .= '`language`=\''.$language.'\', ';
|
|
123 |
$sql .= '`timezone`=\''.$timezone.'\', ';
|
|
124 |
$sql .= '`date_format`=\''.$date_format.'\', ';
|
|
125 |
$sql .= '`time_format`=\''.$time_format.'\' ';
|
|
126 |
$sql .= 'WHERE `user_id`='.(int)$admin->get_user_id();
|
|
127 |
if( $database->query($sql) )
|
| 107 |
128 |
{
|
| 108 |
|
$err_msg[] = $MESSAGE['PREFERENCES']['INVALID_CHARS'];
|
| 109 |
|
}
|
| 110 |
|
}
|
| 111 |
|
// is password lenght matching min_pass_lenght ?
|
| 112 |
|
if( $new_password_1 != $current_password && strlen($new_password_1) < $min_pass_length )
|
| 113 |
|
{
|
| 114 |
|
$err_msg[] = $MESSAGE['USERS']['PASSWORD_TOO_SHORT'];
|
| 115 |
|
}
|
| 116 |
|
// password_1 matching password_2 ?
|
| 117 |
|
if( $new_password_1 != $new_password_2 )
|
| 118 |
|
{
|
| 119 |
|
$err_msg[] = $MESSAGE['USERS']['PASSWORD_MISMATCH'];
|
| 120 |
|
}
|
| 121 |
|
}
|
| 122 |
|
$current_password = md5($current_password);
|
| 123 |
|
$new_password_1 = md5($new_password_1);
|
| 124 |
|
$new_password_2 = md5($new_password_2);
|
| 125 |
|
// if no validation errors, try to update the database, otherwise return errormessages
|
| 126 |
|
if(sizeof($err_msg) == 0)
|
| 127 |
|
{
|
| 128 |
|
$sql = 'UPDATE `'.TABLE_PREFIX.'users` ';
|
| 129 |
|
$sql .= 'SET `display_name` = "'.$display_name.'", ';
|
| 130 |
|
$sql .= '`password` = "'.$new_password_1.'", ';
|
| 131 |
|
if($email != '') {
|
| 132 |
|
$sql .= '`email` = "'.$email.'", ';
|
| 133 |
|
}
|
| 134 |
|
$sql .= '`language` = "'.$language.'", ';
|
| 135 |
|
$sql .= '`timezone` = "'.$timezone.'", ';
|
| 136 |
|
$sql .= '`date_format` = "'.$date_format.'", ';
|
| 137 |
|
$sql .= '`time_format` = "'.$time_format.'" ';
|
| 138 |
|
$sql .= 'WHERE `user_id` = '.(int)$admin->get_user_id().' AND `password` = "'.$current_password.'"';
|
| 139 |
|
if( $database->query($sql) )
|
| 140 |
|
{
|
| 141 |
|
$sql_info = mysql_info($database->db_handle);
|
| 142 |
|
if(preg_match('/matched: *([1-9][0-9]*)/i', $sql_info) != 1)
|
| 143 |
|
{ // if the user_id and password dosn't match
|
| 144 |
|
$err_msg[] = $MESSAGE['PREFERENCES']['CURRENT_PASSWORD_INCORRECT'];
|
| 145 |
|
}else {
|
| 146 |
129 |
// update successfull, takeover values into the session
|
| 147 |
130 |
$_SESSION['DISPLAY_NAME'] = $display_name;
|
| 148 |
131 |
$_SESSION['LANGUAGE'] = $language;
|
| ... | ... | |
| 164 |
147 |
$_SESSION['USE_DEFAULT_TIME_FORMAT'] = true;
|
| 165 |
148 |
if(isset($_SESSION['TIME_FORMAT'])) { unset($_SESSION['TIME_FORMAT']); }
|
| 166 |
149 |
}
|
|
150 |
}else {
|
|
151 |
$err_msg[] = 'invalid database UPDATE call in '.__FILE__.'::'.__FUNCTION__.'before line '.__LINE__;
|
| 167 |
152 |
}
|
| 168 |
|
}else {
|
| 169 |
|
$err_msg[] = 'invalid database UPDATE call in '.__FILE__.'::'.__FUNCTION__.'before line '.__LINE__;
|
| 170 |
153 |
}
|
| 171 |
154 |
}
|
| 172 |
155 |
return ( (sizeof($err_msg) > 0) ? implode('<br />', $err_msg) : '' );
|
| ... | ... | |
| 176 |
159 |
{
|
| 177 |
160 |
// print the header
|
| 178 |
161 |
$admin->print_header();
|
| 179 |
|
$admin->print_success($MESSAGE['PREFERENCES']['DETAILS_SAVED']);
|
|
162 |
$admin->print_success($MESSAGE['PREFERENCES_DETAILS_SAVED']);
|
| 180 |
163 |
$admin->print_footer();
|
| 181 |
164 |
}else {
|
| 182 |
165 |
// print the header
|
possible errors on 'save password' fixed. Minimum length of password set to 6 chars