
Revision 1804

Added by Dietmar about 12 years ago

  1. fixed Illegal string offset 'time' in \framework\SecureForm.mtab.php
    ! add delete Outdated Confirmations in backend
    ! show waiting Activations if exists in user management
  2. fixed html validation errors in user management
    ! security fixes in admin/preferences/
    ! update form module, change text "unknown#" to "Guest"
    in view_submission and email header email_fromname


branches/2.8.x/CHANGELOG
13 13

  
14 14

  
15 15

  
16
02 Nov-2012 Build 1804 Dietmar Woellbrink (Luisehahne)
17
# fixed Illegal string offset 'time' in \framework\SecureForm.mtab.php
18
! add delete Outdated Confirmations in backend
19
! show waiting Activations if exists in user management
20
# fixed html validaton errors in user management
21
! security fixes in admin/preferences/
22
! update form modul, change text "unknown#" to "Guest"
23
  in view_submission and emailheader email_fromname
16 24
01 Nov-2012 Build 1803 Dietmar Woellbrink (Luisehahne)
17 25
! update submission form with designer friendly css classes  
18 26
31 Oct-2012 Build 1802 Dietmar Woellbrink (Luisehahne)
branches/2.8.x/wb/admin/start/index.php
3 3
 *
4 4
 * @category        admin
5 5
 * @package         start
6
 * @author          Ryan Djurovich, WebsiteBaker Project
6
 * @author          Ryan Djurovich (2004-2009), WebsiteBaker Project
7 7
 * @copyright       2009-2012, WebsiteBaker Org. e.V.
8 8
 * @link			http://www.websitebaker2.org/
9 9
 * @license         http://www.gnu.org/licenses/gpl.html
......
19 19
//$regex = "/(pages)+[a-z]*[_]([a-z_0-9]+)[^,]/im";
20 20
//preg_match_all ($regex, $string, $output);
21 21
//
22
require('../../config.php');
23
require_once(WB_PATH.'/framework/class.admin.php');
22

  
23
$config_file = realpath('../../config.php');
24
if(file_exists($config_file) && !defined('WB_URL'))
25
{
26
	require_once($config_file);
27
}
28

  
29
if(!class_exists('admin', false)){ include(WB_PATH.'/framework/class.admin.php'); }
30

  
24 31
$admin = new admin('Start','start');
25 32
// ---------------------------------------
26 33
//	$database = WbDatabase::getInstance();
......
118 125
	}
119 126
}
120 127

  
128
/**
129
 * delete Outdated Confirmations
130
 */
131
$sql = 'DELETE FROM `'.TABLE_PREFIX.'users` WHERE `confirm_timeout` BETWEEN 1 AND '.time();
132
WbDatabase::getInstance()->query($sql);
133

  
121 134
// ---------------------------------------
122 135
// Setup template object, parse vars to it, then parse it
123 136
// Create new template object
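Review bot: The DELETE added at line 131 removes every user whose `confirm_timeout` has passed without checking that the account is still unactivated, whereas the waiting-activation list this revision adds in users/index.php selects on `active = 0 AND confirm_timeout != 0`; unless activation clears `confirm_timeout` (not visible in this diff), an activated account that kept its timestamp disappears on the next dashboard load. It also runs as a side effect of rendering the start page on every request, and the query result is discarded. I would add the `active = 0` condition (backquoted like the other column names) to the WHERE clause and surface `is_error()` after the query, or move the cleanup next to the code that lists the waiting accounts. The statement run around the insert continues outside the hunk.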
branches/2.8.x/wb/admin/skel/themes/htt/users.htt
18 18
{FTAN}
19 19

  
20 20
<button type="button" name="status" title="{TEXT_USERS}" style="width: 30px; background: {STATUS_ICON} no-repeat center" value="{USER_STATUS}" onclick="javascript: window.location = 'index.php?status={USER_STATUS}';" class="status {DISPLAY_MODIFY}" >&nbsp;</button>
21
<select name="user_id" style="width: 500px;">
21
<select name="user_id" class="user-list" style="width: 500px;">
22 22
<!-- BEGIN list_block -->
23 23
	<option value="{VALUE}" {STATUS}>{NAME}</option>
24 24
<!-- END list_block -->
......
27 27
<input type="submit" name="modify" style="width: 100px;" value="{TEXT_MODIFY}" class="{DISPLAY_MODIFY}" />
28 28
<input type="submit" name="delete" style="width: 100px;" value="{TEXT_DELETE}" onclick="return confirm('{CONFIRM_DELETE}');" class="{DISPLAY_DELETE}" />
29 29

  
30
<!-- BEGIN show_confirmed_activation_block -->
31
<h3 class="bold">{DISPLAY_WAITING_ACTIVATION}</h3>
32
     <select name="user_id_activation_id" class="user-activation" style="width: 500px; margin-left: 34px;">
33
    <!-- BEGIN list_confirmed_activation_block -->
34
    	<option value="{VALUE}" {STATUS}>{NAME}</option>
35
    <!-- END list_confirmed_activation_block -->
36
    </select>
37
    <input type="submit" name="delete_outdated" style="width: 100px;" value="{TEXT_DELETE}" onclick="return confirm('{CONFIRM_DELETE}');" class="{DISPLAY_DELETE}" />
38
<!-- END show_confirmed_activation_block -->
39

  
30 40
</form>
31 41

  
32
<br />
33
<h2 style="margin-top: 20px;" class="{DISPLAY_ADD} left">{HEADING_ADD_USER}</h2>
42
<h3 class="bold {DISPLAY_ADD}" style="margin-top: 20px;">{HEADING_ADD_USER}</h3>
34 43
</div>
35 44
<!-- END main_block -->
branches/2.8.x/wb/admin/skel/themes/htt/users_form.htt
45 45
	</td>
46 46
</tr>
47 47
<tr style="{DISPLAY_EXTRA}">
48
	<td class="right">&nbsp;</td>
49
	<td style="font-size: 10px;">
50
		{CHANGING_PASSWORD}
48
	<td colspan="2" style="">
49
		<div class="warning value_input" style="max-width:700px; margin-right: 20%; float: right;">{CHANGING_PASSWORD}</div>
51 50
	</td>
52 51
</tr>
53 52
<tr>
branches/2.8.x/wb/admin/interface/version.php
51 51

  
52 52
// check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled)
53 53
if(!defined('VERSION')) define('VERSION', '2.8.3');
54
if(!defined('REVISION')) define('REVISION', '1803');
54
if(!defined('REVISION')) define('REVISION', '1804');
55 55
if(!defined('SP')) define('SP', '');
branches/2.8.x/wb/admin/users/save.php
15 15
 *
16 16
 */
17 17

  
18
// Print admin header
19
require('../../config.php');
20
require_once(WB_PATH.'/framework/class.admin.php');
18
$config_file = realpath('../../config.php');
19
if(file_exists($config_file) && !defined('WB_URL'))
20
{
21
	require_once($config_file);
22
}
23

  
24
if(!class_exists('admin', false)){ include(WB_PATH.'/framework/class.admin.php'); }
25

  
21 26
// suppress to print the header, so no new FTAN will be set
22 27
$admin = new admin('Access', 'users_modify', false);
23 28

  
......
64 69
	                  $MESSAGE['USERS_USERNAME_TOO_SHORT'], $js_back);
65 70
}
66 71
if($password != "") {
67
	if(strlen($password) < 2) {
72
	if(strlen($password) < 6 ) {
68 73
		$admin->print_error($MESSAGE['USERS_PASSWORD_TOO_SHORT'], $js_back);
69 74
	}
70 75
	if($password != $password2) {
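Review bot: The new minimum of `6` at line 72 is a second copy of the limit that preferences/save.php in this same revision keeps in `$iMinPassLength = 6`; with two literals the two paths will drift apart, so I would define it once (e.g. a `MIN_PASSWORD_LENGTH` constant next to the admin class) and use it in both, `if(strlen($password) < MIN_PASSWORD_LENGTH) {`. `strlen` counts bytes, so a five-character UTF-8 password can pass; `mb_strlen` is the intended measure if multibyte passwords are allowed. The new prologue replaces `require('../../config.php')` with a silent `file_exists` check and an `include()` of class.admin.php, so a missing config or class file now only warns before the `new admin(...)` call fails; `require_once` on both keeps the fail-fast behaviour of the replaced lines. The validation run continues past the end of the hunk.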
branches/2.8.x/wb/admin/users/users.php
13 13
 * @filesource		$HeadURL$
14 14
 * @lastmodified    $Date$
15 15
 *
16
*/
16
 */
17 17

  
18 18
 // Include config file and admin class file
19
require('../../config.php');
20
require_once(WB_PATH.'/framework/class.admin.php');
21 19

  
20
$config_file = realpath('../../config.php');
21
if(file_exists($config_file) && !defined('WB_URL'))
22
{
23
	require_once($config_file);
24
}
25

  
26
if(!class_exists('admin', false)){ include(WB_PATH.'/framework/class.admin.php'); }
27

  
22 28
$action = 'cancel';
23 29
// Set parameter 'action' as alternative to javascript mechanism
24 30
$action = (isset($_POST['modify']) ? 'modify' : $action );
25 31
$action = (isset($_POST['delete']) ? 'delete' : $action );
32
$action = (isset($_POST['delete_outdated']) ? 'delete_outdated' : $action );
26 33

  
27 34
switch ($action):
28 35
	case 'modify' :
......
51 58
			$template->set_block('main_block', 'show_modify_loginname_block', 'show_modify_loginname');
52 59
			$template->set_block('main_block', 'show_add_loginname_block', 'show_add_loginname');
53 60
			$template->set_var(	array(
54
								'ACTION_URL' => ADMIN_URL.'/users/save.php',
55
								'SUBMIT_TITLE' => $TEXT['SAVE'],
56
								'USER_ID' => $user['user_id'],
57
								'USERNAME' => $user['username'],
58
								'DISPLAY_NAME' => $user['display_name'],
59
								'EMAIL' => $user['email'],
60
								'ADMIN_URL' => ADMIN_URL,
61
								'WB_URL' => WB_URL,
62
								'THEME_URL' => THEME_URL
63
								)
64
						);
61
						'ACTION_URL' => ADMIN_URL.'/users/save.php',
62
						'SUBMIT_TITLE' => $TEXT['SAVE'],
63
						'USER_ID' => $user['user_id'],
64
						'DISPLAY_EXTRA' => '',
65
						'DISPLAY_HOME_FOLDERS' => '',
66
						'USERNAME' => $user['username'],
67
						'DISPLAY_NAME' => $user['display_name'],
68
						'EMAIL' => $user['email'],
69
						'ADMIN_URL' => ADMIN_URL,
70
						'WB_URL' => WB_URL,
71
						'THEME_URL' => THEME_URL
72
						)
73
				);
65 74

  
66 75
			$template->set_var('FTAN', $admin->getFTAN());
67 76
			if($user['active'] == 1) {
77
                $template->set_var('DISABLED_CHECKED', '');
68 78
				$template->set_var('ACTIVE_CHECKED', ' checked="checked"');
69 79
			} else {
80
                $template->set_var('ACTIVE_CHECKED', '');
70 81
				$template->set_var('DISABLED_CHECKED', ' checked="checked"');
71 82
			}
72 83
			// Add groups to list
......
184 195
		case 'delete' :
185 196
			// Print header
186 197
			$admin = new admin('Access', 'users_delete');
198

  
187 199
			$user_id = intval($admin->checkIDKEY('user_id', 0, $_SERVER['REQUEST_METHOD']));
188 200
			// Check if user id is a valid number and doesnt equal 1
201

  
189 202
			if($user_id == 0){
190 203
			$admin->print_error($MESSAGE['GENERIC_FORGOT_OPTIONS'] );
191 204
            }
......
211 224
			// Print admin footer
212 225
			$admin->print_footer();
213 226
			break;
227
		case 'delete_outdated' :
228
			$admin = new admin('Access', 'users_delete');
229

  
230
			$user_id = intval($admin->checkIDKEY('user_id_activation_id', 0, $_SERVER['REQUEST_METHOD']));
231
			// Check if user id is a valid number and doesnt equal 1
232
			if($user_id == 0){
233
    			$admin->print_error($MESSAGE['GENERIC_FORGOT_OPTIONS'] );
234
            }
235
			if( ($user_id < 2 ) )
236
			{
237
				// if($admin_header) { $admin->print_header(); }
238
				$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'] );
239
			}
240
			$database->query("DELETE FROM `".TABLE_PREFIX."users` WHERE `user_id` = ".$user_id);
241
			if($database->is_error()) {
242
				$admin->print_error($database->get_error());
243
			} else {
244
				$admin->print_success($MESSAGE['USERS_DELETED']);
245
			}
246
			// Print admin footer
247
			$admin->print_footer();
248

  
249

  
250
			break;
214 251
	default:
215 252
			break;
216 253
endswitch;
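Review bot: The `delete_outdated` case (lines 227-250) deletes whatever user id `checkIDKEY('user_id_activation_id', ...)` resolves to, excluding only ids below 2; it never confirms that the row is still an unactivated account, which is the premise the `user_id_activation_id` list in users/index.php is built on (`active = 0 AND confirm_timeout != 0`). Restricting the statement to that state, ``"DELETE FROM `".TABLE_PREFIX."users` WHERE `user_id` = ".$user_id." AND `active` = 0 AND `confirm_timeout` != 0"``, and treating zero affected rows as an error keeps a stale or replayed form from removing an active account. The two guards at lines 232-239 only help if `print_error` terminates the script; if it returns, both fall through to the DELETE, so an explicit `break` after each is safer. Note also that index.php shows this list only to members of group 1, while this handler accepts the action from anyone holding `users_delete`. The `delete` case it mirrors is mostly outside the hunk, so any extra checks it performs cannot be compared here.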
branches/2.8.x/wb/admin/users/index.php
13 13
 * @filesource		$HeadURL$
14 14
 * @lastmodified    $Date$
15 15
 *
16
*/
16
 */
17 17

  
18
require('../../config.php');
19
require_once(WB_PATH.'/framework/class.admin.php');
18
$config_file = realpath('../../config.php');
19
if(file_exists($config_file) && !defined('WB_URL'))
20
{
21
	require_once($config_file);
22
}
23

  
24
if(!class_exists('admin', false)){ include(WB_PATH.'/framework/class.admin.php'); }
25

  
20 26
$admin = new admin('Access', 'users');
21 27

  
22 28
$iUserStatus = 1;
......
34 40
$template->set_var('ADMIN_URL', ADMIN_URL);
35 41
$template->set_var('FTAN', $admin->getFTAN());
36 42
$template->set_var('USER_STATUS', $iUserStatus );
43
$template->set_var('DISPLAY_ADD', '');
44
$template->set_var('DISPLAY_MODIFY', '');
45
$template->set_var('DISABLED_CHECKED', '');
46
$template->set_var('HEADING_MODIFY_USER', '');
47
$template->set_var('DISPLAY_HOME_FOLDERS', '');
37 48

  
38 49
$UserStatusActive = 'url('.THEME_URL.'/images/user.png)';
39 50
$UserStatusInactive = 'url('.THEME_URL.'/images/user_red.png)';
......
105 116
);
106 117
// Insert language text and messages
107 118
$template->set_var(array(
119
		'DISPLAY_WAITING_ACTIVATION' => '',
108 120
		'TEXT_MODIFY' => $TEXT['MODIFY'],
109 121
		'TEXT_DELETE' => $TEXT['DELETE'],
110 122
		'TEXT_MANAGE_GROUPS' => ( $admin->get_permission('groups') == true ) ? $TEXT['MANAGE_GROUPS'] : "**",
111 123
		'CONFIRM_DELETE' => (($iUserStatus == 1) ? $TEXT['ARE_YOU_SURE'] : $MESSAGE['USERS_CONFIRM_DELETE'])
112 124
		)
113 125
);
126

  
127
$template->set_block('main_block', 'show_confirmed_activation_block', 'show_confirmed_activation');
128
if($admin->ami_group_member('1')) {
129
        $template->set_block('show_confirmed_activation_block', 'list_confirmed_activation_block', 'list_confirmed_activation');
130
    	$template->set_var('DISPLAY_WAITING_ACTIVATION', 'Users waiting for activation');
131
		$sql  = 'SELECT * FROM `'.TABLE_PREFIX.'users` ';
132
		$sql .= 'WHERE `confirm_timeout` != 0 ';
133
        $sql .=   'AND `active` = 0 ';
134
        $sql .=   'AND `user_id` != 1 ';
135
        if( ($oRes = $database->query($sql)) ) {
136
        	$template->set_var('DISPLAY_DELETE', '');
137
//        	$template->set_var('NAME', 'User waiting for activation');
138
//        	$template->set_var('STATUS', '' );
139
        	// Loop through users
140
            if($nNumRows = $oRes->numRows()) {
141
            	while($aUser = $oRes->fetchRow(MYSQL_ASSOC)) {
142
            		$template->set_var('VALUE',$admin->getIDKEY($aUser['user_id']));
143
               		$template->set_var('STATUS', '') ;
144
            		$template->set_var('NAME', $aUser['display_name'].' ('.$aUser['username'].')');
145
            		$template->parse('list_confirmed_activation', 'list_confirmed_activation_block', true);
146
            	}
147
            	$template->parse('show_confirmed_activation', 'show_confirmed_activation_block',true);
148
            }
149
        } else { $nNumRows = 0; }
150

  
151
}
152

  
153
if ( $nNumRows == 0){
154
	$template->parse('show_confirmed_activation', '');
155
}
156

  
114 157
if ( $admin->get_permission('groups') == true ) $template->parse("groups", "manage_groups_block", true);
115 158
// Parse template object
116 159
$template->parse('main', 'main_block', false);
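Review bot: `NAME` at line 144 is built from `display_name` and `username` straight out of the database and rendered inside `<option>` in users.htt without `htmlspecialchars`; this revision's preferences/save.php strips tags from display names on that path, but the admin add/modify path is not visible here, so I would escape at the output point regardless: `$template->set_var('NAME', htmlspecialchars($aUser['display_name'].' ('.$aUser['username'].')', ENT_QUOTES));`. `$nNumRows` is only assigned inside the `ami_group_member('1')` branch, so for every other admin line 153 reads an undefined variable; an `$nNumRows = 0;` before the `if` at line 128 fixes the notice. The label `'Users waiting for activation'` at line 130 is a hard-coded English string where the rest of the file uses `$TEXT`/`$MESSAGE` entries.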
......
126 169
$template->set_block('main_block', 'show_add_loginname_block', 'show_add_loginname');
127 170
$template->set_var('DISPLAY_EXTRA', 'display:none;');
128 171
$template->set_var('ACTIVE_CHECKED', ' checked="checked"');
172

  
173
$template->set_var('DISPLAY_ADD', '');
174
$template->set_var('DISPLAY_MODIFY', '');
175
$template->set_var('DISABLED_CHECKED', '');
176
$template->set_var('HEADING_MODIFY_USER', '');
177
$template->set_var('DISPLAY_HOME_FOLDERS', '');
129 178
$template->set_var('ACTION_URL', ADMIN_URL.'/users/add.php');
130 179
$template->set_var('SUBMIT_TITLE', $TEXT['ADD']);
131 180
$template->set_var('FTAN', $admin->getFTAN());
branches/2.8.x/wb/admin/preferences/save.php
15 15
 *
16 16
 */
17 17

  
18

  
19
// Print admin header
20
require('../../config.php');
21
require_once(WB_PATH.'/framework/class.admin.php');
22
// suppress to print the header, so no new FTAN will be set
23
$admin = new admin('Preferences','start', false);
24

  
25 18
function save_preferences( &$admin, &$database)
26 19
{
27 20
	global $MESSAGE;
28 21
	$err_msg = array();
29 22
	$iMinPassLength = 6;
23
	$bPassRequest = false;
24
	$bMailHasChanged = false;
30 25
// first check form-tan
31
	if(!$admin->checkFTAN()){ $err_msg[] = $MESSAGE['GENERIC_SECURITY_ACCESS']; }
26
	if(!$admin->checkFTAN()){
27
	   $err_msg[] = $MESSAGE['GENERIC_SECURITY_ACCESS'];
28
    } else {
32 29
// Get entered values and validate all
33 30
	// remove any dangerouse chars from display_name
34
	$display_name     = $admin->add_slashes(strip_tags(trim($admin->get_post('display_name'))));
35
	$display_name     = ( $display_name == '' ? $admin->get_display_name() : $display_name );
36
	// check that display_name is unique in whoole system (prevents from User-faking)
37
	$sql  = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` ';
38
	$sql .= 'WHERE `user_id` <> '.(int)$admin->get_user_id().' AND `display_name` LIKE "'.$display_name.'"';
39
	if( $database->get_one($sql) > 0 ){ $err_msg[] = $MESSAGE['USERS_USERNAME_TAKEN']; }
31
        $display_name = $admin->add_slashes(strip_tags($admin->StripCodeFromText($admin->get_post('display_name'),true)));
32
    	$display_name = ( $display_name == '' ? $admin->get_display_name() : $display_name );
33
// check that display_name is unique in whoole system (prevents from User-faking)
34
    	$sql  = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` ';
35
    	$sql .= 'WHERE `user_id` <> '.(int)$admin->get_user_id().' AND `display_name` LIKE "'.$display_name.'"';
36
    	if( $database->get_one($sql) > 0 ){ $err_msg[] = $MESSAGE['USERS_USERNAME_TAKEN']; }
40 37
// language must be 2 upercase letters only
41
	$language         = strtoupper($admin->get_post('language'));
42
	$language         = (preg_match('/^[A-Z]{2}$/', $language) ? $language : DEFAULT_LANGUAGE);
38
    	$language         = strtoupper($admin->get_post('language'));
39
    	$language         = (preg_match('/^[A-Z]{2}$/', $language) ? $language : DEFAULT_LANGUAGE);
43 40
// timezone must be between -12 and +13  or -20 as system_default
44
	$timezone         = $admin->get_post('timezone');
45
	$timezone         = (is_numeric($timezone) ? $timezone : -20);
46
	$timezone         = ( ($timezone >= -12 && $timezone <= 13) ? $timezone : -20 ) * 3600;
41
    	$timezone         = $admin->get_post('timezone');
42
    	$timezone         = (is_numeric($timezone) ? $timezone : -20);
43
    	$timezone         = ( ($timezone >= -12 && $timezone <= 13) ? $timezone : -20 ) * 3600;
47 44
// date_format must be a key from /interface/date_formats
48
	$date_format      = $admin->get_post('date_format');
49
	$date_format_key  = str_replace(' ', '|', $date_format);
50
	$user_time = true;
51
	include( ADMIN_PATH.'/interface/date_formats.php' );
52
	$date_format = (array_key_exists($date_format_key, $DATE_FORMATS) ? $date_format : 'system_default');
53
	$date_format = ($date_format == 'system_default' ? '' : $date_format);
54
	unset($DATE_FORMATS);
45
    	$date_format      = $admin->get_post('date_format');
46
    	$date_format_key  = str_replace(' ', '|', $date_format);
47
    	$user_time = true;
48
    	include( ADMIN_PATH.'/interface/date_formats.php' );
49
    	$date_format = (array_key_exists($date_format_key, $DATE_FORMATS) ? $date_format : 'system_default');
50
    	$date_format = ($date_format == 'system_default' ? '' : $date_format);
51
    	unset($DATE_FORMATS);
55 52
// time_format must be a key from /interface/time_formats
56
	$time_format      = $admin->get_post('time_format');
57
	$time_format_key  = str_replace(' ', '|', $time_format);
58
	$user_time = true;
59
	include( ADMIN_PATH.'/interface/time_formats.php' );
60
	$time_format = (array_key_exists($time_format_key, $TIME_FORMATS) ? $time_format : 'system_default');
61
	$time_format = ($time_format == 'system_default' ? '' : $time_format);
62
	unset($TIME_FORMATS);
53
    	$time_format      = $admin->get_post('time_format');
54
    	$time_format_key  = str_replace(' ', '|', $time_format);
55
    	$user_time = true;
56
    	include( ADMIN_PATH.'/interface/time_formats.php' );
57
    	$time_format = (array_key_exists($time_format_key, $TIME_FORMATS) ? $time_format : 'system_default');
58
    	$time_format = ($time_format == 'system_default' ? '' : $time_format);
59
    	unset($TIME_FORMATS);
63 60
// email should be validatet by core
64
	$email = trim( $admin->get_post('email') == null ? '' : $admin->get_post('email') );
65
	if( !$admin->validate_email($email) )
66
	{
67
		$email = '';
68
		$err_msg[] = $MESSAGE['USERS_INVALID_EMAIL'];
69
	}else {
70
		if($email != '') {
71
		// check that email is unique in whoole system
72
			$email = $admin->add_slashes($email);
73
			$sql  = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` ';
74
			$sql .= 'WHERE `user_id` <> '.(int)$admin->get_user_id().' AND `email` LIKE "'.$email.'"';
75
			if( $database->get_one($sql) > 0 ){ $err_msg[] = $MESSAGE['USERS_EMAIL_TAKEN']; }
76
		}
77
	}
61

  
62
//    	$email = trim( $admin->get_post('email') == null ? '' : $admin->get_post('email') );
63
        $email = $admin->add_slashes(strip_tags($admin->StripCodeFromText($admin->get_post('email'),true)));
64
    	if( !$admin->validate_email($email) )
65
    	{
66
    		$email = '';
67
    		$err_msg[] = $MESSAGE['USERS_INVALID_EMAIL'];
68
    	} else {
69
    		if($email != '') {
70
    		// check that email is unique in whoole system
71
    			$sql  = 'SELECT `email` FROM `'.TABLE_PREFIX.'users` ';
72
    			$sql .= 'WHERE `user_id` = '.(int)$admin->get_user_id().' AND `email` LIKE "'.$email.'"';
73
                $IsOldMail = $database->get_one($sql);
74
    		// check that email is unique in whoole system
75
    			$email = $admin->add_slashes($email);
76
    			$sql  = 'SELECT `email` FROM `'.TABLE_PREFIX.'users` ';
77
    			$sql .= 'WHERE `user_id` <> '.(int)$admin->get_user_id().' AND `email` LIKE "'.$email.'"';
78
                $checkMail = $database->get_one($sql);
79

  
80
    			if( $checkMail == $email ){ $err_msg[] = $MESSAGE['USERS_EMAIL_TAKEN']; }
81
                $bMailHasChanged = ($email != $IsOldMail);
82
    		}
83
    	}
84

  
78 85
// receive password vars and calculate needed action
79
	$sCurrentPassword = $admin->get_post('current_password');
80
	$sCurrentPassword = (is_null($sCurrentPassword) ? '' : $sCurrentPassword);
81
	$sNewPassword = $admin->get_post('new_password_1');
82
	$sNewPassword = (is_null($sNewPassword) ? '' : $sNewPassword);
83
	$sNewPasswordRetyped = $admin->get_post('new_password_2');
84
	$sNewPasswordRetyped= (is_null($sNewPasswordRetyped) ? '' : $sNewPasswordRetyped);
85
// Check existing password
86
	$sql  = 'SELECT `password` ';
87
	$sql .= 'FROM `'.TABLE_PREFIX.'users` ';
88
	$sql .= 'WHERE `user_id` = '.$admin->get_user_id();
89
	if (md5($sCurrentPassword) != $database->get_one($sql)) {
90
// access denied
91
		$err_msg[] = $MESSAGE['PREFERENCES_CURRENT_PASSWORD_INCORRECT'];
92
	}else {
93
// validate new password
94
		$sPwHashNew = false;
95
		if($sNewPassword != '') {
96
			if(strlen($sNewPassword) < $iMinPassLength) {
97
				$err_msg[] = $MESSAGE['USERS_PASSWORD_TOO_SHORT'];
98
			}else {
99
				if($sNewPassword != $sNewPasswordRetyped) {
100
					$err_msg[] = $MESSAGE['USERS_PASSWORD_MISMATCH'];
101
				}else {
102
					$pattern = '/[^'.$admin->password_chars.']/';
103
					if (preg_match($pattern, $sNewPassword)) {
104
						$err_msg[] = $MESSAGE['PREFERENCES_INVALID_CHARS'];
105
					}else {
106
						$sPwHashNew = md5($sNewPassword);
107
					}
108
				}
109
			}
110
		}
111
// if no validation errors, try to update the database, otherwise return errormessages
112
		if(sizeof($err_msg) == 0)
113
		{
114
			$sql  = 'UPDATE `'.TABLE_PREFIX.'users` ';
115
			$sql .= 'SET `display_name`=\''.$display_name.'\', ';
116
			if($sPwHashNew) {
117
				$sql .=     '`password`=\''.$sPwHashNew.'\', ';
118
			}
119
			if($email != '') {
120
				$sql .=     '`email`=\''.$email.'\', ';
121
			}
122
			$sql .=     '`language`=\''.$language.'\', ';
123
			$sql .=     '`timezone`=\''.$timezone.'\', ';
124
			$sql .=     '`date_format`=\''.$date_format.'\', ';
125
			$sql .=     '`time_format`=\''.$time_format.'\' ';
126
			$sql .= 'WHERE `user_id`='.(int)$admin->get_user_id();
127
			if( $database->query($sql) )
128
			{
129
				// update successfull, takeover values into the session
130
				$_SESSION['DISPLAY_NAME'] = $display_name;
131
				$_SESSION['LANGUAGE'] = $language;
132
				$_SESSION['TIMEZONE'] = $timezone;
133
				$_SESSION['EMAIL'] = $email;
134
				// Update date format
135
				if($date_format != '') {
136
					$_SESSION['DATE_FORMAT'] = $date_format;
137
					if(isset($_SESSION['USE_DEFAULT_DATE_FORMAT'])) { unset($_SESSION['USE_DEFAULT_DATE_FORMAT']); }
138
				} else {
139
					$_SESSION['USE_DEFAULT_DATE_FORMAT'] = true;
140
					if(isset($_SESSION['DATE_FORMAT'])) { unset($_SESSION['DATE_FORMAT']); }
141
				}
142
				// Update time format
143
				if($time_format != '') {
144
					$_SESSION['TIME_FORMAT'] = $time_format;
145
					if(isset($_SESSION['USE_DEFAULT_TIME_FORMAT'])) { unset($_SESSION['USE_DEFAULT_TIME_FORMAT']); }
146
				} else {
147
					$_SESSION['USE_DEFAULT_TIME_FORMAT'] = true;
148
					if(isset($_SESSION['TIME_FORMAT'])) { unset($_SESSION['TIME_FORMAT']); }
149
				}
150
			}else {
151
				$err_msg[] = 'invalid database UPDATE call in '.__FILE__.'::'.__FUNCTION__.'before line '.__LINE__;
152
			}
153
		}
154
	}
86
        $sCurrentPassword = $admin->add_slashes($admin->StripCodeFromText($admin->get_post('current_password'),true));
87
        $sNewPassword = $admin->add_slashes($admin->StripCodeFromText($admin->get_post('new_password_1'),true));
88
        $sNewPasswordRetyped = $admin->add_slashes($admin->StripCodeFromText($admin->get_post('new_password_2'),true));
89

  
90
        if($bMailHasChanged == true)
91
        {
92
            $bPassRequest = $bMailHasChanged;
93
        } else {
94
            $bPassRequest = ( ( $sCurrentPassword != '') || ($sNewPassword != '') || ($sNewPasswordRetyped != '') ) ? true : false;
95
        }
96
        // Check existing password
97
    	$sql  = 'SELECT `password` ';
98
    	$sql .= 'FROM `'.TABLE_PREFIX.'users` ';
99
    	$sql .= 'WHERE `user_id` = '.$admin->get_user_id();
100
    	if ( $bPassRequest && md5($sCurrentPassword) != $database->get_one($sql) ) {
101
    // access denied
102
    		$err_msg[] = $MESSAGE['PREFERENCES_CURRENT_PASSWORD_INCORRECT'];
103
    	} else {
104
    // validate new password
105
    		$sPwHashNew = false;
106
    		if( ($sNewPassword != '') || ($sNewPasswordRetyped != '') ) {
107
    			if(strlen($sNewPassword) < $iMinPassLength) {
108
    				$err_msg[] = $MESSAGE['USERS_PASSWORD_TOO_SHORT'];
109
    			} else {
110
    				if($sNewPassword != $sNewPasswordRetyped) {
111
    					$err_msg[] =  $MESSAGE['USERS_PASSWORD_MISMATCH'];
112
    				} else {
113
    					$pattern = '/[^'.$admin->password_chars.']/';
114
    					if (preg_match($pattern, $sNewPassword)) {
115
    						$err_msg[] = $MESSAGE['PREFERENCES_INVALID_CHARS'];
116
    					} else {
117
    						$sPwHashNew = md5($sNewPassword);
118
    					}
119
    				}
120
    			}
121
    		}
122

  
123
    // if no validation errors, try to update the database, otherwise return errormessages
124
    		if(sizeof($err_msg) == 0)
125
    		{
126
    			$sql  = 'UPDATE `'.TABLE_PREFIX.'users` ';
127
    			$sql .= 'SET `display_name`=\''.$display_name.'\', ';
128
    			if($sPwHashNew) {
129
    				$sql .=     '`password`=\''.$sPwHashNew.'\', ';
130
    			}
131
    			if($email != '') {
132
    				$sql .=     '`email`=\''.$email.'\', ';
133
    			}
134
    			$sql .=     '`language`=\''.$language.'\', ';
135
    			$sql .=     '`timezone`=\''.$timezone.'\', ';
136
    			$sql .=     '`date_format`=\''.$date_format.'\', ';
137
    			$sql .=     '`time_format`=\''.$time_format.'\' ';
138
    			$sql .= 'WHERE `user_id`='.(int)$admin->get_user_id();
139
    			if( $database->query($sql) )
140
    			{
141
    				// update successfull, takeover values into the session
142
    				$_SESSION['DISPLAY_NAME'] = $display_name;
143
    				$_SESSION['LANGUAGE'] = $language;
144
    				$_SESSION['TIMEZONE'] = $timezone;
145
    				$_SESSION['EMAIL'] = $email;
146
    				// Update date format
147
    				if($date_format != '') {
148
    					$_SESSION['DATE_FORMAT'] = $date_format;
149
    					if(isset($_SESSION['USE_DEFAULT_DATE_FORMAT'])) { unset($_SESSION['USE_DEFAULT_DATE_FORMAT']); }
150
    				} else {
151
    					$_SESSION['USE_DEFAULT_DATE_FORMAT'] = true;
152
    					if(isset($_SESSION['DATE_FORMAT'])) { unset($_SESSION['DATE_FORMAT']); }
153
    				}
154
    				// Update time format
155
    				if($time_format != '') {
156
    					$_SESSION['TIME_FORMAT'] = $time_format;
157
    					if(isset($_SESSION['USE_DEFAULT_TIME_FORMAT'])) { unset($_SESSION['USE_DEFAULT_TIME_FORMAT']); }
158
    				} else {
159
    					$_SESSION['USE_DEFAULT_TIME_FORMAT'] = true;
160
    					if(isset($_SESSION['TIME_FORMAT'])) { unset($_SESSION['TIME_FORMAT']); }
161
    				}
162
    			} else {
163
    				$err_msg[] = 'invalid database UPDATE call in '.__FILE__.'::'.__FUNCTION__.'before line '.__LINE__;
164
    			}
165
    		}
166
    	}
167

  
168
    }
169

  
155 170
	return ( (sizeof($err_msg) > 0) ? implode('<br />', $err_msg) : '' );
156 171
}
172

  
173
$config_file = realpath('../../config.php');
174
if(file_exists($config_file) && !defined('WB_URL'))
175
{
176
	require_once($config_file);
177
}
178

  
179
if(!class_exists('admin', false)){ include(WB_PATH.'/framework/class.admin.php'); }
180

  
181
// suppress to print the header, so no new FTAN will be set
182
$admin = new admin('Preferences','start', false);
183

  
157 184
$retval = save_preferences($admin, $database);
158 185
if( $retval == '')
159 186
{
......
161 188
	$admin->print_header();
162 189
	$admin->print_success($MESSAGE['PREFERENCES_DETAILS_SAVED']);
163 190
	$admin->print_footer();
164
}else {
191
} else {
165 192
	// print the header
166 193
	$admin->print_header();
167 194
	$admin->print_error($retval);
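Review bot: Lines 86-88 now pass the three password fields through `StripCodeFromText` and `add_slashes` before they are hashed at lines 100 and 117, so the md5 compared against the stored hash and the one written back are computed on a transformed string; any password containing a quote, a backslash or whatever `StripCodeFromText` removes will no longer verify unless the login path applies the identical transformation (not visible here), and a new password set through this form is stored with the escaping baked in. The passwords are never interpolated into SQL in this function (only the hash is), so the escaping buys nothing; I would read them raw, `$sCurrentPassword = (string)$admin->get_post('current_password');` and likewise for `new_password_1`/`new_password_2`, and let the existing `$admin->password_chars` check reject disallowed characters. The `$bPassRequest` logic also means a display-name change no longer requires the current password, which is a deliberate relaxation worth stating in a comment above line 90. The unsalted `md5` hashing is pre-existing and this revision does not address it; a salted hash and a constant-time comparison would be the follow-up.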
branches/2.8.x/wb/framework/SecureForm.mtab.php
369 369
	}
370 370

  
371 371
 	private function _timedout( $var ) {
372
        if(!isset($var['time'])) { return false; }
372 373
		if ($var['time'] < time()-$this->_timeout) return false;
373 374
		return true;
374 375
	}
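Review bot: The new guard at line 372 lacks a comment stating its intent, and it needs one because `_timedout` returns `true` while the entry is still within `_timeout` and `false` once it has expired, the opposite of what its name suggests, so a missing timestamp now maps to "rejected". That fail-closed choice is the right one, but it should be explicit so the next edit does not "fix" it: `// no timestamp recorded: treat the entry as expired (fail closed)` above the isset, plus a short docblock on the method, `/** @return bool true while the entry is still inside _timeout, false once expired or when no timestamp was stored */`.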
branches/2.8.x/wb/modules/form/htt/submessage.htt
13 13
        </tr>
14 14
    </thead>
15 15
    <tbody class="frm-tbody">
16
        <tr class="frm-warning">
17
        	<td colspan="2"><p class="{NIX_HIER}">{SUCCESS_PRINT}</p></td>
16
        <tr class="frm-warning {NIX_HIER}">
17
        	<td colspan="2"><p>{SUCCESS_PRINT}</p></td>
18 18
        </tr>
19 19

  
20 20
        <tr class="frm-submission_submission_id">
......
26 26
        	<td>{submission_submitted_when}</td>
27 27
        </tr>
28 28
        <tr class="frm-user_display_name">
29
        	<td>{TEXT_USER}:</td>
29
        	<td>{TEXT_USER} ({TEXT_USERNAME}):</td>
30 30
        	<td>{user_display_name} ({user_username})</td>
31 31
        </tr>
32 32
        <tr class="frm-hr">
branches/2.8.x/wb/modules/form/view.php
344 344
						 $mail_replyto = $success_email_to = htmlspecialchars($wb->add_slashes($_POST[$success_email_to]));
345 345
					}
346 346
					$success_email_to = '';
347
					$email_fromname = $TEXT['UNKNOWN'];
347
					$email_fromname = $TEXT['GUEST'];
348 348
//					$success_email_fromname = $TEXT['UNKNOWN'];
349 349
//					$email_from = $TEXT['UNKNOWN'];
350 350
				}
......
649 649
					'submission_submitted_when' => gmdate( DATE_FORMAT .', '.TIME_FORMAT, $submission['submitted_when']+TIMEZONE ),
650 650
					'NIX_HIER' => $NixHier,
651 651
					'TEXT_USER' => $TEXT['USER'],
652
					'TEXT_USERNAME' => $TEXT['USERNAME'],
652 653
					'TEXT_PRINT_PAGE' => $TEXT['PRINT_PAGE'],
653 654
					'TEXT_REQUIRED_JS' => $TEXT['REQUIRED_JS'],
654 655
					'user_display_name' => $user['display_name'],
branches/2.8.x/wb/modules/form/languages/NL.php
58 58
$MOD_FORM['SPAM'] = 'Caution! Answering an unchecked email can be perceived as spamming and entail the risk of receiving a cease-and-desist letter! ';
59 59

  
60 60
$TEXT['GUEST'] = 'Guest';
61
$TEXT['UNKNOWN'] = 'unkown';
61 62
$TEXT['PRINT_PAGE'] = 'Print page';
62 63
$TEXT['REQUIRED_JS'] = 'Required Javascript';
63 64
$TEXT['SUBMISSIONS_PERPAGE'] = 'Show submissions rows per page';
64
$TEXT['UNKNOWN'] = 'Unknown';
branches/2.8.x/wb/modules/form/languages/NO.php
58 58
$MOD_FORM['SPAM'] = 'Caution! Answering an unchecked email can be perceived as spamming and entail the risk of receiving a cease-and-desist letter! ';
59 59

  
60 60
$TEXT['GUEST'] = 'Guest';
61
$TEXT['UNKNOWN'] = 'unkown';
61 62
$TEXT['PRINT_PAGE'] = 'Print page';
62 63
$TEXT['REQUIRED_JS'] = 'Required Javascript';
63 64
$TEXT['SUBMISSIONS_PERPAGE'] = 'Show submissions rows per page';
64
$TEXT['UNKNOWN'] = 'Unknown';
branches/2.8.x/wb/modules/form/languages/EN.php
58 58
$MOD_FORM['SPAM'] = 'Caution! Answering an unchecked email can be perceived as spamming and entail the risk of receiving a cease-and-desist letter! ';
59 59

  
60 60
$TEXT['GUEST'] = 'Guest';
61
$TEXT['UNKNOWN'] = 'unkown';
61 62
$TEXT['PRINT_PAGE'] = 'Print page';
62 63
$TEXT['REQUIRED_JS'] = 'Required Javascript';
63 64
$TEXT['SUBMISSIONS_PERPAGE'] = 'Show submissions rows per page';
64
$TEXT['UNKNOWN'] = 'Unknown';
branches/2.8.x/wb/modules/form/languages/DA.php
58 58
$MOD_FORM['SPAM'] = 'Caution! Answering an unchecked email can be perceived as spamming and entail the risk of receiving a cease-and-desist letter! ';
59 59

  
60 60
$TEXT['GUEST'] = 'Guest';
61
$TEXT['UNKNOWN'] = 'unkown';
61 62
$TEXT['PRINT_PAGE'] = 'Print page';
62 63
$TEXT['REQUIRED_JS'] = 'Required Javascript';
63 64
$TEXT['SUBMISSIONS_PERPAGE'] = 'Show submissions rows per page';
64
$TEXT['UNKNOWN'] = 'Unknown';
branches/2.8.x/wb/modules/form/languages/RU.php
57 57
$MOD_FORM['SPAM'] = 'Caution! Answering an unchecked email can be perceived as spamming and entail the risk of receiving a cease-and-desist letter! ';
58 58

  
59 59
$TEXT['GUEST'] = 'Guest';
60
$TEXT['UNKNOWN'] = 'unkown';
60 61
$TEXT['PRINT_PAGE'] = 'Print page';
61 62
$TEXT['REQUIRED_JS'] = 'Required Javascript';
62 63
$TEXT['SUBMISSIONS_PERPAGE'] = 'Show submissions rows per page';
63
$TEXT['UNKNOWN'] = 'Unknown';
branches/2.8.x/wb/modules/form/languages/FR.php
58 58
$MOD_FORM['SPAM'] = 'Caution! Answering an unchecked email can be perceived as spamming and entail the risk of receiving a cease-and-desist letter! ';
59 59

  
60 60
$TEXT['GUEST'] = 'Guest';
61
$TEXT['UNKNOWN'] = 'unkown';
61 62
$TEXT['PRINT_PAGE'] = 'Print page';
62 63
$TEXT['REQUIRED_JS'] = 'Required Javascript';
63 64
$TEXT['SUBMISSIONS_PERPAGE'] = 'Show submissions rows per page';
64
$TEXT['UNKNOWN'] = 'Unknown';
branches/2.8.x/wb/modules/form/languages/DE.php
15 15
 * @description
16 16
 */
17 17

  
18
// Must include code to stop this file being accessed directly
18
// Must include code to stop this file being access directly
19 19
if(!defined('WB_URL')) {
20 20
	require_once(dirname(dirname(dirname(dirname(__FILE__)))).'/framework/globalExceptionHandler.php');
21
	// Stop this file being access directly
21
	throw new IllegalFileException();
22 22
}
23 23
/* -------------------------------------------------------- */
24 24

  
......
59 59
$MOD_FORM['SPAM'] = 'ACHTUNG! Beantworten einer ungeprüften E-Mail kann als Spam abgemahnt werden! ';
60 60

  
61 61
$TEXT['GUEST'] = 'Gast';
62
$TEXT['UNKNOWN'] = 'unbekannt';
62 63
$TEXT['PRINT_PAGE'] = 'Seite drucken';
63 64
$TEXT['REQUIRED_JS'] = 'Javascript erforderlich';
64 65
$TEXT['SUBMISSIONS_PERPAGE'] = 'Anzeige gespeicherte Einträge pro Seite';
65
$TEXT['UNKNOWN'] = 'Unbekannt';
branches/2.8.x/wb/modules/form/view_submission.php
19 19

  
20 20
// Include WB admin wrapper script
21 21
require(WB_PATH.'/modules/admin.php');
22
// load module language file
23
$lang = (dirname(__FILE__)) . '/languages/' . LANGUAGE . '.php';
24
require_once(!file_exists($lang) ? (dirname(__FILE__)) . '/languages/EN.php' : $lang );
22 25
/* */
26

  
23 27
include_once (WB_PATH.'/framework/functions.php');
28

  
24 29
// Get page
25 30
$requestMethod = '_'.strtoupper($_SERVER['REQUEST_METHOD']);
26 31
$page = intval(isset(${$requestMethod}['page'])) ? ${$requestMethod}['page'] : 1;
......
49 54
	if($get_user->numRows() != 0) {
50 55
		$user = $get_user->fetchRow(MYSQL_ASSOC);
51 56
	} else {
52
		$user['display_name'] = 'Unknown';
53
		$user['username'] = 'unknown';
57
		$user['display_name'] = $TEXT['GUEST'];
58
		$user['username'] = $TEXT['UNKNOWN'];
54 59
	}
55 60
}
56 61
//$sec_anchor = (defined( 'SEC_ANCHOR' ) && ( SEC_ANCHOR != '' )  ? '#'.SEC_ANCHOR.$section['section_id'] : '' );
......
66 71
	<td><?php echo gmdate(DATE_FORMAT .', '.TIME_FORMAT, $submission['submitted_when']+TIMEZONE); ?></td>
67 72
</tr>
68 73
<tr>
69
	<td><?php echo $TEXT['USER']; ?>:</td>
74
	<td><?php echo $TEXT['USER'].' ('.$TEXT['USERNAME'].')'; ?>:</td>
70 75
	<td><?php echo $user['display_name'].' ('.$user['username'].')'; ?></td>
71 76
</tr>
72 77
<tr>
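Review bot: Line 23 builds a `require_once` path from the `LANGUAGE` constant, so the include is only as safe as that constant's value; the preferences form in this revision restricts a user's own choice to `/^[A-Z]{2}$/`, but other sources of `LANGUAGE` are not visible here, so I would guard the path at the point of use, `$lang = dirname(__FILE__).'/languages/'.(preg_match('/^[A-Z]{2}$/', LANGUAGE) ? LANGUAGE : 'EN').'.php';`, which also makes the `file_exists` fallback cover bad values rather than only missing files. The user row echoed at line 75 (`display_name`, `username`) is still written into HTML without `htmlspecialchars`, as it was before this change. The surrounding statement run continues beyond the hunk.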
