Revision 1804
Added by Luisehahne almost 13 years ago
| save.php | ||
|---|---|---|
| 15 | 15 |
* |
| 16 | 16 |
*/ |
| 17 | 17 |
|
| 18 |
|
|
| 19 |
// Print admin header |
|
| 20 |
require('../../config.php');
|
|
| 21 |
require_once(WB_PATH.'/framework/class.admin.php'); |
|
| 22 |
// suppress to print the header, so no new FTAN will be set |
|
| 23 |
$admin = new admin('Preferences','start', false);
|
|
| 24 |
|
|
| 25 | 18 |
function save_preferences( &$admin, &$database) |
| 26 | 19 |
{
|
| 27 | 20 |
global $MESSAGE; |
| 28 | 21 |
$err_msg = array(); |
| 29 | 22 |
$iMinPassLength = 6; |
| 23 |
$bPassRequest = false; |
|
| 24 |
$bMailHasChanged = false; |
|
| 30 | 25 |
// first check form-tan |
| 31 |
if(!$admin->checkFTAN()){ $err_msg[] = $MESSAGE['GENERIC_SECURITY_ACCESS']; }
|
|
| 26 |
if(!$admin->checkFTAN()){
|
|
| 27 |
$err_msg[] = $MESSAGE['GENERIC_SECURITY_ACCESS']; |
|
| 28 |
} else {
|
|
| 32 | 29 |
// Get entered values and validate all |
| 33 | 30 |
// remove any dangerouse chars from display_name |
| 34 |
$display_name = $admin->add_slashes(strip_tags(trim($admin->get_post('display_name'))));
|
|
| 35 |
$display_name = ( $display_name == '' ? $admin->get_display_name() : $display_name );
|
|
| 36 |
// check that display_name is unique in whoole system (prevents from User-faking)
|
|
| 37 |
$sql = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` '; |
|
| 38 |
$sql .= 'WHERE `user_id` <> '.(int)$admin->get_user_id().' AND `display_name` LIKE "'.$display_name.'"'; |
|
| 39 |
if( $database->get_one($sql) > 0 ){ $err_msg[] = $MESSAGE['USERS_USERNAME_TAKEN']; }
|
|
| 31 |
$display_name = $admin->add_slashes(strip_tags($admin->StripCodeFromText($admin->get_post('display_name'),true)));
|
|
| 32 |
$display_name = ( $display_name == '' ? $admin->get_display_name() : $display_name );
|
|
| 33 |
// check that display_name is unique in whoole system (prevents from User-faking) |
|
| 34 |
$sql = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` ';
|
|
| 35 |
$sql .= 'WHERE `user_id` <> '.(int)$admin->get_user_id().' AND `display_name` LIKE "'.$display_name.'"';
|
|
| 36 |
if( $database->get_one($sql) > 0 ){ $err_msg[] = $MESSAGE['USERS_USERNAME_TAKEN']; }
|
|
| 40 | 37 |
// language must be 2 upercase letters only |
| 41 |
$language = strtoupper($admin->get_post('language'));
|
|
| 42 |
$language = (preg_match('/^[A-Z]{2}$/', $language) ? $language : DEFAULT_LANGUAGE);
|
|
| 38 |
$language = strtoupper($admin->get_post('language'));
|
|
| 39 |
$language = (preg_match('/^[A-Z]{2}$/', $language) ? $language : DEFAULT_LANGUAGE);
|
|
| 43 | 40 |
// timezone must be between -12 and +13 or -20 as system_default |
| 44 |
$timezone = $admin->get_post('timezone');
|
|
| 45 |
$timezone = (is_numeric($timezone) ? $timezone : -20); |
|
| 46 |
$timezone = ( ($timezone >= -12 && $timezone <= 13) ? $timezone : -20 ) * 3600; |
|
| 41 |
$timezone = $admin->get_post('timezone');
|
|
| 42 |
$timezone = (is_numeric($timezone) ? $timezone : -20);
|
|
| 43 |
$timezone = ( ($timezone >= -12 && $timezone <= 13) ? $timezone : -20 ) * 3600;
|
|
| 47 | 44 |
// date_format must be a key from /interface/date_formats |
| 48 |
$date_format = $admin->get_post('date_format');
|
|
| 49 |
$date_format_key = str_replace(' ', '|', $date_format);
|
|
| 50 |
$user_time = true; |
|
| 51 |
include( ADMIN_PATH.'/interface/date_formats.php' ); |
|
| 52 |
$date_format = (array_key_exists($date_format_key, $DATE_FORMATS) ? $date_format : 'system_default'); |
|
| 53 |
$date_format = ($date_format == 'system_default' ? '' : $date_format); |
|
| 54 |
unset($DATE_FORMATS); |
|
| 45 |
$date_format = $admin->get_post('date_format');
|
|
| 46 |
$date_format_key = str_replace(' ', '|', $date_format);
|
|
| 47 |
$user_time = true;
|
|
| 48 |
include( ADMIN_PATH.'/interface/date_formats.php' );
|
|
| 49 |
$date_format = (array_key_exists($date_format_key, $DATE_FORMATS) ? $date_format : 'system_default');
|
|
| 50 |
$date_format = ($date_format == 'system_default' ? '' : $date_format);
|
|
| 51 |
unset($DATE_FORMATS);
|
|
| 55 | 52 |
// time_format must be a key from /interface/time_formats |
| 56 |
$time_format = $admin->get_post('time_format');
|
|
| 57 |
$time_format_key = str_replace(' ', '|', $time_format);
|
|
| 58 |
$user_time = true; |
|
| 59 |
include( ADMIN_PATH.'/interface/time_formats.php' ); |
|
| 60 |
$time_format = (array_key_exists($time_format_key, $TIME_FORMATS) ? $time_format : 'system_default'); |
|
| 61 |
$time_format = ($time_format == 'system_default' ? '' : $time_format); |
|
| 62 |
unset($TIME_FORMATS); |
|
| 53 |
$time_format = $admin->get_post('time_format');
|
|
| 54 |
$time_format_key = str_replace(' ', '|', $time_format);
|
|
| 55 |
$user_time = true;
|
|
| 56 |
include( ADMIN_PATH.'/interface/time_formats.php' );
|
|
| 57 |
$time_format = (array_key_exists($time_format_key, $TIME_FORMATS) ? $time_format : 'system_default');
|
|
| 58 |
$time_format = ($time_format == 'system_default' ? '' : $time_format);
|
|
| 59 |
unset($TIME_FORMATS);
|
|
| 63 | 60 |
// email should be validatet by core |
| 64 |
$email = trim( $admin->get_post('email') == null ? '' : $admin->get_post('email') );
|
|
| 65 |
if( !$admin->validate_email($email) ) |
|
| 66 |
{
|
|
| 67 |
$email = ''; |
|
| 68 |
$err_msg[] = $MESSAGE['USERS_INVALID_EMAIL']; |
|
| 69 |
}else {
|
|
| 70 |
if($email != '') {
|
|
| 71 |
// check that email is unique in whoole system |
|
| 72 |
$email = $admin->add_slashes($email); |
|
| 73 |
$sql = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` '; |
|
| 74 |
$sql .= 'WHERE `user_id` <> '.(int)$admin->get_user_id().' AND `email` LIKE "'.$email.'"'; |
|
| 75 |
if( $database->get_one($sql) > 0 ){ $err_msg[] = $MESSAGE['USERS_EMAIL_TAKEN']; }
|
|
| 76 |
} |
|
| 77 |
} |
|
| 61 |
|
|
| 62 |
// $email = trim( $admin->get_post('email') == null ? '' : $admin->get_post('email') );
|
|
| 63 |
$email = $admin->add_slashes(strip_tags($admin->StripCodeFromText($admin->get_post('email'),true)));
|
|
| 64 |
if( !$admin->validate_email($email) ) |
|
| 65 |
{
|
|
| 66 |
$email = ''; |
|
| 67 |
$err_msg[] = $MESSAGE['USERS_INVALID_EMAIL']; |
|
| 68 |
} else {
|
|
| 69 |
if($email != '') {
|
|
| 70 |
// check that email is unique in whoole system |
|
| 71 |
$sql = 'SELECT `email` FROM `'.TABLE_PREFIX.'users` '; |
|
| 72 |
$sql .= 'WHERE `user_id` = '.(int)$admin->get_user_id().' AND `email` LIKE "'.$email.'"'; |
|
| 73 |
$IsOldMail = $database->get_one($sql); |
|
| 74 |
// check that email is unique in whoole system |
|
| 75 |
$email = $admin->add_slashes($email); |
|
| 76 |
$sql = 'SELECT `email` FROM `'.TABLE_PREFIX.'users` '; |
|
| 77 |
$sql .= 'WHERE `user_id` <> '.(int)$admin->get_user_id().' AND `email` LIKE "'.$email.'"'; |
|
| 78 |
$checkMail = $database->get_one($sql); |
|
| 79 |
|
|
| 80 |
if( $checkMail == $email ){ $err_msg[] = $MESSAGE['USERS_EMAIL_TAKEN']; }
|
|
| 81 |
$bMailHasChanged = ($email != $IsOldMail); |
|
| 82 |
} |
|
| 83 |
} |
|
| 84 |
|
|
| 78 | 85 |
// receive password vars and calculate needed action |
| 79 |
$sCurrentPassword = $admin->get_post('current_password');
|
|
| 80 |
$sCurrentPassword = (is_null($sCurrentPassword) ? '' : $sCurrentPassword); |
|
| 81 |
$sNewPassword = $admin->get_post('new_password_1');
|
|
| 82 |
$sNewPassword = (is_null($sNewPassword) ? '' : $sNewPassword); |
|
| 83 |
$sNewPasswordRetyped = $admin->get_post('new_password_2');
|
|
| 84 |
$sNewPasswordRetyped= (is_null($sNewPasswordRetyped) ? '' : $sNewPasswordRetyped); |
|
| 85 |
// Check existing password |
|
| 86 |
$sql = 'SELECT `password` '; |
|
| 87 |
$sql .= 'FROM `'.TABLE_PREFIX.'users` '; |
|
| 88 |
$sql .= 'WHERE `user_id` = '.$admin->get_user_id(); |
|
| 89 |
if (md5($sCurrentPassword) != $database->get_one($sql)) {
|
|
| 90 |
// access denied |
|
| 91 |
$err_msg[] = $MESSAGE['PREFERENCES_CURRENT_PASSWORD_INCORRECT']; |
|
| 92 |
}else {
|
|
| 93 |
// validate new password |
|
| 94 |
$sPwHashNew = false; |
|
| 95 |
if($sNewPassword != '') {
|
|
| 96 |
if(strlen($sNewPassword) < $iMinPassLength) {
|
|
| 97 |
$err_msg[] = $MESSAGE['USERS_PASSWORD_TOO_SHORT']; |
|
| 98 |
}else {
|
|
| 99 |
if($sNewPassword != $sNewPasswordRetyped) {
|
|
| 100 |
$err_msg[] = $MESSAGE['USERS_PASSWORD_MISMATCH']; |
|
| 101 |
}else {
|
|
| 102 |
$pattern = '/[^'.$admin->password_chars.']/'; |
|
| 103 |
if (preg_match($pattern, $sNewPassword)) {
|
|
| 104 |
$err_msg[] = $MESSAGE['PREFERENCES_INVALID_CHARS']; |
|
| 105 |
}else {
|
|
| 106 |
$sPwHashNew = md5($sNewPassword); |
|
| 107 |
} |
|
| 108 |
} |
|
| 109 |
} |
|
| 110 |
} |
|
| 111 |
// if no validation errors, try to update the database, otherwise return errormessages |
|
| 112 |
if(sizeof($err_msg) == 0) |
|
| 113 |
{
|
|
| 114 |
$sql = 'UPDATE `'.TABLE_PREFIX.'users` '; |
|
| 115 |
$sql .= 'SET `display_name`=\''.$display_name.'\', '; |
|
| 116 |
if($sPwHashNew) {
|
|
| 117 |
$sql .= '`password`=\''.$sPwHashNew.'\', '; |
|
| 118 |
} |
|
| 119 |
if($email != '') {
|
|
| 120 |
$sql .= '`email`=\''.$email.'\', '; |
|
| 121 |
} |
|
| 122 |
$sql .= '`language`=\''.$language.'\', '; |
|
| 123 |
$sql .= '`timezone`=\''.$timezone.'\', '; |
|
| 124 |
$sql .= '`date_format`=\''.$date_format.'\', '; |
|
| 125 |
$sql .= '`time_format`=\''.$time_format.'\' '; |
|
| 126 |
$sql .= 'WHERE `user_id`='.(int)$admin->get_user_id(); |
|
| 127 |
if( $database->query($sql) ) |
|
| 128 |
{
|
|
| 129 |
// update successfull, takeover values into the session |
|
| 130 |
$_SESSION['DISPLAY_NAME'] = $display_name; |
|
| 131 |
$_SESSION['LANGUAGE'] = $language; |
|
| 132 |
$_SESSION['TIMEZONE'] = $timezone; |
|
| 133 |
$_SESSION['EMAIL'] = $email; |
|
| 134 |
// Update date format |
|
| 135 |
if($date_format != '') {
|
|
| 136 |
$_SESSION['DATE_FORMAT'] = $date_format; |
|
| 137 |
if(isset($_SESSION['USE_DEFAULT_DATE_FORMAT'])) { unset($_SESSION['USE_DEFAULT_DATE_FORMAT']); }
|
|
| 138 |
} else {
|
|
| 139 |
$_SESSION['USE_DEFAULT_DATE_FORMAT'] = true; |
|
| 140 |
if(isset($_SESSION['DATE_FORMAT'])) { unset($_SESSION['DATE_FORMAT']); }
|
|
| 141 |
} |
|
| 142 |
// Update time format |
|
| 143 |
if($time_format != '') {
|
|
| 144 |
$_SESSION['TIME_FORMAT'] = $time_format; |
|
| 145 |
if(isset($_SESSION['USE_DEFAULT_TIME_FORMAT'])) { unset($_SESSION['USE_DEFAULT_TIME_FORMAT']); }
|
|
| 146 |
} else {
|
|
| 147 |
$_SESSION['USE_DEFAULT_TIME_FORMAT'] = true; |
|
| 148 |
if(isset($_SESSION['TIME_FORMAT'])) { unset($_SESSION['TIME_FORMAT']); }
|
|
| 149 |
} |
|
| 150 |
}else {
|
|
| 151 |
$err_msg[] = 'invalid database UPDATE call in '.__FILE__.'::'.__FUNCTION__.'before line '.__LINE__; |
|
| 152 |
} |
|
| 153 |
} |
|
| 154 |
} |
|
| 86 |
$sCurrentPassword = $admin->add_slashes($admin->StripCodeFromText($admin->get_post('current_password'),true));
|
|
| 87 |
$sNewPassword = $admin->add_slashes($admin->StripCodeFromText($admin->get_post('new_password_1'),true));
|
|
| 88 |
$sNewPasswordRetyped = $admin->add_slashes($admin->StripCodeFromText($admin->get_post('new_password_2'),true));
|
|
| 89 |
|
|
| 90 |
if($bMailHasChanged == true) |
|
| 91 |
{
|
|
| 92 |
$bPassRequest = $bMailHasChanged; |
|
| 93 |
} else {
|
|
| 94 |
$bPassRequest = ( ( $sCurrentPassword != '') || ($sNewPassword != '') || ($sNewPasswordRetyped != '') ) ? true : false; |
|
| 95 |
} |
|
| 96 |
// Check existing password |
|
| 97 |
$sql = 'SELECT `password` '; |
|
| 98 |
$sql .= 'FROM `'.TABLE_PREFIX.'users` '; |
|
| 99 |
$sql .= 'WHERE `user_id` = '.$admin->get_user_id(); |
|
| 100 |
if ( $bPassRequest && md5($sCurrentPassword) != $database->get_one($sql) ) {
|
|
| 101 |
// access denied |
|
| 102 |
$err_msg[] = $MESSAGE['PREFERENCES_CURRENT_PASSWORD_INCORRECT']; |
|
| 103 |
} else {
|
|
| 104 |
// validate new password |
|
| 105 |
$sPwHashNew = false; |
|
| 106 |
if( ($sNewPassword != '') || ($sNewPasswordRetyped != '') ) {
|
|
| 107 |
if(strlen($sNewPassword) < $iMinPassLength) {
|
|
| 108 |
$err_msg[] = $MESSAGE['USERS_PASSWORD_TOO_SHORT']; |
|
| 109 |
} else {
|
|
| 110 |
if($sNewPassword != $sNewPasswordRetyped) {
|
|
| 111 |
$err_msg[] = $MESSAGE['USERS_PASSWORD_MISMATCH']; |
|
| 112 |
} else {
|
|
| 113 |
$pattern = '/[^'.$admin->password_chars.']/'; |
|
| 114 |
if (preg_match($pattern, $sNewPassword)) {
|
|
| 115 |
$err_msg[] = $MESSAGE['PREFERENCES_INVALID_CHARS']; |
|
| 116 |
} else {
|
|
| 117 |
$sPwHashNew = md5($sNewPassword); |
|
| 118 |
} |
|
| 119 |
} |
|
| 120 |
} |
|
| 121 |
} |
|
| 122 |
|
|
| 123 |
// if no validation errors, try to update the database, otherwise return errormessages |
|
| 124 |
if(sizeof($err_msg) == 0) |
|
| 125 |
{
|
|
| 126 |
$sql = 'UPDATE `'.TABLE_PREFIX.'users` '; |
|
| 127 |
$sql .= 'SET `display_name`=\''.$display_name.'\', '; |
|
| 128 |
if($sPwHashNew) {
|
|
| 129 |
$sql .= '`password`=\''.$sPwHashNew.'\', '; |
|
| 130 |
} |
|
| 131 |
if($email != '') {
|
|
| 132 |
$sql .= '`email`=\''.$email.'\', '; |
|
| 133 |
} |
|
| 134 |
$sql .= '`language`=\''.$language.'\', '; |
|
| 135 |
$sql .= '`timezone`=\''.$timezone.'\', '; |
|
| 136 |
$sql .= '`date_format`=\''.$date_format.'\', '; |
|
| 137 |
$sql .= '`time_format`=\''.$time_format.'\' '; |
|
| 138 |
$sql .= 'WHERE `user_id`='.(int)$admin->get_user_id(); |
|
| 139 |
if( $database->query($sql) ) |
|
| 140 |
{
|
|
| 141 |
// update successfull, takeover values into the session |
|
| 142 |
$_SESSION['DISPLAY_NAME'] = $display_name; |
|
| 143 |
$_SESSION['LANGUAGE'] = $language; |
|
| 144 |
$_SESSION['TIMEZONE'] = $timezone; |
|
| 145 |
$_SESSION['EMAIL'] = $email; |
|
| 146 |
// Update date format |
|
| 147 |
if($date_format != '') {
|
|
| 148 |
$_SESSION['DATE_FORMAT'] = $date_format; |
|
| 149 |
if(isset($_SESSION['USE_DEFAULT_DATE_FORMAT'])) { unset($_SESSION['USE_DEFAULT_DATE_FORMAT']); }
|
|
| 150 |
} else {
|
|
| 151 |
$_SESSION['USE_DEFAULT_DATE_FORMAT'] = true; |
|
| 152 |
if(isset($_SESSION['DATE_FORMAT'])) { unset($_SESSION['DATE_FORMAT']); }
|
|
| 153 |
} |
|
| 154 |
// Update time format |
|
| 155 |
if($time_format != '') {
|
|
| 156 |
$_SESSION['TIME_FORMAT'] = $time_format; |
|
| 157 |
if(isset($_SESSION['USE_DEFAULT_TIME_FORMAT'])) { unset($_SESSION['USE_DEFAULT_TIME_FORMAT']); }
|
|
| 158 |
} else {
|
|
| 159 |
$_SESSION['USE_DEFAULT_TIME_FORMAT'] = true; |
|
| 160 |
if(isset($_SESSION['TIME_FORMAT'])) { unset($_SESSION['TIME_FORMAT']); }
|
|
| 161 |
} |
|
| 162 |
} else {
|
|
| 163 |
$err_msg[] = 'invalid database UPDATE call in '.__FILE__.'::'.__FUNCTION__.'before line '.__LINE__; |
|
| 164 |
} |
|
| 165 |
} |
|
| 166 |
} |
|
| 167 |
|
|
| 168 |
} |
|
| 169 |
|
|
| 155 | 170 |
return ( (sizeof($err_msg) > 0) ? implode('<br />', $err_msg) : '' );
|
| 156 | 171 |
} |
| 172 |
|
|
| 173 |
$config_file = realpath('../../config.php');
|
|
| 174 |
if(file_exists($config_file) && !defined('WB_URL'))
|
|
| 175 |
{
|
|
| 176 |
require_once($config_file); |
|
| 177 |
} |
|
| 178 |
|
|
| 179 |
if(!class_exists('admin', false)){ include(WB_PATH.'/framework/class.admin.php'); }
|
|
| 180 |
|
|
| 181 |
// suppress to print the header, so no new FTAN will be set |
|
| 182 |
$admin = new admin('Preferences','start', false);
|
|
| 183 |
|
|
| 157 | 184 |
$retval = save_preferences($admin, $database); |
| 158 | 185 |
if( $retval == '') |
| 159 | 186 |
{
|
| ... | ... | |
| 161 | 188 |
$admin->print_header(); |
| 162 | 189 |
$admin->print_success($MESSAGE['PREFERENCES_DETAILS_SAVED']); |
| 163 | 190 |
$admin->print_footer(); |
| 164 |
}else {
|
|
| 191 |
} else {
|
|
| 165 | 192 |
// print the header |
| 166 | 193 |
$admin->print_header(); |
| 167 | 194 |
$admin->print_error($retval); |
Also available in: Unified diff
! add delete Outdated Confirmations in backend
! show waiting Activations if exists in user management
! security fixes in admin/preferences/
! update form modul, change text "unknown#" to "Guest"
in view_submission and emailheader email_fromname