Project

General

Profile

« Previous | Next » 

Revision 1815

Added by Dietmar over 11 years ago

! Complex code refactoring users management

View differences:

save.php
15 15 
 *
16 16 
 */
17 17 

  		




  18
  
  
    
$config_file = realpath('../../config.php');


  		




  19
  
  
    
if(file_exists($config_file) && !defined('WB_URL'))


  		




  20
  
  
    
{


  		




  21
  
  
    
	require_once($config_file);


  		




  
  18
  
    
/* -------------------------------------------------------- */


  		




  
  19
  
    
// Must include code to stop this file being accessed directly


  		




  
  20
  
    
if(!defined('WB_URL')) {


  		




  
  21
  
    
	require_once(dirname(dirname(dirname(__FILE__))).'/framework/globalExceptionHandler.php');


  		




  
  22
  
    
	throw new IllegalFileException();


  		




  22
  23
  
    
}


  		




  
  24
  
    
/* -------------------------------------------------------- */


  		




  23
  25
  
    

  		




  24
  
  
    
if(!class_exists('admin', false)){ include(WB_PATH.'/framework/class.admin.php'); }


  		




  
  26
  
    
	function save_user($admin, &$aActionRequest)


  		




  
  27
  
    
	{


  		




  
  28
  
    
		global $TEXT, $MESSAGE;


  		




  
  29
  
    
        // Create a javascript back link


  		




  
  30
  
    
//        $js_back = ADMIN_URL.'/users/index.php';


  		




  
  31
  
    
        unset($aActionRequest['save']);


  		




  
  32
  
    
        $aActionRequest['modify']= 'change';


  		




  
  33
  
    
		$database = WbDatabase::getInstance();


  		




  
  34
  
    
        $bRetVal = 0;


  		




  
  35
  
    
    	$iMinPassLength = 6;


  		




  25
  36
  
    

  		




  26
  
  
    
// suppress to print the header, so no new FTAN will be set


  		




  27
  
  
    
$admin = new admin('Access', 'users_modify', false);


  		




  
  37
  
    
        if( !$admin->checkFTAN() )


  		




  
  38
  
    
        {


  		




  
  39
  
    
        	msgQueue::add($MESSAGE['GENERIC_SECURITY_ACCESS']);


  		




  
  40
  
    
            return $bRetVal;


  		




  
  41
  
    
        }


  		




  28
  42
  
    

  		




  29
  
  
    
// Create a javascript back link


  		




  30
  
  
    
$js_back = ADMIN_URL.'/users/index.php';


  		




  
  43
  
    
        // Check if user id is a valid number and doesnt equal 1


  		




  
  44
  
    
        if(!isset($aActionRequest['user_id']) OR !is_numeric($aActionRequest['user_id']) OR $aActionRequest['user_id'] == 1) {


  		




  
  45
  
    
        	msgQueue::add('::'.$MESSAGE['GENERIC_NOT_UPGRADED']);


  		




  
  46
  
    
            return $bRetVal;


  		




  
  47
  
    
        } else {


  		




  
  48
  
    
        	$user_id = intval($aActionRequest['user_id']);


  		




  
  49
  
    
        }


  		




  31
  50
  
    

  		




  32
  
  
    
if( !$admin->checkFTAN() )


  		




  33
  
  
    
{


  		




  34
  
  
    
	$admin->print_header();


  		




  35
  
  
    
	$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'],$js_back);


  		




  36
  
  
    
}


  		




  37
  
  
    
// After check print the header


  		




  38
  
  
    
$admin->print_header();


  		




  
  51
  
    
		if( ($user_id < 2 ) )


  		




  
  52
  
    
		{


  		




  
  53
  
    
			// if($admin_header) { $admin->print_header(); }


  		




  
  54
  
    
        	msgQueue::add($MESSAGE['GENERIC_SECURITY_OFFENSE']);


  		




  
  55
  
    
            return $bRetVal;


  		




  
  56
  
    
		}


  		




  
  57
  
    
		// Get existing values


  		




  
  58
  
    
        $sql  = 'SELECT * FROM `'.TABLE_PREFIX.'users` ' ;


  		




  
  59
  
    
        $sql .= 'WHERE user_id = '.$user_id.' ';


  		




  
  60
  
    
        $sql .=   'AND user_id != 1 ';


  		




  39
  61
  
    

  		




  40
  
  
    
// Check if user id is a valid number and doesnt equal 1


  		




  41
  
  
    
if(!isset($_POST['user_id']) OR !is_numeric($_POST['user_id']) OR $_POST['user_id'] == 1) {


  		




  42
  
  
    
	header("Location: index.php");


  		




  43
  
  
    
	exit(0);


  		




  44
  
  
    
} else {


  		




  45
  
  
    
	$user_id = intval($_POST['user_id']);


  		




  46
  
  
    
}


  		




  
  62
  
    
        if($oRes = $database->query($sql)){


  		




  
  63
  
    
            $olduser = $oRes->fetchRow(MYSQL_ASSOC);


  		




  
  64
  
    
        }


  		




  47
  65
  
    

  		




  48
  
  
    
// Gather details entered


  		




  49
  
  
    
$groups_id = (isset($_POST['groups'])) ? implode(",", $admin->add_slashes($_POST['groups'])) : '';


  		




  50
  
  
    
$active = $admin->add_slashes($_POST['active'][0]);


  		




  51
  
  
    
$username_fieldname = $admin->get_post_escaped('username_fieldname');


  		




  52
  
  
    
$username = strtolower($admin->get_post_escaped($username_fieldname));


  		




  53
  
  
    
$password = $admin->get_post('password');


  		




  54
  
  
    
$password2 = $admin->get_post('password2');


  		




  55
  
  
    
$display_name = $admin->get_post_escaped('display_name');


  		




  56
  
  
    
$email = $admin->get_post_escaped('email');


  		




  57
  
  
    
$home_folder = $admin->get_post_escaped('home_folder');


  		




  
  66
  
    
        // Gather details entered


  		




  
  67
  
    
        if($admin->is_group_match($admin->get_groups_id(), '1' )){


  		




  
  68
  
    
            $groups_id = (isset($aActionRequest['groups'])) ? implode(",", $admin->add_slashes($aActionRequest['groups'])) : '';


  		




  
  69
  
    
        } else {


  		




  
  70
  
    
            $groups_id = $olduser['group_id'];


  		




  
  71
  
    
        }


  		




  
  72
  
    
        // there will be an additional ',' when "Please Choose" was selected, too


  		




  
  73
  
    
        $groups_id = trim($groups_id, ',');


  		




  
  74
  
    
        $active = intval(strip_tags($admin->StripCodeFromText($aActionRequest['active'][0])));


  		




  
  75
  
    
        $username_fieldname = strip_tags($admin->StripCodeFromText($aActionRequest['username_fieldname']));


  		




  
  76
  
    
        $username = strtolower(strip_tags($admin->StripCodeFromText($aActionRequest[$username_fieldname])));


  		




  
  77
  
    
        $password = strip_tags($admin->StripCodeFromText($aActionRequest['password']));


  		




  
  78
  
    
        $password2 = strip_tags($admin->StripCodeFromText($aActionRequest['password2']));


  		




  
  79
  
    
        $display_name = strip_tags($admin->StripCodeFromText($aActionRequest['display_name']));


  		




  
  80
  
    
        $email = strip_tags($admin->StripCodeFromText($aActionRequest['email']));


  		




  
  81
  
    
        $home_folder = strip_tags($admin->StripCodeFromText($aActionRequest['home_folder']));


  		




  58
  82
  
    

  		




  59
  
  
    
// Check values


  		




  60
  
  
    
if($groups_id == "") {


  		




  61
  
  
    
	$admin->print_error($MESSAGE['USERS_NO_GROUP'], $js_back);


  		




  62
  
  
    
}


  		




  63
  
  
    
if(!preg_match('/^[a-z]{1}[a-z0-9_-]{2,}$/i', $username))


  		




  64
  
  
    
{


  		




  
  83
  
    
        // Check values


  		




  
  84
  
    
        if($groups_id == "") {


  		




  
  85
  
    
        	msgQueue::add($MESSAGE['USERS_NO_GROUP']);


  		




  
  86
  
    
        } else {


  		




  
  87
  
    
            $aGroups_id = explode(',', $groups_id);


  		




  
  88
  
    
            //if user is in administrator-group, get this group else just get the first one


  		




  
  89
  
    
            if($admin->is_group_match($groups_id,'1')) { $group_id = 1; } else { $group_id = intval($aGroups_id[0]); }


  		




  
  90
  
    
        }


  		




  65
  91
  
    

  		




  66
  
  
    
//	print '<pre style="text-align: left;"><strong>function '.__FUNCTION__.'( '.''.' );</strong>  basename: '.basename(__FILE__).'  line: '.__LINE__.' -> <br />';


  		




  67
  
  
    
//	print_r( $_POST ); print '</pre>';


  		




  68
  
  
    
	$admin->print_error( $MESSAGE['USERS_NAME_INVALID_CHARS'].' / '.


  		




  69
  
  
    
	                  $MESSAGE['USERS_USERNAME_TOO_SHORT'], $js_back);


  		




  70
  
  
    
}


  		




  71
  
  
    
if($password != "") {


  		




  72
  
  
    
	if(strlen($password) < 6 ) {


  		




  73
  
  
    
		$admin->print_error($MESSAGE['USERS_PASSWORD_TOO_SHORT'], $js_back);


  		




  74
  
  
    
	}


  		




  75
  
  
    
	if($password != $password2) {


  		




  76
  
  
    
		$admin->print_error($MESSAGE['USERS_PASSWORD_MISMATCH'], $js_back);


  		




  77
  
  
    
	}


  		




  78
  
  
    
}


  		




  
  92
  
    
//$admin->is_group_match($admin->get_groups_id(), '1' )


  		




  
  93
  
    
        if(!preg_match('/^[a-z]{1}[a-z0-9_-]{2,}$/i', $username))


  		




  
  94
  
    
        {


  		




  
  95
  
    
        	msgQueue::add( $MESSAGE['USERS_NAME_INVALID_CHARS']);


  		




  
  96
  
    
        }


  		




  79
  97
  
    

  		




  80
  
  
    
if($email != "")


  		




  81
  
  
    
{


  		




  82
  
  
    
	if($admin->validate_email($email) == false)


  		




  83
  
  
    
    {


  		




  84
  
  
    
        $admin->print_error($MESSAGE['USERS_INVALID_EMAIL'], $js_back);


  		




  85
  
  
    
	}


  		




  86
  
  
    
} else { // e-mail must be present


  		




  87
  
  
    
	$admin->print_error($MESSAGE['SIGNUP_NO_EMAIL'], $js_back);


  		




  88
  
  
    
}


  		




  
  98
  
    
        if($password != "") {


  		




  
  99
  
    
        	if(strlen($password) < $iMinPassLength ) {


  		




  
  100
  
    
        		msgQueue::add($MESSAGE['USERS_PASSWORD_TOO_SHORT']);


  		




  
  101
  
    
        	}


  		




  89
  102
  
    

  		




  90
  
  
    
// Check if the email already exists


  		




  91
  
  
    
$results = $database->query("SELECT user_id FROM ".TABLE_PREFIX."users WHERE email = '".$admin->add_slashes($_POST['email'])."' AND user_id <> '".$user_id."' ");


  		




  92
  
  
    
if($results->numRows() > 0)


  		




  93
  
  
    
{


  		




  94
  
  
    
	if(isset($MESSAGE['USERS_EMAIL_TAKEN']))


  		




  95
  
  
    
    {


  		




  96
  
  
    
		$admin->print_error($MESSAGE['USERS_EMAIL_TAKEN'], $js_back);


  		




  97
  
  
    
	} else {


  		




  98
  
  
    
		$admin->print_error($MESSAGE['USERS_INVALID_EMAIL'], $js_back);


  		




  99
  
  
    
	}


  		




  100
  
  
    
}


  		




  
  103
  
    
			$pattern = '/[^'.$admin->password_chars.']/';


  		




  
  104
  
    
			if (preg_match($pattern, $password)) {


  		




  
  105
  
    
				msgQueue::add($MESSAGE['PREFERENCES_INVALID_CHARS']);


  		




  
  106
  
    
        	}


  		




  101
  107
  
    

  		




  102
  
  
    
// Prevent from renaming user to "admin"


  		




  103
  
  
    
if($username != 'admin') {


  		




  104
  
  
    
	$username_code = ", username = '$username'";


  		




  105
  
  
    
} else {


  		




  106
  
  
    
	$username_code = '';


  		




  107
  
  
    
}


  		




  
  108
  
    
        	if(($password != $password2) ) {


  		




  
  109
  
    
        		msgQueue::add($MESSAGE['USERS_PASSWORD_MISMATCH']);


  		




  
  110
  
    
        	}


  		




  
  111
  
    
        }


  		




  
  112
  
    
// check that display_name is unique in whoole system (prevents from User-faking)


  		




  
  113
  
    
    	$sql  = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` ';


  		




  
  114
  
    
    	$sql .= 'WHERE `user_id` <> '.(int)$user_id.' AND `display_name` LIKE "'.$display_name.'"';


  		




  
  115
  
    
    	if( $database->get_one($sql) > 0 ){


  		




  
  116
  
    
            msgQueue::add($MESSAGE['USERS_USERNAME_TAKEN'].' ('.$TEXT['DISPLAY_NAME'].')');


  		




  
  117
  
    
            msgQueue::add($MESSAGE['MEDIA_CANNOT_RENAME']);


  		




  
  118
  
    
        }


  		




  
  119
  
    
//


  		




  
  120
  
    
		if( ($admin->get_user_id() != '1' ) )


  		




  
  121
  
    
		{


  		




  
  122
  
    
            if(findStringInFileList($display_name, dirname(__FILE__).'/disallowedNames')) {


  		




  
  123
  
    
                msgQueue::add( $TEXT['ERROR'].' '.$TEXT['DISPLAY_NAME'].' ('.$display_name.')' );


  		




  
  124
  
    
            }


  		




  
  125
  
    
		}


  		




  108
  126
  
    

  		




  109
  
  
    
// Update the database


  		




  110
  
  
    
if($password == "") {


  		




  111
  
  
    
	$query = "UPDATE ".TABLE_PREFIX."users SET groups_id = '$groups_id', active = '$active'$username_code, display_name = '$display_name', home_folder = '$home_folder', email = '$email' WHERE user_id = '$user_id'";


  		




  112
  
  
    
} else {


  		




  113
  
  
    
	// MD5 supplied password


  		




  114
  
  
    
	$md5_password = md5($password);


  		




  115
  
  
    
	$query = "UPDATE ".TABLE_PREFIX."users SET groups_id = '$groups_id', active = '$active'$username_code, display_name = '$display_name', home_folder = '$home_folder', email = '$email', password = '$md5_password' WHERE user_id = '$user_id'";


  		




  116
  
  
    
}


  		




  117
  
  
    
$database->query($query);


  		




  118
  
  
    
if($database->is_error()) {


  		




  119
  
  
    
	$admin->print_error($database->get_error(),$js_back);


  		




  120
  
  
    
} else {


  		




  121
  
  
    
	$admin->print_success($MESSAGE['USERS_SAVED']);


  		




  122
  
  
    
}


  		




  
  127
  
    
    	$display_name = ( $display_name == '' ? $olduser['display_name'] : $display_name );


  		




  123
  128
  
    

  		




  124
  
  
    
// Print admin footer


  		




  125
  
  
    
$admin->print_footer();


  		




  
  129
  
    
        if($email != "")


  		




  
  130
  
    
        {


  		




  
  131
  
    
        	if($admin->validate_email($email) == false)


  		




  
  132
  
    
            {


  		




  
  133
  
    
                msgQueue::add($MESSAGE['USERS_INVALID_EMAIL'].' ('.$email.')');


  		




  
  134
  
    
        	}


  		




  
  135
  
    
        } else { // e-mail must be present


  		




  
  136
  
    
        	msgQueue::add($MESSAGE['SIGNUP_NO_EMAIL']);


  		




  
  137
  
    
        }


  		




  
  138
  
    

  		




  
  139
  
    
		$sql  = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` '.


  		




  
  140
  
    
                'WHERE `email` LIKE \''.$email.'\' '.


  		




  
  141
  
    
                  'AND `user_id` <> '.(int)$user_id;


  		




  
  142
  
    
        // Check if the email already exists


  		




  
  143
  
    
        if( ($iFoundUser = $database->get_one($sql)) != null ) {


  		




  
  144
  
    
            if($iFoundUser) {


  		




  
  145
  
    
            	if(isset($MESSAGE['USERS_EMAIL_TAKEN']))


  		




  
  146
  
    
                {


  		




  
  147
  
    
            		msgQueue::add($MESSAGE['USERS_EMAIL_TAKEN'].' ('.$email.')');


  		




  
  148
  
    
            	} else {


  		




  
  149
  
    
            		msgQueue::add($MESSAGE['USERS_INVALID_EMAIL'].' ('.$email.')');


  		




  
  150
  
    
            	}


  		




  
  151
  
    
            }


  		




  
  152
  
    
        }


  		




  
  153
  
    

  		




  
  154
  
    
        $bRetVal = $user_id;


  		




  
  155
  
    

  		




  
  156
  
    
// no error then save


  		




  
  157
  
    
        if( !msgQueue::getError() )


  		




  
  158
  
    
        {


  		




  
  159
  
    
            if($admin->is_group_match($groups_id,'1')) { $group_id = 1; $groups_id = '1'; }


  		




  
  160
  
    
          // Prevent from renaming user to "admin"


  		




  
  161
  
    
            if($username != 'admin') {


  		




  
  162
  
    
            	$username_code = ", username = '$username'";


  		




  
  163
  
    
            } else {


  		




  
  164
  
    
            	$username_code = '';


  		




  
  165
  
    
            }


  		




  
  166
  
    

  		




  
  167
  
    
			$sql  = 'UPDATE `'.TABLE_PREFIX.'users` SET ';


  		




  
  168
  
    
            // Update the database


  		




  
  169
  
    
            if($password == "") {


  		




  
  170
  
    
                $sql .= '`group_id`     = '.intval($group_id).', '.


  		




  
  171
  
    
                        '`groups_id`    = \''.mysql_real_escape_string($groups_id).'\', '.


  		




  
  172
  
    
                        '`username` = \''.mysql_real_escape_string($username).'\', '.


  		




  
  173
  
    
                        '`active` = '.intval($active).', '.


  		




  
  174
  
    
                        '`display_name` = \''.mysql_real_escape_string($display_name).'\', '.


  		




  
  175
  
    
                        '`home_folder` = \''.mysql_real_escape_string($home_folder).'\', '.


  		




  
  176
  
    
                        '`email` = \''.mysql_real_escape_string($email).'\' '.


  		




  
  177
  
    
                        'WHERE `user_id` = '.intval($user_id).'';


  		




  
  178
  
    

  		




  
  179
  
    
            } else {


  		




  
  180
  
    

  		




  
  181
  
    
                $sql .= '`group_id`     = '.intval($group_id).', '.


  		




  
  182
  
    
                        '`groups_id`    = \''.mysql_real_escape_string($groups_id).'\', '.


  		




  
  183
  
    
                        '`username` = \''.mysql_real_escape_string($username).'\', '.


  		




  
  184
  
    
                        '`password` = \''.md5($password).'\', '.


  		




  
  185
  
    
                        '`active` = '.intval($active).', '.


  		




  
  186
  
    
                        '`display_name` = \''.mysql_real_escape_string($display_name).'\', '.


  		




  
  187
  
    
                        '`home_folder` = \''.mysql_real_escape_string($home_folder).'\', '.


  		




  
  188
  
    
                        '`email` = \''.mysql_real_escape_string($email).'\' '.


  		




  
  189
  
    
                        'WHERE `user_id` = '.intval($user_id).'';


  		




  
  190
  
    

  		




  
  191
  
    
            }


  		




  
  192
  
    
            if($database->query($sql)) {


  		




  
  193
  
    
            	msgQueue::add($MESSAGE['USERS_SAVED'], true);


  		




  
  194
  
    
                $bRetVal = $user_id;


  		




  
  195
  
    
            }


  		




  
  196
  
    
            if($database->is_error()) {


  		




  
  197
  
    
               msgQueue::add( implode('<br />',explode(';',$database->get_error())) );


  		




  
  198
  
    
            }


  		




  
  199
  
    
       } else {


  		




  
  200
  
    
            	msgQueue::add($MESSAGE['GENERIC_NOT_UPGRADED']);


  		




  
  201
  
    
       }


  		




  
  202
  
    

  		




  
  203
  
    
//        return $admin->getIDKEY($user_id);


  		




  
  204
  
    
//if($admin_header) { $admin->print_header(); }


  		




  
  205
  
    
        return $bRetVal;


  		




  
  206
  
    
    }


  		












Also available in:  Unified diff