Project

General

Profile

« Previous | Next » 

Revision 1815

Added by Dietmar almost 12 years ago

! Complex code refactoring users management

View differences:

save.php
15 15
 *
16 16
 */
17 17

  
18
$config_file = realpath('../../config.php');
19
if(file_exists($config_file) && !defined('WB_URL'))
20
{
21
	require_once($config_file);
18
/* -------------------------------------------------------- */
19
// Must include code to stop this file being accessed directly
20
if(!defined('WB_URL')) {
21
	require_once(dirname(dirname(dirname(__FILE__))).'/framework/globalExceptionHandler.php');
22
	throw new IllegalFileException();
22 23
}
24
/* -------------------------------------------------------- */
23 25

  
24
if(!class_exists('admin', false)){ include(WB_PATH.'/framework/class.admin.php'); }
26
	function save_user($admin, &$aActionRequest)
27
	{
28
		global $TEXT, $MESSAGE;
29
        // Create a javascript back link
30
//        $js_back = ADMIN_URL.'/users/index.php';
31
        unset($aActionRequest['save']);
32
        $aActionRequest['modify']= 'change';
33
		$database = WbDatabase::getInstance();
34
        $bRetVal = 0;
35
    	$iMinPassLength = 6;
25 36

  
26
// suppress to print the header, so no new FTAN will be set
27
$admin = new admin('Access', 'users_modify', false);
37
        if( !$admin->checkFTAN() )
38
        {
39
        	msgQueue::add($MESSAGE['GENERIC_SECURITY_ACCESS']);
40
            return $bRetVal;
41
        }
28 42

  
29
// Create a javascript back link
30
$js_back = ADMIN_URL.'/users/index.php';
43
        // Check if user id is a valid number and doesnt equal 1
44
        if(!isset($aActionRequest['user_id']) OR !is_numeric($aActionRequest['user_id']) OR $aActionRequest['user_id'] == 1) {
45
        	msgQueue::add('::'.$MESSAGE['GENERIC_NOT_UPGRADED']);
46
            return $bRetVal;
47
        } else {
48
        	$user_id = intval($aActionRequest['user_id']);
49
        }
31 50

  
32
if( !$admin->checkFTAN() )
33
{
34
	$admin->print_header();
35
	$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'],$js_back);
36
}
37
// After check print the header
38
$admin->print_header();
51
		if( ($user_id < 2 ) )
52
		{
53
			// if($admin_header) { $admin->print_header(); }
54
        	msgQueue::add($MESSAGE['GENERIC_SECURITY_OFFENSE']);
55
            return $bRetVal;
56
		}
57
		// Get existing values
58
        $sql  = 'SELECT * FROM `'.TABLE_PREFIX.'users` ' ;
59
        $sql .= 'WHERE user_id = '.$user_id.' ';
60
        $sql .=   'AND user_id != 1 ';
39 61

  
40
// Check if user id is a valid number and doesnt equal 1
41
if(!isset($_POST['user_id']) OR !is_numeric($_POST['user_id']) OR $_POST['user_id'] == 1) {
42
	header("Location: index.php");
43
	exit(0);
44
} else {
45
	$user_id = intval($_POST['user_id']);
46
}
62
        if($oRes = $database->query($sql)){
63
            $olduser = $oRes->fetchRow(MYSQL_ASSOC);
64
        }
47 65

  
48
// Gather details entered
49
$groups_id = (isset($_POST['groups'])) ? implode(",", $admin->add_slashes($_POST['groups'])) : '';
50
$active = $admin->add_slashes($_POST['active'][0]);
51
$username_fieldname = $admin->get_post_escaped('username_fieldname');
52
$username = strtolower($admin->get_post_escaped($username_fieldname));
53
$password = $admin->get_post('password');
54
$password2 = $admin->get_post('password2');
55
$display_name = $admin->get_post_escaped('display_name');
56
$email = $admin->get_post_escaped('email');
57
$home_folder = $admin->get_post_escaped('home_folder');
66
        // Gather details entered
67
        if($admin->is_group_match($admin->get_groups_id(), '1' )){
68
            $groups_id = (isset($aActionRequest['groups'])) ? implode(",", $admin->add_slashes($aActionRequest['groups'])) : '';
69
        } else {
70
            $groups_id = $olduser['group_id'];
71
        }
72
        // there will be an additional ',' when "Please Choose" was selected, too
73
        $groups_id = trim($groups_id, ',');
74
        $active = intval(strip_tags($admin->StripCodeFromText($aActionRequest['active'][0])));
75
        $username_fieldname = strip_tags($admin->StripCodeFromText($aActionRequest['username_fieldname']));
76
        $username = strtolower(strip_tags($admin->StripCodeFromText($aActionRequest[$username_fieldname])));
77
        $password = strip_tags($admin->StripCodeFromText($aActionRequest['password']));
78
        $password2 = strip_tags($admin->StripCodeFromText($aActionRequest['password2']));
79
        $display_name = strip_tags($admin->StripCodeFromText($aActionRequest['display_name']));
80
        $email = strip_tags($admin->StripCodeFromText($aActionRequest['email']));
81
        $home_folder = strip_tags($admin->StripCodeFromText($aActionRequest['home_folder']));
58 82

  
59
// Check values
60
if($groups_id == "") {
61
	$admin->print_error($MESSAGE['USERS_NO_GROUP'], $js_back);
62
}
63
if(!preg_match('/^[a-z]{1}[a-z0-9_-]{2,}$/i', $username))
64
{
83
        // Check values
84
        if($groups_id == "") {
85
        	msgQueue::add($MESSAGE['USERS_NO_GROUP']);
86
        } else {
87
            $aGroups_id = explode(',', $groups_id);
88
            //if user is in administrator-group, get this group else just get the first one
89
            if($admin->is_group_match($groups_id,'1')) { $group_id = 1; } else { $group_id = intval($aGroups_id[0]); }
90
        }
65 91

  
66
//	print '<pre style="text-align: left;"><strong>function '.__FUNCTION__.'( '.''.' );</strong>  basename: '.basename(__FILE__).'  line: '.__LINE__.' -> <br />';
67
//	print_r( $_POST ); print '</pre>';
68
	$admin->print_error( $MESSAGE['USERS_NAME_INVALID_CHARS'].' / '.
69
	                  $MESSAGE['USERS_USERNAME_TOO_SHORT'], $js_back);
70
}
71
if($password != "") {
72
	if(strlen($password) < 6 ) {
73
		$admin->print_error($MESSAGE['USERS_PASSWORD_TOO_SHORT'], $js_back);
74
	}
75
	if($password != $password2) {
76
		$admin->print_error($MESSAGE['USERS_PASSWORD_MISMATCH'], $js_back);
77
	}
78
}
92
//$admin->is_group_match($admin->get_groups_id(), '1' )
93
        if(!preg_match('/^[a-z]{1}[a-z0-9_-]{2,}$/i', $username))
94
        {
95
        	msgQueue::add( $MESSAGE['USERS_NAME_INVALID_CHARS']);
96
        }
79 97

  
80
if($email != "")
81
{
82
	if($admin->validate_email($email) == false)
83
    {
84
        $admin->print_error($MESSAGE['USERS_INVALID_EMAIL'], $js_back);
85
	}
86
} else { // e-mail must be present
87
	$admin->print_error($MESSAGE['SIGNUP_NO_EMAIL'], $js_back);
88
}
98
        if($password != "") {
99
        	if(strlen($password) < $iMinPassLength ) {
100
        		msgQueue::add($MESSAGE['USERS_PASSWORD_TOO_SHORT']);
101
        	}
89 102

  
90
// Check if the email already exists
91
$results = $database->query("SELECT user_id FROM ".TABLE_PREFIX."users WHERE email = '".$admin->add_slashes($_POST['email'])."' AND user_id <> '".$user_id."' ");
92
if($results->numRows() > 0)
93
{
94
	if(isset($MESSAGE['USERS_EMAIL_TAKEN']))
95
    {
96
		$admin->print_error($MESSAGE['USERS_EMAIL_TAKEN'], $js_back);
97
	} else {
98
		$admin->print_error($MESSAGE['USERS_INVALID_EMAIL'], $js_back);
99
	}
100
}
103
			$pattern = '/[^'.$admin->password_chars.']/';
104
			if (preg_match($pattern, $password)) {
105
				msgQueue::add($MESSAGE['PREFERENCES_INVALID_CHARS']);
106
        	}
101 107

  
102
// Prevent from renaming user to "admin"
103
if($username != 'admin') {
104
	$username_code = ", username = '$username'";
105
} else {
106
	$username_code = '';
107
}
108
        	if(($password != $password2) ) {
109
        		msgQueue::add($MESSAGE['USERS_PASSWORD_MISMATCH']);
110
        	}
111
        }
112
// check that display_name is unique in whoole system (prevents from User-faking)
113
    	$sql  = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` ';
114
    	$sql .= 'WHERE `user_id` <> '.(int)$user_id.' AND `display_name` LIKE "'.$display_name.'"';
115
    	if( $database->get_one($sql) > 0 ){
116
            msgQueue::add($MESSAGE['USERS_USERNAME_TAKEN'].' ('.$TEXT['DISPLAY_NAME'].')');
117
            msgQueue::add($MESSAGE['MEDIA_CANNOT_RENAME']);
118
        }
119
//
120
		if( ($admin->get_user_id() != '1' ) )
121
		{
122
            if(findStringInFileList($display_name, dirname(__FILE__).'/disallowedNames')) {
123
                msgQueue::add( $TEXT['ERROR'].' '.$TEXT['DISPLAY_NAME'].' ('.$display_name.')' );
124
            }
125
		}
108 126

  
109
// Update the database
110
if($password == "") {
111
	$query = "UPDATE ".TABLE_PREFIX."users SET groups_id = '$groups_id', active = '$active'$username_code, display_name = '$display_name', home_folder = '$home_folder', email = '$email' WHERE user_id = '$user_id'";
112
} else {
113
	// MD5 supplied password
114
	$md5_password = md5($password);
115
	$query = "UPDATE ".TABLE_PREFIX."users SET groups_id = '$groups_id', active = '$active'$username_code, display_name = '$display_name', home_folder = '$home_folder', email = '$email', password = '$md5_password' WHERE user_id = '$user_id'";
116
}
117
$database->query($query);
118
if($database->is_error()) {
119
	$admin->print_error($database->get_error(),$js_back);
120
} else {
121
	$admin->print_success($MESSAGE['USERS_SAVED']);
122
}
127
    	$display_name = ( $display_name == '' ? $olduser['display_name'] : $display_name );
123 128

  
124
// Print admin footer
125
$admin->print_footer();
129
        if($email != "")
130
        {
131
        	if($admin->validate_email($email) == false)
132
            {
133
                msgQueue::add($MESSAGE['USERS_INVALID_EMAIL'].' ('.$email.')');
134
        	}
135
        } else { // e-mail must be present
136
        	msgQueue::add($MESSAGE['SIGNUP_NO_EMAIL']);
137
        }
138

  
139
		$sql  = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` '.
140
                'WHERE `email` LIKE \''.$email.'\' '.
141
                  'AND `user_id` <> '.(int)$user_id;
142
        // Check if the email already exists
143
        if( ($iFoundUser = $database->get_one($sql)) != null ) {
144
            if($iFoundUser) {
145
            	if(isset($MESSAGE['USERS_EMAIL_TAKEN']))
146
                {
147
            		msgQueue::add($MESSAGE['USERS_EMAIL_TAKEN'].' ('.$email.')');
148
            	} else {
149
            		msgQueue::add($MESSAGE['USERS_INVALID_EMAIL'].' ('.$email.')');
150
            	}
151
            }
152
        }
153

  
154
        $bRetVal = $user_id;
155

  
156
// no error then save
157
        if( !msgQueue::getError() )
158
        {
159
            if($admin->is_group_match($groups_id,'1')) { $group_id = 1; $groups_id = '1'; }
160
          // Prevent from renaming user to "admin"
161
            if($username != 'admin') {
162
            	$username_code = ", username = '$username'";
163
            } else {
164
            	$username_code = '';
165
            }
166

  
167
			$sql  = 'UPDATE `'.TABLE_PREFIX.'users` SET ';
168
            // Update the database
169
            if($password == "") {
170
                $sql .= '`group_id`     = '.intval($group_id).', '.
171
                        '`groups_id`    = \''.mysql_real_escape_string($groups_id).'\', '.
172
                        '`username` = \''.mysql_real_escape_string($username).'\', '.
173
                        '`active` = '.intval($active).', '.
174
                        '`display_name` = \''.mysql_real_escape_string($display_name).'\', '.
175
                        '`home_folder` = \''.mysql_real_escape_string($home_folder).'\', '.
176
                        '`email` = \''.mysql_real_escape_string($email).'\' '.
177
                        'WHERE `user_id` = '.intval($user_id).'';
178

  
179
            } else {
180

  
181
                $sql .= '`group_id`     = '.intval($group_id).', '.
182
                        '`groups_id`    = \''.mysql_real_escape_string($groups_id).'\', '.
183
                        '`username` = \''.mysql_real_escape_string($username).'\', '.
184
                        '`password` = \''.md5($password).'\', '.
185
                        '`active` = '.intval($active).', '.
186
                        '`display_name` = \''.mysql_real_escape_string($display_name).'\', '.
187
                        '`home_folder` = \''.mysql_real_escape_string($home_folder).'\', '.
188
                        '`email` = \''.mysql_real_escape_string($email).'\' '.
189
                        'WHERE `user_id` = '.intval($user_id).'';
190

  
191
            }
192
            if($database->query($sql)) {
193
            	msgQueue::add($MESSAGE['USERS_SAVED'], true);
194
                $bRetVal = $user_id;
195
            }
196
            if($database->is_error()) {
197
               msgQueue::add( implode('<br />',explode(';',$database->get_error())) );
198
            }
199
       } else {
200
            	msgQueue::add($MESSAGE['GENERIC_NOT_UPGRADED']);
201
       }
202

  
203
//        return $admin->getIDKEY($user_id);
204
//if($admin_header) { $admin->print_header(); }
205
        return $bRetVal;
206
    }

Also available in: Unified diff