Index: branches/2.8.x/CHANGELOG
===================================================================
--- branches/2.8.x/CHANGELOG	(revision 1814)
+++ branches/2.8.x/CHANGELOG	(revision 1815)
@@ -13,6 +13,8 @@
 
 
 
+11 Nov-2012 Build 1815 Dietmar Woellbrink (Luisehahne)
+! Complex code refactoring users management
 10 Nov-2012 Build 1814 Dietmar Woellbrink (Luisehahne)
 ! update jQuery to jQuery 1.8.2 and jQuery UI 1.9.1
 10 Nov-2012 Build 1813 Dietmar Woellbrink (Luisehahne)
Index: branches/2.8.x/wb/upgrade-script.php
===================================================================
--- branches/2.8.x/wb/upgrade-script.php	(revision 1814)
+++ branches/2.8.x/wb/upgrade-script.php	(revision 1815)
@@ -821,15 +821,16 @@
 
         foreach($aUsers AS $user_id => $value){
                 // choose group_id from groups_id - workaround for still remaining calls to group_id (to be cleaned-up)
-                $groups_id = explode(',', $aUsers[$user_id]['groups_id']);
+                $aGroups_id = explode(',', $aUsers[$user_id]['groups_id']);
+                $groups_id = $aUsers[$user_id]['groups_id'];
                 $group_id = 0;
                 //if user is in administrator-group, get this group else just get the first one
-                if($admin->is_group_match($groups_id,'1')) { $group_id = 1; } else { $group_id = intval($groups_id[0]); }
-                unset($groups_id);
+                if($admin->is_group_match($aGroups_id,'1')) { $group_id = 1; $groups_id = '1'; } else { $group_id = intval($aGroups_id[0]); }
 
                 $sMessage = "<span>Updating group_id ".$TEXT['DISPLAY_NAME']." " .$aUsers[$user_id]['display_name']."</span>";
                 $sql  = 'UPDATE `'.TABLE_PREFIX.'users` ';
-                $sql .= 'SET `group_id` = '.$group_id.' ';
+                $sql .= 'SET `group_id`  = '.$group_id.', ';
+                $sql .=     '`groups_id` = '.$groups_id.' ';
                 $sql .= 'WHERE `user_id` = '.intval($user_id);
 
                 if($oRes = $database->query($sql)){  }
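Review bot: The new `groups_id` assignment in the last two SQL lines interpolates the raw comma-separated column value unquoted, so for any non-admin user with more than one group (`2,3`) or with an empty list the statement becomes `SET group_id = 2, groups_id = 2,3` and fails with a syntax error, and because the result of `$database->query($sql)` is discarded in the empty `if` body the failure is silent. Rebuild the value from validated integers at the assignment, `$groups_id = implode(',', array_map('intval', $aGroups_id));`, and wrap it in quotes in the SET clause (`= \''.$groups_id.'\' '` instead of `= '.$groups_id.' '`); the admin branch's `$groups_id = '1'` still overrides it. That admin branch also collapses the stored list to `1`, which drops every other membership of an administrator — if that is not intended, leave `$groups_id` untouched there. The surrounding upgrade step continues outside this hunk.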
Index: branches/2.8.x/wb/admin/skel/themes/htt/users.htt
===================================================================
--- branches/2.8.x/wb/admin/skel/themes/htt/users.htt	(revision 1814)
+++ branches/2.8.x/wb/admin/skel/themes/htt/users.htt	(revision 1815)
@@ -13,7 +13,7 @@
      </tr>
 </table>
 <div class="account">
-<form name="users" action="users.php" method="post" class="left">
+<form name="users" action="index.php" method="post" class="left">
 <input type="hidden" name="userstatus" value="{USER_STATUS}" />
 {FTAN}
 
Index: branches/2.8.x/wb/admin/skel/themes/htt/users_form.htt
===================================================================
--- branches/2.8.x/wb/admin/skel/themes/htt/users_form.htt	(revision 1814)
+++ branches/2.8.x/wb/admin/skel/themes/htt/users_form.htt	(revision 1815)
@@ -8,11 +8,12 @@
 </script>
 <div class="account">
 
-<h2 class="left" style="{DISPLAY_EXTRA}">{HEADING_MODIFY_USER}</h2>
+<h3 class="left bold" style="{DISPLAY_EXTRA}">{HEADING_MODIFY_USER}</h3>
 
-<form name="user" action="{ACTION_URL}" method="post" class="{DISPLAY_ADD} left settings_table">
+<form action="{ACTION_URL}" method="post" class="{DISPLAY_ADD} left settings_table">
 <input type="hidden" name="user_id" value="{USER_ID}" />
 <input type="hidden" name="username_fieldname" value="{USERNAME_FIELDNAME}" />
+<input type="hidden" name="BackLink" value="{BACK_LINK}" />
 {FTAN}
 <table>
 <!-- BEGIN show_modify_loginname_block -->
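Review bot: The new hidden `BackLink` field is filled from `{BACK_LINK}`, but the user_list.php added in this commit sets `CANCEL_URL` and never `BACK_LINK`, so with the templates constructed in `'keep'` mode the placeholder is presumably left unresolved and posted back literally; set it explicitly in the caller. Because a hidden field round-trips through the client, whatever later consumes `BackLink` as a redirect target must validate it against the admin URL rather than trusting it, and it should be attribute-escaped before being written into `value="..."`. Dropping `name="user"` from the form also breaks any script that addresses `document.user`; the inline script just above this hunk is worth checking for that.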
@@ -46,7 +47,7 @@
 </tr>
 <tr style="{DISPLAY_EXTRA}">
 	<td colspan="2" style="">
-		<div class="warning value_input" style="max-width:700px; margin-right: 20%; float: right;">{CHANGING_PASSWORD}</div>
+		<div class="warning value_input" style="max-width:650px; margin-right: 23%; float: right;">{CHANGING_PASSWORD}</div>
 	</td>
 </tr>
 <tr>
@@ -72,7 +73,16 @@
 		</select>
 	</td>
 </tr>
+
+<!-- BEGIN show_change_group_list_block -->
 <tr>
+	<td colspan="2" style="">
+		<div class="warning value_input" style="max-width:650px; margin-right: 23%; float: right;">{CHANGING_GROUPS}</div>
+	</td>
+</tr>
+<!-- END show_change_group_list_block -->
+
+<tr>
 	<td class="rightTop">{TEXT_GROUP}:</td>
 	<td class="value_input">
 		<select name="groups[]" multiple="multiple" size="5">
@@ -93,9 +103,9 @@
 </tr>
 <tr>
 	<td colspan="2" class="center">
-		<input type="submit" name="submit" value="{SUBMIT_TITLE}" />
+		<input type="submit" name="{SUB_ACTION}" value="{SUBMIT_TITLE}" />
 		<input type="reset" name="reset" value="{TEXT_RESET}" />
-		<input type="button" style="width: 100px; margin-top: 5px;" onclick="javascript:window.location='index.php';" value="{TEXT_CANCEL}" />
+		<input type="button" style="width: 100px; margin-top: 5px;" onclick="javascript:window.location='{CANCEL_URL}';" value="{TEXT_CANCEL}" />
 	</td>
 </tr>
 </table>
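Review bot: `{CANCEL_URL}` on the Cancel button is interpolated into a JavaScript string literal inside an `onclick` attribute with no escaping for either context, and user_list.php fills it from `$aActionRequest['cancel_url']`, i.e. from the request; a value containing `'` or `"` breaks out of the string or the attribute, and a value such as `http://example.net/` simply redirects the administrator. Either restore the previous fixed `onclick="javascript:window.location='index.php';"` or ensure the caller validates the target against the admin URL and applies `htmlspecialchars($url, ENT_QUOTES)` before `set_var`. Using `{SUB_ACTION}` as the submit button's `name` is fine as long as the save and modify handlers key on it consistently; in the visible code it is server-controlled.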
Index: branches/2.8.x/wb/admin/interface/version.php
===================================================================
--- branches/2.8.x/wb/admin/interface/version.php	(revision 1814)
+++ branches/2.8.x/wb/admin/interface/version.php	(revision 1815)
@@ -51,5 +51,5 @@
 
 // check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled)
 if(!defined('VERSION')) define('VERSION', '2.8.3');
-if(!defined('REVISION')) define('REVISION', '1814');
+if(!defined('REVISION')) define('REVISION', '1815');
 if(!defined('SP')) define('SP', '');
Index: branches/2.8.x/wb/admin/users/users.php
===================================================================
--- branches/2.8.x/wb/admin/users/users.php	(revision 1814)
+++ branches/2.8.x/wb/admin/users/users.php	(nonexistent)
@@ -1,254 +0,0 @@
-<?php
-/**
- *
- * @category        admin
- * @package         users
- * @author          Ryan Djurovich, WebsiteBaker Project
- * @copyright       2009-2012, WebsiteBaker Org. e.V.
- * @link			http://www.websitebaker2.org/
- * @license         http://www.gnu.org/licenses/gpl.html
- * @platform        WebsiteBaker 2.8.x
- * @requirements    PHP 5.2.2 and higher
- * @version         $Id$
- * @filesource		$HeadURL$
- * @lastmodified    $Date$
- *
- */
-
- // Include config file and admin class file
-
-$config_file = realpath('../../config.php');
-if(file_exists($config_file) && !defined('WB_URL'))
-{
-	require_once($config_file);
-}
-
-if(!class_exists('admin', false)){ include(WB_PATH.'/framework/class.admin.php'); }
-
-$requestMethod = '_'.strtoupper($_SERVER['REQUEST_METHOD']);
-$aActionRequest = (isset(${$requestMethod})) ? ${$requestMethod} : null;
-
-$action = 'cancel';
-
-// Set parameter 'action' as alternative to javascript mechanism
-$action = (isset($aActionRequest['modify']) ? 'modify' : $action );
-$action = (isset($aActionRequest['delete']) ? 'delete' : $action );
-$action = (isset($aActionRequest['delete_outdated']) ? 'delete_outdated' : $action );
-
-switch ($action):
-	case 'modify' :
-			// Print header
-			$admin = new admin('Access', 'users_modify');
-			$user_id = intval($admin->checkIDKEY('user_id', 0, $_SERVER['REQUEST_METHOD']));
-			// Check if user id is a valid number and doesnt equal 1
-			if($user_id == 0){
-			$admin->print_error($MESSAGE['GENERIC_FORGOT_OPTIONS'] );
-            }
-			if( ($user_id < 2 ) )
-			{
-				// if($admin_header) { $admin->print_header(); }
-				$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'] );
-			}
-			// Get existing values
-			$results = $database->query("SELECT * FROM `".TABLE_PREFIX."users` WHERE `user_id` = '".$user_id."'");
-			$user = $results->fetchRow();
-
-			// Setup template object, parse vars to it, then parse it
-			// Create new template object
-			$template = new Template(dirname($admin->correct_theme_source('users_form.htt')),'keep');
-			// $template->debug = true;
-			$template->set_file('page', 'users_form.htt');
-			$template->set_block('page', 'main_block', 'main');
-			$template->set_block('main_block', 'show_modify_loginname_block', 'show_modify_loginname');
-			$template->set_block('main_block', 'show_add_loginname_block', 'show_add_loginname');
-			$template->set_var(	array(
-						'ACTION_URL' => ADMIN_URL.'/users/save.php',
-						'SUBMIT_TITLE' => $TEXT['SAVE'],
-						'USER_ID' => $user['user_id'],
-						'DISPLAY_EXTRA' => '',
-						'DISPLAY_HOME_FOLDERS' => '',
-						'USERNAME' => $user['username'],
-						'DISPLAY_NAME' => $user['display_name'],
-						'EMAIL' => $user['email'],
-						'ADMIN_URL' => ADMIN_URL,
-						'WB_URL' => WB_URL,
-						'THEME_URL' => THEME_URL
-						)
-				);
-
-			$template->set_var('FTAN', $admin->getFTAN());
-			if($user['active'] == 1) {
-                $template->set_var('DISABLED_CHECKED', '');
-				$template->set_var('ACTIVE_CHECKED', ' checked="checked"');
-			} else {
-                $template->set_var('ACTIVE_CHECKED', '');
-				$template->set_var('DISABLED_CHECKED', ' checked="checked"');
-			}
-			// Add groups to list
-			$template->set_block('main_block', 'group_list_block', 'group_list');
-			$results = $database->query("SELECT group_id, name FROM ".TABLE_PREFIX."groups WHERE group_id != '1' ORDER BY name");
-			if($results->numRows() > 0) {
-				$template->set_var('ID', '');
-				$template->set_var('NAME', $TEXT['PLEASE_SELECT'].'...');
-				$template->set_var('SELECTED', '');
-				$template->parse('group_list', 'group_list_block', true);
-				while($group = $results->fetchRow()) {
-					$template->set_var('ID', $group['group_id']);
-					$template->set_var('NAME', $group['name']);
-					if(in_array($group['group_id'], explode(",",$user['groups_id']))) {
-						$template->set_var('SELECTED', ' selected="selected"');
-					} else {
-						$template->set_var('SELECTED', '');
-					}
-					$template->parse('group_list', 'group_list_block', true);
-				}
-			}
-
-			// Only allow the user to add a user to the Administrators group if they belong to it
-			if(in_array(1, $admin->get_groups_id()))
-		    {
-				$template->set_var('ID', '1');
-				$users_groups = $admin->get_groups_name();
-				$template->set_var('NAME', $users_groups[1]);
-
-				$in_group = FALSE;
-				foreach($admin->get_groups_id() as $cur_gid){
-				    if (in_array($cur_gid, explode(",", $user['groups_id']))) {
-				        $in_group = TRUE;
-				    }
-				}
-
-				if($in_group) {
-					$template->set_var('SELECTED', ' selected="selected"');
-				} else {
-					$template->set_var('SELECTED', '');
-				}
-				$template->parse('group_list', 'group_list_block', true);
-			} else {
-				if($results->numRows() == 0) {
-					$template->set_var('ID', '');
-					$template->set_var('NAME', $TEXT['NONE_FOUND']);
-					$template->set_var('SELECTED', ' selected="selected"');
-					$template->parse('group_list', 'group_list_block', true);
-				}
-			}
-
-			// Generate username field name
-			$username_fieldname = 'username_';
-			$salt = "abchefghjkmnpqrstuvwxyz0123456789";
-			srand((double)microtime()*1000000);
-			$i = 0;
-			while ($i <= 7) {
-				$num = rand() % 33;
-				$tmp = substr($salt, $num, 1);
-				$username_fieldname = $username_fieldname . $tmp;
-				$i++;
-			}
-
-			// Work-out if home folder should be shown
-			if(!HOME_FOLDERS) {
-				$template->set_var('DISPLAY_HOME_FOLDERS', 'display:none;');
-			}
-
-			// Include the WB functions file
-			require_once(WB_PATH.'/framework/functions.php');
-
-			// Add media folders to home folder list
-			$template->set_block('main_block', 'folder_list_block', 'folder_list');
-			foreach(directory_list(WB_PATH.MEDIA_DIRECTORY) AS $name)
-		    {
-				$template->set_var('NAME', str_replace(WB_PATH, '', $name));
-				$template->set_var('FOLDER', str_replace(WB_PATH.MEDIA_DIRECTORY, '', $name));
-				if($user['home_folder'] == str_replace(WB_PATH.MEDIA_DIRECTORY, '', $name)) {
-					$template->set_var('SELECTED', ' selected="selected"');
-				} else {
-					$template->set_var('SELECTED', ' ');
-				}
-				$template->parse('folder_list', 'folder_list_block', true);
-			}
-
-			// Insert language text and messages
-			$template->set_var(array(
-								'TEXT_RESET' => $TEXT['RESET'],
-								'TEXT_CANCEL' => $TEXT['CANCEL'],
-								'TEXT_ACTIVE' => $TEXT['ACTIVE'],
-								'TEXT_DISABLED' => $TEXT['DISABLED'],
-								'TEXT_PLEASE_SELECT' => $TEXT['PLEASE_SELECT'],
-								'TEXT_USERNAME' => $TEXT['USERNAME'],
-								'TEXT_PASSWORD' => $TEXT['PASSWORD'],
-								'TEXT_RETYPE_PASSWORD' => $TEXT['RETYPE_PASSWORD'],
-								'TEXT_DISPLAY_NAME' => $TEXT['DISPLAY_NAME'],
-								'TEXT_EMAIL' => $TEXT['EMAIL'],
-								'TEXT_GROUP' => $TEXT['GROUP'],
-								'TEXT_NONE' => $TEXT['NONE'],
-								'TEXT_HOME_FOLDER' => $TEXT['HOME_FOLDER'],
-								'USERNAME_FIELDNAME' => $username_fieldname,
-								'CHANGING_PASSWORD' => $MESSAGE['USERS_CHANGING_PASSWORD'],
-								'HEADING_MODIFY_USER' => $HEADING['MODIFY_USER']
-								)
-						);
-
-			// Parse template object
-			$template->parse('show_modify_loginname', 'show_modify_loginname_block', true);
-			$template->parse('show_add_loginname', '', true);
-			$template->parse('main', 'main_block', false);
-			$template->pparse('output', 'page');
-			break;
-		case 'delete' :
-			// Print header
-			$admin = new admin('Access', 'users_delete');
-
-			$user_id = intval($admin->checkIDKEY('user_id', 0, $_SERVER['REQUEST_METHOD']));
-			// Check if user id is a valid number and doesnt equal 1
-
-			if($user_id == 0){
-			$admin->print_error($MESSAGE['GENERIC_FORGOT_OPTIONS'] );
-            }
-			if( ($user_id < 2 ) )
-			{
-				// if($admin_header) { $admin->print_header(); }
-				$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'] );
-			}
-			$sql  = 'SELECT `active` FROM `'.TABLE_PREFIX.'users` ';
-            $sql .= 'WHERE `user_id` = '.$user_id.'';
-            if( ($iDeleteUser = $database->get_one($sql)) == 1 ) {
-				// Delete the user
-				$database->query("UPDATE `".TABLE_PREFIX."users` SET `active` = 0 WHERE `user_id` = '".$user_id."' ");
-            } else {
-				$database->query("DELETE FROM `".TABLE_PREFIX."users` WHERE `user_id` = ".$user_id);
-            }
-
-			if($database->is_error()) {
-				$admin->print_error($database->get_error());
-			} else {
-				$admin->print_success($MESSAGE['USERS_DELETED']);
-			}
-			break;
-		case 'delete_outdated' :
-			$admin = new admin('Access', 'users_delete');
-			$user_id = intval($admin->checkIDKEY('user_id_activation_id', 0, $_SERVER['REQUEST_METHOD']));
-			// Check if user id is a valid number and doesnt equal 1
-			if($user_id == 0){
-    			$admin->print_error($MESSAGE['GENERIC_FORGOT_OPTIONS'] );
-            }
-			if( ($user_id < 2 ) )
-			{
-				// if($admin_header) { $admin->print_header(); }
-				$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'] );
-			}
-			$database->query("DELETE FROM `".TABLE_PREFIX."users` WHERE `user_id` = ".$user_id);
-			if($database->is_error()) {
-				$admin->print_error($database->get_error());
-			} else {
-				$admin->print_success($MESSAGE['USERS_DELETED']);
-			}
-			break;
-	default:
-			break;
-endswitch;
-
-
-
-// Print admin footer
-$admin->print_footer();
-

Property changes on: branches/2.8.x/wb/admin/users/users.php
___________________________________________________________________
Deleted: svn:executable
## -1 +0,0 ##
-*
\ No newline at end of property
Deleted: svn:keywords
## -1,4 +0,0 ##
-Id
-Revision
-HeadURL
-Date
\ No newline at end of property
Index: branches/2.8.x/wb/admin/users/user_list.php
===================================================================
--- branches/2.8.x/wb/admin/users/user_list.php	(nonexistent)
+++ branches/2.8.x/wb/admin/users/user_list.php	(revision 1815)
@@ -0,0 +1,306 @@
+<?php
+
+/**
+ *
+ * @category        admin
+ * @package         pages
+ * @author          Ryan Djurovich (2004-2009), WebsiteBaker Project
+ * @copyright       2009-2012, WebsiteBaker Org. e.V.
+ * @link			http://www.websitebaker2.org/
+ * @license         http://www.gnu.org/licenses/gpl.html
+ * @platform        WebsiteBaker 2.8.x
+ * @requirements    PHP 5.2.2 and higher
+ * @version         $Id$
+ * @filesource		$HeadURL$
+ * @lastmodified    $Date$
+ *
+ */
+
+/* -------------------------------------------------------- */
+// Must include code to stop this file being accessed directly
+if(!defined('WB_URL')) {
+	require_once(dirname(dirname(dirname(__FILE__))).'/framework/globalExceptionHandler.php');
+	throw new IllegalFileException();
+}
+/* -------------------------------------------------------- */
+
+	function show_userlist($admin, &$aActionRequest)
+	{
+		global $TEXT, $MESSAGE, $HEADING, $MENU;
+		$database = WbDatabase::getInstance();
+        $iUserStatus = 1;
+        $iUserStatus = ( ( $admin->get_get('status')==1 ) ? 0 : $iUserStatus );
+        unset($_GET);
+
+        // Setup template object, parse vars to it, then parse it
+        // Create new template object
+        $oTpl = new Template(dirname($admin->correct_theme_source('users.htt')),'keep');
+        // $oTpl->debug = true;
+
+        $oTpl->set_file('page', 'users.htt');
+        $oTpl->set_block('page', 'main_block', 'main');
+        $oTpl->set_block("main_block", "manage_groups_block", "groups");
+
+        $oTpl->set_var('ADMIN_URL', ADMIN_URL);
+        $oTpl->set_var('FTAN', $admin->getFTAN());
+        $oTpl->set_var('USER_STATUS', $iUserStatus );
+        $oTpl->set_var('groups', '');
+        $oTpl->set_var('DISPLAY_ADD', '');
+        $oTpl->set_var('DISPLAY_MODIFY', '');
+        $oTpl->set_var('DISABLED_CHECKED', '');
+        $oTpl->set_var('HEADING_MODIFY_USER', '');
+        $oTpl->set_var('DISPLAY_HOME_FOLDERS', '');
+
+        $UserStatusActive = 'url('.THEME_URL.'/images/user.png)';
+        $UserStatusInactive = 'url('.THEME_URL.'/images/user_red.png)';
+
+        $sUserTitle = ($iUserStatus == 0) ? $MENU['USERS'].' '.strtolower($TEXT['ACTIVE']) : $MENU['USERS'].' '.strtolower($TEXT['DELETED']) ;
+
+        $oTpl->set_var('TEXT_USERS', $sUserTitle.' '.$TEXT['SHOW'] );
+        $oTpl->set_var('STATUS_ICON', ( ($iUserStatus==0) ? $UserStatusActive : $UserStatusInactive) );
+
+        // Get existing value from database
+        $sql  = 'SELECT `user_id`, `username`, `display_name`, `active` FROM `'.TABLE_PREFIX.'users` ' ;
+        $sql .= 'WHERE user_id != 1 ';
+        $sql .=     'AND active = '.$iUserStatus.' ';
+        $sql .= 'ORDER BY `display_name`,`username`';
+
+//        $query = "SELECT user_id, username, display_name, active FROM ".TABLE_PREFIX."users WHERE user_id != '1' ORDER BY display_name,username";
+        $oRes = $database->query($sql);
+        if($database->is_error()) {
+        	$admin->print_error($database->get_error(), 'index.php');
+        }
+
+        $sUserList  = $TEXT['LIST_OPTIONS'].' ';
+        $sUserList .= ($iUserStatus == 1) ? $MENU['USERS'].' '.strtolower($TEXT['ACTIVE']) : $MENU['USERS'].' '.strtolower($TEXT['DELETED']) ;
+        // Insert values into the modify/remove menu
+        $oTpl->set_block('main_block', 'list_block', 'list');
+        if($oRes->numRows() > 0) {
+        	// Insert first value to say please select
+        	$oTpl->set_var('VALUE', '');
+        	$oTpl->set_var('NAME', $sUserList);
+        	$oTpl->set_var('STATUS', 'class="user-active"' );
+        	$oTpl->parse('list', 'list_block', true);
+        	// Loop through users
+        	while($user = $oRes->fetchRow(MYSQL_ASSOC)) {
+        		$oTpl->set_var('VALUE',$admin->getIDKEY($user['user_id']));
+        		$oTpl->set_var('STATUS', ($user['active']==false ? 'class="user-inactive"' : 'class="user-active"') );
+        		$oTpl->set_var('NAME', $user['display_name'].' ('.$user['username'].')');
+        		$oTpl->parse('list', 'list_block', true);
+        	}
+        } else {
+        	// Insert single value to say no users were found
+        	$oTpl->set_var('NAME', $TEXT['NONE_FOUND']);
+        	$oTpl->parse('list', 'list_block', true);
+        }
+
+        // Insert permissions values
+        if($admin->get_permission('users_add') != true) {
+        	$oTpl->set_var('DISPLAY_ADD', 'hide');
+        }
+        if($admin->get_permission('users_modify') != true) {
+        	$oTpl->set_var('DISPLAY_MODIFY', 'hide');
+        }
+        if($admin->get_permission('users_delete') != true) {
+        	$oTpl->set_var('DISPLAY_DELETE', 'hide');
+        }
+        $HeaderTitle = $HEADING['MODIFY_DELETE_USER'].' ';
+        $HeaderTitle .= (($iUserStatus == 1) ? strtolower($TEXT['ACTIVE']) : strtolower($TEXT['DELETED']));
+        // Insert language headings
+        $oTpl->set_var(array(
+        		'HEADING_MODIFY_DELETE_USER' => $HeaderTitle,
+        		'HEADING_ADD_USER' => $HEADING['ADD_USER']
+        		)
+        );
+        // insert urls
+        $oTpl->set_var(array(
+                'ADMIN_URL' => ADMIN_URL,
+                'WB_URL' => WB_URL,
+                'THEME_URL' => THEME_URL
+        		)
+        );
+        // Insert language text and messages
+        $oTpl->set_var(array(
+        		'DISPLAY_WAITING_ACTIVATION' => '',
+        		'TEXT_MODIFY' => $TEXT['MODIFY'],
+        		'TEXT_DELETE' => $TEXT['DELETE'],
+        		'TEXT_MANAGE_GROUPS' => ( $admin->get_permission('groups') == true ) ? $TEXT['MANAGE_GROUPS'] : "**",
+        		'CONFIRM_DELETE' => (($iUserStatus == 1) ? $TEXT['ARE_YOU_SURE'] : $MESSAGE['USERS_CONFIRM_DELETE'])
+        		)
+        );
+
+        $oTpl->set_block('main_block', 'show_confirmed_activation_block', 'show_confirmed_activation');
+        if($admin->ami_group_member('1')) {
+                $oTpl->set_block('show_confirmed_activation_block', 'list_confirmed_activation_block', 'list_confirmed_activation');
+            	$oTpl->set_var('DISPLAY_WAITING_ACTIVATION', 'Users awaiting for activation');
+        		$sql  = 'SELECT * FROM `'.TABLE_PREFIX.'users` ';
+        		$sql .= 'WHERE `confirm_timeout` != 0 ';
+                $sql .=   'AND `active` = 0 ';
+                $sql .=   'AND `user_id` != 1 ';
+                if( ($oRes = $database->query($sql)) ) {
+                	$oTpl->set_var('DISPLAY_DELETE', '');
+        //        	$oTpl->set_var('NAME', 'User waiting for activation');
+        //        	$oTpl->set_var('STATUS', '' );
+                	// Loop through users
+                    if($nNumRows = $oRes->numRows()) {
+                    	while($aUser = $oRes->fetchRow(MYSQL_ASSOC)) {
+                    		$oTpl->set_var('VALUE',$admin->getIDKEY($aUser['user_id']));
+                       		$oTpl->set_var('STATUS', '') ;
+                    		$oTpl->set_var('NAME', $aUser['display_name'].' ('.$aUser['username'].')'.' ['.$aUser['email'].']');
+                    		$oTpl->parse('list_confirmed_activation', 'list_confirmed_activation_block', true);
+                    	}
+                    	$oTpl->parse('show_confirmed_activation', 'show_confirmed_activation_block',true);
+                    }
+                } else { $nNumRows = 0; }
+
+        } else {
+            $nNumRows = 0;
+        }
+
+        if ( $nNumRows == 0){
+        	$oTpl->parse('show_confirmed_activation', '');
+        }
+
+        if ( $admin->get_permission('groups') == true ) $oTpl->parse("groups", "manage_groups_block", true);
+        // Parse template object
+        $oTpl->parse('main', 'main_block', false);
+
+		$output = $oTpl->finish($oTpl->parse('output', 'page'));
+        // Setup template object, parse vars to it, then parse it
+        // Create new template object
+        $oTpl = new Template(dirname($admin->correct_theme_source('users_form.htt')),'keep');
+        // $oTpl->debug = true;
+        $oTpl->set_file('page', 'users_form.htt');
+        $oTpl->set_block('page', 'main_block', 'main');
+        $oTpl->set_block('main_block', 'show_modify_loginname_block', 'show_modify_loginname');
+        $oTpl->set_block('main_block', 'show_add_loginname_block', 'show_add_loginname');
+
+		$oTpl->set_block('main_block', 'show_change_group_list_block', 'show_change_group_list');
+
+		$oTpl->parse('show_change_group_list', '');
+//		$oTpl->parse('show_change_group_list', 'show_change_group_list_block', true);
+
+		$oTpl->set_var(	array(
+    			   'ACTION_URL'   => ADMIN_URL.'/users/index.php',
+    			   'FTAN'   => $admin->getFTAN(),
+    			   'DISPLAY_EXTRA'   => 'display:none;',
+    			   'ACTIVE_CHECKED'   => ' checked="checked"',
+    			   'DISABLED_CHECKED'   => '',
+    			   'NO_RIGHTS' => 'hide',
+    			   'CHANGING_GROUPS' => '',
+    			   'DISPLAY_ADD' => '',
+    			   'DISPLAY_MODIFY' => '',
+    			   'HEADING_MODIFY_USER' => '',
+    			   'DISPLAY_HOME_FOLDERS' => '',
+    			   'SUBMIT_TITLE' => $TEXT['ADD'],
+    			   )
+			);
+
+
+        // insert urls
+        $oTpl->set_var(array(
+        		'USER_ID' => '',
+        		'USERNAME' => '',
+        		'DISPLAY_NAME' => '',
+        		'EMAIL' => '',
+        		'ADMIN_URL' => ADMIN_URL,
+        		'WB_URL' => WB_URL,
+                'SUB_ACTION' => 'add',
+                'CANCEL_URL' => $aActionRequest['cancel_url'],
+        		'THEME_URL' => THEME_URL
+        		)
+        );
+
+        // Add groups to list
+        $oTpl->set_block('main_block', 'group_list_block', 'group_list');
+        $results = $database->query("SELECT group_id, name FROM ".TABLE_PREFIX."groups WHERE group_id != '1'");
+        if($results->numRows() > 0) {
+        	$oTpl->set_var('ID', '');
+        	$oTpl->set_var('NAME', $TEXT['PLEASE_SELECT'].'...');
+        	$oTpl->set_var('SELECTED', ' selected="selected"');
+        	$oTpl->parse('group_list', 'group_list_block', true);
+        	while($group = $results->fetchRow()) {
+        		$oTpl->set_var('ID', $group['group_id']);
+        		$oTpl->set_var('NAME', $group['name']);
+        		$oTpl->set_var('SELECTED', '');
+        		$oTpl->parse('group_list', 'group_list_block', true);
+        	}
+        }
+        // Only allow the user to add a user to the Administrators group if they belong to it
+        if(in_array(1, $admin->get_groups_id())) {
+        	$users_groups = $admin->get_groups_name();
+        	$oTpl->set_var('ID', '1');
+        	$oTpl->set_var('NAME', $users_groups[1]);
+        	$oTpl->set_var('SELECTED', '');
+        	$oTpl->parse('group_list', 'group_list_block', true);
+        } else {
+        	if($results->numRows() == 0) {
+        		$oTpl->set_var('ID', '');
+        		$oTpl->set_var('NAME', $TEXT['NONE_FOUND']);
+        		$oTpl->parse('group_list', 'group_list_block', true);
+        	}
+        }
+
+        // Insert permissions values
+        if($admin->get_permission('users_add') != true) {
+        	$oTpl->set_var('DISPLAY_ADD', 'hide');
+        }
+
+        // Generate username field name
+        $username_fieldname = 'username_';
+        $salt = "abchefghjkmnpqrstuvwxyz0123456789";
+        srand((double)microtime()*1000000);
+        $i = 0;
+        while ($i <= 7) {
+        	$num = rand() % 33;
+        	$tmp = substr($salt, $num, 1);
+        	$username_fieldname = $username_fieldname . $tmp;
+        	$i++;
+        }
+
+        // Work-out if home folder should be shown
+        if(!HOME_FOLDERS) {
+        	$oTpl->set_var('DISPLAY_HOME_FOLDERS', 'display:none;');
+        }
+
+        // Include the WB functions file
+        require_once(WB_PATH.'/framework/functions.php');
+
+        // Add media folders to home folder list
+        $oTpl->set_block('main_block', 'folder_list_block', 'folder_list');
+        foreach(directory_list(WB_PATH.MEDIA_DIRECTORY) AS $name) {
+        	$oTpl->set_var('NAME', str_replace(WB_PATH, '', $name));
+        	$oTpl->set_var('FOLDER', str_replace(WB_PATH.MEDIA_DIRECTORY, '', $name));
+        	$oTpl->set_var('SELECTED', ' ');
+        	$oTpl->parse('folder_list', 'folder_list_block', true);
+        }
+
+        // Insert language text and messages
+        $oTpl->set_var(array(
+        			'TEXT_CANCEL' => $TEXT['CANCEL'],
+        			'TEXT_RESET' => $TEXT['RESET'],
+        			'TEXT_ACTIVE' => $TEXT['ACTIVE'],
+        			'TEXT_DISABLED' => $TEXT['DISABLED'],
+        			'TEXT_PLEASE_SELECT' => $TEXT['PLEASE_SELECT'],
+        			'TEXT_USERNAME' => $TEXT['USERNAME'],
+        			'TEXT_PASSWORD' => $TEXT['PASSWORD'],
+        			'TEXT_RETYPE_PASSWORD' => $TEXT['RETYPE_PASSWORD'],
+        			'TEXT_DISPLAY_NAME' => $TEXT['DISPLAY_NAME'],
+        			'TEXT_EMAIL' => $TEXT['EMAIL'],
+        			'TEXT_GROUP' => $TEXT['GROUP'],
+        			'TEXT_NONE' => $TEXT['NONE'],
+        			'TEXT_HOME_FOLDER' => $TEXT['HOME_FOLDER'],
+        			'USERNAME_FIELDNAME' => $username_fieldname,
+        			'CHANGING_PASSWORD' => $MESSAGE['USERS_CHANGING_PASSWORD']
+        			)
+        	);
+
+        // Parse template for add user form
+        $oTpl->parse('show_modify_loginname', '', true);
+        $oTpl->parse('show_add_loginname', 'show_add_loginname_block', true);
+        $oTpl->parse('main', 'main_block', false);
+		$output .= $oTpl->finish($oTpl->parse('output', 'page'));
+
+        return $output;
+
+    }

Property changes on: branches/2.8.x/wb/admin/users/user_list.php
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:keywords
## -0,0 +1 ##
+Date Author Id Revision HeadURL
\ No newline at end of property
Index: branches/2.8.x/wb/admin/users/save.php
===================================================================
--- branches/2.8.x/wb/admin/users/save.php	(revision 1814)
+++ branches/2.8.x/wb/admin/users/save.php	(revision 1815)
@@ -15,111 +15,192 @@
  *
  */
 
-$config_file = realpath('../../config.php');
-if(file_exists($config_file) && !defined('WB_URL'))
-{
-	require_once($config_file);
+/* -------------------------------------------------------- */
+// Must include code to stop this file being accessed directly
+if(!defined('WB_URL')) {
+	require_once(dirname(dirname(dirname(__FILE__))).'/framework/globalExceptionHandler.php');
+	throw new IllegalFileException();
 }
+/* -------------------------------------------------------- */
 
-if(!class_exists('admin', false)){ include(WB_PATH.'/framework/class.admin.php'); }
+	function save_user($admin, &$aActionRequest)
+	{
+		global $TEXT, $MESSAGE;
+        // Create a javascript back link
+//        $js_back = ADMIN_URL.'/users/index.php';
+        unset($aActionRequest['save']);
+        $aActionRequest['modify']= 'change';
+		$database = WbDatabase::getInstance();
+        $bRetVal = 0;
+    	$iMinPassLength = 6;
 
-// suppress to print the header, so no new FTAN will be set
-$admin = new admin('Access', 'users_modify', false);
+        if( !$admin->checkFTAN() )
+        {
+        	msgQueue::add($MESSAGE['GENERIC_SECURITY_ACCESS']);
+            return $bRetVal;
+        }
 
-// Create a javascript back link
-$js_back = ADMIN_URL.'/users/index.php';
+        // Check if user id is a valid number and doesnt equal 1
+        if(!isset($aActionRequest['user_id']) OR !is_numeric($aActionRequest['user_id']) OR $aActionRequest['user_id'] == 1) {
+        	msgQueue::add('::'.$MESSAGE['GENERIC_NOT_UPGRADED']);
+            return $bRetVal;
+        } else {
+        	$user_id = intval($aActionRequest['user_id']);
+        }
 
-if( !$admin->checkFTAN() )
-{
-	$admin->print_header();
-	$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'],$js_back);
-}
-// After check print the header
-$admin->print_header();
+		if( ($user_id < 2 ) )
+		{
+			// if($admin_header) { $admin->print_header(); }
+        	msgQueue::add($MESSAGE['GENERIC_SECURITY_OFFENSE']);
+            return $bRetVal;
+		}
+		// Get existing values
+        $sql  = 'SELECT * FROM `'.TABLE_PREFIX.'users` ' ;
+        $sql .= 'WHERE user_id = '.$user_id.' ';
+        $sql .=   'AND user_id != 1 ';
 
-// Check if user id is a valid number and doesnt equal 1
-if(!isset($_POST['user_id']) OR !is_numeric($_POST['user_id']) OR $_POST['user_id'] == 1) {
-	header("Location: index.php");
-	exit(0);
-} else {
-	$user_id = intval($_POST['user_id']);
-}
+        if($oRes = $database->query($sql)){
+            $olduser = $oRes->fetchRow(MYSQL_ASSOC);
+        }
 
-// Gather details entered
-$groups_id = (isset($_POST['groups'])) ? implode(",", $admin->add_slashes($_POST['groups'])) : '';
-$active = $admin->add_slashes($_POST['active'][0]);
-$username_fieldname = $admin->get_post_escaped('username_fieldname');
-$username = strtolower($admin->get_post_escaped($username_fieldname));
-$password = $admin->get_post('password');
-$password2 = $admin->get_post('password2');
-$display_name = $admin->get_post_escaped('display_name');
-$email = $admin->get_post_escaped('email');
-$home_folder = $admin->get_post_escaped('home_folder');
+        // Gather details entered
+        if($admin->is_group_match($admin->get_groups_id(), '1' )){
+            $groups_id = (isset($aActionRequest['groups'])) ? implode(",", $admin->add_slashes($aActionRequest['groups'])) : '';
+        } else {
+            $groups_id = $olduser['group_id'];
+        }
+        // there will be an additional ',' when "Please Choose" was selected, too
+        $groups_id = trim($groups_id, ',');
+        $active = intval(strip_tags($admin->StripCodeFromText($aActionRequest['active'][0])));
+        $username_fieldname = strip_tags($admin->StripCodeFromText($aActionRequest['username_fieldname']));
+        $username = strtolower(strip_tags($admin->StripCodeFromText($aActionRequest[$username_fieldname])));
+        $password = strip_tags($admin->StripCodeFromText($aActionRequest['password']));
+        $password2 = strip_tags($admin->StripCodeFromText($aActionRequest['password2']));
+        $display_name = strip_tags($admin->StripCodeFromText($aActionRequest['display_name']));
+        $email = strip_tags($admin->StripCodeFromText($aActionRequest['email']));
+        $home_folder = strip_tags($admin->StripCodeFromText($aActionRequest['home_folder']));
 
-// Check values
-if($groups_id == "") {
-	$admin->print_error($MESSAGE['USERS_NO_GROUP'], $js_back);
-}
-if(!preg_match('/^[a-z]{1}[a-z0-9_-]{2,}$/i', $username))
-{
+        // Check values
+        if($groups_id == "") {
+        	msgQueue::add($MESSAGE['USERS_NO_GROUP']);
+        } else {
+            $aGroups_id = explode(',', $groups_id);
+            //if user is in administrator-group, get this group else just get the first one
+            if($admin->is_group_match($groups_id,'1')) { $group_id = 1; } else { $group_id = intval($aGroups_id[0]); }
+        }
 
-//	print '<pre style="text-align: left;"><strong>function '.__FUNCTION__.'( '.''.' );</strong>  basename: '.basename(__FILE__).'  line: '.__LINE__.' -> <br />';
-//	print_r( $_POST ); print '</pre>';
-	$admin->print_error( $MESSAGE['USERS_NAME_INVALID_CHARS'].' / '.
-	                  $MESSAGE['USERS_USERNAME_TOO_SHORT'], $js_back);
-}
-if($password != "") {
-	if(strlen($password) < 6 ) {
-		$admin->print_error($MESSAGE['USERS_PASSWORD_TOO_SHORT'], $js_back);
-	}
-	if($password != $password2) {
-		$admin->print_error($MESSAGE['USERS_PASSWORD_MISMATCH'], $js_back);
-	}
-}
+//$admin->is_group_match($admin->get_groups_id(), '1' )
+        if(!preg_match('/^[a-z]{1}[a-z0-9_-]{2,}$/i', $username))
+        {
+        	msgQueue::add( $MESSAGE['USERS_NAME_INVALID_CHARS']);
+        }
 
-if($email != "")
-{
-	if($admin->validate_email($email) == false)
-    {
-        $admin->print_error($MESSAGE['USERS_INVALID_EMAIL'], $js_back);
-	}
-} else { // e-mail must be present
-	$admin->print_error($MESSAGE['SIGNUP_NO_EMAIL'], $js_back);
-}
+        if($password != "") {
+        	if(strlen($password) < $iMinPassLength ) {
+        		msgQueue::add($MESSAGE['USERS_PASSWORD_TOO_SHORT']);
+        	}
 
-// Check if the email already exists
-$results = $database->query("SELECT user_id FROM ".TABLE_PREFIX."users WHERE email = '".$admin->add_slashes($_POST['email'])."' AND user_id <> '".$user_id."' ");
-if($results->numRows() > 0)
-{
-	if(isset($MESSAGE['USERS_EMAIL_TAKEN']))
-    {
-		$admin->print_error($MESSAGE['USERS_EMAIL_TAKEN'], $js_back);
-	} else {
-		$admin->print_error($MESSAGE['USERS_INVALID_EMAIL'], $js_back);
-	}
-}
+			$pattern = '/[^'.$admin->password_chars.']/';
+			if (preg_match($pattern, $password)) {
+				msgQueue::add($MESSAGE['PREFERENCES_INVALID_CHARS']);
+        	}
 
-// Prevent from renaming user to "admin"
-if($username != 'admin') {
-	$username_code = ", username = '$username'";
-} else {
-	$username_code = '';
-}
+        	if(($password != $password2) ) {
+        		msgQueue::add($MESSAGE['USERS_PASSWORD_MISMATCH']);
+        	}
+        }
+// check that display_name is unique in whoole system (prevents from User-faking)
+    	$sql  = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` ';
+    	$sql .= 'WHERE `user_id` <> '.(int)$user_id.' AND `display_name` LIKE "'.$display_name.'"';
+    	if( $database->get_one($sql) > 0 ){
+            msgQueue::add($MESSAGE['USERS_USERNAME_TAKEN'].' ('.$TEXT['DISPLAY_NAME'].')');
+            msgQueue::add($MESSAGE['MEDIA_CANNOT_RENAME']);
+        }
+//
+		if( ($admin->get_user_id() != '1' ) )
+		{
+            if(findStringInFileList($display_name, dirname(__FILE__).'/disallowedNames')) {
+                msgQueue::add( $TEXT['ERROR'].' '.$TEXT['DISPLAY_NAME'].' ('.$display_name.')' );
+            }
+		}
 
-// Update the database
-if($password == "") {
-	$query = "UPDATE ".TABLE_PREFIX."users SET groups_id = '$groups_id', active = '$active'$username_code, display_name = '$display_name', home_folder = '$home_folder', email = '$email' WHERE user_id = '$user_id'";
-} else {
-	// MD5 supplied password
-	$md5_password = md5($password);
-	$query = "UPDATE ".TABLE_PREFIX."users SET groups_id = '$groups_id', active = '$active'$username_code, display_name = '$display_name', home_folder = '$home_folder', email = '$email', password = '$md5_password' WHERE user_id = '$user_id'";
-}
-$database->query($query);
-if($database->is_error()) {
-	$admin->print_error($database->get_error(),$js_back);
-} else {
-	$admin->print_success($MESSAGE['USERS_SAVED']);
-}
+    	$display_name = ( $display_name == '' ? $olduser['display_name'] : $display_name );
 
-// Print admin footer
-$admin->print_footer();
+        if($email != "")
+        {
+        	if($admin->validate_email($email) == false)
+            {
+                msgQueue::add($MESSAGE['USERS_INVALID_EMAIL'].' ('.$email.')');
+        	}
+        } else { // e-mail must be present
+        	msgQueue::add($MESSAGE['SIGNUP_NO_EMAIL']);
+        }
+
+		$sql  = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` '.
+                'WHERE `email` LIKE \''.$email.'\' '.
+                  'AND `user_id` <> '.(int)$user_id;
+        // Check if the email already exists
+        if( ($iFoundUser = $database->get_one($sql)) != null ) {
+            if($iFoundUser) {
+            	if(isset($MESSAGE['USERS_EMAIL_TAKEN']))
+                {
+            		msgQueue::add($MESSAGE['USERS_EMAIL_TAKEN'].' ('.$email.')');
+            	} else {
+            		msgQueue::add($MESSAGE['USERS_INVALID_EMAIL'].' ('.$email.')');
+            	}
+            }
+        }
+
+        $bRetVal = $user_id;
+
+// no error then save
+        if( !msgQueue::getError() )
+        {
+            if($admin->is_group_match($groups_id,'1')) { $group_id = 1; $groups_id = '1'; }
+          // Prevent from renaming user to "admin"
+            if($username != 'admin') {
+            	$username_code = ", username = '$username'";
+            } else {
+            	$username_code = '';
+            }
+
+			$sql  = 'UPDATE `'.TABLE_PREFIX.'users` SET ';
+            // Update the database
+            if($password == "") {
+                $sql .= '`group_id`     = '.intval($group_id).', '.
+                        '`groups_id`    = \''.mysql_real_escape_string($groups_id).'\', '.
+                        '`username` = \''.mysql_real_escape_string($username).'\', '.
+                        '`active` = '.intval($active).', '.
+                        '`display_name` = \''.mysql_real_escape_string($display_name).'\', '.
+                        '`home_folder` = \''.mysql_real_escape_string($home_folder).'\', '.
+                        '`email` = \''.mysql_real_escape_string($email).'\' '.
+                        'WHERE `user_id` = '.intval($user_id).'';
+
+            } else {
+
+                $sql .= '`group_id`     = '.intval($group_id).', '.
+                        '`groups_id`    = \''.mysql_real_escape_string($groups_id).'\', '.
+                        '`username` = \''.mysql_real_escape_string($username).'\', '.
+                        '`password` = \''.md5($password).'\', '.
+                        '`active` = '.intval($active).', '.
+                        '`display_name` = \''.mysql_real_escape_string($display_name).'\', '.
+                        '`home_folder` = \''.mysql_real_escape_string($home_folder).'\', '.
+                        '`email` = \''.mysql_real_escape_string($email).'\' '.
+                        'WHERE `user_id` = '.intval($user_id).'';
+
+            }
+            if($database->query($sql)) {
+            	msgQueue::add($MESSAGE['USERS_SAVED'], true);
+                $bRetVal = $user_id;
+            }
+            if($database->is_error()) {
+               msgQueue::add( implode('<br />',explode(';',$database->get_error())) );
+            }
+       } else {
+            	msgQueue::add($MESSAGE['GENERIC_NOT_UPGRADED']);
+       }
+
+//        return $admin->getIDKEY($user_id);
+//if($admin_header) { $admin->print_header(); }
+        return $bRetVal;
+    }
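Review bot: The two uniqueness checks interpolate unescaped request input into SQL: `$display_name` in the `display_name LIKE` query and `$email` in the `email LIKE` query come straight from `strip_tags($admin->StripCodeFromText(...))`, which does not SQL-escape, while the UPDATE further down wraps the same values in `mysql_real_escape_string()`; the removed code escaped the email lookup with `$admin->add_slashes()`, so this is a regression toward SQL injection. Wrap both values in `mysql_real_escape_string()` (or `$admin->add_slashes()` to match the previous code) and compare with `=` rather than `LIKE`, so that `%` or `_` in a submitted name cannot match every row and block the save. `$olduser` is assigned only when the SELECT succeeds but is read unconditionally for the non-admin `$groups_id` fallback and the empty-`$display_name` fallback; initialize it, e.g. `$olduser = array('group_id' => 0, 'display_name' => '');`, or return with an error when `fetchRow()` yields no row. Passwords are still stored as unsalted `md5()`; that predates this change but deserves a follow-up.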
Index: branches/2.8.x/wb/admin/users/user_form.php
===================================================================
--- branches/2.8.x/wb/admin/users/user_form.php	(nonexistent)
+++ branches/2.8.x/wb/admin/users/user_form.php	(revision 1815)
@@ -0,0 +1,219 @@
+<?php
+
+/**
+ *
+ * @category        admin
+ * @package         pages
+ * @author          Ryan Djurovich (2004-2009), WebsiteBaker Project
+ * @copyright       2009-2012, WebsiteBaker Org. e.V.
+ * @link			http://www.websitebaker2.org/
+ * @license         http://www.gnu.org/licenses/gpl.html
+ * @platform        WebsiteBaker 2.8.x
+ * @requirements    PHP 5.2.2 and higher
+ * @version         $Id$
+ * @filesource		$HeadURL$
+ * @lastmodified    $Date$
+ *
+ */
+
+/* -------------------------------------------------------- */
+// Must include code to stop this file being accessed directly
+if(!defined('WB_URL')) {
+	require_once(dirname(dirname(dirname(__FILE__))).'/framework/globalExceptionHandler.php');
+	throw new IllegalFileException();
+}
+/* -------------------------------------------------------- */
+
+	function show_usermask($admin, &$aActionRequest)
+	{
+		global $TEXT, $MESSAGE, $HEADING, $MENU;
+		$database = WbDatabase::getInstance();
+
+    	$user_id = intval($aActionRequest['user_id']);
+        $user = array(
+            'user_id' => 0,
+            'username'=> '',
+            'display_name'=> '',
+            'email'=> '',
+        );
+
+		// Get existing values
+        $sql  = 'SELECT * FROM `'.TABLE_PREFIX.'users` ' ;
+        $sql .= 'WHERE user_id = '.$user_id.' ';
+        $sql .=   'AND user_id != 1 ';
+
+        if($oRes = $database->query($sql)){
+            $user = $oRes->fetchRow(MYSQL_ASSOC);
+        }
+
+        $sNoRightsToChangeGroups = (($admin->get_user_id()==1)) ? 'hide' : '';
+        $sNoRightsToChangeGroups = (($user['group_id']==1)) ? $sNoRightsToChangeGroups : 'hide';
+		// Setup template object, parse vars to it, then parse it
+		// Create new template object
+		$oTpl = new Template(dirname($admin->correct_theme_source('users_form.htt')),'keep');
+//		$oTpl->debug = true;
+		$oTpl->set_file('page', 'users_form.htt');
+		$oTpl->set_block('page', 'main_block', 'main');
+		$oTpl->set_block('main_block', 'show_modify_loginname_block', 'show_modify_loginname');
+		$oTpl->set_block('main_block', 'show_add_loginname_block', 'show_add_loginname');
+		$oTpl->set_block('main_block', 'show_change_group_list_block', 'show_change_group_list');
+
+		if( ( $admin->get_user_id() != '1' ) )
+		{
+            $oTpl->set_var('CHANGING_GROUPS', 'You are not allowed to change the groups');
+    		$oTpl->parse('show_change_group_list', 'show_change_group_list_block');
+		} else {
+    		$oTpl->parse('show_change_group_list', '');
+		}
+
+		$oTpl->set_var(	array(
+    			   'ACTION_URL'   => ADMIN_URL.'/users/index.php',
+    			   'SUB_ACTION'   => 'save',
+                   'BACK_LINK'    => (isset($aActionRequest['BackLink'])) ? $aActionRequest['BackLink'] : '',
+                   'CANCEL_URL'   => $aActionRequest['cancel_url'],
+    			   'SUBMIT_TITLE' => $TEXT['SAVE'],
+                   'USER_ID' => $user['user_id'],
+//    			   'NO_RIGHTS' => 'hide',
+//    			   'CHANGING_GROUPS' => '',
+    			   'DISPLAY_EXTRA' => '',
+    			   'DISPLAY_HOME_FOLDERS' => '',
+    			   'USERNAME' => $user['username'],
+    			   'DISPLAY_NAME' => $user['display_name'],
+    			   'EMAIL' => $user['email'],
+    			   'ADMIN_URL' => ADMIN_URL,
+    			   'WB_URL' => WB_URL,
+    			   'THEME_URL' => THEME_URL
+    			   )
+			);
+
+		$oTpl->set_var('FTAN', $admin->getFTAN());
+		if($user['active'] == 1) {
+            $oTpl->set_var('DISABLED_CHECKED', '');
+			$oTpl->set_var('ACTIVE_CHECKED', ' checked="checked"');
+		} else {
+            $oTpl->set_var('ACTIVE_CHECKED', '');
+			$oTpl->set_var('DISABLED_CHECKED', ' checked="checked"');
+		}
+//		$results = $database->query("SELECT group_id, name FROM ".TABLE_PREFIX."groups WHERE group_id != '1' ORDER BY name");
+		// Add groups to list
+		$oTpl->set_block('main_block', 'group_list_block', 'group_list');
+    	$sql  = 'SELECT `group_id`,`name` FROM `'.TABLE_PREFIX.'groups` ';
+    	$sql .= 'WHERE `group_id` != 1 ORDER BY `name`';
+		if($oRes = $database->query($sql)) {
+			$oTpl->set_var('ID', '');
+			$oTpl->set_var('NAME', $TEXT['PLEASE_SELECT'].'...');
+			$oTpl->set_var('SELECTED', '');
+			$oTpl->parse('group_list', 'group_list_block', true);
+			while($group = $oRes->fetchRow(MYSQL_ASSOC)) {
+				$oTpl->set_var('ID', $group['group_id']);
+				$oTpl->set_var('NAME', $group['name']);
+				if(in_array($group['group_id'], explode(",",$user['groups_id']))) {
+					$oTpl->set_var('SELECTED', ' selected="selected"');
+				} else {
+					$oTpl->set_var('SELECTED', '');
+				}
+				$oTpl->parse('group_list', 'group_list_block', true);
+			}
+		}
+
+//		$in_group = false;
+//  || ($admin->ami_group_member('1'))
+// Only allow the user to add a user to the Administrators group if they belong to it
+		if( ($admin->is_group_match($user['groups_id'], '1') ) || ($admin->ami_group_member('1')) )
+	    {
+            if( ($in_group = ($admin->ami_group_member('1'))) == false ) {
+            	$sql  = 'SELECT `name` FROM `'.TABLE_PREFIX.'groups` ';
+            	$sql .= 'WHERE `group_id` = 1 ORDER BY `name`';
+                if( ($sGroupName = $database->get_one($sql)) != null ) {
+            		$in_group = true;
+        			$oTpl->set_var('ID', '1');
+        			$oTpl->set_var('NAME', $sGroupName);
+                }
+            } else {
+                if( $in_group = ($admin->is_group_match($admin->get_groups_id(), '1')) ) {
+        			$sGroupName = $admin->get_groups_name();
+        			$oTpl->set_var('ID', '1');
+        			$oTpl->set_var('NAME', $sGroupName[1]);
+                    $in_group = $user['group_id'] == 1;
+                }
+            }
+
+			if($in_group) {
+				$oTpl->set_var('SELECTED', ' selected="selected"');
+			} else {
+				$oTpl->set_var('SELECTED', '');
+			}
+			$oTpl->parse('group_list', 'group_list_block', true);
+		} else {
+			if($oRes->numRows() == 0) {
+				$oTpl->set_var('ID', '');
+				$oTpl->set_var('NAME', $TEXT['NONE_FOUND']);
+				$oTpl->set_var('SELECTED', ' selected="selected"');
+				$oTpl->parse('group_list', 'group_list_block', true);
+			}
+		}
+
+		// Generate username field name
+		$username_fieldname = 'username_';
+		$salt = "abchefghjkmnpqrstuvwxyz0123456789";
+		srand((double)microtime()*1000000);
+		$i = 0;
+		while ($i <= 7) {
+			$num = rand() % 33;
+			$tmp = substr($salt, $num, 1);
+			$username_fieldname = $username_fieldname . $tmp;
+			$i++;
+		}
+
+		// Work-out if home folder should be shown
+		if(!HOME_FOLDERS) {
+			$oTpl->set_var('DISPLAY_HOME_FOLDERS', 'display:none;');
+		}
+
+		// Include the WB functions file
+		require_once(WB_PATH.'/framework/functions.php');
+
+		// Add media folders to home folder list
+		$oTpl->set_block('main_block', 'folder_list_block', 'folder_list');
+		foreach(directory_list(WB_PATH.MEDIA_DIRECTORY) AS $name)
+	    {
+			$oTpl->set_var('NAME', str_replace(WB_PATH, '', $name));
+			$oTpl->set_var('FOLDER', str_replace(WB_PATH.MEDIA_DIRECTORY, '', $name));
+			if($user['home_folder'] == str_replace(WB_PATH.MEDIA_DIRECTORY, '', $name)) {
+				$oTpl->set_var('SELECTED', ' selected="selected"');
+			} else {
+				$oTpl->set_var('SELECTED', ' ');
+			}
+			$oTpl->parse('folder_list', 'folder_list_block', true);
+		}
+
+		// Insert language text and messages
+		$oTpl->set_var(array(
+                    'TEXT_RESET' => $TEXT['RESET'],
+                    'TEXT_CANCEL' => $TEXT['CANCEL'],
+                    'TEXT_ACTIVE' => $TEXT['ACTIVE'],
+                    'TEXT_DISABLED' => $TEXT['DISABLED'],
+                    'TEXT_PLEASE_SELECT' => $TEXT['PLEASE_SELECT'],
+                    'TEXT_USERNAME' => $TEXT['USERNAME'],
+                    'TEXT_PASSWORD' => $TEXT['PASSWORD'],
+                    'TEXT_RETYPE_PASSWORD' => $TEXT['RETYPE_PASSWORD'],
+                    'TEXT_DISPLAY_NAME' => $TEXT['DISPLAY_NAME'],
+                    'TEXT_EMAIL' => $TEXT['EMAIL'],
+                    'TEXT_GROUP' => $TEXT['GROUP'],
+                    'TEXT_NONE' => $TEXT['NONE'],
+                    'TEXT_HOME_FOLDER' => $TEXT['HOME_FOLDER'],
+                    'USERNAME_FIELDNAME' => $username_fieldname,
+                    'CHANGING_PASSWORD' => $MESSAGE['USERS_CHANGING_PASSWORD'],
+                    'HEADING_MODIFY_USER' => $HEADING['MODIFY_USER']
+                    )
+                );
+
+		// Parse template object
+		$oTpl->parse('show_modify_loginname', 'show_modify_loginname_block', true);
+		$oTpl->parse('show_add_loginname', '', true);
+		$oTpl->parse('main', 'main_block', false);
+//			$oTpl->pparse('output', 'page');
+		$output = $oTpl->finish($oTpl->parse('output', 'page'));
+
+        return $output;
+    }
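Review bot: Request-controlled values are placed into the template unescaped: `BACK_LINK` comes from `$aActionRequest['BackLink']` and `CANCEL_URL` from `$aActionRequest['cancel_url']`, and the stored `username`, `display_name` and `email` columns are set the same way; unless users_form.htt escapes its variables, a `"` in any of them breaks out of the form's attribute context. Pass them through `htmlspecialchars($v, ENT_QUOTES)` at the `set_var()` call, and for the two URLs additionally restrict them to a local admin path. The defaults built for `$user` are clobbered: `fetchRow()` returns false when the SELECT matches no row (unknown id, or id 1 which the WHERE excludes), so `$user['group_id']`, `$user['active']`, `$user['groups_id']` and `$user['home_folder']` are then read from `false`, and those keys are missing from the default array anyway. Only assign when a row came back, `if($oRes && ($row = $oRes->fetchRow(MYSQL_ASSOC))) { $user = $row; }`, and add the four keys to the defaults. `$user_id` is taken with a bare `intval()` here while delete.php in this commit runs it through `checkIDKEY()`; confirm the caller in index.php has already validated it.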

Property changes on: branches/2.8.x/wb/admin/users/user_form.php
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:keywords
## -0,0 +1 ##
+Date Author Id Revision HeadURL
\ No newline at end of property
Index: branches/2.8.x/wb/admin/users/delete.php
===================================================================
--- branches/2.8.x/wb/admin/users/delete.php	(nonexistent)
+++ branches/2.8.x/wb/admin/users/delete.php	(revision 1815)
@@ -0,0 +1,98 @@
+<?php
+
+/**
+ *
+ * @category        admin
+ * @package         pages
+ * @author          Ryan Djurovich (2004-2009), WebsiteBaker Project
+ * @copyright       2009-2012, WebsiteBaker Org. e.V.
+ * @link			http://www.websitebaker2.org/
+ * @license         http://www.gnu.org/licenses/gpl.html
+ * @platform        WebsiteBaker 2.8.x
+ * @requirements    PHP 5.2.2 and higher
+ * @version         $Id$
+ * @filesource		$HeadURL$
+ * @lastmodified    $Date$
+ *
+ */
+
+/* -------------------------------------------------------- */
+// Must include code to stop this file being accessed directly
+if(!defined('WB_URL')) {
+	require_once(dirname(dirname(dirname(__FILE__))).'/framework/globalExceptionHandler.php');
+	throw new IllegalFileException();
+}
+/* -------------------------------------------------------- */
+function delete_user($admin, &$aActionRequest)
+{
+	global $TEXT, $MESSAGE;
+	$database = WbDatabase::getInstance();
+    $aUserID = array();
+    $bRetVal = false;
+    if(isset($aActionRequest['user_id']) && !is_array($aActionRequest['user_id'])) {
+        $aUserID[] = $aActionRequest['user_id'];
+    } else {
+        $aUserID = $aActionRequest['user_id'];
+    }
+
+    foreach ( $aUserID AS $key => $value)
+    {
+        switch ($_SERVER['REQUEST_METHOD']) :
+			case 'GET': // insert/update user
+                $_GET['user_id'] =$aUserID[$key];
+				break;
+			default: // show userlist with empty modify mask
+                $_POST['user_id'] =$aUserID[$key];
+		endswitch; // end of switch
+		$user_id = intval($admin->checkIDKEY('user_id', 0, $_SERVER['REQUEST_METHOD']));
+
+		// Check if user id is a valid number and doesnt equal 1
+		if($user_id == 0){
+			msgQueue::add($MESSAGE['GENERIC_FORGOT_OPTIONS'] );
+            return $bRetVal;
+        }
+
+		if( ($user_id < 2 ) )
+		{
+			// if($admin_header) { $admin->print_header(); }
+			msgQueue::add($MESSAGE['GENERIC_SECURITY_ACCESS'] );
+            return $bRetVal;
+		}
+
+		if( ($msg = msgQueue::getError()) == '')
+		{
+			$sql  = 'SELECT `active` FROM `'.TABLE_PREFIX.'users` '.
+                    'WHERE `user_id` = '.$user_id;
+            if( ($iDeleteUser = $database->get_one($sql)) != null ) {
+                if($iDeleteUser) {
+    				// Delete the user
+        			$sql  = 'UPDATE `'.TABLE_PREFIX.'users` SET '.
+                            '`active` = 0 '.
+                            'WHERE `user_id` = '.$user_id;
+                    if( $database->query($sql) ) {
+                        msgQueue::add($TEXT['USERS_DELETED'], true);
+                    }
+                } else {
+        			$sql  = 'DELETE FROM `'.TABLE_PREFIX.'users` '.
+                            'WHERE `user_id` = '.$user_id;
+                    if( $database->query($sql) ) {
+                        msgQueue::add($MESSAGE['USERS_DELETED'], true);
+                    }
+                }
+                $bRetVal = true;
+            }
+            if($database->is_error()) {
+                msgQueue::add( implode('<br />',explode(';',$database->get_error())) );
+                $bRetVal = false;
+           }
+		}
+    }
+    if(isset($aActionRequest['clearmsg'])) { msgQueue::clear();  }
+    return $user_id;
+}
+
+if(!isset($aActionRequest)) {
+    $requestMethod = '_'.strtoupper($_SERVER['REQUEST_METHOD']);
+    $aActionRequest = (isset(${$requestMethod})) ? ${$requestMethod} : null;
+    $aActionRequest['clearmsg'] = true;
+}
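Review bot: `return $user_id;` at the end of delete_user ignores `$bRetVal`, which is reset to false when `$database->is_error()` reports a failed UPDATE/DELETE, so the caller still receives the id after a failed deletion; and when `$aUserID` is empty the foreach never runs and `$user_id` is undefined. Return the status the variable was built for, e.g. `return ($bRetVal ? $user_id : 0);`, assuming callers expect the id on success. The branch `$aUserID = $aActionRequest['user_id'];` is also reached when `user_id` is absent entirely, yielding a foreach over null; guard with `if(!isset($aActionRequest['user_id'])) { msgQueue::add($MESSAGE['GENERIC_FORGOT_OPTIONS']); return $bRetVal; }` before the loop. Writing the id back into `$_GET`/`$_POST` only so that `checkIDKEY()` can read it is a side effect on the superglobals that outlives the call; if `checkIDKEY()` can take the value directly, prefer that. The trailing block dereferences `${$requestMethod}`, which resolves `$_GET`/`$_POST` only at file scope and not inside a function, so it depends on where this file is included.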

Property changes on: branches/2.8.x/wb/admin/users/delete.php
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:keywords
## -0,0 +1 ##
+Date Author Id Revision HeadURL
\ No newline at end of property
Index: branches/2.8.x/wb/admin/users/disallowedNames
===================================================================
--- branches/2.8.x/wb/admin/users/disallowedNames	(nonexistent)
+++ branches/2.8.x/wb/admin/users/disallowedNames	(revision 1815)
@@ -0,0 +1,9 @@
+admin
+asshole
+porno
+arsch
+fuck
+fick
+shit
+scheiss
+viagra
\ No newline at end of file
Index: branches/2.8.x/wb/admin/users/index.php
===================================================================
--- branches/2.8.x/wb/admin/users/index.php	(revision 1814)
+++ branches/2.8.x/wb/admin/users/index.php	(revision 1815)
@@ -15,271 +15,157 @@
  *
  */
 
-$config_file = realpath('../../config.php');
-if(file_exists($config_file) && !defined('WB_URL'))
-{
-	require_once($config_file);
-}
+    /**
+     * checks if a given string is part of a line in a defined file
+     * @param string $sString
+     * @param string $sListFile
+     * @return bool TRUE if at least one match is found, otherwise FALSE
+     */
+    function findStringInFileList( $sString, $sListFile)
+    {
+     $aMatch = array();
+     if(is_readable($sListFile)) {
+      $aList = file($sListFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
+      $aMatch = preg_grep('/'.preg_quote($sString, '/').'/i',$aList);
+     }
+     return (sizeof($aMatch)>0);
+    }
 
-if(!class_exists('admin', false)){ include(WB_PATH.'/framework/class.admin.php'); }
+	function admin_users_index($aActionRequest)
+	{
+		global $MESSAGE;
+		$database = WbDatabase::getInstance();
 
-$admin = new admin('Access', 'users');
+        $sAdminPath = dirname(str_replace('\\', '/', __FILE__));
+        $sAdminName = basename($sAdminPath);
+        $output = '';
+        $aActionRequest['requestMethod'] = '_'.strtoupper($_SERVER['REQUEST_METHOD']);
+        $action = 'show';
+        // Set parameter 'action' as alternative to javascript mechanism
+        $action = (isset($aActionRequest['add'])    ? 'add'    : $action );
+        $action = (isset($aActionRequest['save'])   ? 'save'   : $action );
+        $action = (isset($aActionRequest['modify']) ? 'modify' : $action );
+        $action = (isset($aActionRequest['delete']) ? 'delete' : $action );
+        $action = (isset($aActionRequest['delete_outdated']) ? 'delete_outdated' : $action );
 
-$iUserStatus = 1;
-$iUserStatus = ( ( $admin->get_get('status')==1 ) ? 0 : $iUserStatus );
-unset($_GET);
+		switch($action) :
+			case 'delete': // delete the user
+    			$admin = new admin('Access', 'users_delete',false);
 
-// Setup template object, parse vars to it, then parse it
-// Create new template object
-$template = new Template(dirname($admin->correct_theme_source('users.htt')),'keep');
-// $template->debug = true;
+				include($sAdminPath.'/delete.php');
+    			$output = delete_user($admin,$aActionRequest);
 
-$template->set_file('page', 'users.htt');
-$template->set_block('page', 'main_block', 'main');
-$template->set_block("main_block", "manage_groups_block", "groups");
-$template->set_var('ADMIN_URL', ADMIN_URL);
-$template->set_var('FTAN', $admin->getFTAN());
-$template->set_var('USER_STATUS', $iUserStatus );
-$template->set_var('DISPLAY_ADD', '');
-$template->set_var('DISPLAY_MODIFY', '');
-$template->set_var('DISABLED_CHECKED', '');
-$template->set_var('HEADING_MODIFY_USER', '');
-$template->set_var('DISPLAY_HOME_FOLDERS', '');
+        		if( ($msg = msgQueue::getError()) != '')
+        		{
+        		}
 
-$UserStatusActive = 'url('.THEME_URL.'/images/user.png)';
-$UserStatusInactive = 'url('.THEME_URL.'/images/user_red.png)';
+                $aActionRequest['cancel_url'] = ADMIN_URL.'/access/index.php';
+				$admin = new admin('Access', 'users');
+				include($sAdminPath.'/user_list.php');
+				$output .= show_userlist($admin, $aActionRequest);
+				break;
+			case 'add': // insert/update user
+                $admin = new admin('Access', 'users_add',false);
+				include($sAdminPath.'/add.php');
+    			$output = add_user($admin,$aActionRequest);
+                $aActionRequest['cancel_url'] = ADMIN_URL.'/access/index.php';
+				$admin = new admin('Access', 'users');
+				include($sAdminPath.'/user_list.php');
+				$output .= show_userlist($admin, $aActionRequest);
+				break;
+			case 'save': // insert/update user
+    			$admin = new admin('Access', 'users_modify',false);
+// hold the cancel_url if request comes outside from users
+                if(isset($aActionRequest['BackLink'])) {
+                    $sBackLink = $aActionRequest['BackLink'];
+                    $aActionRequest['cancel_url'] = $sBackLink;
+                    $aActionRequest['BackLink'] = $sBackLink;
+                }
+     			include($sAdminPath.'/save.php');
+                $user_id = save_user($admin, $aActionRequest);
+    			$admin = new admin('Access', 'users_modify');
+     			include($sAdminPath.'/user_form.php');
+                $aActionRequest['user_id'] = $user_id;
+    			$output = show_usermask($admin,$aActionRequest);
+				break;
+			case 'modify': // insert/update user
+// first check acess to auth users can change his own preferences
+    			$admin = new admin('Preferences', 'preferences_view',false);
+    			$user_id = intval($admin->checkIDKEY('user_id', 0, $_SERVER['REQUEST_METHOD']));
+// Check if user id is a valid number and doesnt equal 1
+                $aActionRequest['user_id'] = $user_id;
+    			if($user_id == 0){
+        			msgQueue::add($MESSAGE['GENERIC_FORGOT_OPTIONS'] );
+                }
 
-$sUserTitle = ($iUserStatus == 0) ? $MENU['USERS'].' '.strtolower($TEXT['ACTIVE']) : $MENU['USERS'].' '.strtolower($TEXT['DELETED']) ;
+    			if( ($user_id == $admin->get_user_id() ) )
+    			{
+                    $sQueryString = (isset($_SERVER['QUERY_STRING'])&& ($_SERVER['QUERY_STRING']!='')) ? $_SERVER['QUERY_STRING'] :  'tool=uaerat';
+                    $admin->send_header(ADMIN_URL.'/preferences/index.php?'.$sQueryString);
+    			}
 
-$template->set_var('TEXT_USERS', $sUserTitle.' '.$TEXT['SHOW'] );
-$template->set_var('STATUS_ICON', ( ($iUserStatus==0) ? $UserStatusActive : $UserStatusInactive) );
+    			$admin = new admin('Access', 'users_modify');
 
-// Get existing value from database
-$sql  = 'SELECT `user_id`, `username`, `display_name`, `active` FROM `'.TABLE_PREFIX.'users` ' ;
-$sql .= 'WHERE user_id != 1 ';
-$sql .=     'AND active = '.$iUserStatus.' ';
-$sql .= 'ORDER BY `display_name`,`username`';
+    			if( ($user_id < 2 ) )
+    			{
+    				// if($admin_header) { $admin->print_header(); }
+    				msgQueue::add($MESSAGE['GENERIC_SECURITY_ACCESS'] );
+    			}
+                $admin_header = false;
+                if(isset($aActionRequest['BackLink'])) {
+                    $sBackLink = $aActionRequest['BackLink'];
+                    $aActionRequest['cancel_url'] = $sBackLink;
+                    $aActionRequest['BackLink']   = $sBackLink;
+                } else {
+                    $sBackLink = (isset($_SERVER['QUERY_STRING'])&& ($_SERVER['QUERY_STRING']!='')) ? $_SERVER['HTTP_REFERER'].'?'.$_SERVER['QUERY_STRING'] :  $_SERVER['HTTP_REFERER'];
+                    $aActionRequest['cancel_url'] = $sBackLink;
+                    $aActionRequest['BackLink']   = $sBackLink;
+                }
+     			include($sAdminPath.'/user_form.php');
+    			$output = show_usermask($admin,$aActionRequest);
+				break;
+			default: // show userlist with empty modify mask
+				$admin = new admin('Access', 'users');
+				msgQueue::clear();
+    			$user_id = intval($admin->checkIDKEY('user_id', 0, $_SERVER['REQUEST_METHOD']));
+    			// Check if user id is a valid number and doesnt equal 1
+                $aActionRequest['user_id'] = $user_id;
+                $aActionRequest['cancel_url'] = ADMIN_URL.'/access/index.php';
 
-$query = "SELECT user_id, username, display_name, active FROM ".TABLE_PREFIX."users WHERE user_id != '1' ORDER BY display_name,username";
-$results = $database->query($sql);
-if($database->is_error()) {
-	$admin->print_error($database->get_error(), 'index.php');
-}
+				if($user_id > 1) // prevent 'admin' [ID 1] from modify
+				{
+					include($sAdminPath.'/user_form.php');
+					$output .= show_usermask($admin, $aActionRequest);
+				} elseif($user_id == 0) { // if invalid UserID is called, fall back to 'show-mode'
+					include($sAdminPath.'/user_list.php');
+					$output  = show_userlist($admin, $aActionRequest);
+				}
+		endswitch; // end of switch
+		if( ($msg = msgQueue::getSuccess()) != '')
+		{
+			$output = $admin->format_message($msg, 'ok').$output;
+		}
+		if( ($msg = msgQueue::getError()) != '')
+		{
+			$output = $admin->format_message($msg, 'error').$output;
+		}
+		print $output;
+		$admin->print_footer();
+    }
 
-$sUserList  = $TEXT['LIST_OPTIONS'].' ';
-$sUserList .= ($iUserStatus == 1) ? $MENU['USERS'].' '.strtolower($TEXT['ACTIVE']) : $MENU['USERS'].' '.strtolower($TEXT['DELETED']) ;
-// Insert values into the modify/remove menu
-$template->set_block('main_block', 'list_block', 'list');
-if($results->numRows() > 0) {
-	// Insert first value to say please select
-	$template->set_var('VALUE', '');
-	$template->set_var('NAME', $sUserList);
-	$template->set_var('STATUS', 'class="user-active"' );
-	$template->parse('list', 'list_block', true);
-	// Loop through users
-	while($user = $results->fetchRow(MYSQL_ASSOC)) {
-		$template->set_var('VALUE',$admin->getIDKEY($user['user_id']));
-		$template->set_var('STATUS', ($user['active']==false ? 'class="user-inactive"' : 'class="user-active"') );
-		$template->set_var('NAME', $user['display_name'].' ('.$user['username'].')');
-		$template->parse('list', 'list_block', true);
-	}
-} else {
-	// Insert single value to say no users were found
-	$template->set_var('NAME', $TEXT['NONE_FOUND']);
-	$template->parse('list', 'list_block', true);
-}
+	if(!defined('WB_URL'))
+	{
+        $config_file = realpath('../../config.php');
+        if(file_exists($config_file) && !defined('WB_URL'))
+        {
+        	require($config_file);
+        }
+    }
+    if(!class_exists('admin', false)){ include(WB_PATH.'/framework/class.admin.php'); }
 
-// Insert permissions values
-if($admin->get_permission('users_add') != true) {
-	$template->set_var('DISPLAY_ADD', 'hide');
-}
-if($admin->get_permission('users_modify') != true) {
-	$template->set_var('DISPLAY_MODIFY', 'hide');
-}
-if($admin->get_permission('users_delete') != true) {
-	$template->set_var('DISPLAY_DELETE', 'hide');
-}
-$HeaderTitle = $HEADING['MODIFY_DELETE_USER'].' ';
-$HeaderTitle .= (($iUserStatus == 1) ? strtolower($TEXT['ACTIVE']) : strtolower($TEXT['DELETED']));
-// Insert language headings
-$template->set_var(array(
-		'HEADING_MODIFY_DELETE_USER' => $HeaderTitle,
-		'HEADING_ADD_USER' => $HEADING['ADD_USER']
-		)
-);
-// insert urls
-$template->set_var(array(
-		'ADMIN_URL' => ADMIN_URL,
-		'WB_URL' => WB_URL,
-		'THEME_URL' => THEME_URL
-		)
-);
-// Insert language text and messages
-$template->set_var(array(
-		'DISPLAY_WAITING_ACTIVATION' => '',
-		'TEXT_MODIFY' => $TEXT['MODIFY'],
-		'TEXT_DELETE' => $TEXT['DELETE'],
-		'TEXT_MANAGE_GROUPS' => ( $admin->get_permission('groups') == true ) ? $TEXT['MANAGE_GROUPS'] : "**",
-		'CONFIRM_DELETE' => (($iUserStatus == 1) ? $TEXT['ARE_YOU_SURE'] : $MESSAGE['USERS_CONFIRM_DELETE'])
-		)
-);
+    $requestMethod = '_'.strtoupper($_SERVER['REQUEST_METHOD']);
+    $aActionRequest = (isset(${$requestMethod})) ? ${$requestMethod} : null;
 
-$template->set_block('main_block', 'show_confirmed_activation_block', 'show_confirmed_activation');
-if($admin->ami_group_member('1')) {
-        $template->set_block('show_confirmed_activation_block', 'list_confirmed_activation_block', 'list_confirmed_activation');
-    	$template->set_var('DISPLAY_WAITING_ACTIVATION', 'Users waiting for activation');
-		$sql  = 'SELECT * FROM `'.TABLE_PREFIX.'users` ';
-		$sql .= 'WHERE `confirm_timeout` != 0 ';
-        $sql .=   'AND `active` = 0 ';
-        $sql .=   'AND `user_id` != 1 ';
-        if( ($oRes = $database->query($sql)) ) {
-        	$template->set_var('DISPLAY_DELETE', '');
-//        	$template->set_var('NAME', 'User waiting for activation');
-//        	$template->set_var('STATUS', '' );
-        	// Loop through users
-            if($nNumRows = $oRes->numRows()) {
-            	while($aUser = $oRes->fetchRow(MYSQL_ASSOC)) {
-            		$template->set_var('VALUE',$admin->getIDKEY($aUser['user_id']));
-               		$template->set_var('STATUS', '') ;
-            		$template->set_var('NAME', $aUser['display_name'].' ('.$aUser['username'].')'.' ['.$aUser['email'].']');
-            		$template->parse('list_confirmed_activation', 'list_confirmed_activation_block', true);
-            	}
-            	$template->parse('show_confirmed_activation', 'show_confirmed_activation_block',true);
-            }
-        } else { $nNumRows = 0; }
-
-} else {
-$nNumRows = 0;
-}
-
-if ( $nNumRows == 0){
-	$template->parse('show_confirmed_activation', '');
-}
-
-if ( $admin->get_permission('groups') == true ) $template->parse("groups", "manage_groups_block", true);
-// Parse template object
-$template->parse('main', 'main_block', false);
-$template->pparse('output', 'page');
-
-// Setup template object, parse vars to it, then parse it
-// Create new template object
-$template = new Template(dirname($admin->correct_theme_source('users_form.htt')),'keep');
-// $template->debug = true;
-$template->set_file('page', 'users_form.htt');
-$template->set_block('page', 'main_block', 'main');
-$template->set_block('main_block', 'show_modify_loginname_block', 'show_modify_loginname');
-$template->set_block('main_block', 'show_add_loginname_block', 'show_add_loginname');
-$template->set_var('DISPLAY_EXTRA', 'display:none;');
-$template->set_var('ACTIVE_CHECKED', ' checked="checked"');
-
-$template->set_var('DISPLAY_ADD', '');
-$template->set_var('DISPLAY_MODIFY', '');
-$template->set_var('DISABLED_CHECKED', '');
-$template->set_var('HEADING_MODIFY_USER', '');
-$template->set_var('DISPLAY_HOME_FOLDERS', '');
-$template->set_var('ACTION_URL', ADMIN_URL.'/users/add.php');
-$template->set_var('SUBMIT_TITLE', $TEXT['ADD']);
-$template->set_var('FTAN', $admin->getFTAN());
-// insert urls
-$template->set_var(array(
-		'USER_ID' => '',
-		'USERNAME' => '',
-		'DISPLAY_NAME' => '',
-		'EMAIL' => '',
-		'ADMIN_URL' => ADMIN_URL,
-		'WB_URL' => WB_URL,
-		'THEME_URL' => THEME_URL
-		)
-);
-
-// Add groups to list
-$template->set_block('main_block', 'group_list_block', 'group_list');
-$results = $database->query("SELECT group_id, name FROM ".TABLE_PREFIX."groups WHERE group_id != '1'");
-if($results->numRows() > 0) {
-	$template->set_var('ID', '');
-	$template->set_var('NAME', $TEXT['PLEASE_SELECT'].'...');
-	$template->set_var('SELECTED', ' selected="selected"');
-	$template->parse('group_list', 'group_list_block', true);
-	while($group = $results->fetchRow()) {
-		$template->set_var('ID', $group['group_id']);
-		$template->set_var('NAME', $group['name']);
-		$template->set_var('SELECTED', '');
-		$template->parse('group_list', 'group_list_block', true);
-	}
-}
-// Only allow the user to add a user to the Administrators group if they belong to it
-if(in_array(1, $admin->get_groups_id())) {
-	$users_groups = $admin->get_groups_name();
-	$template->set_var('ID', '1');
-	$template->set_var('NAME', $users_groups[1]);
-	$template->set_var('SELECTED', '');
-	$template->parse('group_list', 'group_list_block', true);
-} else {
-	if($results->numRows() == 0) {
-		$template->set_var('ID', '');
-		$template->set_var('NAME', $TEXT['NONE_FOUND']);
-		$template->parse('group_list', 'group_list_block', true);
-	}
-}
-
-// Insert permissions values
-if($admin->get_permission('users_add') != true) {
-	$template->set_var('DISPLAY_ADD', 'hide');
-}
-
-// Generate username field name
-$username_fieldname = 'username_';
-$salt = "abchefghjkmnpqrstuvwxyz0123456789";
-srand((double)microtime()*1000000);
-$i = 0;
-while ($i <= 7) {
-	$num = rand() % 33;
-	$tmp = substr($salt, $num, 1);
-	$username_fieldname = $username_fieldname . $tmp;
-	$i++;
-}
-
-// Work-out if home folder should be shown
-if(!HOME_FOLDERS) {
-	$template->set_var('DISPLAY_HOME_FOLDERS', 'display:none;');
-}
-
-// Include the WB functions file
-require_once(WB_PATH.'/framework/functions.php');
-
-// Add media folders to home folder list
-$template->set_block('main_block', 'folder_list_block', 'folder_list');
-foreach(directory_list(WB_PATH.MEDIA_DIRECTORY) AS $name) {
-	$template->set_var('NAME', str_replace(WB_PATH, '', $name));
-	$template->set_var('FOLDER', str_replace(WB_PATH.MEDIA_DIRECTORY, '', $name));
-	$template->set_var('SELECTED', ' ');
-	$template->parse('folder_list', 'folder_list_block', true);
-}
-
-// Insert language text and messages
-$template->set_var(array(
-			'TEXT_CANCEL' => $TEXT['CANCEL'],
-			'TEXT_RESET' => $TEXT['RESET'],
-			'TEXT_ACTIVE' => $TEXT['ACTIVE'],
-			'TEXT_DISABLED' => $TEXT['DISABLED'],
-			'TEXT_PLEASE_SELECT' => $TEXT['PLEASE_SELECT'],
-			'TEXT_USERNAME' => $TEXT['USERNAME'],
-			'TEXT_PASSWORD' => $TEXT['PASSWORD'],
-			'TEXT_RETYPE_PASSWORD' => $TEXT['RETYPE_PASSWORD'],
-			'TEXT_DISPLAY_NAME' => $TEXT['DISPLAY_NAME'],
-			'TEXT_EMAIL' => $TEXT['EMAIL'],
-			'TEXT_GROUP' => $TEXT['GROUP'],
-			'TEXT_NONE' => $TEXT['NONE'],
-			'TEXT_HOME_FOLDER' => $TEXT['HOME_FOLDER'],
-			'USERNAME_FIELDNAME' => $username_fieldname,
-			'CHANGING_PASSWORD' => $MESSAGE['USERS_CHANGING_PASSWORD']
-			)
-	);
-
-// Parse template for add user form
-$template->parse('show_modify_loginname', '', true);
-$template->parse('show_add_loginname', 'show_add_loginname_block', true);
-$template->parse('main', 'main_block', false);
-$template->pparse('output', 'page');
-
-$admin->print_footer();
+	admin_users_index($aActionRequest);
+	exit;
+// end of file
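Review bot: In the 'modify' branch the `$user_id < 2` check only queues `$MESSAGE['GENERIC_SECURITY_ACCESS']` and then still includes user_form.php and calls show_usermask() with `$aActionRequest['user_id']` set to 0 or 1, whereas the default branch puts the form behind `if($user_id > 1)`; unless show_usermask() refuses those ids itself (outside this hunk), the mask for the built-in admin is still rendered, so the branch should leave the switch after queuing, e.g. `if($user_id < 2) { msgQueue::add($MESSAGE['GENERIC_SECURITY_ACCESS']); break; }`, which still reaches the message and footer printing after `endswitch`. The `else` fallback that builds `$sBackLink` from `$_SERVER['HTTP_REFERER']` turns a client-supplied header (and a notice when it is absent) into cancel_url/BackLink; the other branches use `ADMIN_URL.'/access/index.php'`, which is the safer default here too. The empty `if( ($msg = msgQueue::getError()) != '') { }` in the delete branch is dead code and can go. findStringInFileList() builds `'/'.preg_quote($sString, '/').'/i'`, so an empty `$sString` matches every line of the list; a leading `if($sString === '') { return false; }` guard avoids that, and `count()` is the usual spelling of `sizeof()`.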
Index: branches/2.8.x/wb/admin/users/add.php
===================================================================
--- branches/2.8.x/wb/admin/users/add.php	(revision 1814)
+++ branches/2.8.x/wb/admin/users/add.php	(revision 1815)
@@ -15,95 +15,162 @@
  *
  */
 
-// Print admin header
-require('../../config.php');
-require_once(WB_PATH.'/framework/class.admin.php');
-// suppress to print the header, so no new FTAN will be set
-$admin = new admin('Access', 'users_add',false);
+/* -------------------------------------------------------- */
+// Must include code to stop this file being accessed directly
+if(!defined('WB_URL')) {
+	require_once(dirname(dirname(dirname(__FILE__))).'/framework/globalExceptionHandler.php');
+	throw new IllegalFileException();
+}
+/* -------------------------------------------------------- */
 
-// Create a javascript back link
-$js_back = ADMIN_URL.'/users/index.php';
+	function add_user($admin, &$aActionRequest)
+	{
+		global $MESSAGE,$TEXT, $HEADING;
+		$database = WbDatabase::getInstance();
+        $bRetVal = false;
+        $iMinPassLength = 6;
 
-if( !$admin->checkFTAN() )
-{
-	$admin->print_header();
-	$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'], $js_back);
-}
-// After check print the header
-$admin->print_header();
+        if( !$admin->checkFTAN() )
+        {
+//        	$admin->print_header();
+        	msgQueue::add($MESSAGE['GENERIC_SECURITY_ACCESS']);
+            return $bRetVal;
+        }
 
-// Get details entered
-$groups_id = (isset($_POST['groups'])) ? implode(",", $admin->add_slashes($_POST['groups'])) : ''; //should check permissions
-$groups_id = trim($groups_id, ','); // there will be an additional ',' when "Please Choose" was selected, too
-$active = $admin->add_slashes($_POST['active'][0]);
-$username_fieldname = $admin->get_post_escaped('username_fieldname');
-$username = strtolower($admin->get_post_escaped($username_fieldname));
-$password = $admin->get_post('password');
-$password2 = $admin->get_post('password2');
-$display_name = $admin->get_post_escaped('display_name');
-$email = $admin->get_post_escaped('email');
-$home_folder = $admin->get_post_escaped('home_folder');
-$default_language = DEFAULT_LANGUAGE;
+        // Get details entered
+        $groups_id = (isset($aActionRequest['groups'])) ? implode(",", $admin->add_slashes($aActionRequest['groups'])) : '';
+        $groups_id = trim($groups_id, ','); // there will be an additional ',' when "Please Choose" was selected, too
+        $active = intval(strip_tags($admin->StripCodeFromText($aActionRequest['active'][0])));
+        $username_fieldname = strip_tags($admin->StripCodeFromText($aActionRequest['username_fieldname']));
+        $username = strtolower(strip_tags($admin->StripCodeFromText($aActionRequest[$username_fieldname])));
+        $password = strip_tags($admin->StripCodeFromText($aActionRequest['password']));
+        $password2 = strip_tags($admin->StripCodeFromText($aActionRequest['password2']));
+        $display_name = strip_tags($admin->StripCodeFromText($aActionRequest['display_name']));
+        $email = strip_tags($admin->StripCodeFromText($aActionRequest['email']));
+        $home_folder = strip_tags($admin->StripCodeFromText($aActionRequest['home_folder']));
 
-// Check values
-if($groups_id == '') {
-	$admin->print_error($MESSAGE['USERS']['NO_GROUP'], $js_back);
-}
-if(!preg_match('/^[a-z]{1}[a-z0-9_-]{2,}$/i', $username)) {
-	$admin->print_error( $MESSAGE['USERS_NAME_INVALID_CHARS'].' / '.
-	                  $MESSAGE['USERS_USERNAME_TOO_SHORT'], $js_back);
-}
-if(strlen($password) < 2) {
-	$admin->print_error($MESSAGE['USERS']['PASSWORD_TOO_SHORT'], $js_back);
-}
-if($password != $password2) {
-	$admin->print_error($MESSAGE['USERS']['PASSWORD_MISMATCH'], $js_back);
-}
-if($email != '')
-{
-	if($admin->validate_email($email) == false)
-    {
-		$admin->print_error($MESSAGE['USERS']['INVALID_EMAIL'], $js_back);
-	}
-} else { // e-mail must be present
-	$admin->print_error($MESSAGE['SIGNUP']['NO_EMAIL'], $js_back);
-}
+        $language = DEFAULT_LANGUAGE;
+        $timezone = -72000;
+        $date_format = DEFAULT_DATE_FORMAT;
+        $time_format = DEFAULT_TIME_FORMAT;
+        $confirm_code = '';
+        $confirm_timeout = 0;
+        $remember_key = '';
+        $login_ip = '';
+        $last_reset = 0;
+        $login_when = 0;
 
-// choose group_id from groups_id - workaround for still remaining calls to group_id (to be cleaned-up)
-$gid_tmp = explode(',', $groups_id);
-if(in_array('1', $gid_tmp)) $group_id = '1'; // if user is in administrator-group, get this group
-else $group_id = $gid_tmp[0]; // else just get the first one
-unset($gid_tmp);
+        // Check values
+        // Check values
+        if($groups_id == "") {
+        	msgQueue::add($MESSAGE['USERS_NO_GROUP']);
+        } else {
+            $aGroups_id = explode(',', $groups_id);
+            //if user is in administrator-group, get this group else just get the first one
+            if($admin->is_group_match($groups_id,'1')) { $group_id = 1; } else { $group_id = intval($aGroups_id[0]); }
+        }
 
-// Check if username already exists
-$results = $database->query("SELECT user_id FROM ".TABLE_PREFIX."users WHERE username = '$username'");
-if($results->numRows() > 0) {
-	$admin->print_error($MESSAGE['USERS']['USERNAME_TAKEN'], $js_back);
-}
+        if(!preg_match('/^[a-z]{1}[a-z0-9_-]{2,}$/i', $username)) {
+        	msgQueue::add( $MESSAGE['USERS_NAME_INVALID_CHARS']);
+        }
 
-// Check if the email already exists
-$results = $database->query("SELECT user_id FROM ".TABLE_PREFIX."users WHERE email = '".$admin->add_slashes($_POST['email'])."'");
-if($results->numRows() > 0)
-{
-	if(isset($MESSAGE['USERS']['EMAIL_TAKEN']))
-    {
-		$admin->print_error($MESSAGE['USERS']['EMAIL_TAKEN'], $js_back);
-	} else {
-		$admin->print_error($MESSAGE['USERS']['INVALID_EMAIL'], $js_back);
-	}
-}
+		$sql  = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` '.
+                'WHERE `username` LIKE \''.$username.'\' ';
+        // Check if username already exists
+        if( ($iFoundUser = $database->get_one($sql)) != null ) {
+            if($iFoundUser) {
+            	msgQueue::add($MESSAGE['USERS_USERNAME_TAKEN']);
+            }
+        }
 
-// MD5 supplied password
-$md5_password = md5($password);
+    	if(strlen($password) < $iMinPassLength ) {
+    		msgQueue::add($MESSAGE['USERS_PASSWORD_TOO_SHORT']);
+    	}
 
-// Inser the user into the database
-$query = "INSERT INTO ".TABLE_PREFIX."users (group_id,groups_id,active,username,password,display_name,home_folder,email,timezone, language) VALUES ('$group_id', '$groups_id', '$active', '$username','$md5_password','$display_name','$home_folder','$email','-72000', '$default_language')";
-$database->query($query);
-if($database->is_error()) {
-	$admin->print_error($database->get_error());
-} else {
-	$admin->print_success($MESSAGE['USERS']['ADDED']);
-}
+		$pattern = '/[^'.$admin->password_chars.']/';
+		if (preg_match($pattern, $password)) {
+			msgQueue::add($MESSAGE['PREFERENCES_INVALID_CHARS']);
+    	}
 
-// Print admin footer
-$admin->print_footer();
+    	if(($password != $password2) ) {
+    		msgQueue::add($MESSAGE['USERS_PASSWORD_MISMATCH']);
+    	}
+
+//
+// check that display_name is unique in whoole system (prevents from User-faking)
+    	$sql  = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` ';
+    	$sql .= 'WHERE `user_id` <> '.(int)$admin->get_user_id().' AND `display_name` LIKE "'.$display_name.'"';
+    	if( ($iFoundUser = intval($database->get_one($sql))) > 0 ){
+    	   msgQueue::add($MESSAGE['USERS_USERNAME_TAKEN'].' ('.$TEXT['DISPLAY_NAME'].')');
+        } else {
+            if($display_name == '') {
+        	   msgQueue::add($MESSAGE['GENERIC_FILL_IN_ALL'].' ('.$TEXT['DISPLAY_NAME'].')');
+            }
+       }
+
+        if(findStringInFileList($display_name, dirname(__FILE__).'/disallowedNames')) {
+            msgQueue::add( $TEXT['ERROR'].' '.$TEXT['DISPLAY_NAME'].' ('.$display_name.')' );
+        }
+
+        if($email != "")
+        {
+        	if($admin->validate_email($email) == false)
+            {
+                msgQueue::add($MESSAGE['USERS_INVALID_EMAIL'].' ('.$email.')');
+        	}
+        } else { // e-mail must be present
+        	msgQueue::add($MESSAGE['SIGNUP_NO_EMAIL']);
+        }
+
+		$sql  = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` '.
+                'WHERE `email` LIKE \''.$email.'\' ';
+
+        // Check if the email already exists
+        if( ($iFoundUser = $database->get_one($sql)) != null ) {
+            if($iFoundUser) {
+            	if(isset($MESSAGE['USERS_EMAIL_TAKEN']))
+                {
+            		msgQueue::add($MESSAGE['USERS_EMAIL_TAKEN'].' ('.$email.')');
+            	} else {
+            		msgQueue::add($MESSAGE['USERS_INVALID_EMAIL'].' ('.$email.')');
+            	}
+            }
+        }
+
+		if( ($msg = msgQueue::getError()) == '')
+		{
+            //if user is in administrator-group, get this group else just get the first one
+            if($admin->is_group_match($groups_id,'1')) { $group_id = 1; $groups_id = '1'; }
+            // Inser the user into the database
+			$sql  = 'INSERT INTO `'.TABLE_PREFIX.'users` SET '.
+                    '`group_id`     = '.intval($group_id).', '.
+                    '`groups_id`    = \''.mysql_real_escape_string($groups_id).'\', '.
+                    '`active`       = '.intval($active).', '.
+                    '`username`     = \''.mysql_real_escape_string($username).'\', '.
+                    '`password`     = \''.md5($password).'\', '.
+                    '`confirm_code` = \''.mysql_real_escape_string($confirm_code).'\', '.
+                    '`confirm_timeout` = '.intval($confirm_timeout).', '.
+                    '`remember_key` = \''.mysql_real_escape_string($remember_key).'\', '.
+                    '`last_reset`   = '.intval($last_reset).', '.
+                    '`display_name` = \''.mysql_real_escape_string($display_name).'\', '.
+                    '`email`        = \''.mysql_real_escape_string($email).'\', '.
+                    '`timezone`     = '.intval($timezone).', '.
+                    '`date_format`  = \''.mysql_real_escape_string($date_format).'\', '.
+                    '`time_format`  = \''.mysql_real_escape_string($time_format).'\', '.
+                    '`language`     = \''.mysql_real_escape_string($language).'\', '.
+                    '`home_folder`  = \''.mysql_real_escape_string($home_folder).'\', '.
+                    '`login_when`   = '.intval($login_when).', '.
+                    '`login_ip`     = \''.mysql_real_escape_string($login_ip).'\' '.
+                    '';
+            if($database->query($sql)) {
+            	msgQueue::add($MESSAGE['USERS_ADDED'], true);
+            }
+            if($database->is_error()) {
+                msgQueue::add( implode('<br />',explode(';',$database->get_error())) );
+            }
+        } else {
+        	msgQueue::add($HEADING['ADD_USER'].' '.$MESSAGE['GENERIC_NOT_COMPARE']);
+
+       }
+    }
+//
\ No newline at end of file
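Review bot: The three lookup queries in add_user() interpolate `$username`, `$display_name` and `$email` into `LIKE '...'` without escaping, while the INSERT a few lines later wraps every value in mysql_real_escape_string(); strip_tags()/StripCodeFromText() leave quotes and the `%`/`_` wildcards intact, and the queries run even when the preceding format checks have already queued an error, so the escaping should be applied consistently (and `=` sidesteps the wildcard problem if LIKE is not actually needed). The display_name query also copies the `user_id <> $admin->get_user_id()` exclusion from preferences/save.php; a user being added has no own id to exclude, so the acting admin's display_name is the one name the uniqueness check lets through — drop the exclusion here. The same unescaped LIKE is visible as context in the preferences/save.php hunk below; it is not new there but shares the fix. `is_group_match()` is handed the comma-separated string `$groups_id` while `$aGroups_id` built on the previous line is only used for the fallback — confirm the helper accepts a string. The password is still stored as unsalted md5(); switching to password_hash() needs the login side as well, so it is noted rather than proposed here.
```php
        $sql  = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` '.
                'WHERE `username` = \''.mysql_real_escape_string($username).'\' ';
        // … unchanged: username-taken message, password length/chars/mismatch checks …
        $sql  = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` ';
        $sql .= 'WHERE `display_name` = \''.mysql_real_escape_string($display_name).'\'';
        // … unchanged: display_name messages, disallowedNames and e-mail format checks …
        $sql  = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` '.
                'WHERE `email` = \''.mysql_real_escape_string($email).'\' ';
```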
Index: branches/2.8.x/wb/admin/preferences/save.php
===================================================================
--- branches/2.8.x/wb/admin/preferences/save.php	(revision 1814)
+++ branches/2.8.x/wb/admin/preferences/save.php	(revision 1815)
@@ -17,7 +17,7 @@
 
 function save_preferences( &$admin, &$database)
 {
-	global $MESSAGE;
+	global $MESSAGE,$TEXT;
 	$err_msg = array();
 	$iMinPassLength = 6;
 	$bPassRequest = false;
@@ -33,7 +33,7 @@
 // check that display_name is unique in whoole system (prevents from User-faking)
     	$sql  = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` ';
     	$sql .= 'WHERE `user_id` <> '.(int)$admin->get_user_id().' AND `display_name` LIKE "'.$display_name.'"';
-    	if( $database->get_one($sql) > 0 ){ $err_msg[] = $MESSAGE['USERS_USERNAME_TAKEN']; }
+    	if( $database->get_one($sql) > 0 ){ $err_msg[] = $MESSAGE['USERS_USERNAME_TAKEN'].' ('.$TEXT['DISPLAY_NAME'].')'; }
 // language must be 2 upercase letters only
     	$language         = strtoupper($admin->get_post('language'));
     	$language         = (preg_match('/^[A-Z]{2}$/', $language) ? $language : DEFAULT_LANGUAGE);
