Project

General

Profile

1 1347 Luisehahne
<?php
2
/**
3
 *
4
 * @category        admin
5
 * @package         users
6 1710 Luisehahne
 * @author          Ryan Djurovich, WebsiteBaker Project
7
 * @copyright       2009-2012, WebsiteBaker Org. e.V.
8 1347 Luisehahne
 * @link			http://www.websitebaker2.org/
9
 * @license         http://www.gnu.org/licenses/gpl.html
10
 * @platform        WebsiteBaker 2.8.x
11 1374 Luisehahne
 * @requirements    PHP 5.2.2 and higher
12 1347 Luisehahne
 * @version         $Id$
13
 * @filesource		$HeadURL$
14
 * @lastmodified    $Date$
15
 *
16
 */
17
18 1815 Luisehahne
/* -------------------------------------------------------- */
19
// Must include code to stop this file being accessed directly
20
if(!defined('WB_URL')) {
21
	require_once(dirname(dirname(dirname(__FILE__))).'/framework/globalExceptionHandler.php');
22
	throw new IllegalFileException();
23 1804 Luisehahne
}
24 1815 Luisehahne
/* -------------------------------------------------------- */
25 1804 Luisehahne
26 1815 Luisehahne
	function save_user($admin, &$aActionRequest)
27
	{
28
		global $TEXT, $MESSAGE;
29
        // Create a javascript back link
30
//        $js_back = ADMIN_URL.'/users/index.php';
31
        unset($aActionRequest['save']);
32
        $aActionRequest['modify']= 'change';
33
		$database = WbDatabase::getInstance();
34
        $bRetVal = 0;
35
    	$iMinPassLength = 6;
36 1804 Luisehahne
37 1815 Luisehahne
        if( !$admin->checkFTAN() )
38
        {
39
        	msgQueue::add($MESSAGE['GENERIC_SECURITY_ACCESS']);
40
            return $bRetVal;
41
        }
42 1347 Luisehahne
43 1815 Luisehahne
        // Check if user id is a valid number and doesnt equal 1
44
        if(!isset($aActionRequest['user_id']) OR !is_numeric($aActionRequest['user_id']) OR $aActionRequest['user_id'] == 1) {
45
        	msgQueue::add('::'.$MESSAGE['GENERIC_NOT_UPGRADED']);
46
            return $bRetVal;
47
        } else {
48
        	$user_id = intval($aActionRequest['user_id']);
49
        }
50 1425 Luisehahne
51 1815 Luisehahne
		if( ($user_id < 2 ) )
52
		{
53
			// if($admin_header) { $admin->print_header(); }
54
        	msgQueue::add($MESSAGE['GENERIC_SECURITY_OFFENSE']);
55
            return $bRetVal;
56
		}
57
		// Get existing values
58
        $sql  = 'SELECT * FROM `'.TABLE_PREFIX.'users` ' ;
59
        $sql .= 'WHERE user_id = '.$user_id.' ';
60
        $sql .=   'AND user_id != 1 ';
61 1347 Luisehahne
62 1815 Luisehahne
        if($oRes = $database->query($sql)){
63
            $olduser = $oRes->fetchRow(MYSQL_ASSOC);
64
        }
65 1347 Luisehahne
66 1815 Luisehahne
        // Gather details entered
67
        if($admin->is_group_match($admin->get_groups_id(), '1' )){
68
            $groups_id = (isset($aActionRequest['groups'])) ? implode(",", $admin->add_slashes($aActionRequest['groups'])) : '';
69
        } else {
70
            $groups_id = $olduser['group_id'];
71
        }
72
        // there will be an additional ',' when "Please Choose" was selected, too
73
        $groups_id = trim($groups_id, ',');
74
        $active = intval(strip_tags($admin->StripCodeFromText($aActionRequest['active'][0])));
75
        $username_fieldname = strip_tags($admin->StripCodeFromText($aActionRequest['username_fieldname']));
76
        $username = strtolower(strip_tags($admin->StripCodeFromText($aActionRequest[$username_fieldname])));
77
        $password = strip_tags($admin->StripCodeFromText($aActionRequest['password']));
78
        $password2 = strip_tags($admin->StripCodeFromText($aActionRequest['password2']));
79
        $display_name = strip_tags($admin->StripCodeFromText($aActionRequest['display_name']));
80
        $email = strip_tags($admin->StripCodeFromText($aActionRequest['email']));
81
        $home_folder = strip_tags($admin->StripCodeFromText($aActionRequest['home_folder']));
82 1347 Luisehahne
83 1815 Luisehahne
        // Check values
84
        if($groups_id == "") {
85
        	msgQueue::add($MESSAGE['USERS_NO_GROUP']);
86
        } else {
87
            $aGroups_id = explode(',', $groups_id);
88
            //if user is in administrator-group, get this group else just get the first one
89
            if($admin->is_group_match($groups_id,'1')) { $group_id = 1; } else { $group_id = intval($aGroups_id[0]); }
90
        }
91 1710 Luisehahne
92 1815 Luisehahne
//$admin->is_group_match($admin->get_groups_id(), '1' )
93
        if(!preg_match('/^[a-z]{1}[a-z0-9_-]{2,}$/i', $username))
94
        {
95
        	msgQueue::add( $MESSAGE['USERS_NAME_INVALID_CHARS']);
96
        }
97 1347 Luisehahne
98 1815 Luisehahne
        if($password != "") {
99
        	if(strlen($password) < $iMinPassLength ) {
100
        		msgQueue::add($MESSAGE['USERS_PASSWORD_TOO_SHORT']);
101
        	}
102 1347 Luisehahne
103 1815 Luisehahne
			$pattern = '/[^'.$admin->password_chars.']/';
104
			if (preg_match($pattern, $password)) {
105
				msgQueue::add($MESSAGE['PREFERENCES_INVALID_CHARS']);
106
        	}
107 1347 Luisehahne
108 1815 Luisehahne
        	if(($password != $password2) ) {
109
        		msgQueue::add($MESSAGE['USERS_PASSWORD_MISMATCH']);
110
        	}
111
        }
112
// check that display_name is unique in whoole system (prevents from User-faking)
113
    	$sql  = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` ';
114
    	$sql .= 'WHERE `user_id` <> '.(int)$user_id.' AND `display_name` LIKE "'.$display_name.'"';
115
    	if( $database->get_one($sql) > 0 ){
116
            msgQueue::add($MESSAGE['USERS_USERNAME_TAKEN'].' ('.$TEXT['DISPLAY_NAME'].')');
117
            msgQueue::add($MESSAGE['MEDIA_CANNOT_RENAME']);
118
        }
119
//
120
		if( ($admin->get_user_id() != '1' ) )
121
		{
122
            if(findStringInFileList($display_name, dirname(__FILE__).'/disallowedNames')) {
123
                msgQueue::add( $TEXT['ERROR'].' '.$TEXT['DISPLAY_NAME'].' ('.$display_name.')' );
124
            }
125
		}
126 1347 Luisehahne
127 1815 Luisehahne
    	$display_name = ( $display_name == '' ? $olduser['display_name'] : $display_name );
128 1347 Luisehahne
129 1815 Luisehahne
        if($email != "")
130
        {
131
        	if($admin->validate_email($email) == false)
132
            {
133
                msgQueue::add($MESSAGE['USERS_INVALID_EMAIL'].' ('.$email.')');
134
        	}
135
        } else { // e-mail must be present
136
        	msgQueue::add($MESSAGE['SIGNUP_NO_EMAIL']);
137
        }
138
139
		$sql  = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` '.
140
                'WHERE `email` LIKE \''.$email.'\' '.
141
                  'AND `user_id` <> '.(int)$user_id;
142
        // Check if the email already exists
143
        if( ($iFoundUser = $database->get_one($sql)) != null ) {
144
            if($iFoundUser) {
145
            	if(isset($MESSAGE['USERS_EMAIL_TAKEN']))
146
                {
147
            		msgQueue::add($MESSAGE['USERS_EMAIL_TAKEN'].' ('.$email.')');
148
            	} else {
149
            		msgQueue::add($MESSAGE['USERS_INVALID_EMAIL'].' ('.$email.')');
150
            	}
151
            }
152
        }
153
154
        $bRetVal = $user_id;
155
156
// no error then save
157
        if( !msgQueue::getError() )
158
        {
159
            if($admin->is_group_match($groups_id,'1')) { $group_id = 1; $groups_id = '1'; }
160
          // Prevent from renaming user to "admin"
161
            if($username != 'admin') {
162
            	$username_code = ", username = '$username'";
163
            } else {
164
            	$username_code = '';
165
            }
166
167
			$sql  = 'UPDATE `'.TABLE_PREFIX.'users` SET ';
168
            // Update the database
169
            if($password == "") {
170
                $sql .= '`group_id`     = '.intval($group_id).', '.
171
                        '`groups_id`    = \''.mysql_real_escape_string($groups_id).'\', '.
172
                        '`username` = \''.mysql_real_escape_string($username).'\', '.
173
                        '`active` = '.intval($active).', '.
174
                        '`display_name` = \''.mysql_real_escape_string($display_name).'\', '.
175
                        '`home_folder` = \''.mysql_real_escape_string($home_folder).'\', '.
176
                        '`email` = \''.mysql_real_escape_string($email).'\' '.
177
                        'WHERE `user_id` = '.intval($user_id).'';
178
179
            } else {
180
181
                $sql .= '`group_id`     = '.intval($group_id).', '.
182
                        '`groups_id`    = \''.mysql_real_escape_string($groups_id).'\', '.
183
                        '`username` = \''.mysql_real_escape_string($username).'\', '.
184
                        '`password` = \''.md5($password).'\', '.
185
                        '`active` = '.intval($active).', '.
186
                        '`display_name` = \''.mysql_real_escape_string($display_name).'\', '.
187
                        '`home_folder` = \''.mysql_real_escape_string($home_folder).'\', '.
188
                        '`email` = \''.mysql_real_escape_string($email).'\' '.
189
                        'WHERE `user_id` = '.intval($user_id).'';
190
191
            }
192
            if($database->query($sql)) {
193
            	msgQueue::add($MESSAGE['USERS_SAVED'], true);
194
                $bRetVal = $user_id;
195
            }
196
            if($database->is_error()) {
197
               msgQueue::add( implode('<br />',explode(';',$database->get_error())) );
198
            }
199
       } else {
200
            	msgQueue::add($MESSAGE['GENERIC_NOT_UPGRADED']);
201
       }
202
203
//        return $admin->getIDKEY($user_id);
204
//if($admin_header) { $admin->print_header(); }
205
        return $bRetVal;
206
    }