2006-12-02 04:36:16 +00:00
< ? php
/*
+ ----------------------------------------------------------------------------+
| e107 website system
|
| <EFBFBD> SteveDunstan 2001 - 2002
| http :// e107 . org
| jalist @ e107 . org
|
| Released under the terms and conditions of the
| GNU General Public License ( http :// gnu . org ) .
|
| $Source : / cvs_backup / e107_0 . 8 / usersettings . php , v $
2008-12-21 03:58:07 +00:00
| $Revision : 1.28 $
| $Date : 2008 - 12 - 21 03 : 58 : 07 $
2008-12-10 16:37:17 +00:00
| $Author : mcfly_e107 $
2008-01-06 21:16:37 +00:00
+----------------------------------------------------------------------------+
2007-12-15 15:06:40 +00:00
Notes :
Uses $udata initially , later curVal to hold current user data
2008-01-06 21:16:37 +00:00
Admin log events :
2008-12-10 16:37:17 +00:00
USET_01 - admin changed user data
2008-01-06 21:16:37 +00:00
2006-12-02 04:36:16 +00:00
*/
2007-12-15 15:06:40 +00:00
2008-12-10 16:37:17 +00:00
require_once ( 'class2.php' );
require_once ( e_HANDLER . 'ren_help.php' );
require_once ( e_HANDLER . 'user_extended_class.php' );
require_once ( e_HANDLER . 'user_handler.php' );
2006-12-02 04:36:16 +00:00
$ue = new e107_user_extended ;
2008-06-13 20:20:23 +00:00
$user_info = new UserHandler ;
2006-12-02 04:36:16 +00:00
2007-10-09 21:30:29 +00:00
//define("US_DEBUG",TRUE);
2008-12-10 16:37:17 +00:00
define ( 'US_DEBUG' , false );
2007-10-09 21:30:29 +00:00
2007-12-15 15:06:40 +00:00
2008-12-10 16:37:17 +00:00
if ( ! USER )
{ // Must be logged in to change settings
header ( 'location:' . e_BASE . 'index.php' );
exit ;
2006-12-02 04:36:16 +00:00
}
2008-12-10 16:37:17 +00:00
if ( ! ADMIN && e_QUERY && e_QUERY != 'update' )
2007-12-15 15:06:40 +00:00
{
2008-12-10 16:37:17 +00:00
header ( 'location:' . e_BASE . 'usersettings.php' );
exit ;
2006-12-02 04:36:16 +00:00
}
2008-12-10 16:37:17 +00:00
require_once ( e_HANDLER . 'ren_help.php' );
2006-12-02 04:36:16 +00:00
2008-12-10 16:37:17 +00:00
if ( is_readable ( THEME . 'usersettings_template.php' ))
2006-12-02 04:36:16 +00:00
{
2008-12-10 16:37:17 +00:00
include_once ( THEME . 'usersettings_template.php' );
2006-12-02 04:36:16 +00:00
}
else
{
2008-12-10 16:37:17 +00:00
include_once ( e_THEME . 'templates/usersettings_template.php' );
2006-12-02 04:36:16 +00:00
}
2008-12-10 16:37:17 +00:00
include_once ( e_FILE . 'shortcode/batch/usersettings_shortcodes.php' );
2006-12-02 04:36:16 +00:00
2008-12-10 16:37:17 +00:00
require_once ( e_HANDLER . 'calendar/calendar_class.php' );
2006-12-02 04:36:16 +00:00
$cal = new DHTML_Calendar ( true );
2008-12-10 16:37:17 +00:00
$_uid = is_numeric ( e_QUERY ) ? intval ( e_QUERY ) : '' ;
$sesschange = '' ; // Notice removal
2007-07-23 20:06:05 +00:00
$photo_to_delete = '' ;
$avatar_to_delete = '' ;
2007-12-15 15:06:40 +00:00
$changed_user_data = array ();
2008-06-13 20:20:23 +00:00
$ue_fields = '' ;
2008-12-10 16:37:17 +00:00
$promptPassword = false ;
2006-12-02 04:36:16 +00:00
2008-12-10 16:37:17 +00:00
require_once ( HEADERF );
2006-12-02 04:36:16 +00:00
2008-01-06 21:16:37 +00:00
// Given an array of user data, return a comma separated string which includes public, admin, member classes etc as appropriate.
function addCommonClasses ( $udata )
{
2008-12-10 16:37:17 +00:00
$tmp = array ();
if ( $udata [ 'user_class' ] != '' ) $tmp = explode ( ',' , $udata [ 'user_class' ]);
$tmp [] = e_UC_MEMBER ;
$tmp [] = e_UC_READONLY ;
$tmp [] = e_UC_PUBLIC ;
if ( $udata [ 'user_admin' ] == 1 )
{
$tmp [] = e_UC_ADMIN ;
}
if ( strpos ( $udata [ 'user_perms' ], '0' ) === 0 )
{
$tmp [] = e_UC_MAINADMIN ;
}
return implode ( " , " , $tmp );
2008-01-06 21:16:37 +00:00
}
2007-12-15 15:06:40 +00:00
// Save user settings (changes only)
//-----------------------------------
2008-12-10 16:37:17 +00:00
$error = '' ;
2006-12-02 04:36:16 +00:00
2008-06-13 20:20:23 +00:00
if ( isset ( $_POST [ 'updatesettings' ]) || isset ( $_POST [ 'SaveValidatedInfo' ]))
2006-12-02 04:36:16 +00:00
{
2008-12-10 16:37:17 +00:00
// Get the required user info
2006-12-02 04:36:16 +00:00
if ( $_uid && ADMIN )
2008-12-10 16:37:17 +00:00
{ // Admin logged in and editing another user's settings - so editing a different ID
$inp = $_uid ;
$remflag = true ;
2006-12-02 04:36:16 +00:00
}
else
2008-12-10 16:37:17 +00:00
{ // Current user logged in - use their ID
$inp = USERID ;
2006-12-02 04:36:16 +00:00
}
2008-12-10 16:37:17 +00:00
$udata = get_user_data ( $inp ); // Get all the existing user data, including any extended fields
2008-01-06 21:16:37 +00:00
$udata [ 'user_classlist' ] = addCommonClasses ( $udata );
2007-12-15 15:06:40 +00:00
2008-12-10 16:37:17 +00:00
$peer = ( $inp == USERID ? false : true ); // FALSE if editing own data
2008-06-13 20:20:23 +00:00
}
if ( isset ( $_POST [ 'updatesettings' ]))
{
2008-12-10 16:37:17 +00:00
if ( ! varsettrue ( $pref [ 'auth_method' ]) || $pref [ 'auth_method' ] == '>e107' )
{
$pref [ 'auth_method' ] = 'e107' ;
}
if ( $pref [ 'auth_method' ] != 'e107' )
2008-06-13 20:20:23 +00:00
{
2008-12-10 16:37:17 +00:00
$_POST [ 'password1' ] = '' ;
$_POST [ 'password2' ] = '' ;
2008-06-13 20:20:23 +00:00
}
2007-12-15 15:06:40 +00:00
2008-12-10 16:37:17 +00:00
if ( $_POST [ 'image' ] == '' && $udata [ 'user_image' ])
2008-06-13 20:20:23 +00:00
{
2008-12-10 16:37:17 +00:00
$changed_user_data [ 'user_image' ] = '' ;
2008-06-13 20:20:23 +00:00
}
2007-12-15 15:06:40 +00:00
2007-07-23 20:06:05 +00:00
// Check external avatar
2007-12-15 15:06:40 +00:00
if ( $_POST [ 'image' ])
{
2008-12-10 16:37:17 +00:00
$img = str_replace ( array ( '\'' , '"' , '(' , ')' ), '' , $_POST [ 'image' ]); // these are invalid anyway, so why allow them? (XSS Fix)
2006-12-02 04:36:16 +00:00
2008-12-10 16:37:17 +00:00
if ( preg_match ( '#[0-9\._]#' , $_POST [ 'image' ]))
2007-12-15 15:06:40 +00:00
{
2008-12-10 16:37:17 +00:00
$img = e_IMAGE . 'avatars/' . $_POST [ 'image' ];
2006-12-02 04:36:16 +00:00
}
2008-12-10 16:37:17 +00:00
if ( $size = getimagesize ( $img ))
2007-12-15 15:06:40 +00:00
{
2008-12-10 16:37:17 +00:00
$avwidth = $size [ 0 ];
$avheight = $size [ 1 ];
$avmsg = '' ;
$pref [ 'im_width' ] = varsettrue ( $pref [ 'im_width' ], 120 );
$pref [ 'im_height' ] = varsettrue ( $pref [ 'im_height' ], 100 );
if ( $avwidth > $pref [ 'im_width' ])
{
$avmsg .= LAN_USET_1 . " ( { $avwidth } )<br /> " . LAN_USET_2 . " : { $pref [ 'im_width' ] } <br /><br /> " ;
}
if ( $avheight > $pref [ 'im_height' ])
{
$avmsg .= LAN_USET_3 . " ( { $avheight } )<br /> " . LAN_USET_4 . " : { $pref [ 'im_height' ] } " ;
}
if ( $avmsg )
{
$_POST [ 'image' ] = '' ;
$error = $avmsg ;
}
else
{
if ( $_POST [ 'image' ] != $udata [ 'user_image' ])
{
$changed_user_data [ 'user_image' ] = $_POST [ 'image' ];
}
}
2006-12-02 04:36:16 +00:00
}
2007-12-15 15:06:40 +00:00
else
{
2008-12-10 16:37:17 +00:00
// Invalid image file - we could just put up a message
2007-12-15 15:06:40 +00:00
}
2006-12-02 04:36:16 +00:00
}
2007-12-15 15:06:40 +00:00
// The 'class' option doesn't really make sense to me, but left it for now
2008-12-10 16:37:17 +00:00
// $signup_option_title = array(LAN_308, LAN_120, LAN_121, LAN_USET_19);
// $signup_option_names = array("realname", "signature", "image", "timezone");
2007-12-15 15:06:40 +00:00
2008-01-15 21:57:53 +00:00
$signup_option_title = array ( LAN_308 , LAN_120 , LAN_121 , LAN_USET_6 , LAN_USET_19 );
$signup_option_names = array ( " realname " , " signature " , " image " , " class " , 'signup_option_customtitle' );
2008-12-10 16:37:17 +00:00
foreach ( $signup_option_names as $key => $value )
{ // Check required signup fields
2006-12-02 04:36:16 +00:00
if ( $pref [ 'signup_option_' . $value ] == 2 && ! $_POST [ $value ] && ! $_uid )
{
$error .= LAN_SIGNUP_6 . $signup_option_title [ $key ] . LAN_SIGNUP_7 . " \\ n " ;
}
2008-12-10 16:37:17 +00:00
}
2007-05-28 09:37:35 +00:00
2007-12-15 15:06:40 +00:00
2008-12-10 16:37:17 +00:00
// Login Name checks - only admin can change login name
2007-12-15 15:06:40 +00:00
if ( isset ( $_POST [ 'loginname' ]) && ADMIN && getperms ( " 4 " ))
2008-12-10 16:37:17 +00:00
{ // Only check if its been edited
$loginname = trim ( preg_replace ( '/ |\#|\=|\$/' , " " , strip_tags ( $_POST [ 'loginname' ])));
if ( $loginname != $_POST [ 'loginname' ])
{
$error .= LAN_USET_13 . " \\ n " ;
}
// Check if login name exceeds maximum allowed length
if ( strlen ( $loginname ) > varset ( $pref [ 'loginname_maxlength' ], 30 ))
{
$error .= LAN_USET_14 . " \\ n " ;
}
if ( $udata [ 'user_loginname' ] != $loginname )
{
$changed_user_data [ 'user_loginname' ] = $loginname ;
}
else
{
unset ( $loginname );
}
}
if ( isset ( $loginname ))
{
$_POST [ 'loginname' ] = $loginname ;
}
else
{
unset ( $_POST [ 'loginname' ]); // Make sure no chance of the $_POST value staying set inappropriately
}
// Display name checks
2007-12-15 15:06:40 +00:00
// If display name == login name, it has to meet the criteria for both login name and display name
2008-12-10 16:37:17 +00:00
// echo "Check_class: {$pref['displayname_class']}; {$udata['user_classlist']}; {$peer}<br />";
2008-01-06 21:16:37 +00:00
if ( check_class ( $pref [ 'displayname_class' ], $udata [ 'user_classlist' ], $peer ))
2008-12-10 16:37:17 +00:00
{ // Display name can be different to login name - check display name if its been entered
if ( isset ( $_POST [ 'username' ]))
{
$username = trim ( strip_tags ( $_POST [ 'username' ]));
$_POST [ 'username' ] = $username ;
// echo "Found new display name: {$username}<br />";
}
2006-12-02 04:36:16 +00:00
}
2007-12-15 15:06:40 +00:00
else
2008-12-10 16:37:17 +00:00
{ // Display name and login name must be the same - check only if the login name has been changed
if ( varsettrue ( $loginname )) $username = $loginname ;
2006-12-02 04:36:16 +00:00
}
2007-12-15 15:06:40 +00:00
if ( varsettrue ( $username ))
2006-12-30 22:39:43 +00:00
{
2008-12-10 16:37:17 +00:00
// Impose a minimum length on display name
if ( strlen ( $username ) < 2 )
2007-12-15 15:06:40 +00:00
{
2008-12-10 16:37:17 +00:00
$error .= LAN_USET_12 . " \\ n " ;
}
if ( strlen ( $username ) > varset ( $pref [ 'displayname_maxlength' ], 15 ))
{
$error .= LAN_USET_15 . " \\ n " ;
}
2007-12-15 15:06:40 +00:00
2008-12-10 16:37:17 +00:00
if ( isset ( $pref [ 'signup_disallow_text' ]))
{
$tmp = explode ( " , " , $pref [ 'signup_disallow_text' ]);
foreach ( $tmp as $disallow )
{
if ( stristr ( $username , trim ( $disallow )))
{
$error .= LAN_USET_11 . " \\ n " ;
}
}
}
2007-12-15 15:06:40 +00:00
2008-12-10 16:37:17 +00:00
// Display Name exists.
if ( $sql -> db_Count ( 'user' , '(*)' , " WHERE `user_name`=' " . $username . " ' AND `user_id` != " . ( int ) $inp ))
{
$error .= LAN_USET_17 ;
}
if ( $username != $udata [ 'user_name' ]) { $changed_user_data [ 'user_name' ] = $username ; }
unset ( $username );
}
2007-12-15 15:06:40 +00:00
2008-12-10 16:37:17 +00:00
// Password checks
2008-06-13 20:20:23 +00:00
$new_pass = '' ;
2008-12-10 16:37:17 +00:00
if ( $_POST [ 'password1' ] != $_POST [ 'password2' ])
2007-12-15 15:06:40 +00:00
{
2008-12-10 16:37:17 +00:00
$error .= LAN_105 . " \\ n " ;
2007-12-15 15:06:40 +00:00
}
else
{
2008-12-10 16:37:17 +00:00
if ( trim ( $_POST [ 'password1' ]) != " " )
2007-12-15 15:06:40 +00:00
{
2008-12-10 16:37:17 +00:00
if ( strlen ( trim ( $_POST [ 'password1' ])) < $pref [ 'signup_pass_len' ])
{
$error .= LAN_SIGNUP_4 . $pref [ 'signup_pass_len' ] . LAN_SIGNUP_5 . " \\ n " ;
}
$new_pass = $_POST [ 'password1' ]; // Don't hash it yet
2007-12-15 15:06:40 +00:00
}
}
2008-12-10 16:37:17 +00:00
// Email address checks
2007-12-15 15:06:40 +00:00
if ( ! varsettrue ( $pref [ 'disable_emailcheck' ]))
{
2008-12-10 16:37:17 +00:00
if ( ! check_email ( $_POST [ 'email' ]))
{
$error .= LAN_106 . " \\ n " ;
}
2006-12-30 22:39:43 +00:00
}
2006-12-02 04:36:16 +00:00
2007-12-15 15:06:40 +00:00
// Check for duplicate of email address
2008-12-10 16:37:17 +00:00
if ( $sql -> db_Select ( 'user' , 'user_name, user_email' , " user_email=' " . $tp -> toDB ( $_POST [ 'email' ]) . " ' AND user_id != " . ( int ) $inp ))
2007-12-15 15:06:40 +00:00
{
2008-12-10 16:37:17 +00:00
$error .= LAN_408 . " \\ n " ;
2007-12-15 15:06:40 +00:00
}
2007-05-28 09:37:35 +00:00
2008-12-10 16:37:17 +00:00
// Uploaded avatar and/or photo
2008-06-13 20:20:23 +00:00
if ( $file_userfile [ 'error' ] != 4 )
2006-12-02 04:36:16 +00:00
{
2008-12-10 16:37:17 +00:00
require_once ( e_HANDLER . 'upload_handler.php' );
require_once ( e_HANDLER . 'resize_handler.php' );
2007-12-15 15:06:40 +00:00
2008-12-10 16:37:17 +00:00
if ( $uploaded = file_upload ( e_FILE . 'public/avatars/' , 'avatar=' . $udata [ 'user_id' ]))
{
foreach ( $uploaded as $upload )
{ // Needs the latest upload handler (with legacy and 'future' interfaces) to work
if ( $upload [ 'name' ] && ( $upload [ 'index' ] == 'avatar' ) && $pref [ 'avatar_upload' ])
{
// avatar uploaded - give it a reference which identifies it as server-stored
$_POST [ 'image' ] = " -upload- " . $upload [ 'name' ];
if ( $_POST [ 'image' ] != $udata [ 'user_image' ])
{
$avatar_to_delete = str_replace ( " -upload- " , " " , $udata [ 'user_image' ]);
// echo "Avatar change; deleting {$avatar_to_delete}<br />";
$changed_user_data [ 'user_image' ] = $_POST [ 'image' ];
}
if ( ! resize_image ( e_FILE . " public/avatars/ " . $upload [ 'name' ], e_FILE . " public/avatars/ " . $upload [ 'name' ], " avatar " ))
{
unset ( $message );
$error .= RESIZE_NOT_SUPPORTED . " \\ n " ;
@ unlink ( e_FILE . 'public/avatars/' . $upload [ 'name' ]);
$_POST [ 'image' ] = '' ;
unset ( $changed_user_data [ 'user_image' ]);
}
}
2007-12-15 15:06:40 +00:00
2008-12-10 16:37:17 +00:00
if ( $upload [ 'name' ] && ( $upload [ 'index' ] == 'photo' ) && $pref [ 'photo_upload' ])
{
// photograph uploaded
if ( $udata [ 'user_sess' ] != $upload [ 'name' ])
{
$photo_to_delete = $udata [ 'user_sess' ];
$changed_user_data [ 'user_sess' ] = $upload [ 'name' ];
}
if ( ! resize_image ( e_FILE . 'public/avatars/' . $upload [ 'name' ], e_FILE . 'public/avatars/' . $upload [ 'name' ], 180 ))
{
unset ( $message );
$error .= RESIZE_NOT_SUPPORTED . " \\ n " ;
@ unlink ( e_FILE . 'public/avatars/' . $upload [ 'name' ]);
unset ( $changed_user_data [ 'user_sess' ]);
}
}
2006-12-02 04:36:16 +00:00
}
}
}
2008-12-10 16:37:17 +00:00
// See if user just wants to delete existing photo
2007-07-23 20:06:05 +00:00
if ( isset ( $_POST [ 'user_delete_photo' ]))
2006-12-02 04:36:16 +00:00
{
2008-12-10 16:37:17 +00:00
$photo_to_delete = $udata [ 'user_sess' ];
$changed_user_data [ 'user_sess' ] = '' ;
// echo "Just delete old photo: {$photo_to_delete}<br />";
2007-07-23 20:06:05 +00:00
}
2007-12-15 15:06:40 +00:00
2008-12-10 16:37:17 +00:00
// Validate Extended User Fields.
if ( $_POST [ 'ue' ])
2006-12-02 04:36:16 +00:00
{
2008-12-10 16:37:17 +00:00
if ( $sql -> db_Select ( 'user_extended_struct' ))
2007-12-15 15:06:40 +00:00
{
2008-12-10 16:37:17 +00:00
while ( $row = $sql -> db_Fetch ())
{
$extList [ 'user_' . $row [ 'user_extended_struct_name' ]] = $row ;
}
2006-12-02 04:36:16 +00:00
}
2008-12-10 16:37:17 +00:00
foreach ( $_POST [ 'ue' ] as $key => $val )
2008-10-19 21:17:58 +00:00
{
if ( isset ( $extList [ $key ]))
2008-12-10 16:37:17 +00:00
{ // Only allow valid keys
$err = $ue -> user_extended_validate_entry ( $val , $extList [ $key ]);
if ( $err === true && ! $_uid )
{ // General error - usually empty field; could be unacceptable value, or regex fail and no error message defined
$error .= LAN_SIGNUP_6 . ( $tp -> toHtml ( $extList [ $key ][ 'user_extended_struct_text' ], false , " defs " )) . " " . LAN_SIGNUP_7 . " \\ n " ;
} elseif ( $err )
{ // Specific error message returned - usually regex fail
2008-10-19 21:17:58 +00:00
$error .= $err . " \\ n " ;
2008-12-10 16:37:17 +00:00
$err = true ;
2008-10-19 21:17:58 +00:00
}
2008-12-10 16:37:17 +00:00
if ( ! $err )
2008-10-19 21:17:58 +00:00
{
$val = $tp -> toDB ( $val );
$ue_fields .= ( $ue_fields ) ? " , " : " " ;
$ue_fields .= $key . " =' " . $val . " ' " ;
}
2008-06-13 20:20:23 +00:00
}
2008-10-19 21:17:58 +00:00
}
2008-12-10 16:37:17 +00:00
}
2006-12-02 04:36:16 +00:00
2008-12-10 16:37:17 +00:00
unset ( $_POST [ 'password1' ]); // Always clear the password fields - value noted if required
2008-06-13 20:20:23 +00:00
unset ( $_POST [ 'password2' ]);
2007-12-15 15:06:40 +00:00
2008-12-10 16:37:17 +00:00
// All key fields validated here
// -----------------------------
2006-12-02 04:36:16 +00:00
2008-12-10 16:37:17 +00:00
// $inp - UID of user whose data is being changed (may not be the currently logged in user)
2006-12-02 04:36:16 +00:00
if ( ! $error )
{
2008-12-10 16:37:17 +00:00
$_POST [ 'user_id' ] = intval ( $inp );
$ret = $e_event -> trigger ( " preuserset " , $_POST );
2007-10-09 21:30:29 +00:00
2008-12-10 16:37:17 +00:00
if ( $ret == '' )
2007-10-09 21:30:29 +00:00
{
2008-12-10 16:37:17 +00:00
if ( isset ( $_POST [ 'customtitle' ]) && ( $pref [ 'signup_option_customtitle' ]))
{
$new_customtitle = $tp -> toDB ( $_POST [ 'customtitle' ]);
if ( $new_customtitle != $udata [ 'user_customtitle' ])
{
$changed_user_data [ 'user_customtitle' ] = $new_customtitle ;
}
}
2006-12-02 04:36:16 +00:00
2008-12-10 16:37:17 +00:00
// Extended fields - handle any hidden fields
if ( $ue_fields )
2007-12-15 15:06:40 +00:00
{
2008-12-10 16:37:17 +00:00
$hidden_fields = implode ( " ^ " , array_keys ( $_POST [ 'hide' ]));
if ( $hidden_fields != " " )
{
$hidden_fields = " ^ " . $hidden_fields . " ^ " ;
}
$ue_fields .= " , user_hidden_fields = ' " . $hidden_fields . " ' " ;
2007-12-15 15:06:40 +00:00
}
2007-10-09 21:30:29 +00:00
2008-12-10 16:37:17 +00:00
// Handle fields which are just transferred without vetting (but are subject to toDB() for exploit restriction)
$copy_list = array ( 'user_signature' => 'signature' , 'user_login' => 'realname' , 'user_email' => 'email' , 'user_hideemail' => 'hideemail' , 'user_xup' => 'user_xup' );
// Next list identifies numerics which might take a value of 0
$non_text_list = array ( 'user_hideemail' => 'hideemail' );
foreach ( $copy_list as $k => $v )
{
if ( isset ( $_POST [ $v ]) && ( trim ( $_POST [ $v ]) || isset ( $non_text_list [ $k ])))
{
$_POST [ $v ] = $tp -> toDB ( trim ( $_POST [ $v ]));
if ( $_POST [ $v ] != $udata [ $k ])
{
$changed_user_data [ $k ] = $_POST [ $v ];
// echo "Changed {$k}, {$v} from {$udata[$k]} to {$_POST[$v]}<br />";
}
}
}
2007-12-15 15:06:40 +00:00
2007-10-09 21:30:29 +00:00
2008-12-10 16:37:17 +00:00
// Update Userclass - only if its the user changing their own data (admins can do it another way)
if ( ! $_uid )
2006-12-02 04:36:16 +00:00
{
2008-12-10 16:37:17 +00:00
if ( ! is_object ( $e_userclass ))
{
$e_userclass = new user_class ;
}
$ucList = explode ( ',' , $e_userclass -> get_editable_classes ()); // List of classes which this user can edit
if ( count ( $ucList ))
{
if ( US_DEBUG )
{
$admin_log -> e_log_event ( 10 , debug_backtrace (), " DEBUG " , " Usersettings test " , " Read editable list. Current user classes: " . $udata [ 'user_class' ], false , LOG_TO_ROLLING );
}
$cur_classes = explode ( " , " , $udata [ 'user_class' ]); // Current class membership
$newclist = array_flip ( $cur_classes ); // Array keys are now the class IDs
// Update class list - we must take care to only change those classes a user can edit themselves
foreach ( $ucList as $cid )
{
if ( ! in_array ( $cid , $_POST [ 'class' ]))
{
unset ( $newclist [ $cid ]);
}
else
{
$newclist [ $cid ] = 1 ;
}
}
$newclist = array_keys ( $newclist );
$nid = implode ( ',' , array_diff ( $newclist , array ( '' )));
// echo "Userclass data - new: {$nid}, old: {$udata['user_class']}<br />";
if ( $nid != $udata [ 'user_class' ])
{
if ( US_DEBUG )
{
$admin_log -> e_log_event ( 10 , debug_backtrace (), " DEBUG " , " Usersettings test " , " Write back classes; old list: { $udata [ 'user_class' ] } ; new list: " . $nid , false , LOG_TO_ROLLING );
}
$changed_user_data [ 'user_class' ] = $nid ;
}
}
2006-12-02 04:36:16 +00:00
}
2008-12-10 16:37:17 +00:00
// Only admins can update login name - do this just in case one of the event triggers has mucked it about
if ( ! ( ADMIN && getperms ( '4' )))
2006-12-02 04:36:16 +00:00
{
2008-12-10 16:37:17 +00:00
unset ( $changed_user_data [ 'user_loginname' ]);
2007-12-15 15:06:40 +00:00
}
2008-12-10 16:37:17 +00:00
}
else
{ // Invalid data - from hooked in trigger event
$message = " <div style='text-align:center'> " . $ret . " </div> " ;
$caption = LAN_151 ;
}
}
} // End - update setttings
elseif ( isset ( $_POST [ 'SaveValidatedInfo' ]))
{ // Next bit only valid if user editing their own data
if ( ! $peer && ! empty ( $_POST [ 'updated_data' ]) && ! empty ( $_POST [ 'currentpassword' ]) && ! empty ( $_POST [ 'updated_key' ]))
{ // Got some data confirmed with password entry
$new_data = base64_decode ( $_POST [ 'updated_data' ]);
if ( md5 ( $new_data ) != $_POST [ 'updated_key' ])
{ // Should only happen if someone's fooling around
echo " Mismatch on validation key<br /> " ;
exit ;
2007-12-15 15:06:40 +00:00
}
2008-12-10 16:37:17 +00:00
if ( isset ( $_POST [ 'updated_extended' ]))
{
$new_extended = base64_decode ( $_POST [ 'updated_extended' ]);
if ( md5 ( $new_extended ) != $_POST [ 'extended_key' ])
{ // Should only happen if someone's fooling around
echo " Mismatch on validity key<br /> " ;
exit ;
}
}
2007-12-15 15:06:40 +00:00
2008-12-10 16:37:17 +00:00
if ( $user_info -> CheckPassword ( $_POST [ 'currentpassword' ], $udata [ 'user_loginname' ], $udata [ 'user_password' ]) === false ) // Use old data to validate
2007-12-15 15:06:40 +00:00
2008-12-10 16:37:17 +00:00
{ // Invalid password
echo " <br /> " . LAN_USET_22 . " <br /> " ;
require_once ( FOOTERF );
exit ;
2007-12-15 15:06:40 +00:00
}
2008-12-10 16:37:17 +00:00
$changed_user_data = unserialize ( $new_data );
$new_pass = $_POST [ 'currentpassword' ];
if ( ! empty ( $new_extended )) $ue_fields = unserialize ( $new_extended );
unset ( $new_data );
unset ( $new_extended );
2008-06-13 20:20:23 +00:00
}
}
unset ( $_POST [ 'updatesettings' ]);
unset ( $_POST [ 'SaveValidatedInfo' ]);
2007-12-15 15:06:40 +00:00
2008-06-13 20:20:23 +00:00
// At this point we know the error status.
// $changed_user_data has an array of core changed data, except password, which is in $new_pass if changed (or entered as confirmation).
if ( ! $error && ( count ( $changed_user_data ) || $new_pass ))
{
2008-12-10 16:37:17 +00:00
// Sort out password hashes
if ( $new_pass )
{
if ( empty ( $loginname )) $loginname = $udata [ 'user_loginname' ];
$email = $changed_user_data [ 'user_email' ] ? $changed_user_data [ 'user_email' ] : $udata [ 'user_email' ];
$changed_user_data [ 'user_password' ] = $sql -> escape ( $user_info -> HashPassword ( $new_pass , $loginname ), false );
if ( varsettrue ( $pref [ 'allowEmailLogin' ]))
2008-06-13 20:20:23 +00:00
{
$user_prefs = unserialize ( $udata [ 'user_prefs' ]);
$user_prefs [ 'email_password' ] = $user_info -> HashPassword ( $new_pass , $email );
$changed_user_data [ 'user_prefs' ] = serialize ( $user_prefs );
}
2008-12-10 16:37:17 +00:00
}
else
{
if (( isset ( $changed_user_data [ 'user_loginname' ]) && $user_info -> isPasswordRequired ( 'user_loginname' )) || ( isset ( $changed_user_data [ 'user_email' ]) && $user_info -> isPasswordRequired ( 'user_email' )))
2008-06-13 20:20:23 +00:00
{
if ( $_uid )
2008-12-10 16:37:17 +00:00
{ // Admin is changing it
$error = LAN_USET_20 ;
2008-06-13 20:20:23 +00:00
}
else
2008-12-10 16:37:17 +00:00
{ // User is changing their own info
$promptPassword = true ;
2008-06-13 20:20:23 +00:00
}
}
2008-12-10 16:37:17 +00:00
}
2008-06-13 20:20:23 +00:00
}
if (( ! $error && ! $promptPassword ) && ( count ( $changed_user_data ) || $ue_fields ))
{
2008-12-10 16:37:17 +00:00
// We can update the basic user record now - can just update fields from $changed_user_data
if ( US_DEBUG ) { $admin_log -> e_log_event ( 10 , debug_backtrace (), " DEBUG " , " Usersettings test " , " Changed data:<br> " . var_export ( $changed_user_data , true ), false , LOG_TO_ROLLING ); }
$sql -> db_UpdateArray ( " user " , $changed_user_data , " WHERE user_id=' " . intval ( $inp ) . " ' " );
// Now see if we need to log anything. First check the options and class membership
// (Normally we would leave logging decision to the log class. But this one's a bit more complicated)
$user_logging_opts = array_flip ( explode ( ',' , varset ( $pref [ 'user_audit_opts' ], '' )));
$do_log = array ();
$log_action = '' ;
if ( $_uid )
{ // Its an admin changing someone elses data - make an admin log entry here
$admin_log -> log_event ( 'USET_01' , " UID: { $udata [ 'user_id' ] } . UName: { $udata [ 'user_name' ] } " , E_LOG_INFORMATIVE );
// Check against the class of the target user, not the admin!
if ( ! check_class ( varset ( $pref [ 'user_audit_class' ], '' ), $udata [ 'user_class' ])) { $user_logging_opts = array (); }
}
else
{
if ( ! check_class ( varset ( $pref [ 'user_audit_class' ], '' ))) { $user_logging_opts = array (); }
}
// Now log changes if required
if ( count ( $user_logging_opts ))
{
// Start with any specific fields we're changing
2007-12-15 15:06:40 +00:00
2008-12-10 16:37:17 +00:00
if ( isset ( $changed_user_data [ 'user_name' ]))
{
if ( isset ( $user_logging_opts [ USER_AUDIT_NEW_DN ]))
2007-12-15 15:06:40 +00:00
{
$do_log [ 'user_name' ] = $changed_user_data [ 'user_name' ];
$log_action = USER_AUDIT_NEW_DN ;
}
2008-12-10 16:37:17 +00:00
unset ( $changed_user_data [ 'user_name' ]);
}
2007-12-15 15:06:40 +00:00
2008-12-10 16:37:17 +00:00
if ( isset ( $changed_user_data [ 'user_password' ]))
{
if ( isset ( $user_logging_opts [ USER_AUDIT_NEW_PW ]))
{ // Password has already been changed to a hashed value, so OK to leave the data
2007-12-15 15:06:40 +00:00
$do_log [ 'user_password' ] = $changed_user_data [ 'user_password' ];
$log_action = USER_AUDIT_NEW_PW ;
}
2008-12-10 16:37:17 +00:00
unset ( $changed_user_data [ 'user_password' ]);
}
2007-12-15 15:06:40 +00:00
2008-12-10 16:37:17 +00:00
if ( isset ( $changed_user_data [ 'user_email' ]))
{
if ( isset ( $user_logging_opts [ USER_AUDIT_NEW_EML ]))
2007-12-15 15:06:40 +00:00
{
$do_log [ 'user_email' ] = $changed_user_data [ 'user_email' ];
$log_action = USER_AUDIT_NEW_EML ;
}
2008-12-10 16:37:17 +00:00
unset ( $changed_user_data [ 'user_email' ]);
}
2007-12-15 15:06:40 +00:00
2008-12-10 16:37:17 +00:00
if ( count ( $changed_user_data ) && isset ( $user_logging_opts [ USER_AUDIT_NEW_SET ]))
{
$do_log = array_merge ( $do_log , $changed_user_data );
$log_action = USER_AUDIT_NEW_SET ;
}
if ( count ( $do_log ))
{ // Got some changes to audit
// echo "Adding to audit log<br />";
if ( $_uid )
2007-12-15 15:06:40 +00:00
{
2008-12-10 16:37:17 +00:00
$log_action = USER_AUDIT_ADMIN ; // If an admin did the mod, different heading
2007-12-15 15:06:40 +00:00
// Embed a message saying who changed the data
2008-12-10 16:37:17 +00:00
$changed_user_data [ 'message' ] = str_replace ( array ( '--ID--' , '--LOGNAME--' ), array ( USERID , USERNAME ), LAN_USET_18 );
$admin_log -> user_audit ( $log_action , $do_log , $udata [ 'user_id' ], $udata [ 'user_loginname' ]);
}
else
{
if ( count ( $do_log ) > 1 ) { $log_action = USER_AUDIT_NEW_SET ; } // Log multiple entries to one record
$admin_log -> user_audit ( $log_action , $do_log );
2006-12-02 04:36:16 +00:00
}
2007-12-15 15:06:40 +00:00
}
2008-12-10 16:37:17 +00:00
} // End of audit logging
2007-12-15 15:06:40 +00:00
2008-12-10 16:37:17 +00:00
// Now tidy up
if ( $photo_to_delete )
{ // Photo may be a flat file, or in the database
delete_file ( $photo_to_delete );
}
if ( $avatar_to_delete )
{ // Avatar may be a flat file, or in the database
delete_file ( $avatar_to_delete );
}
2006-12-02 04:36:16 +00:00
2008-12-10 16:37:17 +00:00
// If user has changed display name, update the record in the online table
if ( isset ( $changed_user_data [ 'user_name' ]) && ! $_uid )
{
$sql -> db_Update ( 'online' , " online_user_id = ' " . USERID . " . " . $changed_user_data [ 'user_name' ] . " ' WHERE online_user_id = ' " . USERID . " . " . USERNAME . " ' " );
}
2007-12-15 15:06:40 +00:00
2008-12-10 16:37:17 +00:00
// Save extended field values
if ( $ue_fields )
{
// ***** Next line creates a record which presumably should be there anyway, so could generate an error
$sql -> db_Select_gen ( " INSERT INTO #user_extended (user_extended_id, user_hidden_fields) values (' " . intval ( $inp ) . " ', '') " );
$sql -> db_Update ( 'user_extended' , $ue_fields . " WHERE user_extended_id = " . intval ( $inp ));
}
2008-01-06 21:16:37 +00:00
2006-12-02 04:36:16 +00:00
2008-12-10 16:37:17 +00:00
// Update XUP data if file name changed.
if ( isset ( $changed_user_data [ 'user_xup' ]))
{
require_once ( e_HANDLER . " login.php " );
userlogin :: update_xup ( $inp , $changed_user_data [ 'user_xup' ]);
}
2007-10-09 21:30:29 +00:00
2008-12-10 16:37:17 +00:00
$e_event -> trigger ( 'postuserset' , $_POST );
2008-06-13 20:20:23 +00:00
2008-12-10 16:37:17 +00:00
if ( e_QUERY == 'update' )
{
header ( 'Location: index.php' );
}
$message = " <div style='text-align:center'> " . LAN_150 . '</div>' ;
$caption = LAN_151 ;
} // End - if (!$error)...
2008-06-13 20:20:23 +00:00
2008-12-10 16:37:17 +00:00
if ( ! $error && ! $promptPassword ) { unset ( $_POST ); }
2008-06-13 20:20:23 +00:00
2006-12-02 04:36:16 +00:00
if ( $error )
{
2008-12-10 16:37:17 +00:00
require_once ( e_HANDLER . 'message_handler.php' );
message_handler ( 'P_ALERT' , $error );
$adref = $_POST [ 'adminreturn' ];
2006-12-02 04:36:16 +00:00
}
2007-10-09 21:30:29 +00:00
2008-06-13 20:20:23 +00:00
2007-12-15 15:06:40 +00:00
// --- User data has been updated here if appropriate ---
2006-12-02 04:36:16 +00:00
2008-12-10 16:37:17 +00:00
if ( isset ( $message ))
2006-12-02 04:36:16 +00:00
{
$ns -> tablerender ( $caption , $message );
}
2008-12-10 16:37:17 +00:00
$uuid = ( $_uid ? $_uid : USERID ); // If $_uid is set, its an admin changing another user's data
2008-06-13 20:20:23 +00:00
if ( $promptPassword )
2008-12-10 16:37:17 +00:00
{ // User has to enter password to validate data
$updated_data = serialize ( $changed_user_data );
$validation_key = md5 ( $updated_data );
$updated_data = base64_encode ( $updated_data );
$updated_extended = serialize ( $ue_fields );
$extended_key = md5 ( $updated_extended );
$updated_extended = base64_encode ( $updated_extended );
$text = " <form method='post' action=' " . e_SELF . ( e_QUERY ? " ? " . e_QUERY : '' ) . " '>
2008-06-13 20:20:23 +00:00
< table >< tr >< td style = 'text-align:center' > " ;
2008-12-10 16:37:17 +00:00
foreach ( $_POST as $k => $v )
2008-06-13 20:20:23 +00:00
{
2008-12-10 16:37:17 +00:00
if ( is_array ( $v ))
{
foreach ( $v as $sk => $sv )
{
$text .= " <input type='hidden' name=' { $k } [ { $sk } ]' value=' { $sv } ' /> \n " ;
}
}
else
{
$text .= " <input type='hidden' name=' { $k } ' value=' { $v } ' /> \n " ;
}
2008-06-13 20:20:23 +00:00
}
2008-12-10 16:37:17 +00:00
$text .= LAN_USET_21 . " </td></tr><tr><td> </td></tr>
2008-06-13 20:20:23 +00:00
< tr >< td style = 'text-align:center' >< input type = 'password' name = 'currentpassword' value = '' size = '30' /> " ;
2008-12-10 16:37:17 +00:00
$text .= " <input type='hidden' name='updated_data' value=' { $updated_data } ' /><input type='hidden' name='updated_key' value=' { $validation_key } ' />
2008-06-13 20:20:23 +00:00
< input type = 'hidden' name = 'updated_extended' value = '{$updated_extended}' />< input type = 'hidden' name = 'extended_key' value = '{$extended_key}' />
</ td ></ tr >
< tr >< td >& nbsp ; </ td ></ tr >
< tr >< td style = 'text-align:center' >< input type = 'submit' name = 'SaveValidatedInfo' value = '".LAN_ENTER."' /></ td ></ tr >
</ table >
</ form > " ;
2008-12-10 16:37:17 +00:00
$ns -> tablerender ( LAN_155 , $text );
require_once ( FOOTERF );
2008-06-13 20:20:23 +00:00
}
//--------------------------------------------------------
// Re-read the user data into curVal (ready for display)
//--------------------------------------------------------
2006-12-02 04:36:16 +00:00
$qry = "
SELECT u .* , ue .* FROM #user AS u
LEFT JOIN #user_extended AS ue ON ue.user_extended_id = u.user_id
WHERE u . user_id = '".intval($uuid)."'
" ;
$sql -> db_Select_gen ( $qry );
2008-12-10 16:37:17 +00:00
$curVal = $sql -> db_Fetch ();
2008-01-06 21:16:37 +00:00
$curVal [ 'userclass_list' ] = addCommonClasses ( $curVal );
2006-12-02 04:36:16 +00:00
2008-12-10 16:37:17 +00:00
if ( $_POST )
{ // Fix for all the values being lost when there was an error in a field - restore from the latest $_POST values
// (Password fields have intentionally been cleared). If no error, there's an unset($_POST) to disable this block
foreach ( $_POST as $key => $val )
{
2008-12-21 03:58:07 +00:00
$curVal [ 'user_' . $key ] = $tp -> post_toForm ( $val );
2008-12-10 16:37:17 +00:00
}
foreach ( $_POST [ 'ue' ] as $key => $val )
{
2008-12-21 03:58:07 +00:00
$curVal [ $key ] = $to -> post_toForm ( $val );
2008-12-10 16:37:17 +00:00
}
2006-12-02 04:36:16 +00:00
}
2008-12-10 16:37:17 +00:00
require_once ( e_HANDLER . " form_handler.php " );
2006-12-02 04:36:16 +00:00
$rs = new form ;
$text = ( e_QUERY ? $rs -> form_open ( " post " , e_SELF . " ? " . e_QUERY , " dataform " , " " , " enctype='multipart/form-data' " ) : $rs -> form_open ( " post " , e_SELF , " dataform " , " " , " enctype='multipart/form-data' " ));
2008-12-10 16:37:17 +00:00
if ( e_QUERY == " update " )
2006-12-02 04:36:16 +00:00
{
2008-12-10 16:37:17 +00:00
$text .= " <div class='fborder' style='text-align:center'><br /> " . str_replace ( " * " , " <span style='color:red'>*</span> " , LAN_USET_9 ) . " <br /> " . LAN_USET_10 . " <br /><br /></div> " ;
2006-12-02 04:36:16 +00:00
}
2008-12-10 16:37:17 +00:00
$text .= $tp -> parseTemplate ( $USERSETTINGS_EDIT , true , $usersettings_shortcodes );
2006-12-02 04:36:16 +00:00
$text .= " <div> " ;
$text .= "
2007-10-09 21:30:29 +00:00
< input type = 'hidden' name = '_uid' value = '{$uuid}' />
2006-12-02 04:36:16 +00:00
</ div >
</ form >
" ;
$ns -> tablerender ( LAN_155 , $text );
2008-12-10 16:37:17 +00:00
require_once ( FOOTERF );
2006-12-02 04:36:16 +00:00
2007-12-15 15:06:40 +00:00
// If a field is required, returns a red asterisk
2008-12-10 16:37:17 +00:00
function req ( $field )
2007-12-15 15:06:40 +00:00
{
2006-12-02 04:36:16 +00:00
global $pref ;
if ( $field == 2 )
{
$ret = " <span style='text-align:right;font-size:15px; color:red'> *</span> " ;
}
else
{
$ret = " " ;
}
return $ret ;
}
2007-12-15 15:06:40 +00:00
2007-07-23 20:06:05 +00:00
// Delete a file from the public directories. Return TRUE on success, FALSE on failure.
// Also deletes from database if appropriate.
function delete_file ( $fname , $dir = 'avatars/' )
{
2008-12-10 16:37:17 +00:00
global $sql ;
if ( ! $fname ) return false ;
if ( preg_match ( " #Binary (.*?)/# " , $fname , $match ))
{
return $sql -> db_Delete ( " rbinary " , " binary_id=' " . $tp -> toDB ( $match [ 1 ]) . " ' " );
} elseif ( file_exists ( e_FILE . " public/ " . $dir . $fname ))
{
unlink ( e_FILE . " public/ " . $dir . $fname );
return true ;
}
return false ;
2007-07-23 20:06:05 +00:00
}
2006-12-02 04:36:16 +00:00
2008-12-10 16:37:17 +00:00
function headerjs ()
2007-12-15 15:06:40 +00:00
{
2006-12-02 04:36:16 +00:00
global $cal ;
$script = " <script type= \" text/javascript \" >
function addtext_us ( sc ){
document . getElementById ( 'dataform' ) . image . value = sc ;
}
</ script > \n " ;
$script .= $cal -> load_files ();
return $script ;
}
?>
