< ? php
/*
+ ----------------------------------------------------------------------------+
| e107 website system
|
| © Steve Dunstan 2001 - 2002
| http :// e107 . org
| jalist @ e107 . org
|
| Released under the terms and conditions of the
| GNU General Public License ( http :// gnu . org ) .
|
| $Source : / cvs_backup / e107_0 . 8 / usersettings . php , v $
| $Revision : 1.26 $
| $Date : 2008 - 10 - 19 21 : 13 : 58 $
| $Author : e107steved $
+----------------------------------------------------------------------------+
Notes :
Uses $udata initially , later curVal to hold current user data
Admin log events :
USET_01 - admin changed user data
*/
// Core bootstrap plus the handlers this page depends on
require_once("class2.php");
require_once(e_HANDLER."ren_help.php");
require_once(e_HANDLER."user_extended_class.php");
require_once(e_HANDLER."user_handler.php");

$ue = new e107_user_extended;
$user_info = new UserHandler;

// Set to TRUE to get verbose entries in the rolling admin log while debugging the class/changed-data logic
//define("US_DEBUG",TRUE);
define("US_DEBUG", FALSE);

// Access control: anonymous visitors are sent to the front page
if (!USER)
{
	header("location: ".e_BASE."index.php");
	exit;
}

// A query string other than 'update' is the ID of another user; only admins may carry one.
// (This is what makes $_uid below admin-only.)
if (!ADMIN && e_QUERY && e_QUERY != "update")
{
	header("location: ".e_BASE."usersettings.php");
	exit;
}

require_once(e_HANDLER."ren_help.php"); // already loaded above - harmless because of require_once

// A theme may ship its own settings template; otherwise use the stock one
if (is_readable(THEME."usersettings_template.php"))
{
	include_once(THEME."usersettings_template.php");
}
else
{
	include_once(e_THEME."templates/usersettings_template.php");
}
include_once(e_FILE."shortcode/batch/usersettings_shortcodes.php");

require_once(e_HANDLER."calendar/calendar_class.php");
$cal = new DHTML_Calendar(true);

// Target user ID is taken ONLY from the query string (never from POST); anything non-numeric means 'self'
$_uid = is_numeric(e_QUERY) ? intval(e_QUERY) : "";

// Working variables, initialised up front so later code does not trip notices
$sesschange = '';
$photo_to_delete = '';
$avatar_to_delete = '';
$changed_user_data = array();   // core 'user' table columns to write, keyed by column name
$ue_fields = '';                // SQL SET fragment for the user_extended table
$promptPassword = FALSE;        // set when the change must be confirmed with the current password

require_once(HEADERF);
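// Given an array of user data, return a comma separated string of the user's class IDs augmented with the
// implicit classes everybody holds (member, read-only, public) plus admin / main-admin where applicable.
// $udata - associative array with 'user_class' (comma separated IDs), 'user_admin' and 'user_perms'.
//          Missing keys are treated as empty (the original raised notices on them).
// Returns the comma separated list. Duplicates are NOT removed, matching the original behaviour.
function addCommonClasses($udata)
{
	$tmp = array();
	if (isset($udata['user_class']) && $udata['user_class'] != "")
	{
		$tmp = explode(",", $udata['user_class']);
	}
	$tmp[] = e_UC_MEMBER;
	$tmp[] = e_UC_READONLY;
	$tmp[] = e_UC_PUBLIC;
	if (isset($udata['user_admin']) && $udata['user_admin'] == 1)
	{
		$tmp[] = e_UC_ADMIN;
	}
	// NOTE(review): a perms string whose first character is '0' is treated as main admin. This matches any
	// value that merely starts with '0', not only the exact string '0' - confirm against the perms format.
	if (isset($udata['user_perms']) && strpos($udata['user_perms'], '0') === 0)
	{
		$tmp[] = e_UC_MAINADMIN;
	}
	return implode(",", $tmp);
}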
// Save user settings (changes only)
//-----------------------------------
$error = "";

// Work out whose record is being edited, and load it, before either save path runs
if (isset($_POST['updatesettings']) || isset($_POST['SaveValidatedInfo']))
{
	// $_uid can only be set for admins here (non-admins with a numeric query were redirected above)
	if ($_uid && ADMIN)
	{
		$inp = $_uid;      // Admin editing somebody else's record
		$remflag = TRUE;   // not referenced in this file - possibly read by an included template
	}
	else
	{
		$inp = USERID;     // Logged-in user editing their own record
	}
	$udata = get_user_data($inp);                         // existing core + extended data of the target user
	$udata['user_classlist'] = addCommonClasses($udata);  // class list including the implicit classes
	$peer = ($inp == USERID) ? false : true;             // TRUE when editing somebody else's data
}
if ( isset ( $_POST [ 'updatesettings' ]))
{
// Password fields are only meaningful for e107's native authentication. A missing pref or '>e107'
// means native; for any other auth method blank the fields so they never reach the password code.
if (!varsettrue($pref['auth_method']) || $pref['auth_method'] == '>e107')
{
	$pref['auth_method'] = 'e107';
}
elseif ($pref['auth_method'] != 'e107')
{
	$_POST['password1'] = '';
	$_POST['password2'] = '';
}
// Check external avatar (a URL or path typed into / selected for the 'image' field)
if ($_POST['image'])
{
	// Denylist of characters that could break out of the HTML/CSS the value is later emitted into.
	// NOTE(review): this is not an allowlist - '<', '>' and scheme tricks are untouched, so every output
	// context must still escape the stored value.
	$_POST['image'] = str_replace(array('\'', '"', '(', ')'), '', $_POST['image']); // these are invalid anyway, so why allow them? (XSS Fix)
	// NOTE(review): getimagesize() on a caller-supplied string fetches remote URLs (with allow_url_fopen) and
	// opens local paths, so a logged-in user can make the server issue requests / probe files with this.
	// Restricting the value to http(s) URLs before the call is advisable - confirm first that no stock-avatar
	// flow depends on a bare file name being resolved here.
	if ($size = getimagesize($_POST['image']))
	{
		$avwidth = $size[0];
		$avheight = $size[1];
		$avmsg = "";
		// Default limits when the prefs are unset
		$pref['im_width'] = varsettrue($pref['im_width'], 120);
		$pref['im_height'] = varsettrue($pref['im_height'], 100);
		if ($avwidth > $pref['im_width'])
		{
			$avmsg .= LAN_USET_1."({$avwidth})<br />".LAN_USET_2.": {$pref['im_width']}<br /><br />";
		}
		if ($avheight > $pref['im_height'])
		{
			$avmsg .= LAN_USET_3."({$avheight})<br />".LAN_USET_4.": {$pref['im_height']}";
		}
		if ($avmsg)
		{ // Too large - discard the value and report the size problem
			$_POST['image'] = "";
			$error = $avmsg;
		}
		else
		{ // Acceptable - record it only when it differs from what is stored
			if ($_POST['image'] != $udata['user_image'])
			{
				$changed_user_data['user_image'] = $_POST['image'];
			}
		}
	}
	else
	{ // Invalid image file - we could just put up a message
	}
}
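// Required-field checks for the basic signup options.
// $pref['signup_option_<name>'] == 2 marks the field mandatory; <name> is also the POST field name.
// The 'class' option doesn't really make sense to me, but left it for now
// Note: the custom title's pref is 'signup_option_customtitle' and its POST field is 'customtitle' (see the
// save code further down). The original listed it under its pref name, so the loop looked up
// 'signup_option_signup_option_customtitle' and the required check for it never fired.
$signup_option_title = array(LAN_308, LAN_120, LAN_121, LAN_USET_6, LAN_USET_19);
$signup_option_names = array("realname", "signature", "image", "class", "customtitle");
foreach ($signup_option_names as $key => $value)
{ // Check required signup fields (only when the user edits their own record; admins may leave them blank)
	// empty() also covers a field that was not posted at all, without raising a notice
	if (varset($pref['signup_option_'.$value], 0) == 2 && empty($_POST[$value]) && !$_uid)
	{
		$error .= LAN_SIGNUP_6.$signup_option_title[$key].LAN_SIGNUP_7."\\n";
	}
}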
// Login Name checks - only admin can change login name
if (isset($_POST['loginname']) && ADMIN && getperms("4"))
{ // Only check if its been edited
	// Strip tags and the characters not permitted in a login name (space # = $); if anything was removed
	// the submitted name was invalid
	$loginname = trim(preg_replace('/ |\#|\=|\$/', "", strip_tags($_POST['loginname'])));
	if ($loginname != $_POST['loginname'])
	{
		$error .= LAN_USET_13."\\n";
	}
	// Check if login name exceeds maximum allowed length (pref, default 30)
	if (strlen($loginname) > varset($pref['loginname_maxlength'], 30))
	{
		$error .= LAN_USET_14."\\n";
	}
	// Record only a real change; $loginname stays set as a flag for the display-name logic below
	if ($udata['user_loginname'] == $loginname)
	{
		unset($loginname);
	}
	else
	{
		$changed_user_data['user_loginname'] = $loginname;
	}
}
// Make sure no chance of the $_POST value staying set inappropriately (e.g. posted by a non-admin)
if (isset($loginname))
{
	$_POST['loginname'] = $loginname;
}
else
{
	unset($_POST['loginname']);
}
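// Display name checks
// If display name == login name, it has to meet the criteria for both login name and display name
if (check_class($pref['displayname_class'], $udata['user_classlist'], $peer))
{ // Display name can be different to login name - check display name if its been entered
	if (isset($_POST['username']))
	{
		$username = trim(strip_tags($_POST['username']));
		$_POST['username'] = $username;
	}
}
else
{ // Display name and login name must be the same - check only if the login name has been changed
	if (varsettrue($loginname)) $username = $loginname;
}

if (varsettrue($username))
{
	// Impose a minimum length on display name
	if (strlen($username) < 2)
	{
		$error .= LAN_USET_12."\\n";
	}
	if (strlen($username) > varset($pref['displayname_maxlength'], 15))
	{
		$error .= LAN_USET_15."\\n";
	}
	// Reject names containing any admin-configured disallowed substring (case-insensitive)
	if (isset($pref['signup_disallow_text']))
	{
		$tmp = explode(",", $pref['signup_disallow_text']);
		foreach ($tmp as $disallow)
		{
			if (stristr($username, trim($disallow)))
			{
				$error .= LAN_USET_11."\\n";
			}
		}
	}
	// Display Name exists (belonging to a different user)?
	// $username is user input that only had tags stripped, so it must be escaped before it is interpolated
	// into SQL - just as the duplicate-email check below escapes the email. $sql->escape() is the SQL-only
	// escaper this file already uses for the password hash.
	// NOTE(review): $changed_user_data['user_name'] is still handed to db_UpdateArray() unescaped; confirm
	// that helper escapes values (or that class2.php pre-escapes $_POST).
	if ($sql->db_Count("user", "(*)", "WHERE `user_name`='".$sql->escape($username, FALSE)."' AND `user_id` != '".intval($inp)."'"))
	{
		$error .= LAN_USET_17;
	}
	if ($username != $udata['user_name']) $changed_user_data['user_name'] = $username;
	unset($username);
}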
// Password checks - both fields must agree; an empty field means 'no change'
$new_pass = '';
if ($_POST['password1'] != $_POST['password2'])
{
	$error .= LAN_105."\\n";
}
elseif (trim($_POST['password1']) != "")
{
	// Minimum length from prefs, checked on the trimmed value (the value is kept exactly as entered)
	if (strlen(trim($_POST['password1'])) < $pref['signup_pass_len'])
	{
		$error .= LAN_SIGNUP_4.$pref['signup_pass_len'].LAN_SIGNUP_5."\\n";
	}
	$new_pass = $_POST['password1']; // Don't hash it yet - hashing happens once the final login name is known
}
// Email address checks - syntax (unless disabled by pref), then uniqueness across other users
if (!varsettrue($pref['disable_emailcheck']) && !check_email($_POST['email']))
{
	$error .= LAN_106."\\n";
}
// Check for duplicate of email address (the value is escaped with toDB before it enters the query)
if ($sql->db_Select("user", "user_name, user_email", "user_email='".$tp->toDB($_POST['email'])."' AND user_id !='".intval($inp)."'"))
{
	$error .= LAN_408."\\n";
}
// Uploaded avatar and/or photo
// NOTE(review): $file_userfile is not defined in this file - presumably populated from $_FILES by the core
// (error 4 = no file uploaded). Confirm before relying on it.
if ($file_userfile['error'] != 4)
{
	require_once(e_HANDLER."upload_handler.php");
	require_once(e_HANDLER."resize_handler.php");

	// NOTE(review): file type/size/name validation is delegated entirely to file_upload(); nothing here
	// re-checks the extension of what lands in public/avatars/ - confirm the handler does.
	if ($uploaded = file_upload(e_FILE."public/avatars/", "avatar=".$udata['user_id']))
	{
		foreach ($uploaded as $upload)
		{ // Needs the latest upload handler (with legacy and 'future' interfaces) to work
			if ($upload['name'] && ($upload['index'] == 'avatar') && $pref['avatar_upload'])
			{
				// avatar uploaded - give it a reference which identifies it as server-stored
				$_POST['image'] = "-upload-".$upload['name'];
				if ($_POST['image'] != $udata['user_image'])
				{
					// The previous server-stored avatar is removed after the record has been updated
					$avatar_to_delete = str_replace("-upload-", "", $udata['user_image']);
					$changed_user_data['user_image'] = $_POST['image'];
				}
				// Resize in place; if that is not possible, remove the upload and forget the change
				if (!resize_image(e_FILE."public/avatars/".$upload['name'], e_FILE."public/avatars/".$upload['name'], "avatar"))
				{
					unset($message);
					$error .= RESIZE_NOT_SUPPORTED."\\n";
					@unlink(e_FILE."public/avatars/".$upload['name']);
					$_POST['image'] = '';
					unset($changed_user_data['user_image']);
				}
			}
			if ($upload['name'] && ($upload['index'] == 'photo') && $pref['photo_upload'])
			{
				// photograph uploaded - stored in user_sess as a plain file name (no '-upload-' prefix)
				if ($udata['user_sess'] != $upload['name'])
				{
					$photo_to_delete = $udata['user_sess'];
					$changed_user_data['user_sess'] = $upload['name'];
				}
				if (!resize_image(e_FILE."public/avatars/".$upload['name'], e_FILE."public/avatars/".$upload['name'], 180))
				{
					unset($message);
					$error .= RESIZE_NOT_SUPPORTED."\\n";
					@unlink(e_FILE."public/avatars/".$upload['name']);
					unset($changed_user_data['user_sess']);
				}
			}
		}
	}
}
2007-07-23 20:06:05 +00:00
// See if user just wants to delete existing photo: clear the stored name and queue the old file for removal
if (isset($_POST['user_delete_photo']))
{
	$photo_to_delete = $udata['user_sess'];
	$changed_user_data['user_sess'] = '';
}
// Validate Extended User Fields.
if ($_POST['ue'])
{
	// Lookup of the defined extended fields keyed by column name ('user_' + struct name), so that only
	// known columns can ever be written
	if ($sql->db_Select('user_extended_struct'))
	{
		while ($row = $sql->db_Fetch())
		{
			$extList["user_".$row['user_extended_struct_name']] = $row;
		}
	}
	foreach ($_POST['ue'] as $key => $val)
	{
		if (isset($extList[$key]))
		{ // Only allow valid keys
			$err = $ue->user_extended_validate_entry($val, $extList[$key]);
			if ($err === TRUE && !$_uid)
			{ // General error - usually empty field; could be unacceptable value, or regex fail and no error message defined
				$error .= LAN_SIGNUP_6.($tp->toHtml($extList[$key]['user_extended_struct_text'], FALSE, "defs"))." ".LAN_SIGNUP_7."\\n";
			}
			elseif ($err)
			{ // Specific error message returned - usually regex fail
				$error .= $err."\\n";
				$err = TRUE;
			}
			// (When an admin edits another user, a general error is not reported but the field is still skipped)
			if (!$err)
			{
				// Accumulate a SET clause fragment: keys come from the struct table, values are escaped with toDB.
				// NOTE(review): $ue_fields is raw SQL and is later round-tripped through the browser on the
				// password-confirmation form - the validation there must stay strict.
				$val = $tp->toDB($val);
				$ue_fields .= ($ue_fields) ? ", " : "";
				$ue_fields .= $key."='".$val."'";
			}
		}
	}
}
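unset($_POST['password1']); // Always clear the password fields - value noted if required
unset($_POST['password2']);

// All key fields validated here
// -----------------------------
// $inp - UID of user whose data is being changed (may not be the currently logged in user)
if (!$error)
{
	$_POST['user_id'] = intval($inp);
	// Plugins may veto the update; a non-empty return value is an error message
	$ret = $e_event->trigger("preuserset", $_POST);
	if ($ret == '')
	{
		if (isset($_POST['customtitle']) && ($pref['signup_option_customtitle']))
		{
			$new_customtitle = $tp->toDB($_POST['customtitle']);
			if ($new_customtitle != $udata['user_customtitle']) $changed_user_data['user_customtitle'] = $new_customtitle;
		}

		// Extended fields - handle any hidden fields
		if ($ue_fields)
		{
			// The 'hide' checkboxes arrive as hide[<field>]; only the keys matter. They are user-controlled
			// (a query-string key may contain a quote) and go straight into the SET clause, so escape each one
			// with toDB like every other value in $ue_fields. A missing/non-array 'hide' means nothing is
			// hidden (the original passed NULL to array_keys(), which warns and also yields '').
			$hide_keys = (isset($_POST['hide']) && is_array($_POST['hide'])) ? array_keys($_POST['hide']) : array();
			foreach ($hide_keys as $hk => $hv)
			{
				$hide_keys[$hk] = $tp->toDB($hv);
			}
			$hidden_fields = implode("^", $hide_keys);
			if ($hidden_fields != "")
			{
				$hidden_fields = "^".$hidden_fields."^";
			}
			$ue_fields .= ", user_hidden_fields = '".$hidden_fields."'";
		}

		// Handle fields which are just transferred without vetting (but are subject to toDB() for exploit restriction)
		$copy_list = array('user_signature' => 'signature',
				'user_login' => 'realname',
				'user_email' => 'email',
				'user_hideemail' => 'hideemail',
				'user_xup' => 'user_xup');
		// Next list identifies numerics which might take a value of 0
		$non_text_list = array(
				'user_hideemail' => 'hideemail'
				);
		foreach ($copy_list as $k => $v)
		{
			if (isset($_POST[$v]) && (trim($_POST[$v]) || isset($non_text_list[$k])))
			{
				$_POST[$v] = $tp->toDB(trim($_POST[$v]));
				if ($_POST[$v] != $udata[$k])
				{
					$changed_user_data[$k] = $_POST[$v];
				}
			}
		}

		// Update Userclass - only if its the user changing their own data (admins can do it another way)
		if (!$_uid)
		{
			if (!is_object($e_userclass)) $e_userclass = new user_class;
			$ucList = explode(',', $e_userclass->get_editable_classes()); // List of classes which this user can edit
			if (count($ucList))
			{
				if (US_DEBUG) $admin_log->e_log_event(10, debug_backtrace(), "DEBUG", "Usersettings test", "Read editable list. Current user classes: ".$udata['user_class'], FALSE, LOG_TO_ROLLING);

				// The posted class list may be absent (no box ticked): treat that as an empty list rather than
				// passing NULL to in_array() (a warning on PHP 5, a TypeError on PHP 8). Same outcome: every
				// editable class is removed.
				$posted_classes = (isset($_POST['class']) && is_array($_POST['class'])) ? $_POST['class'] : array();
				$cur_classes = explode(",", $udata['user_class']); // Current class membership
				$newclist = array_flip($cur_classes); // Array keys are now the class IDs
				// Update class list - we must take care to only change those classes a user can edit themselves
				foreach ($ucList as $cid)
				{
					if (!in_array($cid, $posted_classes))
					{
						unset($newclist[$cid]);
					}
					else
					{
						$newclist[$cid] = 1;
					}
				}
				$newclist = array_keys($newclist);
				$nid = implode(',', array_diff($newclist, array('')));
				if ($nid != $udata['user_class'])
				{
					if (US_DEBUG) $admin_log->e_log_event(10, debug_backtrace(), "DEBUG", "Usersettings test", "Write back classes; old list: {$udata['user_class']}; new list: ".$nid, FALSE, LOG_TO_ROLLING);
					$changed_user_data['user_class'] = $nid;
				}
			}
		}
		// Only admins can update login name - do this just in case one of the event triggers has mucked it about
		if (!(ADMIN && getperms("4")))
		{
			unset($changed_user_data['user_loginname']);
		}
	}
	else
	{ // Invalid data - from hooked in trigger event
		$message = "<div style='text-align:center'>".$ret."</div>";
		$caption = LAN_151;
	}
}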
} // End - update setttings
elseif ( isset ( $_POST [ 'SaveValidatedInfo' ]))
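{ // Next bit only valid if user editing their own data.
	// The browser re-posts the pending changes ($changed_user_data serialised + base64, and $ue_fields - a raw
	// SQL SET fragment - likewise) together with an md5 of each blob. Because the md5 is computed from the very
	// data the client supplies, it provides no integrity at all: anybody who knows their own password could post
	// arbitrary 'user' columns and arbitrary SQL here. The decoded data is therefore re-validated below.
	// NOTE(review): the real fix is to keep the pending changes server-side or to sign them with a server-only
	// secret (HMAC); neither facility is visible in this file, hence the allowlist approach.
	if (!$peer && !empty($_POST['updated_data']) && !empty($_POST['currentpassword']) && !empty($_POST['updated_key']))
	{ // Got some data confirmed with password entry
		$new_data = base64_decode($_POST['updated_data']);
		if (md5($new_data) != $_POST['updated_key'])
		{ // Should only happen if someone's fooling around
			echo "Mismatch on validation key<br />";
			exit;
		}
		if (isset($_POST['updated_extended']))
		{
			$new_extended = base64_decode($_POST['updated_extended']);
			if (md5($new_extended) != $_POST['extended_key'])
			{ // Should only happen if someone's fooling around
				echo "Mismatch on validity key<br />";
				exit;
			}
		}
		if ($user_info->CheckPassword($_POST['currentpassword'], $udata['user_loginname'], $udata['user_password']) === FALSE) // Use old data to validate
		{ // Invalid password
			echo "<br />".LAN_USET_22."<br />";
			require_once(FOOTERF);
			exit;
		}
		// unserialize() of client data can instantiate arbitrary classes; we cannot avoid the call without
		// changing the form, but we insist on a plain array and keep only the columns this page itself writes.
		$pending = unserialize($new_data);
		if (!is_array($pending))
		{
			echo "Invalid validated data<br />";
			exit;
		}
		$allowed_columns = array('user_image', 'user_loginname', 'user_name', 'user_customtitle', 'user_signature',
			'user_login', 'user_email', 'user_hideemail', 'user_xup', 'user_class', 'user_sess');
		$changed_user_data = array_intersect_key($pending, array_flip($allowed_columns));
		foreach ($changed_user_data as $k => $v)
		{ // Column values are scalars; anything else can only be tampering
			if (is_array($v) || is_object($v))
			{
				echo "Invalid validated data<br />";
				exit;
			}
		}
		// Same policy as the normal save path: only admins with the right permission may rename a login
		if (!(ADMIN && getperms("4")))
		{
			unset($changed_user_data['user_loginname']);
		}
		// Same policy as the normal save path: the class list may differ from the current one only in
		// classes the user is allowed to edit themselves
		if (isset($changed_user_data['user_class']))
		{
			if (!is_object($e_userclass)) $e_userclass = new user_class;
			$editable = explode(',', $e_userclass->get_editable_classes());
			$old_classes = array_diff(explode(',', $udata['user_class']), array(''));
			$new_classes = array_diff(explode(',', $changed_user_data['user_class']), array(''));
			$touched = array_merge(array_diff($old_classes, $new_classes), array_diff($new_classes, $old_classes));
			if (count(array_diff($touched, $editable)))
			{
				echo "Invalid validated data<br />";
				exit;
			}
		}
		$new_pass = $_POST['currentpassword'];
		if (!empty($new_extended))
		{
			$ue_fields = unserialize($new_extended);
			// Must look exactly like what the extended-field validation builds: comma separated
			// user_<name>='<escaped value>' pairs (user_hidden_fields included) and nothing else.
			if (!is_string($ue_fields))
			{
				echo "Invalid validated data<br />";
				exit;
			}
			if ($ue_fields != '' && !preg_match("#^\s*user_\w+\s*=\s*'(?:[^'\\\\]|\\\\.)*'(?:\s*,\s*user_\w+\s*=\s*'(?:[^'\\\\]|\\\\.)*')*\s*$#s", $ue_fields))
			{
				echo "Invalid validated data<br />";
				exit;
			}
		}
		unset($new_data);
		unset($new_extended);
		unset($pending);
	}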
}
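unset($_POST['updatesettings']);
unset($_POST['SaveValidatedInfo']);

// At this point we know the error status.
// $changed_user_data has an array of core changed data, except password, which is in $new_pass if changed (or entered as confirmation).
if (!$error && (count($changed_user_data) || $new_pass))
{
	// Sort out password hashes
	if ($new_pass)
	{
		// Hash against the login name (and, for email login, the email) that will be in force after this update.
		// On the confirmation path $new_pass is the current password, so this simply re-hashes it.
		if (empty($loginname)) $loginname = $udata['user_loginname'];
		$email = !empty($changed_user_data['user_email']) ? $changed_user_data['user_email'] : $udata['user_email'];
		$changed_user_data['user_password'] = $sql->escape($user_info->HashPassword($new_pass, $loginname), FALSE);
		if (varsettrue($pref['allowEmailLogin']))
		{
			// user_prefs is a serialised array from the DB; start from an empty array if it is empty or
			// corrupt instead of writing into the FALSE that unserialize('') returns
			$user_prefs = unserialize($udata['user_prefs']);
			if (!is_array($user_prefs)) $user_prefs = array();
			$user_prefs['email_password'] = $user_info->HashPassword($new_pass, $email);
			$changed_user_data['user_prefs'] = serialize($user_prefs);
		}
	}
	else
	{
		// No password entered - but some changes (login name, email) need the current password as confirmation
		if ((isset($changed_user_data['user_loginname']) && $user_info->isPasswordRequired('user_loginname'))
		|| (isset($changed_user_data['user_email']) && $user_info->isPasswordRequired('user_email')))
		{
			if ($_uid)
			{ // Admin is changing it - another user's password cannot be confirmed, so refuse
				$error = LAN_USET_20;
			}
			else
			{ // User is changing their own info - ask for the password on the next screen
				$promptPassword = TRUE;
			}
		}
	}
}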
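if ((!$error && !$promptPassword) && (count($changed_user_data) || $ue_fields))
{
	// We can update the basic user record now - can just update fields from $changed_user_data
	if (US_DEBUG) $admin_log->e_log_event(10, debug_backtrace(), "DEBUG", "Usersettings test", "Changed data:<br>".var_export($changed_user_data, TRUE), FALSE, LOG_TO_ROLLING);
	$sql->db_UpdateArray("user", $changed_user_data, "WHERE user_id='".intval($inp)."'");

	// Remember the new display name now: the audit code below removes 'user_name' from $changed_user_data
	// (whenever auditing is enabled), which used to stop the 'online' table update further down from running.
	$new_display_name = isset($changed_user_data['user_name']) ? $changed_user_data['user_name'] : NULL;

	// Now see if we need to log anything. First check the options and class membership
	// (Normally we would leave logging decision to the log class. But this one's a bit more complicated)
	$user_logging_opts = array_flip(explode(',', varset($pref['user_audit_opts'], '')));
	$do_log = array();
	$log_action = '';
	if ($_uid)
	{ // Its an admin changing someone elses data - make an admin log entry here
		$admin_log->log_event('USET_01', "UID: {$udata['user_id']}. UName: {$udata['user_name']}", E_LOG_INFORMATIVE);
		// Check against the class of the target user, not the admin!
		if (!check_class(varset($pref['user_audit_class'], ''), $udata['user_class'])) $user_logging_opts = array();
	}
	else
	{
		if (!check_class(varset($pref['user_audit_class'], ''))) $user_logging_opts = array();
	}
	// Now log changes if required
	if (count($user_logging_opts))
	{
		// Start with any specific fields we're changing. Each is removed from $changed_user_data so the
		// generic 'settings changed' entry below does not repeat it.
		if (isset($changed_user_data['user_name']))
		{
			if (isset($user_logging_opts[USER_AUDIT_NEW_DN]))
			{
				$do_log['user_name'] = $changed_user_data['user_name'];
				$log_action = USER_AUDIT_NEW_DN;
			}
			unset($changed_user_data['user_name']);
		}
		if (isset($changed_user_data['user_password']))
		{
			if (isset($user_logging_opts[USER_AUDIT_NEW_PW]))
			{ // Password has already been changed to a hashed value, so OK to leave the data
				$do_log['user_password'] = $changed_user_data['user_password'];
				$log_action = USER_AUDIT_NEW_PW;
			}
			unset($changed_user_data['user_password']);
		}
		if (isset($changed_user_data['user_email']))
		{
			if (isset($user_logging_opts[USER_AUDIT_NEW_EML]))
			{
				$do_log['user_email'] = $changed_user_data['user_email'];
				$log_action = USER_AUDIT_NEW_EML;
			}
			unset($changed_user_data['user_email']);
		}
		if (count($changed_user_data) && isset($user_logging_opts[USER_AUDIT_NEW_SET]))
		{
			$do_log = array_merge($do_log, $changed_user_data);
			$log_action = USER_AUDIT_NEW_SET;
		}
		if (count($do_log))
		{ // Got some changes to audit
			if ($_uid)
			{
				$log_action = USER_AUDIT_ADMIN; // If an admin did the mod, different heading
				// Embed a message saying who changed the data
				$changed_user_data['message'] = str_replace(array('--ID--', '--LOGNAME--'), array(USERID, USERNAME), LAN_USET_18);
				$admin_log->user_audit($log_action, $do_log, $udata['user_id'], $udata['user_loginname']);
			}
			else
			{
				if (count($do_log) > 1) $log_action = USER_AUDIT_NEW_SET; // Log multiple entries to one record
				$admin_log->user_audit($log_action, $do_log);
			}
		}
	} // End of audit logging

	// Now tidy up - remove superseded photo/avatar files (the record already points at the new ones)
	if ($photo_to_delete)
	{ // Photo may be a flat file, or in the database
		delete_file($photo_to_delete);
	}
	if ($avatar_to_delete)
	{ // Avatar may be a flat file, or in the database
		delete_file($avatar_to_delete);
	}
	// If user has changed display name, update the record in the online table.
	// The name is user input, so it is escaped here like the password hash above.
	if ($new_display_name !== NULL && !$_uid)
	{
		$sql->db_Update("online", "online_user_id = '".USERID.".".$sql->escape($new_display_name, FALSE)."' WHERE online_user_id = '".USERID.".".USERNAME."'");
	}

	// Save extended field values
	if ($ue_fields)
	{
		// ***** Next line creates a record which presumably should be there anyway, so could generate an error
		$sql->db_Select_gen("INSERT INTO #user_extended (user_extended_id, user_hidden_fields) values ('".intval($inp)."', '')");
		$sql->db_Update("user_extended", $ue_fields." WHERE user_extended_id = '".intval($inp)."'");
	}

	// Update XUP data if file name changed.
	if (isset($changed_user_data['user_xup']))
	{
		require_once(e_HANDLER."login.php");
		userlogin::update_xup($inp, $changed_user_data['user_xup']);
	}

	$e_event->trigger("postuserset", $_POST);
	if (e_QUERY == "update")
	{
		// NOTE(review): there is no exit after this redirect, so the rest of the page is still rendered
		header("Location: index.php");
	}
	$message = "<div style='text-align:center'>".LAN_150."</div>";
	$caption = LAN_151;
} // End - if (!$error)...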
// A clean save discards the posted values (the form below then shows the stored data); on error, or while a
// password confirmation is pending, $_POST is kept so the form can be refilled
if (!$error && !$promptPassword)
{
	unset($_POST);
}
if ($error)
{
	require_once(e_HANDLER."message_handler.php");
	message_handler("P_ALERT", $error);
	$adref = $_POST['adminreturn']; // not referenced in this file
}

// --- User data has been updated here if appropriate ---
if (isset($message))
{
	$ns->tablerender($caption, $message);
}

$uuid = ($_uid) ? $_uid : USERID; // If $_uid is set, its an admin changing another user's data
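if ($promptPassword)
{ // User has to enter password to validate data
	// The pending changes are round-tripped through the browser with an md5 'key'. The key only detects
	// accidental corruption - the client can recompute it - so the receiving code re-validates the data.
	$updated_data = serialize($changed_user_data);
	$validation_key = md5($updated_data);
	$updated_data = base64_encode($updated_data);
	$updated_extended = serialize($ue_fields);
	$extended_key = md5($updated_extended);
	$updated_extended = base64_encode($updated_extended);
	$text = "<form method='post' action='".e_SELF.(e_QUERY ? "?".e_QUERY : '')."'>
	<table><tr><td style='text-align:center'>";
	// Re-post every field the user submitted as a hidden input. The values are user-controlled, so they are
	// attribute-escaped (the original emitted them raw, letting a quote break out of value='...'). The browser
	// decodes the entities on submit, so what gets re-posted is unchanged.
	foreach ($_POST as $k => $v)
	{
		if (is_array($v))
		{
			foreach ($v as $sk => $sv)
			{
				if (is_array($sv)) continue; // deeper nesting is not something this form produces
				$text .= "<input type='hidden' name='".htmlspecialchars($k, ENT_QUOTES)."[".htmlspecialchars($sk, ENT_QUOTES)."]' value='".htmlspecialchars($sv, ENT_QUOTES)."' />\n";
			}
		}
		else
		{
			$text .= "<input type='hidden' name='".htmlspecialchars($k, ENT_QUOTES)."' value='".htmlspecialchars($v, ENT_QUOTES)."' />\n";
		}
	}
	$text .= LAN_USET_21."</td></tr><tr><td>&nbsp;</td></tr>
	<tr><td style='text-align:center'><input type='password' name='currentpassword' value='' size='30' />";
	$text .= "<input type='hidden' name='updated_data' value='{$updated_data}' /><input type='hidden' name='updated_key' value='{$validation_key}' />
	<input type='hidden' name='updated_extended' value='{$updated_extended}' /><input type='hidden' name='extended_key' value='{$extended_key}' />
	</td></tr>
	<tr><td>&nbsp;</td></tr>
	<tr><td style='text-align:center'><input type='submit' name='SaveValidatedInfo' value='".LAN_ENTER."' /></td></tr>
	</table>
	</form>";
	$ns->tablerender(LAN_155, $text);
	require_once(FOOTERF);
}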
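//--------------------------------------------------------
// Re-read the user data into curVal (ready for display)
//--------------------------------------------------------
$qry = "
SELECT u.*, ue.* FROM #user AS u
LEFT JOIN #user_extended AS ue ON ue.user_extended_id = u.user_id
WHERE u.user_id = '".intval($uuid)."'
";
$sql->db_Select_gen($qry);
$curVal = $sql->db_Fetch();
// Guard against a missing row (db_Fetch() presumably returns FALSE) so the code below works on an array
if (!is_array($curVal)) $curVal = array();
$curVal['userclass_list'] = addCommonClasses($curVal);
if ($_POST)
{ // Fix for all the values being lost when there was an error in a field - restore from the latest $_POST values
	// (Password fields have intentionally been cleared). If no error, there's an unset($_POST) to disable this block.
	// Note this copies EVERY posted key into $curVal['user_<key>'] for display only - the DB update above
	// works from $changed_user_data, not from $curVal.
	foreach ($_POST as $key => $val)
	{
		$curVal["user_".$key] = $val;
	}
	// Extended fields arrive under 'ue'; guard so a post without them does not foreach() over NULL
	if (isset($_POST['ue']) && is_array($_POST['ue']))
	{
		foreach ($_POST['ue'] as $key => $val)
		{
			$curVal[$key] = $val;
		}
	}
}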
// Build the edit form: multipart so the avatar/photo uploads work; e_QUERY is kept so an admin stays on the target user
require_once(e_HANDLER."form_handler.php");
$rs = new form;
if (e_QUERY)
{
	$text = $rs->form_open("post", e_SELF."?".e_QUERY, "dataform", "", "enctype='multipart/form-data'");
}
else
{
	$text = $rs->form_open("post", e_SELF, "dataform", "", "enctype='multipart/form-data'");
}
if (e_QUERY == "update")
{ // Forced-update mode: explain that starred fields are mandatory
	$text .= "<div class='fborder' style='text-align:center'><br />".str_replace("*", "<span style='color:red'>*</span>", LAN_USET_9)."<br />".LAN_USET_10."<br /><br /></div>";
}
$text .= $tp->parseTemplate($USERSETTINGS_EDIT, TRUE, $usersettings_shortcodes);
// The hidden _uid is informational only: the save code takes the target user from e_QUERY, never from POST
$text .= "<div>
<input type='hidden' name='_uid' value='{$uuid}' />
</div>
</form>
";
$ns->tablerender(LAN_155, $text);
require_once(FOOTERF);
// If a field is required (signup option value 2), returns a red asterisk to append to its label; otherwise ''.
function req($field)
{
	// Loose comparison kept on purpose: the pref value may arrive as a string
	return ($field == 2) ? "<span style='text-align:right;font-size:15px; color:red'> *</span>" : "";
}
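// Delete a file from the public directories. Return TRUE on success, FALSE on failure.
// Also deletes from database if appropriate.
// $fname - stored reference: 'Binary <id>/...' for a DB-stored image (rbinary table), or a bare file name
//          under e_FILE.'public/'.$dir. Names with a directory component are refused: the stored value can be
//          influenced by the user (user_image / user_sess), and a '../' in it would unlink files outside the
//          avatar directory.
// $dir   - sub-directory of e_FILE.'public/', default 'avatars/'
function delete_file($fname, $dir = 'avatars/')
{
	global $sql, $tp; // $tp was not declared global before, so the toDB() call below could not have worked
	if (!$fname) return FALSE;
	if (preg_match("#Binary (.*?)/#", $fname, $match))
	{
		return $sql->db_Delete("rbinary", "binary_id='".$tp->toDB($match[1])."'");
	}
	// Path-traversal guard: only a plain file name is acceptable (NUL checked first - basename() rejects it on PHP 8)
	if (str_replace("\0", '', $fname) !== $fname || basename($fname) !== $fname)
	{
		return FALSE;
	}
	if (file_exists(e_FILE."public/".$dir.$fname))
	{
		unlink(e_FILE."public/".$dir.$fname);
		return TRUE;
	}
	return FALSE;
}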
// Extra <head> content: a small helper that writes a value into the form's 'image' field (presumably called by
// an avatar selection list) followed by the calendar widget's own script/style includes.
function headerjs()
{
	global $cal;
	$script = "<script type=\"text/javascript\">
function addtext_us(sc){
	document.getElementById('dataform').image.value = sc;
}
</script>\n";
	return $script.$cal->load_files();
}
?>