diff --git a/signup.php b/signup.php
index b85fd78ff..052c03edc 100644
--- a/signup.php
+++ b/signup.php
@@ -9,8 +9,8 @@
* User signup
*
* $Source: /cvs_backup/e107_0.8/signup.php,v $
- * $Revision: 1.28 $
- * $Date: 2008-12-21 22:17:05 $
+ * $Revision: 1.29 $
+ * $Date: 2008-12-28 22:37:42 $
* $Author: e107steved $
*
*/
@@ -21,7 +21,7 @@ $qs = explode(".", e_QUERY);
if($qs[0] != 'activate')
{ // multi-language fix.
include_lan(e_LANGUAGEDIR.e_LANGUAGE."/lan_signup.php");
- include_lan(e_LANGUAGEDIR.e_LANGUAGE."/lan_usersettings.php");
+// include_lan(e_LANGUAGEDIR.e_LANGUAGE."/lan_usersettings.php"); Shouldn't need this now
}
include_lan(e_LANGUAGEDIR.e_LANGUAGE.'/lan_user.php'); // Generic user-related language defines
@@ -443,15 +443,15 @@ if (isset($_POST['register']))
else
{
$savePassword = $_POST['password1']; // May need in plaintext later
- unset($_POST['password1']); // Restrict the scope of this
- unset($_POST['password2']);
}
+ unset($_POST['password1']); // Restrict the scope of this
+ unset($_POST['password2']);
$allData['user_ip'] = $e107->getip();
// check for multiple signups from the same IP address.
- if($ipcount = $sql->db_Select("user", "*", "user_ip='".$allData['user_ip']."' and user_ban !='2' "))
+ if($ipcount = $sql->db_Select('user', '*', "user_ip='".$allData['user_ip']."' and user_ban !='2' "))
{
if($ipcount >= $pref['signup_maxip'] && trim($pref['signup_maxip']) != "")
{
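Review bot: The duplicate-IP check on the `if($ipcount = $sql->db_Select('user', '*', "user_ip='".$allData['user_ip']."' and user_ban !='2' "))` line interpolates `$allData['user_ip']` into SQL unescaped, and the same raw value is later written with the user record. Whether that is exploitable depends on `$e107->getip()`, whose implementation is not in this hunk; if it ever falls back to a client-supplied header such as X-Forwarded-For, this becomes an injection point. Escaping once where the value is set removes the dependency on that helper: `$allData['user_ip'] = $sql->escape($e107->getip());` (or `$tp->toDB()`, as usersettings.php already does for its email lookup). The enclosing `if (isset($_POST['register']))` block starts before this hunk.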
@@ -473,83 +473,55 @@ if (isset($_POST['register']))
// Verify Custom Signup options if selected - need specific loop since the need for them is configuration-dependent
- $signup_option_title = array(LAN_USER_63, LAN_USER_71, LAN_USER_72, LAN_SIGNUP_28);
- $signup_option_names = array("realname", "signature", "image", "class");
+ $signup_option_title = array(LAN_USER_63, LAN_USER_71, LAN_USER_72, LAN_USER_73, LAN_USER_74);
+ $signup_option_names = array('realname', 'signature', 'image', 'class', 'customtitle');
foreach($signup_option_names as $key => $value)
{
if ($pref['signup_option_'.$value] == 2 && !isset($alldata['validate']['user_'.$value]) && !isset($alldata['errors']['user_'.$value]))
{
$alldata['errors']['user_'.$value] = ERR_GENERIC;
- $alldata['errortext']['user_'.$value] = LAN_SIGNUP_6.$signup_option_title[$key].LAN_SIGNUP_7;
+ $alldata['errortext']['user_'.$value] = str_replace('--SOMETHING--',$signup_option_title[$key],LAN_USER_75);
}
}
- // Extended Field validation
- $extList = $usere->user_extended_get_fieldList();
+ // Validate Extended User Fields.
$eufVals = array();
-
- foreach($extList as $ext)
+ if (isset($_POST['ue']))
{
- $eufName = 'user_'.$ext['user_extended_struct_name'];
- if(isset($_POST['ue'][$eufName]))
- {
- $newval = trim($_POST['ue'][$eufName]); // use $tp->toDB() ??
- // echo "Vetting field ".'user_'.$ext['user_extended_struct_name'].": {$newval} = ".trim($_POST['ue']['user_'.$ext['user_extended_struct_name']])." ";
- if($ext['user_extended_struct_required'] == 1 && (($newval == "") || (($ext['user_extended_struct_type'] == 7) && ($newval == '0000-00-00')) ))
- { // Required field not present
- $_ftext = (defined($ext['user_extended_struct_text']) ? constant($ext['user_extended_struct_text']) : $ext['user_extended_struct_text']);
- $error_message .= LAN_SIGNUP_6.$_ftext.LAN_SIGNUP_7."\\n";
- $error = TRUE;
- }
- else
- {
- $parms = explode("^,^", $ext['user_extended_struct_parms']);
- $regex = (isset($parms[1]) ? $tp->toText($parms[1]) : "");
- $regexfail = (isset($parms[2]) ? trim($tp->toText($parms[2])) : "");
-
- if($regexfail == "")
- {
- $regexfail = $ext['user_extended_struct_name']." ".LAN_SIGNUP_53;
- }
-
- if(defined($regexfail)) {$regexfail = constant($regexfail);}
-
- if($regex != "" && $newval != "" && !preg_match($regex, $newval))
- {
- $error_message .= $regexfail."\\n";
- $error = TRUE;
- }
- else
- {
- $eufVals[$eufName] = $newval;
- }
- }
- }
+ $eufVals = $ue->userExtendedValidateAll($_POST['ue'], varset($_POST['hide'],array())); // Validate the extended user fields
}
+
+
+ // Determine whether we have an error
+ $error = ((isset($allData['errors']) && count($allData['errors'])) || (isset($eufVals['errors']) && count($eufVals['errors'])));
+
// All validated here - handle any errors
- if (count($allData['errors']))
+ if ($error)
{
require_once(e_HANDLER."message_handler.php");
- $temp = validatorClass::makeErrorList($allData,'USER_ERR_','%n - %x - %t: %v', ' ', $userMethods->userVettingInfo);
- message_handler('P_ALERT', $temp.' '.$error_message);
- $error = TRUE;
+ $temp = array();
+ if (count($allData['errors']))
+ {
+ $temp[] = validatorClass::makeErrorList($allData,'USER_ERR_','%n - %x - %t: %v', ' ', $userMethods->userVettingInfo);
+ }
+ if (varsettrue($eufData['errors']))
+ {
+ $temp[] = validatorClass::makeErrorList($eufData,'USER_ERR_','%n - %x - %t: %v', ' ', $userMethods->userVettingInfo);
+ }
+ if ($error_message) { $temp[] = $error_message; }
+ message_handler('P_ALERT', implode(' ', $temp));
}
} // End of data validation
- if($error_message)
- {
- message_handler("P_ALERT", $error_message);
- $error_message = '';
- }
// ========== End of verification.. ==============
// If no errors, we can enter the new member in the DB
// At this point we have two data arrays:
// $allData['validate'] - the 'core' user data
- // $eufVals - any extended user fields
+ // $eufVals['validate'] - any extended user fields
if (!$error)
{
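Review bot: The new error determination `$error = ((isset($allData['errors']) && count($allData['errors'])) || (isset($eufVals['errors']) && count($eufVals['errors'])));` never sees the required-signup-option errors, because the loop above it writes them to `$alldata['errors']` (lower-case d); PHP variable names are case-sensitive, so a signup missing a mandatory realname/signature/image/class/customtitle is not blocked unless something earlier in the file aliases the two names. The same slip recurs in the reporting block: `if (varsettrue($eufData['errors']))` and the following `makeErrorList($eufData, ...)` refer to `$eufData`, but the validator result is stored in `$eufVals`, so extended-field messages are silently dropped even though `$error` is set by the line above. Fix by using `$allData` in the three `$alldata[...]` references of the custom-option loop and replacing both `$eufData` occurrences with `$eufVals`. The enclosing `if (isset($_POST['register']))` block starts before this hunk.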
@@ -566,8 +538,8 @@ if (isset($_POST['register']))
}
- $u_key = md5(uniqid(rand(), 1)); // Key for signup completion
- $allData['validate']['user_sess'] = $u_key; // Validation key
+ $u_key = md5(uniqid(rand(), 1)); // Key for signup completion
+ $allData['validate']['user_sess'] = $u_key; // Validation key
// Work out all user classes
$intClasses = array();
@@ -613,10 +585,10 @@ if (isset($_POST['register']))
// Actually write data to DB
$nid = $sql->db_Insert("user", $allData['validate']);
- if(count($eufVals))
+ if (isset($eufVals['validate']) && count($eufVals['validate']))
{
$sql->db_Select_gen("INSERT INTO `#user_extended` (user_extended_id) values ('{$nid}')");
- $sql->db_UpdateArray("user_extended", $eufVals." WHERE `user_extended_id` = ".intval($nid));
+ $sql->db_UpdateArray("user_extended", $eufVals['validate']." WHERE `user_extended_id` = ".intval($nid));
}
if (SIGNUP_DEBUG) $admin_log->e_log_event(10,debug_backtrace(),"DEBUG","Signup new user",array_merge($allData['validate'],$eufVals) ,FALSE,LOG_TO_ROLLING);
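Review bot: `$sql->db_UpdateArray("user_extended", $eufVals['validate']." WHERE ...` concatenates the validated-field array onto the WHERE string, so PHP's array-to-string conversion turns the second argument into the literal `Array WHERE user_extended_id = N` and no WHERE clause is passed separately; unless db_UpdateArray tolerates that, no extended fields are saved for the new user (the replaced line had the same shape). The three-argument form used in usersettings.php is the intended one: `$sql->db_UpdateArray('user_extended', $eufVals['validate'], ' WHERE user_extended_id = '.intval($nid));`. The debug log on the last line also now merges the whole `$eufVals` wrapper (its `validate`/`errors` keys) rather than the field values; `array_merge($allData['validate'], varset($eufVals['validate'], array()))` is what was meant there.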
diff --git a/usersettings.php b/usersettings.php
index 2875a4a8a..fb3f1a67f 100644
--- a/usersettings.php
+++ b/usersettings.php
@@ -1,35 +1,28 @@
addCommonClasses($udata, FALSE);
-
- $peer = ($inp == USERID ? false : true); // FALSE if editing own data
+ $udata['user_classlist'] = $userMethods->addCommonClasses($udata, FALSE);
}
if (isset($_POST['updatesettings']))
{
- if (!varsettrue($pref['auth_method']) || $pref['auth_method'] == '>e107')
+ if (!varsettrue($pref['auth_method']))
{
- $pref['auth_method'] = 'e107';
+ $pref['auth_method'] = 'e107';
}
if ($pref['auth_method'] != 'e107')
{
- $_POST['password1'] = '';
- $_POST['password2'] = '';
+ $_POST['password1'] = '';
+ $_POST['password2'] = '';
}
- if ($_POST['image'] == '' && $udata['user_image'])
- {
- $changed_user_data['user_image'] = '';
- }
-
- // Check external avatar
- if ($_POST['image'])
- {
- $img = str_replace(array('\'', '"', '(', ')'), '', $_POST['image']); // these are invalid anyway, so why allow them? (XSS Fix)
-
- if (preg_match('#[0-9\._]#', $_POST['image']))
- {
- $img = e_IMAGE.'avatars/'.$_POST['image'];
- }
-
- if ($size = getimagesize($img))
- {
- $avwidth = $size[0];
- $avheight = $size[1];
- $avmsg = '';
-
- $pref['im_width'] = varsettrue($pref['im_width'], 120);
- $pref['im_height'] = varsettrue($pref['im_height'], 100);
- if ($avwidth > $pref['im_width'])
- {
- $avmsg .= LAN_USET_1." ({$avwidth}) ".LAN_USET_2.": {$pref['im_width']}
";
- }
- if ($avheight > $pref['im_height'])
- {
- $avmsg .= LAN_USET_3." ({$avheight}) ".LAN_USET_4.": {$pref['im_height']}";
- }
- if ($avmsg)
- {
- $_POST['image'] = '';
- $error = $avmsg;
- }
- else
- {
- if ($_POST['image'] != $udata['user_image'])
- {
- $changed_user_data['user_image'] = $_POST['image'];
- }
- }
- }
- else
- {
- // Invalid image file - we could just put up a message
- }
- }
-
-
- // The 'class' option doesn't really make sense to me, but left it for now
- // $signup_option_title = array(LAN_308, LAN_120, LAN_121, LAN_USET_19);
- // $signup_option_names = array("realname", "signature", "image", "timezone");
-
- $signup_option_title = array(LAN_308, LAN_120, LAN_121, LAN_USET_6, LAN_USET_19);
- $signup_option_names = array("realname", "signature", "image", "class", 'signup_option_customtitle');
- foreach ($signup_option_names as $key => $value)
- { // Check required signup fields
- if ($pref['signup_option_'.$value] == 2 && !$_POST[$value] && !$_uid)
- {
- $error .= LAN_SIGNUP_6.$signup_option_title[$key].LAN_SIGNUP_7."\\n";
- }
- }
-
-
- // Login Name checks - only admin can change login name
- if (isset($_POST['loginname']) && ADMIN && getperms("4"))
- { // Only check if its been edited
- $loginname = trim(preg_replace('/ |\#|\=|\$/', "", strip_tags($_POST['loginname'])));
- if ($loginname != $_POST['loginname'])
- {
- $error .= LAN_USET_13."\\n";
- }
- // Check if login name exceeds maximum allowed length
- if (strlen($loginname) > varset($pref['loginname_maxlength'], 30))
- {
- $error .= LAN_USET_14."\\n";
- }
- if ($udata['user_loginname'] != $loginname)
- {
- $changed_user_data['user_loginname'] = $loginname;
- }
- else
- {
- unset($loginname);
- }
- }
- if (isset($loginname))
- {
- $_POST['loginname'] = $loginname;
- }
- else
- {
- unset($_POST['loginname']); // Make sure no chance of the $_POST value staying set inappropriately
- }
-
- // Display name checks
- // If display name == login name, it has to meet the criteria for both login name and display name
- // echo "Check_class: {$pref['displayname_class']}; {$udata['user_classlist']}; {$peer} ";
- if (check_class($pref['displayname_class'], $udata['user_classlist'], $peer))
- { // Display name can be different to login name - check display name if its been entered
- if (isset($_POST['username']))
- {
- $username = trim(strip_tags($_POST['username']));
- $_POST['username'] = $username;
- // echo "Found new display name: {$username} ";
- }
- }
- else
- { // Display name and login name must be the same - check only if the login name has been changed
- if (varsettrue($loginname)) $username = $loginname;
- }
-
- if (varsettrue($username))
- {
- // Impose a minimum length on display name
- if (strlen($username) < 2)
- {
- $error .= LAN_USET_12."\\n";
- }
- if (strlen($username) > varset($pref['displayname_maxlength'], 15))
- {
- $error .= LAN_USET_15."\\n";
- }
-
- if (isset($pref['signup_disallow_text']))
- {
- $tmp = explode(",", $pref['signup_disallow_text']);
- foreach ($tmp as $disallow)
- {
- if (stristr($username, trim($disallow)))
- {
- $error .= LAN_USET_11."\\n";
- }
- }
- }
-
- // Display Name exists.
- if ($sql->db_Count('user', '(*)', "WHERE `user_name`='".$username."' AND `user_id` != ".(int)$inp))
- {
- $error .= LAN_USET_17;
- }
- if ($username != $udata['user_name']) { $changed_user_data['user_name'] = $username; }
- unset($username);
- }
-
-
- // Password checks
- $new_pass = '';
- if ($_POST['password1'] != $_POST['password2'])
- {
- $error .= LAN_105."\\n";
- }
- else
- {
- if (trim($_POST['password1']) != "")
- {
- if (strlen(trim($_POST['password1'])) < $pref['signup_pass_len'])
- {
- $error .= LAN_SIGNUP_4.$pref['signup_pass_len'].LAN_SIGNUP_5."\\n";
- }
- $new_pass = $_POST['password1']; // Don't hash it yet
- }
- }
-
-
- // Email address checks
- if (!varsettrue($pref['disable_emailcheck']))
- {
- if (!check_email($_POST['email']))
- {
- $error .= LAN_106."\\n";
- }
- }
-
- // Check for duplicate of email address
- if ($sql->db_Select('user', 'user_name, user_email', "user_email='".$tp->toDB($_POST['email'])."' AND user_id !=".(int)$inp))
- {
- $error .= LAN_408."\\n";
- }
-
-
// Uploaded avatar and/or photo
if ($file_userfile['error'] != 4)
{
require_once (e_HANDLER.'upload_handler.php');
require_once (e_HANDLER.'resize_handler.php');
- if ($uploaded = file_upload(e_FILE.'public/avatars/', 'avatar='.$udata['user_id']))
- {
- foreach ($uploaded as $upload)
- { // Needs the latest upload handler (with legacy and 'future' interfaces) to work
- if ($upload['name'] && ($upload['index'] == 'avatar') && $pref['avatar_upload'])
- {
- // avatar uploaded - give it a reference which identifies it as server-stored
- $_POST['image'] = "-upload-".$upload['name'];
- if ($_POST['image'] != $udata['user_image'])
+ if ($uploaded = process_uploaded_files(e_FILE.'public/avatars/', 'prefix+ap_'.$udata['user_id'].'_', array('overwrite' => TRUE, 'file_mask'=>'jpg,png,gif', 'max_file_count' => 2)))
+ {
+ foreach ($uploaded as $upload)
{
- $avatar_to_delete = str_replace("-upload-", "", $udata['user_image']);
- // echo "Avatar change; deleting {$avatar_to_delete} ";
- $changed_user_data['user_image'] = $_POST['image'];
+ if ($upload['name'] && ($upload['index'] == 'avatar') && $pref['avatar_upload'])
+ {
+ // avatar uploaded - give it a reference which identifies it as server-stored
+ // Vetting routines will do resizing and so on
+ $_POST['image'] = '-upload-'.$upload['name'];
+ }
+ elseif ($upload['name'] && ($upload['index'] == 'photo') && $pref['photo_upload'])
+ {
+ // photograph uploaded
+ $_POST['user_sess'] = $upload['name'];
+ }
+ elseif (isset($upload['error']) && isset($upload['message']))
+ {
+ $extraErrors[] = $upload['message'];
+ }
}
-
- if (!resize_image(e_FILE."public/avatars/".$upload['name'], e_FILE."public/avatars/".$upload['name'], "avatar"))
- {
- unset($message);
- $error .= RESIZE_NOT_SUPPORTED."\\n";
- @unlink(e_FILE.'public/avatars/'.$upload['name']);
- $_POST['image'] = '';
- unset($changed_user_data['user_image']);
- }
- }
-
- if ($upload['name'] && ($upload['index'] == 'photo') && $pref['photo_upload'])
- {
- // photograph uploaded
- if ($udata['user_sess'] != $upload['name'])
- {
- $photo_to_delete = $udata['user_sess'];
- $changed_user_data['user_sess'] = $upload['name'];
- }
-
- if (!resize_image(e_FILE.'public/avatars/'.$upload['name'], e_FILE.'public/avatars/'.$upload['name'], 180))
- {
- unset($message);
- $error .= RESIZE_NOT_SUPPORTED."\\n";
- @unlink(e_FILE.'public/avatars/'.$upload['name']);
- unset($changed_user_data['user_sess']);
- }
- }
}
- }
}
+
+ // Now validate everything - just check everything that's been entered
+ $allData = validatorClass::validateFields($_POST,$userMethods->userVettingInfo, TRUE); // Do basic validation
+ validatorClass::dbValidateArray($allData, $userMethods->userVettingInfo, 'user', $inp); // Do basic DB-related checks
+ $userMethods->userValidation($allData); // Do user-specific DB checks
+
+ $savePassword = '';
+
+ if (($_POST['password1'] != '') || ($_POST['password2'] != ''))
+ { // Need to validate new password here
+ if (!isset($allData['errors']['user_password']))
+ { // No errors in password yet - may be valid
+ $savePassword = $allData['validate']['user_password'];
+ unset($allData['validate']['user_password']); // Delete the password value in the output array
+ }
+ }
+ else
+ {
+ unset($allData['errors']['user_password']); // Delete the error which an empty password field generates
+ }
+
+ unset($_POST['password1']);
+ unset($_POST['password2']);
+
+
+ $changedUserData = validatorClass::findChanges($allData['validate'], $udata,FALSE);
+
+
+ // Login Name checks - only admin can change login name
+ if (isset($changedUserData['user_loginname']))
+ {
+ if (ADMIN && getperms('4'))
+ {
+ if (!check_class($pref['displayname_class'], $udata['user_classlist'], $adminEdit))
+ { // Display name and login name must be the same
+ $changedUserData['user_name'] = $changedUserData['user_loginname'];
+ }
+ }
+ else
+ {
+ unset($changedUserData['user_loginname']); // Just doing this is probably being kind!
+ $alldata['errors']['user_loginname'] = ERR_GENERIC;
+ $alldata['errortext']['user_loginname'] = LAN_USER_85;
+ }
+ }
+
+
// See if user just wants to delete existing photo
if (isset($_POST['user_delete_photo']))
{
$photo_to_delete = $udata['user_sess'];
- $changed_user_data['user_sess'] = '';
- // echo "Just delete old photo: {$photo_to_delete} ";
+ $changedUserData['user_sess'] = '';
}
- // Validate Extended User Fields.
- if ($_POST['ue'])
+ if ($udata['user_image'] && !isset($changedUserData['user_image']))
{
- if ($sql->db_Select('user_extended_struct'))
- {
- while ($row = $sql->db_Fetch())
+ $changedUserData['user_image'] = '';
+ $avatar_to_delete = str_replace('-upload-', '', $udata['user_image']);
+ }
+
+
+
+ // Validate Extended User Fields.
+ $changedEUFData = array();
+ if (isset($_POST['ue']))
+ {
+ $eufVals = $ue->userExtendedValidateAll($_POST['ue'], varset($_POST['hide'],array())); // Validate the extended user fields
+ $changedEUFData = validatorClass::findChanges($eufVals['validate'], $udata,FALSE);
+ }
+
+ // Determine whether we have an error
+ $error = ((isset($allData['errors']) && count($allData['errors'])) || (isset($eufVals['errors']) && count($eufVals['errors'])) || count($extraErrors));
+
+
+ // Update Userclass - only if its the user changing their own data (admins can do it another way)
+ if (isset($allData['validate']['user_class']))
+ {
+ unset($changedUserData['user_class']); // We always recalculate this
+ if (FALSE === $adminEdit)
+ { // Make sure admin can't edit another's user classes
+ if (!is_object($e_userclass))
{
- $extList['user_'.$row['user_extended_struct_name']] = $row;
+ $e_userclass = new user_class;
}
- }
-
- foreach ($_POST['ue'] as $key => $val)
- {
- if (isset($extList[$key]))
- { // Only allow valid keys
- $err = $ue->user_extended_validate_entry($val, $extList[$key]);
- if ($err === true && !$_uid)
- { // General error - usually empty field; could be unacceptable value, or regex fail and no error message defined
- $error .= LAN_SIGNUP_6.($tp->toHtml($extList[$key]['user_extended_struct_text'],FALSE,"defs"))." ".LAN_SIGNUP_7."\\n";
- }
- elseif ($err)
- { // Specific error message returned - usually regex fail
- $error .= $err."\\n";
- $err = true;
- }
- if (!$err)
+ $ucList = $e_userclass->get_editable_classes(USERCLASS_LIST,TRUE); // List of classes which this user can edit
+ if (count($ucList))
+ {
+ $nid = $e_userclass->mergeClassLists($udata['user_class'], $ucList, $allData['validate']['user_class'], TRUE);
+ $nid = $e_userclass->stripFixedClasses($nid);
+ $nid = implode(',',$nid);
+ // echo "Userclass data - new: {$nid}, old: {$udata['user_baseclasslist']}, editable: ".implode(',',$ucList).", entered: {$allData['validate']['user_class']} ";
+ if ($nid != $udata['user_baseclasslist'])
{
- $val = $tp->toDB($val);
- $ue_fields .= ($ue_fields) ? ", " : "";
- $ue_fields .= $key."='".$val."'";
+ if (US_DEBUG)
+ {
+ $admin_log->e_log_event(10, debug_backtrace(), "DEBUG", "Usersettings test", "Write back classes; old list: {$udata['user_class']}; new list: ".$nid, false, LOG_TO_ROLLING);
+ }
+ $changedUserData['user_class'] = $nid;
}
}
}
- }
-
-
- unset($_POST['password1']); // Always clear the password fields - value noted if required
- unset($_POST['password2']);
+ }
// All key fields validated here
// -----------------------------
-
// $inp - UID of user whose data is being changed (may not be the currently logged in user)
- if (!$error)
+ if (!$error && count($changedUserData) || count($changedEUFData))
{
- $_POST['user_id'] = intval($inp);
- $ret = $e_event->trigger("preuserset", $_POST);
+ $_POST['user_id'] = intval($inp);
+ $ret = $e_event->trigger('preuserset', $_POST);
- if ($ret == '')
- {
- if (isset($_POST['customtitle']) && ($pref['signup_option_customtitle']))
+ if ($ret == '')
{
- $new_customtitle = $tp->toDB($_POST['customtitle']);
- if ($new_customtitle != $udata['user_customtitle'])
- {
- $changed_user_data['user_customtitle'] = $new_customtitle;
- }
- }
-
- // Extended fields - handle any hidden fields
- if ($ue_fields)
- {
- $hidden_fields = implode("^", array_keys($_POST['hide']));
- if ($hidden_fields != "")
- {
- $hidden_fields = "^".$hidden_fields."^";
- }
- $ue_fields .= ", user_hidden_fields = '".$hidden_fields."'";
- }
-
-
- // Handle fields which are just transferred without vetting (but are subject to toDB() for exploit restriction)
- $copy_list = array('user_signature' => 'signature',
- 'user_login' => 'realname',
- 'user_email' => 'email',
- 'user_hideemail' =>'hideemail',
- 'user_xup' => 'user_xup');
-
- // Next list identifies numerics which might take a value of 0
- $non_text_list = array(
- 'user_hideemail' =>'hideemail'
- );
- foreach ($copy_list as $k => $v)
- {
- if (isset($_POST[$v]) && (trim($_POST[$v]) || isset($non_text_list[$k])))
- {
- $_POST[$v] = $tp->toDB(trim($_POST[$v]));
- if ($_POST[$v] != $udata[$k])
- {
- $changed_user_data[$k] = $_POST[$v];
- // echo "Changed {$k}, {$v} from {$udata[$k]} to {$_POST[$v]} ";
- }
- }
- }
-
-
- // Update Userclass - only if its the user changing their own data (admins can do it another way)
- if (!$_uid)
- {
- if (!is_object($e_userclass))
- {
- $e_userclass = new user_class;
- }
- $ucList = explode(',', $e_userclass->get_editable_classes()); // List of classes which this user can edit
- if (count($ucList))
- {
- if (US_DEBUG)
- {
- $admin_log->e_log_event(10, debug_backtrace(), "DEBUG", "Usersettings test", "Read editable list. Current user classes: ".$udata['user_class'], false, LOG_TO_ROLLING);
- }
-
- $cur_classes = explode(",", $udata['user_class']); // Current class membership
- $newclist = array_flip($cur_classes); // Array keys are now the class IDs
-
- // Update class list - we must take care to only change those classes a user can edit themselves
- foreach ($ucList as $cid)
- {
- if (!in_array($cid, $_POST['class']))
- {
- unset($newclist[$cid]);
- }
- else
- {
- $newclist[$cid] = 1;
- }
- }
- $newclist = array_keys($newclist);
- $nid = implode(',', array_diff($newclist, array('')));
- // echo "Userclass data - new: {$nid}, old: {$udata['user_class']} ";
- if ($nid != $udata['user_class'])
- {
- if (US_DEBUG)
- {
- $admin_log->e_log_event(10, debug_backtrace(), "DEBUG", "Usersettings test", "Write back classes; old list: {$udata['user_class']}; new list: ".$nid, false, LOG_TO_ROLLING);
- }
- $changed_user_data['user_class'] = $nid;
- }
- }
- }
// Only admins can update login name - do this just in case one of the event triggers has mucked it about
if (!(ADMIN && getperms('4')))
- {
- unset($changed_user_data['user_loginname']);
+ {
+ unset($changedUserData['user_loginname']);
+ }
+ }
+ else
+ { // Invalid data - from hooked in trigger event
+ $message = "
".$ret."
";
+ $caption = LAN_OK;
+ $error = TRUE;
}
- }
- else
- { // Invalid data - from hooked in trigger event
- $message = "
".$ret."
";
- $caption = LAN_151;
- }
}
} // End - update setttings
elseif (isset($_POST['SaveValidatedInfo']))
{ // Next bit only valid if user editing their own data
- if (!$peer && !empty($_POST['updated_data']) && !empty($_POST['currentpassword']) && !empty($_POST['updated_key']))
- { // Got some data confirmed with password entry
- $new_data = base64_decode($_POST['updated_data']);
- if (md5($new_data) != $_POST['updated_key'])
- { // Should only happen if someone's fooling around
- echo "Mismatch on validation key ";
- exit;
- }
+ if (!$adminEdit && !empty($_POST['updated_data']) && !empty($_POST['currentpassword']) && !empty($_POST['updated_key']))
+ { // Got some data confirmed with password entry
+ $new_data = base64_decode($_POST['updated_data']);
+ if (md5($new_data) != $_POST['updated_key'])
+ { // Should only happen if someone's fooling around
+ echo 'Mismatch on validation key ';
+ exit();
+ }
- if (isset($_POST['updated_extended']))
- {
- $new_extended = base64_decode($_POST['updated_extended']);
- if (md5($new_extended) != $_POST['extended_key'])
- { // Should only happen if someone's fooling around
- echo "Mismatch on validity key ";
- exit;
- }
- }
+ if (isset($_POST['updated_extended']))
+ {
+ $new_extended = base64_decode($_POST['updated_extended']);
+ if (md5($new_extended) != $_POST['extended_key'])
+ { // Should only happen if someone's fooling around
+ echo 'Mismatch on validity key ';
+ exit();
+ }
+ }
- if ($user_info->CheckPassword($_POST['currentpassword'], $udata['user_loginname'], $udata['user_password']) === false) // Use old data to validate
+ if ($userMethods->CheckPassword($_POST['currentpassword'], $udata['user_loginname'], $udata['user_password']) === false) // Use old data to validate
- { // Invalid password
- echo " ".LAN_USET_22." ";
+ { // Invalid password
+ echo " ".LAN_USET_22." ";
require_once (FOOTERF);
- exit;
+ exit();
+ }
+ $changedUserData = unserialize($new_data);
+ $savePassword = $_POST['currentpassword'];
+ if (!empty($new_extended)) $changedEUFData = unserialize($new_extended);
+ unset($new_data);
+ unset($new_extended);
+ if (isset($changedUserData['user_sess']))
+ {
+ $photo_to_delete = $udata['user_sess'];
+ }
+ if (isset($changedUserData['user_image']))
+ {
+ $avatar_to_delete = $udata['user_image'];
+ }
}
- $changed_user_data = unserialize($new_data);
- $new_pass = $_POST['currentpassword'];
- if (!empty($new_extended)) $ue_fields = unserialize($new_extended);
- unset($new_data);
- unset($new_extended);
- }
}
unset($_POST['updatesettings']);
unset($_POST['SaveValidatedInfo']);
// At this point we know the error status.
-// $changed_user_data has an array of core changed data, except password, which is in $new_pass if changed (or entered as confirmation).
-if (!$error && (count($changed_user_data) || $new_pass))
+// $changedUserData has an array of core changed data, except password, which is in $savePassword if changed (or entered as confirmation).
+// $eufData has extended user field data
+$dataToSave = !$error && (isset($changedUserData) && count($changedUserData)) || (isset($changedEUFData) && count($changedEUFData)) || $savePassword;
+
+if ($dataToSave)
{
- // Sort out password hashes
- if ($new_pass)
+ // Sort out password hashes
+ if ($savePassword)
+ {
+ $loginname = $changedUserData['user_loginname'] ? $changedUserData['user_loginname'] : $udata['user_loginname'];
+ $email = (isset($changedUserData['user_email']) && $changedUserData['user_email']) ? $changedUserData['user_email'] : $udata['user_email'];
+ $changedUserData['user_password'] = $sql->escape($userMethods->HashPassword($savePassword, $loginname), false);
+ if (varset($pref['allowEmailLogin'], FALSE))
{
- if (empty($loginname)) $loginname = $udata['user_loginname'];
- $email = $changed_user_data['user_email'] ? $changed_user_data['user_email'] : $udata['user_email'];
- $changed_user_data['user_password'] = $sql->escape($user_info->HashPassword($new_pass, $loginname), false);
- if (varsettrue($pref['allowEmailLogin']))
- {
$user_prefs = unserialize($udata['user_prefs']);
- $user_prefs['email_password'] = $user_info->HashPassword($new_pass, $email);
- $changed_user_data['user_prefs'] = serialize($user_prefs);
- }
+ $user_prefs['email_password'] = $userMethods->HashPassword($savePassword, $email);
+ $changedUserData['user_prefs'] = serialize($user_prefs);
}
- else
+ }
+ else
+ {
+ if ((isset($changedUserData['user_loginname']) && $userMethods->isPasswordRequired('user_loginname'))
+ || (isset($changedUserData['user_email']) && $userMethods->isPasswordRequired('user_email')))
{
- if ((isset($changed_user_data['user_loginname']) && $user_info->isPasswordRequired('user_loginname'))
- || (isset($changed_user_data['user_email']) && $user_info->isPasswordRequired('user_email')))
- {
if ($_uid)
{ // Admin is changing it
- $error = LAN_USET_20;
+ $error = LAN_USET_20;
}
else
{ // User is changing their own info
$promptPassword = true;
}
- }
}
+ }
}
-if ((!$error && !$promptPassword) && (count($changed_user_data) || $ue_fields))
+if ($dataToSave && !$promptPassword)
{
- // We can update the basic user record now - can just update fields from $changed_user_data
- if (US_DEBUG) { $admin_log->e_log_event(10, debug_backtrace(), "DEBUG", "Usersettings test", "Changed data: ".var_export($changed_user_data, true), false, LOG_TO_ROLLING); }
- $sql->db_UpdateArray("user", $changed_user_data, " WHERE user_id='".intval($inp)."' ");
+ $message = LAN_USET_41;
- // Now see if we need to log anything. First check the options and class membership
- // (Normally we would leave logging decision to the log class. But this one's a bit more complicated)
- $user_logging_opts = array_flip(explode(',', varset($pref['user_audit_opts'], '')));
- $do_log = array();
- $log_action = '';
- if ($_uid)
- { // Its an admin changing someone elses data - make an admin log entry here
- $admin_log->log_event('USET_01', "UID: {$udata['user_id']}. UName: {$udata['user_name']}", E_LOG_INFORMATIVE);
- // Check against the class of the target user, not the admin!
- if (!check_class(varset($pref['user_audit_class'], ''), $udata['user_class'])) { $user_logging_opts = array(); }
+ // We can update the basic user record now - can just update fields from $changedUserData
+ if (US_DEBUG) { $admin_log->e_log_event(10, debug_backtrace(), "DEBUG", "Usersettings test", "Changed data: ".var_export($changedUserData, true), false, LOG_TO_ROLLING); }
+ if (isset($changedUserData) && count($changedUserData))
+ {
+ //print_a($changedUserData);
+ if (FALSE === $sql->db_UpdateArray('user', $changedUserData, ' WHERE user_id='.intval($inp)))
+ {
+ $message .= ' Error updating user data';
}
else
{
- if (!check_class(varset($pref['user_audit_class'], ''))) { $user_logging_opts = array(); }
+ if (isset($changedUserData['user_password']))
+ {
+ // echo "Make new cookie ";
+ $userMethods->makeUserCookie(array('user_id' => $udata['user_id'],'user_password' => $changedUserData['user_password']), FALSE); // Can't handle autologin ATM
+ }
}
-
- // Now log changes if required
- if (count($user_logging_opts))
+ }
+
+ // Save extended field values
+ if (isset($changedEUFData) && count($changedEUFData))
+ {
+ // ***** Next line creates a record which presumably should be there anyway, so could generate an error
+ $sql->db_Select_gen("INSERT INTO #user_extended (user_extended_id, user_hidden_fields) values ('".intval($inp)."', '')");
+ if (!$sql->db_UpdateArray('user_extended', $changedEUFData,' WHERE user_extended_id = '.$inp))
{
- // Start with any specific fields we're changing
+ $message .= ' Error updating EUF';
+ }
+ }
- if (isset($changed_user_data['user_name']))
+ // Now see if we need to log anything. First check the options and class membership
+ // (Normally we would leave logging decision to the log class. But this one's a bit more complicated)
+ $user_logging_opts = array_flip(explode(',', varset($pref['user_audit_opts'], '')));
+ $do_log = array();
+ $log_action = '';
+ if ($_uid)
+ { // Its an admin changing someone elses data - make an admin log entry here
+ $admin_log->log_event('USET_01', "UID: {$udata['user_id']}. UName: {$udata['user_name']}", E_LOG_INFORMATIVE);
+ // Check against the class of the target user, not the admin!
+ if (!check_class(varset($pref['user_audit_class'], ''), $udata['user_class'])) { $user_logging_opts = array(); }
+ }
+ else
+ {
+ if (!check_class(varset($pref['user_audit_class'], ''))) { $user_logging_opts = array(); }
+ }
+
+ // Now log changes if required
+ if (count($user_logging_opts))
+ {
+ // Start with any specific fields we're changing
+ if (isset($changedUserData['user_name']))
+ {
+ if (isset($user_logging_opts[USER_AUDIT_NEW_DN]))
{
- if (isset($user_logging_opts[USER_AUDIT_NEW_DN]))
- {
- $do_log['user_name'] = $changed_user_data['user_name'];
+ $do_log['user_name'] = $changedUserData['user_name'];
$log_action = USER_AUDIT_NEW_DN;
- }
- unset($changed_user_data['user_name']);
}
+ unset($changedUserData['user_name']);
+ }
- if (isset($changed_user_data['user_password']))
- {
- if (isset($user_logging_opts[USER_AUDIT_NEW_PW]))
- { // Password has already been changed to a hashed value, so OK to leave the data
- $do_log['user_password'] = $changed_user_data['user_password'];
+ if (isset($changedUserData['user_password']))
+ {
+ if (isset($user_logging_opts[USER_AUDIT_NEW_PW]))
+ { // Password has already been changed to a hashed value, so OK to leave the data
+ $do_log['user_password'] = $changedUserData['user_password'];
$log_action = USER_AUDIT_NEW_PW;
- }
- unset($changed_user_data['user_password']);
}
+ unset($changedUserData['user_password']);
+ }
- if (isset($changed_user_data['user_email']))
+ if (isset($changedUserData['user_email']))
+ {
+ if (isset($user_logging_opts[USER_AUDIT_NEW_EML]))
{
- if (isset($user_logging_opts[USER_AUDIT_NEW_EML]))
- {
- $do_log['user_email'] = $changed_user_data['user_email'];
+ $do_log['user_email'] = $changedUserData['user_email'];
$log_action = USER_AUDIT_NEW_EML;
- }
- unset($changed_user_data['user_email']);
}
+ unset($changedUserData['user_email']);
+ }
- if (count($changed_user_data) && isset($user_logging_opts[USER_AUDIT_NEW_SET]))
- {
- $do_log = array_merge($do_log, $changed_user_data);
- $log_action = USER_AUDIT_NEW_SET;
- }
- if (count($do_log))
- { // Got some changes to audit
+ if (count($changedUserData) && isset($user_logging_opts[USER_AUDIT_NEW_SET]))
+ {
+ $do_log = array_merge($do_log, $changedUserData);
+ $log_action = USER_AUDIT_NEW_SET;
+ }
+ if (count($do_log))
+ { // Got some changes to audit
// echo "Adding to audit log ";
- if ($_uid)
- {
+ if ($_uid)
+ {
$log_action = USER_AUDIT_ADMIN; // If an admin did the mod, different heading
// Embed a message saying who changed the data
- $changed_user_data['message'] = str_replace(array('--ID--', '--LOGNAME--'), array(USERID, USERNAME), LAN_USET_18);
+ $changedUserData['message'] = str_replace(array('--ID--', '--LOGNAME--'), array(USERID, USERNAME), LAN_USET_18);
$admin_log->user_audit($log_action, $do_log, $udata['user_id'], $udata['user_loginname']);
- }
- else
- {
+ }
+ else
+ {
if (count($do_log) > 1) { $log_action = USER_AUDIT_NEW_SET; } // Log multiple entries to one record
$admin_log->user_audit($log_action, $do_log);
- }
}
- } // End of audit logging
-
-
- // Now tidy up
- if ($photo_to_delete)
- { // Photo may be a flat file, or in the database
- delete_file($photo_to_delete);
- }
- if ($avatar_to_delete)
- { // Avatar may be a flat file, or in the database
- delete_file($avatar_to_delete);
}
+ } // End of audit logging
+ // Now tidy up
+ if ($photo_to_delete)
+ { // Photo may be a flat file, or in the database
+ delete_file($photo_to_delete);
+ }
+ if ($avatar_to_delete)
+ { // Avatar may be a flat file, or in the database
+ delete_file($avatar_to_delete);
+ }
+
// If user has changed display name, update the record in the online table
- if (isset($changed_user_data['user_name']) && !$_uid)
- {
- $sql->db_Update('online', "online_user_id = '".USERID.".".$changed_user_data['user_name']."' WHERE online_user_id = '".USERID.".".USERNAME."'");
- }
+ if (isset($changedUserData['user_name']) && !$_uid)
+ {
+ $sql->db_Update('online', "online_user_id = '".USERID.".".$changedUserData['user_name']."' WHERE online_user_id = '".USERID.".".USERNAME."'");
+ }
- // Save extended field values
- if ($ue_fields)
- {
- // ***** Next line creates a record which presumably should be there anyway, so could generate an error
- $sql->db_Select_gen("INSERT INTO #user_extended (user_extended_id, user_hidden_fields) values ('".intval($inp)."', '')");
- $sql->db_Update('user_extended', $ue_fields." WHERE user_extended_id = ".intval($inp));
- }
-
// Update XUP data if file name changed.
- if (isset($changed_user_data['user_xup']))
- {
+ if (isset($changedUserData['user_xup']))
+ {
require_once (e_HANDLER."login.php");
- userlogin::update_xup($inp, $changed_user_data['user_xup']);
- }
+ userlogin::update_xup($inp, $changedUserData['user_xup']);
+ }
$e_event->trigger('postuserset', $_POST);
if (e_QUERY == 'update')
- {
+ {
header('Location: index.php');
- }
- $message = "
".LAN_150.'
';
- $caption = LAN_151;
+ }
+ $message = "
".$message.'
';
+ $caption = LAN_OK;
} // End - if (!$error)...
@@ -716,13 +521,25 @@ if (!$error && !$promptPassword) { unset($_POST); }
if ($error)
{
require_once (e_HANDLER.'message_handler.php');
- message_handler('P_ALERT', $error);
- $adref = $_POST['adminreturn'];
+ $temp = '';
+ if (count($extraErrors))
+ {
+ $temp .= implode(' ', $extraErrors);
+ }
+ if (count($allData['errors']))
+ {
+ $temp .= validatorClass::makeErrorList($allData,'USER_ERR_','%n - %x - %t: %v', ' ', $userMethods->userVettingInfo);
+ }
+ if (varsettrue($eufData['errors']))
+ {
+ $temp .= ' '.validatorClass::makeErrorList($eufData,'USER_ERR_','%n - %x - %t: %v', ' ', $userMethods->userVettingInfo);
+ }
+ message_handler('P_ALERT', $temp);
+// $adref = $_POST['adminreturn'];
}
// --- User data has been updated here if appropriate ---
-
if (isset($message))
{
$ns->tablerender($caption, $message);
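Review bot: `count($extraErrors)` and `count($allData['errors'])` in the new error block assume both are arrays, yet the `$eufData['errors']` check two lines below uses `varsettrue()` precisely because that key may be absent; an unset or null value here warns on PHP 7 and throws a TypeError on PHP 8, turning a validation failure into a fatal page. Guard all three the same way, e.g. `if (!empty($extraErrors))` and `if (!empty($allData['errors']))`. Separately, the `'%n - %x - %t: %v'` format presumably echoes the rejected submitted value back into the alert; `validatorClass::makeErrorList()` is not visible here, so confirm it HTML-escapes `%v` before the string reaches `message_handler()`, otherwise a rejected field value becomes reflected XSS on the settings page.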
@@ -734,38 +551,38 @@ $uuid = ($_uid ? $_uid : USERID); // If $_uid is set, its an admin changing anot
if ($promptPassword)
{ // User has to enter password to validate data
- $updated_data = serialize($changed_user_data);
- $validation_key = md5($updated_data);
- $updated_data = base64_encode($updated_data);
- $updated_extended = serialize($ue_fields);
- $extended_key = md5($updated_extended);
- $updated_extended = base64_encode($updated_extended);
- $text = "";
+ $ns->tablerender(LAN_USET_39, $text);
require_once (FOOTERF);
}
@@ -777,25 +594,24 @@ if ($promptPassword)
$qry = "
SELECT u.*, ue.* FROM #user AS u
LEFT JOIN #user_extended AS ue ON ue.user_extended_id = u.user_id
-WHERE u.user_id='".intval($uuid)."'
-";
+WHERE u.user_id=".intval($uuid);
$sql->db_Select_gen($qry);
-$curVal=$sql->db_Fetch();
-$curVal['userclass_list'] = $user_info->addCommonClasses($curVal, FALSE);
-
+$curVal=$sql->db_Fetch(MYSQL_ASSOC);
+$curVal['user_class'] = varset($changedUserData['user_class'], $curVal['user_class']);
+$curVal['userclass_list'] = $userMethods->addCommonClasses($curVal, FALSE);
if ($_POST)
{ // Fix for all the values being lost when there was an error in a field - restore from the latest $_POST values
// (Password fields have intentionally been cleared). If no error, there's an unset($_POST) to disable this block
foreach ($_POST as $key => $val)
- {
- $curVal['user_'.$key] = $tp->post_toForm($val);
- }
+ {
+ if ($key != 'class') { $curVal['user_'.$key] = $tp->post_toForm($val); }
+ }
foreach ($_POST['ue'] as $key => $val)
- {
- $curVal[$key] = $to->post_toForm($val);
- }
+ {
+ $curVal[$key] = $tp->post_toForm($val);
+ }
}
require_once (e_HANDLER."form_handler.php");
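Review bot: `foreach ($_POST['ue'] as $key => $val)` runs whenever `$_POST` is non-empty, but nothing in the hunk establishes that a `ue` array was posted; a submission with no extended fields makes PHP warn about a non-array foreach argument. Guard it with `if (isset($_POST['ue']) && is_array($_POST['ue']))` before the loop. The preceding loop also copies every posted key into `$curVal['user_'.$key]` with only `class` excluded; as far as this hunk shows `$curVal` only feeds form redisplay, but if anything later reads `$curVal` as authoritative (user_id, user_admin, user_perms would all be overwritable), whitelist the keys you intend to re-populate rather than blacklisting one.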
@@ -817,22 +633,20 @@ $text .= "
";
-$ns->tablerender(LAN_155, $text);
+$ns->tablerender(LAN_USET_39, $text);
require_once (FOOTERF);
+
+
// If a field is required, returns a red asterisk
function req($field)
{
- global $pref;
+ $ret = "";
if ($field == 2)
{
$ret = " *";
}
- else
- {
- $ret = "";
- }
return $ret;
}
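Review bot: The comment above `req()` says it returns a red asterisk, but the function returns the plain string `" *"` with no markup or colour, so any styling is the caller's job. Update it to `// If a field is required ($field == 2), returns " *" for the caller to style; otherwise "".` so the next reader does not go looking for a span that is not there.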
@@ -842,18 +656,19 @@ function req($field)
// Also deletes from database if appropriate.
function delete_file($fname, $dir = 'avatars/')
{
- global $sql;
+ global $sql;
+ $fname = trim($fname);
if (!$fname) return false;
- if (preg_match("#Binary (.*?)/#", $fname, $match))
- {
- return $sql -> db_Delete("rbinary", "binary_id='".$tp -> toDB($match[1])."'");
- }
- elseif (file_exists(e_FILE."public/".$dir.$fname))
- {
- unlink(e_FILE."public/".$dir.$fname);
+ if (preg_match("#Binary (.*?)/#", $fname, $match))
+ {
+ return $sql -> db_Delete("rbinary", "binary_id='".$tp -> toDB($match[1])."'");
+ }
+ elseif (file_exists(e_FILE."public/".$dir.$fname))
+ {
+ unlink(e_FILE."public/".$dir.$fname);
return true;
- }
+ }
return false;
}
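Review bot: `$tp` is never brought into scope in `delete_file()` — the rewritten `global $sql;` line still imports only `$sql` — so the `Binary …/` branch calls `toDB()` on an undefined variable and fails; change it to `global $sql, $tp;`. The flat-file branch concatenates `$fname` straight into `e_FILE."public/".$dir` before `unlink()`; the callers earlier in this diff pass `$photo_to_delete` and `$avatar_to_delete`, whose origin is not visible here, and if that value can be influenced by the user a `../` sequence deletes files outside the avatars directory. Reject anything that is not a bare file name before the lookup, e.g. `elseif ($fname === basename($fname) && file_exists(e_FILE."public/".$dir.$fname))`. Returning the result of `unlink()` instead of an unconditional `true` would also let the caller notice a failed cleanup.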
@@ -862,10 +677,10 @@ function headerjs()
{
global $cal;
$script = "\n";
$script .= $cal->load_files();