From b7d0b113c30f20ccbf9b16d2919a2f04dcbc2d39 Mon Sep 17 00:00:00 2001 From: e107steved Date: Sun, 21 Dec 2008 11:07:58 +0000 Subject: [PATCH] Start of generic user data validation, kill references to user_realm field --- class2.php | 5 +- e107_admin/users.php | 620 +++++++------- e107_files/shortcode/user_extended.sc | 22 +- e107_handlers/login.php | 58 +- e107_handlers/user_extended_class.php | 10 +- e107_handlers/user_handler.php | 391 ++++++--- e107_handlers/userclass_class.php | 127 +-- e107_handlers/validator_class.php | 378 +++++++++ .../English/admin/lan_userclass2.php | 9 +- e107_languages/English/admin/lan_users.php | 84 +- e107_languages/English/lan_signup.php | 21 +- e107_languages/English/lan_userclass.php | 5 +- signup.php | 146 ++-- usersettings.php | 781 +++++++++--------- 14 files changed, 1564 insertions(+), 1093 deletions(-) create mode 100644 e107_handlers/validator_class.php diff --git a/class2.php b/class2.php index 935f76673..3884e5d7c 100644 --- a/class2.php +++ b/class2.php @@ -11,8 +11,8 @@ | GNU General Public License (http://gnu.org). | | $Source: /cvs_backup/e107_0.8/class2.php,v $ -| $Revision: 1.86 $ -| $Date: 2008-12-19 22:56:22 $ +| $Revision: 1.87 $ +| $Date: 2008-12-21 11:07:58 $ | $Author: e107steved $ +----------------------------------------------------------------------------+ */ @@ -1446,7 +1446,6 @@ function init_session() define('USEREMAIL', $result['user_email']); define('USER', true); define('USERCLASS', $result['user_class']); - define('USERREALM', $result['user_realm']); define('USERVIEWED', $result['user_viewed']); define('USERIMAGE', $result['user_image']); define('USERPHOTO', $result['user_sess']); diff --git a/e107_admin/users.php b/e107_admin/users.php index ed8a4f262..8d70a8216 100644 --- a/e107_admin/users.php +++ b/e107_admin/users.php @@ -1,20 +1,18 @@ localuser= $adminuser; 
@@ -141,20 +141,27 @@ if (isset($_POST['test_mail'])) // ------- Update Options. -------------- if (isset($_POST['update_options'])) { - $pref['avatar_upload'] = (FILE_UPLOADS ? $_POST['avatar_upload'] : 0); - $pref['im_width'] = $_POST['im_width']; - $pref['im_height'] = $_POST['im_height']; - $pref['photo_upload'] = (FILE_UPLOADS ? $_POST['photo_upload'] : 0); - $pref['del_unv'] = $_POST['del_unv']; - $pref['profile_rate'] = $_POST['profile_rate']; - $pref['profile_comments'] = $_POST['profile_comments']; - $pref['track_online'] = $_POST['track_online']; - $pref['force_userupdate'] = $_POST['force_userupdate']; - $pref['memberlist_access'] = $_POST['memberlist_access']; - save_prefs(); - unset($_POST['update_options']); // So we don't log it - $admin_log->log_event('USET_03',$tp->toDB(implode('; ',$_POST)),E_LOG_INFORMATIVE); - $user->show_message(USRLAN_1); + $temp = array(); + $temp['avatar_upload'] = (FILE_UPLOADS ? $_POST['avatar_upload'] : 0); + $temp['im_width'] = $_POST['im_width']; + $temp['im_height'] = $_POST['im_height']; + $temp['photo_upload'] = (FILE_UPLOADS ? $_POST['photo_upload'] : 0); + $temp['del_unv'] = $_POST['del_unv']; + $temp['profile_rate'] = $_POST['profile_rate']; + $temp['profile_comments'] = $_POST['profile_comments']; + $temp['track_online'] = $_POST['track_online']; + $temp['force_userupdate'] = $_POST['force_userupdate']; + $temp['memberlist_access'] = $_POST['memberlist_access']; + $temp['user_new_period'] = $_POST['user_new_period']; + if ($admin_log->logArrayDiffs($temp, $pref, 'USET_03')) + { + save_prefs(); // Only save if changes + $user->show_message(USRLAN_1); + } + else + { + $user->show_message(USRLAN_193); + } } 
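Review bot: The values copied from $_POST into the new `$temp` array are stored without any type check; `im_width`, `im_height` and the newly added `user_new_period` are numeric settings and should be cast before save_prefs() sees them, e.g. `$temp['user_new_period'] = intval($_POST['user_new_period']);`. login.php in this same commit multiplies `$pref['user_new_period']` by 86400, so a non-numeric or missing value silently turns the probation period into 0. The yes/no options (`avatar_upload`, `profile_rate`, `track_online`, ...) could likewise be limited to the two values the form offers rather than stored verbatim.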
@@ -184,136 +191,89 @@ if (isset($_POST['prune'])) // ------- Quick Add User -------------- if (isset($_POST['adduser'])) { - $e107cache->clear("online_menu_member_total"); - $e107cache->clear("online_menu_member_newest"); if (!$_POST['ac'] == md5(ADMINPWCHANGE)) { exit; } - $user_data = array(); // Assemble the data into an array - - require_once(e_HANDLER."message_handler.php"); - $displayname = strip_tags($_POST['name']); - if (($displayname != strip_tags($_POST['name'])) || (strstr($_POST['name'], "#") || strstr($_POST['name'], "="))) - { - message_handler("P_ALERT", USRLAN_92); - $error = TRUE; - } - $displayname = trim(str_replace(" ", "", $displayname)); - if ($displayname == "Anonymous") - { - message_handler("P_ALERT", USRLAN_65); - $error = TRUE; - } - if ((strlen($displayname) > varset($pref['displayname_maxlength'],15)) || (strlen($displayname) < 2)) - { - message_handler('P_ALERT',USRLAN_154); - $error = TRUE; - } - if ($sql->db_Count("user", "(*)", "WHERE user_name='".$displayname."' ")) - { - message_handler("P_ALERT", USRLAN_66); - $error = TRUE; - } + $e107cache->clear('online_menu_member_total'); + $e107cache->clear('online_menu_member_newest'); + $error = FALSE; if (isset($_POST['generateloginname'])) { - $loginname = $user_info->generateUserLogin($pref['predefinedLoginName']); + $_POST['loginname'] = $userMethods->generateUserLogin($pref['predefinedLoginName']); } - else - { - $loginname = trim(preg_replace('/ |\#|\=|\$/', "", strip_tags($_POST['loginname']))); - if ($loginname != $_POST['loginname']) - { - message_handler('P_ALERT',USRLAN_152); - $error = TRUE; - } - } - if ((strlen($loginname) > varset($pref['loginname_maxlength'],30)) || (strlen($loginname) < 3)) - { - message_handler('P_ALERT',USRLAN_154); - $error = TRUE; - } - if ($sql->db_Count("user", "(*)", "WHERE user_loginname='".$loginname."' ")) - { - message_handler("P_ALERT", USRLAN_153); - $error = TRUE; - } - - if (isset($_POST['generatepassword'])) { - $_POST['password1'] = 
$user_info->generateRandomString('**********'); // 10-char password should be enough - } - else - { - if ($_POST['password1'] != $_POST['password2']) - { - message_handler("P_ALERT", USRLAN_67); - $error = TRUE; - } + $_POST['password1'] = $userMethods->generateRandomString('**********'); // 10-char password should be enough + $_POST['password2'] = $_POST['password1']; } - if ($_POST['name'] == "" || $_POST['password1'] == "" || $_POST['password2'] = "") + // Now validate everything + $allData = validatorClass::validateFields($_POST,$userMethods->userVettingInfo, TRUE); // Do basic validation + validatorClass::checkMandatory('user_name,user_loginname', $allData); // Check for missing fields (email done in userValidation() ) + validatorClass::dbValidateArray($allData, $userMethods->userVettingInfo, 'user', 0); // Do basic DB-related checks + $userMethods->userValidation($allData); // Do user-specific DB checks + if (($_POST['password1'] != $_POST['password2']) && !isset($allData['errors']['user_password'])) { - message_handler("P_ALERT", USRLAN_68); - $error = TRUE; + $allData['errors']['user_password'] = ERR_PASSWORDS_DIFFERENT; } - if (!check_email($_POST['email'])) + if (!check_class($pref['displayname_class'], $allData['validate']['user_class'])) { - message_handler("P_ALERT", USRLAN_69); - $error = TRUE; + if ($allData['validate']['user_name'] != $allData['validate']['user_loginname']) + { + $allData['errors']['user_name'] = ERR_FIELDS_DIFFERENT; + } } - if ($sql->db_Count("user", "(*)", "WHERE user_email='".$_POST['email']."' AND user_ban='1' ")) + + if (count($allData['errors'])) { - message_handler("P_ALERT", USRLAN_147); - $error = TRUE; - } - if ($sql->db_Count("banlist", "(*)", "WHERE banlist_ip='".$_POST['email']."'")) - { - message_handler("P_ALERT", USRLAN_148); - $error = TRUE; + require_once(e_HANDLER."message_handler.php"); + $temp = validatorClass::makeErrorList($allData,'USER_ERR_','%n - %x - %t: %v', '
', $userMethods->userVettingInfo); + message_handler('P_ALERT', $temp); + $error = TRUE; } // Always save some of the entered data - then we can redisplay on error - $user_data['user_name'] = $displayname; - $user_data['user_loginname'] = $loginname; - $user_data['user_class'] = implode(",", $_POST['userclass']); - $user_data['user_email'] = $tp->toDB($_POST['email']); - $user_data['user_hideemail'] = 1; - $user_data['user_login'] = $tp->toDB($_POST['realname']); + $user_data = $allData['validate']; if (!$error) { - $user_data['user_password'] = $user_info->HashPassword($_POST['password1'],$loginname); - $user_data['user_join'] = time(); - $user_data['user_lastvisit'] = 0; - $user_data['user_currentvisit'] = 0; - $user_data['user_pwchange'] = 0; - if (admin_update($sql -> db_Insert("user", $user_data), 'insert', USRLAN_70)) - { - // Add to admin log - $admin_log->log_event('USET_02',"UName: {$user_data['user_name']}; Email: {$user_data['user_email']}",E_LOG_INFORMATIVE); - // Add to user audit trail - $admin_log->user_audit(USER_AUDIT_ADD_ADMIN,$user_data, 0,$user_data['user_loginname']); - if (isset($_POST['sendconfemail'])) - { // Send confirmation email to user - require_once(e_HANDLER.'mail.php'); - $e_message = str_replace(array('--SITE--','--LOGIN--','--PASSWORD--'),array(SITEURL,$loginname,$_POST['password1']),USRLAN_185).USRLAN_186; - if (sendemail($user_data['user_email'],USRLAN_187.SITEURL,$e_message,$user_data['user_login'],'','')) - { - $message = USRLAN_188; - } - else - { - $message = USRLAN_189; - } + $message = ''; + $user_data['user_password'] = $userMethods->HashPassword($_POST['password1'],$loginname); + $user_data['user_join'] = time(); + if ($userMethods->needEmailPassword()) + { // Save separate password encryption for use with email address + $user_data['user_prefs'] = serialize(array('email_password' => $userMethods->HashPassword($_POST['password1'], $user_data['user_email']))); + } + $userMethods->addNonDefaulted($user_data); + if 
(admin_update($sql -> db_Insert("user", $user_data), 'insert', USRLAN_70)) + { + // Add to admin log + $admin_log->log_event('USET_02',"UName: {$user_data['user_name']}; Email: {$user_data['user_email']}",E_LOG_INFORMATIVE); + // Add to user audit trail + $admin_log->user_audit(USER_AUDIT_ADD_ADMIN,$user_data, 0,$user_data['user_loginname']); + if (isset($_POST['sendconfemail'])) + { // Send confirmation email to user + require_once(e_HANDLER.'mail.php'); + $e_message = str_replace(array('--SITE--','--LOGIN--','--PASSWORD--'),array(SITEURL,$loginname,$_POST['password1']),USRLAN_185).USRLAN_186; + if (sendemail($user_data['user_email'],USRLAN_187.SITEURL,$e_message,$user_data['user_login'],'','')) + { + $message = USRLAN_188.'

'; + } + else + { + $message = USRLAN_189.'

'; + } + } + $message .= str_replace('--NAME--',$user_data['user_name'], USRLAN_174) ; + if (isset($_POST['generateloginname'])) $message .= '

'.USRLAN_173.': '.$loginname; + if (isset($_POST['generatepassword'])) $message .= '

'.USRLAN_172.': '.$_POST['password1']; + + unset($user_data); // Don't recycle the data once the user's been accepted without error } - if (isset($_POST['generateloginname'])) $message .= '

'.USRLAN_173.': '.$loginname; - if (isset($_POST['generatepassword'])) $message .= '

'.USRLAN_172.': '.$_POST['password1']; - } } if (isset($message)) $user->show_message($message); } @@ -599,24 +559,25 @@ $unverified = $sql -> db_Count("user", "(*)", "WHERE user_ban = 2"); if (!e_QUERY) $action = "main"; switch ($action) { - case "unverified" : - $user->show_existing_users($action, $sub_action, $id, $from, $amount); - break; + case "unverified" : + $user->show_existing_users($action, $sub_action, $id, $from, $amount); + break; - case "options" : - $user->show_prefs(); - break; + case "options" : + $user->show_prefs(); + break; - case "prune" : - $user->show_prune(); - break; + case "prune" : + $user->show_prune(); + break; - case "create" : - $user->add_user($user_data); - break; + case "create" : + $userMethods->deleteExpired(); // Remove time-expired users + $user->add_user($user_data); + break; - default : - $user->show_existing_users($action, $sub_action, $id, $from, $amount); + default : + $user->show_existing_users($action, $sub_action, $id, $from, $amount); } @@ -631,7 +592,7 @@ class users function show_existing_users($action, $sub_action, $id, $from, $amount) { - global $sql, $rs, $ns, $tp, $mySQLdefaultdb,$pref,$unverified; + global $sql, $rs, $ns, $tp, $mySQLdefaultdb,$pref,$unverified, $userMethods; // save the display choices. if(isset($_POST['searchdisp'])) { @@ -648,7 +609,8 @@ class users $search_display = explode("|",$pref['admin_user_disp']); } - if ($sql->db_Select("userclass_classes")) { + if ($sql->db_Select("userclass_classes")) + { while ($row = $sql->db_Fetch()) { $class[$row['userclass_id']] = $tp->toHTML($row['userclass_name'],"","defs,emotes_off, no_make_clickable"); 
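Review bot: `$loginname` is no longer assigned anywhere on the new side of the Quick Add User block, yet it is still passed as the salt in `$userMethods->HashPassword($_POST['password1'],$loginname)` and used in the confirmation mail and the generated-login message, so unless it is set earlier in the file the stored hash is salted with an undefined value and the created account will not be able to log in. Replace those uses with the validated field, e.g. `$user_data['user_password'] = $userMethods->HashPassword($_POST['password1'], $user_data['user_loginname']);`. The unchanged guard `if (!$_POST['ac'] == md5(ADMINPWCHANGE))` is also ineffective: `!` binds before `==`, so a boolean is compared with the hash string and exit is never reached; it should read `if (!isset($_POST['ac']) || $_POST['ac'] !== md5(ADMINPWCHANGE)) { exit; }`.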
@@ -660,12 +622,12 @@ class users if (isset($_POST['searchquery']) && $_POST['searchquery'] != "") { $_POST['searchquery'] = $tp->toDB(trim($_POST['searchquery'])); - $query = "WHERE ". + $query = "WHERE ". $query .= (strpos($_POST['searchquery'], "@") !== FALSE) ? "user_email REGEXP('".$_POST['searchquery']."') OR ": ""; $query .= (strpos($_POST['searchquery'], ".") !== FALSE) ? "user_ip REGEXP('".$_POST['searchquery']."') OR ": ""; foreach($search_display as $disp) { - $query .= "$disp REGEXP('".$_POST['searchquery']."') OR "; + $query .= $disp." REGEXP('".$_POST['searchquery']."') OR "; } $query .= "user_login REGEXP('".$_POST['searchquery']."') OR "; $query .= "user_name REGEXP('".$_POST['searchquery']."') "; @@ -674,7 +636,9 @@ class users $query .= " AND user_ban = 2 "; } $query .= " ORDER BY user_id"; - } else { + } + else + { $query = ""; if($action == 'unverified') { 
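Review bot: Each entry of `$search_display` is interpolated into the SQL as a column name in the changed line `$query .= $disp." REGEXP('".$_POST['searchquery']."') OR ";`, and if `$search_display` originates from `$_POST['searchdisp']` as the earlier hunk in this file suggests, it should be checked against the known user field names before it reaches the query, e.g. `if (!isset($display_lan[$disp])) continue;` using the `$userMethods->getNiceNames(TRUE)` list the next hunk already fetches. The pref may be vetted where it is saved, outside this hunk, which is worth confirming. Wrapping the column name in backticks, as make_email_query() does for its field name elsewhere in this commit, would also keep the quoting style consistent. The enclosing show_existing_users() starts before this hunk.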
@@ -684,75 +648,42 @@ class users } // $user_total = db_Count($table, $fields = '(*)', - $qry_insert = "SELECT u.*, ue.* FROM #user AS u LEFT JOIN #user_extended AS ue ON ue.user_extended_id = u.user_id "; - - if ($user_total = $sql->db_Select_gen($qry_insert. $query)) { + $qry_insert = "SELECT u.*, ue.* FROM #user AS u LEFT JOIN #user_extended AS ue ON ue.user_extended_id = u.user_id "; + + if ($user_total = $sql->db_Select_gen($qry_insert. $query)) + { $text .= " - - - "; - - -// Search Display Column header. - $display_lan = array( - 'user_id' => DUSRLAN_1, - 'user_name' => DUSRLAN_2, - 'user_loginname' => DUSRLAN_3, - 'user_customtitle' => DUSRLAN_4, - 'user_password' => DUSRLAN_5, - 'user_sess' => DUSRLAN_6, - 'user_email' => DUSRLAN_7, - 'user_homepage' => DUSRLAN_8, - 'user_icq' => DUSRLAN_9, - 'user_aim' => DUSRLAN_10, - 'user_msn' => DUSRLAN_11, - 'user_location' => DUSRLAN_12, - 'user_birthday' => DUSRLAN_13, - 'user_signature' => DUSRLAN_14, - 'user_image' => DUSRLAN_15, - 'user_timezone' => DUSRLAN_16, - 'user_hideemail' => DUSRLAN_17, - 'user_join' => DUSRLAN_18, - 'user_lastvisit' => DUSRLAN_19, - 'user_currentvisit' => DUSRLAN_20, - 'user_lastpost' => DUSRLAN_21, - 'user_chats' => DUSRLAN_22, - 'user_comments' => DUSRLAN_23, - 'user_forums' => DUSRLAN_24, - 'user_ip' => DUSRLAN_25, - 'user_ban' => DUSRLAN_26, - 'user_prefs' => DUSRLAN_27, - 'user_new' => DUSRLAN_28, - 'user_viewed' => DUSRLAN_29, - 'user_visits' => DUSRLAN_30, - 'user_admin' => DUSRLAN_31, - 'user_login' => DUSRLAN_32, - 'user_class' => DUSRLAN_33, - 'user_perms' => DUSRLAN_34, - 'user_realm' => DUSRLAN_35, - 'user_pwchange' => DUSRLAN_36, - 'user_xup' => DUSRLAN_37 - ); - - foreach($search_display as $disp){ - if (isset($display_lan[$disp])) { + + + "; + + + // Search Display Column header. 
+ $display_lan = $userMethods->getNiceNames(TRUE); // List of field names and descriptive names + foreach($search_display as $disp) + { + if (isset($display_lan[$disp])) + { $text .= ""; - } else { + } + else + { $text .= ""; } } - -// ------------------------------ - + + // ------------------------------ + $text .= " - "; - - while ($row = $sql->db_Fetch()) { + "; + + while ($row = $sql->db_Fetch()) + { extract($row); $text .= " - + "; - - - - // Display Chosen options ------------------------------------- - - $datefields = array("user_lastpost","user_lastvisit","user_join","user_currentvisit"); - $boleanfields = array("user_admin","user_hideemail","user_ban"); - - foreach($search_display as $disp) - { - $text .= ""; + $prev[$disp] = $row[$disp]; } - } - else - { - $text .= " "; - } - }elseif(in_array($disp,$boleanfields)) - { - $text .= ($row[$disp]) ? ADMIN_TRUE_ICON : ""; - } - elseif(in_array($disp,$datefields)) - { - $text .= ($row[$disp]) ? strftime($pref['shortdate'],$row[$disp])." " : " "; - } - elseif($disp == "user_name") - { - $text .= "{$row['user_name']}"; - } - else - { - $text .= $row[$disp]." "; - } - if(!in_array($disp,$boleanfields) && isset($prev[$disp]) && $row[$disp] == $prev[$disp] && $prev[$disp] != "") - { // show matches - $text .= " *"; - } - - $text .= ""; - $prev[$disp] = $row[$disp]; - } -// ------------------------------------------------------------- + // ------------------------------------------------------------- $qry = (e_QUERY) ? "?".e_QUERY : ""; $text .= "
ID".USRLAN_79."
ID".USRLAN_79."".$display_lan[$disp]."".ucwords(str_replace("_"," ",$disp))."".LAN_OPTIONS."
$user_id{$user_id} "; - + if ($user_perms == "0") { $text .= "
".LAN_MAINADMIN."
"; } @@ -770,95 +701,96 @@ class users } else { $text .= " "; } - + $text .= "
"; - if($disp == "user_class") - { - if ($user_class) - { - $tmp = explode(",", $user_class); - while (list($key, $class_id) = each($tmp)) + + + + // Display Chosen options + + $datefields = array("user_lastpost","user_lastvisit","user_join","user_currentvisit"); + $boleanfields = array("user_admin","user_hideemail","user_ban"); + + foreach($search_display as $disp) { - $text .= ($class[$class_id] ? $class[$class_id]."
\n" : ""); + $text .= "
"; + if($disp == "user_class") + { + if ($user_class) + { + $tmp = explode(",", $user_class); + while (list($key, $class_id) = each($tmp)) + { + $text .= ($class[$class_id] ? $class[$class_id]."
\n" : ""); + } + } + else + { + $text .= " "; + } + } + elseif (in_array($disp,$boleanfields)) + { + $text .= ($row[$disp]) ? ADMIN_TRUE_ICON : ""; + } + elseif(in_array($disp,$datefields)) + { + $text .= ($row[$disp]) ? strftime($pref['shortdate'],$row[$disp])." " : " "; + } + elseif($disp == "user_name") + { + $text .= "{$row['user_name']}"; + } + else + { + $text .= $row[$disp]." "; + } + if(!in_array($disp,$boleanfields) && isset($prev[$disp]) && $row[$disp] == $prev[$disp] && $prev[$disp] != "") + { // show matches + $text .= " *"; + } + + $text .= "
- +
"; } - if($action == "unverified"){ + if($action == "unverified") + { $text .= "

@@ -899,13 +831,13 @@ class users $text .= " 
"; - } $users = (e_QUERY != "unverified") ? $sql->db_Count("user"): $unverified; - if ($users > $amount && !$_POST['searchquery']) { + if ($users > $amount && !$_POST['searchquery']) + { $parms = "{$users},{$amount},{$from},".e_SELF."?".(e_QUERY ? "$action.$sub_action.$id." : "main.user_id.desc.")."[FROM]"; $text .= "
".$tp->parseTemplate("{NEXTPREV={$parms}}"); } @@ -920,34 +852,37 @@ class users $text .= "
".LAN_DISPLAYOPT."
"; $text .= " @@ -1008,72 +943,83 @@ class users $text = "
+ + + + - - + - - + - - + - - + - - + - - + - - + - - + - - + - - + + + + + + @@ -1177,7 +1123,7 @@ class users if (!isset($user_data['user_class'])) $user_data['user_class'] = varset($pref['initial_user_classes'],''); - $temp = $e_userclass->vetted_tree('userclass',array($e_userclass,'checkbox_desc'), $user_data['user_class'], 'classes'); + $temp = $e_userclass->vetted_tree('class',array($e_userclass,'checkbox_desc'), $user_data['user_class'], 'classes'); if ($temp) @@ -1191,7 +1137,7 @@ class users $text .= "
".USRLAN_44.":". ($pref['avatar_upload'] ? "".LAN_YES."  ".LAN_NO : "".LAN_YES."  ".LAN_NO). (!FILE_UPLOADS ? " (".USRLAN_58.")" : "")." + ".USRLAN_44.":". ($pref['avatar_upload'] ? "".LAN_YES."  ".LAN_NO : "".LAN_YES."  ".LAN_NO). (!FILE_UPLOADS ? " (".USRLAN_58.")" : "")."
".USRLAN_53.":". ($pref['photo_upload'] ? "".LAN_YES."  ".LAN_NO : "".LAN_YES."  ".LAN_NO). (!FILE_UPLOADS ? " (".USRLAN_58.")" : "")." + ".USRLAN_53.":". ($pref['photo_upload'] ? "".LAN_YES."  ".LAN_NO : "".LAN_YES."  ".LAN_NO). (!FILE_UPLOADS ? " (".USRLAN_58.")" : "")."
".USRLAN_47.": + ".USRLAN_47.": (".USRLAN_48.")
".USRLAN_49.": + ".USRLAN_49.": (".USRLAN_50.")
".USRLAN_126.":". ($pref['profile_rate'] ? "".LAN_YES."  ".LAN_NO : "".LAN_YES."  ".LAN_NO)." + ".USRLAN_126.":". ($pref['profile_rate'] ? "".LAN_YES."  ".LAN_NO : "".LAN_YES."  ".LAN_NO)."
".USRLAN_127.":". ($pref['profile_comments'] ? "".LAN_YES."  ".LAN_NO : "".LAN_YES."  ".LAN_NO)." + ".USRLAN_127.":". ($pref['profile_comments'] ? "".LAN_YES."  ".LAN_NO : "".LAN_YES."  ".LAN_NO)."
".USRLAN_133.":
".USRLAN_134."
". ($pref['force_userupdate'] ? "".LAN_YES."  ".LAN_NO : "".LAN_YES."  ".LAN_NO)." + ".USRLAN_133.":
".USRLAN_134."
". ($pref['force_userupdate'] ? "".LAN_YES."  ".LAN_NO : "".LAN_YES."  ".LAN_NO)."
".USRLAN_93."
".USRLAN_94."
+ ".USRLAN_93."
".USRLAN_94."
".USRLAN_95."
".USRLAN_130."
".USRLAN_131."
  + ".USRLAN_130."
".USRLAN_131."
  ".USRLAN_132."  
".USRLAN_146.":".USRLAN_146.":
".USRLAN_190."
".USRLAN_191."
+ ".USRLAN_192." +
@@ -1136,14 +1082,14 @@ class users
".USRLAN_61." - ".$rs->form_text("name", 40, varset($user_data['user_name'],""), 30)." + ".$rs->form_text('username', 40, varset($user_data['user_name'],""), 30)."
".USRLAN_128." - ".$rs->form_text("loginname", 40, varset($user_data['user_loginname'],""), 30)."   + ".$rs->form_text('loginname', 40, varset($user_data['user_loginname'],""), 30)."   ".$rs->form_checkbox('generateloginname',1,varset($pref['predefinedLoginName'],FALSE)).USRLAN_170."
- ".USRLAN_151." + ".USRLAN_181."
@@ -1245,7 +1191,7 @@ class users { // echo str_replace("\n","
",$message); $admin_log->log_event('USET_11',str_replace(array('--ID--','--NAME--','--EMAIL--'),array($id,$name,$email),USRLAN_167),E_LOG_INFORMATIVE); - $this->show_message(USRLAN_140.": ".$name." (".$row['user_language'].") "); + $this->show_message(USRLAN_140.": ".$name." (".$row['user_language'].") "); } else { diff --git a/e107_files/shortcode/user_extended.sc b/e107_files/shortcode/user_extended.sc index be3fc0419..69d1cd433 100644 --- a/e107_files/shortcode/user_extended.sc +++ b/e107_files/shortcode/user_extended.sc @@ -1,5 +1,5 @@ -//USAGE: {EXTENDED=.[text|value|icon|text_value].} -//EXAMPLE: {EXTENDED=user_gender.value.5} will show the value of the extended field user_gender for user #5 +//USAGE: {USER_EXTENDED=.[text|value|icon|text_value].} +//EXAMPLE: {USER_EXTENDED=user_gender.value.5} will show the value of the extended field user_gender for user #5 include(e_LANGUAGEDIR.e_LANGUAGE."/lan_user_extended.php"); $parms = explode(".", $parm); global $currentUser, $tp, $loop_uid, $e107, $imode, $sc_style; @@ -64,15 +64,15 @@ if($parms[1] == 'text_value') if ($parms[1] == 'text') { - $text_val = $ueStruct["user_".$parms[0]]['user_extended_struct_text']; - if($text_val) - { - return (defined($text_val) ? constant($text_val) : $text_val); - } - else - { - return TRUE; - } + $text_val = $ueStruct["user_".$parms[0]]['user_extended_struct_text']; + if($text_val) + { + return (defined($text_val) ? constant($text_val) : $text_val); + } + else + { + return TRUE; + } } if ($parms[1] == 'icon') diff --git a/e107_handlers/login.php b/e107_handlers/login.php index 4237bf5cf..4914a7037 100644 --- a/e107_handlers/login.php +++ b/e107_handlers/login.php 
@@ -12,8 +12,8 @@ | GNU General Public License (http://gnu.org). | | $Source: /cvs_backup/e107_0.8/e107_handlers/login.php,v $ -| $Revision: 1.18 $ -| $Date: 2008-06-13 20:20:21 $ +| $Revision: 1.19 $ +| $Date: 2008-12-21 11:07:58 $ | $Author: e107steved $ +----------------------------------------------------------------------------+ */ @@ -173,7 +173,7 @@ class userlogin } - $userpass = ''; // Finished with any plaintext password - can get rid of it + $userpass = ''; // Finished with any plaintext password - can get rid of it $ret = $e_event->trigger("preuserlogin", $username); 
@@ -197,53 +197,30 @@ class userlogin } } + + // User login definitely accepted here + + if($user_xup) { $this->update_xup($user_id, $user_xup); } - $cookieval = $user_id.".".md5($lode['user_password']); // (Use extra md5 on cookie value to obscure hashed value for password) - if ($pref['user_tracking'] == "session") - { - $_SESSION[$pref['cookie_name']] = $cookieval; - } - else - { - if ($autologin == 1) - { // Cookie valid for up to 30 days - cookie($pref['cookie_name'], $cookieval, (time() + 3600 * 24 * 30)); - } - else - { - cookie($pref['cookie_name'], $cookieval); - } - } - - // User login definitely accepted here + $cookieval = $user_info->makeUserCookie($lode,$autologin); // Calculate class membership - needed for a couple of things // Problem is that USERCLASS_LIST just contains 'guest' and 'everyone' at this point - $class_list = explode(',',$lode['user_class']); - if ($lode['user_admin'] && strlen($lode['user_perms'])) - { - $class_list[] = e_UC_ADMIN; - if (strpos($lode['user_perms'],'0') === 0) - { - $class_list[] = e_UC_MAINADMIN; - } - } - $class_list[] = e_UC_MEMBER; - $class_list[] = e_UC_PUBLIC; + $class_list = $user_info->addCommonClasses($lode, TRUE); $user_logging_opts = array_flip(explode(',',varset($pref['user_audit_opts'],''))); if (isset($user_logging_opts[USER_AUDIT_LOGIN]) && in_array(varset($pref['user_audit_class'],''),$class_list)) { // Need to note in user audit trail - $admin_log->user_audit(USER_AUDIT_LOGIN,'', $user_id,$user_name); + $admin_log->user_audit(USER_AUDIT_LOGIN,'', $user_id,$user_name); } - $edata_li = array("user_id" => $user_id, "user_name" => $username, 'class_list' => implode(',',$class_list), 'remember_me' => $autologin); + $edata_li = array('user_id' => $user_id, 'user_name' => $username, 'class_list' => implode(',',$class_list), 'remember_me' => $autologin); $e_event->trigger("login", $edata_li); if($_E107['cli']) 
@@ -251,6 +228,19 @@ class userlogin return $cookieval; } + if (in_array(e_UC_NEWUSER,$class_list)) + { + if (time() > ($lode['user_join'] + (varset($pref['user_new_period'],0)*86400))) + { // 'New user' probationary period expired - we can take them out of the class + $lode['user_class'] = $e107->user_class->ucRemove(e_UC_NEWUSER, $lode['user_class']); +// $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","Login new user complete",$lode['user_class'],FALSE,FALSE); + $sql->db_UpdateArray('user',array('user_class' => $lode['user_class']), 'WHERE `user_id`='.$lode['user_id']); + unset($class_list[e_UC_NEWUSER]); + $edata_li = array('user_id' => $user_id, 'user_name' => $username, 'class_list' => implode(',',$class_list)); + $e_event->trigger('userNotNew', $edata_li); + } + } + $redir = e_SELF; if (e_QUERY) $redir .= '?'.str_replace('&','&',e_QUERY); if (isset($pref['frontpage_force']) && is_array($pref['frontpage_force'])) diff --git a/e107_handlers/user_extended_class.php b/e107_handlers/user_extended_class.php index 11527a5db..5d5b0ffa9 100755 --- a/e107_handlers/user_extended_class.php +++ b/e107_handlers/user_extended_class.php @@ -11,9 +11,9 @@ | GNU General Public License (http://gnu.org). | | $Source: /cvs_backup/e107_0.8/e107_handlers/user_extended_class.php,v $ -| $Revision: 1.19 $ -| $Date: 2008-12-18 15:28:59 $ -| $Author: mcfly_e107 $ +| $Revision: 1.20 $ +| $Date: 2008-12-21 11:07:58 $ +| $Author: e107steved $ +----------------------------------------------------------------------------+ */ 
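Review bot: `unset($class_list[e_UC_NEWUSER]);` removes the element whose index is e_UC_NEWUSER, but `$class_list` is a list of class ids that the surrounding code searches with in_array(), so the new-user class is not actually removed and the `userNotNew` event still reports it; use `$class_list = array_diff($class_list, array(e_UC_NEWUSER));` instead. The commented-out `$admin_log->e_log_event(...)` debug line should be deleted rather than left in the handler. The expiry test `time() > ($lode['user_join'] + (varset($pref['user_new_period'],0)*86400))` depends on `$pref['user_new_period']` being numeric, which the admin options hunk in users.php does not enforce. The enclosing login method continues past this hunk.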
@@ -80,9 +80,9 @@ class e107_user_extended $this->reserved_names = array ( 'id', 'name', 'loginname', 'customtitle', 'password', 'sess', 'email', 'signature', 'image', 'hideemail', - 'join', 'lastvisit', 'currentvisit', 'lastpost', 'chats', + 'join', 'lastvisit', 'currentvisit', 'chats', 'comments', 'forums', 'ip', 'ban', 'prefs', 'viewed', - 'visits', 'admin', 'login', 'class', 'perms', 'realm', 'pwchange', + 'visits', 'admin', 'login', 'class', 'perms', 'pwchange', 'xup' ); diff --git a/e107_handlers/user_handler.php b/e107_handlers/user_handler.php index 944047578..3c6b990a6 100644 --- a/e107_handlers/user_handler.php +++ b/e107_handlers/user_handler.php 
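Review bot: 'lastpost' is dropped from `$this->reserved_names` alongside 'realm', but users.php in this same commit still lists "user_lastpost" in its `$datefields` array, so the column appears to remain in use; removing it from the reserved list would allow an extended field named user_lastpost to clash with it. If the column is being retired that is worth a comment on the array, otherwise the 'lastpost' removal should be reverted. The 'realm' removal matches the commit's stated intent.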
@@ -1,32 +1,34 @@ toDB() + 'stripTags' - strips HTML tags from the value (not an error if there are some) + 'minLength' - minimum length (in utf-8 characters) for the string + 'maxLength' - minimum length (in utf-8 characters) for the string + 'longTrim' - if set, and the string exceeds maxLength, its trimmed + 'enablePref' - value is processed only if the named $pref evaluates to true; otherwise any input is discarded without error +*/ + $this->userVettingInfo = array( + 'user_name' => array('niceName'=> LAN_USER_01, 'vetMethod' => '1,2', 'vetParam' => 'signup_disallow_text', 'srcName' => 'username', 'stripTags' => TRUE, 'stripChars' => '/ |\#|\=|\$/', fixedBlock => 'anonymous', 'minLength' => 2, 'maxLength' => varset($pref['displayname_maxlength'],15)), // Display name + 'user_loginname' => array('niceName'=> LAN_USER_02, 'vetMethod' => '1', 'vetParam' => '', 'srcName' => 'loginname', 'stripTags' => TRUE, 'stripChars' => '/ |\#|\=|\$/', 'minLength' => 2, 'maxLength' => varset($pref['loginname_maxlength'],30)), // User name + 'user_login' => array('niceName'=> LAN_USER_03, 'vetMethod' => '0', 'vetParam' => '', 'srcName' => 'realname', 'dbClean' => 'toDB'), // Real name (no real vetting) + 'user_customtitle' => array('niceName'=> LAN_USER_04, 'vetMethod' => '0', 'vetParam' => '', 'srcName' => 'customtitle', 'dbClean' => 'toDB', 'enablePref' => 'signup_option_customtitle'), // No real vetting + 'user_password' => array('niceName'=> LAN_USER_05, 'vetMethod' => '0', 'vetParam' => '', 'srcName' => 'password1', 'minLength' => varset($pref['signup_pass_len'],1)), + 'user_sess' => array('niceName'=> LAN_USER_06, 'vetMethod' => '0', 'vetParam' => '', 'dbClean' => 'toDB'), // Photo + 'user_image' => array('niceName'=> LAN_USER_07, 'vetMethod' => '0', 'vetParam' => '', 'srcName' => 'image', 'dbClean' => 'toDB'), // Avatar + 'user_email' => array('niceName'=> LAN_USER_08, 'vetMethod' => '1', 'vetParam' => '', 'srcName' => 'email', 'dbClean' => 'toDB'), + 'user_signature' => 
array('niceName'=> LAN_USER_09, 'vetMethod' => '0', 'vetParam' => '', 'srcName' => 'signature', 'dbClean' => 'toDB'), + 'user_hideemail' => array('niceName'=> LAN_USER_10, 'vetMethod' => '0', 'vetParam' => '', 'srcName' => 'hideemail', 'dbClean' => 'intval'), + 'user_xup' => array('niceName'=> LAN_USER_11, 'vetMethod' => '0', 'vetParam' => '', 'srcName' => 'user_xup', 'dbClean' => 'toDB'), + 'user_class' => array('niceName'=> LAN_USER_12, 'vetMethod' => '0', 'vetParam' => '', 'srcName' => 'class', 'dataType' => '1') + ); + + $this->otherFields = array( + 'user_join' => LAN_USER_14, + 'user_lastvisit' => LAN_USER_15, + 'user_currentvisit' => LAN_USER_16, + 'user_comments' => LAN_USER_17, + 'user_ip' => LAN_USER_18, + 'user_ban' => LAN_USER_19, + 'user_prefs' => LAN_USER_20, + 'user_visits' => LAN_USER_21, + 'user_admin' => LAN_USER_22, + 'user_perms' => LAN_USER_23, + 'user_pwchange' => LAN_USER_24 +// user_chats int(10) unsigned NOT NULL default '0', + ); + $this->passwordOpts = varset($pref['passwordEncoding'],0); $this->passwordEmail = varset($pref['allowEmailLogin'],FALSE); switch ($this->passwordOpts) 
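Review bot: The `fixedBlock => 'anonymous'` entry in the `user_name` definition has an unquoted key; PHP treats bare `fixedBlock` as an undefined constant (a notice on PHP 5, a fatal error on later versions), so it should be `'fixedBlock' => 'anonymous'` like the other keys. In the key description above the array, `'maxLength'` is described as the "minimum length"; it should read `'maxLength' - maximum length (in utf-8 characters) for the string`. `user_email` is vetted with vetMethod '1' only, so the comment block should also state where the email-format check that replaced check_email() now happens. The enclosing method starts before and continues after this hunk.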
@@ -142,17 +196,26 @@ class UserHandler // Returns TRUE if change required, FALSE otherwise function isPasswordRequired($fieldName) { - if ($this->preferred == PASSWORD_E107_MD5) return FALSE; - switch ($fieldName) - { - case 'user_email' : - return $this->passwordEmail; - case 'user_loginname' : - return TRUE; - } - return FALSE; + if ($this->preferred == PASSWORD_E107_MD5) return FALSE; + switch ($fieldName) + { + case 'user_email' : + return $this->passwordEmail; + case 'user_loginname' : + return TRUE; + } + return FALSE; } - + + + // Determines whether its necessary to store a separate password for email address validation + function needEmailPassword() + { + if ($this->preferred == PASSWORD_E107_MD5) return FALSE; + if ($this->passwordEmail) return TRUE; + return FALSE; + } + // Checks whether the password value can be converted to the current default // Returns TRUE if conversion possible. @@ -250,7 +313,7 @@ class UserHandler function make_email_query($email, $fieldname = 'banlist_ip') { global $tp; - $tmp = strtolower($tp -> toDB(trim(substr($email, strrpos($email, "@")+1)))); + $tmp = strtolower($tp -> toDB(trim(substr($email, strrpos($email, "@")+1)))); // Pull out the domain name if ($tmp == '') return FALSE; if (strpos($tmp,'.') === FALSE) return FALSE; $em = array_reverse(explode('.',$tmp)); 
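Review bot: needEmailPassword() has no docblock saying when a separate email-based hash is required, and its two tests collapse to one expression: `return ($this->preferred != PASSWORD_E107_MD5) && (bool)$this->passwordEmail;`. A `@return bool` line above it would make clear that callers get a strict boolean here, unlike isPasswordRequired(), which returns the raw `$this->passwordEmail` pref value for 'user_email'.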
@@ -259,103 +322,13 @@ class UserHandler foreach ($em as $e) { $line = '.'.$e.$line; - $out[] = $fieldname."='*{$line}'"; + $out[] = '`'.$fieldname."`='*{$line}'"; } return implode(' OR ',$out); } - // Validate a standard user field (for length, acceptable characters etc). - // Returns TRUE if totally acceptable - // If $justStrip is FALSE, returns FALSE for an unacceptable value - // If $justStrip is TRUE, usually returns a new value (based on that passed) which does validate - usually characters stripped, length trimmed etc - // Note: will return FALSE for some input values regardless of the setting of $justStrip - // Currently coded to always return TRUE if field name not recognised - function validateField($fieldName,$fieldValue, $justStrip = FALSE) - { - global $pref; - $newValue = $fieldValue; - switch ($fieldName) - { - case 'user_loginname' : - $newValue = trim(preg_replace('/ |\#|\=|\$/', "", strip_tags($fieldValue))); - $newValue = substr($newValue,0,varset($pref['loginname_maxlength'],30)); - if (strlen($newValue) < 2) return FALSE; // Always an error if a short string - break; - case 'user_password' : - if (strlen($fieldValue) < $pref['signup_pass_len']) return FALSE; - break; - } - if ($justStrip) - { - return $newValue; - } - else - { - return ($newValue == $fieldValue); - } - } - - - // Takes an array of $_POST fields whose first characters match $prefix, and passes them through the validateField routine - // Returns three arrays - one of validated results, one of failed fields and one of errors corresponding to the failed fields - function validatePostList($prefix = '', $doToDB = TRUE, $justStrip = FALSE) - { - global $tp; - $ret = array('validate' => array(), 'failed' => array(), 'errors' => array()); - foreach ($_POST as $k => $v) - { - if (($prefix == '') || (strpos($k,$prefix) === 0)) - { // Field to validate - $result = $this->validateField($k,$v,$justStrip); - if ($result === FALSE) - { // error - $ret['failed'][$k] = $v; - $ret['errors'][$k] 
= TRUE; - } - else - { - if ($doToTB) $result = $tp->toDB($result); - $ret['validate'][$k] = $result; - } - } - } - return $ret; - } - - // Takes an array of $_POST field names specified in comma-separated form in $fieldlist (blank = 'all'), and passes them through the validateField routine - // Returns three arrays - one of validated results, one of failed fields and one of errors corresponding to the failed fields - function validatePostFields($fieldList = '', $doToDB = TRUE, $justStrip = FALSE) - { - global $tp; - $ret = array('validate' => array(), 'failed' => array(), 'errors' => array()); - if ($fieldList == '') - { - $fieldArray = array_keys($_POST); - } - else - { - $fieldArray = explode(',',$fieldList); - } - foreach ($fieldArray as $k) - { - $k = trim($k); - $result = $this->validateField($k,$_POST[$k],$justStrip); - if ($result === FALSE) - { // error - $ret['failed'][$k] = $_POST[$k]; - $ret['errors'][$k] = TRUE; - } - else - { - if ($doToTB) $result = $tp->toDB($result); - $ret['validate'][$k] = $result; - } - } - return $ret; - } - function makeUserCookie($lode,$autologin = FALSE) { global $pref; 
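Review bot: The deleted validateField() was the only code visible here that enforced `$pref['signup_pass_len']` on `user_password` and stripped spaces, `#`, `=` and `$` from `user_loginname`; the replacement userVettingInfo definitions begin above this chunk, so please confirm they carry an equivalent `minLength` / `stripChars` entry for those two fields, otherwise the minimum password length and login-name character checks are silently lost in this commit. The one surviving change, backtick-quoting `$fieldname` in make_email_query(), is fine, but the column name still comes unvalidated from the caller; a comment such as `// $fieldname is a column name supplied by calling code, never taken from the request` would make that contract explicit for future callers.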
@@ -377,6 +350,188 @@ class UserHandler } } + + // Generate an array of all the basic classes a user belongs to + // if $asArray TRUE, returns results in an array; else as a comma-separated string + // If $incInherited is TRUE, includes inherited classes + function addCommonClasses($userData, $asArray = FALSE, $incInherited = FALSE) + { + if ($incInherited) + { + $classList = array(); + global $e_userclass; + if (!isset($e_userclass) && !is_object($e_userclass)) + { + require_once(e_HANDLER."userclass_class.php"); + $e_userclass = new user_class; + } + $classList = $e_userclass->get_all_user_classes($var['user_class']); + } + else + { + if ($userData['user_class'] != '') $classList = explode(',',$userData['user_class']); + } + foreach (array(e_UC_MEMBER, e_UC_READONLY, e_UC_PUBLIC) as $c) + { + if (!in_array($c,$classList)) + { + $classList[] = $c; + } + } + if ((varset($userData['user_admin'],0) == 1) && strlen($userData['user_perms'])) + { + $classList[] = e_UC_ADMIN; + if (strpos($userData['user_perms'],'0') === 0) + { + $classList[] = e_UC_MAINADMIN; + } + } + if ($asArray) return $classList; + return implode(',',$classList); + } + + + // Return an array of descriptive names for each field in the user DB. If $all is false, just returns the modifiable ones. 
Else returns all + function getNiceNames($all = FALSE) + { +// $ret = array('user_id' => LAN_USER_13); + foreach ($this->userVettingInfo as $k => $v) + { + $ret[$k] = $v['niceName']; + } + if ($all) + { + $ret = array_merge($ret, $this->otherFields); + } + return $ret; + } +//=================================================== +// User Field validation +//=================================================== + +/* $_POST field names: + + DB signup usersettings quick add function + ------------------------------------------------------------------------------ + user_id - user_id - Unique user ID + user_name name username username Display name + user_loginname loginname loginname loginname User name (login name) + user_customtitle - customtitle - Custom title + user_password password1 password1 password1 Password (prior to encoding) + password2 password2 password1 (Check password field) + user_sess * - Photo (file on server) + user_email email email email Email address + email_confirm + user_signature signature signature - User signature + user_image image image* - Avatar (may be external URL or file on server) + user_hideemail hideemail hideemail - Flag to hide user's email address + user_login realname realname realname User Real name + user_xup xupexist user_xup - XUP file link + user_class class class userclass User class (array on form) + +user_loginname may be auto-generated +* avatar (user_image) and photo (user_sess) may be uploaded files + +Following fields auto-filled in code as required: + user_join + user_lastvisit + user_currentvisit + user_chats + user_comments + user_forums + user_ip + user_ban + user_prefs + user_viewed + user_visits + user_admin + user_perms + user_pwchange + +*/ + // Function does validation specific to user data. Updates the $targetData array as appropriate. 
+ // Returns TRUE if nothing updated; FALSE if errors found (only checks data previously passed as good) + function userValidation(&$targetData) + { + global $e107, $pref; + $u_sql = new db; + $ret = TRUE; + if (isset($targetData['validate']['user_email'])) + { + $v = trim($targetData['validate']['user_email']); // Always check email address if its entered + if ($v == '') + { + $errMsg = ERR_MISSING_VALUE; + } + elseif (!check_email($v)) + { + $errMsg = ERR_INVALID_EMAIL; + } + elseif ($u_sql->db_Count('user', '(*)', "WHERE `user_email`='".$v."' AND `user_ban`=1 ")) + { + $errMsg = ERR_BANNED_USER; + } + else + { // See if email address banned + $wc = $this->make_email_query($v); // Generate the query for the ban list + if ($wc) { $wc = "`banlist_ip`='{$v}' OR ".$wc; } + if (($wc === FALSE) || !$e107->check_ban($wc, FALSE, TRUE)) + { + echo "Email banned
"; + $errMsg = ERR_BANNED_EMAIL; + } + } + if ($errMsg) + { + unset($targetData['validate']['user_email']); // Remove the valid entry + } + } + else + { + if (!isset($targetData['errors']['user_email']) && !varset($pref['disable_emailcheck'],FALSE)) + { // We may have already picked up an error on the email address - or it may be allowed to be empty + $errMsg = ERR_MISSING_VALUE; + } + } + if ($errMsg) + { // Update the error + $targetData['errors']['user_email'] = $errMsg; + $targetData['failed']['user_email'] = $v; + $ret = FALSE; + } + return $ret; + } + + // Given an array of user data intended to be written to the DB, adds empty strings (or other default value) for any field which doesn't have a default in the SQL definition. + // (Avoids problems with MySQL in STRICT mode.). + // Returns TRUE if additions made, FALSE if no change. + function addNonDefaulted(&$userInfo) + { + $nonDefaulted = array('user_signature' => '', 'user_prefs' => '', 'user_class' => '', 'user_perms' => ''); + $ret = FALSE; + foreach ($nonDefaulted as $k => $v) + { + if (!isset($userInfo[$k])) + { + $userInfo[$k] = $v; + $ret = TRUE; + } + } + return $ret; + } + + + // Delete time-expired partial registrations from the user DB + function deleteExpired() + { + global $pref, $sql; + if (isset($pref['del_unv']) && $pref['del_unv'] && $pref['user_reg_veri'] != 2) + { + $threshold=(time() - ($pref['del_unv'] * 60)); + $sql->db_Delete("user", "user_ban = 2 AND user_join < '{$threshold}' "); + } + } } + ?> diff --git a/e107_handlers/userclass_class.php b/e107_handlers/userclass_class.php index 30f73b0a5..75a146496 100644 --- a/e107_handlers/userclass_class.php +++ b/e107_handlers/userclass_class.php 
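Review bot: In userValidation() the e-mail value `$v` is interpolated into two SQL fragments (the `db_Count()` WHERE clause and the banlist_ip clause prepended to `$wc`) after only `trim()`, so the function is safe only when the caller has already run the `'toDB'` dbClean on `user_email`; state that precondition in the header comment or escape the value here. `$errMsg` and `$v` are never initialised, so the all-checks-pass path evaluates `if ($errMsg)` on an undefined variable and the else-branch stores an undefined `$v` into `$targetData['failed']['user_email']`; add `$errMsg = ''; $v = '';` after `$ret = TRUE;`. The `echo "Email banned"` debug line writes straight into the response and should be removed. In addCommonClasses() the inherited branch passes `$var['user_class']` (undefined) instead of `$userData['user_class']`, and in the other branch `$classList` is never set when `user_class` is empty, so the following `in_array()` runs on null; initialise `$classList = array();` before `if ($incInherited)` and fix the variable name. Note also that `($wc === FALSE)` reports a make_email_query() failure as ERR_BANNED_EMAIL, which may be intended but deserves a comment.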
@@ -11,9 +11,9 @@ | GNU General Public License (http://gnu.org). | | $Source: /cvs_backup/e107_0.8/e107_handlers/userclass_class.php,v $ -| $Revision: 1.23 $ -| $Date: 2008-12-12 22:39:17 $ -| $Author: secretr $ +| $Revision: 1.24 $ +| $Date: 2008-12-21 11:07:58 $ +| $Author: e107steved $ +----------------------------------------------------------------------------+ */ @@ -26,7 +26,7 @@ if (!defined('e107_INIT')) { exit; } require_once(e_HANDLER.'arraystorage_class.php'); -include_lan(e_LANGUAGEDIR.e_LANGUAGE."/lan_userclass.php"); +include_lan(e_LANGUAGEDIR.e_LANGUAGE.'/lan_userclass.php'); /* @@ -39,10 +39,9 @@ define("e_UC_MEMBER", 253); define("e_UC_ADMIN", 254); define("e_UC_NOBODY", 255); */ -// Move these definitions to class2.php later if they're adopted -define("e_UC_ADMINMOD",249); -define("e_UC_MODS",248); -//define("e_UC_USERS",247); +define('e_UC_ADMINMOD',249); +define('e_UC_MODS',248); +define('e_UC_NEWUSER',247); // Users in 'probationary' period define('e_UC_SPECIAL_BASE',245); // Assign class IDs 245 and above for fixed/special purposes define('UC_CLASS_ICON_DIR','userclasses/'); // Directory for userclass icons @@ -77,11 +76,12 @@ class user_class e_UC_MEMBER => UC_LAN_3, e_UC_ADMIN => UC_LAN_5, e_UC_MAINADMIN => UC_LAN_6, - e_UC_READONLY => UC_LAN_4 + e_UC_READONLY => UC_LAN_4, + e_UC_NEWUSER => UC_LAN_9 ); $this->text_class_link = array('public' => e_UC_PUBLIC, 'guest' => e_UC_GUEST, 'nobody' => e_UC_NOBODY, 'member' => e_UC_MEMBER, - 'admin' => e_UC_ADMIN, 'main' => e_UC_MAINADMIN, 'readonly' => e_UC_READONLY); + 'admin' => e_UC_ADMIN, 'main' => e_UC_MAINADMIN, 'readonly' => e_UC_READONLY, 'new' => e_UC_NEWUSER); $this->readTree(TRUE); // Initialise the classes on entry } 
@@ -121,8 +121,18 @@ class user_class { if (!isset($this->class_tree[$c]) && ($c != e_UC_PUBLIC)) { - // $this->class_tree[$c]['userclass_parent'] = (($c == e_UC_MEMBER) || ($c == e_UC_NOBODY)) ? e_UC_PUBLIC : e_UC_MEMBER; - $this->class_tree[$c]['userclass_parent'] = (($c == e_UC_ADMIN) || ($c == e_UC_MAINADMIN)) ? e_UC_MEMBER : e_UC_PUBLIC ; + switch ($c) + { + case e_UC_ADMIN : + case e_UC_MAINADMIN : + $this->class_tree[$c]['userclass_parent'] = e_UC_NOBODY; + break; + case e_UC_NEWUSER : + $this->class_tree[$c]['userclass_parent'] = e_UC_MEMBER; + break; + default : + $this->class_tree[$c]['userclass_parent'] = e_UC_PUBLIC; + } $this->class_tree[$c]['userclass_id'] = $c; $this->class_tree[$c]['userclass_name'] = $d; $this->class_tree[$c]['userclass_description'] = 'Fixed class'; @@ -236,6 +246,7 @@ class user_class readonly admin main - main admin + new - new users classes - shows all classes matchclass - if 'classes' is set, this option will only show the classes that the user is a member of language - list of languages. @@ -250,9 +261,9 @@ class user_class */ function uc_dropdown($fieldname, $curval = 0, $optlist = "", $extra_js = '') { - global $pref; + global $pref; - $show_classes = $this->uc_required_class_list($optlist); + $show_classes = $this->uc_required_class_list($optlist); $text = ''; foreach ($show_classes as $k => $v) @@ -328,7 +339,7 @@ class user_class // if (isset($opt_arr[$k]) || isset($opt_arr['force'])) if (isset($opt_arr[$k])) { - $ret[$v] = $just_ids ? '1' : $this->fixed_classes[$v]; + $ret[$v] = $just_ids ? '1' : $this->fixed_classes[$v]; } } @@ -362,7 +373,7 @@ class user_class $ret[e_UC_READONLY] = $this->class_tree[e_UC_READONLY]['userclass_description']; } */ - return $ret; + return $ret; } 
@@ -421,44 +432,44 @@ class user_class $current_value is a single class number for single-select dropdown; comma separated array of class numbers for checkbox list or multi-select $optlist works the same as for other class displays */ - function vetted_sub_tree($treename, $callback,$listnum,$nest_level,$current_value, $perms) - { - $ret = ''; - $nest_level++; - foreach ($this->class_tree[$listnum]['class_children'] as $p) + function vetted_sub_tree($treename, $callback,$listnum,$nest_level,$current_value, $perms) { - // Looks like we don't need to differentiate between function and class calls - if (isset($perms[$p])) - { - $ret .= call_user_func($callback,$treename, $p,$current_value,$nest_level); - } - $ret .= $this->vetted_sub_tree($treename, $callback,$p,$nest_level,$current_value, $perms); + $ret = ''; + $nest_level++; + foreach ($this->class_tree[$listnum]['class_children'] as $p) + { + // Looks like we don't need to differentiate between function and class calls + if (isset($perms[$p])) + { + $ret .= call_user_func($callback,$treename, $p,$current_value,$nest_level); + } + $ret .= $this->vetted_sub_tree($treename, $callback,$p,$nest_level,$current_value, $perms); + } + return $ret; } - return $ret; - } - function vetted_tree($treename, $callback='', $current_value='', $optlist = '') - { - $ret = ''; - if (!$callback) $callback=array($this,'select'); - $current_value = str_replace(' ','',$current_value); // Simplifies parameter passing for the tidy-minded + function vetted_tree($treename, $callback='', $current_value='', $optlist = '') + { + $ret = ''; + if (!$callback) $callback=array($this,'select'); + $current_value = str_replace(' ','',$current_value); // Simplifies parameter passing for the tidy-minded - $perms = $this->uc_required_class_list($optlist,TRUE); // List of classes which we can display - if (isset($perms[e_UC_BLANK])) - { - $ret .= call_user_func($callback,$treename, e_UC_BLANK, $current_value,0); + $perms = 
$this->uc_required_class_list($optlist,TRUE); // List of classes which we can display + if (isset($perms[e_UC_BLANK])) + { + $ret .= call_user_func($callback,$treename, e_UC_BLANK, $current_value,0); + } + foreach ($this->class_parents as $p) + { + if (isset($perms[$p])) + { + $ret .= call_user_func($callback,$treename, $p,$current_value,0); + } + $ret .= $this->vetted_sub_tree($treename, $callback,$p,0, $current_value, $perms); + } + return $ret; } - foreach ($this->class_parents as $p) - { - if (isset($perms[$p])) - { - $ret .= call_user_func($callback,$treename, $p,$current_value,0); - } - $ret .= $this->vetted_sub_tree($treename, $callback,$p,0, $current_value, $perms); - } - return $ret; - } // Callback for vetted_tree - Creates the option list for a selection box @@ -595,6 +606,20 @@ class user_class return FALSE; // not found } + + // Utility to remove a specified class ID from the default comma-separated list + function ucRemove($classID, $from, $asArray = FALSE) + { + $tmp = array_flip(explode(',',$from)); + if (isset($tmp[$classID])) + { + unset($tmp[$classID]); + } + $tmp = array_keys($tmp); + if ($asArray) { return $tmp; } + return implode(',',$tmp); + } + /* Return all users in a particular class or set of classes. @@ -1162,6 +1187,12 @@ class user_class_admin extends user_class 'userclass_editclass' => e_UC_MAINADMIN, 'userclass_parent' => e_UC_ADMINMOD, 'userclass_visibility' => e_UC_MEMBER + ), + array('userclass_id' => e_UC_NEWUSER, 'userclass_name' => UC_LAN_9, + 'userclass_description' => UCSLAN_87, + 'userclass_editclass' => e_UC_MAINADMIN, + 'userclass_parent' => e_UC_MEMBER, + 'userclass_visibility' => e_UC_ADMIN ) ); diff --git a/e107_handlers/validator_class.php b/e107_handlers/validator_class.php new file mode 100644 index 000000000..ed2a12c35 --- /dev/null +++ b/e107_handlers/validator_class.php 
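Review bot: ucRemove() matches on the exact tokens of `explode(',', $from)`, so a list written with spaces after the commas (`'1, 2'`) never matches `$classID` and is returned unchanged, whereas vetted_tree() in the preceding hunk normalises its input with `str_replace(' ','',$current_value)` first. Apply the same normalisation, `$tmp = array_flip(explode(',', str_replace(' ', '', $from)));`, and mention in the function comment that the returned list is re-indexed from zero. The e_UC_NEWUSER row added to the fixed-class table further down should carry a comment that it must stay in step with the `e_UC_NEWUSER` define and the `fixed_classes` / `text_class_link` entries added earlier in this file.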
@@ -0,0 +1,378 @@ +toDB() + - 'intval' - makes an integer + 'stripTags' - strips HTML tags from the value (not an error if there are some) + 'minLength' - minimum length (in utf-8 characters) for the string + 'maxLength' - minimum length (in utf-8 characters) for the string + 'minVal' - lowest allowed value for numerics + 'maxVal' - highest allowed value for numerics + 'longTrim' - if set, and the string exceeds maxLength, its trimmed + 'enablePref' - value is processed only if the named $pref evaluates to true; otherwise any input is discarded without error + 'dataType' - selects special processing methods: + 1 - array of numerics (e.g. class membership) + + In general, only define an option if its to be used +*/ + + +class validatorClass +{ + // Passed an array of 'source' fields and an array of definitions to validate. The definition may include the name of a validation function. + // Returns three arrays - one of validated results, one of failed fields and one of errors corresponding to the failed fields + // Normally processes only those source fields it finds (and for which it has a definition). If $addDefaults is true, sets defaults for those that have + // ...one and aren't otherwise defined. 
+ function validateFields(&$sourceFields, &$definitions, $addDefaults = FALSE) + { + global $tp, $pref; + $ret = array('validate' => array(), 'failed' => array(), 'errors' => array()); + foreach ($definitions as $dest => $defs) + { + $errNum = 0; // Start with no error + $src = varset($defs['srcName'],$dest); // Set source field name + if (!isset($sourceFields[$src])) + { + if ($addDefaults) + { + if (isset($defs['default'])) + { + $ret['validate'] = $defs['default']; // Set default value if one is specified + } //...otherwise don't add the value at all + } + else + { + $ret['errors'][$dest] = ERR_MISSING_VALUE; // No source value + } + } + else + { // Got a field we want, and some data to validate here + $value = $sourceFields[$src]; + if (!$errNum && isset($defs['enablePref'])) + { // Only process this field if a specified pref enables it + if (!varsettrue($pref[$options['enablePref']])) + { + continue; // Just loop to the next field - ignore this one. + } + } + if (!$errNum && isset($defs['stripTags'])) + { + $newValue = trim(strip_tags($value)); + if ($newValue <> $value) + { + $errNum = ERR_INVALID_CHARS; + } + $value = $newValue; + } + if (!$errNum && isset($defs['stripChars'])) + { + $newValue = trim(preg_replace($defs['stripChars'], "", $value)); + if ($newValue <> $value) + { + $errNum = ERR_INVALID_CHARS; + } + $value = $newValue; + } + if (!$errNum && isset($defs['minLength']) && $tp->uStrLen($value) < $defs['minLength']) + { + if ($value == '') + { + $errNum = ERR_MISSING_VALUE; + } + else + { + $errNum = ERR_TOO_SHORT; + } + } + if (!$errNum && isset($defs['maxLength']) && $tp->uStrLen($value) > $defs['maxLength']) + { + if (varsettrue($defs['longtrim'])) + { + $value = substr($value,0,$defs['maxLength']); + } + else + { + $errNum = ERR_TOO_LONG; + } + } + if (!$errnum && isset($defs['minVal']) && ($value < $defs['minVal'])) + { + $errNum = ERR_TOO_LOW; + } + if (!$errnum && isset($defs['maxVal']) && ($value < $defs['maxVal'])) + { + $errNum = 
ERR_TOO_HIGH; + } + if (!$errNum && isset($defs['fixedBlock'])) + { + $newValue = $tp->uStrToLower($value); + $temp = explode(',',$defs['fixedBlock']); + foreach ($temp as $t) + { + if ($newValue == $tp->uStrToLower($t)) + { + $errNum = ERR_INVALID_WORD; + break; + } + } + } + if (!$errNum && isset($defs['dataType'])) + { + switch ($defs['dataType']) + { + case 1 : // Assumes we're passed an array variable to be turned into a comma-separated list of integers + if (is_array($value)) + { + $temp = array(); + foreach ($value as $v) + { + $temp[] = intval($v); + } + $value = implode(',',array_unique($temp)); + } + else + { + $errNum = ERR_ARRAY_EXPECTED; + } + default : + $errNum = ERR_CODE_ERROR; // Pick up bad values + } + } + if (!$errNum) + { + if (isset($defs['dbClean'])) + { + switch ($defs['dbClean']) + { + case 'toDB' : + $value = $tp->toDB($value); + break; + case 'intval' : + $value = intval($value); + break; + default : + echo "Invalid dbClean method: {$defs['dbClean']}
"; // Debug message + } + } + $ret['validate'][$dest] = $value; // Success!! + } + } + if ($errNum) + { // error to report + $ret['errors'][$dest] = $errNum; + $ret['failed'][$dest] = $sourceFields[$src]; // Save value with error + } + } + return $ret; + } + + +/* + // Validate data against a DB table + // Inspects the passed array of user data (not necessarily containing all possible fields) and validates against the DB where appropriate. + // Just skips over fields for which we don't have a validation routine without an error + // The target array is as returned from validateFields(), so has 'validate', 'failed' and 'errors' first-level sub-arrays + // All the 'vetting methods' begin 'vet', and don't overlap with validateFields(), so the same definition array may be used for both + // Similarly, error numbers don't overlap with validateFields() + // Typically checks for unacceptable duplicates, banned users etc + // Any errors are reflected by updating the passed array. + // Returns TRUE if all data validates, FALSE if any field fails to validate. Checks all fields which are present, regardless + // For some things we need to know the user_id of the data being validated, so may return an error if that isn't specified + + Parameters: + 'vetMethod' - see list below. 
To use more than one method, specify comma-separated + 'vetParam' - possible parameter for some vet methods + + Valid 'vetMethod' values (use comma separated list for multiple vetting): + 0 - Null method + 1 - Check for duplicates - field name in table must be the same as array index unless 'dbFieldName' specifies otherwise + 2 - Check against the comma-separated wordlist in the $pref named in vetParam['signup_disallow_text'] + +*/ + function dbValidateArray(&$targetData, &$definitions, $targetTable, $userID = 0) + { + global $pref; + $u_sql = new db; + $allOK = TRUE; + $userID = intval($userID); // Precautionary + if (!$targetTable) return FALSE; + foreach ($targetData['validate'] as $f => $v) + { + $errMsg = ''; + if (isset($definitions[$f])) + { + $options = $definitions[$f]; // Validation options to use + if (isset($options['vetMethod'])) + { + $toDo = explode(',',$options['vetMethod']); + foreach ($toDo as $vm) + { + switch ($vm) + { + case 0 : // Shouldn't get this - just do nothing if we do + break; + case 1 : // Check for duplicates. + if ($v == '') + { + $errMsg = ERR_MISSING_VALUE; + break; + } + $field = varset($options['dbFieldName'],$f); + if ($temp = $u_sql->db_Count($targetTable, "(*)", "WHERE `{$f}`='".$v."' AND `user_id` != ".$userID)) + { + $errMsg = ERR_DUPLICATE; + } +// echo "Duplicate check: {$f} = {$v} Result: {$temp}
"; + break; + case 2 : // Check against $pref + if (isset($options['vetParam']) && isset($pref[$options['vetParam']])) + { + $tmp = explode(",", $pref[$options['vetParam']]); + foreach($tmp as $disallow) + { + if(stristr($v, trim($disallow))) + { + $errMsg = ERR_DISALLOWED_TEXT; + } + } + unset($tmp); + } + break; + default : + echo 'Invalid vetMethod: '.$options['vetMethod'].'
'; // Really a debug aid - should never get here + } + if ($errMsg) { break; } // Just trap first error + } + // Add in other validation methods here + } + } + if ($errMsg) + { // Update the error + $targetData['errors'][$f] = $errMsg; + $targetData['failed'][$f] = $v; + unset($targetData['validate'][$f]); // Remove the valid entry + $allOK = FALSE; + } + } + return $allOK; + } + + + // Given a comma-separated string of required fields, and an array of data, adds an error message for each field which doesn't already have an entry. + // Returns TRUE if no changes (which doesn't mean there are no errors - other routines may have found them). FALSE if new errors + function checkMandatory($fieldList, &$target) + { + $fields = explode(',', $fieldList); + $allOK = TRUE; + foreach ($fields as $f) + { + if (!isset($target['validate'][$f]) && !isset($target['errors'][$f])) + { + $allOK = FALSE; + $targetData['errors'][$f] = ERR_MISSING_VALUE; + } + } + return $allOK; + } + + + // Given two arrays, returns an array of those elements in $input which are different from the corresponding element in $refs. + // If $addMissing == TRUE, includes any element in $input for which there isn't a corresponding element in $refs + function findChanges(&$input, &$refs, $addMissing = FALSE) + { + $ret = array(); + foreach ($input as $k => $v) + { + if (isset($refs[$k])) + { + if ($refs[$k] != $v) { $ret[$k] = $v; } + } + else + { + if ($addMissing) { $ret[$k] = $v; } + } + } + return $ret; + } + + + // Given a vetted array of variables, generates a list of errors using the specified format string. + // %n is the error number (as stored on the array) + // %t is the corresponding error message, made by concatenating $constPrefix and the error number to form a constant (e.g. $constPrefix = 'USER_ERROR_') + // %v calls up the entered value + // %f is the field name + // %x is the 'nice name' - possible if parameter list passed. 
Otherwise field name added + // $EOL is inserted after all messages except the last. + // If $EOL is an empty string, returns an array of messages. + function makeErrorList($vars, $constPrefix, $format = '%n - %x %t: %v', $EOL = '
', $niceNames = NULL) + { + if (count($vars['errors']) == 0) return ''; + $eList = array(); + $checkNice = ($niceNames != NULL) && is_array($niceNames); + foreach ($vars['errors'] as $f => $n) + { + $curLine = $format; + $curLine = str_replace('%n', $n, $curLine); + $curLine = str_replace('%t', constant($constPrefix.$n), $curLine); + $curLine = str_replace('%v', $vars['failed'][$f],$curLine); // Possibly this should have some protection added + $curLine = str_replace('%f', $f, $curLine); + if ($checkNice & isset($niceNames[$f]['niceName'])) + { + $curLine = str_replace('%x', $niceNames[$f]['niceName'], $curLine); + } + else + { + $curLine = str_replace('%x', $f, $curLine); // Just use the field name + } + $eList[] = $curLine; + } + if ($EOL == '') return $eList; + return implode($EOL, $eList); + } +} + + +?> diff --git a/e107_languages/English/admin/lan_userclass2.php b/e107_languages/English/admin/lan_userclass2.php index 04f310667..7b8337ddc 100644 --- a/e107_languages/English/admin/lan_userclass2.php +++ b/e107_languages/English/admin/lan_userclass2.php @@ -4,8 +4,8 @@ | e107 website system - Language File. | | $Source: /cvs_backup/e107_0.8/e107_languages/English/admin/lan_userclass2.php,v $ -| $Revision: 1.6 $ -| $Date: 2008-11-29 21:16:54 $ +| $Revision: 1.7 $ +| $Date: 2008-12-21 11:07:58 $ | $Author: e107steved $ +----------------------------------------------------------------------------+ */ @@ -95,6 +95,11 @@ define('UCSLAN_83', 'Classes in group'); define('UCSLAN_84', ' (Group)'); define('UCSLAN_85', 'You have assigned all available classes; please reassign one which is not in use'); define('UCSLAN_86', 'Some settings not allowed for admin classes - they have been set to defaults. '); +define('UCSLAN_87', 'Recently joined users'); +define('UCSLAN_88', ''); +define('UCSLAN_89', ''); +define('UCSLAN_90', ''); +define('UCSLAN_91', ''); define("UCSLAN_UPDATE", 'Update'); 
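Review bot: validateFields() has several defects that make parts of the validation silently never apply: `$options['enablePref']` reads an undefined `$options` (should be `$defs`), `$ret['validate'] = $defs['default']` drops the `[$dest]` index and clobbers the whole result array, the `minVal`/`maxVal` guards test lowercase `$errnum` (undefined, so they run even after an earlier error) and `maxVal` compares with `<` instead of `>`, and `case 1` of the `dataType` switch has no `break`, so every array value falls through to `ERR_CODE_ERROR` — which means the `user_class` definition with `'dataType' => '1'` in user_handler.php can never validate. The header documents `longTrim` but the code checks `$defs['longtrim']` (array keys are case-sensitive), and the trim uses byte-wise `substr()` although the limit was measured with `$tp->uStrLen()`, so it can cut a multi-byte character in half. checkMandatory() writes its errors into `$targetData` instead of the by-reference parameter `$target`, so the caller gets FALSE but no error entry; change it to `$target['errors'][$f] = ERR_MISSING_VALUE;`. makeErrorList() substitutes the raw failed input for `%v` with no escaping although the result is emitted as markup (the default `$EOL` appears to be an HTML line break), so a rejected value containing markup would be reflected to the page; use `str_replace('%v', htmlspecialchars($vars['failed'][$f], ENT_QUOTES, 'UTF-8'), $curLine)`. In dbValidateArray() `$field` (from `dbFieldName`) is computed but the query still interpolates `$f`, and `$v` goes into the SQL unescaped, which relies on it having passed the `toDB` dbClean — document that precondition and switch the query to `$field`.
```php
function validateFields(&$sourceFields, &$definitions, $addDefaults = FALSE)
{
    // … unchanged: result array setup, loop header, source-name lookup …
                    $ret['validate'][$dest] = $defs['default'];   // was $ret['validate'] = ..., which replaced the whole array
    // … unchanged: ERR_MISSING_VALUE branch …
                if (!$errNum && isset($defs['enablePref']))
                {
                    if (!varsettrue($pref[$defs['enablePref']]))   // was $options['enablePref']; $options is undefined here
    // … unchanged: stripTags, stripChars, minLength …
                    if (varsettrue($defs['longTrim']))             // key must match the documented option name
                    {
                        $value = $tp->uSubStr($value, 0, $defs['maxLength']);   // character-based, to match uStrLen() — confirm helper name
    // … unchanged: ERR_TOO_LONG branch …
                if (!$errNum && isset($defs['minVal']) && ($value < $defs['minVal']))
    // … unchanged: ERR_TOO_LOW …
                if (!$errNum && isset($defs['maxVal']) && ($value > $defs['maxVal']))
    // … unchanged: ERR_TOO_HIGH, fixedBlock …
                        else
                        {
                            $errNum = ERR_ARRAY_EXPECTED;
                        }
                        break;   // without this, case 1 fell into default and set ERR_CODE_ERROR
    // … unchanged: dbClean, success assignment, error reporting, return …
```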
diff --git a/e107_languages/English/admin/lan_users.php b/e107_languages/English/admin/lan_users.php index 6651611d6..607b0ec0c 100644 --- a/e107_languages/English/admin/lan_users.php +++ b/e107_languages/English/admin/lan_users.php @@ -1,13 +1,18 @@ {DELUSER} users marked as 'bounced' (out of {FOUND} emails)"); +define("USRLAN_156", "Email address is already in use"); define('USRLAN_160', 'Total --COUNT-- users of type --TYPE-- pruned'); define('USRLAN_161', 'User ID --UID-- name --NAME-- banned'); @@ -170,12 +176,12 @@ define('USRLAN_170', 'Random user name'); define('USRLAN_171', 'Random password'); define('USRLAN_172', 'Password set'); define('USRLAN_173', 'Login name set'); -define('USRLAN_174', ''); +define('USRLAN_174', 'User name --NAME-- created'); define('USRLAN_175', ''); -define('USRLAN_179', "User banned: "); -define('USRLAN_180', "IP address of {IP} appears on whitelist; IP not banned."); -define('USRLAN_181', "Send confirmation email with password to new user"); +define('USRLAN_179', 'User banned: '); +define('USRLAN_180', 'IP address of {IP} appears on whitelist; IP not banned.'); +define('USRLAN_181', 'Send confirmation email with password to new user'); define('USRLAN_182', 'Invalid characters in login name'); define('USRLAN_183', 'That login name already in use'); define('USRLAN_184', 'Length of login name outside limits'); 
@@ -186,49 +192,19 @@ define('USRLAN_187', 'Access to website: '); define('USRLAN_188', 'Email sent successfully'); define('USRLAN_189', 'Error sending email'); -define("LAN_MAINADMIN","Main Admin"); -define("LAN_ADMIN","Admin"); -define("LAN_NOTVERIFIED","Not Verified"); -define("LAN_BANNED","Banned"); -define("LAN_BOUNCED","Bounced"); +define('USRLAN_190', 'New user probationary period (days)'); +define('USRLAN_191', '(admin can impose restrictions during this period in some areas)'); +define('USRLAN_192', 'days'); +define('USRLAN_193', 'Nothing changed - not saved'); +define('USRLAN_194', ''); +define('USRLAN_195', ''); -define("DUSRLAN_1", "ID"); -define("DUSRLAN_2", "Display Name"); -define("DUSRLAN_3", "Username"); -define("DUSRLAN_4", "Custom Title"); -define("DUSRLAN_5", "Password"); -define("DUSRLAN_6", "Photo"); -define("DUSRLAN_7", "Email"); -define("DUSRLAN_8", "Website"); -define("DUSRLAN_9", "ICQ"); -define("DUSRLAN_10", "AIM"); -define("DUSRLAN_11", "MSN"); -define("DUSRLAN_12", "Location"); -define("DUSRLAN_13", "Birthday"); -define("DUSRLAN_14", "Signature"); -define("DUSRLAN_15", "Avatar"); -define("DUSRLAN_16", "Timezone"); -define("DUSRLAN_17", "Hide Email"); -define("DUSRLAN_18", "Join Date"); -define("DUSRLAN_19", "Last Visit"); -define("DUSRLAN_20", "Current Visit"); -define("DUSRLAN_21", "Last Post"); -define("DUSRLAN_22", "Chatbox Posts"); -define("DUSRLAN_23", "Comments"); -define("DUSRLAN_24", "Forum Posts"); -define("DUSRLAN_25", "IP"); -define("DUSRLAN_26", "Ban"); -define("DUSRLAN_27", "Prefs"); -define("DUSRLAN_28", "New"); -define("DUSRLAN_29", "Viewed"); -define("DUSRLAN_30", "Visits"); -define("DUSRLAN_31", "Admin"); -define("DUSRLAN_32", "Real Name"); -define("DUSRLAN_33", "User Class"); -define("DUSRLAN_34", "Perms"); -define("DUSRLAN_35", "Tracked threads"); -define("DUSRLAN_36", "Password Change"); -define("DUSRLAN_37", "XUP"); + +define('LAN_MAINADMIN','Main Admin'); +define('LAN_ADMIN','Admin'); +define('LAN_NOTVERIFIED','Not 
Verified'); +define('LAN_BANNED','Banned'); +define('LAN_BOUNCED','Bounced'); ?> \ No newline at end of file diff --git a/e107_languages/English/lan_signup.php b/e107_languages/English/lan_signup.php index ac93e281b..ac9140de3 100644 --- a/e107_languages/English/lan_signup.php +++ b/e107_languages/English/lan_signup.php @@ -1,13 +1,18 @@ \ No newline at end of file diff --git a/signup.php b/signup.php index 7750bd975..f85beb866 100644 --- a/signup.php +++ b/signup.php @@ -1,36 +1,30 @@ db_Delete("user", "user_ban = 2 AND user_join < '{$threshold}' "); -} include_once(e_HANDLER."user_extended_class.php"); $usere = new e107_user_extended; @@ -38,6 +32,7 @@ require_once(e_HANDLER."calendar/calendar_class.php"); $cal = new DHTML_Calendar(true); require_once(e_HANDLER.'user_handler.php'); $user_info = new UserHandler; +$user_info->deleteExpired(); // Delete time-expired partial registrations if (is_readable(THEME."signup_template.php")) { @@ -74,76 +69,76 @@ if(e_QUERY == "resend" && !USER && ($pref['user_reg_veri'] == 1)) } if($_POST['submit_resend']) - { // Action user's submitted information - // 'resend_email' - user name or email address actually used to sign up - // 'resend_newemail' - corrected email address - // 'resend_password' - password (required if changing email address) + { // Action user's submitted information + // 'resend_email' - user name or email address actually used to sign up + // 'resend_newemail' - corrected email address + // 'resend_password' - password (required if changing email address) if($_POST['resend_email'] && !$new_email && $sql->db_Select_gen("SELECT * FROM #user WHERE user_ban=0 AND user_sess='' AND (user_loginname= \"".$tp->toDB($_POST['resend_email'])."\" OR user_name = \"".$tp->toDB($_POST['resend_email'])."\" OR user_email = \"".$clean_email."\" ) ")) - { // Account already activated + { // Account already activated $ns -> tablerender(LAN_SIGNUP_40,LAN_SIGNUP_41."
"); require_once(FOOTERF); exit; } - // Start by looking up the user - if(!$sql->db_Select("user", "*", "(user_loginname = \"".$tp->toDB($_POST['resend_email'])."\" OR user_name = \"".$tp->toDB($_POST['resend_email'])."\" OR user_email = \"".$clean_email."\" ) AND user_ban=".USER_REGISTERED_NOT_VALIDATED." AND user_sess !='' LIMIT 1")) - { - require_once(e_HANDLER."message_handler.php"); - message_handler("ALERT",LAN_SIGNUP_64); // email (or other info) not valid. - exit; - } - $row = $sql -> db_Fetch(); - // We should have a user record here - - if(trim($_POST['resend_password']) !="" && $new_email) - { // Need to change the email address - check password to make sure - if ($user_info->CheckPassword($_POST['resend_password'], $row['user_loginname'], $row['user_password']) === TRUE) + // Start by looking up the user + if(!$sql->db_Select("user", "*", "(user_loginname = \"".$tp->toDB($_POST['resend_email'])."\" OR user_name = \"".$tp->toDB($_POST['resend_email'])."\" OR user_email = \"".$clean_email."\" ) AND user_ban=".USER_REGISTERED_NOT_VALIDATED." AND user_sess !='' LIMIT 1")) { - if($sql->db_Update("user", "user_email='".$new_email."' WHERE user_id = '".$row['user_id']."' LIMIT 1 ")) + require_once(e_HANDLER."message_handler.php"); + message_handler("ALERT",LAN_SIGNUP_64); // email (or other info) not valid. + exit; + } + $row = $sql -> db_Fetch(); + // We should have a user record here + + if(trim($_POST['resend_password']) !="" && $new_email) + { // Need to change the email address - check password to make sure + if ($user_info->CheckPassword($_POST['resend_password'], $row['user_loginname'], $row['user_password']) === TRUE) + { + if($sql->db_Update("user", "user_email='".$new_email."' WHERE user_id = '".$row['user_id']."' LIMIT 1 ")) { - $row['user_email'] = $new_email; + $row['user_email'] = $new_email; } } else { - require_once(e_HANDLER."message_handler.php"); - message_handler("ALERT",LAN_SIGNUP_52); // Incorrect Password. 
- exit; + require_once(e_HANDLER."message_handler.php"); + message_handler("ALERT",LAN_SIGNUP_52); // Incorrect Password. + exit; } } + + // Now send the email - got some valid info + $_POST['password1'] = "xxxxxxxxx"; + $_POST['loginname'] = $row['user_loginname']; + $_POST['name'] = $row['user_name']; + $nid = $row['user_id']; + $u_key = $row['user_sess']; - // Now send the email - got some valid info - $_POST['password1'] = "xxxxxxxxx"; - $_POST['loginname'] = $row['user_loginname']; - $_POST['name'] = $row['user_name']; - $nid = $row['user_id']; - $u_key = $row['user_sess']; + $eml = render_email(); + $mailheader_e107id = $nid; + require_once(e_HANDLER."mail.php"); - $eml = render_email(); - $mailheader_e107id = $nid; - require_once(e_HANDLER."mail.php"); + $do_log['signup_action'] = LAN_SIGNUP_63; - $do_log['signup_action'] = LAN_SIGNUP_63; - - if(!sendemail($row['user_email'], $eml['subject'], $eml['message'], $row['user_name'], "", "", $eml['attachments'], $eml['cc'], $eml['bcc'], $returnpath, $returnreceipt,$eml['inline-images'])) - { - $ns -> tablerender(LAN_ERROR,LAN_SIGNUP_42); - $do_log['signup_result'] = LAN_SIGNUP_62; - } - else - { - $ns -> tablerender(LAN_SIGNUP_43,LAN_SIGNUP_44." ".$row['user_email']." - ".LAN_SIGNUP_45."

"); - $do_log['signup_result'] = LAN_SIGNUP_61; - } - // Now log this (log will ignore if its disabled) - $admin_log->user_audit(USER_AUDIT_PW_RES,$do_log,$row['user_id'],$row['user_name']); - require_once(FOOTERF); - exit; - } + if(!sendemail($row['user_email'], $eml['subject'], $eml['message'], $row['user_name'], "", "", $eml['attachments'], $eml['cc'], $eml['bcc'], $returnpath, $returnreceipt,$eml['inline-images'])) + { + $ns -> tablerender(LAN_ERROR,LAN_SIGNUP_42); + $do_log['signup_result'] = LAN_SIGNUP_62; + } + else + { + $ns -> tablerender(LAN_SIGNUP_43,LAN_SIGNUP_44." ".$row['user_email']." - ".LAN_SIGNUP_45."

"); + $do_log['signup_result'] = LAN_SIGNUP_61; + } + // Now log this (log will ignore if its disabled) + $admin_log->user_audit(USER_AUDIT_PW_RES,$do_log,$row['user_id'],$row['user_name']); + require_once(FOOTERF); + exit; + } elseif(!$_POST['submit_resend']) - { // Display form to get info from user + { // Display form to get info from user $text .= "
@@ -188,7 +183,7 @@ if(e_QUERY == "resend" && !USER && ($pref['user_reg_veri'] == 1)) // ------------------------------------------------------------------ -if(!$_POST) // Notice Removal. +if(!$_POST) { $error = ""; @@ -381,7 +376,7 @@ if (isset($_POST['register'])) $error = TRUE; } - if($_POST['xupexist']) + if (varsettrue($pref['xup_enabled']) && varsettrue($_POST['xupexist'])) { require_once(e_HANDLER."xml_class.php"); $xml = new parseXml; @@ -585,7 +580,6 @@ global $db_debug; // Check Email against banlist. $wc = $tp -> toDB("*".trim(substr($_POST['email'], strpos($_POST['email'], "@")))); -// if ($do_email_validate && $sql->db_Select("banlist", "*", "banlist_ip='".$_POST['email']."' OR banlist_ip='{$wc}'")) if ($do_email_validate && !$e107->check_ban("banlist_ip='".$_POST['email']."' OR banlist_ip='{$wc}'",FALSE,TRUE)) { $email_address_OK = FALSE; diff --git a/usersettings.php b/usersettings.php index 1cfec8459..2875a4a8a 100644 --- a/usersettings.php +++ b/usersettings.php @@ -11,9 +11,9 @@ | GNU General Public License (http://gnu.org). | | $Source: /cvs_backup/e107_0.8/usersettings.php,v $ -| $Revision: 1.28 $ -| $Date: 2008-12-21 03:58:07 $ -| $Author: mcfly_e107 $ +| $Revision: 1.29 $ +| $Date: 2008-12-21 11:07:58 $ +| $Author: e107steved $ +----------------------------------------------------------------------------+ Notes: @@ -35,16 +35,16 @@ $user_info = new UserHandler; define('US_DEBUG', false); -if (!USER) -{ // Must be logged in to change settings +if (!USER) +{ // Must be logged in to change settings header('location:'.e_BASE.'index.php'); - exit; + exit; } if (!ADMIN && e_QUERY && e_QUERY != 'update') { header('location:'.e_BASE.'usersettings.php'); - exit; + exit; } require_once (e_HANDLER.'ren_help.php'); 
@@ -62,7 +62,7 @@ include_once (e_FILE.'shortcode/batch/usersettings_shortcodes.php'); require_once (e_HANDLER.'calendar/calendar_class.php'); $cal = new DHTML_Calendar(true); $_uid = is_numeric(e_QUERY) ? intval(e_QUERY) : ''; -$sesschange = ''; // Notice removal +$sesschange = ''; // Notice removal $photo_to_delete = ''; $avatar_to_delete = ''; $changed_user_data = array(); @@ -72,25 +72,6 @@ $promptPassword = false; require_once (HEADERF); -// Given an array of user data, return a comma separated string which includes public, admin, member classes etc as appropriate. -function addCommonClasses($udata) -{ - $tmp = array(); - if ($udata['user_class'] != '') $tmp = explode(',', $udata['user_class']); - $tmp[] = e_UC_MEMBER; - $tmp[] = e_UC_READONLY; - $tmp[] = e_UC_PUBLIC; - if ($udata['user_admin'] == 1) - { - $tmp[] = e_UC_ADMIN; - } - if (strpos($udata['user_perms'], '0') === 0) - { - $tmp[] = e_UC_MAINADMIN; - } - return implode(",", $tmp); -} - // Save user settings (changes only) //----------------------------------- 
@@ -100,20 +81,20 @@ if (isset($_POST['updatesettings']) || isset($_POST['SaveValidatedInfo'])) { // Get the required user info if ($_uid && ADMIN) - { // Admin logged in and editing another user's settings - so editing a different ID - $inp = $_uid; + { // Admin logged in and editing another user's settings - so editing a different ID + $inp = $_uid; $remflag = true; } else - { // Current user logged in - use their ID - $inp = USERID; + { // Current user logged in - use their ID + $inp = USERID; } - $udata = get_user_data($inp); // Get all the existing user data, including any extended fields - $udata['user_classlist'] = addCommonClasses($udata); + $udata = get_user_data($inp); // Get all the existing user data, including any extended fields + $udata['user_classlist'] = $user_info->addCommonClasses($udata, FALSE); - $peer = ($inp == USERID ? false : true); // FALSE if editing own data + $peer = ($inp == USERID ? false : true); // FALSE if editing own data } @@ -121,13 +102,13 @@ if (isset($_POST['updatesettings'])) { if (!varsettrue($pref['auth_method']) || $pref['auth_method'] == '>e107') { - $pref['auth_method'] = 'e107'; + $pref['auth_method'] = 'e107'; } if ($pref['auth_method'] != 'e107') { - $_POST['password1'] = ''; - $_POST['password2'] = ''; + $_POST['password1'] = ''; + $_POST['password2'] = ''; } if ($_POST['image'] == '' && $udata['user_image']) @@ -146,38 +127,38 @@ if (isset($_POST['updatesettings'])) } if ($size = getimagesize($img)) - { - $avwidth = $size[0]; - $avheight = $size[1]; + { + $avwidth = $size[0]; + $avheight = $size[1]; $avmsg = ''; - $pref['im_width'] = varsettrue($pref['im_width'], 120); - $pref['im_height'] = varsettrue($pref['im_height'], 100); - if ($avwidth > $pref['im_width']) - { - $avmsg .= LAN_USET_1." ({$avwidth})
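Review bot: The replacement call `$udata['user_classlist'] = $user_info->addCommonClasses($udata, FALSE);` passes a bare `FALSE` whose meaning is not visible here, and its result is later handed to `check_class($pref['displayname_class'], $udata['user_classlist'], $peer)`, which the removed local helper fed as a comma-separated string that also added `e_UC_ADMIN` for `user_admin == 1` and `e_UC_MAINADMIN` when `user_perms` begins with '0'. Since that list decides whether the user may set a display name distinct from the login name, it is worth confirming the handler method keeps those admin additions, and a short comment at the call site would save the next reader a trip into user_handler.php, e.g. `// FALSE: return as comma-separated string (consumed by check_class() below)` — adjust if the flag means something else. The enclosing `if (isset($_POST['updatesettings']) || isset($_POST['SaveValidatedInfo']))` block continues outside the hunk.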
".LAN_USET_2.": {$pref['im_width']}

"; - } - if ($avheight > $pref['im_height']) - { - $avmsg .= LAN_USET_3." ({$avheight})
".LAN_USET_4.": {$pref['im_height']}"; - } - if ($avmsg) - { + $pref['im_width'] = varsettrue($pref['im_width'], 120); + $pref['im_height'] = varsettrue($pref['im_height'], 100); + if ($avwidth > $pref['im_width']) + { + $avmsg .= LAN_USET_1." ({$avwidth})
".LAN_USET_2.": {$pref['im_width']}

"; + } + if ($avheight > $pref['im_height']) + { + $avmsg .= LAN_USET_3." ({$avheight})
".LAN_USET_4.": {$pref['im_height']}"; + } + if ($avmsg) + { $_POST['image'] = ''; - $error = $avmsg; - } - else - { - if ($_POST['image'] != $udata['user_image']) - { - $changed_user_data['user_image'] = $_POST['image']; - } - } + $error = $avmsg; } else { - // Invalid image file - we could just put up a message + if ($_POST['image'] != $udata['user_image']) + { + $changed_user_data['user_image'] = $_POST['image']; + } } + } + else + { + // Invalid image file - we could just put up a message + } } 
@@ -188,35 +169,35 @@ if (isset($_POST['updatesettings'])) $signup_option_title = array(LAN_308, LAN_120, LAN_121, LAN_USET_6, LAN_USET_19); $signup_option_names = array("realname", "signature", "image", "class", 'signup_option_customtitle'); foreach ($signup_option_names as $key => $value) - { // Check required signup fields + { // Check required signup fields if ($pref['signup_option_'.$value] == 2 && !$_POST[$value] && !$_uid) { $error .= LAN_SIGNUP_6.$signup_option_title[$key].LAN_SIGNUP_7."\\n"; } - } + } // Login Name checks - only admin can change login name if (isset($_POST['loginname']) && ADMIN && getperms("4")) - { // Only check if its been edited - $loginname = trim(preg_replace('/ |\#|\=|\$/', "", strip_tags($_POST['loginname']))); - if ($loginname != $_POST['loginname']) - { - $error .= LAN_USET_13."\\n"; - } - // Check if login name exceeds maximum allowed length + { // Only check if its been edited + $loginname = trim(preg_replace('/ |\#|\=|\$/', "", strip_tags($_POST['loginname']))); + if ($loginname != $_POST['loginname']) + { + $error .= LAN_USET_13."\\n"; + } + // Check if login name exceeds maximum allowed length if (strlen($loginname) > varset($pref['loginname_maxlength'], 30)) - { - $error .= LAN_USET_14."\\n"; - } - if ($udata['user_loginname'] != $loginname) - { - $changed_user_data['user_loginname'] = $loginname; - } - else - { - unset($loginname); - } + { + $error .= LAN_USET_14."\\n"; + } + if ($udata['user_loginname'] != $loginname) + { + $changed_user_data['user_loginname'] = $loginname; + } + else + { + unset($loginname); + } } if (isset($loginname)) { 
@@ -227,92 +208,92 @@ if (isset($_POST['updatesettings'])) unset($_POST['loginname']); // Make sure no chance of the $_POST value staying set inappropriately } - // Display name checks + // Display name checks // If display name == login name, it has to meet the criteria for both login name and display name // echo "Check_class: {$pref['displayname_class']}; {$udata['user_classlist']}; {$peer}
"; if (check_class($pref['displayname_class'], $udata['user_classlist'], $peer)) - { // Display name can be different to login name - check display name if its been entered - if (isset($_POST['username'])) - { - $username = trim(strip_tags($_POST['username'])); - $_POST['username'] = $username; + { // Display name can be different to login name - check display name if its been entered + if (isset($_POST['username'])) + { + $username = trim(strip_tags($_POST['username'])); + $_POST['username'] = $username; // echo "Found new display name: {$username}
"; - } + } } else - { // Display name and login name must be the same - check only if the login name has been changed - if (varsettrue($loginname)) $username = $loginname; + { // Display name and login name must be the same - check only if the login name has been changed + if (varsettrue($loginname)) $username = $loginname; } if (varsettrue($username)) { - // Impose a minimum length on display name - if (strlen($username) < 2) - { - $error .= LAN_USET_12."\\n"; - } + // Impose a minimum length on display name + if (strlen($username) < 2) + { + $error .= LAN_USET_12."\\n"; + } if (strlen($username) > varset($pref['displayname_maxlength'], 15)) - { - $error .= LAN_USET_15."\\n"; - } + { + $error .= LAN_USET_15."\\n"; + } if (isset($pref['signup_disallow_text'])) - { - $tmp = explode(",", $pref['signup_disallow_text']); + { + $tmp = explode(",", $pref['signup_disallow_text']); foreach ($tmp as $disallow) - { - if (stristr($username, trim($disallow))) - { - $error .= LAN_USET_11."\\n"; - } - } - } - - // Display Name exists. - if ($sql->db_Count('user', '(*)', "WHERE `user_name`='".$username."' AND `user_id` != ".(int)$inp)) { - $error .= LAN_USET_17; - } + if (stristr($username, trim($disallow))) + { + $error .= LAN_USET_11."\\n"; + } + } + } + + // Display Name exists. 
+ if ($sql->db_Count('user', '(*)', "WHERE `user_name`='".$username."' AND `user_id` != ".(int)$inp)) + { + $error .= LAN_USET_17; + } if ($username != $udata['user_name']) { $changed_user_data['user_name'] = $username; } - unset($username); + unset($username); } // Password checks $new_pass = ''; - if ($_POST['password1'] != $_POST['password2']) + if ($_POST['password1'] != $_POST['password2']) { - $error .= LAN_105."\\n"; + $error .= LAN_105."\\n"; } else { if (trim($_POST['password1']) != "") + { + if (strlen(trim($_POST['password1'])) < $pref['signup_pass_len']) { - if (strlen(trim($_POST['password1'])) < $pref['signup_pass_len']) - { - $error .= LAN_SIGNUP_4.$pref['signup_pass_len'].LAN_SIGNUP_5."\\n"; - } - $new_pass = $_POST['password1']; // Don't hash it yet + $error .= LAN_SIGNUP_4.$pref['signup_pass_len'].LAN_SIGNUP_5."\\n"; } + $new_pass = $_POST['password1']; // Don't hash it yet + } } // Email address checks if (!varsettrue($pref['disable_emailcheck'])) { - if (!check_email($_POST['email'])) - { - $error .= LAN_106."\\n"; - } + if (!check_email($_POST['email'])) + { + $error .= LAN_106."\\n"; + } } // Check for duplicate of email address if ($sql->db_Select('user', 'user_name, user_email', "user_email='".$tp->toDB($_POST['email'])."' AND user_id !=".(int)$inp)) { - $error .= LAN_408."\\n"; + $error .= LAN_408."\\n"; } - + // Uploaded avatar and/or photo if ($file_userfile['error'] != 4) { 
@@ -320,61 +301,61 @@ if (isset($_POST['updatesettings'])) require_once (e_HANDLER.'resize_handler.php'); if ($uploaded = file_upload(e_FILE.'public/avatars/', 'avatar='.$udata['user_id'])) - { - foreach ($uploaded as $upload) - { // Needs the latest upload handler (with legacy and 'future' interfaces) to work - if ($upload['name'] && ($upload['index'] == 'avatar') && $pref['avatar_upload']) - { - // avatar uploaded - give it a reference which identifies it as server-stored - $_POST['image'] = "-upload-".$upload['name']; - if ($_POST['image'] != $udata['user_image']) - { - $avatar_to_delete = str_replace("-upload-", "", $udata['user_image']); + { + foreach ($uploaded as $upload) + { // Needs the latest upload handler (with legacy and 'future' interfaces) to work + if ($upload['name'] && ($upload['index'] == 'avatar') && $pref['avatar_upload']) + { + // avatar uploaded - give it a reference which identifies it as server-stored + $_POST['image'] = "-upload-".$upload['name']; + if ($_POST['image'] != $udata['user_image']) + { + $avatar_to_delete = str_replace("-upload-", "", $udata['user_image']); // echo "Avatar change; deleting {$avatar_to_delete}
"; - $changed_user_data['user_image'] = $_POST['image']; - } + $changed_user_data['user_image'] = $_POST['image']; + } - if (!resize_image(e_FILE."public/avatars/".$upload['name'], e_FILE."public/avatars/".$upload['name'], "avatar")) - { - unset($message); - $error .= RESIZE_NOT_SUPPORTED."\\n"; + if (!resize_image(e_FILE."public/avatars/".$upload['name'], e_FILE."public/avatars/".$upload['name'], "avatar")) + { + unset($message); + $error .= RESIZE_NOT_SUPPORTED."\\n"; @unlink(e_FILE.'public/avatars/'.$upload['name']); - $_POST['image'] = ''; - unset($changed_user_data['user_image']); - } - } + $_POST['image'] = ''; + unset($changed_user_data['user_image']); + } + } if ($upload['name'] && ($upload['index'] == 'photo') && $pref['photo_upload']) - { - // photograph uploaded - if ($udata['user_sess'] != $upload['name']) - { - $photo_to_delete = $udata['user_sess']; - $changed_user_data['user_sess'] = $upload['name']; - } + { + // photograph uploaded + if ($udata['user_sess'] != $upload['name']) + { + $photo_to_delete = $udata['user_sess']; + $changed_user_data['user_sess'] = $upload['name']; + } if (!resize_image(e_FILE.'public/avatars/'.$upload['name'], e_FILE.'public/avatars/'.$upload['name'], 180)) - { - unset($message); - $error .= RESIZE_NOT_SUPPORTED."\\n"; + { + unset($message); + $error .= RESIZE_NOT_SUPPORTED."\\n"; @unlink(e_FILE.'public/avatars/'.$upload['name']); - unset($changed_user_data['user_sess']); - } - } + unset($changed_user_data['user_sess']); } + } } + } } // See if user just wants to delete existing photo if (isset($_POST['user_delete_photo'])) { - $photo_to_delete = $udata['user_sess']; - $changed_user_data['user_sess'] = ''; + $photo_to_delete = $udata['user_sess']; + $changed_user_data['user_sess'] = ''; // echo "Just delete old photo: {$photo_to_delete}
"; } - // Validate Extended User Fields. + // Validate Extended User Fields. if ($_POST['ue']) { if ($sql->db_Select('user_extended_struct')) @@ -388,13 +369,14 @@ if (isset($_POST['updatesettings'])) foreach ($_POST['ue'] as $key => $val) { if (isset($extList[$key])) - { // Only allow valid keys + { // Only allow valid keys $err = $ue->user_extended_validate_entry($val, $extList[$key]); if ($err === true && !$_uid) - { // General error - usually empty field; could be unacceptable value, or regex fail and no error message defined - $error .= LAN_SIGNUP_6.($tp->toHtml($extList[$key]['user_extended_struct_text'], false, "defs"))." ".LAN_SIGNUP_7."\\n"; - } elseif ($err) - { // Specific error message returned - usually regex fail + { // General error - usually empty field; could be unacceptable value, or regex fail and no error message defined + $error .= LAN_SIGNUP_6.($tp->toHtml($extList[$key]['user_extended_struct_text'],FALSE,"defs"))." ".LAN_SIGNUP_7."\\n"; + } + elseif ($err) + { // Specific error message returned - usually regex fail $error .= $err."\\n"; $err = true; } @@ -406,10 +388,10 @@ if (isset($_POST['updatesettings'])) } } } - } + } - unset($_POST['password1']); // Always clear the password fields - value noted if required + unset($_POST['password1']); // Always clear the password fields - value noted if required unset($_POST['password2']); 
@@ -419,142 +401,148 @@ if (isset($_POST['updatesettings'])) // $inp - UID of user whose data is being changed (may not be the currently logged in user) if (!$error) { - $_POST['user_id'] = intval($inp); - $ret = $e_event->trigger("preuserset", $_POST); + $_POST['user_id'] = intval($inp); + $ret = $e_event->trigger("preuserset", $_POST); - if ($ret == '') - { + if ($ret == '') + { if (isset($_POST['customtitle']) && ($pref['signup_option_customtitle'])) - { - $new_customtitle = $tp->toDB($_POST['customtitle']); + { + $new_customtitle = $tp->toDB($_POST['customtitle']); if ($new_customtitle != $udata['user_customtitle']) { $changed_user_data['user_customtitle'] = $new_customtitle; } - } + } - // Extended fields - handle any hidden fields + // Extended fields - handle any hidden fields if ($ue_fields) - { - $hidden_fields = implode("^", array_keys($_POST['hide'])); + { + $hidden_fields = implode("^", array_keys($_POST['hide'])); if ($hidden_fields != "") - { - $hidden_fields = "^".$hidden_fields."^"; - } - $ue_fields .= ", user_hidden_fields = '".$hidden_fields."'"; - } + { + $hidden_fields = "^".$hidden_fields."^"; + } + $ue_fields .= ", user_hidden_fields = '".$hidden_fields."'"; + } - // Handle fields which are just transferred without vetting (but are subject to toDB() for exploit restriction) - $copy_list = array('user_signature' => 'signature', 'user_login' => 'realname', 'user_email' => 'email', 'user_hideemail' => 'hideemail', 'user_xup' => 'user_xup'); - - // Next list identifies numerics which might take a value of 0 - $non_text_list = array('user_hideemail' => 'hideemail'); - foreach ($copy_list as $k => $v) + // Handle fields which are just transferred without vetting (but are subject to toDB() for exploit restriction) + $copy_list = array('user_signature' => 'signature', + 'user_login' => 'realname', + 'user_email' => 'email', + 'user_hideemail' =>'hideemail', + 'user_xup' => 'user_xup'); + + // Next list identifies numerics which might take a value of 0 
+ $non_text_list = array( + 'user_hideemail' =>'hideemail' + ); + foreach ($copy_list as $k => $v) + { + if (isset($_POST[$v]) && (trim($_POST[$v]) || isset($non_text_list[$k]))) + { + $_POST[$v] = $tp->toDB(trim($_POST[$v])); + if ($_POST[$v] != $udata[$k]) { - if (isset($_POST[$v]) && (trim($_POST[$v]) || isset($non_text_list[$k]))) - { - $_POST[$v] = $tp->toDB(trim($_POST[$v])); - if ($_POST[$v] != $udata[$k]) - { - $changed_user_data[$k] = $_POST[$v]; + $changed_user_data[$k] = $_POST[$v]; // echo "Changed {$k}, {$v} from {$udata[$k]} to {$_POST[$v]}
"; - } - } } + } + } - // Update Userclass - only if its the user changing their own data (admins can do it another way) - if (!$_uid) - { + // Update Userclass - only if its the user changing their own data (admins can do it another way) + if (!$_uid) + { if (!is_object($e_userclass)) { $e_userclass = new user_class; } $ucList = explode(',', $e_userclass->get_editable_classes()); // List of classes which this user can edit - if (count($ucList)) - { + if (count($ucList)) + { if (US_DEBUG) { $admin_log->e_log_event(10, debug_backtrace(), "DEBUG", "Usersettings test", "Read editable list. Current user classes: ".$udata['user_class'], false, LOG_TO_ROLLING); } - $cur_classes = explode(",", $udata['user_class']); // Current class membership - $newclist = array_flip($cur_classes); // Array keys are now the class IDs + $cur_classes = explode(",", $udata['user_class']); // Current class membership + $newclist = array_flip($cur_classes); // Array keys are now the class IDs - // Update class list - we must take care to only change those classes a user can edit themselves - foreach ($ucList as $cid) - { + // Update class list - we must take care to only change those classes a user can edit themselves + foreach ($ucList as $cid) + { if (!in_array($cid, $_POST['class'])) - { - unset($newclist[$cid]); - } - else - { - $newclist[$cid] = 1; - } - } - $newclist = array_keys($newclist); - $nid = implode(',', array_diff($newclist, array(''))); + { + unset($newclist[$cid]); + } + else + { + $newclist[$cid] = 1; + } + } + $newclist = array_keys($newclist); + $nid = implode(',', array_diff($newclist, array(''))); // echo "Userclass data - new: {$nid}, old: {$udata['user_class']}
"; - if ($nid != $udata['user_class']) - { + if ($nid != $udata['user_class']) + { if (US_DEBUG) { $admin_log->e_log_event(10, debug_backtrace(), "DEBUG", "Usersettings test", "Write back classes; old list: {$udata['user_class']}; new list: ".$nid, false, LOG_TO_ROLLING); } - $changed_user_data['user_class'] = $nid; - } - } + $changed_user_data['user_class'] = $nid; } + } + } - // Only admins can update login name - do this just in case one of the event triggers has mucked it about + // Only admins can update login name - do this just in case one of the event triggers has mucked it about if (!(ADMIN && getperms('4'))) - { - unset($changed_user_data['user_loginname']); - } - } - else - { // Invalid data - from hooked in trigger event - $message = "
".$ret."
"; - $caption = LAN_151; - } - } -} // End - update setttings -elseif (isset($_POST['SaveValidatedInfo'])) -{ // Next bit only valid if user editing their own data - if (!$peer && !empty($_POST['updated_data']) && !empty($_POST['currentpassword']) && !empty($_POST['updated_key'])) - { // Got some data confirmed with password entry - $new_data = base64_decode($_POST['updated_data']); - if (md5($new_data) != $_POST['updated_key']) - { // Should only happen if someone's fooling around - echo "Mismatch on validation key
"; - exit; - } - - if (isset($_POST['updated_extended'])) { - $new_extended = base64_decode($_POST['updated_extended']); - if (md5($new_extended) != $_POST['extended_key']) - { // Should only happen if someone's fooling around - echo "Mismatch on validity key
"; - exit; - } + unset($changed_user_data['user_loginname']); } + } + else + { // Invalid data - from hooked in trigger event + $message = "
".$ret."
"; + $caption = LAN_151; + } + } +} // End - update setttings +elseif (isset($_POST['SaveValidatedInfo'])) +{ // Next bit only valid if user editing their own data + if (!$peer && !empty($_POST['updated_data']) && !empty($_POST['currentpassword']) && !empty($_POST['updated_key'])) + { // Got some data confirmed with password entry + $new_data = base64_decode($_POST['updated_data']); + if (md5($new_data) != $_POST['updated_key']) + { // Should only happen if someone's fooling around + echo "Mismatch on validation key
"; + exit; + } + + if (isset($_POST['updated_extended'])) + { + $new_extended = base64_decode($_POST['updated_extended']); + if (md5($new_extended) != $_POST['extended_key']) + { // Should only happen if someone's fooling around + echo "Mismatch on validity key
"; + exit; + } + } if ($user_info->CheckPassword($_POST['currentpassword'], $udata['user_loginname'], $udata['user_password']) === false) // Use old data to validate - { // Invalid password - echo "
".LAN_USET_22."
"; + { // Invalid password + echo "
".LAN_USET_22."
"; require_once (FOOTERF); - exit; - } - $changed_user_data = unserialize($new_data); - $new_pass = $_POST['currentpassword']; - if (!empty($new_extended)) $ue_fields = unserialize($new_extended); - unset($new_data); - unset($new_extended); + exit; } + $changed_user_data = unserialize($new_data); + $new_pass = $_POST['currentpassword']; + if (!empty($new_extended)) $ue_fields = unserialize($new_extended); + unset($new_data); + unset($new_extended); + } } unset($_POST['updatesettings']); unset($_POST['SaveValidatedInfo']); 
@@ -564,161 +552,162 @@ unset($_POST['SaveValidatedInfo']); // $changed_user_data has an array of core changed data, except password, which is in $new_pass if changed (or entered as confirmation). if (!$error && (count($changed_user_data) || $new_pass)) { - // Sort out password hashes - if ($new_pass) - { - if (empty($loginname)) $loginname = $udata['user_loginname']; - $email = $changed_user_data['user_email'] ? $changed_user_data['user_email'] : $udata['user_email']; - $changed_user_data['user_password'] = $sql->escape($user_info->HashPassword($new_pass, $loginname), false); - if (varsettrue($pref['allowEmailLogin'])) + // Sort out password hashes + if ($new_pass) { + if (empty($loginname)) $loginname = $udata['user_loginname']; + $email = $changed_user_data['user_email'] ? $changed_user_data['user_email'] : $udata['user_email']; + $changed_user_data['user_password'] = $sql->escape($user_info->HashPassword($new_pass, $loginname), false); + if (varsettrue($pref['allowEmailLogin'])) + { $user_prefs = unserialize($udata['user_prefs']); $user_prefs['email_password'] = $user_info->HashPassword($new_pass, $email); $changed_user_data['user_prefs'] = serialize($user_prefs); + } } - } - else - { - if ((isset($changed_user_data['user_loginname']) && $user_info->isPasswordRequired('user_loginname')) || (isset($changed_user_data['user_email']) && $user_info->isPasswordRequired('user_email'))) + else { + if ((isset($changed_user_data['user_loginname']) && $user_info->isPasswordRequired('user_loginname')) + || (isset($changed_user_data['user_email']) && $user_info->isPasswordRequired('user_email'))) + { if ($_uid) - { // Admin is changing it - $error = LAN_USET_20; + { // Admin is changing it + $error = LAN_USET_20; } else - { // User is changing their own info + { // User is changing their own info $promptPassword = true; } + } } - } } if ((!$error && !$promptPassword) && (count($changed_user_data) || $ue_fields)) { - // We can update the basic user record now - can just 
update fields from $changed_user_data + // We can update the basic user record now - can just update fields from $changed_user_data if (US_DEBUG) { $admin_log->e_log_event(10, debug_backtrace(), "DEBUG", "Usersettings test", "Changed data:
".var_export($changed_user_data, true), false, LOG_TO_ROLLING); } $sql->db_UpdateArray("user", $changed_user_data, " WHERE user_id='".intval($inp)."' "); - // Now see if we need to log anything. First check the options and class membership - // (Normally we would leave logging decision to the log class. But this one's a bit more complicated) + // Now see if we need to log anything. First check the options and class membership + // (Normally we would leave logging decision to the log class. But this one's a bit more complicated) $user_logging_opts = array_flip(explode(',', varset($pref['user_audit_opts'], ''))); - $do_log = array(); - $log_action = ''; - if ($_uid) - { // Its an admin changing someone elses data - make an admin log entry here + $do_log = array(); + $log_action = ''; + if ($_uid) + { // Its an admin changing someone elses data - make an admin log entry here $admin_log->log_event('USET_01', "UID: {$udata['user_id']}. UName: {$udata['user_name']}", E_LOG_INFORMATIVE); - // Check against the class of the target user, not the admin! + // Check against the class of the target user, not the admin! 
if (!check_class(varset($pref['user_audit_class'], ''), $udata['user_class'])) { $user_logging_opts = array(); } - } - else - { - if (!check_class(varset($pref['user_audit_class'], ''))) { $user_logging_opts = array(); } - } - - // Now log changes if required - if (count($user_logging_opts)) - { - // Start with any specific fields we're changing - - if (isset($changed_user_data['user_name'])) + } + else { - if (isset($user_logging_opts[USER_AUDIT_NEW_DN])) + if (!check_class(varset($pref['user_audit_class'], ''))) { $user_logging_opts = array(); } + } + + // Now log changes if required + if (count($user_logging_opts)) + { + // Start with any specific fields we're changing + + if (isset($changed_user_data['user_name'])) { + if (isset($user_logging_opts[USER_AUDIT_NEW_DN])) + { $do_log['user_name'] = $changed_user_data['user_name']; $log_action = USER_AUDIT_NEW_DN; + } + unset($changed_user_data['user_name']); } - unset($changed_user_data['user_name']); - } - if (isset($changed_user_data['user_password'])) - { - if (isset($user_logging_opts[USER_AUDIT_NEW_PW])) - { // Password has already been changed to a hashed value, so OK to leave the data + if (isset($changed_user_data['user_password'])) + { + if (isset($user_logging_opts[USER_AUDIT_NEW_PW])) + { // Password has already been changed to a hashed value, so OK to leave the data $do_log['user_password'] = $changed_user_data['user_password']; $log_action = USER_AUDIT_NEW_PW; + } + unset($changed_user_data['user_password']); } - unset($changed_user_data['user_password']); - } - if (isset($changed_user_data['user_email'])) - { - if (isset($user_logging_opts[USER_AUDIT_NEW_EML])) + if (isset($changed_user_data['user_email'])) { + if (isset($user_logging_opts[USER_AUDIT_NEW_EML])) + { $do_log['user_email'] = $changed_user_data['user_email']; $log_action = USER_AUDIT_NEW_EML; + } + unset($changed_user_data['user_email']); } - unset($changed_user_data['user_email']); - } - if (count($changed_user_data) && 
isset($user_logging_opts[USER_AUDIT_NEW_SET])) - { - $do_log = array_merge($do_log, $changed_user_data); - $log_action = USER_AUDIT_NEW_SET; - } - if (count($do_log)) - { // Got some changes to audit - // echo "Adding to audit log
"; - if ($_uid) + if (count($changed_user_data) && isset($user_logging_opts[USER_AUDIT_NEW_SET])) { - $log_action = USER_AUDIT_ADMIN; // If an admin did the mod, different heading + $do_log = array_merge($do_log, $changed_user_data); + $log_action = USER_AUDIT_NEW_SET; + } + if (count($do_log)) + { // Got some changes to audit + // echo "Adding to audit log
"; + if ($_uid) + { + $log_action = USER_AUDIT_ADMIN; // If an admin did the mod, different heading // Embed a message saying who changed the data $changed_user_data['message'] = str_replace(array('--ID--', '--LOGNAME--'), array(USERID, USERNAME), LAN_USET_18); $admin_log->user_audit($log_action, $do_log, $udata['user_id'], $udata['user_loginname']); - } - else - { + } + else + { if (count($do_log) > 1) { $log_action = USER_AUDIT_NEW_SET; } // Log multiple entries to one record $admin_log->user_audit($log_action, $do_log); + } } + } // End of audit logging + + + // Now tidy up + if ($photo_to_delete) + { // Photo may be a flat file, or in the database + delete_file($photo_to_delete); + } + if ($avatar_to_delete) + { // Avatar may be a flat file, or in the database + delete_file($avatar_to_delete); } - } // End of audit logging - // Now tidy up - if ($photo_to_delete) - { // Photo may be a flat file, or in the database - delete_file($photo_to_delete); - } - if ($avatar_to_delete) - { // Avatar may be a flat file, or in the database - delete_file($avatar_to_delete); - } - - - // If user has changed display name, update the record in the online table + // If user has changed display name, update the record in the online table if (isset($changed_user_data['user_name']) && !$_uid) - { + { $sql->db_Update('online', "online_user_id = '".USERID.".".$changed_user_data['user_name']."' WHERE online_user_id = '".USERID.".".USERNAME."'"); - } + } - // Save extended field values + // Save extended field values if ($ue_fields) - { + { // ***** Next line creates a record which presumably should be there anyway, so could generate an error - $sql->db_Select_gen("INSERT INTO #user_extended (user_extended_id, user_hidden_fields) values ('".intval($inp)."', '')"); + $sql->db_Select_gen("INSERT INTO #user_extended (user_extended_id, user_hidden_fields) values ('".intval($inp)."', '')"); $sql->db_Update('user_extended', $ue_fields." 
WHERE user_extended_id = ".intval($inp)); - } + } - // Update XUP data if file name changed. + // Update XUP data if file name changed. if (isset($changed_user_data['user_xup'])) - { + { require_once (e_HANDLER."login.php"); - userlogin::update_xup($inp, $changed_user_data['user_xup']); - } + userlogin::update_xup($inp, $changed_user_data['user_xup']); + } $e_event->trigger('postuserset', $_POST); if (e_QUERY == 'update') - { + { header('Location: index.php'); - } + } $message = "
".LAN_150.'
'; - $caption = LAN_151; -} // End - if (!$error)... + $caption = LAN_151; +} // End - if (!$error)... if (!$error && !$promptPassword) { unset($_POST); } @@ -728,7 +717,7 @@ if ($error) { require_once (e_HANDLER.'message_handler.php'); message_handler('P_ALERT', $error); - $adref = $_POST['adminreturn']; + $adref = $_POST['adminreturn']; } @@ -744,39 +733,39 @@ $uuid = ($_uid ? $_uid : USERID); // If $_uid is set, its an admin changing anot if ($promptPassword) -{ // User has to enter password to validate data - $updated_data = serialize($changed_user_data); - $validation_key = md5($updated_data); - $updated_data = base64_encode($updated_data); - $updated_extended = serialize($ue_fields); - $extended_key = md5($updated_extended); - $updated_extended = base64_encode($updated_extended); - $text = " +{ // User has to enter password to validate data + $updated_data = serialize($changed_user_data); + $validation_key = md5($updated_data); + $updated_data = base64_encode($updated_data); + $updated_extended = serialize($ue_fields); + $extended_key = md5($updated_extended); + $updated_extended = base64_encode($updated_extended); + $text = "
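Review bot: The display-name sync to the `online` table near the end of the hunk can never run when user auditing is enabled, because the audit block above it does `unset($changed_user_data['user_name'])` before `if (isset($changed_user_data['user_name']) && !$_uid)` is evaluated. Capture the value before the audit block, e.g. `$newDisplayName = isset($changed_user_data['user_name']) ? $changed_user_data['user_name'] : false;` right after the `$sql->db_UpdateArray(...)` call, and test and use `$newDisplayName` in the online-table update instead. That update also splices the name straight into the SQL string; unless the validator has already DB-escaped `user_name` (not visible here), pass it through `$tp->toDB()` at that point. Separately, `$do_log['user_password'] = $changed_user_data['user_password']` writes the new password hash into the audit log; logging only the fact that the password changed would avoid keeping hashes in a store that is usually less protected than the user table.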
+ else + { + $text .= "\n"; + } + } + $text .= LAN_USET_21."
"; - foreach ($_POST as $k => $v) + foreach ($_POST as $k => $v) + { + if (is_array($v)) { - if (is_array($v)) - { - foreach ($v as $sk => $sv) - { - $text .= "\n"; - } - } - else - { - $text .= "\n"; - } + foreach ($v as $sk => $sv) + { + $text .= "\n"; + } } - $text .= LAN_USET_21."
 
 
"; - $text .= " + $text .= "
 
"; - $ns->tablerender(LAN_155, $text); + $ns->tablerender(LAN_155, $text); require_once (FOOTERF); } @@ -792,21 +781,21 @@ WHERE u.user_id='".intval($uuid)."' "; $sql->db_Select_gen($qry); -$curVal = $sql->db_Fetch(); -$curVal['userclass_list'] = addCommonClasses($curVal); +$curVal=$sql->db_Fetch(); +$curVal['userclass_list'] = $user_info->addCommonClasses($curVal, FALSE); if ($_POST) -{ // Fix for all the values being lost when there was an error in a field - restore from the latest $_POST values - // (Password fields have intentionally been cleared). If no error, there's an unset($_POST) to disable this block +{ // Fix for all the values being lost when there was an error in a field - restore from the latest $_POST values + // (Password fields have intentionally been cleared). If no error, there's an unset($_POST) to disable this block foreach ($_POST as $key => $val) - { + { $curVal['user_'.$key] = $tp->post_toForm($val); - } + } foreach ($_POST['ue'] as $key => $val) - { + { $curVal[$key] = $to->post_toForm($val); - } + } } require_once (e_HANDLER."form_handler.php"); @@ -833,7 +822,7 @@ require_once (FOOTERF); // If a field is required, returns a red asterisk -function req($field) +function req($field) { global $pref; if ($field == 2) 
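Review bot: `$validation_key = md5($updated_data)` and `$extended_key = md5($updated_extended)` give no integrity protection, because each key is an unkeyed hash of a payload the client holds and can recompute, and the `SaveValidatedInfo` branch earlier in the file then `unserialize()`s whatever comes back. Bind the key to a server-side secret, e.g. `$validation_key = hash_hmac('sha256', $updated_data, <server secret>);` (likewise for `$extended_key`), or keep the pending `$changed_user_data` and `$ue_fields` in `$_SESSION` under a random token and round-trip only the token. The matching check in that earlier branch uses a loose `!=`; it should be a strict comparison as well.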
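Review bot: The extended-field loop in this hunk calls `$to->post_toForm($val)` while the sibling loop just above uses `$tp->post_toForm($val)`; `$to` is not defined anywhere visible, so this looks like a typo that would be a fatal error when reached and should presumably read `$curVal[$key] = $tp->post_toForm($val);`. The loop also iterates `$_POST['ue']` unconditionally, which raises a warning when no extended fields were posted; guard it with `if (isset($_POST['ue']) && is_array($_POST['ue']))`. The new `$user_info->addCommonClasses($curVal, FALSE)` call passes a bare boolean whose meaning is not evident at the call site; a short trailing comment naming what `FALSE` selects would help the next reader.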
@@ -848,26 +837,28 @@ function req($field) } + // Delete a file from the public directories. Return TRUE on success, FALSE on failure. // Also deletes from database if appropriate. function delete_file($fname, $dir = 'avatars/') { - global $sql; + global $sql; if (!$fname) return false; - - if (preg_match("#Binary (.*?)/#", $fname, $match)) - { - return $sql->db_Delete("rbinary", "binary_id='".$tp->toDB($match[1])."'"); - } elseif (file_exists(e_FILE."public/".$dir.$fname)) - { - unlink(e_FILE."public/".$dir.$fname); + + if (preg_match("#Binary (.*?)/#", $fname, $match)) + { + return $sql -> db_Delete("rbinary", "binary_id='".$tp -> toDB($match[1])."'"); + } + elseif (file_exists(e_FILE."public/".$dir.$fname)) + { + unlink(e_FILE."public/".$dir.$fname); return true; - } + } return false; } -function headerjs() +function headerjs() { global $cal; $script = "