  1. <?php
  2. /* Poweradmin, a friendly web-based admin tool for PowerDNS.
  3. * See <http://www.poweradmin.org> for more details.
  4. *
  5. * Copyright 2007-2009 Rejo Zenger <rejo@zenger.nl>
  6. * Copyright 2010-2014 Poweradmin Development Team
  7. * <http://www.poweradmin.org/credits.html>
  8. *
  9. * This program is free software: you can redistribute it and/or modify
  10. * it under the terms of the GNU General Public License as published by
  11. * the Free Software Foundation, either version 3 of the License, or
  12. * (at your option) any later version.
  13. *
  14. * This program is distributed in the hope that it will be useful,
  15. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  16. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  17. * GNU General Public License for more details.
  18. *
  19. * You should have received a copy of the GNU General Public License
  20. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  21. */
  22. /**
  23. * User profile functions
  24. *
  25. * @package Poweradmin
  26. * @copyright 2007-2010 Rejo Zenger <rejo@zenger.nl>
  27. * @copyright 2010-2014 Poweradmin Development Team
  28. * @license http://opensource.org/licenses/GPL-3.0 GPL
  29. */
// Shared toolkit; presumably where $db, error() and the ERR_* constants used below come from — confirm.
require_once("inc/toolkit.inc.php");
  31. /** Verify User has Permission Name
  32. *
  33. * Function to see if user has right to do something. It will check if
  34. * user has "ueberuser" bit set. If it isn't, it will check if the user has
  35. * the specific permission. It returns "false" if the user doesn't have the
  36. * right, and "true" if the user has.
  37. *
  38. * @param string $permission Permission name
  39. *
  40. * @return boolean true if user has permission, false otherwise
  41. */
  42. function verify_permission($permission) {
  43. global $db;
  44. if ((!isset($_SESSION['userid'])) || (!is_object($db))) {
  45. return 0;
  46. }
  47. // Set current user ID.
  48. $userid = $_SESSION['userid'];
  49. $query = 'SELECT id FROM perm_items WHERE name=' . $db->quote('user_is_ueberuser', 'text');
  50. $ueberUserId = $db->queryOne($query);
  51. // Find the template ID that this user has been assigned.
  52. $query = "SELECT perm_templ
  53. FROM users
  54. WHERE id = " . $db->quote($userid, 'integer');
  55. $templ_id = $db->queryOne($query);
  56. // Does this user have ueberuser rights?
  57. $query = "SELECT id
  58. FROM perm_templ_items
  59. WHERE templ_id = " . $db->quote($templ_id, 'integer') . "
  60. AND perm_id = " . $ueberUserId;
  61. if ($db->queryOne($query)) {
  62. return true;
  63. }
  64. // Find the permission ID for the requested permission.
  65. $query = "SELECT id
  66. FROM perm_items
  67. WHERE name = " . $db->quote($permission, 'text');
  68. $perm_id = $db->queryOne($query);
  69. // Check if the permission ID is assigned to the template ID.
  70. $query = "SELECT id
  71. FROM perm_templ_items
  72. WHERE templ_id = " . $db->quote($templ_id, 'integer') . "
  73. AND perm_id = " . $db->quote($perm_id, 'integer');
  74. return ($db->queryOne($query) ? true : false);
  75. }
  76. /** Get a list of all available permission templates
  77. *
  78. * @return mixed[] array of templates [id, name, descr]
  79. */
  80. function list_permission_templates() {
  81. global $db;
  82. $query = "SELECT * FROM perm_templ ORDER BY name";
  83. $response = $db->query($query);
  84. if (PEAR::isError($response)) {
  85. error($response->getMessage());
  86. return false;
  87. }
  88. $template_list = array();
  89. while ($template = $response->fetchRow()) {
  90. $template_list[] = array(
  91. "id" => $template['id'],
  92. "name" => $template['name'],
  93. "descr" => $template['descr']
  94. );
  95. }
  96. return $template_list;
  97. }
  98. /** Retrieve all users
  99. *
  100. * Its to show_users therefore the odd name. Has to be changed.
  101. *
  102. * @param int $id Exclude User ID
  103. * @param int $rowstart Startring row number
  104. * @param int $rowamount Number of rows to return this query
  105. *
  106. * @return mixed[] array with all users [id,username,fullname,email,description,active,numdomains]
  107. */
  108. function show_users($id = '', $rowstart = 0, $rowamount = 9999999) {
  109. global $db;
  110. $add = '';
  111. if (is_numeric($id)) {
  112. //When a user id is given, it is excluded from the userlist returned.
  113. $add = " WHERE users.id!=" . $db->quote($id, 'integer');
  114. }
  115. // Make a huge query.
  116. $query = "SELECT users.id AS id,
  117. users.username AS username,
  118. users.fullname AS fullname,
  119. users.email AS email,
  120. users.description AS description,
  121. users.active AS active,
  122. users.perm_templ AS perm_templ,
  123. count(zones.owner) AS aantal FROM users
  124. LEFT JOIN zones ON users.id=zones.owner$add
  125. GROUP BY
  126. users.id,
  127. users.username,
  128. users.fullname,
  129. users.email,
  130. users.description,
  131. users.perm_templ,
  132. users.active
  133. ORDER BY
  134. users.fullname";
  135. // Execute the huge query.
  136. $db->setLimit($rowamount, $rowstart);
  137. $response = $db->query($query);
  138. if (PEAR::isError($response)) {
  139. error($response->getMessage());
  140. return false;
  141. }
  142. $ret = array();
  143. while ($r = $response->fetchRow()) {
  144. $ret[] = array(
  145. "id" => $r["id"],
  146. "username" => $r["username"],
  147. "fullname" => $r["fullname"],
  148. "email" => $r["email"],
  149. "description" => $r["description"],
  150. "active" => $r["active"],
  151. "numdomains" => $r["aantal"]
  152. );
  153. }
  154. return $ret;
  155. }
  156. /** Check if Valid User
  157. *
  158. * Check if the given $userid is connected to a valid user.
  159. *
  160. * @param int $id User ID
  161. *
  162. * @return boolean true if user exists, false if users doesnt exist
  163. */
  164. function is_valid_user($id) {
  165. global $db;
  166. if (is_numeric($id)) {
  167. $response = $db->queryOne("SELECT id FROM users WHERE id=" . $db->quote($id, 'integer'));
  168. return ($response ? true : false);
  169. }
  170. }
  171. /** Check if Username Exists
  172. *
  173. * Checks if a given username exists in the database.
  174. *
  175. * @param string $user Username
  176. *
  177. * @return boolean true if exists, false if not
  178. */
  179. function user_exists($user) {
  180. global $db;
  181. $response = $db->queryOne("SELECT id FROM users WHERE username=" . $db->quote($user, 'text'));
  182. return ($response ? true : false);
  183. }
  184. /** Delete User ID
  185. *
  186. * Delete a user from the system. Will also delete zones owned by user or
  187. * re-assign those zones to a new specified owner.
  188. * $zones is an array of zone 'zid's to delete or re-assign depending on
  189. * 'target' value [delete,new_owner] and 'newowner' value
  190. *
  191. * @param int $uid User ID to delete
  192. * @param mixed[] $zones Array of zones
  193. *
  194. * @return boolean true on success, false otherwise
  195. */
  196. function delete_user($uid, $zones) {
  197. global $db;
  198. if (($uid != $_SESSION['userid'] && !verify_permission('user_edit_others')) || ($uid == $_SESSION['userid'] && !verify_permission('user_edit_own'))) {
  199. error(ERR_PERM_DEL_USER);
  200. return false;
  201. } else {
  202. if (is_array($zones)) {
  203. foreach ($zones as $zone) {
  204. if ($zone['target'] == "delete") {
  205. delete_domain($zone['zid']);
  206. } elseif ($zone['target'] == "new_owner") {
  207. add_owner_to_zone($zone['zid'], $zone['newowner']);
  208. }
  209. }
  210. }
  211. $query = "DELETE FROM zones WHERE owner = " . $db->quote($uid, 'integer');
  212. $response = $db->query($query);
  213. if (PEAR::isError($response)) {
  214. error($response->getMessage());
  215. return false;
  216. }
  217. $query = "DELETE FROM users WHERE id = " . $db->quote($uid, 'integer');
  218. $response = $db->query($query);
  219. if (PEAR::isError($response)) {
  220. error($response->getMessage());
  221. return false;
  222. }
  223. delete_zone_templ_userid($uid);
  224. }
  225. return true;
  226. }
  227. /** Delete Permission Template ID
  228. *
  229. * @param int $ptid Permission template ID
  230. *
  231. * @return boolean true on success, false otherwise
  232. */
  233. function delete_perm_templ($ptid) {
  234. global $db;
  235. if (!(verify_permission('user_edit_templ_perm'))) {
  236. error(ERR_PERM_DEL_PERM_TEMPL);
  237. } else {
  238. $query = "SELECT id FROM users WHERE perm_templ = " . $ptid;
  239. $response = $db->queryOne($query);
  240. if (PEAR::isError($response)) {
  241. error($response->getMessage());
  242. return false;
  243. }
  244. if ($response) {
  245. error(ERR_PERM_TEMPL_ASSIGNED);
  246. return false;
  247. } else {
  248. $query = "DELETE FROM perm_templ_items WHERE templ_id = " . $ptid;
  249. $response = $db->query($query);
  250. if (PEAR::isError($response)) {
  251. error($response->getMessage());
  252. return false;
  253. }
  254. $query = "DELETE FROM perm_templ WHERE id = " . $ptid;
  255. $response = $db->query($query);
  256. if (PEAR::isError($response)) {
  257. error($response->getMessage());
  258. return false;
  259. }
  260. return true;
  261. }
  262. }
  263. }
  264. /** Modify User Details
  265. *
  266. * Edit the information of an user.. sloppy implementation with too many queries.. (2) :)
  267. *
  268. * @param int $id User ID
  269. * @param string $user Username
  270. * @param string $fullname Full Name
  271. * @param string $email Email address
  272. * @param string $perm_templ Permission Template Name
  273. * @param string $description Description
  274. * @param int $active Active User
  275. * @param string $password Password
  276. *
  277. * @return boolean true if succesful, false otherwise
  278. */
  279. function edit_user($id, $user, $fullname, $email, $perm_templ, $description, $active, $password) {
  280. global $db;
  281. global $password_encryption;
  282. verify_permission('user_edit_own') ? $perm_edit_own = "1" : $perm_edit_own = "0";
  283. verify_permission('user_edit_others') ? $perm_edit_others = "1" : $perm_edit_others = "0";
  284. if (($id == $_SESSION["userid"] && $perm_edit_own == "1") || ($id != $_SESSION["userid"] && $perm_edit_others == "1" )) {
  285. if (!is_valid_email($email)) {
  286. error(ERR_INV_EMAIL);
  287. return false;
  288. }
  289. if ($active != 1) {
  290. $active = 0;
  291. }
  292. // Before updating the database we need to check whether the user wants to
  293. // change the username. If the user wants to change the username, we need
  294. // to make sure it doesn't already exists.
  295. //
  296. // First find the current username of the user ID we want to change. If the
  297. // current username is not the same as the username that was given by the
  298. // user, the username should apparantly changed. If so, check if the "new"
  299. // username already exists.
  300. $query = "SELECT username FROM users WHERE id = " . $db->quote($id, 'integer');
  301. $response = $db->query($query);
  302. if (PEAR::isError($response)) {
  303. error($response->getMessage());
  304. return false;
  305. }
  306. $usercheck = array();
  307. $usercheck = $response->fetchRow();
  308. if ($usercheck['username'] != $user) {
  309. // Username of user ID in the database is different from the name
  310. // we have been given. User wants a change of username. Now, make
  311. // sure it doesn't already exist.
  312. $query = "SELECT id FROM users WHERE username = " . $db->quote($user, 'text');
  313. $response = $db->queryOne($query);
  314. if ($response) {
  315. error(ERR_USER_EXIST);
  316. return false;
  317. }
  318. }
  319. // So, user doesn't want to change username or, if he wants, there is not
  320. // another user that goes by the wanted username. So, go ahead!
  321. $query = "UPDATE users SET
  322. username = " . $db->quote($user, 'text') . ",
  323. fullname = " . $db->quote($fullname, 'text') . ",
  324. email = " . $db->quote($email, 'text') . ",";
  325. if (verify_permission('user_edit_templ_perm')) {
  326. $query .= "perm_templ = " . $db->quote($perm_templ, 'integer') . ",";
  327. }
  328. $query .= "description = " . $db->quote($description, 'text') . ",
  329. active = " . $db->quote($active, 'integer');
  330. if ($password != "") {
  331. if ($password_encryption == 'md5salt') {
  332. $query .= ", password = " . $db->quote(gen_mix_salt($password), 'text');
  333. } else {
  334. $query .= ", password = " . $db->quote(md5($password), 'text');
  335. }
  336. }
  337. $query .= " WHERE id = " . $db->quote($id, 'integer');
  338. $response = $db->query($query);
  339. if (PEAR::isError($response)) {
  340. error($response->getMessage());
  341. return false;
  342. }
  343. } else {
  344. error(ERR_PERM_EDIT_USER);
  345. return false;
  346. }
  347. return true;
  348. }
  349. /** Change User Password
  350. *
  351. * Change the pass of the user.
  352. * The user is automatically logged out after the pass change.
  353. *
  354. * @param mixed[] $details User Details
  355. *
  356. * @return null
  357. */
  358. function change_user_pass($details) {
  359. global $db;
  360. global $password_encryption;
  361. if ($details['newpass'] != $details['newpass2']) {
  362. error(ERR_USER_MATCH_NEW_PASS);
  363. return false;
  364. }
  365. $query = "SELECT id, password FROM users WHERE username = " . $db->quote($_SESSION["userlogin"], 'text');
  366. $response = $db->query($query);
  367. if (PEAR::isError($response)) {
  368. error($response->getMessage());
  369. return false;
  370. }
  371. $rinfo = $response->fetchRow();
  372. if ($password_encryption == 'md5salt') {
  373. $extracted_salt = extract_salt($rinfo['password']);
  374. $current_password = mix_salt($extracted_salt, $details['currentpass']);
  375. } else {
  376. $current_password = md5($details['currentpass']);
  377. }
  378. if ($current_password == $rinfo['password']) {
  379. if ($password_encryption == 'md5salt') {
  380. $query = "UPDATE users SET password = " . $db->quote(gen_mix_salt($details['newpass']), 'text') . " WHERE id = " . $db->quote($rinfo['id'], 'integer');
  381. } else {
  382. $query = "UPDATE users SET password = " . $db->quote(md5($details['newpass']), 'text') . " WHERE id = " . $db->quote($rinfo['id'], 'integer');
  383. }
  384. $response = $db->query($query);
  385. if (PEAR::isError($response)) {
  386. error($response->getMessage());
  387. return false;
  388. }
  389. logout(_('Password has been changed, please login.'), 'success');
  390. } else {
  391. error(ERR_USER_WRONG_CURRENT_PASS);
  392. return false;
  393. }
  394. }
  395. /** Get User FullName from User ID
  396. *
  397. * Get a fullname when you have a userid.
  398. * @param int $id User ID
  399. *
  400. * @return string Full Name
  401. */
  402. function get_fullname_from_userid($id) {
  403. global $db;
  404. if (is_numeric($id)) {
  405. $response = $db->query("SELECT fullname FROM users WHERE id=" . $db->quote($id, 'integer'));
  406. if (PEAR::isError($response)) {
  407. error($response->getMessage());
  408. return false;
  409. }
  410. $r = $response->fetchRow();
  411. return $r["fullname"];
  412. } else {
  413. error(ERR_INV_ARG);
  414. return false;
  415. }
  416. }
  417. /** Get User FullName from User ID
  418. * fixme: Duplicate function
  419. *
  420. * Get a fullname when you have a userid.
  421. * @param int $id User ID
  422. *
  423. * @return string Full Name
  424. */
  425. function get_owner_from_id($id) {
  426. global $db;
  427. if (is_numeric($id)) {
  428. $response = $db->queryRow("SELECT fullname FROM users WHERE id=" . $db->quote($id, 'integer'));
  429. if ($response) {
  430. return $response["fullname"];
  431. } else {
  432. error(ERR_USER_NOT_EXIST);
  433. }
  434. }
  435. error(ERR_INV_ARG);
  436. }
  437. /** Get Full Names of owners for a Domain ID
  438. *
  439. * @todo also fetch the subowners
  440. *
  441. * @param int $id Domain ID
  442. *
  443. * @return string[] array of owners for domain
  444. */
  445. function get_fullnames_owners_from_domainid($id) {
  446. global $db;
  447. if (is_numeric($id)) {
  448. $response = $db->query("SELECT users.id, users.fullname FROM users, zones WHERE zones.domain_id=" . $db->quote($id, 'integer') . " AND zones.owner=users.id ORDER by fullname");
  449. if ($response) {
  450. $names = array();
  451. while ($r = $response->fetchRow()) {
  452. $names[] = $r['fullname'];
  453. }
  454. return implode(', ', $names);
  455. }
  456. return "";
  457. }
  458. error(ERR_INV_ARG);
  459. }
  460. /** Verify User is Zone ID owner
  461. *
  462. * @param int $zoneid Zone ID
  463. *
  464. * @return int 1 if owner, 0 if not owner
  465. */
  466. function verify_user_is_owner_zoneid($zoneid) {
  467. global $db;
  468. $userid = $_SESSION["userid"];
  469. if (is_numeric($zoneid)) {
  470. $response = $db->queryOne("SELECT zones.id FROM zones
  471. WHERE zones.owner = " . $db->quote($userid, 'integer') . "
  472. AND zones.domain_id = " . $db->quote($zoneid, 'integer'));
  473. return ($response ? "1" : "0");
  474. }
  475. error(ERR_INV_ARG);
  476. }
  477. /** Get User Details
  478. *
  479. * Gets an array of all users and their details
  480. *
  481. * @param int $specific User ID (optional)
  482. *
  483. * @return mixed[] array of user details
  484. */
  485. function get_user_detail_list($specific) {
  486. global $db;
  487. global $ldap_use;
  488. $userid = $_SESSION['userid'];
  489. // fixme: does this actually verify the permission?
  490. if (v_num($specific)) {
  491. $sql_add = "AND users.id = " . $db->quote($specific, 'integer');
  492. } else {
  493. if (verify_permission('user_view_others')) {
  494. $sql_add = "";
  495. } else {
  496. $sql_add = "AND users.id = " . $db->quote($userid, 'integer');
  497. }
  498. }
  499. $query = "SELECT users.id AS uid,
  500. username,
  501. fullname,
  502. email,
  503. description AS descr,
  504. active,";
  505. if ($ldap_use) {
  506. $query .= "use_ldap,";
  507. }
  508. $query .= "perm_templ.id AS tpl_id,
  509. perm_templ.name AS tpl_name,
  510. perm_templ.descr AS tpl_descr
  511. FROM users, perm_templ
  512. WHERE users.perm_templ = perm_templ.id "
  513. . $sql_add . "
  514. ORDER BY username";
  515. $response = $db->query($query);
  516. if (PEAR::isError($response)) {
  517. error($response->getMessage());
  518. return false;
  519. }
  520. while ($user = $response->fetchRow()) {
  521. $userlist[] = array(
  522. "uid" => $user['uid'],
  523. "username" => $user['username'],
  524. "fullname" => $user['fullname'],
  525. "email" => $user['email'],
  526. "descr" => $user['descr'],
  527. "active" => $user['active'],
  528. "use_ldap" => $user['use_ldap'],
  529. "tpl_id" => $user['tpl_id'],
  530. "tpl_name" => $user['tpl_name'],
  531. "tpl_descr" => $user['tpl_descr']
  532. );
  533. }
  534. return $userlist;
  535. }
  536. /** Get List of Permissions
  537. *
  538. * Get a list of permissions that are available. If first argument is "0", it
  539. * should return all available permissions. If the first argument is > "0", it
  540. * should return the permissions assigned to that particular template only. If
  541. * second argument is true, only the permission names are returned.
  542. *
  543. * @param int $templ_id Template ID (optional) [default=0]
  544. * @param boolean $return_name_only Return name only or all details (optional) [default=false]
  545. *
  546. * @return mixed[] array of permissions [id,name,descr] or permission names [name]
  547. */
  548. function get_permissions_by_template_id($templ_id = 0, $return_name_only = false) {
  549. global $db;
  550. $limit = '';
  551. if ($templ_id > 0) {
  552. $limit = ", perm_templ_items
  553. WHERE perm_templ_items.templ_id = " . $db->quote($templ_id, 'integer') . "
  554. AND perm_templ_items.perm_id = perm_items.id";
  555. }
  556. $query = "SELECT perm_items.id AS id,
  557. perm_items.name AS name,
  558. perm_items.descr AS descr
  559. FROM perm_items"
  560. . $limit . "
  561. ORDER BY name";
  562. $response = $db->query($query);
  563. if (PEAR::isError($response)) {
  564. error($response->getMessage());
  565. return false;
  566. }
  567. $permission_list = array();
  568. while ($permission = $response->fetchRow()) {
  569. if ($return_name_only == false) {
  570. $permission_list[] = array(
  571. "id" => $permission['id'],
  572. "name" => $permission['name'],
  573. "descr" => $permission['descr']
  574. );
  575. } else {
  576. $permission_list[] = $permission['name'];
  577. }
  578. }
  579. return $permission_list;
  580. }
  581. /** Get name and description of template from Template ID
  582. *
  583. * @param int $templ_id Template ID
  584. *
  585. * @return mixed[] Template details
  586. */
  587. function get_permission_template_details($templ_id) {
  588. global $db;
  589. $query = "SELECT *
  590. FROM perm_templ
  591. WHERE perm_templ.id = " . $db->quote($templ_id, 'integer');
  592. $response = $db->query($query);
  593. if (PEAR::isError($response)) {
  594. error($response->getMessage());
  595. return false;
  596. }
  597. $details = $response->fetchRow();
  598. return $details;
  599. }
  600. /** Add a Permission Template
  601. *
  602. * @param mixed[] $details Permission template details [templ_name,templ_descr,perm_id]
  603. *
  604. * @return boolean true on success, false otherwise
  605. */
  606. function add_perm_templ($details) {
  607. global $db;
  608. global $db_layer;
  609. global $db_type;
  610. // Fix permission template name and description first.
  611. $query = "INSERT INTO perm_templ (name, descr)
  612. VALUES ("
  613. . $db->quote($details['templ_name'], 'text') . ", "
  614. . $db->quote($details['templ_descr'], 'text') . ")";
  615. $response = $db->query($query);
  616. if (PEAR::isError($response)) {
  617. error($response->getMessage());
  618. return false;
  619. }
  620. if ($db_layer == 'MDB2' && ($db_type == 'mysql' || $db_type == 'pgsql')) {
  621. $perm_templ_id = $db->lastInsertId('perm_templ', 'id');
  622. } else if ($db_layer == 'PDO' && $db_type == 'pgsql') {
  623. $perm_templ_id = $db->lastInsertId('perm_templ_id_seq');
  624. } else {
  625. $perm_templ_id = $db->lastInsertId();
  626. }
  627. if (isset($details['perm_id'])) {
  628. foreach ($details['perm_id'] AS $perm_id) {
  629. $query = "INSERT INTO perm_templ_items (templ_id, perm_id) VALUES (" . $db->quote($perm_templ_id, 'integer') . "," . $db->quote($perm_id, 'integer') . ")";
  630. $response = $db->query($query);
  631. if (PEAR::isError($response)) {
  632. error($response->getMessage());
  633. return false;
  634. }
  635. }
  636. }
  637. return true;
  638. }
  639. /** Update permission template details
  640. *
  641. * @param mixed[] $details Permission Template Details
  642. *
  643. * @return boolean true on success, false otherwise
  644. */
  645. function update_perm_templ_details($details) {
  646. global $db;
  647. // Fix permission template name and description first.
  648. $query = "UPDATE perm_templ
  649. SET name = " . $db->quote($details['templ_name'], 'text') . ",
  650. descr = " . $db->quote($details['templ_descr'], 'text') . "
  651. WHERE id = " . $db->quote($details['templ_id'], 'integer');
  652. $response = $db->query($query);
  653. if (PEAR::isError($response)) {
  654. error($response->getMessage());
  655. return false;
  656. }
  657. // Now, update list of permissions assigned to this template. We could do
  658. // this The Correct Way [tm] by comparing the list of permissions that are
  659. // currently assigned with a list of permissions that should be assigned and
  660. // apply the difference between these two lists to the database. That sounds
  661. // like too much work. Just delete all the permissions currently assigned to
  662. // the template, than assign all the permessions the template should have.
  663. $query = "DELETE FROM perm_templ_items WHERE templ_id = " . $details['templ_id'];
  664. $response = $db->query($query);
  665. if (PEAR::isError($response)) {
  666. error($response->getMessage());
  667. return false;
  668. }
  669. if (isset($details['perm_id'])) {
  670. foreach ($details['perm_id'] AS $perm_id) {
  671. $query = "INSERT INTO perm_templ_items (templ_id, perm_id) VALUES (" . $db->quote($details['templ_id'], 'integer') . "," . $db->quote($perm_id, 'integer') . ")";
  672. $response = $db->query($query);
  673. if (PEAR::isError($response)) {
  674. error($response->getMessage());
  675. return false;
  676. }
  677. }
  678. }
  679. return true;
  680. }
  681. /** Update User Details
  682. *
  683. * @param mixed[] $details User details
  684. *
  685. * @return boolean true on success, false otherise
  686. */
  687. function update_user_details($details) {
  688. global $db;
  689. global $password_encryption;
  690. verify_permission('user_edit_own') ? $perm_edit_own = "1" : $perm_edit_own = "0";
  691. verify_permission('user_edit_others') ? $perm_edit_others = "1" : $perm_edit_others = "0";
  692. verify_permission('templ_perm_edit') ? $perm_templ_perm_edit = "1" : $perm_templ_perm_edit = "0";
  693. verify_permission('user_is_ueberuser') ? $perm_is_godlike = "1" : $perm_is_godlike = "0";
  694. if (($details['uid'] == $_SESSION["userid"] && $perm_edit_own == "1") ||
  695. ($details['uid'] != $_SESSION["userid"] && $perm_edit_others == "1" )) {
  696. if (!is_valid_email($details['email'])) {
  697. error(ERR_INV_EMAIL);
  698. return false;
  699. }
  700. if (!isset($details['active']) || $details['active'] != "on") {
  701. $active = 0;
  702. } else {
  703. $active = 1;
  704. }
  705. if (isset($details['use_ldap'])) {
  706. $use_ldap = 1;
  707. } else {
  708. $use_ldap = 0;
  709. }
  710. // Before updating the database we need to check whether the user wants to
  711. // change the username. If the user wants to change the username, we need
  712. // to make sure it doesn't already exists.
  713. //
  714. // First find the current username of the user ID we want to change. If the
  715. // current username is not the same as the username that was given by the
  716. // user, the username should apparantly changed. If so, check if the "new"
  717. // username already exists.
  718. $query = "SELECT username FROM users WHERE id = " . $db->quote($details['uid'], 'integer');
  719. $response = $db->query($query);
  720. if (PEAR::isError($response)) {
  721. error($response->getMessage());
  722. return false;
  723. }
  724. $usercheck = array();
  725. $usercheck = $response->fetchRow();
  726. if ($usercheck['username'] != $details['username']) {
  727. // Username of user ID in the database is different from the name
  728. // we have been given. User wants a change of username. Now, make
  729. // sure it doesn't already exist.
  730. $query = "SELECT id FROM users WHERE username = " . $db->quote($details['username'], 'text');
  731. $response = $db->queryOne($query);
  732. if ($response) {
  733. error(ERR_USER_EXIST);
  734. return false;
  735. }
  736. }
  737. // So, user doesn't want to change username or, if he wants, there is not
  738. // another user that goes by the wanted username. So, go ahead!
  739. $query = "UPDATE users SET
  740. username = " . $db->quote($details['username'], 'text') . ",
  741. fullname = " . $db->quote($details['fullname'], 'text') . ",
  742. email = " . $db->quote($details['email'], 'text') . ",
  743. description = " . $db->quote($details['descr'], 'text') . ",
  744. active = " . $db->quote($active, 'integer');
  745. // If the user is alllowed to change the permission template, set it.
  746. if ($perm_templ_perm_edit == "1") {
  747. $query .= ", perm_templ = " . $db->quote($details['templ_id'], 'integer');
  748. }
  749. // If the user is allowed to change the use_ldap flag, set it.
  750. if ($perm_is_godlike == "1") {
  751. $query .= ", use_ldap = " . $db->quote($use_ldap, 'integer');
  752. }
  753. if (isset($details['password']) && $details['password'] != "") {
  754. if ($password_encryption == 'md5salt') {
  755. $query .= ", password = " . $db->quote(gen_mix_salt($details['password']), 'text');
  756. } else {
  757. $query .= ", password = " . $db->quote(md5($details['password']), 'text');
  758. }
  759. }
  760. $query .= " WHERE id = " . $db->quote($details['uid'], 'integer');
  761. $response = $db->query($query);
  762. if (PEAR::isError($response)) {
  763. error($response->getMessage());
  764. return false;
  765. }
  766. } else {
  767. error(ERR_PERM_EDIT_USER);
  768. return false;
  769. }
  770. return true;
  771. }
  772. /** Add a new user
  773. *
  774. * @param mixed[] $details Array of User details
  775. *
  776. * @return boolean true on success, false otherwise
  777. */
  778. function add_new_user($details) {
  779. global $db;
  780. global $password_encryption;
  781. if (!verify_permission('user_add_new')) {
  782. error(ERR_PERM_ADD_USER);
  783. return false;
  784. } elseif (user_exists($details['username'])) {
  785. error(ERR_USER_EXIST);
  786. return false;
  787. } elseif (!is_valid_email($details['email'])) {
  788. error(ERR_INV_EMAIL);
  789. return false;
  790. } elseif ($details['active'] == 1) {
  791. $active = 1;
  792. } else {
  793. $active = 0;
  794. }
  795. $query = "INSERT INTO users (username, password, fullname, email, description,";
  796. if (verify_permission('user_edit_templ_perm')) {
  797. $query .= ' perm_templ,';
  798. }
  799. if ($password_encryption == 'md5salt') {
  800. $password_hash = gen_mix_salt($details['password']);
  801. } else {
  802. $password_hash = md5($details['password']);
  803. }
  804. $query .= " active) VALUES ("
  805. . $db->quote($details['username'], 'text') . ", "
  806. . $db->quote($password_hash, 'text') . ", "
  807. . $db->quote($details['fullname'], 'text') . ", "
  808. . $db->quote($details['email'], 'text') . ", "
  809. . $db->quote($details['descr'], 'text') . ", ";
  810. if (verify_permission('user_edit_templ_perm')) {
  811. $query .= $db->quote($details['perm_templ'], 'integer') . ", ";
  812. }
  813. $query .= $db->quote($active, 'integer')
  814. . ")";
  815. $response = $db->query($query);
  816. if (PEAR::isError($response)) {
  817. error($response->getMessage());
  818. return false;
  819. }
  820. return true;
  821. }