From 2715d67aefe281fe31ed7fa0a77b0d4be2524f10 Mon Sep 17 00:00:00 2001 From: dave Date: Sat, 17 Nov 2007 21:59:59 +0000 Subject: [PATCH] - Fix login check for an expired password - Allow user_personal.php to handle committee members - Add password field if the editer in user_personal has access_super - Allow a committee member to edit anyone in user_personal.php - Convert auth_required to user_auth_required, and check for both a user type and an access level (if committee) - Convert the committee to the new user system (BIG change :) - Remove the ^M from admin/committees.php --- admin/committees.php | 849 +++++++++++++------------------ admin/communication.inc.php | 2 +- admin/index.php | 10 +- admin/reports_committees.inc.php | 16 +- committee.inc.php | 17 + committee_auth.php | 19 + committee_login.php | 10 +- committee_main.php | 64 +++ committees.php | 38 +- common.inc.php | 2 +- db/db.code.version.txt | 2 +- db/db.update.62.php | 87 ++++ db/db.update.62.sql | 12 + db/db.update.63.sql | 12 + user.inc.php | 202 +++++++- user_login.php | 54 +- user_password.php | 13 +- user_personal.php | 156 +++++- 18 files changed, 964 insertions(+), 601 deletions(-) create mode 100644 committee.inc.php create mode 100644 committee_main.php create mode 100644 db/db.update.62.php create mode 100644 db/db.update.62.sql create mode 100644 db/db.update.63.sql diff --git a/admin/committees.php b/admin/committees.php index ce947016..a14878a4 100644 --- a/admin/committees.php +++ b/admin/committees.php 
@@ -1,500 +1,349 @@ - - Copyright (C) 2005 James Grant - - This program is free software; you can redistribute it and/or - modify it under the terms of the GNU General Public - License as published by the Free Software Foundation, version 2. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; see the file COPYING. If not, write to - the Free Software Foundation, Inc., 59 Temple Place - Suite 330, - Boston, MA 02111-1307, USA. -*/ -?> -<< ".i18n("Back to Administration")."\n"; -?> - - - -\n"; - } - */ - - //print_r($config); - - if($config['committees_executeonsave']) - { - echo happy(i18n("Executing:").$config['committees_executeonsave']); - system($config['committees_executeonsave']); - } - - echo happy(i18n("Committee member saved")); - -} - -if($_POST['action']=="edit") -{ - $edit=$_POST['committees_members_id']; -} - -if($_GET['edit'] || $edit) -{ - if($_GET['edit']) - $e=$_GET['edit']; - else - $e=$edit; - $q=mysql_query("SELECT * FROM committees_members WHERE id='$e'"); - $r=mysql_fetch_object($q); - echo "

".i18n("Edit Committee Member")."

"; - echo "<< ".i18n("Back to Committees Editor")."\n"; - - echo "
\n"; - echo "\n"; - - - echo ""; - - echo ""; - - if(auth_has_access("super") || ($_SESSION['committee_member_id'] == intval($e))) - echo ""; - - $cq=mysql_query("SELECT committees.name, committees.id, committees_link.title, committees_link.ord FROM committees,committees_link WHERE committees_link.committees_id=committees.id AND committees_link.committees_members_id='$e' ORDER BY committees.name"); - - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - - if(auth_has_access("super")) - { - echo ""; - echo ""; - } - - - echo "\n"; - echo "
".i18n("Name").":name)."\" />
".i18n("Password").":password\" />
".i18n("Committees").":"; - if(mysql_num_rows($cq)) - { - echo ""; - echo ""; - while($cr=mysql_fetch_object($cq)) - { - echo ""; - } - - echo "
".i18n("Committee")."".i18n("Title in Committee")."".i18n("Order")."
$cr->nameid]\" value=\"$cr->title\" />id]\" value=\"$cr->ord\" size=\"3\" />
"; - } - else - echo "None"; - echo "
".i18n("Organization").":organization\" />
".i18n("Email (Public)").":email\" />
".i18n("Email (Private)").":emailprivate\" />
".i18n("Display Emails").":"; - if($r->displayemail=="N") $checked="checked=\"checked\""; else $checked=""; - echo "".i18n("No"); - echo "     "; - if($r->displayemail=="Y") $checked="checked=\"checked\""; else $checked=""; - echo "".i18n("Yes"); - - echo "
".i18n("Phone (Home)").":phonehome\" />
".i18n("Phone (Work)").":phonework\" />
".i18n("Phone (Cell)").":phonecell\" />
".i18n("Fax").":fax\" />

".i18n("Access Controls").":"; - if($r->access_admin=="Y") $checked="checked=\"checked\""; else $checked=""; - echo " ".i18n("Administration")."
"; - if($r->access_config=="Y") $checked="checked=\"checked\""; else $checked=""; - echo " ".i18n("Configuration")."
"; - if($r->access_super=="Y") $checked="checked=\"checked\""; else $checked=""; - echo " ".i18n("Superuser")."
"; - - echo "
"; - echo "

"; - echo "\n"; - echo "
\n"; - - echo "
\n"; -} -else -{ - - echo ""; - echo ""; - echo "
"; - - echo "

".i18n("Add Committee")."

\n"; - echo "
\n"; - echo "\n"; - echo ""; - echo " \n"; - echo "
".i18n("Committee Name").":
\n"; - echo "
\n"; - - echo "
 "; - - echo "

".i18n("Add Committee Member")."

\n"; - echo "
\n"; - echo "\n"; - echo "\n"; - echo " \n"; - echo "
".i18n("Member Name").": "; - echo "\n"; - echo "
\n"; - echo "
\n"; - - echo "
"; - - - echo "
"; - echo "

".i18n("Committee Member Management")."

\n"; - echo "
\n"; - echo ""; - echo ""; - - echo "
"; - echo ""; - - echo ""; - $q=mysql_query("SELECT * FROM committees_members ORDER BY name"); - echo ""; - - echo ""; - - - //The Assign Div - echo "
"; - echo i18n("To Committee").": "; - $q=mysql_query("SELECT * FROM committees ORDER BY ord,name"); - echo ""; - echo "
"; - - - //The Edit or Remove Div - - echo "
"; - echo "
"; - - echo ""; - echo "
"; - - - $q=mysql_query("SELECT * FROM committees ORDER BY ord,name"); - if(mysql_num_rows($q)) - { - echo "

".i18n("Committees")."

"; - echo "
\n"; - echo ""; - echo ""; - while($r=mysql_fetch_object($q)) - { - echo ""; - echo "\n"; - echo mysql_error(); - while($r2=mysql_fetch_object($q2)) - { - echo ""; - echo "\n"; - } - echo "\n"; - } - echo "\n"; - echo "
".i18n("Public Email / Private Email")."
"; - echo "id\" />"; - echo "ord\" />"; - echo "  $r->name"; - - $q2=mysql_query("SELECT ". - "committees_members.id,". - "committees_members.name,". - "committees_members.email,". - "committees_members.emailprivate,". - "committees_link.title, ". - "committees_link.ord ". - "FROM committees_members, committees_link ". - "WHERE committees_link.committees_members_id=committees_members.id ". - " AND committees_link.committees_id='$r->id'". - " ORDER BY ord,name"); - if(mysql_num_rows($q2)==0) - { - echo "   "; - echo "id\">\"Remove"; - } - - echo "
    "; - echo "id\">\"Edit\""; - echo " "; - echo "id&unlinkcommittee=$r->id\">\"Unlink\""; - echo ""; - echo " $r2->name"; - - if($r2->title) echo " - $r2->title    "; - - echo ""; - - if($r2->email) - { - list($b,$a)=split("@",$r2->email); - echo ""; - } - - if($r2->emailprivate) - { - if($r2->email) echo " / "; - list($b,$a)=split("@",$r2->emailprivate); - echo ""; - } - - echo "
 
"; - echo "
\n"; - } -} - -send_footer(); -?> - + + Copyright (C) 2005 James Grant + + This program is free software; you can redistribute it and/or + modify it under the terms of the GNU General Public + License as published by the Free Software Foundation, version 2. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; see the file COPYING. If not, write to + the Free Software Foundation, Inc., 59 Temple Place - Suite 330, + Boston, MA 02111-1307, USA. +*/ +?> + 'committee_main.php', + 'Administration' => 'admin/index.php' )); + + $_SESSION['last_page'] = 'committee_management'; +?> + + + +"; + echo ""; + + echo "

".i18n("Add Committee")."

\n"; + echo "
\n"; + echo "\n"; + echo ""; + echo " \n"; + echo "
".i18n("Committee Name").":
\n"; + echo "
\n"; + + echo " "; + + echo "

".i18n("Add Committee Member")."

\n"; + echo "
\n"; + echo "\n"; + echo "\n"; + echo " \n"; + echo "
".i18n("Member Name").": "; + echo "\n"; + echo "
\n"; + echo "
\n"; + + echo ""; + echo ""; + + + echo "
"; + echo "

".i18n("Committee Member Management")."

\n"; + echo "
\n"; + echo ""; + echo ""; + + echo "
"; + echo ""; + + echo ""; + $q=mysql_query("SELECT * FROM users WHERE types LIKE '%committee%' ORDER BY firstname"); + echo ""; + + echo ""; + + + //The Assign Div + echo "
"; + echo i18n("To Committee").": "; + $q=mysql_query("SELECT * FROM committees ORDER BY ord,name"); + echo ""; + echo "
"; + + + //The Edit or Remove Div + + echo "
"; + echo "
"; + + echo ""; + echo "
"; + + + $q=mysql_query("SELECT * FROM committees ORDER BY ord,name"); + if(mysql_num_rows($q)) + { + echo "

".i18n("Committees")."

"; + echo "
\n"; + echo ""; + echo ""; + while($r=mysql_fetch_object($q)) + { + echo ""; + echo "\n"; + echo mysql_error(); + while($r2=mysql_fetch_object($q2)) + { + echo ""; + echo "\n"; + } + echo "\n"; + } + echo "\n"; + echo "
".i18n("Public Email / Private Email")."
"; + echo "id\" />"; + echo "ord\" />"; + echo "  $r->name"; + + $q2=mysql_query("SELECT + users.id, + users.firstname,users.lastname, + users.email, + users_committee.emailprivate, + committees_link.title, + committees_link.ord + FROM + users, users_committee, committees_link + WHERE + users_committee.users_id=users.id + AND committees_link.users_id=users.id + AND committees_link.committees_id='$r->id' + ORDER BY + ord,firstname"); + + if(mysql_num_rows($q2)==0) + { + echo "   "; + echo "id\">\"Remove"; + } + + echo "
    "; + echo "id}\">\"Edit\""; + echo " "; + echo "id&unlinkcommittee={$r->id}\">\"Unlink\""; + echo ""; + $name = $r2->firstname.' '.$r2->lastname; + echo " $name"; + + if($r2->title) echo " - $r2->title    "; + + echo ""; + + if($r2->email) + { + list($b,$a)=split("@",$r2->email); + echo ""; + } + + if($r2->emailprivate) + { + if($r2->email) echo " / "; + list($b,$a)=split("@",$r2->emailprivate); + echo ""; + } + + echo "
 
"; + echo "
\n"; + } + +send_footer(); +?> + diff --git a/admin/communication.inc.php b/admin/communication.inc.php index 184c3963..22d13afa 100644 --- a/admin/communication.inc.php +++ b/admin/communication.inc.php @@ -1,7 +1,7 @@ array("name"=>"Committee Members (all)","query"=> - "SELECT name, organization, email FROM committees_members WHERE deleted='N'"), + "SELECT firstname, lastname, organization, email FROM users WHERE types LIKE '%committee' AND deleted='no'"), "judges_all"=>array("name"=>"Judges from all years","query"=> "SELECT firstname, lastname, email FROM judges ORDER BY email"), diff --git a/admin/index.php b/admin/index.php index fb0afb1d..ddba5469 100644 --- a/admin/index.php +++ b/admin/index.php @@ -22,9 +22,13 @@ */ ?> 'committee_main.php') ); echo "
"; echo "".i18n("Participant Registration")."
"; diff --git a/admin/reports_committees.inc.php b/admin/reports_committees.inc.php index 6118028e..55df58ea 100644 --- a/admin/reports_committees.inc.php +++ b/admin/reports_committees.inc.php @@ -26,37 +26,37 @@ $report_committees_fields = array( 'name' => 'Committee -- Full Name ', 'header' => 'Name', 'width' => 1.75, - 'table' => 'committees_members.name'), + 'table' => "CONCAT(users.firstname, ' ', users.lastname)", 'email' => array( 'name' => 'Committee -- Email', 'header' => 'Email', 'width' => 2.0, - 'table' => 'committees_members.email'), + 'table' => 'users.email'), 'phone_home' => array( 'name' => 'Committees -- Phone (Home)', 'header' => 'Phone(Home)', 'width' => 1, - 'table' => 'committees_members.phonehome'), + 'table' => 'users.phonehome'), 'phone_work' => array( 'name' => 'Committees -- Phone (Work)', 'header' => 'Phone(Work)', 'width' => 1.25, - 'table' => 'committees_members.phonework'), + 'table' => 'users.phonework'), 'phone_cel' => array( 'name' => 'Committees -- Phone (Cel)', 'header' => 'Phone(Cel)', 'width' => 1, - 'table' => 'committees_members.phonecel'), + 'table' => 'users.phonecell'), 'organization' => array( 'name' => 'Committees -- Organization', 'header' => 'Organization', 'width' => 2, - 'table' => 'committees_members.organization'), + 'table' => 'users.organization'), 'static_text' => array( 'name' => 'Static Text (useful for labels)', @@ -78,14 +78,14 @@ $report_committees_fields = array( $teams_where = ''; if(in_array('teams', $components)) { $teams_from = ",committees_teams_link, committees_teams"; - $teams_where = "AND committees_teams_link.committees_id=committees_members.id + $teams_where = "AND committees_teams_link.committees_id=users.id AND committees_teams_link.year='$year' AND committees_teams.id=committees_teams_link.committees_teams_id AND committees_teams.year='$year'"; } */ $q = " FROM - committees_members + users WHERE 1 "; 
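Review bot: After the report's FROM clause in admin/reports_committees.inc.php is switched from `committees_members` to `users`, the `WHERE 1` that follows no longer limits the rows to committee members, so the committee report (names, home/work/cell phone numbers, organization) would be generated over every user in the table, including students and judges. Add a type filter such as `WHERE users.types LIKE '%committee%' AND users.deleted='no'` to match the selection used in admin/committees.php in this patch. The commented-out teams block now compares `committees_teams_link.committees_id` to `users.id`; if that block is ever re-enabled, the column name should be revisited. The query-building code continues outside the hunk.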
diff --git a/committee.inc.php b/committee.inc.php new file mode 100644 index 00000000..8f66da19 --- /dev/null +++ b/committee.inc.php @@ -0,0 +1,17 @@ + diff --git a/committee_auth.php b/committee_auth.php index c016dced..26e98cfe 100644 --- a/committee_auth.php +++ b/committee_auth.php @@ -1,5 +1,21 @@ access_admin; $accesscache['config']=$r->access_config; $accesscache['super']=$r->access_super; @@ -44,5 +62,6 @@ function auth_required($access="") exit; } } +*/ ?> diff --git a/committee_login.php b/committee_login.php index 23b2f176..190a40c4 100644 --- a/committee_login.php +++ b/committee_login.php @@ -11,20 +11,20 @@ $r=mysql_fetch_object($q); $_SESSION['email']=$r->email; $_SESSION['committee_member_id']=$r->id; - send_header("Committee Login"); + send_header("Committee Login", array()); echo happy(i18n("Successfully logged in")); echo i18n("Use the menu on the left to access the committee pages"); } else { - send_header("Committee Login"); + send_header("Committee Login", array()); echo error(i18n("Invalid Email/Password")); } } else { - send_header("Committee Login"); + send_header("Committee Login", array()); echo error(i18n("Email/Password missing")); } } @@ -32,13 +32,13 @@ { unset($_SESSION['email']); unset($_SESSION['committee_member_id']); - send_header("Committee Login"); + send_header("Committee Login", array()); echo notice(i18n("You have been successfully logged out")); } else { - send_header("Committee Login"); + send_header("Committee Login", array()); ?>
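Review bot: committee_login.php is kept as a second, parallel login path (only its `send_header` calls change), and its context lines still populate `$_SESSION['committee_member_id']` from a row `$r` whose query lies outside the hunk; the `committees_members` table that path appears to read is dropped by db/db.update.63.sql in this same patch. If the user-based login in user_login.php is now the only supported path, this script should redirect to `user_login.php?type=committee` or be removed, so that there is a single authentication entry point to review and maintain. Likewise, committee_auth.php wraps the old `auth_required` in a `/* ... */` block rather than deleting it; dead code kept under version control is better removed outright.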
diff --git a/committee_main.php b/committee_main.php new file mode 100644 index 00000000..b9220bbe --- /dev/null +++ b/committee_main.php @@ -0,0 +1,64 @@ + + Copyright (C) 2005 James Grant + Copyright (C) 2007 David Grant + + This program is free software; you can redistribute it and/or + modify it under the terms of the GNU General Public + License as published by the Free Software Foundation, version 2. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; see the file COPYING. If not, write to + the Free Software Foundation, Inc., 59 Temple Place - Suite 330, + Boston, MA 02111-1307, USA. +*/ +?> +%1",array($_SESSION['name'])); + echo "
"; + echo "
"; + + echo i18n('Things you can do').':
'; + echo ''; + + send_footer(); +?> diff --git a/committees.php b/committees.php index a076e902..55211b91 100644 --- a/committees.php +++ b/committees.php @@ -23,25 +23,28 @@ ?> "; $q=mysql_query("SELECT * FROM committees ORDER BY ord,name"); while($r=mysql_fetch_object($q)) { - $q2=mysql_query("SELECT ". - "committees_members.id,". - "committees_members.name,". - "committees_members.email,". - "committees_members.emailprivate,". - "committees_members.displayemail,". - "committees_link.title, ". - "committees_link.ord ". - "FROM committees_members, committees_link ". - "WHERE committees_link.committees_members_id=committees_members.id ". - " AND committees_link.committees_id='$r->id'". - " ORDER BY ord,name"); - + $q2=mysql_query("SELECT + users.id, + users.firstname,users.lastname, + users.email, + users_committee.emailprivate, + users_committee.displayemail, + committees_link.title, + committees_link.ord + FROM + users, users_committee, committees_link + WHERE + users_committee.users_id=users.id + AND committees_link.users_id=users.id + AND committees_link.committees_id='$r->id' + ORDER BY + ord,firstname"); //if there's nobody in this committee, then just skip it and go on to the next one. if(mysql_num_rows($q2)==0) @@ -56,11 +59,12 @@ { $output=$config['committee_publiclayout']; - $output=str_replace("name",$r2->name,$output); + $name=$r2->firstname.' '.$r2->lastname; + $output=str_replace("name",$name,$output); $output=str_replace("title",$r2->title,$output); //make sure we do emailprivate before email so we dont match the wrong thing - if($r2->emailprivate && $r2->displayemail=='Y') + if($r2->emailprivate && $r2->displayemail=='yes') { list($b,$a)=split("@",$r2->emailprivate); $output=str_replace("emailprivate","",$output); @@ -68,7 +72,7 @@ else $output=str_replace("emailprivate","",$output); - if($r2->email && $r2->displayemail=='Y') + if($r2->email && $r2->displayemail=='yes') { list($b,$a)=split("@",$r2->email); $output=str_replace("email","",$output); 
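Review bot: committee_main.php passes `$_SESSION['name']` as the `%1` argument of the welcome string, and committees.php substitutes `$r2->firstname.' '.$r2->lastname` and `$r2->title` into the public layout via `str_replace`, with no HTML escaping visible in either hunk; those name fields are editable through user_personal.php, so unless `i18n()` escapes its arguments, a name containing markup is rendered verbatim on the committee main page and on the public committee listing. Escape at the point of output, e.g. `$name = htmlspecialchars($r2->firstname.' '.$r2->lastname, ENT_QUOTES, 'UTF-8');`, or confirm that `i18n()` and the layout substitution already do so. The `split("@", ...)` calls on the context lines of committees.php are a deprecated function and should become `explode('@', ...)` when that code is next touched.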
diff --git a/common.inc.php b/common.inc.php index 70b80083..60b15c66 100644 --- a/common.inc.php +++ b/common.inc.php @@ -515,7 +515,7 @@ if(auth_has_access("admin") || auth_has_access("config") || auth_has_access("sup } else { -?>

  • diff --git a/db/db.code.version.txt b/db/db.code.version.txt index b1e7d265..4b9026d8 100644 --- a/db/db.code.version.txt +++ b/db/db.code.version.txt @@ -1 +1 @@ -61 +63 diff --git a/db/db.update.62.php b/db/db.update.62.php new file mode 100644 index 00000000..4c92d8c1 --- /dev/null +++ b/db/db.update.62.php @@ -0,0 +1,87 @@ + 0) { + $passwordexpiry = "DATE_ADD(CURDATE(), + INTERVAL {$config['committee_password_expiry_days']} DAY)"; + } else { + $passwordexpiry = "'0000-00-00'"; + } + + $deleted = ($c['deleted'] == 'Y') ? 'yes' : 'no'; + $q = "INSERT INTO users + (`types`,`firstname`,`lastname`,`username`,`password`,`passwordexpiry`, + `email`,`phonehome`,`phonework`,`phonecell`,`fax`,`organization`, + `created`,`deleted`) + VALUES ('committee','$fn', '$ln', '$username', + '".mysql_escape_string($c['password'])."', + $passwordexpiry, + '{$c['email']}', + '{$c['phonehome']}', + '{$c['phonework']}', + '{$c['phonecell']}', + '{$c['fax']}', + '".mysql_escape_string($c['organization'])."', + NOW(), + '$deleted')"; + mysql_query($q); + echo "$q\n"; + $id = mysql_insert_id(); + + $access_admin = ($c['access_admin'] == 'Y') ? 'yes' : 'no'; + $access_config = ($c['access_config'] == 'Y') ? 'yes' : 'no'; + $access_super = ($c['access_super'] == 'Y') ? 'yes' : 'no'; + $displayemail = ($c['displayemail'] == 'Y') ? 'yes' : 'no'; + $q = "INSERT INTO users_committee(`users_id`,`emailprivate`, + `ord`,`displayemail`,`access_admin`,`access_config`, + `access_super`) VALUES ( + '$id', '{$c['emailprivate']}', + '{$c['ord']}', + '$displayemail', + '$access_admin', + '$access_config', + '$access_super')"; + mysql_query($q); + echo "$q\n"; + echo mysql_error(); + + /* Update committee links */ + $q = "UPDATE committees_link SET users_id='$id' + WHERE committees_members_id='{$c['id']}'"; + mysql_query($q); + echo "$q\n"; + + } +} + + +?> diff --git a/db/db.update.62.sql b/db/db.update.62.sql new file mode 100644 index 00000000..3fe65046 --- /dev/null +++ b/db/db.update.62.sql 
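Review bot: The migration in db/db.update.62.php echoes every statement it runs (`echo "$q\n";`), and the first INSERT contains the migrated `password` value of each committee member, so running the update prints every credential to whatever captures the script's output (browser, terminal or a log file); print the new id or a row count instead, or at least omit the password column from the echoed text. The same INSERT escapes `password` and `organization` with `mysql_escape_string` but interpolates `email`, `phonehome`, `phonework`, `phonecell`, `fax` and `emailprivate` raw, so a stored value containing a quote breaks the statement mid-migration; escape every column the same way. The return value of the first `mysql_query($q)` is not checked, so a failed insert leaves `mysql_insert_id()` at 0 and the following `UPDATE committees_link SET users_id='$id'` relinks that member's committees to `users_id='0'`.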
@@ -0,0 +1,12 @@ +ALTER TABLE `users_committee` CHANGE `displayemail` `displayemail` ENUM( 'no', 'yes' ) NOT NULL DEFAULT 'no', +CHANGE `access_admin` `access_admin` ENUM( 'no', 'yes' ) NOT NULL DEFAULT 'no', +CHANGE `access_config` `access_config` ENUM( 'no', 'yes' ) NOT NULL DEFAULT 'no', +CHANGE `access_super` `access_super` ENUM( 'no', 'yes' ) NOT NULL DEFAULT 'no'; + +ALTER TABLE `committees_link` ADD `users_id` INT NOT NULL AFTER `committees_members_id` ; + +INSERT INTO `emails` ( `id` , `val` , `name` , `description` , `from` , `subject` , `body` , `type` ) +VALUES ( +'', 'committee_recover_password', 'Committee Members - Recover Password', 'Recover the password for a committee member if they submit a ''forgot password'' request', '', 'Committee Member for [FAIRNAME]', 'We have received a request for the recovery of your password from this email address. Please find your new password below:\n\nCommittee Member Email Address: [EMAIL]\nCommittee Member Password: [PASSWORD] ', 'system' +); + diff --git a/db/db.update.63.sql b/db/db.update.63.sql new file mode 100644 index 00000000..6e95273e --- /dev/null +++ b/db/db.update.63.sql @@ -0,0 +1,12 @@ +ALTER TABLE `committees_link` DROP `committees_members_id` ; + +DROP TABLE `committees_members` ; + +ALTER TABLE `users` ADD `oldpassword` VARCHAR( 32 ) NOT NULL AFTER `passwordexpiry` ; + + + + + + + diff --git a/user.inc.php b/user.inc.php index d2c5ac3f..339a270e 100644 --- a/user.inc.php +++ b/user.inc.php @@ -31,7 +31,6 @@ $user_what = array('student'=>'Participant', 'judge' => 'Judge', 'committee'=>'Committee Member','volunteer' => 'Volunteer', 'region'=>'Region'); - function user_load_region($u) { /* Double check, make sure the user is of this type */ 
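Review bot: db/db.update.63.sql drops `committees_members` immediately after update 62 has copied its rows into `users` and `users_committee`, so there is no point at which an operator can verify the copy before the source data is gone; keeping (or renaming) the table until the migrated rows have been checked, and dropping it in a later update, keeps the migration reversible. The `users_id INT NOT NULL` column added to `committees_link` in update 62 has no index, although every committee query in this patch joins on it. The `oldpassword VARCHAR(32)` column will hold a second copy of each user's previous credential whenever the recovery path in user_login.php runs; if passwords are stored in clear, that doubles what a leak of the `users` table exposes.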
@@ -72,14 +71,15 @@ function user_load_committee($u) WHERE users_id='{$u['id']}'"); if(mysql_num_rows($q)!=1) return false; - $r = mysel_fetch_object($q); + $r = mysql_fetch_object($q); $ret = array(); $ret['emailprivate'] = $r->emailprivate; $ret['ord'] = intval($r->ord); - $ret['displayemail'] = ($r->displayemail == 'Y') ? 'Y' : 'N'; - $ret['access_admin'] = ($r->access_admin == 'Y') ? 'Y' : 'N'; - $ret['access_config'] = ($r->access_config == 'Y') ? 'Y' : 'N'; - $ret['access_super'] = ($r->access_super == 'Y') ? 'Y' : 'N'; + $ret['displayemail'] = ($r->displayemail == 'yes') ? 'yes' : 'no'; + $ret['access_admin'] = ($r->access_admin == 'yes') ? 'yes' : 'no'; + $ret['access_config'] = ($r->access_config == 'yes') ? 'yes' : 'no'; + $ret['access_super'] = ($r->access_super == 'yes') ? 'yes' : 'no'; + return $ret; } @@ -91,7 +91,7 @@ function user_load_volunteer($u) return $ret; } -function user_load($user, $load_full=false, $force_type=false) +function user_load($user, $load_full=false) { $id = 0; @@ -136,13 +136,6 @@ function user_load($user, $load_full=false, $force_type=false) /* Turn the type into an array, because there could be more than one */ $ts = explode(',', $ret['types']); $ret['types'] = $ts; /* Now we can use in_array($ret['type'], 'judge') ; */ - - /* Set the current type if there's only one */ - if(count($ret['types']) == 1) { - $ret['type'] = $ret['types'][0]; - } else { - $ret['type'] = false; - } } else { $ret = $user; } 
@@ -150,16 +143,17 @@ function user_load($user, $load_full=false, $force_type=false) if($load_full) { $r = true; foreach($ret['types'] as $t) { + if($ret['load_full'] == true) continue; /* These all pass $ret by reference, and can modify * $ret */ - $r = call_user_func("user_load_$type", $ret); - if($r == false) return false; + $r = call_user_func("user_load_$t", $ret); + if(!is_array($r)) return false; /* It is important that each type database doesn't have conflicting column names */ - foreach($r as $k->$v) { + foreach($r as $k=>$v) { if(array_key_exists($k, $ret)) { - echo "DATABSE DESIGN ERROR, duplicate user key $k"; + echo "DATABASE DESIGN ERROR, duplicate user key $k"; exit; } } @@ -171,13 +165,57 @@ function user_load($user, $load_full=false, $force_type=false) } /* Do this assignment without recursion :) */ + unset($ret['orig']); $orig = $ret; $ret['orig'] = $orig; +// echo "
    User load returning:\n";
    +//	print_r($ret);
    +//	echo "
    "; + return $ret; } +function user_save_volunteer($u) +{ +} + +function user_save_committee($u) +{ + $fields = array('emailprivate','ord','displayemail','access_admin', + 'access_config','access_super'); + //echo "
    ";
    +//	print_r($u);
    +//	echo "
    "; + $set = ''; + + foreach($fields as $f) { + if($u[$f] == $u['orig'][$f]) continue; + + if($set != '') $set .=','; + + $data = mysql_escape_string(stripslashes($u[$f])); + $set .= "$f='$data'"; + } + if($set != "") { + $query = "UPDATE users_committee SET $set WHERE users_id='{$u['id']}'"; + mysql_query($query); + } +} + +function user_save_judge($u) +{ +} + +function user_save_student($u) +{ +} + +function user_save_region($u) +{ +} + function user_save($u) { $fields = array('firstname','lastname','username','password', 
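Review bot: user_save_committee persists `access_admin`, `access_config` and `access_super` from whatever the caller left in `$u`, relying on the caller to have gated those keys; the only such gate visible in this patch is in user_personal.php, so any future caller of `user_save()` with a fully loaded committee user can change privilege flags. A comment above `$fields`, e.g. `/* access_* are privilege flags: callers must only set them for super users (see user_personal.php) */`, makes that contract explicit. The commented-out `print_r` debug blocks here and in user_load should be deleted rather than kept, and the empty `user_save_volunteer`/`user_save_judge`/`user_save_student`/`user_save_region` stubs each deserve a one-line comment stating that they are intentional no-ops.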
@@ -206,6 +244,92 @@ function user_save($u) // echo "query=[$query]"; echo mysql_error(); } + + /* If this was a full load, do a full save */ + if($u['load_full'] == true) { + foreach($u['types'] as $t) { + call_user_func("user_save_$t", $u); + } + } + + +} + + +function user_delete_committee($u) +{ + mysql_query("DELETE FROM users_committee WHERE users_id='{$u['id']}'"); + mysql_query("DELETE FROM committees_link WHERE users_id='{$u['id']}'"); +} + +function user_delete_volunteer($u) +{ +} + +function user_delete_judge($u) +{ +} + +function user_delete_region($u) +{ +} +function user_delete_student($u) +{ +} + +function user_delete($u, $type=false) +{ + $finish_delete = false; + + if(!is_array($u)) { + $u = user_load($u); + } + if($type != false) { + if(!in_array($type, $u['types'])) { + /* Hum, type specified, but the user is not this type, + * so, i guess we're done. */ + return; + } + if(count($u['types']) > 1) { + /* Don't delete the whole user */ + $types=''; + foreach($u['types'] as $t) { + if($t == $type) continue; + if($types != '') $types .= ','; + $types .= $t; + } + mysql_query("UPDATE users SET types='$types' WHERE id='{$u['id']}'"); + } else { + $finish_delete = true; + } + call_user_func("user_delete_$type", $u); + } else { + /* Delete the whole user */ + foreach($u['types'] as $t) call_user_func("user_delete_$t", $u); + + $finish_delete = true; + } + if($finish_delete == true) { + mysql_query("DELETE FROM users WHERE id='{$u['id']}'"); + } +} + +function user_create($type) +{ + mysql_query("INSERT INTO users (`types`,`created`) VALUES ('$type', NOW())"); + $uid = mysql_insert_id(); + + switch($type) { + case 'volunteer': + case 'student': + case 'judge': + case 'region': + break; + case 'committee': + mysql_query("INSERT INTO users_committee(`users_id`) VALUES ('$uid')"); + break; + } + return user_load($uid, true); } 
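Review bot: user_delete() calls `user_load($u)` when it is handed an id but never checks the result, and user_load returns `false` for an unknown user, so `$u['types']` is then read from `false` and `in_array()` receives `null`; add `if(!is_array($u)) return;` after the load. user_create() interpolates `$type` directly into `INSERT INTO users (types, ...)` and the same value later feeds the dynamic `user_save_$t`/`user_delete_$type` calls, yet its `switch` has no `default`, so an unexpected string silently creates a bare `users` row; validating `$type` against the keys of `$user_what` before the INSERT and returning `false` otherwise keeps an unvalidated value out of both the SQL and the function names. Each of the empty `user_delete_*` stubs would also benefit from a one-line comment saying the type has no per-type table to clean up.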
@@ -235,7 +359,7 @@ function user_valid_password($pass) /* Perform some checks. Make sure the person is logged in, and that their * password hasn't expired (the password_expired var is set in the login page) */ -function user_auth_required($type, $check_expiry=true) +function user_auth_required($type, $access='') { if(!isset($_SESSION['users_type'])) { header("location: user_login.php?type=$type¬ice=auth_required"); @@ -247,10 +371,22 @@ function user_auth_required($type, $check_expiry=true) exit; } - if($_SESSION['password_expired'] == true && $check_expiry==true) { + if($_SESSION['password_expired'] == true) { header("location: user_password.php"); exit; } + + if($access != '') { + if($type != 'committee') { + echo "CRITICAL ERROR, cannot check access in user_auth_required without specifying type=committee"; + exit; + } + + if(committee_auth_has_access($access) == false) { + header("Location: ".$config['SFIABDIRECTORY']."/committee_main.php?notice=no_auth"); + exit; + } + } return true; } @@ -280,17 +416,21 @@ function user_personal_fields($type) switch($type) { case 'volunteer': $f = array(); + break; case 'committee': - $f = array('workphone','fax'); + $f = array('phonework','fax'); + break; case 'judge': $f = array(); + break; case 'student': $f = array(); + break; case 'region': $f = array(); + break; } return array_merge($all_fields, $f); - return null; } function user_personal_required_fields($type) @@ -299,17 +439,21 @@ function user_personal_required_fields($type) switch($type) { case 'volunteer': $f = array(); + break; case 'committee': $f = array(); + break; case 'judge': $f = array(); + break; case 'student': $f = array(); + break; case 'region': $f = array(); + break; } return array_merge($all_fields, $f); - return null; } function user_personal_info_status($u = false) 
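Review bot: In the second hunk of user_auth_required, the failed-access redirect reads `$config['SFIABDIRECTORY']` inside a function, and no `global $config;` is visible in either hunk; unless it is declared in the lines between them, `$config` is undefined there and the redirect target becomes `/committee_main.php?notice=no_auth`. Add `global $config;` at the top of the function. The `echo "CRITICAL ERROR ..."; exit;` branch for a non-committee `$access` check is reached only through a programming error, so it could equally be a comment on the signature, e.g. `/* $access is only meaningful for $type == 'committee' */`, while keeping the exit.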
@@ -350,13 +494,15 @@ function user_update_complete(&$u, $status) function user_committee_login($u) { /* Double check, make sure the user is of this type */ - if(!in_array('committee', $u['types'])) return false; + if(!in_array('committee', $u['types'])) { + echo "ERROR: attempted to login committee on a non-committee user\n"; + exit; + } $u = user_load($u, true); - - $_SESSION['access_admin'] = ($u['access_admin'] == 'Y') ? true : false; - $_SESSION['access_config'] = ($u['access_config'] == 'Y') ? true : false; - $_SESSION['access_super'] = ($u['access_super'] == 'Y') ? true : false; + $_SESSION['access_admin'] = $u['access_admin'];// == 'yes') ? true : false; + $_SESSION['access_config'] = $u['access_config'];// == 'yes') ? true : false; + $_SESSION['access_super'] = $u['access_super'];// == 'yes') ? true : false; } diff --git a/user_login.php b/user_login.php index 4b59de51..beb36cea 100644 --- a/user_login.php +++ b/user_login.php @@ -81,7 +81,6 @@ $reg_open = user_volunteer_registration_status(); break; case 'committee': - exit; $reg_open = 'notpermitted'; break; case 'judge': 
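Review bot: user_committee_login now stores `$u['access_admin']`, `$u['access_config']` and `$u['access_super']` in the session as the strings `'yes'`/`'no'` where the previous code stored booleans; any consumer that still tests a flag for truthiness (`if($_SESSION['access_super'])`) will treat `'no'` as granted, because a non-empty string is truthy. Either keep the boolean conversion, `$_SESSION['access_admin'] = ($u['access_admin'] == 'yes');`, or confirm that every reader (committee_auth_has_access in the new committee.inc.php, the auth_has_access checks in common.inc.php) compares against `'yes'` explicitly. The trailing `// == 'yes') ? true : false;` fragments on those three lines should be removed either way.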
@@ -105,33 +104,53 @@ exit; } else { $u = user_load($id); + + /* Make sure $type is in their types */ + if(!in_array($type, $u['types'])) { + /* Huh, someone is fudging with the HTML, get + * out before touching the session */ + header("location: index.php"); + exit; + } + $_SESSION['name']="{$u['firstname']} {$u['lastname']}"; $_SESSION['username']=$u['username']; $_SESSION['email']=$u['email']; $_SESSION['users_id']=$u['id']; - $_SESSION['users_type']=$u['type']; + $_SESSION['users_type']=$type; /* Check for an expired password */ - $now = date('Y-m-d H:i:s'); - if($now > $u['passwordexpiry']) { - $_SESSION['password_expired'] = true; - /* The main page (or any other user page) will catch this now and - * require them to set a password */ + if($u['passwordexpiry'] == NULL) { + unset($_SESSION['password_expired']); + } else { + $now = date('Y-m-d H:i:s'); + if($now > $u['passwordexpiry']) { + $_SESSION['password_expired'] = true; + /* The main page (or any other user page) will catch this now and + * require them to set a password */ + } } - /* FIXME: call a type sepcific function - to set type specific session variables */ + /* Call login functions for each type, so multirole + * users can easily switch */ + foreach($u['types'] as $t) { + if(is_callable("user_{$t}_login")) { + call_user_func_array("user_{$t}_login", array($u)); + } + } mysql_query("UPDATE users SET lastlogin=NOW() WHERE id={$u['id']}"); - if(count($u['types']) > 1) { + /* Setup multirole so a multirole user can switch if they want to + * without logging in/out */ + if($u['types'] > 1) { $_SESSION['multirole'] = true; - header("location: user_multirole.php"); } else { $_SESSION['multirole'] = false; - header("location: {$type}_main.php"); } + /* Now finally, take them to whatever main page they logged in for */ + header("location: {$type}_main.php"); exit; } 
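Review bot: `if($u['types'] > 1)` compares an array with an integer, which in PHP is always true, so `$_SESSION['multirole']` is now set for every login; restore the original `if(count($u['types']) > 1)`. The expiry branch only ever sets `password_expired` when the date has passed and never clears a stale `true` left from an earlier login in the same session; an `else { unset($_SESSION['password_expired']); }` inside the non-null branch closes that gap. The session appears to be populated immediately after the credential check (which lies outside the hunk) with no `session_regenerate_id(true)` call visible; regenerating the session id on successful login is the standard defence against a session id established before authentication.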
@@ -152,7 +171,10 @@ $keys = array_keys($_SESSION); foreach($keys as $k) unset($_SESSION[$k]); - header("location: user_login.php?type=$type¬ice=logged_out"); + if($type != '') + header("location: user_login.php?type=$type¬ice=logged_out"); + if($type != '') + header("location: user_login.php?type=$type¬ice=logged_out"); exit; } else if($_GET['action']=="recover") @@ -210,6 +232,11 @@ $pchars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; for($x=0;$x<12;$x++) $password .= $pchars{rand(0,61)}; + /* Save their old password so it can be recovered if someone is just trying + * to reset someones password */ + mysql_query("UPDATE users SET oldpassword=password WHERE id={$r->id}"); + + /* Set the new password, and force it to expire */ mysql_query("UPDATE users SET password='$password',passwordexpiry='0000-00-00' WHERE id={$r->id}"); /* volunteer_recover_password, judge_recover_password, student_recover_password, @@ -220,6 +247,7 @@ array( "PASSWORD"=>$password, "EMAIL"=>$email) ); + header("Location: user_login.php?type=$type¬ice=recover_sent"); exit; } else { diff --git a/user_password.php b/user_password.php index 74faefcb..20ad791c 100644 --- a/user_password.php +++ b/user_password.php @@ -31,12 +31,21 @@ if(isset($_SESSION['users_type'])) { $type = $_SESSION['users_type']; } else { - header("location: index.php"); + header("location: index.php?notice=auth_requird"); exit; } /* Make sure the user is logged in, but don't check passwd expiry */ - user_auth_required($type, false); + if(!isset($_SESSION['users_type'])) { + header("location: user_login.php?type=$type¬ice=auth_required"); + exit; + } + + if($_SESSION['users_type'] != $type) { + header("location: user_login.php?type=$type¬ice=auth_required"); + exit; + } + $notice=$_GET['notice']; diff --git a/user_personal.php b/user_personal.php index 1604eb9e..132fe467 100644 --- a/user_personal.php +++ b/user_personal.php 
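Review bot: The logout hunk adds the same `if($type != '') header(...)` pair twice in a row; the second copy is a duplicate, and when `$type` is empty the code now falls through to `exit` with no redirect at all, so a fallback such as `else header("location: index.php?notice=logged_out");` is needed. In the recovery hunk, `UPDATE users SET oldpassword=password` keeps a copy of the previous credential next to the new one; if the `password` column holds clear text (user_personal.php in this patch exposes it as an editable form field, which suggests it does), this doubles what a database leak reveals, and storing both via `password_hash()` would be the durable fix. The generated password on the context line is built with `rand()`, which is not a cryptographic source; `random_int()` is the appropriate replacement when that line is next touched.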
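Review bot: The new redirect in user_password.php sends `notice=auth_requird`, a misspelling of the `auth_required` key used by user_login.php elsewhere in this patch, so the notice will not be recognised; fix the literal to `header("location: index.php?notice=auth_required");`. The two inline `isset`/type checks that replace the `user_auth_required($type, false)` call duplicate the first half of user_auth_required because that function now unconditionally redirects on an expired password; exposing the session check as a small helper (or keeping an explicit expiry parameter on user_auth_required) avoids two copies of the login check drifting apart.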
@@ -25,6 +25,7 @@ "{$type}_main.php") - ); - + if(committee_auth_has_access('super')) { + /* If the editer is super, let them see/edit/save the password */ + $fields[] = 'password'; + } if($_POST['action']=="save") { + + /* Set values */ foreach($fields as $f) { $u[$f] = mysql_escape_string(stripslashes($_POST[$f])); } - user_save($u); + if(in_array('committee', $u['types'])) { + /* Trying to save a committee member eh? Well, we established above + * that we're allowed to be here, so go ahead and save it */ + $u['displayemail'] = ($_POST['displayemail'] == 'yes') ? 'yes' : 'no'; + $u['emailprivate'] = mysql_escape_string(stripslashes($_POST['emailprivate'])); + + if(committee_auth_has_access('super')) { + /* But only superusers can save these ones */ + $u['access_admin'] = ($_POST['access_admin'] == 'yes') ? 'yes' : 'no'; + $u['access_config'] = ($_POST['access_config'] == 'yes') ? 'yes' : 'no'; + $u['access_super'] = ($_POST['access_super'] == 'yes') ? 'yes' : 'no'; + } + } + + + /* Check for an email collision */ + $em = mysql_escape_string(stripslashes($_POST['email'])); + $q=mysql_query("SELECT id FROM users WHERE email='$em'"); + if(mysql_num_rows($q) > 0) { + $notice = 'email_exists'; + } else { + user_save($u); + if($_SESSION['last_page'] == 'committee_management') { + header("location: {$config['SFIABDIRECTORY']}/admin/committees.php"); + exit; + } + $notice = 'success'; + } + - echo notice(i18n("%1 %2 successfully updated",array($_POST['firstname'],$_POST['lastname']))); } -// updateJudgeCompleteStatus($judgeinfo); + //send the header + if($eid == false) { + $type = $_SESSION['users_type']; + send_header("{$user_what[$type]} - Personal Information", + array("{$user_what[$type]} Registration" => "{$type}_main.php") + ); + } else { + if($_SESSION['last_page'] == 'committee_management') { + send_header("Personal Information for {$u['firstname']} {$u['lastname']}", + array('Committee Main' => 'committee_main.php', + 'Administration' => 'admin/index.php', + 
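Review bot: The e-mail collision query `SELECT id FROM users WHERE email='$em'` does not exclude the record being edited, so saving a user who keeps their existing address matches their own row and every such save ends in `email_exists`, unless that row is excluded somewhere outside this hunk; the check should read `SELECT id FROM users WHERE email='$em' AND id!='".(int)$u['id']."'`. The success notice also feeds `$_POST['firstname']` and `$_POST['lastname']` straight into `notice(i18n(...))`; unless those helpers HTML-escape their arguments this is reflected XSS, and the values should pass through `htmlspecialchars()` first. Gating the `access_*` fields behind `committee_auth_has_access('super')` matches the render side, but which editors may reach this page for a foreign `$u` is decided before the hunk and is not reviewed here.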
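Review bot: `$eidstr="?edit=$eid"` is interpolated into the form markup without escaping; if `$eid` originates from `$_GET['edit']` (its assignment is outside the hunk) a crafted value can break out of the attribute. Build it as `$eidstr = "?edit=".(int)$eid;` or pass it through `htmlspecialchars()` before echoing. The hunk header shows this code sits just after `item()`, whose body is not visible here.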
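Review bot: `item($u, "Password", 'password')` renders the password input for every viewer, but `$fields[] = 'password'` is added only for `access_super`, so a non-super editor gets a field whose value is silently discarded, and if `item()` pre-fills the input from `$user[$fname]` as it does for the other fields, the stored password — kept in clear text by this code base — is echoed into the HTML for anyone allowed to open the record. Wrap the call in the same `if(committee_auth_has_access('super'))` guard as the save side and emit an empty `type="password"` input that is only written back when non-empty.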
'Committee Management' => 'admin/committees.php') + ); + } else { + send_header("Personal Information for {$u['firstname']} {$u['lastname']}", + array("Committee Main" => "committee_main.php") + ); + } + } -//output the current status -$newstatus=user_personal_info_status($u); -if($newstatus!='complete') -{ - echo error(i18n("Personal Information Incomplete")); + switch($notice) { + case 'success': + echo notice(i18n("%1 %2 successfully updated",array($_POST['firstname'],$_POST['lastname']))); + break; + case 'email_exists': + echo notice(i18n("That email address is in use by another user")); + break; + } + +if($eid == false) { + //output the current status + $newstatus=user_personal_info_status($u); + if($newstatus!='complete') + echo error(i18n("Personal Information Incomplete")); + else + echo happy(i18n("Personal Information Complete")); } -else -{ - echo happy(i18n("Personal Information Complete")); + +if(count($u['types']) > 1) { + $roles=''; + foreach($u['types'] as $t) { + $roles.= (($roles=='')?'':', ').i18n($user_what[$t]); + } + echo notice(i18n('This user has multiple roles, the fields shown below are a combination of every role. Some may not apply to some roles. This user has the following roles:').' '.$roles); } function item($user, $text, $fname) @@ -91,8 +167,11 @@ function item($user, $text, $fname) } - - echo "\n"; + $eidstr = ''; + if($eid != false) { + $eidstr="?edit=$eid"; + } + echo "\n"; echo "\n"; echo "\n"; @@ -102,7 +181,7 @@ item($u, "Last Name", 'lastname'); echo "\n"; echo "\n"; item($u, "Email Address", 'email'); -echo ""; +item($u, "Password", 'password'); echo "\n"; echo "\n"; item($u, "Address 1", 'address'); @@ -138,10 +217,43 @@ item($u, "Fax", 'fax'); echo ''; echo ""; - echo ""; echo "

    "; + +/* Committee specific fields */ +if(in_array('committee', $u['types'])) { + echo "\n"; + item($u, "Email (Private)", 'emailprivate'); + echo ""; + + echo "\n"; + echo ""; + echo ""; + } + echo '
    ".i18n("Email (Private)").":
    ".i18n("Display Emails").":"; + if($u['displayemail']=="no") $checked="checked=\"checked\""; else $checked=""; + echo "".i18n("No"); + echo "     "; + if($u['displayemail']=="yes") $checked="checked=\"checked\""; else $checked=""; + echo "".i18n("Yes"); + + if(committee_auth_has_access("super")) + { + /* If the user is a committee member, only print these fields + * if the editer has super access */ + echo "

    ".i18n("Access Controls").":"; + $ch = ($u['access_admin']=="yes") ? 'checked="checked"' : ''; + echo " ".i18n("Administration")."
    "; + $ch = ($u['access_config']=="yes") ? 'checked="checked"' : ''; + echo " ".i18n("Configuration")."
    "; + $ch = ($u['access_super']=="yes") ? 'checked="checked"' : ''; + echo " ".i18n("Superuser")."
    "; + echo "
    '; +} + + + echo "\n"; echo "";