diff --git a/user.inc.php b/user.inc.php
index d63970d..dbd685a 100644
--- a/user.inc.php
+++ b/user.inc.php
@@ -65,13 +65,12 @@ function user_load($users_id, $accounts_id = false)
 /* Get roles, and active/complete status for each role */
- $query = "SELECT * FROM user_roles LEFT JOIN roles ON roles.id=user_roles.roles_id WHERE user_roles.users_id={$ret['id']}";
+ $query = "SELECT user_roles.*,roles.type,roles.name FROM user_roles LEFT JOIN roles ON roles.id=user_roles.roles_id WHERE user_roles.users_id={$ret['id']}";
 $q = mysql_query($query);
 $ret['roles'] = array();
 while(($roledata = mysql_fetch_assoc($q))) {
- $t = $roledata['type'];
- $ret['roles'][$t] = $roledata;
+ $ret['roles'][$roledata['type']] = $roledata;
 }
 if(count($ret['roles']) == 0) {
@@ -199,15 +198,6 @@ function user_save(&$u)
 /* Add any new roles */
 $orig_roles = array_keys($u['orig']['roles']);
 $new_roles = array_keys($u['roles']);
- $added = array_diff($new_roles, $orig_roles);
- foreach($added as $r) {
- if(!user_add_role_allowed($r, $u)) {
- echo "HALT: user can't add this roles";
- exit;
- }
- mysql_query("INSERT INTO user_roles(accounts_id,users_id,roles_id,active,complete)
- VALUES('{$u['accounts_id']}','{$u['id']}','{$roles[$r]['id']}','no','no')");
- }
 /* Delete any removed roles */
 $removed = array_diff($orig_roles, $new_roles);
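Review bot: The new key expression `$ret['roles'][$roledata['type']]` in the while loop silently merges rows for which the LEFT JOIN found no `roles` row: a NULL `type` becomes the empty-string key, so orphaned `user_roles` rows collapse into one `''` entry instead of being noticed. Since the loop keys on `type`, either the join should be an inner join or the loop should skip such rows with `if($roledata['type'] === null) continue;`. The result of `mysql_query($query)` is also handed to `mysql_fetch_assoc` unchecked, so a failed query yields an empty role list that the `count($ret['roles']) == 0` branch below presumably treats as a genuine "no roles" case rather than an error. `user_load` continues outside the hunk.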
@@ -215,6 +205,28 @@ function user_save(&$u)
 mysql_query("DELETE FROM user_roles WHERE users_id='{$u['id']}' AND roles_id='{$roles[$r]['id']}'");
 }
+ /* Update all roles */
+ foreach($new_roles as $r) {
+ if(!in_array($r, $orig_roles)) {
+ /* Role is new */
+ if(!user_add_role_allowed($u, $r)) {
+ echo "HALT: user can't add this role";
+ exit;
+ }
+ mysql_query("INSERT INTO user_roles(accounts_id,users_id,roles_id,active,complete)
+ VALUES('{$u['accounts_id']}','{$u['id']}','{$roles[$r]['id']}','no','no')");
+ echo mysql_error();
+
+ } else if($u['roles'][$r] != $u['orig']['roles'][$r]) {
+ /* $u['roles'][$r] has changed from original, update it */
+ mysql_query("UPDATE user_roles SET active='{$u['roles'][$r]['active']}',
+ complete='{$u['roles'][$r]['complete']}'
+ WHERE id='{$u['roles'][$r]['id']}'");
+ echo mysql_error();
+ }
+ }
+
+
 $fields = array('salutation','firstname','lastname','username',
 'phonehome','phonework','phonecell','fax','organization',
 'address','address2','city','province','postalcode','sex',
@@ -232,6 +244,7 @@ function user_save(&$u)
 /* Merge fields as necessary, build a big list of fields to save */
 foreach($new_roles as $r) {
+ if(!array_key_exists($r, $fields_for_role)) continue;
 $fields = array_merge($fields, $fields_for_role[$r]);
 }
diff --git a/user_activate.php b/user_activate.php
index af878a1..67b3d05 100644
--- a/user_activate.php
+++ b/user_activate.php
@@ -26,8 +26,8 @@ require_once("common.inc.php");
 require_once("user.inc.php");
- if(!isset($_SESSION['users_type'])) {
- /* No type set, invalid session */
+ if(!isset($_SESSION['users_id'])) {
+ /* No user ID set, invalid session for editting roles */
 echo "ERROR: session is invalid";
 exit;
 }
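Review bot: The UPDATE in the new else-if branch is keyed only by `WHERE id='{$u['roles'][$r]['id']}'`, so a user_roles row is rewritten on the strength of an id carried in the in-memory `$u` array; pairing it with the owner, `WHERE id='{$u['roles'][$r]['id']}' AND users_id='{$u['id']}'"`, keeps a stale or tampered array entry from touching another user's row. Both the INSERT and the UPDATE interpolate array values straight into SQL; the callers visible in user_activate.php only ever set `active` to 'yes'/'no', but passing each value through `mysql_real_escape_string()` would make the statements safe regardless of caller. The two `echo mysql_error();` lines print driver error text into the HTTP response, exposing table and query details to the client; logging server-side is the usual alternative. `user_save` starts and ends outside the hunk.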
@@ -42,19 +42,30 @@ else if($eid != $_SESSION['users_id']) {
 /* Not editing ourself, we had better be
- * a committee member */
- user_auth_required('committee','admin');
+ * someone with admin access */
+ user_auth_required('admin');
 }
 $u = user_load($eid);
- /* Validate the type */
+ /* Validate the incoming role, make sure it is actually a role */
+ $role = '';
 if($_GET['action'] != '') {
- $action_type = $_GET['type'];
- if(!in_array($action_type, $user_types)) {
- echo "ERROR: not an allowed type.";
+ $role = $_GET['role'];
+ if(!array_key_exists($role, $roles)) {
+ echo "ERROR: not an allowed role.";
 exit;
 }
- $action_what = $user_what[$action_type];
+ /* We're not adding a role, but this checks to see if
+ * the user is allowed to be associated with this role, we don't
+ * want a student to deactivate a committee role, which would
+ * set the 'active' to 'no', but would create the 'committee' entry
+ * in the roles array, making them part of that role suddenly. We
+ * also check for this case below to prevent it */
+ if(!user_add_role_allowed($u, $role)) {
+ /* If we get in here, someone is hand crafting URLs */
+ echo "HALT: invalid role to manipulate for this user.";
+ exit;
+ }
 }
 switch($_GET['action']) {
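Review bot: `$role = $_GET['role'];` reads the parameter without checking that it exists or is a string, so a request with no `role` raises an undefined-index notice, and a `role[]=` style parameter hands an array to `array_key_exists()`, which depending on PHP version either warns and returns false or throws a TypeError instead of reaching the "not an allowed role" message. Reading it as `$role = (isset($_GET['role']) && is_string($_GET['role'])) ? $_GET['role'] : '';` before the `array_key_exists($role, $roles)` whitelist closes both cases. The same applies to `$_GET['action']`, which is compared with `!= ''` here and switched on below. The whitelist followed by the `user_add_role_allowed($u, $role)` check is the right order; the enclosing if/else chain starts outside the hunk.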
@@ -70,22 +81,32 @@ case 'delete': case 'remove':
 /* Like delete, only we're only deleting a role, not the whole account */
- happy_("$action_what role successfully removed.");
+ happy_("{$roles[$role]['name']} role successfully removed.");
 echo error(i18n("Permanently Removed"));
- user_delete($u, $action_type);
+ user_delete($u, $role);
 exit;
 case 'activate':
- $u["{$action_type}_active"] = 'yes';
+ if(!array_key_exists($role, $u['roles'])) {
+ /* Hand crafting URLs? */
+ echo "HALT: can't activate a role the user doesn't have";
+ exit;
+ }
+ $u['roles'][$role]['active'] = 'yes';
 user_save($u);
- happy_("$action_what role for %1 successfully activated",array($config['FAIRYEAR']));
+ happy_("{$roles[$role]['name']} role for %1 successfully activated",array($config['FAIRYEAR']));
 echo happy(i18n("Active"));
 exit;
 case 'deactivate':
- $u["{$action_type}_active"] = 'no';
+ if(!array_key_exists($role, $u['roles'])) {
+ /* Hand crafting URLs? */
+ echo "HALT: can't deactivate a role the user doesn't have";
+ exit;
+ }
+ $u['roles'][$role]['active'] = 'no';
 user_save($u);
- happy_("$action_what role for %1 successfully deactivated",array($config['FAIRYEAR']));
+ happy_("{$roles[$role]['name']} role for %1 successfully deactivated",array($config['FAIRYEAR']));
 echo error(i18n("Deactivated"));
 exit;
 }
@@ -98,37 +119,35 @@ case 'remove': echo "
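Review bot: The `remove` case still calls `user_delete($u, $role)` without the `array_key_exists($role, $u['roles'])` guard that the new `activate` and `deactivate` cases received, so a role the user does not hold can be passed to `user_delete`, and what that function does with a missing key is not visible in this diff. Adding the same three lines before the `happy_()` call, `if(!array_key_exists($role, $u['roles'])) { echo "HALT: can't remove a role the user doesn't have"; exit; }`, makes the three actions consistent. The `happy_()` messages now embed `$roles[$role]['name']` from the roles table; whether `happy_()` HTML-escapes its argument is not shown here and is worth confirming. The switch statement opens outside the hunk.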

".i18n("Role and Account Management")."

"; echo "
"; } else { - $type = $_SESSION['users_type']; - $m = $user_what[$type]; send_header("Role and Account Management", - array("$m Main" => "{$type}_main.php") + array("Main" => "user_main.php") ); } ?> @@ -137,10 +156,10 @@ function remove(type) '.i18n("Role: {$user_what[$t]}").''; - echo "
"; - if($u["{$t}_active"] == 'yes') { + foreach(array_keys($u['roles']) as $r) { + echo '

'.i18n("Role: {$roles[$r]['name']}").'

'; + echo "
"; + if($u['roles'][$r]['active'] == 'yes') { echo happy(i18n('Active')); $a = 'disabled="disabled"'; $d = ''; @@ -153,11 +172,11 @@ function remove(type)
- onclick="activate('');return false;" type="submit" value=""> + onclick="activate('');return false;" type="submit" value=""> - onclick="deactivate('');return false;" type="submit" value=""> + onclick="deactivate('');return false;" type="submit" value=""> - onclick="remove('');return false;" type="submit" value=""> + onclick="remove('');return false;" type="submit" value="">