From 895bcc36e2fc0dffe4e494f7427f4a11752ddfd6 Mon Sep 17 00:00:00 2001 From: james Date: Fri, 1 Oct 2010 19:28:26 +0000 Subject: [PATCH] Add user/view API Change user_load() to explicitly load specific values instead of all values, as there's now some fields that need to be deleted but we cant delete them yet... --- api.php | 48 +++++++++++++++++++++++++++++++++++++------ user.inc.php | 57 ++++++++++++++++++++++++++++++++++++++++++++++++---- 2 files changed, 95 insertions(+), 10 deletions(-) diff --git a/api.php b/api.php index 1ead7df..194e230 100644 --- a/api.php +++ b/api.php @@ -421,7 +421,48 @@ switch($request[0]) { break; } break; + case 'user': + $chk=api_user_auth_required(); + if($chk['status']!="ok") { + $ret['status']="error"; + $ret['error']=$chk['error']; + break; + } + require_once("so_teams.inc.php"); + switch($request[1]) { + /* APIDOC: user/view + description(view user information for current conference) + return(user array) + */ + case "view": + if($u=user_load($_SESSION['users_id'])) { + unset($u['orig']); + unset($u['types']); + unset($u['username']); + unset($u['password']); + unset($u['year']); + unset($u['access_admin']); + unset($u['access_config']); + unset($u['access_super']); + $ret['status']="ok"; + $ret['user']=$u; + } + else { + $ret['status']="error"; + $ret['error']="Error loading user"; + } + break; + } + + /* APIDOC: user/edit + notimplemented + description(edit user information for current conference) + post(user array) + return(user array) + */ + + break; default: $ret['status']="error"; $ret['error']="Invalid API command ({$request[0]})"; @@ -442,12 +483,7 @@ echo json_encode($ret); return(account array) */ - /* APIDOC: user/edit - notimplemented - description(edit user information for current conference) - post(user array) - return(user array) - */ + /* APIDOC: user/connect_teacher_to_school notimplemented diff --git a/user.inc.php b/user.inc.php index c1a5754..3e8d529 100644 --- a/user.inc.php +++ b/user.inc.php 
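Review bot: The inner `switch($request[1])` added for the `user` command has no `default` branch, so a request for an unknown sub-command (or a bare `user` with no `$request[1]`) leaves `$ret` without any status instead of the error the outer `default` produces; add `default: $ret['status']="error"; $ret['error']="Invalid API command ({$request[0]}/{$request[1]})"; break;` after the `view` case. The `view` case also strips sensitive keys with a deny-list of `unset()` calls, which silently stops protecting anything the moment `user_load()` gains a new column; copying only the fields the API is meant to expose into `$ret['user']` would be the safer shape, and deserves a comment either way, since the username/password/access_* unsets are already no-ops given the narrowed SELECT in this same commit. The enclosing `switch($request[0])` begins and ends outside the hunk.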
@@ -39,7 +39,50 @@ function user_valid_role($role) function user_load($users_id, $accounts_id = false) { /* Load user, join accounts so we also load the email, superuser flag */ - $query = "SELECT users.* FROM users JOIN accounts ON accounts.id=users.accounts_id WHERE "; + //hand-code the list here because we dont want all the old stuff that hasnt been removed yet like username/password access_*, etc. + $query = "SELECT users.id, + users.accounts_id, + users.conferences_id, + users.salutation, + users.firstname, + users.lastname, + users.sex, + users.phonehome, + users.phonework, + users.phonecell, + users.fax, + users.organization, + users.birthdate, + users.lang, + users.created, + users.lastlogin, + users.address, + users.address2, + users.city, + users.province, + users.postalcode, + users.firstaid, + users.cpr, + users.fairs_id, + users.years_school, + users.years_regional, + users.years_national, + users.willing_chair, + users.special_award_only, + users.cat_prefs, + users.div_prefs, + users.divsub_prefs, + users.languages, + users.highest_psd, + users.expertise_other, + users.sponsors_id, + users.primary, + users.position, + users.primary, + users.schools_id, + users.grade, + accounts.email + FROM users JOIN accounts ON accounts.id=users.accounts_id WHERE "; if($accounts_id != false) { $accounts_id = intval($accounts_id); $query .= "`users`.`accounts_id`='$accounts_id' LIMIT 1"; @@ -48,6 +91,7 @@ function user_load($users_id, $accounts_id = false) $query .= " `users`.`id`='$id'"; } $q=mysql_query($query); + echo mysql_error(); if(mysql_num_rows($q) == 0) return false; 
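Review bot: The new column list selects `users.primary` twice (once before `users.position` and again after it), which is at best dead and at worst a sign that a different column was intended; drop the second `users.primary,`. The list also no longer includes `users.year`, yet `$u['year'] = intval($u['year']);` further down in user_load() (context in the @@ -63 hunk) still runs, so every loaded user now triggers an undefined-index notice and carries `year => 0`; either add `users.year,` back or remove that line. user_load() continues outside this hunk.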
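Review bot: `echo mysql_error();` writes the raw MySQL error text straight into the response body, and since api.php emits `json_encode($ret)` that both corrupts the JSON callers parse and discloses table and query details to any client that manages to trigger a failing query. Replace it with a failure path that logs server-side, e.g. `if(!$q) { error_log(mysql_error()); return false; }`, which also avoids the warning `mysql_num_rows()` raises on the next line when `$q` is `false`. user_load() continues outside this hunk.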
@@ -63,12 +107,10 @@ function user_load($users_id, $accounts_id = false) $u['id'] = intval($u['id']); $u['accounts_id'] = intval($u['accounts_id']); $u['year'] = intval($u['year']); - /* Get roles, and active/complete status for each role */ - $query = "SELECT user_roles.*,roles.type,roles.name FROM user_roles LEFT JOIN roles ON roles.id=user_roles.roles_id WHERE user_roles.users_id={$u['id']}"; + $query = "SELECT user_roles.roles_id, user_roles.active, user_roles.complete, roles.type,roles.name FROM user_roles LEFT JOIN roles ON roles.id=user_roles.roles_id WHERE user_roles.users_id={$u['id']}"; $q = mysql_query($query); - $u['roles'] = array(); while(($roledata = mysql_fetch_assoc($q))) { $u['roles'][$roledata['type']] = $roledata; @@ -101,6 +143,13 @@ function user_load($users_id, $accounts_id = false) $u['emailrecipient']=""; } + /* we dont want them thinking they can change the email, so dont include it here, + its part of the account, not the user, this way they still get the 'emailrecipient' + convenience variable, not not the email itself, for that, they need to access + the account. */ + unset($u['email']); + + foreach(array_keys($u['roles']) as $r) { /* Do the load routines inline, the explosion of user roles * means it's just silly to have a different function for each
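Review bot: Dropping `$u['roles'] = array();` means a user with no rows in user_roles never gets a `roles` key, so the `foreach(array_keys($u['roles']) as $r)` later in user_load() (context in the @@ -101 hunk) will operate on null and the new `user/view` API returns a user without `roles`; reinstate `$u['roles'] = array();` before the `while` loop. The removed comment was the only explanation of that query, so it is worth keeping as `/* Roles plus active/complete status per role, keyed by roles.type */`. user_load() continues outside this hunk.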