diff --git a/user_personal.php b/user_personal.php
index 671345c..63089b5 100644
--- a/user_personal.php
+++ b/user_personal.php
@@ -68,31 +68,21 @@
 );
+/* Sort out who we're editting */
+if($_POST['users_id'])
+ $eid = intval($_POST['users_id']); /* From a save form */
+else if(array_key_exists('embed_edit_id', $_SESSION))
+ $eid = $_SESSION['embed_edit_id']; /* From the embedded editor */
+else
+ $eid = $_SESSION['users_id']; /* Regular entry */
+if($eid != $_SESSION['users_id']) {
+ /* Not editing ourself, we had better be
+ * a committee member */
+ user_auth_required('committee','admin');
+}
- /* See if there is an edit request */
- if($_SESSION['embed_edit_id'])
- $eid = $_SESSION['embed_edit_id'];
- else
- $eid = intval($_GET['edit']);
-
- /* Force them to edit themselves if no eid found */
- if($eid == 0) $eid = $_SESSION['users_id'];
-
- if($_SESSION['users_id'] != $eid) {
- /* There is an edit request for someone other than the logged in user,
- * the user must be:
- * - on the committee
- * - with admin access */
- user_auth_required('committee', 'admin');
- $ext_editor = true;
- } else {
- /* Else, they are just editing themselves */
- $ext_editor = false;
- }
 $u = user_load($eid);
-
- /* Load the fields the user can edit, and theones that are required */
 $fields = array();
 $required = array();
@@ -110,8 +100,15 @@
 $fields[] = 'password';
 }
- if($_POST['action']=="save")
- {
+
+switch($_GET['action']) {
+case 'save':
+ $users_id = intval($_POST['users_id']);
+ if($users_id != $_SESSION['users_id']) {
+ user_auth_required('committee','admin');
+ }
+ $u = user_load($users_id);
+ $save = true;
 /* Set values */
 foreach($fields as $f) {
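Review bot: The new `$eid` resolution drops the `if($eid == 0) $eid = $_SESSION['users_id'];` fallback that the removed block had, so a non-numeric `users_id` posted by a committee admin becomes `$eid = 0`, passes the `!=` check as "someone else", and reaches `user_load(0)`; it also reads `$_POST['users_id']` without `isset()`, which raises a notice on every plain page view. Change the first branch to `if(isset($_POST['users_id']) && intval($_POST['users_id']) > 0)` and put `if($eid == 0) $eid = $_SESSION['users_id'];` back immediately before the committee/admin check. Since `$_SESSION['embed_edit_id']` is not passed through `intval()` and this loose comparison is what gates `user_auth_required('committee','admin')`, comparing `(int)$eid != (int)$_SESSION['users_id']` would make the gate independent of how the session value is typed.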
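Review bot: `case 'save':` re-derives the target from `$_POST['users_id']` and reloads `$u`, duplicating what the first hunk already does from the same field, and the two diverge when the form posts no `users_id`: `$users_id` is then 0, the committee/admin check fires for a user editing themselves, and `user_load(0)` replaces the `$u` that the field list built between the hunks presumably came from. With `$eid` and `$u` already in scope, the lines from `$users_id = intval($_POST['users_id']);` through `$u = user_load($users_id);` can be removed, leaving `case 'save':` followed by `$save = true;`. `$_GET['action']` is likewise read without `isset()`; `switch(isset($_GET['action']) ? $_GET['action'] : '')` avoids the notice on a plain view. The switch block continues past the end of the hunk.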
@@ -140,7 +137,7 @@ /* Trying to save a committee member eh? Well, we established above * that we're allowed to be here, so go ahead and save it */ $u['displayemail'] = ($_POST['displayemail'] == 'yes') ? 'yes' : 'no'; - $u['emailprivate'] = mysql_escape_string(stripslashes($_POST['emailprivate'])); + $u['emailprivate'] = mysql_real_escape_string(stripslashes($_POST['emailprivate'])); if(committee_auth_has_access('super')) { /* But only superusers can save these ones */ @@ -155,31 +152,25 @@ $em = mysql_escape_string(stripslashes($_POST['email'])); $q=mysql_query("SELECT id FROM users WHERE email='$em' AND uid!='{$u['uid']}' AND deleted='no'"); if(mysql_num_rows($q) > 0) { - message_push(error(i18n("That email address is in use by another user"))); + error_("That email address is in use by another user"); $save = false; } if($save == true) { user_save($u); - message_push(notice(i18n("%1 %2 successfully updated",array($_POST['firstname'],$_POST['lastname'])))); + happy_("%1 %2 successfully updated",array($_POST['firstname'],$_POST['lastname'])); } - - + exit; } + + $type = $_SESSION['users_type']; //send the header if($_SESSION['embed'] == true) { echo "
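Review bot: Only the `emailprivate` assignment moves to `mysql_real_escape_string()`, while the email-uniqueness lookup in the following hunk, `$em = mysql_escape_string(stripslashes($_POST['email']));`, still uses the connection-charset-unaware variant, so two values bound for the same table are escaped inconsistently. Change that line to `$em = mysql_real_escape_string(stripslashes($_POST['email']));` in the same commit. `stripslashes()` on both lines assumes magic_quotes_gpc is enabled; if it is off, a legitimate backslash in the input is silently dropped, which is worth confirming against the deployment configuration.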
"; - display_messages(); echo "

".i18n("Personal Information")."

"; echo "
"; - } else if($ext_editor == true) { - $m = ($type == 'committee') ? 'Committee' : $user_what[$type]; - send_header("Personal Information", - array("$m Main" => "{$type}_main.php") - ,"edit_profile" - ); } else { send_header("Personal Information for {$u['firstname']} {$u['lastname']}", array($user_what[$type]." Registration" => "{$type}_main.php") @@ -187,6 +178,18 @@ ); } +?> + + +\n"; - } else { - echo "
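Review bot: The new `happy_()` call substitutes raw `$_POST['firstname']` and `$_POST['lastname']` into the success message rather than the values that were validated and written through `$u`; unless `happy_()` HTML-escapes its substitution array (not visible here), a form value containing markup is reflected into the page unescaped. If `happy_()` does not escape, pass `htmlspecialchars($_POST['firstname'], ENT_QUOTES)` and the same for `lastname`. The added `exit;` means the save request renders nothing itself, so `error_()`/`happy_()` must carry their messages to a later page; this hunk also removes the `display_messages();` call from the embed branch, so confirm those messages are still displayed somewhere. Several of this hunk's echoed HTML lines appear to have been stripped in this rendering, so the output side could not be reviewed.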
\n"; - } - - echo "\n"; + echo "\n"; + echo ""; echo "\n"; echo "\n"; @@ -356,7 +354,7 @@ if(in_array('committee', $u['types'])) { -echo "\n"; +echo "\n"; echo ""; echo "
";