Copyright (C) 2005 James Grant Copyright (C) 2007 David Grant This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 2. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; see the file COPYING. If not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ ?> 1) { echo "ERROR: More than one user.\n"; return false; } /* Load the user */ $u = mysql_fetch_assoc($q); /* Sanitize before using these in mysql queries */ $u['id'] = intval($u['id']); $u['accounts_id'] = intval($u['accounts_id']); $u['year'] = intval($u['year']); /* Get roles, and active/complete status for each role */ $query = "SELECT user_roles.*,roles.type,roles.name FROM user_roles LEFT JOIN roles ON roles.id=user_roles.roles_id WHERE user_roles.users_id={$u['id']}"; $q = mysql_query($query); $u['roles'] = array(); while(($roledata = mysql_fetch_assoc($q))) { $u['roles'][$roledata['type']] = $roledata; } if(count($u['roles']) == 0) { /* No roles, that's ok actually, the previous logic here was that * a user without roles is deleted.. but.. this could happen for * new users, or if someone deletes all their roles before adding * a new role */ } /* Convenience */ $u['name'] = ($u['firstname'] ? "{$u['firstname']} " : '').$u['lastname']; /* Email recipient for "to" field on emails */ if( ($u['firstname'] || $u['lastname']) && $u['email']) { //use their full name if we have it //if the name contains anything non-standard, we need to quote it. if(eregi("[^a-z0-9 ]",$u['name'])) $u['emailrecipient']="\"{$u['name']}\" <{$u['email']}>"; else $u['emailrecipient']="{$u['name']} <{$u['email']}>"; } else if($u['email']) { //otherwise, just their email address $u['emailrecipient']=$u['email']; } else { $u['emailrecipient']=""; } foreach(array_keys($u['roles']) as $r) { /* Do the load routines inline, the explosion of user roles * means it's just silly to have a different function for each * one. If we get one that has a crazy amount of stuff to do, * we could move it all to a function and call it in the * switch below */ switch($r) { case 'committee': $u['ord'] = intval($u['ord']); $u['displayemail'] = ($u['displayemail'] == 'yes') ? 'yes' : 'no'; break; case 'judge': $u['years_school'] = intval($u['years_school']); $u['years_regional'] = intval($u['years_regional']); $u['years_national'] = intval($u['years_national']); $u['willing_chair'] = ($u['willing_chair'] == 'yes') ? 'yes' : 'no'; $u['special_award_only'] = ($u['special_award_only'] == 'yes') ? 'yes' : 'no'; $u['cat_prefs'] = (strlen($u['cat_prefs']) > 0) ? unserialize($u['cat_prefs']) : array(); $u['div_prefs'] = (strlen($u['div_prefs']) > 0) ? unserialize($u['div_prefs']) : array(); $u['divsub_prefs'] = (strlen($u['divsub_prefs']) > 0) ? unserialize($u['divsub_prefs']) : array(); // $u['expertise_other'] = $u['expertise_other']; $u['languages'] = (strlen($u['languages']) > 0) ? unserialize($u['languages']) : array(); // $u['highest_psd'] = $u['highest_psd']; /* Sanity check the arrays, make sure they are arrays */ $should_be_arrays = array('cat_prefs','div_prefs', 'divsub_prefs','languages'); foreach($should_be_arrays as $k) { if(!is_array($u[$k])) $u[$k] = array(); } break; case 'sponsor': $u['sponsors_id'] = intval($u['sponsors_id']); if($u['sponsors_id']) { $q=mysql_query("SELECT * FROM sponsors WHERE id='{$u['sponsors_id']}'"); $u['sponsor']=mysql_fetch_assoc($q); } break; default: /* Nothing to do for all other roles */ break; } } /* Do this assignment without recursion :) */ unset($u['orig']); $orig = $u; $u['orig'] = $orig; return $u; } function user_load_by_accounts_id($accounts_id) { return user_load(0, $accounts_id); } function user_load_by_email($email) { /* Find the accounts_id for the email, regardless of deleted status */ $e = mysql_real_escape_string($email); $q = mysql_query("SELECT accounts_id FROM users WHERE email='$e' OR username='$e'"); if(mysql_num_rows($q) == 1) { $i = mysql_fetch_assoc($q); return user_load_by_accounts_id($i['accounts_id']); } return false; } /* FIXME: these are going to need conference IDs too */ function user_load_by_accounts_id_year($uid, $year) { echo "FIXME"; exit; $q = mysql_query("SELECT id FROM users WHERE uid='$uid' AND year <= '$year'"); if(!mysql_num_rows($q)) return false; $i = mysql_fetch_assoc($q); return user_load($i['id']); } function user_save(&$u) { global $conference; global $roles; /* Sanity check */ if($u['conferences_id'] != $u['orig']['conferences_id']) { echo "The user's conference changed. Can't save a user to a difference conference, use user_dupe to copy the user to a new conference.\n"; exit; } /* Add any new roles */ $orig_roles = array_keys($u['orig']['roles']); $new_roles = array_keys($u['roles']); /* Delete any removed roles */ $removed = array_diff($orig_roles, $new_roles); foreach($removed as $r) { mysql_query("DELETE FROM user_roles WHERE users_id='{$u['id']}' AND roles_id='{$roles[$r]['id']}'"); } /* Update all roles */ foreach($new_roles as $r) { if(!in_array($r, $orig_roles)) { /* Role is new */ if(!user_add_role_allowed($u, $r)) { echo "HALT: user can't add this role"; exit; } mysql_query("INSERT INTO user_roles(accounts_id,users_id,roles_id,active,complete) VALUES('{$u['accounts_id']}','{$u['id']}','{$roles[$r]['id']}','no','no')"); echo mysql_error(); } else if($u['roles'][$r] != $u['orig']['roles'][$r]) { /* $u['roles'][$r] has changed from original, update it */ mysql_query("UPDATE user_roles SET active='{$u['roles'][$r]['active']}', complete='{$u['roles'][$r]['complete']}' WHERE id='{$u['roles'][$r]['id']}'"); echo mysql_error(); } } $fields = array('salutation','firstname','lastname','username', 'phonehome','phonework','phonecell','fax','organization', 'address','address2','city','province','postalcode','sex', 'firstaid', 'cpr', 'lang', 'notes'); $fields_for_role['committee'] = array('emailprivate','ord','displayemail', 'access_admin','access_config','access_super'); $fields_for_role['judge'] = array('years_school','years_regional','years_national', 'willing_chair','special_award_only', 'cat_prefs','div_prefs','divsub_prefs', 'expertise_other','languages', 'highest_psd'); $fields_for_role['student'] = array('schools_id'); $fields_for_role['fair'] = array('fairs_id'); $fields_for_role['sponsor'] = array('sponsors_id','primary','position'); /* Merge fields as necessary, build a big list of fields to save */ foreach($new_roles as $r) { if(!array_key_exists($r, $fields_for_role)) continue; $fields = array_merge($fields, $fields_for_role[$r]); } $set = ""; foreach($fields as $f) { if($u[$f] == $u['orig'][$f]) continue; if($set != "") $set .=','; if($u[$f] == NULL) { $set .= "$f=NULL"; continue; } if(is_array($u[$f])) $data = mysql_escape_string(serialize($u[$f])); else $data = mysql_escape_string(stripslashes($u[$f])); $set .= "$f='$data'"; } if($set != "") { $query = "UPDATE users SET $set WHERE id='{$u['id']}'"; mysql_query($query); echo mysql_error(); } /* Record all the data in orig that we saved so subsequent * calls to user_save don't try to overwrite data already * saved to the database */ unset($u['orig']); $orig = $u; $u['orig'] = $orig; // print_r($u); } function user_remove_role(&$u, $role) { if(!array_key_exists($role, $u['roles'])) { /* Hum, type specified, but the user is not this type, * so, i guess we're done. */ return; } $id = $u['id']; /* Do role-specific remove actions */ switch($role) { case 'committee': mysql_query("DELETE FROM committees_link WHERE accounts_id='{$u['accounts_id']}'"); break; case 'judge': mysql_query("DELETE FROM judges_teams_link WHERE users_id='$id'"); mysql_query("DELETE FROM judges_specialawards_sel WHERE users_id='$id'"); break; default: break; } /* Delete the role */ unset($u['roles'][$role]); /* Save this user (takes care of removing entries from the user_roles db) */ user_save($u); } /* If role is specified, just delete the role from the user. * If not, delete the whole user, all roles */ function user_delete($u, $role=false) { $finish_delete = false; if(!is_array($u)) { $u = user_load($u); } if($role != false) { user_remove_role($u, $role); if(count($u['roles']) == 0) { /* No roles left, finish the delete */ $finish_delete = true; } } else { /* Delete the whole user, every role */ foreach(array_keys($u['roles']) as $r) user_remove_role($u, $r); $finish_delete = true; } if($finish_delete) { mysql_query("UPDATE users SET deleted='yes', deleteddatetime=NOW() WHERE id='{$u['id']}'"); return true; } /* User had some other role, so delete was not completed. */ return false; } /* Purge functions. These completely eliminate all traces of a user from the * database. This action cannot be undone. We prefer the committee to use the * "delete" functions, which simply mark the account as "deleted". */ function user_purge($u, $role=false) { /* Delete the user, then completely delete them from * the DB if delete returns true, that is, if there's * no other role blocking the delete/purge */ $finish_purge = user_delete($u, $role); if($finish_purge == true) { mysql_query("DELETE FROM users WHERE id='{$u['id']}'"); return true; } /* Not purged, some other role existed */ return false; } /* Duplicate a row in the users table, or any one of the users_* tables. */ function user_dupe_row($db, $key, $val, $newval) { global $config; $nullfields = array('deleteddatetime'); /* Fields that can be null */ $q = mysql_query("SELECT * FROM $db WHERE $key='$val'"); if(mysql_num_rows($q) != 1) { echo "ERROR duplicating row in $db: $key=$val NOT FOUND.\n"; exit; } $i = mysql_fetch_assoc($q); $i[$key] = $newval; foreach($i as $k=>$v) { if($v == NULL && in_array($k, $nullfields)) $i[$k] = 'NULL'; else if($k == 'year') $i[$k] = $config['FAIRYEAR']; else $i[$k] = '\''.mysql_escape_string($v).'\''; } $keys = '`'.join('`,`', array_keys($i)).'`'; $vals = join(',', array_values($i)); $q = "INSERT INTO $db ($keys) VALUES ($vals)"; // echo "Dupe Query: [$q]"; $r = mysql_query($q); echo mysql_error(); $id = mysql_insert_id(); return $id; } /* Used by the login scripts to copy one user from one year to another */ function user_dupe($u, $new_year) { /* Dupe a user if: * - They don't exist in the current year * (users->year != the target year (passed in so we can use it in the rollover script) ) * - They have a previous year entry * (users->year DESC LIMIT 1 == 1 row) * - That previous entry has deleted=no */ /* Find the last entry */ $q = mysql_query("SELECT id,uid,year,deleted FROM users WHERE uid='{$u['uid']}' ORDER BY year DESC LIMIT 1"); $r = mysql_fetch_object($q); if($r->deleted == 'yes') { echo "Cannot duplicate user ID {$u['id']}, they are deleted. Undelete them first.\n"; exit; } if($r->year == $new_year) { echo "Cannot duplicate user ID {$u['id']}, they already exist in year $new_year\n"; exit; } $id = user_dupe_row('users', 'id', $u['id'], NULL); $q = mysql_query("UPDATE users SET year='$new_year' WHERE id='$id'"); /* Load the new user */ $u2 = user_load($id); foreach($u2['types'] as $t) { user_dupe_row("users_$t", 'users_id', $u['id'], $id); } /* Return the ID of the new user */ return $id; } /* Returns true if loaded user ($u) is allowed to add role $role to their * profile. THis is intended as a last-stop mechanism, preventing, for example * a student from co-existing with any other role . */ function user_add_role_allowed(&$u, $role) { foreach(array_keys($u['orig']['roles']) as $ur) { switch($ur) { case 'student': /* Student cant' add any other role */ return false; default: if($role == 'student') { /* No role can add the student role */ return false; } /* All other roles can coexist (even the fair role) */ break; } } return true; } function user_add_role(&$u, $role) { if(!user_add_role_allowed($u, $role)) { /* If we get in here, someone is hand crafting URLs */ echo "HALT: invalid role add specified for operation."; exit; } /* Add the role */ $u['roles'][$role] = array('active' =>'yes', 'complete' => 'no'); /* Save it now so the DB gets updated */ user_save($u); } function user_create($accounts_id, $conferences_id=0) { global $config, $conference; if($conferences_id == 0) $conferences_id = $conference['id']; /* Make sure the user doesn't already exist */ $q = mysql_query("SELECT id FROM users WHERE accounts_id='$accounts_id' AND conferences_id='$conferences_id'"); echo mysql_error(); if(mysql_num_rows($q)) { echo "ERROR: user_create called for a user that already exists.\n"; exit; } /* Create the user */ mysql_query("INSERT INTO users(`accounts_id`,`conferences_id`) VALUES('$accounts_id','$conferences_id')"); $id = mysql_insert_id(); /* Return a loaded user with no roles */ return user_load($id); } /* Perform some checks. Make sure the person is logged in, and that their * password hasn't expired (the password_expired var is set in the login page) */ function user_auth_required($all_required = array(), $one_required = array()) { global $config; $ok = true; unset($_SESSION['request_uri']); if(!isset($_SESSION['roles']) || !isset($_SESSION['accounts_id'])) { message_push(error(i18n("You must login to view that page"))); $_SESSION['request_uri'] = $_SERVER['REQUEST_URI']; header("location: {$config['SFIABDIRECTORY']}/user_login.php"); exit; } /* Make sure the user has each role in $all_required, this returns * an array in the same order as $all_required, with all members * in $all_required that are also in the session roles */ if(!is_array($all_required)) $all_required = array($all_required); $match = array_intersect($all_required, $_SESSION['roles']); if($all_required != $match) { /* Something is missing */ $ok = false; } /* Make sure the user has one role in $one_required */ if(!is_array($one_required)) $one_required = array($one_required); if(count($one_required)) { $match = array_intersect($one_required, $_SESSION['roles']); if(count($match) == 0) { /* Missing any role in $one_required */ $ok = false; } } if(!$ok) { message_push(error(i18n("You do not have permission to view that page"))); header("location: {$config['SFIABDIRECTORY']}/user_login.php"); exit; } /* Forward to password expired, remember the target URI */ if($_SESSION['password_expired'] == true) { $_SESSION['request_uri'] = $_SERVER['REQUEST_URI']; header("location: {$config['SFIABDIRECTORY']}/user_edit.php"); exit; } /* Return the first role that matched, this retains the previous * behaviour */ return $match[0]; } /* Perform some checks. Make sure the person is logged in, and that their * password hasn't expired (the password_expired var is set in the login page) */ function api_user_auth_required($all_required = array(), $one_required = array()) { global $config; $ok = true; $ret=array(); if(!isset($_SESSION['roles']) || !isset($_SESSION['accounts_id'])) { $ret['status']="error"; $ret['error']="Not logged in"; return $ret; } /* Make sure the user has each role in $all_required, this returns * an array in the same order as $all_required, with all members * in $all_required that are also in the session roles */ if(!is_array($all_required)) $all_required = array($all_required); $match = array_intersect($all_required, $_SESSION['roles']); if($all_required != $match) { /* Something is missing */ $ok = false; } /* Make sure the user has one role in $one_required */ if(!is_array($one_required)) $one_required = array($one_required); if(count($one_required)) { $match = array_intersect($one_required, $_SESSION['roles']); if(count($match) == 0) { /* Missing any role in $one_required */ $ok = false; } } if(!$ok) { $ret['status']="error"; $ret['error']="You do not have permission to access that information"; return $ret; } /* Forward to password expired, remember the target URI */ if($_SESSION['password_expired'] == true) { $ret['status']="error"; $ret['error']="Your password has expired"; return $ret; } $ret['status']="ok"; $ret['match']=$match[0]; return $ret; } function user_volunteer_registration_status() { global $config; // $now = date('Y-m-d H:i:s'); // if($now < $config['dates']['judgeregopen']) return "notopenyet"; // if($now > $config['dates']['judgeregclose']) return "closed"; return "open"; } function user_judge_registration_status() { global $config; $now = date('Y-m-d H:i:s'); if($now < $config['dates']['judgeregopen']) return "notopenyet"; if($now > $config['dates']['judgeregclose']) return "closed"; return "open"; } $user_fields_map = array( /* Account -- Email requirement is set based on username, which * is always required. Password is not required unless they type * in the field, in which case the form validator kicks * (checks pass1==pass2 and all that) */ // 'email' => array('email'), /* Personal */ 'salutation' => array('salutation'), 'name' => array('firstname','lastname'), 'sex' => array('sex'), 'phonehome' => array('phonehome'), 'phonecell' => array('phonecell'), 'birthdate' => array('birthdate'), 'lang' => array('lang'), 'address' => array('address', 'address2', 'postalcode'), 'city' => array('city'), 'province' => array('province'), 'firstaid' => array('firstaid','cpr'), /* Organization */ 'org' => array('organization'), 'phonework' => array('phonework'), 'fax' => array('fax'), ); /* Return fields to show based on role. In the user editor, many * fields are always shown and some have hard-coded requirements, but * any in this list can be made optionally-required or not shown * at all */ function user_fields_enabled($role) { global $config, $user_fields_map; $ret = array('firstname','lastname'); $fields = $config["{$role}_personal_fields"]; if($fields != '') { $fields = split(',', $fields); foreach($fields as $f) { $ret = array_merge($ret, $user_fields_map[$f]); } } return $ret; } /* Return required fields. Some fields are always shown and can be * set to required. Some have hard-coded requirement status. This is only * for the fields where the requirement can be configured. Not for ALL fields * the user sees */ function user_fields_required($role) { global $config, $user_fields_map; $ret = array('firstname','lastname','username'); $required = $config["{$role}_personal_required"]; if($required != '') { $fields = split(',', $required); foreach($fields as $f) { $ret = array_merge($ret, $user_fields_map[$f]); } } /* Filter some elements that are never required. * - address2 */ $ret = array_diff($ret, array('address2')); return $ret; } //this function checks if $field is set in the user record, if it is, it returns it, otherwise, it returns false __AND__ redirects to the redirect page. function user_field_required($field,$redirect) { $u=user_load($_SESSION['users_id']); if($u[$field]) return $u[$field]; else { header("Location: $redirect"); } } /* user_{$role}_login() is called with a full $u loaded */ function user_fair_login($u) { /* Double check, make sure the user is of this role */ if(!array_key_exists('fair', $u['roles'])) { echo "ERROR: attempted to login fair on a non-fair user\n"; exit; } $_SESSION['fairs_id'] = $u['fairs_id'];// == 'yes') ? true : false; } function superuser_required() { //first, they have to be logged in user_auth_required(); //next, they need superuser if($_SESSION['superuser']!="yes") { send_header("Superuser access required"); send_footer(); exit; } } function try_login($user, $pass) { /* Ensure sanity of inputs */ /* User could be a username, or could be an email, check */ if(!account_valid_user($user) && !account_valid_email($user)) { return false; } /* Don't check for a valid password, administrators can set any password they'd like, but * there has to be a password */ if(!strlen($pass)) { return false; } $user = mysql_real_escape_string($user); $q = mysql_query("SELECT id,password,deleted FROM accounts WHERE username='$user'"); echo mysql_error(); /* $q = mysql_query("SELECT id,username,password,year,deleted FROM users WHERE username='$user' AND deleted='no' ORDER BY year DESC LIMIT 1"); */ if(mysql_num_rows($q) < 1) return false; $r = mysql_fetch_assoc($q); /* See if the user account has been deleted */ if($r['deleted'] == 'yes') return false; /* See if the password matches */ if($r['password'] != $pass) return false; /* Login successful */ return $r['id']; } function user_conference_load($accounts_id,$conferences_id) { global $config; if(! ($accounts_id && $conferences_id)) return $config['SFIABDIRECTORY']."/index.php"; /* Use the active conference to find the user id to load */ /* FIXME: Need to be able to handle the case where there is no * active conference, but one step at a time */ $q = mysql_query("SELECT id FROM users WHERE accounts_id=$accounts_id AND conferences_id=$conferences_id"); if(mysql_num_rows($q) == 0) { /* FIXME: this should probably just return false, but for now, see if there's an error */ return false; // header("location: user_edit.php"); // echo "No user {$accounts_id} for conference {$_SESSION['conferences_id']}"; exit; } if(mysql_num_rows($q) > 1) { echo "DATABASE ERROR: More than one user for account $accounts_id conference {$conferences_id}"; exit; } $uid = mysql_fetch_assoc($q); $id = $uid['id']; $u = user_load($id); $_SESSION['name']="{$u['firstname']} {$u['lastname']}"; $_SESSION['users_id']=$u['id']; $_SESSION['roles']=array_keys($u['roles']); /* Load the password expiry for each user role, and * find the longest expiry, which is the one we'll use * for this user to determine if the passwd has * expired. */ $longest_expiry = 0; foreach(array_keys($u['roles']) as $r) { $e = $config["{$r}_password_expiry_days"]; if($e == 0) { /* Catch a never expire case. */ $longest_expiry = 0; break; } else if($e > $longest_expiry) { $longest_expiry = $e; } } if($u['passwordset'] == '0000-00-00') { /* Force the password to expire */ $_SESSION['password_expired'] = true; } else if($longest_expiry == 0) { /* Never expires */ unset($_SESSION['password_expired']); } else { /* Check expiry */ $expires = date('Y-m-d', strtotime("{$u['passwordset']} +$longest_expiry days")); $now = date('Y-m-d'); if($now > $expires) { $_SESSION['password_expired'] = true; } else { unset($_SESSION['password_expired']); } } /* If password_expired == true, the main page (or any * other user page) will catch this and require * them to set a password */ /* Call login functions for each role */ foreach(array_keys($u['roles']) as $r) { if(is_callable("user_{$r}_login")) { call_user_func_array("user_{$r}_login", array($u)); } } // mysql_query("UPDATE accounts SET lastlogin=NOW() // WHERE id={$u['id']}"); /* Setup multirole so a multirole user can switch if they want to * without logging in/out */ /* if(count($u['roes']) > 1) { $_SESSION['multirole'] = true; } else { $_SESSION['multirole'] = false; } */ /* See if there is a redirect, and do that instead of * taking them to their main page */ /* if($redirect != '') { switch($redirect) { case 'roleadd': if(!user_valid_role($multirole_data)) $multirole_data = ''; header("location: user_multirole.php?action=add&role=$multirole_data"); exit; case 'roleattached': message_push(happy(i18n('The %1 role has been attached to your account', array($roles[$role]['name'])))); message_push(notice(i18n('Use the [Switch Roles] link in the upper right to change roles while you are logged in'))); header("location: {$role}_main.php"); exit; } } */ /* Is there a saved requesT_uri from a failed login attempt?, if so * take them there */ if(array_key_exists('request_uri', $_SESSION)) { // header("location: {$_SESSION['request_uri']}"); unset($_SESSION['request_uri']); return $_SESSION['request_uri']; } return "user_main.php"; // header("location: user_main.php"); //exit; } ?>