- user mysql_escape_string on all fields before saving (oops!) :) - add a committee login function to set SESSION variables.
<?
|
|
/*
|
|
This file is part of the 'Science Fair In A Box' project
|
|
SFIAB Website: http://www.sfiab.ca
|
|
|
|
Copyright (C) 2005 Sci-Tech Ontario Inc <info@scitechontario.org>
|
|
Copyright (C) 2005 James Grant <james@lightbox.org>
|
|
Copyright (C) 2007 David Grant <dave@lightbox.org>
|
|
|
|
This program is free software; you can redistribute it and/or
|
|
modify it under the terms of the GNU General Public
|
|
License as published by the Free Software Foundation, version 2.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program; see the file COPYING. If not, write to
|
|
the Free Software Foundation, Inc., 59 Temple Place - Suite 330,
|
|
Boston, MA 02111-1307, USA.
|
|
*/
|
|
?>
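<?php
require_once('common.inc.php');

/* The role names a user record can carry.  users.types holds a comma
 * separated list drawn from this set (see user_load). */
$user_types = array('student','judge','committee','volunteer','region');

/* Human readable label for each role, keyed by the role name above. */
$user_what = array('student'=>'Participant', 'judge' => 'Judge',
		'committee'=>'Committee Member','volunteer' => 'Volunteer',
		'region'=>'Region');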
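/* Load the region-specific part of a user record (users_region).
 * Returns an array with 'regions_id' (int), or false when the user is not
 * a region user or no single row matched. */
function user_load_region($u)
{
	/* Double check, make sure the user is of this type */
	if(!in_array('region', $u['types'], true)) return false;

	/* Cast before interpolating: the id is the only value that reaches the
	 * SQL string, and an integer can never carry SQL syntax, whatever the
	 * caller left in $u['id']. */
	$id = intval($u['id']);

	/* NOTE(review): users_committee is looked up by users_id, this table by
	 * id -- confirm against the schema that the column really differs. */
	$q = mysql_query("SELECT * FROM users_region WHERE id='$id'");
	if(!$q || mysql_num_rows($q)!=1) return false;

	$r = mysql_fetch_object($q);
	$ret = array();
	$ret['regions_id'] = intval($r->regions_id);
	return $ret;
}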
/* Load the student-specific part of a user record.
 * There are no extra student fields yet, so a student user gets an empty
 * array back; anyone else gets false. */
function user_load_student($u)
{
	$is_student = in_array('student', $u['types']);
	if($is_student) {
		return array();
	}
	return false;
}
/* Load the judge-specific part of a user record.
 * No judge fields are stored outside the users table yet, so the result is
 * an empty array for a judge and false for any other user. */
function user_load_judge($u)
{
	$extra = false;
	if(in_array('judge', $u['types'])) {
		$extra = array();
	}
	return $extra;
}
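/* Load the committee-specific part of a user record (users_committee).
 * Returns an array with emailprivate, ord (int), displayemail and the three
 * access_* flags, each normalised to 'Y' or 'N'; false when the user is not
 * a committee member or no single row matched. */
function user_load_committee($u)
{
	/* Double check, make sure the user is of this type */
	if(!in_array('committee', $u['types'], true)) return false;

	/* Integer cast keeps the only interpolated value free of SQL syntax */
	$id = intval($u['id']);
	$q = mysql_query("SELECT * FROM users_committee WHERE users_id='$id'");
	if(!$q || mysql_num_rows($q)!=1) return false;

	/* Was mysel_fetch_object(): an undefined function, fatal on every call */
	$r = mysql_fetch_object($q);

	$ret = array();
	$ret['emailprivate'] = $r->emailprivate;
	$ret['ord'] = intval($r->ord);

	/* Anything other than an explicit 'Y' is treated as 'N', so a malformed
	 * flag can never grant access */
	$flags = array('displayemail','access_admin','access_config','access_super');
	foreach($flags as $flag) {
		$ret[$flag] = ($r->$flag === 'Y') ? 'Y' : 'N';
	}
	return $ret;
}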
/* Load the volunteer-specific part of a user record.
 * Volunteers have no extra stored fields yet: returns an empty array for a
 * volunteer, false for everyone else. */
function user_load_volunteer($u)
{
	return in_array('volunteer', $u['types']) ? array() : false;
}
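/* Load a user record.
 *
 * $user is either a numeric users.id, or an already loaded user array (then
 * the base row is not re-read; only the extended load is done).  With
 * $load_full the per-type records are merged in: user_load_<type> is called
 * for every entry of $ret['types'].  $force_type is accepted for callers but
 * is not used here.
 *
 * Returns the user array with 'types' exploded into a list, 'type' set when
 * there is exactly one type (false otherwise), 'load_full' recording which
 * load was done, and 'orig' holding a copy of the loaded values (user_save
 * diffs against it).  Returns false when no row matched or a per-type load
 * failed.
 */
function user_load($user, $load_full=false, $force_type=false)
{
	if(is_array($user)) {
		/* User already loaded, this is just an extended load */
		$ret = $user;
	} else {
		/* Load by ID only.  Load-by-email is deliberately not offered
		 * here: an address that starts with digits would otherwise be
		 * taken as an id. */
		$id = intval($user);
		if($id <= 0) return false;

		$ret = _user_load_row($id);
		if($ret === false) return false;
	}

	if($load_full) {
		$ret = _user_load_types($ret);
		if($ret === false) return false;
		$ret['load_full'] = true;
	} else {
		$ret['load_full'] = false;
	}

	/* Do this assignment without recursion :) */
	$orig = $ret;
	$ret['orig'] = $orig;

	return $ret;
}

/* Read the base users row for a positive integer id.  Returns the assoc row
 * with 'id' cast to int, 'types' exploded and 'type' set, or false when no
 * single non-deleted row matched. */
function _user_load_row($id)
{
	$id = intval($id);
	$q = mysql_query("SELECT * FROM users WHERE id='$id' AND deleted='no'");
	if(!$q || mysql_num_rows($q)!=1) return false;

	$ret = mysql_fetch_assoc($q);

	/* Do we need to do number conversions? */
	$ret['id'] = intval($ret['id']);

	/* Turn the type into an array, because there could be more than one.
	 * Now we can use in_array('judge', $ret['types']) */
	$ret['types'] = explode(',', $ret['types']);

	/* Set the current type if there's only one */
	$ret['type'] = (count($ret['types']) == 1) ? $ret['types'][0] : false;

	return $ret;
}

/* Merge the per-type records (user_load_<type>) into $ret.
 * Returns the merged array, or false when a type has no loader or a loader
 * reports failure.  Exits on a duplicate column name, since a silent
 * overwrite would hide a schema problem. */
function _user_load_types($ret)
{
	if(!isset($ret['types']) || !is_array($ret['types'])) return false;

	foreach($ret['types'] as $t) {
		/* The loader name was built from $type, an undefined variable, so
		 * every full load called the non-existent user_load_().  The
		 * function_exists check also means a stray value in the types
		 * column fails the load instead of crashing it. */
		$loader = "user_load_$t";
		if(!function_exists($loader)) return false;

		$r = call_user_func($loader, $ret);
		/* Strict test: an empty array (a type with no extra fields) is
		 * loosely equal to false and used to abort the load here */
		if($r === false) return false;

		/* It is important that each type database doesn't
		 * have conflicting column names */
		foreach($r as $k => $v) {
			if(array_key_exists($k, $ret)) {
				echo "DATABASE DESIGN ERROR, duplicate user key $k";
				exit;
			}
		}
		$ret = array_merge($ret, $r);
	}
	return $ret;
}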
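/* Write the changed personal fields of $u back to the users table.
 *
 * Only the fields listed below are considered, and a field is written only
 * when it is present in $u and differs from the copy in $u['orig'] (set by
 * user_load).  Values are escaped with mysql_real_escape_string, which
 * honours the connection charset; mysql_escape_string does not, and can be
 * bypassed with multibyte sequences on a non-UTF-8 connection.
 *
 * NOTE(review): 'password' is written exactly as supplied -- confirm that
 * the caller hashes it before it reaches this function. */
function user_save($u)
{
	$fields = array('firstname','lastname','username','password',
			'email','emailprivate',
			'phonehome','phonework','phonecell','fax',
			'address','address2','city','province','postalcode');

	$set = array();
	foreach($fields as $f) {
		/* A field the caller did not supply is left untouched rather than
		 * being blanked */
		if(!array_key_exists($f, $u)) continue;

		$new = (string)$u[$f];
		$old = isset($u['orig'][$f]) ? (string)$u['orig'][$f] : '';
		if($new === $old) continue;

		/* stripslashes undoes magic_quotes on the submitted value so it is
		 * escaped exactly once, for the query */
		$data = mysql_real_escape_string(stripslashes($new));
		$set[] = "$f='$data'";
	}

	if(count($set) == 0) return;

	/* id is cast so the only value not passed through the escaper is an int */
	$id = intval($u['id']);
	$query = "UPDATE users SET ".implode(',', $set)." WHERE id='$id'";
	if(!mysql_query($query)) {
		/* Log rather than echo: the raw driver message would reveal table
		 * and column names to the browser */
		error_log("user_save: ".mysql_error());
	}
}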
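/* Check a username against the allowed character set: ASCII letters, digits,
 * '@', '.', '_' and '-'.  Returns true when every character is allowed (an
 * empty string passes), false otherwise or if the match itself fails. */
function user_valid_user($user)
{
	/* Find any character that doesn't match the valid username characters
	 * (^ inverts the matching remember).
	 *
	 * The pattern used to be '[^a-zA-Z0-9@.-_]' with no delimiters: PCRE
	 * took the square brackets as the delimiters, so the check only matched
	 * that literal text and every username was accepted.  '-' is placed
	 * last in the class so it is literal rather than the range '.' to '_'. */
	$x = preg_match('/[^a-zA-Z0-9@._-]/', (string)$user);

	/* 1 means a bad character was found; false means PCRE failed, which is
	 * treated as invalid rather than valid */
	return ($x === 0);
}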
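/* Check a password: same idea as user_valid_user but with a wider allowed
 * set (letters, digits, space and ~!@#$%^&*()-_=+|;:,<.>/?), plus a minimum
 * length of 6 bytes.  Returns true when both checks pass.
 *
 * NOTE(review): 6 bytes is a low minimum; the allowed set also excludes
 * quotes and brackets, which users may reasonably want. */
function user_valid_password($pass)
{
	$pass = (string)$pass;

	/* Same as user, but allow more characters.  As with user_valid_user the
	 * pattern previously had no delimiters and never rejected anything; the
	 * '-' after ')' is escaped so it is literal, not a range. */
	$x = preg_match('/[^a-zA-Z0-9 ~!@#$%^&*()\-_=+|;:,<.>\/?]/', $pass);

	/* 1 means a bad character was found; false means PCRE failed -- both
	 * are treated as invalid */
	if($x !== 0) return false;

	if(strlen($pass) < 6) return false;

	return true;
}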
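/* Perform some checks. Make sure the person is logged in as $type, and that
 * their password hasn't expired (the password_expired var is set in the
 * login page).  Redirects to the login page, or to the password page when
 * only the expiry check fails, and exits; returns true when the caller may
 * proceed.  $check_expiry=false skips the expiry check (presumably for the
 * password page itself -- not visible here).
 */
function user_auth_required($type, $check_expiry=true)
{
	/* urlencode keeps the query string intact, and keeps CR/LF out of the
	 * header, whatever a caller passes as $type */
	$login = "user_login.php?type=".urlencode($type)."&notice=auth_required";

	/* Not logged in at all, or logged in as a different type */
	if(!isset($_SESSION['users_type']) || $_SESSION['users_type'] !== $type) {
		header("Location: $login");
		exit;
	}

	/* A missing flag counts as not expired, as before, but without the
	 * undefined-index notice */
	$expired = !empty($_SESSION['password_expired']);
	if($expired && $check_expiry == true) {
		header("Location: user_password.php");
		exit;
	}

	return true;
}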
/* Registration status for volunteers.  Always "open" at the moment: the
 * date-window check used for judges is sketched below but disabled, since
 * there are no volunteer dates in $config yet. */
function user_volunteer_registration_status()
{
	global $config;

	/* Disabled date window, kept for when volunteer dates exist:
	 *   $now = date('Y-m-d H:i:s');
	 *   $now < $config['dates']['judgeregopen']  -> "notopenyet"
	 *   $now > $config['dates']['judgeregclose'] -> "closed" */
	$status = "open";
	return $status;
}
/* Registration status for judges, from the window in $config['dates']:
 * "notopenyet" before judgeregopen, "closed" after judgeregclose, "open"
 * in between. */
function user_judge_registration_status()
{
	global $config;

	$opens = $config['dates']['judgeregopen'];
	$closes = $config['dates']['judgeregclose'];

	/* Both sides are 'Y-m-d H:i:s' strings, so plain string comparison
	 * orders them chronologically (local time, as date() gives it) */
	$now = date('Y-m-d H:i:s');

	if($now < $opens) {
		return "notopenyet";
	} elseif($now > $closes) {
		return "closed";
	}
	return "open";
}
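/* The personal-info fields to show for a user of $type: the common set plus
 * the type-specific extras.  Returns null for an unknown type.
 *
 * The previous switch had no break statements, so every known type fell
 * through to the last case and the committee extras were never returned;
 * an unknown type left $f undefined. */
function user_personal_fields($type)
{
	/* Figure out what fields we should show. */
	$all_fields = array('firstname','lastname','email','phonehome','phonecell','organization');

	/* NOTE(review): user_save writes a 'phonework' column; confirm whether
	 * 'workphone' here is meant to be the same field. */
	$extra = array(
		'volunteer' => array(),
		'committee' => array('workphone','fax'),
		'judge' => array(),
		'student' => array(),
		'region' => array(),
	);

	if(!is_string($type) || !array_key_exists($type, $extra)) return null;

	return array_merge($all_fields, $extra[$type]);
}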
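/* The personal-info fields that must be filled in for a user of $type: the
 * common set plus any type-specific extras (none defined yet).  Returns null
 * for an unknown type.
 *
 * Written as a lookup table for the same reason as user_personal_fields:
 * the switch it replaces had no break statements, and an unknown type left
 * $f undefined. */
function user_personal_required_fields($type)
{
	$all_fields = array('firstname','lastname','email');

	$extra = array(
		'volunteer' => array(),
		'committee' => array(),
		'judge' => array(),
		'student' => array(),
		'region' => array(),
	);

	if(!is_string($type) || !array_key_exists($type, $extra)) return null;

	return array_merge($all_fields, $extra[$type]);
}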
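/* Decide whether a user's required personal fields are all filled in.
 * Without $u the session user is loaded.  Returns 'complete' when every
 * required field (the union over the user's types) is non-blank after
 * trimming, 'incomplete' otherwise. */
function user_personal_info_status($u = false)
{
	if($u == false) {
		$u = user_load($_SESSION['users_id']);
		/* No record for the session id: nothing can be filled in */
		if($u === false) return 'incomplete';
	}

	$required = array();
	foreach($u['types'] as $t) {
		$fields = user_personal_required_fields($t);
		/* An unknown type contributes no required fields */
		if(is_array($fields)) {
			$required = array_merge($required, $fields);
		}
	}

	foreach($required as $r) {
		/* A missing key counts as blank rather than raising a notice */
		$val = isset($u[$r]) ? trim((string)$u[$r]) : '';
		if(strlen($val) == 0) return 'incomplete';
	}

	return 'complete';
}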
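/* Keep users.complete in step with $status: 'complete' turns the flag to
 * 'yes', anything else turns a 'yes' back to 'no'.  The row is written only
 * when the flag actually changes, and $u['complete'] is updated to match.
 *
 * The row updated is the one for $u['id'] -- the function used to update the
 * session user's row even when $u was a different user.  The session id is
 * only used as a fallback when $u carries no id. */
function user_update_complete(&$u, $status)
{
	$id = isset($u['id']) ? intval($u['id']) : intval($_SESSION['users_id']);
	$have = isset($u['complete']) ? $u['complete'] : null;

	if($status == 'complete' && $have != 'yes') {
		mysql_query("UPDATE users SET complete='yes' WHERE id='$id'");
		$u['complete'] = 'yes';
		return;
	}
	if($status != 'complete' && $have == 'yes') {
		mysql_query("UPDATE users SET complete='no' WHERE id='$id'");
		$u['complete'] = 'no';
		return;
	}
}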
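/* Set the committee access flags in the session from the user's
 * users_committee row.  $u is a user array as returned by user_load; the
 * full per-type load is done here.  Returns false when $u is not a committee
 * member or the full load fails (in the latter case every flag is cleared so
 * the session cannot keep a stale privilege), true once the flags are set.
 * A flag is true only when the row holds an explicit 'Y'.
 *
 * NOTE(review): if this is the point where a committee session is
 * established, the session id should be regenerated before these flags are
 * granted -- confirm against the login page, which is not visible here. */
function user_committee_login($u)
{
	/* Double check, make sure the user is of this type */
	if(!in_array('committee', $u['types'], true)) return false;

	$flags = array('access_admin','access_config','access_super');

	$u = user_load($u, true);
	if($u === false) {
		/* Fail closed: drop any privilege the session may still carry */
		foreach($flags as $flag) {
			$_SESSION[$flag] = false;
		}
		return false;
	}

	foreach($flags as $flag) {
		$_SESSION[$flag] = (isset($u[$flag]) && $u[$flag] === 'Y');
	}
	return true;
}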