forked from science-ation/science-ation
873 lines
25 KiB
PHP
873 lines
25 KiB
PHP
<?
|
|
/*
|
|
This file is part of the 'Science Fair In A Box' project
|
|
SFIAB Website: http://www.sfiab.ca
|
|
|
|
Copyright (C) 2005 Sci-Tech Ontario Inc <info@scitechontario.org>
|
|
Copyright (C) 2005 James Grant <james@lightbox.org>
|
|
Copyright (C) 2007 David Grant <dave@lightbox.org>
|
|
|
|
This program is free software; you can redistribute it and/or
|
|
modify it under the terms of the GNU General Public
|
|
License as published by the Free Software Foundation, version 2.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program; see the file COPYING. If not, write to
|
|
the Free Software Foundation, Inc., 59 Temple Place - Suite 330,
|
|
Boston, MA 02111-1307, USA.
|
|
*/
|
|
?>
|
|
<?
|
|
|
|
function user_valid_role($role)
|
|
{
|
|
global $roles;
|
|
if(!is_array($role)) $role = array($role);
|
|
|
|
foreach($role as $r) {
|
|
if(!array_key_exists($r, $roles)) return false;
|
|
}
|
|
return true;
|
|
}
|
|
|
|
|
|
function user_load($users_id, $accounts_id = false)
|
|
{
|
|
/* Load user, join accounts so we also load the email, superuser flag */
|
|
$query = "SELECT * FROM users JOIN accounts ON accounts.id=users.accounts_id WHERE ";
|
|
if($accounts_id != false) {
|
|
$accounts_id = intval($accounts_id);
|
|
$query .= "`users`.`accounts_id`='$accounts_id' LIMIT 1";
|
|
} else {
|
|
$id = intval($users_id);
|
|
$query .= " `users`.`id`='$id'";
|
|
}
|
|
$q=mysql_query($query);
|
|
if(mysql_num_rows($q) == 0)
|
|
return false;
|
|
|
|
if(mysql_num_rows($q) > 1) {
|
|
echo "ERROR: More than one user.\n";
|
|
return false;
|
|
}
|
|
|
|
/* Load the user */
|
|
$u = mysql_fetch_assoc($q);
|
|
|
|
/* Sanitize before using these in mysql queries */
|
|
$u['id'] = intval($u['id']);
|
|
$u['accounts_id'] = intval($u['accounts_id']);
|
|
$u['year'] = intval($u['year']);
|
|
|
|
|
|
/* Get roles, and active/complete status for each role */
|
|
$query = "SELECT user_roles.*,roles.type,roles.name FROM user_roles LEFT JOIN roles ON roles.id=user_roles.roles_id WHERE user_roles.users_id={$u['id']}";
|
|
$q = mysql_query($query);
|
|
|
|
$u['roles'] = array();
|
|
while(($roledata = mysql_fetch_assoc($q))) {
|
|
$u['roles'][$roledata['type']] = $roledata;
|
|
}
|
|
|
|
if(count($u['roles']) == 0) {
|
|
/* No roles, that's ok actually, the previous logic here was that
|
|
* a user without roles is deleted.. but.. this could happen for
|
|
* new users, or if someone deletes all their roles before adding
|
|
* a new role */
|
|
}
|
|
|
|
/* Convenience */
|
|
$u['name'] = ($u['firstname'] ? "{$u['firstname']} " : '').$u['lastname'];
|
|
|
|
/* Email recipient for "to" field on emails */
|
|
if( ($u['firstname'] || $u['lastname']) && $u['email']) {
|
|
//use their full name if we have it
|
|
//if the name contains anything non-standard, we need to quote it.
|
|
if(eregi("[^a-z0-9 ]",$u['name']))
|
|
$u['emailrecipient']="\"{$u['name']}\" <{$u['email']}>";
|
|
else
|
|
$u['emailrecipient']="{$u['name']} <{$u['email']}>";
|
|
}
|
|
else if($u['email']) {
|
|
//otherwise, just their email address
|
|
$u['emailrecipient']=$u['email'];
|
|
}
|
|
else {
|
|
$u['emailrecipient']="";
|
|
}
|
|
|
|
foreach(array_keys($u['roles']) as $r) {
|
|
/* Do the load routines inline, the explosion of user roles
|
|
* means it's just silly to have a different function for each
|
|
* one. If we get one that has a crazy amount of stuff to do,
|
|
* we could move it all to a function and call it in the
|
|
* switch below */
|
|
switch($r) {
|
|
case 'committee':
|
|
$u['ord'] = intval($u['ord']);
|
|
$u['displayemail'] = ($u['displayemail'] == 'yes') ? 'yes' : 'no';
|
|
break;
|
|
|
|
case 'judge':
|
|
$u['years_school'] = intval($u['years_school']);
|
|
$u['years_regional'] = intval($u['years_regional']);
|
|
$u['years_national'] = intval($u['years_national']);
|
|
$u['willing_chair'] = ($u['willing_chair'] == 'yes') ? 'yes' : 'no';
|
|
$u['special_award_only'] = ($u['special_award_only'] == 'yes') ? 'yes' : 'no';
|
|
$u['cat_prefs'] = (strlen($u['cat_prefs']) > 0) ? unserialize($u['cat_prefs']) : array();
|
|
$u['div_prefs'] = (strlen($u['div_prefs']) > 0) ? unserialize($u['div_prefs']) : array();
|
|
$u['divsub_prefs'] = (strlen($u['divsub_prefs']) > 0) ? unserialize($u['divsub_prefs']) : array();
|
|
// $u['expertise_other'] = $u['expertise_other'];
|
|
$u['languages'] = (strlen($u['languages']) > 0) ? unserialize($u['languages']) : array();
|
|
// $u['highest_psd'] = $u['highest_psd'];
|
|
|
|
/* Sanity check the arrays, make sure they are arrays */
|
|
$should_be_arrays = array('cat_prefs','div_prefs',
|
|
'divsub_prefs','languages');
|
|
foreach($should_be_arrays as $k) {
|
|
if(!is_array($u[$k])) $u[$k] = array();
|
|
}
|
|
break;
|
|
|
|
case 'sponsor':
|
|
$u['sponsors_id'] = intval($u['sponsors_id']);
|
|
if($u['sponsors_id']) {
|
|
$q=mysql_query("SELECT * FROM sponsors WHERE id='{$u['sponsors_id']}'");
|
|
$u['sponsor']=mysql_fetch_assoc($q);
|
|
}
|
|
break;
|
|
|
|
default:
|
|
/* Nothing to do for all other roles */
|
|
break;
|
|
}
|
|
}
|
|
|
|
/* Do this assignment without recursion :) */
|
|
unset($u['orig']);
|
|
$orig = $u;
|
|
$u['orig'] = $orig;
|
|
|
|
return $u;
|
|
}
|
|
|
|
function user_load_by_accounts_id($accounts_id)
|
|
{
|
|
return user_load(0, $accounts_id);
|
|
}
|
|
|
|
function user_load_by_email($email)
|
|
{
|
|
/* Find the accounts_id for the email, regardless of deleted status */
|
|
$e = mysql_real_escape_string($email);
|
|
$q = mysql_query("SELECT accounts_id FROM users WHERE email='$e' OR username='$e'");
|
|
|
|
if(mysql_num_rows($q) == 1) {
|
|
$i = mysql_fetch_assoc($q);
|
|
return user_load_by_accounts_id($i['accounts_id']);
|
|
}
|
|
return false;
|
|
}
|
|
|
|
/* FIXME: these are going to need conference IDs too */
|
|
function user_load_by_accounts_id_year($uid, $year)
|
|
{
|
|
echo "FIXME";
|
|
exit;
|
|
$q = mysql_query("SELECT id FROM users WHERE uid='$uid' AND year <= '$year'");
|
|
if(!mysql_num_rows($q)) return false;
|
|
$i = mysql_fetch_assoc($q);
|
|
return user_load($i['id']);
|
|
}
|
|
|
|
function user_save(&$u)
|
|
{
|
|
global $conference;
|
|
global $roles;
|
|
|
|
/* Sanity check */
|
|
if($u['conferences_id'] != $u['orig']['conferences_id']) {
|
|
echo "The user's conference changed. Can't save a user to a difference conference, use user_dupe to copy the user to a new conference.\n";
|
|
exit;
|
|
}
|
|
|
|
/* Add any new roles */
|
|
$orig_roles = array_keys($u['orig']['roles']);
|
|
$new_roles = array_keys($u['roles']);
|
|
|
|
/* Delete any removed roles */
|
|
$removed = array_diff($orig_roles, $new_roles);
|
|
foreach($removed as $r) {
|
|
mysql_query("DELETE FROM user_roles WHERE users_id='{$u['id']}' AND roles_id='{$roles[$r]['id']}'");
|
|
}
|
|
|
|
/* Update all roles */
|
|
foreach($new_roles as $r) {
|
|
if(!in_array($r, $orig_roles)) {
|
|
/* Role is new */
|
|
if(!user_add_role_allowed($u, $r)) {
|
|
echo "HALT: user can't add this role";
|
|
exit;
|
|
}
|
|
mysql_query("INSERT INTO user_roles(accounts_id,users_id,roles_id,active,complete)
|
|
VALUES('{$u['accounts_id']}','{$u['id']}','{$roles[$r]['id']}','no','no')");
|
|
echo mysql_error();
|
|
|
|
} else if($u['roles'][$r] != $u['orig']['roles'][$r]) {
|
|
/* $u['roles'][$r] has changed from original, update it */
|
|
mysql_query("UPDATE user_roles SET active='{$u['roles'][$r]['active']}',
|
|
complete='{$u['roles'][$r]['complete']}'
|
|
WHERE id='{$u['roles'][$r]['id']}'");
|
|
echo mysql_error();
|
|
}
|
|
}
|
|
|
|
|
|
$fields = array('salutation','firstname','lastname','username',
|
|
'phonehome','phonework','phonecell','fax','organization',
|
|
'address','address2','city','province','postalcode','sex',
|
|
'firstaid', 'cpr', 'lang', 'notes');
|
|
|
|
$fields_for_role['committee'] = array('emailprivate','ord','displayemail',
|
|
'access_admin','access_config','access_super');
|
|
$fields_for_role['judge'] = array('years_school','years_regional','years_national',
|
|
'willing_chair','special_award_only',
|
|
'cat_prefs','div_prefs','divsub_prefs',
|
|
'expertise_other','languages', 'highest_psd');
|
|
$fields_for_role['student'] = array('schools_id');
|
|
$fields_for_role['fair'] = array('fairs_id');
|
|
$fields_for_role['sponsor'] = array('sponsors_id','primary','position');
|
|
|
|
/* Merge fields as necessary, build a big list of fields to save */
|
|
foreach($new_roles as $r) {
|
|
if(!array_key_exists($r, $fields_for_role)) continue;
|
|
$fields = array_merge($fields, $fields_for_role[$r]);
|
|
}
|
|
|
|
$set = "";
|
|
foreach($fields as $f) {
|
|
if($u[$f] == $u['orig'][$f]) continue;
|
|
|
|
if($set != "") $set .=',';
|
|
|
|
if($u[$f] == NULL) {
|
|
$set .= "$f=NULL";
|
|
continue;
|
|
}
|
|
|
|
if(is_array($u[$f]))
|
|
$data = mysql_escape_string(serialize($u[$f]));
|
|
else
|
|
$data = mysql_escape_string(stripslashes($u[$f]));
|
|
$set .= "$f='$data'";
|
|
}
|
|
|
|
if($set != "") {
|
|
$query = "UPDATE users SET $set WHERE id='{$u['id']}'";
|
|
mysql_query($query);
|
|
echo mysql_error();
|
|
}
|
|
|
|
/* Record all the data in orig that we saved so subsequent
|
|
* calls to user_save don't try to overwrite data already
|
|
* saved to the database */
|
|
unset($u['orig']);
|
|
$orig = $u;
|
|
$u['orig'] = $orig;
|
|
|
|
// print_r($u);
|
|
}
|
|
|
|
|
|
function user_remove_role(&$u, $role)
|
|
{
|
|
if(!array_key_exists($role, $u['roles'])) {
|
|
/* Hum, type specified, but the user is not this type,
|
|
* so, i guess we're done. */
|
|
return;
|
|
}
|
|
|
|
$id = $u['id'];
|
|
|
|
/* Do role-specific remove actions */
|
|
switch($role) {
|
|
case 'committee':
|
|
mysql_query("DELETE FROM committees_link WHERE accounts_id='{$u['accounts_id']}'");
|
|
break;
|
|
|
|
case 'judge':
|
|
mysql_query("DELETE FROM judges_teams_link WHERE users_id='$id'");
|
|
mysql_query("DELETE FROM judges_specialawards_sel WHERE users_id='$id'");
|
|
break;
|
|
|
|
default:
|
|
break;
|
|
}
|
|
|
|
/* Delete the role */
|
|
unset($u['roles'][$role]);
|
|
|
|
/* Save this user (takes care of removing entries from the user_roles db) */
|
|
user_save($u);
|
|
}
|
|
|
|
|
|
/* If role is specified, just delete the role from the user.
|
|
* If not, delete the whole user, all roles */
|
|
function user_delete($u, $role=false)
|
|
{
|
|
$finish_delete = false;
|
|
|
|
if(!is_array($u)) {
|
|
$u = user_load($u);
|
|
}
|
|
if($role != false) {
|
|
user_remove_role($u, $role);
|
|
if(count($u['roles']) == 0) {
|
|
/* No roles left, finish the delete */
|
|
$finish_delete = true;
|
|
}
|
|
} else {
|
|
/* Delete the whole user, every role */
|
|
foreach(array_keys($u['roles']) as $r)
|
|
user_remove_role($u, $r);
|
|
|
|
$finish_delete = true;
|
|
}
|
|
|
|
if($finish_delete) {
|
|
mysql_query("UPDATE users SET deleted='yes', deleteddatetime=NOW() WHERE id='{$u['id']}'");
|
|
return true;
|
|
}
|
|
|
|
/* User had some other role, so delete was not completed. */
|
|
return false;
|
|
}
|
|
|
|
/* Purge functions. These completely eliminate all traces of a user from the
|
|
* database. This action cannot be undone. We prefer the committee to use the
|
|
* "delete" functions, which simply mark the account as "deleted". */
|
|
function user_purge($u, $role=false)
|
|
{
|
|
/* Delete the user, then completely delete them from
|
|
* the DB if delete returns true, that is, if there's
|
|
* no other role blocking the delete/purge */
|
|
$finish_purge = user_delete($u, $role);
|
|
|
|
if($finish_purge == true) {
|
|
mysql_query("DELETE FROM users WHERE id='{$u['id']}'");
|
|
return true;
|
|
}
|
|
|
|
/* Not purged, some other role existed */
|
|
return false;
|
|
}
|
|
|
|
|
|
/* Duplicate a row in the users table, or any one of the users_* tables. */
|
|
function user_dupe_row($db, $key, $val, $newval)
|
|
{
|
|
global $config;
|
|
$nullfields = array('deleteddatetime'); /* Fields that can be null */
|
|
$q = mysql_query("SELECT * FROM $db WHERE $key='$val'");
|
|
if(mysql_num_rows($q) != 1) {
|
|
echo "ERROR duplicating row in $db: $key=$val NOT FOUND.\n";
|
|
exit;
|
|
}
|
|
$i = mysql_fetch_assoc($q);
|
|
$i[$key] = $newval;
|
|
|
|
foreach($i as $k=>$v) {
|
|
if($v == NULL && in_array($k, $nullfields))
|
|
$i[$k] = 'NULL';
|
|
else if($k == 'year')
|
|
$i[$k] = $config['FAIRYEAR'];
|
|
else
|
|
$i[$k] = '\''.mysql_escape_string($v).'\'';
|
|
}
|
|
|
|
$keys = '`'.join('`,`', array_keys($i)).'`';
|
|
$vals = join(',', array_values($i));
|
|
|
|
$q = "INSERT INTO $db ($keys) VALUES ($vals)";
|
|
// echo "Dupe Query: [$q]";
|
|
$r = mysql_query($q);
|
|
echo mysql_error();
|
|
|
|
$id = mysql_insert_id();
|
|
return $id;
|
|
}
|
|
/* Used by the login scripts to copy one user from one year to another */
|
|
function user_dupe($u, $new_year)
|
|
{
|
|
/* Dupe a user if:
|
|
* - They don't exist in the current year
|
|
* (users->year != the target year (passed in so we can use it in the rollover script) )
|
|
* - They have a previous year entry
|
|
* (users->year DESC LIMIT 1 == 1 row)
|
|
* - That previous entry has deleted=no */
|
|
|
|
/* Find the last entry */
|
|
$q = mysql_query("SELECT id,uid,year,deleted FROM users WHERE uid='{$u['uid']}'
|
|
ORDER BY year DESC LIMIT 1");
|
|
$r = mysql_fetch_object($q);
|
|
if($r->deleted == 'yes') {
|
|
echo "Cannot duplicate user ID {$u['id']}, they are deleted. Undelete them first.\n";
|
|
exit;
|
|
}
|
|
if($r->year == $new_year) {
|
|
echo "Cannot duplicate user ID {$u['id']}, they already exist in year $new_year\n";
|
|
exit;
|
|
}
|
|
|
|
$id = user_dupe_row('users', 'id', $u['id'], NULL);
|
|
$q = mysql_query("UPDATE users SET year='$new_year' WHERE id='$id'");
|
|
|
|
/* Load the new user */
|
|
$u2 = user_load($id);
|
|
|
|
foreach($u2['types'] as $t) {
|
|
user_dupe_row("users_$t", 'users_id', $u['id'], $id);
|
|
}
|
|
/* Return the ID of the new user */
|
|
return $id;
|
|
}
|
|
|
|
/* Returns true if loaded user ($u) is allowed to add role $role to their
|
|
* profile. THis is intended as a last-stop mechanism, preventing, for example
|
|
* a student from co-existing with any other role . */
|
|
function user_add_role_allowed(&$u, $role)
|
|
{
|
|
foreach(array_keys($u['orig']['roles']) as $ur) {
|
|
switch($ur) {
|
|
case 'student':
|
|
/* Student cant' add any other role */
|
|
return false;
|
|
|
|
default:
|
|
if($role == 'student') {
|
|
/* No role can add the student role */
|
|
return false;
|
|
}
|
|
|
|
/* All other roles can coexist (even the fair role) */
|
|
break;
|
|
}
|
|
}
|
|
return true;
|
|
}
|
|
|
|
function user_add_role(&$u, $role)
|
|
{
|
|
if(!user_add_role_allowed($u, $role)) {
|
|
/* If we get in here, someone is hand crafting URLs */
|
|
echo "HALT: invalid role add specified for operation.";
|
|
exit;
|
|
}
|
|
|
|
/* Add the role */
|
|
$u['roles'][$role] = array('active' =>'yes',
|
|
'complete' => 'no');
|
|
/* Save it now so the DB gets updated */
|
|
user_save($u);
|
|
}
|
|
|
|
function user_create($accounts_id, $conferences_id=0)
|
|
{
|
|
global $config, $conference;
|
|
|
|
if($conferences_id == 0) $conferences_id = $conference['id'];
|
|
|
|
/* Make sure the user doesn't already exist */
|
|
$q = mysql_query("SELECT id FROM users WHERE accounts_id='$accounts_id' AND conferences_id='$conferences_id'");
|
|
echo mysql_error();
|
|
if(mysql_num_rows($q)) {
|
|
echo "ERROR: user_create called for a user that already exists.\n";
|
|
exit;
|
|
}
|
|
|
|
/* Create the user */
|
|
mysql_query("INSERT INTO users(`accounts_id`,`conferences_id`) VALUES('$accounts_id','$conferences_id')");
|
|
$id = mysql_insert_id();
|
|
|
|
/* Return a loaded user with no roles */
|
|
return user_load($id);
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Perform some checks. Make sure the person is logged in, and that their
|
|
* password hasn't expired (the password_expired var is set in the login page)
|
|
*/
|
|
function user_auth_required($all_required = array(), $one_required = array())
|
|
{
|
|
global $config;
|
|
$ok = true;
|
|
|
|
unset($_SESSION['request_uri']);
|
|
if(!isset($_SESSION['roles']) || !isset($_SESSION['users_id'])) {
|
|
message_push(error(i18n("You must login to view that page")));
|
|
$_SESSION['request_uri'] = $_SERVER['REQUEST_URI'];
|
|
header("location: {$config['SFIABDIRECTORY']}/user_login.php?type=$type");
|
|
exit;
|
|
}
|
|
|
|
/* Make sure the user has each role in $all_required, this returns
|
|
* an array in the same order as $all_required, with all members
|
|
* in $all_required that are also in the session roles */
|
|
if(!is_array($all_required)) $all_required = array($all_required);
|
|
|
|
$match = array_intersect($all_required, $_SESSION['roles']);
|
|
if($all_required != $match) {
|
|
/* Something is missing */
|
|
$ok = false;
|
|
}
|
|
|
|
/* Make sure the user has one role in $one_required */
|
|
if(!is_array($one_required)) $one_required = array($one_required);
|
|
if(count($one_required)) {
|
|
$match = array_intersect($one_required, $_SESSION['roles']);
|
|
if(count($match) == 0) {
|
|
/* Missing any role in $one_required */
|
|
$ok = false;
|
|
}
|
|
}
|
|
|
|
if(!$ok) {
|
|
message_push(error(i18n("You do not have permission to view that page")));
|
|
header("location: {$config['SFIABDIRECTORY']}/user_login.php");
|
|
exit;
|
|
}
|
|
|
|
/* Forward to password expired, remember the target URI */
|
|
if($_SESSION['password_expired'] == true) {
|
|
$_SESSION['request_uri'] = $_SERVER['REQUEST_URI'];
|
|
header("location: {$config['SFIABDIRECTORY']}/user_edit.php");
|
|
exit;
|
|
}
|
|
|
|
/* Return the first role that matched, this retains the previous
|
|
* behaviour */
|
|
return $match[0];
|
|
}
|
|
|
|
/* Perform some checks. Make sure the person is logged in, and that their
|
|
* password hasn't expired (the password_expired var is set in the login page)
|
|
*/
|
|
function api_user_auth_required($all_required = array(), $one_required = array())
|
|
{
|
|
global $config;
|
|
$ok = true;
|
|
$ret=array();
|
|
|
|
if(!isset($_SESSION['roles'])) {
|
|
$ret['status']="error";
|
|
$ret['error']="Not logged in";
|
|
return $ret;
|
|
}
|
|
|
|
/* Make sure the user has each role in $all_required, this returns
|
|
* an array in the same order as $all_required, with all members
|
|
* in $all_required that are also in the session roles */
|
|
if(!is_array($all_required)) $all_required = array($all_required);
|
|
|
|
$match = array_intersect($all_required, $_SESSION['roles']);
|
|
if($all_required != $match) {
|
|
/* Something is missing */
|
|
$ok = false;
|
|
}
|
|
|
|
/* Make sure the user has one role in $one_required */
|
|
if(!is_array($one_required)) $one_required = array($one_required);
|
|
if(count($one_required)) {
|
|
$match = array_intersect($one_required, $_SESSION['roles']);
|
|
if(count($match) == 0) {
|
|
/* Missing any role in $one_required */
|
|
$ok = false;
|
|
}
|
|
}
|
|
|
|
if(!$ok) {
|
|
$ret['status']="error";
|
|
$ret['error']="You do not have permission to access that information";
|
|
exit;
|
|
}
|
|
|
|
/* Forward to password expired, remember the target URI */
|
|
if($_SESSION['password_expired'] == true) {
|
|
$ret['status']="error";
|
|
$ret['error']="Your password has expired";
|
|
exit;
|
|
}
|
|
$ret['status']="ok";
|
|
$ret['match']=$match[0];
|
|
return $ret;
|
|
}
|
|
|
|
|
|
function user_volunteer_registration_status()
|
|
{
|
|
global $config;
|
|
// $now = date('Y-m-d H:i:s');
|
|
// if($now < $config['dates']['judgeregopen']) return "notopenyet";
|
|
// if($now > $config['dates']['judgeregclose']) return "closed";
|
|
return "open";
|
|
}
|
|
|
|
function user_judge_registration_status()
|
|
{
|
|
global $config;
|
|
$now = date('Y-m-d H:i:s');
|
|
if($now < $config['dates']['judgeregopen']) return "notopenyet";
|
|
if($now > $config['dates']['judgeregclose']) return "closed";
|
|
return "open";
|
|
}
|
|
|
|
$user_fields_map = array(
|
|
/* Account -- Email requirement is set based on username, which
|
|
* is always required. Password is not required unless they type
|
|
* in the field, in which case the form validator kicks
|
|
* (checks pass1==pass2 and all that) */
|
|
// 'email' => array('email'),
|
|
/* Personal */
|
|
'salutation' => array('salutation'),
|
|
'name' => array('firstname','lastname'),
|
|
'sex' => array('sex'),
|
|
'phonehome' => array('phonehome'),
|
|
'phonecell' => array('phonecell'),
|
|
'birthdate' => array('birthdate'),
|
|
'lang' => array('lang'),
|
|
'address' => array('address', 'address2', 'postalcode'),
|
|
'city' => array('city'),
|
|
'province' => array('province'),
|
|
'firstaid' => array('firstaid','cpr'),
|
|
/* Organization */
|
|
'org' => array('organization'),
|
|
'phonework' => array('phonework'),
|
|
'fax' => array('fax'),
|
|
);
|
|
|
|
/* Return fields to show based on role. In the user editor, many
|
|
* fields are always shown and some have hard-coded requirements, but
|
|
* any in this list can be made optionally-required or not shown
|
|
* at all */
|
|
function user_fields_enabled($role)
|
|
{
|
|
global $config, $user_fields_map;
|
|
$ret = array('firstname','lastname');
|
|
$fields = $config["{$role}_personal_fields"];
|
|
if($fields != '') {
|
|
$fields = split(',', $fields);
|
|
foreach($fields as $f) {
|
|
$ret = array_merge($ret, $user_fields_map[$f]);
|
|
}
|
|
}
|
|
return $ret;
|
|
}
|
|
|
|
/* Return required fields. Some fields are always shown and can be
|
|
* set to required. Some have hard-coded requirement status. This is only
|
|
* for the fields where the requirement can be configured. Not for ALL fields
|
|
* the user sees */
|
|
function user_fields_required($role)
|
|
{
|
|
global $config, $user_fields_map;
|
|
$ret = array('firstname','lastname','username');
|
|
$required = $config["{$role}_personal_required"];
|
|
if($required != '') {
|
|
$fields = split(',', $required);
|
|
foreach($fields as $f) {
|
|
$ret = array_merge($ret, $user_fields_map[$f]);
|
|
}
|
|
}
|
|
/* Filter some elements that are never required.
|
|
* - address2
|
|
*/
|
|
$ret = array_diff($ret, array('address2'));
|
|
return $ret;
|
|
}
|
|
|
|
|
|
/* user_{$role}_login() is called with a full $u loaded */
|
|
|
|
function user_fair_login($u)
|
|
{
|
|
/* Double check, make sure the user is of this role */
|
|
if(!array_key_exists('fair', $u['roles'])) {
|
|
echo "ERROR: attempted to login fair on a non-fair user\n";
|
|
exit;
|
|
}
|
|
|
|
$_SESSION['fairs_id'] = $u['fairs_id'];// == 'yes') ? true : false;
|
|
}
|
|
|
|
function superuser_required() {
|
|
//first, they have to be logged in
|
|
user_auth_required();
|
|
|
|
//next, they need superuser
|
|
if($_SESSION['superuser']!="yes") {
|
|
send_header("Superuser access required");
|
|
send_footer();
|
|
exit;
|
|
}
|
|
}
|
|
|
|
function try_login($user, $pass)
|
|
{
|
|
/* Ensure sanity of inputs */
|
|
/* User could be a username, or could be an email, check */
|
|
if(!account_valid_user($user) && !account_valid_email($user)) {
|
|
return false;
|
|
}
|
|
|
|
/* Don't check for a valid password, administrators can set any password they'd like, but
|
|
* there has to be a password */
|
|
if(!strlen($pass)) {
|
|
return false;
|
|
}
|
|
|
|
$user = mysql_real_escape_string($user);
|
|
$q = mysql_query("SELECT id,password,deleted FROM accounts WHERE username='$user'");
|
|
echo mysql_error();
|
|
/*
|
|
$q = mysql_query("SELECT id,username,password,year,deleted
|
|
FROM users
|
|
WHERE username='$user'
|
|
AND deleted='no'
|
|
ORDER BY year DESC LIMIT 1");
|
|
*/
|
|
if(mysql_num_rows($q) < 1) return false;
|
|
|
|
$r = mysql_fetch_assoc($q);
|
|
|
|
/* See if the user account has been deleted */
|
|
if($r['deleted'] == 'yes') return false;
|
|
|
|
/* See if the password matches */
|
|
if($r['password'] != $pass) return false;
|
|
|
|
/* Login successful */
|
|
return $r['id'];
|
|
}
|
|
|
|
function user_conference_load($accounts_id,$conferences_id) {
|
|
global $config;
|
|
/* Use the active conference to find the user id to load */
|
|
/* FIXME: Need to be able to handle the case where there is no
|
|
* active conference, but one step at a time */
|
|
$q = mysql_query("SELECT id FROM users WHERE accounts_id=$accounts_id AND conferences_id=$conferences_id");
|
|
if(mysql_num_rows($q) == 0) {
|
|
/* FIXME: this should probably just return false, but for now, see if there's an error */
|
|
return false;
|
|
// header("location: user_edit.php");
|
|
// echo "No user {$accounts_id} for conference {$_SESSION['conferences_id']}";
|
|
exit;
|
|
}
|
|
if(mysql_num_rows($q) > 1) {
|
|
echo "DATABASE ERROR: More than one user for account $accounts_id conference {$conferences_id}";
|
|
exit;
|
|
}
|
|
$uid = mysql_fetch_assoc($q);
|
|
$id = $uid['id'];
|
|
|
|
$u = user_load($id);
|
|
|
|
$_SESSION['name']="{$u['firstname']} {$u['lastname']}";
|
|
$_SESSION['users_id']=$u['id'];
|
|
$_SESSION['roles']=array_keys($u['roles']);
|
|
|
|
/* Load the password expiry for each user role, and
|
|
* find the longest expiry, which is the one we'll use
|
|
* for this user to determine if the passwd has
|
|
* expired. */
|
|
$longest_expiry = 0;
|
|
foreach(array_keys($u['roles']) as $r) {
|
|
$e = $config["{$r}_password_expiry_days"];
|
|
if($e == 0) {
|
|
/* Catch a never expire case. */
|
|
$longest_expiry = 0;
|
|
break;
|
|
} else if($e > $longest_expiry) {
|
|
$longest_expiry = $e;
|
|
}
|
|
}
|
|
|
|
if($u['passwordset'] == '0000-00-00') {
|
|
/* Force the password to expire */
|
|
$_SESSION['password_expired'] = true;
|
|
} else if($longest_expiry == 0) {
|
|
/* Never expires */
|
|
unset($_SESSION['password_expired']);
|
|
} else {
|
|
/* Check expiry */
|
|
$expires = date('Y-m-d', strtotime("{$u['passwordset']} +$longest_expiry days"));
|
|
$now = date('Y-m-d');
|
|
if($now > $expires) {
|
|
$_SESSION['password_expired'] = true;
|
|
} else {
|
|
unset($_SESSION['password_expired']);
|
|
}
|
|
}
|
|
/* If password_expired == true, the main page (or any
|
|
* other user page) will catch this and require
|
|
* them to set a password */
|
|
|
|
/* Call login functions for each role */
|
|
foreach(array_keys($u['roles']) as $r) {
|
|
if(is_callable("user_{$r}_login")) {
|
|
call_user_func_array("user_{$r}_login", array($u));
|
|
}
|
|
}
|
|
|
|
// mysql_query("UPDATE accounts SET lastlogin=NOW()
|
|
// WHERE id={$u['id']}");
|
|
|
|
/* Setup multirole so a multirole user can switch if they want to
|
|
* without logging in/out */
|
|
/* if(count($u['roes']) > 1) {
|
|
$_SESSION['multirole'] = true;
|
|
} else {
|
|
$_SESSION['multirole'] = false;
|
|
}
|
|
*/
|
|
/* See if there is a redirect, and do that instead of
|
|
* taking them to their main page */
|
|
/* if($redirect != '') {
|
|
switch($redirect) {
|
|
case 'roleadd':
|
|
if(!user_valid_role($multirole_data))
|
|
$multirole_data = '';
|
|
|
|
header("location: user_multirole.php?action=add&role=$multirole_data");
|
|
exit;
|
|
case 'roleattached':
|
|
message_push(happy(i18n('The %1 role has been attached to your account', array($roles[$role]['name']))));
|
|
message_push(notice(i18n('Use the [Switch Roles] link in the upper right to change roles while you are logged in')));
|
|
header("location: {$role}_main.php");
|
|
exit;
|
|
|
|
}
|
|
}
|
|
*/
|
|
/* Is there a saved requesT_uri from a failed login attempt?, if so
|
|
* take them there */
|
|
if(array_key_exists('request_uri', $_SESSION)) {
|
|
// header("location: {$_SESSION['request_uri']}");
|
|
unset($_SESSION['request_uri']);
|
|
return $_SESSION['request_uri'];
|
|
}
|
|
return "user_main.php";
|
|
// header("location: user_main.php");
|
|
//exit;
|
|
}
|
|
|
|
|
|
?>
|