poweradmin: comparison inc/users.inc.php

equal deleted inserted replaced

-:c72d6d51f3d3
+:c255196bc447
 *  along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 require_once("inc/toolkit.inc.php");
+/*
+*  Function to see if user has right to do something. It will check if
+*  user has "ueberuser" bit set. If it isn't, it will check if the user has
+*  the specific permission. It returns "false" if the user doesn't have the
+*  right, and "true" if the user has.
+*/
+function verify_permission($permission) {
+global $db;
+	if ((!isset($_SESSION['userid'])) || (!is_object($db))) {
+		return 0;
+	}
+// Set current user ID.
+$userid=$_SESSION['userid'];
+// Find the template ID that this user has been assigned.
+$query = "SELECT perm_templ
+			FROM users
+			WHERE id = " . $db->quote($userid) ;
+$templ_id = $db->queryOne($query);
+// Does this user have ueberuser rights?
+$query = "SELECT id
+			FROM perm_templ_items
+			WHERE templ_id = " . $db->quote($templ_id) . "
+			AND perm_id = '53'";
+$result = $db->query($query);
+if ( $result->numRows() > 0 ) {
+return 1;
+}
+// Find the permission ID for the requested permission.
+$query = "SELECT id
+			FROM perm_items
+			WHERE name = " . $db->quote($permission) ;
+$perm_id = $db->queryOne($query);
+// Check if the permission ID is assigned to the template ID.
+$query = "SELECT id
+			FROM perm_templ_items
+			WHERE templ_id = " . $db->quote($templ_id) . "
+			AND perm_id = " . $db->quote($perm_id) ;
+$result = $db->query($query);
+if ( $result->numRows() > 0 ) {
+return 1;
+} else {
+return 0;
+}
+}
+function list_permission_templates() {
+	global $db;
+	$query = "SELECT * FROM perm_templ";
+	$result = $db->query($query);
+	if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+	$template_list = array();
+	while ($template= $result->fetchRow()) {
+		$tempate_list[] = array(
+			"id"	=>	$template['id'],
+			"name"	=>	$template['name'],
+			"descr"	=>	$template['descr']
+			);
+	}
+	return $tempate_list;
+}
 /*
 * Retrieve all users.
 * Its to show_users therefore the odd name. Has to be changed.
 * return values: an array with all users in it.
 */
 	$sqlq = "SELECT users.id AS id,
 		users.username AS username,
 		users.fullname AS fullname,
 		users.email AS email,
 		users.description AS description,
-		users.level AS level,
 		users.active AS active,
+		users.perm_templ AS perm_templ,
 		count(zones.owner) AS aantal FROM users
 		LEFT JOIN zones ON users.id=zones.owner$add
 		GROUP BY
 			users.id,
 			users.username,
 			users.fullname,
 			users.email,
 			users.description,
-			users.level,
+			users.perm_templ,
 			users.active
 		ORDER BY
 			users.fullname";
 	// Execute the huge query.
 	}
 }
 /*
-* Gives a textdescribed value of the given levelid
-* return values: the text associated with the level
-*/
-function leveldescription($id)
-{
-	switch($id)
-	{
-		case 1:
-			global $NAME_LEVEL_1;
-			return $NAME_LEVEL_1;
-			break;
-		case 5:
-			global $NAME_LEVEL_5;
-			return $NAME_LEVEL_5;
-			break;
-		case 10:
-			global $NAME_LEVEL_10;
-			return $NAME_LEVEL_10;
-			break;
-		default:
-			return "Unknown";
-			break;
-	}
-}
-/*
 * Checks if a given username exists in the database.
 * return values: true if exists, false if not.
 */
 function user_exists($user)
 {
 	error(ERR_UNKNOWN);
 	}
 }
-/*
-* Get all user info for the given user in an array.
-* return values: the database style array with the information about the user.
-*/
-function get_user_info($id)
-{
-	global $db;
-	if (is_numeric($id))
-	{
-		$result = $db->query("SELECT id, username, fullname, email, description, level, active from users where id=".$db->quote($id));
-		$r = $result->fetchRow();
-		return $r;
-	}
-	else
-	{
-		error(sprintf(ERR_INV_ARGC,"get_user_info", "you gave illegal arguments: $id"));
-	}
-}
 /*
 * Delete a user from the system
 * return values: true if user doesnt exist.
 */
-function delete_user($id)
+function delete_user($uid,$zones)
 {
 	global $db;
-	if (!level(10))
-	{
+	if (($uid != $_SESSION['userid'] && !verify_permission(user_edit_others)) || ($uid == $_SESSION['userid'] && !verify_permission(user_edit_own))) {
-		error(ERR_LEVEL_10);
+		 error(ERR_PERM_DEL_USER);
-	}
+		 return false;
-	if (is_numeric($id))
+	} else {
-	{
-	$db->query("DELETE FROM users WHERE id=".$db->quote($id));
+		if (is_array($zones)) {
-	$db->query("DELETE FROM zones WHERE owner=".$db->quote($id));
+			foreach ($zones as $zone) {
-	return true;
+				if ($zone['target'] == "delete") {
-	// No need to check the affected rows. If the affected rows would be 0,
+					delete_domain($zone['zid']);
-	// the user isnt in the dbase, just as we want.
+				} elseif ($zone['target'] == "new_owner") {
-}
+					add_owner_to_zone($zone['zid'], $zone['newowner']);
-	else
+				}
-	{
+			}
-		error(ERR_INV_ARG);
+		}
-	}
-}
+		$query = "DELETE FROM zones WHERE owner = " . $db->quote($uid) ;
+		$result = $db->query($query);
+		if (PEAR::isError($response)) { error($response->getMessage()); return false; }
-/*
-* Adds a user to the system.
+		$query = "DELETE FROM users WHERE id = " . $db->quote($uid) ;
-* return values: true if succesfully added.
+		$result = $db->query($query);
-*/
+		if (PEAR::isError($response)) { error($response->getMessage()); return false; }
-function add_user($user, $password, $fullname, $email, $level, $description, $active)
+	}
-{
+	return true;
-	global $db;
-	if (!level(10))
-	{
-		error(ERR_LEVEL_10);
-	}
-	if (!user_exists($user))
-	{
-		if (!is_valid_email($email))
-		{
-			error(ERR_INV_EMAIL);
-		}
-		if ($active != 1) {
-			$active = 0;
-		}
-		$db->query("INSERT INTO users (username, password, fullname, email, description, level, active) VALUES (".$db->quote($user).", '" . md5($password) . "', ".$db->quote($fullname).", ".$db->quote($email).", ".$db->quote($description).", ".$db->quote($level).", ".$db->quote($active).")");
-		return true;
-	}
-	else
-	{
-		error(ERR_USER_EXISTS);
-	}
 }
 /*
 * Edit the information of an user.. sloppy implementation with too many queries.. (2) :)
 * return values: true if succesful
 */
-function edit_user($id, $user, $fullname, $email, $level, $description, $active, $password)
+function edit_user($id, $user, $fullname, $email, $perm_templ, $description, $active, $password)
 {
 	global $db;
-	if(!level(10)) {
-		error(ERR_LEVEL_10);
+	verify_permission(user_edit_own) ? $perm_edit_own = "1" : $perm_edit_own = "0" ;
-	}
+	verify_permission(user_edit_others) ? $perm_edit_others = "1" : $perm_edit_others = "0" ;
-	if (!is_valid_email($email))
+	if (($id == $_SESSION["userid"] && $perm_edit_own == "1") || ($id != $_SESSION["userid"] && $perm_edit_others == "1" )) {
-	{
-		error(ERR_INV_EMAIL);
+		if (!is_valid_email($email)) {
-	}
+			error(ERR_INV_EMAIL);
-	if ($active != 1) {
+			return false;
-		$active = 0;
+		}
-	}
-	$sqlquery = "UPDATE users set username=".$db->quote($user).", fullname=".$db->quote($fullname).", email=".$db->quote($email).", level=".$db->quote($level).", description=".$db->quote($description).", active=".$db->quote($active);
+		if ($active != 1) {
+			$active = 0;
-	if($password != "")
+		}
-	{
-		$sqlquery .= ", password= '" . md5($password) . "' ";
+		// Before updating the database we need to check whether the user wants to
-	}
+		// change the username. If the user wants to change the username, we need
+		// to make sure it doesn't already exists.
-	$sqlquery .= " WHERE id=".$db->quote($id) ;
+		//
+		// First find the current username of the user ID we want to change. If the
-	// Search the username that right now goes with this ID.
+		// current username is not the same as the username that was given by the
-	$result = $db->query("SELECT username from users where id=".$db->quote($id));
+		// user, the username should apparantly changed. If so, check if the "new"
-	$r = array();
+		// username already exists.
-	$r = $result->fetchRow();
+		$query = "SELECT username FROM users WHERE id = " . $db->quote($id);
-	// If the found username with this ID is the given username with the command.. execute.
+		$result = $db->query($query);
+		if (PEAR::isError($response)) { error($response->getMessage()); return false; }
-	if($r["username"] == $user)
-	{
+		$usercheck = array();
-		$db->query($sqlquery);
+		$usercheck = $result->fetchRow();
-		return true;
-	}
+		if ($usercheck['username'] != $user) {
-	// Its not.. so the user wants to change.
+			// Username of user ID in the database is different from the name
-	// Find if there is an id that has the wished username.
+			// we have been given. User wants a change of username. Now, make
-	$otheruser = $db->query("SELECT id from users where username=".$db->query($user));
+			// sure it doesn't already exist.
-	if($otheruser->numRows() > 0)
-	{
+			$query = "SELECT id FROM users WHERE username = " . $db->query($user);
-		error(ERR_USER_EXIST);
+			$result = $db->query($query);
-	}
+			if (PEAR::isError($response)) { error($response->getMessage()); return false; }
-	// Its fine it seems.. :)
+			if($result->numRows() > 0) {
-	// Lets execute it.
+				error(ERR_USER_EXIST);
-	else
+				return false;
-	{
+			}
-		$db->query($sqlquery);
+		}
-		return true;
-	}
+		// So, user doesn't want to change username or, if he wants, there is not
+		// another user that goes by the wanted username. So, go ahead!
+		$query = "UPDATE users SET
+				username = " . $db->quote($user) . ",
+				fullname = " . $db->quote($fullname) . ",
+				email = " . $db->quote($email) . ",
+				perm_templ = " . $db->quote($perm_templ) . ",
+				description = " . $db->quote($description) . ",
+				active = " . $db->quote($active) ;
+		if($password != "") {
+			$query .= ", password = " . $db->quote(md5($password)) ;
+		}
+		$query .= " WHERE id = " . $db->quote($id) ;
+		$result = $db->query($query);
+		if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+	} else {
+		error(ERR_PERM_EDIT_USER);
+		return false;
+	}
+	return true;
 }
 /*
 * Change the pass of the user.
 * The user is automatically logged out after the pass change.
 * return values: none.
 */
-function change_user_pass($currentpass, $newpass, $newpass2)
+function change_user_pass($details) {
-{
+	global $db;
-	global $db;
+	if ($details['newpass'] != $details['newpass2']) {
-	// Check if the passwords are equal.
-	if($newpass != $newpass2)
-	{
 		error(ERR_USER_MATCH_NEW_PASS);
-	}
+		return false;
+	}
-	// Retrieve the users password.
-	$result = $db->query("SELECT password, id FROM users WHERE username=".$db->quote($_SESSION["userlogin"]));
+	$query = "SELECT id, password FROM users WHERE username = " . $db->quote($_SESSION["userlogin"]);
+	$result = $db->query($query);
+	if (PEAR::isError($response)) { error($response->getMessage()); return false; }
 	$rinfo = $result->fetchRow();
-	// Check the current password versus the database password and execute the update.
+	if(md5($details['currentpass']) == $rinfo['password']) {
-	if(md5($currentpass) == $rinfo["password"])
+		$query = "UPDATE users SET password = " . $db->quote(md5($details['newpass'])) . " WHERE id = " . $db->quote($rinfo['id']) ;
-	{
+		$result = $db->query($query);
-		$sqlquery = "update users set password='" . md5($newpass) . "' where id='" . $rinfo["id"] . "'";
+		if (PEAR::isError($response)) { error($response->getMessage()); return false; }
-		$db->query($sqlquery);
+		logout( _('Password has been changed, please login.'));
-		// Logout the user.
+	} else {
-		logout("Pass changed please re-login");
-	}
-	else
-	{
 		error(ERR_USER_WRONG_CURRENT_PASS);
+		return false;
 	}
 }
 /*
 * Get a fullname when you have a userid.
 * return values: gives the fullname from a userid.
 */
-function get_fullname_from_userid($id)
+function get_fullname_from_userid($id) {
-{
+	global $db;
-	global $db;
+	if (is_numeric($id)) {
-	if (is_numeric($id))
-	{
 		$result = $db->query("SELECT fullname FROM users WHERE id=".$db->quote($id));
 		$r = $result->fetchRow();
 		return $r["fullname"];
-	}
+	} else {
-	else
-	{
 		error(ERR_INV_ARG);
+		return false;
 	}
 }
 /*
 *
 * @todo also fetch the subowners
 * @param $id integer the id of the domain
 * @return String the list of owners for this domain
 */
-function get_owners_from_domainid($id) {
+function get_fullnames_owners_from_domainid($id) {
 global $db;
 if (is_numeric($id))
 {
 $result = $db->query("SELECT users.id, users.fullname FROM users, zones WHERE zones.domain_id=".$db->quote($id)." AND zones.owner=users.id ORDER by fullname");
 }
 }
 error(ERR_INV_ARG);
 }
+function verify_user_is_owner_zoneid($zoneid) {
+	global $db;
+	$userid=$_SESSION["userid"];
+	if (is_numeric($zoneid)) {
+		$result = $db->query("SELECT zones.id
+				FROM zones
+				WHERE zones.owner = " . $db->quote($userid) . "
+				AND zones.domain_id = ". $db->quote($zoneid)) ;
+		if ($result->numRows() == 0) {
+			return "0";
+		} else {
+			return "1";
+		}
+	}
+	error(ERR_INV_ARG);
+}
+function get_user_detail_list($specific) {
+	global $db;
+	$userid=$_SESSION['userid'];
+	if (v_num($specific)) {
+		$sql_add = "AND users.id = " . $db->quote($specific) ;
+	} else {
+		if (verify_permission(user_view_others)) {
+			$sql_add = "";
+		} else {
+			$sql_add = "AND users.id = " . $db->quote($userid) ;
+		}
+	}
+	$query = "SELECT users.id AS uid,
+			username,
+			fullname,
+			email,
+			description AS descr,
+			active,
+			perm_templ.id AS tpl_id,
+			perm_templ.name AS tpl_name,
+			perm_templ.descr AS tpl_descr
+			FROM users, perm_templ
+			WHERE users.perm_templ = perm_templ.id "
+			. $sql_add . "
+			ORDER BY username";
+	$result = $db->query($query);
+	if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+	while ($user = $result->fetchRow()) {
+		$userlist[] = array(
+			"uid"		=>	$user['uid'],
+			"username"	=>	$user['username'],
+			"fullname"	=>	$user['fullname'],
+			"email"		=>	$user['email'],
+			"descr"		=>	$user['descr'],
+			"active"	=>	$user['active'],
+			"tpl_id"	=>	$user['tpl_id'],
+			"tpl_name"	=>	$user['tpl_name'],
+			"tpl_descr"	=>	$user['tpl_descr']
+			);
+	}
+	return $userlist;
+}
+// Get a list of permissions that are available. If first argument is "0", it
+// should return all available permissions. If the first argument is > "0", it
+// should return the permissions assigned to that particular template only. If
+// second argument is true, only the permission names are returned.
+function get_permissions_by_template_id($templ_id=0,$return_name_only=false) {
+	global $db;
+	if ($templ_id > 0) {
+		$limit = ", perm_templ_items
+			WHERE perm_templ_items.templ_id = " . $db->quote($templ_id) . "
+			AND perm_templ_items.perm_id = perm_items.id";
+	}
+	$query = "SELECT perm_items.id AS id,
+			perm_items.name AS name,
+			perm_items.descr AS descr
+			FROM perm_items"
+			. $limit . "
+			ORDER BY descr";
+	$result = $db->query($query);
+	if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+	$permission_list = array();
+	while ($permission = $result->fetchRow()) {
+		if ($return_name_only == false) {
+			$permission_list[] = array(
+				"id"	=>	$permission['id'],
+				"name"	=>	$permission['name'],
+				"descr"	=>	$permission['descr']
+				);
+		} else {
+			$permission_list[] = $permission['name'];
+		}
+	}
+	return $permission_list;
+}
+// Get name and description of template based on template ID.
+function get_permission_template_details($templ_id) {
+	global $db;
+	$query = "SELECT *
+			FROM perm_templ
+			WHERE perm_templ.id = " . $db->quote($templ_id);
+	$result = $db->query($query);
+	if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+	while($details = $result->fetchRow()) {
+		$detail_list[] = array (
+			"name"	=>	$details['name'],
+			"descr"	=>	$details['descr']
+			);
+	}
+	return $detail_list;
+}
+// Get a list of all available permission templates.
+function get_list_permission_templates() {
+	global $db;
+	$query = "SELECT * FROM perm_templ";
+	$result = $db->query($query);
+	if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+	$perm_templ_list = array();
+	while ($perm_templ = $result->fetchRow()) {
+		$perm_templ_list[] = array(
+			"id"	=>	$perm_templ['id'],
+			"name"	=>	$perm_templ['name'],
+			"descr"	=>	$perm_templ['descr']
+			);
+	}
+	return $perm_templ_list;
+}
+// Update all details of a permission template.
+function update_perm_templ_details($details) {
+	global $db;
+	// Fix permission template name and description first.
+	$query = "UPDATE perm_templ
+			SET name = " . $db->quote($details['templ_name']) . ",
+			descr = " . $db->quote($details['templ_descr']) . "
+			WHERE id = " . $db->quote($details['templ_id']) ;
+	$result = $db->query($query);
+	if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+	// Now, update list of permissions assigned to this template. We could do
+	// this The Correct Way [tm] by comparing the list of permissions that are
+	// currently assigned with a list of permissions that should be assigned and
+	// apply the difference between these two lists to the database. That sounds
+	// like to much work. Just delete all the permissions currently assigned to
+	// the template, than assign all the permessions the template should have.
+	$query = "DELETE FROM perm_templ_items WHERE templ_id = " . $details['templ_id'] ;
+	$result = $db->query($query);
+	if (pear::iserror($response)) { error($response->getmessage()); return false; }
+	foreach ($details['perm_id'] AS $perm_id) {
+		$r_insert_values[] = "(''," . $db->quote($details['templ_id']) . "," . $db->quote($perm_id) . ")";
+	}
+	$query = "INSERT INTO perm_templ_items VALUES " . implode(',', $r_insert_values) ;
+	$result = $db->query($query);
+	if (pear::iserror($response)) { error($response->getmessage()); return false; }
+	return true;
+}
+function update_user_details($details) {
+	global $db;
+	verify_permission(user_edit_own) ? $perm_edit_own = "1" : $perm_edit_own = "0" ;
+	verify_permission(user_edit_others) ? $perm_edit_others = "1" : $perm_edit_others = "0" ;
+	if (($details['uid'] == $_SESSION["userid"] && $perm_edit_own == "1") ||
+			($details['uid'] != $_SESSION["userid"] && $perm_edit_others == "1" )) {
+		if (!is_valid_email($details['email'])) {
+			error(ERR_INV_EMAIL);
+			return false;
+		}
+		if (!isset($details['active']) || $details['active'] != "on" ) {
+			$active = 0;
+		} else {
+			$active = 1;
+		}
+		// Before updating the database we need to check whether the user wants to
+		// change the username. If the user wants to change the username, we need
+		// to make sure it doesn't already exists.
+		//
+		// First find the current username of the user ID we want to change. If the
+		// current username is not the same as the username that was given by the
+		// user, the username should apparantly changed. If so, check if the "new"
+		// username already exists.
+		$query = "SELECT username FROM users WHERE id = " . $db->quote($details['uid']);
+		$result = $db->query($query);
+		if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+		$usercheck = array();
+		$usercheck = $result->fetchRow();
+		if ($usercheck['username'] != $details['username']) {
+			// Username of user ID in the database is different from the name
+			// we have been given. User wants a change of username. Now, make
+			// sure it doesn't already exist.
+			$query = "SELECT id FROM users WHERE username = " . $db->quote($details['username']);
+			$result = $db->query($query);
+			if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+			if($result->numRows() > 0) {
+				error(ERR_USER_EXIST);
+				return false;
+			}
+		}
+		// So, user doesn't want to change username or, if he wants, there is not
+		// another user that goes by the wanted username. So, go ahead!
+		$query = "UPDATE users SET
+				username = " . $db->quote($details['username']) . ",
+				fullname = " . $db->quote($details['fullname']) . ",
+				email = " . $db->quote($details['email']) . ",
+				perm_templ = " . $db->quote($details['templ_id']) . ",
+				description = " . $db->quote($details['descr']) . ",
+				active = " . $db->quote($active) ;
+		// TODO Check if function works if password is set too.
+		if($details['password'] != "") {
+			$query .= ", password = '" . md5($db->quote($details['password'])) . "' ";
+		}
+		$query .= " WHERE id = " . $db->quote($details['uid']) ;
+		$result = $db->query($query);
+		if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+	} else {
+		error(ERR_PERM_EDIT_USER);
+		return false;
+	}
+	return true;
+}
+// Add a new user
+function add_new_user($details) {
+	global $db;
+	if (!verify_permission(user_add_new)) {
+		error(ERR_PERM_ADD_USER);
+	} elseif (user_exists($details['username'])) {
+		error(ERR_USER_EXISTS);
+	} elseif (!is_valid_email($details['email'])) {
+		error(ERR_INV_EMAIL);
+	} elseif ($details['active'] == 1) {
+		$active = 1;
+	} else {
+		$active = 0;
+	}
+	$query = "INSERT INTO users VALUES ( "
+			. "'', "
+			. $db->quote($details['username']) . ", "
+			. $db->quote(md5($details['password'])) . ", "
+			. $db->quote($details['fullname']) . ", "
+			. $db->quote($details['email']) . ", "
+			. $db->quote($details['descr']) . ", "
+			. $db->quote($details['perm_templ']) . ", "
+			. $db->quote($active)
+			. ")";
+	$result = $db->query($query);
+	if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+	return true;
+}
 ?>

changeset 82	c255196bc447
parent 74	43c31dc98305
child 83	90fbb34b3d97