inc/users.inc.php
changeset 82 c255196bc447
parent 74 43c31dc98305
child 83 90fbb34b3d97
--- a/inc/users.inc.php	Wed Mar 12 20:45:56 2008 +0000
+++ b/inc/users.inc.php	Tue Mar 25 22:45:31 2008 +0000
@@ -21,6 +21,77 @@
 
 require_once("inc/toolkit.inc.php");
 
+
+/* 
+ *  Function to see if user has right to do something. It will check if
+ *  user has "ueberuser" bit set. If it isn't, it will check if the user has
+ *  the specific permission. It returns "false" if the user doesn't have the
+ *  right, and "true" if the user has. 
+ */
+
+function verify_permission($permission) {
+
+        global $db;
+
+	if ((!isset($_SESSION['userid'])) || (!is_object($db))) {
+		return 0;
+	}
+
+        // Set current user ID.
+        $userid=$_SESSION['userid'];
+
+        // Find the template ID that this user has been assigned.
+        $query = "SELECT perm_templ
+			FROM users 
+			WHERE id = " . $db->quote($userid) ;
+        $templ_id = $db->queryOne($query);
+
+        // Does this user have ueberuser rights?
+        $query = "SELECT id 
+			FROM perm_templ_items 
+			WHERE templ_id = " . $db->quote($templ_id) . " 
+			AND perm_id = '53'";
+        $result = $db->query($query);
+        if ( $result->numRows() > 0 ) {
+                return 1;
+        }
+
+        // Find the permission ID for the requested permission.
+        $query = "SELECT id 
+			FROM perm_items 
+			WHERE name = " . $db->quote($permission) ;
+        $perm_id = $db->queryOne($query);
+
+        // Check if the permission ID is assigned to the template ID. 
+        $query = "SELECT id 
+			FROM perm_templ_items 
+			WHERE templ_id = " . $db->quote($templ_id) . " 
+			AND perm_id = " . $db->quote($perm_id) ;
+        $result = $db->query($query);
+        if ( $result->numRows() > 0 ) {
+                return 1;
+        } else {
+                return 0;
+        }
+}
+
+function list_permission_templates() {
+	global $db;
+	$query = "SELECT * FROM perm_templ";
+	$result = $db->query($query);
+	if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+
+	$template_list = array();
+	while ($template= $result->fetchRow()) {
+		$tempate_list[] = array(
+			"id"	=>	$template['id'],
+			"name"	=>	$template['name'],
+			"descr"	=>	$template['descr']
+			);
+	}
+	return $tempate_list;
+}
+
 /*
  * Retrieve all users.
  * Its to show_users therefore the odd name. Has to be changed.
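Review bot: The error check `if (PEAR::isError($response))` in list_permission_templates tests `$response`, which is never assigned anywhere — the query return value is in `$result` — so a failed query is never reported and `fetchRow()` is then called on a PEAR_Error; it should read `if (PEAR::isError($result)) { error($result->getMessage()); return false; }`. The same copy-pasted check appears in every later hunk of this commit (delete_user, edit_user, change_user_pass, get_user_detail_list, get_permissions_by_template_id, get_permission_template_details, get_list_permission_templates, update_perm_templ_details, update_user_details, add_new_user). In the same function `$template_list = array();` is initialised but the loop appends to and returns the misspelled `$tempate_list`, which is null rather than an empty array when the table has no rows. In verify_permission the ueberuser test hard-codes `perm_id = '53'`; a named constant, or at least a comment tying 53 to the perm_items row it refers to, would keep the check from silently breaking if the seed data changes.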
@@ -42,8 +113,8 @@
 		users.fullname AS fullname,
 		users.email AS email,
 		users.description AS description,
-		users.level AS level,
 		users.active AS active,
+		users.perm_templ AS perm_templ,
 		count(zones.owner) AS aantal FROM users
 		LEFT JOIN zones ON users.id=zones.owner$add
 		GROUP BY
@@ -52,7 +123,7 @@
 			users.fullname,
 			users.email,
 			users.description,
-			users.level,
+			users.perm_templ,
 			users.active
 		ORDER BY
 			users.fullname";
@@ -102,33 +173,6 @@
 
 
 /*
- * Gives a textdescribed value of the given levelid
- * return values: the text associated with the level
- */
-function leveldescription($id)
-{
-	switch($id)
-	{
-		case 1:
-			global $NAME_LEVEL_1;
-			return $NAME_LEVEL_1;
-			break;
-		case 5:
-			global $NAME_LEVEL_5;
-			return $NAME_LEVEL_5;
-			break;
-		case 10:
-			global $NAME_LEVEL_10;
-			return $NAME_LEVEL_10;
-			break;
-		default:
-			return "Unknown";
-			break;
-	}
-}
-
-
-/*
  * Checks if a given username exists in the database.
  * return values: true if exists, false if not.
  */
@@ -151,79 +195,39 @@
 }
 
 
-/*
- * Get all user info for the given user in an array.
- * return values: the database style array with the information about the user.
- */
-function get_user_info($id)
-{
-	global $db;
-	if (is_numeric($id))
-	{
-		$result = $db->query("SELECT id, username, fullname, email, description, level, active from users where id=".$db->quote($id));
-		$r = $result->fetchRow();
-		return $r;
-	}
-	else
-	{
-		error(sprintf(ERR_INV_ARGC,"get_user_info", "you gave illegal arguments: $id"));
-	}
-}
-
 
 /*
  * Delete a user from the system
  * return values: true if user doesnt exist.
  */
-function delete_user($id)
+function delete_user($uid,$zones)
 {
 	global $db;
-	if (!level(10))
-	{
-		error(ERR_LEVEL_10);
-	}
-	if (is_numeric($id))
-	{
-        	$db->query("DELETE FROM users WHERE id=".$db->quote($id));
-        	$db->query("DELETE FROM zones WHERE owner=".$db->quote($id));
-        	return true;
-        	// No need to check the affected rows. If the affected rows would be 0,
-        	// the user isnt in the dbase, just as we want.
-        }
-	else
-	{
-		error(ERR_INV_ARG);
-	}
-}
 
+	if (($uid != $_SESSION['userid'] && !verify_permission(user_edit_others)) || ($uid == $_SESSION['userid'] && !verify_permission(user_edit_own))) {
+		 error(ERR_PERM_DEL_USER);
+		 return false;
+	} else {
 
-/*
- * Adds a user to the system.
- * return values: true if succesfully added.
- */
-function add_user($user, $password, $fullname, $email, $level, $description, $active)
-{
-	global $db;
-	if (!level(10))
-	{
-		error(ERR_LEVEL_10);
+		if (is_array($zones)) {
+			foreach ($zones as $zone) {
+				if ($zone['target'] == "delete") {
+					delete_domain($zone['zid']);
+				} elseif ($zone['target'] == "new_owner") {
+					add_owner_to_zone($zone['zid'], $zone['newowner']);
+				}
+			}
+		}
+
+		$query = "DELETE FROM zones WHERE owner = " . $db->quote($uid) ;
+		$result = $db->query($query);
+		if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+
+		$query = "DELETE FROM users WHERE id = " . $db->quote($uid) ;
+		$result = $db->query($query);
+		if (PEAR::isError($response)) { error($response->getMessage()); return false; }
 	}
-	if (!user_exists($user))
-	{
-		if (!is_valid_email($email)) 
-		{
-			error(ERR_INV_EMAIL);
-		}
-		if ($active != 1) {
-			$active = 0;
-		}
-		$db->query("INSERT INTO users (username, password, fullname, email, description, level, active) VALUES (".$db->quote($user).", '" . md5($password) . "', ".$db->quote($fullname).", ".$db->quote($email).", ".$db->quote($description).", ".$db->quote($level).", ".$db->quote($active).")");
-		return true;
-	}
-	else
-	{
-		error(ERR_USER_EXISTS);
-	}
+	return true;
 }
 
 
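Review bot: The permission names in `verify_permission(user_edit_others)` and `verify_permission(user_edit_own)` are bare words rather than strings; unless these are `define()`d elsewhere, PHP only falls back to the literal string with a notice (and newer versions fail hard), so they should be quoted: `verify_permission('user_edit_others')`. The same form is used in edit_user, get_user_detail_list, update_user_details and add_new_user in later hunks. The `$zones` loop calls delete_domain() and add_owner_to_zone() on whatever zone ids it is handed without confirming they belong to `$uid`; if the caller does not filter that list, a request could delete or reassign zones unrelated to the user being removed, so a per-iteration check that `$zone['zid']` is owned by `$uid` belongs inside the loop. The two DELETEs also run outside a transaction, so a failure between them leaves orphaned zone rows.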
@@ -231,57 +235,81 @@
  * Edit the information of an user.. sloppy implementation with too many queries.. (2) :)
  * return values: true if succesful
  */
-function edit_user($id, $user, $fullname, $email, $level, $description, $active, $password)
+function edit_user($id, $user, $fullname, $email, $perm_templ, $description, $active, $password)
 {
 	global $db;
-	if(!level(10)) {
-		error(ERR_LEVEL_10);
-	}
+
+	verify_permission(user_edit_own) ? $perm_edit_own = "1" : $perm_edit_own = "0" ;
+	verify_permission(user_edit_others) ? $perm_edit_others = "1" : $perm_edit_others = "0" ;
+
+	if (($id == $_SESSION["userid"] && $perm_edit_own == "1") || ($id != $_SESSION["userid"] && $perm_edit_others == "1" )) {
+
+		if (!is_valid_email($email)) {
+			error(ERR_INV_EMAIL);
+			return false;
+		}
 
-	if (!is_valid_email($email)) 
-	{
-		error(ERR_INV_EMAIL);
-	}
-	if ($active != 1) {
-		$active = 0;
-	}
-	$sqlquery = "UPDATE users set username=".$db->quote($user).", fullname=".$db->quote($fullname).", email=".$db->quote($email).", level=".$db->quote($level).", description=".$db->quote($description).", active=".$db->quote($active);
+		if ($active != 1) {
+			$active = 0;
+		}
+		
+		// Before updating the database we need to check whether the user wants to 
+		// change the username. If the user wants to change the username, we need 
+		// to make sure it doesn't already exists. 
+		//
+		// First find the current username of the user ID we want to change. If the 
+		// current username is not the same as the username that was given by the 
+		// user, the username should apparantly changed. If so, check if the "new" 
+		// username already exists.
 
-	if($password != "")
-	{
-		$sqlquery .= ", password= '" . md5($password) . "' ";
-	}
+		$query = "SELECT username FROM users WHERE id = " . $db->quote($id);
+		$result = $db->query($query);
+		if (PEAR::isError($response)) { error($response->getMessage()); return false; }
 
-	$sqlquery .= " WHERE id=".$db->quote($id) ;
+		$usercheck = array();
+		$usercheck = $result->fetchRow();
 
-  	// Search the username that right now goes with this ID.
-	$result = $db->query("SELECT username from users where id=".$db->quote($id));
-	$r = array();
-	$r = $result->fetchRow();
+		if ($usercheck['username'] != $user) {
+			
+			// Username of user ID in the database is different from the name
+			// we have been given. User wants a change of username. Now, make
+			// sure it doesn't already exist.
+			
+			$query = "SELECT id FROM users WHERE username = " . $db->query($user);
+			$result = $db->query($query);
+			if (PEAR::isError($response)) { error($response->getMessage()); return false; }
 
-  	// If the found username with this ID is the given username with the command.. execute.
+			if($result->numRows() > 0) {
+				error(ERR_USER_EXIST);
+				return false;
+			}
+		}
 
-	if($r["username"] == $user)
-	{
-		$db->query($sqlquery);
-  		return true;
-  	}
+		// So, user doesn't want to change username or, if he wants, there is not
+		// another user that goes by the wanted username. So, go ahead!
 
-  	// Its not.. so the user wants to change.
-  	// Find if there is an id that has the wished username.
-  	$otheruser = $db->query("SELECT id from users where username=".$db->query($user));
-  	if($otheruser->numRows() > 0)
-  	{
-  		error(ERR_USER_EXIST);
-  	}
+		$query = "UPDATE users SET
+				username = " . $db->quote($user) . ",
+				fullname = " . $db->quote($fullname) . ",
+				email = " . $db->quote($email) . ",
+				perm_templ = " . $db->quote($perm_templ) . ",
+				description = " . $db->quote($description) . ", 
+				active = " . $db->quote($active) ;
 
-  	// Its fine it seems.. :)
-  	// Lets execute it.
-  	else
-  	{
-		$db->query($sqlquery);
-		return true;
+		if($password != "") {
+			$query .= ", password = " . $db->quote(md5($password)) ;
+		}
+
+		$query .= " WHERE id = " . $db->quote($id) ;
+
+		$result = $db->query($query);
+		if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+		
+	} else {
+		error(ERR_PERM_EDIT_USER);
+		return false;
 	}
+	return true;
 }
 
 /*
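Review bot: The duplicate-username lookup builds its SQL with `$db->query($user)` instead of `$db->quote($user)`: the username supplied by the caller is executed as its own SQL statement, and the resulting object (or PEAR_Error) is then concatenated into the SELECT. The old code had the same slip and this rewrite keeps it; the line should be `$query = "SELECT id FROM users WHERE username = " . $db->quote($user);`. The pair of `verify_permission(...) ? $x = "1" : $x = "0";` statements would read more plainly as `$perm_edit_own = verify_permission(user_edit_own) ? "1" : "0";`.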
@@ -289,32 +317,29 @@
  * The user is automatically logged out after the pass change.
  * return values: none.
  */
-function change_user_pass($currentpass, $newpass, $newpass2)
-{
+function change_user_pass($details) {
 	global $db;
-
-	// Check if the passwords are equal.
-	if($newpass != $newpass2)
-	{
+	
+	if ($details['newpass'] != $details['newpass2']) {
 		error(ERR_USER_MATCH_NEW_PASS);
+		return false;
 	}
 
-	// Retrieve the users password.
-	$result = $db->query("SELECT password, id FROM users WHERE username=".$db->quote($_SESSION["userlogin"]));
+	$query = "SELECT id, password FROM users WHERE username = " . $db->quote($_SESSION["userlogin"]);
+	$result = $db->query($query);
+	if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+
 	$rinfo = $result->fetchRow();
 
-	// Check the current password versus the database password and execute the update.
-	if(md5($currentpass) == $rinfo["password"])
-	{
-		$sqlquery = "update users set password='" . md5($newpass) . "' where id='" . $rinfo["id"] . "'";
-		$db->query($sqlquery);
+	if(md5($details['currentpass']) == $rinfo['password']) {
+		$query = "UPDATE users SET password = " . $db->quote(md5($details['newpass'])) . " WHERE id = " . $db->quote($rinfo['id']) ;
+		$result = $db->query($query);
+		if (PEAR::isError($response)) { error($response->getMessage()); return false; }
 
-		// Logout the user.
-		logout("Pass changed please re-login");
-	}
-	else
-	{
+		logout( _('Password has been changed, please login.')); 
+	} else {
 		error(ERR_USER_WRONG_CURRENT_PASS);
+		return false;
 	}
 }
 
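Review bot: The current-password check `md5($details['currentpass']) == $rinfo['password']` uses loose comparison; two hex digests of the form `0e…` compare equal as numbers under `==`, so this should be `===` (or `hash_equals($rinfo['password'], md5($details['currentpass']))`). `$rinfo` is also indexed without checking that fetchRow() returned a row for the session's userlogin. The function returns false on every failure path but nothing after the successful `logout(...)` call; if logout() does not exit, a `return true;` there would keep the contract consistent with the other rewritten functions.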
@@ -323,18 +348,15 @@
  * Get a fullname when you have a userid.
  * return values: gives the fullname from a userid.
  */
-function get_fullname_from_userid($id)
-{
+function get_fullname_from_userid($id) {
 	global $db;
-	if (is_numeric($id))
-	{
+	if (is_numeric($id)) {
 		$result = $db->query("SELECT fullname FROM users WHERE id=".$db->quote($id));
 		$r = $result->fetchRow();
 		return $r["fullname"];
-	}
-	else
-	{
+	} else {
 		error(ERR_INV_ARG);
+		return false;
 	}
 }
 
@@ -369,7 +391,7 @@
  * @param $id integer the id of the domain
  * @return String the list of owners for this domain
  */
-function get_owners_from_domainid($id) {
+function get_fullnames_owners_from_domainid($id) {
       
       global $db;
       if (is_numeric($id))
@@ -392,4 +414,311 @@
       error(ERR_INV_ARG);
 }
 
+
+
+function verify_user_is_owner_zoneid($zoneid) {
+	global $db;
+
+	$userid=$_SESSION["userid"];
+
+	if (is_numeric($zoneid)) {
+		$result = $db->query("SELECT zones.id 
+				FROM zones 
+				WHERE zones.owner = " . $db->quote($userid) . "
+				AND zones.domain_id = ". $db->quote($zoneid)) ;
+		if ($result->numRows() == 0) {
+			return "0";
+		} else {
+			return "1";
+		}
+	}
+	error(ERR_INV_ARG);
+}
+
+
+function get_user_detail_list($specific) {
+
+	global $db;
+	$userid=$_SESSION['userid'];
+
+
+	if (v_num($specific)) {
+		$sql_add = "AND users.id = " . $db->quote($specific) ;
+	} else {
+		if (verify_permission(user_view_others)) {
+			$sql_add = "";
+		} else {
+			$sql_add = "AND users.id = " . $db->quote($userid) ;
+		}
+	}
+
+	$query = "SELECT users.id AS uid, 
+			username, 
+			fullname, 
+			email, 
+			description AS descr,
+			active,
+			perm_templ.id AS tpl_id,
+			perm_templ.name AS tpl_name,
+			perm_templ.descr AS tpl_descr
+			FROM users, perm_templ 
+			WHERE users.perm_templ = perm_templ.id " 
+			. $sql_add . "
+			ORDER BY username";
+
+	$result = $db->query($query);
+	if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+	
+	while ($user = $result->fetchRow()) {
+		$userlist[] = array(
+			"uid"		=>	$user['uid'],
+			"username"	=>	$user['username'],
+			"fullname"	=>	$user['fullname'],
+			"email"		=>	$user['email'],
+			"descr"		=>	$user['descr'],
+			"active"	=>	$user['active'],
+			"tpl_id"	=>	$user['tpl_id'],
+			"tpl_name"	=>	$user['tpl_name'],
+			"tpl_descr"	=>	$user['tpl_descr']
+			);
+	}
+	return $userlist;
+}
+
+
+// Get a list of permissions that are available. If first argument is "0", it
+// should return all available permissions. If the first argument is > "0", it
+// should return the permissions assigned to that particular template only. If
+// second argument is true, only the permission names are returned.
+
+function get_permissions_by_template_id($templ_id=0,$return_name_only=false) {
+	global $db;
+	
+	if ($templ_id > 0) {
+		$limit = ", perm_templ_items 
+			WHERE perm_templ_items.templ_id = " . $db->quote($templ_id) . "
+			AND perm_templ_items.perm_id = perm_items.id";
+	}
+
+	$query = "SELECT perm_items.id AS id, 
+			perm_items.name AS name, 
+			perm_items.descr AS descr
+			FROM perm_items" 
+			. $limit . "
+			ORDER BY descr";
+	$result = $db->query($query);
+	if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+
+	$permission_list = array();
+	while ($permission = $result->fetchRow()) {
+		if ($return_name_only == false) {
+			$permission_list[] = array(
+				"id"	=>	$permission['id'],
+				"name"	=>	$permission['name'],
+				"descr"	=>	$permission['descr']
+				);
+		} else {
+			$permission_list[] = $permission['name'];
+		}
+	}
+	return $permission_list;
+}
+
+
+// Get name and description of template based on template ID.
+
+function get_permission_template_details($templ_id) {
+	global $db;
+
+	$query = "SELECT *
+			FROM perm_templ
+			WHERE perm_templ.id = " . $db->quote($templ_id);
+
+	$result = $db->query($query);
+	if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+
+	while($details = $result->fetchRow()) {
+		$detail_list[] = array (
+			"name"	=>	$details['name'],
+			"descr"	=>	$details['descr']
+			);
+	}
+	return $detail_list;
+}	
+
+
+// Get a list of all available permission templates.
+
+function get_list_permission_templates() {
+	global $db;
+
+	$query = "SELECT * FROM perm_templ";
+	$result = $db->query($query);
+	if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+
+	$perm_templ_list = array();
+	while ($perm_templ = $result->fetchRow()) {
+		$perm_templ_list[] = array(
+			"id"	=>	$perm_templ['id'],
+			"name"	=>	$perm_templ['name'],
+			"descr"	=>	$perm_templ['descr']
+			);
+	}
+	return $perm_templ_list;
+}
+
+
+// Update all details of a permission template.
+
+function update_perm_templ_details($details) {
+	global $db;
+
+	// Fix permission template name and description first. 
+
+	$query = "UPDATE perm_templ 
+			SET name = " . $db->quote($details['templ_name']) . ",
+			descr = " . $db->quote($details['templ_descr']) . "
+			WHERE id = " . $db->quote($details['templ_id']) ;
+	
+	$result = $db->query($query);
+	if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+
+	// Now, update list of permissions assigned to this template. We could do 
+	// this The Correct Way [tm] by comparing the list of permissions that are
+	// currently assigned with a list of permissions that should be assigned and
+	// apply the difference between these two lists to the database. That sounds 
+	// like to much work. Just delete all the permissions currently assigned to 
+	// the template, than assign all the permessions the template should have.
+
+	$query = "DELETE FROM perm_templ_items WHERE templ_id = " . $details['templ_id'] ;
+	$result = $db->query($query);
+	if (pear::iserror($response)) { error($response->getmessage()); return false; }
+
+	foreach ($details['perm_id'] AS $perm_id) {
+		$r_insert_values[] = "(''," . $db->quote($details['templ_id']) . "," . $db->quote($perm_id) . ")";
+	}
+	$query = "INSERT INTO perm_templ_items VALUES " . implode(',', $r_insert_values) ;
+	$result = $db->query($query);
+	if (pear::iserror($response)) { error($response->getmessage()); return false; }
+
+	return true;
+}
+
+function update_user_details($details) {
+
+	global $db;
+
+	verify_permission(user_edit_own) ? $perm_edit_own = "1" : $perm_edit_own = "0" ;
+	verify_permission(user_edit_others) ? $perm_edit_others = "1" : $perm_edit_others = "0" ;
+
+	if (($details['uid'] == $_SESSION["userid"] && $perm_edit_own == "1") || 
+			($details['uid'] != $_SESSION["userid"] && $perm_edit_others == "1" )) {
+
+		if (!is_valid_email($details['email'])) {
+			error(ERR_INV_EMAIL);
+			return false;
+		}
+
+		if (!isset($details['active']) || $details['active'] != "on" ) {
+			$active = 0;
+		} else {
+			$active = 1;
+		}
+
+		// Before updating the database we need to check whether the user wants to 
+		// change the username. If the user wants to change the username, we need 
+		// to make sure it doesn't already exists. 
+		//
+		// First find the current username of the user ID we want to change. If the 
+		// current username is not the same as the username that was given by the 
+		// user, the username should apparantly changed. If so, check if the "new" 
+		// username already exists.
+		$query = "SELECT username FROM users WHERE id = " . $db->quote($details['uid']);
+		$result = $db->query($query);
+		if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+
+		$usercheck = array();
+		$usercheck = $result->fetchRow();
+
+		if ($usercheck['username'] != $details['username']) {
+			// Username of user ID in the database is different from the name
+			// we have been given. User wants a change of username. Now, make
+			// sure it doesn't already exist.
+			$query = "SELECT id FROM users WHERE username = " . $db->quote($details['username']);
+			$result = $db->query($query);
+			if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+
+			if($result->numRows() > 0) {
+				error(ERR_USER_EXIST);
+				return false;
+			}
+		}
+
+		// So, user doesn't want to change username or, if he wants, there is not
+		// another user that goes by the wanted username. So, go ahead!
+
+		$query = "UPDATE users SET
+				username = " . $db->quote($details['username']) . ",
+				fullname = " . $db->quote($details['fullname']) . ",
+				email = " . $db->quote($details['email']) . ",
+				perm_templ = " . $db->quote($details['templ_id']) . ",
+				description = " . $db->quote($details['descr']) . ", 
+				active = " . $db->quote($active) ;
+
+		// TODO Check if function works if password is set too.
+		if($details['password'] != "") {
+			$query .= ", password = '" . md5($db->quote($details['password'])) . "' ";
+		}
+
+		$query .= " WHERE id = " . $db->quote($details['uid']) ;
+
+		$result = $db->query($query);
+		if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+
+	} else {
+		error(ERR_PERM_EDIT_USER);
+		return false;
+	}
+	return true;		
+}
+
+// Add a new user
+
+function add_new_user($details) {
+	global $db;
+
+	if (!verify_permission(user_add_new)) {
+		error(ERR_PERM_ADD_USER);
+
+	} elseif (user_exists($details['username'])) {
+		error(ERR_USER_EXISTS);
+
+	} elseif (!is_valid_email($details['email'])) {
+		error(ERR_INV_EMAIL);
+	
+	} elseif ($details['active'] == 1) {
+		$active = 1;
+	} else {
+		$active = 0;
+	}
+
+	$query = "INSERT INTO users VALUES ( "
+			. "'', "
+			. $db->quote($details['username']) . ", "
+			. $db->quote(md5($details['password'])) . ", "
+			. $db->quote($details['fullname']) . ", "
+			. $db->quote($details['email']) . ", "
+			. $db->quote($details['descr']) . ", "
+			. $db->quote($details['perm_templ']) . ", "
+			. $db->quote($active) 
+			. ")";
+
+	$result = $db->query($query);
+	if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+	
+	return true;
+}
+
+			
+
 ?>
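Review bot: add_new_user runs the INSERT even when the permission, duplicate-username or e-mail check fails: each `error(...)` branch lacks a `return false;`, so unless error() terminates the script, a caller without user_add_new still gets a user row written (with `$active` undefined); add `return false;` after each of the three error() calls. In update_perm_templ_details the DELETE at `WHERE templ_id = " . $details['templ_id']` concatenates the id unquoted, unlike the UPDATE just above it, and should be `$db->quote($details['templ_id'])`; `$r_insert_values` is also undefined when `$details['perm_id']` is empty, producing a malformed INSERT. update_user_details hashes the quoted value, `md5($db->quote($details['password']))`, so the stored digest includes the quote characters and can never match the `md5($details['currentpass'])` comparison in change_user_pass; it should be `$db->quote(md5($details['password']))` as add_new_user does. get_user_detail_list and get_permission_template_details return an uninitialised `$userlist`/`$detail_list` (null, not an array) when no rows match, and `$limit` in get_permissions_by_template_id is undefined when `$templ_id` is 0.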