--- a/inc/users.inc.php Wed Mar 12 20:45:56 2008 +0000
+++ b/inc/users.inc.php Tue Mar 25 22:45:31 2008 +0000
@@ -21,6 +21,77 @@
require_once("inc/toolkit.inc.php");
+
+/*
+ * Function to see if user has right to do something. It will check if
+ * user has "ueberuser" bit set. If it isn't, it will check if the user has
+ * the specific permission. It returns "false" if the user doesn't have the
+ * right, and "true" if the user has.
+ */
+
+function verify_permission($permission) {
+
+ global $db;
+
+ if ((!isset($_SESSION['userid'])) || (!is_object($db))) {
+ return 0;
+ }
+
+ // Set current user ID.
+ $userid=$_SESSION['userid'];
+
+ // Find the template ID that this user has been assigned.
+ $query = "SELECT perm_templ
+ FROM users
+ WHERE id = " . $db->quote($userid) ;
+ $templ_id = $db->queryOne($query);
+
+ // Does this user have ueberuser rights?
+ $query = "SELECT id
+ FROM perm_templ_items
+ WHERE templ_id = " . $db->quote($templ_id) . "
+ AND perm_id = '53'";
+ $result = $db->query($query);
+ if ( $result->numRows() > 0 ) {
+ return 1;
+ }
+
+ // Find the permission ID for the requested permission.
+ $query = "SELECT id
+ FROM perm_items
+ WHERE name = " . $db->quote($permission) ;
+ $perm_id = $db->queryOne($query);
+
+ // Check if the permission ID is assigned to the template ID.
+ $query = "SELECT id
+ FROM perm_templ_items
+ WHERE templ_id = " . $db->quote($templ_id) . "
+ AND perm_id = " . $db->quote($perm_id) ;
+ $result = $db->query($query);
+ if ( $result->numRows() > 0 ) {
+ return 1;
+ } else {
+ return 0;
+ }
+}
+
+function list_permission_templates() {
+ global $db;
+ $query = "SELECT * FROM perm_templ";
+ $result = $db->query($query);
+ if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+
+ $template_list = array();
+ while ($template= $result->fetchRow()) {
+ $tempate_list[] = array(
+ "id" => $template['id'],
+ "name" => $template['name'],
+ "descr" => $template['descr']
+ );
+ }
+ return $tempate_list;
+}
+
/*
* Retrieve all users.
* Its to show_users therefore the odd name. Has to be changed.
@@ -42,8 +113,8 @@
users.fullname AS fullname,
users.email AS email,
users.description AS description,
- users.level AS level,
users.active AS active,
+ users.perm_templ AS perm_templ,
count(zones.owner) AS aantal FROM users
LEFT JOIN zones ON users.id=zones.owner$add
GROUP BY
@@ -52,7 +123,7 @@
users.fullname,
users.email,
users.description,
- users.level,
+ users.perm_templ,
users.active
ORDER BY
users.fullname";
@@ -102,33 +173,6 @@
/*
- * Gives a textdescribed value of the given levelid
- * return values: the text associated with the level
- */
-function leveldescription($id)
-{
- switch($id)
- {
- case 1:
- global $NAME_LEVEL_1;
- return $NAME_LEVEL_1;
- break;
- case 5:
- global $NAME_LEVEL_5;
- return $NAME_LEVEL_5;
- break;
- case 10:
- global $NAME_LEVEL_10;
- return $NAME_LEVEL_10;
- break;
- default:
- return "Unknown";
- break;
- }
-}
-
-
-/*
* Checks if a given username exists in the database.
* return values: true if exists, false if not.
*/
@@ -151,79 +195,39 @@
}
-/*
- * Get all user info for the given user in an array.
- * return values: the database style array with the information about the user.
- */
-function get_user_info($id)
-{
- global $db;
- if (is_numeric($id))
- {
- $result = $db->query("SELECT id, username, fullname, email, description, level, active from users where id=".$db->quote($id));
- $r = $result->fetchRow();
- return $r;
- }
- else
- {
- error(sprintf(ERR_INV_ARGC,"get_user_info", "you gave illegal arguments: $id"));
- }
-}
-
/*
* Delete a user from the system
* return values: true if user doesnt exist.
*/
-function delete_user($id)
+function delete_user($uid,$zones)
{
global $db;
- if (!level(10))
- {
- error(ERR_LEVEL_10);
- }
- if (is_numeric($id))
- {
- $db->query("DELETE FROM users WHERE id=".$db->quote($id));
- $db->query("DELETE FROM zones WHERE owner=".$db->quote($id));
- return true;
- // No need to check the affected rows. If the affected rows would be 0,
- // the user isnt in the dbase, just as we want.
- }
- else
- {
- error(ERR_INV_ARG);
- }
-}
+ if (($uid != $_SESSION['userid'] && !verify_permission(user_edit_others)) || ($uid == $_SESSION['userid'] && !verify_permission(user_edit_own))) {
+ error(ERR_PERM_DEL_USER);
+ return false;
+ } else {
-/*
- * Adds a user to the system.
- * return values: true if succesfully added.
- */
-function add_user($user, $password, $fullname, $email, $level, $description, $active)
-{
- global $db;
- if (!level(10))
- {
- error(ERR_LEVEL_10);
+ if (is_array($zones)) {
+ foreach ($zones as $zone) {
+ if ($zone['target'] == "delete") {
+ delete_domain($zone['zid']);
+ } elseif ($zone['target'] == "new_owner") {
+ add_owner_to_zone($zone['zid'], $zone['newowner']);
+ }
+ }
+ }
+
+ $query = "DELETE FROM zones WHERE owner = " . $db->quote($uid) ;
+ $result = $db->query($query);
+ if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+
+ $query = "DELETE FROM users WHERE id = " . $db->quote($uid) ;
+ $result = $db->query($query);
+ if (PEAR::isError($response)) { error($response->getMessage()); return false; }
}
- if (!user_exists($user))
- {
- if (!is_valid_email($email))
- {
- error(ERR_INV_EMAIL);
- }
- if ($active != 1) {
- $active = 0;
- }
- $db->query("INSERT INTO users (username, password, fullname, email, description, level, active) VALUES (".$db->quote($user).", '" . md5($password) . "', ".$db->quote($fullname).", ".$db->quote($email).", ".$db->quote($description).", ".$db->quote($level).", ".$db->quote($active).")");
- return true;
- }
- else
- {
- error(ERR_USER_EXISTS);
- }
+ return true;
}
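Review bot: The permission names on L176 are written as bare identifiers (`user_edit_others`, `user_edit_own`); unless constants of those names are defined elsewhere, PHP evaluates them as the strings 'user_edit_others'/'user_edit_own' with an undefined-constant notice, so they should be quoted, `verify_permission('user_edit_others')` — the same applies to edit_user (L238–L239) and to get_user_detail_list, update_user_details and add_new_user in the last hunk. The zone actions on L190–L198 call `delete_domain()` and `add_owner_to_zone()` on whatever `zid` the caller supplies without confirming that the zone is actually owned by `$uid`, so the cleanup of one user can touch zones unrelated to that user; restricting those calls to zones matching `owner = $uid` would tie the side effects to the user being deleted. The comparisons of `$uid` with `$_SESSION['userid']` on L176 are loose `==`/`!=`; given both come from untyped sources, `(int) $uid !== (int) $_SESSION['userid']` makes the intent explicit.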
@@ -231,57 +235,81 @@
* Edit the information of an user.. sloppy implementation with too many queries.. (2) :)
* return values: true if succesful
*/
-function edit_user($id, $user, $fullname, $email, $level, $description, $active, $password)
+function edit_user($id, $user, $fullname, $email, $perm_templ, $description, $active, $password)
{
global $db;
- if(!level(10)) {
- error(ERR_LEVEL_10);
- }
+
+ verify_permission(user_edit_own) ? $perm_edit_own = "1" : $perm_edit_own = "0" ;
+ verify_permission(user_edit_others) ? $perm_edit_others = "1" : $perm_edit_others = "0" ;
+
+ if (($id == $_SESSION["userid"] && $perm_edit_own == "1") || ($id != $_SESSION["userid"] && $perm_edit_others == "1" )) {
+
+ if (!is_valid_email($email)) {
+ error(ERR_INV_EMAIL);
+ return false;
+ }
- if (!is_valid_email($email))
- {
- error(ERR_INV_EMAIL);
- }
- if ($active != 1) {
- $active = 0;
- }
- $sqlquery = "UPDATE users set username=".$db->quote($user).", fullname=".$db->quote($fullname).", email=".$db->quote($email).", level=".$db->quote($level).", description=".$db->quote($description).", active=".$db->quote($active);
+ if ($active != 1) {
+ $active = 0;
+ }
+
+ // Before updating the database we need to check whether the user wants to
+ // change the username. If the user wants to change the username, we need
+ // to make sure it doesn't already exists.
+ //
+ // First find the current username of the user ID we want to change. If the
+ // current username is not the same as the username that was given by the
+ // user, the username should apparantly changed. If so, check if the "new"
+ // username already exists.
- if($password != "")
- {
- $sqlquery .= ", password= '" . md5($password) . "' ";
- }
+ $query = "SELECT username FROM users WHERE id = " . $db->quote($id);
+ $result = $db->query($query);
+ if (PEAR::isError($response)) { error($response->getMessage()); return false; }
- $sqlquery .= " WHERE id=".$db->quote($id) ;
+ $usercheck = array();
+ $usercheck = $result->fetchRow();
- // Search the username that right now goes with this ID.
- $result = $db->query("SELECT username from users where id=".$db->quote($id));
- $r = array();
- $r = $result->fetchRow();
+ if ($usercheck['username'] != $user) {
+
+ // Username of user ID in the database is different from the name
+ // we have been given. User wants a change of username. Now, make
+ // sure it doesn't already exist.
+
+ $query = "SELECT id FROM users WHERE username = " . $db->query($user);
+ $result = $db->query($query);
+ if (PEAR::isError($response)) { error($response->getMessage()); return false; }
- // If the found username with this ID is the given username with the command.. execute.
+ if($result->numRows() > 0) {
+ error(ERR_USER_EXIST);
+ return false;
+ }
+ }
- if($r["username"] == $user)
- {
- $db->query($sqlquery);
- return true;
- }
+ // So, user doesn't want to change username or, if he wants, there is not
+ // another user that goes by the wanted username. So, go ahead!
- // Its not.. so the user wants to change.
- // Find if there is an id that has the wished username.
- $otheruser = $db->query("SELECT id from users where username=".$db->query($user));
- if($otheruser->numRows() > 0)
- {
- error(ERR_USER_EXIST);
- }
+ $query = "UPDATE users SET
+ username = " . $db->quote($user) . ",
+ fullname = " . $db->quote($fullname) . ",
+ email = " . $db->quote($email) . ",
+ perm_templ = " . $db->quote($perm_templ) . ",
+ description = " . $db->quote($description) . ",
+ active = " . $db->quote($active) ;
- // Its fine it seems.. :)
- // Lets execute it.
- else
- {
- $db->query($sqlquery);
- return true;
+ if($password != "") {
+ $query .= ", password = " . $db->quote(md5($password)) ;
+ }
+
+ $query .= " WHERE id = " . $db->quote($id) ;
+
+ $result = $db->query($query);
+ if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+
+ } else {
+ error(ERR_PERM_EDIT_USER);
+ return false;
}
+ return true;
}
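Review bot: L287 builds the duplicate-username check with `$db->query($user)` instead of `$db->quote($user)`, which executes the caller-supplied username as its own SQL statement and then concatenates the returned object into the SELECT; the line should be `$query = "SELECT id FROM users WHERE username = " . $db->quote($user);` (the removed L305 had the same mistake, and update_user_details in the last hunk already uses the correct form on L646). The permission flags on L238–L239 use a ternary purely for its side effect on two string variables; `$perm_edit_own = verify_permission('user_edit_own') ? "1" : "0";` reads as the assignment it is, and the L241 condition could then test the function results directly. `$usercheck` on L275 is initialised to an empty array and immediately overwritten on L276, and `$usercheck['username']` on L281 is read without checking that `fetchRow()` returned a row for `$id`.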
/*
@@ -289,32 +317,29 @@
* The user is automatically logged out after the pass change.
* return values: none.
*/
-function change_user_pass($currentpass, $newpass, $newpass2)
-{
+function change_user_pass($details) {
global $db;
-
- // Check if the passwords are equal.
- if($newpass != $newpass2)
- {
+
+ if ($details['newpass'] != $details['newpass2']) {
error(ERR_USER_MATCH_NEW_PASS);
+ return false;
}
- // Retrieve the users password.
- $result = $db->query("SELECT password, id FROM users WHERE username=".$db->quote($_SESSION["userlogin"]));
+ $query = "SELECT id, password FROM users WHERE username = " . $db->quote($_SESSION["userlogin"]);
+ $result = $db->query($query);
+ if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+
$rinfo = $result->fetchRow();
- // Check the current password versus the database password and execute the update.
- if(md5($currentpass) == $rinfo["password"])
- {
- $sqlquery = "update users set password='" . md5($newpass) . "' where id='" . $rinfo["id"] . "'";
- $db->query($sqlquery);
+ if(md5($details['currentpass']) == $rinfo['password']) {
+ $query = "UPDATE users SET password = " . $db->quote(md5($details['newpass'])) . " WHERE id = " . $db->quote($rinfo['id']) ;
+ $result = $db->query($query);
+ if (PEAR::isError($response)) { error($response->getMessage()); return false; }
- // Logout the user.
- logout("Pass changed please re-login");
- }
- else
- {
+ logout( _('Password has been changed, please login.'));
+ } else {
error(ERR_USER_WRONG_CURRENT_PASS);
+ return false;
}
}
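Review bot: L368 compares the stored digest with `==`; PHP's loose comparison treats numeric-looking strings numerically, so two different hex digests can compare equal, and the check should be `if (md5($details['currentpass']) === $rinfo['password'])`. L362 reads `$rinfo['password']` and `$rinfo['id']` without checking that `fetchRow()` returned a row for `$_SESSION["userlogin"]`; returning false when `$rinfo` is empty avoids a notice and a comparison against null. The failure paths now `return false` (L354, L380) while the success path ends with `logout()` on L377 and returns nothing, so a caller cannot distinguish the outcomes unless `logout()` exits — presumably it does, but the docblock's "return values: none" (L341) no longer describes the function.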
@@ -323,18 +348,15 @@
* Get a fullname when you have a userid.
* return values: gives the fullname from a userid.
*/
-function get_fullname_from_userid($id)
-{
+function get_fullname_from_userid($id) {
global $db;
- if (is_numeric($id))
- {
+ if (is_numeric($id)) {
$result = $db->query("SELECT fullname FROM users WHERE id=".$db->quote($id));
$r = $result->fetchRow();
return $r["fullname"];
- }
- else
- {
+ } else {
error(ERR_INV_ARG);
+ return false;
}
}
@@ -369,7 +391,7 @@
* @param $id integer the id of the domain
* @return String the list of owners for this domain
*/
-function get_owners_from_domainid($id) {
+function get_fullnames_owners_from_domainid($id) {
global $db;
if (is_numeric($id))
@@ -392,4 +414,311 @@
error(ERR_INV_ARG);
}
+
+
+function verify_user_is_owner_zoneid($zoneid) {
+ global $db;
+
+ $userid=$_SESSION["userid"];
+
+ if (is_numeric($zoneid)) {
+ $result = $db->query("SELECT zones.id
+ FROM zones
+ WHERE zones.owner = " . $db->quote($userid) . "
+ AND zones.domain_id = ". $db->quote($zoneid)) ;
+ if ($result->numRows() == 0) {
+ return "0";
+ } else {
+ return "1";
+ }
+ }
+ error(ERR_INV_ARG);
+}
+
+
+function get_user_detail_list($specific) {
+
+ global $db;
+ $userid=$_SESSION['userid'];
+
+
+ if (v_num($specific)) {
+ $sql_add = "AND users.id = " . $db->quote($specific) ;
+ } else {
+ if (verify_permission(user_view_others)) {
+ $sql_add = "";
+ } else {
+ $sql_add = "AND users.id = " . $db->quote($userid) ;
+ }
+ }
+
+ $query = "SELECT users.id AS uid,
+ username,
+ fullname,
+ email,
+ description AS descr,
+ active,
+ perm_templ.id AS tpl_id,
+ perm_templ.name AS tpl_name,
+ perm_templ.descr AS tpl_descr
+ FROM users, perm_templ
+ WHERE users.perm_templ = perm_templ.id "
+ . $sql_add . "
+ ORDER BY username";
+
+ $result = $db->query($query);
+ if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+
+ while ($user = $result->fetchRow()) {
+ $userlist[] = array(
+ "uid" => $user['uid'],
+ "username" => $user['username'],
+ "fullname" => $user['fullname'],
+ "email" => $user['email'],
+ "descr" => $user['descr'],
+ "active" => $user['active'],
+ "tpl_id" => $user['tpl_id'],
+ "tpl_name" => $user['tpl_name'],
+ "tpl_descr" => $user['tpl_descr']
+ );
+ }
+ return $userlist;
+}
+
+
+// Get a list of permissions that are available. If first argument is "0", it
+// should return all available permissions. If the first argument is > "0", it
+// should return the permissions assigned to that particular template only. If
+// second argument is true, only the permission names are returned.
+
+function get_permissions_by_template_id($templ_id=0,$return_name_only=false) {
+ global $db;
+
+ if ($templ_id > 0) {
+ $limit = ", perm_templ_items
+ WHERE perm_templ_items.templ_id = " . $db->quote($templ_id) . "
+ AND perm_templ_items.perm_id = perm_items.id";
+ }
+
+ $query = "SELECT perm_items.id AS id,
+ perm_items.name AS name,
+ perm_items.descr AS descr
+ FROM perm_items"
+ . $limit . "
+ ORDER BY descr";
+ $result = $db->query($query);
+ if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+
+ $permission_list = array();
+ while ($permission = $result->fetchRow()) {
+ if ($return_name_only == false) {
+ $permission_list[] = array(
+ "id" => $permission['id'],
+ "name" => $permission['name'],
+ "descr" => $permission['descr']
+ );
+ } else {
+ $permission_list[] = $permission['name'];
+ }
+ }
+ return $permission_list;
+}
+
+
+// Get name and description of template based on template ID.
+
+function get_permission_template_details($templ_id) {
+ global $db;
+
+ $query = "SELECT *
+ FROM perm_templ
+ WHERE perm_templ.id = " . $db->quote($templ_id);
+
+ $result = $db->query($query);
+ if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+
+ while($details = $result->fetchRow()) {
+ $detail_list[] = array (
+ "name" => $details['name'],
+ "descr" => $details['descr']
+ );
+ }
+ return $detail_list;
+}
+
+
+// Get a list of all available permission templates.
+
+function get_list_permission_templates() {
+ global $db;
+
+ $query = "SELECT * FROM perm_templ";
+ $result = $db->query($query);
+ if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+
+ $perm_templ_list = array();
+ while ($perm_templ = $result->fetchRow()) {
+ $perm_templ_list[] = array(
+ "id" => $perm_templ['id'],
+ "name" => $perm_templ['name'],
+ "descr" => $perm_templ['descr']
+ );
+ }
+ return $perm_templ_list;
+}
+
+
+// Update all details of a permission template.
+
+function update_perm_templ_details($details) {
+ global $db;
+
+ // Fix permission template name and description first.
+
+ $query = "UPDATE perm_templ
+ SET name = " . $db->quote($details['templ_name']) . ",
+ descr = " . $db->quote($details['templ_descr']) . "
+ WHERE id = " . $db->quote($details['templ_id']) ;
+
+ $result = $db->query($query);
+ if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+
+ // Now, update list of permissions assigned to this template. We could do
+ // this The Correct Way [tm] by comparing the list of permissions that are
+ // currently assigned with a list of permissions that should be assigned and
+ // apply the difference between these two lists to the database. That sounds
+ // like to much work. Just delete all the permissions currently assigned to
+ // the template, than assign all the permessions the template should have.
+
+ $query = "DELETE FROM perm_templ_items WHERE templ_id = " . $details['templ_id'] ;
+ $result = $db->query($query);
+ if (pear::iserror($response)) { error($response->getmessage()); return false; }
+
+ foreach ($details['perm_id'] AS $perm_id) {
+ $r_insert_values[] = "(''," . $db->quote($details['templ_id']) . "," . $db->quote($perm_id) . ")";
+ }
+ $query = "INSERT INTO perm_templ_items VALUES " . implode(',', $r_insert_values) ;
+ $result = $db->query($query);
+ if (pear::iserror($response)) { error($response->getmessage()); return false; }
+
+ return true;
+}
+
+function update_user_details($details) {
+
+ global $db;
+
+ verify_permission(user_edit_own) ? $perm_edit_own = "1" : $perm_edit_own = "0" ;
+ verify_permission(user_edit_others) ? $perm_edit_others = "1" : $perm_edit_others = "0" ;
+
+ if (($details['uid'] == $_SESSION["userid"] && $perm_edit_own == "1") ||
+ ($details['uid'] != $_SESSION["userid"] && $perm_edit_others == "1" )) {
+
+ if (!is_valid_email($details['email'])) {
+ error(ERR_INV_EMAIL);
+ return false;
+ }
+
+ if (!isset($details['active']) || $details['active'] != "on" ) {
+ $active = 0;
+ } else {
+ $active = 1;
+ }
+
+ // Before updating the database we need to check whether the user wants to
+ // change the username. If the user wants to change the username, we need
+ // to make sure it doesn't already exists.
+ //
+ // First find the current username of the user ID we want to change. If the
+ // current username is not the same as the username that was given by the
+ // user, the username should apparantly changed. If so, check if the "new"
+ // username already exists.
+ $query = "SELECT username FROM users WHERE id = " . $db->quote($details['uid']);
+ $result = $db->query($query);
+ if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+
+ $usercheck = array();
+ $usercheck = $result->fetchRow();
+
+ if ($usercheck['username'] != $details['username']) {
+ // Username of user ID in the database is different from the name
+ // we have been given. User wants a change of username. Now, make
+ // sure it doesn't already exist.
+ $query = "SELECT id FROM users WHERE username = " . $db->quote($details['username']);
+ $result = $db->query($query);
+ if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+
+ if($result->numRows() > 0) {
+ error(ERR_USER_EXIST);
+ return false;
+ }
+ }
+
+ // So, user doesn't want to change username or, if he wants, there is not
+ // another user that goes by the wanted username. So, go ahead!
+
+ $query = "UPDATE users SET
+ username = " . $db->quote($details['username']) . ",
+ fullname = " . $db->quote($details['fullname']) . ",
+ email = " . $db->quote($details['email']) . ",
+ perm_templ = " . $db->quote($details['templ_id']) . ",
+ description = " . $db->quote($details['descr']) . ",
+ active = " . $db->quote($active) ;
+
+ // TODO Check if function works if password is set too.
+ if($details['password'] != "") {
+ $query .= ", password = '" . md5($db->quote($details['password'])) . "' ";
+ }
+
+ $query .= " WHERE id = " . $db->quote($details['uid']) ;
+
+ $result = $db->query($query);
+ if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+
+ } else {
+ error(ERR_PERM_EDIT_USER);
+ return false;
+ }
+ return true;
+}
+
+// Add a new user
+
+function add_new_user($details) {
+ global $db;
+
+ if (!verify_permission(user_add_new)) {
+ error(ERR_PERM_ADD_USER);
+
+ } elseif (user_exists($details['username'])) {
+ error(ERR_USER_EXISTS);
+
+ } elseif (!is_valid_email($details['email'])) {
+ error(ERR_INV_EMAIL);
+
+ } elseif ($details['active'] == 1) {
+ $active = 1;
+ } else {
+ $active = 0;
+ }
+
+ $query = "INSERT INTO users VALUES ( "
+ . "'', "
+ . $db->quote($details['username']) . ", "
+ . $db->quote(md5($details['password'])) . ", "
+ . $db->quote($details['fullname']) . ", "
+ . $db->quote($details['email']) . ", "
+ . $db->quote($details['descr']) . ", "
+ . $db->quote($details['perm_templ']) . ", "
+ . $db->quote($active)
+ . ")";
+
+ $result = $db->query($query);
+ if (PEAR::isError($response)) { error($response->getMessage()); return false; }
+
+ return true;
+}
+
+
+
?>
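Review bot: In add_new_user none of the three failing branches on L689–L697 returns, so after `error(ERR_PERM_ADD_USER)`, `error(ERR_USER_EXISTS)` or `error(ERR_INV_EMAIL)` execution falls through to the INSERT on L704 with `$active` unset — the permission check and the validations are reported but not enforced; add `return false;` after each `error()` call. L592 in update_perm_templ_details concatenates `$details['templ_id']` into the DELETE without `$db->quote()`, unlike every other query in the hunk, and should be `WHERE templ_id = " . $db->quote($details['templ_id'])`; the INSERT on L599 also needs a guard for an empty or absent `$details['perm_id']`, since `$r_insert_values` is otherwise never set. L669 in update_user_details stores `md5($db->quote(...))`, i.e. the hash of the quoted string including its delimiters, which can never match the `md5($details['currentpass'])` that change_user_pass compares against; use `$db->quote(md5($details['password']))` as edit_user does on L324. `$userlist` (L472), `$detail_list` (L540) and `$limit` (L506 when `$templ_id` is 0) are read without being initialised, so empty results return null instead of an empty array and `$limit` raises a notice; initialise each to `array()` or `""` before use.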