diff -r c72d6d51f3d3 -r c255196bc447 inc/users.inc.php
--- a/inc/users.inc.php Wed Mar 12 20:45:56 2008 +0000
+++ b/inc/users.inc.php Tue Mar 25 22:45:31 2008 +0000
@@ -21,6 +21,77 @@ require_once("inc/toolkit.inc.php"); + +/* + * Function to see if user has right to do something. It will check if + * user has "ueberuser" bit set. If it isn't, it will check if the user has + * the specific permission. It returns "false" if the user doesn't have the + * right, and "true" if the user has. + */ + +function verify_permission($permission) { + + global $db; + + if ((!isset($_SESSION['userid'])) || (!is_object($db))) { + return 0; + } + + // Set current user ID. + $userid=$_SESSION['userid']; + + // Find the template ID that this user has been assigned. + $query = "SELECT perm_templ + FROM users + WHERE id = " . $db->quote($userid) ; + $templ_id = $db->queryOne($query); + + // Does this user have ueberuser rights? + $query = "SELECT id + FROM perm_templ_items + WHERE templ_id = " . $db->quote($templ_id) . " + AND perm_id = '53'"; + $result = $db->query($query); + if ( $result->numRows() > 0 ) { + return 1; + } + + // Find the permission ID for the requested permission. + $query = "SELECT id + FROM perm_items + WHERE name = " . $db->quote($permission) ; + $perm_id = $db->queryOne($query); + + // Check if the permission ID is assigned to the template ID. + $query = "SELECT id + FROM perm_templ_items + WHERE templ_id = " . $db->quote($templ_id) . " + AND perm_id = " . $db->quote($perm_id) ; + $result = $db->query($query); + if ( $result->numRows() > 0 ) { + return 1; + } else { + return 0; + } +} + +function list_permission_templates() { + global $db; + $query = "SELECT * FROM perm_templ"; + $result = $db->query($query); + if (PEAR::isError($response)) { error($response->getMessage()); return false; } + + $template_list = array(); + while ($template= $result->fetchRow()) { + $tempate_list[] = array( + "id" => $template['id'], + "name" => $template['name'], + "descr" => $template['descr'] + ); + } + return $tempate_list; +} + /* * Retrieve all users. * Its to show_users therefore the odd name. Has to be changed. 
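Review bot: The ueberuser test in verify_permission matches `perm_id = '53'`, a bare row id with nothing in the hunk saying which perm_items entry it denotes, while the very next query resolves a permission by its name; a database whose perm_items rows are numbered differently would silently grant or withhold every right. I would resolve the ueberuser permission the same way, by name through perm_items, and if a literal must stay, give it a single named constant with a comment. In list_permission_templates the error guard tests `$response`, which is never assigned, so a failed query is not caught before `fetchRow()`; the rows are also collected in `$tempate_list` while the initialised array is `$template_list`, so an empty table returns null rather than `array()`. The docblock promises true/false but the function returns 1/0, which callers comparing with `===` would miss.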
@@ -42,8 +113,8 @@ users.fullname AS fullname, users.email AS email, users.description AS description, - users.level AS level, users.active AS active, + users.perm_templ AS perm_templ, count(zones.owner) AS aantal FROM users LEFT JOIN zones ON users.id=zones.owner$add GROUP BY @@ -52,7 +123,7 @@ users.fullname, users.email, users.description, - users.level, + users.perm_templ, users.active ORDER BY users.fullname"; @@ -102,33 +173,6 @@ /* - * Gives a textdescribed value of the given levelid - * return values: the text associated with the level - */ -function leveldescription($id) -{ - switch($id) - { - case 1: - global $NAME_LEVEL_1; - return $NAME_LEVEL_1; - break; - case 5: - global $NAME_LEVEL_5; - return $NAME_LEVEL_5; - break; - case 10: - global $NAME_LEVEL_10; - return $NAME_LEVEL_10; - break; - default: - return "Unknown"; - break; - } -} - - -/* * Checks if a given username exists in the database. * return values: true if exists, false if not. */ 
@@ -151,79 +195,39 @@ } -/* - * Get all user info for the given user in an array. - * return values: the database style array with the information about the user. - */ -function get_user_info($id) -{ - global $db; - if (is_numeric($id)) - { - $result = $db->query("SELECT id, username, fullname, email, description, level, active from users where id=".$db->quote($id)); - $r = $result->fetchRow(); - return $r; - } - else - { - error(sprintf(ERR_INV_ARGC,"get_user_info", "you gave illegal arguments: $id")); - } -} - /* * Delete a user from the system * return values: true if user doesnt exist. */ -function delete_user($id) +function delete_user($uid,$zones) { global $db; - if (!level(10)) - { - error(ERR_LEVEL_10); - } - if (is_numeric($id)) - { - $db->query("DELETE FROM users WHERE id=".$db->quote($id)); - $db->query("DELETE FROM zones WHERE owner=".$db->quote($id)); - return true; - // No need to check the affected rows. If the affected rows would be 0, - // the user isnt in the dbase, just as we want. - } - else - { - error(ERR_INV_ARG); - } -} + if (($uid != $_SESSION['userid'] && !verify_permission(user_edit_others)) || ($uid == $_SESSION['userid'] && !verify_permission(user_edit_own))) { + error(ERR_PERM_DEL_USER); + return false; + } else { -/* - * Adds a user to the system. - * return values: true if succesfully added. - */ -function add_user($user, $password, $fullname, $email, $level, $description, $active) -{ - global $db; - if (!level(10)) - { - error(ERR_LEVEL_10); + if (is_array($zones)) { + foreach ($zones as $zone) { + if ($zone['target'] == "delete") { + delete_domain($zone['zid']); + } elseif ($zone['target'] == "new_owner") { + add_owner_to_zone($zone['zid'], $zone['newowner']); + } + } + } + + $query = "DELETE FROM zones WHERE owner = " . $db->quote($uid) ; + $result = $db->query($query); + if (PEAR::isError($response)) { error($response->getMessage()); return false; } + + $query = "DELETE FROM users WHERE id = " . 
$db->quote($uid) ; + $result = $db->query($query); + if (PEAR::isError($response)) { error($response->getMessage()); return false; } } - if (!user_exists($user)) - { - if (!is_valid_email($email)) - { - error(ERR_INV_EMAIL); - } - if ($active != 1) { - $active = 0; - } - $db->query("INSERT INTO users (username, password, fullname, email, description, level, active) VALUES (".$db->quote($user).", '" . md5($password) . "', ".$db->quote($fullname).", ".$db->quote($email).", ".$db->quote($description).", ".$db->quote($level).", ".$db->quote($active).")"); - return true; - } - else - { - error(ERR_USER_EXISTS); - } + return true; } 
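Review bot: delete_user acts on every entry of the `$zones` argument, calling delete_domain for a `target` of "delete" and add_owner_to_zone for "new_owner", without checking that `zid` is a zone the deleted user actually owns, so the caller's list decides which zones are removed or handed to `newowner`, and a user who may only edit their own account could take zones they never held down with them (unless delete_domain and add_owner_to_zone check ownership themselves, which is not visible here). I would load the deleted user's zone ids first and skip any `zid` outside that set, as below. The two `PEAR::isError($response)` guards test a variable that is never assigned and should test `$result`. The old `is_numeric($id)` check was dropped; `$db->quote` still protects the queries, but an invalid id now silently deletes nothing and still reports success.
```php
function delete_user($uid,$zones) {
    // … unchanged: permission check …

        // Only zones actually owned by the user being deleted may be dropped or reassigned.
        $owned = array();
        $result = $db->query("SELECT domain_id FROM zones WHERE owner = " . $db->quote($uid));
        if (PEAR::isError($result)) { error($result->getMessage()); return false; }
        while ($row = $result->fetchRow()) { $owned[] = $row['domain_id']; }

        if (is_array($zones)) {
            foreach ($zones as $zone) {
                if (!in_array($zone['zid'], $owned)) { continue; }
                // … unchanged: delete / new_owner dispatch …
            }
        }
    // … unchanged: DELETE FROM zones / DELETE FROM users …
```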
@@ -231,57 +235,81 @@ * Edit the information of an user.. sloppy implementation with too many queries.. (2) :) * return values: true if succesful */ -function edit_user($id, $user, $fullname, $email, $level, $description, $active, $password) +function edit_user($id, $user, $fullname, $email, $perm_templ, $description, $active, $password) { global $db; - if(!level(10)) { - error(ERR_LEVEL_10); - } + + verify_permission(user_edit_own) ? $perm_edit_own = "1" : $perm_edit_own = "0" ; + verify_permission(user_edit_others) ? $perm_edit_others = "1" : $perm_edit_others = "0" ; + + if (($id == $_SESSION["userid"] && $perm_edit_own == "1") || ($id != $_SESSION["userid"] && $perm_edit_others == "1" )) { + + if (!is_valid_email($email)) { + error(ERR_INV_EMAIL); + return false; + } - if (!is_valid_email($email)) - { - error(ERR_INV_EMAIL); - } - if ($active != 1) { - $active = 0; - } - $sqlquery = "UPDATE users set username=".$db->quote($user).", fullname=".$db->quote($fullname).", email=".$db->quote($email).", level=".$db->quote($level).", description=".$db->quote($description).", active=".$db->quote($active); + if ($active != 1) { + $active = 0; + } + + // Before updating the database we need to check whether the user wants to + // change the username. If the user wants to change the username, we need + // to make sure it doesn't already exists. + // + // First find the current username of the user ID we want to change. If the + // current username is not the same as the username that was given by the + // user, the username should apparantly changed. If so, check if the "new" + // username already exists. - if($password != "") - { - $sqlquery .= ", password= '" . md5($password) . "' "; - } + $query = "SELECT username FROM users WHERE id = " . 
$db->quote($id); + $result = $db->query($query); + if (PEAR::isError($response)) { error($response->getMessage()); return false; } - $sqlquery .= " WHERE id=".$db->quote($id) ; + $usercheck = array(); + $usercheck = $result->fetchRow(); - // Search the username that right now goes with this ID. - $result = $db->query("SELECT username from users where id=".$db->quote($id)); - $r = array(); - $r = $result->fetchRow(); + if ($usercheck['username'] != $user) { + + // Username of user ID in the database is different from the name + // we have been given. User wants a change of username. Now, make + // sure it doesn't already exist. + + $query = "SELECT id FROM users WHERE username = " . $db->query($user); + $result = $db->query($query); + if (PEAR::isError($response)) { error($response->getMessage()); return false; } - // If the found username with this ID is the given username with the command.. execute. + if($result->numRows() > 0) { + error(ERR_USER_EXIST); + return false; + } + } - if($r["username"] == $user) - { - $db->query($sqlquery); - return true; - } + // So, user doesn't want to change username or, if he wants, there is not + // another user that goes by the wanted username. So, go ahead! - // Its not.. so the user wants to change. - // Find if there is an id that has the wished username. - $otheruser = $db->query("SELECT id from users where username=".$db->query($user)); - if($otheruser->numRows() > 0) - { - error(ERR_USER_EXIST); - } + $query = "UPDATE users SET + username = " . $db->quote($user) . ", + fullname = " . $db->quote($fullname) . ", + email = " . $db->quote($email) . ", + perm_templ = " . $db->quote($perm_templ) . ", + description = " . $db->quote($description) . ", + active = " . $db->quote($active) ; - // Its fine it seems.. :) - // Lets execute it. - else - { - $db->query($sqlquery); - return true; + if($password != "") { + $query .= ", password = " . $db->quote(md5($password)) ; + } + + $query .= " WHERE id = " . 
$db->quote($id) ; + + $result = $db->query($query); + if (PEAR::isError($response)) { error($response->getMessage()); return false; } + + } else { + error(ERR_PERM_EDIT_USER); + return false; } + return true; } /* @@ -289,32 +317,29 @@ * The user is automatically logged out after the pass change. * return values: none. */ -function change_user_pass($currentpass, $newpass, $newpass2) -{ +function change_user_pass($details) { global $db; - - // Check if the passwords are equal. - if($newpass != $newpass2) - { + + if ($details['newpass'] != $details['newpass2']) { error(ERR_USER_MATCH_NEW_PASS); + return false; } - // Retrieve the users password. - $result = $db->query("SELECT password, id FROM users WHERE username=".$db->quote($_SESSION["userlogin"])); + $query = "SELECT id, password FROM users WHERE username = " . $db->quote($_SESSION["userlogin"]); + $result = $db->query($query); + if (PEAR::isError($response)) { error($response->getMessage()); return false; } + $rinfo = $result->fetchRow(); - // Check the current password versus the database password and execute the update. - if(md5($currentpass) == $rinfo["password"]) - { - $sqlquery = "update users set password='" . md5($newpass) . "' where id='" . $rinfo["id"] . "'"; - $db->query($sqlquery); + if(md5($details['currentpass']) == $rinfo['password']) { + $query = "UPDATE users SET password = " . $db->quote(md5($details['newpass'])) . " WHERE id = " . $db->quote($rinfo['id']) ; + $result = $db->query($query); + if (PEAR::isError($response)) { error($response->getMessage()); return false; } - // Logout the user. - logout("Pass changed please re-login"); - } - else - { + logout( _('Password has been changed, please login.')); + } else { error(ERR_USER_WRONG_CURRENT_PASS); + return false; } } 
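Review bot: The duplicate-username lookup in edit_user builds its query with `$db->query($user)` instead of `$db->quote($user)`, which executes whatever the submitted username is as its own SQL statement and then concatenates the result object into the real query; anyone passing the user_edit_own check reaches this line. It should read `$query = "SELECT id FROM users WHERE username = " . $db->quote($user);`, as update_user_details later in this diff already does. Separately, the permission check lets a user with only user_edit_own through, and the UPDATE then writes `perm_templ` unconditionally, so such a user can assign themselves any permission template unless the calling page withholds that field; changing `perm_templ` should require user_edit_others or a dedicated right. The `PEAR::isError($response)` guards test an unassigned variable and never fire.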
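Review bot: change_user_pass compares the stored hash with `md5($details['currentpass']) == $rinfo['password']`; under PHP's loose comparison two hex digests of the form `0e` followed only by digits compare equal as numbers, so the strict operator belongs here, `if (md5($details['currentpass']) === $rinfo['password']) {`. The row is also not checked: if no user matches `$_SESSION["userlogin"]`, `$rinfo` is not an array and the comparison proceeds against a missing index. Unsalted md5 is inherited from the old code rather than introduced here, but a `// TODO: unsalted md5, migrate to a stronger scheme` on the update line would keep it from being forgotten. The `PEAR::isError($response)` guards test a variable that is never assigned.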
@@ -323,18 +348,15 @@ * Get a fullname when you have a userid. * return values: gives the fullname from a userid. */ -function get_fullname_from_userid($id) -{ +function get_fullname_from_userid($id) { global $db; - if (is_numeric($id)) - { + if (is_numeric($id)) { $result = $db->query("SELECT fullname FROM users WHERE id=".$db->quote($id)); $r = $result->fetchRow(); return $r["fullname"]; - } - else - { + } else { error(ERR_INV_ARG); + return false; } } @@ -369,7 +391,7 @@ * @param $id integer the id of the domain * @return String the list of owners for this domain */ -function get_owners_from_domainid($id) { +function get_fullnames_owners_from_domainid($id) { global $db; if (is_numeric($id)) 
@@ -392,4 +414,311 @@ error(ERR_INV_ARG); } + + +function verify_user_is_owner_zoneid($zoneid) { + global $db; + + $userid=$_SESSION["userid"]; + + if (is_numeric($zoneid)) { + $result = $db->query("SELECT zones.id + FROM zones + WHERE zones.owner = " . $db->quote($userid) . " + AND zones.domain_id = ". $db->quote($zoneid)) ; + if ($result->numRows() == 0) { + return "0"; + } else { + return "1"; + } + } + error(ERR_INV_ARG); +} + + +function get_user_detail_list($specific) { + + global $db; + $userid=$_SESSION['userid']; + + + if (v_num($specific)) { + $sql_add = "AND users.id = " . $db->quote($specific) ; + } else { + if (verify_permission(user_view_others)) { + $sql_add = ""; + } else { + $sql_add = "AND users.id = " . $db->quote($userid) ; + } + } + + $query = "SELECT users.id AS uid, + username, + fullname, + email, + description AS descr, + active, + perm_templ.id AS tpl_id, + perm_templ.name AS tpl_name, + perm_templ.descr AS tpl_descr + FROM users, perm_templ + WHERE users.perm_templ = perm_templ.id " + . $sql_add . " + ORDER BY username"; + + $result = $db->query($query); + if (PEAR::isError($response)) { error($response->getMessage()); return false; } + + while ($user = $result->fetchRow()) { + $userlist[] = array( + "uid" => $user['uid'], + "username" => $user['username'], + "fullname" => $user['fullname'], + "email" => $user['email'], + "descr" => $user['descr'], + "active" => $user['active'], + "tpl_id" => $user['tpl_id'], + "tpl_name" => $user['tpl_name'], + "tpl_descr" => $user['tpl_descr'] + ); + } + return $userlist; +} + + +// Get a list of permissions that are available. If first argument is "0", it +// should return all available permissions. If the first argument is > "0", it +// should return the permissions assigned to that particular template only. If +// second argument is true, only the permission names are returned. 
+ +function get_permissions_by_template_id($templ_id=0,$return_name_only=false) { + global $db; + + if ($templ_id > 0) { + $limit = ", perm_templ_items + WHERE perm_templ_items.templ_id = " . $db->quote($templ_id) . " + AND perm_templ_items.perm_id = perm_items.id"; + } + + $query = "SELECT perm_items.id AS id, + perm_items.name AS name, + perm_items.descr AS descr + FROM perm_items" + . $limit . " + ORDER BY descr"; + $result = $db->query($query); + if (PEAR::isError($response)) { error($response->getMessage()); return false; } + + $permission_list = array(); + while ($permission = $result->fetchRow()) { + if ($return_name_only == false) { + $permission_list[] = array( + "id" => $permission['id'], + "name" => $permission['name'], + "descr" => $permission['descr'] + ); + } else { + $permission_list[] = $permission['name']; + } + } + return $permission_list; +} + + +// Get name and description of template based on template ID. + +function get_permission_template_details($templ_id) { + global $db; + + $query = "SELECT * + FROM perm_templ + WHERE perm_templ.id = " . $db->quote($templ_id); + + $result = $db->query($query); + if (PEAR::isError($response)) { error($response->getMessage()); return false; } + + while($details = $result->fetchRow()) { + $detail_list[] = array ( + "name" => $details['name'], + "descr" => $details['descr'] + ); + } + return $detail_list; +} + + +// Get a list of all available permission templates. + +function get_list_permission_templates() { + global $db; + + $query = "SELECT * FROM perm_templ"; + $result = $db->query($query); + if (PEAR::isError($response)) { error($response->getMessage()); return false; } + + $perm_templ_list = array(); + while ($perm_templ = $result->fetchRow()) { + $perm_templ_list[] = array( + "id" => $perm_templ['id'], + "name" => $perm_templ['name'], + "descr" => $perm_templ['descr'] + ); + } + return $perm_templ_list; +} + + +// Update all details of a permission template. 
+ +function update_perm_templ_details($details) { + global $db; + + // Fix permission template name and description first. + + $query = "UPDATE perm_templ + SET name = " . $db->quote($details['templ_name']) . ", + descr = " . $db->quote($details['templ_descr']) . " + WHERE id = " . $db->quote($details['templ_id']) ; + + $result = $db->query($query); + if (PEAR::isError($response)) { error($response->getMessage()); return false; } + + // Now, update list of permissions assigned to this template. We could do + // this The Correct Way [tm] by comparing the list of permissions that are + // currently assigned with a list of permissions that should be assigned and + // apply the difference between these two lists to the database. That sounds + // like to much work. Just delete all the permissions currently assigned to + // the template, than assign all the permessions the template should have. + + $query = "DELETE FROM perm_templ_items WHERE templ_id = " . $details['templ_id'] ; + $result = $db->query($query); + if (pear::iserror($response)) { error($response->getmessage()); return false; } + + foreach ($details['perm_id'] AS $perm_id) { + $r_insert_values[] = "(''," . $db->quote($details['templ_id']) . "," . $db->quote($perm_id) . ")"; + } + $query = "INSERT INTO perm_templ_items VALUES " . implode(',', $r_insert_values) ; + $result = $db->query($query); + if (pear::iserror($response)) { error($response->getmessage()); return false; } + + return true; +} + +function update_user_details($details) { + + global $db; + + verify_permission(user_edit_own) ? $perm_edit_own = "1" : $perm_edit_own = "0" ; + verify_permission(user_edit_others) ? 
$perm_edit_others = "1" : $perm_edit_others = "0" ; + + if (($details['uid'] == $_SESSION["userid"] && $perm_edit_own == "1") || + ($details['uid'] != $_SESSION["userid"] && $perm_edit_others == "1" )) { + + if (!is_valid_email($details['email'])) { + error(ERR_INV_EMAIL); + return false; + } + + if (!isset($details['active']) || $details['active'] != "on" ) { + $active = 0; + } else { + $active = 1; + } + + // Before updating the database we need to check whether the user wants to + // change the username. If the user wants to change the username, we need + // to make sure it doesn't already exists. + // + // First find the current username of the user ID we want to change. If the + // current username is not the same as the username that was given by the + // user, the username should apparantly changed. If so, check if the "new" + // username already exists. + $query = "SELECT username FROM users WHERE id = " . $db->quote($details['uid']); + $result = $db->query($query); + if (PEAR::isError($response)) { error($response->getMessage()); return false; } + + $usercheck = array(); + $usercheck = $result->fetchRow(); + + if ($usercheck['username'] != $details['username']) { + // Username of user ID in the database is different from the name + // we have been given. User wants a change of username. Now, make + // sure it doesn't already exist. + $query = "SELECT id FROM users WHERE username = " . $db->quote($details['username']); + $result = $db->query($query); + if (PEAR::isError($response)) { error($response->getMessage()); return false; } + + if($result->numRows() > 0) { + error(ERR_USER_EXIST); + return false; + } + } + + // So, user doesn't want to change username or, if he wants, there is not + // another user that goes by the wanted username. So, go ahead! + + $query = "UPDATE users SET + username = " . $db->quote($details['username']) . ", + fullname = " . $db->quote($details['fullname']) . ", + email = " . $db->quote($details['email']) . ", + perm_templ = " . 
$db->quote($details['templ_id']) . ", + description = " . $db->quote($details['descr']) . ", + active = " . $db->quote($active) ; + + // TODO Check if function works if password is set too. + if($details['password'] != "") { + $query .= ", password = '" . md5($db->quote($details['password'])) . "' "; + } + + $query .= " WHERE id = " . $db->quote($details['uid']) ; + + $result = $db->query($query); + if (PEAR::isError($response)) { error($response->getMessage()); return false; } + + } else { + error(ERR_PERM_EDIT_USER); + return false; + } + return true; +} + +// Add a new user + +function add_new_user($details) { + global $db; + + if (!verify_permission(user_add_new)) { + error(ERR_PERM_ADD_USER); + + } elseif (user_exists($details['username'])) { + error(ERR_USER_EXISTS); + + } elseif (!is_valid_email($details['email'])) { + error(ERR_INV_EMAIL); + + } elseif ($details['active'] == 1) { + $active = 1; + } else { + $active = 0; + } + + $query = "INSERT INTO users VALUES ( " + . "'', " + . $db->quote($details['username']) . ", " + . $db->quote(md5($details['password'])) . ", " + . $db->quote($details['fullname']) . ", " + . $db->quote($details['email']) . ", " + . $db->quote($details['descr']) . ", " + . $db->quote($details['perm_templ']) . ", " + . $db->quote($active) + . ")"; + + $result = $db->query($query); + if (PEAR::isError($response)) { error($response->getMessage()); return false; } + + return true; +} + + + ?>
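Review bot: add_new_user never returns after a failed check: the `if … elseif` chain only calls error() for a missing user_add_new right, an existing username or an invalid address, then falls through to the INSERT, so the user is created anyway with whatever `perm_templ` was supplied and `$active` is undefined in those branches. Each failure branch needs `return false;` after its error() call, e.g. `error(ERR_PERM_ADD_USER); return false;`, and the `$active` assignment should be taken out of that chain. In update_perm_templ_details the DELETE concatenates `$details['templ_id']` without `$db->quote`, unlike every other query in the function, and the function carries no verify_permission check of its own, so template editing relies entirely on the calling page. In update_user_details the password is stored as `md5($db->quote($details['password']))`, hashing the quoted text, so a password set this way will not match the `md5($password)` computed elsewhere; the `// TODO` above that line is right to be suspicious and the line should be `$query .= ", password = " . $db->quote(md5($details['password']));`.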