Skip to content

Instantly share code, notes, and snippets.

@alexweissman

alexweissman/create_user.php

Created December 24, 2014 17:13
Show Gist options
  • Save alexweissman/cdb15a580f25f1888ef9 to your computer and use it in GitHub Desktop.
Save alexweissman/cdb15a580f25f1888ef9 to your computer and use it in GitHub Desktop.
Download ZIP
adding study_in field
Raw
create_user.php
<?php
// Create a new user.
require_once("../models/config.php");
set_error_handler('logAllErrors');
// Request method: POST
$ajax = checkRequestMode("post");
$validator = new Validator();
// POST: user_name, display_name, email, title, password, passwordc, [admin, add_groups, skip_activation, csrf_token]
// Check if request is from public or backend
$admin = $validator->optionalPostVar('admin');
if ($admin == "true"){
// Admin mode must be from a logged in user
checkLoggedInUser($ajax);
$csrf_token = $validator->requiredPostVar('csrf_token');
// Validate csrf token
checkCSRF($ajax, $csrf_token);
} else {
global $can_register;
if (!userIdExists('1')){
addAlert("danger", lang("MASTER_ACCOUNT_NOT_EXISTS"));
apiReturnError($ajax, SITE_ROOT);
}
// If registration is disabled, send them back to the home page with an error message
if (!$can_register){
addAlert("danger", lang("ACCOUNT_REGISTRATION_DISABLED"));
apiReturnError($ajax, SITE_ROOT);
}
//Prevent the user visiting the logged in page if he/she is already logged in
if(isUserLoggedIn()) {
addAlert("danger", "I'm sorry, you cannot register for an account while logged in. Please log out first.");
apiReturnError($ajax, ACCOUNT_ROOT);
}
}
$user_name = str_normalize($validator->requiredPostVar('user_name'));
$display_name = trim($validator->requiredPostVar('display_name'));
$email = str_normalize($validator->requiredPostVar('email'));
// If we're in admin mode, require title. Otherwise, use the default title
if ($admin == "true"){
$title = trim($validator->requiredPostVar('title'));
} else {
$title = $new_user_title;
}
// Don't trim passwords
$password = $validator->requiredPostVar('password');
$passwordc = $validator->requiredPostVar('passwordc');
//Add the field named Study in !
$study_in = trim($validator -> requiredPostVar('study_in'));
// Requires admin mode and appropriate permits
$add_groups = $validator->optionalPostVar('add_groups');
$skip_activation = $validator->optionalPostVar('skip_activation');
$primary_group_id = $validator->optionalPostVar('primary_group_id');
// Required for non-admin mode
$captcha = $validator->optionalPostVar('captcha');
$spiderbro = $validator->optionalPostVar('spiderbro');
// Add alerts for any failed input validation
foreach ($validator->errors as $error){
addAlert("danger", $error);
}
$error_count = count($validator->errors);
// Check captcha and honeypot if not in admin mode
if ($admin != "true"){
if (!$captcha || md5($captcha) != $_SESSION['captcha']){
addAlert("danger", lang("CAPTCHA_FAIL"));
$error_count++;
}
// Check the honeypot. 'spiderbro' is not a real field, it is hidden on the main page and must be submitted with its default value for this to be processed.
if ($spiderbro != "http://"){
error_log("Possible spam received:" . print_r($_POST, true));
addAlert("danger", "Aww hellllls no!");
$error_count++;
}
}
if ($error_count == 0){
global $emailActivation;
// Use the global email activation setting unless we're told to skip it
if ($admin == "true" && $skip_activation == "true")
$require_activation = false;
else
$require_activation = $emailActivation;
// Try to create the new user
if ($new_user_id = createUser($user_name, $display_name, $email, $title, $password, $passwordc,$study_in, $require_activation, $admin)){
} else {
apiReturnError($ajax, ($admin == "true") ? ACCOUNT_ROOT : SITE_ROOT);
}
// If creation succeeds, try to add groups
// If we're in admin mode and add_groups is specified, try to add those groups
if ($admin == "true" && $add_groups){
// Convert string of comma-separated group_id's into array
$group_ids_arr = explode(',',$add_groups);
$addition_count = 0;
foreach ($group_ids_arr as $group_id){
$addition_count += addUserToGroup($new_user_id, $group_id);
}
// Set primary group
if(!empty($primary_group_id)){
if (updateUserPrimaryGroup($new_user_id, $primary_group_id)){
// Account creation was successful!
addAlert("success", lang("ACCOUNT_PRIMARY_GROUP_SET"));
addAlert("success", lang("ACCOUNT_CREATION_COMPLETE", array($user_name)));
} else {
$error_count++;
}
}
// Otherwise, add default groups and set primary group for new users
} else {
if (dbAddUserToDefaultGroups($new_user_id)){
if ($require_activation)
// Activation required
addAlert("success", lang("ACCOUNT_REGISTRATION_COMPLETE_TYPE2"));
else
// No activation required
addAlert("success", lang("ACCOUNT_REGISTRATION_COMPLETE_TYPE1"));
} else {
apiReturnError($ajax, ($admin == "true") ? ACCOUNT_ROOT : SITE_ROOT);
}
}
} else {
apiReturnError($ajax, ($admin == "true") ? ACCOUNT_ROOT : SITE_ROOT);
}
restore_error_handler();
apiReturnSuccess($ajax, ($admin == "true") ? ACCOUNT_ROOT : SITE_ROOT);
?>
Raw
register.php
<?php
require_once("models/config.php");
setReferralPage(getAbsoluteDocumentPath(__FILE__));
if (!userIdExists('1')){
addAlert("danger", lang("MASTER_ACCOUNT_NOT_EXISTS"));
header("Location: install/wizard_root_user.php");
exit();
}
// If registration is disabled, send them back to the home page with an error message
if (!$can_register){
addAlert("danger", lang("ACCOUNT_REGISTRATION_DISABLED"));
header("Location: login.php");
exit();
}
//Prevent the user visiting the logged in page if he/she is already logged in
if(isUserLoggedIn()) {
addAlert("danger", "I'm sorry, you cannot register for an account while logged in. Please log out first.");
apiReturnError(false, SITE_ROOT);
}
?>
<!DOCTYPE html>
<html lang="en">
<?php
echo renderTemplate("head.html", array("#SITE_ROOT#" => SITE_ROOT, "#SITE_TITLE#" => SITE_TITLE, "#PAGE_TITLE#" => "Register"));
?>
<body>
<div class="container">
<div class="header">
<ul class="nav nav-pills navbar pull-right">
</ul>
<h3 class="text-muted">UserFrosting</h3>
</div>
<div class="jumbotron">
<h1>Let's get started!</h1>
<p class="lead">Registration is fast and simple.</p>
<form name='newUser' id='newUser' class='form-horizontal' role='form' action='api/create_user.php' method='post'>
<div class="row">
<div id='display-alerts' class="col-lg-12">
</div>
</div>
<div class="row form-group">
<label class="col-sm-4 control-label">Username</label>
<div class="col-sm-8">
<div class="input-group">
<span class='input-group-addon'><i class='fa fa-edit'></i></span>
<input type="text" class="form-control" placeholder="Username" name = 'user_name' value='' data-validate='{"minLength": 1, "maxLength": 25, "label": "Username" }'>
</div>
</div>
</div>
<div class="row form-group">
<label class="col-sm-4 control-label">Display Name</label>
<div class="col-sm-8">
<div class="input-group">
<span class='input-group-addon'><i class='fa fa-edit'></i></span>
<input type="text" class="form-control" placeholder="Display Name" name='display_name' data-validate='{"minLength": 1, "maxLength": 50, "label": "Display Name" }'>
</div>
</div>
</div>
<div class="row form-group">
<label class="col-sm-4 control-label">Email</label>
<div class="col-sm-8">
<div class="input-group">
<span class='input-group-addon'><i class='fa fa-envelope'></i></span>
<input type="email" class="form-control" placeholder="Email" name='email' data-validate='{"email": true, "minLength": 1, "maxLength": 150, "label": "Email" }'>
</div>
</div>
</div>
<div class="row form-group">
<label class="col-sm-4 control-label">Password</label>
<div class="col-sm-8">
<div class="input-group">
<span class='input-group-addon'><i class='fa fa-lock'></i></span>
<input type="password" class="form-control" placeholder="Password" name='password' data-validate='{"minLength": 8, "maxLength": 50, "passwordMatch": "passwordc", "label": "Password" }'>
</div>
</div>
</div>
<div class="row form-group">
<label class="col-sm-4 control-label">Confirm Password</label>
<div class="col-sm-8">
<div class="input-group">
<span class='input-group-addon'><i class='fa fa-lock'></i></span>
<input type="password" class="form-control" placeholder="Confirm Password" name='passwordc' data-validate='{"minLength": 8, "maxLength": 50, "label": "Confirm Password" }'>
</div>
</div>
<div class='form-group '>
<label>I am in</label>
<div class='input-group select2-bootstrap-prepend'>
<span class='input-group-addon'><i class='fa fa-edit'></i></span>
<select class='form-control select2' name='study_in' data-bv-stringlength=true data-bv-stringlength-message="'Title' must be between 1 and 150 characters long." data-bv-stringlength-min=1 data-bv-stringlength-max=15 ><option value='9' >IX</option><option value='10' >X</option><option value='11' >XI</option><option value='12' selected>XII</option><option value='13' >XII Passed</option>
</select>
</div>
</div>
</div>
<div class="form-group">
<label class="col-sm-4 control-label">Confirm Security Code</label>
<div class="col-sm-4">
<div class="input-group">
<span class='input-group-addon'><i class='fa fa-eye'></i></span>
<input type="text" class="form-control" name='captcha' data-validate='{"minLength": 1, "maxLength": 50, "label": "Confirm Security Code" }'>
</div>
</div>
<div class="col-sm-4">
<img src='<?php echo generateCaptcha(); ?>' id="captcha">
</div>
</div>
<br>
<div class="form-group">
<div class="col-sm-12">
<button type="submit" class="btn btn-success submit" value='Register'>Register</button>
</div>
</div>
<div class="collapse">
<label>Spiderbro: Don't change me bro, I'm tryin'a catch some flies!</label>
<input name="spiderbro" id="spiderbro" value="http://"/>
</div>
</form>
</div>
<?php echo renderTemplate("footer.html"); ?>
</div> <!-- /container -->
<script>
$(document).ready(function() {
// Load navigation bar
$(".navbar").load("header-loggedout.php", function() {
$(".navbar .navitem-register").addClass('active');
});
// Process submission
$("form[name='newUser']").submit(function(e){
e.preventDefault();
var form = $(this);
var errorMessages = validateFormFields('newUser');
if (errorMessages.length > 0) {
$('#display-alerts').html("");
$.each(errorMessages, function (idx, msg) {
$('#display-alerts').append("<div class='alert alert-danger'>" + msg + "</div>");
});
} else {
// Process form
// Serialize and post to the backend script in ajax mode
var serializedData = form.serialize();
serializedData += '&ajaxMode=true';
//console.log(serializedData);
var url = APIPATH + "create_user.php";
$.ajax({
type: "POST",
url: url,
data: serializedData
}).done(function(result) {
var resultJSON = processJSONResult(result);
if (resultJSON['errors'] && resultJSON['errors'] > 0){
console.log("error");
// Reload captcha
var img_src = APIPATH + 'generate_captcha.php?' + new Date().getTime();
$.ajax({
type: "GET",
url: img_src,
dataType: "text"
}).done(function(result) {
$('#captcha').attr('src', result);
form.find('input[name="captcha"]' ).val("");
alertWidget('display-alerts');
return;
});
} else {
window.location.replace('login.php');
}
});
}
});
});
</script>
</body>
</html>
Raw
secure_functions.php
<?php
require_once("db_functions.php");
require_once("class.mail.php");
// phpDoc Blocks as per the phpDocumentor standard: http://manual.phpdoc.org/HTMLSmartyConverter/HandS/phpDocumentor/tutorial_tags.param.pkg.html
/******************************************************************************************************************
Secured functions. These functions will automatically check the logged in user's permissions against the permit
database before proceeding.
*******************************************************************************************************************/
/**
* Load data for specified user.
* @param int $user_id the id of the user to load.
* @return array $results fetch non-authorization related data for the specified user
*/
function loadUser($user_id){
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
return fetchUser($user_id);
}
/**
* Load data for all users.
* @todo also load group membership
* @param int $limit (optional) the maximum number of users to return.
* @return object $results fetch non-authorization related data for the all users
*/
function loadUsers($limit = NULL){
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
return fetchAllUsers($limit);
}
/**
* Load data for all users in a specified group.
* @param int $group_id the id of the group to search for users.
* @return array $results returns all users of a group
*/
function loadUsersInGroup($group_id){
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
return fetchGroupUsers($group_id);
}
/**
* Create a user with the specified fields.
* @param string $user_name the validated $_POST['user_name'] variable
* @param string $display_name the validated $_POST['display_name'] variable
* @param string $email the validated $_POST['email'] variable
* @param string $title the validated $_POST['title'] variable
* @param string $password the validated $_POST['password'] variable
* @param string $passwordc the validated $_POST['passwordc'] variable
* @param boolean $require_activation value of global $emailActivation when $admin is false
* @param boolean $admin True if admin is creating user, False if not admin creating user.
* @return int $inserted_id
*/
function createUser($user_name, $display_name, $email, $title, $password, $password,$study_in,$require_activation, $admin) {
// if we're in admin mode, then the user must be logged in and have appropriate permissions
if ($admin == "true"){
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
}
$error_count = 0;
// Check values
if(minMaxRange(1,25,$user_name))
{
addAlert("danger", lang("ACCOUNT_USER_CHAR_LIMIT",array(1,25)));
$error_count++;
}
if(!ctype_alnum($user_name)){
addAlert("danger", lang("ACCOUNT_USER_INVALID_CHARACTERS"));
$error_count++;
}
if(minMaxRange(1,50,$display_name))
{
addAlert("danger", lang("ACCOUNT_DISPLAY_CHAR_LIMIT",array(1,50)));
$error_count++;
}
if(!isValidName($display_name)){
addAlert("danger", lang("ACCOUNT_DISPLAY_INVALID_CHARACTERS"));
$error_count++;
}
if(!isValidEmail($email))
{
addAlert("danger", lang("ACCOUNT_INVALID_EMAIL"));
$error_count++;
}
if(minMaxRange(1,150,$title)) {
addAlert("danger", lang("ACCOUNT_TITLE_CHAR_LIMIT",array(1,150)));
$error_count++;
}
if(minMaxRange(8,50,$password) && minMaxRange(8,50,$passwordc))
{
addAlert("danger", lang("ACCOUNT_PASS_CHAR_LIMIT",array(8,50)));
$error_count++;
}
else if($password != $passwordc)
{
addAlert("danger", lang("ACCOUNT_PASS_MISMATCH"));
$error_count++;
}
if(usernameExists($user_name)) {
addAlert("danger", lang("ACCOUNT_USERNAME_IN_USE",array($user_name)));
$error_count++;
}
if(displayNameExists($display_name)) {
addAlert("danger", lang("ACCOUNT_DISPLAYNAME_IN_USE",array($display_name)));
$error_count++;
}
if(emailExists($email)) {
addAlert("danger", lang("ACCOUNT_EMAIL_IN_USE",array($email)));
$error_count++;
}
//Construct a secure hash for the plain text password
$password_hash = passwordHashUF($password);
if ($password_hash === null){
addAlert("danger", lang("PASSWORD_HASH_FAILED"));
$error_count++;
}
// Exit on any invalid parameters
if($error_count != 0)
return false;
//Construct a unique activation token (even if activation is not required)
$activation_token = generateActivationToken();
$active = 1;
//Do we need to require that the user activate their account first?
if($require_activation) {
//User must activate their account first
$active = 0;
$mailSender = new userCakeMail();
//Build the activation message
$activation_message = lang("ACCOUNT_ACTIVATION_MESSAGE",array(SITE_ROOT . "api/", $activation_token));
//Define more if you want to build larger structures
$hooks = array(
"searchStrs" => array("#ACTIVATION-MESSAGE","#ACTIVATION-KEY","#USERNAME#"),
"subjectStrs" => array($activation_message,$activation_token,$display_name)
);
/* Build the template - Optional, you can just use the sendMail function
Instead to pass a message. */
// If there is a mail failure, fatal error
if(!$mailSender->newTemplateMsg("new-registration.txt",$hooks)) {
addAlert("danger", lang("MAIL_ERROR"));
return false;
} else {
//Send the mail. Specify users email here and subject.
//SendMail can have a third paremeter for message if you do not wish to build a template.
if(!$mailSender->sendMail($email, "Please activate your account")) {
addAlert("danger", lang("MAIL_ERROR"));
return false;
}
}
}
// Insert the user into the database and return the new user's id
return addUser($user_name, $display_name, $title, $password_hash, $email, $active, $activation_token);
}
/**
* Activate user based on $user_id.
* @param int $user_id the id of the user to activate.
* @return boolean
*/
function activateUser($user_id) {
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
return activateUserById($user_id);
}
/**
* Update user's display_name based on $user_id and new $display_name.
* @param int $user_id the id of the user to update.
* @param string $display_name the validated $_POST['display_name']
* @return boolean true on success false on failure
*/
function updateUserDisplayName($user_id, $display_name) {
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
//Validate display name
if(displayNameExists($display_name)) {
addAlert("danger", lang("ACCOUNT_DISPLAYNAME_IN_USE",array($display_name)));
return false;
} elseif(minMaxRange(1,50,$display_name)) {
addAlert("danger", lang("ACCOUNT_DISPLAY_CHAR_LIMIT",array(1,50)));
return false;
}
if (updateUserField($user_id, 'display_name', $display_name)){
addAlert("success", lang("ACCOUNT_DISPLAYNAME_UPDATED", array($display_name)));
return true;
}
else {
return false;
}
}
/**
* Update user's email address based on $user_id and new $email.
* @param int $user_id the id of the user to update.
* @param string $email the validated $_POST['email']
* @return boolean true on success false on failure
*/
function updateUserEmail($user_id, $email) {
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
//Validate email
if(!isValidEmail($email)) {
addAlert("danger", lang("ACCOUNT_INVALID_EMAIL"));
return false;
} elseif(emailExists($email)) {
addAlert("danger", lang("ACCOUNT_EMAIL_IN_USE",array($email)));
return false;
}
if (updateUserField($user_id, 'email', $email)){
addAlert("success", lang("ACCOUNT_EMAIL_UPDATED"));
return true;
} else {
return false;
}
}
/**
* Update user's title based on $user_id and new $title.
* @param int $user_id the id of the user to update.
* @param string $title the validated $_POST['title']
* @return boolean true on success false on failure
*/
function updateUserTitle($user_id, $title) {
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
//Validate title
if(minMaxRange(1,150,$title)) {
addAlert("danger", lang("ACCOUNT_TITLE_CHAR_LIMIT",array(1,150)));
return false;
}
if (updateUserField($user_id, 'title', $title)){
$details = fetchUserAuthById($user_id);
$display_name = $details['display_name'];
addAlert("success", lang("ACCOUNT_TITLE_UPDATED", array ($display_name, $title)));
return true;
} else {
return false;
}
}
/**
* Update user's password(hashed value) based on $user_id and new $password & $passwordc.
* @param int $user_id the id of the user to update.
* @param string $password the new password
* @param string $passwordc the new password confirmation
* @return boolean true on success false on failure
*/
function updateUserPassword($user_id, $password, $passwordc) {
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
if($password == "") {
addAlert("danger", lang("ACCOUNT_SPECIFY_NEW_PASSWORD"));
return false;
} else if($passwordc == "") {
addAlert("danger", lang("ACCOUNT_SPECIFY_CONFIRM_PASSWORD"));
return false;
}
else if(minMaxRange(8,50,$password)) {
addAlert("danger", lang("ACCOUNT_NEW_PASSWORD_LENGTH",array(8,50)));
return false;
}
else if($password != $passwordc) {
addAlert("danger", lang("ACCOUNT_PASS_MISMATCH"));
return false;
}
// Hash the user's password and update
$password_hash = passwordHashUF($password);
if ($password_hash === null){
addAlert("danger", lang("PASSWORD_HASH_FAILED"));
return false;
}
if (updateUserField($user_id, 'password', $password_hash)){
addAlert("success", lang("ACCOUNT_PASSWORD_UPDATED"));
return $password_hash;
} else {
return false;
}
}
/**
* Update user's enabled status based on $user_id.
* @param int $user_id the id of the user to enable or disable.
* @param boolean $enabled true for enable, false for disable
* @return boolean true on success false on failure
*/
function updateUserEnabled($user_id, $enabled){
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
global $master_account;
// Cannot disable master account
if ($user_id == $master_account && $enabled == 'false'){
addAlert("danger", lang("ACCOUNT_DISABLE_MASTER"));
return false;
}
if ($enabled == 'true')
$enabled_bit = '1';
else
$enabled_bit = '0';
// Disable the specified user, but leave their information intact in case the account is re-enabled.
if (updateUserField($user_id, 'enabled', $enabled_bit)){
if ($enabled == 'true')
addAlert("success", lang("ACCOUNT_ENABLE_SUCCESSFUL"));
else
addAlert("success", lang("ACCOUNT_DISABLE_SUCCESSFUL"));
return true;
} else {
return false;
}
}
/**
* Set user's primary group (by group_id)
* @param int $user_id the id of the user to update.
* @param int $group_id the id of the group to set as the primary group.
* @return boolean true on success false on failure
*/
function updateUserPrimaryGroup($user_id, $group_id) {
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
// Check that the group exists, and that the user is a member of it
if (!groupIdExists($group_id)){
addAlert("danger", "I'm sorry, the group id you specified is invalid!");
return false;
} else if (!userInGroup($user_id, $group_id)){
addAlert("danger", "I'm sorry, the specified user is not a member of the specified group.");
return false;
} else {
if (updateUserField($user_id, 'primary_group_id', $group_id)){
addAlert("success", "Primary group for user updated.");
return true;
} else {
return false;
}
}
}
/**
* Delete user and associated permissions based on $user_id.
* @param int $user_id the id of the user to delete.
* @return boolean true on success false on failure
*/
function deleteUser($user_id){
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
return removeUser($user_id);
}
/******************** group functions ******************/
/**
* Loads all group information.
* @return array $results contains group information id, name, is_default, can_delete
*/
function loadGroups(){
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
// Calls appropriate function in db_functions
return fetchAllGroups();
}
/**
* Load data for a specified group
* @param int $group_id the id of the group to load.
* @return array $results contains group information based on $group_id
*/
function loadGroup($group_id){
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
// Calls appropriate function in db_functions
return fetchGroupDetails($group_id);
}
/**
* Load data for a specified group's permitted actions or an array of permitted actions for every group
* @param int $group_id the id of the group to load, Could also use (string)all to load permits for all groups instead of one group.
* @return array either a single group's permitted actions, or an array of groups
*/
function loadGroupActionPermits($group_id) {
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
// Calls appropriate function in db_functions
if ($group_id == "all"){
return fetchAllPermits("group");
} else {
return fetchGroupPermits($group_id);
}
}
/**
* Load data for a specified user's permitted actions or an array of permitted actions for every user
* @param int $user_id the id of the user to load, Could also use (string)all to load permits for all users instead of one user.
* @return array either a single user's permitted actions, or an array of users
*/
function loadUserActionPermits($user_id) {
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
// Calls appropriate function in db_functions
if ($user_id == "all"){
return fetchAllPermits("user");
} else {
return fetchUserPermits($user_id);
}
}
/**
* Load groups for a specified user
* @param int $user_id the id of the user to load groups for.
* @return array $results contains all groups the selected user belongs to
*/
function loadUserGroups($user_id){
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
return fetchUserGroups($user_id);
}
/**
* Remove user from specified group
* @param int $user_id the id of the user to load.
* @param int $group_id the group to remove the user from
* @return boolean true for success, false if failed
*/
function removeUserFromGroup($user_id, $group_id){
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
$userGroups = fetchUserGroups($user_id);
// Only try to remove if the user is already part of this group
if (isset($userGroups[$group_id])) {
if ($deletion_count = dbRemoveUserFromGroups($user_id, $group_id)){
if ($deletion_count > 0)
addAlert("success", lang("ACCOUNT_GROUP_REMOVED", array ($userGroups[$group_id]['name'])));
return true;
} else {
return false;
}
}
}
/**
* Add user to specified group
* @param int $user_id the id of the user to load.
* @param int $group_id the group to add the user to
* @return boolean true for success, false if failed
*/
function addUserToGroup($user_id, $group_id){
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
$userGroups = fetchUserGroups($user_id);
$add = array();
// Only try to add if the user is not already part of this group
if (!isset($userGroups[$group_id])) {
if ($count = dbAddUserToGroups($user_id, $group_id)){
if ($count > 0){
$group = fetchGroupDetails($group_id);
addAlert("success", lang("ACCOUNT_GROUP_ADDED", array($group['name'])));
}
return true;
} else {
return false;
}
}
}
/**
* Creates new group based on name
* @param string $name the string name of the group to add.
* @param int $home_page_id the id of the home page for members of this group who have this as a primary group.
* @return boolean true for success, false if failed
*/
function createGroup($name, $home_page_id) {
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
//Validate request
if (groupNameExists($name)){
addAlert("danger", lang("PERMISSION_NAME_IN_USE", array($name)));
return false;
}
elseif (minMaxRange(1, 50, $name)){
addAlert("danger", lang("PERMISSION_CHAR_LIMIT", array(1, 50)));
return false;
}
else {
// Set group as NOT default on creation, and CAN be deleted
if (dbCreateGroup($name, 0, 1, $home_page_id)) {
addAlert("success", lang("PERMISSION_CREATION_SUCCESSFUL", array($name)));
return true;
} else {
return false;
}
}
}
/**
* Creates new action permit mapping for a group
* @param string $group_id the id of the group for which to create a new permit.
* @param string $action_name the name of the action function.
* @param string $permit the permit expression, a sequence of permission validator function calls joined by '&'.
* @return boolean true for success, false if failed
*/
function createGroupActionPermit($group_id, $action_name, $permit){
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
//Check if selected group exists
if(!groupIdExists($group_id)){
addAlert("danger", "I'm sorry, the group id you specified is invalid!");
return false;
}
//Check that secure function name exists
$secure_funcs = fetchSecureFunctions();
if (!isset($secure_funcs[$action_name])){
addAlert("danger", "I'm sorry, the specified action does not exist.");
return false;
}
// Check that permission validators exist
if (!isValidPermitString($permit))
return false;
// Attempt to create in DB
if (!dbCreateActionPermit($group_id, $action_name, $permit, 'group')){
return false;
} else {
addAlert("success", "Successfully created group-level permit for action $action_name");
return true;
}
}
/**
* Creates new action permit mapping for a user
* @param string $user_id the id of the user for which to create a new permit.
* @param string $action_name the name of the action function.
* @param string $permit the permit expression, a sequence of permission validator function calls joined by '&'.
* @return boolean true for success, false if failed
*/
function createUserActionPermit($user_id, $action_name, $permit){
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
//Check if selected user exists
if(!userIdExists($user_id)){
addAlert("danger", "I'm sorry, the user_id you specified is invalid!");
return false;
}
//Check that secure function name exists
$secure_funcs = fetchSecureFunctions();
if (!isset($secure_funcs[$action_name])){
addAlert("danger", "I'm sorry, the specified action does not exist.");
return false;
}
// Check that permission validators exist
if (!isValidPermitString($permit))
return false;
// Attempt to create in DB
if (!dbCreateActionPermit($user_id, $action_name, $permit, 'user')){
return false;
} else {
addAlert("success", "Successfully created user-level permit for action $action_name");
return true;
}
}
/**
* Update group based on new details
* @param int $group_id the id of the group to edit.
* @param string $name the new name of the group
* @param int $is_default 0 if the group is not a default group for new users, 1 if it is, 2 if it is also the primary default group for new users
* @param int $home_page_id the id of the home page for users who have this group as their primary group
* @return boolean true for success, false if failed
*/
function updateGroup($group_id, $name, $is_default, $home_page_id) {
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
//Check if selected group exists
if(!groupIdExists($group_id)){
addAlert("danger", "I'm sorry, the group id you specified is invalid!");
return false;
}
$groupDetails = fetchGroupDetails($group_id); //Fetch information specific to group
//Update group name, if different from previous and not already taken
$name = trim($name);
if(strtolower($name) != strtolower($groupDetails['name'])){
if (groupNameExists($name)) {
addAlert("danger", lang("ACCOUNT_PERMISSIONNAME_IN_USE", array($name)));
return false;
}
elseif (minMaxRange(1, 50, $name)){
addAlert("danger", lang("ACCOUNT_PERMISSION_CHAR_LIMIT", array(1, 50)));
return false;
}
}
if (dbUpdateGroup($group_id, $name, $is_default, $home_page_id)){
addAlert("success", lang("GROUP_UPDATE", array($name)));
return true;
} else {
return false;
}
}
/**
* Update action permit mapping for a group
* @param string $action_id the id of the group action mapping for which to update a permit.
* @param string $group_id the id of the group for this permit. Not necessary to perform update, just included for controlling access based on group_id.
* @param string $permit the permit expression, a sequence of permission validator function calls joined by '&'.
* @return boolean true for success, false if failed
*/
function updateGroupActionPermit($action_id, $group_id, $permit){
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
//Check if selected action exists
$action_permit = fetchActionPermit($action_id, 'group');
if(!$action_permit){
addAlert("danger", "I'm sorry, the action_id you specified is invalid!");
return false;
}
// Check that permission validators exist
if (!isValidPermitString($permit))
return false;
// Attempt to create in DB
if (!dbUpdateActionPermit($action_id, $permit, 'group')){
return false;
} else {
addAlert("success", "Successfully updated permit for action {$action_permit['action']}");
return true;
}
}
/**
* Update action permit mapping for a user
* @param string $action_id the id of the user action mapping for which to update a permit.
* @param string $user_id the id of the user for this permit. Not necessary to perform update, just included for controlling access based on user_id.
* @param string $permit the permit expression, a sequence of permission validator function calls joined by '&'.
* @return boolean true for success, false if failed
*/
function updateUserActionPermit($action_id, $user_id, $permit){
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
// TODO: Check that user exists
//Check if selected action exists
$action_permit = fetchActionPermit($action_id, 'user');
if(!$action_permit){
addAlert("danger", "I'm sorry, the action_id you specified is invalid!");
return false;
}
// Check that permission validators exist
if (!isValidPermitString($permit))
return false;
// Attempt to create in DB
if (!dbUpdateActionPermit($action_id, $permit, 'user')){
return false;
} else {
addAlert("success", "Successfully updated permit for action {$action_permit['action']}");
return true;
}
}
/**
* Deletes group based on $group_id
* @param int $group_id the id of the group to delete.
* @return boolean true for success, false if failed
*/
function deleteGroup($group_id) {
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
if ($name = dbDeleteGroup($group_id)){
addAlert("success", lang("PERMISSION_DELETION_SUCCESSFUL_NAME", array($name)));
return true;
} else {
return false;
}
}
/**
* Delete action permit mapping for a group.
* @param int $action_id the id of the action mapping to delete.
* @return boolean true for success, false if failed
*/
function deleteGroupActionPermit($action_id) {
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
if ($name = dbDeleteActionPermit($action_id, "group")){
addAlert("success", "Successfully deleted the specified action-permit mapping for the group.");
return true;
} else {
return false;
}
}
/**
* Delete action permit mapping for a user.
* @param int $action_id the id of the user action mapping to delete.
* @return boolean true for success, false if failed
*/
function deleteUserActionPermit($action_id) {
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
if ($name = dbDeleteActionPermit($action_id, "user")){
addAlert("success", "Successfully deleted the specified action-permit mapping for the user.");
return true;
} else {
return false;
}
}
/************************* Site configuration functions *************************/
/**
* Retrieve all site settings in a array
* @return array $results contains all site settings
*/
function loadSiteSettings(){
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
return fetchConfigParameters();
}
/**
* Update site settings
* @param array $settings the array of key => value to update.
* @return boolean true for success, false if failed
*/
function updateSiteSettings($settings){
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
return updateConfig($settings);
}
/**
* Retrieve all site plugin settings in a array
* @return array $results contains all plugin settings
*/
function loadSitePluginSettings(){
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
return fetchConfigParametersPlugins();
}
/**
* Update site plugin settings
* @param string $name the name of the value to update.
* @param string $value the value to update with
* @return boolean true for success, false if failed
*/
function updateSitePluginSettings($name, $value){
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
return updatePluginConfig($name, $value);
}
/************************* Site page functions *************************/
// Load list of all site pages from DB, updating as necessary. Recommend only allow root access.
/**
* Loads all site pages, adds new pages found, deletes pages not found
* @return array $allPages containing all pages and associated permissions for those pages
*/
function loadSitePages(){
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
global $page_include_paths;
try {
// Retrieve files in all included directories
$pages = array();
foreach ($page_include_paths as $path){
$pages = array_merge($pages, getPageFiles($path));
}
$dbpages = fetchAllPages(); //Retrieve list of pages in pages table
$creations = array();
$deletions = array();
$originals = array();
//Check if any pages exist which are not in DB
foreach ($pages as $page){
if(!isset($dbpages[$page])){
$creations[] = $page;
}
}
//Enter new pages in DB if found
if (count($creations) > 0) {
createPages($creations) ;
}
// Find pages in table which no longer exist
if (count($dbpages) > 0){
//Check if DB contains pages that don't exist
foreach ($dbpages as $page){
if(!isset($pages[$page['page']])){
$deletions[] = $page['id'];
} else {
$originals[] = $page['id'];
}
}
}
$allPages = fetchAllPages();
// Merge the newly created pages, plus the pages slated for deletion, load their permissions, and set a flag (C)reated, (U)pdated, (D)eleted
foreach ($allPages as $page){
$id = $page['id'];
$name = $page['page'];
if (in_array($name, $creations)){
$allPages[$name]['status'] = 'C';
} else if (in_array($id, $deletions)){
$allPages[$name]['status'] = 'D';
} else {
$allPages[$name]['status'] = 'U';
}
$pageGroups = fetchPageGroups($id);
if ($pageGroups)
$allPages[$name]['permissions'] = $pageGroups;
else
$allPages[$name]['permissions'] = array();
}
//Delete pages from DB
if (count($deletions) > 0) {
deletePages($deletions);
}
return $allPages;
} catch (PDOException $e) {
addAlert("danger", "Oops, looks like our database encountered an error.");
error_log("Error in " . $e->getFile() . " on line " . $e->getLine() . ": " . $e->getMessage());
} catch (ErrorException $e) {
addAlert("danger", "Oops, looks like our server might have goofed. If you're an admin, please check the PHP error logs.");
}
}
/**
* Link/unlink the specified group with the specified page. Recommend root access only.
* @param int $page_id the id of the page
* @param int $group_id the id of the group
* @param boolean $checked 1 if private page 0 if public
* @return boolean true for success, false if failed
*/
function updatePageGroupLink($page_id, $group_id, $checked){
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
//Check if selected page exists
if(!pageIdExists($page_id)){
addAlert("danger", "I'm sorry, the page id you specified is invalid!");
return false;
}
//TODO: Check if selected group exists
$pageDetails = fetchPageDetails($page_id); //Fetch information specific to page
// Determine if we're changing the 'private' status, or a specific group
if ($group_id == "private"){
// Set as private if checked=1, otherwise set as 0
updatePrivate($page_id, $checked);
return true;
} else {
// Get the current page groups
$pageGroups = fetchPageGroups($page_id);
// Add the group if checked=1 and the page doesn't already have that group assigned
if ($checked == "1") {
if (!isset($pageGroups[$group_id])){
addPage($page_id, $group_id);
return true;
} else {
return false;
}
} else {
if (isset($pageGroups[$group_id])){
removePage($page_id, $group_id);
return true;
} else {
return false;
}
}
}
}
/***************************** Secure function authorization functions - recommend allow root user access only! *****************************/
// This function allows you to view action permissions for groups.
function loadSecureFunctions(){
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
return fetchSecureFunctions();
}
// This function allows you to view a list of permission validator functions.
function loadPermissionValidators(){
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
return fetchPermissionValidators();
}
// Returns a list of commonly used preset permit options
function loadPresetPermitOptions($fields){
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
return fetchPresetPermitOptions($fields);
}
?>
Raw
update_user.php
<?php
require_once("../models/config.php");
set_error_handler('logAllErrors');
// Request method: POST
$ajax = checkRequestMode("post");
// User must be logged in
checkLoggedInUser($ajax);
$validator = new Validator();
// Required: csrf_token, user_id
$csrf_token = $validator->requiredPostVar('csrf_token');
$user_id = $validator->requiredNumericPostVar('user_id');
$display_name = trim($validator->optionalPostVar('display_name'));
$email = str_normalize($validator->optionalPostVar('email'));
$title = trim($validator->optionalPostVar('title'));
$rm_groups = $validator->optionalPostVar('remove_groups');
$add_groups = $validator->optionalPostVar('add_groups');
$enabled = $validator->optionalPostVar('enabled');
$primary_group_id = $validator->optionalPostVar('primary_group_id');
// For updating passwords. The user's current password must also be included (passwordcheck) if they are resetting their own password.
$password = $validator->optionalPostVar('password');
$passwordc = $validator->optionalPostVar('passwordc');
$passwordcheck = $validator->optionalPostVar('passwordcheck');
// Add alerts for any failed input validation
foreach ($validator->errors as $error){
addAlert("danger", $error);
}
// Validate csrf token
checkCSRF($ajax, $csrf_token);
if (count($validator->errors) > 0){
apiReturnError($ajax, getReferralPage());
}
// Special case to update the logged in user (self)
$self = false;
if ($user_id == "0"){
$self = true;
$user_id = $loggedInUser->user_id;
}
//Check if selected user exists
if(!$user_id or !userIdExists($user_id)){
addAlert("danger", lang("ACCOUNT_INVALID_USER_ID"));
apiReturnError($ajax, getReferralPage());
}
$userdetails = fetchUserAuthById($user_id); //Fetch user details
$error_count = 0;
$success_count = 0;
//Update display name if specified and different from current value
if ($display_name && $userdetails['display_name'] != $display_name){
if (!updateUserDisplayName($user_id, $display_name)){
$error_count++;
$display_name = $userdetails['display_name'];
} else {
$success_count++;
}
} else {
$display_name = $userdetails['display_name'];
}
//Update email if specified and different from current value
if ($email && $userdetails['email'] != $email){
if (!updateUserEmail($user_id, $email)){
$error_count++;
} else {
$success_count++;
}
}
//Update title if specified and different from current value
if ($title && $userdetails['title'] != $title){
if (!updateUserTitle($user_id, $title)){
$error_count++;
} else {
$success_count++;
}
}
// Update enabled if specified
if ($enabled !== null){
if (!updateUserEnabled($user_id, $enabled)){
$error_count++;
} else {
$success_count++;
}
}
// Update password if specified
if ($password) {
// If updating own password, validate their current password
if ($self){
//Confirm the hashes match before updating a users password
if ($passwordcheck == ""){
addAlert("danger", lang("ACCOUNT_SPECIFY_PASSWORD"));
apiReturnError($ajax, getReferralPage());
} else if (!passwordVerifyUF($passwordcheck, $loggedInUser->hash_pw)) {
//No match
addAlert("danger", lang("ACCOUNT_PASSWORD_INVALID"));
apiReturnError($ajax, getReferralPage());
}
}
// Prevent updating if someone attempts to update with the same password
if(passwordVerifyUF($password, $loggedInUser->hash_pw)) {
addAlert("danger", lang("ACCOUNT_PASSWORD_NOTHING_TO_UPDATE"));
apiReturnError($ajax, getReferralPage());
}
if (!$password_hash = updateUserPassword($user_id, $password, $passwordc)){
$error_count++;
} else {
// If we're updating for the currently logged in user, update their hash_pw field
if ($self)
$loggedInUser->hash_pw = $password_hash;
$success_count++;
}
}
//Remove groups
if(!empty($rm_groups)){
// Convert string of comma-separated group_id's into array
$group_ids_arr = explode(',',$rm_groups);
foreach ($group_ids_arr as $group_id){
if (removeUserFromGroup($user_id, $group_id)){
$success_count++;
} else {
$error_count++;
}
}
}
// Add groups
if(!empty($add_groups)){
// Convert string of comma-separated group_id's into array
$group_ids_arr = explode(',',$add_groups);
foreach ($group_ids_arr as $group_id){
if (addUserToGroup($user_id, $group_id)){
$success_count++;
} else {
$error_count++;
}
}
}
// Set primary group (must be done after group membership is set)
if ($primary_group_id && $userdetails['primary_group_id'] != $primary_group_id){
if (updateUserPrimaryGroup($user_id, $primary_group_id)){
$success_count++;
} else {
$error_count++;
}
}
restore_error_handler();
if ($error_count > 0){
apiReturnError($ajax, getReferralPage());
} else {
apiReturnSuccess($ajax, getReferralPage());
}
?>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment