Beispiel #1
    lovd_showInfoTable('Can\'t uninstall LOVD - Uninstall lock in place.', 'warning');
    $_T->printFooter();
    exit;
}
if (!empty($_POST)) {
    lovd_errorClean();
    if (!isset($_GET['confirm'])) {
        // Check password.
        if (!lovd_verifyPassword($_POST['password'], $_AUTH['password'])) {
            lovd_errorAdd('password', 'Please enter your correct password for authorization.');
        }
    }
    if (!lovd_error()) {
        if (isset($_GET['confirm'])) {
            // Check password.
            if (!lovd_verifyPassword($_POST['password'], $_AUTH['password'])) {
                lovd_errorAdd('password', 'Please enter your correct password for authorization.');
            }
            if (!lovd_error()) {
                // OK, uninstall the lot.
                print '      <B>Uninstalling LOVD...</B><BR>' . "\n" . '      <BR>' . "\n\n";
                require ROOT_PATH . 'class/progress_bar.php';
                // This already puts the progress bar on the screen.
                $_BAR = new ProgressBar('', 'Initiating removal of LOVD...');
                $_T->printFooter(false);
                // The false prevents the footer to actually close the <BODY> and <HTML> tags.
                // Now we're still in the <BODY> so the progress bar can add <SCRIPT> tags as much as it wants.
                flush();
                // The reason to invert the tables is to handle all foreign key constraints nicely.
                $aTables = array_reverse($_TABLES);
                $nTables = count($aTables);
Beispiel #2
 /**
  * Validates submitted data for this object before it is stored.
  *
  * First walks the form definition returned by getForm(): values are trimmed
  * (both in $aData and in the matching $_POST/$_GET superglobal), the fields
  * listed in $this->aCheckMandatory must be non-empty, 'select' values must be
  * one of the defined options, 'checkbox' values must be '0' or '1', and a
  * 'password' field is verified against the logged-in user's password hash.
  * Then every string value in $aData is checked against the column type and
  * maximum length of the table named by $this->sTable.
  * Problems are reported through lovd_errorAdd(); nothing is thrown.
  *
  * @param array $aData Submitted values to check; when called from import.php
  *                     the values are not tied to a form entry (see below).
  * @param array|false $zData Existing record when editing; not read by this method.
  * @return array $aData, with values trimmed and defaults filled in for
  *               select/checkbox fields the browser did not send.
  */
 function checkFields($aData, $zData = false)
 {
     // Checks fields before submission of data.
     global $_AUTH, $_SETT;
     $aForm = $this->getForm();
     $aFormInfo = array();
     if ($aForm) {
         // The first entry of a full form array names the request method ('GET' or 'POST').
         $aFormInfo = $aForm[0];
         if (!in_array($aFormInfo[0], array('GET', 'POST'))) {
             // We're not working on a full form array, possibly an incomplete VOT form.
             $aFormInfo = array('POST');
         } else {
             unset($aForm[0]);
         }
     } else {
         // No form information available.
         $aForm = array();
     }
     if (lovd_getProjectFile() != '/import.php') {
         // Always mandatory... unless importing.
         // This is what makes an empty password an error; see the 'password' check further down.
         $this->aCheckMandatory[] = 'password';
     }
     $aHeaders = array();
     // Validate form by looking at the form itself, and check what's needed.
     foreach ($aForm as $aField) {
         if (!is_array($aField)) {
             // 'skip', 'hr', etc...
             continue;
         }
         // The '@' silences the notices for form entries that carry fewer than four elements.
         @(list($sHeader, $sHelp, $sType, $sName) = $aField);
         if (lovd_getProjectFile() == '/import.php') {
             // During import, we don't mention the field names how they appear on screen, but using their IDs which are used in the file.
             $sHeader = $sName;
         }
         $aHeaders[$sName] = $sHeader;
         // Trim() all fields. We don't want those spaces in the database anyway.
         // Note that the superglobal ($_POST or $_GET, per $aFormInfo[0]) is rewritten too, not just $aData.
         if (lovd_getProjectFile() != '/import.php' && isset($aData[$sName]) && !is_array($aData[$sName])) {
             $GLOBALS['_' . $aFormInfo[0]][$sName] = trim($GLOBALS['_' . $aFormInfo[0]][$sName]);
             $aData[$sName] = trim($aData[$sName]);
         }
         // Mandatory fields, as defined by child object.
         // Compared against '' on purpose: '0' is a valid value and must not count as missing.
         if (in_array($sName, $this->aCheckMandatory) && (!isset($aData[$sName]) || $aData[$sName] === '')) {
             lovd_errorAdd($sName, 'Please fill in the \'' . $sHeader . '\' field.');
         }
         if ($sType == 'select') {
             if (!empty($aField[7])) {
                 // The browser fails to send value if selection list w/ multiple selection options is left empty.
                 // This is causing notices in the code.
                 if (!isset($aData[$sName])) {
                     $GLOBALS['_' . $aFormInfo[0]][$sName] = array();
                     $aData[$sName] = array();
                 }
             }
             // Simple check on non-custom columns (custom columns have their own function for this) to see if the given value is actually allowed.
             // 0 is a valid entry for the check for mandatory fields, so we should also check if 0 is a valid entry in the selection list!
             // Custom columns are recognised by the '/' in their name and skipped here.
             if (strpos($sName, '/') === false && isset($aData[$sName]) && $aData[$sName] !== '') {
                 $Val = $aData[$sName];
                 // $aField[5] maps option value => label; only the values are relevant here.
                 $aOptions = array_keys($aField[5]);
                 if (lovd_getProjectFile() == '/import.php' && !is_array($Val)) {
                     $Val = explode(';', $Val);
                     // Normally the form sends an array, but from the import I need to create an array.
                 } elseif (!is_array($Val)) {
                     $Val = array($Val);
                 }
                 foreach ($Val as $sValue) {
                     $sValue = trim($sValue);
                     // Trim whitespace from $sValue to ensure match independent of whitespace.
                     // Loose comparison on purpose: numeric option values become integer array keys,
                     // while the submitted value is a string.
                     if (!in_array($sValue, $aOptions)) {
                         if (lovd_getProjectFile() == '/import.php') {
                             lovd_errorAdd($sName, 'Please select a valid entry from the \'' . $sHeader . '\' selection box, \'' . strip_tags($sValue) . '\' is not a valid value. Please choose from these options: \'' . implode('\', \'', $aOptions) . '\'.');
                         } else {
                             lovd_errorAdd($sName, 'Please select a valid entry from the \'' . $sHeader . '\' selection box, \'' . strip_tags($sValue) . '\' is not a valid value.');
                         }
                     }
                 }
             }
         } elseif ($sType == 'checkbox') {
             // The browser fails to send value if checkbox is left empty.
             // This is causing problems sometimes with MySQL, since INT
             // columns can't receive an empty string if STRICT is on.
             if (!isset($aData[$sName])) {
                 $GLOBALS['_' . $aFormInfo[0]][$sName] = 0;
                 $aData[$sName] = 0;
             } elseif (!in_array($aData[$sName], array('0', '1'))) {
                 lovd_errorAdd($sName, 'The field \'' . $sHeader . '\' must contain either a \'0\' or a \'1\'.');
             }
         }
         if ($sName == 'password') {
             // Password is in the form, it must be checked. Assuming here that it is also considered mandatory.
             // An empty password is only reported by the mandatory-field check above, which is not
             // active when importing; here only a non-empty, wrong password is reported.
             if (!empty($aData['password']) && !lovd_verifyPassword($aData['password'], $_AUTH['password'])) {
                 lovd_errorAdd('password', 'Please enter your correct password for authorization.');
             }
         }
     }
     // Check all fields that we receive for data type and maximum length.
     // No longer to this through $aForm, because when importing,
     //  we do have data to check but no $aForm entry linked to it.
     foreach ($aData as $sFieldname => $sFieldvalue) {
         if (!is_string($sFieldvalue)) {
             // Checks below currently do not handle non-string values.
             continue;
         }
         $sNameClean = preg_replace('/^\\d{' . $_SETT['objectid_length']['transcripts'] . '}_/', '', $sFieldname);
         // Remove prefix (transcriptid) that LOVD_TranscriptVariants puts there.
         // Prefer the on-screen header collected above; fall back to the raw field name.
         if (isset($aHeaders[$sFieldname])) {
             $sHeader = $aHeaders[$sFieldname];
         } else {
             $sHeader = $sFieldname;
         }
         // Checking free text fields for max length, data types, etc.
         // $this->sTable holds the name of the table constant; constant() resolves it to the table name.
         if ($sMySQLType = lovd_getColumnType(constant($this->sTable), $sNameClean)) {
             // FIXME; we're assuming here, that $sName equals the database name. Which is true in probably most/every case, but even so...
             // FIXME; select fields might also benefit from having this check (especially for import).
             // Check max length.
             $nMaxLength = lovd_getColumnLength(constant($this->sTable), $sNameClean);
             // empty() is true for '0' as well, so a plain '0' skips both the length and the type checks.
             if (!empty($sFieldvalue)) {
                 // For numerical columns, maxlength works differently!
                 // The limit is the largest number with $nMaxLength digits; the (int) cast truncates any decimals.
                 if (in_array($sMySQLType, array('DECIMAL', 'DECIMAL_UNSIGNED', 'FLOAT', 'FLOAT_UNSIGNED', 'INT', 'INT_UNSIGNED'))) {
                     // SIGNED cols: negative values.
                     if (in_array($sMySQLType, array('DECIMAL', 'INT')) && (int) $sFieldvalue < (int) ('-' . str_repeat('9', $nMaxLength))) {
                         lovd_errorAdd($sFieldname, 'The \'' . $sHeader . '\' field is limited to numbers no lower than -' . str_repeat('9', $nMaxLength) . '.');
                     }
                     // ALL numerical cols (except floats): positive values.
                     if (substr($sMySQLType, 0, 5) != 'FLOAT' && (int) $sFieldvalue > (int) str_repeat('9', $nMaxLength)) {
                         lovd_errorAdd($sFieldname, 'The \'' . $sHeader . '\' field is limited to numbers no higher than ' . str_repeat('9', $nMaxLength) . '.');
                     }
                 } elseif (strlen($sFieldvalue) > $nMaxLength) {
                     // strlen() counts bytes, so multi-byte (UTF-8) input is measured in bytes here.
                     lovd_errorAdd($sFieldname, 'The \'' . $sHeader . '\' field is limited to ' . $nMaxLength . ' characters, you entered ' . strlen($sFieldvalue) . '.');
                 }
             }
             // Check data type.
             if (!empty($sFieldvalue)) {
                 switch ($sMySQLType) {
                     case 'DATE':
                         if (!lovd_matchDate($sFieldvalue)) {
                             lovd_errorAdd($sFieldname, 'The field \'' . $sHeader . '\' must contain a date in the format YYYY-MM-DD, "' . htmlspecialchars($sFieldvalue) . '" does not match.');
                         }
                         break;
                     case 'DATETIME':
                         // Date separated by '.', '/' or '-', with an optional HH:MM:SS part.
                         if (!preg_match('/^[0-9]{4}[.\\/-][0-9]{2}[.\\/-][0-9]{2}( [0-9]{2}\\:[0-9]{2}\\:[0-9]{2})?$/', $sFieldvalue)) {
                             lovd_errorAdd($sFieldname, 'The field \'' . $sHeader . '\' must contain a date, possibly including a time, in the format YYYY-MM-DD HH:MM:SS, "' . htmlspecialchars($sFieldvalue) . '" does not match.');
                         }
                         break;
                     case 'DECIMAL':
                     case 'DECIMAL_UNSIGNED':
                     case 'FLOAT':
                     case 'FLOAT_UNSIGNED':
                         // Reads as: not numeric, OR (unsigned column AND negative) -- && binds tighter than ||.
                         if (!is_numeric($sFieldvalue) || substr($sMySQLType, -8) == 'UNSIGNED' && $sFieldvalue < 0) {
                             lovd_errorAdd($sFieldname, 'The field \'' . $sHeader . '\' must contain a' . (substr($sMySQLType, -8) != 'UNSIGNED' ? '' : ' positive') . ' number, "' . htmlspecialchars($sFieldvalue) . '" does not match.');
                         }
                         break;
                     case 'INT':
                     case 'INT_UNSIGNED':
                         // Only the signed INT column accepts a leading minus sign.
                         if (!preg_match('/^' . ($sMySQLType != 'INT' ? '' : '\\-?') . '[0-9]*$/', $sFieldvalue)) {
                             lovd_errorAdd($sFieldname, 'The field \'' . $sHeader . '\' must contain a' . ($sMySQLType == 'INT' ? 'n' : ' positive') . ' integer, "' . htmlspecialchars($sFieldvalue) . '" does not match.');
                         }
                         break;
                 }
             }
         }
     }
     return $aData;
 }
Beispiel #3
             $_SESSION['password_force_change'] = true;
         }
         // Check if referer is given, check it, then forward the user.
         if (!empty($_POST['referer'])) {
             // Location is within this LOVD installation.
             $sLocation = $_POST['referer'];
         } else {
             // Redirect to proper location will be done somewhere else in this code.
             $sLocation = lovd_getInstallURL() . 'login';
         }
         header('Location: ' . $sLocation);
         exit;
     }
 }
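 // The bad logins end up here!
 // Reached when no user record was found for the username, or one was found,
 // no earlier error was raised, and the supplied password does not verify.
 // (&& binds tighter than ||; the parentheses only make that explicit.)
 if (!$zUser || (!lovd_error() && !lovd_verifyPassword($_POST['password'], $zUser['password']))) {
     // Only the length of the password is logged, never the password itself.
     // Guarded so that a non-string (e.g. array) value does not make strlen() throw.
     $nPasswordLength = (is_string($_POST['password']) ? strlen($_POST['password']) : 0);
     // The username (and the reverse-DNS name) are attacker-influenced input that ends up in
     // the log; strip control characters, including CR/LF, so that one failed attempt cannot
     // forge additional log lines.
     $sLogMessage = $_SERVER['REMOTE_ADDR'] . ' (' . gethostbyaddr($_SERVER['REMOTE_ADDR']) . ') tried logging in using ' . $_POST['username'] . '/' . str_repeat('*', $nPasswordLength);
     lovd_writeLog('Auth', 'AuthError', preg_replace('/[\x00-\x1F\x7F]/', '', $sLogMessage));
     lovd_errorAdd('', 'Invalid Username/Password combination.');
     // This may not actually update (user misspelled his username) but we can call the query anyway.
     // The username is passed as a bound parameter; admin-level accounts are never counted towards a lock-out.
     if ($_CONF['lock_users']) {
         $_DB->query('UPDATE ' . TABLE_USERS . ' SET login_attempts = login_attempts + 1 WHERE username = ? AND level < ' . LEVEL_ADMIN, array($_POST['username']), false);
     }
     // Check if the user is locked, now.
     // $zUser presumably still holds the count from before the UPDATE above, hence the "3 - 1".
     if ($zUser && $zUser['login_attempts'] >= 3 - 1) {
         lovd_errorAdd('password', 'Your account is now locked, since this is the third time a wrong password was provided.');
     }
     // The "Forgot my password" option.
     if ($_CONF['allow_unlock_accounts']) {
         lovd_errorAdd('', 'Did you <A href="reset_password">forget your password</A>?');
     }
 }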
Beispiel #4
         // Of the selected persons, at least one should be shown AND able to edit!
         $bCurator = false;
         foreach ($_POST['curators'] as $nUserID) {
             if (in_array($nUserID, $_POST['allow_edit']) && in_array($nUserID, $_POST['shown'])) {
                 $bCurator = true;
                 break;
             }
         }
         if (!$bCurator) {
             lovd_errorAdd('', 'Please select at least one curator that is allowed to edit <I>and</I> is shown on the gene home page!');
         }
     }
     // Mandatory fields.
     if (empty($_POST['password'])) {
         lovd_errorAdd('password', 'Please fill in the \'Enter your password for authorization\' field.');
     } elseif ($_POST['password'] && !lovd_verifyPassword($_POST['password'], $_AUTH['password'])) {
         // User had to enter his/her password for authorization.
         lovd_errorAdd('password', 'Please enter your correct password for authorization.');
     }
 } else {
     // MUST select at least one visible curator!
     if (empty($_POST['curators']) || empty($_POST['shown'])) {
         lovd_errorAdd('', 'Please select at least one curator to be shown on the gene home page!');
     }
 }
 if (!lovd_error()) {
     // What's by far the most efficient code-wise is just insert/update all we've got and delete everything else.
     // Prepare log for changes.
     // (depends on current database status, so we create the log message before
     // the changes are committed, but log the actual message afterwards).
     $sLogMessage = lovd_prepareCuratorLogMessage($sID, $_POST['curators'], $_POST['allow_edit'], $_POST['shown']);
Beispiel #5
    }
}
if (FORMAT == 'text/plain' && !defined('FORMAT_ALLOW_TEXTPLAIN')) {
    // Plain-text output is only served where the caller explicitly allows it.
    die(AJAX_NO_AUTH);
}
// Locate the class file for the requested object type; the file name is built
// from $sObject, so it has to be a plain identifier (letters and underscores).
// NOTE(review): where $sObject comes from is not visible here -- confirm it is
// validated before it is used to build a path that gets require'd.
$sFile = sprintf('%sclass/object_%ss.php', ROOT_PATH, strtolower($sObject));
if (!file_exists($sFile)) {
    header('HTTP/1.0 404 Not Found');
    exit;
}
require $sFile;
// The class name keeps the object name's case but drops its underscores.
$sObjectClassname = 'LOVD_' . strtr($sObject, array('_' => ''));
$_DATA = new $sObjectClassname($sObjectID, $nID);
if (POST && ACTION == 'applyFR') {
    // Apply find & replace.
    if ($_AUTH['level'] < LEVEL_CURATOR || !isset($_POST['password']) || !lovd_verifyPassword($_POST['password'], $_AUTH['password'])) {
        // Not authorized for find & replace.
        die(AJAX_NO_AUTH);
    }
    $aFROptions['sFRMatchType'] = isset($_POST['FRMatchType_' . $sViewListID]) ? $_POST['FRMatchType_' . $sViewListID] : null;
    $aFROptions['bFRReplaceAll'] = isset($_POST['FRReplaceAll_' . $sViewListID]) ? $_POST['FRReplaceAll_' . $sViewListID] : null;
    if (!isset($_POST['FRFieldname_' . $sViewListID]) || !isset($_POST['FRSearch_' . $sViewListID]) || !isset($_POST['FRReplace_' . $sViewListID])) {
        die(AJAX_DATA_ERROR);
    }
    // Setup search filters before applying find & replace.
    list($WHERE, $HAVING, $aArguments, $aBadSyntaxColumns, $aColTypes) = $_DATA->processViewListSearchArgs($_POST);
    // Update where/having clauses based on search filters (needed for LOVD_Object->buildSQL()).
    if ($WHERE) {
        $_DATA->aSQLViewList['WHERE'] .= ($_DATA->aSQLViewList['WHERE'] ? ' AND ' : '') . $WHERE;
    }
    if ($HAVING) {