/*
 * autocomplete_users_data($where = NULL)
 *
 * Builds the rows consumed by the user autocomplete widget: one
 * array('label' => "<name> (<id>)", 'category' => <category>) per user.
 *
 * Every argument is forwarded untouched to user_data() via func_get_args(),
 * so the signature is a documentation mirror of that helper rather than a
 * real filter of its own.
 *
 * Admin-only: the result enumerates user names and IDs, which is more than
 * a regular member should be able to pull out of the browser.
 *
 * NOTE(review): the label is raw text, not HTML-escaped here; whatever
 * renders it into the page must escape it for its own context.
 */
function autocomplete_users_data($where = NULL) {
    restrict_access('A'); // an awful lot of names would otherwise be dumped to the client

    $users = call_user_func_array('user_data', func_get_args());

    $rows = array();
    foreach ($users as $user) {
        $label = $user['name'] . ' (' . $user['id'] . ')';
        $rows[] = array(
            'label'    => $label,
            'category' => $user['category'],
        );
    }
    return $rows;
}
<?php /* * Admin/User_List.php * LHS Math Club Website * * Shows a list of users */ require_once '../.lib/functions.php'; restrict_access('A'); show_page(); function show_page() { global $use_rel_external_script; // direct page_header to include some javascript that will make links $use_rel_external_script = true; // marked as rel="external" open in a new tab while remaining XHTML-valid page_header('User List'); // Generate code for the different tables of users included in the body $captains_table = generate_user_table('SELECT id, name, email, yog FROM users WHERE permissions="C" ORDER BY yog ASC, name'); $other_admins_table = generate_user_table('SELECT id, name, email, yog FROM users WHERE permissions="A" ORDER BY yog ASC, name'); $members_table = generate_user_table('SELECT id, name, email, yog FROM users WHERE permissions="R" AND approved="1" ORDER BY yog ASC, name'); $alumni_table = generate_user_table('SELECT id, name, email, yog FROM users WHERE permissions="L" ORDER BY yog DESC, name'); $banned_users_table = generate_user_table('SELECT id, name, email, yog, creation_date, DATE_FORMAT(creation_date, "%M %e, %Y") AS formatted_creation FROM users WHERE approved="-1" ORDER BY creation_date DESC'); // The Pending Approval Table is different $pending_approval_table = <<<HEREDOC <table class="contrasting"> <tr> <th>Name</th> <th>Email Address</th> <th>YOG</th>
<?php /* * My_Scores.php * LHS Math Club Website * * Displays the user's contest scores */ require_once '.lib/functions.php'; restrict_access('RA'); show_page(); function show_page() { page_header('My Scores'); echo <<<HEREDOC <h1>My Scores</h1> HEREDOC; $query = 'SELECT test_scores.score AS score, tests.name AS name, tests.total_points AS total, DATE_FORMAT(tests.date, "%M %e, %Y") AS formatted_date' . ' FROM test_scores' . ' INNER JOIN tests ON tests.test_id=test_scores.test_id' . ' WHERE test_scores.user_id="' . mysqli_real_escape_string(DB::get(), $_SESSION['user_id']) . '" AND archived="0"' . ' ORDER BY tests.date DESC'; $result = DB::queryRaw($query); if (mysqli_num_rows($result) > 0) { echo <<<HEREDOC <h4>Recent Tests</h4> <table class="contrasting"> <tr> <th>Test</th> <th>Score</th> <th>Date</th> </tr> HEREDOC;
<?php /* * Account/Register.php * LHS Math Club Website * * Allows users to create an account on the website. */ require_once '../.lib/functions.php'; restrict_access('X'); // only for logged-out users //Expire any pre-approved-email invitation if it's past the expiration (15 min). if (isset($_SESSION['PREAPPROVED_expiry']) && $_SESSION['PREAPPROVED_expiry'] < time()) { header('Location: Signout'); } if (isset($_POST['do_register'])) { process_form(); } else { show_form(); } /* * show_form($err, $selected_field) * * Shows the registration form, with optional error message. * * $selected_field is the name of the field to put the cursor into; if the * form was already submitted but had errors, the cursor goes into the * problematic field, for convenience. */ function show_form() {
<?php /* * Account/My_Profile.php * LHS Math Club Website * * Allows users to view and change their stored personal information */ require_once '../.lib/functions.php'; restrict_access('RLA'); set_login_data($_SESSION['user_id']); // visiting this page will cause your cached data to reload if (isset($_POST['do_change_email'])) { change_email(); } else { if (isset($_POST['do_change_cell'])) { change_cell(); } else { if (isset($_POST['do_change_password'])) { change_password(); } else { if (isset($_GET['Email'])) { show_change_email_page('', 'email'); } else { if (isset($_GET['Cell'])) { show_change_cell_page('', 'cell'); } else { if (isset($_GET['Password'])) { show_change_password_page(''); } else { if (isset($_GET['Mailings'])) {
<?php
/*
 * About.php
 * LHS Math Club Website
 *
 * Credits page. Open to everyone ('X' = logged out), but the original
 * author's full name and homepage link are only shown to logged-in users.
 */
require_once '.lib/functions.php';
restrict_access('XRLA');

// Privacy control: anonymous visitors get the abbreviated name only.
$benjamin_tidor = isset($_SESSION['user_id'])
    ? '<a href="http://tidor.net" rel="external">Benjamin Tidor</a>'
    : 'Benjamin T.';

page_title('About');
?>
<h1>About</h1>
<h3>LHS Math Club Website</h3>
Written in <a href="http://www.php.net/" rel="external">PHP</a> 2008-2012 by <?php echo $benjamin_tidor; ?> <br />
With design assistance from <a href="http://teddomain.zzl.org/" rel="external">Ted Zhu</a><br />
Heavily revised and updated by <a href="http://clive.io" rel="external">Clive Chan</a> 2013-present<br />
and well-maintained by all LHSMATH webmasters.<br />
<br />
All pages consist of <a href="http://validator.w3.org/check?uri=referer" rel="external">valid XHTML 1.0</a> and <a href="http://jigsaw.w3.org/css-validator/check/referer?profile=css3" rel="external">CSS 3</a><br />
<br /><br />
<?php /* * Account/Approve.php * LHS Math Club Website * * When a user has completed registration, this page prompts them to print * out an information page and give it to a captain to approve their * account. */ require_once '../.lib/functions.php'; restrict_access('P'); show_page(); function show_page() { $query = 'SELECT * FROM users WHERE id="' . $_SESSION['user_id'] . '" LIMIT 1'; $result = DB::queryRaw($query); $row = mysqli_fetch_assoc($result); $cell = format_phone_number($row['cell']); if ($cell == '') { $cell = 'None'; } page_title('Approve'); ?> <h1>Account Approval</h1> Your account has been verified, but it must be approved by a captain. Please print this page and bring it to practice.<br /> <br /> <div class="scrhide"> <span class="b">ID: </span><?php echo $row['id'];
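<?php
/*
 * Account/Verify_Email.php
 * LHS Math Club Website
 *
 * After users register, they must click a link in a verification email in
 * order to activate their account. This page sends that email and gives
 * users the option of resending it.
 *
 * Dispatch, first match wins:
 *   ?code=...                                        -> verify_code()
 *   $_SESSION['ACCOUNT_do_send_verification_email']  -> send_verification_email()
 *   POST do_resend_verification_email + valid XSRF   -> send_verification_email()
 *   anything else                                    -> show_page()
 */
require_once '../.lib/functions.php';
restrict_access('E');

if (isset($_GET['code'])) {
    verify_code();
} elseif (isset($_SESSION['ACCOUNT_do_send_verification_email'])) {
    send_verification_email();
} elseif (isset($_POST['do_resend_verification_email'])
        // The resend is a state-changing POST, so it is XSRF-checked. Both
        // tokens must be present and plain strings (a crafted `xsrf_token[]=`
        // arrives as an array) and are compared strictly: the previous `==`
        // compared numeric-looking strings as numbers ("0e12" == "0e34" is
        // true) and raised notices when either side was unset.
        && isset($_POST['xsrf_token'], $_SESSION['xsrf_token'])
        && is_string($_POST['xsrf_token'])
        && is_string($_SESSION['xsrf_token'])
        && $_POST['xsrf_token'] === $_SESSION['xsrf_token']) {
    send_verification_email();
} else {
    show_page();
}

/*
 * show_page($re_sent)
 * - $re_sent: if the message has just been resent
 *
 * Shows a message to users who have not yet verified their email address.
 */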
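/*
 * show_email_sent_page()
 *
 * Confirmation screen shown after a password-reset message has been sent.
 * Logged-out visitors only ('X').
 *
 * The screen is available for 5 minutes after the request
 * ($_SESSION['ACCOUNT_password_reset_time']). After that — or if the
 * request data is missing from the session — the reset state is cleared
 * and the visitor is sent back to the request form, so that on a shared
 * computer the address does not linger indefinitely.
 */
function show_email_sent_page() {
    restrict_access('X');

    // A missing timestamp counts as expired (null + 300 did the same before,
    // just with a notice).
    $sent_at = isset($_SESSION['ACCOUNT_password_reset_time'])
        ? (int) $_SESSION['ACCOUNT_password_reset_time']
        : 0;
    $expired = time() >= $sent_at + 300;

    if ($expired || !isset($_SESSION['ACCOUNT_password_reset_email'])) {
        unset($_SESSION['ACCOUNT_sent_password_reset']);
        unset($_SESSION['ACCOUNT_password_reset_time']);
        unset($_SESSION['ACCOUNT_password_reset_email']);
        show_request_page('', 'email');
        return;
    }

    // The address presumably came from the visitor's own form input; it is
    // echoed back into HTML, so escape it rather than trusting the session.
    $email = htmlspecialchars($_SESSION['ACCOUNT_password_reset_email'], ENT_QUOTES, 'UTF-8');

    page_header('Password Reset');
    echo <<<HEREDOC
<h1>Password Reset</h1>
A confirmation message has been sent to <span class="b">{$email}</span>. Please click on the link in the message to continue.
HEREDOC;
}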
<?php /* * Admin/Super_Admin.php * LHS Math Club Website */ require_once '../.lib/functions.php'; restrict_access('+'); if (isset($_POST['do_superadmin_elevate'])) { process_form(); } else { show_page(''); } function show_page($err) { // If an error message is given, put it inside this div if ($err != '') { $err = "\n <div class=\"error\">{$err}</div><br />\n"; } page_header('Super-Admin'); echo <<<HEREDOC <h1>Super-Admin</h1> If you accidentally lose access to all the Admin accounts, create a new account, log in as LHSMATH, and make the new account an Admin (you'll need the ID from the page that you're supposed to print).<br /> <br />{$err} <span class="b">Elevate Account</span> <form method="post" action="{$_SERVER['REQUEST_URI']}"> <table> <tr>
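/*
 * do_download()
 *
 * Streams one file to the browser.
 *
 *   ?Backup=<unix time>&Code=<4 chars a-z0-9>
 *       Admin-only. Serves ./.content/backups/db-backup-<time>-<code>.sql.
 *
 *   ?ID=<file_id>
 *       Looks the row up in `files` and gates on its permissions column
 *       before serving ./.content/uploads/<filename>:
 *         'P'  -> restrict_access('XLRA')  (logged out, alumni, members, admins)
 *         'M'  -> restrict_access('LRA')   (alumni, members, admins)
 *         else -> restrict_access('A')     ('A' and 'C'); 'C' additionally
 *                 needs $_SESSION['is_captain'], otherwise an "Access Blocked"
 *                 page is shown and the script dies.
 *
 * Headers: application/pdf for names ending in .pdf, otherwise
 * application/octet-stream; Content-Disposition inline; Expires: 0 /
 * must-revalidate. Templating is cancelled and the output buffer cleared so
 * only the file bytes go out. Errors (bad code, ID matching != 1 rows,
 * missing file) are raised with trigger_error(E_USER_ERROR).
 */
function do_download() {
    if (isset($_GET['Backup'])) {
        restrict_access('A');

        $time = (int) $_GET['Backup'];
        $code = isset($_GET['Code']) && is_string($_GET['Code']) ? $_GET['Code'] : '';
        // Anchored on both ends: the previous pattern only required *some*
        // run of four [a-z0-9] characters, so a value such as "../../x" with
        // four alphanumerics in it passed the check and was spliced into the
        // path below.
        if (!preg_match('#^[a-z0-9]{4}$#', $code)) {
            trigger_error('Invalid backup', E_USER_ERROR);
        }
        $name = 'db-backup-' . $time . '-' . $code . '.sql';
        $file = './.content/backups/' . $name;
    } else {
        $id = isset($_GET['ID']) && is_string($_GET['ID']) ? $_GET['ID'] : '';
        $query = 'SELECT filename, permissions FROM files WHERE file_id="'
            . mysqli_real_escape_string(DB::get(), $id) . '"';
        $result = DB::queryRaw($query);
        if (mysqli_num_rows($result) != 1) {
            trigger_error('Incorrect number of categories match ID', E_USER_ERROR);
        }
        $row = mysqli_fetch_assoc($result);

        // Who may fetch this file is decided by the row, not by the caller.
        switch ($row['permissions']) {
            case 'P':
                restrict_access('XLRA');
                break;
            case 'M':
                restrict_access('LRA');
                break;
            default: // 'A' or 'C'
                restrict_access('A');
                break;
        }
        if ($row['permissions'] == 'C' && !isset($_SESSION['is_captain'])) {
            page_header('Download');
            echo <<<HEREDOC
<h1>Access Blocked</h1>
<div>The captains have requested that you not view this file.</div>
HEREDOC;
            die;
        }

        $name = $row['filename'];
        $file = './.content/uploads/' . $name;

        // The filename comes from the database, not the request, but it is
        // still spliced into a path: refuse anything that resolves outside the
        // uploads directory. realpath() is false for a missing file, which then
        // falls through to the "File does not exist" error below.
        $uploads_dir = realpath('./.content/uploads');
        $resolved = realpath($file);
        if ($uploads_dir !== false && $resolved !== false
                && strpos($resolved, $uploads_dir . DIRECTORY_SEPARATOR) !== 0) {
            trigger_error('File does not exist', E_USER_ERROR);
        }
    }

    // is_file() rather than file_exists(): a directory would pass the old
    // check and then fail inside readfile().
    if (!is_file($file)) {
        trigger_error('File does not exist', E_USER_ERROR);
    }

    $mime = preg_match('#\\.pdf$#', $name) ? 'application/pdf' : 'application/octet-stream';
    // Keep the header well-formed: only the base name, with quotes and line
    // breaks removed, goes into Content-Disposition. The path used for
    // reading is unaffected.
    $download_name = str_replace(array('"', "\r", "\n"), '', basename($name));

    header('Content-Description: File Transfer');
    header('Content-Type: ' . $mime);
    header('Content-Disposition: inline; filename="' . $download_name . '"');
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));

    cancel_templateify();
    ob_clean();
    readfile($file);
    flush();
}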
/*
 * backstage_access()
 *
 * Gate for the "backstage" pages. While backstage is open
 * (backstage_is_open()) regular members, alumni and admins ('RLA') may
 * enter; while it is closed only admins ('A') may. restrict_access() does
 * the actual enforcement.
 */
function backstage_access() {
    $allowed = backstage_is_open() ? 'RLA' : 'A';
    restrict_access($allowed);
}
<?php
/*
 * Account/Banned.php
 * LHS Math Club Website
 *
 * Displays a message to banned users ('B').
 *
 * functions.php is pulled in only when FUNCTIONSPHP is not yet defined: when
 * it is, some other script has already included this file, and the relative
 * '../.lib/' path may not resolve from that script's directory.
 */
defined('FUNCTIONSPHP') or require_once '../.lib/functions.php';

restrict_access('B');
page_title('Banned');
?>
<h1>Banned</h1>
You have been banned from the Math Club system.