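/**
 * Donation form handler.
 *
 * Without a `donateme_donate` POST it only renders the form. On a donation
 * POST it reads amount, currency and CSRF token through readarg(), validates
 * them, and on success drops the single-use token and hands control to
 * paypalcheckout(). In every case the 'donateme' view is rendered with a
 * freshly issued token stored in $_SESSION['donateme_token'].
 *
 * @param string $lang  language code forwarded to paypalcheckout() and view()
 * @return mixed        whatever view() returns for the 'donateme' template
 */
function donateme($lang)
{
    global $supported_currencies;

    $action = isset($_POST['donateme_donate']) ? 'donate' : 'init';

    $amount = $currency = $token = false;
    if ($action === 'donate') {
        if (isset($_POST['donateme_amount'])) {
            $amount = readarg($_POST['donateme_amount']);
        }
        if (isset($_POST['donateme_currency'])) {
            $currency = readarg($_POST['donateme_currency']);
        }
        if (isset($_POST['donateme_token'])) {
            $token = readarg($_POST['donateme_token']);
        }
    }

    $missing_amount = $bad_amount = $missing_currency = $bad_currency = $bad_token = false;
    if ($action === 'donate') {
        // Type-strict, constant-time token check. The previous `$token != $_SESSION[...]`
        // was a loose comparison, so differently spelled numeric-looking strings
        // ("1e3" and "1000") compared equal.
        if (!isset($_SESSION['donateme_token'])
            || !is_string($token)
            || !hash_equals((string) $_SESSION['donateme_token'], $token)) {
            $bad_token = true;
        } else {
            // is_numeric() also accepts exponent and leading-whitespace forms;
            // the `>= 1` bound is the only business rule enforced here.
            if (!$amount) {
                $missing_amount = true;
            } elseif (!(is_numeric($amount) && $amount >= 1)) {
                $bad_amount = true;
            }
            if (!$currency) {
                $missing_currency = true;
            } elseif (!validate_currency($currency)) {
                $bad_currency = true;
            }
        }
    }

    if ($action === 'donate'
        && !($bad_token || $missing_amount || $bad_amount || $missing_currency || $bad_currency)) {
        // The token is single-use: remove it before leaving for the payment step.
        unset($_SESSION['donateme_token']);
        require_once 'actions/paypalcheckout.php';
        paypalcheckout($lang, $amount, $currency);
    }

    // A new token is issued on every render, including after a successful donation.
    $_SESSION['donateme_token'] = $token = token_id();
    // NOTE(review): $bad_token is not part of $errors (the original did not report
    // it either); the view only sees the per-field errors.
    $errors = compact('missing_amount', 'bad_amount', 'missing_currency', 'bad_currency');

    return view('donateme', $lang, compact('token', 'supported_currencies', 'amount', 'currency', 'errors'));
}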
/**
 * "Forgot password" handler.
 *
 * Validates the CSRF token, captcha, login (user name or mail address) and
 * confirmation checkbox, then generates a new password with newpassword(),
 * stores it via user_set_newpassword() and mails it with emailcrypto().
 * Always renders the 'remindme' view with a freshly issued token.
 *
 * @param string $lang language code used for translate(), url() and view()
 * @return mixed view() output for the 'remindme' template
 */
function remindme($lang) {
    $with_name = true;
    $with_captcha = true;
    $action = 'init';
    if (isset($_POST['remindme_send'])) {
        $action = 'remindme';
    }
    $login = $confirmed = $code = $token = false;
    // Prefill the login: a previously typed login first, then the logged-in
    // user's name, then its mail address.
    if (!empty($_SESSION['login'])) {
        $login = $_SESSION['login'];
    } else {
        if (!empty($_SESSION['user']['name'])) {
            $login = $_SESSION['user']['name'];
        } else {
            if (!empty($_SESSION['user']['mail'])) {
                $login = $_SESSION['user']['mail'];
            }
        }
    }
    switch ($action) {
        case 'remindme':
            if (isset($_POST['remindme_login'])) {
                $login = strtolower(strflat(readarg($_POST['remindme_login'])));
            }
            if (isset($_POST['remindme_confirmed'])) {
                $confirmed = readarg($_POST['remindme_confirmed']) == 'on' ? true : false;
            }
            if (isset($_POST['remindme_code'])) {
                $code = readarg($_POST['remindme_code']);
            }
            if (isset($_POST['remindme_token'])) {
                $token = readarg($_POST['remindme_token']);
            }
            break;
        default:
            break;
    }
    $missing_code = false;
    $bad_code = false;
    $bad_token = false;
    $missing_login = false;
    $bad_login = false;
    $missing_confirmation = false;
    $email_sent = false;
    $user_page = false;
    $internal_error = false;
    $contact_page = false;
    switch ($action) {
        case 'remindme':
            // NOTE(review): loose `!=` and not constant-time; a strict hash_equals()
            // against a string token would be safer. A bad token does not stop the
            // remaining checks, it only blocks the action in the next switch.
            if (!isset($_SESSION['remindme_token']) or $token != $_SESSION['remindme_token']) {
                $bad_token = true;
            }
            if ($with_captcha) {
                if (!$code) {
                    $missing_code = true;
                    break;
                }
                $captcha = isset($_SESSION['captcha']['remindme']) ? $_SESSION['captcha']['remindme'] : false;
                // NOTE(review): loose string comparison ("007" == "7" holds); the session
                // captcha is not cleared after a successful check.
                if (!$captcha or $captcha != strtoupper($code)) {
                    $bad_code = true;
                    break;
                }
            }
            if (!$login) {
                $missing_login = true;
            } else {
                // Accept either an allowed user name or an allowed mail address.
                if ((!validate_user_name($login) or !is_user_name_allowed($login)) and (!validate_mail($login) or !is_mail_allowed($login))) {
                    $bad_login = true;
                }
            }
            if (!$confirmed) {
                $missing_confirmation = true;
            }
            break;
        default:
            break;
    }
    switch ($action) {
        case 'remindme':
            if ($bad_token or $missing_code or $bad_code or $missing_login or $bad_login or $missing_confirmation) {
                break;
            }
            require_once 'models/user.inc';
            $user_id = user_find($login);
            if (!$user_id) {
                // NOTE(review): a distinct bad_login answer for unknown logins lets a
                // submitter probe which user names / addresses exist.
                $bad_login = true;
                require_once 'log.php';
                write_log('password.err', substr($login, 0, 40));
                break;
            }
            $user = user_get($user_id);
            if (!$user) {
                $internal_error = true;
                break;
            }
            if (!$user['user_active'] or $user['user_banned']) {
                $bad_login = true;
                break;
            }
            require_once 'newpassword.php';
            $newpassword = newpassword();
            if (!user_set_newpassword($user_id, $newpassword)) {
                $internal_error = true;
                break;
            }
            require_once 'emailcrypto.php';
            global $sitename, $webmaster;
            $to = $user['user_mail'];
            $subject = translate('email:new_password_subject', $lang);
            $msg = translate('email:new_password_text', $lang) . "\n\n" . translate('email:salutations', $lang);
            // The new password is handed to emailcrypto() separately from the
            // text; how it is protected in transit is up to that helper.
            if (!emailcrypto($msg, $newpassword, $to, $subject, $webmaster)) {
                $internal_error = true;
            } else {
                // NOTE(review): the target's mail address is passed to the view via
                // $infos['email_sent']; if the template shows it, a user name lookup
                // reveals the matching address.
                $email_sent = $to;
            }
            $confirmed = false;
            break;
        default:
            break;
    }
    if ($internal_error) {
        $contact_page = url('contact', $lang);
    } else {
        if ($email_sent) {
            $user_page = url('user', $lang);
        }
    }
    // Rotate the CSRF token on every render; $bad_token itself is not reported.
    $_SESSION['remindme_token'] = $token = token_id();
    $errors = compact('missing_login', 'bad_login', 'missing_confirmation', 'missing_code', 'bad_code', 'internal_error', 'contact_page');
    $infos = compact('email_sent', 'user_page');
    $output = view('remindme', $lang, compact('token', 'with_captcha', 'with_name', 'login', 'confirmed', 'errors', 'infos'));
    return $output;
}
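/**
 * Login form handler.
 *
 * Reads the posted login/password/captcha/token (or, when $with_facebook is
 * enabled, a Facebook-provided mail address), validates them and calls
 * user_login(). On success the session id is regenerated, the user record is
 * stored in $_SESSION['user'] and `true` is returned; otherwise the 'login'
 * view is rendered with the collected errors and a fresh CSRF token.
 *
 * @param string $lang  language code forwarded to url()/view() and to the admin notice
 * @return true|mixed   true once the user is logged in, else the view() output
 */
function login($lang)
{
    $with_name = true;
    $with_captcha = true;
    $with_facebook = false;
    $with_newuser = true;
    $with_newpassword = true;

    if ($with_facebook) {
        require_once 'facebook.php';
        $facebook = facebook();
    }

    // A failed attempt leaves the typed login in $_SESSION['login'] so the form is prefilled.
    $login = $password = $code = $token = false;
    if (isset($_SESSION['login'])) {
        $login = $_SESSION['login'];
    }

    $action = isset($_POST['login_enter']) ? 'enter' : 'init';

    switch ($action) {
        case 'init':
            if ($with_facebook) {
                $facebook_user = $facebook->getUser();
                if ($facebook_user) {
                    try {
                        $facebook_user_profile = $facebook->api('/me', 'GET');
                        if (!empty($facebook_user_profile['email'])) {
                            $login = $facebook_user_profile['email'];
                        }
                        $action = 'facebook';
                    } catch (FacebookApiException $e) {
                        // Profile lookup failed: stay on the plain login form.
                    }
                    $facebook->destroySession();
                }
            }
            break;
        case 'enter':
            if (isset($_POST['login_login'])) {
                $login = strtolower(strflat(readarg($_POST['login_login'])));
            }
            if (isset($_POST['login_password'])) {
                $password = readarg($_POST['login_password']);
            }
            if (isset($_POST['login_code'])) {
                $code = readarg($_POST['login_code']);
            }
            if (isset($_POST['login_token'])) {
                $token = readarg($_POST['login_token']);
            }
            break;
        default:
            break;
    }

    $missing_code = $bad_code = $bad_token = false;
    $missing_login = $bad_login = $missing_password = $access_denied = false;

    switch ($action) {
        case 'enter':
            // Type-strict, constant-time token check; the previous loose `!=` treated
            // differently spelled numeric-looking strings as equal.
            if (!isset($_SESSION['login_token'])
                || !is_string($token)
                || !hash_equals((string) $_SESSION['login_token'], $token)) {
                $bad_token = true;
                break;
            }
            if ($with_captcha) {
                if (!$code) {
                    $missing_code = true;
                    break;
                }
                $captcha = isset($_SESSION['captcha']['login']) ? $_SESSION['captcha']['login'] : false;
                // Strict compare for the captcha too: with loose `!=`, "007" and "7" matched.
                // NOTE(review): the session captcha is not cleared after a successful check,
                // so one solved code stays valid for further attempts in this session.
                if (!$captcha || !is_string($code) || !hash_equals((string) $captcha, strtoupper($code))) {
                    $bad_code = true;
                    break;
                }
            }
            if (!$password) {
                $missing_password = true;
            }
            // fall through: the login checks below apply to both 'enter' and 'facebook'
        case 'facebook':
            if (!$login) {
                $missing_login = true;
            } elseif (!(validate_user_name($login) || validate_mail($login))) {
                $bad_login = true;
            }
            break;
        default:
            break;
    }

    switch ($action) {
        case 'enter':
        case 'facebook':
            if ($bad_token || $missing_code || $bad_code || $missing_login || $bad_login || $missing_password) {
                break;
            }
            require_once 'models/user.inc';
            // On the 'facebook' path $password is still false; how user_login() treats
            // that is not visible here.
            $user = user_login($login, $password);
            if (!$user) {
                $access_denied = true;
                require_once 'log.php';
                write_log('enter.err', substr($login, 0, 100));
                $_SESSION['login'] = $login;
                break;
            }
            $user['ip'] = client_ip_address();
            // Role names are compared as strings (strict in_array).
            if (in_array('administrator', $user['role'], true)) {
                // Notify the site owner of every administrator login. Delivery is
                // best-effort: a mail failure must not block the login, hence the `@`.
                require_once 'serveripaddress.php';
                require_once 'emailme.php';
                global $sitename;
                $ip = server_ip_address();
                // date() replaces strftime() (deprecated since PHP 8.1); same output format.
                $timestamp = date('Y-m-d H:i:s');
                $subject = 'login' . '@' . $sitename;
                $msg = $ip . ' ' . $timestamp . ' ' . $user['id'] . ' ' . $lang . ' ' . $user['ip'];
                @emailme($subject, $msg);
                // Administrators may not log in through the Facebook path.
                if ($action === 'facebook') {
                    $access_denied = true;
                    break;
                }
            }
            // Fresh session id before privileged state is stored.
            session_regenerate();
            $_SESSION['user'] = $user;
            unset($_SESSION['login']);
            unset($_SESSION['login_token']);
            return true;
        default:
            break;
    }

    $connectbar = false;
    if ($with_facebook) {
        $scope = 'email';
        $facebook_login_url = $facebook->getLoginUrl(compact('scope'));
        $connectbar = view('connect', $lang, compact('facebook_login_url'));
    }
    $password_page = $with_newpassword ? url('password', $lang) : false;
    $newuser_page = $with_newuser ? url('newuser', $lang) : false;

    // Rotate the CSRF token on every render; $bad_token itself is not reported to the view.
    $_SESSION['login_token'] = $token = token_id();
    $errors = compact('missing_code', 'bad_code', 'missing_login', 'bad_login', 'missing_password', 'access_denied');

    return view('login', $lang, compact('token', 'connectbar', 'with_captcha', 'with_name', 'password_page', 'newuser_page', 'login', 'errors'));
}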
/**
 * Newsletter subscription form handler.
 *
 * Prefills mail and locale from the logged-in profile (user_profile()),
 * validates the posted mail, locale, confirmation box, captcha and CSRF
 * token, and registers the address with newsletter_create_user(). A
 * successful registration is reported to the site owner via emailme().
 *
 * @param string $lang language code; also the fallback locale
 * @return mixed view() output for the 'subscribe' template
 */
function subscribe($lang) {
    global $sitekey, $system_languages;
    $with_locale = count($system_languages) > 1; // true, false
    $with_captcha = true;
    $action = 'init';
    if (isset($_POST['subscribe_send'])) {
        $action = 'subscribe';
    }
    $confirmed = $code = $token = false;
    $user_mail = user_profile('mail');
    $user_locale = user_profile('locale');
    if (!$user_locale) {
        $user_locale = $lang;
    }
    $unsubscribe_page = false;
    switch ($action) {
        case 'init':
            // The unsubscribe link is only offered when $sitekey is set; the
            // reason for that condition is not visible here.
            if ($sitekey) {
                $unsubscribe_page = url('newsletterunsubscribe', $lang);
            }
            break;
        case 'subscribe':
            if (isset($_POST['subscribe_mail'])) {
                $user_mail = strtolower(strflat(readarg($_POST['subscribe_mail'])));
            }
            if ($with_locale) {
                if (isset($_POST['subscribe_locale'])) {
                    $user_locale = readarg($_POST['subscribe_locale']);
                }
            }
            if (isset($_POST['subscribe_confirmed'])) {
                $confirmed = readarg($_POST['subscribe_confirmed']) == 'on' ? true : false;
            }
            if (isset($_POST['subscribe_code'])) {
                $code = readarg($_POST['subscribe_code']);
            }
            if (isset($_POST['subscribe_token'])) {
                $token = readarg($_POST['subscribe_token']);
            }
            break;
        default:
            break;
    }
    $missing_code = false;
    $bad_code = false;
    $bad_token = false;
    $missing_mail = false;
    $bad_mail = false;
    $duplicated_mail = false;
    $missing_locale = false;
    $bad_locale = false;
    $missing_confirmation = false;
    $email_registered = false;
    $internal_error = false;
    $contact_page = false;
    switch ($action) {
        case 'subscribe':
            // NOTE(review): loose `!=`, not constant-time; a bad token does not stop
            // the remaining checks, it only blocks the action in the next switch.
            if (!isset($_SESSION['subscribe_token']) or $token != $_SESSION['subscribe_token']) {
                $bad_token = true;
            }
            if ($with_captcha) {
                if (!$code) {
                    $missing_code = true;
                    break;
                }
                $captcha = isset($_SESSION['captcha']['subscribe']) ? $_SESSION['captcha']['subscribe'] : false;
                // NOTE(review): loose string comparison ("007" == "7" holds); the
                // session captcha is not cleared after a successful check.
                if (!$captcha or $captcha != strtoupper($code)) {
                    $bad_code = true;
                    break;
                }
            }
            if (!$user_mail) {
                $missing_mail = true;
            } else {
                if (!validate_mail($user_mail) or !is_mail_allowed($user_mail)) {
                    $bad_mail = true;
                } else {
                    // NOTE(review): duplicated_mail tells the submitter whether an
                    // address is already subscribed (captcha-gated, still an oracle).
                    if (newsletter_get_user($user_mail)) {
                        $duplicated_mail = true;
                    }
                }
            }
            if ($with_locale) {
                if (!$user_locale) {
                    $missing_locale = true;
                } else {
                    if (!validate_locale($user_locale)) {
                        $bad_locale = true;
                    }
                }
            }
            if (!$confirmed) {
                $missing_confirmation = true;
            }
            break;
        default:
            break;
    }
    switch ($action) {
        case 'subscribe':
            if ($bad_token or $missing_code or $bad_code or $missing_mail or $bad_mail or $duplicated_mail or $missing_locale or $bad_locale or $missing_confirmation) {
                break;
            }
            $r = newsletter_create_user($user_mail, $user_locale);
            if (!$r) {
                $internal_error = true;
                break;
            }
            // Best-effort owner notification: `@` hides mail warnings and the result
            // is ignored. strftime() is deprecated since PHP 8.1.
            require_once 'serveripaddress.php';
            require_once 'emailme.php';
            global $sitename;
            $ip = server_ip_address();
            $timestamp = strftime('%Y-%m-%d %H:%M:%S', time());
            $subject = 'subscribe' . '@' . $sitename;
            $msg = $ip . ' ' . $timestamp . ' ' . $lang . ' ' . $user_mail;
            @emailme($subject, $msg);
            $email_registered = true;
            $confirmed = false;
            break;
        default:
            break;
    }
    if ($internal_error) {
        $contact_page = url('contact', $lang);
    }
    // Rotate the CSRF token on every render; $bad_token itself is not reported.
    $_SESSION['subscribe_token'] = $token = token_id();
    $errors = compact('missing_mail', 'bad_mail', 'missing_locale', 'bad_locale', 'duplicated_mail', 'missing_confirmation', 'missing_code', 'bad_code', 'internal_error', 'contact_page');
    $infos = compact('email_registered');
    $output = view('subscribe', $lang, compact('token', 'with_captcha', 'user_mail', 'with_locale', 'user_locale', 'confirmed', 'unsubscribe_page', 'errors', 'infos'));
    return $output;
}
/**
 * Comment box handler for one node (page).
 *
 * Actions, chosen by the posted button and only for logged-in users:
 * 'comment' / 'edit' (preview), 'validate' (store via node_add_comment()),
 * 'moderate' / 'modify' / 'delete' (edit or remove an existing comment by id).
 * Non-moderators may only modify/delete their own comments within 15 minutes
 * of creation. Afterwards the full comment list is loaded and the
 * 'nodecomment' view is rendered with a fresh CSRF token.
 *
 * @param string $lang         language code for node_*() and view()
 * @param mixed  $node_id      node whose comments are handled
 * @param mixed  $node_user_id node owner; only referenced in a comment, not used by the code
 * @param string $node_url     node url, passed to the view and to the owner notification
 * @param bool   $nomore       when true, no new-comment box is offered
 * @return mixed view() output for the 'nodecomment' template
 */
function nodecomment($lang, $node_id, $node_user_id, $node_url, $nomore) {
    $user_id = user_profile('id');
    $moderator = user_has_role('moderator'); // $user_id == $node_user_id || user_has_role('moderator')
    $now = time();
    $message_maxlen = 1000;
    $with_captcha = false;
    $action = 'init';
    // Only logged-in users may act; the first matching button wins.
    if ($user_id) {
        if (isset($_POST['comment_comment'])) {
            $action = 'comment';
        } else {
            if (isset($_POST['comment_edit'])) {
                $action = 'edit';
            } else {
                if (isset($_POST['comment_validate'])) {
                    $action = 'validate';
                } else {
                    if (isset($_POST['comment_moderate'])) {
                        $action = 'moderate';
                    } else {
                        if (isset($_POST['comment_modify'])) {
                            $action = 'modify';
                        } else {
                            if (isset($_POST['comment_delete'])) {
                                $action = 'delete';
                            }
                        }
                    }
                }
            }
        }
    }
    $id = $message = $token = false;
    // NOTE(review): $code is not initialised here; with $with_captcha enabled and
    // no comment_code posted, the `if (!$code)` below reads an undefined variable.
    switch ($action) {
        case 'validate':
            if (isset($_POST['comment_code'])) {
                $code = readarg($_POST['comment_code']);
            }
            /* fall thru */
        case 'comment':
        case 'edit':
            if (isset($_POST['comment_message'])) {
                $message = readarg($_POST['comment_message'], true, false); // trim but DON'T strip!
            }
            if (isset($_POST['comment_token'])) {
                $token = readarg($_POST['comment_token']);
            }
            break;
        case 'moderate':
            // The moderate button carries the comment id as its value; no token is read.
            if (isset($_POST['comment_moderate'])) {
                $id = readarg($_POST['comment_moderate']);
            }
            break;
        case 'modify':
        case 'delete':
            if (isset($_POST['comment_id'])) {
                $id = readarg($_POST['comment_id']);
            }
            if (isset($_POST['comment_message'])) {
                $message = readarg($_POST['comment_message'], true, false); // trim but DON'T strip!
            }
            if (isset($_POST['comment_token'])) {
                $token = readarg($_POST['comment_token']);
            }
            break;
        default:
            break;
    }
    $missing_code = false;
    $bad_code = false;
    $bad_token = false;
    $missing_id = false;
    $bad_id = false;
    $missing_message = false;
    $message_too_long = false;
    switch ($action) {
        case 'validate':
            if ($with_captcha) {
                if (!$code) {
                    $missing_code = true;
                    break;
                }
                $captcha = isset($_SESSION['captcha']['comment']) ? $_SESSION['captcha']['comment'] : false;
                // NOTE(review): loose string comparison ("007" == "7" holds).
                if (!$captcha or $captcha != strtoupper($code)) {
                    $bad_code = true;
                    break;
                }
            }
            /* fall thru */
        case 'comment':
        case 'edit':
        case 'modify':
        case 'delete':
            // NOTE(review): loose `!=`, not constant-time; 'moderate' is not token-checked
            // (it is read-only apart from selecting the id).
            if (!isset($_SESSION['comment_token']) or $token != $_SESSION['comment_token']) {
                $bad_token = true;
            }
            break;
        default:
            break;
    }
    switch ($action) {
        case 'moderate':
        case 'modify':
        case 'delete':
            if ($bad_token) {
                break;
            }
            if (!$id) {
                $missing_id = true;
                break;
            }
            if (!is_numeric($id)) {
                $id = false;
                $bad_id = true;
                break;
            }
            // Ownership check for non-moderators: the comment must exist on this
            // node, belong to the caller, and be less than 15 minutes old.
            if (!$moderator) {
                $r = node_get_comment($node_id, $id, $lang);
                if (!$r) {
                    $id = false;
                    $bad_id = true;
                    break;
                }
                extract($r); /* comment_user_id, comment_created */
                if (!($comment_user_id == $user_id and $comment_created + 15 * 60 > $now)) {
                    $id = false;
                    $bad_id = true;
                    break;
                }
            }
            break;
        default:
            break;
    }
    switch ($action) {
        case 'comment':
        case 'validate':
        case 'edit':
        case 'modify':
            if ($bad_token or $missing_code or $bad_code or $missing_id or $bad_id) {
                break;
            }
            if (!$message) {
                $missing_message = true;
            } else {
                // Length in characters rather than bytes (utf8_decode() maps each
                // multibyte sequence to one byte); utf8_decode() is deprecated since PHP 8.2.
                if (strlen(utf8_decode($message)) > $message_maxlen) {
                    $message_too_long = true;
                }
            }
            break;
        default:
            break;
    }
    switch ($action) {
        case 'validate':
            if ($bad_token or $missing_code or $bad_code or $missing_message or $message_too_long) {
                break;
            }
            $ip_address = client_ip_address();
            $r = node_add_comment($node_id, $user_id, $ip_address, $message, $lang);
            if (!$r) {
                // NOTE(review): $internal_error is neither initialised nor part of
                // $errors below, so storage failures are invisible to the user.
                $internal_error = true;
                break;
            }
            // Best-effort owner notification (`@` hides mail warnings);
            // strftime() is deprecated since PHP 8.1.
            require_once 'serveripaddress.php';
            require_once 'emailme.php';
            global $sitename;
            $ip = server_ip_address();
            $timestamp = strftime('%Y-%m-%d %H:%M:%S', time());
            $subject = 'comment' . '@' . $sitename;
            $msg = $ip . ' ' . $timestamp . ' ' . $user_id . ' ' . $lang . ' ' . $node_id . ' ' . $node_url;
            @emailme($subject, $msg);
            $message = false;
            break;
        case 'modify':
            if ($bad_token or $missing_id or $bad_id or $missing_message or $message_too_long) {
                break;
            }
            $r = node_set_comment($node_id, $id, $message, $lang);
            if (!$r) {
                $internal_error = true;
                break;
            }
            $id = $message = false;
            break;
        case 'delete':
            if ($bad_token or $missing_id or $bad_id) {
                break;
            }
            $r = node_delete_comment($node_id, $id);
            if (!$r) {
                $internal_error = true;
                break;
            }
            $id = $message = false;
            break;
        default:
            break;
    }
    // Offer a new-comment box unless a comment is being edited or $nomore is set;
    // anonymous visitors get a link to the user page instead.
    $newcomment = $user_page = false;
    if (!$id and !$nomore) {
        if ($user_id) {
            $newcomment = true;
        } else {
            $user_page = url('user', $lang);
        }
    }
    $comments = node_get_all_comments($node_id, $lang);
    // $moderated: true when everything is editable (moderator), else the list of
    // comment ids the caller may still edit (own, < 15 min old; same rule as above).
    $moderated = false;
    if ($comments) {
        if ($moderator) {
            $moderated = true;
        } else {
            $moderated = array();
            foreach ($comments as $c) {
                if ($c['comment_user_id'] == $user_id and $c['comment_created'] + 15 * 60 > $now) {
                    $moderated[] = $c['comment_id'];
                }
            }
        }
    }
    // Rotate the CSRF token on every render. NOTE(review): bad_token, missing_id
    // and bad_id are not part of $errors, so those failures render silently.
    $_SESSION['comment_token'] = $token = token_id();
    $errors = compact('missing_code', 'bad_code', 'missing_message', 'message_too_long');
    $output = view('nodecomment', $lang, compact('token', 'with_captcha', 'comments', 'moderated', 'id', 'newcomment', 'message', 'message_maxlen', 'user_page', 'node_url', 'errors'));
    return $output;
}
/**
 * Newsletter unsubscribe request handler.
 *
 * Validates the posted mail, confirmation box, captcha and CSRF token, checks
 * that the address is subscribed, then mails the address a confirmation link
 * (url('saction') plus an urlencodeaction() payload) via emailtext(). The
 * actual removal happens when that link is followed, not here.
 *
 * @param string $lang language code for translate(), url() and view()
 * @return mixed view() output for the 'unsubscribe' template
 */
function unsubscribe($lang) {
    $with_captcha = true;
    $action = 'init';
    if (isset($_POST['unsubscribe_send'])) {
        $action = 'unsubscribe';
    }
    $confirmed = $code = $token = false;
    $user_mail = user_profile('mail');
    $subscribe_page = false;
    switch ($action) {
        case 'init':
            $subscribe_page = url('newslettersubscribe', $lang);
            break;
        case 'unsubscribe':
            if (isset($_POST['unsubscribe_mail'])) {
                $user_mail = strtolower(strflat(readarg($_POST['unsubscribe_mail'])));
            }
            if (isset($_POST['unsubscribe_confirmed'])) {
                $confirmed = readarg($_POST['unsubscribe_confirmed']) == 'on' ? true : false;
            }
            if (isset($_POST['unsubscribe_code'])) {
                $code = readarg($_POST['unsubscribe_code']);
            }
            if (isset($_POST['unsubscribe_token'])) {
                $token = readarg($_POST['unsubscribe_token']);
            }
            break;
        default:
            break;
    }
    $missing_code = false;
    $bad_code = false;
    $bad_token = false;
    $missing_mail = false;
    $bad_mail = false;
    $unknown_mail = false;
    $missing_confirmation = false;
    $mail_unsubscribed = false;
    $internal_error = false;
    $contact_page = false;
    switch ($action) {
        case 'unsubscribe':
            // NOTE(review): loose `!=`, not constant-time; a bad token does not stop
            // the remaining checks, it only blocks the action in the next switch.
            if (!isset($_SESSION['unsubscribe_token']) or $token != $_SESSION['unsubscribe_token']) {
                $bad_token = true;
            }
            if ($with_captcha) {
                if (!$code) {
                    $missing_code = true;
                    break;
                }
                $captcha = isset($_SESSION['captcha']['unsubscribe']) ? $_SESSION['captcha']['unsubscribe'] : false;
                // NOTE(review): loose string comparison ("007" == "7" holds); the
                // session captcha is not cleared after a successful check.
                if (!$captcha or $captcha != strtoupper($code)) {
                    $bad_code = true;
                    break;
                }
            }
            if (!$user_mail) {
                $missing_mail = true;
            } else {
                if (!validate_mail($user_mail) or !is_mail_allowed($user_mail)) {
                    $bad_mail = true;
                } else {
                    // NOTE(review): unknown_mail tells the submitter whether an address
                    // is subscribed (captcha-gated, still an oracle).
                    if (!newsletter_get_user($user_mail)) {
                        $unknown_mail = true;
                    }
                }
            }
            if (!$confirmed) {
                $missing_confirmation = true;
            }
            break;
        default:
            break;
    }
    switch ($action) {
        case 'unsubscribe':
            if ($bad_token or $missing_code or $bad_code or $missing_mail or $bad_mail or $unknown_mail or $missing_confirmation) {
                break;
            }
            require_once 'urlencodeaction.php';
            $id = 1; // confirmnewsletterunsubscribe, see saction
            $param = $user_mail;
            // Encoded (action id, mail) pair carried in the confirmation link;
            // whether it is also signed is up to urlencodeaction() — not visible here.
            $s64 = urlencodeaction($id, $param);
            if (!$s64) {
                $internal_error = true;
                break;
            }
            $saction_page = url('saction', $lang);
            if (!$saction_page) {
                $internal_error = true;
                break;
            }
            global $base_url;
            $url = $base_url . $saction_page . '/' . $s64;
            require_once 'emailtext.php';
            $to = $user_mail;
            $subject = translate('newsletter:unregister_subject', $lang);
            $f = translate('newsletter:unregister_text', $lang);
            $s = sprintf($f, $url);
            $msg = $s . "\n\n" . translate('email:salutations', $lang);
            // NOTE(review): the emailtext() result is ignored, so the page reports
            // $mail_unsubscribed even if the confirmation mail was not sent.
            emailtext($msg, $to, $subject, false);
            $mail_unsubscribed = $user_mail;
            $confirmed = false;
            break;
        default:
            break;
    }
    if ($internal_error) {
        $contact_page = url('contact', $lang);
    }
    // Rotate the CSRF token on every render; $bad_token itself is not reported.
    $_SESSION['unsubscribe_token'] = $token = token_id();
    $errors = compact('missing_mail', 'bad_mail', 'unknown_mail', 'missing_confirmation', 'missing_code', 'bad_code', 'internal_error', 'contact_page');
    $infos = compact('mail_unsubscribed');
    $output = view('unsubscribe', $lang, compact('token', 'with_captcha', 'user_mail', 'confirmed', 'subscribe_page', 'errors', 'infos'));
    return $output;
}
/**
 * Account edit form handler for user $user_id.
 *
 * Actions: 'modify' (name, mail, website, locale, timezone, plus role and
 * status for administrators), 'change' (new password; currently disabled by
 * $with_newpassword = false), 'delete' (two-step: ask, then confirm) and
 * 'cancel'. The owner's session copy of the profile is refreshed after a
 * successful modify. Renders the 'useredit' view with a fresh CSRF token.
 *
 * NOTE(review): there is no authorization check in this function; it assumes
 * the caller only invokes it for the owner or an administrator — confirm.
 *
 * @param string     $lang    language code for url() and view()
 * @param int|string $user_id account being edited; id 1 is protected from
 *                            status/role/timezone changes and deletion
 * @return mixed|false view() output, or false once the account was deleted
 */
function useredit($lang, $user_id) {
    global $system_languages, $supported_roles;
    $is_admin = user_has_role('administrator');
    $is_owner = $user_id == user_profile('id');
    $with_name = true;
    $with_status = ($user_id != 1 and $is_admin);
    $with_delete = ($user_id != 1 and $is_admin and !$is_owner);
    $with_newpassword = false; // ($user_id != 1 and $is_owner);
    $with_locale = count($system_languages) > 1 ? true : false;
    $with_role = ($user_id != 1 and $is_admin);
    // NOTE(review): $with_timezone and $with_website are only passed to the view;
    // the posted timezone/website are read and saved below regardless of them.
    $with_timezone = ($user_id != 1 and $is_admin);
    $with_website = true;
    $with_info = false;
    $confirmed = false;
    $action = 'init';
    if (isset($_POST['useredit_modify'])) {
        $action = 'modify';
    }
    if ($with_newpassword) {
        if (isset($_POST['useredit_change'])) {
            $action = 'change';
        }
    }
    if ($with_delete) {
        if (isset($_POST['useredit_delete'])) {
            $action = 'delete';
        } else {
            if (isset($_POST['useredit_confirmdelete'])) {
                $action = 'delete';
                $confirmed = true;
            } else {
                if (isset($_POST['useredit_cancel'])) {
                    $action = 'cancel';
                }
            }
        }
    }
    $user_name = $user_mail = $user_locale = $user_timezone = false;
    $user_website = false;
    $user_active = $user_banned = false;
    $user_accessed = false;
    $user_role = false;
    $user_newpassword = false;
    $user_lastname = $user_firstname = false;
    $token = false;
    switch ($action) {
        case 'init':
        case 'reset':
            // 'reset' is never assigned above; kept as in the original.
            // extract() also brings user_password / user_seed into scope; they
            // are not passed on to the view.
            $r = user_get($user_id);
            if ($r) {
                extract($r); /* user_name user_password user_newpassword user_seed user_mail user_timezone user_website user_created user_modified user_accessed user_locale user_active user_banned */
            }
            $user_newpassword = false;
            if ($with_info) {
                $r = user_get_info($user_id);
                if ($r) {
                    extract($r); /* user_lastname, user_firstname */
                }
            }
            if ($with_role) {
                $user_role = user_get_role($user_id);
            }
            break;
        case 'modify':
        case 'change':
        case 'delete':
        case 'cancel':
            if ($with_info) {
                if (isset($_POST['useredit_lastname'])) {
                    $user_lastname = readarg($_POST['useredit_lastname']);
                }
                if (isset($_POST['useredit_firstname'])) {
                    $user_firstname = readarg($_POST['useredit_firstname']);
                }
            }
            if (isset($_POST['useredit_name'])) {
                $user_name = strtolower(strflat(readarg($_POST['useredit_name'])));
            }
            if (isset($_POST['useredit_mail'])) {
                $user_mail = strtolower(strflat(readarg($_POST['useredit_mail'])));
            }
            if (isset($_POST['useredit_website'])) {
                $user_website = strtolower(strflat(readarg($_POST['useredit_website'])));
            }
            if (isset($_POST['useredit_timezone'])) {
                $user_timezone = readarg($_POST['useredit_timezone']);
            }
            if (isset($_POST['useredit_locale'])) {
                $user_locale = readarg($_POST['useredit_locale']);
            }
            if ($with_role) {
                // Expected to be an array of role names (it is iterated below) — TODO confirm.
                if (isset($_POST['useredit_role'])) {
                    $user_role = readarg($_POST['useredit_role']);
                }
            }
            if ($with_status) {
                if (isset($_POST['useredit_active'])) {
                    $user_active = readarg($_POST['useredit_active']) == 'on';
                }
                if (isset($_POST['useredit_banned'])) {
                    $user_banned = readarg($_POST['useredit_banned']) == 'on';
                }
                if (isset($_POST['useredit_accessed'])) {
                    $user_accessed = (int) readarg($_POST['useredit_accessed']);
                }
            }
            if ($with_newpassword) {
                if (isset($_POST['useredit_newpassword'])) {
                    $user_newpassword = readarg($_POST['useredit_newpassword']);
                }
            }
            if (isset($_POST['useredit_token'])) {
                $token = readarg($_POST['useredit_token']);
            }
            break;
        default:
            break;
    }
    $bad_token = false;
    $missing_lastname = false;
    $missing_firstname = false;
    $missing_name = false;
    $bad_name = false;
    $duplicated_name = false;
    $missing_mail = false;
    $bad_mail = false;
    $duplicated_mail = false;
    $bad_role = false;
    $bad_website = false;
    $missing_locale = false;
    $bad_locale = false;
    $bad_timezone = false;
    $missing_newpassword = false;
    $bad_newpassword = false;
    $account_modified = false;
    $password_changed = false;
    $internal_error = false;
    $contact_page = false;
    switch ($action) {
        case 'modify':
            // NOTE(review): loose `!=`, not constant-time. Only 'modify' checks the
            // token: 'change' and 'delete' below are not CSRF-protected.
            if (!isset($_SESSION['useredit_token']) or $token != $_SESSION['useredit_token']) {
                $bad_token = true;
            }
            if ($with_info) {
                if (!$user_lastname) {
                    $missing_lastname = true;
                }
                if (!$user_firstname) {
                    $missing_firstname = true;
                }
            }
            if ($with_name and !$user_name) {
                $missing_name = true;
            }
            if ($user_name) {
                if (!validate_user_name($user_name)) {
                    $bad_name = true;
                } else {
                    // user_check_name()/user_check_mail() presumably report whether the
                    // value is free for this user id (duplicate => false) — confirm.
                    if (!user_check_name($user_name, $user_id)) {
                        $duplicated_name = true;
                    }
                }
            }
            if (!$user_mail) {
                $missing_mail = true;
            } else {
                if (!validate_mail($user_mail)) {
                    $bad_mail = true;
                } else {
                    if (!user_check_mail($user_mail, $user_id)) {
                        $duplicated_mail = true;
                    }
                }
            }
            if ($user_role) {
                foreach ($user_role as $role) {
                    if (!validate_role($role)) {
                        $bad_role = true;
                        break;
                    }
                }
            }
            if ($user_website) {
                if (!validate_website($user_website)) {
                    $bad_website = true;
                } else {
                    $user_website = normalize_website($user_website);
                }
            }
            if ($user_timezone) {
                if (!validate_timezone($user_timezone)) {
                    $bad_timezone = true;
                }
            }
            if ($with_locale and !$user_locale) {
                $missing_locale = true;
            }
            if ($user_locale) {
                if (!validate_locale($user_locale)) {
                    $bad_locale = true;
                }
            }
            break;
        case 'change':
            if (!$user_newpassword) {
                $missing_newpassword = true;
            } else {
                if (!validate_password($user_newpassword)) {
                    $bad_newpassword = true;
                }
            }
            break;
        default:
            break;
    }
    $confirm_delete = false;
    switch ($action) {
        case 'modify':
            if ($bad_token or $missing_name or $bad_name or $duplicated_name or $missing_mail or $bad_mail or $duplicated_mail or $bad_role or $bad_website or $bad_timezone or $missing_locale or $bad_locale or $missing_lastname or $missing_firstname) {
                break;
            }
            $r = user_set($user_id, $user_name, $user_mail, $user_website, $user_locale, $user_timezone);
            if (!$r) {
                $internal_error = true;
                break;
            }
            // Keep the owner's session profile in sync with what was just stored.
            if ($is_owner) {
                $_SESSION['user']['name'] = $user_name;
                $_SESSION['user']['mail'] = $user_mail;
                $_SESSION['user']['website'] = $user_website;
                $_SESSION['user']['locale'] = $user_locale;
                $_SESSION['user']['timezone'] = $user_timezone;
            }
            if ($with_info) {
                $r = user_set_info($user_id, $user_lastname, $user_firstname);
                if (!$r) {
                    $internal_error = true;
                    break;
                }
                if ($is_owner) {
                    $_SESSION['user']['lastname'] = $user_lastname;
                    $_SESSION['user']['firstname'] = $user_firstname;
                }
            }
            if ($with_role) {
                $r = user_set_role($user_id, $user_role);
                if (!$r) {
                    $internal_error = true;
                    break;
                }
            }
            if ($with_status) {
                // $user_accessed is read from the form but not stored here.
                $r = user_set_status($user_id, $user_active, $user_banned);
                if (!$r) {
                    $internal_error = true;
                    break;
                }
            }
            $account_modified = true;
            break;
        case 'change':
            // NOTE(review): no $bad_token check on this path (currently unreachable
            // while $with_newpassword is false).
            if ($missing_newpassword or $bad_newpassword) {
                break;
            }
            $r = user_set_newpassword($user_id, $user_newpassword);
            if (!$r) {
                $internal_error = true;
                break;
            }
            $password_changed = true;
            break;
        case 'delete':
            // NOTE(review): neither the first nor the confirming delete POST checks
            // the CSRF token, although $with_delete restricts this to administrators.
            if (!$confirmed) {
                $confirm_delete = true;
                break;
            }
            $r = user_delete($user_id);
            if (!$r) {
                $internal_error = true;
                break;
            }
            return false;
        default:
            break;
    }
    // Never echo a password back into the form.
    $user_newpassword = false;
    if ($internal_error) {
        $contact_page = url('contact', $lang);
    }
    // Rotate the CSRF token on every render; $bad_token itself is not reported.
    $_SESSION['useredit_token'] = $token = token_id();
    $errors = compact('missing_name', 'bad_name', 'duplicated_name', 'missing_mail', 'bad_mail', 'duplicated_mail', 'bad_timezone', 'bad_website', 'missing_locale', 'bad_locale', 'missing_newpassword', 'bad_newpassword', 'missing_lastname', 'missing_firstname', 'internal_error', 'contact_page');
    $infos = compact('account_modified', 'password_changed');
    $output = view('useredit', $lang, compact('token', 'errors', 'infos', 'with_name', 'user_name', 'user_mail', 'with_timezone', 'user_timezone', 'with_website', 'user_website', 'with_role', 'user_role', 'supported_roles', 'with_locale', 'user_locale', 'with_status', 'user_banned', 'user_active', 'user_accessed', 'with_newpassword', 'user_newpassword', 'with_info', 'user_lastname', 'user_firstname', 'with_delete', 'confirm_delete'));
    return $output;
}
/**
 * Newsletter post scheduler for ($newsletter_id, $page_id).
 *
 * Shows the current schedule state; lets the caller schedule a send at a
 * date/time whose hour is clamped to [$hmin, $hmax], or cancel a pending
 * schedule. Once the post has been mailed only the 'mailed' state is
 * rendered and no action is possible.
 *
 * @param string $lang          language code for newsletter_*() and view()
 * @param mixed  $newsletter_id newsletter the post belongs to
 * @param mixed  $page_id       page (post) being scheduled
 * @return mixed view() output for the 'postnews' template
 */
function postnews($lang, $newsletter_id, $page_id) {
    $postdate = $scheduled = $mailed = false;
    $r = newsletter_get_post($newsletter_id, $page_id, $lang);
    if ($r) {
        extract($r); // newsletter_post_scheduled, newsletter_post_mailed
        $scheduled = $newsletter_post_scheduled;
        $mailed = $newsletter_post_mailed;
    }
    if ($mailed) {
        return view('postnews', $lang, compact('mailed'));
    }
    // 'post' only while nothing is scheduled; 'cancel' only while something is.
    $action = 'init';
    if (isset($_POST['postnews_post']) and !$scheduled) {
        $action = 'post';
    } else {
        if (isset($_POST['postnews_cancel']) and $scheduled and !$mailed) {
            $action = 'cancel';
        }
    }
    // Allowed sending window, in hours of the server's local day.
    $hmin = 8;
    $hmax = 18;
    $token = false;
    $date = false;
    $hour = $hmin;
    $minute = 0;
    switch ($action) {
        case 'init':
            break;
        case 'post':
            if (isset($_POST['postnews_date'])) {
                $date = readarg($_POST['postnews_date']);
            }
            if (isset($_POST['postnews_hour'])) {
                $hour = readarg($_POST['postnews_hour']);
            }
            if (isset($_POST['postnews_minute'])) {
                $minute = readarg($_POST['postnews_minute']);
            }
            if (isset($_POST['postnews_token'])) {
                $token = readarg($_POST['postnews_token']);
            }
            break;
        case 'cancel':
            break;
        default:
            break;
    }
    $bad_token = false;
    $missing_date = false;
    $bad_date = false;
    $internal_error = false;
    switch ($action) {
        case 'post':
            // NOTE(review): loose `!=`, not constant-time; 'cancel' reads no token at
            // all, so a pending schedule can be cancelled by any POST.
            if (!isset($_SESSION['postnews_token']) or $token != $_SESSION['postnews_token']) {
                $bad_token = true;
            }
            // Clamp the hour into [$hmin, $hmax]; reaching $hmax forces minute 0.
            if (!is_numeric($hour)) {
                $hour = $hmin;
            } else {
                if ($hour < $hmin) {
                    $hour = $hmin;
                } else {
                    if ($hour >= $hmax) {
                        $hour = $hmax;
                        $minute = 0;
                    }
                }
            }
            if (!is_numeric($minute)) {
                $minute = 0;
            } else {
                if ($minute < 0) {
                    $minute = 0;
                } else {
                    if ($minute > 59) {
                        $minute = 59;
                    }
                }
            }
            // Date: YYYY/MM/DD or YYYY-MM-DD with one consistent separator; the
            // captured strings are passed to checkdate()/mktime() uncast.
            if (!$date) {
                $missing_date = true;
            } else {
                if (!preg_match('#^([0-9]{4})([/-])([0-9]{2})\\2([0-9]{2})$#', $date, $d)) {
                    $bad_date = true;
                } else {
                    if (!checkdate($d[3], $d[4], $d[1])) {
                        $bad_date = true;
                    }
                }
            }
            if ($missing_date or $bad_date) {
                break;
            }
            $postdate = mktime($hour, $minute, 0, $d[3], $d[4], $d[1]);
            // Anything before today's $hmin is in the past.
            if ($postdate < mktime($hmin, 0, 0)) {
                $bad_date = true;
            }
            break;
        default:
            break;
    }
    switch ($action) {
        case 'post':
            if ($bad_token or $missing_date or $bad_date) {
                break;
            }
            $r = newsletter_schedule_post($newsletter_id, $page_id, $lang, $postdate);
            if (!$r) {
                $internal_error = true;
                break;
            }
            $scheduled = $postdate;
            break;
        case 'cancel':
            $r = newsletter_cancel_post($newsletter_id, $page_id, $lang);
            if (!$r) {
                $internal_error = true;
                break;
            }
            $scheduled = false;
            break;
        default:
            break;
    }
    // Default proposal for the form: today at $hour:$minute, or tomorrow once
    // the current time is past $hmax + 1.
    if (!$scheduled) {
        $postdate = mktime($hour, $minute, 0);
        if (time() > mktime($hmax + 1, 0, 0)) {
            $postdate = strtotime('+1 day', $postdate);
        }
    }
    // Rotate the CSRF token on every render; $bad_token itself is not reported.
    $_SESSION['postnews_token'] = $token = token_id();
    $errors = compact('missing_date', 'bad_date', 'internal_error');
    $output = view('postnews', $lang, compact('token', 'scheduled', 'mailed', 'hmin', 'hmax', 'postdate', 'errors'));
    return $output;
}
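/**
 * Contact ("mail me") form handler.
 *
 * Reads the posted mail/subject/message (plus optional appointment date,
 * hour and minute), validates them together with the session CSRF token and
 * captcha, and sends the message through emailme(). Renders the 'mailme'
 * view with the field values, errors and a fresh token.
 *
 * @param string       $lang             language code for translate(), url() and view()
 * @param string|false $to               recipient handed to emailme(); what false means is up to emailme()
 * @param bool         $with_appointment accept and validate date/hour/minute fields
 * @param bool         $with_captcha     require the session captcha
 * @param bool         $with_home        after a send, offer a link to url($home_action, $lang)
 * @return mixed       view() output for the 'mailme' template
 */
function mailme($lang, $to = false, $with_appointment = false, $with_captcha = true, $with_home = true)
{
    $action = isset($_POST['mailme_send']) ? 'send' : 'init';

    $mail = $subject = $message = $date = $hour = $minute = $code = $token = false;
    if (isset($_SESSION['user']['mail'])) {
        $mail = $_SESSION['user']['mail'];
    }

    if ($action === 'send') {
        if (isset($_POST['mailme_mail'])) {
            $mail = strtolower(strflat(readarg($_POST['mailme_mail'])));
        }
        if (isset($_POST['mailme_subject'])) {
            $subject = readarg($_POST['mailme_subject']);
        }
        if (isset($_POST['mailme_message'])) {
            $message = readarg($_POST['mailme_message']);
        }
        if ($with_appointment) {
            if (isset($_POST['mailme_date'])) {
                $date = readarg($_POST['mailme_date']);
            }
            if (isset($_POST['mailme_hour'])) {
                $hour = readarg($_POST['mailme_hour']);
            }
            if (isset($_POST['mailme_minute'])) {
                $minute = readarg($_POST['mailme_minute']);
            }
        }
        if (isset($_POST['mailme_code'])) {
            $code = readarg($_POST['mailme_code']);
        }
        if (isset($_POST['mailme_token'])) {
            $token = readarg($_POST['mailme_token']);
        }
    }

    $missing_code = $bad_code = $bad_token = false;
    $missing_mail = $bad_mail = $missing_subject = $bad_subject = $missing_message = false;
    $bad_appointment = $email_sent = $home_page = $internal_error = false;

    switch ($action) {
        case 'send':
            // Type-strict, constant-time token check (the previous loose `!=` treated
            // differently spelled numeric-looking strings as equal). A bad token does
            // not stop the remaining checks; it only blocks the send below.
            if (!isset($_SESSION['mailme_token'])
                || !is_string($token)
                || !hash_equals((string) $_SESSION['mailme_token'], $token)) {
                $bad_token = true;
            }
            if ($with_captcha) {
                if (!$code) {
                    $missing_code = true;
                    break;
                }
                $captcha = isset($_SESSION['captcha']['mailme']) ? $_SESSION['captcha']['mailme'] : false;
                // Strict compare for the captcha too: with loose `!=`, "007" and "7" matched.
                if (!$captcha || !is_string($code) || !hash_equals((string) $captcha, strtoupper($code))) {
                    $bad_code = true;
                    break;
                }
            }
            if (!$mail) {
                $missing_mail = true;
            } elseif (!validate_mail($mail)) {
                $bad_mail = true;
            }
            // Only the subject is screened for header injection; the sender address
            // relies on validate_mail() rejecting CR/LF (assumed, not visible here).
            if (!$subject) {
                $missing_subject = true;
            } elseif (is_mail_injected($subject)) {
                $bad_subject = true;
            }
            if (!$message) {
                $missing_message = true;
            }
            if ($with_appointment) {
                if ($date) {
                    // YYYY/MM/DD or YYYY-MM-DD with one consistent separator.
                    if (!preg_match('#^([0-9]{4})([/-])([0-9]{2})\\2([0-9]{2})$#', $date, $d)) {
                        $bad_appointment = true;
                    } elseif (!checkdate((int) $d[3], (int) $d[4], (int) $d[1])) {
                        $bad_appointment = true;
                    } elseif (mktime(0, 0, 0, (int) $d[3], (int) $d[4], (int) $d[1])
                        <= mktime(0, 0, 0, (int) date('m'), (int) date('d'), (int) date('Y'))) {
                        // Must be strictly after today. date('Y') replaces date("y"): the
                        // two-digit year only worked through mktime()'s 0-69 => 2000-2069 mapping.
                        $bad_appointment = true;
                    }
                }
                // Hour/minute are range-checked only when both are numeric; a non-numeric
                // value is formatted as 0 by the sprintf() below (unchanged behaviour).
                if (is_numeric($hour) && is_numeric($minute)) {
                    if ($hour < 0 || $hour > 23 || $minute < 0 || $minute > 59) {
                        $bad_appointment = true;
                    }
                }
            }
            break;
        default:
            break;
    }

    switch ($action) {
        case 'send':
            if ($bad_token || $missing_code || $bad_code || $missing_mail || $bad_mail
                || $missing_subject || $bad_subject || $missing_message || $bad_appointment) {
                break;
            }
            require_once 'emailme.php';
            if ($date) {
                // Append the appointment line using the translated format, with a
                // built-in fallback when no translation exists.
                $f = translate('email:appointment', $lang);
                $s = sprintf($f ? $f : "%s %02d:%02d", $date, $hour, $minute);
                $message .= "\n\n{$s}";
            }
            $r = emailme($subject, $message, $mail, $to);
            if (!$r) {
                $internal_error = true;
                break;
            }
            // Clear the form after a successful send; the sender address is kept.
            $subject = $message = $date = $hour = $minute = false;
            if ($with_home) {
                global $home_action;
                $home_page = url($home_action, $lang);
            }
            $email_sent = true;
            break;
        default:
            break;
    }

    // Rotate the CSRF token on every render; $bad_token itself is not reported to the view.
    $_SESSION['mailme_token'] = $token = token_id();
    $errors = compact('missing_code', 'bad_code', 'missing_mail', 'bad_mail', 'missing_subject', 'bad_subject', 'missing_message', 'bad_appointment', 'internal_error');
    $infos = compact('email_sent', 'home_page');

    return view('mailme', $lang, compact('token', 'with_captcha', 'with_appointment', 'mail', 'subject', 'message', 'date', 'hour', 'minute', 'errors', 'infos'));
}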
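/**
 * File-upload action: renders the "upload" view and, on a POST from that form,
 * validates the uploaded file (session token, upload status, size, name) and
 * moves it into FILES_DIR under its original name.
 *
 * @param string $lang Language passed through to the view.
 *
 * @return string The rendered view.
 */
function upload($lang)
{
    // Upper bound in bytes enforced here, on top of the PHP upload limits.
    $maxfilesize = 1000000;

    $action = 'init';
    if (isset($_POST['upload_put'])) {
        $action = 'upload';
    }

    $file = $name = $type = $error = false;
    $size = 0;
    $token = false;

    switch ($action) {
        case 'upload':
            if (isset($_POST['upload_token'])) {
                $token = readarg($_POST['upload_token']);
            }
            if (isset($_FILES['upload_file'])) {
                if (isset($_FILES['upload_file']['tmp_name'])) {
                    $file = $_FILES['upload_file']['tmp_name'];
                }
                if (isset($_FILES['upload_file']['error'])) {
                    $error = $_FILES['upload_file']['error'];
                }
                // 'name' and 'type' are client-supplied and must not be trusted as-is.
                if (isset($_FILES['upload_file']['name'])) {
                    $name = $_FILES['upload_file']['name'];
                }
                if (isset($_FILES['upload_file']['type'])) {
                    $type = $_FILES['upload_file']['type'];
                }
                if (isset($_FILES['upload_file']['size'])) {
                    $size = $_FILES['upload_file']['size'];
                }
            }
            break;
        default:
            break;
    }

    $bad_token = false;
    $missing_file = false;
    $bad_file = false;
    $bad_name = false;
    $bad_size = false;
    $bad_copy = false;
    $copy_error = false;
    $file_copied = false;

    switch ($action) {
        case 'upload':
            // Per-session token guards the form against cross-site submission; compare in constant time.
            if (!isset($_SESSION['upload_token']) or !hash_equals((string) $_SESSION['upload_token'], (string) $token)) {
                $bad_token = true;
                break;
            }
            if (!$file) {
                $missing_file = true;
            } elseif (!is_uploaded_file($file)) {
                // Only a file that PHP itself received in this request may be moved.
                $bad_file = true;
            } elseif ((int) $error !== UPLOAD_ERR_OK) {
                $bad_copy = true;
            } elseif ($size > $maxfilesize) {
                $bad_size = true;
            } elseif (!validate_filename($name) or !is_filename_allowed($name) or basename((string) $name) !== (string) $name) {
                // The name becomes a path component under FILES_DIR: besides the project
                // validators, refuse anything that is not a bare file name (no directory part).
                $bad_name = true;
            }
            break;
        default:
            break;
    }

    switch ($action) {
        case 'upload':
            if ($bad_token or $missing_file or $bad_file or $bad_size or $bad_name or $bad_copy) {
                break;
            }
            $filecopy = FILES_DIR . DIRECTORY_SEPARATOR . $name;
            if (!@move_uploaded_file($file, $filecopy)) {
                $copy_error = true;
                break;
            }
            $file_copied = true;
            break;
        default:
            break;
    }

    // Issue a fresh token for the next submission.
    $_SESSION['upload_token'] = $token = token_id();

    $errors = compact('missing_file', 'bad_file', 'bad_size', 'bad_name', 'bad_copy', 'copy_error');
    $infos = compact('file_copied');

    $output = view('upload', $lang, compact('token', 'maxfilesize', 'name', 'errors', 'infos'));

    return $output;
}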
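/**
 * Installer action: checks that the configuration files and directories are
 * writable, renders the "configure" form and, on submission, validates the
 * settings, optionally creates/initialises the database, writes the db/config/
 * aliases include files, the sitemap, robots.txt and the site logo, then
 * reloads the site.
 *
 * @param string $lang Language of the installer UI; also the initial default content language.
 *
 * @return string|false The rendered view, or false once the site has been configured and reloaded.
 */
function configure($lang)
{
    global $system_languages;
    global $base_url;

    // Every path the installer must be able to write, relative to ROOT_DIR.
    $writable_files = array(
        CONFIG_DIRNAME . DIRECTORY_SEPARATOR . DB_INC,
        CONFIG_DIRNAME . DIRECTORY_SEPARATOR . CONFIG_INC,
        CONFIG_DIRNAME . DIRECTORY_SEPARATOR . ALIASES_INC,
        LOGOS_DIRNAME . DIRECTORY_SEPARATOR . SITELOGO_PNG,
        SITEMAP_XML,
        ROBOTS_TXT,
        AVATARS_DIRNAME,
        LOG_DIRNAME,
        TMP_DIRNAME,
        PHPQRCODECACHE_DIRNAME,
    );

    // false while everything is writable, otherwise the list of offending paths (the view expects that shape).
    $bad_write_permission = false;
    foreach ($writable_files as $fname) {
        $fpath = ROOT_DIR . DIRECTORY_SEPARATOR . $fname;
        clearstatcache(true, $fpath);
        if (!is_writable($fpath)) {
            if (!is_array($bad_write_permission)) {
                $bad_write_permission = array();
            }
            $bad_write_permission[] = $fname;
        }
    }

    $token = false;
    if (isset($_POST['configure_token'])) {
        $token = readarg($_POST['configure_token']);
    }

    $action = 'init';
    if (isset($_POST['configure_configure'])) {
        $action = 'configure';
    }

    $sitename = $webmaster = '';
    $content_languages = false;
    $default_language = false;
    $db_flag = false;
    $db_type = 'mysql';
    $db_reuse = false;
    $db_host = 'localhost';
    $db_admin_user = $db_admin_password = '';
    $db_name = $db_user = $db_password = $db_prefix = '';
    $site_admin_user = $site_admin_password = '';

    switch ($action) {
        case 'init':
            // Defaults shown on first display; the DB password is regenerated until it passes the strength rule.
            $sitename = 'mysite.net';
            $webmaster = '*****@*****.**';
            $content_languages = array($lang);
            $default_language = $lang;
            $db_flag = true;
            $db_reuse = false;
            $db_name = 'mysite';
            $db_user = '******';
            $db_prefix = 'mysite_';
            do {
                $db_password = newpassword(8);
            } while (!validate_password($db_password));
            break;
        case 'configure':
            if (isset($_POST['configure_sitename'])) {
                $sitename = readarg($_POST['configure_sitename']);
            }
            if (isset($_POST['configure_webmaster'])) {
                $webmaster = readarg($_POST['configure_webmaster']);
            }
            if (isset($_POST['configure_content_languages'])) {
                $content_languages = readarg($_POST['configure_content_languages']);
            }
            if (isset($_POST['configure_default_language'])) {
                $default_language = readarg($_POST['configure_default_language']);
            }
            if (isset($_POST['configure_db_flag'])) {
                $db_flag = readarg($_POST['configure_db_flag']) == 'yes' ? true : false;
            }
            if (isset($_POST['configure_db_type'])) {
                $db_type = readarg($_POST['configure_db_type']);
            }
            if (isset($_POST['configure_db_reuse'])) {
                $db_reuse = readarg($_POST['configure_db_reuse']) == 'yes' ? true : false;
            }
            if (isset($_POST['configure_db_admin_user'])) {
                $db_admin_user = readarg($_POST['configure_db_admin_user']);
            }
            if (isset($_POST['configure_db_admin_password'])) {
                $db_admin_password = readarg($_POST['configure_db_admin_password']);
            }
            if (isset($_POST['configure_db_name'])) {
                $db_name = readarg($_POST['configure_db_name']);
            }
            if (isset($_POST['configure_db_host'])) {
                $db_host = readarg($_POST['configure_db_host']);
            }
            if (isset($_POST['configure_db_user'])) {
                $db_user = readarg($_POST['configure_db_user']);
            }
            if (isset($_POST['configure_db_password'])) {
                $db_password = readarg($_POST['configure_db_password']);
            }
            if (isset($_POST['configure_db_prefix'])) {
                $db_prefix = readarg($_POST['configure_db_prefix']);
            }
            if (isset($_POST['configure_site_admin_user'])) {
                $site_admin_user = readarg($_POST['configure_site_admin_user']);
            }
            if (isset($_POST['configure_site_admin_password'])) {
                $site_admin_password = readarg($_POST['configure_site_admin_password']);
            }
            break;
        default:
            break;
    }

    $bad_token = false;
    $missing_sitename = false;
    $missing_webmaster = false;
    $missing_content_languages = false;
    $bad_content_languages = false;
    $missing_default_language = false;
    $bad_default_language = false;
    $missing_db_admin_user = false;
    $missing_db_admin_password = false;
    $bad_db_type = false;
    $missing_db_name = false;
    $bad_db_name = false;
    $bad_db_prefix = false;
    $missing_db_host = false;
    $bad_db_host = false;
    $missing_db_user = false;
    $bad_db_user = false;
    $missing_db_password = false;
    $weak_db_password = false;
    $missing_site_admin_user = false;
    $bad_site_admin_user = false;
    $missing_site_admin_password = false;
    $weak_site_admin_password = false;
    $db_error = false;
    $file_error = false;
    $internal_error = false;

    switch ($action) {
        case 'configure':
            // Per-session token guards the installer form; compare in constant time, as strings.
            if (!isset($_SESSION['configure_token']) or !hash_equals((string) $_SESSION['configure_token'], (string) $token)) {
                $bad_token = true;
            }
            if (empty($sitename)) {
                $missing_sitename = true;
            }
            if (empty($webmaster)) {
                $missing_webmaster = true;
            }
            if (empty($content_languages)) {
                $missing_content_languages = true;
            } elseif (!is_array($content_languages)) {
                $bad_content_languages = true;
            } else {
                // Every selected language must be one the system ships.
                foreach ($content_languages as $clang) {
                    if (!in_array($clang, $system_languages)) {
                        $bad_content_languages = true;
                        break;
                    }
                }
                // The default language falls back to the first selected one.
                if (empty($default_language)) {
                    $default_language = $content_languages[0];
                } elseif (!in_array($default_language, $content_languages)) {
                    $bad_default_language = true;
                }
            }
            if ($db_flag) {
                if (empty($db_name)) {
                    $missing_db_name = true;
                } elseif (!$db_reuse and !validate_db_name($db_name)) {
                    $bad_db_name = true;
                }
                if (empty($db_type) or !in_array($db_type, array('mysql', 'pgsql'))) {
                    $bad_db_type = true;
                }
                // The prefix is spliced into table names, so it must pass the identifier rule.
                if (!empty($db_prefix) and !validate_db_name($db_prefix)) {
                    $bad_db_prefix = true;
                }
                // Admin credentials are only needed when the database is created here.
                if (!$db_reuse) {
                    if (empty($db_admin_user)) {
                        $missing_db_admin_user = true;
                    }
                    if (empty($db_admin_password)) {
                        $missing_db_admin_password = true;
                    }
                }
                if (empty($db_host)) {
                    $missing_db_host = true;
                } elseif (!(validate_host_name($db_host) or validate_ip_address($db_host))) {
                    $bad_db_host = true;
                }
                if (empty($db_user)) {
                    $missing_db_user = true;
                } elseif (!$db_reuse and !validate_db_name($db_user)) {
                    $bad_db_user = true;
                }
                if (empty($db_password)) {
                    $missing_db_password = true;
                } elseif (!$db_reuse and !validate_password($db_password)) {
                    $weak_db_password = true;
                }
                if (empty($site_admin_user)) {
                    $missing_site_admin_user = true;
                } elseif (!validate_db_name($site_admin_user)) {
                    $bad_site_admin_user = true;
                }
                if (empty($site_admin_password)) {
                    $missing_site_admin_password = true;
                } elseif (!validate_password($site_admin_password)) {
                    $weak_site_admin_password = true;
                }
            }
            break;
        default:
            break;
    }

    switch ($action) {
        case 'configure':
            // Abort on any validation failure. $bad_content_languages and $bad_db_prefix are
            // part of this gate: an invalid prefix must never reach build_db_inc()/init_db().
            if ($bad_token or $bad_write_permission or $missing_sitename or $missing_webmaster or $missing_content_languages or $bad_content_languages or $bad_default_language or $missing_db_admin_user or $missing_db_admin_password or $missing_db_name or $bad_db_name or $bad_db_type or $bad_db_prefix or $missing_db_host or $bad_db_host or $missing_db_user or $bad_db_user or $missing_db_password or $weak_db_password or $missing_site_admin_user or $bad_site_admin_user or $missing_site_admin_password or $weak_site_admin_password) {
                break;
            }
            $site_admin_mail = $site_admin_user . '@' . $sitename;
            // Default language first, then the other selected languages in submission order.
            $languages = array($default_language);
            foreach ($content_languages as $clang) {
                if ($clang != $default_language) {
                    $languages[] = $clang;
                }
            }
            if ($db_flag) {
                switch ($db_type) {
                    case 'pgsql':
                        require_once 'configurepgsql.php';
                        break;
                    case 'mysql':
                    default:
                        require_once 'configuremysql.php';
                        break;
                }
                if (!$db_reuse) {
                    // NOTE(review): the database is created against 'localhost' while init_db()
                    // and the written db include use $db_host — confirm this is intended.
                    try {
                        create_db($db_admin_user, $db_admin_password, 'localhost', $db_name, $db_user, $db_password);
                    } catch (PDOException $e) {
                        $db_error = $e->getMessage();
                        break;
                    }
                }
                try {
                    init_db($db_host, $db_name, $db_user, $db_password, $db_prefix, $site_admin_user, $site_admin_password, $site_admin_mail, $default_language);
                } catch (PDOException $e) {
                    $db_error = $e->getMessage();
                    break;
                }
                // Avatar for the site administrator; $site_admin_user passed validate_db_name() above.
                $img = identicon($site_admin_user, AVATAR_SIZE);
                @imagepng($img, AVATARS_DIR . DIRECTORY_SEPARATOR . $site_admin_user . '.png');
                $db_inc = build_db_inc($db_host, $db_name, $db_user, $db_password, $db_prefix, $db_type);
                $config_inc = build_config_inc($sitename, $webmaster, $site_admin_user, 1, 'home', 'page', $languages);
                $features = array('captcha', 'avatar', 'rssfeed', 'home', 'contact', 'user', 'nobody', 'account', 'password', 'newuser', 'search', 'suggest', 'download', 'admin', 'adminuser', 'pagecontent', 'pagevisit', 'page', 'editpage', 'folder', 'folderedit', 'story', 'storyedit', 'book', 'bookedit', 'newsletter', 'newsletteredit', 'newslettersubscribe', 'newsletterunsubscribe', 'thread', 'threadedit', 'node', 'editnode', 'donation', 'paypalreturn', 'paypalcancel', 'sslverifyclient', 'saction');
                $aliases_inc = build_aliases_inc($features, $languages);
            } else {
                // Database-less site: a reduced feature set and static home/any-page actions.
                $db_inc = build_db_inc(false, false, false, false, false, false);
                $config_inc = build_config_inc($sitename, $webmaster, $site_admin_user, false, 'homepage', 'anypage', $languages);
                $features = array('captcha', 'avatar', 'rssfeed', 'homepage', 'contact', 'donation', 'paypalreturn', 'paypalcancel', 'sslverifyclient', 'saction');
                $aliases_inc = build_aliases_inc($features, $languages);
            }
            if (!$db_inc or !$config_inc or !$aliases_inc) {
                $internal_error = true;
                break;
            }
            // The three include files are mandatory; sitemap, robots.txt and logo are best-effort.
            if (!@file_put_contents(CONFIG_DIR . DIRECTORY_SEPARATOR . DB_INC, array('<?php', $db_inc))) {
                $file_error = true;
                break;
            }
            if (!@file_put_contents(CONFIG_DIR . DIRECTORY_SEPARATOR . CONFIG_INC, array('<?php', $config_inc))) {
                $file_error = true;
                break;
            }
            if (!@file_put_contents(CONFIG_DIR . DIRECTORY_SEPARATOR . ALIASES_INC, array("<?php", $aliases_inc))) {
                $file_error = true;
                break;
            }
            $sitemap_xml = build_sitemap_xml($sitename, $languages);
            @file_put_contents(ROOT_DIR . DIRECTORY_SEPARATOR . SITEMAP_XML, array('<?xml version="1.0" encoding="UTF-8"?>', "\n", $sitemap_xml));
            $robots_txt = build_robots_txt($sitename, $languages);
            @file_put_contents(ROOT_DIR . DIRECTORY_SEPARATOR . ROBOTS_TXT, $robots_txt);
            $logo = strlogo($sitename);
            @imagepng($logo, LOGOS_DIR . DIRECTORY_SEPARATOR . SITELOGO_PNG, 9, PNG_ALL_FILTERS);
            imagedestroy($logo);
            // Configuration written: restart the session and send the browser to the configured site.
            session_reopen();
            reload($base_url);
            return false;
        default:
            break;
    }

    // Issue a fresh token for the next submission.
    $_SESSION['configure_token'] = $token = token_id();

    $errors = compact('bad_write_permission', 'missing_sitename', 'missing_webmaster', 'missing_content_languages', 'bad_content_languages', 'bad_default_language', 'missing_db_admin_user', 'missing_db_admin_password', 'bad_db_type', 'missing_db_name', 'bad_db_name', 'missing_db_host', 'bad_db_host', 'bad_db_prefix', 'missing_db_user', 'bad_db_user', 'missing_db_password', 'weak_db_password', 'missing_site_admin_user', 'bad_site_admin_user', 'missing_site_admin_password', 'weak_site_admin_password');

    $output = view('configure', $lang, compact('token', 'sitename', 'webmaster', 'db_error', 'file_error', 'internal_error', 'content_languages', 'default_language', 'db_flag', 'db_type', 'db_reuse', 'db_admin_user', 'db_admin_password', 'db_name', 'db_host', 'db_prefix', 'db_user', 'db_password', 'site_admin_user', 'site_admin_password', 'errors'));

    return $output;
}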