unlink(BASEDIR . '/avatars/' . $avatar_oldname['profile_image']); // removes the previous avatar; assumes profile_image holds a bare filename as written below — confirm nothing else writes that column
}
// New avatar file name: first 10 hex chars of md5(time()) plus the extension
// validated earlier (outside this view).
// NOTE(review): time() has one-second resolution, so two uploads in the same
// second get the same name and the later move_uploaded_file() silently
// overwrites the earlier file; the name is also predictable. A random name
// (or one that includes the user id) would avoid both.
$avatar_name = substr(md5(time()), 0, 10) . '.' . $image_extn;
$image_path = BASEDIR . '/avatars/' . $avatar_name;
// The return value of move_uploaded_file() is not checked, so the resize and
// the DB update below run even when the move failed.
move_uploaded_file($image_temp, $image_path);
resizeImage($avatar_name, $fs->prefs['max_avatar_size'], $fs->prefs['max_avatar_size']);
$db->Query('UPDATE {users} SET profile_image = ? WHERE user_id = ?', array($avatar_name, Post::num('user_id')));
} else {
    // $image_extn did not pass the type check made earlier (outside this view).
    Flyspray::show_error(L('incorrectfiletype'));
    break;
}
}
}
} // end only admin or user himself can change
// Global account state and global group: admins only.
if ($user->perms('is_admin')) {
    if ($user->id == (int) Post::val('user_id')) {
        // "nosuicide": an admin editing their own account may neither disable it
        // nor leave their current global group (group id 1 is presumably the
        // admin group — verify against the schema).
        if (Post::val('account_enabled', 0) <= 0 || Post::val('old_global_id') != 1) {
            Flyspray::show_error(L('nosuicide'));
            break;
        }
    } else {
        $db->Query('UPDATE {users} SET account_enabled = ? WHERE user_id = ?', array(Post::val('account_enabled', 0), Post::val('user_id')));
        // Re-points the membership row from the submitted old global group to
        // the new one; a stale old_global_id simply matches no row.
        $db->Query('UPDATE {users_in_groups} SET group_id = ? WHERE group_id = ? AND user_id = ?', array(Post::val('group_in'), Post::val('old_global_id'), Post::val('user_id')));
    }
}
} // end non project group changes
// Project group change: requires manage_project and an actual change.
if ($user->perms('manage_project') && !is_null(Post::val('project_group_in')) && Post::val('project_group_in') != Post::val('old_project_id')) {
    // Drops the old project membership; inserting the new one happens outside this view.
    $db->Query('DELETE FROM {users_in_groups} WHERE group_id = ? AND user_id = ?', array(Post::val('old_project_id'), Post::val('user_id')));
header(':', true, 412); # 'Precondition Failed' (the ':' header is a dummy; only the status code matters)
die('wrongtoken');
}
# Per-task permission check; the rule lives in User::can_edit_task() (outside this view).
$task = Flyspray::GetTaskDetails(Post::val('task_id'));
if (!$user->can_edit_task($task)) {
    header(':', true, 403); # 'Forbidden'
    #Flyspray::show_error(L('nopermission'));
    die(L('nopermission'));
}
# check field for update against allowed dbfields for quickedit.
# This allow-list is what keeps the submitted field name from reaching SQL as
# an arbitrary column identifier (the UPDATE itself is outside this view), so
# every addition here must be a real, user-editable column.
# maybe FUTURE: add (dynamic read from database) allowed CUSTOM FIELDS checks for the project and user
# (if there is urgent request for implementing custom fields into Flyspray and using of tag-feature isn't enough to accomplish - like numbers/dates/timestamps as custom fields)
$allowedFields = array('due_date', 'item_status', 'percent_complete', 'task_type', 'product_category', 'task_severity', 'task_priority', 'product_version', 'closedby_version');
if ($proj->prefs['use_effort_tracking'] && $user->perms('track_effort')) {
    $allowedFields[] = 'estimated_effort';
}
# NOTE(review): in_array() without strict=true uses loose comparison; harmless
# while Post::val() yields strings, but pass true if that ever changes.
if (!in_array(Post::val('name'), $allowedFields)) {
    header(':', true, 403);
    die(L('invalidfield'));
}
$value = Post::val('value'); # check if user is not sending manipulated invalid values
# Per-field normalisation of the submitted value (further cases follow outside this view).
switch (Post::val('name')) {
    case 'due_date':
        # Parsed with Flyspray::strtotime() and forced to an integer timestamp.
        $value = Flyspray::strtotime(Post::val('value'));
        $value = intval($value);
        break;
    case 'estimated_effort':
        $value = effort::EditStringToSeconds(Post::val('value'), $proj->prefs['hours_per_manday'], $proj->prefs['estimated_effort_format']);
Flyspray::show_error(3);
}
# handle all forms request that modify data
if (Req::has('action')) {
    # enforcing if the form sent the correct anti csrf token
    # only allow token by post
    if (!Post::has('csrftoken')) {
        die('missingtoken');
    } elseif (Post::val('csrftoken') == $_SESSION['csrftoken']) {
        # NOTE(review): loose (==) comparison of the token. PHP compares two
        # numeric-looking strings as numbers ("0e123" == "0e456" is true), so
        # compare with === or, better, hash_equals() where available.
        require_once BASEDIR . '/includes/modify.inc.php';
    } else {
        die('wrongtoken');
    }
}
# start collecting infos for the answer page
if ($proj->id && $user->perms('manage_project')) {
    // Find out if there are any PM requests wanting attention
    $sql = $db->Query('SELECT COUNT(*) FROM {admin_requests} WHERE project_id = ? AND resolved_by = 0', array($proj->id));
    list($count) = $db->fetchRow($sql);
    $page->assign('pm_pendingreq_num', $count);
}
if ($user->perms('is_admin')) {
    # Unresolved global (project_id = 0) requests of type 3, shown to admins.
    $sql = $db->Query('SELECT COUNT(*) FROM {admin_requests} WHERE request_type = 3 AND project_id = 0 AND resolved_by = 0');
    list($count) = $db->fetchRow($sql);
    $page->assign('admin_pendingreq_num', $count);
}
# Project list for the page, sorted case-insensitively by title.
$sql = $db->Query('SELECT project_id, project_title, project_is_active, others_view, default_entry, upper(project_title) AS sort_names FROM {projects} ORDER BY sort_names');
# old:
returns it for HTML display in a page. */
define('IN_FS', true);
header('Content-type: text/html; charset=utf-8');
require_once '../../header.php';
require_once '../../includes/events.inc.php';
// This script lives two directories below the application root.
$baseurl = dirname(dirname($baseurl)) . '/';
// Initialise user
// NOTE(review): only the presence of both cookies is tested here; whether the
// passhash cookie actually matches the account is left to User() /
// check_account_ok() (outside this view) — confirm it is verified there.
if (Cookie::has('flyspray_userid') && Cookie::has('flyspray_passhash')) {
    $user = new User(Cookie::val('flyspray_userid'));
    $user->check_account_ok();
} else {
    $user = new User(0, $proj);
}
// Check permissions
if (!$user->perms('view_history')) {
    die;
}
// Load translations
load_translations();
// Optional filter to a single history entry. The value is interpolated into
// SQL, which is only acceptable because Get::num() is expected to return a
// number — verify that it can never return a raw string.
if ($details = Get::num('details')) {
    $details = " AND h.history_id = {$details}";
} else {
    $details = null;
}
$sql = get_events(Get::num('task_id'), $details);
$histories = $db->fetchAllArray($sql);
$page = new FSTpl();
$page->setTheme($proj->prefs['theme_style']);
$page->uses('histories', 'details');
if ($details) {
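/**
 * Handle the "edit user" form (admin user editor and "my profile").
 *
 * Everything is read from POST. Outcomes, in order:
 *   - delete_user set: delete the account unless it is the last one.
 *   - real_name / email_address missing: ERROR_RECOVER.
 *   - password change requested: a non-admin, or an admin editing their own
 *     account, must supply the old password, which is verified against the
 *     stored hash + salt before a new salt/hash is written. The caller's own
 *     login cookie is refreshed when they changed their own password.
 *   - the e-mail (and the Jabber ID, when given) must not belong to another
 *     account.
 *   - profile fields are updated; denormalised copies of real_name are
 *     refreshed when it changed; admins may also set account_enabled and the
 *     global group.
 *
 * NOTE(review): nothing in this function checks that $user is allowed to edit
 * the account named by POST user_id (only the old-password rule distinguishes
 * admin from non-admin). That authorisation must be enforced by the caller —
 * confirm that it is.
 *
 * @return array  array(SUBMIT_OK|ERROR_RECOVER, message[, redirect url])
 */
function action_edituser()
{
    global $fs, $db, $proj, $user, $do, $conf;

    if (Post::val('delete_user')) {
        // Refuse to delete the last remaining account.
        if ($db->x->GetOne('SELECT count(*) FROM {users}') > 1) {
            Backend::delete_user(Post::val('user_id'));
            return array(SUBMIT_OK, L('userdeleted'), CreateURL(array('admin', 'groups')));
        }
        return array(ERROR_RECOVER, L('lastuser'));
    }

    if (!Post::val('real_name') || !Post::val('email_address')) {
        return array(ERROR_RECOVER, L('realandnotify'));
    }

    $wants_new_password = Post::val('changepass') || Post::val('confirmpass');
    $editing_self       = $user->id == Post::val('user_id');

    // Only an admin editing someone else may set a password without the old one.
    if ((!$user->perms('is_admin') || $editing_self) && !Post::val('oldpass') && $wants_new_password) {
        return array(ERROR_RECOVER, L('nooldpass'));
    }

    if ($wants_new_password) {
        if (Post::val('changepass') != Post::val('confirmpass')) {
            return array(ERROR_RECOVER, L('passnomatch'));
        }
        if (Post::val('oldpass')) {
            $oldpass = $db->x->getRow('SELECT user_pass, password_salt FROM {users} WHERE user_id = ?', null, Post::val('user_id'));
            $oldsalt = ($oldpass && $oldpass['password_salt']) ? $oldpass['password_salt'] : null;
            // A missing row is reported as a wrong password instead of indexing false.
            if (!$oldpass || Flyspray::cryptPassword(Post::val('oldpass'), $oldsalt) !== $oldpass['user_pass']) {
                return array(ERROR_RECOVER, L('oldpasswrong'));
            }
        }
        // The salt only needs to be unique per user, not secret; uniqid()+mt_rand()
        // is not a CSPRNG but is enough for that. Flyspray::cryptPassword() defines the hash.
        $new_salt = md5(uniqid(mt_rand(), true));
        $new_hash = Flyspray::cryptPassword(Post::val('changepass'), $new_salt);
        $db->x->execParam('UPDATE {users} SET user_pass = ?, password_salt = ? WHERE user_id = ?', array($new_hash, $new_salt, Post::val('user_id')));
        // The login cookie is derived from the stored hash, so refresh it when the
        // caller changed their own password (scheme must match User's cookie check).
        if ($editing_self) {
            Flyspray::setcookie('flyspray_passhash', hash_hmac('md5', $new_hash, $conf['general']['cookiesalt']), time() + 3600 * 24 * 30);
        }
    }

    // Check for an existing e-mail / Jabber ID on another account.
    // The previous query tested the bound value with "? != NULL", which is never
    // true in SQL, so the check could not fire. Build the OR-list in PHP instead:
    // the e-mail is always compared (it is mandatory, see above), the Jabber ID
    // only when one was submitted. All values remain bound parameters.
    $conditions = array('email_address = ?');
    $params     = array(Post::val('email_address'));
    if (Post::val('jabber_id')) {
        $conditions[] = 'jabber_id = ?';
        $params[]     = Post::val('jabber_id');
    }
    $params[] = Post::val('user_id');
    $taken = $db->x->GetOne(
        'SELECT COUNT(*) FROM {users} WHERE (' . implode(' OR ', $conditions) . ') AND user_id != ?',
        null,
        $params
    );
    if ($taken) {
        return array(ERROR_RECOVER, L('emailtaken'));
    }

    // A changed Jabber ID triggers a subscription request to the new address.
    if (Post::val('old_jabber_id') != Post::val('jabber_id')) {
        Notifications::JabberRequestAuth(Post::val('jabber_id'));
    }

    $previous = $db->x->GetRow('SELECT real_name, user_name FROM {users} WHERE user_id = ?', null, Post::val('user_id'));

    // List-valued fields are cast to array before implode() so a missing or
    // scalar value cannot break implode() (as was already done for syntax_plugins).
    $db->x->execParam(
        'UPDATE {users} SET real_name = ?, email_address = ?, notify_own = ?, jabber_id = ?, notify_type = ?, show_contact = ?, dateformat = ?, dateformat_extended = ?, defaultorder = ?, tasks_perpage = ?, time_zone = ?, defaultsortcolumn = ?, notify_blacklist = ?, lang_code = ?, syntax_plugins = ? WHERE user_id = ?',
        array(
            Post::val('real_name'),
            Post::val('email_address'),
            Post::num('notify_own', 0),
            Post::val('jabber_id', 0),
            Post::num('notify_type'),
            Post::num('show_contact'),
            Post::val('dateformat', 0),
            Post::val('dateformat_extended', 0),
            Post::val('defaultorder', 'asc'),
            Post::num('tasks_perpage'),
            Post::num('time_zone'),
            implode(' ', (array) Post::val('defaultsortcolumn')),
            implode(' ', (array) Post::val('notify_blacklist', array())),
            Post::val('lang_code', ''),
            implode(' ', (array) Post::val('syntax_plugins')),
            Post::num('user_id'),
        )
    );

    if ($previous['real_name'] != Post::val('real_name')) {
        // Denormalised copies of the real name elsewhere must follow the change.
        Backend::UpdateRedudantUserData($previous['user_name']);
    }

    if ($do == 'myprofile') {
        // Reload so the rest of the request sees the updated profile.
        $user = new User($user->id);
    }

    if ($user->perms('is_admin')) {
        // NOTE(review): no guard against an admin disabling their own account or
        // moving themselves out of the admin group (a "nosuicide" check).
        $db->x->execParam('UPDATE {users} SET account_enabled = ? WHERE user_id = ?', array(Post::val('account_enabled', 0), Post::val('user_id')));
        // Re-points the membership row from the submitted old global group to the new one.
        $db->x->execParam('UPDATE {users_in_groups} SET group_id = ? WHERE group_id = ? AND user_id = ?', array(Post::val('group_in'), Post::val('old_global_id'), Post::val('user_id')));
    }

    return array(SUBMIT_OK, L('userupdated'));
}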
/**
 * Log the current user out of this session without destroying the session.
 *
 * A fresh session id is issued first (deleting the old one) so the privilege
 * change is never carried on the id the old state was bound to; all session
 * data is then cleared except the locale and dataKey, which are written back.
 * Finally the in-memory user state is reset to "nobody".
 */
public static function destroy() {
    // Entries that survive the reset.
    $retained = array(
        'locale'  => self::$localeId,
        'dataKey' => self::$dataKey,
    );

    // Rotate the id (removing the old session) before wiping its data.
    session_regenerate_id(true);
    session_unset();

    foreach ($retained as $key => $value) {
        $_SESSION[$key] = $value;
    }

    self::$id          = 0;
    self::$displayName = '';
    self::$perms       = 0;
    self::$groups      = U_GROUP_NONE;
}
} else {
    $user = new User(0, $proj);
}
// don't allow anonymous users to access this page at all
if ($user->isAnon()) {
    die(L('nopermission'));
}
load_translations();
// CSRF gate: the token is accepted from POST only.
if (!Post::has('csrftoken')) {
    header(':', true, 428); # 'Precondition Required'
    die('missingtoken');
} elseif (Post::val('csrftoken') == $_SESSION['csrftoken']) {
    # empty
    # NOTE(review): loose (==) comparison; two numeric-looking strings such as
    # "0e123" and "0e456" compare equal. Use === or hash_equals() where available.
} else {
    header(':', true, 412); # 'Precondition Failed'
    die('wrongtoken');
}
// Admin-only: the test mail goes to the requesting admin's own address.
if (!$user->perms('is_admin')) {
    header(':', true, 403); # 'Forbidden'
    die(L('nopermission'));
}
$notify = new Notifications();
$result = $notify->SendEmail($user->infos['email_address'], 'test', 'testcontent', 1);
// Anything but 1 from SendEmail() is reported as 406; 'ok' is echoed either way.
if ($result != 1) {
    header(':', true, 406); # 'not acceptable'
}
echo 'ok';
ob_start();
}
$page = new FSTpl();
if ($show_task = Get::val('show_task')) {
    // If someone used the 'show task' form, redirect them
    // NOTE(review): is_numeric() also accepts forms such as "1e3" or " 12"; and
    // the non-numeric branch appends $show_task to the query string unencoded,
    // so a value containing '&' or '#' changes the target URL — urlencode() it.
    if (is_numeric($show_task)) {
        Flyspray::Redirect(CreateURL('details', $show_task));
    } else {
        Flyspray::Redirect($baseurl . '?string=' . $show_task);
    }
}
if (Flyspray::requestDuplicated()) {
    // Check that this page isn't being submitted twice
    Flyspray::show_error(3);
}
if ($proj->id && $user->perms('manage_project')) {
    // Find out if there are any PM requests wanting attention
    $sql = $db->Query("SELECT COUNT(*) FROM {admin_requests} WHERE project_id = ? AND resolved_by = '0'", array($proj->id));
    list($count) = $db->fetchRow($sql);
    $page->assign('pm_pendingreq_num', $count);
}
// Project list, reduced to the projects the current user may view.
$sql = $db->Query('SELECT project_id, project_title, project_is_active, others_view, upper(project_title) AS sort_names FROM {projects} ORDER BY sort_names');
$fs->projects = array_filter($db->FetchAllArray($sql), array($user, 'can_view_project'));
// Get e-mail addresses of the admins
if ($user->isAnon() && !$fs->prefs['user_notify']) {
    $sql = $db->Query('SELECT email_address FROM {users} u LEFT JOIN {users_in_groups} g ON u.user_id = g.user_id