                         unlink(BASEDIR . '/avatars/' . $avatar_oldname['profile_image']);
                     }
                     $avatar_name = substr(md5(time()), 0, 10) . '.' . $image_extn;
                     $image_path = BASEDIR . '/avatars/' . $avatar_name;
                     move_uploaded_file($image_temp, $image_path);
                     resizeImage($avatar_name, $fs->prefs['max_avatar_size'], $fs->prefs['max_avatar_size']);
                     $db->Query('UPDATE {users} SET profile_image = ? WHERE user_id = ?', array($avatar_name, Post::num('user_id')));
                 } else {
                     Flyspray::show_error(L('incorrectfiletype'));
                     break;
                 }
             }
         }
     }
     // end only admin or user himself can change
     if ($user->perms('is_admin')) {
         if ($user->id == (int) Post::val('user_id')) {
             if (Post::val('account_enabled', 0) <= 0 || Post::val('old_global_id') != 1) {
                 Flyspray::show_error(L('nosuicide'));
                 break;
             }
         } else {
             $db->Query('UPDATE {users} SET account_enabled = ?  WHERE user_id = ?', array(Post::val('account_enabled', 0), Post::val('user_id')));
             $db->Query('UPDATE {users_in_groups} SET group_id = ?
                  WHERE group_id = ? AND user_id = ?', array(Post::val('group_in'), Post::val('old_global_id'), Post::val('user_id')));
         }
     }
 }
 // end non project group changes
 if ($user->perms('manage_project') && !is_null(Post::val('project_group_in')) && Post::val('project_group_in') != Post::val('old_project_id')) {
     $db->Query('DELETE FROM {users_in_groups} WHERE group_id = ? AND user_id = ?', array(Post::val('old_project_id'), Post::val('user_id')));
    header(':', true, 412);
    # 'Precondition Failed'
    die('wrongtoken');
}
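$task = Flyspray::GetTaskDetails(Post::val('task_id'));
if (!$user->can_edit_task($task)) {
    header(':', true, 403);
    # 'Forbidden'
    #Flyspray::show_error(L('nopermission'));
    die(L('nopermission'));
}
# check field for update against allowed dbfields for quickedit.
# The posted field name must match one of these entries exactly.
# maybe FUTURE: add (dynamic read from database) allowed CUSTOM FIELDS checks for the project and user
# (if there is urgent request for implementing custom fields into Flyspray and using of tag-feature isn't enough to accomplish - like numbers/dates/timestamps as custom fields)
$allowedFields = array('due_date', 'item_status', 'percent_complete', 'task_type', 'product_category', 'task_severity', 'task_priority', 'product_version', 'closedby_version');
# effort is only editable when the project tracks it AND the user may track it
if ($proj->prefs['use_effort_tracking'] && $user->perms('track_effort')) {
    $allowedFields[] = 'estimated_effort';
}
# strict comparison: the allowlist must match the posted string by value AND
# type, so type juggling (arrays, numeric-looking strings) can never pass it
if (!in_array(Post::val('name'), $allowedFields, true)) {
    header(':', true, 403);
    die(L('invalidfield'));
}
$value = Post::val('value');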
# check if user is not sending manipulated invalid values
switch (Post::val('name')) {
    case 'due_date':
        $value = Flyspray::strtotime(Post::val('value'));
        $value = intval($value);
        break;
    case 'estimated_effort':
        $value = effort::EditStringToSeconds(Post::val('value'), $proj->prefs['hours_per_manday'], $proj->prefs['estimated_effort_format']);
    Flyspray::show_error(3);
}
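# handle all forms request that modify data
if (Req::has('action')) {
    # enforcing if the form sent the correct anti csrf token
    # only allow token by post
    if (!Post::has('csrftoken')) {
        die('missingtoken');
    }
    $csrftoken = Post::val('csrftoken');
    $sessiontoken = isset($_SESSION['csrftoken']) ? (string) $_SESSION['csrftoken'] : '';
    # hash_equals(): type-strict, constant-time comparison. A loose '==' would
    # treat distinct numeric-looking tokens as equal and would accept an empty
    # posted token whenever no session token exists; both are rejected here.
    if ($sessiontoken !== '' && is_string($csrftoken) && hash_equals($sessiontoken, $csrftoken)) {
        require_once BASEDIR . '/includes/modify.inc.php';
    } else {
        die('wrongtoken');
    }
}
# start collecting infos for the answer page
if ($proj->id && $user->perms('manage_project')) {
    // Find out if there are any PM requests wanting attention
    $sql = $db->Query('SELECT COUNT(*) FROM {admin_requests} WHERE project_id = ? AND resolved_by = 0', array($proj->id));
    list($count) = $db->fetchRow($sql);
    $page->assign('pm_pendingreq_num', $count);
}
if ($user->perms('is_admin')) {
    // global (project_id = 0) requests of type 3 that nobody has resolved yet
    $sql = $db->Query('SELECT COUNT(*) FROM {admin_requests} WHERE request_type = 3 AND project_id = 0 AND resolved_by = 0');
    list($count) = $db->fetchRow($sql);
    $page->assign('admin_pendingreq_num', $count);
}
// project list for the page, sorted case-insensitively by title
$sql = $db->Query('SELECT  project_id, project_title, project_is_active, others_view, default_entry,
                 upper(project_title) AS sort_names
           FROM  {projects}
       ORDER BY  sort_names');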
# old:
    returns it for HTML display in a page.
*/
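define('IN_FS', true);
header('Content-type: text/html; charset=utf-8');
require_once '../../header.php';
require_once '../../includes/events.inc.php';
// this script lives two directories below the application root
$baseurl = dirname(dirname($baseurl)) . '/';
// Initialise user
if (Cookie::has('flyspray_userid') && Cookie::has('flyspray_passhash')) {
    $user = new User(Cookie::val('flyspray_userid'));
    $user->check_account_ok();
} else {
    $user = new User(0, $proj);
}
// Check permissions
if (!$user->perms('view_history')) {
    die;
}
// Load translations
load_translations();
// Optional filter on one history entry. The fragment is appended to the SQL
// string by get_events(), so the value is forced to an integer here instead
// of relying on Get::num() alone.
if ($details = Get::num('details')) {
    $details = ' AND h.history_id = ' . (int) $details;
} else {
    $details = null;
}
$sql = get_events(Get::num('task_id'), $details);
$histories = $db->fetchAllArray($sql);
$page = new FSTpl();
$page->setTheme($proj->prefs['theme_style']);
$page->uses('histories', 'details');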
if ($details) {
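 function action_edituser()
 {
     global $fs, $db, $proj, $user, $do, $conf;
     // Account being edited, compared as an int against the acting user's id
     // so that a posted string can never match through loose type juggling.
     $target_id = (int) Post::val('user_id');
     $is_self = ((int) $user->id === $target_id);
     if (Post::val('delete_user')) {
         // check that he is not the last user
         if ($db->x->GetOne('SELECT count(*) FROM {users}') > 1) {
             Backend::delete_user(Post::val('user_id'));
             return array(SUBMIT_OK, L('userdeleted'), CreateURL(array('admin', 'groups')));
         } else {
             return array(ERROR_RECOVER, L('lastuser'));
         }
     }
     if (!Post::val('real_name') || !Post::val('email_address')) {
         return array(ERROR_RECOVER, L('realandnotify'));
     }
     // An admin must not disable or demote their own account (lockout guard).
     // Checked before any write so a refused request leaves nothing half-applied.
     if ($user->perms('is_admin') && $is_self) {
         if (Post::val('account_enabled', 0) <= 0 || Post::val('old_global_id') != 1) {
             return array(ERROR_RECOVER, L('nosuicide'));
         }
     }
     // Non-admins, and admins editing themselves, must supply the current
     // password before it may be changed.
     if ((!$user->perms('is_admin') || $is_self) && !Post::val('oldpass') && (Post::val('changepass') || Post::val('confirmpass'))) {
         return array(ERROR_RECOVER, L('nooldpass'));
     }
     if (Post::val('changepass') || Post::val('confirmpass')) {
         if (Post::val('changepass') != Post::val('confirmpass')) {
             return array(ERROR_RECOVER, L('passnomatch'));
         }
         if (Post::val('oldpass')) {
             $oldpass = $db->x->getRow('SELECT user_pass, password_salt FROM {users} WHERE user_id = ?', null, Post::val('user_id'));
             $oldsalt = $oldpass['password_salt'] ? $oldpass['password_salt'] : null;
             $stored_hash = isset($oldpass['user_pass']) ? (string) $oldpass['user_pass'] : '';
             // hash_equals(): constant-time comparison of the two hashes. A
             // missing row (empty stored hash) counts as a wrong password.
             if ($stored_hash === '' || !hash_equals($stored_hash, (string) Flyspray::cryptPassword(Post::val('oldpass'), $oldsalt))) {
                 return array(ERROR_RECOVER, L('oldpasswrong'));
             }
         }
         // NOTE(review): the salt comes from mt_rand()/uniqid(), which are not
         // cryptographic sources; random_bytes() would be preferable where the
         // PHP baseline allows it. Kept as-is to preserve the salt format.
         $new_salt = md5(uniqid(mt_rand(), true));
         $new_hash = Flyspray::cryptPassword(Post::val('changepass'), $new_salt);
         $db->x->execParam('UPDATE {users} SET user_pass = ?, password_salt = ? WHERE user_id = ?', array($new_hash, $new_salt, Post::val('user_id')));
         // If the user is changing their password, better update their cookie hash
         if ($is_self) {
             Flyspray::setcookie('flyspray_passhash', hash_hmac('md5', $new_hash, $conf['general']['cookiesalt']), time() + 3600 * 24 * 30);
         }
     }
     // Check for existing email / jabber ID on a different account. Each branch
     // only applies when its posted value is non-empty, so accounts without a
     // jabber ID do not collide with each other. (The former "? != NULL" can
     // never be true in SQL -- any comparison with NULL yields NULL -- which
     // silently disabled this check.)
     $taken = $db->x->GetOne("SELECT COUNT(*)
                                FROM {users}
                               WHERE ((jabber_id = ? AND ? <> '')
                                   OR (email_address = ? AND ? <> ''))
                                 AND user_id != ?", null, array(Post::val('jabber_id'), Post::val('jabber_id'), Post::val('email_address'), Post::val('email_address'), Post::val('user_id')));
     if ($taken) {
         return array(ERROR_RECOVER, L('emailtaken'));
     }
     // A changed jabber ID needs a fresh authorisation request (loose
     // comparison kept on purpose: an absent value and '' are treated alike).
     if (Post::val('old_jabber_id') != Post::val('jabber_id')) {
         Notifications::JabberRequestAuth(Post::val('jabber_id'));
     }
     $previous = $db->x->GetRow('SELECT real_name, user_name FROM {users} WHERE user_id = ?', null, Post::val('user_id'));
     $db->x->execParam('UPDATE  {users}
                      SET  real_name = ?, email_address = ?, notify_own = ?,
                           jabber_id = ?, notify_type = ?, show_contact = ?,
                           dateformat = ?, dateformat_extended = ?, defaultorder = ?,
                           tasks_perpage = ?, time_zone = ?, defaultsortcolumn = ?,
                           notify_blacklist = ?, lang_code = ?, syntax_plugins = ?
                    WHERE  user_id = ?', array(Post::val('real_name'), Post::val('email_address'), Post::num('notify_own', 0), Post::val('jabber_id', 0), Post::num('notify_type'), Post::num('show_contact'), Post::val('dateformat', 0), Post::val('dateformat_extended', 0), Post::val('defaultorder', 'asc'), Post::num('tasks_perpage'), Post::num('time_zone'), implode(' ', Post::val('defaultsortcolumn')), implode(' ', Post::val('notify_blacklist', array())), Post::val('lang_code', ''), implode(' ', (array) Post::val('syntax_plugins')), Post::num('user_id')));
     // the real name is denormalised elsewhere; propagate a change of it
     if ($previous['real_name'] != Post::val('real_name')) {
         Backend::UpdateRedudantUserData($previous['user_name']);
     }
     if ($do == 'myprofile') {
         // reload so the rest of the request sees the stored values
         $user = new User($user->id);
     }
     // Only admins change account status and global group, and only for
     // other accounts; a self-edit was already validated by the guard above
     // and leaves the admin's own status/group untouched.
     if ($user->perms('is_admin') && !$is_self) {
         $db->x->execParam('UPDATE {users} SET account_enabled = ?  WHERE user_id = ?', array(Post::val('account_enabled', 0), Post::val('user_id')));
         $db->x->execParam('UPDATE {users_in_groups} SET group_id = ?
                      WHERE group_id = ? AND user_id = ?', array(Post::val('group_in'), Post::val('old_global_id'), Post::val('user_id')));
     }
     return array(SUBMIT_OK, L('userupdated'));
 }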
 public static function destroy()
 {
     // Rotate the session id first (the old id is deleted), so the still
     // existing session is no longer reachable under its previous identifier.
     session_regenerate_id(true);
     // Clear every session variable, then restore the two values that are
     // meant to survive the reset: the data key and the locale.
     session_unset();
     $_SESSION['dataKey'] = self::$dataKey;
     $_SESSION['locale'] = self::$localeId;
     // Reset the static identity to "nobody": no groups, no perms, no name.
     self::$groups = U_GROUP_NONE;
     self::$perms = 0;
     self::$displayName = '';
     self::$id = 0;
 }
} else {
    $user = new User(0, $proj);
}
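// don't allow anonymous users to access this page at all
if ($user->isAnon()) {
    die(L('nopermission'));
}
load_translations();
// Anti-CSRF check: the token must be posted and must equal the session token.
// hash_equals() is type-strict and constant-time; a loose '==' would accept
// numerically "equal" tokens and an empty token when no session token exists.
$csrftoken = Post::val('csrftoken');
$sessiontoken = isset($_SESSION['csrftoken']) ? (string) $_SESSION['csrftoken'] : '';
if (!Post::has('csrftoken')) {
    header(':', true, 428);
    # 'Precondition Required'
    die('missingtoken');
} elseif ($sessiontoken === '' || !is_string($csrftoken) || !hash_equals($sessiontoken, $csrftoken)) {
    header(':', true, 412);
    # 'Precondition Failed'
    die('wrongtoken');
}
if (!$user->perms('is_admin')) {
    header(':', true, 403);
    # 'Forbidden'
    die(L('nopermission'));
}
// send a test mail to the acting admin's own address
$notify = new Notifications();
$result = $notify->SendEmail($user->infos['email_address'], 'test', 'testcontent', 1);
if ($result != 1) {
    header(':', true, 406);
    # 'not acceptable'
}
echo 'ok';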
    ob_start();
}
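$page = new FSTpl();
if ($show_task = Get::val('show_task')) {
    // If someone used the 'show task' form, redirect them
    if (is_numeric($show_task)) {
        Flyspray::Redirect(CreateURL('details', $show_task));
    } else {
        // free-text search: URL-encode it so '&', '#', spaces etc. survive
        // the round trip through the query string intact
        Flyspray::Redirect($baseurl . '?string=' . urlencode((string) $show_task));
    }
}
if (Flyspray::requestDuplicated()) {
    // Check that this page isn't being submitted twice
    Flyspray::show_error(3);
}
if ($proj->id && $user->perms('manage_project')) {
    // Find out if there are any PM requests wanting attention
    $sql = $db->Query("SELECT COUNT(*) FROM {admin_requests} WHERE project_id = ? AND resolved_by = '0'", array($proj->id));
    list($count) = $db->fetchRow($sql);
    $page->assign('pm_pendingreq_num', $count);
}
// all projects, sorted case-insensitively by title, then reduced to the
// ones the current user may view
$sql = $db->Query('SELECT  project_id, project_title, project_is_active, others_view,
                 upper(project_title) AS sort_names
           FROM  {projects}
       ORDER BY  sort_names');
$fs->projects = array_filter($db->FetchAllArray($sql), array($user, 'can_view_project'));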
// Get e-mail addresses of the admins
if ($user->isAnon() && !$fs->prefs['user_notify']) {
    $sql = $db->Query('SELECT email_address
                         FROM {users} u
                    LEFT JOIN {users_in_groups} g ON u.user_id = g.user_id