function create_collection($userid, $name, $allowchanges = 0, $cant_delete = 0) { global $username, $anonymous_login, $rs_session, $anonymous_user_session_collection; if ($username == $anonymous_login && $anonymous_user_session_collection) { // We need to set a collection session_id for the anonymous user. Get session ID to create collection with this set $rs_session = get_rs_session_id(true); } else { $rs_session = ""; } # Creates a new collection and returns the reference sql_query("insert into collection (name,user,created,allow_changes,cant_delete,session_id) values ('" . escape_check($name) . "','{$userid}',now(),'{$allowchanges}','{$cant_delete}'," . ($rs_session == "" ? "NULL" : "'" . $rs_session . "'") . ")"); $ref = sql_insert_id(); index_collection($ref); return $ref; }
function auto_create_user_account() { # Automatically creates a user account (which requires approval unless $auto_approve_accounts is true). global $applicationname, $user_email, $baseurl, $email_notify, $lang, $user_account_auto_creation_usergroup, $registration_group_select, $auto_approve_accounts, $auto_approve_domains, $customContents; # Work out which user group to set. Allow a hook to change this, if necessary. $altgroup = hook("auto_approve_account_switch_group"); if ($altgroup !== false) { $usergroup = $altgroup; } else { $usergroup = $user_account_auto_creation_usergroup; } if ($registration_group_select) { $usergroup = getvalescaped("usergroup", "", true); # Check this is a valid selectable usergroup (should always be valid unless this is a hack attempt) if (sql_value("select allow_registration_selection value from usergroup where ref='{$usergroup}'", 0) != 1) { exit("Invalid user group selection"); } } $newusername = escape_check(make_username(getval("name", ""))); #check if account already exists $check = sql_value("select email value from user where email = '{$user_email}'", ""); if ($check != "") { return $lang["useremailalreadyexists"]; } # Prepare to create the user. $email = trim(getvalescaped("email", "")); $password = make_password(); # Work out if we should automatically approve this account based on $auto_approve_accounts or $auto_approve_domains $approve = false; # Block immediate reset $bypassemail = false; if ($auto_approve_accounts == true) { $approve = true; $bypassemail = true; // We can send user direct to password reset page } elseif (count($auto_approve_domains) > 0) { # Check e-mail domain. foreach ($auto_approve_domains as $domain => $set_usergroup) { // If a group is not specified the variables don't get set correctly so we need to correct this if (is_numeric($domain)) { $domain = $set_usergroup; $set_usergroup = ""; } if (substr(strtolower($email), strlen($email) - strlen($domain) - 1) == "@" . strtolower($domain)) { # E-mail domain match. $approve = true; # If user group is supplied, set this if (is_numeric($set_usergroup)) { $usergroup = $set_usergroup; } } } } # Create the user sql_query("insert into user (username,password,fullname,email,usergroup,comments,approved) values ('" . $newusername . "','" . $password . "','" . getvalescaped("name", "") . "','" . $email . "','" . $usergroup . "','" . escape_check($customContents) . "'," . ($approve ? 1 : 0) . ")"); $new = sql_insert_id(); hook("afteruserautocreated", "all", array("new" => $new)); if ($approve) { # Auto approving global $anonymous_login; if (isset($anonymous_login)) { global $rs_session; $rs_session = get_rs_session_id(); if ($rs_session == false) { break; } # Copy any anonymous session collections to the new user account if (!function_exists("get_session_collections")) { include_once dirname(__FILE__) . "/../include/collections_functions.php"; } global $username, $userref; $username = $anonymous_login; $userref = sql_value("SELECT ref value FROM user where username='******'", ""); $sessioncollections = get_session_collections($rs_session, $userref, false); if (count($sessioncollections) > 0) { foreach ($sessioncollections as $sessioncollection) { update_collection_user($sessioncollection, $new); } sql_query("UPDATE user SET current_collection='{$sessioncollection}' WHERE ref='{$new}'"); } } if ($bypassemail) { // No requirement to check anything else e.g. a valid email domain. We can take user direct to the password reset page to set the new account $password_reset_url_key = create_password_reset_key($newusername); redirect($baseurl . "?rp=" . $new . $password_reset_url_key); exit; } else { email_reset_link($email, true); redirect($baseurl . "/pages/done.php?text=user_request"); exit; } } else { # Not auto approving. # Build a message to send to an admin notifying of unapproved user (same as email_user_request(), # but also adds the new user name to the mail) $message = $lang["userrequestnotification1"] . "\n\n" . $lang["name"] . ": " . getval("name", "") . "\n\n" . $lang["email"] . ": " . getval("email", "") . "\n\n" . $lang["comment"] . ": " . getval("userrequestcomment", "") . "\n\n" . $lang["ipaddress"] . ": '" . $_SERVER["REMOTE_ADDR"] . "'\n\n" . $customContents . "\n\n" . $lang["userrequestnotification3"] . "\n{$baseurl}?u=" . $new; send_mail($email_notify, $applicationname . ": " . $lang["requestuserlogin"] . " - " . getval("name", ""), $message, "", $user_email, "", "", getval("name", "")); } return true; }
$username = ""; if (array_key_exists("user", $_GET)) { $session_hash = escape_check($_GET["user"]); } elseif (array_key_exists("user", $_COOKIE)) { $session_hash = escape_check($_COOKIE["user"]); } elseif (isset($anonymous_login)) { if (is_array($anonymous_login)) { foreach ($anonymous_login as $key => $val) { if ($baseurl == $key) { $anonymous_login = $val; } } } $username = $anonymous_login; $session_hash = ""; $rs_session = get_rs_session_id(true); } } if (!$api) { $user_select_sql = "and u.session='{$session_hash}'"; } else { $user_select_sql = "and u.username='******'"; } if (isset($anonymous_login) && $username == $anonymous_login) { $user_select_sql = "and u.username='******'"; } # Automatic anonymous login, do not require session hash. hook('provideusercredentials'); $userdata = sql_query("select u.ref, u.username, g.permissions, g.fixed_theme, g.parent, u.usergroup, u.current_collection, u.last_active, timestampdiff(second,u.last_active,now()) idle_seconds,u.email, u.password, u.fullname, g.search_filter, g.edit_filter, g.ip_restrict ip_restrict_group, g.name groupname, u.ip_restrict ip_restrict_user, resource_defaults, u.password_last_change,g.config_options,g.request_mode, g.derestrict_filter, u.hidden_collections from user u,usergroup g where u.usergroup=g.ref {$user_select_sql} and u.approved=1 and (u.account_expires is null or u.account_expires='0000-00-00 00:00:00' or u.account_expires>now())"); //print_r($userdata); if (count($userdata) > 0) {