Ejemplo n.º 1
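 /**
  * Create or update a user/contact record from a submitted form array.
  *
  * Runs the permission checks (users vs. contacts, create vs. edit), applies any
  * password change carried in $data, writes the row via update_insert(), then
  * updates the primary-contact flag on the linked customer/vendor, linked user
  * accounts, address blocks, extras, roles/permissions and company membership.
  * Note that several of the later steps read $_REQUEST / $_POST directly rather
  * than $data.
  *
  * @param int|bool $user_id     existing user_id to update, or 0/false to insert
  * @param array    $data        column => value pairs for the `user` table plus
  *                              form-only keys (password_new*, password_old,
  *                              customer_primary, link_*, unlink, ...)
  * @param bool     $from_public true when called from a public form: forces an
  *                              insert and skips every admin-only step below
  * @return mixed the user_id as returned by update_insert(), or false when a
  *               permission check fails before the row is written
  */
 public function save_user($user_id, $data, $from_public = false)
 {
     // 'customer_id' or 'vendor_id': when $data carries that key the record is a
     // contact and contact permissions apply instead of user permissions.
     $use_master_key = $this->get_contact_master_key();
     if ($from_public) {
         // public submissions can only ever create a new record
         $user_id = 0;
     } else {
         if ($use_master_key && isset($data[$use_master_key]) && $data[$use_master_key]) {
             if (!module_user::can_i('edit', 'Contacts', 'Customer')) {
                 set_error('Unable to edit contacts.');
                 return false;
             }
         } else {
             if (!self::can_i('edit', 'Users', 'Config')) {
                 set_error('Unable to edit users.');
                 return false;
             }
         }
         $user_id = (int) $user_id;
     }
     $temp_user = array();
     if ($user_id > 0) {
         // check permissions: the existing record must be readable by the caller,
         // otherwise the request is treated as a create (and create perms apply).
         $temp_user = $this->get_user($user_id, true, false);
         if (!$temp_user || $temp_user['user_id'] != $user_id || isset($temp_user['_perms'])) {
             $user_id = false;
         }
     }
     if (!$user_id && !$from_public) {
         if ($use_master_key && isset($data[$use_master_key]) && $data[$use_master_key]) {
             if (!module_user::can_i('create', 'Contacts', 'Customer')) {
                 set_error('Unable to create new contacts.');
                 return false;
             }
         } else {
             if (!self::can_i('create', 'Users', 'Config')) {
                 set_error('Unable to create new users.');
                 return false;
             }
         }
     } else {
         if ($user_id == 1 && module_security::get_loggedin_id() != 1) {
             // NOTE(review): this only records the error; the save still goes ahead,
             // unlike the other permission failures above which return false.
             // Confirm no installer/cron path saves user 1 while logged out before
             // adding a return here.
             set_error('Sorry only the administrator can modify this account');
         }
     }
     // check the customer id is valid assignment to someone who has these perms.
     if (!$from_public) {
         if (isset($data['customer_id']) && (int) $data['customer_id'] > 0) {
             $temp_customer = module_customer::get_customer($data['customer_id']);
             if (!$temp_customer || $temp_customer['customer_id'] != $data['customer_id']) {
                 unset($data['customer_id']);
             }
         }
         if (isset($data['vendor_id']) && (int) $data['vendor_id'] > 0) {
             $temp_vendor = module_vendor::get_vendor($data['vendor_id']);
             if (!$temp_vendor || $temp_vendor['vendor_id'] != $data['vendor_id']) {
                 unset($data['vendor_id']);
             }
         }
     }
     // a raw 'password' column is never accepted from the caller; it is only set
     // below once one of the password_new* paths has been authorised.
     if (isset($data['password'])) {
         unset($data['password']);
     }
     // we do the password hash thing here.
     if (isset($data['password_new']) && strlen($data['password_new'])) {
         // an admin is trying to set the password for this account.
         // same permissions checks as on the user_admin_edit_login.php page:
         // allowed when creating a new record, when the account has no password
         // yet, when the caller may create passwords, or when a valid reset key
         // was supplied. The reset key is compared with hash_equals() rather than
         // a loose == so that type juggling or timing cannot stand in for the key.
         if (!$user_id
             || (isset($temp_user['password']) && !$temp_user['password'])
             || module_user::can_i('create', 'Users Passwords', 'Config')
             || (isset($_REQUEST['reset_password']) && is_string($_REQUEST['reset_password']) && hash_equals((string) module_security::get_auto_login_string($user_id), $_REQUEST['reset_password']))
         ) {
             // we allow the admin to set a new password without typing in previous password.
             $data['password'] = $data['password_new'];
         } else {
             set_error('Sorry, no permissions to set a new password.');
         }
     } else {
         if ($user_id && isset($data['password_new1']) && isset($data['password_new2']) && strlen($data['password_new1'])) {
             // the user is trying to change their password.
             // only do this if the user has edit password permissions and their password matches.
             if (module_user::can_i('edit', 'Users Passwords', 'Config') || $user_id == module_security::get_loggedin_id()) {
                 // the stored value is normally an md5 hash; a stored value equal to the
                 // submitted text is also accepted (presumably legacy plain-text rows).
                 // Both comparisons are strict and constant-time instead of a loose ==.
                 // NOTE(review): the second comparison also lets the stored hash itself
                 // pass as the old password; drop it once no plain-text rows remain.
                 if (isset($data['password_old'])
                     && is_string($data['password_old'])
                     && (hash_equals((string) $temp_user['password'], md5($data['password_old'])) || hash_equals((string) $temp_user['password'], $data['password_old']))
                 ) {
                     // correct old password
                     // verify new password.
                     if ($data['password_new1'] == $data['password_new2']) {
                         $data['password'] = $data['password_new1'];
                     } else {
                         set_error('Verified password mismatch. Password unchanged.');
                     }
                 } else {
                     set_error('Old password does not match. Password unchanged.');
                 }
             } else {
                 set_error('No permissions to change passwords');
             }
         }
     }
     // and we finally hash our password
     if (isset($data['password']) && strlen($data['password']) > 0) {
         $data['password'] = md5($data['password']);
         // if you change md5 also change it in customer import.
         // todo - salt? meh.
         // NOTE(review): unsalted md5 is not a password hash. Moving to
         // password_hash()/password_verify() needs a matching change wherever the
         // stored value is verified, plus the customer import mentioned above.
     }
     $user_id = update_insert("user_id", $user_id, "user", $data);
     $use_master_key = $this->get_contact_master_key();
     // this will be customer_id or supplier_id
     if ($use_master_key && (isset($data[$use_master_key]) && $data[$use_master_key])) {
         if ($user_id) {
             if (isset($data['customer_primary']) && $data['customer_primary']) {
                 // update the customer/supplier to mark them as primary or not..
                 switch ($use_master_key) {
                     case 'customer_id':
                         module_customer::set_primary_user_id($data['customer_id'], $user_id);
                         break;
                     case 'vendor_id':
                         module_vendor::set_primary_user_id($data['vendor_id'], $user_id);
                         break;
                 }
             } else {
                 // check if this contact was the old customer/supplier primary and clear it if so
                 switch ($use_master_key) {
                     case 'customer_id':
                         $customer_data = module_customer::get_customer($data['customer_id']);
                         if ($customer_data['primary_user_id'] == $user_id) {
                             module_customer::set_primary_user_id($data['customer_id'], 0);
                         }
                         break;
                     case 'vendor_id':
                         $vendor_data = module_vendor::get_vendor($data['vendor_id']);
                         if ($vendor_data['primary_user_id'] == $user_id) {
                             module_vendor::set_primary_user_id($data['vendor_id'], 0);
                         }
                         break;
                 }
             }
         }
     }
     if (!$from_public) {
         // hack for linked user accounts.
         if ($user_id && isset($data['link_customers']) && $data['link_customers'] == 'yes' && isset($data['link_user_ids']) && is_array($data['link_user_ids']) && isset($data['email']) && $data['email']) {
             // only contacts sharing this record's email address may be linked;
             // any submitted id outside that set is silently ignored.
             $others = module_user::get_contacts(array('email' => $data['email']));
             foreach ($data['link_user_ids'] as $link_user_id) {
                 if (!(int) $link_user_id) {
                     continue;
                 }
                 if ($link_user_id == $user_id) {
                     continue;
                 }
                 // shouldnt happen
                 foreach ($others as $other) {
                     if ($other['user_id'] == $link_user_id) {
                         // success! they're not trying to hack us.
                         // all interpolated values are int-cast before reaching the SQL.
                         $sql = "REPLACE INTO `" . _DB_PREFIX . "user_customer_rel` SET user_id = '" . (int) $link_user_id . "', customer_id = '" . (int) $other['customer_id'] . "', `primary` = " . (int) $user_id;
                         query($sql);
                         update_insert('user_id', $link_user_id, 'user', array('linked_parent_user_id' => $user_id));
                     }
                 }
             }
             update_insert('user_id', $user_id, 'user', array('linked_parent_user_id' => $user_id));
         }
         if ($user_id && isset($data['unlink']) && $data['unlink'] == 'yes') {
             $sql = "DELETE FROM `" . _DB_PREFIX . "user_customer_rel` WHERE user_id = '" . (int) $user_id . "'";
             query($sql);
             update_insert('user_id', $user_id, 'user', array('linked_parent_user_id' => 0));
         }
         handle_hook("address_block_save", $this, "physical", "user", "user_id", $user_id);
         handle_hook("address_block_save", $this, "postal", "user", "user_id", $user_id);
         if (class_exists('module_extra', false) && module_extra::is_plugin_enabled()) {
             module_extra::save_extras('user', 'user_id', $user_id);
         }
         // find current role / permissions
         $user_data = $this->get_user($user_id);
         $previous_user_roles = $user_data['roles'];
         $re_save_role_perms = false;
         // hack to support only 1 role (we may support multi-role in the future)
         // TODO: check we have permissions to set this role id, otherwise anyone can set their own role.
         // NOTE(review): role_id / role / permission below come from $_REQUEST, not
         // $data, and are applied with no can_i() check beyond the edit-user check
         // at the top of this method.
         if (isset($_REQUEST['role_id'])) {
             $sql = "DELETE FROM `" . _DB_PREFIX . "user_role` WHERE user_id = '" . (int) $user_id . "'";
             query($sql);
             if ((int) $_REQUEST['role_id'] > 0) {
                 if (!isset($previous_user_roles[$_REQUEST['role_id']])) {
                     $re_save_role_perms = (int) $_REQUEST['role_id'];
                 }
                 $_REQUEST['role'] = array($_REQUEST['role_id'] => 1);
             }
         }
         // save users roles (support for multi roles in future - but probably will never happen)
         if (isset($_REQUEST['role']) && is_array($_REQUEST['role'])) {
             foreach ($_REQUEST['role'] as $role_id => $tf) {
                 $this->add_user_to_role($user_id, $role_id);
             }
         }
         if ($re_save_role_perms) {
             // a newly assigned role replaces any per-user permissions
             $sql = "DELETE FROM `" . _DB_PREFIX . "user_perm` WHERE user_id = " . (int) $user_id;
             query($sql);
             // update - we are not relying on these permissions any more.
             // if the user has a role assigned, we use those permissions period
             // we ignore all permissions in the user_perm table if the user has a role.
             // if the user doesn't have a role, then we use these user_perm permissions.
         } else {
             if (isset($_REQUEST['permission']) && is_array($_REQUEST['permission'])) {
                 $sql = "DELETE FROM `" . _DB_PREFIX . "user_perm` WHERE user_id = '" . (int) $user_id . "'";
                 query($sql);
                 // update permissions for this user.
                 foreach ($_REQUEST['permission'] as $security_permission_id => $permissions) {
                     // only names from the fixed $available_permissions list become
                     // column names; the request only decides which are switched on.
                     $actions = array();
                     foreach (module_security::$available_permissions as $permission) {
                         if (isset($permissions[$permission]) && $permissions[$permission]) {
                             $actions[$permission] = 1;
                         }
                     }
                     $sql = "REPLACE INTO `" . _DB_PREFIX . "user_perm` SET user_id = '" . (int) $user_id . "', security_permission_id = '" . (int) $security_permission_id . "' ";
                     foreach ($actions as $permission => $tf) {
                         $sql .= ", `" . mysql_real_escape_string($permission) . "` = 1";
                     }
                     query($sql);
                 }
             }
         }
         // save the company information if it's available
         if (class_exists('module_company', false) && module_company::can_i('edit', 'Company') && module_company::is_enabled() && module_user::can_i('edit', 'User')) {
             if (isset($_REQUEST['available_user_company']) && is_array($_REQUEST['available_user_company'])) {
                 $selected_companies = isset($_POST['user_company']) && is_array($_POST['user_company']) ? $_POST['user_company'] : array();
                 foreach ($_REQUEST['available_user_company'] as $company_id => $tf) {
                     if (!isset($selected_companies[$company_id]) || !$selected_companies[$company_id]) {
                         // remove user from this company
                         module_company::delete_user($company_id, $user_id);
                     } else {
                         // add user to this company (if they are not already existing)
                         module_company::add_user_to_company($company_id, $user_id);
                     }
                 }
             }
         }
     }
     module_cache::clear('user');
     return $user_id;
 }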
Ejemplo n.º 2
        $fieldset_data['elements']['role'] = array('title' => _l('User Role'), 'fields' => array(array('type' => 'select', 'name' => 'role_id', 'value' => isset($current_role['security_role_id']) ? $current_role['security_role_id'] : false, 'options' => $roles_attributes)));
        if (module_security::can_i('view', 'Security Roles', 'Security')) {
            $fieldset_data['elements']['role']['fields'][] = ' <a href="' . module_security::link_open_role($current_role['security_role_id']) . '">edit</a> ';
        }
        $fieldset_data['elements']['role']['fields'][] = _hr('You can setup a list of permissions to re-use over and over again under Settings > Roles. This will control what parts of the application this user can access (if any). ');
    }
}
$fieldset_data['elements']['username'] = array('title' => _l('Username'), 'fields' => array(_l('(same as email address)')));
?>
<!-- fake fields are a workaround for chrome autofill getting the wrong fields -->
<input style="display:none" type="text" name="fakeusernameremembered"/>
<input style="display:none" type="password" name="fakepasswordremembered"/>
<?php 
if ($user_id == module_security::get_loggedin_id() || module_user::can_i('edit', 'Users Passwords', 'Config')) {
    // do we allow this user to create a password ? or do they have to enter their old password first to change it.
    if (!$user['password'] || module_user::can_i('create', 'Users Passwords', 'Config') || isset($_REQUEST['reset_password']) && $_REQUEST['reset_password'] == module_security::get_auto_login_string($user['user_id'])) {
        $fieldset_data['elements']['password'] = array('title' => _l('Set Password'), 'fields' => array(array('type' => 'password', 'name' => 'password_new', 'autocomplete' => 'off', 'value' => '', 'class' => 'no_permissions', 'help' => 'Giving this user a password and login permissions will let them gain access to this system. Depending on the permissions you give them will decide what parts of the system they can access.')));
    } else {
        ob_start();
        ?>
        <table width="100%">
            <tr>
                <td><?php 
        _e('Old Password');
        ?>
</td>
                <td>
                    <input type="password" name="password_old" value="" />
                    <?php 
        _h('Please enter your old password in order to set a new password.');
        ?>
Ejemplo n.º 3
<?php

/** 
 * Copyright: dtbaker 2012
 * Licence: Please check CodeCanyon.net for licence details. 
 * More licence clarification available here:  http://codecanyon.net/wiki/support/legal-terms/licensing-terms/ 
 * Deploy: 9809 f200f46c2a19bb98d112f2d32a8de0c4
 * Envato: 4ffca17e-861e-4921-86c3-8931978c40ca
 * Package Date: 2015-11-25 02:55:20 
 * IP Address: 67.79.165.254
 */
// One-off bootstrap for a fresh install: nobody is logged in, cron has never
// run and setup is not flagged complete, so sign the administrator account
// (user 1) in via its auto-login key. The flag is persisted before the attempt,
// so presumably a failed attempt is not retried on the next request.
if (_UCM_INSTALLED) {
    if (!module_security::is_logged_in()) {
        if (!module_config::c('cron_last_run', 0) && !module_config::c('initial_setup_complete', 0)) {
            module_config::save_config('initial_setup_complete', 1);
            $_REQUEST['auto_login'] = module_security::get_auto_login_string(1);
            if (!module_security::auto_login(false)) {
                echo 'Failed to login automatically...';
            }
        }
    }
}
// Everything past this point needs an authenticated session.
if (_UCM_INSTALLED) {
    if (!module_security::is_logged_in()) {
        ob_end_clean();
        echo 'Something went wrong. Please login and go to Settings > Upgrade. <a href="' . _BASE_HREF . '">Click here to login</a>.';
        exit;
    }
}
print_heading('Step #3: Initial system update');
if (isset($_REQUEST['run_upgrade']) || isset($_REQUEST['install_upgrade']) && isset($_REQUEST['save_license_codes']) && isset($_REQUEST['license_codes']) && trim($_REQUEST['license_codes'][0])) {
    $setup_upgrade_hack = true;
    include 'includes/plugin_config/pages/config_upgrade.php';
} else {
    ?>

    <p>
Ejemplo n.º 4
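 /**
  * Sends the email we created above, starting with the new_email() method.
  *
  * Checks the sending quota, fills in default from/to addresses, expands the
  * {KEY} replacement tokens, keeps only attachments from allowed folders,
  * optionally skips a duplicate of an email stored in the last two hours,
  * writes the row to the `email` table and hands it to _send_queued_email().
  *
  * @param bool $debug echo progress / diagnostic text while sending
  * @return bool true when $this->status ends up as _MAIL_STATUS_SENT; false when
  *              over quota (status and error_text are set) or when a duplicate
  *              was found
  */
 public function send($debug = false)
 {
     if (_DEBUG_MODE) {
         module_debug::log(array('title' => 'Email Module', 'data' => 'Starting to send email'));
     }
     // we have to check our mail quota:
     if (!$this->is_email_limit_ok()) {
         if ($debug) {
             echo 'Email over quota, please wait a while and try again.';
         }
         $this->status = _MAIL_STATUS_OVER_QUOTA;
         $this->error_text = _l('Email over quota, please wait a while and try again.');
         return false;
     }
     // we have to add this email to the "email" table ready to be sent out.
     // once the email is queued for sending it will be processed (only if we are within our email quota)
     // if we are not in our email quota then the email will either be queued for sending or an error will be returned.
     // todo: queue for sending later
     // NOTE: at the moment we just return an error and do not queue the email for later sending.
     // emails are removed from the 'email' table if we are over quota for now.
     // preprocessing: fall back to the admin address when no sender / recipient was set
     if (!$this->from) {
         $this->set_from_manual(module_config::c('admin_email_address'), module_config::c('admin_system_name'));
     }
     if (!$this->to) {
         $this->set_to_manual(module_config::c('admin_email_address'), module_config::c('admin_system_name'));
     }
     // process the message replacements etc..
     // each replace() call overwrites the previous value, so with several
     // recipients only the last one's name / email / key ends up in the tokens.
     foreach ($this->to as $to) {
         $this->replace('TO_NAME', $to['name']);
         $this->replace('TO_EMAIL', $to['email']);
         if (isset($to['type']) && $to['type'] == 'user' && isset($to['id']) && $to['id'] > 1) {
             // auto-login key for the recipient; never generated for user 1
             $this->replace('AUTO_LOGIN_KEY', module_security::get_auto_login_string($to['id']));
         }
     }
     $this->replace('FROM_NAME', $this->from['name']);
     $this->replace('FROM_EMAIL', $this->from['email']);
     // hack - we do this loop twice because some replace keys may have replace keys in them.
     for ($x = 0; $x < 2; $x++) {
         foreach ($this->replace_values as $key => $val) {
             if (is_array($val)) {
                 continue;
             }
             $key = '{' . strtoupper($key) . '}';
             // reply to name
             foreach ($this->to as &$to) {
                 if ($to['name']) {
                     $to['name'] = str_replace($key, $val, $to['name']);
                 }
             }
             // drop the reference left behind by the by-ref foreach, otherwise $to
             // keeps aliasing the last recipient for the rest of the method.
             unset($to);
             // replace subject
             $this->subject = str_replace($key, $val, $this->subject);
             // replace message html
             $this->message_html = str_replace($key, $val, $this->message_html);
             // replace message text.html
             $this->message_text = str_replace($key, $val, $this->message_text);
         }
     }
     // get all the data together in an array that will be saved to the email table
     $header_data = array();
     if ($this->reply_to) {
         $header_data['ReplyToEmail'] = $this->reply_to[0];
         $header_data['ReplyToName'] = $this->reply_to[1];
         $header_data['Sender'] = isset($this->bounce_address) ? $this->bounce_address : $this->reply_to[0];
     } else {
         $header_data['Sender'] = isset($this->bounce_address) ? $this->bounce_address : false;
     }
     $header_data['FromEmail'] = isset($this->from['email']) ? $this->from['email'] : '';
     $header_data['FromName'] = isset($this->from['name']) ? $this->from['name'] : '';
     $header_data['to'] = $this->to;
     $header_data['cc'] = $this->cc;
     $header_data['bcc'] = $this->bcc;
     $email_data = array('create_time' => time(), 'status' => _MAIL_STATUS_PENDING, 'customer_id' => isset($this->customer_id) ? $this->customer_id : 0, 'file_id' => isset($this->file_id) ? $this->file_id : 0, 'company_id' => isset($this->company_id) ? $this->company_id : 0, 'newsletter_id' => isset($this->newsletter_id) ? $this->newsletter_id : 0, 'send_id' => isset($this->send_id) ? $this->send_id : 0, 'debug' => isset($this->debug_message) ? $this->debug_message : '', 'message_id' => $this->message_id, 'subject' => $this->subject, 'headers' => $header_data, 'custom_data' => json_encode($this->custom_data), 'html_content' => $this->message_html, 'text_content' => $this->message_text, 'attachments' => array());
     // copy any remaining email-table column straight from the matching property
     foreach ($this->email_fields as $fieldname => $fd) {
         if ($fieldname != 'email_id' && property_exists($this, $fieldname) && !isset($email_data[$fieldname])) {
             $email_data[$fieldname] = $this->{"{$fieldname}"};
         }
     }
     if ($this->attachments) {
         foreach ($this->attachments as $file) {
             if (is_array($file)) {
                 $file_path = $file['path'];
                 $file_name = $file['name'];
             } else {
                 $file_path = $file;
                 $file_name = '';
             }
             if (is_file($file_path)) {
                 // todo - sanitise this.
                 // ticket.php : $file_path = 'includes/plugin_ticket/attachments/'.$attachment['ticket_message_attachment_id'];
                 // pdfs : temp/Invoice_asdf.pdf temp/Quote_asdf.pdf etc..
                 // newsletters : includes/plugin_file/upload/
                 // custom data : includes/plugin_data/upload/
                 // realpath() resolves any ../ first so the prefix checks see the real location.
                 $path = realpath($file_path);
                 // only allow sending from certain folders (or a file uploaded in this request).
                 // NOTE(review): stripos() is case-insensitive; strpos() is the tighter
                 // prefix check on a case-sensitive filesystem.
                 if (strlen($path) && (stripos($path, _UCM_FOLDER) === 0 || is_uploaded_file($path))) {
                     if (stripos($path, _UCM_FOLDER . 'includes/plugin_ticket/attachments/') === 0 || stripos($path, _UCM_FOLDER . 'temp/') === 0 || stripos($path, _UCM_FOLDER . 'includes/plugin_file/upload/') === 0 || stripos($path, _UCM_FOLDER . 'includes/plugin_data/upload/') === 0 || is_uploaded_file($path)) {
                         $email_data['attachments'][$path] = $file_name;
                     }
                 }
             }
         }
     }
     if ($this->prevent_duplicates) {
         if ($debug) {
             echo "checking for duplicate emails within 2 hours...";
         }
         // subject is escaped with mysql_real_escape_string(); the id filters are int-cast.
         $sql = "SELECT * FROM `" . _DB_PREFIX . "email` WHERE `create_time` >= " . (int) (time() - 7200) . " AND `subject` = '" . mysql_real_escape_string($email_data['subject']) . "'  ";
         $found_field = false;
         foreach (array('invoice_id', 'job_id', 'website_id', 'quote_id') as $prevent_default_check) {
             if (property_exists($this, $prevent_default_check) && isset($email_data[$prevent_default_check]) && (int) $email_data[$prevent_default_check] > 0) {
                 $sql .= " AND `" . $prevent_default_check . "` = " . (int) $email_data[$prevent_default_check];
                 $found_field = true;
             }
         }
         if ($found_field) {
             $previous = qa($sql);
             if (count($previous)) {
                 // check content matches. strict compare: a loose == on two hex
                 // digests is subject to numeric-string juggling.
                 $found_previous = false;
                 $this_digest = md5($this->message_html);
                 foreach ($previous as $prev) {
                     if ($this_digest === md5($prev['html_content'])) {
                         $found_previous = true;
                         break;
                     }
                 }
                 if ($found_previous) {
                     if ($debug) {
                         echo " - found previous email (id: ";
                         foreach ($previous as $p) {
                             echo $p['email_id'] . ":" . $p['subject'] . ' ';
                         }
                         echo ")! NOT sending this email!! ";
                     }
                     return false;
                 }
             }
             if ($debug) {
                 echo " - no previous emails found, sending... ";
             }
         }
     }
     $email_id = update_insert('email_id', false, 'email', $email_data);
     $this->_send_queued_email($email_id, $debug);
     $this->email_id = $email_id;
     return $this->status == _MAIL_STATUS_SENT;
 }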