/** * Delete a user account * * @param int $uid id of the user to delete * @return boolean true = user deleted, false = an error occured * */ function USER_deleteAccount($uid) { global $_CONF, $_TABLES, $_USER; // first some checks ... if ($uid == $_USER['uid'] && $_CONF['allow_account_delete'] == 1 || SEC_hasRights('user.delete')) { if (SEC_inGroup('Root', $uid)) { if (!SEC_inGroup('Root')) { // can't delete a Root user without being in the Root group COM_accessLog("User {$_USER['uid']} just tried to delete Root user {$uid} with insufficient privileges."); return false; } else { $rootgrp = DB_getItem($_TABLES['groups'], 'grp_id', "grp_name = 'Root'"); $result = DB_query("SELECT COUNT(DISTINCT {$_TABLES['users']}.uid) AS count FROM {$_TABLES['users']},{$_TABLES['group_assignments']} WHERE {$_TABLES['users']}.uid > 1 AND {$_TABLES['users']}.uid = {$_TABLES['group_assignments']}.ug_uid AND ({$_TABLES['group_assignments']}.ug_main_grp_id = {$rootgrp})"); $A = DB_fetchArray($result); if ($A['count'] <= 1) { // make sure there's at least 1 Root user left COM_errorLog("You can't delete the last user from the Root group.", 1); return false; } } } } else { // you can only delete your own account (if enabled) or you need // proper permissions to do so (user.delete) COM_accessLog("User {$_USER['uid']} just tried to delete user {$uid} with insufficient privileges."); return false; } // log the user out SESS_endUserSession($uid); // Ok, now delete everything related to this user // let plugins update their data for this user PLG_deleteUser($uid); // Call custom account profile delete function if enabled and exists if ($_CONF['custom_registration'] && function_exists('CUSTOM_userDelete')) { CUSTOM_userDelete($uid); } // remove from all security groups DB_delete($_TABLES['group_assignments'], 'ug_uid', $uid); // remove user information and preferences DB_delete($_TABLES['userprefs'], 'uid', $uid); DB_delete($_TABLES['userindex'], 'uid', $uid); DB_delete($_TABLES['usercomment'], 'uid', $uid); DB_delete($_TABLES['userinfo'], 'uid', $uid); // avoid having orphand stories/comments by making them anonymous posts DB_query("UPDATE {$_TABLES['comments']} SET uid = 1 WHERE uid = {$uid}"); DB_query("UPDATE {$_TABLES['stories']} SET uid = 1 WHERE uid = {$uid}"); DB_query("UPDATE {$_TABLES['stories']} SET owner_id = 1 WHERE owner_id = {$uid}"); // delete story submissions DB_delete($_TABLES['storysubmission'], 'uid', $uid); // delete user photo, if enabled & exists if ($_CONF['allow_user_photo'] == 1) { $photo = DB_getItem($_TABLES['users'], 'photo', "uid = {$uid}"); USER_deletePhoto($photo, false); } // in case the user owned any objects that require Admin access, assign // them to the Root user with the lowest uid $rootgroup = DB_getItem($_TABLES['groups'], 'grp_id', "grp_name = 'Root'"); $result = DB_query("SELECT DISTINCT ug_uid FROM {$_TABLES['group_assignments']} WHERE ug_main_grp_id = {$rootgroup} ORDER BY ug_uid LIMIT 1"); $A = DB_fetchArray($result); $rootuser = $A['ug_uid']; DB_query("UPDATE {$_TABLES['blocks']} SET owner_id = {$rootuser} WHERE owner_id = {$uid}"); DB_query("UPDATE {$_TABLES['topics']} SET owner_id = {$rootuser} WHERE owner_id = {$uid}"); // now delete the user itself DB_delete($_TABLES['users'], 'uid', $uid); return true; }
/** * Merge User Accounts * * This validates the entered password and then merges a remote * account with a local account. * * @return string HTML merge form if error, redirect on success * */ function USER_mergeAccounts() { global $_CONF, $_SYSTEM, $_TABLES, $_USER, $LANG04, $LANG12, $LANG20; $retval = ''; $remoteUID = COM_applyFilter($_POST['remoteuid'], true); $localUID = COM_applyFilter($_POST['localuid'], true); $localpwd = $_POST['localp']; $localResult = DB_query("SELECT * FROM {$_TABLES['users']} WHERE uid=" . (int) $localUID); $localRow = DB_fetchArray($localResult); if (SEC_check_hash($localpwd, $localRow['passwd'])) { // password is valid $sql = "SELECT * FROM {$_TABLES['users']} WHERE remoteusername <> '' and email='" . DB_escapeString($localRow['email']) . "'"; $result = DB_query($sql); $numRows = DB_numRows($result); if ($numRows == 1) { $remoteRow = DB_fetchArray($result); if ($remoteUID == $remoteRow['uid']) { $remoteUID = (int) $remoteRow['uid']; $remoteService = substr($remoteRow['remoteservice'], 6); } else { echo COM_refresh($_CONF['site_url'] . '/index.php'); } } else { echo COM_refresh($_CONF['site_url'] . '/index.php'); } $sql = "UPDATE {$_TABLES['users']} SET remoteusername='******'remoteusername']) . "'," . "remoteservice='" . DB_escapeString($remoteRow['remoteservice']) . "', " . "account_type=3 " . " WHERE uid=" . (int) $localUID; DB_query($sql); $_USER['uid'] = $localRow['uid']; $local_login = true; SESS_completeLogin($localUID); $_GROUPS = SEC_getUserGroups($_USER['uid']); $_RIGHTS = explode(',', SEC_getUserPermissions()); if ($_SYSTEM['admin_session'] > 0 && $local_login) { if (SEC_isModerator() || SEC_hasRights('story.edit,block.edit,topic.edit,user.edit,plugin.edit,user.mail,syndication.edit', 'OR') || count(PLG_getAdminOptions()) > 0) { $admin_token = SEC_createTokenGeneral('administration', $_SYSTEM['admin_session']); SEC_setCookie('token', $admin_token, 0, $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure'], true); } } COM_resetSpeedlimit('login'); // log the user out SESS_endUserSession($remoteUID); // Let plugins know a user is being merged PLG_moveUser($remoteUID, $_USER['uid']); // Ok, now delete everything related to this user // let plugins update their data for this user PLG_deleteUser($remoteUID); if (function_exists('CUSTOM_userDeleteHook')) { CUSTOM_userDeleteHook($remoteUID); } // Call custom account profile delete function if enabled and exists if ($_CONF['custom_registration'] && function_exists('CUSTOM_userDelete')) { CUSTOM_userDelete($remoteUID); } // remove from all security groups DB_delete($_TABLES['group_assignments'], 'ug_uid', $remoteUID); // remove user information and preferences DB_delete($_TABLES['userprefs'], 'uid', $remoteUID); DB_delete($_TABLES['userindex'], 'uid', $remoteUID); DB_delete($_TABLES['usercomment'], 'uid', $remoteUID); DB_delete($_TABLES['userinfo'], 'uid', $remoteUID); // delete user photo, if enabled & exists if ($_CONF['allow_user_photo'] == 1) { $photo = DB_getItem($_TABLES['users'], 'photo', "uid = {$remoteUID}"); USER_deletePhoto($photo, false); } // delete subscriptions DB_delete($_TABLES['subscriptions'], 'uid', $remoteUID); // in case the user owned any objects that require Admin access, assign // them to the Root user with the lowest uid $rootgroup = DB_getItem($_TABLES['groups'], 'grp_id', "grp_name = 'Root'"); $result = DB_query("SELECT DISTINCT ug_uid FROM {$_TABLES['group_assignments']} WHERE ug_main_grp_id = '{$rootgroup}' ORDER BY ug_uid LIMIT 1"); $A = DB_fetchArray($result); $rootuser = $A['ug_uid']; if ($rootuser == '' || $rootuser < 2) { $rootuser = 2; } DB_query("UPDATE {$_TABLES['blocks']} SET owner_id = {$rootuser} WHERE owner_id = {$remoteUID}"); DB_query("UPDATE {$_TABLES['topics']} SET owner_id = {$rootuser} WHERE owner_id = {$remoteUID}"); // now delete the user itself DB_delete($_TABLES['users'], 'uid', $remoteUID); } else { // invalid password - let's try one more time // need to set speed limit and give them 3 tries COM_clearSpeedlimit($_CONF['login_speedlimit'], 'merge'); $last = COM_checkSpeedlimit('merge', 4); if ($last > 0) { COM_setMsg($LANG04[190], 'error'); echo COM_refresh($_CONF['site_url'] . '/users.php'); } else { COM_updateSpeedlimit('merge'); USER_mergeAccountScreen($remoteUID, $localUID, $LANG20[3]); } return $retval; } // can't use COM_setMsg here since the session is being destroyed. echo COM_refresh($_CONF['site_url'] . '/index.php?msg=522'); }