function save_obj_profile()
{
global $site;
global $objekt;
global $tyyp;
global $class_path;
include_once $class_path . "adminpage.inc.php";
### set skipped (system) fields for each class:
$skipped_fields['asset'] = 'objekt_id,profile_id';
$skipped_fields['event'] = 'objekt_id, profile_id, start_time, end_time, description,username,kasutaja_id,parent_id,recure_days, recure_week, recure_weeks,recure_month,recure_months,recure_year,recure_start,recure_end,recure_times,location,is_private,profile_id,progress,tracking_start_time,tracking_end_time,tracking_total_hours';
$skipped_fields['artikkel'] = 'objekt_id, profile_id, lyhi, sisu';
$skipped_fields['dokument'] = 'objekt_id';
$skipped_fields['file'] = 'objekt_id, profile_id, fullpath, relative_path, filename, mimetype, size, lastmodified, is_deleted';
### set field suffixes for each class (usually, if profile dropdown is used then it should be "_<profile_id>"):
$field_suffix['asset'] = '';
$field_suffix['event'] = '_' . $site->fdat['profile_id'];
$field_suffix['artikkel'] = '_' . $site->fdat['profile_id'];
$field_suffix['file'] = '_' . $site->fdat['profile_id'];
#printr($skipped_fields[$tyyp['klass']]);
if ($objekt->objekt_id) {
################## GET profile
$profile_def = $site->get_profile(array("id" => $site->fdat['profile_id']));
################ CUSTOM VALIDATION
if (file_exists($site->absolute_path . '/extensions/validations.inc.php')) {
require_once $site->absolute_path . '/extensions/validations.inc.php';
}
################## CHECK & CHANGE profile values (required, date formats, arrays, etc)
$sql_field_values = check_profile_values(array('profile_def' => &$profile_def, 'skip_fields' => $skipped_fields[$tyyp['klass']], 'skip_non_active_fields' => true, 'use_only_profile_fields' => true, 'field_suffix' => $field_suffix[$tyyp['klass']], 'custom_validation' => $VALIDATION_FUNCTIONS));
//printr($sql_field_values);
# check if usual field (save to 'obj_..' table) OR general object field (save to 'objekt' table)
$profile_data = unserialize($profile_def['data']);
if (is_array($profile_data)) {
foreach ($profile_data as $profile_field) {
if ($profile_field['is_general']) {
$general_obj_field[$profile_field['name']] = true;
}
}
# loop over fields
}
#########################
# save profile data
foreach ($sql_field_values as $field => $value) {
if ($general_obj_field[$field]) {
# (save to 'objekt' table)
$update_fields_gen[] = $site->db->prepare($field . "=?", html_entity_decode($value));
} else {
# (save to 'obj_..' table)
$update_fields[] = $site->db->prepare($field . "=?", html_entity_decode($value));
}
# which table
}
//printr($update_fields);
if (is_array($update_fields) && sizeof($update_fields) > 0) {
$sql = "UPDATE " . $tyyp['tabel'] . " SET " . join(",", $update_fields);
# Bug 2246
$sql .= $site->db->prepare(" WHERE objekt_id=?", $objekt->objekt_id);
$sth = new SQL($sql);
//printr($sql);
$site->debug->msg($sth->debug->get_msgs());
}
if (is_array($update_fields_gen) && sizeof($update_fields_gen) > 0) {
$sql = "UPDATE objekt SET " . join(",", $update_fields_gen);
# Bug 2246
$sql .= $site->db->prepare(" WHERE objekt_id=?", $objekt->objekt_id);
$sth = new SQL($sql);
#print $sql;
$site->debug->msg($sth->debug->get_msgs());
}
#print $sql;exit;
}
# obj OK
return;
}
/**
* This source file is is part of Saurus CMS content management software.
* It is licensed under MPL 1.1 (http://www.opensource.org/licenses/mozilla1.1.php).
* Copyright (C) 2000-2010 Saurused Ltd (http://www.saurus.info/).
* Redistribution of this file must retain the above copyright notice.
*
* Please note that the original authors never thought this would turn out
* such a great piece of software when the work started using Perl in year 2000.
* Due to organic growth, you may find parts of the software being
* a bit (well maybe more than a bit) old fashioned and here's where you can help.
* Good luck and keep your open source minds open!
*
* @package SaurusCMS
* @copyright 2000-2010 Saurused Ltd (http://www.saurus.info/)
* @license Mozilla Public License 1.1 (http://www.opensource.org/licenses/mozilla1.1.php)
*
*/
function smarty_function_save_profile($params, &$smarty)
{
global $site, $class_path, $leht;
include_once $class_path . 'adminpage.inc.php';
// for check_profile_values()
$id = (int) $params['id'];
unset($params['id']);
$parent_id = (int) $params['parent'];
if (!$parent_id) {
$parent_id = $leht->id;
$current_objekt = $leht->objekt;
} else {
$current_objekt = new Objekt(array('objekt_id' => $parent_id));
}
unset($params['parent']);
if (!isset($params['name'])) {
$name = 'insert_id';
} else {
$name = $params['name'];
}
unset($params['name']);
// for CMS objects on_create publishing
$publish = strtoupper(trim($params['on_create'])) == 'PUBLISH' ? 1 : 0;
unset($params['on_create']);
# get all profile data from cash
# profile name is case insensitive
$profile = strtolower($params['profile']);
unset($params['profile']);
$profile = $site->get_profile(array('name' => $profile, 'id' => (int) $params['profile_id']));
$profile_field_values = $params['fields'];
unset($params['fields']);
# sanity check: kui ei leitud sellise nimega profiili, anda toimetajale veateade
if (!$profile['profile_id']) {
if ($site->admin) {
print "<font color=red><b>Profile '" . $profile['name'] . "' not found!</b></font>";
}
return;
}
// must go to source table
$params['profile_id'] = $profile['profile_id'];
// special cases for source table ID columns
switch ($profile['source_table']) {
case 'users':
$source_table_id_column = 'user_id';
break;
case 'groups':
$source_table_id_column = 'group_id';
break;
default:
$source_table_id_column = 'objekt_id';
break;
}
// if source_table is ext_ table
if (strpos($profile['source_table'], 'ext_') === 0) {
$source_table_id_column = 'id';
}
//printr($profile);
$source_table_columns = array();
$profile_data = unserialize($profile['data']);
foreach ($profile_data as $column => $data) {
if ($data['is_active']) {
if ($data['is_general']) {
$source_table_columns[] = 'objekt.' . $column;
} else {
$source_table_columns[] = $profile['source_table'] . '.' . $column;
}
}
}
//printr($source_table_columns);
$profile_field_values = array();
$profile_data['id'] = 0;
foreach (array_keys($profile_data) as $key) {
$profile_field_values[$key] = '';
}
//check profile filed values, errors go into $site->fdat['form_error']
$sql_values = check_profile_values(array('profile_def' => $profile, 'skip_non_active_fields' => true, 'use_only_profile_fields' => true));
$sql_values_skip_prepare = array();
// add additional fields to sql values
foreach ($params as $field_name => $field_value) {
$sql_values[$field_name] = $field_value;
if (array_search($profile['source_table'] . '.' . $field_name, $source_table_columns) === false) {
$source_table_columns[] = $profile['source_table'] . '.' . $field_name;
}
}
// add profile_id
if (array_search($profile['source_table'] . '.profile_id', $source_table_columns) === false) {
$source_table_columns[] = $profile['source_table'] . '.profile_id';
}
//$sql_values = array_unique($sql_values);
// special case for users
if ($profile['source_table'] == 'users') {
// username is required field but readonly for already registered users
if ($site->fdat['form_error']['username'] && $params['username']) {
unset($site->fdat['form_error']['username']);
}
// username must be unique for new user
if (!$id) {
$sql = $site->db->prepare('select username from users where username = ?', $sql_values['username']);
$result = new SQL($sql);
if ($result->rows) {
$site->fdat['form_error']['username'] = $site->sys_sona(array('sona' => 'user exists', 'tyyp' => 'kasutaja'));
}
}
############ E-MAIL: CHECK FOR CORRECT FORMAT
if ($sql_values['email'] != '' && !preg_match("/^[\\w\\-\\&\\.\\d]+\\@[\\w\\-\\&\\.\\d]+\$/", $sql_values['email'])) {
$site->fdat['form_error']['email'] = $site->sys_sona(array('sona' => 'wrong email format', 'tyyp' => 'kasutaja'));
}
############ E-MAIL: CHECK FOR DUPLICATES
if ($sql_values['email']) {
$sql = $site->db->prepare("SELECT user_id FROM users WHERE email=? AND user_id<>?", $sql_values['email'], $id);
$sth = new SQL($sql);
if ($exists = $sth->fetchsingle()) {
$site->fdat['form_error']['email'] = $site->sys_sona(array(sona => 'Email already exists', 'tyyp' => 'kasutaja'));
}
}
############ PASSWORD: CHECK FOR CONFIRM MATCH & ENCRYPT
# if password is set
if (!$id || $params['password']) {
if (!$params['password']) {
$site->fdat['form_error']['password'] = $site->sys_sona(array('sona' => 'field required', 'tyyp' => 'kasutaja'));
}
if (!$params['confirm_password']) {
$site->fdat['form_error']['confirm_password'] = $site->sys_sona(array('sona' => 'field required', 'tyyp' => 'kasutaja'));
}
$old_user_enc_password = $site->user->all['password'];
unset($site->user->all['password']);
# if password expired, then check, if user inserted new password (check if this match with old one)
if ($old_user_enc_password && $site->user->all['pass_expired']) {
if ($old_user_enc_password == crypt($sql_values['password'], $old_user_enc_password)) {
$you_inserted_old_password = 1;
}
}
if ($you_inserted_old_password) {
$site->fdat['form_error']['password'] = $site->sys_sona(array('sona' => 'Password expired message', 'tyyp' => 'kasutaja'));
} elseif ($params['confirm_password'] != $sql_values['password']) {
$site->fdat['form_error']['password'] = $site->sys_sona(array('sona' => 'wrong confirmation', 'tyyp' => 'kasutaja'));
} elseif ($site->CONF['users_require_safe_password'] == 1 && strlen($sql_values['password']) < 8 && !(preg_match('/[a-z]/', $sql_values['password']) && preg_match('/[A-Z]/', $sql_values['password']) && preg_match('/[0-9]/', $sql_values['password']))) {
$site->fdat['form_error']['password'] = $site->sys_sona(array('sona' => 'pass_not_strong', 'tyyp' => 'kasutaja'));
} else {
$sql_values['password'] = crypt($sql_values['password'], Chr(rand(65, 91)) . Chr(rand(65, 91)));
// set pass_expiring date
if (!$sql_values['pass_expires'] || $sql_values['pass_expires'] == '0000-00-00') {
$source_table_columns[] = 'users.pass_expires';
$sql_values['pass_expires'] = "DATE_ADD(now(), INTERVAL " . $site->CONF['default_pass_expire_days'] . " DAY)";
$sql_values_skip_prepare['users.pass_expires'] = 1;
}
}
# if confirm ok
} else {
unset($sql_values['password']);
$key = array_search('users.password', $source_table_columns);
if ($key !== false) {
unset($source_table_columns[$key]);
}
}
// remove confirm_password
unset($sql_values['confirm_password']);
$key = array_search('users.confirm_password', $source_table_columns);
if ($key !== false) {
unset($source_table_columns[$key]);
}
// set group_id only for new users
if (!$sql_values['group_id'] && !$id) {
$sth = new SQL('SELECT group_id FROM groups WHERE is_predefined = 1');
$site->debug->msg($sth->debug->get_msgs());
$sql_values['group_id'] = $sth->fetchsingle();
$source_table_columns[] = 'users.group_id';
}
// set created_date
if (!$sql_values['created_date'] && !$id) {
$source_table_columns[] = 'users.created_date';
$sql_values['created_date'] = date('Y-m-d');
}
}
// if no erros
if (!sizeof($site->fdat['form_error'])) {
// UPDATE a field
if ($id) {
$update_source_sql = '';
$update_objekt_sql = '';
foreach ($source_table_columns as $source_table_column) {
if (strpos($source_table_column, 'objekt.') === 0) {
// only pealkir allowed and it must be prepared
if ($source_table_column == 'objekt.pealkiri') {
$title = $sql_values[substr($source_table_column, strpos($source_table_column, '.') + 1)];
$update_objekt_sql .= $site->db->prepare($source_table_column . ' = ?, ', $title);
$update_objekt_sql .= $site->db->prepare('objekt.pealkiri_strip = ?, ', strip_tags($title));
}
} else {
if ($sql_values_skip_prepare[$source_table_column]) {
$update_source_sql .= $source_table_column . ' = ' . $sql_values[substr($source_table_column, strpos($source_table_column, '.') + 1)] . ', ';
} else {
$update_source_sql .= $site->db->prepare($source_table_column . ' = ?, ', $sql_values[substr($source_table_column, strpos($source_table_column, '.') + 1)]);
}
}
}
// remove trailing ,
$update_source_sql = substr_replace($update_source_sql, '', strlen($update_source_sql) - 2);
$update_objekt_sql = substr_replace($update_objekt_sql, '', strlen($update_objekt_sql) - 2);
// if this is a CMS objekt
if (strpos($profile['source_table'], 'obj_') === 0) {
$objekt = new Objekt(array('objekt_id' => $id));
// object must have READ and UPDATE permissions
if ($objekt->objekt_id && $objekt->permission['R'] && $objekt->permission['U']) {
// update the object table first
// changed_user_id
$update_objekt_sql .= ($update_objekt_sql ? ', ' : ' ') . 'objekt.changed_user_id = ' . (int) $site->user->id;
// changed_user_name
$update_objekt_sql .= $site->db->prepare(', objekt.changed_user_name = ?', $site->user->name);
// changed_time
$update_objekt_sql .= ', objekt.changed_time = now()';
$sql = 'update objekt set ' . $update_objekt_sql . ' where objekt.objekt_id = ' . $id;
//printr($sql);
new SQL($sql);
$sql = 'update ' . $profile['source_table'] . ' set ' . $update_source_sql . ' where ' . $profile['source_table'] . '.objekt_id = ' . $id;
//printr($sql);
new SQL($sql);
new Log(array('action' => 'update', 'objekt_id' => $objekt->objekt_id, 'message' => sprintf("%s '%s' (ID = %s) %s", ucfirst(translate_en($objekt->all['klass'])), $title, $objekt->objekt_id, "changed")));
$smarty->assign($name, $id);
} else {
new Log(array('action' => 'update', 'type' => 'WARNING', 'objekt_id' => $objekt->objekt_id, 'message' => sprintf("Access denied: attempt to edit %s '%s' (ID = %s)", ucfirst(translate_en($objekt->all['klass'])), $objekt->pealkiri(), $objekt->objekt_id)));
$smarty->assign($name, 0);
}
} else {
if ($profile['source_table'] == 'users' && $site->user->all['is_readonly'] == 1) {
new Log(array('action' => 'update', 'type' => 'WARNING', 'component' => 'Users', 'message' => "User '" . $site->user->all['firstname'] . ' ' . $site->user->all['lastname'] . "' tried to update an account but was unable because of a is_readonly flag"));
$smarty->assign($name, 0);
} else {
$sql = 'update ' . $profile['source_table'] . ' set ' . $update_source_sql . ' where ' . $source_table_id_column . ' = ' . $id;
//printr($sql);
$result = new SQL($sql);
if ($result->rows != -1) {
// log values for new user
if ($profile['source_table'] == 'users') {
new Log(array('action' => 'update', 'component' => 'Users', 'message' => "User '" . $site->user->all['firstname'] . ' ' . $site->user->all['lastname'] . "' account updated"));
} else {
new Log(array('action' => 'update', 'message' => "Record (ID: " . $id . ") updated in " . $profile['source_table']));
}
$smarty->assign($name, $id);
} else {
$smarty->assign($name, 0);
}
}
}
} else {
$insert_source_sql = '';
$insert_objekt_sql = '';
foreach ($source_table_columns as $source_table_column) {
if (strpos($source_table_column, 'objekt.') === 0) {
// only pealkir allowed and it must be prepared
if ($source_table_column == 'objekt.pealkiri') {
$title = $sql_values[substr($source_table_column, strpos($source_table_column, '.') + 1)];
$insert_objekt_sql .= $site->db->prepare($source_table_column . ' = ?, ', $title);
$insert_objekt_sql .= $site->db->prepare('objekt.pealkiri_strip = ?, ', strip_tags($title));
}
} else {
if ($sql_values_skip_prepare[$source_table_column]) {
$insert_source_sql .= $source_table_column . ' = ' . $sql_values[substr($source_table_column, strpos($source_table_column, '.') + 1)] . ', ';
} else {
$insert_source_sql .= $site->db->prepare($source_table_column . ' = ?, ', $sql_values[substr($source_table_column, strpos($source_table_column, '.') + 1)]);
}
}
}
// remove trailing ,
$insert_objekt_sql = substr_replace($insert_objekt_sql, '', strlen($insert_objekt_sql) - 2);
$insert_source_sql = substr_replace($insert_source_sql, '', strlen($insert_source_sql) - 2);
// if this is a CMS objekt
if (strpos($profile['source_table'], 'obj_') === 0) {
// parent object must have create permission
if ($current_objekt->permission['C']) {
//must be fields and cannot be overwritten by user data
// tyyp_id
$class_id = (int) array_search(str_replace('obj_', '', $profile['source_table']), $site->object_tyyp_id_klass);
$insert_objekt_sql .= ($insert_objekt_sql ? ', ' : ' ') . 'objekt.tyyp_id = ' . $class_id;
// keel
$insert_objekt_sql .= ', objekt.keel = ' . $site->keel;
// kesk (position)
//$insert_objekt_sql .= ', kesk = '.(int)$current_objekt->all['kesk'];
// aeg
$insert_objekt_sql .= ', objekt.aeg = now()';
// publishing
$insert_objekt_sql .= ', objekt.on_avaldatud = ' . $publish;
// created user_id
$insert_objekt_sql .= ', objekt.created_user_id = ' . (int) $site->user->id;
// created user_name
$insert_objekt_sql .= $site->db->prepare(', objekt.created_user_name = ?', $site->user->name);
// created time
$insert_objekt_sql .= ', objekt.created_time = now()';
// comment_count, for less errors in database_repair.php
$insert_objekt_sql .= ', objekt.comment_count = 0';
$sql = 'insert into objekt set ' . $insert_objekt_sql;
//printr($sql);
$result = new SQL($sql);
$id = $result->insert_id;
if ($id) {
$sql = 'select max(sorteering)+1 from objekt_objekt';
$result = new SQL($sql);
$sql = $site->db->prepare('insert into objekt_objekt set objekt_id = ?, parent_id = ?, sorteering = ?', $id, $parent_id, $result->fetchsingle());
//printr($sql);
$result = new SQL($sql);
$insert_source_sql .= ', ' . $profile['source_table'] . '.objekt_id = ' . $id;
$sql = 'insert into ' . $profile['source_table'] . ' set ' . $insert_source_sql;
//printr($sql);
$result = new SQL($sql);
new Log(array('action' => 'create', 'objekt_id' => $id, 'message' => sprintf("%s '%s' (ID = %s) %s", ucfirst($site->object_tyyp_id_nimi[$class_id]), $title, $id, "inserted")));
foreach (unserialize($profile['data']) as $key => $value) {
unset($site->fdat[$key]);
}
$smarty->assign($name, $id);
} else {
$smarty->assign($name, 0);
}
} else {
// no create permission
new Log(array('action' => 'create', 'type' => 'WARNING', 'message' => sprintf("Access denied: attempt to create %s under restricted category ID = %s", ucfirst(translate_en(str_replace('obj_', '', $profile['source_table']))), $current_objekt->objekt_id)));
$smarty->assign($name, 0);
}
} elseif ($profile['source_table'] == 'users' && $site->user->all['is_readonly'] == 1) {
new Log(array('action' => 'update', 'component' => 'Users', 'type' => 'WARNING', 'message' => "User '" . $site->user->all['firstname'] . ' ' . $site->user->all['lastname'] . "' tried to update his account, but was unable to because of a read_only flag on his/her account"));
} else {
$sql = 'insert into ' . $profile['source_table'] . ' set ' . $insert_source_sql;
//printr($sql);
$result = new SQL($sql);
if ($result->insert_id) {
// log values for new user
if ($profile['source_table'] == 'users') {
new Log(array('action' => 'create', 'component' => 'Users', 'message' => "New user '" . $sql_field_values['username'] . "' inserted"));
} else {
new Log(array('action' => 'create', 'message' => "Record (ID: " . $result->insert_id . ") inserted into " . $profile['source_table']));
}
foreach (unserialize($profile['data']) as $key => $value) {
unset($site->fdat[$key]);
}
$smarty->assign($name, $result->insert_id);
} else {
$smarty->assign($name, 0);
}
}
}
} else {
$_POST['form_error'] = $site->fdat['form_error'];
$smarty->assign($name, 0);
}
}
###########################
# / PERMISSIONS CHECK
####################################
######### GO ON WITH REAL WORK
#################
# STEP2: SAVE DATA
if ($op2 && !$site->fdat['refresh']) {
$form_error = array();
verify_form_token();
##############
# SAVE GROUP TAB
if ($site->fdat['tab'] == 'group') {
################## GET profile
$profile_def = $site->get_profile(array("id" => $site->fdat['profile_id']));
################## CHECK & CHANGE profile values (required, date formats, arrays, etc)
$sql_field_values = check_profile_values(array("profile_def" => &$profile_def, "skip_fields" => "group_id,name,parent_group_id"));
#printr($sql_field_values);
############ NEW OR COPY
if ($op == 'new' || $op == 'copy') {
$parent_id = $site->fdat['group_id'];
$sql = $site->db->prepare("INSERT INTO groups (profile_id, name, parent_group_id, auth_type " . (count($update_fields) ? ',' . join(",", array_keys($sql_field_values)) : '') . ") VALUES (?,?,?,? " . (count($update_fields) ? ",'" . join("','", array_values($sql_field_values)) . "'" : "") . " )", $site->fdat['profile_id'] ? $site->fdat['profile_id'] : 0, trim($site->fdat['name']) == '' ? 'undefined' : $site->fdat['name'], $site->fdat['parent_group_id'], $site->fdat['auth_type']);
#print $sql;
$sth = new SQL($sql);
$site->debug->msg($sth->debug->get_msgs());
$site->fdat['group_id'] = $sth->insert_id;
########################
# INSERT PERMISSIONS
# lisame uuele grupile t�pselt samad �igused nagu on tema parent grupil:
# leia k�ik parenti �igused userite/gruppide kohta:
$sql = $site->db->prepare("SELECT * FROM permissions WHERE type=? AND source_id=?", 'ACL', $parent_id);
$sth = new SQL($sql);
if (!$site->fdat['refresh'] && ($op2 == 'save' || $op2 == 'saveclose' || $op2 == 'deleteconfirmed' || $op2 == 'lockconfirmed')) {
verify_form_token();
$form_error = $site->fdat['error'];
# get all table fields:
$user_fields = array();
$user_fields = split(",", $site->db->get_fields(array(tabel => 'users')));
# remove ID field from array:
$id_key = array_search('user_id', $user_fields);
unset($user_fields[$id_key]);
##############
# SAVE USER TAB
if ($site->fdat['tab'] == 'user') {
################## GET profile
$profile_def = $site->get_profile(array("id" => $site->fdat['profile_id']));
################## CHECK & CHANGE profile values (required, date formats, arrays, etc)
$sql_field_values = check_profile_values(array("profile_def" => &$profile_def, "skip_fields" => "user_id, group_id, email, profile_id, firstname, lastname, is_predefined, username, password, pass_expires"));
#printr($sql_field_values);
$form_error = $site->fdat['error'];
# if name is not defined then set it to 'undefined':
if (trim($site->fdat['firstname']) == '') {
$site->fdat['firstname'] = 'undefined';
}
#echo printr($sql_field_values);
############ E-MAIL: CHECK FOR CORRECT FORMAT
# if e-mail is set
if ($site->fdat['email'] != '') {
if (!preg_match("/^[\\w\\-\\&\\.\\d]+\\@[\\w\\-\\&\\.\\d]+\$/", $site->fdat['email'])) {
# don't save incorrect data:
unset($site->fdat['email']);
# save error message for use in form later:
$form_error['email'] = $site->sys_sona(array(sona => "wrong email format", tyyp => "kasutaja"));
