function save_obj_profile() { global $site; global $objekt; global $tyyp; global $class_path; include_once $class_path . "adminpage.inc.php"; ### set skipped (system) fields for each class: $skipped_fields['asset'] = 'objekt_id,profile_id'; $skipped_fields['event'] = 'objekt_id, profile_id, start_time, end_time, description,username,kasutaja_id,parent_id,recure_days, recure_week, recure_weeks,recure_month,recure_months,recure_year,recure_start,recure_end,recure_times,location,is_private,profile_id,progress,tracking_start_time,tracking_end_time,tracking_total_hours'; $skipped_fields['artikkel'] = 'objekt_id, profile_id, lyhi, sisu'; $skipped_fields['dokument'] = 'objekt_id'; $skipped_fields['file'] = 'objekt_id, profile_id, fullpath, relative_path, filename, mimetype, size, lastmodified, is_deleted'; ### set field suffixes for each class (usually, if profile dropdown is used then it should be "_<profile_id>"): $field_suffix['asset'] = ''; $field_suffix['event'] = '_' . $site->fdat['profile_id']; $field_suffix['artikkel'] = '_' . $site->fdat['profile_id']; $field_suffix['file'] = '_' . $site->fdat['profile_id']; #printr($skipped_fields[$tyyp['klass']]); if ($objekt->objekt_id) { ################## GET profile $profile_def = $site->get_profile(array("id" => $site->fdat['profile_id'])); ################ CUSTOM VALIDATION if (file_exists($site->absolute_path . '/extensions/validations.inc.php')) { require_once $site->absolute_path . '/extensions/validations.inc.php'; } ################## CHECK & CHANGE profile values (required, date formats, arrays, etc) $sql_field_values = check_profile_values(array('profile_def' => &$profile_def, 'skip_fields' => $skipped_fields[$tyyp['klass']], 'skip_non_active_fields' => true, 'use_only_profile_fields' => true, 'field_suffix' => $field_suffix[$tyyp['klass']], 'custom_validation' => $VALIDATION_FUNCTIONS)); //printr($sql_field_values); # check if usual field (save to 'obj_..' table) OR general object field (save to 'objekt' table) $profile_data = unserialize($profile_def['data']); if (is_array($profile_data)) { foreach ($profile_data as $profile_field) { if ($profile_field['is_general']) { $general_obj_field[$profile_field['name']] = true; } } # loop over fields } ######################### # save profile data foreach ($sql_field_values as $field => $value) { if ($general_obj_field[$field]) { # (save to 'objekt' table) $update_fields_gen[] = $site->db->prepare($field . "=?", html_entity_decode($value)); } else { # (save to 'obj_..' table) $update_fields[] = $site->db->prepare($field . "=?", html_entity_decode($value)); } # which table } //printr($update_fields); if (is_array($update_fields) && sizeof($update_fields) > 0) { $sql = "UPDATE " . $tyyp['tabel'] . " SET " . join(",", $update_fields); # Bug 2246 $sql .= $site->db->prepare(" WHERE objekt_id=?", $objekt->objekt_id); $sth = new SQL($sql); //printr($sql); $site->debug->msg($sth->debug->get_msgs()); } if (is_array($update_fields_gen) && sizeof($update_fields_gen) > 0) { $sql = "UPDATE objekt SET " . join(",", $update_fields_gen); # Bug 2246 $sql .= $site->db->prepare(" WHERE objekt_id=?", $objekt->objekt_id); $sth = new SQL($sql); #print $sql; $site->debug->msg($sth->debug->get_msgs()); } #print $sql;exit; } # obj OK return; }
/** * This source file is is part of Saurus CMS content management software. * It is licensed under MPL 1.1 (http://www.opensource.org/licenses/mozilla1.1.php). * Copyright (C) 2000-2010 Saurused Ltd (http://www.saurus.info/). * Redistribution of this file must retain the above copyright notice. * * Please note that the original authors never thought this would turn out * such a great piece of software when the work started using Perl in year 2000. * Due to organic growth, you may find parts of the software being * a bit (well maybe more than a bit) old fashioned and here's where you can help. * Good luck and keep your open source minds open! * * @package SaurusCMS * @copyright 2000-2010 Saurused Ltd (http://www.saurus.info/) * @license Mozilla Public License 1.1 (http://www.opensource.org/licenses/mozilla1.1.php) * */ function smarty_function_save_profile($params, &$smarty) { global $site, $class_path, $leht; include_once $class_path . 'adminpage.inc.php'; // for check_profile_values() $id = (int) $params['id']; unset($params['id']); $parent_id = (int) $params['parent']; if (!$parent_id) { $parent_id = $leht->id; $current_objekt = $leht->objekt; } else { $current_objekt = new Objekt(array('objekt_id' => $parent_id)); } unset($params['parent']); if (!isset($params['name'])) { $name = 'insert_id'; } else { $name = $params['name']; } unset($params['name']); // for CMS objects on_create publishing $publish = strtoupper(trim($params['on_create'])) == 'PUBLISH' ? 1 : 0; unset($params['on_create']); # get all profile data from cash # profile name is case insensitive $profile = strtolower($params['profile']); unset($params['profile']); $profile = $site->get_profile(array('name' => $profile, 'id' => (int) $params['profile_id'])); $profile_field_values = $params['fields']; unset($params['fields']); # sanity check: kui ei leitud sellise nimega profiili, anda toimetajale veateade if (!$profile['profile_id']) { if ($site->admin) { print "<font color=red><b>Profile '" . $profile['name'] . "' not found!</b></font>"; } return; } // must go to source table $params['profile_id'] = $profile['profile_id']; // special cases for source table ID columns switch ($profile['source_table']) { case 'users': $source_table_id_column = 'user_id'; break; case 'groups': $source_table_id_column = 'group_id'; break; default: $source_table_id_column = 'objekt_id'; break; } // if source_table is ext_ table if (strpos($profile['source_table'], 'ext_') === 0) { $source_table_id_column = 'id'; } //printr($profile); $source_table_columns = array(); $profile_data = unserialize($profile['data']); foreach ($profile_data as $column => $data) { if ($data['is_active']) { if ($data['is_general']) { $source_table_columns[] = 'objekt.' . $column; } else { $source_table_columns[] = $profile['source_table'] . '.' . $column; } } } //printr($source_table_columns); $profile_field_values = array(); $profile_data['id'] = 0; foreach (array_keys($profile_data) as $key) { $profile_field_values[$key] = ''; } //check profile filed values, errors go into $site->fdat['form_error'] $sql_values = check_profile_values(array('profile_def' => $profile, 'skip_non_active_fields' => true, 'use_only_profile_fields' => true)); $sql_values_skip_prepare = array(); // add additional fields to sql values foreach ($params as $field_name => $field_value) { $sql_values[$field_name] = $field_value; if (array_search($profile['source_table'] . '.' . $field_name, $source_table_columns) === false) { $source_table_columns[] = $profile['source_table'] . '.' . $field_name; } } // add profile_id if (array_search($profile['source_table'] . '.profile_id', $source_table_columns) === false) { $source_table_columns[] = $profile['source_table'] . '.profile_id'; } //$sql_values = array_unique($sql_values); // special case for users if ($profile['source_table'] == 'users') { // username is required field but readonly for already registered users if ($site->fdat['form_error']['username'] && $params['username']) { unset($site->fdat['form_error']['username']); } // username must be unique for new user if (!$id) { $sql = $site->db->prepare('select username from users where username = ?', $sql_values['username']); $result = new SQL($sql); if ($result->rows) { $site->fdat['form_error']['username'] = $site->sys_sona(array('sona' => 'user exists', 'tyyp' => 'kasutaja')); } } ############ E-MAIL: CHECK FOR CORRECT FORMAT if ($sql_values['email'] != '' && !preg_match("/^[\\w\\-\\&\\.\\d]+\\@[\\w\\-\\&\\.\\d]+\$/", $sql_values['email'])) { $site->fdat['form_error']['email'] = $site->sys_sona(array('sona' => 'wrong email format', 'tyyp' => 'kasutaja')); } ############ E-MAIL: CHECK FOR DUPLICATES if ($sql_values['email']) { $sql = $site->db->prepare("SELECT user_id FROM users WHERE email=? AND user_id<>?", $sql_values['email'], $id); $sth = new SQL($sql); if ($exists = $sth->fetchsingle()) { $site->fdat['form_error']['email'] = $site->sys_sona(array(sona => 'Email already exists', 'tyyp' => 'kasutaja')); } } ############ PASSWORD: CHECK FOR CONFIRM MATCH & ENCRYPT # if password is set if (!$id || $params['password']) { if (!$params['password']) { $site->fdat['form_error']['password'] = $site->sys_sona(array('sona' => 'field required', 'tyyp' => 'kasutaja')); } if (!$params['confirm_password']) { $site->fdat['form_error']['confirm_password'] = $site->sys_sona(array('sona' => 'field required', 'tyyp' => 'kasutaja')); } $old_user_enc_password = $site->user->all['password']; unset($site->user->all['password']); # if password expired, then check, if user inserted new password (check if this match with old one) if ($old_user_enc_password && $site->user->all['pass_expired']) { if ($old_user_enc_password == crypt($sql_values['password'], $old_user_enc_password)) { $you_inserted_old_password = 1; } } if ($you_inserted_old_password) { $site->fdat['form_error']['password'] = $site->sys_sona(array('sona' => 'Password expired message', 'tyyp' => 'kasutaja')); } elseif ($params['confirm_password'] != $sql_values['password']) { $site->fdat['form_error']['password'] = $site->sys_sona(array('sona' => 'wrong confirmation', 'tyyp' => 'kasutaja')); } elseif ($site->CONF['users_require_safe_password'] == 1 && strlen($sql_values['password']) < 8 && !(preg_match('/[a-z]/', $sql_values['password']) && preg_match('/[A-Z]/', $sql_values['password']) && preg_match('/[0-9]/', $sql_values['password']))) { $site->fdat['form_error']['password'] = $site->sys_sona(array('sona' => 'pass_not_strong', 'tyyp' => 'kasutaja')); } else { $sql_values['password'] = crypt($sql_values['password'], Chr(rand(65, 91)) . Chr(rand(65, 91))); // set pass_expiring date if (!$sql_values['pass_expires'] || $sql_values['pass_expires'] == '0000-00-00') { $source_table_columns[] = 'users.pass_expires'; $sql_values['pass_expires'] = "DATE_ADD(now(), INTERVAL " . $site->CONF['default_pass_expire_days'] . " DAY)"; $sql_values_skip_prepare['users.pass_expires'] = 1; } } # if confirm ok } else { unset($sql_values['password']); $key = array_search('users.password', $source_table_columns); if ($key !== false) { unset($source_table_columns[$key]); } } // remove confirm_password unset($sql_values['confirm_password']); $key = array_search('users.confirm_password', $source_table_columns); if ($key !== false) { unset($source_table_columns[$key]); } // set group_id only for new users if (!$sql_values['group_id'] && !$id) { $sth = new SQL('SELECT group_id FROM groups WHERE is_predefined = 1'); $site->debug->msg($sth->debug->get_msgs()); $sql_values['group_id'] = $sth->fetchsingle(); $source_table_columns[] = 'users.group_id'; } // set created_date if (!$sql_values['created_date'] && !$id) { $source_table_columns[] = 'users.created_date'; $sql_values['created_date'] = date('Y-m-d'); } } // if no erros if (!sizeof($site->fdat['form_error'])) { // UPDATE a field if ($id) { $update_source_sql = ''; $update_objekt_sql = ''; foreach ($source_table_columns as $source_table_column) { if (strpos($source_table_column, 'objekt.') === 0) { // only pealkir allowed and it must be prepared if ($source_table_column == 'objekt.pealkiri') { $title = $sql_values[substr($source_table_column, strpos($source_table_column, '.') + 1)]; $update_objekt_sql .= $site->db->prepare($source_table_column . ' = ?, ', $title); $update_objekt_sql .= $site->db->prepare('objekt.pealkiri_strip = ?, ', strip_tags($title)); } } else { if ($sql_values_skip_prepare[$source_table_column]) { $update_source_sql .= $source_table_column . ' = ' . $sql_values[substr($source_table_column, strpos($source_table_column, '.') + 1)] . ', '; } else { $update_source_sql .= $site->db->prepare($source_table_column . ' = ?, ', $sql_values[substr($source_table_column, strpos($source_table_column, '.') + 1)]); } } } // remove trailing , $update_source_sql = substr_replace($update_source_sql, '', strlen($update_source_sql) - 2); $update_objekt_sql = substr_replace($update_objekt_sql, '', strlen($update_objekt_sql) - 2); // if this is a CMS objekt if (strpos($profile['source_table'], 'obj_') === 0) { $objekt = new Objekt(array('objekt_id' => $id)); // object must have READ and UPDATE permissions if ($objekt->objekt_id && $objekt->permission['R'] && $objekt->permission['U']) { // update the object table first // changed_user_id $update_objekt_sql .= ($update_objekt_sql ? ', ' : ' ') . 'objekt.changed_user_id = ' . (int) $site->user->id; // changed_user_name $update_objekt_sql .= $site->db->prepare(', objekt.changed_user_name = ?', $site->user->name); // changed_time $update_objekt_sql .= ', objekt.changed_time = now()'; $sql = 'update objekt set ' . $update_objekt_sql . ' where objekt.objekt_id = ' . $id; //printr($sql); new SQL($sql); $sql = 'update ' . $profile['source_table'] . ' set ' . $update_source_sql . ' where ' . $profile['source_table'] . '.objekt_id = ' . $id; //printr($sql); new SQL($sql); new Log(array('action' => 'update', 'objekt_id' => $objekt->objekt_id, 'message' => sprintf("%s '%s' (ID = %s) %s", ucfirst(translate_en($objekt->all['klass'])), $title, $objekt->objekt_id, "changed"))); $smarty->assign($name, $id); } else { new Log(array('action' => 'update', 'type' => 'WARNING', 'objekt_id' => $objekt->objekt_id, 'message' => sprintf("Access denied: attempt to edit %s '%s' (ID = %s)", ucfirst(translate_en($objekt->all['klass'])), $objekt->pealkiri(), $objekt->objekt_id))); $smarty->assign($name, 0); } } else { if ($profile['source_table'] == 'users' && $site->user->all['is_readonly'] == 1) { new Log(array('action' => 'update', 'type' => 'WARNING', 'component' => 'Users', 'message' => "User '" . $site->user->all['firstname'] . ' ' . $site->user->all['lastname'] . "' tried to update an account but was unable because of a is_readonly flag")); $smarty->assign($name, 0); } else { $sql = 'update ' . $profile['source_table'] . ' set ' . $update_source_sql . ' where ' . $source_table_id_column . ' = ' . $id; //printr($sql); $result = new SQL($sql); if ($result->rows != -1) { // log values for new user if ($profile['source_table'] == 'users') { new Log(array('action' => 'update', 'component' => 'Users', 'message' => "User '" . $site->user->all['firstname'] . ' ' . $site->user->all['lastname'] . "' account updated")); } else { new Log(array('action' => 'update', 'message' => "Record (ID: " . $id . ") updated in " . $profile['source_table'])); } $smarty->assign($name, $id); } else { $smarty->assign($name, 0); } } } } else { $insert_source_sql = ''; $insert_objekt_sql = ''; foreach ($source_table_columns as $source_table_column) { if (strpos($source_table_column, 'objekt.') === 0) { // only pealkir allowed and it must be prepared if ($source_table_column == 'objekt.pealkiri') { $title = $sql_values[substr($source_table_column, strpos($source_table_column, '.') + 1)]; $insert_objekt_sql .= $site->db->prepare($source_table_column . ' = ?, ', $title); $insert_objekt_sql .= $site->db->prepare('objekt.pealkiri_strip = ?, ', strip_tags($title)); } } else { if ($sql_values_skip_prepare[$source_table_column]) { $insert_source_sql .= $source_table_column . ' = ' . $sql_values[substr($source_table_column, strpos($source_table_column, '.') + 1)] . ', '; } else { $insert_source_sql .= $site->db->prepare($source_table_column . ' = ?, ', $sql_values[substr($source_table_column, strpos($source_table_column, '.') + 1)]); } } } // remove trailing , $insert_objekt_sql = substr_replace($insert_objekt_sql, '', strlen($insert_objekt_sql) - 2); $insert_source_sql = substr_replace($insert_source_sql, '', strlen($insert_source_sql) - 2); // if this is a CMS objekt if (strpos($profile['source_table'], 'obj_') === 0) { // parent object must have create permission if ($current_objekt->permission['C']) { //must be fields and cannot be overwritten by user data // tyyp_id $class_id = (int) array_search(str_replace('obj_', '', $profile['source_table']), $site->object_tyyp_id_klass); $insert_objekt_sql .= ($insert_objekt_sql ? ', ' : ' ') . 'objekt.tyyp_id = ' . $class_id; // keel $insert_objekt_sql .= ', objekt.keel = ' . $site->keel; // kesk (position) //$insert_objekt_sql .= ', kesk = '.(int)$current_objekt->all['kesk']; // aeg $insert_objekt_sql .= ', objekt.aeg = now()'; // publishing $insert_objekt_sql .= ', objekt.on_avaldatud = ' . $publish; // created user_id $insert_objekt_sql .= ', objekt.created_user_id = ' . (int) $site->user->id; // created user_name $insert_objekt_sql .= $site->db->prepare(', objekt.created_user_name = ?', $site->user->name); // created time $insert_objekt_sql .= ', objekt.created_time = now()'; // comment_count, for less errors in database_repair.php $insert_objekt_sql .= ', objekt.comment_count = 0'; $sql = 'insert into objekt set ' . $insert_objekt_sql; //printr($sql); $result = new SQL($sql); $id = $result->insert_id; if ($id) { $sql = 'select max(sorteering)+1 from objekt_objekt'; $result = new SQL($sql); $sql = $site->db->prepare('insert into objekt_objekt set objekt_id = ?, parent_id = ?, sorteering = ?', $id, $parent_id, $result->fetchsingle()); //printr($sql); $result = new SQL($sql); $insert_source_sql .= ', ' . $profile['source_table'] . '.objekt_id = ' . $id; $sql = 'insert into ' . $profile['source_table'] . ' set ' . $insert_source_sql; //printr($sql); $result = new SQL($sql); new Log(array('action' => 'create', 'objekt_id' => $id, 'message' => sprintf("%s '%s' (ID = %s) %s", ucfirst($site->object_tyyp_id_nimi[$class_id]), $title, $id, "inserted"))); foreach (unserialize($profile['data']) as $key => $value) { unset($site->fdat[$key]); } $smarty->assign($name, $id); } else { $smarty->assign($name, 0); } } else { // no create permission new Log(array('action' => 'create', 'type' => 'WARNING', 'message' => sprintf("Access denied: attempt to create %s under restricted category ID = %s", ucfirst(translate_en(str_replace('obj_', '', $profile['source_table']))), $current_objekt->objekt_id))); $smarty->assign($name, 0); } } elseif ($profile['source_table'] == 'users' && $site->user->all['is_readonly'] == 1) { new Log(array('action' => 'update', 'component' => 'Users', 'type' => 'WARNING', 'message' => "User '" . $site->user->all['firstname'] . ' ' . $site->user->all['lastname'] . "' tried to update his account, but was unable to because of a read_only flag on his/her account")); } else { $sql = 'insert into ' . $profile['source_table'] . ' set ' . $insert_source_sql; //printr($sql); $result = new SQL($sql); if ($result->insert_id) { // log values for new user if ($profile['source_table'] == 'users') { new Log(array('action' => 'create', 'component' => 'Users', 'message' => "New user '" . $sql_field_values['username'] . "' inserted")); } else { new Log(array('action' => 'create', 'message' => "Record (ID: " . $result->insert_id . ") inserted into " . $profile['source_table'])); } foreach (unserialize($profile['data']) as $key => $value) { unset($site->fdat[$key]); } $smarty->assign($name, $result->insert_id); } else { $smarty->assign($name, 0); } } } } else { $_POST['form_error'] = $site->fdat['form_error']; $smarty->assign($name, 0); } }
########################### # / PERMISSIONS CHECK #################################### ######### GO ON WITH REAL WORK ################# # STEP2: SAVE DATA if ($op2 && !$site->fdat['refresh']) { $form_error = array(); verify_form_token(); ############## # SAVE GROUP TAB if ($site->fdat['tab'] == 'group') { ################## GET profile $profile_def = $site->get_profile(array("id" => $site->fdat['profile_id'])); ################## CHECK & CHANGE profile values (required, date formats, arrays, etc) $sql_field_values = check_profile_values(array("profile_def" => &$profile_def, "skip_fields" => "group_id,name,parent_group_id")); #printr($sql_field_values); ############ NEW OR COPY if ($op == 'new' || $op == 'copy') { $parent_id = $site->fdat['group_id']; $sql = $site->db->prepare("INSERT INTO groups (profile_id, name, parent_group_id, auth_type " . (count($update_fields) ? ',' . join(",", array_keys($sql_field_values)) : '') . ") VALUES (?,?,?,? " . (count($update_fields) ? ",'" . join("','", array_values($sql_field_values)) . "'" : "") . " )", $site->fdat['profile_id'] ? $site->fdat['profile_id'] : 0, trim($site->fdat['name']) == '' ? 'undefined' : $site->fdat['name'], $site->fdat['parent_group_id'], $site->fdat['auth_type']); #print $sql; $sth = new SQL($sql); $site->debug->msg($sth->debug->get_msgs()); $site->fdat['group_id'] = $sth->insert_id; ######################## # INSERT PERMISSIONS # lisame uuele grupile t�pselt samad �igused nagu on tema parent grupil: # leia k�ik parenti �igused userite/gruppide kohta: $sql = $site->db->prepare("SELECT * FROM permissions WHERE type=? AND source_id=?", 'ACL', $parent_id); $sth = new SQL($sql);
if (!$site->fdat['refresh'] && ($op2 == 'save' || $op2 == 'saveclose' || $op2 == 'deleteconfirmed' || $op2 == 'lockconfirmed')) { verify_form_token(); $form_error = $site->fdat['error']; # get all table fields: $user_fields = array(); $user_fields = split(",", $site->db->get_fields(array(tabel => 'users'))); # remove ID field from array: $id_key = array_search('user_id', $user_fields); unset($user_fields[$id_key]); ############## # SAVE USER TAB if ($site->fdat['tab'] == 'user') { ################## GET profile $profile_def = $site->get_profile(array("id" => $site->fdat['profile_id'])); ################## CHECK & CHANGE profile values (required, date formats, arrays, etc) $sql_field_values = check_profile_values(array("profile_def" => &$profile_def, "skip_fields" => "user_id, group_id, email, profile_id, firstname, lastname, is_predefined, username, password, pass_expires")); #printr($sql_field_values); $form_error = $site->fdat['error']; # if name is not defined then set it to 'undefined': if (trim($site->fdat['firstname']) == '') { $site->fdat['firstname'] = 'undefined'; } #echo printr($sql_field_values); ############ E-MAIL: CHECK FOR CORRECT FORMAT # if e-mail is set if ($site->fdat['email'] != '') { if (!preg_match("/^[\\w\\-\\&\\.\\d]+\\@[\\w\\-\\&\\.\\d]+\$/", $site->fdat['email'])) { # don't save incorrect data: unset($site->fdat['email']); # save error message for use in form later: $form_error['email'] = $site->sys_sona(array(sona => "wrong email format", tyyp => "kasutaja"));