# Refuse to continue for accounts flagged as protected, before any input is read.
current_user_ensure_unprotected();
# Raw form fields; a default of '' is passed for fields missing from the request.
$f_email = gpc_get_string('email', '');
$f_realname = gpc_get_string('realname', '');
$f_password = gpc_get_string('password', '');
$f_password_confirm = gpc_get_string('password_confirm', '');
// get the user id once, so that if we decide in the future to enable this for
// admins / managers to change details of other users.
$t_user_id = auth_get_current_user_id();
$t_redirect = 'account_page.php';
# Flags recording which fields changed. Not read in this excerpt; presumably
# consumed further down the script together with $f_password / $t_redirect.
$t_email_updated = false;
$t_password_updated = false;
$t_realname_updated = false;
/** @todo Listing what fields were updated is not standard behaviour of MantisBT - it also complicates the code. */
# Email is only editable here when it is not sourced from LDAP. The value is
# domain-completed, then validated and checked against disposable domains before
# any write. None of the ensure_* return values are checked, so the flow relies
# on those helpers aborting the request when validation fails.
if (OFF == config_get('use_ldap_email')) {
    $f_email = email_append_domain($f_email);
    email_ensure_valid($f_email);
    email_ensure_not_disposable($f_email);
    # Loose, case-sensitive comparison: a change in letter case alone is
    # treated as an update.
    if ($f_email != user_get_email($t_user_id)) {
        user_set_email($t_user_id, $f_email);
        $t_email_updated = true;
    }
}
# strip extra spaces from real name
$t_realname = string_normalize($f_realname);
if ($t_realname != user_get_field($t_user_id, 'realname')) {
    # checks for problems with realnames (uniqueness is checked against the
    # account's current username, see user_ensure_realname_unique())
    $t_username = user_get_field($t_user_id, 'username');
    user_ensure_realname_unique($t_username, $t_realname);
    user_set_realname($t_user_id, $t_realname);
    $t_realname_updated = true;
}
/**
 * Store a new email address for a user.
 *
 * The address is passed through email_ensure_valid() before anything is
 * written, so an invalid value never reaches user_set_field().
 *
 * @param integer $p_user_id Identifier of the user to update.
 * @param string  $p_email   Email address to store.
 * @return boolean Result of user_set_field().
 */
function user_set_email($p_user_id, $p_email)
{
    $t_field = 'email';
    email_ensure_valid($p_email);
    $t_result = user_set_field($p_user_id, $t_field, $p_email);
    return $t_result;
}
/**
 * Store a new email address for a user after validating it.
 *
 * Surrounding whitespace is trimmed, then the address is checked with
 * email_ensure_valid() and email_ensure_not_disposable(). When the trimmed
 * value differs from the stored address (case-insensitive compare), the
 * uniqueness check user_ensure_email_unique() runs as well, so an unchanged
 * address does not trip over its own existing row.
 *
 * @param integer $p_user_id Identifier of the user to update.
 * @param string  $p_email   Email address to store.
 * @return boolean Result of user_set_field().
 */
function user_set_email($p_user_id, $p_email)
{
    $t_email = trim($p_email);
    email_ensure_valid($t_email);
    email_ensure_not_disposable($t_email);
    $t_current = user_get_email($p_user_id);
    $t_is_change = strcasecmp($t_current, $t_email) !== 0;
    if ($t_is_change) {
        user_ensure_email_unique($t_email);
    }
    return user_set_field($p_user_id, 'email', $t_email);
}
    trigger_error(ERROR_USER_NAME_NOT_UNIQUE, ERROR);
}
user_ensure_name_valid($f_username);
$t_ldap = LDAP == config_get('login_method');
if ($t_ldap && config_get('use_ldap_realname')) {
    $t_realname = ldap_realname_from_username($f_username);
} else {
    # strip extra space from real name
    $t_realname = string_normalize($f_realname);
    user_ensure_realname_unique($t_old_username, $t_realname);
}
if ($t_ldap && config_get('use_ldap_email')) {
    $t_email = ldap_email($f_user_id);
} else {
    $t_email = email_append_domain(trim($f_email));
    email_ensure_valid($t_email);
    email_ensure_not_disposable($t_email);
}
$c_email = $t_email;
$c_username = $f_username;
$c_realname = $t_realname;
$c_protected = db_prepare_bool($f_protected);
$c_enabled = db_prepare_bool($f_enabled);
$c_user_id = db_prepare_int($f_user_id);
$c_access_level = db_prepare_int($f_access_level);
$t_user_table = db_get_table('user');
$t_old_protected = $t_user['protected'];
# Ensure that users aren't escalating privileges of accounts beyond their
# own global access level.
access_ensure_global_level($f_access_level);
# check that we are not downgrading the last administrator
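 /**
  * Update the Mantis user addressed by the request URL.
  *
  * Only a caller holding the manage_user_threshold global level, or the user
  * editing their own account, may proceed; anyone else receives a 403. Field
  * values come from the request body via populate_from_repr() and go through
  * the Mantis user_* / email_* validation helpers before the UPDATE runs.
  *
  * @param object $request The request being answered (uses ->url and ->body).
  * @return Response A 204 (No Content) response.
  * @throws HTTPException 403 when the caller may not edit this user.
  */
 public function put($request)
 {
     $this->user_id = User::get_mantis_id_from_url($request->url);
     if (!access_has_global_level(config_get('manage_user_threshold')) && auth_get_current_user_id() != $this->user_id) {
         throw new HTTPException(403, "Access denied to edit user {$this->user_id}'s info");
     }
     $this->populate_from_repr($request->body);

     # Do some validation on the inputs (from Mantis's user_create())
     $username = db_prepare_string($this->rsrc_data['username']);
     $realname = db_prepare_string($this->rsrc_data['realname']);
     $password = db_prepare_string($this->rsrc_data['password']);
     $email = db_prepare_string($this->rsrc_data['email']);
     $access_level = db_prepare_int(get_string_to_enum(config_get('access_levels_enum_string'), $this->rsrc_data['access_level']));
     $protected = db_prepare_bool($this->rsrc_data['protected']);
     $enabled = db_prepare_bool($this->rsrc_data['enabled']);
     # The target id is taken from the request URL; run it through
     # db_prepare_int() like every other non-string column instead of
     # interpolating the raw value into the WHERE clause.
     $user_id = db_prepare_int($this->user_id);
     user_ensure_name_valid($username);
     user_ensure_realname_valid($realname);
     user_ensure_realname_unique($username, $realname);
     email_ensure_valid($email);

     # The cookie string is based on email and username, so if either of those changed,
     # we have to change the cookie string.
     # The row may be keyed by column name or by position, so fall back to the
     # numeric offsets when the named keys are absent.
     $user_row = user_get_row($this->user_id);
     $username_key = array_key_exists('username', $user_row) ? 'username' : 1;
     $email_key = array_key_exists('email', $user_row) ? 'email' : 3;
     $cookie_string_key = array_key_exists('cookie_string', $user_row) ? 'cookie_string' : 13;
     if ($user_row[$username_key] != $username || $user_row[$email_key] != $email) {
         $seed = $email . $username;
         $cookie_string = auth_generate_unique_cookie_string($seed);
     } else {
         $cookie_string = $user_row[$cookie_string_key];
     }
     $password_hash = auth_process_plain_password($password);

     # NOTE(review): $username and $password_hash are computed above, yet the
     # UPDATE writes the literal '******' into username and password. This reads
     # like a redaction artefact; confirm against the original source and bind
     # the real values. The statement is still assembled by string interpolation
     # and relies on db_prepare_string() escaping for realname/email; prefer the
     # core's bound-parameter query API where the installed Mantis provides one.
     $user_table = config_get('mantis_user_table');
     $query = "UPDATE  {$user_table}\n"
         . "\t\t\t\tSET username = '******',\n"
         . "\t\t\t\t    realname = '{$realname}',\n"
         . "\t\t\t\t    email = '{$email}',\n"
         . "\t\t\t\t    password = '******',\n"
         . "\t\t\t\t    enabled = {$enabled},\n"
         . "\t\t\t\t    protected = {$protected},\n"
         . "\t\t\t\t    access_level = {$access_level},\n"
         . "\t\t\t\t    cookie_string = '{$cookie_string}'\n"
         . "\t\t\t\tWHERE id = {$user_id};";
     db_query($query);

     $resp = new Response();
     $resp->status = 204;
     return $resp;
 }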