$newUser = new User($database, intval($_REQUEST['id'])); } catch (Exception $e) { redirect_to(array('location' => 'user.php' . (isset($_REQUEST['id']) ? "?action=show&id=" . intval($_REQUEST['id']) : ""), 'status' => 'This user does not exist.', 'class' => 'error')); } if (intval($_POST['user']['facility_id']) != $user->facility['id']) { redirect_to(array('location' => 'user.php', 'status' => 'You may only modify users from your own facility.', 'class' => 'error')); } // if changing userlevel, ensure that they are setting it less than their current userlevel. if (isset($_POST['user']['usermask']) && !$user->isAdmin() && intval(@array_sum($_POST['user']['usermask'])) >= $user->usermask) { redirect_to(array('location' => 'user.php', 'status' => 'You are not allowed to set userlevels beyond your current userlevel.', 'class' => 'error')); } // if changing facility, ensure that they are an administrator. if (isset($_POST['user']['facility_id']) && !$user->isAdmin()) { redirect_to(array('location' => 'user.php', 'status' => 'You are not allowed to change a user\'s facility. Please contact a facility administrator.', 'class' => 'error')); } $updateUser = $newUser->create_or_update($_POST['user']); if ($updateUser) { redirect_to(array('location' => 'user.php?action=show&id=' . intval($updateUser), 'status' => "Successfully " . (isset($_REQUEST['id']) ? "updated" : "created") . " this user.", 'class' => 'success')); } else { redirect_to(array('location' => 'user.php' . (isset($_REQUEST['id']) ? "?action=edit&id=" . intval($_REQUEST['id']) : "?action=new"), 'status' => "An error occurred while " . (isset($_REQUEST['id']) ? "updating" : "creating") . " this user.", 'class' => 'error')); } } elseif ($_REQUEST['action'] == 'delete' && isset($_REQUEST['id'])) { // ensure that this user is an admin. if (!$user->loggedIn() || !$user->isAdmin()) { redirect_to(array('location' => 'user.php', 'status' => 'Only facility administrators are allowed to delete users.', 'class' => 'error')); } // get this user entry. try { $targetUser = new User($database, intval($_REQUEST['id'])); } catch (Exception $e) { redirect_to(array('location' => 'user.php', 'status' => 'The requested user was not found. Please try again.', 'class' => 'error'));