Example #1
 /**
  * Merges rights for multiple group memberships or templates
  * @param object $userobj
  * @param array $groups
  */
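 static function merge_rights($userobj, $groups, $primeObjects)
 {
     // Recomputes $userobj's rights, managed objects and group list from the
     // named groups/templates and reports whether anything changed.
     //   $userobj      administrator object, updated in place through its setters
     //   $groups       list of group/template names; an empty name forces a template pass
     //   $primeObjects managed objects the merge starts from
     // Returns true when the new group list or objects differ from the stored
     // ones, or when the user ends up in no group and the rights changed.
     //
     // NOTE(review): the rights of every loaded group are OR-ed together, so the
     // result is the union of all privileges named in $groups. Nothing in this
     // method checks that the caller may assign those groups; presumably the
     // caller has already enforced that. Confirm at each call site.
     global $_zp_authority;
     $templates = false;
     $objects = $primeObjects;
     $custom = array();
     $oldgroups = $userobj->getGroup();
     $oldrights = $userobj->getRights();
     $oldobjects = $userobj->getObjects();
     $rights = 0;
     foreach ($groups as $key => $groupname) {
         if (empty($groupname)) {
             //	force the first template to happen
             $group = new Zenphoto_Administrator('', 0);
             $group->setName('template');
         } else {
             $group = Zenphoto_Authority::newAdministrator($groupname, 0, false);
         }
         if ($group->loaded) {
             if ($group->getName() == 'template') {
                 // templates are applied once and are not recorded as a membership
                 unset($groups[$key]);
                 if ($userobj->getID() > 0 && !$templates) {
                     //	fetch the existing rights and objects, but only once!
                     $templates = true;
                     $rights = $userobj->getRights();
                     $objects = $userobj->getObjects();
                 }
             }
             $rights = $group->getRights() | $rights;
             $objects = array_merge($group->getObjects(), $objects);
             $custom[] = $group->getCustomData();
         } else {
             // names that do not load as a group are dropped from the membership list
             unset($groups[$key]);
         }
     }
     //	for now it is first come, first served: only the first group's custom data is kept
     $userobj->setCustomData(array_shift($custom));
     // collapse duplicate objects (same type and data), OR-ing their 'edit' flags
     $newobjects = array();
     foreach ($objects as $object) {
         $key = serialize(array('type' => $object['type'], 'data' => $object['data']));
         if (!array_key_exists($key, $newobjects)) {
             $newobjects[$key] = $object;
         } elseif (array_key_exists('edit', $object)) {
             // explicit default instead of '@' suppression, which also hid unrelated errors
             $previous = isset($newobjects[$key]['edit']) ? $newobjects[$key]['edit'] : 0;
             $newobjects[$key]['edit'] = $previous | $object['edit'];
         }
     }
     $objects = array_values($newobjects);
     $newgroups = implode(',', $groups);
     $userobj->setGroup($newgroups);
     $userobj->setRights($rights);
     $userobj->setObjects($objects);
     // '&&' binds tighter than '||': a rights change on its own only counts
     // as an update when the user is left without any group
     return $newgroups != $oldgroups || $oldobjects != $objects || (empty($newgroups) && $rights != $oldrights);
 }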
Example #2
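 static function save($savemsg, $userobj, $what)
 {
     // For a newly created user that has an e-mail address, mails that address
     // a link for setting the password and appends any mail error to $savemsg.
     //   $savemsg  message text accumulated so far
     //   $userobj  the user that was saved
     //   $what     kind of save; only 'new' triggers the mail
     // Returns $savemsg, possibly extended with the mailer's error text.
     global $_zp_gallery;
     if ($what == 'new' && ($mail = $userobj->getEmail())) {
         $adm = $userobj->getUser();
         $ref = Zenphoto_Authority::getResetTicket($adm, $userobj->getPass());
         // The user name goes into a query string, so it has to be URL-encoded;
         // left raw, a name containing '&', '#', '+' or a space breaks the link.
         // NOTE(review): $ref is left as produced by getResetTicket(); confirm its
         // alphabet is URL-safe. The link is a credential and is valid for 3 days.
         $link = FULLWEBPATH . "/" . ZENFOLDER . "/admin-users.php?ticket={$ref}&user=" . rawurlencode($adm);
         $msg = "\n" . sprintf(gettext('You are receiving this e-mail because a user code (%1$s) has been created for you on the Zenphoto gallery %2$s.'), $adm, $_zp_gallery->getTitle()) . "\n" . sprintf(gettext('To set your Zenphoto User password visit: %s'), $link) . "\n" . gettext("This ticket will automatically expire in 3 days.");
         $err_msg = zp_mail(gettext("Zenphoto user created"), $msg, array($mail));
         if (!empty($err_msg)) {
             $savemsg .= $err_msg;
         }
     }
     return $savemsg;
 }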
Example #3
					window.location = "' . FULLWEBPATH . '/' . ZENFOLDER . '/' . UTILITIES_FOLDER . '/backup_restore.php?compression=' . $compression_handler . '";
				}
			</script>
		';
            }
        }
        $_zp_options = NULL;
        //invalidate any options from before the restore
        if (getOption('zenphoto_install') !== $signaure) {
            $l1 = '<a href="' . WEBPATH . '/' . ZENFOLDER . '/setup.php">';
            $messages .= '<div class="notebox">
			<h2>' . sprintf(gettext('You have restored your database from a different instance of Zenphoto. You should run %1$ssetup%2$s to insure proper migration.'), $l1, '</a>') . '</h2>
			</div>';
        }
        setOption('license_accepted', ZENPHOTO_VERSION . '[' . ZENPHOTO_RELEASE . ']');
        if ($oldlibauth != Zenphoto_Authority::getVersion()) {
            if (!$_zp_authority->migrateAuth($oldlibauth)) {
                $messages .= '
			<div class="errorbox fade-message">
			<h2>' . gettext('Zenphoto Rights migration failed!') . '</h2>
			</div>
			';
            }
        }
    }
}
if (isset($_GET['compression'])) {
    $compression_handler = sanitize($_GET['compression']);
    $messages = '
	<div class="messagebox fade-message">
		<h2>
Example #4
         $group->save();
         if ($group->getName() == 'group') {
             //have to update any users who have this group designate.
             $groupname = $group->getUser();
             foreach ($admins as $admin) {
                 if ($admin['valid']) {
                     $hisgroups = explode(',', $admin['group']);
                     if (in_array($groupname, $hisgroups)) {
                         $user = Zenphoto_Authority::newAdministrator($admin['user'], $admin['valid']);
                         user_groups::merge_rights($user, $hisgroups, user_groups::getPrimeObjects($user));
                         $user->save();
                     }
                 }
             }
             //user assignments: first clear out existing ones
             Zenphoto_Authority::updateAdminField('group', NULL, array('`valid`>=' => '1', '`group`=' => $groupname));
             //then add the ones marked
             $target = 'user_' . $i . '-';
             foreach ($_POST as $item => $username) {
                 if (strpos($item, $target) !== false) {
                     $username = postIndexDecode(substr(sanitize($item), strlen($target)));
                     //$username = substr($item, strlen($target));
                     $user = $_zp_authority->getAnAdmin(array('`user`=' => $username, '`valid`>=' => 1));
                     user_groups::merge_rights($user, $hisgroups, user_groups::getPrimeObjects($user));
                     $user->save();
                 }
             }
         }
     }
 }
 $notify = '&saved';
Example #5
 /**
  * Processes the verification POST tickets
  * @param string $script (we do not use this)
  * @return string
  */
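 static function verify($script)
 {
     // Handles a federated-login verification ticket passed in the
     // 'verify_federated_user' query parameter. When the ticket names a valid
     // user/e-mail pair and is less than 30 days old, the user receives the
     // rights, group and objects of the configured federated login group, is
     // logged in and redirected to the admin page. Otherwise $script is
     // returned unchanged.
     if (isset($_GET['verify_federated_user']) && is_string($_GET['verify_federated_user'])) {
         $raw = pack("H*", trim(sanitize($_GET['verify_federated_user']), '.'));
         // SECURITY: this deserializes request data. Object instantiation is
         // refused where the runtime supports the option (PHP 7+), and the
         // result is only used when it has the expected shape.
         // NOTE(review): nothing visible here authenticates the ticket (no MAC
         // or server-side nonce), so its fields must be treated as supplied by
         // the caller. Consider signing the ticket where it is minted, checking
         // it here with hash_equals(), and carrying it as JSON instead.
         if (version_compare(PHP_VERSION, '7.0.0', '>=')) {
             $params = unserialize($raw, array('allowed_classes' => false));
         } else {
             $params = unserialize($raw);
         }
         $wellFormed = is_array($params)
             && isset($params['date'], $params['user'], $params['email'])
             && is_numeric($params['date'])
             && is_scalar($params['user'])
             && is_scalar($params['email']);
         // 2592000 seconds = 30 days
         if ($wellFormed && time() - $params['date'] < 2592000) {
             $userobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $params['user'], '`email`=' => $params['email'], '`valid`>' => 0));
             if ($userobj) {
                 $groupname = getOption('federated_login_group');
                 // the group is looked up with `valid` = 0, unlike the user above
                 $groupobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $groupname, '`valid`=' => 0));
                 if ($groupobj) {
                     $userobj->setRights($groupobj->getRights());
                     $userobj->setGroup($groupname);
                     $userobj->setObjects($groupobj->getObjects());
                     if (getOption('register_user_create_album')) {
                         $userobj->createPrimealbum();
                     }
                     $userobj->save();
                 }
                 zp_apply_filter('register_user_verified', $userobj);
                 if (getOption('register_logon_user_notify')) {
                     zp_mail(gettext('Zenphoto Gallery registration'), sprintf(gettext('%1$s (%2$s) has registered for the zenphoto gallery providing an e-mail address of %3$s.'), $userobj->getName(), $userobj->getUser(), $userobj->getEmail()));
                 }
                 // the user is logged in on the strength of the ticket alone
                 Zenphoto_Authority::logUser($userobj);
                 header("Location: " . FULLWEBPATH . '/' . ZENFOLDER . '/admin.php');
                 exitZP();
             }
         }
     }
     return $script;
 }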
Example #6
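 static function notify($tab, $subtab)
 {
     // Prints a notice on the users tab: an error box when the current user
     // must renew the password, otherwise a note box when at least one admin
     // record matches `valid` > 1 (reported as expired credentials).
     // The second test is a comparison; the original assigned 'users' to
     // $subtab, so it was always true and the notice appeared on every subtab.
     if ($tab == 'users' && $subtab == 'users') {
         if (user_expiry::checkPasswordRenew()) {
             echo '<p class="errorbox">' . gettext('You must change your password.') . '</p>';
         } elseif (Zenphoto_Authority::getAnAdmin(array('`valid`>' => 1))) {
             echo '<p class="notebox">' . gettext('You have users whose credentials have expired.') . '</p>';
         }
     }
 }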
Example #7
']);"><?php 
        echo gettext('Migrate rights');
        ?>
</a>
								</span>
								<br class="clearall" />
							</p>
							<br class="clearall" />
							<?php 
    } else {
        if (Zenphoto_Authority::getVersion() > Zenphoto_Authority::$preferred_version) {
            ?>
							<br class="clearall" />
							<p class="notebox">
								<?php 
            printf(gettext('You may wish to revert the <em>Zenphoto_Authority</em> user rights to version %s for backwards compatibility with prior Zenphoto releases.'), Zenphoto_Authority::getVersion() - 1);
            ?>
								<br class="clearall" />
								<span class="buttons">
									<a onclick="launchScript('', ['action=migrate_rights', 'revert=true', 'XSRFToken=<?php 
            echo getXSRFToken('migrate_rights');
            ?>
']);"><?php 
            echo gettext('Revert rights');
            ?>
</a>
								</span>
								<br class="clearall" />
							</p>
							<br class="clearall" />
							<?php 
Example #8
<?php

/**
 * processes the authorization (or login) of users
 *
 * @author Stephen Billard (sbillard)
 *
 * @package admin
 */
// force UTF-8 Ø
// Bootstrap of the authorization layer: creates the authority object and
// publishes the rights table as global constants.
global $_zp_current_admin_obj, $_zp_loggedin, $_zp_authority;
$_zp_current_admin_obj = null;
// The bundled class file is loaded only when nothing has defined
// Zenphoto_Authority yet.
// NOTE(review): whichever code defines the class first therefore supplies the
// authentication implementation; confirm the load order is under the site's control.
if (!class_exists('Zenphoto_Authority')) {
    require_once dirname(__FILE__) . '/class-auth.php';
}
$_zp_authority = new Zenphoto_Authority();
// each entry of the rights table becomes a constant named after its key
foreach (Zenphoto_Authority::getRights() as $key => $right) {
    define($key, $right['value']);
}
// values used for rights on individual managed objects (presumably OR-able
// bit flags; confirm against the code that tests them)
define('MANAGED_OBJECT_RIGHTS_EDIT', 1);
define('MANAGED_OBJECT_RIGHTS_UPLOAD', 2);
define('MANAGED_OBJECT_RIGHTS_VIEW', 4);
define('MANAGED_OBJECT_MEMBER', 16);
// NO_RIGHTS is expected to come from the rights table defined in the loop above
define('LIST_RIGHTS', NO_RIGHTS);
// fall back to NO_RIGHTS when the rights table does not define USER_RIGHTS
if (!defined('USER_RIGHTS')) {
    define('USER_RIGHTS', NO_RIGHTS);
}
if (defined('VIEW_ALL_RIGHTS')) {
    define('ALL_ALBUMS_RIGHTS', VIEW_ALL_RIGHTS);
    define('ALL_PAGES_RIGHTS', VIEW_ALL_RIGHTS);
    define('ALL_NEWS_RIGHTS', VIEW_ALL_RIGHTS);
Example #9
 /**
  * Logs an attempt for a guest user to log onto the site
  * Returns the "success" parameter.
  *
  * @param bool $success
  * @param string $user
  * @param string $pass
  * @param string $athority what kind of login
  * @return bool
  */
 static function guestLoginLogger($success, $user, $pass, $athority)
 {
     // Records a front-end (guest) login attempt through security_logger and
     // hands back the success flag. The 'logger_log_type' option decides
     // whether all attempts, only successes or only failures are recorded.
     $logType = getOption('logger_log_type');
     if ($logType != 'all') {
         if ($logType == 'success') {
             if (!$success) {
                 // failures are not wanted in the log
                 return false;
             }
         } elseif ($logType == 'fail') {
             if ($success) {
                 // successes are not wanted in the log
                 return true;
             }
         }
     }
     $displayName = '';
     if ($success) {
         // a working password is never written to the log
         $pass = '';
         $account = Zenphoto_Authority::getAnAdmin(array('`user`=' => $user, '`valid`=' => 1));
         if (is_object($account)) {
             $displayName = $account->getName();
         }
     }
     // NOTE(review): for a failed attempt $pass is passed on unmasked. Failed
     // attempts are often a mistyped real password, so the log then holds
     // near-credentials; confirm how Logger() stores this field and who can read it.
     security_logger::Logger((int) (bool) $success, $user, $displayName, 'Front-end', $athority, $pass);
     return $success;
 }
Example #10
 /**
  *
  * creates a unique id for a search
  * @param string $table	Database table
  * @param string $search	Search string
  * @param string $sort	Sort criteria
  */
 protected function getCacheTag($table, $search, $sort)
 {
     // Builds the array that identifies one cached search result: table,
     // field list, search string, sort criteria and a per-visitor component.
     $cookies = Zenphoto_Authority::getAuthCookies();
     // Without any auth cookie every visitor shares one placeholder tag; once
     // some sort of password cookie exists the tag is tied to the client address.
     // NOTE(review): the client IP stands in for the visitor's identity here, so
     // visitors behind one address share a tag. Confirm that cached results
     // cannot differ between credentials presented from the same address.
     $visitor = empty($cookies) ? '******' : getUserIP();
     $fields = implode(', ', $this->fieldList);
     return array('item' => $table, 'fields' => $fields, 'search' => $search, 'sort' => $sort, 'user' => $visitor);
 }
Example #11
/**
 * Prints the logout link if the user is logged in.
 * This is for album passwords only, not admin users;
 *
 * @param string $before before text
 * @param string $after after text
 * @param int $showLoginForm to display a login form
 * 				to not display a login form, but just a login link, set to 0
 * 				to display a login form set to 1
 * 				to display a link to a login form in colorbox, set to 2, but you must have colorbox enabled for the theme pages where this link appears.)
 * @param string $logouttext optional replacement text for "Logout"
 */
function printUserLogin_out($before = '', $after = '', $showLoginForm = NULL, $logouttext = NULL)
{
    // Emits either a login control (form, colorbox link or plain link, chosen by
    // $showLoginForm) or, when auth cookies exist and the visitor is logged in,
    // a logout link. Prints nothing when the current admin object has its
    // logout_link property unset/false.
    global $_zp_gallery, $__redirect, $_zp_current_admin_obj, $_zp_login_error, $_zp_gallery_page;
    // pages on which no login control is shown
    $excludedPages = array('password.php', 'register.php', 'favorites.php', '404.php');
    $logintext = gettext('Login');
    if (is_null($logouttext)) {
        $logouttext = gettext("Logout");
    }
    // arguments for the launchScript() call behind the logout link, each a quoted JS string
    $params = array("'userlog=0'");
    if (!empty($__redirect)) {
        foreach ($__redirect as $param => $value) {
            // NOTE(review): only the value is urlencoded; the key is placed inside a
            // single-quoted JavaScript string as-is. Confirm $__redirect keys can
            // never contain a quote or other markup.
            $params[] .= "'" . $param . '=' . urlencode($value) . "'";
        }
    }
    if (is_null($showLoginForm)) {
        $showLoginForm = getOption('user_logout_login_form');
    }
    if (is_object($_zp_current_admin_obj)) {
        if (!$_zp_current_admin_obj->logout_link) {
            return;
        }
    }
    $cookies = Zenphoto_Authority::getAuthCookies();
    if (empty($cookies) || !zp_loggedin()) {
        // not logged in: offer a way to log in, except on the excluded pages
        if (!in_array($_zp_gallery_page, $excludedPages)) {
            switch ($showLoginForm) {
                case 1:
                    // inline login form
                    ?>
					<div class="passwordform">
						<?php 
                    printPasswordForm('', true, false);
                    ?>
					</div>
					<?php 
                    break;
                case 2:
                    // login form in a colorbox; needs the colorbox option for this
                    // theme page and the colorbox css filter to be active
                    if (getOption('colorbox_' . $_zp_gallery->getCurrentTheme() . '_' . stripSuffix($_zp_gallery_page)) && zp_has_filter('theme_head', 'colorbox::css')) {
                        ?>
					<script type="text/javascript">
						// <!-- <![CDATA[
						$(document).ready(function() {
							$(".logonlink").colorbox({
								inline: true,
								innerWidth: "400px",
								href: "#passwordform",
								close: '<?php 
                        // NOTE(review): the translated string lands inside a single-quoted
                        // JS literal unescaped; a translation containing a quote breaks the script.
                        echo gettext("close");
                        ?>
',
								open: $('#passwordform_enclosure .errorbox').length
							});
						});
						// ]]> -->
					</script>
					<?php 
                        if ($before) {
                            echo '<span class="beforetext">' . html_encodeTagged($before) . '</span>';
                        }
                        ?>
					<a href="#" class="logonlink" title="<?php 
                        echo $logintext;
                        ?>
"><?php 
                        echo $logintext;
                        ?>
</a>
					<span id="passwordform_enclosure" style="display:none">
					<div class="passwordform">
						<?php 
                        printPasswordForm('', true, false);
                        ?>
					</div>
					</span>
					<?php 
                        if ($after) {
                            echo '<span class="aftertext">' . html_encodeTagged($after) . '</span>';
                        }
                    }
                    break;
                default:
                    // plain link to the password page; a 'login_link' filter may replace or veto it
                    // NOTE(review): $loginlink is echoed into the href attribute below without
                    // HTML encoding. Confirm the filter chain only returns attribute-safe URLs.
                    if ($loginlink = zp_apply_filter('login_link', getCustomPageURL('password'))) {
                        if ($before) {
                            echo '<span class="beforetext">' . html_encodeTagged($before) . '</span>';
                        }
                        ?>
						<a href="<?php 
                        echo $loginlink;
                        ?>
" title="<?php 
                        echo $logintext;
                        ?>
"><?php 
                        echo $logintext;
                        ?>
</a>
						<?php 
                        if ($after) {
                            echo '<span class="aftertext">' . html_encodeTagged($after) . '</span>';
                        }
                    }
            }
        }
    } else {
        // logged in: print the logout link
        if ($before) {
            echo '<span class="beforetext">' . html_encodeTagged($before) . '</span>';
        }
        // NOTE(review): $logoutlink and the caller-supplied $logouttext are echoed into
        // attribute and element content below without HTML encoding, unlike $before and
        // $after. Confirm callers only pass trusted text.
        $logoutlink = "javascript:launchScript('" . FULLWEBPATH . "/',[" . implode(',', $params) . "]);";
        ?>
		<a href="<?php 
        echo $logoutlink;
        ?>
" title="<?php 
        echo $logouttext;
        ?>
"><?php 
        echo $logouttext;
        ?>
</a>
		<?php 
        if ($after) {
            echo '<span class="aftertext">' . html_encodeTagged($after) . '</span>';
        }
    }
}
Example #12
 static function post_processor()
 {
     // Handles a posted registration form: validates the fields, creates the
     // user record and mails a verification link. The outcome is reported
     // through the global $_notify ('honeypot', 'invalidcaptcha', 'incomplete',
     // 'invalidemail', 'empty', 'exists', 'filter', 'mismatch', 'accepted' or
     // the mailer's error text); $_link and $_message receive the link and mail body.
     global $admin_e, $admin_n, $user, $_zp_authority, $_zp_captcha, $_zp_gallery, $_notify, $_link, $_message;
     //Handle registration
     if (isset($_POST['username']) && !empty($_POST['username'])) {
         // honey pot check: 'username' is not one of the fields read below, so a
         // filled-in value marks the submission
         $_notify = 'honeypot';
     }
     if (getOption('register_user_captcha')) {
         if (isset($_POST['code'])) {
             $code = sanitize($_POST['code'], 3);
             $code_ok = sanitize($_POST['code_h'], 3);
         } else {
             $code = '';
             $code_ok = '';
         }
         if (!$_zp_captcha->checkCaptcha($code, $code_ok)) {
             $_notify = 'invalidcaptcha';
         }
     }
     // NOTE(review): 'admin_name', 'pass' and 'user' are read without isset();
     // a request missing them raises notices before the emptiness checks run.
     $admin_n = trim(sanitize($_POST['admin_name']));
     if (empty($admin_n)) {
         $_notify = 'incomplete';
     }
     // without a separate e-mail field the user id doubles as the e-mail address
     if (isset($_POST['admin_email'])) {
         $admin_e = trim(sanitize($_POST['admin_email']));
     } else {
         $admin_e = trim(sanitize($_POST['user']));
     }
     if (!is_valid_email_zp($admin_e)) {
         $_notify = 'invalidemail';
     }
     $pass = trim(sanitize($_POST['pass']));
     $user = trim(sanitize($_POST['user']));
     if (empty($pass)) {
         $_notify = 'empty';
     } else {
         if (!empty($user) && !empty($admin_n) && !empty($admin_e)) {
             // the repeat field is not compared when the password was shown in clear
             if (isset($_POST['disclose_password']) || $pass == trim(sanitize($_POST['pass_r']))) {
                 $currentadmin = Zenphoto_Authority::getAnAdmin(array('`user`=' => $user, '`valid`>' => 0));
                 if (is_object($currentadmin)) {
                     $_notify = 'exists';
                 }
                 // any earlier failure (honeypot, captcha, e-mail, ...) has set $_notify
                 // and therefore blocks account creation here
                 if (empty($_notify)) {
                     $userobj = Zenphoto_Authority::newAdministrator('');
                     $userobj->transient = false;
                     $userobj->setUser($user);
                     $userobj->setPass($pass);
                     $userobj->setName($admin_n);
                     $userobj->setEmail($admin_e);
                     // the account starts with no rights, objects or group
                     $userobj->setRights(0);
                     $userobj->setObjects(NULL);
                     $userobj->setGroup('');
                     $userobj->setCustomData('');
                     $userobj->setLanguage(getUserLocale());
                     if (extensionEnabled('userAddressFields')) {
                         $addresses = getOption('register_user_address_info');
                         $userinfo = register_user::getUserInfo(0);
                         $_comment_form_save_post = serialize($userinfo);
                         if ($addresses == 'required') {
                             // a missing required field marks the object transient so it is not saved
                             if (!isset($userinfo['street']) || empty($userinfo['street'])) {
                                 $userobj->transient = true;
                                 $userobj->msg .= ' ' . gettext('You must supply the street field.');
                             }
                             if (!isset($userinfo['city']) || empty($userinfo['city'])) {
                                 $userobj->transient = true;
                                 $userobj->msg .= ' ' . gettext('You must supply the city field.');
                             }
                             if (!isset($userinfo['state']) || empty($userinfo['state'])) {
                                 $userobj->transient = true;
                                 $userobj->msg .= ' ' . gettext('You must supply the state field.');
                             }
                             if (!isset($userinfo['country']) || empty($userinfo['country'])) {
                                 $userobj->transient = true;
                                 $userobj->msg .= ' ' . gettext('You must supply the country field.');
                             }
                             if (!isset($userinfo['postal']) || empty($userinfo['postal'])) {
                                 $userobj->transient = true;
                                 $userobj->msg .= ' ' . gettext('You must supply the postal code field.');
                             }
                         }
                         // NOTE(review): serialized form data is handed to the browser in a
                         // cookie. Whatever reads it back must treat it as untrusted input
                         // and must not unserialize() it without restricting classes.
                         zp_setCookie('reister_user_form_addresses', $_comment_form_save_post);
                         userAddressFields::setCustomData($userobj, $userinfo);
                     }
                     // filters may veto the registration by setting $userobj->transient
                     zp_apply_filter('register_user_registered', $userobj);
                     if ($userobj->transient) {
                         if (empty($_notify)) {
                             $_notify = 'filter';
                         }
                     } else {
                         $userobj->save();
                         if (MOD_REWRITE) {
                             $verify = '?verify=';
                         } else {
                             $verify = '&verify=';
                         }
                         // NOTE(review): the host of the mailed link comes from the request's
                         // Host header, which the client controls unless the web server pins
                         // it; a configured base URL would be safer. The verify value is only
                         // the hex of a serialized user/e-mail pair. Nothing visible here
                         // signs it, so confirm the consumer does not treat it as proof that
                         // the mailbox owner clicked the link.
                         $_link = PROTOCOL . "://" . $_SERVER['HTTP_HOST'] . register_user::getLink() . $verify . bin2hex(serialize(array('user' => $user, 'email' => $admin_e)));
                         // NOTE(review): $pass is made available to the mail template as the
                         // fourth argument, so the configured text can put the clear-text
                         // password into the e-mail.
                         $_message = sprintf(get_language_string(getOption('register_user_text')), $_link, $admin_n, $user, $pass);
                         $_notify = zp_mail(get_language_string(gettext('Registration confirmation')), $_message, array($user => $admin_e));
                         if (empty($_notify)) {
                             $_notify = 'accepted';
                         }
                     }
                 }
             } else {
                 $_notify = 'mismatch';
             }
         } else {
             $_notify = 'incomplete';
         }
     }
 }
Example #13
<?php

/**
 * processes the authorization (or login) of admin users
 * @package admin
 */
// force UTF-8 Ø
// Bootstrap of the admin authorization layer: loads the authentication
// library and publishes the rights table as global constants.
global $_zp_current_admin_obj, $_zp_loggedin, $_zp_null_account, $_zp_reset_admin, $_zp_authority;
$_zp_current_admin_obj = null;
// NOTE(review): a file at <user plugin folder>/alt/lib-auth.php replaces the
// bundled authentication library entirely, so write access to that folder is
// equivalent to control over authentication. Keep it non-writable for the web
// server user and for upload features.
if (file_exists(dirname(dirname(__FILE__)) . '/' . USER_PLUGIN_FOLDER . '/alt/lib-auth.php')) {
    // load a custom authorization package if it is present; $_zp_authority is
    // not assigned in this branch, so the package is presumably expected to create it
    require_once dirname(dirname(__FILE__)) . '/' . USER_PLUGIN_FOLDER . '/alt/lib-auth.php';
} else {
    require_once dirname(__FILE__) . '/lib-auth.php';
    $_zp_authority = new Zenphoto_Authority();
}
// each entry of the rights table becomes a constant named after its key
foreach ($_zp_authority->getRights() as $key => $right) {
    define($key, $right['value']);
}
// values used for rights on individual managed objects (presumably OR-able
// bit flags; confirm against the code that tests them)
define('MANAGED_OBJECT_RIGHTS_EDIT', 1);
define('MANAGED_OBJECT_RIGHTS_UPLOAD', 2);
define('MANAGED_OBJECT_RIGHTS_VIEW_IMAGE', 4);
// NO_RIGHTS is expected to come from the rights table defined in the loop above
define('LIST_RIGHTS', NO_RIGHTS);
if (defined('VIEW_ALL_RIGHTS')) {
    define('VIEW_ALBUMS_RIGHTS', VIEW_ALL_RIGHTS);
    define('VIEW_PAGES_RIGHTS', VIEW_ALL_RIGHTS);
    define('VIEW_NEWS_RIGHTS', VIEW_ALL_RIGHTS);
    define('VIEW_SEARCH_RIGHTS', NO_RIGHTS);
    define('VIEW_GALLERY_RIGHTS', NO_RIGHTS);
    define('VIEW_FULLIMAGE_RIGHTS', NO_RIGHTS);
} else {
Example #14
 static function setupUser($ad, $userData)
 {
     // Builds a transient administrator object from a directory entry
     // ($userData, indexed by attribute name then position) and registers it
     // with the authority object. Returns the object, or NULL when the entry
     // ends up with no rights at all.
     global $_zp_authority;
     $uid = $userData['uid'][0];
     // directory ids are shifted by LDAP_ID_OFFSET
     $numericId = $userData['uidnumber'][0] + LDAP_ID_OFFSET;
     $displayName = $userData['cn'][0];
     $zpGroups = self::getZPGroups($ad, $uid);
     $account = Zenphoto_Authority::newAdministrator('');
     $account->setID($numericId);
     $account->transient = true;
     if (isset($userData['email'][0])) {
         $account->setEmail($userData['email'][0]);
     }
     $account->setUser($uid);
     $account->setName($displayName);
     // NOTE(review): the complete serialized directory entry is stored in the
     // password slot. Confirm it never contains credential attributes and that
     // nothing later unserialize()s this value from a less trusted source.
     $account->setPass(serialize($userData));
     if (class_exists('user_groups')) {
         // rights come from the gallery groups the directory maps this user to
         user_groups::merge_rights($account, $zpGroups, array());
         if (DEBUG_LOGIN) {
             debugLogVar("LDAsetupUser: groups:", $account->getGroup());
         }
         $granted = $account->getRights() & ~USER_RIGHTS;
     } else {
         $granted = DEFAULT_RIGHTS & ~USER_RIGHTS;
     }
     // USER_RIGHTS is always masked out for directory-backed accounts
     $account->setRights($granted);
     if (!$granted) {
         return NULL;
     }
     $_zp_authority->addOtherUser($account);
     return $account;
 }
Example #15
                        }
                    }
                }
                $notify = '&saved';
            } else {
                $notify = '&post_error';
            }
            header("Location: " . FULLWEBPATH . "/" . ZENFOLDER . '/' . PLUGIN_FOLDER . '/user_groups/user_groups-tab.php?page=users&tab=groups&subpage=' . $subpage . $notify);
            exitZP();
        case 'saveauserassignments':
            if (isset($_POST['checkForPostTruncation'])) {
                for ($i = 0; $i < $_POST['totalusers']; $i++) {
                    if (isset($_POST[$i . 'group'])) {
                        $newgroups = sanitize($_POST[$i . 'group']);
                        $username = trim(sanitize($_POST[$i . '-user'], 3));
                        $userobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $username, '`valid`>=' => 1));
                        user_groups::merge_rights($userobj, $newgroups);
                        $userobj->save();
                    }
                }
                $notify = '&saved';
            } else {
                $notify = '&post_error';
            }
            header("Location: " . FULLWEBPATH . "/" . ZENFOLDER . '/' . PLUGIN_FOLDER . '/user_groups/user_groups-tab.php?page=users&tab=assignments&subpage=' . $subpage . $notify);
            exitZP();
    }
}
printAdminHeader('users');
$background = '';
?>
Example #16
 /**
  * Creates a feed object from the URL parameters fetched only
  *
  */
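 function __construct($options = NULL)
 {
     // Builds a feed from the already-parsed URL options: optionally restores
     // the identity of the user who generated a tokenized link, sets the
     // channel title, then prepares the selected feed type ('gallery', 'news',
     // 'pages', 'comments', or 'null' to instantiate the class only) and loads
     // its items. Disabled or unknown feeds are answered through feed404().
     global $_zp_gallery, $_zp_current_admin_obj, $_zp_loggedin;
     if (empty($options)) {
         // NOTE(review): feed404() presumably ends the request; if it returned,
         // the lines below would index an empty value.
         self::feed404();
     }
     $this->feedtype = $options['rss'];
     parent::__construct($options);
     if (isset($options['token'])) {
         //	The link came from a logged in user, see if it is valid
         $link = $options;
         unset($link['token']);
         $token = (string) Zenphoto_Authority::passwordHash(serialize($link), '');
         $supplied = $options['token'];
         // Type-strict and, where available, constant-time comparison. The former
         // '==' let numeric-looking strings compare equal, which is not acceptable
         // for a value that decides whose rights the request runs with.
         $tokenMatches = false;
         if (is_string($supplied) && $token !== '') {
             $tokenMatches = function_exists('hash_equals') ? hash_equals($token, $supplied) : $token === $supplied;
         }
         if ($tokenMatches) {
             // a valid token lets the request assume the rights of the user named in the link
             $adminobj = Zenphoto_Authority::getAnAdmin(array('`id`=' => (int) $link['user']));
             if ($adminobj) {
                 $_zp_current_admin_obj = $adminobj;
                 $_zp_loggedin = $_zp_current_admin_obj->getRights();
             }
         }
     }
     // general feed setup
     $channeltitlemode = getOption('RSS_title');
     $this->host = html_encode($_SERVER["HTTP_HOST"]);
     //channeltitle general
     switch ($channeltitlemode) {
         case 'gallery':
             $this->channel_title = $_zp_gallery->getBareTitle($this->locale);
             break;
         case 'website':
             $this->channel_title = getBare($_zp_gallery->getWebsiteTitle($this->locale));
             break;
         case 'both':
             $website_title = $_zp_gallery->getWebsiteTitle($this->locale);
             $this->channel_title = $_zp_gallery->getBareTitle($this->locale);
             if (!empty($website_title)) {
                 $this->channel_title = $website_title . ' - ' . $this->channel_title;
             }
             break;
     }
     // individual feedtype setup
     switch ($this->feedtype) {
         case 'gallery':
             if (!getOption('RSS_album_image')) {
                 self::feed404();
             }
             $albumname = $this->getChannelTitleExtra();
             if ($this->albumfolder) {
                 $alb = newAlbum($this->albumfolder, true, true);
                 if ($alb->exists) {
                     $albumtitle = $alb->getTitle();
                     if ($this->mode == 'albums' || $this->collection) {
                         $albumname = ' - ' . html_encode($albumtitle) . $this->getChannelTitleExtra();
                     }
                 } else {
                     self::feed404();
                 }
             } else {
                 $albumtitle = '';
             }
             // NOTE(review): this assignment discards the album-specific name built
             // above; kept as in the original, confirm whether that is intended.
             $albumname = $this->getChannelTitleExtra();
             $this->channel_title = html_encode($this->channel_title . ' ' . getBare($albumname));
             $this->imagesize = $this->getImageSize();
             require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/image_album_statistics.php';
             break;
         case 'news':
             //Zenpage News RSS
             if (!getOption('RSS_articles')) {
                 self::feed404();
             }
             $titleappendix = gettext(' (Latest news)');
             switch ($this->newsoption) {
                 case 'withalbums':
                 case 'withalbums_mtime':
                 case 'withalbums_publishdate':
                 case 'withalbums_latestupdated':
                     $titleappendix = gettext(' (Latest news and albums)');
                     break;
                 case 'withimages':
                 case 'withimages_mtime':
                 case 'withimages_publishdate':
                     $titleappendix = gettext(' (Latest news and images)');
                     break;
                 default:
                     switch ($this->sortorder) {
                         case 'popular':
                             $titleappendix = gettext(' (Most popular news)');
                             break;
                         case 'mostrated':
                             $titleappendix = gettext(' (Most rated news)');
                             break;
                         case 'toprated':
                             $titleappendix = gettext(' (Top rated news)');
                             break;
                         case 'random':
                             $titleappendix = gettext(' (Random news)');
                             break;
                     }
                     break;
             }
             $this->channel_title = html_encode($this->channel_title . $this->cattitle . $titleappendix);
             $this->imagesize = $this->getImageSize();
             // # of Items displayed on the feed
             $this->itemnumber = getOption("RSS_zenpage_items");
             require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/image_album_statistics.php';
             require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/zenpage/zenpage-template-functions.php';
             break;
         case 'pages':
             //Zenpage pages RSS
             if (!getOption('RSS_pages')) {
                 self::feed404();
             }
             switch ($this->sortorder) {
                 case 'popular':
                     $titleappendix = gettext(' (Most popular pages)');
                     break;
                 case 'mostrated':
                     $titleappendix = gettext(' (Most rated pages)');
                     break;
                 case 'toprated':
                     $titleappendix = gettext(' (Top rated pages)');
                     break;
                 case 'random':
                     $titleappendix = gettext(' (Random pages)');
                     break;
                 default:
                     $titleappendix = gettext(' (Latest pages)');
                     break;
             }
             $this->channel_title = html_encode($this->channel_title . $titleappendix);
             require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/zenpage/zenpage-template-functions.php';
             break;
         case 'comments':
             //Comments RSS
             if (!getOption('RSS_comments')) {
                 self::feed404();
             }
             if ($this->id) {
                 // the table name is taken from a fixed list, never from the request text itself
                 switch ($this->commentfeedtype) {
                     case 'album':
                         $table = 'albums';
                         break;
                     case 'image':
                         $table = 'images';
                         break;
                     case 'news':
                         $table = 'news';
                         break;
                     case 'page':
                         $table = 'pages';
                         break;
                     default:
                         self::feed404();
                         break;
                 }
                 $this->itemobj = getItemByID($table, $this->id);
                 if ($this->itemobj) {
                     $title = ' - ' . $this->itemobj->getTitle();
                 } else {
                     self::feed404();
                 }
             } else {
                 $this->itemobj = NULL;
                 $title = NULL;
             }
             $this->channel_title = html_encode($this->channel_title . $title . gettext(' (latest comments)'));
             if (extensionEnabled('zenpage')) {
                 require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/zenpage/zenpage-template-functions.php';
             }
             break;
         case 'null':
             //we just want the class instantiated
             return;
     }
     $this->feeditems = $this->getitems();
 }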
Example #17
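 static function check($authorized)
 {
     // Falls back to HTTP Basic credentials when the visitor is not logged in
     // through the normal handling. Returns $authorized unchanged, or the rights
     // of the user identified by the HTTP credentials.
     global $_zp_authority, $_zp_current_admin_obj;
     if (!$authorized) {
         // not logged in via normal zenphoto handling
         // PHP-CGI auth fix: rebuild PHP_AUTH_USER / PHP_AUTH_PW from the raw
         // Authorization header; the REDIRECT_ variant, checked last, wins.
         foreach (array('HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION') as $header) {
             // only the Basic scheme carries "user:password"; other schemes are left alone
             if (isset($_SERVER[$header]) && strncasecmp($_SERVER[$header], 'Basic ', 6) === 0) {
                 $decoded = base64_decode(substr($_SERVER[$header], 6));
                 if ($decoded !== false) {
                     // split on the first ':' only, so a password containing ':' stays
                     // intact (joining the pieces with '' dropped the colons)
                     $auth_params = explode(':', $decoded, 2);
                     $_SERVER['PHP_AUTH_USER'] = $auth_params[0];
                     $_SERVER['PHP_AUTH_PW'] = isset($auth_params[1]) ? $auth_params[1] : '';
                 }
             }
         }
         if (array_key_exists('PHP_AUTH_USER', $_SERVER) && array_key_exists('PHP_AUTH_PW', $_SERVER)) {
             $user = $_SERVER['PHP_AUTH_USER'];
             $pass = $_SERVER['PHP_AUTH_PW'];
             if (getOption('http_auth_trust')) {
                 // NOTE(review): in trust mode the password is never checked here; the
                 // user name is accepted as presented. That is only sound when the web
                 // server in front has already authenticated every request reaching
                 // this code, because the header values copied above come straight
                 // from the client request.
                 $userobj = $_zp_authority->getAnAdmin(array('`user`=' => $user, '`valid`=' => 1));
             } else {
                 $userobj = Zenphoto_Authority::checkLogon($user, $pass);
             }
             if ($userobj) {
                 $_zp_current_admin_obj = $userobj;
                 // the session is owned by the HTTP credentials, so no logout link is offered
                 $_zp_current_admin_obj->logout_link = false;
                 $authorized = $_zp_current_admin_obj->getRights();
             }
         }
     }
     return $authorized;
 }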
Example #18
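 static function handleOptionSave($themename, $themealbum)
 {
     // Custom option-save handler: when the user_groups plugin is not loaded,
     // collects the rights ticked on the options form and stores them as the
     // rights granted to newly registered users. Always returns false.
     // $themename and $themealbum are part of the handler signature and unused.
     if (!class_exists('user_groups')) {
         $saved_rights = NO_RIGHTS;
         $rightslist = sortMultiArray(Zenphoto_Authority::getRights(), array('set', 'value'));
         foreach ($rightslist as $rightselement => $right) {
             $field = 'register_user-' . $rightselement;
             if (isset($_POST[$field]) && is_scalar($_POST[$field])) {
                 // Only the bits that belong to this right are accepted. OR-ing the
                 // raw posted value let a crafted request set arbitrary rights bits
                 // as the default for every new registration.
                 // Assumes the form posts each right's own value; TODO confirm.
                 $saved_rights = $saved_rights | ((int) $_POST[$field] & (int) $right['value']);
             }
         }
         setOption('register_user_user_rights', $saved_rights);
     }
     return false;
 }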
Example #19
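/**
 * Handles the save of a user name / password pair posted from a form.
 *
 * Nothing is changed unless the "password_enabled{suffix}" field was posted with
 * a truthy value. The new user name, password and hint are read from the
 * "user", "pass", "pass_r" (or "disclose_password") and "hint" fields, each with
 * $suffix appended, and stored either on $object (when it is an object) or in
 * the options "{$object}_user", "{$object}_password" and "{$object}_hint".
 *
 * @param object|string $object the object to update, or the option-name prefix
 * @param string $suffix appended to every form field name that is read
 * @return string '' when nothing failed, '?mismatch' when the two password
 *                fields differ, '?mismatch=user' when the user name changed
 *                but no password was supplied
 */
function processCredentials($object, $suffix = '')
{
    $notify = '';
    if (isset($_POST['password_enabled' . $suffix]) && $_POST['password_enabled' . $suffix]) {
        if (is_object($object)) {
            $olduser = $object->getUser();
        } else {
            $olduser = getOption($object . '_user');
        }
        $newuser = trim(sanitize($_POST['user' . $suffix], 3));
        // NOTE(review): the password is sanitized and trimmed before it is hashed.
        // Any login path that hashes the raw posted password will not match for
        // passwords that sanitize()/trim() alter. Confirm both sides agree.
        $pwd = trim(sanitize($_POST['pass' . $suffix]));
        if (isset($_POST['disclose_password' . $suffix])) {
            // the password was shown in clear text, so there is no repeat field
            $pass2 = $pwd;
        } else {
            if (isset($_POST['pass_r' . $suffix])) {
                $pass2 = trim(sanitize($_POST['pass_r' . $suffix]));
            } else {
                $pass2 = '';
            }
        }
        $fail = '';
        // Compare as strings. Loose == treats numeric-looking values as numbers,
        // so "007" and "7" (or "1e3" and "1000") would count as unchanged/equal.
        if ((string) $olduser !== (string) $newuser) {
            // the user name is an input to the hash, so a rename needs a new password
            if (!empty($newuser) && strlen($_POST['pass' . $suffix]) === 0) {
                $fail = '?mismatch=user';
            }
        }
        if (!$fail && (string) $pwd === (string) $pass2) {
            if (is_object($object)) {
                $object->setUser($newuser);
            } else {
                setOption($object . '_user', $newuser);
            }
            if (empty($pwd)) {
                // only an empty field clears the password; input that merely
                // sanitizes down to nothing leaves the stored password alone
                if (strlen($_POST['pass' . $suffix]) === 0) {
                    // clear the  password
                    if (is_object($object)) {
                        $object->setPassword(NULL);
                    } else {
                        setOption($object . '_password', NULL);
                    }
                }
            } else {
                if (is_object($object)) {
                    $object->setPassword(Zenphoto_Authority::passwordHash($newuser, $pwd));
                } else {
                    setOption($object . '_password', Zenphoto_Authority::passwordHash($newuser, $pwd));
                }
            }
        } else {
            if (empty($fail)) {
                $notify = '?mismatch';
            } else {
                $notify = $fail;
            }
        }
        // the hint is saved even when the credentials themselves were rejected
        $hint = process_language_string_save('hint' . $suffix, 3);
        if (is_object($object)) {
            $object->setPasswordHint($hint);
        } else {
            setOption($object . '_hint', $hint);
        }
    }
    return $notify;
}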
Example #20
 /**
  * This is the cookie processor filter handler.
  * It invokes the child class user() method to see if there is a valid visitor to the site.
  * That method should return "false" if there is no valid visitor or an array of
  * user information if there is one.
  *
  * If there is a valid user, the user name is checked against Zenphoto users. If such a user exists
  * he will be automatically logged in. If no user by that userid exists a transient user will be
  * created and logged in. User details are filled in from the user information in the passed array.
  *
  * Most entries in the result array are simply stored into the user property of the same name. However,
  * there are some special handling items that may be present:
  * 	<ul>
  * 		<li>groups: an array of the user's group membership</li>
  * 		<li>objects: a Zenphoto "managed object list" array</li>
  * 		<li>album: the name of the user's primary album</li>
  * 		<li>logout_link: information that the plugin can use when a user logs out</li>
  *	</ul>
  *
  * All the above may be missing. However, if there is no groups entry, there needs to be an
  * entry for the user's rights otherwise he will have none. There should not be both a rights entry
  * and a groups entry as they are mutually exclusive.
  *
  * album and objects entries should come last in the list so all other properties are processed first as
  * these methods may modify other properties.
  *
  * Trust note: everything the external authority returns is taken at face value. A name that
  * matches a valid Zenphoto user is logged in as that user without any password check here, and
  * for a transient user every unrecognised key (a rights entry included) is stored on the user
  * object as given.
  *
  * @param BIT $authorized the rights established so far; a false value means nobody is logged in yet
  * @return BIT $authorized unchanged, or the rights of the user that was logged in here
  */
 function check($authorized)
 {
     global $_zp_current_admin_obj;
     if (!$authorized) {
         // not logged in via normal Zenphoto handling
         if ($result = $this->user()) {
             $user = $result['user'];
             // only user records flagged valid=1 are considered for the automatic login
             $searchfor = array('`user`=' => $user, '`valid`=' => 1);
             $userobj = Zenphoto_Authority::getAnAdmin($searchfor);
             if (!$userobj) {
                 // 'id' and 'user' are not copied to the transient user as properties
                 unset($result['id']);
                 unset($result['user']);
                 $authority = '';
                 //	create a transient user
                 $userobj = new Zenphoto_Administrator('', 1);
                 $userobj->setUser($user);
                 //	start from no rights, just in case none get set below
                 $userobj->setRights(NO_RIGHTS);
                 //	Flag as external credentials for completeness
                 $properties = array_keys($result);
                 //	the list of things we got from the external authority
                 array_unshift($properties, $this->auth);
                 $userobj->setCredentials($properties);
                 //	populate the user properties
                 $member = false;
                 //	no group membership (yet)
                 foreach ($result as $key => $value) {
                     switch ($key) {
                         case 'authority':
                             //	appended to the credentials marker recorded after the loop
                             $authority = '::' . $value;
                             unset($result['authority']);
                             break;
                         case 'groups':
                             //	find the corresponding Zenphoto group (if it exists)
                             $rights = NO_RIGHTS;
                             $objects = array();
                             $groups = $value;
                             //	NOTE(review): this inner loop reuses $key. The switch has already
                             //	dispatched and the outer foreach reassigns $key on its next pass.
                             foreach ($groups as $key => $group) {
                                 //	groups are looked up as user records flagged valid=0
                                 $groupobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $group, '`valid`=' => 0));
                                 if ($groupobj) {
                                     $member = true;
                                     //	rights and objects of all matching groups accumulate
                                     $rights = $groupobj->getRights() | $rights;
                                     $objects = array_merge($groupobj->getObjects(), $objects);
                                     if ($groupobj->getName() == 'template') {
                                         //	templates contribute rights but are not kept as membership
                                         unset($groups[$key]);
                                     }
                                 } else {
                                     //	unknown group names are dropped
                                     unset($groups[$key]);
                                 }
                             }
                             if ($member) {
                                 $userobj->setGroup(implode(',', $groups));
                                 $userobj->setRights($rights);
                                 $userobj->setObjects($objects);
                             }
                             break;
                         case 'defaultgroup':
                             //	only effective when it is processed after 'groups' and no group matched
                             if (!$member && isset($result['defaultgroup'])) {
                                 //	No Zenphoto group, use the default group
                                 $group = $result['defaultgroup'];
                                 $groupobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $group, '`valid`=' => 0));
                                 if ($groupobj) {
                                     $rights = $groupobj->getRights();
                                     $objects = $groupobj->getObjects();
                                     //	NOTE(review): the group name is kept only when the record IS a
                                     //	template, the opposite of the 'groups' case above. Confirm intent.
                                     if ($groupobj->getName() != 'template') {
                                         $group = NULL;
                                     }
                                     $userobj->setGroup($group);
                                     $userobj->setRights($rights);
                                     $userobj->setObjects($objects);
                                 }
                             }
                             break;
                         case 'objects':
                             //	NOTE(review): this stores $objects, not the $value that was passed in.
                             //	$objects is only defined if a 'groups' or 'defaultgroup' entry was
                             //	processed earlier. Verify whether $value was intended.
                             $userobj->setObjects($objects);
                             break;
                         case 'album':
                             $userobj->createPrimealbum(false, $value);
                             break;
                         default:
                             //	any other key becomes a user property as is, so the external
                             //	authority decides these values (a rights entry included)
                             $userobj->set($key, $value);
                             break;
                     }
                 }
                 //	record the credentials list again, now that 'authority' has been removed
                 //	from $result and can be added to the marker
                 $properties = array_keys($result);
                 //	the list of things we got from the external authority
                 array_unshift($properties, $this->auth . $authority);
                 $userobj->setCredentials($properties);
             }
             //	applies to existing and transient users alike
             if (isset($result['logout_link'])) {
                 $userobj->logout_link = $result['logout_link'];
             }
             $_zp_current_admin_obj = $userobj;
             $authorized = $_zp_current_admin_obj->getRights();
         }
     }
     return $authorized;
 }
Example #21
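/**
 * Checks a guest password posting, or an existing guest cookie, for the item
 * being viewed.
 *
 * When $authType is empty the credentials are chosen from the context:
 * protected full image, search, the current album (or the nearest ancestor
 * with a password), the current Zenpage page (or the nearest ancestor with a
 * password), and finally the gallery. In that case $check_auth is reset, so a
 * value passed by the caller is ignored.
 *
 * A posted login form is verified by hashing the posted password with each
 * entry of Zenphoto_Authority::$hashList. On success the cookie named
 * $authType is set and an optional redirect is followed. On failure the cookie
 * is cleared and $_zp_login_error is set. Without a posting, an existing cookie
 * that no longer matches is cleared.
 *
 * NOTE: the cookie value is the stored hash itself, so that hash is
 * password-equivalent for guest access. Treat database dumps, option exports
 * and DEBUG_LOGIN logs that contain it as credentials.
 *
 * @param string $authType override of authorization type (also the cookie name)
 * @param string $check_auth the stored password hash to check against
 * @param string $check_user the user name that must accompany the password
 */
function zp_handle_password($authType = NULL, $check_auth = NULL, $check_user = NULL)
{
    global $_zp_loggedin, $_zp_login_error, $_zp_current_album, $_zp_current_zenpage_page, $_zp_gallery;
    if (empty($authType)) {
        // not supplied by caller
        $check_auth = '';
        $page = isset($_GET['p']) ? $_GET['p'] : NULL;
        if ((isset($_GET['z']) && $page === 'full-image') || $page === '*full-image') {
            $authType = 'zp_image_auth';
            $check_auth = getOption('protected_image_password');
            $check_user = getOption('protected_image_user');
        } elseif (in_context(ZP_SEARCH)) {
            // search page
            $authType = 'zp_search_auth';
            $check_auth = getOption('search_password');
            $check_user = getOption('search_user');
        } elseif (in_context(ZP_ALBUM)) {
            // album page
            $authType = "zp_album_auth_" . $_zp_current_album->getID();
            $check_auth = $_zp_current_album->getPassword();
            $check_user = $_zp_current_album->getUser();
            if (empty($check_auth)) {
                // inherit the credentials of the nearest protected ancestor
                $parent = $_zp_current_album->getParent();
                while (!is_null($parent)) {
                    $check_auth = $parent->getPassword();
                    $check_user = $parent->getUser();
                    $authType = "zp_album_auth_" . $parent->getID();
                    if (!empty($check_auth)) {
                        break;
                    }
                    $parent = $parent->getParent();
                }
            }
        } elseif (in_context(ZP_ZENPAGE_PAGE)) {
            $authType = "zp_page_auth_" . $_zp_current_zenpage_page->getID();
            $check_auth = $_zp_current_zenpage_page->getPassword();
            $check_user = $_zp_current_zenpage_page->getUser();
            if (empty($check_auth)) {
                $pageobj = $_zp_current_zenpage_page;
                while (empty($check_auth)) {
                    // the id is concatenated into the SQL text, so force it to an integer
                    $parentID = (int) $pageobj->getParentID();
                    if ($parentID === 0) {
                        break;
                    }
                    $sql = 'SELECT `titlelink` FROM ' . prefix('pages') . ' WHERE `id`=' . $parentID;
                    $result = query_single_row($sql);
                    if (empty($result)) {
                        // parent row is gone; stop climbing instead of loading a page without a titlelink
                        break;
                    }
                    $pageobj = new ZenpagePage($result['titlelink']);
                    $authType = "zp_page_auth_" . $pageobj->getID();
                    $check_auth = $pageobj->getPassword();
                    $check_user = $pageobj->getUser();
                }
            }
        }
        if (empty($check_auth)) {
            // anything else is controlled by the gallery credentials
            $authType = 'zp_gallery_auth';
            $check_auth = $_zp_gallery->getPassword();
            $check_user = $_zp_gallery->getUser();
        }
    }
    // Handle the login form.
    if (DEBUG_LOGIN) {
        debugLog("zp_handle_password: \$authType={$authType}; \$check_auth={$check_auth}; \$check_user={$check_user}; ");
    }
    if (isset($_POST['password']) && isset($_POST['pass'])) {
        // process login form
        if (isset($_POST['user'])) {
            $post_user = sanitize($_POST['user']);
        } else {
            $post_user = '';
        }
        // We should not sanitize the password, but it has to be a string ("pass[]=x" posts an array)
        $post_pass = is_string($_POST['pass']) ? $_POST['pass'] : '';
        // defined up front so an empty hash list is a failed login rather than an undefined variable
        $success = false;
        $auth = '';
        foreach (Zenphoto_Authority::$hashList as $hash => $hi) {
            $auth = Zenphoto_Authority::passwordHash($post_user, $post_pass, $hi);
            // Strict string comparison: with == two different hashes that both look like
            // numbers (e.g. "0e..." followed by digits) compare equal. Where PHP >= 5.6 is
            // guaranteed, hash_equals() additionally makes the comparison constant-time.
            $success = (string) $auth === (string) $check_auth && (string) $post_user === (string) $check_user;
            if (DEBUG_LOGIN) {
                // the clear-text password is deliberately not written to the log
                debugLog("zp_handle_password({$success}): \$post_user={$post_user}; \$post_pass=[redacted]; \$check_auth={$check_auth}; \$auth={$auth}; \$hash={$hash};");
            }
            if ($success) {
                break;
            }
        }
        // plugins may grant or veto the attempt
        $success = zp_apply_filter('guest_login_attempt', $success, $post_user, $post_pass, $authType);
        if ($success) {
            // Correct auth info. Set the cookie.
            if (DEBUG_LOGIN) {
                debugLog("zp_handle_password: valid credentials");
            }
            zp_setCookie($authType, $auth);
            if (isset($_POST['redirect'])) {
                $redirect_to = sanitizeRedirect($_POST['redirect'], true);
                if (!empty($redirect_to)) {
                    header("Location: " . $redirect_to);
                    exitZP();
                }
            }
        } else {
            // Clear the cookie, just in case
            if (DEBUG_LOGIN) {
                debugLog("zp_handle_password: invalid credentials");
            }
            zp_clearCookie($authType);
            $_zp_login_error = true;
        }
        return;
    }
    if (empty($check_auth)) {
        //no password on record or admin logged in
        return;
    }
    if (($saved_auth = zp_getCookie($authType)) != '') {
        // same strict comparison as for the form; the cookie is client-supplied
        if ((string) $saved_auth === (string) $check_auth) {
            if (DEBUG_LOGIN) {
                debugLog("zp_handle_password: valid cookie");
            }
            return;
        } else {
            // Clear the cookie
            if (DEBUG_LOGIN) {
                debugLog("zp_handle_password: invalid cookie");
            }
            zp_clearCookie($authType);
        }
    }
}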
Example #22
<?php

/**
 * processes the authorization (or login) of admin users
 * @package admin
 */
// force UTF-8 Ø
global $_zp_current_admin_obj, $_zp_loggedin, $_zp_authority;
// start every request with no administrator logged in
$_zp_current_admin_obj = null;
// SECURITY: a file at this path replaces the whole authorization library, so
// write access to the user plugin folder amounts to control over authentication.
// Keep that folder non-writable for the web server account and monitor it.
if (file_exists(SERVERPATH . '/' . USER_PLUGIN_FOLDER . '/alt/lib-auth.php')) {
    // load a custom authorization package if it is present
    // ($_zp_authority is not created in this branch; presumably the package does that itself)
    require_once SERVERPATH . '/' . USER_PLUGIN_FOLDER . '/alt/lib-auth.php';
} else {
    require_once dirname(__FILE__) . '/lib-auth.php';
    $_zp_authority = new Zenphoto_Authority();
}
// publish every right as a global constant: the constant name is the array key,
// its value is the 'value' element of that right
foreach (Zenphoto_Authority::getRights() as $key => $right) {
    define($key, $right['value']);
}
// flags for the per-object (managed object) rights
define('MANAGED_OBJECT_RIGHTS_EDIT', 1);
define('MANAGED_OBJECT_RIGHTS_UPLOAD', 2);
define('MANAGED_OBJECT_RIGHTS_VIEW', 4);
// NO_RIGHTS is not defined in these lines; presumably it is one of the constants created by the loop above
define('LIST_RIGHTS', NO_RIGHTS);
// a rights set without USER_RIGHTS gets it as an alias of NO_RIGHTS
if (!defined('USER_RIGHTS')) {
    define('USER_RIGHTS', NO_RIGHTS);
}
if (defined('VIEW_ALL_RIGHTS')) {
    define('ALL_ALBUMS_RIGHTS', VIEW_ALL_RIGHTS);
    define('ALL_PAGES_RIGHTS', VIEW_ALL_RIGHTS);
    define('ALL_NEWS_RIGHTS', VIEW_ALL_RIGHTS);
    define('VIEW_SEARCH_RIGHTS', NO_RIGHTS);
Example #23
    echo $targetid;
    ?>
').tagSuggest({
						tags: [
	<?php 
    echo implode(',', $dbfields);
    ?>
						]
						});
						});
						// ]]> -->
	</script>
	<?php 
}
zp_apply_filter('texteditor_config', 'zenphoto');
Zenphoto_Authority::printPasswordFormJS();
?>
</head>
<body>
	<?php 
printLogoAndLinks();
?>
	<div id="main">
		<?php 
printTabs();
?>
		<div id="content">
			<?php 
/* Page code */
?>
			<div id="container">
Example #24
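 /**
  * Re-validates user's e-mail via ticket.
  *
  * The ticket arrives in $_GET['user_expiry_reverify'] as a hex string holding a
  * serialized array with 'date', 'user' and 'email'. A ticket younger than 30 days
  * that matches a user record re-enables that user, logs the user in and
  * redirects to admin.php. Afterwards a pending password renewal redirects to
  * the users tab.
  *
  * NOTE(review): nothing in this method authenticates the ticket; it is only
  * hex-decoded and unserialized. Because a matching ticket ends in logUser(),
  * the code that issues tickets should add a keyed MAC (for example hash_hmac
  * with a server-side secret) that is verified here before the user lookup.
  *
  * @param string $path the script (which we ignore)
  * @return string $path, unchanged, when no redirect happened
  */
 static function reverify($path)
 {
     global $_zp_authority;
     //process any verifications posted
     if (isset($_GET['user_expiry_reverify']) && is_string($_GET['user_expiry_reverify'])) {
         $raw = pack("H*", trim(sanitize($_GET['user_expiry_reverify']), '.'));
         // SECURITY: $raw comes straight from the request. unserialize() must never be
         // allowed to instantiate objects from it (PHP object injection).
         if (version_compare(PHP_VERSION, '7.0.0', '>=')) {
             $params = unserialize($raw, array('allowed_classes' => false));
         } elseif (preg_match('/(^|[;{}])[OC]:[+]?\d+:/', $raw)) {
             // older PHP has no allowed_classes option: best-effort refusal of
             // anything that carries an object or custom-serialized class token
             $params = false;
         } else {
             $params = unserialize($raw);
         }
         // accept only the expected shape, so arrays or objects never reach the query
         $ticketOk = is_array($params)
             && isset($params['date'], $params['user'], $params['email'])
             && is_numeric($params['date'])
             && is_scalar($params['user'])
             && is_scalar($params['email']);
         // 2592000 seconds = 30 days
         if ($ticketOk && time() - $params['date'] < 2592000) {
             $userobj = $_zp_authority->getAnAdmin(array('`user`=' => $params['user'], '`email`=' => $params['email'], '`valid`>' => 0));
             // everything below needs the user record; without a match fall through
             // instead of calling methods on a missing object
             if ($userobj) {
                 $credentials = $userobj->getCredentials();
                 $credentials[] = 'expiry';
                 $credentials[] = 'email';
                 $credentials = array_unique($credentials);
                 $userobj->setCredentials($credentials);
                 $userobj->setValid(1);
                 $userobj->set('loggedin', date('Y-m-d H:i:s'));
                 $userobj->save();
                 Zenphoto_Authority::logUser($userobj);
                 header("Location: " . FULLWEBPATH . '/' . ZENFOLDER . '/admin.php');
                 exitZP();
             }
         }
     }
     if (user_expiry::checkPasswordRenew()) {
         header("Location: " . FULLWEBPATH . '/' . ZENFOLDER . '/admin-users.php?page=users&tab=users');
         exitZP();
     }
     return $path;
 }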
Example #25
    $groupobj->set('other_credentials', gettext('Managers of one or more albums'));
    $groupobj->setValid(0);
    $groupobj->save();
    $groupsdefined[] = 'album managers';
}
// Create the 'default' template once: it carries DEFAULT_RIGHTS.
// (valid=0 presumably marks the record as a group/template rather than a login account; confirm)
if (!in_array('default', $groupsdefined)) {
    $groupobj = Zenphoto_Authority::newAdministrator('default', 0);
    $groupobj->setName('template');
    $groupobj->setRights(DEFAULT_RIGHTS);
    $groupobj->set('other_credentials', gettext('Default user settings'));
    $groupobj->setValid(0);
    $groupobj->save();
    $groupsdefined[] = 'default';
}
// Create the 'newuser' template once: newly registered users start from NO_RIGHTS,
// so any access has to be granted deliberately afterwards.
if (!in_array('newuser', $groupsdefined)) {
    $groupobj = Zenphoto_Authority::newAdministrator('newuser', 0);
    $groupobj->setName('template');
    $groupobj->setRights(NO_RIGHTS);
    $groupobj->set('other_credentials', gettext('Newly registered and verified users'));
    $groupobj->setValid(0);
    $groupobj->save();
    $groupsdefined[] = 'newuser';
}
// record that these have been set once (and never again), so a group an
// administrator later changes or deletes is not recreated with its default rights
setOption('defined_groups', serialize($groupsdefined));
// setOptionDefault() is used for the RSS and thumbnail options below
// (presumably it leaves a value that is already stored untouched; confirm)
setOptionDefault('RSS_album_image', 1);
setOptionDefault('RSS_comments', 1);
setOptionDefault('RSS_articles', 1);
setOptionDefault('RSS_pages', 1);
setOptionDefault('RSS_article_comments', 1);
setOptionDefault('AlbumThumbSelect', 1);
Example #26
 /**
  * Hashes the given password and records the result on this user.
  *
  * The hash algorithm is whatever the 'strong_hash' option selects, and the
  * user name is passed to the hasher together with the password. Besides the
  * hash ('pass') the time of the change ('passupdate') and the algorithm used
  * ('passhash') are stored.
  *
  * @param $pwd the password to hash
  * @return the hash that was stored
  */
 function setPass($pwd)
 {
     $algorithm = getOption('strong_hash');
     $hashed = Zenphoto_Authority::passwordHash($this->getUser(), $pwd, $algorithm);
     $this->set('pass', $hashed);
     $this->set('passupdate', date('Y-m-d H:i:s'));
     // remember which algorithm produced the stored hash
     $this->set('passhash', $algorithm);
     return $hashed;
 }
/**
 * Returns the author of the current Zenpage page or news article.
 * Wrapper used by getNewsAuthor() and getPageAuthor().
 *
 * @param bool $fullname False for the user name, true for the full name. The
 *                       user name is returned as well when no valid
 *                       administrator with a name matches it.
 *
 * @return string|false the author, or false outside a page / news context
 */
function getAuthor($fullname = false)
{
    global $_zp_current_zenpage_page, $_zp_current_zenpage_news;
    // pick the item the current context refers to
    if (is_Pages()) {
        $item = $_zp_current_zenpage_page;
    } elseif (is_News()) {
        $item = $_zp_current_zenpage_news;
    } else {
        return false;
    }
    if (!$item) {
        return false;
    }
    if ($fullname) {
        // look up the full name among the valid administrators
        $account = Zenphoto_Authority::getAnAdmin(array('`user`=' => $item->getAuthor(), '`valid`=' => 1));
        if (is_object($account) && $account->getName()) {
            return $account->getName();
        }
    }
    return $item->getAuthor();
}
Example #28
        $ordered[$key] = $admin['date'];
    }
}
asort($ordered);
$adminordered = array();
foreach ($ordered as $key => $user) {
    $adminordered[] = $admins[$key];
}
$msg = NULL;
if (isset($_GET['action'])) {
    $action = sanitize($_GET['action']);
    XSRFdefender($action);
    if ($action == 'expiry') {
        foreach ($_POST as $key => $action) {
            if (strpos($key, 'r_') === 0) {
                $userobj = Zenphoto_Authority::getAnAdmin(array('`id`=' => str_replace('r_', '', postIndexDecode($key))));
                if ($userobj) {
                    switch ($action) {
                        case 'delete':
                            $userobj->remove();
                            break;
                        case 'disable':
                            $userobj->setValid(2);
                            $userobj->save();
                            break;
                        case 'enable':
                            $userobj->setValid(1);
                            $userobj->save();
                            break;
                        case 'renew':
                            $newdate = getOption('user_expiry_interval') * 86400 + strtotime($userobj->getDateTime());