Exemple #1
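/**
 * Handle a "mail me a new password" request for the user named in $HTTP_VARS['uid'].
 *
 * Outcomes (every refusal is written to opendb_logger with the uid as context):
 *  - unknown user                                   -> TRUE, deliberately indistinguishable
 *                                                      from success so the request cannot be
 *                                                      used to probe for valid user ids
 *  - deactivated user, no PERM_CHANGE_PASSWORD, or
 *    password change disabled site-wide (and caller
 *    lacks PERM_ADMIN_CHANGE_PASSWORD)               -> FALSE, nothing added to $errors
 *  - user has no email address                      -> FALSE, message appended to $errors
 *  - password could not be updated                  -> FALSE (was an implicit NULL before)
 *  - password updated but mail failed               -> "EMAIL_NOT_SENT" ($errors filled by
 *                                                      opendb_user_email)
 *  - password updated and mailed                    -> TRUE
 *
 * @param array $HTTP_VARS request variables; only 'uid' is read
 * @param array $errors    receives caller-facing error messages (by reference)
 * @return bool|string TRUE, FALSE or "EMAIL_NOT_SENT"
 */
function perform_newpassword($HTTP_VARS, &$errors)
{
    $uid = $HTTP_VARS['uid'];

    if (!is_user_valid($uid)) {
        opendb_logger(OPENDB_LOG_WARN, __FILE__, __FUNCTION__, 'New password request failure: User does not exist', array($uid));
        // make user look successful to prevent mining for valid userids
        return TRUE;
    }

    // Do not allow new password operation for 'deactivated' user.
    // Unlike the unknown-user case above this answers FALSE, so the response
    // still tells "deactivated" apart from "unknown".
    if (!is_user_active($uid)) {
        opendb_logger(OPENDB_LOG_WARN, __FILE__, __FUNCTION__, 'New password request failure: User is not active', array($uid));
        return FALSE;
    }

    if (!is_user_granted_permission(PERM_CHANGE_PASSWORD, $uid)) {
        opendb_logger(OPENDB_LOG_WARN, __FILE__, __FUNCTION__, 'New password request failure: User does not have permission to change password', array($uid));
        return FALSE;
    }

    // Site-wide switch; an administrator with PERM_ADMIN_CHANGE_PASSWORD may override it.
    if (get_opendb_config_var('user_admin', 'user_passwd_change_allowed') === FALSE && !is_user_granted_permission(PERM_ADMIN_CHANGE_PASSWORD)) {
        opendb_logger(OPENDB_LOG_WARN, __FILE__, __FUNCTION__, 'New password request failure: Password change is disabled', array($uid));
        return FALSE;
    }

    opendb_logger(OPENDB_LOG_INFO, __FILE__, __FUNCTION__, 'User requested to be emailed a new password', array($uid));

    $user_r = fetch_user_r($uid);
    $user_passwd = generate_password(8);

    // only send if valid user (email); the cast keeps strlen() quiet on a NULL column
    if (strlen((string) $user_r['email_addr']) == 0) {
        $errors[] = "User '" . $uid . "' does not have a valid email address.";
        return FALSE;
    }

    $pass_result = update_user_passwd($uid, $user_passwd);
    if ($pass_result !== TRUE) {
        // The original fell off the end of the function here (implicit NULL);
        // report the failure explicitly so the caller and the log see it.
        opendb_logger(OPENDB_LOG_WARN, __FILE__, __FUNCTION__, 'New password request failure: Password could not be updated', array($uid));
        return FALSE;
    }

    $subject = get_opendb_lang_var('lost_password');
    $message = get_opendb_lang_var('to_user_email_intro', 'fullname', $user_r['fullname']) . "\n\n" . get_opendb_lang_var('new_passwd_email') . "\n\n" . get_opendb_lang_var('userid') . ": " . $uid . "\n" . get_opendb_lang_var('password') . ": " . $user_passwd;

    if (opendb_user_email($user_r['user_id'], NULL, $subject, $message, $errors)) {
        return TRUE;
    }
    return "EMAIL_NOT_SENT";
}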
Exemple #2
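/**
 * Build the HTML for the user create / edit / signup form.
 *
 * @param array $user_r    existing user row when editing (user_id, user_role, fullname,
 *                         email_addr, theme and language are read); empty for a new user
 * @param array $HTTP_VARS submitted request values used to re-populate the fields;
 *                         $HTTP_VARS['op'] selects the variant ('signup', 'new_user',
 *                         anything else is the admin add/update form)
 * @return string the complete <form> markup
 */
function get_user_input_form($user_r, $HTTP_VARS)
{
    global $PHP_SELF;
    // NOTE(review): $PHP_SELF is written into the action attribute unescaped; confirm it
    // is the framework-provided value and not raw $_SERVER['PHP_SELF'].
    // Initialise explicitly: the original appended to an undefined $buffer.
    $buffer = "<form action=\"{$PHP_SELF}\" method=\"POST\">";
    $buffer .= "<table class=\"userInputForm\">";
    // user_id is fixed once the user exists; otherwise it is a filtered text input.
    if (is_not_empty_array($user_r)) {
        $buffer .= get_input_field("user_id", NULL, get_opendb_lang_var('userid'), "readonly", "", $user_r['user_id'], TRUE);
    } else {
        $buffer .= get_input_field("user_id", NULL, get_opendb_lang_var('userid'), "filtered(20,20,a-zA-Z0-9_.)", "Y", $HTTP_VARS['user_id'], TRUE);
    }
    // Only PERM_ADMIN_USER_PROFILE holders may change an existing user's role.
    if (is_not_empty_array($user_r) && !is_user_granted_permission(PERM_ADMIN_USER_PROFILE)) {
        $role_r = fetch_role_r($user_r['user_role']);
        $buffer .= get_input_field("user_role", NULL, get_opendb_lang_var('user_role'), "readonly", "", $role_r['description'], TRUE);
    } else {
        $buffer .= format_field(get_opendb_lang_var('user_role'), custom_select('user_role', fetch_user_role_rs($HTTP_VARS['op'] == 'signup' ? EXCLUDE_SIGNUP_UNAVAILABLE_USER : INCLUDE_SIGNUP_UNAVAILABLE_USER), "%description%", '1', ifempty($user_r['user_role'], $HTTP_VARS['user_role']), 'role_name'));
    }
    $buffer .= get_input_field("fullname", NULL, get_opendb_lang_var('fullname'), "text(30,100)", "Y", ifempty($HTTP_VARS['fullname'], $user_r['fullname']), TRUE);
    $buffer .= get_input_field("email_addr", NULL, get_opendb_lang_var('email'), "email(30,100)", "Y", ifempty($HTTP_VARS['email_addr'], $user_r['email_addr']), TRUE);
    if (get_opendb_config_var('user_admin', 'user_themes_support') !== FALSE) {
        $uid_theme = ifempty($HTTP_VARS['uid_theme'], $user_r['theme']);
        // If theme no longer exists, then set to default!
        $buffer .= format_field(get_opendb_lang_var('user_theme'), custom_select("uid_theme", get_user_theme_r(), "%value%", 1, is_exists_theme($uid_theme) ? $uid_theme : get_opendb_config_var('site', 'theme')));
    }
    if (get_opendb_config_var('user_admin', 'user_language_support') !== FALSE) {
        // Do not bother with language input field if only one language pack available.
        if (fetch_language_cnt() > 1) {
            $uid_language = ifempty($HTTP_VARS['uid_language'], $user_r['language']);
            // If language no longer exists, then set to default!
            $buffer .= format_field(get_opendb_lang_var('user_language'), custom_select('uid_language', fetch_language_rs(), "%language%", 1, is_exists_language($uid_language) ? $uid_language : get_opendb_config_var('site', 'language'), 'language', NULL, 'default_ind'));
        }
    }
    $buffer .= "</table>";
    // Now do the addresses
    if (is_not_empty_array($user_r)) {
        $addr_results = fetch_user_address_type_rs($user_r['user_id'], TRUE);
    } else {
        $addr_results = fetch_address_type_rs(TRUE);
    }
    if ($addr_results) {
        while ($address_type_r = db_fetch_assoc($addr_results)) {
            $v_address_type = strtolower($address_type_r['s_address_type']);
            // Both the edit and the new-user case fetched exactly the same attribute
            // set, so the former branch on is_not_empty_array($user_r) was collapsed.
            $attr_results = fetch_address_type_attribute_type_rs($address_type_r['s_address_type'], 'update', TRUE);
            if ($attr_results) {
                // NOTE(review): description is emitted without escaping; confirm it is
                // admin-controlled configuration rather than user-supplied text.
                $buffer .= '<h3>' . $address_type_r['description'] . '</h3>';
                $buffer .= "<ul class=\"addressIndicators\">";
                $buffer .= '<li><input type="checkbox" class="checkbox" name="' . $v_address_type . '[public_address_ind]" value="Y"' . (ifempty($address_type_r['public_address_ind'], $HTTP_VARS[$v_address_type]['public_address_ind']) == 'Y' ? ' CHECKED' : '') . '">' . get_opendb_lang_var('public_address_indicator') . '</li>';
                $buffer .= '<li><input type="checkbox" class="checkbox" name="' . $v_address_type . '[borrow_address_ind]" value="Y"' . (ifempty($address_type_r['borrow_address_ind'], $HTTP_VARS[$v_address_type]['borrow_address_ind']) == 'Y' ? ' CHECKED' : '') . '">' . get_opendb_lang_var('borrow_address_indicator') . '</li>';
                $buffer .= "</ul>";
                $buffer .= "<table class=\"addressInputForm\">";
                while ($addr_attribute_type_r = db_fetch_assoc($attr_results)) {
                    $fieldname = get_field_name($addr_attribute_type_r['s_attribute_type'], $addr_attribute_type_r['order_no']);
                    $value = NULL;
                    // sequence_number is set when the user already has this address:
                    // stored value first, submitted value overrides it.
                    if ($address_type_r['sequence_number'] !== NULL) {
                        if (is_lookup_attribute_type($addr_attribute_type_r['s_attribute_type'])) {
                            $value = fetch_user_address_lookup_attribute_val($address_type_r['sequence_number'], $addr_attribute_type_r['s_attribute_type'], $addr_attribute_type_r['order_no']);
                        } else {
                            $value = fetch_user_address_attribute_val($address_type_r['sequence_number'], $addr_attribute_type_r['s_attribute_type'], $addr_attribute_type_r['order_no']);
                        }
                        $value = ifempty(filter_item_input_field($addr_attribute_type_r, $HTTP_VARS[$v_address_type][$fieldname]), $value);
                    } else {
                        $value = filter_item_input_field($addr_attribute_type_r, $HTTP_VARS[$v_address_type][$fieldname]);
                    }
                    // If this is an edit operation - the value must be NOT NULL
                    // for some widgets to work properly.
                    if ($address_type_r['sequence_number'] !== NULL && $value === NULL) {
                        $value = '';
                    }
                    $buffer .= get_item_input_field($v_address_type . '[' . $fieldname . ']', $addr_attribute_type_r, NULL, $value);
                }
                //while
                db_free_result($attr_results);
                $buffer .= "</table>";
            }
            //if($attr_results)
        }
        //while
        db_free_result($addr_results);
    }
    //if($addr_results)
    // 'id' was a bare (undefined) constant before; PHP 8 throws on that.
    $buffer .= format_help_block(array('img' => 'compulsory.gif', 'text' => get_opendb_lang_var('compulsory_field'), 'id' => 'compulsory'));
    if ($HTTP_VARS['op'] == 'new_user') {
        $buffer .= "<h3>" . get_opendb_lang_var('password') . "</h3>";
        if (get_opendb_config_var('user_admin', 'user_passwd_change_allowed') !== FALSE || is_user_granted_permission(PERM_ADMIN_CHANGE_PASSWORD)) {
            $buffer .= "<table class=\"changePasswordForm\">";
            // With a working mailer the password may be left blank (auto-generated later).
            if (is_valid_opendb_mailer()) {
                $compulsory_ind = 'N';
            } else {
                $compulsory_ind = 'Y';
            }
            $buffer .= get_input_field("pwd", NULL, get_opendb_lang_var('new_passwd'), "password(30,40)", $compulsory_ind, "", TRUE);
            $buffer .= get_input_field("confirmpwd", NULL, get_opendb_lang_var('confirm_passwd'), "password(30,40)", $compulsory_ind, "", TRUE, NULL, get_opendb_config_var('widgets', 'enable_javascript_validation') !== FALSE ? "if( (this.form.pwd.value.length!=0 || this.form.confirmpwd.value.length!=0) && this.form.pwd.value!=this.form.confirmpwd.value){alert('" . get_opendb_lang_var('passwds_do_not_match') . "'); this.focus(); return false;}" : "");
            $buffer .= "\n</table>";
            if ($compulsory_ind == 'N') {
                $buffer .= format_help_block(get_opendb_lang_var('new_passwd_will_be_autogenerated_if_not_specified'));
            }
        }
    }
    // CAPTCHA on self-service signup unless explicitly disabled in login.signup config.
    if ($HTTP_VARS['op'] == 'signup' && get_opendb_config_var('login.signup', 'disable_captcha') !== TRUE) {
        $buffer .= render_secret_image_form_field();
    }
    if (get_opendb_config_var('widgets', 'enable_javascript_validation') !== FALSE) {
        $onclick_event = "if(!checkForm(this.form)){return false;}else{this.form.submit();}";
    } else {
        $onclick_event = "this.form.submit();";
    }
    if (is_not_empty_array($user_r)) {
        $buffer .= "\n<input type=\"hidden\" name=\"op\" value=\"update\">";
        // Activate / deactivate / delete buttons only when editing someone other
        // than the current session user.
        if ($HTTP_VARS['user_id'] != get_opendb_session_var('user_id')) {
            $buffer .= "\n<input type=\"button\" class=\"button\" onclick=\"this.form.op.value='update'; {$onclick_event}\" value=\"" . get_opendb_lang_var('update_user') . "\">";
            if (is_user_not_activated($HTTP_VARS['user_id'])) {
                $buffer .= "\n<input type=\"button\" class=\"button\" onclick=\"this.form.op.value='delete'; this.form.submit();\" value=\"" . get_opendb_lang_var('delete_user') . "\">";
            } else {
                if (is_user_active($HTTP_VARS['user_id'])) {
                    $buffer .= "\n<input type=\"button\" class=\"button\" onclick=\"this.form.op.value='deactivate'; this.form.submit();\" value=\"" . get_opendb_lang_var('deactivate_user') . "\">";
                }
            }
            if (!is_user_active($HTTP_VARS['user_id'])) {
                $buffer .= "\n<input type=\"button\" class=\"button\" onclick=\"this.form.op.value='activate'; this.form.submit();\" value=\"" . get_opendb_lang_var('activate_user') . "\">";
            }
        } else {
            $buffer .= "\n<input type=\"button\" class=\"button\" onclick=\"{$onclick_event}\" value=\"" . get_opendb_lang_var('update_details') . "\">";
        }
    } else {
        if ($HTTP_VARS['op'] != 'signup') {
            if (is_valid_opendb_mailer()) {
                // Welcome-mail checkbox: pre-checked unless an admin explicitly unchecked it
                // on the new_user form.
                if ($HTTP_VARS['op'] == 'new_user') {
                    if ($HTTP_VARS['email_user'] == 'Y') {
                        $checked = "CHECKED";
                    } else {
                        $checked = "";
                    }
                } else {
                    $checked = "CHECKED";
                }
                $buffer .= "<p><input type=\"checkbox\" class=\"checkbox\" id=\"email_user\" name=\"email_user\" value=\"Y\" {$checked}>" . get_opendb_lang_var('send_welcome_email') . "</p>";
            }
            $buffer .= "\n<input type=\"hidden\" name=\"op\" value=\"insert\">" . "\n<input type=\"button\" class=\"button\" onclick=\"{$onclick_event}\" value=\"" . get_opendb_lang_var('add_user') . "\">";
        } else {
            $buffer .= "\n<input type=\"hidden\" name=\"op\" value=\"signup\">" . "<input type=\"hidden\" name=\"op2\" value=\"send_info\">" . "<input type=\"button\" class=\"button\" onclick=\"{$onclick_event}\" value=\"" . get_opendb_lang_var('submit') . "\">";
        }
    }
    $buffer .= "\n</form>";
    return $buffer;
}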
Exemple #3
require_once "./include/begin.inc.php";
include_once "./lib/JsonRpcServer.class.php";
// TODO - enable a plugin layer
include_once "./lib/jsonrpc/ItemSearch.class.php";
/**
 * Challenge the client for HTTP Basic credentials.
 *
 * Sends a WWW-Authenticate header whose realm is the HTML-escaped site title,
 * followed by a 401 status line. It does not terminate the script: whatever
 * the caller does after the challenge is still executed.
 */
function request_http_basic_auth()
{
    $realm = htmlspecialchars(get_opendb_title());
    header("WWW-Authenticate: Basic realm=\"{$realm}\"");
    header('HTTP/1.0 401 Unauthorized');
}
// JSON-RPC entry point: refuse with 503 while the site is disabled, otherwise
// require HTTP Basic credentials belonging to an active user.
if (!is_site_enabled()) {
    header('HTTP/1.0 503 Service Unavailable');
    echo "<h1>" . get_opendb_lang_var('site_is_disabled') . "</h1>";
    echo get_opendb_lang_var('site_is_disabled');
} else {
    $authenticated = FALSE;
    if (isset($_SERVER['PHP_AUTH_USER'])) {
        $userId = $_SERVER['PHP_AUTH_USER'];
        $password = $_SERVER['PHP_AUTH_PW'];
        // Inactive users are rejected before the password is ever checked.
        $authenticated = is_user_active($userId) && validate_user_passwd($userId, $password);
    }
    if ($authenticated) {
        $server = new JsonRpcServer();
        // TODO - currently no role based permissions are being performed for these services.
        $server->registerClass(new ItemSearch());
        $server->handle();
    } else {
        // Missing or rejected credentials: send the 401 challenge and fall
        // through to end.inc.php like every other path.
        request_http_basic_auth();
    }
}
// Cleanup after begin.inc.php
require_once "./include/end.inc.php";
Exemple #4
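/**
 * Check that $borrower_id names an active user who holds PERM_USER_BORROWER.
 *
 * @param string $borrower_id user id to validate; an empty value fails silently
 * @param array  $errors      receives a localised message when the user is not
 *                            active or lacks the borrower permission (by reference)
 * @return bool TRUE if the id is usable as a borrower, FALSE otherwise
 */
function validate_borrower_id($borrower_id, &$errors)
{
    // Empty id: reject without a message, as before.
    if (strlen((string) $borrower_id) == 0) {
        return FALSE;
    }
    // The messages previously interpolated $HTTP_VARS['borrower_id'], which is not
    // in scope here (undefined variable, blank id in the text); use the parameter.
    if (!is_user_active($borrower_id)) {
        $errors[] = get_opendb_lang_var('invalid_borrower_user', 'user_id', $borrower_id);
        return FALSE;
    }
    if (!is_user_granted_permission(PERM_USER_BORROWER, $borrower_id)) {
        $errors[] = get_opendb_lang_var('user_must_be_borrower', 'user_id', $borrower_id);
        return FALSE;
    }
    return TRUE;
}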
Exemple #5
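/**
 * Decide whether the current PHP session represents a live OpenDb login.
 *
 * The session is valid only when: the site is configured; the four login markers
 * (login_time, last_access_time, user_id, hash_check) are set; hash_check equals the
 * site's security_hash; neither the absolute limit (site login_timeout) nor the idle
 * limit (site idle_timeout) has elapsed - a non-numeric limit disables that check;
 * and the user is still active. On success the idle clock
 * ($_SESSION['last_access_time']) is reset to now.
 *
 * Hash mismatch and inactive user are logged; expired timeouts are not.
 *
 * @return bool TRUE for a valid session, FALSE otherwise
 */
function is_opendb_valid_session()
{
    if (!is_opendb_configured()) {
        return FALSE;
    }
    if (get_opendb_session_var('login_time') == NULL || get_opendb_session_var('last_access_time') == NULL || get_opendb_session_var('user_id') == NULL || get_opendb_session_var('hash_check') == NULL) {
        return FALSE;
    }
    $site_r = get_opendb_config_var('site');
    // A valid session as far as the variables go at least.
    // Compare as strings with hash_equals(): the former loose `==` would have
    // treated two different hashes that both parse as numbers as equal.
    if (!hash_equals((string) $site_r['security_hash'], (string) get_opendb_session_var('hash_check'))) {
        opendb_logger(OPENDB_LOG_WARN, __FILE__, __FUNCTION__, 'Invalid security-hash login invalidated');
        return FALSE;
    }
    // idle_timeout is how long between requests a login session
    // can remain valid.  If login_timeout is set, then this controls
    // how long a session can remain active overall.
    $current_time = time();
    if (is_numeric($site_r['login_timeout']) && $current_time - get_opendb_session_var('login_time') >= $site_r['login_timeout']) {
        return FALSE;
    }
    if (is_numeric($site_r['idle_timeout']) && $current_time - get_opendb_session_var('last_access_time') >= $site_r['idle_timeout']) {
        return FALSE;
    }
    if (!is_user_active(get_opendb_session_var('user_id'))) {
        opendb_logger(OPENDB_LOG_WARN, __FILE__, __FUNCTION__, 'Invalid user encountered');
        return FALSE;
    }
    // reset the time, as we are only interested in idle session tests.
    $_SESSION['last_access_time'] = $current_time;
    return TRUE;
}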
Exemple #6
<?php

include 'core/init.php';
if (empty($_POST) === false) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    if (empty($username) === true || empty($password) === true) {
        $errors[] = 'You need to enter a user name and password';
    } else {
        if (user_exists($username) === false) {
            $errors[] = 'That user name does not exist.  Please click Register below.';
        } else {
            if (is_user_active($username) === false) {
                $errors[] = 'Please check your email to activate your account';
            } else {
                if (strlen($password) > 32) {
                    //remove
                    $errors[] = 'Password too long';
                    //remove
                }
                //remove
                $login = login($username, $password);
                if ($login === false) {
                    $errors[] = 'That username and password combination is incorrect.';
                } else {
                    $_SESSION['user_id'] = $login;
                    //set the user session
                    header("Location: index.php");
                    //redirect to home
                    exit;
                }
Exemple #7
/**
 * TRUE only when $user_id names a valid, active user holding PERM_RECEIVE_EMAIL.
 * The checks run in that order and stop at the first failure, so the permission
 * lookup is skipped for unknown or inactive users.
 */
function is_user_permitted_to_receive_email($user_id)
{
    if (!is_user_valid($user_id)) {
        return FALSE;
    }
    if (!is_user_active($user_id)) {
        return FALSE;
    }
    return (bool) is_user_granted_permission(PERM_RECEIVE_EMAIL, $user_id);
}
Exemple #8
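// Per-page bootstrap: session, config and helpers, then the logged-in user's
// record plus two account gates (disabled account, forced password change).
session_start();
//error_reporting(E_ERROR | E_WARNING | E_PARSE | E_NOTICE);
require 'database.php';
require 'site_config.php';
require 'functions/password.php';
// BCRYPT hashing library
require 'functions/general.php';
require 'functions/users.php';
require 'functions/project.php';
// Basename of the running script; used to exempt pages from the forced-change redirect.
$current_file = explode('/', $_SERVER['SCRIPT_NAME']);
$current_file = end($current_file);
if (is_logged_in() === true) {
    $session_user_id = $_SESSION['user_id'];
    $user_data = get_user_data($session_user_id, 'user_id', 'username', 'password', 'first_name', 'last_name', 'email', 'password_recover', 'type', 'allow_email', 'profile', 'beta', 'active_project', 'viewed_tutorial');
    //lets me use the user data in other functions
    if (is_user_active($user_data['username']) === false) {
        //logs a user out if their account is disabled, even if they are browsing at the time
        session_destroy();
        echo '<meta HTTP-EQUIV="REFRESH" content="0; url=index.php">';
        exit;
    } else {
        if ($current_file !== 'change_password.php' && $current_file !== 'logout.php' && $user_data['password_recover'] == 1) {
            // Account is flagged for a forced password change: redirect and stop
            // here so the requested page is not rendered behind the redirect
            // (previously only the meta tag was emitted and the page continued).
            echo '<meta HTTP-EQUIV="REFRESH" content="0; url=change_password.php?force">';
            exit;
        }
    }
}
// $user_data is only set for logged-in users; empty() tolerates its absence.
if (!empty($user_data['active_project'])) {
    $activeProject = get_project($user_data['active_project']);
}
$errors = array();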
Exemple #9
     //$include_deactivated_users
 }
 // Listing header: selection checkbox, user, actions, role, and - unless the
 // listing is restricted to deleted users ('X') - the last-visit column.
 $listingObject->addHeaderColumn(NULL, 'user_id_rs', FALSE, 'checkbox');
 $listingObject->addHeaderColumn(get_opendb_lang_var('user'), 'user_id');
 $listingObject->addHeaderColumn(get_opendb_lang_var('action'));
 $listingObject->addHeaderColumn(get_opendb_lang_var('user_role'), 'role');
 if ($HTTP_VARS['restrict_active_ind'] != 'X') {
     $listingObject->addHeaderColumn(get_opendb_lang_var('last_visit'), 'lastvisit');
 }
 if ($result) {
     $v_listing_url_vars = $HTTP_VARS;
     $v_listing_url_vars['mode'] = NULL;
     unset($v_listing_url_vars['show_deactivated_users_cbox']);
     register_opendb_session_var('user_listing_url_vars', $v_listing_url_vars);
     while ($user_r = db_fetch_assoc($result)) {
         $user_is_active = is_user_active($user_r['user_id']);
         $listingObject->startRow();
         // todo - consider disabling for guest users!
         if ($HTTP_VARS['restrict_active_ind'] != 'X' ? $user_is_active : TRUE) {
             $listingObject->addCheckboxColumn($user_r['user_id'], FALSE);
         } else {
             $listingObject->addColumn();
         }
         $user_name = get_opendb_lang_var('user_name', array('fullname' => $user_r['fullname'], 'user_id' => $user_r['user_id']));
         $listingObject->addColumn('<a href="user_profile.php?uid=' . $user_r['user_id'] . '" title="' . get_opendb_lang_var('user_profile') . '">' . $user_name . '</a>');
         $action_links_rs = NULL;
         $action_links_rs[] = array(url => 'user_admin.php?op=edit&user_id=' . $user_r['user_id'], img => 'edit_user.gif', text => get_opendb_lang_var('edit'));
         if ($user_r['user_id'] != get_opendb_session_var('user_id')) {
             if ($user_r['active_ind'] == 'X') {
                 $action_links_rs[] = array(url => 'user_admin.php?op=delete&user_id=' . $user_r['user_id'], img => 'delete_user.gif', text => get_opendb_lang_var('delete_user'));
             } else {