echo lang_get('update_user_button'); ?> " /> </td> </tr> </table> </form> </div> <br /> <!-- RESET AND DELETE --> <?php $t_reset = $t_user['id'] != auth_get_current_user_id() && helper_call_custom_function('auth_can_change_password', array()); $t_unlock = OFF != config_get('max_failed_login_count') && $t_user['failed_login_count'] > 0; $t_delete = !(user_is_administrator($t_user_id) && user_count_level(config_get_global('admin_site_threshold')) <= 1); if ($t_reset || $t_unlock || $t_delete) { ?> <div class="border center"> <!-- Reset/Unlock Button --> <?php if ($t_reset || $t_unlock) { ?> <form method="post" action="manage_user_reset.php"> <?php echo form_security_field('manage_user_reset'); ?> <input type="hidden" name="user_id" value="<?php echo $t_user['id']; ?>
user_ensure_realname_valid($f_realname); user_ensure_realname_unique($f_username, $f_realname); $f_email = email_append_domain($f_email); email_ensure_valid($f_email); $c_email = db_prepare_string($f_email); $c_username = db_prepare_string($f_username); $c_realname = db_prepare_string($f_realname); $c_protected = db_prepare_bool($f_protected); $c_enabled = db_prepare_bool($f_enabled); $c_user_id = db_prepare_int($f_user_id); $c_access_level = db_prepare_int($f_access_level); $t_user_table = config_get('mantis_user_table'); $t_old_protected = user_get_field($f_user_id, 'protected'); # check that we are not downgrading the last administrator $t_old_access = user_get_field($f_user_id, 'access_level'); if (ADMINISTRATOR == $t_old_access && $t_old_access != $f_access_level && 1 >= user_count_level(ADMINISTRATOR)) { trigger_error(ERROR_USER_CHANGE_LAST_ADMIN, ERROR); } # Project specific access rights override global levels, hence, for users who are changed # to be administrators, we have to remove project specific rights. if ($c_access_level >= ADMINISTRATOR && !user_is_administrator($c_user_id)) { user_delete_project_specific_access_levels($c_user_id); } # if the user is already protected and the admin is not removing the # protected flag then don't update the access level and enabled flag. # If the user was unprotected or the protected flag is being turned off # then proceed with a full update. if ($f_protected && $t_old_protected) { $query = "UPDATE {$t_user_table}\n\t \t\tSET username='******', email='{$c_email}',\n\t \t\t\tprotected='{$c_protected}', realname='{$c_realname}'\n\t \t\tWHERE id='{$c_user_id}'"; } else { $query = "UPDATE {$t_user_table}\n\t \t\tSET username='******', email='{$c_email}',\n\t \t\t\taccess_level='{$c_access_level}', enabled='{$c_enabled}',\n\t \t\t\tprotected='{$c_protected}', realname='{$c_realname}'\n\t \t\tWHERE id='{$c_user_id}'";
*/ /** * MantisBT Core API's */ require_once 'core.php'; form_security_validate('account_delete'); auth_ensure_user_authenticated(); current_user_ensure_unprotected(); # Only allow users to delete their own accounts if allow_account_delete = ON or # the user has permission to manage user accounts. if (OFF == config_get('allow_account_delete') && !access_has_global_level(config_get('manage_user_threshold'))) { print_header_redirect('account_page.php'); } # check that we are not deleting the last administrator account $t_admin_threshold = config_get_global('admin_site_threshold'); if (current_user_is_administrator() && user_count_level($t_admin_threshold) <= 1) { trigger_error(ERROR_USER_CHANGE_LAST_ADMIN, ERROR); } helper_ensure_confirmed(lang_get('confirm_delete_msg'), lang_get('delete_account_button')); form_security_purge('account_delete'); $t_user_id = auth_get_current_user_id(); auth_logout(); user_delete($t_user_id); html_page_top1(); html_page_top2a(); ?> <br /> <div align="center"> <?php echo lang_get('account_removed_msg') . '<br />';
} $c_email = $t_email; $c_username = $f_username; $c_realname = $t_realname; $c_protected = db_prepare_bool($f_protected); $c_enabled = db_prepare_bool($f_enabled); $c_user_id = db_prepare_int($f_user_id); $c_access_level = db_prepare_int($f_access_level); $t_user_table = db_get_table('user'); $t_old_protected = $t_user['protected']; # Ensure that users aren't escalating privileges of accounts beyond their # own global access level. access_ensure_global_level($f_access_level); # check that we are not downgrading the last administrator $t_admin_threshold = config_get_global('admin_site_threshold'); if (user_is_administrator($f_user_id) && $f_access_level < $t_admin_threshold && user_count_level($t_admin_threshold) <= 1) { trigger_error(ERROR_USER_CHANGE_LAST_ADMIN, ERROR); } # Project specific access rights override global levels, hence, for users who are changed # to be administrators, we have to remove project specific rights. if ($f_access_level >= $t_admin_threshold && !user_is_administrator($f_user_id)) { user_delete_project_specific_access_levels($f_user_id); } # if the user is already protected and the admin is not removing the # protected flag then don't update the access level and enabled flag. # If the user was unprotected or the protected flag is being turned off # then proceed with a full update. $query_params = array(); if ($f_protected && $t_old_protected) { $query = "UPDATE {$t_user_table}\n\t\t\tSET username="******", email=" . db_param() . ",\n\t\t\t\tprotected=" . db_param() . ", realname=" . db_param() . "\n\t\t\tWHERE id=" . db_param(); $query_params = array($c_username, $c_email, $c_protected, $c_realname, $c_user_id);
auth_reauthenticate(); access_ensure_global_level( config_get( 'manage_user_threshold' ) ); $f_user_id = gpc_get_int( 'user_id' ); $t_user = user_get_row( $f_user_id ); # Ensure that the account to be deleted is of equal or lower access to the # current user. access_ensure_global_level( $t_user['access_level'] ); # check that we are not deleting the last administrator account $t_admin_threshold = config_get_global( 'admin_site_threshold' ); if ( user_is_administrator( $f_user_id ) && user_count_level( $t_admin_threshold ) <= 1 ) { trigger_error( ERROR_USER_CHANGE_LAST_ADMIN, ERROR ); } # If an administrator is trying to delete their own account, use # account_delete.php instead as it is handles logging out and redirection # of users who have just deleted their own accounts. if ( auth_get_current_user_id() == $f_user_id ) { form_security_purge( 'manage_user_delete' ); print_header_redirect( 'account_delete.php?account_delete_token=' . form_security_token( 'account_delete' ), true, false ); } helper_ensure_confirmed( lang_get( 'delete_account_sure_msg' ) . '<br/>' . lang_get( 'username_label' ) . lang_get( 'word_separator' ) . $t_user['username'], lang_get( 'delete_account_button' ) );
email_ensure_not_disposable($t_email); } $c_email = $t_email; $c_username = $f_username; $c_realname = $t_realname; $c_protected = (bool) $f_protected; $c_enabled = (bool) $f_enabled; $c_user_id = (int) $f_user_id; $c_access_level = (int) $f_access_level; $t_old_protected = $t_user['protected']; # Ensure that users aren't escalating privileges of accounts beyond their # own global access level. access_ensure_global_level($f_access_level); # check that we are not downgrading the last administrator $t_admin_threshold = config_get_global('admin_site_threshold'); if (user_is_administrator($f_user_id) && user_count_level($t_admin_threshold, true) <= 1) { if ($f_access_level < $t_admin_threshold || $c_enabled === false) { trigger_error(ERROR_USER_CHANGE_LAST_ADMIN, ERROR); } } # Project specific access rights override global levels, hence, for users who are changed # to be administrators, we have to remove project specific rights. if ($f_access_level >= $t_admin_threshold && !user_is_administrator($f_user_id)) { user_delete_project_specific_access_levels($f_user_id); } # if the user is already protected and the admin is not removing the # protected flag then don't update the access level and enabled flag. # If the user was unprotected or the protected flag is being turned off # then proceed with a full update. $t_query_params = array(); if ($f_protected && $t_old_protected) {
</form> </div> <div id="manage-user-actions-div" class="form-container"> <?php if( helper_call_custom_function( 'auth_can_change_password', array() ) ) { ?> <form id="manage-user-reset-form" method="post" action="manage_user_reset.php" class="action-button"> <fieldset> <?php echo form_security_field( 'manage_user_reset' ) ?> <input type="hidden" name="user_id" value="<?php echo $t_user['id'] ?>" /> <span><input type="submit" class="button" value="<?php echo lang_get( 'reset_password_button' ) ?>" /></span> </fieldset> </form> <?php } ?> <!-- Delete Button --> <?php if ( !( ( user_is_administrator( $t_user_id ) && ( user_count_level( config_get_global( 'admin_site_threshold' ) ) <= 1 ) ) ) ) { ?> <form id="manage-user-delete-form" method="post" action="manage_user_delete.php" class="action-button"> <fieldset> <?php echo form_security_field( 'manage_user_delete' ) ?> <input type="hidden" name="user_id" value="<?php echo $t_user['id'] ?>" /> <span><input type="submit" class="button" value="<?php echo lang_get( 'delete_user_button' ) ?>" /></span> </fieldset> </form> <?php } ?> </div> <?php if( !$t_ldap ) { ?> <div class="important-msg"> <?php if ( ( ON == config_get( 'send_reset_password' ) ) && ( ON == config_get( 'enable_email_notification' ) ) ) { echo lang_get( 'reset_password_msg' );
<?php echo form_security_field('manage_user_reset'); ?> <input type="hidden" name="user_id" value="<?php echo $t_user['id']; ?> " /> <input type="submit" class="button" value="<?php echo lang_get('reset_password_button'); ?> " /> </form> <!-- Delete Button --> <?php if (!(ADMINISTRATOR <= $t_user['access_level'] && 1 >= user_count_level(ADMINISTRATOR))) { ?> <form method="post" action="manage_user_delete.php"> <?php echo form_security_field('manage_user_delete'); ?> <input type="hidden" name="user_id" value="<?php echo $t_user['id']; ?> " /> <input type="submit" class="button" value="<?php echo lang_get('delete_user_button'); ?> " /> </form>