pwg_db_check_charset(); $webmaster = trim(preg_replace('/\\s{2,}/', ' ', $admin_name)); if (empty($webmaster)) { $errors[] = l10n('enter a login for webmaster'); } else { if (preg_match('/[\'"]/', $webmaster)) { $errors[] = l10n('webmaster login can\'t contain characters \' or "'); } } if ($admin_pass1 != $admin_pass2 || empty($admin_pass1)) { $errors[] = l10n('please enter your password again'); } if (empty($admin_mail)) { $errors[] = l10n('mail address must be like xxx@yyy.eee (example : jack@altern.org)'); } else { $error_mail_address = validate_mail_address(null, $admin_mail); if (!empty($error_mail_address)) { $errors[] = $error_mail_address; } } if (count($errors) == 0) { $step = 2; $file_content = '<?php $conf[\'dblayer\'] = \'' . $dblayer . '\'; $conf[\'db_base\'] = \'' . $dbname . '\'; $conf[\'db_user\'] = \'' . $dbuser . '\'; $conf[\'db_password\'] = \'' . $dbpasswd . '\'; $conf[\'db_host\'] = \'' . $dbhost . '\'; $prefixeTable = \'' . $prefixeTable . '\';
function save_profile_from_post($userdata, &$errors) { global $conf, $page; $errors = array(); if (!isset($_POST['validate'])) { return false; } $special_user = in_array($userdata['id'], array($conf['guest_id'], $conf['default_user_id'])); if ($special_user) { unset($_POST['username'], $_POST['mail_address'], $_POST['password'], $_POST['use_new_pwd'], $_POST['passwordConf'], $_POST['theme'], $_POST['language']); $_POST['theme'] = get_default_theme(); $_POST['language'] = get_default_language(); } if (!defined('IN_ADMIN')) { unset($_POST['username']); } if ($conf['allow_user_customization'] or defined('IN_ADMIN')) { $int_pattern = '/^\\d+$/'; if (empty($_POST['nb_image_page']) or !preg_match($int_pattern, $_POST['nb_image_page'])) { $errors[] = l10n('The number of photos per page must be a not null scalar'); } // periods must be integer values, they represents number of days if (!preg_match($int_pattern, $_POST['recent_period']) or $_POST['recent_period'] < 0) { $errors[] = l10n('Recent period must be a positive integer value'); } if (!in_array($_POST['language'], array_keys(get_languages()))) { die('Hacking attempt, incorrect language value'); } if (!in_array($_POST['theme'], array_keys(get_pwg_themes()))) { die('Hacking attempt, incorrect theme value'); } } if (isset($_POST['mail_address'])) { // if $_POST and $userdata have are same email // validate_mail_address allows, however, to check email $mail_error = validate_mail_address($userdata['id'], $_POST['mail_address']); if (!empty($mail_error)) { $errors[] = $mail_error; } } if (!empty($_POST['use_new_pwd'])) { // password must be the same as its confirmation if ($_POST['use_new_pwd'] != $_POST['passwordConf']) { $errors[] = l10n('The passwords do not match'); } if (!defined('IN_ADMIN')) { // changing password requires old password $query = ' SELECT ' . $conf['user_fields']['password'] . ' AS password FROM ' . USERS_TABLE . ' WHERE ' . $conf['user_fields']['id'] . ' = \'' . $userdata['id'] . '\' ;'; list($current_password) = pwg_db_fetch_row(pwg_query($query)); if (!$conf['password_verify']($_POST['password'], $current_password)) { $errors[] = l10n('Current password is wrong'); } } } if (count($errors) == 0) { // mass_updates function include_once PHPWG_ROOT_PATH . 'admin/include/functions.php'; if (isset($_POST['mail_address'])) { // update common user informations $fields = array($conf['user_fields']['email']); $data = array(); $data[$conf['user_fields']['id']] = $userdata['id']; $data[$conf['user_fields']['email']] = $_POST['mail_address']; // password is updated only if filled if (!empty($_POST['use_new_pwd'])) { $fields[] = $conf['user_fields']['password']; // password is hashed with function $conf['password_hash'] $data[$conf['user_fields']['password']] = $conf['password_hash']($_POST['use_new_pwd']); } // username is updated only if allowed if (!empty($_POST['username'])) { if ($_POST['username'] != $userdata['username'] and get_userid($_POST['username'])) { $page['errors'][] = l10n('this login is already used'); unset($_POST['redirect']); } else { $fields[] = $conf['user_fields']['username']; $data[$conf['user_fields']['username']] = $_POST['username']; // send email to the user if ($_POST['username'] != $userdata['username']) { include_once PHPWG_ROOT_PATH . 'include/functions_mail.inc.php'; switch_lang_to($userdata['language']); $keyargs_content = array(get_l10n_args('Hello', ''), get_l10n_args('Your username has been successfully changed to : %s', $_POST['username'])); pwg_mail($_POST['mail_address'], array('subject' => '[' . $conf['gallery_title'] . '] ' . l10n('Username modification'), 'content' => l10n_args($keyargs_content), 'content_format' => 'text/plain')); switch_lang_back(); } } } mass_updates(USERS_TABLE, array('primary' => array($conf['user_fields']['id']), 'update' => $fields), array($data)); } if ($conf['allow_user_customization'] or defined('IN_ADMIN')) { // update user "additional" informations (specific to Piwigo) $fields = array('nb_image_page', 'language', 'expand', 'show_nb_hits', 'recent_period', 'theme'); if ($conf['activate_comments']) { $fields[] = 'show_nb_comments'; } $data = array(); $data['user_id'] = $userdata['id']; foreach ($fields as $field) { if (isset($_POST[$field])) { $data[$field] = $_POST[$field]; } } mass_updates(USER_INFOS_TABLE, array('primary' => array('user_id'), 'update' => $fields), array($data)); } trigger_notify('save_profile_from_post', $userdata['id']); if (!empty($_POST['redirect'])) { redirect($_POST['redirect']); } } return true; }
/** * Creates a new user. * * @param string $login * @param string $password * @param string $mail_adress * @param bool $notify_admin * @param array &$errors populated with error messages * @param bool $notify_user * @return int|false user id or false */ function register_user($login, $password, $mail_address, $notify_admin = true, &$errors = array(), $notify_user = false) { global $conf; if ($login == '') { $errors[] = l10n('Please, enter a login'); } if (preg_match('/^.* $/', $login)) { $errors[] = l10n('login mustn\'t end with a space character'); } if (preg_match('/^ .*$/', $login)) { $errors[] = l10n('login mustn\'t start with a space character'); } if (get_userid($login)) { $errors[] = l10n('this login is already used'); } if ($login != strip_tags($login)) { $errors[] = l10n('html tags are not allowed in login'); } $mail_error = validate_mail_address(null, $mail_address); if ('' != $mail_error) { $errors[] = $mail_error; } if ($conf['insensitive_case_logon'] == true) { $login_error = validate_login_case($login); if ($login_error != '') { $errors[] = $login_error; } } $errors = trigger_change('register_user_check', $errors, array('username' => $login, 'password' => $password, 'email' => $mail_address)); // if no error until here, registration of the user if (count($errors) == 0) { $insert = array($conf['user_fields']['username'] => pwg_db_real_escape_string($login), $conf['user_fields']['password'] => $conf['password_hash']($password), $conf['user_fields']['email'] => $mail_address); single_insert(USERS_TABLE, $insert); $user_id = pwg_db_insert_id(); // Assign by default groups $query = ' SELECT id FROM ' . GROUPS_TABLE . ' WHERE is_default = \'' . boolean_to_string(true) . '\' ORDER BY id ASC ;'; $result = pwg_query($query); $inserts = array(); while ($row = pwg_db_fetch_assoc($result)) { $inserts[] = array('user_id' => $user_id, 'group_id' => $row['id']); } if (count($inserts) != 0) { mass_inserts(USER_GROUP_TABLE, array('user_id', 'group_id'), $inserts); } $override = array(); if ($language = get_browser_language()) { $override['language'] = $language; } create_user_infos($user_id, $override); if ($notify_admin and $conf['email_admin_on_new_user']) { include_once PHPWG_ROOT_PATH . 'include/functions_mail.inc.php'; $admin_url = get_absolute_root_url() . 'admin.php?page=user_list&username='******'User: %s', stripslashes($login)), get_l10n_args('Email: %s', $mail_address), get_l10n_args(''), get_l10n_args('Admin: %s', $admin_url)); pwg_mail_notification_admins(get_l10n_args('Registration of %s', stripslashes($login)), $keyargs_content); } if ($notify_user and email_check_format($mail_address)) { include_once PHPWG_ROOT_PATH . 'include/functions_mail.inc.php'; $keyargs_content = array(get_l10n_args('Hello %s,', stripslashes($login)), get_l10n_args('Thank you for registering at %s!', $conf['gallery_title']), get_l10n_args('', ''), get_l10n_args('Here are your connection settings', ''), get_l10n_args('', ''), get_l10n_args('Link: %s', get_absolute_root_url()), get_l10n_args('Username: %s', stripslashes($login)), get_l10n_args('Password: %s', stripslashes($password)), get_l10n_args('Email: %s', $mail_address), get_l10n_args('', ''), get_l10n_args('If you think you\'ve received this email in error, please contact us at %s', get_webmaster_mail_address())); pwg_mail($mail_address, array('subject' => '[' . $conf['gallery_title'] . '] ' . l10n('Registration'), 'content' => l10n_args($keyargs_content), 'content_format' => 'text/plain')); } trigger_notify('register_user', array('id' => $user_id, 'username' => $login, 'email' => $mail_address)); return $user_id; } else { return false; } }
/** * API method * Updates users * @param mixed[] $params * @option int[] user_id * @option string username (optional) * @option string password (optional) * @option string email (optional) * @option string status (optional) * @option int level (optional) * @option string language (optional) * @option string theme (optional) * @option int nb_image_page (optional) * @option int recent_period (optional) * @option bool expand (optional) * @option bool show_nb_comments (optional) * @option bool show_nb_hits (optional) * @option bool enabled_high (optional) */ function ws_users_setInfo($params, &$service) { if (get_pwg_token() != $params['pwg_token']) { return new PwgError(403, 'Invalid security token'); } global $conf, $user; include_once PHPWG_ROOT_PATH . 'admin/include/functions.php'; $updates = $updates_infos = array(); $update_status = null; if (count($params['user_id']) == 1) { if (get_username($params['user_id'][0]) === false) { return new PwgError(WS_ERR_INVALID_PARAM, 'This user does not exist.'); } if (!empty($params['username'])) { $user_id = get_userid($params['username']); if ($user_id and $user_id != $params['user_id'][0]) { return new PwgError(WS_ERR_INVALID_PARAM, l10n('this login is already used')); } if ($params['username'] != strip_tags($params['username'])) { return new PwgError(WS_ERR_INVALID_PARAM, l10n('html tags are not allowed in login')); } $updates[$conf['user_fields']['username']] = $params['username']; } if (!empty($params['email'])) { if (($error = validate_mail_address($params['user_id'][0], $params['email'])) != '') { return new PwgError(WS_ERR_INVALID_PARAM, $error); } $updates[$conf['user_fields']['email']] = $params['email']; } if (!empty($params['password'])) { $updates[$conf['user_fields']['password']] = $conf['password_hash']($params['password']); } } if (!empty($params['status'])) { if (in_array($params['status'], array('webmaster', 'admin')) and !is_webmaster()) { return new PwgError(403, 'Only webmasters can grant "webmaster/admin" status'); } if (!in_array($params['status'], array('guest', 'generic', 'normal', 'admin', 'webmaster'))) { return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid status'); } $protected_users = array($user['id'], $conf['guest_id'], $conf['webmaster_id']); // an admin can't change status of other admin/webmaster if ('admin' == $user['status']) { $query = ' SELECT user_id FROM ' . USER_INFOS_TABLE . ' WHERE status IN (\'webmaster\', \'admin\') ;'; $protected_users = array_merge($protected_users, query2array($query, null, 'user_id')); } // status update query is separated from the rest as not applying to the same // set of users (current, guest and webmaster can't be changed) $params['user_id_for_status'] = array_diff($params['user_id'], $protected_users); $update_status = $params['status']; } if (!empty($params['level']) or @$params['level'] === 0) { if (!in_array($params['level'], $conf['available_permission_levels'])) { return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid level'); } $updates_infos['level'] = $params['level']; } if (!empty($params['language'])) { if (!in_array($params['language'], array_keys(get_languages()))) { return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid language'); } $updates_infos['language'] = $params['language']; } if (!empty($params['theme'])) { if (!in_array($params['theme'], array_keys(get_pwg_themes()))) { return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid theme'); } $updates_infos['theme'] = $params['theme']; } if (!empty($params['nb_image_page'])) { $updates_infos['nb_image_page'] = $params['nb_image_page']; } if (!empty($params['recent_period']) or @$params['recent_period'] === 0) { $updates_infos['recent_period'] = $params['recent_period']; } if (!empty($params['expand']) or @$params['expand'] === false) { $updates_infos['expand'] = boolean_to_string($params['expand']); } if (!empty($params['show_nb_comments']) or @$params['show_nb_comments'] === false) { $updates_infos['show_nb_comments'] = boolean_to_string($params['show_nb_comments']); } if (!empty($params['show_nb_hits']) or @$params['show_nb_hits'] === false) { $updates_infos['show_nb_hits'] = boolean_to_string($params['show_nb_hits']); } if (!empty($params['enabled_high']) or @$params['enabled_high'] === false) { $updates_infos['enabled_high'] = boolean_to_string($params['enabled_high']); } // perform updates single_update(USERS_TABLE, $updates, array($conf['user_fields']['id'] => $params['user_id'][0])); if (isset($update_status) and count($params['user_id_for_status']) > 0) { $query = ' UPDATE ' . USER_INFOS_TABLE . ' SET status = "' . $update_status . '" WHERE user_id IN(' . implode(',', $params['user_id_for_status']) . ') ;'; pwg_query($query); } if (count($updates_infos) > 0) { $query = ' UPDATE ' . USER_INFOS_TABLE . ' SET '; $first = true; foreach ($updates_infos as $field => $value) { if (!$first) { $query .= ', '; } else { $first = false; } $query .= $field . ' = "' . $value . '"'; } $query .= ' WHERE user_id IN(' . implode(',', $params['user_id']) . ') ;'; pwg_query($query); } // manage association to groups if (!empty($params['group_id'])) { $query = ' DELETE FROM ' . USER_GROUP_TABLE . ' WHERE user_id IN (' . implode(',', $params['user_id']) . ') ;'; pwg_query($query); // we remove all provided groups that do not really exist $query = ' SELECT id FROM ' . GROUPS_TABLE . ' WHERE id IN (' . implode(',', $params['group_id']) . ') ;'; $group_ids = array_from_query($query, 'id'); // if only -1 (a group id that can't exist) is in the list, then no // group is associated if (count($group_ids) > 0) { $inserts = array(); foreach ($group_ids as $group_id) { foreach ($params['user_id'] as $user_id) { $inserts[] = array('user_id' => $user_id, 'group_id' => $group_id); } } mass_inserts(USER_GROUP_TABLE, array_keys($inserts[0]), $inserts); } } invalidate_user_cache(); return $service->invoke('pwg.users.getList', array('user_id' => $params['user_id'], 'display' => 'basics,' . implode(',', array_keys($updates_infos)))); }