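public function save_user($user_id, $data, $from_public = false) {
    // Creates or updates a user/contact row from an untrusted form submission.
    //
    // $user_id     existing user_id to update, or 0/false to insert. Forced to 0 when
    //              $from_public is set, so a public caller can never target an existing row.
    // $data        column => value map handed to update_insert(). Password fields are
    //              resolved here (password_new / password_new1+2 + password_old) and the
    //              caller can never write the 'password' column directly.
    // $from_public true for unauthenticated callers: skips the can_i() checks and the
    //              customer/vendor ownership validation.
    //
    // Returns the saved user_id, or false after set_error() when a permission check fails.
    // Role and permission assignment is read from $_REQUEST rather than $data (see the
    // security note further down).
    $use_master_key = $this->get_contact_master_key(); // 'customer_id' or 'vendor_id' (or empty)

    if ($from_public) {
        $user_id = 0;
    } else {
        $is_contact = $use_master_key && isset($data[$use_master_key]) && $data[$use_master_key];
        if ($is_contact) {
            if (!module_user::can_i('edit', 'Contacts', 'Customer')) {
                set_error('Unable to edit contacts.');
                return false;
            }
        } else if (!self::can_i('edit', 'Users', 'Config')) {
            set_error('Unable to edit users.');
            return false;
        }
        $user_id = (int) $user_id;
    }

    $temp_user = array();
    if ($user_id > 0) {
        // Load the existing row. A failed lookup, an id mismatch, or a permission-restricted
        // record (_perms present) means we are not allowed to update it; fall through to the
        // "new record" path so the create permission is enforced instead.
        $temp_user = $this->get_user($user_id, true, false);
        if (!$temp_user || $temp_user['user_id'] != $user_id || isset($temp_user['_perms'])) {
            $user_id = false;
        }
    }

    if (!$user_id && !$from_public) {
        if ($use_master_key && isset($data[$use_master_key]) && $data[$use_master_key]) {
            if (!module_user::can_i('create', 'Contacts', 'Customer')) {
                set_error('Unable to create new contacts.');
                return false;
            }
        } else if (!self::can_i('create', 'Users', 'Config')) {
            set_error('Unable to create new users.');
            return false;
        }
    } else if ($user_id == 1 && module_security::get_loggedin_id() != 1) {
        // Fix: the original only set the error and then carried on saving, so any user with
        // the 'edit Users' permission could still overwrite the administrator account.
        set_error('Sorry only the administrator can modify this account');
        return false;
    }

    if (!$from_public) {
        // A customer/vendor assignment that does not resolve to a real record is dropped.
        if (isset($data['customer_id']) && (int) $data['customer_id'] > 0) {
            $temp_customer = module_customer::get_customer($data['customer_id']);
            if (!$temp_customer || $temp_customer['customer_id'] != $data['customer_id']) {
                unset($data['customer_id']);
            }
        }
        if (isset($data['vendor_id']) && (int) $data['vendor_id'] > 0) {
            $temp_vendor = module_vendor::get_vendor($data['vendor_id']);
            if (!$temp_vendor || $temp_vendor['vendor_id'] != $data['vendor_id']) {
                unset($data['vendor_id']);
            }
        }
    }

    // The stored password is only ever derived below, never taken from the caller as-is.
    unset($data['password']);

    if (isset($data['password_new']) && strlen($data['password_new'])) {
        // Password set without the old one (same rules as user_admin_edit_login.php):
        // new account, account with no password yet, 'Users Passwords' create permission,
        // or a valid reset token for this account.
        $may_set = !$user_id
            || (isset($temp_user['password']) && !$temp_user['password'])
            || module_user::can_i('create', 'Users Passwords', 'Config');
        if (!$may_set && isset($_REQUEST['reset_password']) && is_string($_REQUEST['reset_password'])) {
            // Strict, constant-time token comparison. The original used ==, which is subject
            // to PHP string/number juggling (e.g. two "0e..." strings compare equal).
            $expected = (string) module_security::get_auto_login_string($user_id);
            $may_set = function_exists('hash_equals')
                ? hash_equals($expected, $_REQUEST['reset_password'])
                : $expected === $_REQUEST['reset_password'];
        }
        if ($may_set) {
            $data['password'] = $data['password_new'];
        } else {
            set_error('Sorry, no permissions to set a new password.');
        }
    } else if ($user_id && isset($data['password_new1']) && isset($data['password_new2']) && strlen($data['password_new1'])) {
        // The user (or a password admin) is changing a password and must supply the old one.
        if (module_user::can_i('edit', 'Users Passwords', 'Config') || $user_id == module_security::get_loggedin_id()) {
            $stored = isset($temp_user['password']) ? (string) $temp_user['password'] : '';
            $old = isset($data['password_old']) ? (string) $data['password_old'] : null;
            // Strict comparisons instead of == (see the reset-token note above).
            // NOTE(review): the second clause accepts a stored value that was never hashed
            // (legacy/imported rows) — but it also means a leaked md5 digest can be submitted
            // as the "old password". Remove it once every stored password is hashed.
            if ($old !== null && (md5($old) === $stored || $old === $stored)) {
                if ($data['password_new1'] === $data['password_new2']) {
                    $data['password'] = $data['password_new1'];
                } else {
                    set_error('Verified password mismatch. Password unchanged.');
                }
            } else {
                set_error('Old password does not match. Password unchanged.');
            }
        } else {
            set_error('No permissions to change passwords');
        }
    }

    if (isset($data['password']) && strlen($data['password']) > 0) {
        // Unsalted md5 is what the login check and the customer import expect. Moving to
        // password_hash()/password_verify() has to be done in all of those places at once,
        // so it is deliberately not changed here.
        $data['password'] = md5($data['password']);
    }

    $user_id = update_insert("user_id", $user_id, "user", $data);

    // Keep the customer/vendor "primary contact" pointer in sync with this user.
    if ($use_master_key && isset($data[$use_master_key]) && $data[$use_master_key] && $user_id) {
        if (isset($data['customer_primary']) && $data['customer_primary']) {
            switch ($use_master_key) {
                case 'customer_id':
                    module_customer::set_primary_user_id($data['customer_id'], $user_id);
                    break;
                case 'vendor_id':
                    module_vendor::set_primary_user_id($data['vendor_id'], $user_id);
                    break;
            }
        } else {
            // Not primary any more: clear the pointer only if it currently points at this user.
            switch ($use_master_key) {
                case 'customer_id':
                    $customer_data = module_customer::get_customer($data['customer_id']);
                    if (isset($customer_data['primary_user_id']) && $customer_data['primary_user_id'] == $user_id) {
                        module_customer::set_primary_user_id($data['customer_id'], 0);
                    }
                    break;
                case 'vendor_id':
                    $vendor_data = module_vendor::get_vendor($data['vendor_id']);
                    if (isset($vendor_data['primary_user_id']) && $vendor_data['primary_user_id'] == $user_id) {
                        module_vendor::set_primary_user_id($data['vendor_id'], 0);
                    }
                    break;
            }
        }
    }

    if (!$from_public) {
        // Linked accounts: a user may only be linked to other contacts that share its email
        // address; the requested ids are checked against that list before anything is written.
        if ($user_id && isset($data['link_customers']) && $data['link_customers'] == 'yes'
            && isset($data['link_user_ids']) && is_array($data['link_user_ids'])
            && isset($data['email']) && $data['email']) {
            $same_email_contacts = module_user::get_contacts(array('email' => $data['email']));
            foreach ($data['link_user_ids'] as $link_user_id) {
                if (!(int) $link_user_id || $link_user_id == $user_id) {
                    continue;
                }
                foreach ($same_email_contacts as $other) {
                    if ($other['user_id'] == $link_user_id) {
                        $sql = "REPLACE INTO `" . _DB_PREFIX . "user_customer_rel` SET user_id = '" . (int) $link_user_id . "', customer_id = '" . (int) $other['customer_id'] . "', `primary` = " . (int) $user_id;
                        query($sql);
                        update_insert('user_id', $link_user_id, 'user', array('linked_parent_user_id' => $user_id));
                    }
                }
            }
            update_insert('user_id', $user_id, 'user', array('linked_parent_user_id' => $user_id));
        }
        if ($user_id && isset($data['unlink']) && $data['unlink'] == 'yes') {
            $sql = "DELETE FROM `" . _DB_PREFIX . "user_customer_rel` WHERE user_id = '" . (int) $user_id . "'";
            query($sql);
            update_insert('user_id', $user_id, 'user', array('linked_parent_user_id' => 0));
        }

        handle_hook("address_block_save", $this, "physical", "user", "user_id", $user_id);
        handle_hook("address_block_save", $this, "postal", "user", "user_id", $user_id);
        if (class_exists('module_extra', false) && module_extra::is_plugin_enabled()) {
            module_extra::save_extras('user', 'user_id', $user_id);
        }

        // SECURITY NOTE: role_id / role / permission below come straight from $_REQUEST.
        // The only gate is the edit/create check at the top of this method, which a user with
        // 'edit Contacts' or 'edit Users' satisfies — so such a user can assign any role or
        // permission set, including to their own account. A dedicated permission check for
        // role/permission assignment is still needed here (confirm which permission the app
        // intends before adding it).
        $user_data = $this->get_user($user_id);
        $previous_user_roles = isset($user_data['roles']) ? $user_data['roles'] : array();
        $re_save_role_perms = false;
        // Only a single role is supported; role_id replaces whatever was there.
        if (isset($_REQUEST['role_id'])) {
            $sql = "DELETE FROM `" . _DB_PREFIX . "user_role` WHERE user_id = '" . (int) $user_id . "'";
            query($sql);
            if ((int) $_REQUEST['role_id'] > 0) {
                if (!isset($previous_user_roles[$_REQUEST['role_id']])) {
                    $re_save_role_perms = (int) $_REQUEST['role_id'];
                }
                $_REQUEST['role'] = array($_REQUEST['role_id'] => 1);
            }
        }
        if (isset($_REQUEST['role']) && is_array($_REQUEST['role'])) {
            foreach ($_REQUEST['role'] as $role_id => $tf) {
                $this->add_user_to_role($user_id, $role_id);
            }
        }

        if ($re_save_role_perms) {
            // A new role was assigned: per-user permissions are ignored while a role is set,
            // so just clear them (role permissions are no longer copied into user_perm).
            $sql = "DELETE FROM `" . _DB_PREFIX . "user_perm` WHERE user_id = " . (int) $user_id;
            query($sql);
        } else if (isset($_REQUEST['permission']) && is_array($_REQUEST['permission'])) {
            $sql = "DELETE FROM `" . _DB_PREFIX . "user_perm` WHERE user_id = '" . (int) $user_id . "'";
            query($sql);
            foreach ($_REQUEST['permission'] as $security_permission_id => $permissions) {
                // Column names are taken only from the module's own whitelist, never from the
                // request, so no further escaping is needed for them.
                $actions = array();
                foreach (module_security::$available_permissions as $permission) {
                    if (isset($permissions[$permission]) && $permissions[$permission]) {
                        $actions[$permission] = 1;
                    }
                }
                $sql = "REPLACE INTO `" . _DB_PREFIX . "user_perm` SET user_id = '" . (int) $user_id . "', security_permission_id = '" . (int) $security_permission_id . "' ";
                foreach ($actions as $permission => $tf) {
                    $sql .= ", `" . $permission . "` = 1";
                }
                query($sql);
            }
        }

        // Company membership, when the company module is enabled and the caller may edit it.
        if (class_exists('module_company', false) && module_company::can_i('edit', 'Company')
            && module_company::is_enabled() && module_user::can_i('edit', 'User')) {
            if (isset($_REQUEST['available_user_company']) && is_array($_REQUEST['available_user_company'])) {
                $selected_companies = isset($_POST['user_company']) && is_array($_POST['user_company']) ? $_POST['user_company'] : array();
                foreach ($_REQUEST['available_user_company'] as $company_id => $tf) {
                    if (!isset($selected_companies[$company_id]) || !$selected_companies[$company_id]) {
                        module_company::delete_user($company_id, $user_id);
                    } else {
                        module_company::add_user_to_company($company_id, $user_id);
                    }
                }
            }
        }
    }

    module_cache::clear('user');
    return $user_id;
}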