} else { ?> <?php echo I18N::translate('Nothing found to cleanup'); ?> <?php } ?> </p> </form> <?php break; case 'cleanup2': foreach (User::all() as $user) { if (Filter::post('del_' . $user->getUserId()) == '1') { Log::addAuthenticationLog('Deleted user: '******'The user %s has been deleted.', Filter::escapeHtml($user->getUserName())); } } header('Location: ' . WT_BASE_URL . WT_SCRIPT_NAME); break; default: $controller->setPageTitle(I18N::translate('User administration'))->addExternalJavascript(WT_JQUERY_DATATABLES_JS_URL)->addExternalJavascript(WT_DATATABLES_BOOTSTRAP_JS_URL)->addInlineJavascript(' jQuery(".table-user-list").dataTable({ ' . I18N::datatablesI18N() . ', stateSave: true, stateDuration: 300, processing: true, serverSide: true, ajax: {
$form_language = Filter::post('form_language'); $form_timezone = Filter::post('form_timezone'); $form_contact_method = Filter::post('form_contact_method'); $form_visible_online = Filter::postBool('form_visible_online'); // Respond to form action if ($form_action && Filter::checkCsrf()) { switch ($form_action) { case 'update': if ($form_username !== Auth::user()->getUserName() && User::findByUserName($form_username)) { FlashMessages::addMessage(I18N::translate('Duplicate user name. A user with that user name already exists. Please choose another user name.')); } elseif ($form_email !== Auth::user()->getEmail() && User::findByEmail($form_email)) { FlashMessages::addMessage(I18N::translate('Duplicate email address. A user with that email already exists.')); } else { // Change username if ($form_username !== Auth::user()->getUserName()) { Log::addAuthenticationLog('User ' . Auth::user()->getUserName() . ' renamed to ' . $form_username); Auth::user()->setUserName($form_username); } // Change password if ($form_pass1 && $form_pass1 === $form_pass2) { Auth::user()->setPassword($form_pass1); } // Change other settings Auth::user()->setRealName($form_realname)->setEmail($form_email)->setPreference('language', $form_language)->setPreference('TIMEZONE', $form_timezone)->setPreference('contactmethod', $form_contact_method)->setPreference('visibleonline', $form_visible_online ? '1' : '0'); if ($form_theme === null) { Auth::user()->deletePreference('theme'); } else { Auth::user()->setPreference('theme', $form_theme); } $WT_TREE->setUserPreference(Auth::user(), 'rootid', $form_rootid); }
// Change the current language $language = Filter::post('language'); try { I18N::init($language); Session::put('locale', $language); // Remember our selection Auth::user()->setPreference('language', $language); } catch (\Exception $ex) { // Request for a non-existant language. http_response_code(406); } break; case 'masquerade': $user = User::find(Filter::postInteger('user_id')); if ($user && Auth::isAdmin() && Auth::user() !== $user) { Log::addAuthenticationLog('Masquerade as user: '******'unlink-media': // Remove links from an individual and their spouse-family records to a media object. // Used by the "unlink" option on the album (lightbox) tab. $source = Individual::getInstance(Filter::post('source', WT_REGEX_XREF), $WT_TREE); $target = Filter::post('target', WT_REGEX_XREF); if ($source && $source->canShow() && $source->canEdit() && $target) { // Consider the individual and their spouse-family records $sources = $source->getSpouseFamilies(); $sources[] = $source; foreach ($sources as $source) {
I18N::init($webmaster->getPreference('language')); $user = User::findByUserName($user_name); $edit_user_url = WT_BASE_URL . "admin_users.php?action=edit&user_id=" . $user->getUserId(); $mail1_body = I18N::translate('Hello administrator…') . Mail::EOL . Mail::EOL . I18N::translate('A new user (%1$s) has requested an account (%2$s) and verified an email address (%3$s).', $user->getRealNameHtml(), Filter::escapeHtml($user->getUserName()), Filter::escapeHtml($user->getEmail())) . Mail::EOL . Mail::EOL . I18N::translate('You need to review the account details.') . Mail::EOL . Mail::EOL . '<a href="' . $edit_user_url . '">' . $edit_user_url . '</a>' . Mail::EOL . Mail::EOL . I18N::translate('Set the status to “approved”.') . Mail::EOL . I18N::translate('Set the access level for each tree.') . Mail::EOL . I18N::translate('Link the user account to an individual.'); $mail1_subject = I18N::translate('New user at %s', WT_BASE_URL . ' ' . $WT_TREE->getTitle()); // Change to the new user’s language I18N::init($user->getPreference('language')); $controller->setPageTitle(I18N::translate('User verification')); $controller->pageHeader(); echo '<div id="login-register-page">'; echo '<h2>' . I18N::translate('User verification') . '</h2>'; echo '<div id="user-verify">'; if ($user && $user->checkPassword($user_password) && $user->getPreference('reg_hashcode') === $user_hashcode) { Mail::send($WT_TREE, $webmaster->getEmail(), $webmaster->getRealName(), $WT_TREE->getPreference('WEBTREES_EMAIL'), $WT_TREE->getPreference('WEBTREES_EMAIL'), $mail1_subject, $mail1_body); $mail1_method = $webmaster->getPreference('CONTACT_METHOD'); if ($mail1_method != 'messaging3' && $mail1_method != 'mailto' && $mail1_method != 'none') { Database::prepare("INSERT INTO `##message` (sender, ip_address, user_id, subject, body) VALUES (? ,? ,? ,? 
,?)")->execute(array($user_name, WT_CLIENT_IP, $webmaster->getUserId(), $mail1_subject, Filter::unescapeHtml($mail1_body))); } $user->setPreference('verified', '1')->setPreference('reg_timestamp', date('U'))->deletePreference('reg_hashcode'); Log::addAuthenticationLog('User ' . $user_name . ' verified their email address'); echo '<p>', I18N::translate('You have confirmed your request to become a registered user.'), '</p>'; echo '<p>', I18N::translate('The administrator has been informed. As soon as they give you permission to login, you can login with your user name and password.'), '</p>'; } else { echo '<p class="warning">'; echo I18N::translate('Could not verify the information you entered. Please try again or contact the site administrator for more information.'); echo '</p>'; } echo '</div>'; echo '</div>'; break; }
if (preg_match('/(?!' . preg_quote(WT_BASE_URL, '/') . ')(((?:ftp|http|https):\\/\\/)[a-zA-Z0-9.-]+)/', $subject . $body, $match)) { $errors .= '<p class="ui-state-error">' . I18N::translate('You are not allowed to send messages that contain external links.') . '</p>' . '<p class="ui-state-highlight">' . I18N::translate('You should delete the “%1$s” from “%2$s” and try again.', $match[2], $match[1]) . '</p>' . Log::addAuthenticationLog('Possible spam message from "' . $from_name . '"/"' . $from_email . '", subject="' . $subject . '", body="' . $body . '"'); $action = 'compose'; } $from = $from_email; } // Ensure the user always visits this page twice - once to compose it and again to send it. // This makes it harder for spammers. switch ($action) { case 'compose': Session::put('good_to_send', true); break; case 'send': // Only send messages if we've come straight from the compose page. if (!Session::get('good_to_send')) { Log::addAuthenticationLog('Attempt to send a message without visiting the compose page. Spam attack?'); $action = 'compose'; } if (!Filter::checkCsrf()) { $action = 'compose'; } Session::forget('good_to_send'); break; } switch ($action) { case 'compose': $controller->pageHeader()->addInlineJavascript(' function checkForm(frm) { if (frm.subject.value === "") { alert("' . I18N::translate('Please enter a message subject.') . '"); document.messageform.subject.focus();
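/**
 * Check that the POST request contains the CSRF token generated above.
 *
 * The submitted token must be identical to the one held for this session
 * (self::getCsrfToken()).  The comparison uses hash_equals() so that the
 * time it takes does not depend on how many leading characters match; a
 * plain !== leaks that through timing.  A missing token (self::post()
 * returning null) is treated as a mismatch and is never handed to
 * hash_equals(), which requires two string operands.
 *
 * On a mismatch the event is written to the authentication log and an
 * "expired form" flash message is queued for the user; callers are
 * expected to abort the state-changing action when false is returned.
 *
 * @return bool true if the submitted token matches the session token
 */
public static function checkCsrf() {
    $token = self::post('csrf');

    // hash_equals() (PHP 5.6+) takes the known value first and the
    // user-supplied value second.  self::getCsrfToken() is expected to
    // return the session's string token; a non-string POST value can
    // never match, so it short-circuits to the failure branch.
    if (!is_string($token) || !hash_equals(self::getCsrfToken(), $token)) {
        // Oops. Something is not quite right
        Log::addAuthenticationLog('CSRF mismatch - session expired or malicious attack');
        FlashMessages::addMessage(I18N::translate('This form has expired. Try again.'), 'error');

        return false;
    }

    return true;
}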