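/**
 * Updates a client account. Used for whomever is currently logged in.
 *
 * Which fields are processed depends on $info["page"]:
 *   "main"     - first_name, last_name, email, username and (optionally) a new password.
 *                The password rules (required character classes, minimum length and
 *                password-history size) are read from the client's own account settings.
 *   "settings" - UI preferences. Only the settings the client is permitted to edit (the
 *                "may_edit_*" account settings) are validated and written.
 * Any other value performs no update and returns the standard success message.
 *
 * The "start" hook may replace $info and the "end" hook may replace $success / $message
 * (both are applied with extract(..., EXTR_OVERWRITE)). After the update the account and
 * settings cached in $_SESSION["ft"] are refreshed.
 *
 * @param integer $account_id the account to update. It is interpolated unquoted into the
 *               UPDATE statements, so it must come from a trusted source (e.g. the session),
 *               never directly from request data.
 * @param array $info This parameter should be a hash (e.g. $_POST or $_GET) containing keys
 *               named the same as the database fields.
 * @return array [0]: true/false (success / failure)
 *               [1]: message string (on failure: the validation errors joined with <br />)
 */
function ft_update_client($account_id, $info)
{
    global $g_table_prefix, $LANG, $g_password_special_chars;

    $success = true;
    $message = $LANG["notify_account_updated"];

    // NOTE(review): ft_sanitize() is the only escaping applied before $info values are interpolated
    // into the SQL below - the mysql_* extension offers no parameterised queries, so the safety of
    // every quoted '{$...}' value in this function rests on that helper.
    $info = ft_sanitize($info);
    extract(ft_process_hook_calls("start", compact("account_id", "info"), array("info")), EXTR_OVERWRITE);

    $client_info = ft_get_account_info($account_id);

    // true when the client's account settings grant the named "may_edit_*" permission
    $may_edit = function ($permission) use ($client_info) {
        return isset($client_info["settings"][$permission]) && $client_info["settings"][$permission] == "yes";
    };

    $page = $info["page"];
    switch ($page) {
        case "main":
            $first_name = $info["first_name"];
            $last_name  = $info["last_name"];
            $email      = $info["email"];
            $username   = $info["username"];

            $is_changing_password = !empty($info["password"]);
            $password_clause      = "";
            $encrypted_password   = "";
            $rules = array();

            if ($is_changing_password) {
                // password composition rules are configured per client account
                $required_password_chars = explode(",", $client_info["settings"]["required_password_chars"]);
                if (in_array("uppercase", $required_password_chars)) {
                    $rules[] = "reg_exp,password,[A-Z],{$LANG["validation_client_password_missing_uppercase"]}";
                }
                if (in_array("number", $required_password_chars)) {
                    $rules[] = "reg_exp,password,[0-9],{$LANG["validation_client_password_missing_number"]}";
                }
                if (in_array("special_char", $required_password_chars)) {
                    $error = ft_eval_smarty_string($LANG["validation_client_password_missing_special_char"], array("chars" => $g_password_special_chars));
                    // the configured characters are placed inside a [...] class, so they must be regex-escaped
                    $password_special_chars = preg_quote($g_password_special_chars);
                    $rules[] = "reg_exp,password,[{$password_special_chars}],{$error}";
                }
                if (!empty($client_info["settings"]["min_password_length"])) {
                    $rule = ft_eval_smarty_string($LANG["validation_client_password_too_short"], array("number" => $client_info["settings"]["min_password_length"]));
                    $rules[] = "length>={$client_info["settings"]["min_password_length"]},password,{$rule}";
                }

                // Hash once, up front, on the assumption the password passes validation; the same value is
                // used for the history check, the history insert and the update query.
                // NOTE(review): md5(md5()) is unsalted and fast, and therefore weak as a password hash. It is
                // kept because the stored account hashes and the password-history table use this exact
                // scheme; moving to password_hash()/password_verify() needs a coordinated migration of the
                // login path and ft_password_in_password_history().
                $encrypted_password = md5(md5($info["password"]));
                // NOTE(review): this literal '******' (and the username one in the UPDATE below) looks like a
                // display redaction of the interpolated value in the source this listing was copied from -
                // confirm against the original file before relying on this listing.
                $password_clause = "password = '******',";
            }

            $errors = validate_fields($info, $rules);

            // check to see if username is already taken
            list($valid_username, $problem) = _ft_is_valid_username($username, $account_id);
            if (!$valid_username) {
                $errors[] = $problem;
            }

            // check the password isn't already in password history (if relevant)
            $track_history = $is_changing_password && !empty($client_info["settings"]["num_password_history"]);
            if ($track_history && ft_password_in_password_history($account_id, $encrypted_password, $client_info["settings"]["num_password_history"])) {
                $errors[] = ft_eval_smarty_string($LANG["validation_password_in_password_history"], array("history_size" => $client_info["settings"]["num_password_history"]));
            }

            if (!empty($errors)) {
                $success = false;
                array_walk($errors, function (&$el) {
                    $el = "•  " . $el;
                });
                $message = implode("<br />", $errors);
                return array($success, $message);
            }

            $query = "\n          UPDATE  {$g_table_prefix}accounts\n          SET     {$password_clause}\n                  first_name = '{$first_name}',\n                  last_name = '{$last_name}',\n                  username = '******',\n                  email = '{$email}'\n          WHERE   account_id = {$account_id}\n               ";
            if (mysql_query($query)) {
                if ($is_changing_password) {
                    // record the new password in the history only once it has actually been stored.
                    // Previously it was recorded before validation, so a submission rejected for another
                    // reason (e.g. a taken username) still consumed a history slot.
                    if ($track_history) {
                        ft_add_password_to_password_history($account_id, $encrypted_password);
                    }
                    // reset the temporary password, in case it was set
                    mysql_query("UPDATE {$g_table_prefix}accounts SET temp_reset_password = NULL where account_id = {$account_id}");
                }
            } else {
                ft_handle_error("Failed query in <b>" . __FUNCTION__ . "</b>: <i>{$query}</i>", mysql_error());
            }
            break;

        case "settings":
            // a field is only required (and only written, below) when the administrator has unlocked it
            $rules = array();
            if ($may_edit("may_edit_page_titles")) {
                $rules[] = "required,page_titles,{$LANG["validation_no_titles"]}";
            }
            if ($may_edit("may_edit_theme")) {
                $rules[] = "required,theme,{$LANG["validation_no_theme"]}";
            }
            if ($may_edit("may_edit_logout_url")) {
                $rules[] = "required,logout_url,{$LANG["validation_no_logout_url"]}";
            }
            if ($may_edit("may_edit_language")) {
                $rules[] = "required,ui_language,{$LANG["validation_no_ui_language"]}";
            }
            if ($may_edit("may_edit_timezone_offset")) {
                $rules[] = "required,timezone_offset,{$LANG["validation_no_timezone_offset"]}";
            }
            if ($may_edit("may_edit_sessions_timeout")) {
                $rules[] = "required,sessions_timeout,{$LANG["validation_no_sessions_timeout"]}";
                $rules[] = "digits_only,sessions_timeout,{$LANG["validation_invalid_sessions_timeout"]}";
            }
            if ($may_edit("may_edit_date_format")) {
                $rules[] = "required,date_format,{$LANG["validation_no_date_format"]}";
            }

            $errors = validate_fields($info, $rules);
            if (!empty($errors)) {
                $success = false;
                array_walk($errors, function (&$el) {
                    $el = "&bull;&nbsp; " . $el;
                });
                $message = implode("<br />", $errors);
                return array($success, $message);
            }

            // update the main accounts table. Only update those settings they're ALLOWED to
            $settings = array();
            if ($may_edit("may_edit_language")) {
                $settings["ui_language"] = $info["ui_language"];
            }
            if ($may_edit("may_edit_timezone_offset")) {
                $settings["timezone_offset"] = $info["timezone_offset"];
            }
            if ($may_edit("may_edit_logout_url")) {
                $settings["logout_url"] = $info["logout_url"];
            }
            if ($may_edit("may_edit_sessions_timeout")) {
                $settings["sessions_timeout"] = $info["sessions_timeout"];
            }
            if ($may_edit("may_edit_theme")) {
                $settings["theme"] = $info["theme"];
                // the swatch select is named after the chosen theme
                $settings["swatch"] = "";
                if (isset($info["{$info["theme"]}_theme_swatches"])) {
                    $settings["swatch"] = $info["{$info["theme"]}_theme_swatches"];
                }
            }
            if ($may_edit("may_edit_date_format")) {
                $settings["date_format"] = $info["date_format"];
            }
            if (!empty($settings)) {
                $sql_rows = array();
                foreach ($settings as $column => $value) {
                    $sql_rows[] = "{$column} = '{$value}'";
                }
                $sql = implode(",\n", $sql_rows);
                $query = "\n            UPDATE  {$g_table_prefix}accounts\n            SET     {$sql}\n            WHERE   account_id = {$account_id}\n                 ";
                mysql_query($query) or ft_handle_error("Failed query in <b>" . __FUNCTION__ . "</b>: <i>{$query}</i>", mysql_error());
            }

            // per-account settings table. page_titles and footer_text are subject to the same may_edit_*
            // permissions as the fields above; previously they were written whenever the key was posted,
            // regardless of permission.
            $settings = array();
            if (isset($info["page_titles"]) && $may_edit("may_edit_page_titles")) {
                $settings["page_titles"] = $info["page_titles"];
            }
            if (isset($info["footer_text"]) && $may_edit("may_edit_footer_text")) {
                $settings["footer_text"] = $info["footer_text"];
            }
            // NOTE(review): no may_edit_* setting for max_failed_login_attempts is visible in this file, so
            // any posted value is accepted from the client. Confirm this field is meant to be client-editable;
            // if not, it should be dropped here, since a client raising it weakens their own account lockout.
            if (isset($info["max_failed_login_attempts"])) {
                $settings["max_failed_login_attempts"] = $info["max_failed_login_attempts"];
            }
            if (!empty($settings)) {
                ft_set_account_settings($account_id, $settings);
            }
            break;
    }

    extract(ft_process_hook_calls("end", compact("account_id", "info"), array("success", "message")), EXTR_OVERWRITE);

    // refresh the cached settings / account in sessions so the change is visible immediately
    $_SESSION["ft"]["settings"] = ft_get_settings();
    $_SESSION["ft"]["account"] = ft_get_account_info($account_id);
    $_SESSION["ft"]["account"]["is_logged_in"] = true;

    return array($success, $message);
}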
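/**
 * Updates the administrator account. With the addition of the "UI Language" option, this action
 * gets a little more complicated. The problem is that we can't just update the UI language in
 * sessions *within* this function, because by the time this function is called, the appropriate
 * language file is already in memory and being used. So, to get around this problem, the login
 * information form now passes along both the new and old UI languages. If it's different, AFTER
 * this function is called, you need to reset sessions and refresh the page. So be aware that
 * this problem is NOT handled by this function, see:
 *     /admin/accounts/index.php to see how it's solved.
 *
 * The "start" hook may replace $infohash and the "end" hook may replace $success / $message
 * (both applied with extract(..., EXTR_OVERWRITE)). After the update the account and settings
 * cached in $_SESSION["ft"] are refreshed.
 *
 * @param array $infohash This parameter should be a hash (e.g. $_POST or $_GET) containing the
 *               following keys: first_name, last_name, email, theme, login_page, logout_url,
 *               ui_language, timezone_offset, sessions_timeout, date_format, username and - only
 *               when the password is being changed - password and password_2.
 * @param integer $account_id the administrator's account ID. It is interpolated unquoted into the
 *               UPDATE statements, so it must come from a trusted source (e.g. the session).
 * @return array [0]: true/false (success / failure)
 *               [1]: message string
 */
function ft_update_admin_account($infohash, $account_id)
{
    global $g_table_prefix, $LANG;

    $success = true;
    $message = $LANG["notify_account_updated"];

    // NOTE(review): ft_sanitize() is the only escaping applied before $infohash values are interpolated
    // into the SQL below (the mysql_* extension has no parameterised queries).
    $infohash = ft_sanitize($infohash);
    extract(ft_process_hook_calls("start", compact("infohash", "account_id"), array("infohash")), EXTR_OVERWRITE);

    $rules = array();
    $rules[] = "required,first_name,{$LANG["validation_no_first_name"]}";
    $rules[] = "required,last_name,{$LANG["validation_no_last_name"]}";
    $rules[] = "required,email,{$LANG["validation_no_email"]}";
    $rules[] = "required,theme,{$LANG["validation_no_theme"]}";
    $rules[] = "required,login_page,{$LANG["validation_no_login_page"]}";
    $rules[] = "required,logout_url,{$LANG["validation_no_account_logout_url"]}";
    $rules[] = "required,ui_language,{$LANG["validation_no_ui_language"]}";
    $rules[] = "required,sessions_timeout,{$LANG["validation_no_sessions_timeout"]}";
    $rules[] = "required,date_format,{$LANG["validation_no_date_format"]}";
    $rules[] = "required,username,{$LANG["validation_no_username"]}";
    // the password is optional; when supplied it must be confirmed and the two copies must match
    $rules[] = "if:password!=,required,password_2,{$LANG["validation_no_account_password_confirmed"]}";
    $rules[] = "if:password!=,same_as,password,password_2,{$LANG["validation_passwords_different"]}";

    $errors = validate_fields($infohash, $rules);
    if (!empty($errors)) {
        $success = false;
        array_walk($errors, function (&$el) {
            $el = "&bull;&nbsp; " . $el;
        });
        $message = implode("<br />", $errors);
        return array($success, $message);
    }

    $first_name       = $infohash["first_name"];
    $last_name        = $infohash["last_name"];
    $email            = $infohash["email"];
    $theme            = $infohash["theme"];
    $login_page       = $infohash["login_page"];
    $logout_url       = $infohash["logout_url"];
    $ui_language      = $infohash["ui_language"];
    $timezone_offset  = $infohash["timezone_offset"]; // not covered by a "required" rule above
    $sessions_timeout = $infohash["sessions_timeout"];
    $date_format      = $infohash["date_format"];
    $username         = $infohash["username"];
    $password         = $infohash["password"];

    // the swatch select is named after the chosen theme
    $swatch = "";
    if (isset($infohash["{$theme}_theme_swatches"])) {
        $swatch = $infohash["{$theme}_theme_swatches"];
    }

    // only touch the password column when a new password was supplied.
    // NOTE(review): the literal '******' here and for username in the UPDATE below looks like a display
    // redaction of the interpolated value in the source this listing was copied from - confirm against
    // the original file before relying on this listing.
    $password_sql = !empty($password) ? "password = '******', " : "";

    // check to see if username is already taken
    list($valid_username, $problem) = _ft_is_valid_username($username, $account_id);
    if (!$valid_username) {
        return array(false, $problem);
    }

    $query = "\n      UPDATE  {$g_table_prefix}accounts\n      SET     {$password_sql}\n              first_name = '{$first_name}',\n              last_name = '{$last_name}',\n              email = '{$email}',\n              theme = '{$theme}',\n              swatch = '{$swatch}',\n              login_page = '{$login_page}',\n              logout_url = '{$logout_url}',\n              ui_language = '{$ui_language}',\n              timezone_offset = '{$timezone_offset}',\n              sessions_timeout = '{$sessions_timeout}',\n              date_format = '{$date_format}',\n              username = '******'\n      WHERE   account_id = {$account_id}\n           ";
    mysql_query($query) or ft_handle_error("Failed query in <b>" . __FUNCTION__ . "</b>: <i>{$query}</i>", mysql_error());

    // refresh the cached settings / account in sessions (done once; the previous second fetch inside
    // the password branch below re-read identical data)
    $_SESSION["ft"]["settings"] = ft_get_settings();
    $_SESSION["ft"]["account"] = ft_get_account_info($account_id);
    $_SESSION["ft"]["account"]["is_logged_in"] = true;

    // if the password just changed, keep the session copy of the hash in step with the database and
    // empty any temporary password that happens to have been stored
    if (!empty($password)) {
        // NOTE(review): md5(md5()) is unsalted and fast, and therefore weak as a password hash. It is kept
        // because the stored account hashes use this exact scheme; moving to password_hash() needs a
        // coordinated migration of the login path.
        $_SESSION["ft"]["account"]["password"] = md5(md5($password));
        mysql_query("UPDATE {$g_table_prefix}accounts SET temp_reset_password = NULL where account_id = {$account_id}");
    }

    extract(ft_process_hook_calls("end", compact("infohash", "account_id"), array("success", "message")), EXTR_OVERWRITE);

    return array($success, $message);
}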
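/**
 * Creates a client account in the database.
 *
 * @param array $account_info this hash has 5 required keys: first_name, last_name, email, username, password
 *
 * The password is automatically encrypted by this function.
 *
 * It also accepts the following optional keys (each falls back to the corresponding default_*
 * value from the settings table when absent):
 *   account_status: "active", "disabled", "pending" (defaults to "pending")
 *   ui_language: (should only be one of the languages currently supported by the script, e.g. "en_us")
 *   timezone_offset: +- an integer value, for each hour
 *   sessions_timeout:
 *   date_format:
 *   login_page:
 *   logout_url:
 *   theme:
 *   menu_id:
 *
 * Error codes that may be returned in [1]:
 *   700 missing first_name       705 username contains non-alphanumeric characters
 *   701 missing last_name        706 username already taken
 *   702 missing email            707 missing password
 *   703 invalid email            708 password contains non-alphanumeric characters
 *   704 missing username         709 the INSERT failed
 *
 * When $g_api_debug is enabled, errors are rendered through error.tpl and the script exits
 * instead of returning.
 *
 * @return array [0] true / false
 *               [1] an array of error codes (if false) or the new account ID
 */
function ft_api_create_client_account($account_info)
{
    global $g_api_debug, $g_table_prefix;

    // NOTE(review): ft_sanitize() is the only escaping applied before $account_info values are interpolated
    // into the INSERT below (the mysql_* extension has no parameterised queries).
    $account_info = ft_sanitize($account_info);
    $error_codes = array();

    // check all the valid fields. empty() is already false for a missing key, so no isset() is needed
    if (empty($account_info["first_name"])) {
        $error_codes[] = 700;
    }
    if (empty($account_info["last_name"])) {
        $error_codes[] = 701;
    }
    if (empty($account_info["email"])) {
        $error_codes[] = 702;
    } elseif (!ft_is_valid_email($account_info["email"])) {
        // previously run unconditionally, which raised an undefined-index notice and reported both
        // 702 and 703 when the email was simply missing
        $error_codes[] = 703;
    }
    if (empty($account_info["username"])) {
        $error_codes[] = 704;
    } else {
        if (preg_match('/[^A-Za-z0-9]/', $account_info["username"])) {
            $error_codes[] = 705;
        }
        // _ft_is_valid_username() returns array(bool, message) in ft_update_client(); testing the array
        // itself was always truthy, so a duplicate username was never rejected here. Accept a plain bool
        // as well in case another build of the helper returns one.
        $username_check = _ft_is_valid_username($account_info["username"]);
        $valid_username = is_array($username_check) ? $username_check[0] : $username_check;
        if (!$valid_username) {
            $error_codes[] = 706;
        }
    }
    if (empty($account_info["password"])) {
        $error_codes[] = 707;
    } elseif (preg_match('/[^A-Za-z0-9]/', $account_info["password"])) {
        // NOTE(review): this rejects every non-alphanumeric character, so API-created passwords can never
        // satisfy a "special_char" requirement configured for the client (see ft_update_client)
        $error_codes[] = 708;
    }

    if (!empty($error_codes)) {
        if ($g_api_debug) {
            $page_vars = array("message_type" => "error", "error_codes" => $error_codes);
            ft_display_page("error.tpl", $page_vars);
            exit;
        } else {
            return array(false, $error_codes);
        }
    }

    $first_name = $account_info["first_name"];
    $last_name  = $account_info["last_name"];
    $email      = $account_info["email"];
    $username   = $account_info["username"];
    // NOTE(review): md5(md5()) is unsalted and fast, and therefore weak as a password hash. It is kept
    // because the login path and the other account functions in this file use this exact scheme.
    $password   = md5(md5($account_info["password"]));

    $settings = ft_get_settings();
    $account_status   = isset($account_info["account_status"]) ? $account_info["account_status"] : "pending";
    $language         = isset($account_info["ui_language"]) ? $account_info["ui_language"] : $settings["default_language"];
    $timezone_offset  = isset($account_info["timezone_offset"]) ? $account_info["timezone_offset"] : $settings["default_timezone_offset"];
    $sessions_timeout = isset($account_info["sessions_timeout"]) ? $account_info["sessions_timeout"] : $settings["default_sessions_timeout"];
    $date_format      = isset($account_info["date_format"]) ? $account_info["date_format"] : $settings["default_date_format"];
    $login_page       = isset($account_info["login_page"]) ? $account_info["login_page"] : $settings["default_login_page"];
    $logout_url       = isset($account_info["logout_url"]) ? $account_info["logout_url"] : $settings["default_logout_url"];
    $theme            = isset($account_info["theme"]) ? $account_info["theme"] : $settings["default_theme"];
    // NOTE(review): menu_id is the only value interpolated unquoted into the INSERT below, so a non-numeric
    // value (from the caller or from the default_client_menu_id setting) breaks the statement.
    $menu_id          = isset($account_info["menu_id"]) ? $account_info["menu_id"] : $settings["default_client_menu_id"];

    // first, insert the record into the accounts table. This contains all the settings common to ALL
    // accounts (including the administrator and any other future account types)
    $query = "\n     INSERT INTO {$g_table_prefix}accounts (account_type, account_status, ui_language, timezone_offset, sessions_timeout,\n       date_format, login_page, logout_url, theme, menu_id, first_name, last_name, email, username, password)\n     VALUES ('client', '{$account_status}', '{$language}', '{$timezone_offset}', '{$sessions_timeout}',\n       '{$date_format}', '{$login_page}', '{$logout_url}', '{$theme}', {$menu_id}, '{$first_name}', '{$last_name}', '{$email}',\n       '{$username}', '{$password}')\n         ";
    if (!mysql_query($query)) {
        // 709: the insert itself failed. Previously the non-debug branch returned the (by now empty)
        // validation error list, so callers could not tell why creation failed.
        $error_codes[] = 709;
        if ($g_api_debug) {
            $page_vars = array("message_type" => "error", "error_code" => 709, "error_type" => "user", "debugging" => "Failed query in <b>" . __FUNCTION__ . "</b>: <i>{$query}</i> " . mysql_error());
            ft_display_page("error.tpl", $page_vars);
            exit;
        } else {
            return array(false, $error_codes);
        }
    }
    $new_user_id = mysql_insert_id();

    // now create all the custom client account settings, most of which are based on the default values
    // in the settings table
    $account_settings = array(
        "client_notes"              => "",
        "company_name"              => "",
        "page_titles"               => $settings["default_page_titles"],
        "footer_text"               => $settings["default_footer_text"],
        "may_edit_page_titles"      => $settings["clients_may_edit_page_titles"],
        "may_edit_footer_text"      => $settings["clients_may_edit_footer_text"],
        "may_edit_theme"            => $settings["clients_may_edit_theme"],
        "may_edit_logout_url"       => $settings["clients_may_edit_logout_url"],
        "may_edit_language"         => $settings["clients_may_edit_ui_language"],
        "may_edit_timezone_offset"  => $settings["clients_may_edit_timezone_offset"],
        "may_edit_sessions_timeout" => $settings["clients_may_edit_sessions_timeout"],
        "may_edit_date_format"      => $settings["clients_may_edit_date_format"],
    );
    ft_set_account_settings($new_user_id, $account_settings);

    return array(true, $new_user_id);
}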