/**
 * Updates a client account. Used for whomever is currently logged in.
 *
 * Which fields are touched depends on $info["page"]: "main" handles name / email / username /
 * password, "settings" handles the per-client display and session settings (only those the
 * client is allowed to edit, per their account settings). Any other page value falls through the
 * switch without writing anything and still reports success.
 *
 * @param integer $account_id the client's account ID (interpolated unquoted into the SQL below)
 * @param array $info This parameter should be a hash (e.g. $_POST or $_GET) containing keys
 *     named the same as the database fields.
 * @return array [0]: true/false (success / failure)
 *               [1]: message string
 */
function ft_update_client($account_id, $info)
{
  global $g_table_prefix, $LANG, $g_password_special_chars;

  $success = true;
  $message = $LANG["notify_account_updated"];

  // every user-supplied value below is interpolated into string-built SQL, so this call is the only
  // escaping layer. NOTE(review): confirm ft_sanitize escapes for the MySQL context (mysql_query
  // has no parameter binding); escaping at the query site would be the more robust arrangement.
  $info = ft_sanitize($info);

  // "start" hooks may replace $info (EXTR_OVERWRITE); they see the sanitized input, not the raw one
  extract(ft_process_hook_calls("start", compact("account_id", "info"), array("info")), EXTR_OVERWRITE);

  $client_info = ft_get_account_info($account_id);
  // NOTE(review): no isset() guard - a request without a "page" key raises a notice and then
  // matches no case, so the caller is told the account was updated when nothing was written
  $page = $info["page"];

  switch ($page)
  {
    case "main":
      $first_name = $info["first_name"];
      $last_name = $info["last_name"];
      $email = $info["email"];
      $username = $info["username"];

      $password_clause = "";
      $rules = array();

      // complexity rules only apply when a new password was submitted; the requirements are
      // read from the client's own account settings
      if (!empty($info["password"]))
      {
        $required_password_chars = explode(",", $client_info["settings"]["required_password_chars"]);
        if (in_array("uppercase", $required_password_chars))
        {
          $rules[] = "reg_exp,password,[A-Z],{$LANG["validation_client_password_missing_uppercase"]}";
        }
        if (in_array("number", $required_password_chars))
        {
          $rules[] = "reg_exp,password,[0-9],{$LANG["validation_client_password_missing_number"]}";
        }
        if (in_array("special_char", $required_password_chars))
        {
          $error = ft_eval_smarty_string($LANG["validation_client_password_missing_special_char"], array("chars" => $g_password_special_chars));
          // preg_quote so the configured characters are taken literally inside the [...] class
          $password_special_chars = preg_quote($g_password_special_chars);
          $rules[] = "reg_exp,password,[{$password_special_chars}],{$error}";
        }
        if (!empty($client_info["settings"]["min_password_length"]))
        {
          $rule = ft_eval_smarty_string($LANG["validation_client_password_too_short"], array("number" => $client_info["settings"]["min_password_length"]));
          $rules[] = "length>={$client_info["settings"]["min_password_length"]},password,{$rule}";
        }

        // encrypt the password on the assumption that it passes validation. It'll be used in the update query.
        // NOTE(review): md5(md5()) is an unsalted, fast hash; password_hash()/password_verify() is the
        // current recommendation. The '******' literals in this function's SQL look like a redaction
        // in this listing rather than real code ($password is otherwise unused) - confirm against the
        // original source before relying on these queries.
        $password = md5(md5($info['password']));
        $password_clause = "password = '******',";
      }

      $errors = validate_fields($info, $rules);

      // check to see if username is already taken
      list($valid_username, $problem) = _ft_is_valid_username($username, $account_id);
      if (!$valid_username)
      {
        $errors[] = $problem;
      }

      // check the password isn't already in password history (if relevant)
      if (!empty($info["password"]))
      {
        if (!empty($client_info["settings"]["num_password_history"]))
        {
          $encrypted_password = md5(md5($info["password"]));
          if (ft_password_in_password_history($account_id, $encrypted_password, $client_info["settings"]["num_password_history"]))
          {
            $errors[] = ft_eval_smarty_string($LANG["validation_password_in_password_history"], array("history_size" => $client_info["settings"]["num_password_history"]));
          }
          else
          {
            // NOTE(review): the new hash is added to the history here, before the collected errors
            // are checked and before the UPDATE below runs - a username error or a failed update
            // still leaves this hash in the history (unless the helper defers the write)
            ft_add_password_to_password_history($account_id, $encrypted_password);
          }
        }
      }

      if (!empty($errors))
      {
        $success = false;
        // create_function() was removed in PHP 8.0; a closure does the same job
        array_walk($errors, create_function('&$el', '$el = "• " . $el;'));
        $message = implode("<br />", $errors);
        return array($success, $message);
      }

      // string-built SQL: the quoted values rely on ft_sanitize above, $account_id is unquoted
      $query = "\n UPDATE {$g_table_prefix}accounts\n SET {$password_clause}\n first_name = '{$first_name}',\n last_name = '{$last_name}',\n username = '******',\n email = '{$email}'\n WHERE account_id = {$account_id}\n ";

      if (mysql_query($query))
      {
        // if the password wasn't empty, reset the temporary password, in case it was set
        if (!empty($info["password"]))
        {
          mysql_query("UPDATE {$g_table_prefix}accounts SET temp_reset_password = NULL where account_id = {$account_id}");
        }
      }
      else
      {
        // the full failed SQL (with whatever values it carried) is handed to the error handler;
        // $success is not set to false here, so if ft_handle_error returns the caller sees success
        ft_handle_error("Failed query in <b>" . __FUNCTION__ . "</b>: <i>{$query}</i>", mysql_error());
      }
      break;

    case "settings":
      $rules = array();

      // a field is only validated as required when the client is allowed to edit it
      if ($client_info["settings"]["may_edit_page_titles"] == "yes")
      {
        $rules[] = "required,page_titles,{$LANG["validation_no_titles"]}";
      }
      if ($client_info["settings"]["may_edit_theme"] == "yes")
      {
        $rules[] = "required,theme,{$LANG["validation_no_theme"]}";
      }
      if ($client_info["settings"]["may_edit_logout_url"] == "yes")
      {
        $rules[] = "required,logout_url,{$LANG["validation_no_logout_url"]}";
      }
      if ($client_info["settings"]["may_edit_language"] == "yes")
      {
        $rules[] = "required,ui_language,{$LANG["validation_no_ui_language"]}";
      }
      if ($client_info["settings"]["may_edit_timezone_offset"] == "yes")
      {
        $rules[] = "required,timezone_offset,{$LANG["validation_no_timezone_offset"]}";
      }
      if ($client_info["settings"]["may_edit_sessions_timeout"] == "yes")
      {
        $rules[] = "required,sessions_timeout,{$LANG["validation_no_sessions_timeout"]}";
        // sessions_timeout is the only settings field with a format rule; the others are free text
        $rules[] = "digits_only,sessions_timeout,{$LANG["validation_invalid_sessions_timeout"]}";
      }
      if ($client_info["settings"]["may_edit_date_format"] == "yes")
      {
        $rules[] = "required,date_format,{$LANG["validation_no_date_format"]}";
      }

      $errors = validate_fields($info, $rules);
      if (!empty($errors))
      {
        $success = false;
        // create_function() was removed in PHP 8.0; a closure does the same job
        array_walk($errors, create_function('&$el', '$el = "• " . $el;'));
        $message = implode("<br />", $errors);
        return array($success, $message);
      }

      // update the main accounts table. Only update those settings they're ALLOWED to
      $settings = array();
      if ($client_info["settings"]["may_edit_language"] == "yes")
      {
        $settings["ui_language"] = $info["ui_language"];
      }
      if ($client_info["settings"]["may_edit_timezone_offset"] == "yes")
      {
        $settings["timezone_offset"] = $info["timezone_offset"];
      }
      if ($client_info["settings"]["may_edit_logout_url"] == "yes")
      {
        $settings["logout_url"] = $info["logout_url"];
      }
      if ($client_info["settings"]["may_edit_sessions_timeout"] == "yes")
      {
        $settings["sessions_timeout"] = $info["sessions_timeout"];
      }
      if ($client_info["settings"]["may_edit_theme"] == "yes")
      {
        $settings["theme"] = $info["theme"];
        $settings["swatch"] = "";
        // the swatch select is named after the chosen theme ("<theme>_theme_swatches")
        if (isset($info["{$info["theme"]}_theme_swatches"]))
        {
          $settings["swatch"] = $info["{$info["theme"]}_theme_swatches"];
        }
      }
      if ($client_info["settings"]["may_edit_date_format"] == "yes")
      {
        $settings["date_format"] = $info["date_format"];
      }

      if (!empty($settings))
      {
        $sql_rows = array();
        // each() was removed in PHP 8.0; a foreach over $settings is the equivalent
        while (list($column, $value) = each($settings))
        {
          // values are quoted but not escaped here - this relies on ft_sanitize above
          $sql_rows[] = "{$column} = '{$value}'";
        }
        $sql = implode(",\n", $sql_rows);

        $query = "\n UPDATE {$g_table_prefix}accounts\n SET {$sql}\n WHERE account_id = {$account_id}\n ";
        mysql_query($query) or ft_handle_error("Failed query in <b>" . __FUNCTION__ . "</b>: <i>{$query}</i>", mysql_error());
      }

      // the remaining values live in the per-account settings table
      $settings = array();
      // NOTE(review): unlike the accounts-table fields above, these three are written whenever the
      // key is present, with no may_edit_* gate: page_titles is validated against
      // may_edit_page_titles but written regardless, and a client who submits
      // max_failed_login_attempts changes their own lockout threshold. Confirm whether the form
      // or ft_sanitize restricts these keys; otherwise gate the writes here like the ones above.
      if (isset($info["page_titles"]))
      {
        $settings["page_titles"] = $info["page_titles"];
      }
      if (isset($info["footer_text"]))
      {
        $settings["footer_text"] = $info["footer_text"];
      }
      if (isset($info["max_failed_login_attempts"]))
      {
        $settings["max_failed_login_attempts"] = $info["max_failed_login_attempts"];
      }
      if (!empty($settings))
      {
        ft_set_account_settings($account_id, $settings);
      }
      break;
  }

  // "end" hooks may override the (success, message) pair returned to the caller
  extract(ft_process_hook_calls("end", compact("account_id", "info"), array("success", "message")), EXTR_OVERWRITE);

  // update sessions so the rest of this request (and the next page) sees the new values
  $_SESSION["ft"]["settings"] = ft_get_settings();
  $_SESSION["ft"]["account"] = ft_get_account_info($account_id);
  $_SESSION["ft"]["account"]["is_logged_in"] = true;

  return array($success, $message);
}
/**
 * Updates the administrator account. With the addition of the "UI Language" option, this action
 * gets a little more complicated. The problem is that we can't just update the UI language in
 * sessions *within* this function, because by the time this function is called, the appropriate
 * language file is already in memory and being used. So, to get around this problem, the login
 * information form now passes along both the new and old UI languages. If it's different, AFTER
 * this function is called, you need to reset sessions and refresh the page. So be aware that
 * this problem is NOT handled by this function, see:
 * /admin/accounts/index.php to see how it's solved.
 *
 * @param array $infohash This parameter should be a hash (e.g. $_POST or $_GET). The validation
 *     rules below require: first_name, last_name, email, theme, login_page, logout_url,
 *     ui_language, sessions_timeout, date_format, username. timezone_offset and password are
 *     read but not required; when password is non-empty, password_2 must be present and match.
 * @param integer $account_id the administrator's account ID (interpolated unquoted into the SQL)
 * @return array [0]: true/false (success / failure)
 *               [1]: message string
 */
function ft_update_admin_account($infohash, $account_id)
{
  // $g_root_url is declared but not used in this function
  global $g_table_prefix, $g_root_url, $LANG;

  $success = true;
  $message = $LANG["notify_account_updated"];

  // the only escaping layer for the string-built SQL below. NOTE(review): confirm ft_sanitize
  // escapes for the MySQL context; mysql_query offers no parameter binding.
  $infohash = ft_sanitize($infohash);

  // "start" hooks may replace $infohash (EXTR_OVERWRITE)
  extract(ft_process_hook_calls("start", compact("infohash", "account_id"), array("infohash")), EXTR_OVERWRITE);

  $rules = array();
  $rules[] = "required,first_name,{$LANG["validation_no_first_name"]}";
  $rules[] = "required,last_name,{$LANG["validation_no_last_name"]}";
  $rules[] = "required,email,{$LANG["validation_no_email"]}";
  $rules[] = "required,theme,{$LANG["validation_no_theme"]}";
  $rules[] = "required,login_page,{$LANG["validation_no_login_page"]}";
  $rules[] = "required,logout_url,{$LANG["validation_no_account_logout_url"]}";
  $rules[] = "required,ui_language,{$LANG["validation_no_ui_language"]}";
  $rules[] = "required,sessions_timeout,{$LANG["validation_no_sessions_timeout"]}";
  $rules[] = "required,date_format,{$LANG["validation_no_date_format"]}";
  $rules[] = "required,username,{$LANG["validation_no_username"]}";
  // the confirmation field is only required when a new password was entered.
  // NOTE(review): no complexity or minimum-length rules apply here, unlike the client update
  // (which reads required_password_chars / min_password_length) - confirm that is intended
  $rules[] = "if:password!=,required,password_2,{$LANG["validation_no_account_password_confirmed"]}";
  $rules[] = "if:password!=,same_as,password,password_2,{$LANG["validation_passwords_different"]}";

  $errors = validate_fields($infohash, $rules);
  if (!empty($errors))
  {
    $success = false;
    // create_function() was removed in PHP 8.0; a closure does the same job
    array_walk($errors, create_function('&$el', '$el = "• " . $el;'));
    $message = implode("<br />", $errors);
    return array($success, $message);
  }

  $first_name = $infohash["first_name"];
  $last_name = $infohash["last_name"];
  $email = $infohash["email"];
  $theme = $infohash["theme"];
  $login_page = $infohash["login_page"];
  $logout_url = $infohash["logout_url"];
  $ui_language = $infohash["ui_language"];
  // not covered by a "required" rule above; a missing key raises a notice and stores an empty value
  $timezone_offset = $infohash["timezone_offset"];
  $sessions_timeout = $infohash["sessions_timeout"];
  $date_format = $infohash["date_format"];
  $username = $infohash["username"];
  $password = $infohash["password"];

  // the swatch select is named after the chosen theme ("<theme>_theme_swatches")
  $swatch = "";
  if (isset($infohash["{$theme}_theme_swatches"]))
  {
    $swatch = $infohash["{$theme}_theme_swatches"];
  }

  // if the password is defined, md5 it.
  // NOTE(review): the '******' literals in this query look like a redaction in this listing rather
  // than real code (no hash is computed until the session update below) - confirm against the
  // original source. md5(md5()) is an unsalted fast hash; password_hash() is the current recommendation.
  $password_sql = !empty($password) ? "password = '******', " : "";

  // check to see if username is already taken (this early return skips the bullet formatting
  // and the "end" hooks used on the other error path)
  list($valid_username, $problem) = _ft_is_valid_username($username, $account_id);
  if (!$valid_username)
  {
    return array(false, $problem);
  }

  // string-built SQL: quoted values rely on ft_sanitize above, $account_id is unquoted
  $query = "\n UPDATE {$g_table_prefix}accounts\n SET {$password_sql}\n first_name = '{$first_name}',\n last_name = '{$last_name}',\n email = '{$email}',\n theme = '{$theme}',\n swatch = '{$swatch}',\n login_page = '{$login_page}',\n logout_url = '{$logout_url}',\n ui_language = '{$ui_language}',\n timezone_offset = '{$timezone_offset}',\n sessions_timeout = '{$sessions_timeout}',\n date_format = '{$date_format}',\n username = '******'\n WHERE account_id = {$account_id}\n ";
  // the full failed SQL is handed to the error handler; $success stays true if it returns
  mysql_query($query) or ft_handle_error("Failed query in <b>" . __FUNCTION__ . "</b>: <i>{$query}</i>", mysql_error());

  // update the settings
  $_SESSION["ft"]["settings"] = ft_get_settings();
  $_SESSION["ft"]["account"] = ft_get_account_info($account_id);
  $_SESSION["ft"]["account"]["is_logged_in"] = true;

  // if the password just changed, update sessions and empty any temporary password that happens to have been
  // stored
  if (!empty($password))
  {
    // the account was already re-read two lines above; this second fetch is redundant but harmless
    $_SESSION["ft"]["account"] = ft_get_account_info($account_id);
    $_SESSION["ft"]["account"]["is_logged_in"] = true;
    // presumably mirrors the stored hash so the session matches the DB row - verify against
    // whatever reads $_SESSION["ft"]["account"]["password"]
    $_SESSION["ft"]["account"]["password"] = md5(md5($password));
    mysql_query("UPDATE {$g_table_prefix}accounts SET temp_reset_password = NULL where account_id = {$account_id}");
  }

  // "end" hooks may override the (success, message) pair returned to the caller
  extract(ft_process_hook_calls("end", compact("infohash", "account_id"), array("success", "message")), EXTR_OVERWRITE);

  return array($success, $message);
}
/**
 * Creates a client account in the database.
 *
 * @param array $account_info this hash has 5 required keys: first_name, last_name, email, username, password
 *
 * The password is automatically encrypted by this function.
 *
 * It also accepts the following optional keys (each falls back to the corresponding default_*
 * value from ft_get_settings() when absent):
 *   account_status: "active", "disabled", "pending" (defaults to "pending"; the value is not
 *                   checked against that list here)
 *   ui_language: (should only be one of the languages currently supported by the script, e.g. "en_us")
 *   timezone_offset: +- an integer value, for each hour
 *   sessions_timeout:
 *   date_format:
 *   login_page:
 *   logout_url:
 *   theme:
 *   menu_id: (interpolated unquoted into the INSERT)
 *
 * @return array [0] true / false
 *               [1] an array of error codes (if false) or the new account ID
 */
function ft_api_create_client_account($account_info)
{
  global $g_api_debug, $g_table_prefix;

  // the only escaping layer for the string-built INSERT below. NOTE(review): confirm ft_sanitize
  // escapes for the MySQL context; mysql_query offers no parameter binding.
  $account_info = ft_sanitize($account_info);
  $error_codes = array();

  // check all the valid fields
  // error codes: 700 missing first_name, 701 missing last_name, 702 missing email, 703 invalid email,
  // 704 missing username, 705 non-alphanumeric username, 706 username not available,
  // 707 missing password, 708 non-alphanumeric password, 709 insert failed (debug mode only)
  if (!isset($account_info["first_name"]) || empty($account_info["first_name"]))
  {
    $error_codes[] = 700;
  }
  if (!isset($account_info["last_name"]) || empty($account_info["last_name"]))
  {
    $error_codes[] = 701;
  }
  if (!isset($account_info["email"]) || empty($account_info["email"]))
  {
    $error_codes[] = 702;
  }
  // not in an else branch: a missing email raises a notice here and reports 703 alongside 702
  if (!ft_is_valid_email($account_info["email"]))
  {
    $error_codes[] = 703;
  }
  if (!isset($account_info["username"]) || empty($account_info["username"]))
  {
    $error_codes[] = 704;
  }
  else
  {
    if (preg_match('/[^A-Za-z0-9]/', $account_info["username"]))
    {
      $error_codes[] = 705;
    }
    // NOTE(review): elsewhere in this file _ft_is_valid_username() is used as returning a
    // (valid, problem) pair; negating a non-empty array is always false, so 706 would never be
    // reported - confirm the return type and check the first element instead
    if (!_ft_is_valid_username($account_info["username"]))
    {
      $error_codes[] = 706;
    }
  }
  if (!isset($account_info["password"]) || empty($account_info["password"]))
  {
    $error_codes[] = 707;
  }
  else
  {
    // NOTE(review): this rejects every non-alphanumeric character, so API-created clients whose
    // settings later require a special_char cannot be given a conforming password here - verify
    // this restriction is intentional
    if (preg_match('/[^A-Za-z0-9]/', $account_info["password"]))
    {
      $error_codes[] = 708;
    }
  }

  if (!empty($error_codes))
  {
    if ($g_api_debug)
    {
      $page_vars = array("message_type" => "error", "error_codes" => $error_codes);
      ft_display_page("error.tpl", $page_vars);
      exit;
    }
    else
    {
      return array(false, $error_codes);
    }
  }

  $first_name = $account_info["first_name"];
  $last_name = $account_info["last_name"];
  $email = $account_info["email"];
  $username = $account_info["username"];
  // NOTE(review): md5(md5()) is an unsalted, fast hash; password_hash() is the current recommendation
  $password = md5(md5($account_info["password"]));

  $settings = ft_get_settings();
  $account_status = isset($account_info["account_status"]) ? $account_info["account_status"] : "pending";
  $language = isset($account_info["ui_language"]) ? $account_info["ui_language"] : $settings["default_language"];
  $timezone_offset = isset($account_info["timezone_offset"]) ? $account_info["timezone_offset"] : $settings["default_timezone_offset"];
  $sessions_timeout = isset($account_info["sessions_timeout"]) ? $account_info["sessions_timeout"] : $settings["default_sessions_timeout"];
  $date_format = isset($account_info["date_format"]) ? $account_info["date_format"] : $settings["default_date_format"];
  $login_page = isset($account_info["login_page"]) ? $account_info["login_page"] : $settings["default_login_page"];
  $logout_url = isset($account_info["logout_url"]) ? $account_info["logout_url"] : $settings["default_logout_url"];
  $theme = isset($account_info["theme"]) ? $account_info["theme"] : $settings["default_theme"];
  $menu_id = isset($account_info["menu_id"]) ? $account_info["menu_id"] : $settings["default_client_menu_id"];

  // first, insert the record into the accounts table. This contains all the settings common to ALL
  // accounts (including the administrator and any other future account types).
  // string-built SQL: quoted values rely on ft_sanitize above; menu_id is interpolated unquoted
  $query = "\n INSERT INTO {$g_table_prefix}accounts (account_type, account_status, ui_language, timezone_offset, sessions_timeout,\n date_format, login_page, logout_url, theme, menu_id, first_name, last_name, email, username, password)\n VALUES ('client', '{$account_status}', '{$language}', '{$timezone_offset}', '{$sessions_timeout}',\n '{$date_format}', '{$login_page}', '{$logout_url}', '{$theme}', {$menu_id}, '{$first_name}', '{$last_name}', '{$email}',\n '{$username}', '{$password}')\n ";

  if (!mysql_query($query))
  {
    if ($g_api_debug)
    {
      // the debug page renders the full INSERT, including the submitted values and the password
      // hash - keep $g_api_debug off outside development
      $page_vars = array("message_type" => "error", "error_code" => 709, "error_type" => "user", "debugging" => "Failed query in <b>" . __FUNCTION__ . "</b>: <i>{$query}</i> " . mysql_error());
      ft_display_page("error.tpl", $page_vars);
      exit;
    }
    else
    {
      // $error_codes is still empty on this path, so a non-debug caller gets (false, []) with
      // nothing to distinguish an insert failure from the validation failures above
      return array(false, $error_codes);
    }
  }

  $new_user_id = mysql_insert_id();

  // now create all the custom client account settings, most of which are based on the default values
  // in the settings table. NOTE(review): required_password_chars, min_password_length,
  // num_password_history and max_failed_login_attempts are not set here although ft_update_client
  // reads them - confirm ft_get_account_info supplies defaults for accounts created this way
  $account_settings = array(
    "client_notes" => "",
    "company_name" => "",
    "page_titles" => $settings["default_page_titles"],
    "footer_text" => $settings["default_footer_text"],
    "may_edit_page_titles" => $settings["clients_may_edit_page_titles"],
    "may_edit_footer_text" => $settings["clients_may_edit_footer_text"],
    "may_edit_theme" => $settings["clients_may_edit_theme"],
    "may_edit_logout_url" => $settings["clients_may_edit_logout_url"],
    "may_edit_language" => $settings["clients_may_edit_ui_language"],
    "may_edit_timezone_offset" => $settings["clients_may_edit_timezone_offset"],
    "may_edit_sessions_timeout" => $settings["clients_may_edit_sessions_timeout"],
    "may_edit_date_format" => $settings["clients_may_edit_date_format"]
  );
  ft_set_account_settings($new_user_id, $account_settings);

  return array(true, $new_user_id);
}