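/**
 * Administrator function used to update a client account. It updates one tab at a time - determined by the
 * second $tab_num parameter.
 *
 * Tab 1 (main) validates the name / email / username / password fields, checks that the username is free
 * and that the new password is not in the account's password history, then updates the accounts table and
 * stores client_notes / company_name via ft_set_account_settings().
 * Tab 2 (settings) validates and updates the display / session columns of the accounts table, then stores
 * the "may_edit_*" permissions and the password-policy settings via ft_set_account_settings().
 * Tab 3 (forms) deletes the client's form / View mappings and omit-list rows and re-inserts them from the
 * form_row_N / row_N_selected_views keys of $infohash.
 *
 * Only the "start" hooks may replace $infohash and $tab_num; the "end" hooks may replace $success and $message.
 *
 * @param array $infohash This parameter should be a hash (e.g. $_POST or $_GET) containing keys
 *                        named the same as the database fields.
 * @param integer $tab_num the tab number (1-3: 1=main, 2=styles, 3=permissions)
 * @return array [0]: true/false (success / failure)
 *               [1]: message string
 */
function ft_admin_update_client($infohash, $tab_num)
{
    global $g_table_prefix, $g_debug, $LANG, $g_password_special_chars;

    extract(ft_process_hook_calls("start", compact("infohash", "tab_num"), array("infohash", "tab_num")), EXTR_OVERWRITE);

    $success = true;
    $message = $LANG["notify_client_account_updated"];

    $form_vals = ft_sanitize($infohash);

    // the account ID is interpolated unquoted into every query below, so it must be an integer
    $account_id = (int) $form_vals["client_id"];

    // prefixes each validation error with a bullet; replaces create_function(), which is gone in PHP 8
    $bullet_prefix = function (&$el) {
        $el = "&bull; " . $el;
    };

    switch ($tab_num) {
        // MAIN tab
        case "1":
            $rules = array();
            $rules[] = "required,first_name,{$LANG["validation_no_client_first_name"]}";
            $rules[] = "required,last_name,{$LANG["validation_no_client_last_name"]}";
            $rules[] = "required,email,{$LANG["validation_no_client_email"]}";
            $rules[] = "valid_email,email,{$LANG["validation_invalid_email"]}";
            $rules[] = "required,username,{$LANG["validation_no_client_username"]}";
            $rules[] = "if:password!=,required,password_2,{$LANG["validation_no_account_password_confirmed"]}";
            $rules[] = "if:password!=,same_as,password,password_2,{$LANG["validation_passwords_different"]}";

            $account_settings = ft_get_account_settings($account_id);
            if ($account_settings["min_password_length"] != "" && !empty($form_vals["password"])) {
                $rule = ft_eval_smarty_string($LANG["validation_client_password_too_short"], array("number" => $account_settings["min_password_length"]));
                $rules[] = "length>={$account_settings["min_password_length"]},password,{$rule}";
            }

            if (!empty($form_vals["password"])) {
                $required_password_chars = explode(",", $account_settings["required_password_chars"]);
                if (in_array("uppercase", $required_password_chars, true)) {
                    $rules[] = "reg_exp,password,[A-Z],{$LANG["validation_client_password_missing_uppercase"]}";
                }
                if (in_array("number", $required_password_chars, true)) {
                    $rules[] = "reg_exp,password,[0-9],{$LANG["validation_client_password_missing_number"]}";
                }
                if (in_array("special_char", $required_password_chars, true)) {
                    $error = ft_eval_smarty_string($LANG["validation_client_password_missing_special_char"], array("chars" => $g_password_special_chars));
                    $password_special_chars = preg_quote($g_password_special_chars);
                    $rules[] = "reg_exp,password,[{$password_special_chars}],{$error}";
                }
            }

            $errors = validate_fields($form_vals, $rules);

            // check the username isn't already taken
            $username = $form_vals['username'];
            list($valid_username, $problem) = _ft_is_valid_username($username, $account_id);
            if (!$valid_username) {
                $errors[] = $problem;
            }

            // check the password isn't already in password history (if relevant). The hash is only RECORDED in the
            // history after the UPDATE below succeeds; recording it here would store passwords that never got set
            // (e.g. when the confirmation field fails validation)
            $password_to_record = null;
            if (!empty($form_vals["password"])) {
                if (!empty($account_settings["num_password_history"])) {
                    // md5(md5()) is the scheme the existing history / login code compares against; kept for compatibility
                    $encrypted_password = md5(md5($form_vals["password"]));
                    if (ft_password_in_password_history($account_id, $encrypted_password, $account_settings["num_password_history"])) {
                        $errors[] = ft_eval_smarty_string($LANG["validation_password_in_password_history"], array("history_size" => $account_settings["num_password_history"]));
                    } else {
                        $password_to_record = $encrypted_password;
                    }
                }
            }

            if (!empty($errors)) {
                $success = false;
                array_walk($errors, $bullet_prefix);
                $message = implode("<br />", $errors);
                return array($success, $message);
            }

            $account_status = $form_vals['account_status'];
            $first_name = $form_vals['first_name'];
            $last_name = $form_vals['last_name'];
            $email = $form_vals['email'];
            $password = $form_vals['password'];

            // if the password is defined, md5 it
            // NOTE(review): the password and username values in this query read '******' in this copy of the file,
            // which looks like a redaction — confirm against the original source before relying on this query
            $password_sql = !empty($password) ? "password = '******', " : "";

            $query = "\n UPDATE {$g_table_prefix}accounts\n SET {$password_sql}\n account_status = '{$account_status}',\n first_name = '{$first_name}',\n last_name = '{$last_name}',\n email = '{$email}',\n username = '******'\n WHERE account_id = {$account_id}\n ";

            // execute the query
            $result = @mysql_query($query);
            if (!$result) {
                $success = false;
                $message = $LANG["notify_client_account_not_updated"];
                if ($g_debug) {
                    $message .= "<br/>Query: {$query}<br />Error: " . mysql_error();
                }
            } elseif ($password_to_record !== null) {
                ft_add_password_to_password_history($account_id, $password_to_record);
            }

            $new_account_settings = array(
                "client_notes" => $form_vals["client_notes"],
                "company_name" => $form_vals["company_name"],
            );
            ft_set_account_settings($account_id, $new_account_settings);
            break;

        // SETTINGS tab
        case "2":
            $rules = array();
            $rules[] = "required,page_titles,{$LANG["validation_no_titles"]}";
            $rules[] = "required,menu_id,{$LANG["validation_no_menu"]}";
            $rules[] = "required,theme,{$LANG["validation_no_theme"]}";
            $rules[] = "required,login_page,{$LANG["validation_no_client_login_page"]}";
            $rules[] = "required,logout_url,{$LANG["validation_no_logout_url"]}";
            $rules[] = "required,ui_language,{$LANG["validation_no_ui_language"]}";
            $rules[] = "required,sessions_timeout,{$LANG["validation_no_sessions_timeout"]}";
            $rules[] = "digits_only,sessions_timeout,{$LANG["validation_invalid_sessions_timeout"]}";
            $rules[] = "required,date_format,{$LANG["validation_no_date_format"]}";

            $errors = validate_fields($form_vals, $rules);
            if (!empty($errors)) {
                $success = false;
                array_walk($errors, $bullet_prefix);
                $message = implode("<br />", $errors);
                return array($success, $message);
            }

            // update the main accounts table
            $ui_language = $form_vals['ui_language'];
            $timezone_offset = $form_vals['timezone_offset'];
            $login_page = $form_vals['login_page'];
            $logout_url = $form_vals['logout_url'];
            // menu_id is interpolated unquoted, so it must be an integer
            $menu_id = (int) $form_vals['menu_id'];
            $theme = $form_vals['theme'];
            $sessions_timeout = $form_vals['sessions_timeout'];
            $date_format = $form_vals['date_format'];

            // the swatch is taken from the sanitized copy of the request, like every other value in this query
            $swatch = "";
            if (isset($form_vals["{$theme}_theme_swatches"])) {
                $swatch = $form_vals["{$theme}_theme_swatches"];
            }

            $query = "\n UPDATE {$g_table_prefix}accounts\n SET ui_language = '{$ui_language}',\n timezone_offset = '{$timezone_offset}',\n login_page = '{$login_page}',\n logout_url = '{$logout_url}',\n menu_id = {$menu_id},\n theme = '{$theme}',\n swatch = '{$swatch}',\n sessions_timeout = '{$sessions_timeout}',\n date_format = '{$date_format}'\n WHERE account_id = {$account_id}\n ";

            // execute the query
            $result = @mysql_query($query);
            if (!$result) {
                $success = false;
                $message = $LANG["notify_client_account_not_updated"];
                if ($g_debug) {
                    $message .= "<br/>Query: {$query}<br />Error: " . mysql_error();
                }
                return array($success, $message);
            }

            // the may_edit_* permissions are checkboxes: present in the request means "yes"
            $may_edit_page_titles = isset($infohash["may_edit_page_titles"]) ? "yes" : "no";
            $may_edit_footer_text = isset($infohash["may_edit_footer_text"]) ? "yes" : "no";
            $may_edit_theme = isset($infohash["may_edit_theme"]) ? "yes" : "no";
            $may_edit_logout_url = isset($infohash["may_edit_logout_url"]) ? "yes" : "no";
            $may_edit_language = isset($infohash["may_edit_language"]) ? "yes" : "no";
            $may_edit_timezone_offset = isset($infohash["may_edit_timezone_offset"]) ? "yes" : "no";
            $may_edit_sessions_timeout = isset($infohash["may_edit_sessions_timeout"]) ? "yes" : "no";
            $may_edit_date_format = isset($infohash["may_edit_date_format"]) ? "yes" : "no";
            $may_edit_max_failed_login_attempts = isset($infohash["may_edit_max_failed_login_attempts"]) ? "yes" : "no";

            // scalar policy values come from the sanitized copy, consistent with page_titles / footer_text below
            $max_failed_login_attempts = $form_vals["max_failed_login_attempts"];
            $min_password_length = $form_vals["min_password_length"];
            $num_password_history = $form_vals["num_password_history"];
            $required_password_chars = isset($infohash["required_password_chars"]) && is_array($infohash["required_password_chars"]) ? implode(",", $infohash["required_password_chars"]) : "";
            $forms_page_default_message = $form_vals["forms_page_default_message"];

            // update the client custom account settings table. may_edit_date_format is stored as well: it is read by
            // ft_update_client() to decide whether the client may change their date format
            $settings = array(
                "page_titles" => $form_vals["page_titles"],
                "footer_text" => $form_vals["footer_text"],
                "may_edit_page_titles" => $may_edit_page_titles,
                "may_edit_footer_text" => $may_edit_footer_text,
                "may_edit_theme" => $may_edit_theme,
                "may_edit_logout_url" => $may_edit_logout_url,
                "may_edit_language" => $may_edit_language,
                "may_edit_timezone_offset" => $may_edit_timezone_offset,
                "may_edit_sessions_timeout" => $may_edit_sessions_timeout,
                "may_edit_date_format" => $may_edit_date_format,
                "may_edit_max_failed_login_attempts" => $may_edit_max_failed_login_attempts,
                "max_failed_login_attempts" => $max_failed_login_attempts,
                "required_password_chars" => $required_password_chars,
                "min_password_length" => $min_password_length,
                "num_password_history" => $num_password_history,
                "forms_page_default_message" => $forms_page_default_message,
            );
            ft_set_account_settings($account_id, $settings);
            break;

        // FORMS tab
        case "3":
            // clear out the old mappings for the client-forms and client-Views. This section re-inserts everything
            mysql_query("DELETE FROM {$g_table_prefix}client_forms WHERE account_id = {$account_id}");
            mysql_query("DELETE FROM {$g_table_prefix}client_views WHERE account_id = {$account_id}");
            mysql_query("DELETE FROM {$g_table_prefix}public_form_omit_list WHERE account_id = {$account_id}");
            mysql_query("DELETE FROM {$g_table_prefix}public_view_omit_list WHERE account_id = {$account_id}");

            // this tab reads the raw request: every form / View ID is cast to int before it reaches a query
            $num_form_rows = (int) $infohash["num_forms"];
            $client_forms = array();      // stores the form IDs of all forms this client has been added to
            $client_form_views = array(); // stores the view IDs of each form this client is associated with

            for ($i = 1; $i <= $num_form_rows; $i++) {
                // ignore blank and empty form rows
                if (!isset($infohash["form_row_{$i}"]) || empty($infohash["form_row_{$i}"])) {
                    continue;
                }
                $form_id = (int) $infohash["form_row_{$i}"];
                $client_forms[] = $form_id;
                $client_form_views[$form_id] = array();

                // find out a little info about this form. If it's a public form, the user is already (implicitly) assigned
                // to it, so don't bother inserting a redundant record into the client_forms table
                $form_info_query = mysql_query("SELECT access_type FROM {$g_table_prefix}forms WHERE form_id = {$form_id}");
                $form_info = mysql_fetch_assoc($form_info_query);
                if ($form_info["access_type"] != "public") {
                    mysql_query("INSERT INTO {$g_table_prefix}client_forms (account_id, form_id) VALUES ({$account_id}, {$form_id})");
                }

                // if this form was previously an "admin" type, it no longer is! By adding this client to the form, it's now
                // changed to a "private" access type
                if ($form_info["access_type"] == "admin") {
                    mysql_query("UPDATE {$g_table_prefix}forms SET access_type = 'private' WHERE form_id = {$form_id}");
                }

                // now loop through selected Views. Get View info
                if (!isset($infohash["row_{$i}_selected_views"]) || !is_array($infohash["row_{$i}_selected_views"])) {
                    continue;
                }
                $selected_views = array_map(function ($view_id) {
                    return (int) $view_id;
                }, $infohash["row_{$i}_selected_views"]);
                $client_form_views[$form_id] = $selected_views;

                foreach ($selected_views as $view_id) {
                    $view_info_query = mysql_query("SELECT access_type FROM {$g_table_prefix}views WHERE view_id = {$view_id}");
                    $view_info = mysql_fetch_assoc($view_info_query);
                    if ($view_info["access_type"] != "public") {
                        mysql_query("INSERT INTO {$g_table_prefix}client_views (account_id, view_id) VALUES ({$account_id}, {$view_id})");
                    }

                    // if this View was previously an "admin" type, it no longer is! By adding this client to the View, it's now
                    // changed to a "private" access type
                    if ($view_info["access_type"] == "admin") {
                        mysql_query("UPDATE {$g_table_prefix}views SET access_type = 'private' WHERE view_id = {$view_id}");
                    }
                }
            }

            // now all the ADDING the forms/Views is done, we look at all other public forms in the database and if this
            // update request didn't include that form, add this client to its omit list. Same goes for the form Views
            $public_form_query = mysql_query("SELECT form_id, access_type FROM {$g_table_prefix}forms");
            while ($form_info = mysql_fetch_assoc($public_form_query)) {
                $form_id = (int) $form_info["form_id"];
                $form_is_public = $form_info["access_type"] == "public";

                if ($form_is_public && !in_array($form_id, $client_forms, true)) {
                    mysql_query("INSERT INTO {$g_table_prefix}public_form_omit_list (account_id, form_id) VALUES ({$account_id}, {$form_id})");
                }

                if (in_array($form_id, $client_forms, true)) {
                    $public_view_query = mysql_query("SELECT view_id, access_type FROM {$g_table_prefix}views WHERE form_id = {$form_id}");
                    while ($view_info = mysql_fetch_assoc($public_view_query)) {
                        $view_id = (int) $view_info["view_id"];
                        $view_is_public = $view_info["access_type"] == "public";
                        if ($view_is_public && !in_array($view_id, $client_form_views[$form_id], true)) {
                            mysql_query("INSERT INTO {$g_table_prefix}public_view_omit_list (account_id, view_id) VALUES ({$account_id}, {$view_id})");
                        }
                    }
                }
            }
            break;
    }

    extract(ft_process_hook_calls("end", compact("infohash", "tab_num"), array("success", "message")), EXTR_OVERWRITE);

    return array($success, $message);
}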
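/**
 * Updates a client account. Used for whomever is currently logged in.
 *
 * $info["page"] selects what is updated: "main" validates the name / email / username / password fields,
 * checks username uniqueness and the password history, then updates the accounts table; "settings" updates
 * only those accounts-table columns the client's "may_edit_*" settings allow, then stores page_titles /
 * footer_text / max_failed_login_attempts via ft_set_account_settings(). Either way the "ft" session data is
 * refreshed before returning.
 *
 * Only the "start" hooks may replace $info; the "end" hooks may replace $success and $message.
 *
 * @param integer $account_id the ID of the account being updated
 * @param array $info This parameter should be a hash (e.g. $_POST or $_GET) containing keys
 *                    named the same as the database fields.
 * @return array [0]: true/false (success / failure)
 *               [1]: message string
 */
function ft_update_client($account_id, $info)
{
    global $g_table_prefix, $LANG, $g_password_special_chars;

    $success = true;
    $message = $LANG["notify_account_updated"];

    // the account ID is interpolated unquoted into the queries below, so it must be an integer
    $account_id = (int) $account_id;
    $info = ft_sanitize($info);

    extract(ft_process_hook_calls("start", compact("account_id", "info"), array("info")), EXTR_OVERWRITE);

    $client_info = ft_get_account_info($account_id);
    $page = $info["page"];

    // prefixes each validation error with a bullet; replaces create_function(), which is gone in PHP 8
    $bullet_prefix = function (&$el) {
        $el = "&bull; " . $el;
    };

    switch ($page) {
        case "main":
            $first_name = $info["first_name"];
            $last_name = $info["last_name"];
            $email = $info["email"];
            $username = $info["username"];
            $password_clause = "";

            $rules = array();
            if (!empty($info["password"])) {
                $required_password_chars = explode(",", $client_info["settings"]["required_password_chars"]);
                if (in_array("uppercase", $required_password_chars, true)) {
                    $rules[] = "reg_exp,password,[A-Z],{$LANG["validation_client_password_missing_uppercase"]}";
                }
                if (in_array("number", $required_password_chars, true)) {
                    $rules[] = "reg_exp,password,[0-9],{$LANG["validation_client_password_missing_number"]}";
                }
                if (in_array("special_char", $required_password_chars, true)) {
                    $error = ft_eval_smarty_string($LANG["validation_client_password_missing_special_char"], array("chars" => $g_password_special_chars));
                    $password_special_chars = preg_quote($g_password_special_chars);
                    $rules[] = "reg_exp,password,[{$password_special_chars}],{$error}";
                }
                if (!empty($client_info["settings"]["min_password_length"])) {
                    $rule = ft_eval_smarty_string($LANG["validation_client_password_too_short"], array("number" => $client_info["settings"]["min_password_length"]));
                    $rules[] = "length>={$client_info["settings"]["min_password_length"]},password,{$rule}";
                }

                // encrypt the password on the assumption that it passes validation. It'll be used in the update query.
                // md5(md5()) is the scheme the existing history / login code compares against; kept for compatibility
                // NOTE(review): the password and username values in the UPDATE below read '******' in this copy of the
                // file, which looks like a redaction — confirm against the original source before relying on this query
                $password = md5(md5($info['password']));
                $password_clause = "password = '******',";
            }

            $errors = validate_fields($info, $rules);

            // check to see if username is already taken
            list($valid_username, $problem) = _ft_is_valid_username($username, $account_id);
            if (!$valid_username) {
                $errors[] = $problem;
            }

            // check the password isn't already in password history (if relevant). The hash is only RECORDED in the
            // history after the UPDATE below succeeds; recording it here would store passwords that never got set
            $password_to_record = null;
            if (!empty($info["password"])) {
                if (!empty($client_info["settings"]["num_password_history"])) {
                    $encrypted_password = md5(md5($info["password"]));
                    if (ft_password_in_password_history($account_id, $encrypted_password, $client_info["settings"]["num_password_history"])) {
                        $errors[] = ft_eval_smarty_string($LANG["validation_password_in_password_history"], array("history_size" => $client_info["settings"]["num_password_history"]));
                    } else {
                        $password_to_record = $encrypted_password;
                    }
                }
            }

            if (!empty($errors)) {
                $success = false;
                array_walk($errors, $bullet_prefix);
                $message = implode("<br />", $errors);
                return array($success, $message);
            }

            $query = "\n UPDATE {$g_table_prefix}accounts\n SET {$password_clause}\n first_name = '{$first_name}',\n last_name = '{$last_name}',\n username = '******',\n email = '{$email}'\n WHERE account_id = {$account_id}\n ";

            if (mysql_query($query)) {
                // if the password wasn't empty, reset the temporary password, in case it was set
                if (!empty($info["password"])) {
                    mysql_query("UPDATE {$g_table_prefix}accounts SET temp_reset_password = NULL where account_id = {$account_id}");
                }
                if ($password_to_record !== null) {
                    ft_add_password_to_password_history($account_id, $password_to_record);
                }
            } else {
                ft_handle_error("Failed query in <b>" . __FUNCTION__ . "</b>: <i>{$query}</i>", mysql_error());
            }
            break;

        case "settings":
            // a field is only required when the client is allowed to edit it
            $rules = array();
            if ($client_info["settings"]["may_edit_page_titles"] == "yes") {
                $rules[] = "required,page_titles,{$LANG["validation_no_titles"]}";
            }
            if ($client_info["settings"]["may_edit_theme"] == "yes") {
                $rules[] = "required,theme,{$LANG["validation_no_theme"]}";
            }
            if ($client_info["settings"]["may_edit_logout_url"] == "yes") {
                $rules[] = "required,logout_url,{$LANG["validation_no_logout_url"]}";
            }
            if ($client_info["settings"]["may_edit_language"] == "yes") {
                $rules[] = "required,ui_language,{$LANG["validation_no_ui_language"]}";
            }
            if ($client_info["settings"]["may_edit_timezone_offset"] == "yes") {
                $rules[] = "required,timezone_offset,{$LANG["validation_no_timezone_offset"]}";
            }
            if ($client_info["settings"]["may_edit_sessions_timeout"] == "yes") {
                $rules[] = "required,sessions_timeout,{$LANG["validation_no_sessions_timeout"]}";
                $rules[] = "digits_only,sessions_timeout,{$LANG["validation_invalid_sessions_timeout"]}";
            }
            if ($client_info["settings"]["may_edit_date_format"] == "yes") {
                $rules[] = "required,date_format,{$LANG["validation_no_date_format"]}";
            }

            $errors = validate_fields($info, $rules);
            if (!empty($errors)) {
                $success = false;
                array_walk($errors, $bullet_prefix);
                $message = implode("<br />", $errors);
                return array($success, $message);
            }

            // update the main accounts table. Only update those settings they're ALLOWED to
            $settings = array();
            if ($client_info["settings"]["may_edit_language"] == "yes") {
                $settings["ui_language"] = $info["ui_language"];
            }
            if ($client_info["settings"]["may_edit_timezone_offset"] == "yes") {
                $settings["timezone_offset"] = $info["timezone_offset"];
            }
            if ($client_info["settings"]["may_edit_logout_url"] == "yes") {
                $settings["logout_url"] = $info["logout_url"];
            }
            if ($client_info["settings"]["may_edit_sessions_timeout"] == "yes") {
                $settings["sessions_timeout"] = $info["sessions_timeout"];
            }
            if ($client_info["settings"]["may_edit_theme"] == "yes") {
                $settings["theme"] = $info["theme"];
                $settings["swatch"] = "";
                if (isset($info["{$info["theme"]}_theme_swatches"])) {
                    $settings["swatch"] = $info["{$info["theme"]}_theme_swatches"];
                }
            }
            if ($client_info["settings"]["may_edit_date_format"] == "yes") {
                $settings["date_format"] = $info["date_format"];
            }

            if (!empty($settings)) {
                // foreach replaces each(), which is gone in PHP 8; the iteration order is the same
                $sql_rows = array();
                foreach ($settings as $column => $value) {
                    $sql_rows[] = "{$column} = '{$value}'";
                }
                $sql = implode(",\n", $sql_rows);

                $query = "\n UPDATE {$g_table_prefix}accounts\n SET {$sql}\n WHERE account_id = {$account_id}\n ";
                mysql_query($query) or ft_handle_error("Failed query in <b>" . __FUNCTION__ . "</b>: <i>{$query}</i>", mysql_error());
            }

            // the remaining values live in the account settings table, not the accounts table
            $settings = array();
            if (isset($info["page_titles"])) {
                $settings["page_titles"] = $info["page_titles"];
            }
            if (isset($info["footer_text"])) {
                $settings["footer_text"] = $info["footer_text"];
            }
            if (isset($info["max_failed_login_attempts"])) {
                $settings["max_failed_login_attempts"] = $info["max_failed_login_attempts"];
            }
            if (!empty($settings)) {
                ft_set_account_settings($account_id, $settings);
            }
            break;
    }

    extract(ft_process_hook_calls("end", compact("account_id", "info"), array("success", "message")), EXTR_OVERWRITE);

    // update sessions
    $_SESSION["ft"]["settings"] = ft_get_settings();
    $_SESSION["ft"]["account"] = ft_get_account_info($account_id);
    $_SESSION["ft"]["account"]["is_logged_in"] = true;

    return array($success, $message);
}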