/**
 * Process information given to new/edit account form
 *
 * Validates the submitted fields, checks username / e-mail / SSH-key
 * fingerprints for uniqueness, and then either INSERTs a new unprivileged
 * account (TYPE "new") or UPDATEs the account identified by $UID (any other
 * TYPE). Returns on the first validation failure with a rendered error list.
 *
 * Review notes on the security-relevant behaviour visible in this function:
 *  - The three uniqueness checks are check-then-act against the DB and are
 *    racy (the TODOs below). A UNIQUE constraint in the schema is the only
 *    real guarantee; this code just produces the friendly message.
 *  - The only privilege check here caps the requested account type $T at the
 *    editor's own level (derived from the AURSID session cookie). It does NOT
 *    verify that the editor may modify $UID at all, nor who may set $S
 *    (suspension) or $J; that authorisation is assumed to live in the caller.
 *  - Every user-controlled value that reaches SQL goes through $dbh->quote()
 *    or intval(), except the new password hash and salt in the edit path,
 *    which are interpolated verbatim (see the note at that line).
 *  - For TYPE "new", $T, $S, $H and $J are ignored: the INSERT hard-codes
 *    AccountTypeID = 1, Suspended = 0, InactivityTS = 0 and does not set
 *    HideEmail.
 *
 * @global array $SUPPORTED_LANGS Languages that are supported by the AUR
 * @param string $TYPE Either "edit" for editing or "new" for registering an account
 * @param string $A Form to use, either UpdateAccount or NewAccount (not read in this function)
 * @param string $U The username for the account
 * @param string $T The account type for the user
 * @param string $S Whether or not the account is suspended
 * @param string $E The e-mail address for the user
 * @param string $H Whether or not the e-mail address should be hidden
 * @param string $P The password for the user (empty: new accounts get a reset key, edits keep the old hash)
 * @param string $C The confirmed password for the user
 * @param string $R The real name of the user
 * @param string $L The language preference of the user
 * @param string $I The IRC nickname of the user
 * @param string $K The PGP fingerprint of the user
 * @param string $PK The list of public SSH keys (newline separated)
 * @param string $J The inactivity status of the user
 * @param string $UID The user ID of the modified account
 * @param string $N The username as present in the database (not read in this function)
 *
 * @return array Boolean indicating success and message to be printed
 *               (the message is HTML; on failure it is wrapped in <ul class='errorlist'>)
 */
function process_account_form($TYPE, $A, $U = "", $T = "", $S = "", $E = "", $H = "", $P = "", $C = "", $R = "", $L = "", $I = "", $K = "", $PK = "", $J = "", $UID = 0, $N = "") {
	global $SUPPORTED_LANGS;

	$error = '';
	$message = '';

	/*
	 * NOTE(review): neither this nor the two "missing field" checks below
	 * is guarded by !$error, so a later validation message can overwrite
	 * the ban message. The request still fails either way; only the text
	 * shown to the user differs.
	 */
	if (is_ipbanned()) {
		$error = __('Account registration has been disabled ' .
			'for your IP address, probably due ' .
			'to sustained spam attacks. Sorry for the ' .
			'inconvenience.');
	}

	$dbh = DB::connect();

	/* Acting user resolved from the session cookie; not used further down. */
	if (isset($_COOKIE['AURSID'])) {
		$editor_user = uid_from_sid($_COOKIE['AURSID']);
	} else {
		$editor_user = null;
	}

	if (empty($E) || empty($U)) {
		$error = __("Missing a required field.");
	}
	if ($TYPE != "new" && !$UID) {
		$error = __("Missing User ID");
	}

	if (!$error && !valid_username($U)) {
		$length_min = config_get_int('options', 'username_min_len');
		$length_max = config_get_int('options', 'username_max_len');
		$error = __("The username is invalid.") . "<ul>\n" .
			"<li>" . __("It must be between %s and %s characters long", $length_min, $length_max) . "</li>" .
			"<li>" . __("Start and end with a letter or number") . "</li>" .
			"<li>" . __("Can contain only one period, underscore or hyphen.") . "</li>\n</ul>";
	}

	/* Password fields are only compared when both were filled in. */
	if (!$error && $P && $C && $P != $C) {
		$error = __("Password fields do not match.");
	}
	/* An empty password is deliberately allowed here; see @param $P. */
	if (!$error && $P != '' && !good_passwd($P)) {
		$length_min = config_get_int('options', 'passwd_min_len');
		$error = __("Your password must be at least %s characters.", $length_min);
	}
	if (!$error && !valid_email($E)) {
		$error = __("The email address is invalid.");
	}
	if (!$error && $K != '' && !valid_pgp_fingerprint($K)) {
		$error = __("The PGP key fingerprint is invalid.");
	}

	/*
	 * NOTE(review): $ssh_keys and $ssh_fingerprints are only assigned inside
	 * this branch, yet both are read unconditionally further down
	 * (count($ssh_keys) and the account_set_ssh_keys() calls). When $PK is
	 * empty that is an undefined-variable warning on PHP 7 and a TypeError
	 * from count() on PHP 8. Initialising both to array() ahead of this
	 * block would close that gap.
	 */
	if (!$error && !empty($PK)) {
		$ssh_keys = array_filter(array_map('trim', explode("\n", $PK)));
		$ssh_fingerprints = array();
		foreach ($ssh_keys as &$ssh_key) {
			if (!valid_ssh_pubkey($ssh_key)) {
				$error = __("The SSH public key is invalid.");
				break;
			}
			$ssh_fingerprint = ssh_key_fingerprint($ssh_key);
			if (!$ssh_fingerprint) {
				$error = __("The SSH public key is invalid.");
				break;
			}
			/* Store only "<type> <key>"; any trailing comment is dropped. */
			$tokens = explode(" ", $ssh_key);
			$ssh_key = $tokens[0] . " " . $tokens[1];
			$ssh_fingerprints[] = $ssh_fingerprint;
		}
		/*
		 * Destroy last reference to prevent accidentally overwriting
		 * an array element.
		 */
		unset($ssh_key);
	}

	/*
	 * Privilege cap: a "User" may not request a type above 1, a
	 * "Trusted User" not above 2. Precedence is (User && T>1) ||
	 * (TU && T>2) since && binds tighter than ||. Without a session
	 * cookie the check is skipped entirely (the "new" path ignores $T
	 * anyway). This does not check that the editor may edit $UID.
	 */
	if (isset($_COOKIE['AURSID'])) {
		$atype = account_from_sid($_COOKIE['AURSID']);
		if ($atype == "User" && $T > 1 || $atype == "Trusted User" && $T > 2) {
			$error = __("Cannot increase account permissions.");
		}
	}

	if (!$error && !array_key_exists($L, $SUPPORTED_LANGS)) {
		$error = __("Language is not currently supported.");
	}

	if (!$error) {
		/*
		 * Check whether the user name is available.
		 * TODO: Fix race condition.
		 */
		$q = "SELECT COUNT(*) AS CNT FROM Users ";
		/*
		 * NOTE(review): the corpus text is redacted at "******". By analogy
		 * with the e-mail check below, the elided code presumably quotes $U
		 * and opens the `if ($TYPE == "edit")` guard whose closing brace
		 * follows the intval($UID) line — confirm against the real file.
		 */
		$q .= "WHERE Username = "******"edit") {
			$q .= " AND ID != " . intval($UID);
		}
		/* No error check on query(); a failed query would fatal on ->fetch(). */
		$result = $dbh->query($q);
		$row = $result->fetch(PDO::FETCH_NUM);
		if ($row[0]) {
			$error = __("The username, %s%s%s, is already in use.", "<strong>", htmlspecialchars($U, ENT_QUOTES), "</strong>");
		}
	}

	if (!$error) {
		/*
		 * Check whether the e-mail address is available.
		 * TODO: Fix race condition.
		 */
		$q = "SELECT COUNT(*) AS CNT FROM Users ";
		$q .= "WHERE Email = " . $dbh->quote($E);
		if ($TYPE == "edit") {
			/* Exclude the account being edited from the collision check. */
			$q .= " AND ID != " . intval($UID);
		}
		$result = $dbh->query($q);
		$row = $result->fetch(PDO::FETCH_NUM);
		if ($row[0]) {
			$error = __("The address, %s%s%s, is already in use.", "<strong>", htmlspecialchars($E, ENT_QUOTES), "</strong>");
		}
	}

	/* See the NOTE above: $ssh_keys is undefined here when $PK was empty. */
	if (!$error && count($ssh_keys) > 0) {
		/*
		 * Check whether any of the SSH public keys is already in use.
		 * TODO: Fix race condition.
		 */
		$q = "SELECT Fingerprint FROM SSHPubKeys ";
		$q .= "WHERE Fingerprint IN (";
		/* Each fingerprint is individually quoted before joining. */
		$q .= implode(',', array_map(array($dbh, 'quote'), $ssh_fingerprints));
		$q .= ")";
		if ($TYPE == "edit") {
			$q .= " AND UserID != " . intval($UID);
		}
		$result = $dbh->query($q);
		$row = $result->fetch(PDO::FETCH_NUM);
		if ($row) {
			$error = __("The SSH public key, %s%s%s, is already in use.", "<strong>", htmlspecialchars($row[0], ENT_QUOTES), "</strong>");
		}
	}

	if ($error) {
		$message = "<ul class='errorlist'><li>" . $error . "</li></ul>\n";
		return array(false, $message);
	}

	if ($TYPE == "new") {
		/* Create an unprivileged user.
		 */
		$salt = generate_salt();
		if (empty($P)) {
			/*
			 * No password given: the account is created with $P empty and a
			 * reset key is mailed instead. A plain copy of $E is kept because
			 * $E is overwritten with its SQL-quoted form just below.
			 */
			$send_resetkey = true;
			$email = $E;
		} else {
			$send_resetkey = false;
			/* NOTE(review): hash scheme is whatever salted_hash() implements; not visible here. */
			$P = salted_hash($P, $salt);
		}
		/*
		 * NOTE(review): the variables are replaced in place by their quoted
		 * forms, so every later use of $U in this branch (the messages
		 * below) sees the SQL-quoted string, quotes included.
		 */
		$U = $dbh->quote($U);
		$E = $dbh->quote($E);
		$P = $dbh->quote($P);
		$salt = $dbh->quote($salt);
		$R = $dbh->quote($R);
		$L = $dbh->quote($L);
		$I = $dbh->quote($I);
		$K = $dbh->quote(str_replace(" ", "", $K));
		/* AccountTypeID, Suspended and InactivityTS are fixed for new accounts. */
		$q = "INSERT INTO Users (AccountTypeID, Suspended, ";
		$q .= "InactivityTS, Username, Email, Passwd, Salt, ";
		$q .= "RealName, LangPreference, IRCNick, PGPKey) ";
		$q .= "VALUES (1, 0, 0, {$U}, {$E}, {$P}, {$salt}, {$R}, {$L}, ";
		$q .= "{$I}, {$K})";
		/* exec() returns the affected row count (1 on success) or false. */
		$result = $dbh->exec($q);
		if (!$result) {
			$message = __("Error trying to create account, %s%s%s.", "<strong>", htmlspecialchars($U, ENT_QUOTES), "</strong>");
			return array(false, $message);
		}
		$uid = $dbh->lastInsertId();
		/* Return value is ignored here (checked in the edit path below). */
		account_set_ssh_keys($uid, $ssh_keys, $ssh_fingerprints);
		$message = __("The account, %s%s%s, has been successfully created.", "<strong>", htmlspecialchars($U, ENT_QUOTES), "</strong>");
		$message .= "<p>\n";
		if ($send_resetkey) {
			send_resetkey($email, true);
			$message .= __("A password reset key has been sent to your e-mail address.");
			$message .= "</p>\n";
		} else {
			$message .= __("Click on the Login link above to use your account.");
			$message .= "</p>\n";
		}
	} else {
		/* Modify an existing account. */
		$q = "SELECT InactivityTS FROM Users WHERE ";
		$q .= "ID = " . intval($UID);
		$result = $dbh->query($q);
		$row = $result->fetch(PDO::FETCH_NUM);
		/*
		 * Inactivity flag: keep the existing timestamp if still set,
		 * start one now if newly set, clear it (0) otherwise.
		 */
		if ($row[0] && $J) {
			$inactivity_ts = $row[0];
		} elseif ($J) {
			$inactivity_ts = time();
		} else {
			$inactivity_ts = 0;
		}
		$q = "UPDATE Users SET ";
		/*
		 * NOTE(review): the corpus text is redacted at "******". The elided
		 * code presumably quotes $U and opens a conditional that appends
		 * AccountTypeID, which the stray closing brace belongs to — confirm
		 * against the real file.
		 */
		$q .= "Username = "******", AccountTypeID = " . intval($T); }
		if ($S) {
			/* Ensure suspended users can't keep an active session */
			/* Runs before the UPDATE; if the UPDATE later fails the sessions stay gone (fail closed). */
			delete_user_sessions($UID);
			$q .= ", Suspended = 1";
		} else {
			$q .= ", Suspended = 0";
		}
		$q .= ", Email = " . $dbh->quote($E);
		if ($H) {
			$q .= ", HideEmail = 1";
		} else {
			$q .= ", HideEmail = 0";
		}
		if ($P) {
			$salt = generate_salt();
			$hash = salted_hash($P, $salt);
			/*
			 * NOTE(review): $hash and $salt are interpolated without
			 * $dbh->quote(). This is only safe if salted_hash() and
			 * generate_salt() are guaranteed to return characters that
			 * cannot break a single-quoted SQL literal (e.g. hex); neither
			 * function is visible here, so quote() would be the safer habit.
			 */
			$q .= ", Passwd = '{$hash}', Salt = '{$salt}'";
		}
		$q .= ", RealName = " . $dbh->quote($R);
		$q .= ", LangPreference = " . $dbh->quote($L);
		$q .= ", IRCNick = " . $dbh->quote($I);
		$q .= ", PGPKey = " . $dbh->quote(str_replace(" ", "", $K));
		$q .= ", InactivityTS = " . $inactivity_ts;
		$q .= " WHERE ID = " . intval($UID);
		$result = $dbh->exec($q);
		/* See the NOTE above: $ssh_keys / $ssh_fingerprints are undefined when $PK was empty. */
		$ssh_key_result = account_set_ssh_keys($UID, $ssh_keys, $ssh_fingerprints);
		/* === false distinguishes a failed UPDATE from one that touched 0 rows. */
		if ($result === false || $ssh_key_result === false) {
			$message = __("No changes were made to the account, %s%s%s.", "<strong>", htmlspecialchars($U, ENT_QUOTES), "</strong>");
		} else {
			$message = __("The account, %s%s%s, has been successfully modified.", "<strong>", htmlspecialchars($U, ENT_QUOTES), "</strong>");
		}
	}
	return array(true, $message);
}
if (isset($_COOKIE["AURSID"])) { header('Location: /'); exit; } $error = ''; if (isset($_GET['resetkey'], $_POST['email'], $_POST['password'], $_POST['confirm'])) { $resetkey = $_GET['resetkey']; $email = $_POST['email']; $password = $_POST['password']; $confirm = $_POST['confirm']; $uid = uid_from_email($email); if (empty($email) || empty($password)) { $error = __('Missing a required field.'); } elseif ($password != $confirm) { $error = __('Password fields do not match.'); } elseif (!good_passwd($password)) { $length_min = config_get_int('options', 'passwd_min_len'); $error = __("Your password must be at least %s characters.", $length_min); } elseif ($uid == null) { $error = __('Invalid e-mail.'); } if (empty($error)) { $salt = generate_salt(); $hash = salted_hash($password, $salt); $error = password_reset($hash, $salt, $resetkey, $email); } } elseif (isset($_POST['email'])) { $email = $_POST['email']; $username = username_from_id(uid_from_email($email)); if (empty($email)) { $error = __('Missing a required field.');