if (!$Me) { $Me = new Contact($trueuser); } $Me = $Me->activate(); // if bounced through login, add post data if (isset($_SESSION["login_bounce"]) && !$Me->is_empty()) { $lb = $_SESSION["login_bounce"]; if ($lb[0] == $Conf->dsn && $lb[2] !== "index" && $lb[2] == Navigation::page()) { foreach ($lb[3] as $k => $v) { if (!isset($_REQUEST[$k])) { $_REQUEST[$k] = $_GET[$k] = $v; } } $_REQUEST["after_login"] = 1; } unset($_SESSION["login_bounce"]); } } global $Me; initialize_user(); // Extract an error that we redirected through if (isset($_SESSION["redirect_error"])) { global $Error; $Error = $_SESSION["redirect_error"]; unset($_SESSION["redirect_error"]); } // Mark as already expired to discourage caching, but allow the browser // to cache for history buttons session_cache_limiter(""); header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); header("Cache-Control: private");
function add() { $login = $this->dbh->escape_string(trim($_REQUEST["login"])); $tmp_user_pwd = make_password(8); $salt = substr(bin2hex(get_random_bytes(125)), 0, 250); $pwd_hash = encrypt_password($tmp_user_pwd, $salt, true); $result = $this->dbh->query("SELECT id FROM ttrss_users WHERE\n\t\t\t\tlogin = '******'"); if ($this->dbh->num_rows($result) == 0) { $this->dbh->query("INSERT INTO ttrss_users\n\t\t\t\t\t(login,pwd_hash,access_level,last_login,created, salt)\n\t\t\t\t\tVALUES ('{$login}', '{$pwd_hash}', 0, null, NOW(), '{$salt}')"); $result = $this->dbh->query("SELECT id FROM ttrss_users WHERE\n\t\t\t\t\tlogin = '******' AND pwd_hash = '{$pwd_hash}'"); if ($this->dbh->num_rows($result) == 1) { $new_uid = $this->dbh->fetch_result($result, 0, "id"); print format_notice(T_sprintf("Added user <b>%s</b> with password <b>%s</b>", $login, $tmp_user_pwd)); initialize_user($new_uid); } else { print format_warning(T_sprintf("Could not create user <b>%s</b>", $login)); } } else { print format_warning(T_sprintf("User <b>%s</b> already exists.", $login)); } }
$result = db_query($link, "SELECT id FROM ttrss_users WHERE\n\t\t\t\tlogin = '******'"); $is_registered = db_num_rows($result) > 0; if ($is_registered) { print_error(__('Sorry, this username is already taken.')); print "<p><form method=\"GET\" action=\"tt-rss.php\">\n\t\t\t\t<input type=\"submit\" value=\"" . __("Return to Tiny Tiny RSS") . "\">\n\t\t\t\t</form>"; } else { $password = make_password(); $pwd_hash = encrypt_password($password, $login); db_query($link, "INSERT INTO ttrss_users \n\t\t\t\t\t(login,pwd_hash,access_level,last_login, email, created)\n\t\t\t\t\tVALUES ('{$login}', '{$pwd_hash}', 0, null, '{$email}', NOW())"); $result = db_query($link, "SELECT id FROM ttrss_users WHERE \n\t\t\t\t\tlogin = '******' AND pwd_hash = '{$pwd_hash}'"); if (db_num_rows($result) != 1) { print_error(__('Registration failed.')); print "<p><form method=\"GET\" action=\"tt-rss.php\">\n\t\t\t\t\t<input type=\"submit\" value=\"" . __("Return to Tiny Tiny RSS") . "\">\n\t\t\t\t\t</form>"; } else { $new_uid = db_fetch_result($result, 0, "id"); initialize_user($link, $new_uid); $reg_text = "Hi!\n" . "\n" . "You are receiving this message, because you (or somebody else) have opened\n" . "an account at Tiny Tiny RSS.\n" . "\n" . "Your login information is as follows:\n" . "\n" . "Login: {$login}\n" . "Password: {$password}\n" . "\n" . "Don't forget to login at least once to your new account, otherwise\n" . "it will be deleted in 24 hours.\n" . "\n" . "If that wasn't you, just ignore this message. Thanks."; $mail = new PHPMailer(); $mail->PluginDir = "lib/phpmailer/"; $mail->SetLanguage("en", "lib/phpmailer/language/"); $mail->CharSet = "UTF-8"; $mail->From = DIGEST_FROM_ADDRESS; $mail->FromName = DIGEST_FROM_NAME; $mail->AddAddress($email); if (DIGEST_SMTP_HOST) { $mail->Host = DIGEST_SMTP_HOST; $mail->Mailer = "smtp"; $mail->Username = DIGEST_SMTP_LOGIN; $mail->Password = DIGEST_SMTP_PASSWORD; } // $mail->IsHTML(true);
$is_registered = db_num_rows($result) > 0; if ($is_registered) { print_error(__('Sorry, this username is already taken.')); print "<p><form method=\"GET\" action=\"index.php\">\n\t\t\t\t<input type=\"submit\" value=\"" . __("Return to Tiny Tiny RSS") . "\">\n\t\t\t\t</form>"; } else { $password = make_password(); $salt = substr(bin2hex(get_random_bytes(125)), 0, 250); $pwd_hash = encrypt_password($password, $salt, true); db_query("INSERT INTO ttrss_users\n\t\t\t\t\t(login,pwd_hash,access_level,last_login, email, created, salt)\n\t\t\t\t\tVALUES ('{$login}', '{$pwd_hash}', 0, null, '{$email}', NOW(), '{$salt}')"); $result = db_query("SELECT id FROM ttrss_users WHERE\n\t\t\t\t\tlogin = '******' AND pwd_hash = '{$pwd_hash}'"); if (db_num_rows($result) != 1) { print_error(__('Registration failed.')); print "<p><form method=\"GET\" action=\"index.php\">\n\t\t\t\t\t<input type=\"submit\" value=\"" . __("Return to Tiny Tiny RSS") . "\">\n\t\t\t\t\t</form>"; } else { $new_uid = db_fetch_result($result, 0, "id"); initialize_user($new_uid); $reg_text = "Hi!\n" . "\n" . "You are receiving this message, because you (or somebody else) have opened\n" . "an account at Tiny Tiny RSS.\n" . "\n" . "Your login information is as follows:\n" . "\n" . "Login: {$login}\n" . "Password: {$password}\n" . "\n" . "Don't forget to login at least once to your new account, otherwise\n" . "it will be deleted in 24 hours.\n" . "\n" . "If that wasn't you, just ignore this message. Thanks."; $mail = new ttrssMailer(); $mail->IsHTML(false); $rc = $mail->quickMail($email, "", "Registration information for Tiny Tiny RSS", $reg_text, false); if (!$rc) { print_error($mail->ErrorInfo); } unset($reg_text); unset($mail); unset($rc); $reg_text = "Hi!\n" . "\n" . "New user had registered at your Tiny Tiny RSS installation.\n" . "\n" . "Login: {$login}\n" . "Email: {$email}\n"; $mail = new ttrssMailer(); $mail->IsHTML(false); $rc = $mail->quickMail(REG_NOTIFY_ADDRESS, "", "Registration notice for Tiny Tiny RSS", $reg_text, false); if (!$rc) {
function module_pref_users($link) { global $access_level_names; if (!SINGLE_USER_MODE && $_SESSION["access_level"] < 10) { print __("Your access level is insufficient to open this tab."); return; } $subop = $_REQUEST["subop"]; if ($subop == "user-details") { $uid = sprintf("%d", $_REQUEST["id"]); print "<div id=\"infoBoxTitle\">" . __('User details') . "</div>"; print "<div class='infoBoxContents'>"; $result = db_query($link, "SELECT login,\n\t\t\t\t" . SUBSTRING_FOR_DATE . "(last_login,1,16) AS last_login,\n\t\t\t\taccess_level,\n\t\t\t\t(SELECT COUNT(int_id) FROM ttrss_user_entries \n\t\t\t\t\tWHERE owner_uid = id) AS stored_articles,\n\t\t\t\t" . SUBSTRING_FOR_DATE . "(created,1,16) AS created\n\t\t\t\tFROM ttrss_users \n\t\t\t\tWHERE id = '{$uid}'"); if (db_num_rows($result) == 0) { print "<h1>" . __('User not found') . "</h1>"; return; } // print "<h1>User Details</h1>"; $login = db_fetch_result($result, 0, "login"); print "<table width='100%'>"; $last_login = date(get_pref($link, 'LONG_DATE_FORMAT'), strtotime(db_fetch_result($result, 0, "last_login"))); $created = date(get_pref($link, 'LONG_DATE_FORMAT'), strtotime(db_fetch_result($result, 0, "created"))); $access_level = db_fetch_result($result, 0, "access_level"); $stored_articles = db_fetch_result($result, 0, "stored_articles"); print "<tr><td>" . __('Registered') . "</td><td>{$created}</td></tr>"; print "<tr><td>" . __('Last logged in') . "</td><td>{$last_login}</td></tr>"; $result = db_query($link, "SELECT COUNT(id) as num_feeds FROM ttrss_feeds\n\t\t\t\tWHERE owner_uid = '{$uid}'"); $num_feeds = db_fetch_result($result, 0, "num_feeds"); print "<tr><td>" . __('Subscribed feeds count') . "</td><td>{$num_feeds}</td></tr>"; print "</table>"; print "<h1>" . __('Subscribed feeds') . "</h1>"; $result = db_query($link, "SELECT id,title,site_url FROM ttrss_feeds\n\t\t\t\tWHERE owner_uid = '{$uid}' ORDER BY title"); print "<ul class=\"userFeedList\">"; $row_class = "odd"; while ($line = db_fetch_assoc($result)) { $icon_file = ICONS_URL . "/" . $line["id"] . ".ico"; if (file_exists($icon_file) && filesize($icon_file) > 0) { $feed_icon = "<img class=\"tinyFeedIcon\" src=\"{$icon_file}\">"; } else { $feed_icon = "<img class=\"tinyFeedIcon\" src=\"images/blank_icon.gif\">"; } print "<li class=\"{$row_class}\">{$feed_icon} <a href=\"" . $line["site_url"] . "\">" . $line["title"] . "</a></li>"; $row_class = toggleEvenOdd($row_class); } if (db_num_rows($result) < $num_feeds) { // FIXME - add link to show ALL subscribed feeds here somewhere print "<li><img \n\t\t\t\t\tclass=\"tinyFeedIcon\" src=\"images/blank_icon.gif\"> ...</li>"; } print "</ul>"; print "<div align='center'>\n\t\t\t\t<button onclick=\"closeInfoBox()\">" . __("Close this window") . "</button></div>"; print "</div>"; return; } if ($subop == "edit") { $id = db_escape_string($_REQUEST["id"]); print "<div id=\"infoBoxTitle\">" . __('User Editor') . "</div>"; print "<div class=\"infoBoxContents\">"; print "<form id=\"user_edit_form\" onsubmit='return false'>"; print "<input type=\"hidden\" name=\"id\" value=\"{$id}\">"; print "<input type=\"hidden\" name=\"op\" value=\"pref-users\">"; print "<input type=\"hidden\" name=\"subop\" value=\"editSave\">"; $result = db_query($link, "SELECT * FROM ttrss_users WHERE id = '{$id}'"); $login = db_fetch_result($result, 0, "login"); $access_level = db_fetch_result($result, 0, "access_level"); $email = db_fetch_result($result, 0, "email"); $sel_disabled = $id == $_SESSION["uid"] ? "disabled" : ""; print "<div class=\"dlgSec\">" . __("User") . "</div>"; print "<div class=\"dlgSecCont\">"; if ($sel_disabled) { print "<input type=\"hidden\" name=\"login\" value=\"{$login}\">"; print "<input size=\"30\" style=\"font-size : 16px\" \n\t\t\t\t\tonkeypress=\"return filterCR(event, userEditSave)\" {$sel_disabled}\n\t\t\t\t\tvalue=\"{$login}\">"; } else { print "<input size=\"30\" style=\"font-size : 16px\" \n\t\t\t\t\tonkeypress=\"return filterCR(event, userEditSave)\" {$sel_disabled}\n\t\t\t\t\tname=\"login\" value=\"{$login}\">"; } print "</div>"; print "<div class=\"dlgSec\">" . __("Authentication") . "</div>"; print "<div class=\"dlgSecCont\">"; print __('Access level: ') . " "; if (!$sel_disabled) { print_select_hash("access_level", $access_level, $access_level_names, $sel_disabled); } else { print_select_hash("", $access_level, $access_level_names, $sel_disabled); print "<input type=\"hidden\" name=\"access_level\" value=\"{$access_level}\">"; } print "<br/>"; print __('Change password to') . " <input size=\"20\" onkeypress=\"return filterCR(event, userEditSave)\"\n\t\t\t\tname=\"password\">"; print "</div>"; print "<div class=\"dlgSec\">" . __("Options") . "</div>"; print "<div class=\"dlgSecCont\">"; print __('E-mail: ') . " <input size=\"30\" name=\"email\" onkeypress=\"return filterCR(event, userEditSave)\"\n\t\t\t\tvalue=\"{$email}\">"; print "</div>"; print "</table>"; print "</form>"; print "<div class=\"dlgButtons\">\n\t\t\t\t<button onclick=\"return userEditSave()\">" . __('Save') . "</button>\n\t\t\t\t<button onclick=\"return userEditCancel()\">" . __('Cancel') . "</button></div>"; print "</div>"; return; } if ($subop == "editSave") { if (!WEB_DEMO_MODE && $_SESSION["access_level"] >= 10) { $login = db_escape_string(trim($_REQUEST["login"])); $uid = db_escape_string($_REQUEST["id"]); $access_level = (int) $_REQUEST["access_level"]; $email = db_escape_string(trim($_REQUEST["email"])); $password = db_escape_string(trim($_REQUEST["password"])); if ($password) { $pwd_hash = encrypt_password($password, $login); $pass_query_part = "pwd_hash = '{$pwd_hash}', "; print_notice(T_sprintf('Changed password of user <b>%s</b>.', $login)); } else { $pass_query_part = ""; } db_query($link, "UPDATE ttrss_users SET {$pass_query_part} login = '******', \n\t\t\t\t\taccess_level = '{$access_level}', email = '{$email}' WHERE id = '{$uid}'"); } } else { if ($subop == "remove") { if ($_SESSION["access_level"] >= 10) { $ids = split(",", db_escape_string($_REQUEST["ids"])); foreach ($ids as $id) { if ($id != $_SESSION["uid"]) { db_query($link, "DELETE FROM ttrss_tags WHERE owner_uid = '{$id}'"); db_query($link, "DELETE FROM ttrss_feeds WHERE owner_uid = '{$id}'"); db_query($link, "DELETE FROM ttrss_users WHERE id = '{$id}'"); } } } } else { if ($subop == "add") { if ($_SESSION["access_level"] >= 10) { $login = db_escape_string(trim($_REQUEST["login"])); $tmp_user_pwd = make_password(8); $pwd_hash = encrypt_password($tmp_user_pwd, $login); $result = db_query($link, "SELECT id FROM ttrss_users WHERE \n\t\t\t\t\tlogin = '******'"); if (db_num_rows($result) == 0) { db_query($link, "INSERT INTO ttrss_users \n\t\t\t\t\t\t(login,pwd_hash,access_level,last_login,created)\n\t\t\t\t\t\tVALUES ('{$login}', '{$pwd_hash}', 0, null, NOW())"); $result = db_query($link, "SELECT id FROM ttrss_users WHERE \n\t\t\t\t\t\tlogin = '******' AND pwd_hash = '{$pwd_hash}'"); if (db_num_rows($result) == 1) { $new_uid = db_fetch_result($result, 0, "id"); print_notice(T_sprintf("Added user <b>%s</b> with password <b>%s</b>", $login, $tmp_user_pwd)); initialize_user($link, $new_uid); } else { print_warning(T_sprintf("Could not create user <b>%s</b>", $login)); } } else { print_warning(T_sprintf("User <b>%s</b> already exists.", $login)); } } } else { if ($subop == "resetPass") { if (!WEB_DEMO_MODE && $_SESSION["access_level"] >= 10) { $uid = db_escape_string($_REQUEST["id"]); $result = db_query($link, "SELECT login,email \n\t\t\t\t\tFROM ttrss_users WHERE id = '{$uid}'"); $login = db_fetch_result($result, 0, "login"); $email = db_fetch_result($result, 0, "email"); $tmp_user_pwd = make_password(8); $pwd_hash = encrypt_password($tmp_user_pwd, $login); db_query($link, "UPDATE ttrss_users SET pwd_hash = '{$pwd_hash}'\n\t\t\t\t\tWHERE id = '{$uid}'"); print_notice(T_sprintf("Changed password of user <b>%s</b>\n\t\t\t\t\t to <b>%s</b>", $login, $tmp_user_pwd)); if ($email) { print_notice(T_sprintf("Notifying <b>%s</b>.", $email)); require_once "lib/MiniTemplator.class.php"; $tpl = new MiniTemplator(); $tpl->readTemplateFromFile("templates/resetpass_template.txt"); $tpl->setVariable('LOGIN', $login); $tpl->setVariable('NEWPASS', $tmp_user_pwd); $tpl->addBlock('message'); $message = ""; $tpl->generateOutputToString($message); $mail = new PHPMailer(); $mail->PluginDir = "lib/phpmailer/"; $mail->SetLanguage("en", "lib/phpmailer/language/"); $mail->CharSet = "UTF-8"; $mail->From = DIGEST_FROM_ADDRESS; $mail->FromName = DIGEST_FROM_NAME; $mail->AddAddress($email, $login); if (DIGEST_SMTP_HOST) { $mail->Host = DIGEST_SMTP_HOST; $mail->Mailer = "smtp"; $mail->SMTPAuth = DIGEST_SMTP_LOGIN != ''; $mail->Username = DIGEST_SMTP_LOGIN; $mail->Password = DIGEST_SMTP_PASSWORD; } $mail->IsHTML(false); $mail->Subject = __("[tt-rss] Password change notification"); $mail->Body = $message; $rc = $mail->Send(); if (!$rc) { print_error($mail->ErrorInfo); } /* mail("$login <$email>", "Password reset notification", "Hi, $login.\n". "\n". "Your password for this TT-RSS installation was reset by". " an administrator.\n". "\n". "Your new password is $tmp_user_pwd, please remember". " it for later reference.\n". "\n". "Sincerely, TT-RSS Mail Daemon.", "From: " . MAIL_FROM); */ } print "</div>"; } } } } } set_pref($link, "_PREFS_ACTIVE_TAB", "userConfig"); $user_search = db_escape_string($_REQUEST["search"]); if (array_key_exists("search", $_REQUEST)) { $_SESSION["prefs_user_search"] = $user_search; } else { $user_search = $_SESSION["prefs_user_search"]; } print "<div style='float : right'>\n\t\t\t<input id=\"user_search\" size=\"20\" type=\"search\"\n\t\t\t\tonfocus=\"javascript:disableHotkeys();\" \n\t\t\t\tonblur=\"javascript:enableHotkeys();\"\n\t\t\t\tonchange=\"javascript:updateUsersList()\" value=\"{$user_search}\">\n\t\t\t<button onclick=\"javascript:updateUsersList()\">" . __('Search') . "</button>\n\t\t\t</div>"; $sort = db_escape_string($_REQUEST["sort"]); if (!$sort || $sort == "undefined") { $sort = "login"; } print "<button onclick=\"javascript:addUser()\">" . __('Create user') . "</button>"; print "\n\t\t\t<button onclick=\"javascript:selectedUserDetails()\">" . __('Details') . "</button>\n\t\t\t<button onclick=\"javascript:editSelectedUser()\">" . __('Edit') . "</button>\n\t\t\t<button onclick=\"javascript:removeSelectedUsers()\">" . __('Remove') . "</button>\n\t\t\t<button onclick=\"javascript:resetSelectedUserPass()\">" . __('Reset password') . "</button>"; print "</div>"; if ($user_search) { $user_search = split(" ", $user_search); $tokens = array(); foreach ($user_search as $token) { $token = trim($token); array_push($tokens, "(UPPER(login) LIKE UPPER('%{$token}%'))"); } $user_search_query = "(" . join($tokens, " AND ") . ") AND "; } else { $user_search_query = ""; } $result = db_query($link, "SELECT \n\t\t\t\tid,login,access_level,email,\n\t\t\t\t" . SUBSTRING_FOR_DATE . "(last_login,1,16) as last_login,\n\t\t\t\t" . SUBSTRING_FOR_DATE . "(created,1,16) as created\n\t\t\tFROM \n\t\t\t\tttrss_users\n\t\t\tWHERE\n\t\t\t\t{$user_search_query}\n\t\t\t\tid > 0\n\t\t\tORDER BY {$sort}"); if (db_num_rows($result) > 0) { // print "<div id=\"infoBoxShadow\"><div id=\"infoBox\">PLACEHOLDER</div></div>"; print "<p><table width=\"100%\" cellspacing=\"0\" \n\t\t\tclass=\"prefUserList\" id=\"prefUserList\">"; print "<tr><td class=\"selectPrompt\" colspan=\"8\">\n\t\t\t\t" . __('Select:') . " \n\t\t\t\t\t<a href=\"javascript:selectPrefRows('user', true)\">" . __('All') . "</a>,\n\t\t\t\t\t<a href=\"javascript:selectPrefRows('user', false)\">" . __('None') . "</a>\n\t\t\t\t</td</tr>"; print "<tr class=\"title\">\n\t\t\t\t\t<td align='center' width=\"5%\"> </td>\n\t\t\t\t\t<td width=''><a href=\"javascript:updateUsersList('login')\">" . __('Login') . "</a></td>\n\t\t\t\t\t<td width='20%'><a href=\"javascript:updateUsersList('access_level')\">" . __('Access Level') . "</a></td>\n\t\t\t\t\t<td width='20%'><a href=\"javascript:updateUsersList('created')\">" . __('Registered') . "</a></td>\n\t\t\t\t\t<td width='20%'><a href=\"javascript:updateUsersList('last_login')\">" . __('Last login') . "</a></td></tr>"; $lnum = 0; while ($line = db_fetch_assoc($result)) { $class = $lnum % 2 ? "even" : "odd"; $uid = $line["id"]; $edit_uid = $_REQUEST["id"]; if ($subop == "edit" && $uid != $edit_uid) { $class .= "Grayed"; $this_row_id = ""; } else { $this_row_id = "id=\"UMRR-{$uid}\""; } print "<tr class=\"{$class}\" {$this_row_id}>"; $line["login"] = htmlspecialchars($line["login"]); # $line["last_login"] = date(get_pref($link, 'SHORT_DATE_FORMAT'), # strtotime($line["last_login"])); if (get_pref($link, 'HEADLINES_SMART_DATE')) { $line["last_login"] = smart_date_time(strtotime($line["last_login"])); $line["created"] = smart_date_time(strtotime($line["created"])); } else { $line["last_login"] = date(get_pref($link, 'SHORT_DATE_FORMAT'), strtotime($line["last_login"])); $line["created"] = date(get_pref($link, 'SHORT_DATE_FORMAT'), strtotime($line["created"])); } print "<td align='center'><input onclick='toggleSelectPrefRow(this, \"user\");' \n\t\t\t\ttype=\"checkbox\" id=\"UMCHK-{$uid}\"></td>"; $onclick = "onclick='editUser({$uid})' title='" . __('Click to edit') . "'"; print "<td {$onclick}>" . $line["login"] . "</td>"; if (!$line["email"]) { $line["email"] = " "; } print "<td {$onclick}>" . $access_level_names[$line["access_level"]] . "</td>"; print "<td {$onclick}>" . $line["created"] . "</td>"; print "<td {$onclick}>" . $line["last_login"] . "</td>"; print "</tr>"; ++$lnum; } print "</table>"; } else { print "<p>"; if (!$user_search) { print_warning(__('No users defined.')); } else { print_warning(__('No matching users found.')); } print "</p>"; } }