Esempio n. 1
0
function handleUserMgmt()
{
    global $urlRequestRoot, $cmsFolder, $moduleFolder, $templateFolder, $sourceFolder;
    require_once "{$sourceFolder}/{$moduleFolder}/form/viewregistrants.php";
    if (isset($_GET['userid'])) {
        $_GET['userid'] = escape($_GET['userid']);
    }
    if (isset($_POST['editusertype'])) {
        $_POST['editusertype'] = escape($_POST['editusertype']);
    }
    if (isset($_POST['user_selected_activate'])) {
        foreach ($_POST as $key => $var) {
            if (substr($key, 0, 9) == "selected_") {
                if (!mysql_query("UPDATE " . MYSQL_DATABASE_PREFIX . "users SET user_activated=1 WHERE user_id='" . substr($key, 9) . "'")) {
                    $result = mysql_query("SELECT `user_fullname` FROM `" . MYSQL_DATABASE_PREFIX . "users` WHERE `user_id`='" . substr($key, 9) . "'");
                    if ($result) {
                        $row = mysql_fetch_assoc($result);
                        displayerror("Couldn't activate user, {$row['user_fullname']}");
                    }
                }
            }
        }
        return registeredUsersList($_POST['editusertype'], "edit", false);
    }
    if (isset($_POST['user_selected_deactivate'])) {
        foreach ($_POST as $key => $var) {
            if (substr($key, 0, 9) == "selected_") {
                if ((int) substr($key, 9) == ADMIN_USERID) {
                    displayerror("You cannot deactivate administrator!");
                    continue;
                }
                if (!mysql_query("UPDATE " . MYSQL_DATABASE_PREFIX . "users SET user_activated=0 WHERE user_id='" . substr($key, 9) . "'")) {
                    $result = mysql_query("SELECT `user_fullname` FROM `" . MYSQL_DATABASE_PREFIX . "users` WHERE `user_id`='" . substr($key, 9) . "'");
                    if ($result) {
                        $row = mysql_fetch_assoc($result);
                        displayerror("Couldn't deactivate user, {$row['user_fullname']}");
                    }
                }
            }
        }
        return registeredUsersList($_POST['editusertype'], "edit", false);
    }
    if (isset($_POST['user_selected_delete'])) {
        $done = true;
        foreach ($_POST as $key => $var) {
            if (substr($key, 0, 9) == "selected_") {
                if ((int) substr($key, 9) == ADMIN_USERID) {
                    displayerror("You cannot delete administrator!");
                    continue;
                }
                $query = "DELETE FROM `" . MYSQL_DATABASE_PREFIX . "users` WHERE `user_id` = '" . substr($key, 9) . "'";
                if (mysql_query($query)) {
                    $query = "DELETE FROM `" . MYSQL_DATABASE_PREFIX . "openid_users` WHERE `user_id` = '" . substr($key, 9) . "'";
                    if (!mysql_query($query)) {
                        $done = false;
                    }
                } else {
                    $done = false;
                }
            }
        }
        if (!$done) {
            displayerror("Some problem in deleting selected users");
        }
        return registeredUsersList($_POST['editusertype'], "edit", false);
    }
    if (isset($_POST['user_activate'])) {
        $query = "UPDATE " . MYSQL_DATABASE_PREFIX . "users SET user_activated=1 WHERE user_id='{$_GET['userid']}'";
        if (mysql_query($query)) {
            displayInfo("User Successfully Activated!");
        } else {
            displayerror("User Not Activated!");
        }
        return registeredUsersList($_POST['editusertype'], "edit", false);
    } else {
        if (isset($_POST['activate_all_users'])) {
            $query = "UPDATE " . MYSQL_DATABASE_PREFIX . "users SET user_activated=1";
            if (mysql_query($query)) {
                displayInfo("All users activated successfully!");
            } else {
                displayerror("Users Not Deactivated!");
            }
            return;
        } else {
            if (isset($_POST['user_deactivate'])) {
                if ($_GET['userid'] == ADMIN_USERID) {
                    displayError("You cannot deactivate administrator!");
                    return registeredUsersList($_POST['editusertype'], "edit", false);
                }
                $query = "UPDATE " . MYSQL_DATABASE_PREFIX . "users SET user_activated=0 WHERE user_id='{$_GET['userid']}'";
                if (mysql_query($query)) {
                    displayInfo("User Successfully Deactivated!");
                } else {
                    displayerror("User Not Deactivated!");
                }
                return registeredUsersList($_POST['editusertype'], "edit", false);
            } else {
                if (isset($_POST['deactivate_all_users'])) {
                    $query = "UPDATE " . MYSQL_DATABASE_PREFIX . "users SET user_activated=0 WHERE user_id != " . ADMIN_USERID;
                    if (mysql_query($query)) {
                        displayInfo("All users deactivated successfully except Administrator!");
                    } else {
                        displayerror("Users Not Deactivated!");
                    }
                    return;
                } else {
                    if (isset($_POST['user_delete'])) {
                        $userId = $_GET['userid'];
                        if ($userId == ADMIN_USERID) {
                            displayError("You cannot delete administrator!");
                            return registeredUsersList($_POST['editusertype'], "edit", false);
                        }
                        $query = "DELETE FROM `" . MYSQL_DATABASE_PREFIX . "users` WHERE `user_id` = '{$userId}'";
                        if (mysql_query($query)) {
                            $query = "DELETE FROM `" . MYSQL_DATABASE_PREFIX . "openid_users` WHERE `user_id` = '{$userId}'";
                            if (mysql_query($query)) {
                                displayinfo("User Successfully Deleted!");
                            } else {
                                displayerror("User not deleted from OpenID database!");
                            }
                        } else {
                            displayerror("User Not Deleted!");
                        }
                        return registeredUsersList($_POST['editusertype'], "edit", false);
                    } else {
                        if (isset($_POST['user_info']) || isset($_POST['user_info_update'])) {
                            if (isset($_POST['user_info_update'])) {
                                $updates = array();
                                $userId = $_GET['userid'];
                                $query = "SELECT * FROM `" . MYSQL_DATABASE_PREFIX . "users` WHERE `user_id`='{$userId}'";
                                $row = mysql_fetch_assoc(mysql_query($query));
                                $errors = false;
                                if (isset($_POST['user_name']) && $row['user_name'] != $_POST['user_name']) {
                                    $chkquery = "SELECT * FROM `" . MYSQL_DATABASE_PREFIX . "users` WHERE `user_name`='" . escape($_POST['user_name']) . "'";
                                    $result = mysql_query($chkquery) or die("failed  : {$chkquery}");
                                    if (mysql_num_rows($result) > 0) {
                                        displayerror("User Name already exists in database!");
                                        $errors = true;
                                    }
                                }
                                if (isset($_POST['user_name']) && $_POST['user_name'] != '' && $_POST['user_name'] != $row['user_name']) {
                                    $updates[] = "`user_name` = '" . escape($_POST['user_name']) . "'";
                                }
                                if (isset($_POST['user_email']) && $_POST['user_email'] != '' && $_POST['user_email'] != $row['user_email']) {
                                    $updates[] = "`user_email` = '" . escape($_POST['user_email']) . "'";
                                }
                                if (isset($_POST['user_fullname']) && $_POST['user_fullname'] != '' && $_POST['user_fullname'] != $row['user_fullname']) {
                                    $updates[] = "`user_fullname` = '" . escape($_POST['user_fullname']) . "'";
                                }
                                if ($_POST['user_password'] != '') {
                                    if ($_POST['user_password'] != $_POST['user_password2']) {
                                        displayerror('Error! The New Password you entered does not match the password you typed in the Confirmation Box.');
                                        $errors = true;
                                    } else {
                                        if (md5($_POST['user_password']) != $row['user_password']) {
                                            $updates[] = "`user_password` = MD5('{$_POST['user_password']}')";
                                        }
                                    }
                                }
                                if (isset($_POST['user_regdate']) && $_POST['user_regdate'] != '' && $_POST['user_regdate'] != $row['user_regdate']) {
                                    $updates[] = "`user_regdate` = '" . escape($_POST['user_regdate']) . "'";
                                }
                                if (isset($_POST['user_lastlogin']) && $_POST['user_lastlogin'] != '' && $_POST['user_lastlogin'] != $row['user_lastlogin']) {
                                    $updates[] = "`user_lastlogin` = '" . escape($_POST['user_lastlogin']) . "'";
                                }
                                if ($_GET['userid'] != ADMIN_USERID && (isset($_POST['user_activated']) ? 1 : 0) != $row['user_activated']) {
                                    $checked = isset($_POST['user_activated']) ? 1 : 0;
                                    $updates[] = "`user_activated` = {$checked}";
                                }
                                if (isset($_POST['user_loginmethod']) && $_POST['user_loginmethod'] != '' && $_POST['user_loginmethod'] != $row['user_loginmethod']) {
                                    $updates[] = "`user_loginmethod` = '" . escape($_POST['user_loginmethod']) . "'";
                                    if ($_POST['user_loginmethod'] != 'db') {
                                        displaywarning("Please make sure " . strtoupper(escape($_POST['user_loginmethod'])) . " is configured properly, otherwise the user will not be able to login to the website.");
                                    }
                                }
                                if (!$errors) {
                                    if (count($updates) > 0) {
                                        $profileQuery = 'UPDATE `' . MYSQL_DATABASE_PREFIX . 'users` SET ' . join($updates, ', ') . " WHERE `user_id` = " . escape($_GET['userid']) . "'";
                                        $profileResult = mysql_query($profileQuery);
                                        if (!$profileResult) {
                                            displayerror('An error was encountered while attempting to process your request.' . $profileQuery);
                                            $errors = true;
                                        }
                                    }
                                    global $sourceFolder, $moduleFolder;
                                    require_once "{$sourceFolder}/{$moduleFolder}/form/registrationformsubmit.php";
                                    require_once "{$sourceFolder}/{$moduleFolder}/form/registrationformgenerate.php";
                                    if (!$errors && !submitRegistrationForm(0, $userId, true, true)) {
                                        displayerror('An error was encountered while attempting to process your request.' . $profileQuery);
                                        $errors = true;
                                    } else {
                                        displayinfo('All fields updated successfully!');
                                    }
                                }
                            }
                            $userid = $_GET['userid'];
                            $query = "SELECT * FROM `" . MYSQL_DATABASE_PREFIX . "users` WHERE `user_id`={$userid}";
                            $columnList = getColumnList(0, false, false, false, false, false);
                            $xcolumnIds = array_keys($columnList);
                            $xcolumnNames = array_values($columnList);
                            $row = mysql_fetch_assoc(mysql_query($query));
                            $userfieldprettynames = array("User ID", "Username", "Email", "Full Name", "Password", "Registration", "Last Login", "Activated", "Login Method");
                            $userinfo = "<fieldset><legend>Edit User Information</legend><form name='user_info_edit' action='./+admin&subaction=useradmin&userid={$userid}' method='post'>";
                            $usertablefields = array_merge(getTableFieldsName('users'), $xcolumnNames);
                            for ($i = 0; $i < count($usertablefields); $i++) {
                                if (isset($_POST[$usertablefields[$i] . '_sel'])) {
                                    $userinfo .= "<input type='hidden' name='{$usertablefields[$i]}_sel' value='checked'/>";
                                }
                            }
                            $userinfo .= "<input type='hidden' name='not_first_time' />";
                            $userinfo .= userProfileForm($userfieldprettynames, $row, false, true);
                            $userinfo .= "<input type='submit' value='Update' name='user_info_update' />\n\t\t<input type='reset' value='Reset' /></form></fieldset>";
                            return $userinfo;
                        } else {
                            if (isset($_POST['view_reg_users']) || isset($_POST['save_reg_users_excel'])) {
                                return registeredUsersList("all", "view", false);
                            } else {
                                if (isset($_POST['edit_reg_users'])) {
                                    return registeredUsersList("all", "edit", false);
                                } else {
                                    if (isset($_POST['view_activated_users']) || isset($_POST['save_activated_users_excel'])) {
                                        return registeredUsersList("activated", "view", false);
                                    } else {
                                        if (isset($_POST['edit_activated_users'])) {
                                            return registeredUsersList("activated", "edit", false);
                                        } else {
                                            if (isset($_POST['view_nonactivated_users']) || isset($_POST['save_nonactivated_users_excel'])) {
                                                return registeredUsersList("nonactivated", "view", false);
                                            } else {
                                                if (isset($_POST['edit_nonactivated_users'])) {
                                                    return registeredUsersList("nonactivated", "edit", false);
                                                } else {
                                                    if (isset($_GET['subsubaction']) && $_GET['subsubaction'] == 'search') {
                                                        $results = "";
                                                        $userfieldprettynames = array("User ID", "Username", "Email", "Full Name", "Password", "Registration", "Last Login", "Activated", "Login Method");
                                                        $usertablefields = getTableFieldsName('users');
                                                        $first = true;
                                                        $qstring = "";
                                                        foreach ($usertablefields as $field) {
                                                            if (isset($_POST[$field]) && $_POST[$field] != '') {
                                                                if ($first == false) {
                                                                    $qstring .= $_POST['user_search_op'] == 'and' ? " AND " : " OR ";
                                                                }
                                                                $val = escape($_POST[$field]);
                                                                if ($field == 'user_activated') {
                                                                    ${$field . '_lastval'} = $val = isset($_POST[$field]) ? 1 : 0;
                                                                } else {
                                                                    ${$field . '_lastval'} = $val;
                                                                }
                                                                $qstring .= "`{$field}` LIKE CONVERT( _utf8 '%{$val}%'USING latin1 ) ";
                                                                $first = false;
                                                            }
                                                        }
                                                        if ($qstring != "") {
                                                            $query = "SELECT * FROM `" . MYSQL_DATABASE_PREFIX . "users` WHERE {$qstring} ";
                                                            $resultSearch = mysql_query($query);
                                                            if (mysql_num_rows($resultSearch) > 0) {
                                                                $num = mysql_num_rows($resultSearch);
                                                                $userInfo = array();
                                                                while ($row = mysql_fetch_assoc($resultSearch)) {
                                                                    $userInfo['user_id'][] = $row['user_id'];
                                                                    $userInfo['user_name'][] = $row['user_name'];
                                                                    $userInfo['user_email'][] = $row['user_email'];
                                                                    $userInfo['user_fullname'][] = $row['user_fullname'];
                                                                    $userInfo['user_password'][] = $row['user_password'];
                                                                    $userInfo['user_lastlogin'][] = $row['user_lastlogin'];
                                                                    $userInfo['user_regdate'][] = $row['user_regdate'];
                                                                    $userInfo['user_activated'][] = $row['user_activated'];
                                                                    $userInfo['user_loginmethod'][] = $row['user_loginmethod'];
                                                                }
                                                                $results = registeredUsersList("all", "edit", false, $userInfo);
                                                            } else {
                                                                displayerror("No users matched your query!");
                                                            }
                                                        }
                                                        $searchForm = "<form name='user_search_form' action='./+admin&subaction=useradmin&subsubaction=search' method='POST'><h3>Search User</h3>";
                                                        $xcolumnNames = array_keys(getColumnList(0, false, false, false, false, false));
                                                        $usertablefields2 = array_merge($usertablefields, $xcolumnNames);
                                                        for ($i = 0; $i < count($usertablefields2); $i++) {
                                                            if (isset($_POST[$usertablefields2[$i] . '_sel'])) {
                                                                $searchForm .= "<input type='hidden' name='{$usertablefields2[$i]}_sel' value='checked'/>";
                                                            }
                                                        }
                                                        $searchForm .= "<input type='hidden' name='not_first_time' />";
                                                        $infoarray = array();
                                                        foreach ($usertablefields as $field) {
                                                            if (isset(${$field . '_lastval'})) {
                                                                $infoarray[$field] = ${$field . '_lastval'};
                                                            } else {
                                                                $infoarray[$field] = "";
                                                            }
                                                        }
                                                        $searchForm .= userProfileForm($userfieldprettynames, $infoarray, true, false);
                                                        $searchForm .= "Operation : <input type='radio' name='user_search_op' value='and'  />AND  <input type='radio' name='user_search_op' value='or' checked='true' />OR<br/><br/><input type='submit' onclick name='user_search_submit' value='Search' /><input type='reset' value='Clear' /></form>";
                                                        return $results . $searchForm;
                                                    } else {
                                                        if (isset($_GET['subsubaction']) && $_GET['subsubaction'] == 'create') {
                                                            $userfieldprettynamesarray = array("User ID", "Username", "Email", "Full Name", "Password", "Registration", "Last Login", "Activated", "Login Method");
                                                            $usertablefields = getTableFieldsName('users');
                                                            if (isset($_POST['create_user_submit'])) {
                                                                $incomplete = false;
                                                                foreach ($usertablefields as $field) {
                                                                    if ($field != 'user_regdate' && $field != 'user_lastlogin' && $field != 'user_activated' && (isset($_POST[$field]) && $_POST[$field] == "")) {
                                                                        displayerror("New user could not be created. Some fields are missing!{$field}");
                                                                        $incomplete = true;
                                                                        break;
                                                                    }
                                                                    ${$field} = escape($_POST[$field]);
                                                                }
                                                                if (!$incomplete) {
                                                                    $user_id = $_GET['userid'];
                                                                    $chkquery = "SELECT COUNT(user_id) FROM `" . MYSQL_DATABASE_PREFIX . "users` WHERE `user_id`='{$user_id}' OR `user_name`='{$user_name}' OR `user_email`='{$user_email}'";
                                                                    $result = mysql_query($chkquery);
                                                                    $row = mysql_fetch_row($result);
                                                                    if ($row[0] > 0) {
                                                                        displayerror("Another user with the same name or email already exists!");
                                                                    } else {
                                                                        if ($user_password != $_POST['user_password2']) {
                                                                            displayerror("Passwords mismatch!");
                                                                        } else {
                                                                            if (isset($_POST['user_activated'])) {
                                                                                $user_activated = 1;
                                                                            }
                                                                            $query = "INSERT INTO `" . MYSQL_DATABASE_PREFIX . "users` (`user_id` ,`user_name` ,`user_email` ,`user_fullname` ,`user_password` ,`user_regdate` ,`user_lastlogin` ,`user_activated`,`user_loginmethod`)VALUES ('{$user_id}' ,'{$user_name}' ,'{$user_email}' ,'{$user_fullname}' , MD5('{$user_password}') ,CURRENT_TIMESTAMP , '', '{$user_activated}','{$user_loginmethod}')";
                                                                            $result = mysql_query($query) or die(mysql_error());
                                                                            global $sourceFolder, $moduleFolder;
                                                                            require_once "{$sourceFolder}/{$moduleFolder}/form/registrationformsubmit.php";
                                                                            require_once "{$sourceFolder}/{$moduleFolder}/form/registrationformgenerate.php";
                                                                            if (mysql_affected_rows() && submitRegistrationForm(0, $user_id, true, true)) {
                                                                                displayinfo("User {$user_fullname} Successfully Created!");
                                                                            } else {
                                                                                displayerror("Failed to create user");
                                                                            }
                                                                        }
                                                                    }
                                                                }
                                                            }
                                                            $nextUserId = getNextUserId();
                                                            $userForm = "<form name='user_create_form' action='./+admin&subaction=useradmin&subsubaction=create&userid={$nextUserId}' method='POST'><h3>Create New User</h3>";
                                                            $xcolumnNames = array_values(getColumnList(0, false, false, false, false, false));
                                                            $usertablefields2 = array_merge($usertablefields, $xcolumnNames);
                                                            $calpath = "{$urlRequestRoot}/{$cmsFolder}/{$moduleFolder}";
                                                            $userForm .= '<link rel="stylesheet" type="text/css" media="all" href="' . $calpath . '/form/calendar/calendar.css" title="Aqua" />' . '<script type="text/javascript" src="' . $calpath . '/form/calendar/calendar.js"></script>';
                                                            for ($i = 0; $i < count($usertablefields2); $i++) {
                                                                if (isset($_POST[$usertablefields2[$i] . '_sel'])) {
                                                                    $userForm .= "<input type='hidden' name='{$usertablefields2[$i]}_sel' value='checked'/>";
                                                                }
                                                            }
                                                            $userForm .= "<input type='hidden' name='not_first_time' />";
                                                            $infoarray = array();
                                                            foreach ($usertablefields as $field) {
                                                                $infoarray[$field] = "";
                                                            }
                                                            $infoarray['user_id'] = $nextUserId;
                                                            $userForm .= userProfileForm($userfieldprettynamesarray, $infoarray, false, true);
                                                            $userForm .= "<input type='submit' onclick name='create_user_submit' value='Create' /><input type='reset' value='Clear' /></form>";
                                                            return $userForm;
                                                        }
                                                    }
                                                }
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
switch ($GLOBALS["action"]) {
    case "register":
        $template->setPage("Title", "User Registeration");
        $template->setPage("Content", userProfileForm());
        break;
    case "editregister":
        $template->setPage("Title", "User Edit-Registeration");
        $template->setPage("Content", userProfileForm());
        break;
    case "adduser":
        $template->setPage("Title", "Add-AdminUser::Registeration");
        $template->setPage("Content", userProfileForm(true));
        break;
    case "edituser":
        $template->setPage("Title", "Edit-AdminUser::Registeration");
        $template->setPage("Content", userProfileForm(true));
        break;
    case "viewusers":
        $template->setPage("Title", "Preview::AdminUsers ");
        //$content ="<p>Some information on user profile viewer (Table list of Admin.)</p>";//
        $template->setPage("Content", usersDetailTable());
        break;
    case "profile":
        $template->setPage("Title", "Preview::Profile");
        //$content ="<p>Some information on user profile viewer (Table list of Admin.)</p>";
        $template->setPage("Content", $content);
        break;
    case "delete":
        echo delUser();
        header("Location: index.php");
        break;