SendResponse(false, "The XML format you have sent is invalid. The following field is required: {$tempEach}");
}
}
unset($tempEach);
unset($tempRequired);
// Make sure that the requesttype and requestmethod is alphanumeric
$xml->requesttype = preg_replace('/[^\w]/', '_', $xml->requesttype);
$xml->requestmethod = preg_replace('/[^\w]/', '_', $xml->requestmethod);
define('SENDSTUDIO_XML_REQUESTTYPE', strtolower($xml->requesttype));
define('SENDSTUDIO_XML_REQUESTMETHOD', strtolower($xml->requestmethod));
// -----
// ----- Get and verify user credentials
$tempAuth = new AuthenticationSystem();
$userRecord = $tempAuth->Authenticate((string) $xml->username, null, (string) $xml->usertoken);
unset($tempAuth);
// User not found
if (empty($userRecord) || !isset($userRecord['userid'])) {
SendResponse(false, 'Unable to check user details.');
}
// authentication::xmlapitest receive special treatment
if ($xml->requesttype == 'authentication' && $xml->requestmethod == 'xmlapitest') {
SendResponse(true, array(
'userid' => $userRecord['userid'],
'username' => $userRecord['username']
/**
* Process
* All the action happens here.
* If you are not logged in, it will print the login form.
* Submitting that form will then try to authenticate you.
* If you are successfully authenticated, you get redirected back to the main index page (quickstats etc).
* Otherwise, will show an error message and the login form again.
*
* @see ShowLoginForm
* @uses AuthenticationSystem::Authenticate()
*
* @return Void Doesn't return anything. Checks the action and passes it off to the appropriate area.
*/
function Process()
{
$action = IEM::requestGetGET('Action', '', 'strtolower');
switch ($action) {
case 'forgotpass':
$this->ShowForgotForm();
break;
case 'changepassword':
if (!IEM::sessionGet('ForgotUser')) {
$this->ShowForgotForm('login_error', GetLang('BadLogin_Link'));
break;
}
$userapi = GetUser(-1);
$loaded = $userapi->Load(IEM::sessionGet('ForgotUser'));
if (!$loaded) {
$this->ShowForgotForm('login_error', GetLang('BadLogin_Link'));
break;
}
$password = IEM::requestGetPOST('ss_password', false);
$confirm = IEM::requestGetPOST('ss_password_confirm', false);
if ($password == false || ($password != $confirm)) {
$this->ShowForgotForm_Step2($userapi->Get('username'), 'login_error', GetLang('PasswordsDontMatch'));
break;
}
$userapi->password = $password;
$userapi->Save();
$code = md5(uniqid(rand(), true));
$userapi->ResetForgotCode($code);
$this->ShowLoginForm('login_success', GetLang('PasswordUpdated'));
break;
case 'sendpass':
$user = GetUser(-1);
$username = IEM::requestGetPOST('ss_username', '');
/**
* Fix vulnerabilities with MySQL
* Documented here: http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/
*
* Basically MySQL is truncating values in a column
*/
$username = preg_replace('/\s+/', ' ', $username);
$username = trim($username);
/**
* -----
*/
$founduser = $user->Find($username);
if (!$founduser) {
$this->ShowForgotForm('login_error', GetLang('BadLogin_Forgot'));
break;
}
$user->Load($founduser, false);
$code = md5(uniqid(rand(), true));
$user->ResetForgotCode($code);
$link = SENDSTUDIO_APPLICATION_URL . '/admin/index.php?Page=Login&Action=ConfirmCode&user='******'&code=' . $code;
$message = sprintf(GetLang('ChangePasswordEmail'), $link);
$email_api = $this->GetApi('Email');
$email_api->Set('CharSet', SENDSTUDIO_CHARSET);
$email_api->Set('Multipart', false);
$email_api->AddBody('text', $message);
$email_api->Set('Subject', GetLang('ChangePasswordSubject'));
$email_api->Set('FromAddress', SENDSTUDIO_EMAIL_ADDRESS);
$email_api->Set('ReplyTo', SENDSTUDIO_EMAIL_ADDRESS);
$email_api->Set('BounceAddress', SENDSTUDIO_EMAIL_ADDRESS);
$email_api->SetSmtp(SENDSTUDIO_SMTP_SERVER, SENDSTUDIO_SMTP_USERNAME, @base64_decode(SENDSTUDIO_SMTP_PASSWORD), SENDSTUDIO_SMTP_PORT);
$user_fullname = $user->Get('fullname');
$email_api->AddRecipient($user->emailaddress, $user_fullname, 't');
$email_api->Send();
$this->ShowForgotForm_Step2($username,'login_success', sprintf(GetLang('ChangePassword_Emailed'), $user->emailaddress));
break;
case 'confirmcode':
$user = IEM::requestGetGET('user', false, 'intval');
$code = IEM::requestGetGET('code', false, 'trim');
if (empty($user) || empty($code)) {
$this->ShowForgotForm('login_error', GetLang('BadLogin_Link'));
break;
}
$userapi = GetUser(-1);
$loaded = $userapi->Load($user, false);
if (!$loaded || $userapi->Get('forgotpasscode') != $code) {
$this->ShowForgotForm('login_error', GetLang('BadLogin_Link'));
break;
}
IEM::sessionSet('ForgotUser', $user);
$this->ShowForgotForm_Step2($userapi->Get('username'));
break;
case 'login':
$auth_system = new AuthenticationSystem();
$username = IEM::requestGetPOST('ss_username', '');
$password = IEM::requestGetPOST('ss_password', '');
$result = $auth_system->Authenticate($username, $password);
if ($result === -1) {
$this->ShowLoginForm('login_error', GetLang('PleaseWaitAWhile'));
break;
} elseif ($result === -2) {
$this->ShowLoginForm('login_error', GetLang('FreeTrial_Expiry_Login'));
break;
} elseif (!$result) {
$this->ShowLoginForm('login_error', GetLang('BadLogin'));
break;
} elseif ($result && defined('IEM_SYSTEM_ACTIVE') && !IEM_SYSTEM_ACTIVE) {
$msg = (isset($result['admintype']) && $result['admintype'] == 'a') ? 'ApplicationInactive_Admin' : 'ApplicationInactive_Regular';
$this->ShowLoginForm('login_error', GetLang($msg));
break;
}
$user = false;
$rand_check = false;
IEM::userLogin($result['userid']);
$oneyear = 365 * 24 * 3600; // one year's time.
$redirect = $this->_validateTakeMeToRedirect(IEM::requestGetPOST('ss_takemeto', 'index.php'));
header('Location: ' . SENDSTUDIO_APPLICATION_URL . '/admin/' . $redirect);
exit();
break;
default:
$msg = false; $template = false;
if ($action == 'logout') {
$this->LoadLanguageFile('Logout');
}
$this->ShowLoginForm($template, $msg);
break;
}
}
/**
* Process
* Works out what's going on.
* The API does the loading, saving, updating - this page just displays the right form(s), checks password validation and so on.
* After that, it'll print a success/failure message depending on what happened.
* It also checks to make sure that you're an admin before letting you add or delete.
* It also checks you're not going to delete your own account.
* If you're not an admin user, it won't let you edit anyone elses account and it won't let you delete your own account either.
*
* @see PrintHeader
* @see ParseTemplate
* @see IEM::getDatabase()
* @see GetUser
* @see GetLang
* @see User_API::Set
* @see PrintEditForm
* @see CheckUserSystem
* @see PrintManageUsers
* @see User_API::Find
* @see User_API::Admin
* @see PrintFooter
*
* @return Void Doesn't return anything, passes control over to the relevant function and prints that functions return message.
*/
function Process()
{
$action = (isset($_GET['Action'])) ? strtolower($_GET['Action']) : '';
if (!in_array($action, $this->PopupWindows)) {
$this->PrintHeader();
}
$thisuser = IEM::getCurrentUser();
$checkaction = $action;
if ($action == 'generatetoken') {
$checkaction = 'manage';
}
if (!$thisuser->HasAccess('users', $checkaction)) {
$this->DenyAccess();
}
if ($action == 'processpaging') {
$this->SetPerPage($_GET['PerPageDisplay']);
$action = '';
}
switch ($action) {
case 'generatetoken':
$check_fields = array('username', 'fullname', 'emailaddress');
foreach ($check_fields as $field) {
if (!isset($_POST[$field])) {
exit;
}
$$field = $_POST[$field];
}
$user = GetUser();
echo htmlspecialchars(sha1($username . $fullname . $emailaddress . GetRealIp(true) . time() . microtime()), ENT_QUOTES, SENDSTUDIO_CHARSET);
exit;
break;
case 'save':
$userid = (isset($_GET['UserID']))
? $_GET['UserID']
: 0;
if (empty($_POST)) {
$GLOBALS['Error'] = GetLang('UserNotUpdated');
$GLOBALS['Message'] = $this->ParseTemplate('ErrorMsg', true, false);
$this->PrintEditForm($userid);
break;
}
$user = GetUser($userid);
$username = false;
$error = false;
if (isset($_POST['username'])) {
$username = $_POST['username'];
$current_username = $user->username;
if($username != $current_username && !empty($_POST['ss_p_current'])){
$GLOBALS['Error'] = "Can't change username and update password at the same time.";
$GLOBALS['Message'] = $this->ParseTemplate('ErrorMsg', true, false);
$this->PrintEditForm($userid);
return;
}
}
$userfound = $user->Find($username);
$template = false;
$duplicate_username = false;
if ($userfound && $userfound != $userid) {
$duplicate_username = true;
$error = GetLang('UserAlreadyExists');
}
$warnings = array();
$GLOBALS['Message'] = '';
if (!$duplicate_username) {
$to_check = array();
foreach (array('status' => 'isLastActiveUser', 'admintype' => 'isLastSystemAdmin') as $area => $desc) {
if (!isset($_POST[$area])) {
$to_check[] = $desc;
}
if (isset($_POST[$area]) && $_POST[$area] == '0') {
$to_check[] = $desc;
}
}
if ($user->isAdmin()) {
$to_check[] = 'isLastSystemAdmin';
}
$error = $this->CheckUserSystem($userid, $to_check);
if (!$error) {
$smtptype = (isset($_POST['smtptype']))
? $_POST['smtptype']
: 0;
// Make sure smtptype is eiter 0 or 1
if ($smtptype != 1) {
$smtptype = 0;
}
/**
* This was added, because User's API uses different names than of the HTML form names.
* HTML form names should stay the same to keep it consistant throught the application
*
* This will actually map HTML forms => User's API fields
*/
$areaMapping = array(
'trialuser' => 'trialuser',
'groupid' => 'groupid',
'username' => 'username',
'fullname' => 'fullname',
'emailaddress' => 'emailaddress',
'status' => 'status',
'admintype' => 'admintype',
'listadmintype' => 'listadmintype',
'segmentadmintype' => 'segmentadmintype',
'templateadmintype' => 'templateadmintype',
'editownsettings' => 'editownsettings',
'usertimezone' => 'usertimezone',
'textfooter' => 'textfooter',
'htmlfooter' => 'htmlfooter',
'infotips' => 'infotips',
'smtp_server' => 'smtpserver',
'smtp_u' => 'smtpusername',
'smtp_p' => 'smtppassword',
'smtp_port' => 'smtpport',
'usewysiwyg' => 'usewysiwyg',
'usexhtml' => 'usexhtml',
'enableactivitylog' => 'enableactivitylog',
'xmlapi' => 'xmlapi',
'xmltoken' => 'xmltoken',
'googlecalendarusername' => 'googlecalendarusername',
'googlecalendarpassword' => 'googlecalendarpassword',
'user_language' => 'user_language',
'adminnotify_email' => 'adminnotify_email',
'adminnotify_send_flag' => 'adminnotify_send_flag',
'adminnotify_send_threshold' => 'adminnotify_send_threshold',
'adminnotify_send_emailtext' => 'adminnotify_send_emailtext',
'adminnotify_import_flag' => 'adminnotify_import_flag',
'adminnotify_import_threshold' => 'adminnotify_import_threshold',
'adminnotify_import_emailtext' => 'adminnotify_import_emailtext'
);
$group = API_USERGROUPS::getRecordById($_POST['groupid']);
$totalEmails = (int) $group['limit_totalemailslimit'];
$unlimitedEmails = $totalEmails == 0;
// set fields
foreach ($areaMapping as $p => $area) {
$val = (isset($_POST[$p])) ? $_POST[$p] : '';
if ($area == 'username') {
$match = preg_match("~[^A-z0-9]+~", $val);
if(!empty($match)){
$error = 'The Username field can only contain alphanumeric characters.';
}
}
if ($area == 'fullname') {
$match = preg_match("~[^A-z 0-9]+~", $val);
if(!empty($match)){
$error = 'The Full Name field can only contain alphanumeric characters and spaces.';
}
}
if (in_array($area, array('status', 'editownsettings'))) {
if ($userid == $thisuser->userid) {
$val = $thisuser->$area;
}
}
$user->Set($area, $val);
}
// activity type
$activity = IEM::requestGetPOST('eventactivitytype', '', 'trim');
if (!empty($activity)) {
$activity_array = explode("\n", $activity);
for ($i = 0, $j = count($activity_array); $i < $j; ++$i) {
$activity_array[$i] = trim($activity_array[$i]);
}
} else {
$activity_array = array();
}
$user->Set('eventactivitytype', $activity_array);
// the 'limit' things being on actually means unlimited. so check if the value is NOT set.
foreach (array('permonth', 'perhour', 'maxlists') as $p => $area) {
$limit_check = 'limit' . $area;
$val = 0;
if (!isset($_POST[$limit_check])) {
$val = (isset($_POST[$area]))
? $_POST[$area]
: 0;
}
$user->Set($area, $val);
}
if (SENDSTUDIO_MAXHOURLYRATE > 0) {
if ($user->Get('perhour') == 0 || ($user->Get('perhour') > SENDSTUDIO_MAXHOURLYRATE)) {
$user_hourly = $this->FormatNumber($user->Get('perhour'));
if ($user->Get('perhour') == 0) {
$user_hourly = GetLang('UserPerHour_Unlimited');
}
$warnings[] = sprintf(GetLang('UserPerHourOverMaxHourlyRate'), $this->FormatNumber(SENDSTUDIO_MAXHOURLYRATE), $user_hourly);
}
}
if ($smtptype == 0) {
$user->Set('smtpserver', '');
$user->Set('smtpusername', '');
$user->Set('smtppassword', '');
$user->Set('smtpport', 25);
}
if ($_POST['ss_p'] != '') {
if ($_POST['ss_p_current'] == ''){
$error = GetLang('CurrentPasswordMissing');
} else {
$auth_system = new AuthenticationSystem();
$username = IEM::requestGetPOST('username', '');
$password = IEM::requestGetPOST('ss_p_current', '');
$result = $auth_system->Authenticate($username, $password);
if ($result === -1) {
$error = GetLang('CurrentPasswordError');
} elseif ($result === -2) {
$error = GetLang('CurrentPasswordError');
} elseif (!$result) {
$error = GetLang('CurrentPasswordError');
} elseif ($result && defined('IEM_SYSTEM_ACTIVE') && !IEM_SYSTEM_ACTIVE) {
$error = GetLang('CurrentPasswordError');
}
}
if(!empty($result) && $result > 0){
if ($_POST['ss_p_confirm'] != '' && $_POST['ss_p_confirm'] == $_POST['ss_p']) {
$user->Set('password', $_POST['ss_p']);
} else {
$error = GetLang('PasswordsDontMatch');
}
}
}
}
if (!$error) {
$user->RevokeAccess();
$temp = array();
if (!empty($_POST['permissions'])) {
foreach ($_POST['permissions'] as $area => $p) {
foreach ($p as $subarea => $k) {
$temp[$subarea] = $user->GrantAccess($area, $subarea);
}
}
}
}
}
if (!$error) {
$result = $user->Save();
if ($result) {
FlashMessage(GetLang('UserUpdated'), SS_FLASH_MSG_SUCCESS, IEM::urlFor('Users'));
} else {
$GLOBALS['Message'] = GetFlashMessages();
$GLOBALS['Error'] = GetLang('UserNotUpdated');
$GLOBALS['Message'] .= $this->ParseTemplate('ErrorMsg', true, false);
}
} else {
$GLOBALS['Error'] = $error;
$GLOBALS['Message'] = $this->ParseTemplate('ErrorMsg', true, false);
}
if (!empty($warnings)) {
$GLOBALS['Warning'] = implode('<br/>', $warnings);
$GLOBALS['Message'] .= $this->ParseTemplate('WarningMsg', true, false);
}
$this->PrintEditForm($userid);
break;
case 'add':
$temp = get_available_user_count();
if ($temp['normal'] == 0 && $temp['trial'] == 0) {
$this->PrintManageUsers();
break;
}
$this->PrintEditForm(0);
break;
case 'delete':
$users = IEM::requestGetPOST('users', array(), 'intval');
$deleteData = (IEM::requestGetPOST('deleteData', 0, 'intval') == 1);
$this->DeleteUsers($users, $deleteData);
break;
case 'create':
$user = New User_API();
$warnings = array();
$fields = array(
'trialuser', 'username', 'fullname', 'emailaddress',
'status', 'admintype', 'editownsettings',
'listadmintype', 'segmentadmintype', 'usertimezone',
'textfooter', 'htmlfooter', 'templateadmintype',
'infotips', 'smtpserver',
'smtpusername', 'smtpport', 'usewysiwyg',
'enableactivitylog', 'xmlapi', 'xmltoken',
'googlecalendarusername','googlecalendarpassword',
'adminnotify_email','adminnotify_send_flag','adminnotify_send_threshold',
'adminnotify_send_emailtext','adminnotify_import_flag','adminnotify_import_threshold',
'adminnotify_import_emailtext'
);
$error = false;
if (!$user->Find($_POST['username'])) {
foreach ($fields as $area) {
$val = (isset($_POST[$area])) ? $_POST[$area] : '';
if ($area == 'username') {
$match = preg_match("~[^A-z0-9]+~", $val);
if(!empty($match)){
$error = 'The Username field can only contain alphanumeric characters.';
}
}
if ($area == 'fullname') {
$match = preg_match("~[^A-z 0-9]+~", $val);
if(!empty($match)){
$error = 'The Full Name field can only contain alphanumeric characters and spaces.';
}
}
$user->Set($area, $val);
}
// activity type
$activity = IEM::requestGetPOST('eventactivitytype', '', 'trim');
if (!empty($activity)) {
$activity_array = explode("\n", $activity);
for ($i = 0, $j = count($activity_array); $i < $j; ++$i) {
$activity_array[$i] = trim($activity_array[$i]);
}
} else {
$activity_array = array();
}
$user->Set('eventactivitytype', $activity_array);
// the 'limit' things being on actually means unlimited. so check if the value is NOT set.
foreach (array('permonth', 'perhour', 'maxlists') as $p => $area) {
$limit_check = 'limit' . $area;
$val = 0;
if (!isset($_POST[$limit_check])) {
$val = (isset($_POST[$area]))
? $_POST[$area]
: 0;
}
$user->Set($area, $val);
}
if (SENDSTUDIO_MAXHOURLYRATE > 0) {
if ($user->Get('perhour') == 0 || ($user->Get('perhour') > SENDSTUDIO_MAXHOURLYRATE)) {
$user_hourly = $this->FormatNumber($user->Get('perhour'));
if ($user->Get('perhour') == 0) {
$user_hourly = GetLang('UserPerHour_Unlimited');
}
$warnings[] = sprintf(GetLang('UserPerHourOverMaxHourlyRate'), $this->FormatNumber(SENDSTUDIO_MAXHOURLYRATE), $user_hourly);
}
}
// this has a different post value otherwise firefox tries to pre-fill it.
$smtp_password = '';
if (isset($_POST['smtp_p'])) {
$smtp_password = $_POST['smtp_p'];
}
$user->Set('smtppassword', $smtp_password);
if ($_POST['ss_p'] != '') {
if ($_POST['ss_p_confirm'] != '' && $_POST['ss_p_confirm'] == $_POST['ss_p']) {
$user->Set('password', $_POST['ss_p']);
} else {
$error = GetLang('PasswordsDontMatch');
}
}
if (!$error) {
if (!empty($_POST['permissions'])) {
foreach ($_POST['permissions'] as $area => $p) {
foreach ($p as $subarea => $k) {
$user->GrantAccess($area, $subarea);
}
}
}
if (!empty($_POST['lists'])) {
$user->GrantListAccess($_POST['lists']);
}
if (!empty($_POST['templates'])) {
$user->GrantTemplateAccess($_POST['templates']);
}
if (!empty($_POST['segments'])) {
$user->GrantSegmentAccess($_POST['segments']);
}
$GLOBALS['Message'] = '';
if (!empty($warnings)) {
$GLOBALS['Warning'] = implode('<br/>', $warnings);
$GLOBALS['Message'] .= $this->ParseTemplate('WarningMsg', true, false);
}
$user->Set('gettingstarted', 0);
$user->Set('groupid', (int) IEM_Request::getParam('groupid'));
$result = $user->Create();
if ($result == '-1') {
FlashMessage(GetLang('UserNotCreated_License'), SS_FLASH_MSG_ERROR, IEM::urlFor('Users'));
break;
} else {
if ($result) {
FlashMessage(GetLang('UserCreated'), SS_FLASH_MSG_SUCCESS, IEM::urlFor('Users'));
break;
} else {
FlashMessage(GetLang('UserNotCreated'), SS_FLASH_MSG_ERROR, IEM::urlFor('Users'));
}
}
} else {
$GLOBALS['Error'] = $error;
}
} else {
$GLOBALS['Error'] = GetLang('UserAlreadyExists');
}
$GLOBALS['Message'] = $this->ParseTemplate('ErrorMsg', true, false);
$details = array();
foreach (array('FullName', 'EmailAddress', 'Status', 'AdminType', 'ListAdminType', 'SegmentAdminType', 'TemplateAdminType', 'InfoTips', 'forcedoubleoptin', 'forcespamcheck', 'smtpserver', 'smtpusername', 'smtpport') as $area) {
$lower = strtolower($area);
$val = (isset($_POST[$lower])) ? $_POST[$lower] : '';
$details[$area] = $val;
}
$this->PrintEditForm(0, $details);
break;
case 'edit':
$userid = IEM::requestGetGET('UserID', 0, 'intval');
if ($userid == 0) {
$this->DenyAccess();
}
$this->PrintEditForm($userid);
break;
case 'sendpreviewdisplay':
$this->PrintHeader(true);
$this->SendTestPreviewDisplay('index.php?Page=Users&Action=SendPreview', 'self.parent.getSMTPPreviewParameters()');
$this->PrintFooter(true);
break;
case 'testgooglecalendar':
$status = array(
'status' => false,
'message' => ''
);
try {
$details = array(
'username' => $_REQUEST['gcusername'],
'password' => $_REQUEST['gcpassword']
);
$this->GoogleCalendarAdd($details, true);
$status['status'] = true;
$status['message'] = GetLang('GooglecalendarTestSuccess');
} catch (Exception $e) {
$status['message'] = GetLang('GooglecalendarTestFailure');
}
print GetJSON($status);
break;
case 'sendpreview':
$this->SendTestPreview();
break;
default:
$this->PrintManageUsers();
break;
}
if (!in_array($action, $this->PopupWindows)) {
$this->PrintFooter();
}
}
