/** * Validates permissions and parameters. */ public function validateDelete() { // read and validate user objects parent::validateDelete(); $userIDs = array(); foreach ($this->objects as $user) { // you cannot delete yourself if ($user->userID == WCF::getUser()->userID) { continue; } $userIDs[] = $user->userID; } // list might be empty because only our own user id was given if (empty($userIDs)) { throw new ValidateActionException("Invalid object id"); } // validate groups $conditions = new PreparedStatementConditionBuilder(); $conditions->add("userID IN (?)", array($userIDs)); $sql = "SELECT\tDISTINCT groupID\n\t\t\tFROM\twcf" . WCF_N . "_user_to_group\n\t\t\t" . $conditions; $statement = WCF::getDB()->prepareStatement($sql); $statement->execute($conditions->getParameters()); $groupIDs = array(); while ($row = $statement->fetchArray()) { $groupIDs[] = $row['groupID']; } if (!UserGroup::isAccessibleGroup($groupIDs)) { throw new ValidateActionException('Insufficient permissions'); } }
/** * @see wcf\page\IPage::readParameters() */ public function readParameters() { if (isset($_REQUEST['id'])) $this->userID = intval($_REQUEST['id']); $user = new User($this->userID); if (!$user->userID) { throw new IllegalLinkException(); } $this->user = new UserEditor($user); if (!UserGroup::isAccessibleGroup($this->user->getGroupIDs())) { throw new PermissionDeniedException(); } parent::readParameters(); }
/** * @see \wcf\system\search\acp\IACPSearchResultProvider::search() */ public function search($query) { if (!WCF::getSession()->getPermission('admin.user.canEditUser')) { return array(); } $results = array(); $sql = "SELECT\t*\n\t\t\tFROM\twcf" . WCF_N . "_user\n\t\t\tWHERE\tusername LIKE ?"; $statement = WCF::getDB()->prepareStatement($sql); $statement->execute(array($query . '%')); while ($user = $statement->fetchObject('wcf\\data\\user\\User')) { if (UserGroup::isAccessibleGroup($user->getGroupIDs())) { $results[] = new ACPSearchResult($user->username, LinkHandler::getInstance()->getLink('UserEdit', array('object' => $user))); } } return $results; }
/** * @see wcf\page\IPage::readParameters() */ public function readParameters() { parent::readParameters(); if (isset($_REQUEST['id'])) { $this->userID = intval($_REQUEST['id']); } $user = new User($this->userID); if (!$user->userID) { throw new IllegalLinkException(); } $this->user = new UserEditor($user); if (!UserGroup::isAccessibleGroup($this->user->getGroupIDs())) { throw new PermissionDeniedException(); } $this->optionHandler->setUser($this->user->getDecoratedObject()); $this->optionHandler->showEmptyOptions(); }
/** * @see \wcf\page\IPage::assignVariables() */ public function assignVariables() { parent::assignVariables(); WCF::getTPL()->assign(array('editOnInit' => $this->editOnInit, 'overviewObjectType' => $this->objectType, 'profileContent' => $this->profileContent, 'userID' => $this->userID, 'user' => $this->user, 'followers' => $this->followerList->getObjects(), 'followerCount' => $this->followerList->countObjects(), 'following' => $this->followingList->getObjects(), 'followingCount' => $this->followingList->countObjects(), 'visitors' => $this->visitorList !== null ? $this->visitorList->getObjects() : array(), 'visitorCount' => $this->visitorList !== null ? $this->visitorList->countObjects() : 0, 'allowSpidersToIndexThisPage' => true, 'isAccessible' => UserGroup::isAccessibleGroup($this->user->getGroupIDs()))); }
/** * @todo add documentation */ protected function fetchUsers($loopFunction = null) { // select users $sql = "SELECT user.* FROM wcf".WCF_N."_user user LEFT JOIN wcf".WCF_N."_user_option_value option_value ON (option_value.userID = user.userID) ".$this->conditions; $statement = WCF::getDB()->prepareStatement($sql); $statement->execute(array($this->conditions->getParameters())); $users = array(); while ($row = $statement->fetchArray()) { $users[$row['userID']] = $row; } // select group ids $conditions = new PreparedStatementConditionBuilder(); $conditions->add("userID = ?", array(array_keys($users))); $sql = "SELECT userID, groupID FROM wcf".WCF_N."_user_to_group ".$conditions; $statement = WCF::getDB()->prepareStatement($sql); $statement->execute($conditions->getParameters()); $groupIDs = array(); while ($row = $statement->fetchArray()) { if (!is_array($groupIDs[$row['userID']])) { $groupIDs[$row['userID']] = array(); } $groupIDs[$row['userID']][] = $row['groupID']; } foreach ($users as $userID => $userData) { if (!UserGroup::isAccessibleGroup($groupIDs[$userID])) { throw new PermissionDeniedException(); } if ($loopFunction !== null) { $loopFunction($userID, $userData); } $userIDArray[] = $userID; $this->affectedUsers++; } return $userIDArray; }
/** * Validates accessible groups. * * @param boolean $ignoreOwnUser */ protected function __validateAccessibleGroups($ignoreOwnUser = true) { if ($ignoreOwnUser) { if (in_array(WCF::getUser()->userID, $this->objectIDs)) { unset($this->objectIDs[array_search(WCF::getUser()->userID, $this->objectIDs)]); if (isset($this->objects[WCF::getUser()->userID])) { unset($this->objects[WCF::getUser()->userID]); } } } // list might be empty because only our own user id was given if (empty($this->objectIDs)) { throw new UserInputException('objectIDs'); } // validate groups $conditions = new PreparedStatementConditionBuilder(); $conditions->add("userID IN (?)", array($this->objectIDs)); $sql = "SELECT\tDISTINCT groupID\n\t\t\tFROM\twcf" . WCF_N . "_user_to_group\n\t\t\t" . $conditions; $statement = WCF::getDB()->prepareStatement($sql); $statement->execute($conditions->getParameters()); $groupIDs = array(); while ($row = $statement->fetchArray()) { $groupIDs[] = $row['groupID']; } if (!UserGroup::isAccessibleGroup($groupIDs)) { throw new PermissionDeniedException(); } }
/** * Gets the list of results. */ protected function readUsers() { // get user ids $userIDs = array(); $sql = "SELECT\t\tuser_table.userID\n\t\t\tFROM\t\twcf" . WCF_N . "_user user_table\n\t\t\t" . (isset($this->options[$this->sortField]) ? "LEFT JOIN wcf" . WCF_N . "_user_option_value user_option_value ON (user_option_value.userID = user_table.userID)" : '') . "\n\t\t\t" . $this->conditions . "\n\t\t\tORDER BY\t" . ($this->sortField != 'email' && isset($this->options[$this->sortField]) ? 'user_option_value.userOption' . $this->options[$this->sortField]['optionID'] : $this->sortField) . " " . $this->sortOrder; $statement = WCF::getDB()->prepareStatement($sql, $this->itemsPerPage, ($this->pageNo - 1) * $this->itemsPerPage); $statement->execute($this->conditions->getParameters()); while ($row = $statement->fetchArray()) { $userIDs[] = $row['userID']; } // get user data if (count($userIDs)) { $userToGroups = array(); // get group ids $conditions = new PreparedStatementConditionBuilder(); $conditions->add("user_table.userID IN (?)", array($userIDs)); $sql = "SELECT\tuserID, groupID\n\t\t\t\tFROM\twcf" . WCF_N . "_user_to_group user_table\n\t\t\t\t" . $conditions; $statement = WCF::getDB()->prepareStatement($sql); $statement->execute($conditions->getParameters()); while ($row = $statement->fetchArray()) { $userToGroups[$row['userID']][] = $row['groupID']; } $sql = "SELECT\t\toption_value.*, user_table.*\n\t\t\t\tFROM\t\twcf" . WCF_N . "_user user_table\n\t\t\t\tLEFT JOIN\twcf" . WCF_N . "_user_option_value option_value\n\t\t\t\tON\t\t(option_value.userID = user_table.userID)\n\t\t\t\t" . $conditions . "\n\t\t\t\tORDER BY\t" . ($this->sortField != 'email' && isset($this->options[$this->sortField]) ? 'option_value.userOption' . $this->options[$this->sortField]['optionID'] : 'user_table.' . $this->sortField) . " " . $this->sortOrder; $statement = WCF::getDB()->prepareStatement($sql); $statement->execute($conditions->getParameters()); while ($row = $statement->fetchArray()) { $row['groupIDs'] = implode(',', $userToGroups[$row['userID']]); $accessible = UserGroup::isAccessibleGroup($userToGroups[$row['userID']]); $row['accessible'] = $accessible; $row['deletable'] = $accessible && WCF::getSession()->getPermission('admin.user.canDeleteUser') && $row['userID'] != WCF::getUser()->userID ? 1 : 0; $row['editable'] = $accessible && WCF::getSession()->getPermission('admin.user.canEditUser') ? 1 : 0; $row['isMarked'] = intval(in_array($row['userID'], $this->markedUsers)); $this->users[] = new User(null, $row); } // get special columns foreach ($this->users as $key => $user) { foreach ($this->columns as $column) { switch ($column) { case 'email': $this->columnValues[$user->userID][$column] = '<a href="mailto:' . StringUtil::encodeHTML($user->email) . '">' . StringUtil::encodeHTML($user->email) . '</a>'; break; case 'registrationDate': $this->columnValues[$user->userID][$column] = DateUtil::format(DateUtil::getDateTimeByTimestamp($user->{$column}), DateUtil::DATE_FORMAT); break; default: if (isset($this->options[$column])) { if ($this->options[$column]->outputClass) { $this->options[$column]->setOptionValue($user); $outputObj = $this->options[$column]->getOutputObject(); $this->columnValues[$user->userID][$column] = $outputObj->getOutput($user, $this->options[$column]->getDecoratedObject(), $user->{$column}); } else { $this->columnValues[$user->userID][$column] = StringUtil::encodeHTML($user->{$column}); } } break; } } } } }
/** * Returns the ids of the users which can be deleted. * * @return array<integer> */ protected function validateDelete() { // check permissions if (!WCF::getSession()->getPermission('admin.user.canDeleteUser')) { return 0; } // user cannot delete itself $userIDs = array_keys($this->objects); foreach ($userIDs as $index => $userID) { if ($userID == WCF::getUser()->userID) { unset($userIDs[$index]); } } // no valid users found if (empty($userIDs)) return array(); // fetch user to group associations $conditions = new PreparedStatementConditionBuilder(); $conditions->add("userID IN (?)", array($userIDs)); $sql = "SELECT userID, groupID FROM wcf".WCF_N."_user_to_group ".$conditions; $statement = WCF::getDB()->prepareStatement($sql); $statement->execute($conditions->getParameters()); $userToGroup = array(); while ($row = $statement->fetchArray()) { if (!isset($userToGroup[$row['userID']])) { $userToGroup[$row['userID']] = array(); } $userToGroup[$row['userID']][] = $row['groupID']; } // validate if user's group is accessible for current user foreach ($userIDs as $userID) { if (!isset($userToGroup[$userID]) || !UserGroup::isAccessibleGroup($userToGroup[$userID])) { unset($userIDs[$userID]); } } return $userIDs; }
/** * Fetches a list of users. * * @param mixed $loopFunction * @return array<integer> */ public function fetchUsers($loopFunction = null) { // select users $sql = "SELECT\t\tuser_table.*\n\t\t\tFROM\t\twcf" . WCF_N . "_user user_table\n\t\t\tLEFT JOIN\twcf" . WCF_N . "_user_option_value option_value\n\t\t\tON\t\t(option_value.userID = user_table.userID)\n\t\t\t" . $this->conditions; $statement = WCF::getDB()->prepareStatement($sql); $statement->execute($this->conditions->getParameters()); $users = array(); while ($row = $statement->fetchArray()) { $users[$row['userID']] = $row; } if (empty($users)) { return array(); } // select group ids $conditions = new PreparedStatementConditionBuilder(); $conditions->add("userID IN (?)", array(array_keys($users))); $sql = "SELECT\tuserID, groupID\n\t\t\tFROM\twcf" . WCF_N . "_user_to_group\n\t\t\t" . $conditions; $statement = WCF::getDB()->prepareStatement($sql); $statement->execute($conditions->getParameters()); $groupIDs = array(); while ($row = $statement->fetchArray()) { if (!isset($groupIDs[$row['userID']])) { $groupIDs[$row['userID']] = array(); } $groupIDs[$row['userID']][] = $row['groupID']; } foreach ($users as $userID => $userData) { if (!empty($groupIDs[$userID]) && !UserGroup::isAccessibleGroup($groupIDs[$userID])) { throw new PermissionDeniedException(); } if ($loopFunction !== null) { $loopFunction($userID, $userData); } $userIDs[] = $userID; $this->affectedUsers++; } return $userIDs; }
/** * @see wcf\form\IForm::validate() */ public function validate() { // validate static user options try { $this->validateUsername($this->username); } catch (UserInputException $e) { $this->errorType[$e->getField()] = $e->getType(); } try { $this->validateEmail($this->email, $this->confirmEmail); } catch (UserInputException $e) { $this->errorType[$e->getField()] = $e->getType(); } try { $this->validatePassword($this->password, $this->confirmPassword); } catch (UserInputException $e) { $this->errorType[$e->getField()] = $e->getType(); } // validate user groups if (!empty($this->groupIDs)) { $conditions = new PreparedStatementConditionBuilder(); $conditions->add("groupID IN (?)", array($this->groupIDs)); $conditions->add("groupType NOT IN (?)", array(array(UserGroup::GUESTS, UserGroup::EVERYONE, UserGroup::USERS))); $sql = "SELECT groupID FROM wcf".WCF_N."_user_group ".$conditions; $statement = WCF::getDB()->prepareStatement($sql); $statement->execute($conditions->getParameters()); $this->groupIDs = array(); while ($row = $statement->fetchArray()) { if (UserGroup::isAccessibleGroup(array($row['groupID']))) { $this->groupIDs[] = $row['groupID']; } } } // validate user language $language = LanguageFactory::getInstance()->getLanguage($this->languageID); if ($language === null || !$language->languageID) { // use default language $this->languageID = LanguageFactory::getInstance()->getDefaultLanguageID(); } // validate visible languages foreach ($this->visibleLanguages as $key => $visibleLanguage) { $language = LanguageFactory::getInstance()->getLanguage($visibleLanguage); if (!$language->languageID || !$language->hasContent) { unset($this->visibleLanguages[$key]); } } if (empty($this->visibleLanguages) && ($language = LanguageFactory::getInstance()->getLanguage($this->languageID)) && $language->hasContent) { $this->visibleLanguages[] = $this->languageID; } // validate dynamic options parent::validate(); }
/** * Returns true if the active user can edit this user. * * @return boolean */ public function canEdit() { return (WCF::getSession()->getPermission('admin.user.canEditUser') && UserGroup::isAccessibleGroup($this->getGroupIDs())); }
/** * Validates accessible groups. * * @return array<integer> */ protected function __validateAccessibleGroups(array $userIDs, $ignoreOwnUser = true) { if ($ignoreOwnUser) { foreach ($userIDs as $index => $userID) { if ($userID == WCF::getUser()->userID) { unset($userIDs[$index]); } } } // no valid users found if (empty($userIDs)) { return array(); } // fetch user to group associations $conditions = new PreparedStatementConditionBuilder(); $conditions->add("userID IN (?)", array($userIDs)); $sql = "SELECT\tuserID, groupID\n\t\t\tFROM\twcf" . WCF_N . "_user_to_group\n\t\t\t" . $conditions; $statement = WCF::getDB()->prepareStatement($sql); $statement->execute($conditions->getParameters()); $userToGroup = array(); while ($row = $statement->fetchArray()) { if (!isset($userToGroup[$row['userID']])) { $userToGroup[$row['userID']] = array(); } $userToGroup[$row['userID']][] = $row['groupID']; } // validate if user's group is accessible for current user foreach ($userIDs as $userID) { if (!isset($userToGroup[$userID]) || !UserGroup::isAccessibleGroup($userToGroup[$userID])) { unset($userIDs[$userID]); } } return $userIDs; }
/** * Returns true if current user may edit this group. * * @return boolean */ public function isEditable() { // insufficient permissions if (!WCF::getSession()->getPermission('admin.user.canEditGroup')) { return false; } // user cannot edit this group if (!UserGroup::isAccessibleGroup(array($this->groupID))) { return false; } return true; }
/** * @see wcf\form\IForm::save() */ public function save() { parent::save(); $conditions = new PreparedStatementConditionBuilder(); $conditions->add("userID IN (?)", array($this->userIDs)); $sql = "SELECT\tuserID, groupID\n\t\t\tFROM\twcf" . WCF_N . "_user_to_group\n\t\t\t" . $conditions; $statement = WCF::getDB()->prepareStatement($sql); $statement->execute($conditions->getParameters()); $groups = array(); while ($row = $statement->fetchArray()) { $groups[$row['userID']][] = $row['groupID']; } foreach ($this->users as $user) { if (!UserGroup::isAccessibleGroup($groups[$user->userID])) { throw new PermissionDeniedException(); } $groupsIDs = array_merge($groups[$user->userID], $this->groupIDs); $groupsIDs = array_unique($groupsIDs); $userEditor = new UserEditor($user); $userEditor->addToGroups($groupsIDs, true, false); } ClipboardHandler::getInstance()->removeItems($this->typeID); SessionHandler::resetSessions($this->userIDs); $this->saved(); WCF::getTPL()->assign('message', 'wcf.acp.user.assignToGroup.success'); WCF::getTPL()->display('success'); exit; }