コード例 #1
ファイル: banning.php プロジェクト: hungnv0789/vhtm
	}

	// check that the user exists
	$user = $db->query_first("
		SELECT user.*,
			IF(moderator.moderatorid IS NULL, 0, 1) AS ismoderator
		FROM " . TABLE_PREFIX . "user AS user
		LEFT JOIN " . TABLE_PREFIX . "moderator AS moderator ON(moderator.userid = user.userid AND moderator.forumid <> -1)
		WHERE user.username = '******'username']) . "'
	");
	if (!$user OR $user['userid'] == $vbulletin->userinfo['userid'])
	{
		print_stop_message('invalid_user_specified');
	}

	if (is_unalterable_user($user['userid']))
	{
		print_stop_message('user_is_protected_from_alteration_by_undeletableusers_var');
	}

	cache_permissions($user);

	// Non-admins can't ban administrators, supermods or moderators
	if (!($vbulletin->userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel']))
	{
		if ($user['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel'] OR $user['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['ismoderator'] OR $user['ismoderator'])
		{
			print_stop_message('no_permission_ban_non_registered_users');
		}
	}
	else if ($user['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel'])
コード例 #2
        $sourceinfo = vB_Api::instanceInternal('user')->fetchUserInfo($sourceuserid);
    } catch (vB_Exception_Api $ex) {
        print_stop_message2($ex->getMessage());
    }
    if (!$sourceinfo) {
        print_stop_message2('invalid_source_username_specified');
    }
    try {
        $destinfo = vB_Api::instanceInternal('user')->fetchUserInfo($destuserid);
    } catch (vB_Exception_Api $ex) {
        print_stop_message2($ex->getMessage());
    }
    if (!$destinfo) {
        print_stop_message2('invalid_destination_username_specified');
    }
    if (is_unalterable_user($sourceinfo['userid']) or is_unalterable_user($destinfo['userid'])) {
        print_stop_message2('user_is_protected_from_alteration_by_undeletableusers_var');
    }
    print_form_header('usertools', 'reallydomerge');
    construct_hidden_code('sourceuserid', $sourceinfo['userid']);
    construct_hidden_code('destuserid', $destinfo['userid']);
    print_table_header($vbphrase['confirm_merge']);
    print_description_row(construct_phrase($vbphrase['are_you_sure_you_want_to_merge_x_into_y'], $vbulletin->GPC['sourceuser'], $vbulletin->GPC['destuser']));
    print_submit_row($vbphrase['yes'], '', 2, $vbphrase['no']);
}
// ###################### Start Do Merge #######################
if ($_POST['do'] == 'reallydomerge') {
    // Get info on both users
    $vbulletin->input->clean_array_gpc('p', array('sourceuserid' => vB_Cleaner::TYPE_INT, 'destuserid' => vB_Cleaner::TYPE_INT));
    try {
        $sourceinfo = vB_Api::instanceInternal('user')->fetchUserInfo($vbulletin->GPC['sourceuserid']);
コード例 #3
ファイル: user.php プロジェクト: holandacz/nb4
            construct_hidden_code('minposts', $vbulletin->GPC['minposts']);
            construct_hidden_code('joindate[day]', $vbulletin->GPC['joindate']['day']);
            construct_hidden_code('joindate[month]', $vbulletin->GPC['joindate']['month']);
            construct_hidden_code('joindate[year]', $vbulletin->GPC['joindate']['year']);
            construct_hidden_code('order', $order);
            print_table_header(construct_phrase($vbphrase['showing_users_x_to_y_of_z'], 1, $numusers, $numusers), 7);
            print_cells_row(array('Userid', $vbphrase['username'], $vbphrase['email'], $vbphrase['post_count'], $vbphrase['last_activity'], $vbphrase['join_date'], '<input type="checkbox" name="allbox" onclick="js_check_all(this.form)" title="' . $vbphrase['check_all'] . '" checked="checked" />'), 1);
            while ($user = $db->fetch_array($users)) {
                $cell = array();
                $cell[] = $user['userid'];
                $cell[] = "<a href=\"user.php?" . $vbulletin->session->vars['sessionurl'] . "do=edit&u={$user['userid']}\" target=\"_blank\">{$user['username']}</a><br /><span class=\"smallfont\">{$user['title']}" . iif($user['moderatorid'], ', Moderator', '') . "</span>";
                $cell[] = "<a href=\"mailto:{$user['email']}\">{$user['email']}</a>";
                $cell[] = vb_number_format($user['posts']);
                $cell[] = vbdate($vbulletin->options['dateformat'], $user['lastactivity']);
                $cell[] = vbdate($vbulletin->options['dateformat'], $user['joindate']);
                if ($user['userid'] == $vbulletin->userinfo['userid'] or $user['usergroupid'] == 6 or $user['usergroupid'] == 5 or $user['moderatorid'] or is_unalterable_user($user['userid'])) {
                    $cell[] = '<input type="button" class="button" value=" ! " onclick="js_alert_no_permission()" />';
                } else {
                    $cell[] = "<input type=\"checkbox\" name=\"users[{$user['userid']}]\" value=\"1\" checked=\"checked\" tabindex=\"1\" />";
                }
                print_cells_row($cell);
            }
            print_description_row('<center><span class="smallfont">
				<b>' . $vbphrase['action'] . ':
				<label for="dw_delete"><input type="radio" name="dowhat" value="delete" id="dw_delete" tabindex="1" />' . $vbphrase['delete'] . '</label>
				<label for="dw_move"><input type="radio" name="dowhat" value="move" id="dw_move" tabindex="1" />' . $vbphrase['move'] . '</label>
				<select name="movegroup" tabindex="1" class="bginput">' . $groupslist . '</select></b>
				</span></center>', 0, 7);
            print_submit_row($vbphrase['go'], $vbphrase['check_all'], 7);
            echo '<p>' . $vbphrase['this_action_is_not_reversible'] . '</p>';
        } else {
コード例 #4
ファイル: user.php プロジェクト: cedwards-reisys/nexus-web
 /**
  * Insert or update a user
  *
  * @param integer $userid Userid to be updated. Set to 0 if you want to insert a new user.
  * @param string $password Password for the user. Empty means no change.  May be overridden by the $extra array
  * @param array $user Basic user information such as email or home page
  * 	* username
  * 	* email
  * 	* usertitle
  * 	* birthday
  * 	* usergroupid (will get no_permissions exception without administrate user permissions)
  * 	* membergroupids (will get no_permissions exception without administrate user permissions)
  *	* list not complete
  * @param array $options vB options for the user
  * @param array $adminoptions Admin Override Options for the user
  * @param array $userfield User's User Profile Field data
  * @param array $notificationOptions
  * @param array $hvinput Human Verify input data. @see vB_Api_Hv::verifyToken()
  * @param array $extra Generic flags or data to affect processing.
  *	* registration
  *	* email
  *	* newpass
  *	* password
  *	* acnt_settings
  * @return integer New or updated userid.
  */
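 public function save($userid, $password, $user, $options, $adminoptions, $userfield, $notificationOptions = array(), $hvinput = array(), $extra = array())
 {
     // Overall flow: permission checks -> current-password verification for sensitive
     // changes -> populate the user data manager -> save -> set the password -> fire
     // cache events and send notification e-mails.
     $db = vB::getDbAssertor();
     $vboptions = vB::getDatastore()->getValue('options');
     $userContext = vB::getUserContext();
     $currentUserId = $userContext->fetchUserId();
     $userid = intval($userid);
     $coppauser = false;
     //set up some booleans to control behavior.  This is done to simplify/document the later code
     $newuser = !$userid;
     $canadminusers = $this->hasAdminPermission('canadminusers');
     // Admin override applies only to callers with 'canadminusers' who are NOT coming from the
     // account settings page.
     // NOTE(review): the original tested empty($extra['acnt_settings']) twice; the duplicate is
     // dropped here with no behaviour change.  If a different $extra key was meant for the second
     // test, the override is currently broader than intended -- confirm.
     $adminoverride = ($canadminusers and empty($extra['acnt_settings']));
     $changingCurrentUser = $userid == $currentUserId;
     // Not sure why we do this at all.  The caller should handle this appropriately.
     // We shouldn't set $userid = $currentUserId if $userid == 0 here
     // Cause we may need to allow logged-in user to register again
     // NOTE: $newuser and $changingCurrentUser were computed from the un-normalised $userid above,
     // so a negative id is treated as "existing user, not the current user" by the checks below.
     if ($userid < 0 and $currentUserId) {
         $userid = $currentUserId;
     }
     //we'll need this all over the place if this isn't a new user.
     if (!$newuser) {
         $userinfo = vB_User::fetchUserInfo($userid);
     }
     //check some permissions.  If we can admin users we can skip all of these checks.  Some checks
     //only apply to some cases, such as registering a newuser.  We also check various fields
     //in some cases and not others.
     if (!$canadminusers) {
         if ($newuser) {
             // Check if registration is allowed
             if (!$vboptions['allowregistration']) {
                 throw new vB_Exception_Api('noregister');
             }
             // Check Multiple Registrations Per User
             if ($currentUserId and !$vboptions['allowmultiregs']) {
                 $currentUser = vB::getCurrentSession()->fetch_userinfo();
                 throw new vB_Exception_Api('signing_up_but_currently_logged_in_msg', array($currentUser['username'], $vboptions['frontendurl'] . '/auth/logout?logouthash=' . $currentUser['logouthash']));
             }
             // If it's a new registration, we need to verify the HV
             // VBV-9386: HV is disabled when accessing through the VB_API in vb4.
             // There is also a comment saying that it should be enabled once it goes live???
             // NOTE(security): when the VB_API constant is exactly true the human-verification
             // token is not checked here, so registrations on that path are not challenged by
             // this method.  Whether another layer compensates is not visible from here.
             if (!defined('VB_API') or defined('VB_API') and VB_API !== true) {
                 vB_Api::instanceInternal('hv')->verifyToken($hvinput, 'register');
             }
             // Verify Stop Forum Spam
             $nospam = vB_StopForumSpam::instance();
             if (!$nospam->checkRegistration($user['username'], vB::getRequest()->getIpAddress(), $user['email'])) {
                 throw new vB_Exception_Api('noregister');
             }
         } else {
             //attempting to update somebody else's profile -- only admins can do this
             if (!$changingCurrentUser) {
                 throw new vB_Exception_Api('no_permission');
             }
             //we need to handle this more gracefully -- this is kindof weird.
             if (!$userContext->hasPermission('genericpermissions', 'canmodifyprofile')) {
                 // User can only update email and password
                 return $this->saveEmailPassword($extra);
             }
             if (isset($user['privacy_options']) and !$userContext->hasPermission('usercsspermissions', 'caneditprivacy')) {
                 // User doesn't have permission to update privacy
                 throw new vB_Exception_Api('no_permission');
             }
             if (isset($options['invisible']) and !empty($options['invisible']) and !$userContext->hasPermission('genericpermissions', 'caninvisible')) {
                 // User doesn't have permission to go invisible
                 throw new vB_Exception_Api('no_permission');
             }
         }
         //handle some fields that users should not be able to set (the admin can do what he wants)
         // Rejecting these keys outright is what stops a non-admin from assigning themselves to a
         // usergroup through this call; the mere presence of the key is treated as an attempt.
         if (isset($user['usergroupid'])) {
             throw new vB_Exception_Api('no_permission');
         }
         if (isset($user['membergroupids'])) {
             throw new vB_Exception_Api('no_permission');
         }
     }
     /*
      * Some checks for all cases.
      */
     //check the user title length.  Skip for any administrator.  Not sure if we should be checking for edit user permissions or not, but
     //it's not a major issue if admins can set their own titles to something really long so changing it at this point is not wise.
     // NOTE(review): the condition rejects titles LONGER than ctMaxChars, while the phrase key
     // reads "at least x characters" -- the phrase may not match the check; confirm.
     if (isset($user['usertitle']) and vB_String::vbStrlen($user['usertitle']) > $vboptions['ctMaxChars'] and !$userContext->isAdministrator()) {
         throw new vB_Exception_Api('please_enter_user_title_with_at_least_x_characters', $vboptions['ctMaxChars']);
     }
     //don't allow changes to an unalterable user unless the user themselves requests it.  We might want to lock down what the
     //user can edit in this case.
     require_once DIR . '/includes/adminfunctions.php';
     if (!$changingCurrentUser and is_unalterable_user($userid)) {
         throw new vB_Exception_Api('user_is_protected_from_alteration_by_undeletableusers_var');
     }
     $olduser = array();
     if ($userid != 0) {
         // Get old user information
         $olduser = $db->getRow('user_fetchforupdating', array(vB_dB_Query::TYPE_KEY => vB_dB_Query::QUERY_STORED, 'userid' => $userid));
         if (!$olduser) {
             throw new vB_Exception_Api('invalid_user_specified');
         }
     }
     // if birthday is required
     if ($vboptions['reqbirthday'] and empty($olduser['birthday']) and empty($user['birthday'])) {
         if (count($userfield)) {
             throw new vB_Exception_Api('birthdayfield');
         } else {
             throw new vB_Exception_Api('birthdayfield_nonprofile_tab');
         }
     }
     /*
      *	If we are changing the password or email from the account setting we need to validate the users
      *	existing password.
      */
     //we allow stuff for the account profile page to be passed separately in the $extra array.
     //we shouldn't but cleaning that up is a larger task.
     if (!empty($extra['acnt_settings'])) {
         if (!empty($extra['email'])) {
             $user['email'] = $extra['email'];
         }
         //new password to set
         if (!empty($extra['newpass'])) {
             $password = $extra['newpass'];
         }
         //the user's existing password -- needed to verify to set certain sensitive fields.
         if (!empty($extra['password'])) {
             $user['password'] = $extra['password'];
         }
     }
     //if we are setting the password or the email we may need to check the user's existing
     //password as an extra precaution.
     // * If this is an existing user
     // * If we are changing the password or email
     // * If we are not overriding as an admin
     // Requiring the current password means a borrowed or stolen session cannot change the
     // e-mail or password by itself.  The test is on the presence of $user['email'], not on
     // whether it differs from the stored address, so any non-empty e-mail triggers the check.
     if (!$newuser and (!empty($password) or !empty($user['email'])) and !$adminoverride) {
         $loginlib = vB_Library::instance('login');
         // empty() instead of a bare index read: a caller that omits the key gets the same
         // 'enter_current_password' error without an undefined-index notice first.
         if (empty($user['password'])) {
             throw new vB_Exception_Api('enter_current_password');
         }
         // Only the fields needed for verification are handed to the login library.
         $login = array_intersect_key($userinfo, array_flip(array('userid', 'token', 'scheme')));
         $auth = $loginlib->verifyPasswordFromInfo($login, array(array('password' => $user['password'], 'encoding' => 'text')));
         if (!$auth['auth']) {
             throw new vB_Exception_Api('badpassword', vB5_Route::buildUrl('lostpw|fullurl'));
         }
     }
     //this is the user's existing password which we don't need now that we've verified it.
     //attempting to set it to the DM, which we do below for all user fields causes problems.
     unset($user['password']);
     //if this is a newuser we need to have a password -- even if this is an admin creating the user
     if ($newuser and empty($password)) {
         throw new vB_Exception_Api('invalid_password_specified');
     }
     /*
      *	If we got this far, we basically have permission to update the user in the way we requested.
      */
     $bf_misc_useroptions = vB::getDatastore()->getValue('bf_misc_useroptions');
     $bf_misc_adminoptions = vB::getDatastore()->getValue('bf_misc_adminoptions');
     $bf_misc_notificationoptions = vB::getDatastore()->getValue('bf_misc_usernotificationoptions');
     $usergroupcache = vB::getDatastore()->getValue('usergroupcache');
     // The IP address is taken from the request, overwriting any caller-supplied value.
     $user['ipaddress'] = vB::getRequest()->getIpAddress();
     $olduser = array_merge($olduser, convert_bits_to_array($olduser['options'], $bf_misc_useroptions));
     $olduser = array_merge($olduser, convert_bits_to_array($olduser['adminoptions'], $bf_misc_adminoptions));
     $olduser = array_merge($olduser, convert_bits_to_array($olduser['notification_options'], $bf_misc_notificationoptions));
     // get threaded mode options
     if (isset($olduser['threadedmode']) and ($olduser['threadedmode'] == 1 or $olduser['threadedmode'] == 2)) {
         $threaddisplaymode = $olduser['threadedmode'];
     } else {
         if (isset($olduser['postorder']) and $olduser['postorder'] == 0) {
             $threaddisplaymode = 0;
         } else {
             $threaddisplaymode = 3;
         }
     }
     $olduser['threadedmode'] = $threaddisplaymode;
     // Let's handle this at API level, ignore list is causing problems in the data manager
     //handle ignorelist
     if (isset($user['ignorelist'])) {
         $user['ignorelist'] = $this->updateIgnorelist($userid, explode(',', $user['ignorelist']));
     } else {
         $user['ignorelist'] = array();
     }
     // init data manager
     $userdata = new vB_Datamanager_User(vB_DataManager_Constants::ERRTYPE_ARRAY_UNPROCESSED);
     /*
      * If this was called from the account settings or registration pages
      * (not the Admin Control Panel) then we shouldn't be setting admin override.
      * Should also make sure that the admin is logged in and its not just a case of someone
      * telling the API that we're in the ACP
      */
     if ($adminoverride) {
         $userdata->adminoverride = true;
     }
     $updateUGPCache = false;
     // set existing info if this is an update
     if (!$newuser) {
         // birthday
         if (!$adminoverride and $user['birthday'] and $olduser['birthday'] and $user['birthday'] != $olduser['birthday'] and $vboptions['reqbirthday']) {
             throw new vB_Exception_Api('has_no_permission_change_birthday');
         }
         // update buddy list
         $user['buddylist'] = array();
         foreach (explode(' ', $userinfo['buddylist']) as $buddy) {
             if (in_array($buddy, $user['ignorelist']) === false) {
                 $user['buddylist'][] = $buddy;
             }
         }
         $userinfo['posts'] = intval($user['posts']);
         // update usergroups cache if needed...
         $uInfoMUgpIds = explode(',', trim($userinfo['membergroupids']));
         $uInfoUgpId = trim($userinfo['usergroupid']);
         $uIGpIds = explode(',', trim($userinfo['infractiongroupids']));
         $mUgpIds = isset($user['membergroupids']) ? $user['membergroupids'] : false;
         $ugpId = isset($user['usergroupid']) ? trim($user['usergroupid']) : false;
         $iGpIds = isset($user['infractiongroupids']) ? explode(',', trim($user['infractiongroupids'])) : false;
         // NOTE(review): array_diff() is one-directional.  For member groups this detects ids that
         // were removed but not ids that were added; for infraction groups it is the reverse.  A
         // permission cache that is not refreshed after a group change may be stale -- confirm
         // whether another code path fires 'perms_changed' in those cases.
         if ($ugpId and $uInfoUgpId != $ugpId or $mUgpIds and array_diff($uInfoMUgpIds, $mUgpIds) or $iGpIds and array_diff($iGpIds, $uIGpIds)) {
             $updateUGPCache = true;
         }
         $userdata->set_existing($userinfo);
     } else {
         if ($this->useCoppa()) {
             if (empty($user['birthday'])) {
                 throw new vB_Exception_Api('under_thirteen_registration_denied');
             }
             if ($this->needsCoppa($user['birthday'])) {
                 if ($vboptions['usecoppa'] == 2) {
                     throw new vB_Exception_Api('under_thirteen_registration_denied');
                 } else {
                     if (empty($user['parentemail'])) {
                         throw new vB_Exception_Api('coppa_rules_description');
                     }
                     $userdata->set_info('coppauser', true);
                     // NOTE(review): the plain-text password is handed to the data manager as
                     // 'coppapassword'; what the data manager does with it is not visible here.
                     $userdata->set_info('coppapassword', $password);
                     $options['coppauser'] = 1;
                     $coppauser = true;
                 }
             } else {
                 if ($vboptions['moderatenewmembers']) {
                     $userdata->set_info('usergroupid', 4);
                 } else {
                     if ($vboptions['verifyemail']) {
                         $userdata->set_info('usergroupid', 3);
                     } else {
                         $userdata->set_info('usergroupid', 2);
                     }
                 }
             }
         }
     }
     //should not be required with the new password code.
     // if no username is provided then is taken from old userinfo, datamanager needs username always set to perform password checks.
     //$username = (empty($user['username']) ? $userinfo['username'] : $user['username']);
     //$userdata->set('username', $username);
     //unset($user['username']);
     // user options
     foreach ($bf_misc_useroptions as $key => $val) {
         if (isset($options["{$key}"])) {
             $userdata->set_bitfield('options', $key, $options["{$key}"]);
         } else {
             if (isset($olduser["{$key}"])) {
                 $userdata->set_bitfield('options', $key, $olduser["{$key}"]);
             }
         }
     }
     // NOTE(review): $adminoptions is applied without a permission test in this method; only the
     // adminoverride flag set on the data manager above distinguishes admin callers.  Whether the
     // data manager rejects these bits for non-admin callers is not visible here -- confirm.
     foreach ($adminoptions as $key => $val) {
         $userdata->set_bitfield('adminoptions', $key, $val);
     }
     // notification options
     foreach ($notificationOptions as $key => $val) {
         // @TODO related to VBV-92
         if ($olduser["{$key}"] != $val) {
             $userdata->set_bitfield('notification_options', $key, $val);
         } else {
             if ($olduser["{$key}"] == $val) {
                 $userdata->set_bitfield('notification_options', $key, $olduser["{$key}"]);
             }
         }
     }
     $displaygroupid = (array_key_exists('displaygroupid', $user) and intval($user['displaygroupid'])) ? $user['displaygroupid'] : '';
     if (isset($user['usergroupid']) and $user['usergroupid']) {
         $displaygroupid = $user['usergroupid'];
     } elseif (isset($olduser['usergroupid']) and $olduser['usergroupid']) {
         $displaygroupid = $olduser['usergroupid'];
     }
     // custom user title
     if (isset($user['usertitle']) and $user['usertitle']) {
         $userdata->set_usertitle($user['usertitle'], $user['customtitle'] ? false : true, $usergroupcache["{$displaygroupid}"], $userContext->hasPermission('genericpermissions', 'canusecustomtitle'), $userContext->isAdministrator());
         unset($user['usertitle'], $user['customtitle']);
     } else {
         if (isset($user['usertitle']) and empty($user['usertitle']) and empty($user['customtitle'])) {
             $userdata->set_usertitle('', true, $usergroupcache["{$displaygroupid}"], $userContext->hasPermission('genericpermissions', 'canusecustomtitle'), $userContext->isAdministrator());
             unset($user['usertitle'], $user['customtitle']);
         }
     }
     // privacy_options
     $privacyChanged = false;
     if (isset($user['privacy_options']) and $user['privacy_options']) {
         // Allow-list filter: drop any submitted option name that is not in $this->privacyOptions.
         // NOTE(review): in_array() compares loosely here.  On PHP versions before 8 an integer key
         // such as 0 compares equal to any non-numeric string and would pass this filter; passing
         // true as the third argument would close that, assuming the allow-list holds strings.
         foreach ($user['privacy_options'] as $opt => $val) {
             if (!in_array($opt, $this->privacyOptions)) {
                 unset($user['privacy_options'][$opt]);
             }
         }
         // check if we need to update cached values...
         if ($olduser['privacy_options']) {
             // NOTE(security): unserialize() on a stored column.  This method writes the column
             // with serialize() just below, from the filtered array, but the array VALUES are
             // caller-supplied and are not type-checked here.  If the column can hold anything
             // other than scalars, or is writable by another path, this is an object-injection
             // sink; restricting classes (allowed_classes => false) or storing JSON would remove
             // it.  Left unchanged to keep the stored format compatible.
             $check = unserialize($olduser['privacy_options']);
             $diff = array_diff_assoc($user['privacy_options'], $check);
             if (!empty($diff)) {
                 $privacyChanged = true;
             }
         }
         $user['privacy_options'] = serialize($user['privacy_options']);
     }
     // Update from user fields
     // Every remaining key of the caller-supplied $user array is passed to the data manager, so
     // field-level validation is delegated to vB_Datamanager_User::set().
     foreach ($user as $key => $val) {
         if (!$userid or $olduser["{$key}"] != $val) {
             $userdata->set($key, $val);
         }
     }
     $membergroupids = false;
     if (isset($user['membergroupids']) and is_array($user['membergroupids'])) {
         $membergroupids = $user['membergroupids'];
     }
     //add facebook user group for new users being registered with FB
     //not entirely thrilled with putting this here, but doing it in a less
     //fragile way requires a greater refactoring of the registration code
     if ($newuser and $vboptions['facebookusergroupid']) {
         $fblib = vB_Library::instance('facebook');
         if ($fblib->isFacebookEnabled() and $fblib->userIsLoggedIn()) {
             if (is_array($membergroupids)) {
                 $membergroupids[] = $vboptions['facebookusergroupid'];
             } else {
                 $membergroupids = array($vboptions['facebookusergroupid']);
             }
         }
     }
     //actually set the usergroup array if we have one
     if (is_array($membergroupids)) {
         $userdata->set('membergroupids', $membergroupids);
     }
     // custom profile fields
     // NOTE(review): the mode argument is 'admin' for every caller, including self-service edits
     // and registrations; presumably this selects which profile fields may be written -- confirm
     // that non-admin callers cannot set admin-only fields through $userfield.
     if (!empty($userfield) and is_array($userfield)) {
         $userdata->set_userfields($userfield, true, 'admin');
     }
     // handles ignorelist and buddylist correctly
     $userdata->set('ignorelist', $user['ignorelist']);
     $userdata->set('buddylist', isset($user['buddylist']) ? $user['buddylist'] : array());
     // timezone
     if (empty($user['timezoneoffset']) and $newuser) {
         $userdata->set('timezoneoffset', $vboptions['timeoffset']);
     }
     //the secret really isn't related to the password, but we want to change it
     //periodically and for now "every time the user changes their password"
     //works (we previously used the password salt so that's when it got changed
     //prior to the refactor).
     if (!empty($password)) {
         $userdata->set('secret', vB_Library::instance('user')->generateUserSecret());
     }
     // save data
     $newuserid = $userdata->save();
     if ($userdata->has_errors(false)) {
         throw $userdata->get_exception();
     }
     //a bit of a hack.  If the DM save function runs an update of an existing user then
     //it returns true rather than the userid (despite what the comments say). However its
     //not clear how to handle that in the DM (which looks like it could be use to alter
     //multiple users wholesale, in which case we really don't have an ID.  Better to catch it here.
     if ($newuserid === true) {
         $newuserid = $userid;
     }
     //if we have a new password, then let's set it.
     if (!empty($password)) {
         try {
             //lookup the history for the user we are editing, which is not necessarily the
             //user that we currently are.
             // Fixed: the original read the undefined variable $changinCurrentUser here, so this
             // branch never ran and a self-service change made with admin override fell through
             // to a password-history length of 0.
             if ($changingCurrentUser) {
                 $history = $userContext->getUsergroupLimit('passwordhistory');
             } else {
                 if ($adminoverride) {
                     $history = 0;
                 } else {
                     $history = vB::getUserContext($userid)->getUsergroupLimit('passwordhistory');
                 }
             }
             $loginlib = vB_Library::instance('login');
             $loginlib->setPassword($newuserid, $password, array('passwordhistorylength' => $history), array('passwordhistory' => $adminoverride));
         } catch (Exception $e) {
             //if this is a new user, delete it if we fail to set the initial password.
             // Without this rollback a failed setPassword() would leave a user row behind.
             if ($newuser) {
                 $db->delete('user', array('userid' => $newuserid));
             }
             throw $e;
         }
     }
     if ($updateUGPCache) {
         vB_Cache::instance(vB_Cache::CACHE_FAST)->event('perms_changed');
     }
     if ($privacyChanged) {
         vB_Cache::instance()->event('userPrivacyChg_' . $userid);
     }
     // clear user info cached
     $this->library->clearUserInfo(array($newuserid));
     // update session's languageid, VBV-11318
     if (isset($user['languageid'])) {
         vB::getCurrentSession()->set('languageid', $user['languageid']);
     }
     if ($newuser and $vboptions['newuseremail'] != '') {
         // Prepare email data
         $customfields = '';
         if (!empty($userfield) and is_array($userfield)) {
             $customfields = $userdata->set_userfields($userfield, true, 'register');
         }
         // NOTE(review): $user is caller input and nothing above assigns $user['userid']; for a
         // new registration $newuserid is probably what the profile URL needs -- confirm.
         $maildata = vB_Api::instanceInternal('phrase')->fetchEmailPhrases('newuser', array($user['username'], vB::getDatastore()->getOption('bbtitle'), vB5_Route::buildUrl('profile|fullurl', array('userid' => $user['userid'])), $user['email'], $user['birthday'], $user['ipaddress'], $customfields), array(vB::getDatastore()->getOption('bbtitle')));
         // Send out the emails
         $newemails = explode(' ', $vboptions['newuseremail']);
         foreach ($newemails as $toemail) {
             if (trim($toemail)) {
                 vB_Mail::vbmail($toemail, $maildata['subject'], $maildata['message'], false);
             }
         }
     }
     // Check if we need to send out activate email
     // Accounts created from the Admin CP (VB_AREA == 'AdminCP') skip the activation e-mail.
     $verifyEmail = (defined('VB_AREA') and VB_AREA == 'AdminCP') ? false : true;
     if ($newuser and $vboptions['verifyemail'] and $verifyEmail) {
         $this->library->sendActivateEmail($newuserid);
     }
     // Check if we need to send out welcome email
     if ($newuser and $userdata->fetch_field('usergroupid') == 2 and $vboptions['welcomemail']) {
         // Send welcome mail
         $username = trim(unhtmlspecialchars($user['username']));
         $maildata = vB_Api::instanceInternal('phrase')->fetchEmailPhrases('welcomemail', array($username, $vboptions['bbtitle']), array($vboptions['bbtitle']), isset($user['languageid']) ? $user['languageid'] : vB::getDatastore()->getOption('languageid'));
         vB_Mail::vbmail($user['email'], $maildata['subject'], $maildata['message'], true);
     }
     return $newuserid;
 }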
コード例 #5
ファイル: user.php プロジェクト: holandacz/nb4
    cache_permissions($userinfo, false);
    if ($vbulletin->userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel'] and $userinfo['permissions']['genericpermissions'] & $vbulletin->bf_ugp_genericpermissions['canuseavatar'] and ($userinfo['permissions']['avatarmaxwidth'] > 0 or $userinfo['permissions']['avatarmaxheight'] > 0)) {
        print_yes_no_row($vbphrase['resize_image_to_users_maximum_allowed_size'], 'resize');
    }
    print_input_row($vbphrase['enter_image_url'], 'avatarurl', 'http://www.');
    print_upload_row($vbphrase['upload_image_from_computer'], 'upload');
    construct_hidden_code('userid', $vbulletin->GPC['userid']);
    print_submit_row($vbphrase['save']);
}
// ###################### Start Update Avatar ################
if ($_POST['do'] == 'updateavatar') {
    if (!can_moderate(0, 'caneditavatar')) {
        print_stop_message('no_permission_avatars');
    }
    $vbulletin->input->clean_array_gpc('p', array('avatarid' => TYPE_INT, 'avatarurl' => TYPE_STR, 'resize' => TYPE_BOOL));
    if (is_unalterable_user($vbulletin->GPC['userid'])) {
        print_stop_message('user_is_protected_from_alteration_by_undeletableusers_var');
    }
    $useavatar = iif($vbulletin->GPC['avatarid'] == -1, 0, 1);
    $userinfo = fetch_userinfo($vbulletin->GPC['userid']);
    if (!$userinfo) {
        print_stop_message('invalid_user_specified');
    }
    // init user datamanager
    $userdata =& datamanager_init('User', $vbulletin, ERRTYPE_CP);
    $userdata->set_existing($userinfo);
    if ($useavatar) {
        if (!$vbulletin->GPC['avatarid']) {
            // custom avatar
            $vbulletin->input->clean_gpc('f', 'upload', TYPE_FILE);
            require_once DIR . '/includes/class_upload.php';
コード例 #6
ファイル: infraction.php プロジェクト: hungnv0789/vhtm
		{
			$trimmed_postmessage = substr($vbulletin->GPC['message'], 0, $vbulletin->options['postmaxchars']);
		}
		else
		{
			$trimmed_postmessage =& $vbulletin->GPC['message'];
		}
		$infdata->set_info('message', $trimmed_postmessage);

		($hook = vBulletinHook::fetch_hook('infraction_update_process')) ? eval($hook) : false;

		$infdata->save();

		// Ban
		require_once(DIR . '/includes/adminfunctions.php');
		if (!empty($banlist) AND $points = $infdata->fetch_field('points') AND !is_unalterable_user($userinfo['userid']))
		{
			if ($banusergroupid)
			{
				// check to see if there is already a ban record for this user in the userban table
				if ($bancheck)
				{
					if (($liftdate == 0 OR $bancheck['liftdate'] < $liftdate) AND $bancheck['liftdate'] != 0)
					{
						// there is already a record - just update this record
						$db->query_write("
							UPDATE " . TABLE_PREFIX . "userban SET
								bandate = " . TIMENOW . ",
								liftdate = $liftdate,
								adminid = " . $vbulletin->userinfo['userid'] . ",
								reason = '" . $db->escape_string($vbulletin->GPC['banreason']) . "'
コード例 #7
 /**
  * Registers a user as a leader of a usergroup.
  *
  * The caller must hold the 'canadminpermissions' admin permission. The group
  * lookup only matches groups flagged ispublicgroup = 1 whose ID is greater
  * than 7, and the target user must not be protected by is_unalterable_user().
  * When the user does not yet belong to the group, it is appended to the
  * user's membergroupids before the leader row is inserted.
  *
  * @param int $usergroupid Usergroup that receives the leader
  * @param int $userid      User who becomes the leader
  * @return int New usergroupleader ID (the result of the insert query)
  * @throws vB_Exception_Api 'cant_add_usergroup_leader' when no matching group is found,
  *                          'invalid_user_specified' when the user does not exist,
  *                          'user_is_protected_from_alteration_by_undeletableusers_var' for protected users,
  *                          'invalid_usergroup_leader_specified' when the pre-existence lookup matches
  */
 public function addLeader($usergroupid, $userid)
 {
     // Authorization comes first; the lookups and writes below sit behind it.
     $this->checkHasAdminPermission('canadminpermissions');
     require_once DIR . '/includes/adminfunctions.php';

     $usergroupid = (int) $usergroupid;
     $userid = (int) $userid;

     // NOTE(review): the "> 7" bound presumably excludes the built-in usergroups - confirm.
     $group = vB::getDbAssertor()->getRow('usergroup', array(
         vB_dB_Query::TYPE_KEY => vB_dB_Query::QUERY_SELECT,
         vB_dB_Query::CONDITIONS_KEY => array(
             array('field' => 'usergroupid', 'value' => $usergroupid, 'operator' => 'EQ'),
             array('field' => 'ispublicgroup', 'value' => 1, 'operator' => 'EQ'),
             array('field' => 'usergroupid', 'value' => 7, 'operator' => 'GT'),
         ),
     ));
     if (!$group) {
         throw new vB_Exception_Api('cant_add_usergroup_leader');
     }

     $member = vB::getDbAssertor()->getRow('user', array(
         vB_dB_Query::TYPE_KEY => vB_dB_Query::QUERY_SELECT,
         'userid' => $userid,
     ));
     if (!$member) {
         throw new vB_Exception_Api('invalid_user_specified');
     }

     // Accounts listed as unalterable may not have their group membership changed here.
     if (is_unalterable_user($member['userid'])) {
         throw new vB_Exception_Api('user_is_protected_from_alteration_by_undeletableusers_var');
     }

     // NOTE(review): this lookup hits the 'user' table (primary usergroupid), not a
     // leader table - confirm that this is the intended duplicate check.
     $alreadyThere = vB::getDbAssertor()->getRow('user', array(
         vB_dB_Query::TYPE_KEY => vB_dB_Query::QUERY_SELECT,
         vB_dB_Query::CONDITIONS_KEY => array(
             array('field' => 'usergroupid', 'value' => $usergroupid, 'operator' => vB_dB_Query::OPERATOR_EQ),
             array('field' => 'userid', 'value' => $member['userid'], 'operator' => vB_dB_Query::OPERATOR_EQ),
         ),
     ));
     if ($alreadyThere) {
         throw new vB_Exception_Api('invalid_usergroup_leader_specified');
     }

     // Add the group to the leader's secondary groups unless it is already listed
     // there or is the user's primary group.
     $listedAsSecondary = strpos(",{$member['membergroupids']},", "," . $usergroupid . ",") !== false;
     if (!$listedAsSecondary and $member['usergroupid'] != $usergroupid) {
         $updatedGroups = empty($member['membergroupids'])
             ? $usergroupid
             : "{$member['membergroupids']}," . $usergroupid;

         $manager = new vB_Datamanager_User(vB_DataManager_Constants::ERRTYPE_ARRAY_UNPROCESSED);
         $manager->set_existing($member);
         $manager->set('membergroupids', $updatedGroups);
         $manager->save();
         unset($manager);
     }

     // Record the leadership itself.
     return vB::getDbAssertor()->assertQuery('vBForum:usergroupleader', array(
         vB_dB_Query::TYPE_KEY => vB_dB_Query::QUERY_INSERT,
         'userid' => $member['userid'],
         'usergroupid' => $usergroupid,
     ));
 }
コード例 #8
 /**
  * Decides whether the infraction being given triggers an automatic ban and,
  * if it does, returns the ban entry to apply.
  *
  * Warnings, infractions worth less than one point and users protected by
  * is_unalterable_user() never trigger a ban. Otherwise every entry of the
  * automatic ban list that applies to the user is checked against the user's
  * point or infraction total including this infraction; a non-expiring ban
  * wins immediately, else the entry with the latest lift date is chosen.
  *
  * @param array $userInfo            User info for the user to ban
  * @param array $data                Data for the infraction that is being given
  * @param array $infractionLevelInfo Infraction level information for that infraction
  * @param bool  $isWarning           Is this a warning?
  * @return array|false The ban entry to apply, or false when no ban applies
  * @throws vB_Exception_Api 'invalid_banreason' when a ban applies but $data['banreason'] is empty
  */
 protected function getAutomaticBanToApply(array $userInfo, array $data, array $infractionLevelInfo, $isWarning)
 {
     // Warnings change neither points nor the infraction count, so they cannot trigger a ban.
     if ($isWarning or $infractionLevelInfo['points'] < 1) {
         return false;
     }

     require_once DIR . '/includes/adminfunctions.php';

     // Protected accounts are exempt from automatic bans.
     if (is_unalterable_user($userInfo['userid'])) {
         return false;
     }

     $summary = $this->getUserInfractions($userInfo['userid']);
     // active & expired infractions, used by infraction-count bans
     $priorInfractions = $summary['statistics']['total'];
     // active infraction points, used by points-based bans
     $priorPoints = $summary['statistics']['points'];

     $selected = false;
     foreach ($this->getAutomaticBanList() as $candidate) {
         // NOTE(review): this reads $userInfo['usergroup'], not 'usergroupid' - confirm the caller supplies that key.
         $appliesToGroup = ($candidate['usergroup'] == -1 or $candidate['usergroup'] == $userInfo['usergroup']);
         if (!$appliesToGroup) {
             continue;
         }

         // Threshold check counts the infraction that is currently being given.
         $reachedByPoints = ($candidate['method'] == 'points'
             and $priorPoints + $infractionLevelInfo['points'] >= $candidate['amount']);
         $reachedByCount = (!$reachedByPoints
             and $candidate['method'] == 'infractions'
             and $priorInfractions + 1 >= $candidate['amount']);
         if (!$reachedByPoints and !$reachedByCount) {
             continue;
         }

         if ($candidate['liftdate'] == 0) {
             // a non-expiring ban cannot be beaten; stop searching
             $selected = $candidate;
             break;
         }

         // keep whichever expiring ban lasts longest
         if (empty($selected['liftdate']) or $candidate['liftdate'] > $selected['liftdate']) {
             $selected = $candidate;
         }
     }

     if (!$selected) {
         // nothing in the list applies
         return false;
     }

     $existingBan = $this->assertor->getRow('userban', array('userid' => $userInfo['userid']));
     if ($existingBan) {
         $existingIsPermanent = ($existingBan['liftdate'] == 0);
         $existingLastsLonger = ($existingBan['liftdate'] > $selected['liftdate'] and $selected['liftdate'] != 0);
         if ($existingIsPermanent or $existingLastsLonger) {
             // the user is already banned for longer than this ban would last
             return false;
         }
     }

     // A ban is due; refuse to apply it without a recorded reason.
     if (empty($data['banreason'])) {
         throw new vB_Exception_Api('invalid_banreason');
     }

     return $selected;
 }
コード例 #9
ファイル: moderation.php プロジェクト: 0hyeah/yurivn
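/**
 * Bans a user on behalf of the logged-in moderator or administrator.
 *
 * Reads usergroupid, period, reason and userid from the POST data, checks that
 * the caller may ban and that the target may be banned, writes (or updates)
 * the target's row in the userban table and moves the user into the chosen
 * banned usergroup.
 *
 * Every value that is concatenated into SQL as a bare number is cast to int
 * at the point of use, so the statements stay well-formed regardless of how
 * the value was produced upstream; string values go through escape_string().
 *
 * @return array array('success' => true) once the ban has been written
 */
function do_ban_user()
{
    global $vbulletin, $db, $vbphrase;
    require_once DIR . '/includes/functions_banning.php';
    require_once DIR . '/includes/adminfunctions.php';

    // NOTE(review): every check below relies on standard_error() ending the
    // request; nothing else here stops execution after a failed check - confirm.
    $canbanuser = ($vbulletin->userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel'] or can_moderate(0, 'canbanusers')) ? true : false;
    $canunbanuser = ($vbulletin->userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel'] or can_moderate(0, 'canunbanusers')) ? true : false;

    // check banning permissions
    if (!$canbanuser and !$canunbanuser) {
        standard_error(fetch_error('no_permission_ban_users'));
    }

    $vbulletin->input->clean_array_gpc('p', array('usergroupid' => TYPE_INT, 'period' => TYPE_STR, 'reason' => TYPE_NOHTML, 'userid' => TYPE_INT));
    $vbulletin->GPC['reason'] = prepare_remote_utf8_string($vbulletin->GPC['reason']);

    if (!$canbanuser) {
        standard_error(fetch_error('no_permission_ban_users'));
    }

    // check that the target usergroup is valid: it must exist and must be a banned group
    $bangroupid = $vbulletin->GPC['usergroupid'];
    if (!isset($vbulletin->usergroupcache[$bangroupid]) or $vbulletin->usergroupcache[$bangroupid]['genericoptions'] & $vbulletin->bf_ugp_genericoptions['isnotbannedgroup']) {
        standard_error(fetch_error('invalid_usergroup_specified'));
    }

    // check that the user exists; the id is cast again here so the query
    // does not depend on the input cleaner alone
    $targetid = (int) $vbulletin->GPC['userid'];
    $user = $db->query_first("
        SELECT user.*,
            IF(moderator.moderatorid IS NULL, 0, 1) AS ismoderator
        FROM " . TABLE_PREFIX . "user AS user
        LEFT JOIN " . TABLE_PREFIX . "moderator AS moderator ON(moderator.userid = user.userid AND moderator.forumid <> -1)
        WHERE user.userid = " . $targetid . "
    ");

    // unknown users and self-bans are rejected
    if (!$user or $user['userid'] == $vbulletin->userinfo['userid']) {
        standard_error(fetch_error('invalid_user_specified'));
    }

    if (is_unalterable_user($user['userid'])) {
        standard_error(fetch_error('user_is_protected_from_alteration_by_undeletableusers_var'));
    }

    cache_permissions($user);

    // Non-admins can't ban administrators, supermods or moderators
    if (!($vbulletin->userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel'])) {
        if ($user['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel'] or $user['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['ismoderator'] or $user['ismoderator']) {
            standard_error(fetch_error('no_permission_ban_non_registered_users'));
        }
    } else {
        // administrators can't ban other control panel users either
        if ($user['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel']) {
            standard_error(fetch_error('no_permission_ban_non_registered_users'));
        }
    }

    // check that the ban period is valid; the D modifier makes "$" match only at
    // the very end, so a value with a trailing newline is rejected as well
    if ($vbulletin->GPC['period'] != 'PERMANENT' and !preg_match('#^(D|M|Y)_[1-9][0-9]?$#D', $vbulletin->GPC['period'])) {
        standard_error(fetch_error('invalid_ban_period_specified'));
    }

    // if we've got this far all the incoming data is good
    if ($vbulletin->GPC['period'] == 'PERMANENT') {
        // make this ban permanent
        $liftdate = 0;
    } else {
        // get the unixtime for when this ban will be lifted
        $liftdate = (int) convert_date_to_timestamp($vbulletin->GPC['period']);
    }

    // numeric values used in the statements below
    $banuserid = (int) $user['userid'];
    $adminid = (int) $vbulletin->userinfo['userid'];

    // check to see if there is already a ban record for this user in the userban table
    if ($check = $db->query_first("SELECT userid, liftdate FROM " . TABLE_PREFIX . "userban WHERE userid = " . $banuserid)) {
        // shortening an existing ban counts as un-banning and needs that permission
        if ($liftdate and $liftdate < $check['liftdate']) {
            if (!($vbulletin->userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel']) and !can_moderate(0, 'canunbanusers')) {
                standard_error(fetch_error('no_permission_un_ban_users'));
            }
        }

        // there is already a record - just update this record
        $db->query_write("
            UPDATE " . TABLE_PREFIX . "userban SET
            bandate = " . TIMENOW . ",
            liftdate = " . $liftdate . ",
            adminid = " . $adminid . ",
            reason = '" . $db->escape_string($vbulletin->GPC['reason']) . "'
            WHERE userid = " . $banuserid . "
        ");
    } else {
        // insert a record into the userban table, keeping the user's current
        // group and title settings in it
        /*insert query*/
        $db->query_write("
            INSERT INTO " . TABLE_PREFIX . "userban
            (userid, usergroupid, displaygroupid, customtitle, usertitle, adminid, bandate, liftdate, reason)
            VALUES
            (" . $banuserid . ", " . (int) $user['usergroupid'] . ", " . (int) $user['displaygroupid'] . ", " . (int) $user['customtitle'] . ", '" . $db->escape_string($user['usertitle']) . "', " . $adminid . ", " . TIMENOW . ", " . $liftdate . ", '" . $db->escape_string($vbulletin->GPC['reason']) . "')
        ");
    }

    // update the user record
    // NOTE(review): ERRTYPE_SILENT presumably suppresses datamanager errors, in which
    // case a failed save() would still be reported as success below - confirm.
    $userdm =& datamanager_init('User', $vbulletin, ERRTYPE_SILENT);
    $userdm->set_existing($user);
    $userdm->set('usergroupid', $bangroupid);
    $userdm->set('displaygroupid', 0);

    // update the user's title if they've specified a special user title for the banned group
    if ($vbulletin->usergroupcache[$bangroupid]['usertitle'] != '') {
        $userdm->set('usertitle', $vbulletin->usergroupcache[$bangroupid]['usertitle']);
        $userdm->set('customtitle', 0);
    }

    $userdm->save();
    unset($userdm);

    return array('success' => true);
}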
コード例 #10
ファイル: inlinemod.php プロジェクト: hungnv0789/vhtm
			{
				if (can_moderate(0, '', $userinfo['userid'], $userinfo['usergroupid'] . (trim($userinfo['membergroupids']) ? ",$userinfo[membergroupids]" : ''))
					OR $userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel']
					OR $userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['ismoderator']
					OR is_unalterable_user($userinfo['userid']))
				{
					eval(standard_error(fetch_error('no_permission_ban_non_registered_users')));
				}
			}
		}
		else
		{
			foreach ($user_cache AS $userid => $userinfo)
			{
				if ($userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel']
					OR is_unalterable_user($userinfo['userid']))
				{
					eval(standard_error(fetch_error('no_permission_ban_non_registered_users')));
				}
			}
		}
	}
	($hook = vBulletinHook::fetch_hook('inlinemod_spam_permission')) ? eval($hook) : false;
}

if ($_POST['do'] == 'spamconfirm')
{
	$vbulletin->input->clean_array_gpc('p', array(
		'deleteother'     => TYPE_BOOL,
		'report'          => TYPE_BOOL,
		'useraction'      => TYPE_NOHTML,
コード例 #11
ファイル: user.php プロジェクト: hungnv0789/vhtm
				$vbphrase['post_count'],
				$vbphrase['last_activity'],
				$vbphrase['join_date'],
				'<input type="checkbox" name="allbox" onclick="js_check_all(this.form)" title="' . $vbphrase['check_all'] . '" checked="checked" />'
			), 1);

			// Build one table row per user in the result set.
			// NOTE(review): username, title and email are interpolated into the HTML below
			// with no escaping visible in this excerpt - confirm they are already
			// entity-encoded by the time they are read from the database.
			while ($user = $db->fetch_array($users))
			{
				$cell = array();
				$cell[] = $user['userid'];
				$cell[] = "<a href=\"user.php?" . $vbulletin->session->vars['sessionurl'] . "do=edit&u=$user[userid]\" target=\"_blank\">$user[username]</a><br /><span class=\"smallfont\">$user[title]" . ($user['moderatorid'] ? ", " . $vbphrase['moderator'] : "" ) . "</span>";
				$cell[] = "<a href=\"mailto:$user[email]\">$user[email]</a>";
				$cell[] = vb_number_format($user['posts']);
				$cell[] = vbdate($vbulletin->options['dateformat'], $user['lastactivity']);
				$cell[] = vbdate($vbulletin->options['dateformat'], $user['joindate']);
				// The acting user, members of usergroups 5 and 6, moderators and unalterable
				// users get a "no permission" button instead of a selectable checkbox.
				// NOTE(review): this only shapes the form; the handler that receives
				// users[...] has to repeat these exclusions server-side - confirm it does.
				if ($user['userid'] == $vbulletin->userinfo['userid'] OR $user['usergroupid'] == 6 OR $user['usergroupid'] == 5 OR $user['moderatorid'] OR is_unalterable_user($user['userid']))
				{
					$cell[] = '<input type="button" class="button" value=" ! " onclick="js_alert_no_permission()" />';
				}
				else
				{
					$cell[] = "<input type=\"checkbox\" name=\"users[$user[userid]]\" value=\"1\" checked=\"checked\" tabindex=\"1\" />";
				}
				print_cells_row($cell);
			}
			print_description_row('<center><span class="smallfont">
				<b>' . $vbphrase['action'] . ':
				<label for="dw_delete"><input type="radio" name="dowhat" value="delete" id="dw_delete" tabindex="1" />' . $vbphrase['delete'] . '</label>
				<label for="dw_move"><input type="radio" name="dowhat" value="move" id="dw_move" tabindex="1" />' . $vbphrase['move'] . '</label>
				<select name="movegroup" tabindex="1" class="bginput">' . $groupslist . '</select></b>
				</span></center>', 0, 7);
コード例 #12
ファイル: inlinemod.php プロジェクト: 0hyeah/yurivn
    // Authorization gate for the 'ban' user action: first the acting user's own
    // right to ban, then a per-target check over every user in $user_cache.
    // NOTE(review): the failure paths hand standard_error()'s return value to eval();
    // presumably standard_error() ends the request itself - confirm, because
    // nothing else here stops execution after a failed check.
    if ($vbulletin->GPC['useraction'] == 'ban') {
        require_once DIR . '/includes/adminfunctions.php';
        require_once DIR . '/includes/functions_banning.php';
        // The acting user needs control panel access or the 'canbanusers' moderator permission.
        if (!($vbulletin->userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel'] or can_moderate(0, 'canbanusers'))) {
            print_no_permission();
        }
        // check that user has permission to ban the person they want to ban
        if (!($vbulletin->userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel'])) {
            // Without control panel access: targets that pass can_moderate(), have the
            // cancontrolpanel or ismoderator admin bits, or are unalterable are refused.
            foreach ($user_cache as $userid => $userinfo) {
                if (can_moderate(0, '', $userinfo['userid'], $userinfo['usergroupid'] . (trim($userinfo['membergroupids']) ? ",{$userinfo['membergroupids']}" : '')) or $userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel'] or $userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['ismoderator'] or is_unalterable_user($userinfo['userid'])) {
                    eval(standard_error(fetch_error('no_permission_ban_non_registered_users')));
                }
            }
        } else {
            // With control panel access: targets with the cancontrolpanel bit and
            // unalterable users are still refused.
            foreach ($user_cache as $userid => $userinfo) {
                if ($userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel'] or is_unalterable_user($userinfo['userid'])) {
                    eval(standard_error(fetch_error('no_permission_ban_non_registered_users')));
                }
            }
        }
    }
    ($hook = vBulletinHook::fetch_hook('inlinemod_spam_permission')) ? eval($hook) : false;
}
if ($_POST['do'] == 'spamconfirm') {
    $vbulletin->input->clean_array_gpc('p', array('deleteother' => TYPE_BOOL, 'report' => TYPE_BOOL, 'useraction' => TYPE_NOHTML, 'userid' => TYPE_ARRAY_UINT, 'type' => TYPE_NOHTML, 'deletetype' => TYPE_UINT, 'deletereason' => TYPE_STR, 'keepattachments' => TYPE_BOOL));
    if (!empty($user_cache)) {
        // Calculate this regardless, real thread + post count is important.
        $additional_threads = $db->query_read_slave("SELECT COUNT(*) AS total, postuserid AS userid FROM " . TABLE_PREFIX . "thread WHERE postuserid IN (" . implode(', ', array_keys($user_cache)) . ") GROUP BY postuserid");
        while ($additional_thread = $db->fetch_array($additional_threads)) {
            $user_cache["{$additional_thread['userid']}"]['thread_count'] = intval($additional_thread['total']);
        }