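/**
 * Initialize view variables and check permissions.
 *
 * Looks up $view_id in the caller's $views[] list (the views this login may
 * use) and publishes the result through the globals $view_name (HTML-escaped)
 * and $view_type.  Side effects: sets $custom_view, may redirect (and exit)
 * when custom views are not allowed or no id was given, and sets $error to a
 * not-authorized message when the id is not one of this user's views.
 *
 * @param int $view_id id for the view
 */
function view_init($view_id) {
  global $views, $error, $login;
  global $ALLOW_VIEW_OTHER, $is_admin;
  global $view_name, $view_type, $custom_view;

  // Mark that we are inside a custom view page.
  $custom_view = true;

  // Custom views can show other users' calendars, so they are only available
  // when ALLOW_VIEW_OTHER is turned on; admins are exempt from that check.
  if ((empty($ALLOW_VIEW_OTHER) || $ALLOW_VIEW_OTHER == 'N') && !$is_admin) {
    // not allowed...
    send_to_preferred_view();
  }

  if (empty($view_id)) {
    do_redirect('views.php');
  }

  // Find the view in $views[].  Ids are compared as strings with === so that
  // loosely-equal request values such as "5.0" or "5e0" cannot match id 5.
  // A separate "found" flag is used so that a view whose name is blank is
  // still recognised as belonging to this user.
  $view_name = '';
  $view_type = '';
  $found = false;
  $wanted = (string) $view_id;
  if (is_array($views)) {
    foreach ($views as $view) {
      if ((string) $view['cal_view_id'] === $wanted) {
        $view_name = htmlspecialchars($view['cal_name']);
        $view_type = $view['cal_view_type'];
        $found = true;
        break;
      }
    }
  }

  // If the id is not in $views[], it does not belong to the current user.
  if (!$found) {
    $error = print_not_auth(34);
  }
}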
<?php /* $Id: edit_nonusers.php,v 1.23.2.6 2008/05/23 14:14:11 umcesrjones Exp $ */ include_once 'includes/init.php'; print_header(array('js/edit_nonuser.php/false'), '', '', true, '', true, false); if (!$is_admin) { echo print_not_auth(3, true) . ' </body> </html>'; exit; } if (!$NONUSER_PREFIX) { echo print_error_header() . translate('NONUSER_PREFIX not set') . '. </body> </html>'; exit; } $add = getValue('add'); $nid = getValue('nid'); // Adding/Editing nonuser calendar. if (($add == '1' || !empty($nid)) && empty($error)) { $userlist = user_get_users(); $button = translate('Add', true); $buttonAction = 'Add'; $nid = clean_html($nid); if (!empty($nid)) { nonuser_load_variables($nid, 'nonusertemp_'); $id_display = $nid . ' <input type="hidden" name="nid" value="' . $nid . '" />'; $button = translate('Save', true); $buttonAction = 'Save';
/**
 * Send an HTTP Basic authentication challenge and terminate the request.
 *
 * Emits a 401 response with a WWW-Authenticate header whose realm is the
 * application title, followed by a minimal HTML "not authorized" page.
 * When no language file is loaded ($lang_file empty) the title and messages
 * fall back to hard-coded English instead of translate().  Never returns.
 */
function send_http_login() {
  global $lang_file;

  $have_lang = strlen($lang_file) > 0;
  $title = $have_lang ? translate('Title') : 'WebCalendar';
  $unauthorized = $have_lang ? translate('Unauthorized') : 'Unauthorized';
  $not_authorized = $have_lang ? print_not_auth() : 'You are not authorized.';

  // Challenge first, then the status line; the realm is the (trusted) title.
  header('WWW-Authenticate: Basic realm="' . $title . '"');
  header('HTTP/1.0 401 Unauthorized');

  $page = send_doctype($unauthorized)
    . ' </head> <body> <h2>' . $title . '</h2> '
    . $not_authorized
    . ' </body> </html>';
  echo $page;
  exit;
}
if (!empty($nonuser_lookup[$row[0]])) { $found_nonuser_cal = true; } else { $found_reg_user = true; } } dbi_free_result($res); } // Does this event contain only nonuser calendars as participants? // If so, then grant access. if ($found_nonuser_cal && !$found_reg_user) { $can_view = true; } } if (empty($error) && !$can_view) { $error = print_not_auth(8); } } if (!empty($error)) { print_header(); echo print_error($error, true) . print_trailer(); exit; } $disp = $type == 'A' ? 'attachment' : 'inline'; // Print out data now. Header('Content-Length: ' . $size); Header('Content-Type: ' . $mimetype); $description = preg_replace("/\n\r\t+/", ' ', $description); Header('Content-Description: ' . $description); // Don't allow spaces in filenames. //$filename = preg_replace ( "/\n\r\t+/", "_", $filename );
for ($i = 0, $cnt = count($views); $i < $cnt; $i++) { if ($views[$i]['cal_view_id'] == $id) { $newview = false; $viewname = $views[$i]['cal_name']; if (empty($viewname)) { $viewname = $unnameViewStr; } $viewtype = $views[$i]['cal_view_type']; $viewisglobal = $views[$i]['cal_is_global']; } } } // If view_name not found, then the specified view id does not // belong to current user. if (empty($viewname)) { $error = print_not_auth(34); } // get list of users for this view $all_users = false; if (!$newview) { $res = dbi_execute('SELECT cal_login FROM webcal_view_user WHERE cal_view_id = ?', array($id)); if ($res) { while ($row = dbi_fetch_row($res)) { $viewuser[$row[0]] = 1; if ($row[0] == '__all__') { $all_users = true; } } dbi_free_result($res); } else { $error = db_error();
<?php /* $Id: nonusers_handler.php,v 1.23.2.5 2012/02/28 02:07:45 cknudsen Exp $ */ include_once 'includes/init.php'; require_valide_referring_url(); load_user_layers(); $nid = getValue('nid'); $old_admin = getValue('old_admin'); $nfirstname = getValue('nfirstname'); $nlastname = getValue('nlastname'); $nadmin = getValue('nadmin'); $ispublic = getValue('ispublic'); $action = getValue('action'); $delete = getValue('delete'); if (!$is_admin) { echo print_not_auth(3, true) . print_trailer(); exit; } $error = ''; if ($action == 'Delete' || $action == translate('Delete')) { // delete this nonuser calendar $user = $nid; // Get event ids for all events this user is a participant. $events = get_users_event_ids($user); // Now count number of participants in each event... // If just 1, then save id to be deleted. $delete_em = array(); for ($i = 0, $cnt = count($events); $i < $cnt; $i++) { $res = dbi_execute('SELECT COUNT( * ) FROM webcal_entry_user WHERE cal_id = ?', array($events[$i])); if ($res) {
// This error should get caught before here anyhow, // so no need to translate this. This is just in case. :-) $error = 'Invalid characters in login.'; } else { if (empty($user)) { // Username cannot be blank. This is currently the only place // that calls addUser that is located in $user_inc. $error = $blankUserStr; } else { user_add_user($user, $upassword1, $ufirstname, $ulastname, $uemail, $uis_admin, $u_enabled); activity_log(0, $login, $user, LOG_USER_ADD, "{$ufirstname} {$ulastname}" . (empty($uemail) ? '' : " <{$uemail}>")); } } } } else { if (!empty($add) && !access_can_access_function(ACCESS_USER_MANAGEMENT)) { $error = print_not_auth(15); } else { // Don't allow a user to change themself to an admin by setting // uis_admin in the URL by hand. They must be admin beforehand. if (!$is_admin) { $uis_admin = 'N'; } user_update_user($user, $ufirstname, $ulastname, $uemail, $uis_admin, $uenabled); activity_log(0, $login, $user, LOG_USER_UPDATE, "{$ufirstname} {$ulastname}" . (empty($uemail) ? '' : " <{$uemail}>")); } } } } } echo error_check('users.php', false);
$error = translate('You have not added any categories.'); } } } // Make sure user is a participant. $res = dbi_execute('SELECT cal_status FROM webcal_entry_user WHERE cal_id = ? AND cal_login = ?', array($id, $login)); if ($res) { if ($row = dbi_fetch_row($res)) { if ($row[0] == 'D') { // User deleted themself. $error = print_not_auth(31); } } else { // Not a participant for this event. $error = print_not_auth(32); } dbi_free_result($res); } else { $error = db_error(); } $cat_id = getValue('cat_id', '-?[0-9,\\-]*', true); $cat_ids = $cat_name = array(); $catNames = ''; // Get user's categories for this event. $globals_found = false; $categories = get_categories_by_id($id, $login, true); if (!empty($categories)) { $catNames = implode(', ', $categories); $keys = array_keys($categories); $catList = implode(',', $keys);
* this will include which functions the user can access and * (if $ALLOW_VIEW_OTHER is 'Y') which calendars thay can view/edit/approve * - update the database (form handler) * * Input Parameters: * user - specifies which user to manage, a form will be presented * that allows editing rights of this user * * access_N - where N is 0 to ACCESS_NUMBER_FUNCTIONS as defined in * includes/access.php. Each should be either 'Y' or 'N'. */ include_once 'includes/init.php'; require_valide_referring_url(); $allow_view_other = !empty($ALLOW_VIEW_OTHER) && $ALLOW_VIEW_OTHER == 'Y'; if (!access_is_enabled()) { echo print_not_auth(1); exit; } // translate ( 'Database error' ) $dbErrStr = translate('Database error XXX.'); $defConfigStr = translate('DEFAULT CONFIGURATION'); $goStr = ' </select> <input type="submit" value="' . translate('Go') . '" /> </form>'; $saveStr = translate('Save'); $undoStr = translate('Undo'); $saved = ''; // Are we handling the access form? // If so, do that, then redirect. // Handle function access first.
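// Remote access level for a named user.  This block only widens access for a
// non-public user: USER_REMOTE_ACCESS > 0 adds confidential ('C') entries and
// USER_REMOTE_ACCESS == 2 additionally adds private ('R') entries.
if (isset($USER_REMOTE_ACCESS) && $username != '__public__') {
  if ($USER_REMOTE_ACCESS > 0) {
    // plus confidential
    $allow_access[] = 'C';
  }
  if ($USER_REMOTE_ACCESS == 2) {
    // plus private
    $allow_access[] = 'R';
  }
}

user_load_variables($login, 'rss_');
$creator = $username == '__public__' ? 'Public' : $rss_fullname;

// A named user's feed is only served when that user has enabled RSS.
if ($username != '__public__' && (empty($USER_RSS_ENABLED) || $USER_RSS_ENABLED != 'Y')) {
  header('Content-Type: text/plain');
  echo print_not_auth(29);
  exit;
}

// Optional category filter.  getValue() restricts cat_id to -?[0-9]+, but the
// id still has to be one of the user's own categories: an unknown id used to
// trigger an undefined-index warning.  $category stays null in that case,
// exactly as before, and $cat_id is left untouched.
$cat_id = '';
if ($CATEGORIES_ENABLED == 'Y') {
  $x = getValue('cat_id', '-?[0-9]+', true);
  if (!empty($x)) {
    load_user_categories();
    $cat_id = $x;
    $category = isset($categories[$cat_id]['cat_name'])
      ? $categories[$cat_id]['cat_name']
      : null;
  }
}

if ($load_layers) {
  load_user_layers($username);
}
// Calculate date range.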
if ($allow_user_override) { $username = getValue('user'); if (empty($username)) { $username = '******'; } } else { if (getValue('user') != '') { $error = print_not_auth(); } } // Set for use elsewhere as a global $login = $username; // Load user preferences for DISPLAY_UNAPPROVED load_user_preferences(); if ($public_must_be_enabled && $PUBLIC_ACCESS != 'Y') { $error = print_not_auth(21); } if ($error == '') { if ($allow_user_override) { $u = getValue('user', "[A-Za-z0-9_\\.=@,\\-]+", true); if (!empty($u)) { $username = $u; $login = $u; $TIMEZONE = get_pref_setting($username, 'TIMEZONE'); $DISPLAY_UNAPPROVED = get_pref_setting($username, 'DISPLAY_UNAPPROVED'); $DISPLAY_TASKS_IN_GRID = get_pref_setting($username, 'DISPLAY_TASKS_IN_GRID'); // We also set $login since some functions assume that it is set. } } $get_unapproved = !empty($DISPLAY_UNAPPROVED) && $DISPLAY_UNAPPROVED == 'Y'; if ($CATEGORIES_ENABLED == 'Y') {
<?php /* $Id: select_user.php,v 1.35.2.2 2008/02/12 01:47:52 cknudsen Exp $ */ include_once 'includes/init.php'; print_header(); echo ' <h2>' . translate('View Another Users Calendar') . '</h2>'; if ($ALLOW_VIEW_OTHER != 'Y' && !$is_admin) { $error = print_not_auth(7); echo ' <blockquote>' . $error . '</blockquote>'; } else { if ($PUBLIC_ACCESS == 'Y' && $login == '__public__' && $PUBLIC_ACCESS_OTHERS != 'Y') { $error = print_not_auth(35); echo ' <blockquote>' . $error . '</blockquote>'; } else { $userlist = get_my_users('', 'view'); if ($NONUSER_ENABLED == 'Y') { $nonusers = get_my_nonusers($login, true); $userlist = $NONUSER_AT_TOP == 'Y' ? array_merge($nonusers, $userlist) : array_merge($userlist, $nonusers); } if (strstr($STARTVIEW, 'view')) { $url = 'month.php'; } else { $url = $STARTVIEW; if ($url == 'month' || $url == 'day' || $url == 'week' || $url == 'year') { $url .= '.php'; } } ob_start();
$editLayerStr = translate('Edit layer'); $editStr = translate('Edit'); $deleteStr = translate('Delete'); $deleteLayerStr = translate('Delete layer'); $areYouSureStr = translate('Are you sure you want to delete this XXX?'); $sourceStr = translate('Source'); $colorStr = translate('Color'); $duplicatesStr = translate('Duplicates'); $noStr = translate('No'); $yesStr = translate('Yes'); $disabledStr = translate('Disabled'); $enableLayersStr = translate('Enable layers'); print_header(); ob_start(); if ($ALLOW_VIEW_OTHER != 'Y') { echo print_not_auth(7); } else { echo ' <h2>' . ($updating_public ? translate($PUBLIC_ACCESS_FULLNAME) . ' ' : '') . translate('Layers') . ' <img src="images/help.gif" alt="' . translate('Help') . '" class="help" onclick="window.open( ' . '\'help_layers.php\', \'cal_help\', \'dependent,menubar,scrollbars,' . 'height=400,width=400,innerHeight=420,outerWidth=420\' );" /></h2> ' . display_admin_link() . translate('Layers are currently') . ' <strong>'; if ($layers_enabled) { echo translate('Enabled') . '</strong>. (<a class="nav" ' . 'href="layers_toggle.php?status=off' . $u_url . '">' . translate('Disable Layers') . '</a>)<br />' . ($is_admin && empty($public) && (!empty($PUBLIC_ACCESS) && $PUBLIC_ACCESS == 'Y') ? ' <blockquote> <a href="layers.php?public=1">' . translate('Click here') . ' ' . translate('to modify the layers settings for the') . ' ' . translate($PUBLIC_ACCESS_FULLNAME) . ' ' . translate('calendar') . '.</a> </blockquote>' : '') . ' <a href="edit_layer.php' . ($updating_public ? '?public=1' : '') . '">' . translate('Add layer') . '</a><br />'; $layer_count = 1; if ($layers) { foreach ($layers as $layer) { user_load_variables($layer['cal_layeruser'], 'layer'); echo '
* "Advanced Search" adds the ability to search other users' calendars. * We do a number of security checks to make sure this is allowed. * * @author Craig Knudsen <*****@*****.**> * @copyright Craig Knudsen, <*****@*****.**>, http://www.k5n.us/cknudsen * @license http://www.gnu.org/licenses/gpl.html GNU GPL * @package WebCalendar * @version $Id: search_handler.php,v 1.46.2.8 2012/02/28 02:07:45 cknudsen Exp $ */ include_once 'includes/init.php'; require_valide_referring_url(); $error = ''; // Disable if public access and OVERRIDE_PUBLIC in use if ($login == '__public__' && !empty($OVERRIDE_PUBLIC) && $OVERRIDE_PUBLIC == 'Y') { print_header(); echo print_not_auth(); print_trailer(); exit; } $keywords = getValue('keywords'); $advanced = getValue('advanced'); if (strlen($keywords) == 0) { $error = translate('You must enter one or more search keywords') . '.'; } $matches = 0; // Determine if this user is allowed to search the calendar of other users $search_others = false; // show "Advanced Search" if ($single_user == 'Y') { $search_others = false; }
$pass_length = 8; $salt = 'abchefghjkmnpqrstuvwxyz0123456789'; srand((double) microtime() * 1000000); $i = 0; while ($i < $pass_length) { $pass .= substr($salt, rand() % 33, 1); $i++; } return $pass; } $uemail = $ufirstname = $ulastname = $upassword1 = $upassword2 = $user = ''; // We can limit what domain is allowed to self register. // $self_registration_domain should have this format "192.168.220.0:255.255.240.0"; $valid_ip = validate_domain(); if (empty($valid_ip)) { $error = print_not_auth(36); } // We could make $control a unique value if necessary. $control = getPostValue('control'); if (empty($error) && !empty($control)) { $uemail = getPostValue('uemail'); $ufirstname = getPostValue('ufirstname'); $uis_admin = 'N'; $ulastname = getPostValue('ulastname'); $user = trim(getPostValue('user')); // translate ( 'Illegal characters in login' ) if ($user != addslashes($user)) { $error = str_replace('XXX', htmlentities($user), translate('Illegal characters in login XXX.')); } // Check to make sure user doesn't already exist. check_username($user);
if (empty($user)) { // asking to create a new user if (!$is_admin) { // must be admin... if (!access_can_access_function(ACCESS_USER_MANAGEMENT)) { $error = print_not_auth(15); } } if (!$admin_can_add_user) { // if adding users is not allowed... $error = print_not_auth(16); } } else { // User is editing their account info if (!access_can_access_function(ACCESS_ACCOUNT_INFO)) { $error = print_not_auth(17); } } $disableCustom = true; $INC = array('js/edit_user.php/false'); print_header($INC, '', '', $disableCustom, '', true, false); if (!empty($error)) { echo print_error($error); } else { ?> <table> <tr><td style="vertical-align:top; width:50%;"> <h2><?php if (!empty($user)) { user_load_variables($user, 'u'); echo translate('Edit User');
$_SERVER['PHP_AUTH_PW'] = $_SERVER['PHP_AUTH_USER'] = ''; unset($_SERVER['PHP_AUTH_USER']); unset($_SERVER['PHP_AUTH_PW']); header('WWW-Authenticate: Basic realm="' . $appStr . '"'); header('HTTP/1.0 401 Unauthorized'); exit; } } load_global_settings(); load_user_preferences(); $WebCalendar->setLanguage(); // Load user name, etc. user_load_variables($login, ''); // Make sure the have privileges to access the activity log if (!$is_admin || access_is_enabled() && !access_can_access_function(ACCESS_ACTIVITY_LOG)) { die_miserable_death(print_not_auth(2)); } $charset = empty($LANGUAGE) ? 'iso-8859-1' : translate('charset'); // This should work ok with RSS, may need to hardcode fallback value. $lang = languageToAbbrev($LANGUAGE == 'Browser-defined' || $LANGUAGE == 'none' ? $lang : $LANGUAGE); if ($lang == 'en') { $lang = 'en-us'; } //the RSS 2.0 default. $appStr = generate_application_name(); $descr = $appStr . ' - ' . translate('Activity Log'); // header ( 'Content-type: application/rss+xml'); header('Content-type: text/xml'); echo '<?xml version="1.0" encoding="' . $charset . '"?> <rss version="2.0" xml:lang="' . $lang . '"> <channel>
$user = preg_replace('/\\.[iI][fF][bB]$/', '', $user); } if ($user == 'public') { $user = '******'; } load_global_settings(); // Load user preferences (to get the DISPLAY_UNAPPROVED and // FREEBUSY_ENABLED pref for this user). $login = $user; load_user_preferences(); $WebCalendar->setLanguage(); // Load user name, etc. user_load_variables($user, 'publish_'); if (empty($FREEBUSY_ENABLED) || $FREEBUSY_ENABLED != 'Y') { header('Content-Type: text/plain'); echo 'user='******'No user specified.'); if (empty($user)) { die_miserable_death($no_user); } $get_unapproved = false; $datem = date('m'); $dateY = date('Y'); // Start date is beginning of this month. $startdate = mktime(0, 0, 0, $datem, 0, $dateY); // End date is one year from now. // Seems kind of arbitrary, eh? $enddate = mktime(0, 0, 0, $datem, 1, $dateY + 1);
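$nouser = translate('No user specified');

// Make sure they specified a username.
if (empty($user)) {
  echo send_doctype($errorStr);
  echo <<<EOT
</head>
<body>
<h2>{$errorStr}</h2>
{$nouser}.
</body>
</html>
EOT;
  exit;
}

// Load user preferences (to get the USER_PUBLISH_ENABLED and
// DISPLAY_UNAPPROVED setting for this user).
$login = $user;
load_user_preferences();

// Publishing has to be switched on by the calendar owner; refuse otherwise.
if (empty($USER_PUBLISH_ENABLED) || $USER_PUBLISH_ENABLED != 'Y') {
  header('Content-Type: text/plain');
  echo print_not_auth(25);
  exit;
}

// Load user name, etc.
user_load_variables($user, 'publish_');

header('Content-Type: text/calendar');

// $user is set earlier in this script (not visible here), so do not rely on
// it having been validated.  The quoted filename parameter must not contain
// '"', '\' or control characters (CR/LF would make PHP drop the header
// entirely), so strip them before building the header.
$safe_name = preg_replace('/[\x00-\x1f\x7f"\\\\]/', '', $user);
header('Content-Disposition: attachment; filename="' . $safe_name . '.ics"');

$use_all_dates = true;
$type = 'publish';
export_ical();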
<p><a title="' . $addStr . '" href="' . $addurl . '" class="nav">' . $addStr . '</a></p>'; dbi_free_result($res); } else { $error = $invalidID; } } // Load the specified report. if (empty($error) && empty($list)) { $res = dbi_execute('SELECT cal_login, cal_report_id, cal_is_global, cal_report_type, cal_include_header, cal_report_name, cal_time_range, cal_user, cal_allow_nav, cal_cat_id, cal_include_empty, cal_update_date FROM webcal_report WHERE cal_report_id = ?', array($report_id)); if ($res) { if ($row = dbi_fetch_row($res)) { if ($row[2] != 'Y' && $login != $row[0]) { $error = print_not_auth(14); } else { $i = 0; $report_login = $row[$i++]; $report_id = $row[$i++]; $report_is_global = $row[$i++]; $report_type = $row[$i++]; $report_include_header = $row[$i++]; $report_name = $row[$i++]; $report_time_range = $row[$i++]; $test_report_user = $row[$i++]; // If this report type specifies a specific user, // then we will use that user even if a user was passed in via URL. if (!empty($test_report_user)) { $report_user = $test_report_user; }
<?php /* $Id: layers_toggle.php,v 1.29.2.2 2008/03/11 13:57:24 cknudsen Exp $ */ include_once 'includes/init.php'; load_user_layers(); $status = getValue('status', '(on|off)', true); $public = getValue('public'); if ($ALLOW_VIEW_OTHER != 'Y') { print_header(); echo print_not_auth(7) . print_trailer(); exit; } $updating_public = false; $url = 'layers.php'; if ($is_admin && !empty($public) && $PUBLIC_ACCESS == 'Y') { $updating_public = true; $layer_user = '******'; $url .= '?public=1'; } else { $layer_user = $login; } dbi_execute('DELETE FROM webcal_user_pref WHERE cal_login = ? AND cal_setting = \'LAYERS_STATUS\'', array($layer_user)); $sql = 'INSERT INTO webcal_user_pref ( cal_login, cal_setting, cal_value ) VALUES ( ?, \'LAYERS_STATUS\', ? )'; if (!dbi_execute($sql, array($layer_user, $status == 'off' ? 'N' : 'Y'))) { $error = translate('Unable to update preference') . ': ' . dbi_error() . '<br /><br /><span class="bold">SQL:</span> ' . $sql; break; } if (empty($error)) { do_redirect($url);
* @version $Id: edit_remotes.php,v 1.17.2.4 2007/11/12 20:47:48 umcesrjones Exp $ * @package WebCalendar * @subpackage Edit Remotes * * Security * $REMOTES_ENABLED must be enabled under System Settings and if * if UAC is enabled, then the user must be allowed to ACCESS_IMPORT. */ include_once 'includes/init.php'; print_header(array('js/edit_remotes.php/false', 'js/visible.php'), '', '', true); $error = ''; if (!$NONUSER_PREFIX) { $error = translate('NONUSER_PREFIX not set'); } if ($REMOTES_ENABLED != 'Y' || access_is_enabled() && !access_can_access_function(ACCESS_IMPORT)) { $error = print_not_auth(11); } if ($error) { echo print_error($error) . ' </body> </html>'; exit; } $add = getValue('add'); $nid = getValue('nid'); // Adding/Editing remote calendar. if (($add == '1' || !empty($nid)) && empty($error)) { $userlist = get_nonuser_cals($login, true); if (empty($nid)) { $id_display = '<input type="text" name="nid" id="nid" size="20" ' . 'maxlength="20" onchange="check_name();" /> ' . translate('word characters only'); $lableStr = translate('Add Remote Calendar');