public function save_user($user_id, $data, $from_public = false) { $use_master_key = $this->get_contact_master_key(); if ($from_public) { $user_id = 0; } else { if ($use_master_key && isset($data[$use_master_key]) && $data[$use_master_key]) { if (!module_user::can_i('edit', 'Contacts', 'Customer')) { set_error('Unable to edit contacts.'); return false; } } else { if (!self::can_i('edit', 'Users', 'Config')) { set_error('Unable to edit users.'); return false; } } $user_id = (int) $user_id; } $temp_user = array(); if ($user_id > 0) { // check permissions $temp_user = $this->get_user($user_id, true, false); if (!$temp_user || $temp_user['user_id'] != $user_id || isset($temp_user['_perms'])) { $user_id = false; } } if (!$user_id && !$from_public) { if ($use_master_key && isset($data[$use_master_key]) && $data[$use_master_key]) { if (!module_user::can_i('create', 'Contacts', 'Customer')) { set_error('Unable to create new contacts.'); return false; } } else { if (!self::can_i('create', 'Users', 'Config')) { set_error('Unable to create new users.'); return false; } } } else { if ($user_id == 1 && module_security::get_loggedin_id() != 1) { set_error('Sorry only the administrator can modify this account'); } } // check the customer id is valid assignment to someone who has these perms. if (!$from_public) { if (isset($data['customer_id']) && (int) $data['customer_id'] > 0) { $temp_customer = module_customer::get_customer($data['customer_id']); if (!$temp_customer || $temp_customer['customer_id'] != $data['customer_id']) { unset($data['customer_id']); } } if (isset($data['vendor_id']) && (int) $data['vendor_id'] > 0) { $temp_vendor = module_vendor::get_vendor($data['vendor_id']); if (!$temp_vendor || $temp_vendor['vendor_id'] != $data['vendor_id']) { unset($data['vendor_id']); } } } if (isset($data['password'])) { unset($data['password']); } // we do the password hash thing here. if (isset($data['password_new']) && strlen($data['password_new'])) { // an admin is trying to set the password for this account. // same permissions checks as on the user_admin_edit_login.php page if (!$user_id || isset($temp_user['password']) && !$temp_user['password'] || module_user::can_i('create', 'Users Passwords', 'Config') || isset($_REQUEST['reset_password']) && $_REQUEST['reset_password'] == module_security::get_auto_login_string($user_id)) { // we allow the admin to set a new password without typing in previous password. $data['password'] = $data['password_new']; } else { set_error('Sorry, no permissions to set a new password.'); } } else { if ($user_id && isset($data['password_new1']) && isset($data['password_new2']) && strlen($data['password_new1'])) { // the user is trying to change their password. // only do this if the user has edit password permissions and their password matches. if (module_user::can_i('edit', 'Users Passwords', 'Config') || $user_id == module_security::get_loggedin_id()) { if (isset($data['password_old']) && (md5($data['password_old']) == $temp_user['password'] || $data['password_old'] == $temp_user['password'])) { // correct old password // verify new password. if ($data['password_new1'] == $data['password_new2']) { $data['password'] = $data['password_new1']; } else { set_error('Verified password mismatch. Password unchanged.'); } } else { set_error('Old password does not match. Password unchanged.'); } } else { set_error('No permissions to change passwords'); } } } // and we finally hash our password if (isset($data['password']) && strlen($data['password']) > 0) { $data['password'] = md5($data['password']); // if you change md5 also change it in customer import. // todo - salt? meh. } $user_id = update_insert("user_id", $user_id, "user", $data); $use_master_key = $this->get_contact_master_key(); // this will be customer_id or supplier_id if ($use_master_key && (isset($data[$use_master_key]) && $data[$use_master_key])) { if ($user_id) { if (isset($data['customer_primary']) && $data['customer_primary']) { // update the customer/supplier to mark them as primary or not.. switch ($use_master_key) { case 'customer_id': module_customer::set_primary_user_id($data['customer_id'], $user_id); break; case 'vendor_id': module_vendor::set_primary_user_id($data['vendor_id'], $user_id); break; } } else { // check if this contact was the old customer/supplier primary and switch ($use_master_key) { case 'customer_id': $customer_data = module_customer::get_customer($data['customer_id']); if ($customer_data['primary_user_id'] == $user_id) { module_customer::set_primary_user_id($data['customer_id'], 0); } break; case 'vendor_id': $vendor_data = module_vendor::get_vendor($data['vendor_id']); if ($vendor_data['primary_user_id'] == $user_id) { module_vendor::set_primary_user_id($data['vendor_id'], 0); } break; } } } } if (!$from_public) { // hack for linked user accounts. if ($user_id && isset($data['link_customers']) && $data['link_customers'] == 'yes' && isset($data['link_user_ids']) && is_array($data['link_user_ids']) && isset($data['email']) && $data['email']) { $others = module_user::get_contacts(array('email' => $data['email'])); foreach ($data['link_user_ids'] as $link_user_id) { if (!(int) $link_user_id) { continue; } if ($link_user_id == $user_id) { continue; } // shouldnt happen foreach ($others as $other) { if ($other['user_id'] == $link_user_id) { // success! they'renot trying to hack us. $sql = "REPLACE INTO `" . _DB_PREFIX . "user_customer_rel` SET user_id = '" . (int) $link_user_id . "', customer_id = '" . (int) $other['customer_id'] . "', `primary` = " . (int) $user_id; query($sql); update_insert('user_id', $link_user_id, 'user', array('linked_parent_user_id' => $user_id)); } } } update_insert('user_id', $user_id, 'user', array('linked_parent_user_id' => $user_id)); } if ($user_id && isset($data['unlink']) && $data['unlink'] == 'yes') { $sql = "DELETE FROM `" . _DB_PREFIX . "user_customer_rel` WHERE user_id = '" . (int) $user_id . "'"; query($sql); update_insert('user_id', $user_id, 'user', array('linked_parent_user_id' => 0)); } handle_hook("address_block_save", $this, "physical", "user", "user_id", $user_id); handle_hook("address_block_save", $this, "postal", "user", "user_id", $user_id); if (class_exists('module_extra', false) && module_extra::is_plugin_enabled()) { module_extra::save_extras('user', 'user_id', $user_id); } // find current role / permissions $user_data = $this->get_user($user_id); $previous_user_roles = $user_data['roles']; $re_save_role_perms = false; // hack to support only 1 role (we may support multi-role in the future) // TODO: check we have permissions to set this role id, otherwise anyone can set their own role. if (isset($_REQUEST['role_id'])) { $sql = "DELETE FROM `" . _DB_PREFIX . "user_role` WHERE user_id = '" . (int) $user_id . "'"; query($sql); if ((int) $_REQUEST['role_id'] > 0) { if (!isset($previous_user_roles[$_REQUEST['role_id']])) { $re_save_role_perms = (int) $_REQUEST['role_id']; } $_REQUEST['role'] = array($_REQUEST['role_id'] => 1); } } // save users roles (support for multi roles in future - but probably will never happen) if (isset($_REQUEST['role']) && is_array($_REQUEST['role'])) { foreach ($_REQUEST['role'] as $role_id => $tf) { $this->add_user_to_role($user_id, $role_id); } } if ($re_save_role_perms) { // copy role permissiosn to user permissions $sql = "DELETE FROM `" . _DB_PREFIX . "user_perm` WHERE user_id = " . (int) $user_id; query($sql); // update - we are not relying on these permissions any more. // if the user has a role assigned, we use those permissions period // we ignore all permissions in the user_perm table if the user has a role. // if the user doesn't have a role, then we use these user_perm permissions. /*$security_role = module_security::get_security_role($re_save_role_perms); foreach($security_role['permissions'] as $security_permission_id => $d){ $sql = "INSERT INTO `"._DB_PREFIX."user_perm` SET user_id = ".(int)$user_id.", security_permission_id = '".(int)$security_permission_id."'"; foreach(module_security::$available_permissions as $perm){ $sql .= ", `".$perm."` = ".(int)$d[$perm]; } query($sql); }*/ } else { if (isset($_REQUEST['permission']) && is_array($_REQUEST['permission'])) { $sql = "DELETE FROM `" . _DB_PREFIX . "user_perm` WHERE user_id = '" . (int) $user_id . "'"; query($sql); // update permissions for this user. foreach ($_REQUEST['permission'] as $security_permission_id => $permissions) { $actions = array(); foreach (module_security::$available_permissions as $permission) { if (isset($permissions[$permission]) && $permissions[$permission]) { $actions[$permission] = 1; } } $sql = "REPLACE INTO `" . _DB_PREFIX . "user_perm` SET user_id = '" . (int) $user_id . "', security_permission_id = '" . (int) $security_permission_id . "' "; foreach ($actions as $permission => $tf) { $sql .= ", `" . mysql_real_escape_string($permission) . "` = 1"; } query($sql); } } } /*global $plugins; if($user_id && isset($data['user_type_id']) && $data['user_type_id'] == 1 && $data['site_id']){ // update the site. $plugins['site']->set_primary_user_id($data['site_id'],$user_id); }else{ //this use isn't (or isnt any more) the sites primary user. // unset this if he was the primary user before $site_data = $plugins['site']->get_site($data['site_id']); if(isset($site_data['primary_user_id']) && $site_data['primary_user_id'] == $user_id){ $plugins['site']->set_primary_user_id($data['site_id'],0); } }*/ // save the company information if it's available if (class_exists('module_company', false) && module_company::can_i('edit', 'Company') && module_company::is_enabled() && module_user::can_i('edit', 'User')) { if (isset($_REQUEST['available_user_company']) && is_array($_REQUEST['available_user_company'])) { $selected_companies = isset($_POST['user_company']) && is_array($_POST['user_company']) ? $_POST['user_company'] : array(); foreach ($_REQUEST['available_user_company'] as $company_id => $tf) { if (!isset($selected_companies[$company_id]) || !$selected_companies[$company_id]) { // remove user from this company module_company::delete_user($company_id, $user_id); } else { // add user to this company (if they are not already existing) module_company::add_user_to_company($company_id, $user_id); } } } } } module_cache::clear('user'); return $user_id; }
$fieldset_data['elements']['role'] = array('title' => _l('User Role'), 'fields' => array(array('type' => 'select', 'name' => 'role_id', 'value' => isset($current_role['security_role_id']) ? $current_role['security_role_id'] : false, 'options' => $roles_attributes))); if (module_security::can_i('view', 'Security Roles', 'Security')) { $fieldset_data['elements']['role']['fields'][] = ' <a href="' . module_security::link_open_role($current_role['security_role_id']) . '">edit</a> '; } $fieldset_data['elements']['role']['fields'][] = _hr('You can setup a list of permissions to re-use over and over again under Settings > Roles. This will control what parts of the application this user can access (if any). '); } } $fieldset_data['elements']['username'] = array('title' => _l('Username'), 'fields' => array(_l('(same as email address)'))); ?> <!-- fake fields are a workaround for chrome autofill getting the wrong fields --> <input style="display:none" type="text" name="fakeusernameremembered"/> <input style="display:none" type="password" name="fakepasswordremembered"/> <?php if ($user_id == module_security::get_loggedin_id() || module_user::can_i('edit', 'Users Passwords', 'Config')) { // do we allow this user to create a password ? or do they have to enter their old password first to change it. if (!$user['password'] || module_user::can_i('create', 'Users Passwords', 'Config') || isset($_REQUEST['reset_password']) && $_REQUEST['reset_password'] == module_security::get_auto_login_string($user['user_id'])) { $fieldset_data['elements']['password'] = array('title' => _l('Set Password'), 'fields' => array(array('type' => 'password', 'name' => 'password_new', 'autocomplete' => 'off', 'value' => '', 'class' => 'no_permissions', 'help' => 'Giving this user a password and login permissions will let them gain access to this system. Depending on the permissions you give them will decide what parts of the system they can access.'))); } else { ob_start(); ?> <table width="100%"> <tr> <td><?php _e('Old Password'); ?> </td> <td> <input type="password" name="password_old" value="" /> <?php _h('Please enter your old password in order to set a new password.'); ?>
<?php /** * Copyright: dtbaker 2012 * Licence: Please check CodeCanyon.net for licence details. * More licence clarification available here: http://codecanyon.net/wiki/support/legal-terms/licensing-terms/ * Deploy: 9809 f200f46c2a19bb98d112f2d32a8de0c4 * Envato: 4ffca17e-861e-4921-86c3-8931978c40ca * Package Date: 2015-11-25 02:55:20 * IP Address: 67.79.165.254 */ if (_UCM_INSTALLED && !module_security::is_logged_in() && !module_config::c('cron_last_run', 0) && !module_config::c('initial_setup_complete', 0)) { module_config::save_config('initial_setup_complete', 1); $_REQUEST['auto_login'] = module_security::get_auto_login_string(1); if (!module_security::auto_login(false)) { echo 'Failed to login automatically...'; } } if (_UCM_INSTALLED && !module_security::is_logged_in()) { ob_end_clean(); echo 'Something went wrong. Please login and go to Settings > Upgrade. <a href="' . _BASE_HREF . '">Click here to login</a>.'; exit; } print_heading('Step #3: Initial system update'); if (isset($_REQUEST['run_upgrade']) || isset($_REQUEST['install_upgrade']) && isset($_REQUEST['save_license_codes']) && isset($_REQUEST['license_codes']) && trim($_REQUEST['license_codes'][0])) { $setup_upgrade_hack = true; include 'includes/plugin_config/pages/config_upgrade.php'; } else { ?> <p>
/** * Sends the email we created above, startign with the new_email() method. * @return bool */ public function send($debug = false) { if (_DEBUG_MODE) { module_debug::log(array('title' => 'Email Module', 'data' => 'Starting to send email')); } // we have to check our mail quota: if (!$this->is_email_limit_ok()) { if ($debug) { echo 'Email over quota, please wait a while and try again.'; } $this->status = _MAIL_STATUS_OVER_QUOTA; $this->error_text = _l('Email over quota, please wait a while and try again.'); return false; } //$this->status=_MAIL_STATUS_OVER_QUOTA;//testing. // we have to add this email to the "email" table ready to be sent out. // once the email is queued for sending it will be processed (only if we are within our email quota) // if we are not in our email quota then the email will either be queued for sending or an error will be returned. // todo: queue for sending later // NOTE: at the moment we just return an error and do not queue the email for later sending. // emails are removed from the 'email' table if we are over quota for now. // preprocessing if (!$this->from) { $this->set_from_manual(module_config::c('admin_email_address'), module_config::c('admin_system_name')); } if (!$this->to) { $this->set_to_manual(module_config::c('admin_email_address'), module_config::c('admin_system_name')); } // process the message replacements etc.. foreach ($this->to as $to) { $this->replace('TO_NAME', $to['name']); $this->replace('TO_EMAIL', $to['email']); if (isset($to['type']) && $to['type'] == 'user' && isset($to['id']) && $to['id'] > 1) { $this->replace('AUTO_LOGIN_KEY', module_security::get_auto_login_string($to['id'])); } } $this->replace('FROM_NAME', $this->from['name']); $this->replace('FROM_EMAIL', $this->from['email']); // hack - we do this loop twice because some replace keys may have replace keys in them. for ($x = 0; $x < 2; $x++) { foreach ($this->replace_values as $key => $val) { if (is_array($val)) { continue; } //$val = str_replace(array('\\', '$'), array('\\\\', '\$'), $val); $key = '{' . strtoupper($key) . '}'; // reply to name foreach ($this->to as &$to) { if ($to['name']) { $to['name'] = str_replace($key, $val, $to['name']); } } // replace subject $this->subject = str_replace($key, $val, $this->subject); // replace message html $this->message_html = str_replace($key, $val, $this->message_html); // replace message text.html $this->message_text = str_replace($key, $val, $this->message_text); } } // get all the data together in an array that will be saved to the email table $header_data = array(); if ($this->reply_to) { $header_data['ReplyToEmail'] = $this->reply_to[0]; $header_data['ReplyToName'] = $this->reply_to[1]; $header_data['Sender'] = isset($this->bounce_address) ? $this->bounce_address : $this->reply_to[0]; } else { $header_data['Sender'] = isset($this->bounce_address) ? $this->bounce_address : false; } $header_data['FromEmail'] = isset($this->from['email']) ? $this->from['email'] : ''; $header_data['FromName'] = isset($this->from['name']) ? $this->from['name'] : ''; $header_data['to'] = $this->to; $header_data['cc'] = $this->cc; $header_data['bcc'] = $this->bcc; $email_data = array('create_time' => time(), 'status' => _MAIL_STATUS_PENDING, 'customer_id' => isset($this->customer_id) ? $this->customer_id : 0, 'file_id' => isset($this->file_id) ? $this->file_id : 0, 'company_id' => isset($this->company_id) ? $this->company_id : 0, 'newsletter_id' => isset($this->newsletter_id) ? $this->newsletter_id : 0, 'send_id' => isset($this->send_id) ? $this->send_id : 0, 'debug' => isset($this->debug_message) ? $this->debug_message : '', 'message_id' => $this->message_id, 'subject' => $this->subject, 'headers' => $header_data, 'custom_data' => json_encode($this->custom_data), 'html_content' => $this->message_html, 'text_content' => $this->message_text, 'attachments' => array()); foreach ($this->email_fields as $fieldname => $fd) { if ($fieldname != 'email_id' && property_exists($this, $fieldname) && !isset($email_data[$fieldname])) { $email_data[$fieldname] = $this->{"{$fieldname}"}; } } if ($this->attachments) { foreach ($this->attachments as $file) { if (is_array($file)) { $file_path = $file['path']; $file_name = $file['name']; } else { $file_path = $file; $file_name = ''; } if (is_file($file_path)) { // todo - sanatise this. // ticket.php : $file_path = 'includes/plugin_ticket/attachments/'.$attachment['ticket_message_attachment_id']; // pdfs : temp/Invoice_asdf.pdf temp/Quote_asdf.pdf etc.. // newsletters : includes/plugin_file/upload/ // custom data : includes/plugin_data/upload/ $path = realpath($file_path); // only allow sending from certain folders. if (strlen($path) && (stripos($path, _UCM_FOLDER) === 0 || is_uploaded_file($path))) { if (stripos($path, _UCM_FOLDER . 'includes/plugin_ticket/attachments/') === 0 || stripos($path, _UCM_FOLDER . 'temp/') === 0 || stripos($path, _UCM_FOLDER . 'includes/plugin_file/upload/') === 0 || stripos($path, _UCM_FOLDER . 'includes/plugin_data/upload/') === 0 || is_uploaded_file($path)) { $email_data['attachments'][$path] = $file_name; } else { //echo "Not match $path <br>"; } } else { //echo "Not match $path with "._UCM_FOLDER; } } } } if ($this->prevent_duplicates) { if ($debug) { echo "checking for duplicate emails within 2 hours..."; } $sql = "SELECT * FROM `" . _DB_PREFIX . "email` WHERE `create_time` >= " . (int) (time() - 7200) . " AND `subject` = '" . mysql_real_escape_string($email_data['subject']) . "' "; $found_field = false; foreach (array('invoice_id', 'job_id', 'website_id', 'quote_id') as $prevent_default_check) { if (property_exists($this, $prevent_default_check) && isset($email_data[$prevent_default_check]) && (int) $email_data[$prevent_default_check] > 0) { $sql .= " AND `" . $prevent_default_check . "` = " . (int) $email_data[$prevent_default_check]; $found_field = true; } } if ($found_field) { $previous = qa($sql); if (count($previous)) { // check content matches. $found_previous = false; foreach ($previous as $prev) { if (md5($this->message_html) == md5($prev['html_content'])) { $found_previous = true; break; } } if ($found_previous) { if ($debug) { echo " - found previous email (id: "; } if ($debug) { foreach ($previous as $p) { echo $p['email_id'] . ":" . $p['subject'] . ' '; } } if ($debug) { echo ")! NOT sending this email!! "; } return false; } } if ($debug) { echo " - no previous emails found, sending... "; } } } $email_id = update_insert('email_id', false, 'email', $email_data); //echo '<pre>'.$email_id;print_r($email_data);exit; $this->_send_queued_email($email_id, $debug); $this->email_id = $email_id; return $this->status == _MAIL_STATUS_SENT; }