} // check that the user exists $user = $db->query_first(" SELECT user.*, IF(moderator.moderatorid IS NULL, 0, 1) AS ismoderator FROM " . TABLE_PREFIX . "user AS user LEFT JOIN " . TABLE_PREFIX . "moderator AS moderator ON(moderator.userid = user.userid AND moderator.forumid <> -1) WHERE user.username = '******'username']) . "' "); if (!$user OR $user['userid'] == $vbulletin->userinfo['userid']) { print_stop_message('invalid_user_specified'); } if (is_unalterable_user($user['userid'])) { print_stop_message('user_is_protected_from_alteration_by_undeletableusers_var'); } cache_permissions($user); // Non-admins can't ban administrators, supermods or moderators if (!($vbulletin->userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel'])) { if ($user['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel'] OR $user['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['ismoderator'] OR $user['ismoderator']) { print_stop_message('no_permission_ban_non_registered_users'); } } else if ($user['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel'])
$sourceinfo = vB_Api::instanceInternal('user')->fetchUserInfo($sourceuserid); } catch (vB_Exception_Api $ex) { print_stop_message2($ex->getMessage()); } if (!$sourceinfo) { print_stop_message2('invalid_source_username_specified'); } try { $destinfo = vB_Api::instanceInternal('user')->fetchUserInfo($destuserid); } catch (vB_Exception_Api $ex) { print_stop_message2($ex->getMessage()); } if (!$destinfo) { print_stop_message2('invalid_destination_username_specified'); } if (is_unalterable_user($sourceinfo['userid']) or is_unalterable_user($destinfo['userid'])) { print_stop_message2('user_is_protected_from_alteration_by_undeletableusers_var'); } print_form_header('usertools', 'reallydomerge'); construct_hidden_code('sourceuserid', $sourceinfo['userid']); construct_hidden_code('destuserid', $destinfo['userid']); print_table_header($vbphrase['confirm_merge']); print_description_row(construct_phrase($vbphrase['are_you_sure_you_want_to_merge_x_into_y'], $vbulletin->GPC['sourceuser'], $vbulletin->GPC['destuser'])); print_submit_row($vbphrase['yes'], '', 2, $vbphrase['no']); } // ###################### Start Do Merge ####################### if ($_POST['do'] == 'reallydomerge') { // Get info on both users $vbulletin->input->clean_array_gpc('p', array('sourceuserid' => vB_Cleaner::TYPE_INT, 'destuserid' => vB_Cleaner::TYPE_INT)); try { $sourceinfo = vB_Api::instanceInternal('user')->fetchUserInfo($vbulletin->GPC['sourceuserid']);
construct_hidden_code('minposts', $vbulletin->GPC['minposts']); construct_hidden_code('joindate[day]', $vbulletin->GPC['joindate']['day']); construct_hidden_code('joindate[month]', $vbulletin->GPC['joindate']['month']); construct_hidden_code('joindate[year]', $vbulletin->GPC['joindate']['year']); construct_hidden_code('order', $order); print_table_header(construct_phrase($vbphrase['showing_users_x_to_y_of_z'], 1, $numusers, $numusers), 7); print_cells_row(array('Userid', $vbphrase['username'], $vbphrase['email'], $vbphrase['post_count'], $vbphrase['last_activity'], $vbphrase['join_date'], '<input type="checkbox" name="allbox" onclick="js_check_all(this.form)" title="' . $vbphrase['check_all'] . '" checked="checked" />'), 1); while ($user = $db->fetch_array($users)) { $cell = array(); $cell[] = $user['userid']; $cell[] = "<a href=\"user.php?" . $vbulletin->session->vars['sessionurl'] . "do=edit&u={$user['userid']}\" target=\"_blank\">{$user['username']}</a><br /><span class=\"smallfont\">{$user['title']}" . iif($user['moderatorid'], ', Moderator', '') . "</span>"; $cell[] = "<a href=\"mailto:{$user['email']}\">{$user['email']}</a>"; $cell[] = vb_number_format($user['posts']); $cell[] = vbdate($vbulletin->options['dateformat'], $user['lastactivity']); $cell[] = vbdate($vbulletin->options['dateformat'], $user['joindate']); if ($user['userid'] == $vbulletin->userinfo['userid'] or $user['usergroupid'] == 6 or $user['usergroupid'] == 5 or $user['moderatorid'] or is_unalterable_user($user['userid'])) { $cell[] = '<input type="button" class="button" value=" ! " onclick="js_alert_no_permission()" />'; } else { $cell[] = "<input type=\"checkbox\" name=\"users[{$user['userid']}]\" value=\"1\" checked=\"checked\" tabindex=\"1\" />"; } print_cells_row($cell); } print_description_row('<center><span class="smallfont"> <b>' . $vbphrase['action'] . ': <label for="dw_delete"><input type="radio" name="dowhat" value="delete" id="dw_delete" tabindex="1" />' . $vbphrase['delete'] . 
'</label> <label for="dw_move"><input type="radio" name="dowhat" value="move" id="dw_move" tabindex="1" />' . $vbphrase['move'] . '</label> <select name="movegroup" tabindex="1" class="bginput">' . $groupslist . '</select></b> </span></center>', 0, 7); print_submit_row($vbphrase['go'], $vbphrase['check_all'], 7); echo '<p>' . $vbphrase['this_action_is_not_reversible'] . '</p>'; } else {
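/**
 * Insert or Update an user
 *
 * Permission model (all visible in the body):
 *   - Callers with the 'canadminusers' admin permission may create or edit any user,
 *     set usergroupid/membergroupids, and skip the HV / StopForumSpam / current-password checks.
 *   - Callers without it may only register a new account (when allowregistration is on) or
 *     edit their own account; usergroupid and membergroupids are rejected with no_permission.
 *   - Users flagged as unalterable (undeletable users option) may only be edited by themselves.
 *   - Existing users changing their password or email without admin override must supply
 *     their current password ($user['password'] / $extra['password']).
 *
 * The DM save and the subsequent setPassword() are not wrapped in a transaction; if the
 * password cannot be set for a brand-new user the inserted row is deleted again (best effort).
 *
 * @param integer $userid Userid to be updated. Set to 0 if you want to insert a new user.
 * @param string $password Password for the user. Empty means no change. May be overridden by the $extra array
 * @param array $user Basic user information such as email or home page
 *   * username
 *   * email
 *   * usertitle
 *   * birthday
 *   * usergroupid (will get no_permissions exception without administrate user permissions)
 *   * membergroupids (will get no_permissions exception without administrate user permissions)
 *   * list not complete
 * @param array $options vB options for the user
 * @param array $adminoptions Admin Override Options for the user
 * @param array $userfield User's User Profile Field data
 * @param array $notificationOptions
 * @param array $hvinput Human Verify input data. @see vB_Api_Hv::verifyToken()
 * @param array $extra Generic flags or data to affect processing.
 *   * registration
 *   * email
 *   * newpass
 *   * password
 *   * acnt_settings
 * @return integer New or updated userid.
 * @throws vB_Exception_Api noregister, no_permission, signing_up_but_currently_logged_in_msg,
 *         please_enter_user_title_with_at_least_x_characters,
 *         user_is_protected_from_alteration_by_undeletableusers_var, invalid_user_specified,
 *         birthdayfield, birthdayfield_nonprofile_tab, enter_current_password, badpassword,
 *         invalid_password_specified, has_no_permission_change_birthday,
 *         under_thirteen_registration_denied, coppa_rules_description, plus whatever the
 *         user datamanager, HV verifier and login library raise.
 */
public function save($userid, $password, $user, $options, $adminoptions, $userfield, $notificationOptions = array(), $hvinput = array(), $extra = array())
{
    $db = vB::getDbAssertor();
    $vboptions = vB::getDatastore()->getValue('options');
    $userContext = vB::getUserContext();
    $currentUserId = $userContext->fetchUserId();
    $userid = intval($userid);
    $coppauser = false;

    // Booleans that drive the permission checks below; computed once so the later code documents itself.
    $newuser = !$userid;
    $canadminusers = $this->hasAdminPermission('canadminusers');
    // NOTE(review): the second empty() term repeats acnt_settings. The docblock lists a separate
    // 'registration' flag in $extra; confirm whether that flag was meant to disable the override too.
    // Admin override is derived from the caller's real permissions, never from a flag in $extra.
    $adminoverride = ($canadminusers and empty($extra['acnt_settings']) and empty($extra['acnt_settings']));
    // For a guest registering (both ids 0) this is true; the $newuser branches above/below still apply.
    $changingCurrentUser = $userid == $currentUserId;

    // Not sure why we do this at all. The caller should handle this appropriately.
    // We shouldn't set $userid = $currentUserId if $userid == 0 here
    // Cause we may need to allow logged-in user to register again
    if ($userid < 0 and $currentUserId)
    {
        $userid = $currentUserId;
    }

    // Needed all over the place if this isn't a new user.
    if (!$newuser)
    {
        $userinfo = vB_User::fetchUserInfo($userid);
    }

    // Permission checks. Callers who can admin users skip all of these. Some checks only apply to
    // registration, others only to editing; a few fields are checked in one case and not the other.
    if (!$canadminusers)
    {
        if ($newuser)
        {
            // Check if registration is allowed
            if (!$vboptions['allowregistration'])
            {
                throw new vB_Exception_Api('noregister');
            }

            // Check Multiple Registrations Per User
            if ($currentUserId and !$vboptions['allowmultiregs'])
            {
                $currentUser = vB::getCurrentSession()->fetch_userinfo();
                throw new vB_Exception_Api('signing_up_but_currently_logged_in_msg', array($currentUser['username'], $vboptions['frontendurl'] . '/auth/logout?logouthash=' . $currentUser['logouthash']));
            }

            // New registrations must pass human verification.
            // VBV-9386: HV is disabled when accessing through the VB_API in vb4.
            // There is also a comment saying that it should be enabled once it goes live???
            if (!defined('VB_API') or defined('VB_API') and VB_API !== true)
            {
                vB_Api::instanceInternal('hv')->verifyToken($hvinput, 'register');
            }

            // Verify Stop Forum Spam (username, request IP, email)
            $nospam = vB_StopForumSpam::instance();
            if (!$nospam->checkRegistration($user['username'], vB::getRequest()->getIpAddress(), $user['email']))
            {
                throw new vB_Exception_Api('noregister');
            }
        }
        else
        {
            // Attempting to update somebody else's profile -- only admins can do this
            if (!$changingCurrentUser)
            {
                throw new vB_Exception_Api('no_permission');
            }

            // We need to handle this more gracefully -- this is kind of weird.
            if (!$userContext->hasPermission('genericpermissions', 'canmodifyprofile'))
            {
                // User can only update email and password
                return $this->saveEmailPassword($extra);
            }

            if (isset($user['privacy_options']) and !$userContext->hasPermission('usercsspermissions', 'caneditprivacy'))
            {
                // User doesn't have permission to update privacy
                throw new vB_Exception_Api('no_permission');
            }

            if (isset($options['invisible']) and !empty($options['invisible']) and !$userContext->hasPermission('genericpermissions', 'caninvisible'))
            {
                // User doesn't have permission to go invisible
                throw new vB_Exception_Api('no_permission');
            }
        }

        // Fields that non-admin users must never be able to set (the admin can do what he wants).
        // These are rejected outright rather than silently dropped.
        if (isset($user['usergroupid']))
        {
            throw new vB_Exception_Api('no_permission');
        }

        if (isset($user['membergroupids']))
        {
            throw new vB_Exception_Api('no_permission');
        }
    }

    /*
     * Some checks for all cases.
     */

    // Check the user title length. Skip for any administrator. Not sure if we should be checking for
    // edit user permissions or not, but it's not a major issue if admins can set their own titles to
    // something really long so changing it at this point is not wise.
    if (isset($user['usertitle']) and vB_String::vbStrlen($user['usertitle']) > $vboptions['ctMaxChars'] and !$userContext->isAdministrator())
    {
        throw new vB_Exception_Api('please_enter_user_title_with_at_least_x_characters', $vboptions['ctMaxChars']);
    }

    // Don't allow changes to an unalterable user unless the user themselves requests it. We might
    // want to lock down what the user can edit in this case.
    require_once DIR . '/includes/adminfunctions.php';
    if (!$changingCurrentUser and is_unalterable_user($userid))
    {
        throw new vB_Exception_Api('user_is_protected_from_alteration_by_undeletableusers_var');
    }

    $olduser = array();
    if ($userid != 0)
    {
        // Get old user information
        $olduser = $db->getRow('user_fetchforupdating', array(vB_dB_Query::TYPE_KEY => vB_dB_Query::QUERY_STORED, 'userid' => $userid));
        if (!$olduser)
        {
            throw new vB_Exception_Api('invalid_user_specified');
        }
    }

    // If birthday is required it must be present either on the stored row or in the request.
    if ($vboptions['reqbirthday'] and empty($olduser['birthday']) and empty($user['birthday']))
    {
        if (count($userfield))
        {
            throw new vB_Exception_Api('birthdayfield');
        }
        else
        {
            throw new vB_Exception_Api('birthdayfield_nonprofile_tab');
        }
    }

    /*
     * If we are changing the password or email from the account settings we need to validate the user's
     * existing password.
     */

    // We allow stuff for the account profile page to be passed separately in the $extra array.
    // We shouldn't but cleaning that up is a larger task.
    if (!empty($extra['acnt_settings']))
    {
        if (!empty($extra['email']))
        {
            $user['email'] = $extra['email'];
        }

        // New password to set
        if (!empty($extra['newpass']))
        {
            $password = $extra['newpass'];
        }

        // The user's existing password -- needed to verify before setting certain sensitive fields.
        if (!empty($extra['password']))
        {
            $user['password'] = $extra['password'];
        }
    }

    // Re-authenticate with the existing password before a password or email change when:
    //  * this is an existing user
    //  * the password or email is being changed
    //  * we are not overriding as an admin
    if (!$newuser and (!empty($password) or !empty($user['email'])) and !$adminoverride)
    {
        $loginlib = vB_Library::instance('login');
        if (!$user['password'])
        {
            throw new vB_Exception_Api('enter_current_password');
        }

        // Only the fields the login library needs to verify the stored hash are passed through.
        $login = array_intersect_key($userinfo, array_flip(array('userid', 'token', 'scheme')));
        $auth = $loginlib->verifyPasswordFromInfo($login, array(array('password' => $user['password'], 'encoding' => 'text')));
        if (!$auth['auth'])
        {
            throw new vB_Exception_Api('badpassword', vB5_Route::buildUrl('lostpw|fullurl'));
        }
    }

    // This is the user's existing password which we don't need now that we've verified it.
    // Attempting to set it on the DM, which we do below for all user fields, causes problems.
    unset($user['password']);

    // A new user must have a password -- even if this is an admin creating the user.
    if ($newuser and empty($password))
    {
        throw new vB_Exception_Api('invalid_password_specified');
    }

    /*
     * If we got this far, we basically have permission to update the user in the way we requested.
     */
    $bf_misc_useroptions = vB::getDatastore()->getValue('bf_misc_useroptions');
    $bf_misc_adminoptions = vB::getDatastore()->getValue('bf_misc_adminoptions');
    $bf_misc_notificationoptions = vB::getDatastore()->getValue('bf_misc_usernotificationoptions');
    $usergroupcache = vB::getDatastore()->getValue('usergroupcache');

    // The recorded IP always comes from the request, never from the caller-supplied array.
    $user['ipaddress'] = vB::getRequest()->getIpAddress();

    $olduser = array_merge($olduser, convert_bits_to_array($olduser['options'], $bf_misc_useroptions));
    $olduser = array_merge($olduser, convert_bits_to_array($olduser['adminoptions'], $bf_misc_adminoptions));
    $olduser = array_merge($olduser, convert_bits_to_array($olduser['notification_options'], $bf_misc_notificationoptions));

    // Get threaded mode options
    if (isset($olduser['threadedmode']) and ($olduser['threadedmode'] == 1 or $olduser['threadedmode'] == 2))
    {
        $threaddisplaymode = $olduser['threadedmode'];
    }
    else
    {
        if (isset($olduser['postorder']) and $olduser['postorder'] == 0)
        {
            $threaddisplaymode = 0;
        }
        else
        {
            $threaddisplaymode = 3;
        }
    }
    $olduser['threadedmode'] = $threaddisplaymode;

    // Handle the ignore list at API level; it is causing problems in the data manager.
    if (isset($user['ignorelist']))
    {
        $user['ignorelist'] = $this->updateIgnorelist($userid, explode(',', $user['ignorelist']));
    }
    else
    {
        $user['ignorelist'] = array();
    }

    // Init data manager
    $userdata = new vB_Datamanager_User(vB_DataManager_Constants::ERRTYPE_ARRAY_UNPROCESSED);

    /*
     * If this was called from the account settings or registration pages (not the Admin Control Panel)
     * then we shouldn't be setting admin override. $adminoverride is computed from the caller's
     * permissions above, so someone merely telling the API that we're in the ACP does not get it.
     */
    if ($adminoverride)
    {
        $userdata->adminoverride = true;
    }

    $updateUGPCache = false;

    // Set existing info if this is an update
    if (!$newuser)
    {
        // Birthday: without admin override an already-set required birthday may not be changed.
        if (!$adminoverride and $user['birthday'] and $olduser['birthday'] and $user['birthday'] != $olduser['birthday'] and $vboptions['reqbirthday'])
        {
            throw new vB_Exception_Api('has_no_permission_change_birthday');
        }

        // Update buddy list: drop anyone who is now on the ignore list.
        $user['buddylist'] = array();
        foreach (explode(' ', $userinfo['buddylist']) as $buddy)
        {
            if (in_array($buddy, $user['ignorelist']) === false)
            {
                $user['buddylist'][] = $buddy;
            }
        }

        // NOTE(review): overwrites the stored post count with the caller-supplied value (0 when absent)
        // before set_existing(); confirm this is intended.
        $userinfo['posts'] = intval($user['posts']);

        // Update usergroups cache if needed...
        $uInfoMUgpIds = explode(',', trim($userinfo['membergroupids']));
        $uInfoUgpId = trim($userinfo['usergroupid']);
        $uIGpIds = explode(',', trim($userinfo['infractiongroupids']));

        $mUgpIds = isset($user['membergroupids']) ? $user['membergroupids'] : false;
        $ugpId = isset($user['usergroupid']) ? trim($user['usergroupid']) : false;
        $iGpIds = isset($user['infractiongroupids']) ? explode(',', trim($user['infractiongroupids'])) : false;

        if ($ugpId and $uInfoUgpId != $ugpId or $mUgpIds and array_diff($uInfoMUgpIds, $mUgpIds) or $iGpIds and array_diff($iGpIds, $uIGpIds))
        {
            $updateUGPCache = true;
        }

        $userdata->set_existing($userinfo);
    }
    else
    {
        // NOTE(review): the moderated / awaiting-email / registered default group is only chosen inside
        // the useCoppa() branch; when COPPA is off the DM default is relied on -- confirm.
        if ($this->useCoppa())
        {
            if (empty($user['birthday']))
            {
                throw new vB_Exception_Api('under_thirteen_registration_denied');
            }

            if ($this->needsCoppa($user['birthday']))
            {
                if ($vboptions['usecoppa'] == 2)
                {
                    throw new vB_Exception_Api('under_thirteen_registration_denied');
                }
                else
                {
                    if (empty($user['parentemail']))
                    {
                        throw new vB_Exception_Api('coppa_rules_description');
                    }

                    $userdata->set_info('coppauser', true);
                    $userdata->set_info('coppapassword', $password);
                    $options['coppauser'] = 1;
                    $coppauser = true;
                }
            }
            else
            {
                if ($vboptions['moderatenewmembers'])
                {
                    $userdata->set_info('usergroupid', 4);
                }
                else
                {
                    if ($vboptions['verifyemail'])
                    {
                        $userdata->set_info('usergroupid', 3);
                    }
                    else
                    {
                        $userdata->set_info('usergroupid', 2);
                    }
                }
            }
        }
    }

    // Should not be required with the new password code.
    // If no username is provided then it is taken from old userinfo; the datamanager needs username always set to perform password checks.
    //$username = (empty($user['username']) ? $userinfo['username'] : $user['username']);
    //$userdata->set('username', $username);
    //unset($user['username']);

    // User options: request value wins, else keep the stored bit.
    foreach ($bf_misc_useroptions as $key => $val)
    {
        if (isset($options["{$key}"]))
        {
            $userdata->set_bitfield('options', $key, $options["{$key}"]);
        }
        else
        {
            if (isset($olduser["{$key}"]))
            {
                $userdata->set_bitfield('options', $key, $olduser["{$key}"]);
            }
        }
    }

    // Admin options are applied as given (only reachable with admin override in the DM).
    foreach ($adminoptions as $key => $val)
    {
        $userdata->set_bitfield('adminoptions', $key, $val);
    }

    // Notification options
    foreach ($notificationOptions as $key => $val)
    {
        // @TODO related to VBV-92
        if ($olduser["{$key}"] != $val)
        {
            $userdata->set_bitfield('notification_options', $key, $val);
        }
        else
        {
            if ($olduser["{$key}"] == $val)
            {
                $userdata->set_bitfield('notification_options', $key, $olduser["{$key}"]);
            }
        }
    }

    // Display group used for the user title lookup: new primary group, else stored primary group.
    $displaygroupid = (array_key_exists('displaygroupid', $user) and intval($user['displaygroupid'])) ? $user['displaygroupid'] : '';
    if (isset($user['usergroupid']) and $user['usergroupid'])
    {
        $displaygroupid = $user['usergroupid'];
    }
    elseif (isset($olduser['usergroupid']) and $olduser['usergroupid'])
    {
        $displaygroupid = $olduser['usergroupid'];
    }

    // Custom user title
    if (isset($user['usertitle']) and $user['usertitle'])
    {
        $userdata->set_usertitle($user['usertitle'], $user['customtitle'] ? false : true, $usergroupcache["{$displaygroupid}"], $userContext->hasPermission('genericpermissions', 'canusecustomtitle'), $userContext->isAdministrator());
        unset($user['usertitle'], $user['customtitle']);
    }
    else
    {
        if (isset($user['usertitle']) and empty($user['usertitle']) and empty($user['customtitle']))
        {
            $userdata->set_usertitle('', true, $usergroupcache["{$displaygroupid}"], $userContext->hasPermission('genericpermissions', 'canusecustomtitle'), $userContext->isAdministrator());
            unset($user['usertitle'], $user['customtitle']);
        }
    }

    // privacy_options: only whitelisted keys survive; the column is stored serialized.
    $privacyChanged = false;
    if (isset($user['privacy_options']) and $user['privacy_options'])
    {
        foreach ($user['privacy_options'] as $opt => $val)
        {
            if (!in_array($opt, $this->privacyOptions))
            {
                unset($user['privacy_options'][$opt]);
            }
        }

        // Check if we need to update cached values...
        if ($olduser['privacy_options'])
        {
            // unserialize() of a column this method itself writes via serialize() below; it is not
            // directly user controlled, but the key whitelist above is the only filter on its content.
            $check = unserialize($olduser['privacy_options']);
            $diff = array_diff_assoc($user['privacy_options'], $check);
            if (!empty($diff))
            {
                $privacyChanged = true;
            }
        }

        $user['privacy_options'] = serialize($user['privacy_options']);
    }

    // Update from user fields (only changed values for an existing user)
    foreach ($user as $key => $val)
    {
        if (!$userid or $olduser["{$key}"] != $val)
        {
            $userdata->set($key, $val);
        }
    }

    $membergroupids = false;
    if (isset($user['membergroupids']) and is_array($user['membergroupids']))
    {
        $membergroupids = $user['membergroupids'];
    }

    // Add facebook user group for new users being registered with FB.
    // Not entirely thrilled with putting this here, but doing it in a less
    // fragile way requires a greater refactoring of the registration code.
    if ($newuser and $vboptions['facebookusergroupid'])
    {
        $fblib = vB_Library::instance('facebook');
        if ($fblib->isFacebookEnabled() and $fblib->userIsLoggedIn())
        {
            if (is_array($membergroupids))
            {
                $membergroupids[] = $vboptions['facebookusergroupid'];
            }
            else
            {
                $membergroupids = array($vboptions['facebookusergroupid']);
            }
        }
    }

    // Actually set the usergroup array if we have one
    if (is_array($membergroupids))
    {
        $userdata->set('membergroupids', $membergroupids);
    }

    // Custom profile fields
    if (!empty($userfield) and is_array($userfield))
    {
        $userdata->set_userfields($userfield, true, 'admin');
    }

    // Handles ignorelist and buddylist correctly
    $userdata->set('ignorelist', $user['ignorelist']);
    $userdata->set('buddylist', isset($user['buddylist']) ? $user['buddylist'] : array());

    // Timezone
    if (empty($user['timezoneoffset']) and $newuser)
    {
        $userdata->set('timezoneoffset', $vboptions['timeoffset']);
    }

    // The secret really isn't related to the password, but we want to change it
    // periodically and for now "every time the user changes their password"
    // works (we previously used the password salt so that's when it got changed
    // prior to the refactor).
    if (!empty($password))
    {
        $userdata->set('secret', vB_Library::instance('user')->generateUserSecret());
    }

    // Save data
    $newuserid = $userdata->save();
    if ($userdata->has_errors(false))
    {
        throw $userdata->get_exception();
    }

    // A bit of a hack. If the DM save function runs an update of an existing user then
    // it returns true rather than the userid (despite what the comments say). However it's
    // not clear how to handle that in the DM (which looks like it could be used to alter
    // multiple users wholesale, in which case we really don't have an ID). Better to catch it here.
    if ($newuserid === true)
    {
        $newuserid = $userid;
    }

    // If we have a new password, then let's set it.
    if (!empty($password))
    {
        try
        {
            // Look up the password history limit for the user we are editing, which is not
            // necessarily the user that we currently are.
            // Fixed: this previously tested the misspelled (undefined) $changinCurrentUser, so the
            // current-user branch was never taken.
            if ($changingCurrentUser)
            {
                $history = $userContext->getUsergroupLimit('passwordhistory');
            }
            else
            {
                if ($adminoverride)
                {
                    $history = 0;
                }
                else
                {
                    $history = vB::getUserContext($userid)->getUsergroupLimit('passwordhistory');
                }
            }

            $loginlib = vB_Library::instance('login');
            $loginlib->setPassword($newuserid, $password, array('passwordhistorylength' => $history), array('passwordhistory' => $adminoverride));
        }
        catch (Exception $e)
        {
            // If this is a new user, delete it if we fail to set the initial password
            // (best-effort compensation; there is no surrounding transaction).
            if ($newuser)
            {
                $db->delete('user', array('userid' => $newuserid));
            }
            throw $e;
        }
    }

    if ($updateUGPCache)
    {
        vB_Cache::instance(vB_Cache::CACHE_FAST)->event('perms_changed');
    }

    if ($privacyChanged)
    {
        vB_Cache::instance()->event('userPrivacyChg_' . $userid);
    }

    // Clear cached user info
    $this->library->clearUserInfo(array($newuserid));

    // Update session's languageid, VBV-11318
    if (isset($user['languageid']))
    {
        vB::getCurrentSession()->set('languageid', $user['languageid']);
    }

    if ($newuser and $vboptions['newuseremail'] != '')
    {
        // Prepare email data
        $customfields = '';
        if (!empty($userfield) and is_array($userfield))
        {
            $customfields = $userdata->set_userfields($userfield, true, 'register');
        }

        // Fixed: the profile link used $user['userid'], which nothing in this method sets for a new
        // user; $newuserid is the id returned by the DM save.
        $maildata = vB_Api::instanceInternal('phrase')->fetchEmailPhrases('newuser', array($user['username'], vB::getDatastore()->getOption('bbtitle'), vB5_Route::buildUrl('profile|fullurl', array('userid' => $newuserid)), $user['email'], $user['birthday'], $user['ipaddress'], $customfields), array(vB::getDatastore()->getOption('bbtitle')));

        // Send out the emails
        $newemails = explode(' ', $vboptions['newuseremail']);
        foreach ($newemails as $toemail)
        {
            if (trim($toemail))
            {
                vB_Mail::vbmail($toemail, $maildata['subject'], $maildata['message'], false);
            }
        }
    }

    // Check if we need to send out activate email (never from the AdminCP)
    $verifyEmail = (defined('VB_AREA') and VB_AREA == 'AdminCP') ? false : true;
    if ($newuser and $vboptions['verifyemail'] and $verifyEmail)
    {
        $this->library->sendActivateEmail($newuserid);
    }

    // Check if we need to send out welcome email
    if ($newuser and $userdata->fetch_field('usergroupid') == 2 and $vboptions['welcomemail'])
    {
        // Send welcome mail
        $username = trim(unhtmlspecialchars($user['username']));
        $maildata = vB_Api::instanceInternal('phrase')->fetchEmailPhrases('welcomemail', array($username, $vboptions['bbtitle']), array($vboptions['bbtitle']), isset($user['languageid']) ? $user['languageid'] : vB::getDatastore()->getOption('languageid'));
        vB_Mail::vbmail($user['email'], $maildata['subject'], $maildata['message'], true);
    }

    return $newuserid;
}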
cache_permissions($userinfo, false); if ($vbulletin->userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel'] and $userinfo['permissions']['genericpermissions'] & $vbulletin->bf_ugp_genericpermissions['canuseavatar'] and ($userinfo['permissions']['avatarmaxwidth'] > 0 or $userinfo['permissions']['avatarmaxheight'] > 0)) { print_yes_no_row($vbphrase['resize_image_to_users_maximum_allowed_size'], 'resize'); } print_input_row($vbphrase['enter_image_url'], 'avatarurl', 'http://www.'); print_upload_row($vbphrase['upload_image_from_computer'], 'upload'); construct_hidden_code('userid', $vbulletin->GPC['userid']); print_submit_row($vbphrase['save']); } // ###################### Start Update Avatar ################ if ($_POST['do'] == 'updateavatar') { if (!can_moderate(0, 'caneditavatar')) { print_stop_message('no_permission_avatars'); } $vbulletin->input->clean_array_gpc('p', array('avatarid' => TYPE_INT, 'avatarurl' => TYPE_STR, 'resize' => TYPE_BOOL)); if (is_unalterable_user($vbulletin->GPC['userid'])) { print_stop_message('user_is_protected_from_alteration_by_undeletableusers_var'); } $useavatar = iif($vbulletin->GPC['avatarid'] == -1, 0, 1); $userinfo = fetch_userinfo($vbulletin->GPC['userid']); if (!$userinfo) { print_stop_message('invalid_user_specified'); } // init user datamanager $userdata =& datamanager_init('User', $vbulletin, ERRTYPE_CP); $userdata->set_existing($userinfo); if ($useavatar) { if (!$vbulletin->GPC['avatarid']) { // custom avatar $vbulletin->input->clean_gpc('f', 'upload', TYPE_FILE); require_once DIR . '/includes/class_upload.php';
{ $trimmed_postmessage = substr($vbulletin->GPC['message'], 0, $vbulletin->options['postmaxchars']); } else { $trimmed_postmessage =& $vbulletin->GPC['message']; } $infdata->set_info('message', $trimmed_postmessage); ($hook = vBulletinHook::fetch_hook('infraction_update_process')) ? eval($hook) : false; $infdata->save(); // Ban require_once(DIR . '/includes/adminfunctions.php'); if (!empty($banlist) AND $points = $infdata->fetch_field('points') AND !is_unalterable_user($userinfo['userid'])) { if ($banusergroupid) { // check to see if there is already a ban record for this user in the userban table if ($bancheck) { if (($liftdate == 0 OR $bancheck['liftdate'] < $liftdate) AND $bancheck['liftdate'] != 0) { // there is already a record - just update this record $db->query_write(" UPDATE " . TABLE_PREFIX . "userban SET bandate = " . TIMENOW . ", liftdate = $liftdate, adminid = " . $vbulletin->userinfo['userid'] . ", reason = '" . $db->escape_string($vbulletin->GPC['banreason']) . "'
/**
 * Add a leader for an usergroup
 *
 * Requires the 'canadminpermissions' admin permission. Only public groups
 * (ispublicgroup = 1) with an id above 7 are eligible. The user must exist,
 * must not be an unalterable user, and must not already have the group as
 * their primary group. If the group is neither their primary nor one of their
 * member groups it is appended to membergroupids before the leader row is inserted.
 *
 * @param int $usergroupid
 * @param int $userid
 * @return int New usergroupleader ID
 * @throws vB_Exception_Api cant_add_usergroup_leader, invalid_user_specified,
 *         user_is_protected_from_alteration_by_undeletableusers_var,
 *         invalid_usergroup_leader_specified
 */
public function addLeader($usergroupid, $userid)
{
    $this->checkHasAdminPermission('canadminpermissions');
    require_once DIR . '/includes/adminfunctions.php';

    $usergroupid = intval($usergroupid);
    $userid = intval($userid);

    // Eligible target group: public and outside the reserved range (id > 7).
    $groupConditions = array(
        array('field' => 'usergroupid', 'value' => $usergroupid, 'operator' => 'EQ'),
        array('field' => 'ispublicgroup', 'value' => 1, 'operator' => 'EQ'),
        array('field' => 'usergroupid', 'value' => 7, 'operator' => 'GT'),
    );
    $usergroup = vB::getDbAssertor()->getRow('usergroup', array(
        vB_dB_Query::TYPE_KEY => vB_dB_Query::QUERY_SELECT,
        vB_dB_Query::CONDITIONS_KEY => $groupConditions,
    ));
    if (!$usergroup)
    {
        throw new vB_Exception_Api('cant_add_usergroup_leader');
    }

    $user = vB::getDbAssertor()->getRow('user', array(
        vB_dB_Query::TYPE_KEY => vB_dB_Query::QUERY_SELECT,
        'userid' => $userid,
    ));
    if (!$user)
    {
        throw new vB_Exception_Api('invalid_user_specified');
    }

    if (is_unalterable_user($user['userid']))
    {
        throw new vB_Exception_Api('user_is_protected_from_alteration_by_undeletableusers_var');
    }

    // A user whose primary group is already this group cannot be made its leader.
    $alreadyPrimary = vB::getDbAssertor()->getRow('user', array(
        vB_dB_Query::TYPE_KEY => vB_dB_Query::QUERY_SELECT,
        vB_dB_Query::CONDITIONS_KEY => array(
            array('field' => 'usergroupid', 'value' => $usergroupid, 'operator' => vB_dB_Query::OPERATOR_EQ),
            array('field' => 'userid', 'value' => $user['userid'], 'operator' => vB_dB_Query::OPERATOR_EQ),
        ),
    ));
    if ($alreadyPrimary)
    {
        throw new vB_Exception_Api('invalid_usergroup_leader_specified');
    }

    // Update the leader's member groups if the group is not already among them.
    $isSecondaryMember = (strpos(",{$user['membergroupids']},", "," . $usergroupid . ",") !== false);
    if (!$isSecondaryMember and $user['usergroupid'] != $usergroupid)
    {
        $membergroups = empty($user['membergroupids'])
            ? $usergroupid
            : "{$user['membergroupids']}," . $usergroupid;

        $userdm = new vB_Datamanager_User(vB_DataManager_Constants::ERRTYPE_ARRAY_UNPROCESSED);
        $userdm->set_existing($user);
        $userdm->set('membergroupids', $membergroups);
        $userdm->save();
        unset($userdm);
    }

    // Insert into usergroupleader table
    return vB::getDbAssertor()->assertQuery('vBForum:usergroupleader', array(
        vB_dB_Query::TYPE_KEY => vB_dB_Query::QUERY_INSERT,
        'userid' => $user['userid'],
        'usergroupid' => $usergroupid,
    ));
}
/**
 * Determines if this infraction triggers an automatic ban, and if so, returns the automatic ban information
 *
 * Warnings and zero-point levels never ban, and neither do unalterable users (undeletable
 * users option). Among the configured automatic bans whose usergroup matches (or is -1) and
 * whose points / infraction-count threshold would be reached by this infraction, a permanent
 * ban (liftdate 0) is taken immediately; otherwise the candidate with the latest liftdate wins.
 * No ban is returned when the user already has one that is permanent or outlasts the candidate.
 *
 * @param array $userInfo User Info for the user to ban
 * @param array $data Data for the infraction that's being given (banreason is required when a ban applies)
 * @param array $infractionLevelInfo Infraction level information for the infraction that's being given
 * @param bool $isWarning Is this a warning?
 * @return array|false The automatic ban row to apply, or false when none applies
 * @throws vB_Exception_Api invalid_banreason when a ban applies but $data['banreason'] is empty
 */
protected function getAutomaticBanToApply(array $userInfo, array $data, array $infractionLevelInfo, $isWarning)
{
    // Warnings don't change points or number of infractions and thus can't trigger a ban.
    if ($isWarning or $infractionLevelInfo['points'] < 1)
    {
        return false;
    }

    require_once DIR . '/includes/adminfunctions.php';
    if (is_unalterable_user($userInfo['userid']))
    {
        return false;
    }

    $stats = $this->getUserInfractions($userInfo['userid']);
    // Number of active & expired infractions for an infraction-based ban
    $totalInfractions = $stats['statistics']['total'];
    // Number of active infraction points for a points-based ban
    $activePoints = $stats['statistics']['points'];

    // Totals as they will be once this infraction is applied.
    $pointsAfter = $activePoints + $infractionLevelInfo['points'];
    $infractionsAfter = $totalInfractions + 1;

    // Find the longest available ban.
    // NOTE(review): the group filter reads $userInfo['usergroup'] (not 'usergroupid'); if the caller's
    // user-info array lacks that key every group-specific ban is skipped -- confirm the expected shape.
    $chosen = false;
    foreach ($this->getAutomaticBanList() as $candidate)
    {
        if ($candidate['usergroup'] != -1 and $candidate['usergroup'] != $userInfo['usergroup'])
        {
            continue;
        }

        $thresholdReached = ($candidate['method'] == 'points' && $pointsAfter >= $candidate['amount'])
            || ($candidate['method'] == 'infractions' && $infractionsAfter >= $candidate['amount']);
        if (!$thresholdReached)
        {
            continue;
        }

        if ($candidate['liftdate'] == 0)
        {
            // Stop at the first non-expiring ban
            $chosen = $candidate;
            break;
        }

        if (empty($chosen['liftdate']) or $candidate['liftdate'] > $chosen['liftdate'])
        {
            // Keep the longest ban seen so far
            $chosen = $candidate;
        }
    }

    if (!$chosen)
    {
        // No applicable ban found, nothing to do
        return false;
    }

    $existingBan = $this->assertor->getRow('userban', array('userid' => $userInfo['userid']));
    if ($existingBan)
    {
        $existingIsPermanent = ($existingBan['liftdate'] == 0);
        $existingOutlastsChosen = ($chosen['liftdate'] != 0 && $existingBan['liftdate'] > $chosen['liftdate']);
        if ($existingIsPermanent || $existingOutlastsChosen)
        {
            // User is already banned longer than we would ban them for
            return false;
        }
    }

    // We have a ban to apply, but no reason was specified
    if (empty($data['banreason']))
    {
        throw new vB_Exception_Api('invalid_banreason');
    }

    return $chosen;
}
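/**
 * Bans the user named by the posted 'userid' by moving them into a banned usergroup
 * and recording (or updating) their row in the userban table.
 *
 * Reads from $vbulletin->GPC after cleaning: usergroupid (int), period ('PERMANENT' or
 * D_n / M_n / Y_n with n in 1..99), reason (string), userid (int). Every permission or
 * validation failure aborts through standard_error(), so the function only returns on success.
 *
 * @return array array('success' => true) once the ban has been recorded
 */
function do_ban_user()
{
	global $vbulletin, $db, $vbphrase;

	require_once DIR . '/includes/functions_banning.php';
	require_once DIR . '/includes/adminfunctions.php';

	// Control-panel admins may ban and unban unconditionally; moderators need the explicit rights.
	$isAdmin = (bool) ($vbulletin->userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel']);
	$canbanuser = $isAdmin || can_moderate(0, 'canbanusers');
	$canunbanuser = $isAdmin || can_moderate(0, 'canunbanusers');

	if (!$canbanuser)
	{
		standard_error(fetch_error('no_permission_ban_users'));
	}

	$vbulletin->input->clean_array_gpc('p', array(
		'usergroupid' => TYPE_INT,
		'period'      => TYPE_STR,
		'reason'      => TYPE_NOHTML,
		'userid'      => TYPE_INT,
	));
	$vbulletin->GPC['reason'] = prepare_remote_utf8_string($vbulletin->GPC['reason']);

	// The target group must exist and must actually be a banned group.
	$targetGroupId = $vbulletin->GPC['usergroupid'];
	if (!isset($vbulletin->usergroupcache["$targetGroupId"])
		or ($vbulletin->usergroupcache["$targetGroupId"]['genericoptions'] & $vbulletin->bf_ugp_genericoptions['isnotbannedgroup']))
	{
		standard_error(fetch_error('invalid_usergroup_specified'));
	}
	$targetGroup = $vbulletin->usergroupcache["$targetGroupId"];

	// Load the target user; userid was cleaned to an int, so interpolating it is safe.
	$userId = (int) $vbulletin->GPC['userid'];
	$user = $db->query_first("
		SELECT user.*,
			IF(moderator.moderatorid IS NULL, 0, 1) AS ismoderator
		FROM " . TABLE_PREFIX . "user AS user
		LEFT JOIN " . TABLE_PREFIX . "moderator AS moderator ON(moderator.userid = user.userid AND moderator.forumid <> -1)
		WHERE user.userid = {$userId}
	");
	if (!$user or $user['userid'] == $vbulletin->userinfo['userid'])
	{
		standard_error(fetch_error('invalid_user_specified'));
	}
	if (is_unalterable_user($user['userid']))
	{
		standard_error(fetch_error('user_is_protected_from_alteration_by_undeletableusers_var'));
	}

	cache_permissions($user);

	// Nobody may ban an administrator; non-admins additionally may not ban moderators or supermods.
	$targetIsAdmin = ($user['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel']);
	$targetIsMod = ($user['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['ismoderator'] or $user['ismoderator']);
	if ($targetIsAdmin or (!$isAdmin and $targetIsMod))
	{
		standard_error(fetch_error('no_permission_ban_non_registered_users'));
	}

	// Period is either PERMANENT or <unit>_<1..99> with unit D, M or Y.
	$period = $vbulletin->GPC['period'];
	if ($period != 'PERMANENT' and !preg_match('#^(D|M|Y)_[1-9][0-9]?$#', $period))
	{
		standard_error(fetch_error('invalid_ban_period_specified'));
	}
	// A liftdate of 0 means the ban never expires.
	$liftdate = ($period == 'PERMANENT') ? 0 : convert_date_to_timestamp($period);

	$adminId = intval($vbulletin->userinfo['userid']);
	$reasonSql = $db->escape_string($vbulletin->GPC['reason']);

	$check = $db->query_first("SELECT userid, liftdate FROM " . TABLE_PREFIX . "userban WHERE userid = {$user['userid']}");
	if ($check)
	{
		// Shortening an existing ban is a partial unban and needs the unban right. Because a
		// liftdate of 0 means "never", an existing permanent ban being replaced by a dated one
		// is also a shortening, which a plain `<` comparison against 0 would miss.
		$existingIsPermanent = ($check['liftdate'] == 0);
		$shortensBan = ($liftdate != 0 and ($existingIsPermanent or $liftdate < $check['liftdate']));
		if ($shortensBan and !$canunbanuser)
		{
			standard_error(fetch_error('no_permission_un_ban_users'));
		}

		// There is already a record - just update it.
		$db->query_write("
			UPDATE " . TABLE_PREFIX . "userban SET
			bandate = " . TIMENOW . ",
			liftdate = {$liftdate},
			adminid = {$adminId},
			reason = '{$reasonSql}'
			WHERE userid = {$user['userid']}
		");
	}
	else
	{
		// First ban for this user: the pre-ban group and title columns are stored with the record.
		$db->query_write("
			INSERT INTO " . TABLE_PREFIX . "userban
			(userid, usergroupid, displaygroupid, customtitle, usertitle, adminid, bandate, liftdate, reason)
			VALUES
			({$user['userid']}, {$user['usergroupid']}, {$user['displaygroupid']}, {$user['customtitle']}, '" . $db->escape_string($user['usertitle']) . "', {$adminId}, " . TIMENOW . ", {$liftdate}, '{$reasonSql}')
		");
	}

	// Move the user into the banned group; a group-level usertitle replaces any custom title.
	$userdm =& datamanager_init('User', $vbulletin, ERRTYPE_SILENT);
	$userdm->set_existing($user);
	$userdm->set('usergroupid', $targetGroupId);
	$userdm->set('displaygroupid', 0);
	if ($targetGroup['usertitle'] != '')
	{
		$userdm->set('usertitle', $targetGroup['usertitle']);
		$userdm->set('customtitle', 0);
	}
	$userdm->save();
	unset($userdm);

	return array('success' => true);
}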
{ if (can_moderate(0, '', $userinfo['userid'], $userinfo['usergroupid'] . (trim($userinfo['membergroupids']) ? ",$userinfo[membergroupids]" : '')) OR $userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel'] OR $userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['ismoderator'] OR is_unalterable_user($userinfo['userid'])) { eval(standard_error(fetch_error('no_permission_ban_non_registered_users'))); } } } else { foreach ($user_cache AS $userid => $userinfo) { if ($userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel'] OR is_unalterable_user($userinfo['userid'])) { eval(standard_error(fetch_error('no_permission_ban_non_registered_users'))); } } } } ($hook = vBulletinHook::fetch_hook('inlinemod_spam_permission')) ? eval($hook) : false; } if ($_POST['do'] == 'spamconfirm') { $vbulletin->input->clean_array_gpc('p', array( 'deleteother' => TYPE_BOOL, 'report' => TYPE_BOOL, 'useraction' => TYPE_NOHTML,
$vbphrase['post_count'], $vbphrase['last_activity'], $vbphrase['join_date'], '<input type="checkbox" name="allbox" onclick="js_check_all(this.form)" title="' . $vbphrase['check_all'] . '" checked="checked" />' ), 1); while ($user = $db->fetch_array($users)) { $cell = array(); $cell[] = $user['userid']; $cell[] = "<a href=\"user.php?" . $vbulletin->session->vars['sessionurl'] . "do=edit&u=$user[userid]\" target=\"_blank\">$user[username]</a><br /><span class=\"smallfont\">$user[title]" . ($user['moderatorid'] ? ", " . $vbphrase['moderator'] : "" ) . "</span>"; $cell[] = "<a href=\"mailto:$user[email]\">$user[email]</a>"; $cell[] = vb_number_format($user['posts']); $cell[] = vbdate($vbulletin->options['dateformat'], $user['lastactivity']); $cell[] = vbdate($vbulletin->options['dateformat'], $user['joindate']); if ($user['userid'] == $vbulletin->userinfo['userid'] OR $user['usergroupid'] == 6 OR $user['usergroupid'] == 5 OR $user['moderatorid'] OR is_unalterable_user($user['userid'])) { $cell[] = '<input type="button" class="button" value=" ! " onclick="js_alert_no_permission()" />'; } else { $cell[] = "<input type=\"checkbox\" name=\"users[$user[userid]]\" value=\"1\" checked=\"checked\" tabindex=\"1\" />"; } print_cells_row($cell); } print_description_row('<center><span class="smallfont"> <b>' . $vbphrase['action'] . ': <label for="dw_delete"><input type="radio" name="dowhat" value="delete" id="dw_delete" tabindex="1" />' . $vbphrase['delete'] . '</label> <label for="dw_move"><input type="radio" name="dowhat" value="move" id="dw_move" tabindex="1" />' . $vbphrase['move'] . '</label> <select name="movegroup" tabindex="1" class="bginput">' . $groupslist . '</select></b> </span></center>', 0, 7);
if ($vbulletin->GPC['useraction'] == 'ban') { require_once DIR . '/includes/adminfunctions.php'; require_once DIR . '/includes/functions_banning.php'; if (!($vbulletin->userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel'] or can_moderate(0, 'canbanusers'))) { print_no_permission(); } // check that user has permission to ban the person they want to ban if (!($vbulletin->userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel'])) { foreach ($user_cache as $userid => $userinfo) { if (can_moderate(0, '', $userinfo['userid'], $userinfo['usergroupid'] . (trim($userinfo['membergroupids']) ? ",{$userinfo['membergroupids']}" : '')) or $userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel'] or $userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['ismoderator'] or is_unalterable_user($userinfo['userid'])) { eval(standard_error(fetch_error('no_permission_ban_non_registered_users'))); } } } else { foreach ($user_cache as $userid => $userinfo) { if ($userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel'] or is_unalterable_user($userinfo['userid'])) { eval(standard_error(fetch_error('no_permission_ban_non_registered_users'))); } } } } ($hook = vBulletinHook::fetch_hook('inlinemod_spam_permission')) ? eval($hook) : false; } if ($_POST['do'] == 'spamconfirm') { $vbulletin->input->clean_array_gpc('p', array('deleteother' => TYPE_BOOL, 'report' => TYPE_BOOL, 'useraction' => TYPE_NOHTML, 'userid' => TYPE_ARRAY_UINT, 'type' => TYPE_NOHTML, 'deletetype' => TYPE_UINT, 'deletereason' => TYPE_STR, 'keepattachments' => TYPE_BOOL)); if (!empty($user_cache)) { // Calculate this regardless, real thread + post count is important. $additional_threads = $db->query_read_slave("SELECT COUNT(*) AS total, postuserid AS userid FROM " . TABLE_PREFIX . "thread WHERE postuserid IN (" . 
implode(', ', array_keys($user_cache)) . ") GROUP BY postuserid"); while ($additional_thread = $db->fetch_array($additional_threads)) { $user_cache["{$additional_thread['userid']}"]['thread_count'] = intval($additional_thread['total']); }