/**
 * Wrapper function to get the author of a news article or page: Used by getNewsAuthor() and getPageAuthor().
 *
 * Picks whichever Zenpage object is current (a page wins over a news article) and returns
 * its author. With $fullname set, the author's display name is looked up through
 * Zenphoto_Authority::getAnAdmin() and is returned when the matching admin record is
 * active (`valid`=1) and carries a non-empty name; in every other case the stored user
 * name is returned.
 *
 * @param bool $fullname False for the user name, true for the full name
 *
 * @return string|false the author, or false when neither a page nor a news article is current
 */
function getAuthor($fullname = false) {
	global $_zp_current_zenpage_page, $_zp_current_zenpage_news;
	$current = false;
	if (is_Pages()) {
		$current = $_zp_current_zenpage_page;
	} elseif (is_News()) {
		$current = $_zp_current_zenpage_news;
	}
	if (!$current) {
		return false;
	}
	if ($fullname) {
		// only active accounts are consulted for the display name
		$admin = Zenphoto_Authority::getAnAdmin(array('`user`=' => $current->getAuthor(), '`valid`=' => 1));
		if (is_object($admin) && $admin->getName()) {
			return $admin->getName();
		}
	}
	return $current->getAuthor();
}
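/**
 * Admin-tab notification hook for the "users" tab.
 *
 * On the users subtab it warns the current admin that his own password must be renewed;
 * otherwise it notes that some user accounts have credentials that are no longer valid.
 *
 * @param string $tab the admin tab being displayed
 * @param string $subtab the subtab being displayed
 */
static function notify($tab, $subtab) {
	// The original tested `$subtab = 'users'` (an assignment, always truthy), so the notice
	// was shown on every subtab of the users tab; the comparison is the intended check.
	if ($tab == 'users' && $subtab == 'users') {
		if (user_expiry::checkPasswordRenew()) {
			echo '<p class="errorbox">' . gettext('You must change your password.'), '</p>';
		} else {
			// `valid`>1 picks accounts whose credentials are no longer in the active state
			// (`valid`=1); presumably the disabled/expired states — confirm against the expiry handling
			if (Zenphoto_Authority::getAnAdmin(array('`valid`>' => 1))) {
				echo '<p class="notebox">' . gettext('You have users whose credentials have expired.'), '</p>';
			}
		}
	}
}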
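/**
 * Processes the verification POST tickets
 *
 * Reads the `verify_federated_user` ticket from the query string (a hex-encoded serialized
 * array with 'user', 'email' and 'date' entries). If the ticket is under 30 days old and
 * names an existing valid admin, that user is put into the configured federated login group
 * (rights, group name and managed objects copied from the group record, optionally a primary
 * album created), the 'register_user_verified' filter runs, an optional notification mail is
 * sent, the user is logged in and the browser is redirected to the admin page.
 *
 * @param string $script (we do not use this)
 * @return string $script, unchanged
 */
static function verify($script) {
	//process any verifications posted
	if (isset($_GET['verify_federated_user'])) {
		// SECURITY: unserialize() runs on attacker-controlled input (PHP object injection if any
		// loaded class has a __wakeup/__destruct gadget). The ticket only carries a plain array, so
		// pass array('allowed_classes' => false) as soon as the minimum PHP version is 7.0 or later;
		// the shape check below keeps malformed tickets from reaching the database lookup.
		$params = unserialize(pack("H*", trim(sanitize($_GET['verify_federated_user']), '.')));
		if (!is_array($params) || !isset($params['date'], $params['user'], $params['email'])) {
			// malformed or truncated ticket: ignore it (the original dereferenced the keys unguarded;
			// assumes the issuer always includes 'date', as the age check implies — confirm)
			return $script;
		}
		// NOTE(review): no integrity check on the ticket is visible here; unless the issuer signs it,
		// freshness plus knowledge of a user name and e-mail are the only gates to this login.
		if (time() - (int) $params['date'] < 2592000) { // 30 days
			$userobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $params['user'], '`email`=' => $params['email'], '`valid`>' => 0));
			if ($userobj) {
				$groupname = getOption('federated_login_group');
				// groups are stored as admin rows with `valid`=0
				$groupobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $groupname, '`valid`=' => 0));
				if ($groupobj) {
					$userobj->setRights($groupobj->getRights());
					$userobj->setGroup($groupname);
					$userobj->setObjects($groupobj->getObjects());
					if (getOption('register_user_create_album')) {
						$userobj->createPrimealbum();
					}
					$userobj->save();
				}
				zp_apply_filter('register_user_verified', $userobj);
				if (getOption('register_logon_user_notify')) {
					zp_mail(gettext('Zenphoto Gallery registration'), sprintf(gettext('%1$s (%2$s) has registered for the zenphoto gallery providing an e-mail address of %3$s.'), $userobj->getName(), $userobj->getUser(), $userobj->getEmail()));
				}
				Zenphoto_Authority::logUser($userobj);
				header("Location: " . FULLWEBPATH . '/' . ZENFOLDER . '/admin.php');
				exitZP();
			}
		}
	}
	return $script;
}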
exitZP(); } } } } else { // no login form, check the cookie if (isset($_GET['ticket'])) { // password reset query $_zp_authority->validateTicket(sanitize($_GET['ticket']), sanitize(@$_GET['user'])); } else { $_zp_loggedin = $_zp_authority->checkCookieCredentials(); $cloneid = bin2hex(FULLWEBPATH); if (!$_zp_loggedin && isset($_SESSION['admin'][$cloneid])) { // "passed" login $user = unserialize($_SESSION['admin'][$cloneid]); $user2 = $_zp_authority->getAnAdmin(array('`user`=' => $user->getUser(), '`valid`=' => 1)); if ($user2 && $user->getPass() == $user2->getPass()) { Zenphoto_Authority::logUser($user2); $_zp_current_admin_obj = $user2; $_zp_loggedin = $_zp_current_admin_obj->getRights(); } } unset($cloneid); } if ($_zp_loggedin) { $locale = $_zp_current_admin_obj->getLanguage(); if (!empty($locale)) { // set his prefered language setupCurrentLocale($locale); } }
$nouser = true; $returntab = $newuser = false; for ($i = 0; $i < sanitize_numeric($_POST['totaladmins']); $i++) { $updated = false; $error = false; $userobj = NULL; $pass = trim(sanitize($_POST['pass' . $i])); $user = trim(sanitize($_POST['adminuser' . $i])); if (empty($user) && !empty($pass)) { $notify = '?mismatch=nothing'; } if (!empty($user)) { $nouser = false; if (isset($_POST[$i . '-newuser'])) { $newuser = $user; $userobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $user, '`valid`>' => 0)); if (is_object($userobj)) { $notify = '?exists'; break; } else { $what = 'new'; $userobj = Zenphoto_Authority::newAdministrator(''); $userobj->setUser($user); markUpdated(); } } else { $what = 'update'; $userobj = Zenphoto_Authority::newAdministrator($user); markUpdated(); } if (isset($_POST[$i . '-admin_name'])) {
/**
 * Creates a feed object from the URL parameters fetched only
 *
 * Sets the feed type, lets the parent constructor parse the remaining URL options, optionally
 * restores a logged-in admin from a `token` option, and then builds the channel title and the
 * per-feed-type settings (gallery, news, pages, comments). A disabled or unknown feed type ends
 * in self::feed404(); the 'null' feed type returns before any items are fetched.
 *
 * Side effects: may assign the globals $_zp_current_admin_obj and $_zp_loggedin, and pulls in
 * plugin template files with require_once.
 *
 * @param array $options URL parameters; must contain 'rss' (the feed type) and may contain 'token'
 */
function __construct($options = NULL) {
	global $_zp_gallery, $_zp_current_admin_obj, $_zp_loggedin;
	if (empty($options)) {
		self::feed404();
	}
	$this->feedtype = $options['rss'];
	parent::__construct($options);
	if (isset($options['token'])) {
		// The link came from a logged in user, see if it is valid: the token is a hash over the
		// other options. Presumably passwordHash() folds in a site secret — otherwise anyone could
		// compute the token for an arbitrary 'user' id; verify.
		$link = $options;
		unset($link['token']);
		$token = Zenphoto_Authority::passwordHash(serialize($link), '');
		// NOTE(review): `==` between two strings that both look numeric (hex hashes of the form
		// "0e…" qualify) compares them as numbers; hash_equals($token, (string) $options['token'])
		// is the safer comparison.
		if ($token == $options['token']) {
			// 'user' in the link is used as the admin's numeric id (cast to int) — confirm against the issuer
			$adminobj = Zenphoto_Authority::getAnAdmin(array('`id`=' => (int) $link['user']));
			if ($adminobj) {
				$_zp_current_admin_obj = $adminobj;
				$_zp_loggedin = $_zp_current_admin_obj->getRights();
			}
		}
	}
	// general feed setup
	$channeltitlemode = getOption('RSS_title');
	// NOTE(review): HTTP_HOST is client-supplied unless the web server enforces the virtual host name
	$this->host = html_encode($_SERVER["HTTP_HOST"]);
	//channeltitle general
	switch ($channeltitlemode) {
		case 'gallery':
			$this->channel_title = $_zp_gallery->getBareTitle($this->locale);
			break;
		case 'website':
			$this->channel_title = getBare($_zp_gallery->getWebsiteTitle($this->locale));
			break;
		case 'both':
			$website_title = $_zp_gallery->getWebsiteTitle($this->locale);
			$this->channel_title = $_zp_gallery->getBareTitle($this->locale);
			if (!empty($website_title)) {
				$this->channel_title = $website_title . ' - ' . $this->channel_title;
			}
			break;
	}
	// individual feedtype setup ($this->albumfolder, mode, collection, newsoption, sortorder,
	// cattitle, id and commentfeedtype are presumably filled in by the parent constructor)
	switch ($this->feedtype) {
		case 'gallery':
			if (!getOption('RSS_album_image')) {
				self::feed404();
			}
			$albumname = $this->getChannelTitleExtra();
			if ($this->albumfolder) {
				$alb = newAlbum($this->albumfolder, true, true);
				if ($alb->exists) {
					$albumtitle = $alb->getTitle();
					if ($this->mode == 'albums' || $this->collection) {
						$albumname = ' - ' . html_encode($albumtitle) . $this->getChannelTitleExtra();
					}
				} else {
					self::feed404();
				}
			} else {
				$albumtitle = '';
			}
			// NOTE(review): this reassignment discards the ' - <album title>' prefix computed just
			// above, so the channel title never carries the album title; looks unintended.
			$albumname = $this->getChannelTitleExtra();
			$this->channel_title = html_encode($this->channel_title . ' ' . getBare($albumname));
			$this->imagesize = $this->getImageSize();
			require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/image_album_statistics.php';
			break;
		case 'news':
			//Zenpage News RSS
			if (!getOption('RSS_articles')) {
				self::feed404();
			}
			$titleappendix = gettext(' (Latest news)');
			switch ($this->newsoption) {
				case 'withalbums':
				case 'withalbums_mtime':
				case 'withalbums_publishdate':
				case 'withalbums_latestupdated':
					$titleappendix = gettext(' (Latest news and albums)');
					break;
				case 'withimages':
				case 'withimages_mtime':
				case 'withimages_publishdate':
					$titleappendix = gettext(' (Latest news and images)');
					break;
				default:
					// plain news feed: the sort order decides the title suffix
					switch ($this->sortorder) {
						case 'popular':
							$titleappendix = gettext(' (Most popular news)');
							break;
						case 'mostrated':
							$titleappendix = gettext(' (Most rated news)');
							break;
						case 'toprated':
							$titleappendix = gettext(' (Top rated news)');
							break;
						case 'random':
							$titleappendix = gettext(' (Random news)');
							break;
					}
					break;
			}
			$this->channel_title = html_encode($this->channel_title . $this->cattitle . $titleappendix);
			$this->imagesize = $this->getImageSize();
			$this->itemnumber = getOption("RSS_zenpage_items"); // # of Items displayed on the feed
			require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/image_album_statistics.php';
			require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/zenpage/zenpage-template-functions.php';
			break;
		case 'pages':
			//Zenpage Pages RSS
			if (!getOption('RSS_pages')) {
				self::feed404();
			}
			switch ($this->sortorder) {
				case 'popular':
					$titleappendix = gettext(' (Most popular pages)');
					break;
				case 'mostrated':
					$titleappendix = gettext(' (Most rated pages)');
					break;
				case 'toprated':
					$titleappendix = gettext(' (Top rated pages)');
					break;
				case 'random':
					$titleappendix = gettext(' (Random pages)');
					break;
				default:
					$titleappendix = gettext(' (Latest pages)');
					break;
			}
			$this->channel_title = html_encode($this->channel_title . $titleappendix);
			require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/zenpage/zenpage-template-functions.php';
			break;
		case 'comments':
			//Comments RSS
			if (!getOption('RSS_comments')) {
				self::feed404();
			}
			if ($this->id) {
				// map the comment feed type onto the table the item lives in
				switch ($this->commentfeedtype) {
					case 'album':
						$table = 'albums';
						break;
					case 'image':
						$table = 'images';
						break;
					case 'news':
						$table = 'news';
						break;
					case 'page':
						$table = 'pages';
						break;
					default:
						self::feed404();
						break;
				}
				$this->itemobj = getItemByID($table, $this->id);
				if ($this->itemobj) {
					$title = ' - ' . $this->itemobj->getTitle();
				} else {
					self::feed404();
				}
			} else {
				// site-wide comment feed
				$this->itemobj = NULL;
				$title = NULL;
			}
			$this->channel_title = html_encode($this->channel_title . $title . gettext(' (latest comments)'));
			if (extensionEnabled('zenpage')) {
				require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/zenpage/zenpage-template-functions.php';
			}
			break;
		case 'null':
			//we just want the class instantiated
			return;
	}
	$this->feeditems = $this->getitems();
}
/**
 * Logs an attempt for a guest user to log onto the site
 * Returns the "success" parameter.
 *
 * Which attempts are recorded depends on the 'logger_log_type' option: 'all', 'success'
 * only, or 'fail' only. On a successful login the password is blanked before logging and
 * the user's display name is looked up from the active admin records. Note that for a
 * failed attempt the supplied password reaches the logger as submitted.
 *
 * @param bool $success
 * @param string $user
 * @param string $pass
 * @param string $athority what kind of login
 * @return bool
 */
static function guestLoginLogger($success, $user, $pass, $athority) {
	$logtype = getOption('logger_log_type');
	// drop the attempts this log type is not interested in; the early returns echo the outcome
	if ($logtype == 'success' && !$success) {
		return false;
	}
	if ($logtype == 'fail' && $success) {
		return true;
	}
	$displayname = '';
	if ($success) {
		$adminobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $user, '`valid`=' => 1));
		$pass = ''; // mask it from display
		if (is_object($adminobj)) {
			$displayname = $adminobj->getName();
		}
	}
	$outcome = $success ? 1 : 0;
	security_logger::Logger($outcome, $user, $displayname, 'Front-end', $athority, $pass);
	return $success;
}
/**
 * This is the cookie processor filter handler
 * it invokes the child class check() method to see if there is a valid visitor to the site
 * The check() method should return "false" if there is no valid visitor or an array of
 * User information if there is one.
 *
 * If there is a valid user, the user name is checked against Zenphoto users. If such user exists
 * he will be automatically logged in. If no user by that userid exists a transient user will be
 * created and logged in. User details are filled in from the user information in the passed array.
 *
 * Most entries in the result array are simply stored into the user property of the same name. However,
 * there are some special handling items that may be present:
 * <ul>
 * <li>groups: an array of the user's group membership</li>
 * <li>objects: a Zenphoto "managed object list" array</li>
 * <li>album: the name of the user's primary album</li>
 * <li>logout_link: information that the plugin can use when a user logs out</li>
 * </ul>
 *
 * All the above may be missing. However, if there is no groups entry, there needs to be an
 * entry for the user's rights otherwise he will have none. There should not be both a rights entry
 * and a groups entry as they are mutually exclusive.
 *
 * album and objects entries should come last in the list so all other properties are processed first as
 * these methods may modify other properties.
 *
 * Trust note: the identity reported by the external authority ($this->user()) is accepted as-is;
 * an existing active Zenphoto account with that user name is logged in without any further local check.
 *
 * @param BIT $authorized rights already established by Zenphoto's own login handling (falsy when none)
 * @return BIT the rights of the user who ends up logged in, or $authorized unchanged
 */
function check($authorized) {
	global $_zp_current_admin_obj;
	if (!$authorized) { // not logged in via normal Zenphoto handling
		if ($result = $this->user()) {
			$user = $result['user'];
			$searchfor = array('`user`=' => $user, '`valid`=' => 1);
			$userobj = Zenphoto_Authority::getAnAdmin($searchfor);
			if (!$userobj) {
				unset($result['id']);
				unset($result['user']);
				$authority = '';
				// create a transient user
				$userobj = new Zenphoto_Administrator('', 1);
				$userobj->setUser($user);
				$userobj->setRights(NO_RIGHTS); // just in case none get set
				// Flag as external credentials for completeness
				$properties = array_keys($result); // the list of things we got from the external authority
				array_unshift($properties, $this->auth);
				$userobj->setCredentials($properties);
				// populate the user properties (order of $result matters: 'defaultgroup' and 'objects'
				// depend on what an earlier 'groups' entry established)
				$member = false; // no group membership (yet)
				foreach ($result as $key => $value) {
					switch ($key) {
						case 'authority':
							$authority = '::' . $value;
							unset($result['authority']);
							break;
						case 'groups':
							// find the corresponding Zenphoto group (if it exists)
							$rights = NO_RIGHTS;
							$objects = array();
							$groups = $value;
							foreach ($groups as $key => $group) {
								// groups are stored as admin rows with `valid`=0
								$groupobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $group, '`valid`=' => 0));
								if ($groupobj) {
									$member = true;
									$rights = $groupobj->getRights() | $rights;
									$objects = array_merge($groupobj->getObjects(), $objects);
									if ($groupobj->getName() == 'template') {
										// a template contributes its rights/objects but is not kept as a membership
										unset($groups[$key]);
									}
								} else {
									unset($groups[$key]);
								}
							}
							if ($member) {
								$userobj->setGroup(implode(',', $groups));
								$userobj->setRights($rights);
								$userobj->setObjects($objects);
							}
							break;
						case 'defaultgroup':
							if (!$member && isset($result['defaultgroup'])) {
								// No Zenphoto group, use the default group
								$group = $result['defaultgroup'];
								$groupobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $group, '`valid`=' => 0));
								if ($groupobj) {
									$rights = $groupobj->getRights();
									$objects = $groupobj->getObjects();
									// NOTE(review): this is the opposite of the 'groups' case above, which drops
									// the 'template' membership; here the membership is cleared for every group
									// that is NOT the template. Looks inverted — confirm the intended behavior.
									if ($groupobj->getName() != 'template') {
										$group = NULL;
									}
									$userobj->setGroup($group);
									$userobj->setRights($rights);
									$userobj->setObjects($objects);
								}
							}
							break;
						case 'objects':
							// NOTE(review): stores $objects (the list accumulated by the group handling above),
							// not $value; with no 'groups'/'defaultgroup' entry before it, $objects is undefined.
							$userobj->setObjects($objects);
							break;
						case 'album':
							$userobj->createPrimealbum(false, $value);
							break;
						default:
							// everything else (including a 'rights' entry) becomes a user property of the same name
							$userobj->set($key, $value);
							break;
					}
				}
				$properties = array_keys($result); // the list of things we got from the external authority
				array_unshift($properties, $this->auth . $authority);
				$userobj->setCredentials($properties);
			}
			if (isset($result['logout_link'])) {
				$userobj->logout_link = $result['logout_link'];
			}
			$_zp_current_admin_obj = $userobj;
			$authorized = $_zp_current_admin_obj->getRights();
		}
	}
	return $authorized;
}
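/**
 * Cookie-processor filter handler for HTTP Basic authentication.
 *
 * When Zenphoto's own handling has not authorized a user, reads the credentials from
 * PHP_AUTH_USER/PHP_AUTH_PW — reconstructing them from the raw Authorization header
 * first where PHP runs as CGI and the server does not split the header for it — and
 * either accepts the user name without a password check (option 'http_auth_trust') or
 * verifies the pair with Zenphoto_Authority::checkLogon(). On success the admin object
 * becomes the current admin and his rights are returned.
 *
 * @param BIT $authorized rights already established by Zenphoto (falsy when not logged in)
 * @return BIT the (possibly elevated) rights
 */
static function check($authorized) {
	global $_zp_current_admin_obj;
	if (!$authorized) { // not logged in via normal Zenphoto handling
		// PHP-CGI auth fix: the raw header may arrive under either name depending on the rewrite setup
		foreach (array('HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION') as $header) {
			if (!isset($_SERVER[$header])) {
				continue;
			}
			$value = $_SERVER[$header];
			// Only the Basic scheme carries base64("user:password"); other schemes must not be
			// decoded as if they did (the original took substr(6) of whatever was sent).
			if (strncasecmp($value, 'Basic ', 6) !== 0) {
				continue;
			}
			$decoded = base64_decode(substr($value, 6));
			if ($decoded === false) {
				continue;
			}
			// RFC 7617: the user-id cannot contain ':' but the password may — split on the first
			// colon only. The original imploded the remainder with '' and so silently dropped every
			// colon from the password, making such passwords unverifiable.
			$auth_params = explode(':', $decoded, 2);
			$_SERVER['PHP_AUTH_USER'] = $auth_params[0];
			$_SERVER['PHP_AUTH_PW'] = isset($auth_params[1]) ? $auth_params[1] : '';
		}
		if (array_key_exists('PHP_AUTH_USER', $_SERVER) && array_key_exists('PHP_AUTH_PW', $_SERVER)) {
			$user = $_SERVER['PHP_AUTH_USER'];
			$pass = $_SERVER['PHP_AUTH_PW'];
			if (getOption('http_auth_trust')) {
				// trusted mode: the user name is accepted without a password check, so this
				// option only makes sense when the front web server itself authenticates the user;
				// an active (`valid`=1) account of that name must exist
				$userobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $user, '`valid`=' => 1));
			} else {
				$userobj = Zenphoto_Authority::checkLogon($user, $pass);
			}
			if ($userobj) {
				$_zp_current_admin_obj = $userobj;
				$_zp_current_admin_obj->logout_link = false;
				$authorized = $_zp_current_admin_obj->getRights();
			}
		}
	}
	return $authorized;
}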
/**
 * Handles the registration form POST.
 *
 * Validates the submitted fields (honeypot 'username' field, optional captcha, display name,
 * e-mail, password and its confirmation), refuses user names that already exist, creates the
 * new admin with no rights, optionally collects the address fields, runs the
 * 'register_user_registered' filter, saves the user and mails a verification link.
 * Results are communicated through the globals $_notify (a status keyword, or whatever
 * zp_mail() returned), $_link, $_message, $admin_n, $admin_e and $user.
 */
static function post_processor() {
	global $admin_e, $admin_n, $user, $_zp_authority, $_zp_captcha, $_zp_gallery, $_notify, $_link, $_message;
	//Handle registration
	if (isset($_POST['username']) && !empty($_POST['username'])) {
		$_notify = 'honeypot'; // honey pot check (presumably a hidden field that a real user leaves empty)
	}
	if (getOption('register_user_captcha')) {
		if (isset($_POST['code'])) {
			$code = sanitize($_POST['code'], 3);
			$code_ok = sanitize($_POST['code_h'], 3);
		} else {
			$code = '';
			$code_ok = '';
		}
		if (!$_zp_captcha->checkCaptcha($code, $code_ok)) {
			$_notify = 'invalidcaptcha';
		}
	}
	$admin_n = trim(sanitize($_POST['admin_name']));
	if (empty($admin_n)) {
		$_notify = 'incomplete';
	}
	if (isset($_POST['admin_email'])) {
		$admin_e = trim(sanitize($_POST['admin_email']));
	} else {
		// without a separate e-mail field the user name doubles as the address
		$admin_e = trim(sanitize($_POST['user']));
	}
	if (!is_valid_email_zp($admin_e)) {
		$_notify = 'invalidemail';
	}
	$pass = trim(sanitize($_POST['pass']));
	$user = trim(sanitize($_POST['user']));
	if (empty($pass)) {
		$_notify = 'empty';
	} else {
		if (!empty($user) && !empty($admin_n) && !empty($admin_e)) {
			// NOTE(review): `==` on two user-supplied strings is a numeric comparison when both look
			// numeric ('1e3' == '1000'); `===` is the intended test for the password confirmation.
			if (isset($_POST['disclose_password']) || $pass == trim(sanitize($_POST['pass_r']))) {
				$currentadmin = Zenphoto_Authority::getAnAdmin(array('`user`=' => $user, '`valid`>' => 0));
				if (is_object($currentadmin)) {
					$_notify = 'exists';
				}
				// every earlier check records its failure in $_notify, so an empty $_notify means the
				// submission passed all of them (assumes $_notify is empty on entry — TODO confirm)
				if (empty($_notify)) {
					$userobj = Zenphoto_Authority::newAdministrator('');
					$userobj->transient = false;
					$userobj->setUser($user);
					$userobj->setPass($pass);
					$userobj->setName($admin_n);
					$userobj->setEmail($admin_e);
					$userobj->setRights(0); // a fresh registration starts with no rights
					$userobj->setObjects(NULL);
					$userobj->setGroup('');
					$userobj->setCustomData('');
					$userobj->setLanguage(getUserLocale());
					if (extensionEnabled('userAddressFields')) {
						$addresses = getOption('register_user_address_info');
						$userinfo = register_user::getUserInfo(0);
						$_comment_form_save_post = serialize($userinfo);
						if ($addresses == 'required') {
							// each missing field marks the registration transient and appends a message
							if (!isset($userinfo['street']) || empty($userinfo['street'])) {
								$userobj->transient = true;
								$userobj->msg .= ' ' . gettext('You must supply the street field.');
							}
							if (!isset($userinfo['city']) || empty($userinfo['city'])) {
								$userobj->transient = true;
								$userobj->msg .= ' ' . gettext('You must supply the city field.');
							}
							if (!isset($userinfo['state']) || empty($userinfo['state'])) {
								$userobj->transient = true;
								$userobj->msg .= ' ' . gettext('You must supply the state field.');
							}
							if (!isset($userinfo['country']) || empty($userinfo['country'])) {
								$userobj->transient = true;
								$userobj->msg .= ' ' . gettext('You must supply the country field.');
							}
							if (!isset($userinfo['postal']) || empty($userinfo['postal'])) {
								$userobj->transient = true;
								$userobj->msg .= ' ' . gettext('You must supply the postal code field.');
							}
						}
						// NOTE(review): the cookie name is misspelled ('reister'); whatever reads it back must use
						// the same spelling, so it is left alone here. The cookie holds serialize()d form data —
						// if the reader unserialize()s it, that is deserialization of a client-held value; confirm.
						zp_setCookie('reister_user_form_addresses', $_comment_form_save_post);
						userAddressFields::setCustomData($userobj, $userinfo);
					}
					zp_apply_filter('register_user_registered', $userobj);
					if ($userobj->transient) {
						// a filter (or the address checks above) rejected the registration
						if (empty($_notify)) {
							$_notify = 'filter';
						}
					} else {
						$userobj->save();
						if (MOD_REWRITE) {
							$verify = '?verify=';
						} else {
							$verify = '&verify=';
						}
						// NOTE(review): the link host comes from the client-supplied Host header, and the verify
						// parameter is only hex(serialize(user, email)) with no signature or expiry, so it can be
						// reconstructed by anyone who knows the two values — unless the verify handler (not on
						// this page) adds a check of its own.
						$_link = PROTOCOL . "://" . $_SERVER['HTTP_HOST'] . register_user::getLink() . $verify . bin2hex(serialize(array('user' => $user, 'email' => $admin_e)));
						// NOTE(review): the cleartext password is offered to the mail template as %4$s; whether
						// it is actually mailed depends on the 'register_user_text' option text.
						$_message = sprintf(get_language_string(getOption('register_user_text')), $_link, $admin_n, $user, $pass);
						// presumably zp_mail() returns an error text on failure, which then becomes the notification
						$_notify = zp_mail(get_language_string(gettext('Registration confirmation')), $_message, array($user => $admin_e));
						if (empty($_notify)) {
							$_notify = 'accepted';
						}
					}
				}
			} else {
				$_notify = 'mismatch';
			}
		} else {
			$_notify = 'incomplete';
		}
	}
}
} } } $notify = '&saved'; } else { $notify = '&post_error'; } header("Location: " . FULLWEBPATH . "/" . ZENFOLDER . '/' . PLUGIN_FOLDER . '/user_groups/user_groups-tab.php?page=users&tab=groups&subpage=' . $subpage . $notify); exitZP(); case 'saveauserassignments': if (isset($_POST['checkForPostTruncation'])) { for ($i = 0; $i < $_POST['totalusers']; $i++) { if (isset($_POST[$i . 'group'])) { $newgroups = sanitize($_POST[$i . 'group']); $username = trim(sanitize($_POST[$i . '-user'], 3)); $userobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $username, '`valid`>=' => 1)); user_groups::merge_rights($userobj, $newgroups); $userobj->save(); } } $notify = '&saved'; } else { $notify = '&post_error'; } header("Location: " . FULLWEBPATH . "/" . ZENFOLDER . '/' . PLUGIN_FOLDER . '/user_groups/user_groups-tab.php?page=users&tab=assignments&subpage=' . $subpage . $notify); exitZP(); } } printAdminHeader('users'); $background = ''; ?>
$ordered[$key] = $admin['date']; } } asort($ordered); $adminordered = array(); foreach ($ordered as $key => $user) { $adminordered[] = $admins[$key]; } $msg = NULL; if (isset($_GET['action'])) { $action = sanitize($_GET['action']); XSRFdefender($action); if ($action == 'expiry') { foreach ($_POST as $key => $action) { if (strpos($key, 'r_') === 0) { $userobj = Zenphoto_Authority::getAnAdmin(array('`id`=' => str_replace('r_', '', postIndexDecode($key)))); if ($userobj) { switch ($action) { case 'delete': $userobj->remove(); break; case 'disable': $userobj->setValid(2); $userobj->save(); break; case 'enable': $userobj->setValid(1); $userobj->save(); break; case 'renew': $newdate = getOption('user_expiry_interval') * 86400 + strtotime($userobj->getDateTime());