/**
* Adds the user to the system and set password. Also makes it part of the
* login group for the current application.
*
* The fourth parameter defaults to 'Y' and determines if the user should be
* started as an active user.
*
* This routine connects to the node manager database itself, you do not
* have to connect to the node manager before calling it.
*
* Any errors are registred with [[ErrorAdd]]. Check for success by
* calling [[Errors]]. If it returns true the command failed.
*
* INPUTS
* string $UID User Id
* string $PWD Password (Default '')
* string $email Email (Default '')
* string $user_active Start as active user? (Y=yes, N=no) (Default 'Y')
* RETURN
* boolean True if success, False if failure
*/
function UserAdd($UID, $PWD = '', $email = '', $user_active = 'Y')
{
$NEVERUSED = $user_active;
$UID = MakeUserID($UID);
scDBConn_Push('usermaint');
SQL("INSERT INTO users (user_id,member_password,email) " . " values ('{$UID}','{$PWD}','{$email}')");
if (Errors()) {
scDBConn_Pop();
return false;
}
$app = $GLOBALS['AG']['application'];
SQL("INSERT INTO usersxgroups (user_id,group_id)" . " values ('{$UID}','{$app}')");
//SQL("ALTER USER $UID password '$PWD'");
scDBConn_Pop();
return true;
}
function Login_Process()
{
$arg2 = $this->directlogin == true ? 'direct' : '';
// only process if user hit "post"
if (gp('gp_posted', '', false) == '') {
return;
}
vgfSet('LoginAttemptOK', false);
// Error title
vgfSet('ERROR_TITLE', '*');
// If the user supplied a loginUID, this is a post and we
// must process the request.
$ale = vgaGet('login_errors', array());
$app = $GLOBALS['AG']['application'];
$em000 = isset($ale['000']) ? $ale['000'] : "That username/password combination did not work. Please try again.";
$em001 = isset($ale['001']) ? $ale['001'] : "That username/password combination did not work. Please try again.";
$em002 = isset($ale['002']) ? $ale['002'] : "That username/password combination did not work. Please try again.";
$em099 = isset($ale['099']) ? $ale['099'] : "That username/password combination did not work. Please try again.";
$terror = "";
$uid = gp('loginUID');
$uid = MakeUserID($uid);
//$uid = str_replace('@','_',$uid);
//$uid = str_replace('.','_',$uid);
$pwd = gp("loginPWD", "", false);
// First check, never allow the database server's superuser
// account
//
if ($uid == "postgres") {
ErrorAdd($em000);
if (vgfGet('loglogins', false)) {
sysLog(LOG_WARNING, "Andromeda:{$app}:Bad login attempt as postgres");
fwLogEntry('1011', 'Attempt login as postgres', '', $arg2);
}
return;
}
$app = $GLOBALS['AG']['application'];
if (substr($uid, 0, strlen($app)) == $app) {
ErrorAdd($em001);
if (vgfGet('loglogins', false)) {
sysLog(LOG_WARNING, "Andromeda:{$app}:Bad login attempt as group role");
fwLogEntry('1012', 'Attempt login as group role', $uid, $arg2);
}
return;
}
// Begin with a connection attempt.
// on fail, otherwise continue
$tcs = @SQL_CONN($uid, $pwd);
if ($tcs === false) {
ErrorAdd($em099);
if (vgfGet('loglogins', false)) {
sysLog(LOG_NOTICE, "Andromeda:{$app}:Bad login attempt server rejected");
fwLogEntry('1013', 'Server rejected username/password', $uid, $arg2);
}
return;
} else {
SQL_CONNCLOSE($tcs);
}
// The rest of this routine uses an admin connection. If we
// have an error, we must close the connection before returning!
// ...yes, yes, that's bad form, all complaints to /dev/null
//
if (vgfGet('loglogins', false)) {
fwLogEntry('1010', 'Login OK', $uid, $arg2);
}
scDBConn_Push();
// See if they are a root user. If not, do they have an
// active account?
$root = false;
$admin = false;
$group_id_eff = '';
$results = SQL("\n Select oid\n FROM pg_roles \n WHERE rolname = CAST('{$uid}' as name)\n AND rolsuper= true");
$cr = SQL_NUMROWS($results);
if ($cr != 0) {
$root = true;
} else {
$results = SQL("Select * from users WHERE LOWER(user_id)='{$uid}'" . "AND (user_disabled<>'Y' or user_disabled IS NULL)");
$cr = SQL_NUMROWS($results);
if ($cr == 0) {
scDBConn_Pop();
ErrorAdd($em002);
sysLog(LOG_WARNING, "Andromeda:{$app}:Bad login attempt code 002");
return;
} else {
$userinfo = SQL_Fetch_Array($results);
$group_id_eff = $userinfo['group_id_eff'];
SessionSet('user_name', $userinfo['user_name']);
}
}
// Flag if the user is an administrator
if ($root == true) {
$admin = true;
} else {
$results = SQL("select count(*) as admin from usersxgroups " . "where user_id='{$uid}' and group_id ='{$app}" . "_admin'");
$row = SQL_FETCH_ARRAY($results);
$admin = intval($row["admin"]) > 0 ? true : false;
}
// Get the users' groups
$groups = "";
if ($root) {
$results = SQL("\n select group_id \n from zdd.groups \n where COALESCE(grouplist,'')=''");
} else {
$results = SQL("select group_id from usersxgroups WHERE LOWER(user_id)='{$uid}'");
}
while ($row = SQL_FETCH_ARRAY($results)) {
$agroups[] = "'" . trim($row['group_id']) . "'";
#$groups.=ListDelim($groups)."'".trim($row["group_id"])."'";
}
$groups = array();
if (!empty($agroups)) {
$groups = implode(",", $agroups);
}
//scDBConn_Pop();
// We have a successful login. If somebody else was already
// logged in, we need to wipe out that person's session. But
// don't do this if there was an anonymous login.
if (LoggedIn()) {
$uid_previous = SessionGet('UID');
if ($uid != $uid_previous) {
//Session_Destroy();
SessionReset();
//Index_Hidden_Session_Start(false);
}
}
// We know who they are and that they can connect,
// see if there is any app-specific confirmation required
//
if (function_exists('app_login_process')) {
//echo "Calling the process now";
if (!app_login_process($uid, $pwd, $admin, $groups)) {
return;
}
}
// Protect the session from hijacking, generate a new ID
Session_regenerate_id();
// We now have a successful connection, set some
// flags and lets go
//
vgfSet('LoginAttemptOK', true);
SessionSet("UID", $uid);
SessionSet("PWD", $pwd);
SessionSet("ADMIN", $admin);
SessionSet("ROOT", $root);
SessionSet("GROUP_ID_EFF", $group_id_eff);
SessionSet("groups", $groups);
if (gp('gpz_page') == '') {
# KFD 9/12/08, extra command to not change page
if (gp('st2keep') != 1) {
gpSet('gp_page', '');
}
}
$GLOBALS['session_st'] = 'N';
// for "N"ormal
// -------------------------------------------------------------------
// We are about to make the menu. Before doing so, see if there
// are any variables set for the menu layout. Set defaults and then
// load from database.
//
$this->pmenu = array('MENU_TYPE' => vgaGet('MENU_TYPE', 'div'), 'MENU_CLASS_MODL' => vgaGet('MENU_CLASS_MODL', 'modulename'), 'MENU_CLASS_ITEM' => vgaGet('MENU_CLASS_ITEM', 'menuentry'), 'MENU_TICK' => vgaGET('MENU_TICK', ' - '));
//$sql = "SELECT * from variables WHERE variable like 'MENU%'";
//$dbres = SQL($sql);
//while ($row = SQL_FETCH_ARRAY($dbres)) {
// $this->pmenu[trim($row['variable'])]=trim($row['variable_value']);
//}
// -------------------------------------------------------------------
// KFD 10/28/06, Modified to examine "nomenu" instead of permsel
// pulls all tables user has nomenu='N'. The basic idea is
// to remove from $AGMENU the stuff they don't see
//
// GET AGMENU
$AGMENU = array();
// avoid compiler warning, populated next line
include "ddmodules.php";
// Pull distinct modules person has any menu options in.
$sq = "SELECT DISTINCT module\n FROM zdd.perm_tabs \n WHERE nomenu='N'\n AND group_id iN ({$groups})";
$modules = SQL_AllRows($sq, 'module');
$AGkeys = array_keys($AGMENU);
foreach ($AGkeys as $AGkey) {
if (!isset($modules[$AGkey])) {
unset($AGMENU[$AGkey]);
}
}
// Now recurse the remaining modules and do the same trick
// for each one, removing the tables that don't exist
foreach ($AGMENU as $module => $moduleinfo) {
$sq = "SELECT DISTINCT table_id\n FROM zdd.perm_tabs \n WHERE nomenu='N'\n AND module = '{$module}'\n AND group_id iN ({$groups})";
$tables = SQL_AllRows($sq, 'table_id');
$tkeys = array_keys($moduleinfo['items']);
foreach ($tkeys as $tkey) {
if (!isset($tables[$tkey])) {
unset($AGMENU[$module]['items'][$tkey]);
}
}
}
// KFD 12/18/06. Put all table permissions into session
$table_perms = SQL_AllRows("Select distinct table_id FROM zdd.perm_tabs\n WHERE group_id IN ({$groups})\n AND nomenu='N'", 'table_id');
SessionSet('TABLEPERMSMENU', array_keys($table_perms));
$table_perms = SQL_AllRows("Select distinct table_id FROM zdd.perm_tabs\n WHERE group_id IN ({$groups})\n AND permsel='Y'", 'table_id');
SessionSet('TABLEPERMSSEL', array_keys($table_perms));
$table_perms = SQL_AllRows("Select distinct table_id FROM zdd.perm_tabs\n WHERE group_id IN ({$groups})\n AND permins='Y'", 'table_id');
SessionSet('TABLEPERMSINS', array_keys($table_perms));
$table_perms = SQL_AllRows("Select distinct table_id FROM zdd.perm_tabs\n WHERE group_id IN ({$groups})\n AND permupd='Y'", 'table_id');
SessionSet('TABLEPERMSUPD', array_keys($table_perms));
$table_perms = SQL_AllRows("Select distinct table_id FROM zdd.perm_tabs\n WHERE group_id IN ({$groups})\n AND permdel='Y'", 'table_id');
SessionSet('TABLEPERMSDEL', array_keys($table_perms));
//echo "<div style='background-color:white'>";
//echo "$uid $groups $group_id_eff";
//hprint_r(SessionGet('TABLEPERMSMENU'));
//hprint_r(SessionGet('TABLEPERMSSEL'));
//echo "</div>";
// KFD 7/9/07, we always use joomla templates now, don't need
// options to turn them off
//if(defined('_ANDROMEDA_JOOMLA')) {
// In a hybrid situation, put the menu into the session
SessionSet('AGMENU', $AGMENU);
//}
$HTML_Menu = "";
$WML_Menu = "";
/*
foreach ($AGMENU as $key=>$module) {
//if($key=="datadict") continue;
//if($key=="sysref") continue;
$HTML_Module="";
$WML_Module="";
foreach($module["items"] as $itemname=>$item) {
if (!isset($item["mode"])) { $item["mode"]="normal"; }
switch ($item["mode"]) {
case "normal":
$ins=false;
$extra=array();
if($item['menu_parms']<>'') {
$aextras=explode('&',$item['menu_parms']);
foreach($aextras as $aextra) {
list($var,$value)=explode("=",$aextra);
$extra[$var]=$value;
}
}
$HTML_Module.=$this->_MenuItem(
$item['description'],$itemname,$ins,$extra
);
$WML_Module.="<div>";
$WML_Module.=hLink(
'',$item['description'],'?gp_page='.$itemname
);
$WML_Module.="</div>";
break;
case "ins":
//if ($admin || isset($tables_ins[$item["name"]])) {
$HTML_Module.=$this->_MenuItem(
$item['description'],$itemname,true
);
//}
break;
#$HTML_Module.=
# "\n<font class=\"tablename\">- <a href=\"index.php?gp_page=".$itemname."\">".
# $item["description"]."</a></font><br />";
}
}
// the module is defined AFTER its contents so it can be
// left off if it has no entries
if ($HTML_Module!="") {
$HTML_Menu.=$this->_MenuModule($module['description']);
$HTML_Menu.=$HTML_Module;
}
if ($WML_Module!="") {
$WML_Menu.="<div><b>".$module['description']."</b></div>";
$WML_Menu.=$WML_Module;
}
}
*/
DynamicSave("menu_" . $uid . ".php", $HTML_Menu);
DynamicSave("menu_wml_" . $uid . ".php", $WML_Menu);
// -------------------------------------------------------------------
// Fetch and cache user preferences
if (vgaGet('member_profiles')) {
cacheMember_Profiles();
}
// -------------------------------------------------------------------
// Now find the user's table permissions more precisely table by table
$sql = "select p.table_id,\n\t\t\t\tmax(case when p.permins='Y' then 1 else 0 end) as permins,\n\t\t\t\tmax(case when p.permupd='Y' then 1 else 0 end) as permupd,\n\t\t\t\tmax(case when p.permdel='Y' then 1 else 0 end) as permdel,\n\t\t\t\tmax(case when p.permsel='Y' then 1 else 0 end) as permsel\n\t\t\t\tfrom zdd.perm_tabs P\n\t\t\t\tWHERE group_id in ({$groups})\n\t\t\t\tGROUP BY p.table_id";
//echo $sql;
$results = SQL($sql);
$HTML_Perms = "<?php\n\$table_perms = array();\n";
while ($row = SQL_FETCH_ARRAY($results)) {
$tn = $row["table_id"];
$ti = $row["permins"];
$tu = $row["permupd"];
$td = $row["permdel"];
$ts = $row["permsel"];
$HTML_Perms .= "\$table_perms[\"{$tn}\"]=array(\"ins\"=>{$ti},\"upd\"=>{$tu},\"del\"=>{$td},\"sel\"=>{$ts});\n";
}
$HTML_Perms .= "?>\n";
DynamicSave("perms_" . $uid . ".php", $HTML_Perms);
/* October 28, 2006, KFD. Rem'd this all out, column and row security
made this irrelevant
// -------------------------------------------------------------------
// Find out if this user has any UID Columns, columns that create
// filters on the user's UID
$sql = "Select column_id FROM groupuids WHERE group_id IN ($groups)";
//echo $sql;
$results = SQL($sql);
$groupuids = array();
while ($row = SQL_FETCH_ARRAY($results)) {
//echo "Found this one".$row["column_id"];
$groupuids[$row["column_id"]] = $row["column_id"];
}
SessionSet("groupuids",$groupuids);
*/
scDBConn_Pop();
return;
}
function PW_ForgotPage1()
{
// KFD 11/13/06. Heavily modified for new system, threw out
// the older code entirely, now that all apps have a users
// table built into them.
$eml = trim(gp('txt_email'));
$seml = SQLFC(strtolower($eml));
$heml = hx($eml);
$ueml = urlencode($eml);
//$leml= MakeUserId(strtolower($eml));
$db2 = scDBConn_Push('usermaint');
$sq = "Select skey,user_id,member_password,email FROM users " . " where LOWER(email)={$seml}";
$member = SQL_AllRows($sq);
// Nothing of any kind is a bummer, we can't do anything
if (count($member) == 0) {
ErrorAdd('There are no active accounts with that email address');
} else {
$leml = MakeUserID($eml);
$member = $member[0];
// If we know who they are, send a password and allow them to change it
$user_pwkey = md5($member['member_password'] . $leml . time());
//$ref=$_SERVER['HTTP_REFERER'];
$http = httpWebSite() . "/";
$row = array('skey' => $member['skey'], 'user_pwkey' => $user_pwkey);
$UID = $member['user_id'];
$PWD = $member['member_password'];
// KFD 12/21/06. Done for medinfo originally. If UID looks like
// the email, send the email instead
$emailUID = $member['email'];
$table_dd = DD_Tableref('users');
SQLX_Update($table_dd, $row);
$emailuser_id = OptionGet('EMAIL_USERID', 'N') == 'Y' ? $emailUID : $leml;
$text_email = "\nYour username and password are: {$emailuser_id} and {$PWD}.\n \nIf you would like to change your password, click here:\n<{$http}?gp_page=x_password&gpp=2&eml={$ueml}&hash={$user_pwkey}>\n";
scDBConn_Pop();
//echo $text_email;
EmailSend($eml, 'System Access Request', $text_email);
?>
<b>Email Has Been Sent</b>. An email has been sent to you with information
needed to access the system.
<?php
gpSet('gpp', 'X');
}
}