/**
 * Delete rows from $table matching $where using the ONA database handle.
 *
 * Thin convenience wrapper: it only supplies the global $onadb connection to
 * db_delete_record() and hands back whatever that helper returns (callers in
 * this file unpack it as list($status, $rows)). No validation of $table or
 * $where happens here — that is left to db_delete_record().
 */
function ona_delete_record($table = "", $where = "") {
    global $onadb;
    $result = db_delete_record($onadb, $table, $where);
    return $result;
}
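/**
 * xajax handler: create or update a user ("employee") record and keep its
 * "admin" ACL entry in sync with the form's admin checkbox.
 *
 * @param string $window_name  Client-supplied name of the dialog to close on
 *                             success. Untrusted: it is only ever emitted into
 *                             the response JavaScript through json_encode().
 * @param array  $form         Posted fields: fname, lname, username, passwd,
 *                             id (empty for a new record) and admin (checkbox).
 * @return string              xajax response XML. Every failure path returns a
 *                             response whose only effect is a JavaScript alert().
 *
 * Side effects: inserts/updates a row in `users`, inserts/deletes a row in
 * `acl`, and writes NOTICE/ERROR lines through printmsg().
 */
function ws_save($window_name, $form = '') {
    global $conf, $self, $mysql;

    // Authorization first: only admins may create or edit employees. Checked
    // before anything else so an unprivileged caller learns nothing about the
    // target record.
    if (!auth('admin')) {
        $response = new xajaxResponse();
        $response->addScript("alert('Permission denied!');");
        return $response->getXML();
    }

    // The public demo account is read-only.
    if ($_SESSION['auth']['client']['url'] == 'demo') {
        $response = new xajaxResponse();
        $response->addScript("alert('Feature disabled in this demo!');");
        return $response->getXML();
    }

    $response = new xajaxResponse();
    $js = '';

    // Defence in depth: an expired session gets an empty (no-op) response.
    if (!loggedIn()) {
        return $response->getXML();
    }

    // $form comes straight from the client. Normalise a missing/non-array
    // payload and absent keys so the checks below fail cleanly instead of
    // emitting offset warnings; missing keys behave exactly like empty ones.
    if (!is_array($form)) {
        $form = array();
    }
    foreach (array('id', 'fname', 'lname', 'username', 'passwd', 'admin') as $field) {
        if (!isset($form[$field])) {
            $form[$field] = '';
        }
    }

    // Validate input
    if (!$form['fname'] or !$form['lname'] or !$form['username']) {
        $js .= "alert('Error! First name, last name, and username are required fields!');";
        $response->addScript($js);
        return $response->getXML();
    }
    if (!$form['id'] and !$form['passwd']) {
        $js .= "alert('Error! A password is required to create a new employee!');";
        $response->addScript($js);
        return $response->getXML();
    }

    // Usernames are stored in lower case
    $form['username'] = strtolower($form['username']);

    // SECURITY (review): passwords are stored as an unsalted MD5 digest. MD5 is
    // kept here only because the login path (not in this file) compares against
    // the same digest; migrating both sides to password_hash()/password_verify()
    // is strongly recommended. A digest is produced only when a password was
    // actually supplied; an update without one keeps the stored digest.
    $new_password_hash = null;
    if ($form['passwd']) {
        $new_password_hash = md5($form['passwd']);
    }

    $client_id = $_SESSION['auth']['client']['id'];
    $now = date_mangle(time());

    if (!$form['id']) {
        // Create a new record. A password is guaranteed present by the check
        // above, so $new_password_hash is never null here.
        list($status, $rows) = db_insert_record($mysql, 'users', array(
            'client_id' => $client_id,
            'active'    => 1,
            'fname'     => $form['fname'],
            'lname'     => $form['lname'],
            'username'  => $form['username'],
            'passwd'    => $new_password_hash,
            'ctime'     => $now,
            'mtime'     => $now,
        ));
        printmsg("NOTICE => Added new user: {$form['username']} client url: {$_SESSION['auth']['client']['url']}", 0);
    } else {
        // Update. The lookup is scoped to the caller's client_id so a forged id
        // cannot reach (or overwrite) another client's user.
        list($status, $rows, $record) = db_get_record($mysql, 'users', array('id' => $form['id'], 'client_id' => $client_id));
        if ($rows != 1 or $record['id'] != $form['id']) {
            $js .= "alert('Error! The record requested could not be loaded from the database!');";
            $response->addScript($js);
            return $response->getXML();
        }
        // Keep the existing digest unless a new password was supplied.
        $passwd = ($new_password_hash === null) ? $record['passwd'] : $new_password_hash;
        list($status, $rows) = db_update_record($mysql, 'users', array('id' => $form['id']), array(
            'fname'    => $form['fname'],
            'lname'    => $form['lname'],
            'username' => $form['username'],
            'passwd'   => $passwd,
            'mtime'    => $now,
            'active'   => 1,
        ));
        printmsg("NOTICE => Updated user: {$form['username']} client url: {$_SESSION['auth']['client']['url']}", 0);
    }

    // If the module returned an error code display a popup warning
    if ($status) {
        printmsg("ERROR => User add/edit failed! {$self['error']}", 0);
        $js .= "alert('Save failed. Contact the webmaster if this problem persists.');";
        $response->addScript($js);
        return $response->getXML();
    }

    // $window_name is client-controlled: JSON-encode it so it cannot break out
    // of the JavaScript string literal (the HEX flags also neutralise <, >, &,
    // ' and " in case the script is ever embedded in markup).
    $encoded_window = json_encode((string) $window_name, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    $js .= "removeElement(" . $encoded_window . ");";
    $js .= "xajax_window_submit('user_list', xajax.getFormValues('user_list_filter_form'), 'display_list');";

    // Handle the "admin" flag: re-read the (possibly renamed) user, the admin
    // permission, and any existing acl row tying the two together.
    list($status, $rows, $user) = db_get_record($mysql, 'users', array('username' => $form['username'], 'client_id' => $client_id, 'active' => 1));
    list($status, $rows, $perm) = db_get_record($mysql, 'permissions', array('name' => 'admin'));
    list($status, $rows, $acl)  = db_get_record($mysql, 'acl', array('user_id' => $user['id'], 'perm_id' => $perm['id']));

    $is_self    = ($_SESSION['auth']['user']['id'] == $user['id']);
    $acl_status = 0;
    if ($form['admin'] and !$acl['id'] and $user['id'] and $perm['id']) {
        // Grant the admin permission.
        list($acl_status, $rows) = db_insert_record($mysql, 'acl', array('user_id' => $user['id'], 'perm_id' => $perm['id']));
    } elseif (!$form['admin'] and $acl['id'] and $user['id'] and $perm['id'] and !$is_self) {
        // Revoke it — but never for the caller's own account, so an admin
        // cannot lock themselves (and possibly the client) out by accident.
        list($acl_status, $rows) = db_delete_record($mysql, 'acl', array('user_id' => $user['id'], 'perm_id' => $perm['id']));
    } elseif ($is_self and !$form['admin'] and $acl['id']) {
        // They really did try to drop their own admin status: tell them why
        // nothing happened (editing one's own record otherwise stays silent).
        $js .= "alert('WARNING => You can\\'t change your own admin status!');";
    }

    // The user row is already saved at this point; an acl failure must not be
    // silently dropped or the UI would show an admin flag that was never applied.
    if ($acl_status) {
        printmsg("ERROR => User admin flag update failed! {$self['error']}", 0);
        $js .= "alert('Save succeeded, but the admin flag could not be changed. Contact the webmaster if this problem persists.');";
    }

    // Hand the accumulated script back to the client.
    $response->addScript($js);
    return $response->getXML();
}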