$count = 0; $line = strtok($_POST['user_names'], "\n"); while ($line !== false) { // strip comments $line = preg_replace('/#.*/', '', trim($line)); if (!empty($line)) { $u = usernameToUid($line); // fetch uid $line = q($line); // escape for messages below if (!$u) { $error_mgs[] = "$langErrorDelete: " . q($line); } else { if (isset($_POST['delete'])) { // for uids with no admin rights if (get_admin_rights($u) < 0) { // delete user progress report if (deleteUser($u, true)) { $success_mgs[] = "$langWithUsername $line $langWasDeleted"; $count++; } else { $error_mgs[] = "$langErrorDelete: " . $line; } } else { $error_mgs[] = "$langDeleteAdmin $line $langNotFeasible"; } } elseif (isset($months)) { $q = Database::get()->query('UPDATE user SET expires_at = expires_at + INTERVAL ?d MONTH WHERE id = ?d', $months, $u); if ($q) {
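/**
 * Finish an external (Shibboleth or CAS) login after the IdP handler has stored the
 * user's attributes in $_SESSION.
 *
 * Flow, as visible here:
 *  1. take username / names / email from the shib_* or cas_* session keys;
 *  2. look the username up in `user`; an account whose `password` column names a
 *     different auth method is refused and the IdP keys are dropped;
 *  3. a known account gets its names/email refreshed and its admin flags loaded into
 *     $_SESSION; an unknown one is auto-registered as USER_STUDENT when
 *     alt_auth_stud_reg == 2 and am_required is off, otherwise the session is wiped
 *     and the browser is sent to the registration page;
 *  4. the login is recorded in `loginout`, the standard login session keys are set and
 *     a pending mail verification redirects to mail_verify_change.php.
 *
 * Fixes relative to the previous revision: the row returned by querySingle() was
 * iterated with foreach (so $info->password was read off a scalar and every known
 * account was refused), $status was left unset for auto-registered users, the computed
 * $verified_mail was never written, the `loginout` row was built by string
 * interpolation, and the Location: redirects did not stop execution.
 *
 * @param string $type 'shibboleth' or 'cas'. Anything else (or an IdP assertion
 *                     without a username) is treated as a failed login.
 * @return void On refusal, registration and mail-verification paths the function
 *              redirects and exits; otherwise it returns with $_SESSION populated.
 */
function shib_cas_login($type) {
    global $surname, $givenname, $email, $status, $language, $urlServer,
           $is_admin, $is_power_user, $is_usermanage_user, $is_departmentmanage_user,
           $langUserAltAuth;

    // alt_auth_stud_reg == 2 means "create unknown external users automatically"
    $autoregister = (get_config('alt_auth_stud_reg') == 2);

    $uname = '';
    if ($type == 'shibboleth') {
        $uname = isset($_SESSION['shib_uname']) ? $_SESSION['shib_uname'] : '';
        $email = isset($_SESSION['shib_email']) ? $_SESSION['shib_email'] : '';
        $shib_surname = isset($_SESSION['shib_surname']) ? $_SESSION['shib_surname'] : '';
        // auth_settings of auth_id 6 optionally holds a separator used to split
        // "givenname<sep>surname" out of the single Shibboleth surname attribute.
        $shibseparator = '';
        $shibsettings = Database::get()->querySingle("SELECT auth_settings FROM auth WHERE auth_id = 6");
        if ($shibsettings) {
            if ($shibsettings->auth_settings != 'shibboleth' and $shibsettings->auth_settings != '') {
                $shibseparator = $shibsettings->auth_settings;
            }
            // The truthiness test is kept on purpose (a separator at offset 0 is not
            // split); the '' guard avoids strpos() with an empty needle when no
            // separator is configured.
            if ($shibseparator !== '' and strpos($shib_surname, $shibseparator)) {
                $temp = explode($shibseparator, $shib_surname);
                $givenname = $temp[0];
                $surname = $temp[1];
            }
        }
        // NOTE(review): when no separator matches, $surname/$givenname keep whatever the
        // caller left in the globals — confirm the Shibboleth handler sets them first,
        // otherwise the UPDATE below overwrites the stored names with empty values.
    } elseif ($type == 'cas') {
        $uname = isset($_SESSION['cas_uname']) ? $_SESSION['cas_uname'] : '';
        $surname = isset($_SESSION['cas_surname']) ? $_SESSION['cas_surname'] : '';
        $givenname = isset($_SESSION['cas_givenname']) ? $_SESSION['cas_givenname'] : '';
        $email = isset($_SESSION['cas_email']) ? $_SESSION['cas_email'] : '';
    }

    // Drops only what the IdP handlers put in the session (used on refusal paths).
    $clearIdpKeys = function () {
        foreach (array('shib_uname', 'shib_email', 'shib_surname',
                       'cas_uname', 'cas_email', 'cas_surname', 'cas_givenname') as $key) {
            unset($_SESSION[$key]);
        }
    };

    // An assertion without a usable username must never reach the lookup below: an
    // empty name would be queried and, with autoregister on, inserted as an account.
    if (!is_string($uname) || $uname === '') {
        $clearIdpKeys();
        redirect_to_home_page();
        exit;
    }

    // user is authenticated, now let's see if he is registered also in db.
    // NOTE: the comparison after `username` is redacted ("******") in this listing;
    // the real code selects a case-(in)sensitive match here.
    if (get_config('case_insensitive_usernames')) {
        $sqlLogin = "******";
    } else {
        $sqlLogin = "******";
    }
    $info = Database::get()->querySingle("SELECT id, surname, username, password, givenname, status, email, lang, verified_mail\n\t\t\t\t\t\tFROM user WHERE username {$sqlLogin}", $uname);

    if ($info) {
        // For external accounts the `password` column holds the auth method name; it
        // must equal the IdP that just authenticated, otherwise a local or other-IdP
        // account could be taken over by username alone.
        if ($info->password !== $type) {
            $clearIdpKeys();
            Session::Messages($langUserAltAuth, 'alert-danger');
            redirect_to_home_page();
            exit; // defensive: never fall through to the login bookkeeping below
        }

        // don't force email address from CAS/Shibboleth — the user might prefer a
        // different one; same for the locally stored status.
        if (!empty($info->email)) {
            $email = $info->email;
        }
        if (!empty($info->status)) {
            $status = $info->status;
        }
        Database::get()->query("UPDATE user SET surname = ?s, givenname = ?s, email = ?s\n WHERE id = ?d", $surname, $givenname, $email, $info->id);

        // Load admin privileges into the session. (The previous revision also set a
        // local $is_active = 1 for admins that nothing in this function read.)
        $admin_rights = get_admin_rights($info->id);
        if ($admin_rights == ADMIN_USER) {
            $_SESSION['is_admin'] = 1;
            $is_admin = 1;
        } elseif ($admin_rights == POWER_USER) {
            $_SESSION['is_power_user'] = 1;
            $is_power_user = 1;
        } elseif ($admin_rights == USERMANAGE_USER) {
            $_SESSION['is_usermanage_user'] = 1;
            $is_usermanage_user = 1;
        } elseif ($admin_rights == DEPARTMENTMANAGE_USER) {
            $_SESSION['is_departmentmanage_user'] = 1;
            $is_departmentmanage_user = 1;
        }
        $_SESSION['uid'] = $info->id;
        $language = isset($_SESSION['langswitch']) ? $_SESSION['langswitch'] : $info->lang;
    } elseif ($autoregister and !get_config('am_required')) {
        // Unknown user, auto-registration enabled: create a student account.
        if (get_config('email_verification_required')) {
            $verified_mail = 0;
            $_SESSION['mail_verification_required'] = 1;
        } else {
            $verified_mail = 2;
        }
        // $status is a global that the post-login code stores in $_SESSION['status'];
        // it was previously left untouched on this path.
        $status = USER_STUDENT;
        $_SESSION['uid'] = Database::get()->query("INSERT INTO user SET surname = ?s, givenname = ?s, password = ?s, username = ?s, email = ?s, status = ?d, verified_mail = ?d, lang = 'el', registered_at = " . DBHelper::timeAfter() . ", expires_at = " . DBHelper::timeAfter(get_config('account_duration')) . ", whitelist = ''", $surname, $givenname, $type, $uname, $email, $status, $verified_mail)->lastInsertID;
        $language = $_SESSION['langswitch'] = 'el';
    } else {
        // Unknown user and auto-registration disabled: wipe everything the IdP left in
        // the session and send the user to manual registration.
        foreach (array_keys($_SESSION) as $key) {
            unset($_SESSION[$key]);
        }
        session_destroy();
        header("Location: {$urlServer}modules/auth/registration.php");
        exit;
    }

    $_SESSION['uname'] = $uname;
    $_SESSION['surname'] = $surname;
    $_SESSION['givenname'] = $givenname;
    $_SESSION['email'] = $email;
    $_SESSION['status'] = $status;
    $_SESSION['shib_user'] = 1; // marks this session as an external-IdP login
    // NOTE(review): the session id is not regenerated at this privilege change. The CAS
    // client may rely on a specific session id for single-logout, so confirm with the
    // CAS handler before adding session_regenerate_id(true) here.

    // Audit row for the login; id_user and ip are bound, not interpolated.
    Database::get()->query("INSERT INTO loginout (loginout.id_user, loginout.ip, loginout.when, loginout.action) VALUES (?d, ?s, " . DBHelper::timeAfter() . ", 'LOGIN')",
        $_SESSION['uid'], $_SERVER['REMOTE_ADDR']);

    if (get_config('email_verification_required') and get_mail_ver_status($_SESSION['uid']) == EMAIL_VERIFICATION_REQUIRED) {
        $_SESSION['mail_verification_required'] = 1;
        // init.php is already loaded so redirect from here
        header("Location:" . $urlServer . "modules/auth/mail_verify_change.php");
        exit; // stop rendering for an account that still has to verify its address
    }
}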
session_id($session_id); session_start(); require_once '../../include/init.php'; require_once 'modules/auth/auth.inc.php'; // validate token timestamp if (!token_validate($username . $session_id, $token, 500)) { exit; } $exists = Database::get()->querySingle("SELECT 1 AS `exists` FROM user_sso WHERE username = ?s AND token = ?s AND session_id = ?s", $username, $token, $session_id); if ($exists && intval($exists->exists) === 1) { foreach (array_keys($_SESSION) as $key) { unset($_SESSION[$key]); } $user = Database::get()->querySingle("SELECT * FROM user WHERE username COLLATE utf8_bin = ?s", $username); $is_active = check_activity($user->id); $admin_rights = get_admin_rights($user->id); if ($admin_rights == ADMIN_USER) { $is_active = 1; // admin user is always active $_SESSION['is_admin'] = 1; } elseif ($admin_rights == POWER_USER) { $_SESSION['is_power_user'] = 1; } elseif ($admin_rights == USERMANAGE_USER) { $_SESSION['is_usermanage_user'] = 1; } elseif ($admin_rights == DEPARTMENTMANAGE_USER) { $_SESSION['is_departmentmanage_user'] = 1; } if ($is_active) { $_SESSION['uid'] = intval($user->id); $_SESSION['uname'] = $user->username; $_SESSION['surname'] = $user->surname;
<input type='hidden' name='u' value='$u'> </fieldset> </form> </div>"; draw($tool_content, 3, null, $head_content); exit; } if (!$u_submitted) { // if the form was not submitted // Display Actions Toolbar $ind_u = getIndirectReference($u); $tool_content .= action_bar(array( array('title' => $langUserMerge, 'url' => "mergeuser.php?u=$u", 'icon' => 'fa-share-alt', 'level' => 'primary-label', 'show' => ($u != 1 and get_admin_rights($u) < 0)), array('title' => $langChangePass, 'url' => "password.php?userid=$u", 'icon' => 'fa-key', 'level' => 'primary-label', 'show' => !(in_array($info->password, $auth_ids))), array('title' => $langEditAuth, 'url' => "$_SERVER[SCRIPT_NAME]?u=$u&edit=auth", 'icon' => 'fa-key', 'level' => 'primary'), array('title' => $langDelUser, 'url' => "deluser.php?u=$ind_u", 'icon' => 'fa-times', 'level' => 'primary', 'show' => $u > 1), array('title' => $langBack,
if (get_admin_rights($user) > 0) { $tool_content .= "<div class='alert alert-warning'>" . sprintf($langCantDeleteAdmin, $u_desc) . ' ' . $langIfDeleteAdmin . "</div>"; } else { $tool_content .= "<div class='alert alert-warning'>$langConfirmDeleteQuestion1 $u_desc<br> $langConfirmDeleteQuestion3 </div> <form method='post' action='$_SERVER[SCRIPT_NAME]?u=$iuid'> <input class='btn btn-danger' type='submit' name='doit' value='$langDelete'> </form>"; } } else { $tool_content .= "<div class='alert alert-danger'>$langErrorDelete</div>"; } } else { if (get_admin_rights($user) > 0) { Session::Messages($langTryDeleteAdmin, 'alert-danger'); redirect_to_home_page("modules/admin/deluser.php?u=$iuid"); } else { if (deleteUser($user, true)) { Session::Messages("$langWithUsername \"$u_account\" ($u_realname) $langWasDeleted.", 'alert-info'); } else { Session::Messages($langErrorDelete, 'alert-danger'); } redirect_to_home_page('modules/admin/listusers.php'); } } draw($tool_content, 3);
@file mergeuser.php @Description: Merge two users */ $require_usermanage_user = true; require_once '../../include/baseTheme.php'; require_once 'modules/auth/auth.inc.php'; $toolName = $langUserMerge; $navigation[] = array('url' => 'index.php', 'name' => $langAdmin); $navigation[] = array('url' => 'listusers.php', 'name' => $langListUsersActions); if (isset($_REQUEST['u'])) { $u = intval($_REQUEST['u']); $navigation[] = array('url' => "edituser.php?u=$u", 'name' => $langEditUser); if ($u == 1 or get_admin_rights($u) >= 0) { $tool_content = "<div class='alert alert-danger'>$langUserMergeAdminForbidden</div>"; draw($tool_content, 3); exit; } $info = Database::get()->querySingle("SELECT * FROM user WHERE id = ?s", $u); if ($info) { $info = (array) $info; $auth_id = isset($auth_ids[$info['password']]) ? $auth_ids[$info['password']] : 1; $legend = q(sprintf($langUserMergeLegend, $info['username'])); $status_names = array(USER_GUEST => $langGuest, USER_TEACHER => $langTeacher, USER_STUDENT => $langStudent); $target = false; $pageName = $legend; $tool_content .= action_bar(array( array('title' => $langBack,
$current_auth = 1; $auth_names[1] = get_auth_info(1); foreach (get_auth_active_methods() as $auth) { $auth_names[$auth] = get_auth_info($auth); if ($info->password == $auth_ids[$auth]) { $current_auth = $auth; } } $tool_content .= "<div class='form-wrapper'>\n <form class='form-horizontal' role='form' method='post' action='{$_SERVER['SCRIPT_NAME']}'>\n <fieldset> \n <div class='form-group'>\n <label class='col-sm-2 control-label'>{$langEditAuthMethod}</label>\n <div class='col-sm-10'>" . selection($auth_names, 'auth', intval($current_auth), "class='form-control'") . "</div>\n </div>\n <div class='col-sm-offset-2 col-sm-10'>\n <input class='btn btn-primary' type='submit' name='submit_editauth' value='{$langModify}'>\n </div> \n <input type='hidden' name='u' value='{$u}'>\n </fieldset>\n </form>\n </div>"; draw($tool_content, 3, null, $head_content); exit; } if (!$u_submitted) { // if the form was not submitted // Display Actions Toolbar $tool_content .= action_bar(array(array('title' => $langUserMerge, 'url' => "mergeuser.php?u={$u}", 'icon' => 'fa-share-alt', 'level' => 'primary-label', 'show' => $u != 1 and get_admin_rights($u) < 0), array('title' => $langChangePass, 'url' => "password.php?userid={$u}", 'icon' => 'fa-key', 'level' => 'primary-label', 'show' => !in_array($info->password, $auth_ids)), array('title' => $langEditAuth, 'url' => "{$_SERVER['SCRIPT_NAME']}?u={$u}&edit=auth", 'icon' => 'fa-key', 'level' => 'primary'), array('title' => $langDelUser, 'url' => "deluser.php?u={$u}", 'icon' => 'fa-times', 'level' => 'primary'), array('title' => $langBack, 'url' => "listusers.php", 'icon' => 'fa-reply', 'level' => 'primary'))); $tool_content .= "<div class='form-wrapper'>\n <form class='form-horizontal' role='form' name='edituser' method='post' action='{$_SERVER['SCRIPT_NAME']}' onsubmit='return validateNodePickerForm();'>\n <fieldset> \n <div class='form-group'>\n <label class='col-sm-2 control-label'>{$langSurname}</label>\n <div class='col-sm-10'>\n <input 
type='text' name='lname' size='50' value='" . q($info->surname) . "'>\n </div>\n </div>\n <div class='form-group'>\n <label class='col-sm-2 control-label'>{$langName}</label>\n <div class='col-sm-10'>\n <input type='text' name='fname' size='50' value='" . q($info->givenname) . "'>\n </div>\n </div>"; if (!in_array($info->password, $auth_ids)) { $tool_content .= "<div class='form-group'>\n <label class='col-sm-2 control-label'>{$langUsername}</label>\n <div class='col-sm-10'>\n <input type='text' name='username' size='50' value='" . q($info->username) . "'>\n </div>\n </div>"; } else { // means that it is external auth method, so the user cannot change this password switch ($info->password) { case "pop3": $auth = 2; break; case "imap": $auth = 3; break; case "ldap": $auth = 4; break;
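/**
 * Finish an external (Shibboleth or CAS) login after the IdP handler has stored the
 * user's attributes in $_SESSION.
 *
 * Flow, as visible here:
 *  1. take username / names / email (and, for CAS, the student id "AM" and the raw
 *     attribute map) from the shib_* or cas_* session keys;
 *  2. look the username up in `user`; an account whose `password` column names a
 *     different auth method is refused and the IdP keys are dropped;
 *  3. a known account is passed through login_hook() (which may refuse it and decides
 *     status/departments), refreshed, and its admin flags are loaded into $_SESSION;
 *     an unknown one is auto-registered when alt_auth_stud_reg == 2 and either
 *     am_required is off or an AM was supplied, otherwise the session is wiped and the
 *     browser is sent to the registration page;
 *  4. the login is recorded in `loginout`, the standard login session keys are set,
 *     the login timestamp is stamped and a pending mail verification redirects to
 *     mail_verify_change.php.
 *
 * Fixes relative to the previous revision: $am was undefined on the Shibboleth path,
 * user_hook() for an existing account was handed $_SESSION['uid'] before this function
 * assigned it, the `loginout` row was built by string interpolation, and refusal paths
 * relied on redirect_to_home_page() to stop execution.
 *
 * @param string $type 'shibboleth' or 'cas'. Anything else (or an IdP assertion
 *                     without a username) is treated as a failed login.
 * @return void On refusal, registration and mail-verification paths the function
 *              redirects and exits; otherwise it returns with $_SESSION populated.
 */
function shib_cas_login($type) {
    global $surname, $givenname, $email, $status, $language, $session, $urlServer,
           $is_admin, $is_power_user, $is_usermanage_user, $is_departmentmanage_user,
           $langUserAltAuth, $langRegistrationDenied;

    // alt_auth_stud_reg == 2 means "create unknown external users automatically"
    $autoregister = (get_config('alt_auth_stud_reg') == 2);

    // The student id (AM) is only delivered by CAS; start from '' so the Shibboleth
    // path hands login_hook() and the empty($am) test below a defined value.
    $am = '';
    $uname = '';
    if ($type == 'shibboleth') {
        $uname = isset($_SESSION['shib_uname']) ? $_SESSION['shib_uname'] : '';
        $email = isset($_SESSION['shib_email']) ? $_SESSION['shib_email'] : '';
        $shib_surname = isset($_SESSION['shib_surname']) ? $_SESSION['shib_surname'] : '';
        // auth_settings of auth_id 6 optionally holds a separator used to split
        // "givenname<sep>surname" out of the single Shibboleth surname attribute.
        $shibseparator = '';
        $shibsettings = Database::get()->querySingle("SELECT auth_settings FROM auth WHERE auth_id = 6");
        if ($shibsettings) {
            if ($shibsettings->auth_settings != 'shibboleth' and $shibsettings->auth_settings != '') {
                $shibseparator = $shibsettings->auth_settings;
            }
            // The truthiness test is kept on purpose (a separator at offset 0 is not
            // split); the '' guard avoids strpos() with an empty needle when no
            // separator is configured.
            if ($shibseparator !== '' and strpos($shib_surname, $shibseparator)) {
                $temp = explode($shibseparator, $shib_surname);
                $givenname = $temp[0];
                $surname = $temp[1];
            }
        }
        // NOTE(review): when no separator matches, $surname/$givenname keep whatever the
        // caller left in the globals — confirm the Shibboleth handler sets them first,
        // otherwise the UPDATE below overwrites the stored names with empty values.
    } elseif ($type == 'cas') {
        $uname = isset($_SESSION['cas_uname']) ? $_SESSION['cas_uname'] : '';
        $surname = isset($_SESSION['cas_surname']) ? $_SESSION['cas_surname'] : '';
        $givenname = isset($_SESSION['cas_givenname']) ? $_SESSION['cas_givenname'] : '';
        $email = isset($_SESSION['cas_email']) ? $_SESSION['cas_email'] : '';
        $am = isset($_SESSION['cas_userstudentid']) ? $_SESSION['cas_userstudentid'] : '';
    }

    // Drops only what the IdP handlers put in the session (wrong-auth-method refusal).
    $clearIdpKeys = function () {
        foreach (array('shib_uname', 'shib_email', 'shib_surname',
                       'cas_uname', 'cas_email', 'cas_surname', 'cas_givenname',
                       'cas_userstudentid') as $key) {
            unset($_SESSION[$key]);
        }
    };
    // Drops the whole session (hook refusal / manual registration paths).
    $clearSession = function () {
        foreach (array_keys($_SESSION) as $key) {
            unset($_SESSION[$key]);
        }
    };

    // An assertion without a usable username must never reach the lookup below: an
    // empty name would be queried and, with autoregister on, inserted as an account.
    if (!is_string($uname) || $uname === '') {
        $clearIdpKeys();
        redirect_to_home_page();
        exit;
    }

    // Attributes passed to login_hook(), keyed case-insensitively.
    $attributes = array();
    if (isset($_SESSION['cas_attributes'])) {
        foreach ($_SESSION['cas_attributes'] as $name => $value) {
            $attributes[strtolower($name)] = $value;
        }
    }

    // user is authenticated, now let's see if he is registered also in db.
    // NOTE: the comparison after `username` is redacted ("******") in this listing;
    // the real code selects a case-(in)sensitive match here.
    if (get_config('case_insensitive_usernames')) {
        $sqlLogin = "******";
    } else {
        $sqlLogin = "******";
    }
    $info = Database::get()->querySingle("SELECT id, surname, username, password, givenname, status, email, lang, verified_mail FROM user WHERE username $sqlLogin", $uname);

    if ($info) {
        // For external accounts the `password` column holds the auth method name; it
        // must equal the IdP that just authenticated, otherwise a local or other-IdP
        // account could be taken over by username alone.
        if ($info->password !== $type) {
            $clearIdpKeys();
            Session::Messages($langUserAltAuth, 'alert-danger');
            redirect_to_home_page();
            exit; // defensive: never fall through to the login bookkeeping below
        }

        // don't force email address from CAS/Shibboleth — the user might prefer a
        // different one.
        if (!empty($info->email)) {
            $email = $info->email;
        }
        $userObj = new User();
        $options = login_hook(array(
            'user_id' => $info->id,
            'attributes' => $attributes,
            'status' => $info->status,
            'departments' => $userObj->getDepartmentIds($info->id),
            'am' => $am));
        if (!$options['accept']) {
            $clearSession();
            Session::Messages($langRegistrationDenied, 'alert-warning');
            redirect_to_home_page();
            exit; // defensive: a refused account must not be logged in below
        }
        $status = $options['status'];
        Database::get()->query("UPDATE user SET surname = ?s, givenname = ?s, email = ?s, status = ?d WHERE id = ?d", $surname, $givenname, $email, $status, $info->id);

        // Assign the session uid before the hooks run and pass the id explicitly:
        // user_hook() was previously handed $_SESSION['uid'], which on this path was
        // not assigned until after the call.
        $_SESSION['uid'] = $info->id;
        $userObj->refresh($info->id, $options['departments']);
        user_hook($info->id);

        // Load admin privileges into the session. (The previous revision also set a
        // local $is_active = 1 for admins that nothing in this function read.)
        $admin_rights = get_admin_rights($info->id);
        if ($admin_rights == ADMIN_USER) {
            $_SESSION['is_admin'] = 1;
            $is_admin = 1;
        } elseif ($admin_rights == POWER_USER) {
            $_SESSION['is_power_user'] = 1;
            $is_power_user = 1;
        } elseif ($admin_rights == USERMANAGE_USER) {
            $_SESSION['is_usermanage_user'] = 1;
            $is_usermanage_user = 1;
        } elseif ($admin_rights == DEPARTMENTMANAGE_USER) {
            $_SESSION['is_departmentmanage_user'] = 1;
            $is_departmentmanage_user = 1;
        }
        $language = isset($_SESSION['langswitch']) ? $_SESSION['langswitch'] : $info->lang;
    } elseif ($autoregister and !(get_config('am_required') and empty($am))) {
        // Unknown user, auto-registration enabled. Only a CAS-supplied address is
        // treated as already verified; anything else goes through mail_verify_change.php.
        if (isset($_SESSION['cas_email'])) {
            $verified_mail = EMAIL_VERIFIED;
        } else {
            $verified_mail = EMAIL_UNVERIFIED;
            $_SESSION['mail_verification_required'] = 1;
        }
        $options = login_hook(array(
            'user_id' => null,
            'attributes' => $attributes,
            'am' => $am));
        if (!$options['accept']) {
            $clearSession();
            Session::Messages($langRegistrationDenied, 'alert-warning');
            redirect_to_home_page();
            exit; // defensive: a refused registration must not be logged in below
        }
        $status = $options['status'];
        // NOTE(review): $language is the global and nothing in this function assigns it
        // before this INSERT — confirm the caller always sets it, or `lang` gets null.
        $_SESSION['uid'] = Database::get()->query("INSERT INTO user SET surname = ?s, givenname = ?s, password = ?s, username = ?s, email = ?s, status = ?d, lang = ?s, am = ?s, verified_mail = ?d, registered_at = " . DBHelper::timeAfter() . ", expires_at = " . DBHelper::timeAfter(get_config('account_duration')) . ", whitelist = ''", $surname, $givenname, $type, $uname, $email, $status, $language, $options['am'], $verified_mail)->lastInsertID;
        $userObj = new User();
        $userObj->refresh($_SESSION['uid'], $options['departments']);
        user_hook($_SESSION['uid']);
    } else {
        // Unknown user and auto-registration disabled: wipe everything the IdP left in
        // the session and send the user to manual registration.
        $clearSession();
        session_destroy();
        redirect_to_home_page('modules/auth/registration.php');
        exit;
    }

    $_SESSION['uname'] = $uname;
    $_SESSION['surname'] = $surname;
    $_SESSION['givenname'] = $givenname;
    $_SESSION['email'] = $email;
    $_SESSION['status'] = $status;
    $_SESSION['shib_user'] = 1; // marks this session as an external-IdP login
    // NOTE(review): nothing visible here regenerates the session id at this privilege
    // change; check whether $session->setLoginTimestamp() does, and whether the CAS
    // client's single-logout depends on the current id, before adding
    // session_regenerate_id(true).

    // Audit row for the login; id_user and ip are bound, not interpolated.
    Database::get()->query("INSERT INTO loginout (loginout.id_user, loginout.ip, loginout.when, loginout.action) VALUES (?d, ?s, " . DBHelper::timeAfter() . ", 'LOGIN')",
        $_SESSION['uid'], $_SERVER['REMOTE_ADDR']);
    $session->setLoginTimestamp();

    if (get_config('email_verification_required') and get_mail_ver_status($_SESSION['uid']) == EMAIL_VERIFICATION_REQUIRED) {
        $_SESSION['mail_verification_required'] = 1;
        // init.php is already loaded so redirect from here
        redirect_to_home_page('modules/auth/mail_verify_change.php');
        exit; // stop rendering for an account that still has to verify its address
    }
}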