/**
* Initialize view variables and check permissions.
* @param int $view_id id for the view
*/
function view_init($view_id)
{
global $views, $error, $login;
global $ALLOW_VIEW_OTHER, $is_admin;
global $view_name, $view_type, $custom_view;
//set this to prove we in are inside a custom view page
$custom_view = true;
if ((empty($ALLOW_VIEW_OTHER) || $ALLOW_VIEW_OTHER == 'N') && !$is_admin) {
// not allowed...
send_to_preferred_view();
}
if (empty($view_id)) {
do_redirect('views.php');
}
// Find view name in $views[]
$view_name = '';
$view_type = '';
$viewcnt = count($views);
for ($i = 0; $i < $viewcnt; $i++) {
if ($views[$i]['cal_view_id'] == $view_id) {
$view_name = htmlspecialchars($views[$i]['cal_name']);
$view_type = $views[$i]['cal_view_type'];
}
}
// If view_name not found, then the specified view id does not
// belong to current user.
if (empty($view_name)) {
$error = print_not_auth(34);
}
}
<?php
/* $Id: edit_nonusers.php,v 1.23.2.6 2008/05/23 14:14:11 umcesrjones Exp $ */
include_once 'includes/init.php';
print_header(array('js/edit_nonuser.php/false'), '', '', true, '', true, false);
if (!$is_admin) {
echo print_not_auth(3, true) . '
</body>
</html>';
exit;
}
if (!$NONUSER_PREFIX) {
echo print_error_header() . translate('NONUSER_PREFIX not set') . '.
</body>
</html>';
exit;
}
$add = getValue('add');
$nid = getValue('nid');
// Adding/Editing nonuser calendar.
if (($add == '1' || !empty($nid)) && empty($error)) {
$userlist = user_get_users();
$button = translate('Add', true);
$buttonAction = 'Add';
$nid = clean_html($nid);
if (!empty($nid)) {
nonuser_load_variables($nid, 'nonusertemp_');
$id_display = $nid . '
<input type="hidden" name="nid" value="' . $nid . '" />';
$button = translate('Save', true);
$buttonAction = 'Save';
function send_http_login()
{
global $lang_file;
if (strlen($lang_file)) {
$not_authorized = print_not_auth();
$title = translate('Title');
$unauthorized = translate('Unauthorized');
} else {
$not_authorized = 'You are not authorized.';
$title = 'WebCalendar';
$unauthorized = 'Unauthorized';
}
header('WWW-Authenticate: Basic realm="' . "{$title}\"");
header('HTTP/1.0 401 Unauthorized');
echo send_doctype($unauthorized) . '
</head>
<body>
<h2>' . $title . '</h2>
' . $not_authorized . '
</body>
</html>';
exit;
}
if (!empty($nonuser_lookup[$row[0]])) {
$found_nonuser_cal = true;
} else {
$found_reg_user = true;
}
}
dbi_free_result($res);
}
// Does this event contain only nonuser calendars as participants?
// If so, then grant access.
if ($found_nonuser_cal && !$found_reg_user) {
$can_view = true;
}
}
if (empty($error) && !$can_view) {
$error = print_not_auth(8);
}
}
if (!empty($error)) {
print_header();
echo print_error($error, true) . print_trailer();
exit;
}
$disp = $type == 'A' ? 'attachment' : 'inline';
// Print out data now.
Header('Content-Length: ' . $size);
Header('Content-Type: ' . $mimetype);
$description = preg_replace("/\n\r\t+/", ' ', $description);
Header('Content-Description: ' . $description);
// Don't allow spaces in filenames.
//$filename = preg_replace ( "/\n\r\t+/", "_", $filename );
for ($i = 0, $cnt = count($views); $i < $cnt; $i++) {
if ($views[$i]['cal_view_id'] == $id) {
$newview = false;
$viewname = $views[$i]['cal_name'];
if (empty($viewname)) {
$viewname = $unnameViewStr;
}
$viewtype = $views[$i]['cal_view_type'];
$viewisglobal = $views[$i]['cal_is_global'];
}
}
}
// If view_name not found, then the specified view id does not
// belong to current user.
if (empty($viewname)) {
$error = print_not_auth(34);
}
// get list of users for this view
$all_users = false;
if (!$newview) {
$res = dbi_execute('SELECT cal_login FROM webcal_view_user WHERE cal_view_id = ?', array($id));
if ($res) {
while ($row = dbi_fetch_row($res)) {
$viewuser[$row[0]] = 1;
if ($row[0] == '__all__') {
$all_users = true;
}
}
dbi_free_result($res);
} else {
$error = db_error();
<?php
/* $Id: nonusers_handler.php,v 1.23.2.5 2012/02/28 02:07:45 cknudsen Exp $ */
include_once 'includes/init.php';
require_valide_referring_url();
load_user_layers();
$nid = getValue('nid');
$old_admin = getValue('old_admin');
$nfirstname = getValue('nfirstname');
$nlastname = getValue('nlastname');
$nadmin = getValue('nadmin');
$ispublic = getValue('ispublic');
$action = getValue('action');
$delete = getValue('delete');
if (!$is_admin) {
echo print_not_auth(3, true) . print_trailer();
exit;
}
$error = '';
if ($action == 'Delete' || $action == translate('Delete')) {
// delete this nonuser calendar
$user = $nid;
// Get event ids for all events this user is a participant.
$events = get_users_event_ids($user);
// Now count number of participants in each event...
// If just 1, then save id to be deleted.
$delete_em = array();
for ($i = 0, $cnt = count($events); $i < $cnt; $i++) {
$res = dbi_execute('SELECT COUNT( * ) FROM webcal_entry_user
WHERE cal_id = ?', array($events[$i]));
if ($res) {
// This error should get caught before here anyhow,
// so no need to translate this. This is just in case. :-)
$error = 'Invalid characters in login.';
} else {
if (empty($user)) {
// Username cannot be blank. This is currently the only place
// that calls addUser that is located in $user_inc.
$error = $blankUserStr;
} else {
user_add_user($user, $upassword1, $ufirstname, $ulastname, $uemail, $uis_admin, $u_enabled);
activity_log(0, $login, $user, LOG_USER_ADD, "{$ufirstname} {$ulastname}" . (empty($uemail) ? '' : " <{$uemail}>"));
}
}
}
} else {
if (!empty($add) && !access_can_access_function(ACCESS_USER_MANAGEMENT)) {
$error = print_not_auth(15);
} else {
// Don't allow a user to change themself to an admin by setting
// uis_admin in the URL by hand. They must be admin beforehand.
if (!$is_admin) {
$uis_admin = 'N';
}
user_update_user($user, $ufirstname, $ulastname, $uemail, $uis_admin, $uenabled);
activity_log(0, $login, $user, LOG_USER_UPDATE, "{$ufirstname} {$ulastname}" . (empty($uemail) ? '' : " <{$uemail}>"));
}
}
}
}
}
echo error_check('users.php', false);
$error = translate('You have not added any categories.');
}
}
}
// Make sure user is a participant.
$res = dbi_execute('SELECT cal_status FROM webcal_entry_user
WHERE cal_id = ? AND cal_login = ?', array($id, $login));
if ($res) {
if ($row = dbi_fetch_row($res)) {
if ($row[0] == 'D') {
// User deleted themself.
$error = print_not_auth(31);
}
} else {
// Not a participant for this event.
$error = print_not_auth(32);
}
dbi_free_result($res);
} else {
$error = db_error();
}
$cat_id = getValue('cat_id', '-?[0-9,\\-]*', true);
$cat_ids = $cat_name = array();
$catNames = '';
// Get user's categories for this event.
$globals_found = false;
$categories = get_categories_by_id($id, $login, true);
if (!empty($categories)) {
$catNames = implode(', ', $categories);
$keys = array_keys($categories);
$catList = implode(',', $keys);
* this will include which functions the user can access and
* (if $ALLOW_VIEW_OTHER is 'Y') which calendars thay can view/edit/approve
* - update the database (form handler)
*
* Input Parameters:
* user - specifies which user to manage, a form will be presented
* that allows editing rights of this user
*
* access_N - where N is 0 to ACCESS_NUMBER_FUNCTIONS as defined in
* includes/access.php. Each should be either 'Y' or 'N'.
*/
include_once 'includes/init.php';
require_valide_referring_url();
$allow_view_other = !empty($ALLOW_VIEW_OTHER) && $ALLOW_VIEW_OTHER == 'Y';
if (!access_is_enabled()) {
echo print_not_auth(1);
exit;
}
// translate ( 'Database error' )
$dbErrStr = translate('Database error XXX.');
$defConfigStr = translate('DEFAULT CONFIGURATION');
$goStr = '
</select>
<input type="submit" value="' . translate('Go') . '" />
</form>';
$saveStr = translate('Save');
$undoStr = translate('Undo');
$saved = '';
// Are we handling the access form?
// If so, do that, then redirect.
// Handle function access first.
// This will only be used if $username is not __public__.
if (isset($USER_REMOTE_ACCESS) && $username != '__public__') {
if ($USER_REMOTE_ACCESS > 0) {
// plus confidential
$allow_access[] = 'C';
}
if ($USER_REMOTE_ACCESS == 2) {
// plus private
$allow_access[] = 'R';
}
}
user_load_variables($login, 'rss_');
$creator = $username == '__public__' ? 'Public' : $rss_fullname;
if ($username != '__public__' && (empty($USER_RSS_ENABLED) || $USER_RSS_ENABLED != 'Y')) {
header('Content-Type: text/plain');
echo print_not_auth(29);
exit;
}
$cat_id = '';
if ($CATEGORIES_ENABLED == 'Y') {
$x = getValue('cat_id', '-?[0-9]+', true);
if (!empty($x)) {
load_user_categories();
$cat_id = $x;
$category = $categories[$cat_id]['cat_name'];
}
}
if ($load_layers) {
load_user_layers($username);
}
// Calculate date range.
if ($allow_user_override) {
$username = getValue('user');
if (empty($username)) {
$username = '******';
}
} else {
if (getValue('user') != '') {
$error = print_not_auth();
}
}
// Set for use elsewhere as a global
$login = $username;
// Load user preferences for DISPLAY_UNAPPROVED
load_user_preferences();
if ($public_must_be_enabled && $PUBLIC_ACCESS != 'Y') {
$error = print_not_auth(21);
}
if ($error == '') {
if ($allow_user_override) {
$u = getValue('user', "[A-Za-z0-9_\\.=@,\\-]+", true);
if (!empty($u)) {
$username = $u;
$login = $u;
$TIMEZONE = get_pref_setting($username, 'TIMEZONE');
$DISPLAY_UNAPPROVED = get_pref_setting($username, 'DISPLAY_UNAPPROVED');
$DISPLAY_TASKS_IN_GRID = get_pref_setting($username, 'DISPLAY_TASKS_IN_GRID');
// We also set $login since some functions assume that it is set.
}
}
$get_unapproved = !empty($DISPLAY_UNAPPROVED) && $DISPLAY_UNAPPROVED == 'Y';
if ($CATEGORIES_ENABLED == 'Y') {
<?php
/* $Id: select_user.php,v 1.35.2.2 2008/02/12 01:47:52 cknudsen Exp $ */
include_once 'includes/init.php';
print_header();
echo '
<h2>' . translate('View Another Users Calendar') . '</h2>';
if ($ALLOW_VIEW_OTHER != 'Y' && !$is_admin) {
$error = print_not_auth(7);
echo '
<blockquote>' . $error . '</blockquote>';
} else {
if ($PUBLIC_ACCESS == 'Y' && $login == '__public__' && $PUBLIC_ACCESS_OTHERS != 'Y') {
$error = print_not_auth(35);
echo '
<blockquote>' . $error . '</blockquote>';
} else {
$userlist = get_my_users('', 'view');
if ($NONUSER_ENABLED == 'Y') {
$nonusers = get_my_nonusers($login, true);
$userlist = $NONUSER_AT_TOP == 'Y' ? array_merge($nonusers, $userlist) : array_merge($userlist, $nonusers);
}
if (strstr($STARTVIEW, 'view')) {
$url = 'month.php';
} else {
$url = $STARTVIEW;
if ($url == 'month' || $url == 'day' || $url == 'week' || $url == 'year') {
$url .= '.php';
}
}
ob_start();
$editLayerStr = translate('Edit layer');
$editStr = translate('Edit');
$deleteStr = translate('Delete');
$deleteLayerStr = translate('Delete layer');
$areYouSureStr = translate('Are you sure you want to delete this XXX?');
$sourceStr = translate('Source');
$colorStr = translate('Color');
$duplicatesStr = translate('Duplicates');
$noStr = translate('No');
$yesStr = translate('Yes');
$disabledStr = translate('Disabled');
$enableLayersStr = translate('Enable layers');
print_header();
ob_start();
if ($ALLOW_VIEW_OTHER != 'Y') {
echo print_not_auth(7);
} else {
echo '
<h2>' . ($updating_public ? translate($PUBLIC_ACCESS_FULLNAME) . ' ' : '') . translate('Layers') . ' <img src="images/help.gif" alt="' . translate('Help') . '" class="help" onclick="window.open( ' . '\'help_layers.php\', \'cal_help\', \'dependent,menubar,scrollbars,' . 'height=400,width=400,innerHeight=420,outerWidth=420\' );" /></h2>
' . display_admin_link() . translate('Layers are currently') . ' <strong>';
if ($layers_enabled) {
echo translate('Enabled') . '</strong>. (<a class="nav" ' . 'href="layers_toggle.php?status=off' . $u_url . '">' . translate('Disable Layers') . '</a>)<br />' . ($is_admin && empty($public) && (!empty($PUBLIC_ACCESS) && $PUBLIC_ACCESS == 'Y') ? '
<blockquote>
<a href="layers.php?public=1">' . translate('Click here') . ' ' . translate('to modify the layers settings for the') . ' ' . translate($PUBLIC_ACCESS_FULLNAME) . ' ' . translate('calendar') . '.</a>
</blockquote>' : '') . '
<a href="edit_layer.php' . ($updating_public ? '?public=1' : '') . '">' . translate('Add layer') . '</a><br />';
$layer_count = 1;
if ($layers) {
foreach ($layers as $layer) {
user_load_variables($layer['cal_layeruser'], 'layer');
echo '
* "Advanced Search" adds the ability to search other users' calendars.
* We do a number of security checks to make sure this is allowed.
*
* @author Craig Knudsen <*****@*****.**>
* @copyright Craig Knudsen, <*****@*****.**>, http://www.k5n.us/cknudsen
* @license http://www.gnu.org/licenses/gpl.html GNU GPL
* @package WebCalendar
* @version $Id: search_handler.php,v 1.46.2.8 2012/02/28 02:07:45 cknudsen Exp $
*/
include_once 'includes/init.php';
require_valide_referring_url();
$error = '';
// Disable if public access and OVERRIDE_PUBLIC in use
if ($login == '__public__' && !empty($OVERRIDE_PUBLIC) && $OVERRIDE_PUBLIC == 'Y') {
print_header();
echo print_not_auth();
print_trailer();
exit;
}
$keywords = getValue('keywords');
$advanced = getValue('advanced');
if (strlen($keywords) == 0) {
$error = translate('You must enter one or more search keywords') . '.';
}
$matches = 0;
// Determine if this user is allowed to search the calendar of other users
$search_others = false;
// show "Advanced Search"
if ($single_user == 'Y') {
$search_others = false;
}
$pass_length = 8;
$salt = 'abchefghjkmnpqrstuvwxyz0123456789';
srand((double) microtime() * 1000000);
$i = 0;
while ($i < $pass_length) {
$pass .= substr($salt, rand() % 33, 1);
$i++;
}
return $pass;
}
$uemail = $ufirstname = $ulastname = $upassword1 = $upassword2 = $user = '';
// We can limit what domain is allowed to self register.
// $self_registration_domain should have this format "192.168.220.0:255.255.240.0";
$valid_ip = validate_domain();
if (empty($valid_ip)) {
$error = print_not_auth(36);
}
// We could make $control a unique value if necessary.
$control = getPostValue('control');
if (empty($error) && !empty($control)) {
$uemail = getPostValue('uemail');
$ufirstname = getPostValue('ufirstname');
$uis_admin = 'N';
$ulastname = getPostValue('ulastname');
$user = trim(getPostValue('user'));
// translate ( 'Illegal characters in login' )
if ($user != addslashes($user)) {
$error = str_replace('XXX', htmlentities($user), translate('Illegal characters in login XXX.'));
}
// Check to make sure user doesn't already exist.
check_username($user);
if (empty($user)) {
// asking to create a new user
if (!$is_admin) {
// must be admin...
if (!access_can_access_function(ACCESS_USER_MANAGEMENT)) {
$error = print_not_auth(15);
}
}
if (!$admin_can_add_user) {
// if adding users is not allowed...
$error = print_not_auth(16);
}
} else {
// User is editing their account info
if (!access_can_access_function(ACCESS_ACCOUNT_INFO)) {
$error = print_not_auth(17);
}
}
$disableCustom = true;
$INC = array('js/edit_user.php/false');
print_header($INC, '', '', $disableCustom, '', true, false);
if (!empty($error)) {
echo print_error($error);
} else {
?>
<table>
<tr><td style="vertical-align:top; width:50%;">
<h2><?php
if (!empty($user)) {
user_load_variables($user, 'u');
echo translate('Edit User');
$_SERVER['PHP_AUTH_PW'] = $_SERVER['PHP_AUTH_USER'] = '';
unset($_SERVER['PHP_AUTH_USER']);
unset($_SERVER['PHP_AUTH_PW']);
header('WWW-Authenticate: Basic realm="' . $appStr . '"');
header('HTTP/1.0 401 Unauthorized');
exit;
}
}
load_global_settings();
load_user_preferences();
$WebCalendar->setLanguage();
// Load user name, etc.
user_load_variables($login, '');
// Make sure the have privileges to access the activity log
if (!$is_admin || access_is_enabled() && !access_can_access_function(ACCESS_ACTIVITY_LOG)) {
die_miserable_death(print_not_auth(2));
}
$charset = empty($LANGUAGE) ? 'iso-8859-1' : translate('charset');
// This should work ok with RSS, may need to hardcode fallback value.
$lang = languageToAbbrev($LANGUAGE == 'Browser-defined' || $LANGUAGE == 'none' ? $lang : $LANGUAGE);
if ($lang == 'en') {
$lang = 'en-us';
}
//the RSS 2.0 default.
$appStr = generate_application_name();
$descr = $appStr . ' - ' . translate('Activity Log');
// header ( 'Content-type: application/rss+xml');
header('Content-type: text/xml');
echo '<?xml version="1.0" encoding="' . $charset . '"?>
<rss version="2.0" xml:lang="' . $lang . '">
<channel>
$user = preg_replace('/\\.[iI][fF][bB]$/', '', $user);
}
if ($user == 'public') {
$user = '******';
}
load_global_settings();
// Load user preferences (to get the DISPLAY_UNAPPROVED and
// FREEBUSY_ENABLED pref for this user).
$login = $user;
load_user_preferences();
$WebCalendar->setLanguage();
// Load user name, etc.
user_load_variables($user, 'publish_');
if (empty($FREEBUSY_ENABLED) || $FREEBUSY_ENABLED != 'Y') {
header('Content-Type: text/plain');
echo 'user='******'No user specified.');
if (empty($user)) {
die_miserable_death($no_user);
}
$get_unapproved = false;
$datem = date('m');
$dateY = date('Y');
// Start date is beginning of this month.
$startdate = mktime(0, 0, 0, $datem, 0, $dateY);
// End date is one year from now.
// Seems kind of arbitrary, eh?
$enddate = mktime(0, 0, 0, $datem, 1, $dateY + 1);
$nouser = translate('No user specified');
// Make sure they specified a username.
if (empty($user)) {
echo send_doctype($errorStr);
echo <<<EOT
</head>
<body>
<h2>{$errorStr}</h2>
{$nouser}.
</body>
</html>
EOT;
exit;
}
// Load user preferences (to get the USER_PUBLISH_ENABLED and
// DISPLAY_UNAPPROVED setting for this user).
$login = $user;
load_user_preferences();
if (empty($USER_PUBLISH_ENABLED) || $USER_PUBLISH_ENABLED != 'Y') {
header('Content-Type: text/plain');
echo print_not_auth(25);
exit;
}
// Load user name, etc.
user_load_variables($user, 'publish_');
// header ( 'Content-Type: text/plain' );
header('Content-Type: text/calendar');
header('Content-Disposition: attachment; filename="' . $user . '.ics"');
$use_all_dates = true;
$type = 'publish';
export_ical();
<p><a title="' . $addStr . '" href="' . $addurl . '" class="nav">' . $addStr . '</a></p>';
dbi_free_result($res);
} else {
$error = $invalidID;
}
}
// Load the specified report.
if (empty($error) && empty($list)) {
$res = dbi_execute('SELECT cal_login, cal_report_id, cal_is_global,
cal_report_type, cal_include_header, cal_report_name, cal_time_range,
cal_user, cal_allow_nav, cal_cat_id, cal_include_empty, cal_update_date
FROM webcal_report WHERE cal_report_id = ?', array($report_id));
if ($res) {
if ($row = dbi_fetch_row($res)) {
if ($row[2] != 'Y' && $login != $row[0]) {
$error = print_not_auth(14);
} else {
$i = 0;
$report_login = $row[$i++];
$report_id = $row[$i++];
$report_is_global = $row[$i++];
$report_type = $row[$i++];
$report_include_header = $row[$i++];
$report_name = $row[$i++];
$report_time_range = $row[$i++];
$test_report_user = $row[$i++];
// If this report type specifies a specific user,
// then we will use that user even if a user was passed in via URL.
if (!empty($test_report_user)) {
$report_user = $test_report_user;
}
<?php
/* $Id: layers_toggle.php,v 1.29.2.2 2008/03/11 13:57:24 cknudsen Exp $ */
include_once 'includes/init.php';
load_user_layers();
$status = getValue('status', '(on|off)', true);
$public = getValue('public');
if ($ALLOW_VIEW_OTHER != 'Y') {
print_header();
echo print_not_auth(7) . print_trailer();
exit;
}
$updating_public = false;
$url = 'layers.php';
if ($is_admin && !empty($public) && $PUBLIC_ACCESS == 'Y') {
$updating_public = true;
$layer_user = '******';
$url .= '?public=1';
} else {
$layer_user = $login;
}
dbi_execute('DELETE FROM webcal_user_pref WHERE cal_login = ?
AND cal_setting = \'LAYERS_STATUS\'', array($layer_user));
$sql = 'INSERT INTO webcal_user_pref ( cal_login, cal_setting, cal_value )
VALUES ( ?, \'LAYERS_STATUS\', ? )';
if (!dbi_execute($sql, array($layer_user, $status == 'off' ? 'N' : 'Y'))) {
$error = translate('Unable to update preference') . ': ' . dbi_error() . '<br /><br /><span class="bold">SQL:</span> ' . $sql;
break;
}
if (empty($error)) {
do_redirect($url);
* @version $Id: edit_remotes.php,v 1.17.2.4 2007/11/12 20:47:48 umcesrjones Exp $
* @package WebCalendar
* @subpackage Edit Remotes
*
* Security
* $REMOTES_ENABLED must be enabled under System Settings and if
* if UAC is enabled, then the user must be allowed to ACCESS_IMPORT.
*/
include_once 'includes/init.php';
print_header(array('js/edit_remotes.php/false', 'js/visible.php'), '', '', true);
$error = '';
if (!$NONUSER_PREFIX) {
$error = translate('NONUSER_PREFIX not set');
}
if ($REMOTES_ENABLED != 'Y' || access_is_enabled() && !access_can_access_function(ACCESS_IMPORT)) {
$error = print_not_auth(11);
}
if ($error) {
echo print_error($error) . '
</body>
</html>';
exit;
}
$add = getValue('add');
$nid = getValue('nid');
// Adding/Editing remote calendar.
if (($add == '1' || !empty($nid)) && empty($error)) {
$userlist = get_nonuser_cals($login, true);
if (empty($nid)) {
$id_display = '<input type="text" name="nid" id="nid" size="20" ' . 'maxlength="20" onchange="check_name();" /> ' . translate('word characters only');
$lableStr = translate('Add Remote Calendar');
