Пример #1
0
/**
 * Add/update user
 *
 * @param int $user_id - user ID to update (empty for new user)
 * @param array $user_data - user data
 * @param array $auth - authentication information
 * @param bool $ship_to_another - flag indicates that shipping and billing fields are different
 * @param bool $notify_user - flag indicates that user should be notified
 * @return array with user ID and profile ID if success, false otherwise
 */
function fn_update_user($user_id, $user_data, &$auth, $ship_to_another, $notify_user)
{
    /**
     * Actions before updating user
     *
     * @param int   $user_id         User ID to update (empty for new user)
     * @param array $user_data       User data
     * @param array $auth            Authentication information
     * @param bool  $ship_to_another Flag indicates that shipping and billing fields are different
     * @param bool  $notify_user     Flag indicates that user should be notified
     */
    fn_set_hook('update_user_pre', $user_id, $user_data, $auth, $ship_to_another, $notify_user);
    array_walk($user_data, 'fn_trim_helper');
    $register_at_checkout = isset($user_data['register_at_checkout']) && $user_data['register_at_checkout'] == 'Y' ? true : false;
    if (fn_allowed_for('ULTIMATE')) {
        if (AREA == 'A' && !empty($user_data['user_type']) && $user_data['user_type'] == 'C' && (empty($user_data['company_id']) || Registry::get('runtime.company_id') && $user_data['company_id'] != Registry::get('runtime.company_id'))) {
            fn_set_notification('W', __('warning'), __('access_denied'));
            return false;
        }
    }
    if (!empty($user_id)) {
        $current_user_data = db_get_row("SELECT user_id, company_id, is_root, status, user_type, user_login, lang_code, password, salt, last_passwords FROM ?:users WHERE user_id = ?i", $user_id);
        if (empty($current_user_data)) {
            fn_set_notification('E', __('error'), __('object_not_found', array('[object]' => __('user'))), '', '404');
            return false;
        }
        if (!fn_check_editable_permissions($auth, $current_user_data)) {
            fn_set_notification('E', __('error'), __('access_denied'));
            return false;
        }
        if (!empty($user_data['profile_id']) && AREA != 'A') {
            $profile_ids = db_get_fields("SELECT profile_id FROM ?:user_profiles WHERE user_id = ?i", $user_id);
            if (!in_array($user_data['profile_id'], $profile_ids)) {
                fn_set_notification('W', __('warning'), __('access_denied'));
                return false;
            }
        }
        if (fn_allowed_for('ULTIMATE')) {
            if (AREA != 'A' || empty($user_data['company_id'])) {
                //we should set company_id for the frontdend, in the backend company_id received from form
                if ($current_user_data['user_type'] == 'A') {
                    if (!isset($user_data['company_id']) || AREA != 'A' || Registry::get('runtime.company_id')) {
                        // reset administrator's company if it was not set to root
                        $user_data['company_id'] = $current_user_data['company_id'];
                    }
                } elseif (Registry::get('settings.Stores.share_users') == 'Y') {
                    $user_data['company_id'] = $current_user_data['company_id'];
                } else {
                    $user_data['company_id'] = Registry::ifGet('runtime.company_id', 1);
                }
            }
        }
        if (fn_allowed_for('MULTIVENDOR')) {
            if (AREA != 'A') {
                //we should set company_id for the frontend
                $user_data['company_id'] = $current_user_data['company_id'];
            }
        }
        $action = 'update';
    } else {
        $current_user_data = array('status' => AREA != 'A' && Registry::get('settings.General.approve_user_profiles') == 'Y' ? 'D' : (!empty($user_data['status']) ? $user_data['status'] : 'A'), 'user_type' => 'C');
        if (fn_allowed_for('ULTIMATE')) {
            if (!empty($user_data['company_id']) || Registry::get('runtime.company_id') || AREA == 'A') {
                //company_id can be received when we create user account from the backend
                $company_id = !empty($user_data['company_id']) ? $user_data['company_id'] : Registry::get('runtime.company_id');
                if (empty($company_id)) {
                    $company_id = fn_check_user_type_admin_area($user_data['user_type']) ? $user_data['company_id'] : fn_get_default_company_id();
                }
                $user_data['company_id'] = $current_user_data['company_id'] = $company_id;
            } else {
                fn_set_notification('W', __('warning'), __('access_denied'));
                return false;
            }
        }
        $action = 'add';
        $user_data['lang_code'] = !empty($user_data['lang_code']) ? $user_data['lang_code'] : CART_LANGUAGE;
        $user_data['timestamp'] = TIME;
    }
    $original_password = '';
    $current_user_data['password'] = !empty($current_user_data['password']) ? $current_user_data['password'] : '';
    $current_user_data['salt'] = !empty($current_user_data['salt']) ? $current_user_data['salt'] : '';
    // Set the user type
    $user_data['user_type'] = fn_check_user_type($user_data, $current_user_data);
    if (Registry::get('runtime.company_id') && !fn_allowed_for('ULTIMATE') && (!fn_check_user_type_admin_area($user_data['user_type']) || isset($current_user_data['company_id']) && $current_user_data['company_id'] != Registry::get('runtime.company_id'))) {
        fn_set_notification('W', __('warning'), __('access_denied'));
        return false;
    }
    // Check if this user needs login/password
    if (fn_user_need_login($user_data['user_type'])) {
        // Check if user_login already exists
        // FIXME
        if (!isset($user_data['email'])) {
            $user_data['email'] = db_get_field("SELECT email FROM ?:users WHERE user_id = ?i", $user_id);
        }
        $is_exist = fn_is_user_exists($user_id, $user_data);
        if ($is_exist) {
            fn_set_notification('E', __('error'), __('error_user_exists'), '', 'user_exist');
            return false;
        }
        // Check the passwords
        if (!empty($user_data['password1']) || !empty($user_data['password2'])) {
            $original_password = trim($user_data['password1']);
            $user_data['password1'] = !empty($user_data['password1']) ? trim($user_data['password1']) : '';
            $user_data['password2'] = !empty($user_data['password2']) ? trim($user_data['password2']) : '';
        }
        // if the passwords are not set and this is not a forced password check
        // we will not update password, otherwise let's check password
        if (!empty($_SESSION['auth']['forced_password_change']) || !empty($user_data['password1']) || !empty($user_data['password2'])) {
            $valid_passwords = true;
            if ($user_data['password1'] != $user_data['password2']) {
                $valid_passwords = false;
                fn_set_notification('E', __('error'), __('error_passwords_dont_match'));
            }
            // PCI DSS Compliance
            if (fn_check_user_type_admin_area($user_data['user_type'])) {
                $msg = array();
                // Check password length
                $min_length = Registry::get('settings.Security.min_admin_password_length');
                if (strlen($user_data['password1']) < $min_length || strlen($user_data['password2']) < $min_length) {
                    $valid_passwords = false;
                    $msg[] = str_replace("[number]", $min_length, __('error_password_min_symbols'));
                }
                // Check password content
                if (Registry::get('settings.Security.admin_passwords_must_contain_mix') == 'Y') {
                    $tmp_result = preg_match('/\\d+/', $user_data['password1']) && preg_match('/\\D+/', $user_data['password1']) && preg_match('/\\d+/', $user_data['password2']) && preg_match('/\\D+/', $user_data['password2']);
                    if (!$tmp_result) {
                        $valid_passwords = false;
                        $msg[] = __('error_password_content');
                    }
                }
                if ($msg) {
                    fn_set_notification('E', __('error'), implode('<br />', $msg));
                }
                // Check last 4 passwords
                if (!empty($user_id)) {
                    $prev_passwords = !empty($current_user_data['last_passwords']) ? explode(',', $current_user_data['last_passwords']) : array();
                    if (!empty($_SESSION['auth']['forced_password_change'])) {
                        // if forced password change - new password can't be equal to current password.
                        $prev_passwords[] = $current_user_data['password'];
                    }
                    if (in_array(fn_generate_salted_password($user_data['password1'], $current_user_data['salt']), $prev_passwords)) {
                        $valid_passwords = false;
                        fn_set_notification('E', __('error'), __('error_password_was_used'));
                    } else {
                        if (count($prev_passwords) >= 5) {
                            array_shift($prev_passwords);
                        }
                        $user_data['last_passwords'] = implode(',', $prev_passwords);
                    }
                }
            }
            // PCI DSS Compliance
            if (!$valid_passwords) {
                return false;
            }
            $user_data['salt'] = fn_generate_salt();
            $user_data['password'] = fn_generate_salted_password($user_data['password1'], $user_data['salt']);
            if ($user_data['password'] != $current_user_data['password'] && !empty($user_id)) {
                // if user set current password - there is no necessity to update password_change_timestamp
                $user_data['password_change_timestamp'] = $_SESSION['auth']['password_change_timestamp'] = TIME;
            }
            unset($_SESSION['auth']['forced_password_change']);
            fn_delete_notification('password_expire');
        }
    }
    $user_data['status'] = AREA != 'A' || empty($user_data['status']) ? $current_user_data['status'] : $user_data['status'];
    // only administrator can change user status
    // Fill the firstname, lastname and phone from the billing address if the profile was created or updated through the admin area.
    if (AREA == 'A' || Registry::get('settings.Checkout.address_position') == 'billing_first') {
        $main_address_zone = BILLING_ADDRESS_PREFIX;
        $alt_address_zone = SHIPPING_ADDRESS_PREFIX;
    } else {
        $main_address_zone = SHIPPING_ADDRESS_PREFIX;
        $alt_address_zone = BILLING_ADDRESS_PREFIX;
    }
    $user_data = fn_fill_contact_info_from_address($user_data, $main_address_zone, $alt_address_zone);
    if (!fn_allowed_for('ULTIMATE')) {
        //for ult company_id was set before
        fn_set_company_id($user_data);
    }
    if (!empty($current_user_data['is_root']) && $current_user_data['is_root'] == 'Y') {
        $user_data['is_root'] = 'Y';
    } else {
        $user_data['is_root'] = 'N';
    }
    // check if it is a root admin
    $is_root_admin_exists = db_get_field("SELECT user_id FROM ?:users WHERE company_id = ?i AND is_root = 'Y' AND user_id != ?i", $user_data['company_id'], !empty($user_id) ? $user_id : 0);
    $user_data['is_root'] = empty($is_root_admin_exists) && $user_data['user_type'] !== 'C' ? 'Y' : 'N';
    unset($user_data['user_id']);
    if (!empty($user_id)) {
        db_query("UPDATE ?:users SET ?u WHERE user_id = ?i", $user_data, $user_id);
        fn_clean_usergroup_links($user_id, $current_user_data['user_type'], $user_data['user_type']);
        fn_log_event('users', 'update', array('user_id' => $user_id));
    } else {
        if (!isset($user_data['password_change_timestamp'])) {
            $user_data['password_change_timestamp'] = 1;
        }
        $user_id = db_query("INSERT INTO ?:users ?e", $user_data);
        fn_log_event('users', 'create', array('user_id' => $user_id));
    }
    $user_data['user_id'] = $user_id;
    // Set/delete insecure password notification
    if (AREA == 'A' && Registry::get('config.demo_mode') != true && !empty($user_data['password1'])) {
        if (!fn_compare_login_password($user_data, $user_data['password1'])) {
            fn_delete_notification('insecure_password');
        } else {
            $lang_var = 'warning_insecure_password_email';
            fn_set_notification('E', __('warning'), __($lang_var, array('[link]' => fn_url("profiles.update?user_id=" . $user_id))), 'K', 'insecure_password');
        }
    }
    if (empty($user_data['user_login'])) {
        // if we're using email as login or user type does not require login, fill login field
        db_query("UPDATE ?:users SET user_login = '******' WHERE user_id = ?i AND user_login = ''", $user_id, $user_id);
    }
    // Fill shipping info with billing if needed
    if (empty($ship_to_another)) {
        $profile_fields = fn_get_profile_fields($user_data['user_type']);
        $use_default = AREA == 'A' ? true : false;
        fn_fill_address($user_data, $profile_fields, $use_default);
    }
    $user_data['profile_id'] = fn_update_user_profile($user_id, $user_data, $action);
    $user_data = fn_get_user_info($user_id, true, $user_data['profile_id']);
    if ($register_at_checkout) {
        $user_data['register_at_checkout'] = 'Y';
    }
    $lang_code = AREA == 'A' && !empty($user_data['lang_code']) ? $user_data['lang_code'] : CART_LANGUAGE;
    if (!fn_allowed_for('ULTIMATE:FREE')) {
        $user_data['usergroups'] = db_get_hash_array("SELECT lnk.link_id, lnk.usergroup_id, lnk.status, a.type, b.usergroup" . " FROM ?:usergroup_links as lnk" . " INNER JOIN ?:usergroups as a ON a.usergroup_id = lnk.usergroup_id AND a.status != 'D'" . " LEFT JOIN ?:usergroup_descriptions as b ON b.usergroup_id = a.usergroup_id AND b.lang_code = ?s" . " WHERE a.status = 'A' AND lnk.user_id = ?i AND lnk.status != 'D' AND lnk.status != 'F'", 'usergroup_id', $lang_code, $user_id);
    }
    // Send notifications to customer
    if (!empty($notify_user)) {
        $from = 'company_users_department';
        if (fn_allowed_for('MULTIVENDOR')) {
            // Vendor administrator's notification
            // is sent from root users department
            if ($user_data['user_type'] == 'V') {
                $from = 'default_company_users_department';
            }
        }
        // Notify customer about profile activation (when update profile only)
        if ($action == 'update' && $current_user_data['status'] === 'D' && $user_data['status'] === 'A') {
            Mailer::sendMail(array('to' => $user_data['email'], 'from' => $from, 'data' => array('user_data' => $user_data), 'tpl' => 'profiles/profile_activated.tpl', 'company_id' => $user_data['company_id']), fn_check_user_type_admin_area($user_data['user_type']) ? 'A' : 'C', $lang_code);
        }
        // Notify customer about profile add/update
        $prefix = $action == 'add' ? 'create' : 'update';
        // Send password to user only if it was created by admin or vendor
        if (AREA != 'C' && $auth['user_id'] != $user_id) {
            $password = $original_password;
        } else {
            $password = null;
        }
        Mailer::sendMail(array('to' => $user_data['email'], 'from' => $from, 'data' => array('password' => $password, 'user_data' => $user_data), 'tpl' => 'profiles/' . $prefix . '_profile.tpl', 'company_id' => $user_data['company_id']), fn_check_user_type_admin_area($user_data['user_type']) ? 'A' : 'C', $lang_code);
    }
    if ($action == 'add') {
        if (AREA != 'A') {
            if (Registry::get('settings.General.approve_user_profiles') == 'Y') {
                fn_set_notification('W', __('important'), __('text_profile_should_be_approved'));
                // Notify administrator about new profile
                Mailer::sendMail(array('to' => 'company_users_department', 'from' => 'company_users_department', 'reply_to' => $user_data['email'], 'data' => array('user_data' => $user_data), 'tpl' => 'profiles/activate_profile.tpl', 'company_id' => $user_data['company_id']), 'A', Registry::get('settings.Appearance.backend_default_language'));
            } else {
                fn_set_notification('N', __('information'), __('text_profile_is_created'));
            }
        }
        if (!is_null($auth)) {
            if (!empty($auth['order_ids'])) {
                db_query("UPDATE ?:orders SET user_id = ?i WHERE order_id IN (?n)", $user_id, $auth['order_ids']);
            }
        }
    } else {
        if (AREA == 'C') {
            fn_set_notification('N', __('information'), __('text_profile_is_updated'));
        }
    }
    fn_set_hook('update_profile', $action, $user_data, $current_user_data);
    return array($user_id, !empty($user_data['profile_id']) ? $user_data['profile_id'] : false);
}
Пример #2
0
/**
 * Updates administrator password
 *
 * @param string $new_password Value of new password
 */
function fn_settings_wizard_update_password($new_password)
{
    if (!empty($new_password)) {
        $salt = fn_generate_salt();
        $password = fn_generate_salted_password($new_password, $salt);
        db_query('UPDATE ?:users SET salt = ?s, password = ?s WHERE user_id = ?i', $salt, $password, 1);
    }
}
Пример #3
0
/**
 * Регистрация на сайте и в таблице uLogin
 * @param Array $u_user - данные о пользователе, полученные от uLogin
 * @param int $in_db - при значении 1 необходимо переписать данные в таблице ?:ulogin
 * @return bool|int|Error
 */
function fn_ulogin_registration_user($u_user, $in_db = 0)
{
    if (!isset($u_user['email'])) {
        Tygh::$app['view']->assign('ulogin_title', __('ulogin_auth_error_title'));
        Tygh::$app['view']->assign('ulogin_error', __('ulogin_auth_error_msg'));
        Tygh::$app['view']->assign('backurl', $_GET['backurl']);
        Tygh::$app['view']->display('addons/ulogin/views/ulogin/error.tpl');
        exit;
    }
    $u_user['network'] = isset($u_user['network']) ? $u_user['network'] : '';
    $u_user['phone'] = isset($u_user['phone']) ? $u_user['phone'] : '';
    // данные о пользователе есть в ulogin_table, но отсутствуют в Базе
    if ($in_db == 1) {
        db_query('DELETE FROM ?:ulogin WHERE identity = ?s', $u_user['identity']);
    }
    $user_id = fn_ulogin_getUserInfoByEmail($u_user['email']);
    // $check_m_user == 1 -> есть пользователь с таким email
    $check_m_user = !empty($user_id) ? 1 : 0;
    $auth = $_SESSION['auth'];
    $current_user = isset($auth['user_id']) ? $auth['user_id'] : 0;
    // $isLoggedIn == true -> ползователь онлайн
    $isLoggedIn = !empty($current_user) ? 1 : 0;
    if (!$check_m_user && !$isLoggedIn) {
        // отсутствует пользователь с таким email в базе -> регистрация
        $date = explode('.', $u_user['bdate']);
        $user_data = array();
        $user_data['email'] = $u_user['email'];
        $user_data['user_login'] = fn_ulogin_generateNickname($u_user['first_name'], $u_user['last_name'], $u_user['nickname'], $u_user['bdate']);
        $user_data['user_type'] = 'C';
        $user_data['is_root'] = 'N';
        $user_data['salt'] = fn_generate_salt();
        $user_data['password1'] = $user_data['password2'] = fn_generate_password();
        $user_data['b_firstname'] = $u_user['first_name'];
        $user_data['s_firstname'] = $u_user['first_name'];
        $user_data['b_lastname'] = $u_user['last_name'];
        $user_data['s_lastname'] = $u_user['last_name'];
        $user_data['b_phone'] = isset($u_user['phone']) ? trim(preg_replace('/[^0-9]/', ' ', $u_user['phone'])) : '';
        $user_data['s_phone'] = isset($u_user['phone']) ? trim(preg_replace('/[^0-9]/', ' ', $u_user['phone'])) : '';
        $user_data['b_city'] = isset($u_user['city']) ? $u_user['city'] : '';
        $user_data['s_city'] = isset($u_user['city']) ? $u_user['city'] : '';
        $user_data['birthday'] = isset($date['2']) ? $date['2'] : '';
        list($user_data['user_id'], $profile_id) = fn_update_user('', $user_data, $auth, true, true, true);
        $u_user_data = array('user_id' => $user_data['user_id'], 'identity' => $u_user['identity'], 'network' => $u_user['network']);
        db_query("INSERT INTO ?:ulogin ?e", $u_user_data);
        return $user_data['user_id'];
    } else {
        // существует пользователь с таким email или это текущий пользователь
        if (!isset($u_user["verified_email"]) || intval($u_user["verified_email"]) != 1) {
            Tygh::$app['view']->assign('token', $_REQUEST['token']);
            Tygh::$app['view']->display('addons/ulogin/views/ulogin/confirm.tpl');
            exit;
        }
        if (intval($u_user["verified_email"]) == 1) {
            $user_id = $isLoggedIn ? $current_user : $user_id;
            $other_u = db_get_row("SELECT identity FROM ?:ulogin WHERE user_id = ?i", $user_id);
            if ($other_u) {
                if (!$isLoggedIn && !isset($u_user['merge_account'])) {
                    Tygh::$app['view']->assign('token', $_REQUEST['token']);
                    Tygh::$app['view']->assign('identity', $other_u['identity']);
                    Tygh::$app['view']->display('addons/ulogin/views/ulogin/merge.tpl');
                    exit;
                }
            }
            $u_user_data = array('user_id' => $user_id, 'identity' => $u_user['identity'], 'network' => $u_user['network']);
            db_query("INSERT INTO ?:ulogin ?e", $u_user_data);
            return $user_id;
        }
    }
    return false;
}