Пример #1
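function save_themename()
{
    // Renames a theme: every collection row whose configured column equals the
    // current theme name gets the "rename" request value instead, then the
    // browser is redirected back to the link page.
    //
    // The new name comes from getvalescaped() and the old one goes through
    // escape_check(), so both are SQL-escaped before concatenation;
    // $collection_column is a configuration global rather than request input.
    global $baseurl, $link, $themename, $collection_column;
    $sql = "update collection set\t" . $collection_column . "='" . getvalescaped("rename", "") . "' where " . $collection_column . "='" . escape_check($themename) . "'";
    sql_query($sql);
    header("location:" . $baseurl . "/pages/" . $link);
    // Stop processing here: without exit the calling page would keep running
    // (and emitting output) after the redirect header has been sent.
    exit;
}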
function tile_select($tile_type, $tile_style, $tile, $tile_id, $tile_width, $tile_height)
{
    // Renders one dash tile by handing it to the renderer that matches its
    // type and style. Every renderer call is followed by exit, so at most one
    // tile is produced per request; an unknown type/style combination renders
    // nothing and the function simply returns.
    if ($tile_type == "conf") {
        // Preconfigured and legacy tiles controlled by config.
        if ($tile_style == "thmsl") {
            // The theme selector additionally needs the current user's tile.
            global $usertile;
            tile_config_themeselector($tile, $tile_id, $usertile, $tile_width, $tile_height);
            exit;
        }
        // The remaining config styles share one renderer signature; they are
        // checked in the same order as before.
        $conf_renderers = array(
            "theme" => "tile_config_theme",
            "mycol" => "tile_config_mycollection",
            "advsr" => "tile_config_advancedsearch",
            "mycnt" => "tile_config_mycontributions",
            "hlpad" => "tile_config_helpandadvice",
            "custm" => "tile_config_custom",
            "pend"  => "tile_config_pending",
        );
        foreach ($conf_renderers as $style => $renderer) {
            if ($tile_style == $style) {
                $renderer($tile, $tile_id, $tile_width, $tile_height);
                exit;
            }
        }
    } elseif ($tile_type == "ftxt") {
        // Free text tile.
        tile_freetext($tile, $tile_id, $tile_width, $tile_height);
        exit;
    } elseif ($tile_type == "srch") {
        // Search type tiles.
        if ($tile_style == "thmbs") {
            // Thumbnail tiles may carry a promoted image chosen in the request.
            $promoted_image = getvalescaped("promimg", false);
            tile_search_thumbs($tile, $tile_id, $tile_width, $tile_height, $promoted_image);
            exit;
        }
        $search_renderers = array(
            "multi" => "tile_search_multi",
            "blank" => "tile_search_blank",
        );
        foreach ($search_renderers as $style => $renderer) {
            if ($tile_style == $style) {
                $renderer($tile, $tile_id, $tile_width, $tile_height);
                exit;
            }
        }
    }
}
Пример #3
function HookNewsHomeHomebeforepanels()
{
    // Home page "before panels" hook of the news plugin: when the page is
    // being refreshed via ajax, emit a script tag that re-initialises the
    // search bar. Nothing is output otherwise.
    if (!getvalescaped("ajax", false)) {
        return;
    }
    // Same markup, including the surrounding template whitespace, as the
    // inline HTML block this replaces.
    echo "\t\t<script>ReloadSearchBar();</script>\n\t\t";
}
Пример #4
function save_themename()
{
    // Persists a renamed theme: collection rows whose configured column equals
    // the current theme name receive the "rename" request value. Afterwards
    // the after_save_themename hook runs and the browser is redirected to the
    // link page.
    global $baseurl, $link, $themename, $collection_column;
    $new_name = getvalescaped("rename", "");
    $old_name = escape_check($themename);
    $column = $collection_column;
    // Both names have been through the SQL escaping helpers; the column name
    // is a configuration global rather than request input.
    sql_query("update collection set\t{$column}='{$new_name}' where {$column}='{$old_name}'");
    hook("after_save_themename");
    redirect("pages/" . $link);
}
Пример #5
function HookFilterboxSearchSearchstringprocessing()
{
    // Search-string processing hook of the filterbox plugin: appends the
    // "refine_keywords" request value (when non-empty) to the global search
    // string, then normalises the result with refine_searchstring().
    global $search;
    $refine = trim(getvalescaped("refine_keywords", ""));
    if ($refine != "") {
        $search = $search . "," . $refine;
    }
    $search = refine_searchstring($search);
}
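/**
 * Validate the given field.
 *
 * If the field validates, this function will store it in the provided configuration
 * module and key.
 *
 * The raw value is read with getvalescaped(), so it is already SQL-escaped when it
 * reaches the validation patterns below. A validation failure records a message in
 * the global $errorfields array, keyed by field name, and nothing is stored.
 *
 * @param string $fieldname Name of field (provided to the render functions)
 * @param string $modulename Module name to store the field in.
 * @param string $modulekey Module key
 * @param string $type Validation pattern: (bool,safe,float,int,email,regex).
 *                     An unrecognised type is stored without validation.
 * @param bool $required Optional required flag. Defaults to true.
 * @param string $pattern If $type is 'regex' the regex pattern to use.
 * @return bool Returns true if the field was stored in the config database.
 */
function validate_field($fieldname, $modulename, $modulekey, $type, $required = true, $pattern = '')
{
    global $errorfields, $lang;
    $value = getvalescaped($fieldname, '');
    if ($value == '') {
        if ($required == true) {
            $errorfields[$fieldname] = $lang['cfg-err-fieldrequired'];
            return false;
        }
        // Optional and empty: store the empty value. The original fell off the
        // end of the function here and returned null although it had stored.
        set_module_config_key($modulename, $modulekey, $value);
        return true;
    }
    switch ($type) {
        case 'safe':
            if (!preg_match('/^.+$/', $value)) {
                $errorfields[$fieldname] = $lang['cfg-err-fieldsafe'];
                return false;
            }
            break;
        case 'float':
            if (!preg_match('/^[\\d]+(\\.[\\d]*)?$/', $value)) {
                $errorfields[$fieldname] = $lang['cfg-err-fieldnumeric'];
                return false;
            }
            break;
        case 'int':
            if (!preg_match('/^[\\d]+$/', $value)) {
                $errorfields[$fieldname] = $lang['cfg-err-fieldnumeric'];
                return false;
            }
            break;
        case 'email':
            if (!preg_match('/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,4}$/i', $value)) {
                $errorfields[$fieldname] = $lang['cfg-err-fieldemail'];
                return false;
            }
            break;
        case 'regex':
            // An empty pattern cannot match anything; treat it as a failure
            // without letting preg_match() raise a warning.
            if ($pattern == '' || !preg_match($pattern, $value)) {
                $errorfields[$fieldname] = $lang['cfg-err-fieldsafe'];
                return false;
            }
            break;
        case 'bool':
            // Only the literal strings true/false are accepted; the stored
            // value is the corresponding boolean.
            if (strtolower($value) == 'true') {
                $value = true;
            } elseif (strtolower($value) == 'false') {
                $value = false;
            } else {
                $errorfields[$fieldname] = $lang['cfg-err-fieldsafe'];
                return false;
            }
            break;
    }
    set_module_config_key($modulename, $modulekey, $value);
    return true;
}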
function HookDiscount_codePurchase_callbackPayment_complete()
{
    // Payment-complete callback hook of the discount_code plugin: records that
    // the discount code attached to the purchased collection has been used by
    // the purchasing user.
    //
    // This runs from the payment provider's callback, so there is no
    // login/session and $userref cannot be used; the user is looked up via the
    // collection ref passed back in the "custom" parameter instead.
    $collection = getvalescaped("custom", "");
    # Discount code applied to this collection
    $code = sql_value("select discount_code value from collection_resource where collection='{$collection}' limit 1", "");
    # Purchasing user
    $user = sql_value("select ref value from user where current_collection='{$collection}'", 0);
    # Insert used discount code row. $code is re-escaped because it comes back
    # from the database; $user is the ref value returned by the query above.
    sql_query("insert into discount_code_used (code,user) values ('" . escape_check($code) . "','{$user}')");
}
Пример #8
function HookFilterboxSearchSearchaftersearchcookie()
{
    // "After search cookie" hook of the filterbox plugin: captures the filter
    // keywords and cursor position from the request, stores them (plus the
    // current search string) in cookies, and flags that filtering should run.
    global $filter_keywords, $perform_filter, $filter_pos, $search;
    $filter_keywords = getvalescaped("filter_keywords", "");
    $filter_pos = getvalescaped("cursorpos", "");
    $cookies = array(
        'filter' => $filter_keywords,
        'filter_pos' => $filter_pos,
        'original_search' => $search,
    );
    foreach ($cookies as $cookie_name => $cookie_value) {
        // Session cookie (expires 0), default path and domain, HttpOnly set,
        // Secure flag not set.
        setcookie($cookie_name, $cookie_value, 0, '', '', false, true);
    }
    $perform_filter = true;
}
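function HookFormat_chooserCollection_downloadReplacedownloadextension($resource, $extension)
{
    // Collection-download hook of the format chooser: picks the output
    // extension for a resource whose input format can be converted.
    //
    // Returns false when the extension must be left alone (unsupported input
    // format, or the requested/default output format is not in the configured
    // $format_chooser_output_formats allow-list); otherwise the lower-cased
    // output extension. $extension is part of the hook signature but unused.
    global $format_chooser_output_formats;
    $inputFormat = $resource['file_extension'];
    if (!supportsInputFormat($inputFormat)) {
        # Do not replace the extension for this resource
        return false;
    }
    // "ext" is request input, so it is checked against the configured
    // allow-list with a strict comparison: the list is expected to hold
    // strings, and a loose in_array() could be satisfied by a non-string entry.
    $ext = strtoupper(getvalescaped('ext', getDefaultOutputFormat($inputFormat)));
    if (!in_array($ext, $format_chooser_output_formats, true)) {
        return false;
    }
    return strtolower($ext);
}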
Пример #10
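function HookFormat_chooserAllGetdownloadurl($ref, $size, $ext, $page = 1, $alternative = -1)
{
    // "Get download URL" hook of the format chooser: routes downloads through
    // the plugin's convert page instead of the stored file.
    //
    // When no conversion "profile" was requested and the requested size/format
    // already exists on disk, returns false so the default download URL is
    // used. Otherwise returns the convert.php URL carrying the resource, size,
    // format, profile (if any), page and alternative.
    global $baseurl_short;
    $profile = getvalescaped('profile', null);
    if (!empty($profile)) {
        // Request input goes into a query string, so URL-encode it (it used to
        // be appended raw).
        $profile = '&profile=' . urlencode($profile);
    } else {
        // Nothing to append. Note empty() also treats "0" as empty; previously
        // that raw "0" was glued onto the ext parameter of the URL.
        $profile = '';
        $path = get_resource_path($ref, true, $size, false, $ext, -1, $page, $size == "scr" && checkperm("w") && $alternative == -1, '', $alternative);
        if (file_exists($path)) {
            return false;
        }
    }
    return $baseurl_short . 'plugins/format_chooser/pages/convert.php?ref=' . $ref . '&size=' . $size . '&ext=' . $ext . $profile . '&page=' . $page . '&alt=' . $alternative;
}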
Пример #11
function HookRefineresultsSearchSearchstringprocessing()
{
    // Search-string processing hook of the refineresults plugin: merges the
    // "refine_keywords" request value into the global search string and then
    // normalises it with refine_searchstring().
    global $search, $k;
    $refine = trim(getvalescaped("refine_keywords", ""));
    if ($refine == "") {
        $search = refine_searchstring($search);
        return;
    }
    if ($k != "") {
        # External share (access key present): there is no search bar, so the
        # refinement replaces everything after the first word of the search.
        $parts = explode(" ", $search);
        $search = $parts[0] . " " . $refine;
    } else {
        $search .= ", " . $refine;
    }
    $search = refine_searchstring($search);
}
Пример #12
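function get_annotate_file_path($ref, $getfilepath, $extension)
{
    // Returns the location of the annotations file for a resource inside the
    // "annotate" temp area.
    //
    // @param mixed  $ref         Resource ref (not used in the path itself)
    // @param bool   $getfilepath Passed inverted to get_temp_dir(); see that
    //                            function for the path-vs-URL meaning
    // @param string $extension   File extension of the annotations file
    // @return string
    global $storageurl;
    global $storagedir;
    global $scramble_key;
    if (!file_exists($storagedir . "/annotate")) {
        // Mode kept as in the original; the effective mode also depends on
        // the process umask.
        mkdir($storagedir . "/annotate", 0777);
    }
    global $uniqid;
    // $uniqid may be preset before a manual create_annotated_pdf call, or sent
    // with the request; the request value wins when present.
    $uniqid = getvalescaped("uniqid", $uniqid);
    // The value becomes a directory and file-name component, so it is limited
    // to a single path segment (no separators, no ".."). Anything else is
    // treated as if no uniqid had been supplied.
    if ($uniqid != "" && (strpos($uniqid, "..") !== false || !preg_match('/^[A-Za-z0-9._-]+$/', $uniqid))) {
        $uniqid = "";
    }
    $uniqfolder = ($uniqid != "") ? "/" . $uniqid : "";
    $tmpfolder = get_temp_dir(!$getfilepath, "annotate{$uniqfolder}");
    return $tmpfolder . "/{$uniqid}-annotations." . $extension;
}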
Пример #13
function HookDiscount_codePurchaseAdjust_item_price($origprice, $resource, $size)
{
    // "Adjust item price" purchase hook of the discount_code plugin: applies
    // the percentage discount of the "discount_code" request value to the
    // price of one resource/size.
    //
    // Returns the (possibly pipeline-adjusted) original price when no code was
    // given; false, with $discount_error set, when the code is unknown or was
    // already used by this user; otherwise the discounted price rounded to two
    // decimals.
    global $discount_error, $discount_applied, $lang;
    # Discount pipeline support: an earlier hook call may already have adjusted
    # the price for this resource/size, in which case start from that value.
    global $purchase_pipeline_price;
    if (isset($purchase_pipeline_price[$resource][$size])) {
        $origprice = $purchase_pipeline_price[$resource][$size];
    }
    $discount_code = trim(strtoupper(getvalescaped("discount_code", "")));
    if ($discount_code == "") {
        # No code specified
        return $origprice;
    }
    # Check that the discount code exists ($discount_code has been through
    # getvalescaped(), so it is SQL-escaped).
    $matches = sql_query("select * from discount_code where upper(code)='{$discount_code}'");
    if (count($matches) == 0) {
        $discount_error = $lang["error-invalid-discount-code"];
        return false;
    }
    $discount_info = $matches[0];
    # Check that the user has not already used this discount code
    global $userref;
    $used = sql_value("select count(*) value from discount_code_used where user='******' and upper(code)='{$discount_code}'", 0);
    if ($used > 0) {
        $discount_error = $lang["error-discount-code-already-used"];
        return false;
    }
    $percent = $discount_info["percent"];
    $discount_applied = $percent;
    # Store the code against the collection so the PayPal callback can retrieve
    # it and mark the code as used for this user.
    global $usercollection;
    sql_query("update collection_resource set discount_code='" . $discount_code . "' where collection='" . $usercollection . "'");
    $discounted = round((100 - $percent) / 100 * $origprice, 2);
    # Remember the result for subsequent hook calls in the pipeline.
    $purchase_pipeline_price[$resource][$size] = $discounted;
    return $discounted;
}
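function HookUser_preferencesuser_preferencesSaveadditionaluserpreferences()
{
    // "Save additional user preferences" hook: lets the current user change
    // their username, e-mail address and full name, each only when the
    // corresponding $user_preferences_change_* setting allows it.
    //
    // Returns false, after setting $GLOBALS['errorUsername'] or
    // $GLOBALS['errorEmail'], when the requested username or e-mail already
    // belongs to another account. Otherwise returns true when no password
    // change was submitted (no current password, or both new-password fields
    // empty) and false when one was.
    global $user_preferences_change_username, $user_preferences_change_email, $user_preferences_change_name, $userref, $useremail, $username, $userfullname, $lang;
    $newUsername = trim(safe_file_name(getvalescaped('username', $username)));
    // Default to the current e-mail address. The original defaulted to
    // $userfullname, so an absent "email" value always looked like a change.
    $newEmail = getvalescaped('email', $useremail);
    $newFullname = getvalescaped('fullname', $userfullname);
    $changeUsername = $user_preferences_change_username && $username != $newUsername;
    $changeEmail = $user_preferences_change_email && $useremail != $newEmail;
    $changeName = $user_preferences_change_name && $userfullname != $newFullname;
    # Check if a user with that username already exists
    if ($changeUsername) {
        $existing = sql_query('select ref from user where username=\'' . escape_check($newUsername) . '\'');
        if (!empty($existing)) {
            $GLOBALS['errorUsername'] = $lang['useralreadyexists'];
            return false;
        }
    }
    # Check if a user with that email already exists
    if ($changeEmail) {
        $existing = sql_query('select ref from user where email=\'' . escape_check($newEmail) . '\'');
        if (!empty($existing)) {
            $GLOBALS['errorEmail'] = $lang['useremailalreadyexists'];
            return false;
        }
    }
    # Store changed values in DB, and update the global variables as header.php is included next
    if ($changeUsername) {
        sql_query("update user set username='******' where ref='" . $userref . "'");
        $username = $newUsername;
    }
    if ($changeEmail) {
        sql_query("update user set email='" . escape_check($newEmail) . "' where ref='" . $userref . "'");
        $useremail = $newEmail;
    }
    if ($changeName) {
        sql_query("update user set fullname='" . escape_check($newFullname) . "' where ref='" . $userref . "'");
        $userfullname = $newFullname;
    }
    // Precedence made explicit; same as the original "a || b && c".
    return getvalescaped('currentpassword', '') == '' || (getvalescaped('password', '') == '' && getvalescaped('password2', '') == '');
}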
Пример #15
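<?php
include "../include/db.php";
include "../include/general.php";
include "../include/authenticate.php";
include_once "../include/collections_functions.php";

# Paging inputs are used in arithmetic below, so they are forced to integers;
# a zero or non-numeric page size would otherwise break the ceil()/floor()
# divisions.
$offset=(int) getvalescaped("offset",0);
$ref=getvalescaped("ref","",true);

# Check access
if (!collection_readable($ref)) {exit($lang["no_access_to_collection"]);}

# pager (page size is at least 1; remembered in a session cookie)
$per_page=max(1, (int) getvalescaped("per_page_list_log",15));
setcookie("per_page_list_log",$per_page, 0, '', '', false, true);

include "../include/header.php";
# Fetch enough log rows to cover everything up to the current page.
$log=get_collection_log($ref, $offset+$per_page);
$results=count($log);
$totalpages=ceil($results/$per_page);
$curpage=floor($offset/$per_page)+1;

# Base URL for pager links
$url=$baseurl . "/pages/collection_log.php?ref=" . $ref;
$jumpcount=1;

?>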

<?php
# Fetch and translate collection name
$colinfo = get_collection($ref);
$colname = i18n_get_collection_name($colinfo);
if (!checkperm("b"))
Пример #16
include '../../../include/db.php';
//include '../../../include/authenticate.php'; if ( ! checkperm('u')) exit('Permission denied.');
// NOTE(review): with the authenticate include above commented out, nothing in
// this script establishes a logged-in user before the approval rows are written.
include '../../../include/general.php';
// Stupid function to provide default values
/**
 * Default-value helper: returns $default when $val is empty in PHP's sense
 * (null, "", "0", 0, false, []), otherwise $val unchanged.
 */
function val($val, $default = NULL)
{
    if (empty($val)) {
        return $default;
    }
    return $val;
}
// Get posted values
// $referrer is a base64-encoded redirect target supplied by the client; it is
// decoded here but not otherwise validated before being passed to redirect().
$referrer = base64_decode(getvalescaped('referrer', base64_encode('../../../index.php')));
// -999 marks "no ref supplied"; the cast keeps the value numeric for the SQL below.
$ref = (int) getvalescaped('ref', -999);
$time = time();
$status = getvalescaped('status', 'approved');
// name/signature/comment come from getvalescaped(), i.e. they are already
// SQL-escaped when interpolated into the statements below.
$name = getvalescaped('name', NULL);
$signature = getvalescaped('signature', NULL);
$comment = getvalescaped('comment', NULL);
// Validate: name and signature must be non-empty (empty() also rejects "0"),
// and status must be one of the three known values (loose in_array comparison).
$valid = TRUE;
if (empty($name) or empty($signature) or !in_array($status, array('approved', 'minor', 'major'))) {
    $valid = FALSE;
}
// If no $_POST or this resource doesn't exist then redirect back to resource
// NOTE(review): the inserts below are only safe if redirect() terminates the
// script; confirm that in its definition.
if (empty($_POST) or !$valid or $ref === -999 or (int) sql_value("SELECT COUNT(*) AS value FROM resource WHERE ref = {$ref}", 0) < 1) {
    redirect($referrer);
}
// Insert a new history item
sql_query("INSERT INTO approval (ref, posted, comment, name, signature, status) VALUES ({$ref}, NOW(), '{$comment}', '{$name}', '{$signature}', '{$status}')");
// Update resource approval field
sql_query("UPDATE resource SET approval_status = '{$status}' WHERE ref = {$ref}");
// Get approval plugin settings
$settings = get_plugin_config('approval');
Пример #17
<?php

include "../../../include/db.php";
include "../../../include/general.php";
include "../../../include/authenticate.php";
// Only users holding the "u" permission may reach this configuration page.
if (!checkperm("u")) {
    exit("Permission denied.");
}
// Defaults for settings that the configuration may not define.
$magictouch_account_id = isset($magictouch_account_id) ? $magictouch_account_id : "";
$magictouch_secure = isset($magictouch_secure) ? $magictouch_secure : "http";
if (getval("submit", "") != "") {
    // Persist the chosen resource type as a small PHP config file. The value
    // has been through getvalescaped(); its quote/backslash escaping is what
    // keeps the generated single-quoted literal intact — verify against that
    // function's definition if its escaping rules change.
    $resourcetype = getvalescaped("resourcetype", "");
    file_put_contents("../config/config.php", "<?php \$embedvideo_resourcetype='{$resourcetype}'; ?>");
    redirect("pages/team/team_home.php");
}
$resource_types = get_resource_types();
include "../../../include/header.php";
?>
<div class="BasicsBox"> 
  <h2>&nbsp;</h2>
  <h1><?php 
echo $lang["embed_video_configuration"];
?>
</h1>
Пример #18
<?php

include "../../include/db.php";
include "../../include/authenticate.php";
include "../../include/general.php";
// The page is only available while the api_core plugin is enabled.
if (!in_array("api_core", $plugins)) {
    die("no access");
}
include "../../include/header.php";
?>
<div class="BasicsBox">
<p><a  onClick="return CentralSpaceLoad(this,true);" href="<?php 
if (getvalescaped("back", "") != "") {
    echo $baseurl_short . getvalescaped("back", "");
} else {
    echo $baseurl_short . "pages/change_password.php";
}
?>
">&lt; <?php 
echo $lang["back"];
?>
</a></p><h1><?php 
echo $lang["apiaccess"];
?>
</h1>
</div>

<?php 
if (!$enable_remote_apis || $api_scramble_key == "abcdef123") {
    echo $lang["remoteapisnotavailable"];
    exit;
function perform_login()
{
    // Attempts a login with the global $username / $password.
    //
    // Flow: reject a raw hash supplied as the password (unless the special
    // "userkey" is given), derive $password_hash, migrate legacy-hashed
    // accounts, run the externalauth hook, look the user up by username and
    // hash, then either record the session or count the failed attempt
    // against the client IP and the username.
    //
    // Returns an array with 'valid' (bool); on success also 'session_hash',
    // 'password_hash' and 'ref'; on failure 'error' (a $lang message).
    // Several SQL literals in this listing are redacted as '******'.
    global $api, $scramble_key, $enable_remote_apis, $lang, $max_login_attempts_wait_minutes, $max_login_attempts_per_ip, $max_login_attempts_per_username, $global_cookies, $username, $password, $password_hash;
    // A 32- or 64-character password looks like a stored hash; only accept it
    // when the caller proves knowledge of the scramble key (see comment below).
    if (!$api && (strlen($password) == 32 || strlen($password) == 64) && getval("userkey", "") != md5($username . $scramble_key)) {
        exit("Invalid password.");
        # Prevent MD5s being entered directly while still supporting direct entry of plain text passwords (for systems that were set up prior to MD5 password encryption was added). If a special key is sent, which is the md5 hash of the username and the secret scramble key, then allow a login using the MD5 password hash as the password. This is for the 'log in as this user' feature.
    }
    if (strlen($password) != 64) {
        # Provided password is not a hash, so generate a hash.
        // Scheme: sha256 over the legacy md5("RS" . username . password). The
        // username is the only differentiator; there is no random per-user salt
        // and the hash is fast. NOTE(review): password_hash()/password_verify()
        // would be the standard replacement.
        //$password_hash=md5("RS" . $username . $password);
        $password_hash = hash('sha256', md5("RS" . $username . $password));
    } else {
        $password_hash = $password;
    }
    // ------- Automatic migration of md5 hashed or plain text passwords to SHA256 hashed passwords ------------
    // This is necessary because older systems being upgraded may still have passwords stored using md5 hashes or even possibly stored in plain text.
    // Updated March 2015 - select password_reset_hash to force dbstruct that will update password column varchar(100) if not already
    // Runs on every login attempt and touches all accounts whose stored
    // password is not 64 characters long.
    $accountstoupdate = sql_query("select username, password, password_reset_hash from user where length(password)<>64");
    foreach ($accountstoupdate as $account) {
        $oldpassword = $account["password"];
        if (strlen($oldpassword) != 32) {
            $oldpassword = md5("RS" . $account["username"] . $oldpassword);
        }
        // Needed if we have a really old password, or if password has been manually reset in db for some reason
        $new_password_hash = hash('sha256', $oldpassword);
        sql_query("update user set password='******' where username='******'");
    }
    $ip = get_ip();
    # This may change the $username, $password, and $password_hash
    $externalresult = hook("externalauth", "", array($username, $password));
    #Attempt external auth if configured
    # Generate a new session hash.
    $session_hash = generate_session_hash($password_hash);
    # Check the provided credentials
    $valid = sql_query("select ref,usergroup,account_expires from user where username='******' and password='******'");
    # Prepare result array
    $result = array();
    $result['valid'] = false;
    if (count($valid) >= 1) {
        # Account expiry
        $userref = $valid[0]["ref"];
        $usergroup = $valid[0]["usergroup"];
        $expires = $valid[0]["account_expires"];
        // An empty or zero date means "never expires".
        if ($expires != "" && $expires != "0000-00-00 00:00:00" && strtotime($expires) <= time()) {
            $result['error'] = $lang["accountexpired"];
            return $result;
        }
        $result['valid'] = true;
        $result['session_hash'] = $session_hash;
        $result['password_hash'] = $password_hash;
        $result['ref'] = $userref;
        # Update the user record.
        # Omit updating session has if using an API, because we don't want API usage to log users out, and there is no 'session' to remember in such a case.
        if ($api) {
            $session_hash_sql = "";
        } else {
            $session_hash_sql = "session='" . escape_check($session_hash) . "',";
        }
        // Successful login also resets the per-username try counter.
        sql_query("update user set {$session_hash_sql} last_active=now(),login_tries=0,lang='" . getvalescaped("language", "") . "' where ref='{$userref}'");
        # Log this
        daily_stat("User session", $userref);
        if (!$api) {
            sql_query("insert into resource_log(date,user,resource,type) values (now()," . ($userref != "" ? "'{$userref}'" : "null") . ",0,'l')");
        }
        # Blank the IP address lockout counter for this IP
        sql_query("delete from ip_lockout where ip='" . escape_check($ip) . "'");
        return $result;
    }
    # Invalid login
    if (isset($externalresult["error"])) {
        $result['error'] = $externalresult["error"];
    } else {
        $result['error'] = $lang["loginincorrect"];
    }
    hook("loginincorrect");
    # Add / increment a lockout value for this IP
    // Counts rows for this IP that are still below the limit. A row that has
    // already reached the limit counts as 0 here and is replaced by a fresh
    // row with tries=1 in the else branch, i.e. the counter wraps once the
    // limit is hit; enforcement of any wait period is not done in this function.
    $lockouts = sql_value("select count(*) value from ip_lockout where ip='" . escape_check($ip) . "' and tries<'" . $max_login_attempts_per_ip . "'", "");
    if ($lockouts > 0) {
        # Existing row with room to move
        $tries = sql_value("select tries value from ip_lockout where ip='" . escape_check($ip) . "'", 0);
        $tries++;
        if ($tries == $max_login_attempts_per_ip) {
            # Show locked out message.
            $result['error'] = str_replace("?", $max_login_attempts_wait_minutes, $lang["max_login_attempts_exceeded"]);
        }
        # Increment
        sql_query("update ip_lockout set last_try=now(),tries=tries+1 where ip='" . escape_check($ip) . "'");
    } else {
        # New row
        sql_query("delete from ip_lockout where ip='" . escape_check($ip) . "'");
        sql_query("insert into ip_lockout (ip,tries,last_try) values ('" . escape_check($ip) . "',1,now())");
    }
    # Increment a lockout value for any matching username.
    $ulocks = sql_query("select ref,login_tries,login_last_try from user where username='******'");
    if (count($ulocks) > 0) {
        $tries = $ulocks[0]["login_tries"];
        if ($tries == "") {
            $tries = 1;
        } else {
            $tries++;
        }
        // Like the IP counter, the username counter wraps back to 1 once it
        // passes the configured maximum.
        if ($tries > $max_login_attempts_per_username) {
            $tries = 1;
        }
        if ($tries == $max_login_attempts_per_username) {
            # Show locked out message.
            $result['error'] = str_replace("?", $max_login_attempts_wait_minutes, $lang["max_login_attempts_exceeded"]);
        }
        sql_query("update user set login_tries='{$tries}',login_last_try=now() where username='******'");
    }
    return $result;
}
 * @package ResourceSpace
 * @subpackage Pages_Team
 */
include dirname(__FILE__) . "/../../../include/db.php";
include dirname(__FILE__) . "/../../../include/general.php";
include dirname(__FILE__) . "/../../../include/authenticate.php";
// Editing news items requires the "o" permission.
if (!checkperm("o")) {
    exit("Permission denied.");
}
include_once dirname(__FILE__) . "/../inc/news_functions.php";
// Request inputs. ref/offset/findtext/title/body go through getvalescaped();
// the date is read with plain getval() and defaults to the current time.
$ref = getvalescaped("ref", "", true);
$offset = getvalescaped("offset", 0);
$findtext = getvalescaped("findtext", "");
$date = getval("date", date("Y-m-d H:i:s"));
$title = getvalescaped("title", 0);
$body = getvalescaped("body", 0);
// A literal ref of "new" means create; otherwise load the existing item.
$createnews = (getval("ref", "") == "new");
if (!$createnews) {
    $news = get_news($ref, "", "");
}
if (getval("save", "") != "") {
    # Save news
    if ($createnews) {
        add_news($date, $title, $body);
    } else {
        update_news($ref, $date, $title, $body);
    }
    redirect("plugins/news/pages/news_edit.php?findtext=" . $findtext . "&offset=" . $offset);
Пример #21
    # External access support (authenticate only if no key provided, or if invalid access key provided)
    $k = getvalescaped("k", "");
    if ($k == "" || !check_access_key(getvalescaped("ref", "", true), $k)) {
        include "../include/authenticate.php";
    }
}
$ref = getvalescaped("ref", "", true);
$size = getvalescaped("size", "");
$ext = getvalescaped("ext", "");
// The extension ends up in a file name, so it is restricted to alphanumerics;
// anything else falls back to jpg.
if (!preg_match('/^[a-zA-Z0-9]+$/', $ext)) {
    $ext = "jpg";
}
$alternative = getvalescaped("alternative", -1);
$page = getvalescaped("page", 1);
$usage = getvalescaped("usage", "-1");
$usagecomment = getvalescaped("usagecomment", "");
// NOTE(review): the result of get_resource_data() is indexed below without a
// failure check — confirm what it returns for an unknown ref.
$resource_data = get_resource_data($ref);
// $direct and $direct_download_noauth are set before this fragment.
if ($direct_download_noauth && $direct) {
    # if this is a direct download and direct downloads w/o authentication are enabled, allow regardless of permissions
    $allowed = true;
} else {
    # Permissions check
    $allowed = resource_download_allowed($ref, $size, $resource_data["resource_type"], $alternative);
}
if (!$allowed) {
    # This download is not allowed. How did the user get here?
    exit("Permission denied");
}
# additional access check, as the resource download may be allowed, but access restriction should force watermark.
$access = get_resource_access($ref);
$use_watermark = check_use_watermark($ref);
Пример #22
			<?php 
        for ($n = 1; $n <= 150; $n++) {
            // One <option> per day for the next 150 days. Weekend days are
            // shaded, and the option whose Y-m-d value equals the first ten
            // characters of the submitted "editexpiration" is pre-selected.
            $date = time() + 60 * 60 * 24 * $n;
            ?>
<option <?php 
            $d = date("D", $date);
            if ($d == "Sun" || $d == "Sat") {
                ?>
style="background-color:#cccccc"<?php 
            }
            ?>
 value="<?php 
            echo date("Y-m-d", $date);
            ?>
" <?php 
            if (substr(getvalescaped("editexpiration", ""), 0, 10) == date("Y-m-d", $date)) {
                echo "selected";
            }
            ?>
><?php 
            // Human-readable label for the option.
            echo nicedate(date("Y-m-d", $date), false, true);
            ?>
</option>
				<?php 
        }
        ?>
			</select>
			<div class="clearerleft"> </div>
			</div>
			
			<div class="QuestionSubmit" style="padding-top:0;margin-top:0;">
        $permission = trim($permission);
        if ($permission == "") {
            continue;
        }
        if (isset($sql_permision_filter)) {
            $sql_permision_filter .= " and ";
        } else {
            $sql_permision_filter = "(";
        }
        $permission = preg_replace('(\\W+)', '\\\\\\\\$0', $permission);
        // we need to pass two "\" before the escaped char for regex to take it literally (doubled here as sql_query() will convert most of them)
        $sql_permision_filter .= "usergroup.permissions regexp binary '^{$permission}|,{$permission},|,{$permission}\$|^{$permission}\$'";
    }
    $sql_permision_filter .= ")";
}
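# Paging offset is used in arithmetic below, so force it to an integer.
$offset = (int) getvalescaped("offset", 0);
# The sort order comes straight from the request via getval() (no escaping)
# and is interpolated into the ORDER BY clause, so it is restricted to a
# column reference with an optional direction; anything else falls back to
# "name". $find, $filter_by_parent and $sql_permision_filter are set earlier
# and are interpolated as-is, so they must be escaped/validated where set.
$order_by = getval("orderby", "name");
if (!preg_match('/^[A-Za-z0-9_.]+( (asc|desc))?$/i', $order_by)) {
    $order_by = "name";
}
$groups = sql_query("\n\tselect \n\t\tusergroup.ref as ref,\n\t\tusergroup.name as name,\n\t\tcount(user.ref) as users,\n\t\tparentusergroup.ref as pref,\n\t\tif (usergroup.parent is not null and usergroup.parent<>'' and usergroup.parent<>'0' and (parentusergroup.name is null or parentusergroup.name=''),usergroup.ref,parentusergroup.ref) as pref,\n\t\tif (usergroup.parent is not null and usergroup.parent<>'' and usergroup.parent<>'0' and (parentusergroup.name is null or parentusergroup.name=''),'orphaned',parentusergroup.name) as pname,\n\t\t(usergroup.parent is not null and usergroup.parent<>'' and usergroup.parent<>'0' and (parentusergroup.name is null or parentusergroup.name='')) as orphaned\n\tfrom\n\t\tusergroup \n\tleft outer join usergroup parentusergroup\n\ton \t\n\t\tusergroup.parent=parentusergroup.ref\n\tleft outer join user\n\ton\n\t\tusergroup.ref=user.usergroup where true" . ($find == "" ? "" : " and (usergroup.ref like '%{$find}%' or usergroup.name like '%{$find}%' or parentusergroup.name like '%{$find}%')") . ($filter_by_parent == "" ? "" : " and parentusergroup.ref={$filter_by_parent}") . ($filter_by_permissions == "" ? "" : " and {$sql_permision_filter}") . " group by\n\t\tusergroup.ref\n\torder by {$order_by}");
# pager
$per_page = 15;
$results = count($groups);
$totalpages = ceil($results / $per_page);
$curpage = floor($offset / $per_page) + 1;
$url = "admin_group_management.php?" . ($order_by ? "orderby={$order_by}" : "");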
function addColumnHeader($orderName, $labelKey)
{
    global $baseurl, $order_by, $filter_by_parent, $filter_by_permissions, $find, $lang;
    if ($order_by == $orderName) {
        $image = '<span class="ASC"></span>';
    } else {
        if ($order_by == $orderName . ' desc') {
Пример #24
function save_site_text($page, $name, $language, $group)
{
    # Saves the submitted site text changes to the database.
    #
    # Which action runs is decided by request flags, in this order:
    # deletecustom, deleteme, copyme, newhelp, otherwise insert/update of the
    # submitted "text" followed by a language clean-up.
    #
    # Note: $page, $name, $language, $group and the global $newhelp are
    # interpolated into SQL without escaping inside this function, so callers
    # must pass values that are already escaped or known-safe. The "text"
    # value itself is read via getvalescaped().
    if ($group == "") {
        # No group: match rows whose specific_to_group is NULL.
        $g = "null";
        $gc = "is";
    } else {
        $g = "'" . $group . "'";
        $gc = "=";
    }
    global $custom, $newcustom, $defaultlanguage;
    if ($newcustom) {
        # Creating a new custom text: do nothing if the page/name already exists.
        $test = sql_query("select * from site_text where page='{$page}' and name='{$name}'");
        if (count($test) > 0) {
            return true;
        }
    }
    if ($custom == "") {
        $custom = 0;
    }
    if (getval("deletecustom", "") != "") {
        # Remove the text for every language and group.
        sql_query("delete from site_text where page='{$page}' and name='{$name}'");
    } elseif (getval("deleteme", "") != "") {
        # Remove only the rows for the selected group.
        sql_query("delete from site_text where page='{$page}' and name='{$name}' and specific_to_group {$gc} {$g}");
    } elseif (getval("copyme", "") != "") {
        # Copy the submitted text into a new row for this language/group.
        sql_query("insert into site_text(page,name,text,language,specific_to_group,custom) values ('{$page}','{$name}','" . getvalescaped("text", "") . "','{$language}',{$g},'{$custom}')");
    } elseif (getval("newhelp", "") != "") {
        # Create an empty help entry named by the global $newhelp, if absent.
        global $newhelp;
        $check = sql_query("select * from site_text where page = 'help' and name='{$newhelp}'");
        if (!isset($check[0])) {
            sql_query("insert into site_text(page,name,text,language,specific_to_group) values ('{$page}','{$newhelp}','','{$language}',{$g})");
        }
    } else {
        $text = sql_query("select * from site_text where page='{$page}' and name='{$name}' and language='{$language}' and specific_to_group {$gc} {$g}");
        if (count($text) == 0) {
            # Insert a new row for this language/group.
            sql_query("insert into site_text(page,name,language,specific_to_group,text,custom) values ('{$page}','{$name}','{$language}',{$g},'" . getvalescaped("text", "") . "','{$custom}')");
        } else {
            # Update existing row
            sql_query("update site_text set text='" . getvalescaped("text", "") . "' where page='{$page}' and name='{$name}' and language='{$language}' and specific_to_group {$gc} {$g}");
        }
        # Language clean up - remove all entries that are exactly the same as the default text.
        $defaulttext = sql_value("select text value from site_text where page='{$page}' and name='{$name}' and language='{$defaultlanguage}' and specific_to_group {$gc} {$g}", "");
        sql_query("delete from site_text where page='{$page}' and name='{$name}' and language!='{$defaultlanguage}' and trim(text)='" . trim(escape_check($defaulttext)) . "'");
    }
}
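# Fetch collection data
$cinfo = get_collection($collection);
if ($cinfo === false) {
    exit("Collection not found.");
}
# Check access before reading anything belonging to the collection (the
# original fetched the comment first and only then checked readability).
if (!collection_readable($collection)) {
    exit("Access denied.");
}
$commentdata = get_collection_resource_comment($ref, $collection);
$comment = $commentdata["comment"];
$rating = $commentdata["rating"];
if (getval("submitted", "") != "") {
    # Save comment. Both values are read via getvalescaped(), so they reach
    # the save function already SQL-escaped.
    $comment = trim(getvalescaped("comment", ""));
    $rating = trim(getvalescaped("rating", ""));
    save_collection_resource_comment($ref, $collection, $comment, $rating);
    if ($k == "") {
        redirect($baseurl_short . "pages/search.php?refreshcollectionframe=true&search=!collection" . $collection);
    } else {
        # Stay on this page for external access users (no access to search)
        refresh_collection_frame();
    }
}
include "../include/header.php";
?>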
<div class="BasicsBox">
<h1><?php 
echo $lang["collectioncomments"];
?>
</h1>
Пример #26
    # Save license data
    # Construct expiry date
    $expires = getvalescaped("expires_year", "") . "-" . getvalescaped("expires_month", "") . "-" . getvalescaped("expires_day", "");
    # Construct usage
    $license_usage = "";
    if (isset($_POST["license_usage"])) {
        $license_usage = escape_check(join(", ", $_POST["license_usage"]));
    }
    if ($ref == "new") {
        # New record
        sql_query("insert into resource_license (resource,outbound,holder,license_usage,description,expires) values ('" . getvalescaped("resource", "") . "', '" . getvalescaped("outbound", "") . "', '" . getvalescaped("holder", "") . "', '{$license_usage}', '" . getvalescaped("description", "") . "', '{$expires}')");
        $ref = sql_insert_id();
        resource_log($resource, "", "", $lang["new_license"] . " " . $ref);
    } else {
        # Existing record
        sql_query("update resource_license set outbound='" . getvalescaped("outbound", "") . "',holder='" . getvalescaped("holder", "") . "', license_usage='{$license_usage}',description='" . getvalescaped("description", "") . "',expires='{$expires}' where ref='{$ref}' and resource='{$resource}'");
        resource_log($resource, "", "", $lang["edit_license"] . " " . $ref);
    }
    redirect("pages/view.php?ref=" . $resource);
}
# Fetch license data
if ($ref == "new") {
    # Set default values for the creation of a new record.
    $license = array("resource" => $resource, "outbound" => 1, "holder" => "", "license_usage" => "", "description" => "", "expires" => date("Y-m-d"));
} else {
    $license = sql_query("select * from resource_license where ref='{$ref}'");
    if (count($license) == 0) {
        exit("License not found.");
    }
    $license = $license[0];
    $resource = $license["resource"];
Пример #27
/**
 * Performs the login using the global $username and $password. Since the "externalauth" hook
 * is allowed to change the credentials later on, the $password_hash needs to be global as well.
 *
 * Reads globals: $api, $scramble_key, $enable_remote_apis, $lang, $max_login_attempts_wait_minutes,
 * $max_login_attempts_per_ip, $max_login_attempts_per_username, $username, $password.
 * Writes global: $password_hash. ($global_cookies is declared below but not referenced in this body.)
 *
 * Side effects: queries and updates the user and ip_lockout tables, writes a resource_log row and a
 * daily stat on success, and calls exit() when a 32-character password arrives without a valid
 * "userkey" (non-API requests only).
 *
 * NOTE(review): the runs of '******' inside the SQL strings below appear to be redactions applied by
 * the code-sample site rather than literal source; the original queries presumably compare against
 * the computed hashes and the escaped username — confirm against the real file.
 *
 * @return array Containing the login details ('valid' determines whether or not the login succeeded;
 *               'error' holds a $lang message on failure; 'session_hash' and 'password_hash' are
 *               only set on success).
 */
function perform_login()
{
    global $api, $scramble_key, $enable_remote_apis, $lang, $max_login_attempts_wait_minutes, $max_login_attempts_per_ip, $max_login_attempts_per_username, $global_cookies, $username, $password, $password_hash;
    # A 32-character password is treated as an MD5 hex digest. Outside the API it is only accepted
    # when the request also carries "userkey" == md5($username . $scramble_key) (the 'log in as this
    # user' feature); otherwise the request is refused outright.
    # NOTE(review): the != below is an ordinary string comparison, not constant-time; hash_equals()
    # would be the safer choice for comparing the key.
    if (!$api && strlen($password) == 32 && getval("userkey", "") != md5($username . $scramble_key)) {
        exit("Invalid password.");
        # Prevent MD5s being entered directly while still supporting direct entry of plain text passwords (for systems that were set up prior to MD5 password encryption was added). If a special key is sent, which is the md5 hash of the username and the secret scramble key, then allow a login using the MD5 password hash as the password. This is for the 'log in as this user' feature.
    }
    # Derive the stored-form hash: anything that is not 32 characters is plain text and is hashed as
    # md5("RS" . username . password); a 32-character value is used as the hash itself.
    # NOTE(review): this is a fast hash with a fixed prefix and no per-user random salt (only the
    # username varies it). password_hash()/password_verify() would be the modern replacement, but
    # that needs a migration of the stored hashes and of every query that compares them.
    if (strlen($password) != 32) {
        # Provided password is not a hash, so generate a hash.
        $password_hash = md5("RS" . $username . $password);
    } else {
        $password_hash = $password;
    }
    # Client address as reported by get_ip(); it is the key for the ip_lockout rows below.
    $ip = get_ip();
    # This may change the $username, $password, and $password_hash. The arguments are passed by value,
    # so any rewrite has to happen through the globals inside the hook (implementation not visible here).
    hook("externalauth", "", array($username, $password));
    #Attempt external auth if configured
    # The session hash is re-derived on every login and changes daily because date("Y-m-d") is part of
    # the input. With remote APIs enabled the plain-text $password is left out — presumably so callers
    # that only hold the hash can reproduce it; see the comment that follows.
    $session_hash = md5($password_hash . $username . $password . date("Y-m-d"));
    if ($enable_remote_apis) {
        $session_hash = md5($password_hash . $username . date("Y-m-d"));
    }
    // no longer necessary to omit password in this hash for api support
    # Look the account up by case-insensitive username and a matching password hash
    # (the hash literals are masked in this listing).
    $valid = sql_query("select ref,usergroup from user where lower(username)='" . escape_check($username) . "' and (password='******' or password='******')");
    # Prepare result array
    $result = array();
    $result['valid'] = false;
    if (count($valid) >= 1) {
        # Account expiry: an account_expires value that is set (not blank, not the zero date) and already
        # in the past rejects the login without touching any lockout counter.
        $expires = sql_value("select account_expires value from user where username='******' and password='******'", "");
        if ($expires != "" && $expires != "0000-00-00 00:00:00" && strtotime($expires) <= time()) {
            $result['error'] = $lang["accountexpired"];
            return $result;
        }
        $result['valid'] = true;
        $result['session_hash'] = $session_hash;
        $result['password_hash'] = $password_hash;
        # Update the user record. Set the password hash again in case a plain text password was provided.
        # Also binds the new session hash, resets login_tries and stores the requested UI language.
        # NOTE(review): 'language' comes straight from the request (SQL-escaped only) — confirm it is
        # validated against the installed languages wherever it is read back.
        sql_query("update user set password='******',session='" . escape_check($session_hash) . "',last_active=now(),login_tries=0,lang='" . getvalescaped("language", "") . "' where lower(username)='" . escape_check($username) . "' and (password='******' or password='******')");
        # Log this: one daily-stat entry and one resource_log row of type 'l' (user null if ref is blank).
        $userref = $valid[0]["ref"];
        $usergroup = $valid[0]["usergroup"];
        daily_stat("User session", $userref);
        sql_query("insert into resource_log(date,user,resource,type) values (now()," . ($userref != "" ? "'{$userref}'" : "null") . ",0,'l')");
        # Blank the IP address lockout counter for this IP
        sql_query("delete from ip_lockout where ip='" . escape_check($ip) . "'");
        return $result;
    }
    # Invalid login. Note that a correct password always returns above regardless of the counters:
    # nothing in this function refuses an attempt on its own, the limits are only surfaced as an error
    # message. NOTE(review): the actual lockout enforcement is presumably done by the caller before
    # perform_login() is reached — confirm.
    $result['error'] = $lang["loginincorrect"];
    hook("loginincorrect");
    # Add / increment a lockout value for this IP. Only rows still below $max_login_attempts_per_ip
    # are counted, so once a row reaches the limit the next failure lands in the "new row" branch and
    # the counter restarts at 1.
    $lockouts = sql_value("select count(*) value from ip_lockout where ip='" . escape_check($ip) . "' and tries<'" . $max_login_attempts_per_ip . "'", "");
    if ($lockouts > 0) {
        # Existing row with room to move
        $tries = sql_value("select tries value from ip_lockout where ip='" . escape_check($ip) . "'", 0);
        $tries++;
        if ($tries == $max_login_attempts_per_ip) {
            # Show locked out message.
            $result['error'] = str_replace("?", $max_login_attempts_wait_minutes, $lang["max_login_attempts_exceeded"]);
        }
        # Increment
        sql_query("update ip_lockout set last_try=now(),tries=tries+1 where ip='" . escape_check($ip) . "'");
    } else {
        # New row
        sql_query("delete from ip_lockout where ip='" . escape_check($ip) . "'");
        sql_query("insert into ip_lockout (ip,tries,last_try) values ('" . escape_check($ip) . "',1,now())");
    }
    # Increment a lockout value for any matching username. login_tries counts 1..$max_login_attempts_per_username
    # and wraps back to 1 once it would exceed the limit; the message is shown on the attempt that reaches it.
    $ulocks = sql_query("select ref,login_tries,login_last_try from user where username='******'");
    if (count($ulocks) > 0) {
        $tries = $ulocks[0]["login_tries"];
        if ($tries == "") {
            $tries = 1;
        } else {
            $tries++;
        }
        if ($tries > $max_login_attempts_per_username) {
            $tries = 1;
        }
        if ($tries == $max_login_attempts_per_username) {
            # Show locked out message.
            $result['error'] = str_replace("?", $max_login_attempts_wait_minutes, $lang["max_login_attempts_exceeded"]);
        }
        sql_query("update user set login_tries='{$tries}',login_last_try=now() where username='******'");
    }
    return $result;
}
# Dimensions of the original file and of the crop source. $originalpath and $cropsizes are set
# earlier in this page, outside this excerpt.
# NOTE(review): getimagesize() returns false when the file is missing or not an image; indexing that
# result below would then yield null for both dimensions — confirm the path is validated upstream.
$origsizes = getimagesize($originalpath);
$cropwidth = $cropsizes[0];
$cropheight = $cropsizes[1];
$origwidth = $origsizes[0];
$origheight = $origsizes[1];
// if we've been told to do something
if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'docrop') {
    $width = getvalescaped('width', '', true);
    $height = getvalescaped('height', '', true);
    $xcoord = getvalescaped('xcoord', '', true);
    $ycoord = getvalescaped('ycoord', '', true);
    $description = getvalescaped('description', '');
    $cropsize = getvalescaped('cropsize', '', true);
    $new_width = getvalescaped('new_width', '', true);
    $new_height = getvalescaped('new_height', '', true);
    $alt_type = getvalescaped('alt_type', '');
    if (isset($_REQUEST['flip']) && $_REQUEST['flip'] == 1 && !$cropperestricted) {
        $flip = true;
    } else {
        $flip = false;
    }
    if (isset($_REQUEST['rotation']) && is_numeric($_REQUEST['rotation']) && $_REQUEST['rotation'] > 0 && $_REQUEST['rotation'] < 360 && !$cropperestricted) {
        $rotation = $_REQUEST['rotation'];
    } else {
        $rotation = 0;
    }
    if (isset($_REQUEST['filename']) && $cropper_custom_filename) {
        $filename = $_REQUEST['filename'];
    } else {
        $filename = '';
    }
# Load the collection feedback is being left on; $collection is set earlier in this page (outside
# this excerpt). A missing collection ends the request.
$cinfo = get_collection($collection);
if ($cinfo === false) {
    exit("Collection not found.");
}
# Check access: feedback is only possible on collections whose request_feedback flag is set.
if (!$cinfo["request_feedback"]) {
    exit("Access denied.");
}
# Check that comments have been added. Without resource selection enabled, a collection with no
# comments is reported through $errors (presumably rendered by the template that follows).
$comments = get_collection_comments($collection);
if (count($comments) == 0 && $feedback_resource_select == false) {
    $errors = $lang["feedbacknocomments"];
}
if (getval("save", "") != "") {
    # Save comment. The text is read with getvalescaped(), i.e. SQL-escaped, and trimmed.
    # NOTE(review): if send_collection_feedback() forwards the text anywhere other than SQL (e-mail,
    # HTML), the escaping applied here may be wrong for that context — confirm. No CSRF token is
    # checked in this excerpt before the send; confirm the framework covers it elsewhere.
    $comment = trim(getvalescaped("comment", ""));
    send_collection_feedback($collection, $comment);
    # Stay on this page for external access users (no access to search)
    refresh_collection_frame();
    $done = true;
}
# Lightbox assets for the page header; $css_reload_key is a cache-busting value set elsewhere.
$headerinsert .= "<script src=\"../lib/lightbox/js/jquery.lightbox-0.5.min.js\" type=\"text/javascript\"></script>";
$headerinsert .= "<link type=\"text/css\" href=\"../lib/lightbox/css/jquery.lightbox-0.5.css?css_reload_key=" . $css_reload_key . "\" rel=\"stylesheet\">";
include "../include/header.php";
?>
<script type="text/javascript">
	jQuery(document).ready(function(){
		jQuery('.lightbox').lightBox(); 
	
	});
    if ($deleted_usercoll && count($c) > 0) {
        # Select the first collection in the dropdown box.
        $usercollection = $c[0]["ref"];
        set_user_collection($userref, $usercollection);
    }
    # User has deleted their last collection? add a new one.
    if (count($c) == 0) {
        # No collections to select. Create them a new collection.
        $name = get_mycollection_name($userref);
        $usercollection = create_collection($userref, $name);
        set_user_collection($userref, $usercollection);
    }
    refresh_collection_frame($usercollection);
}
hook('customcollectionmanage');
# "removeall" carries the ref of a collection whose resources are all to be removed.
# NOTE(review): no check that the current user may edit that collection is visible here; confirm
# remove_all_resources_from_collection() performs it, since the ref comes straight from the request.
$removeall = getvalescaped("removeall", "");
if ($removeall != "") {
    remove_all_resources_from_collection($removeall);
    refresh_collection_frame($usercollection);
}
include "../include/header.php";
?>
  <div class="BasicsBox">
    <h2>&nbsp;</h2>
    <h1><?php 
echo $lang["managemycollections"];
?>
</h1>
    <p class="tight"><?php 
echo text("introtext");
?>