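/**
 * name:rowsForSelect parm:string Table_id parm:string First_Letters return:array rows
 *
 * Returns an array of rows that can be put into a drop-down select box.
 * The first column is always "_value" and the second is always "_display".
 * The second parameter, if provided, filters the results so that only values
 * of _display that start with "First_Letters" are returned.
 *
 * For a multiple-column primary key, this routine will filter for any pk
 * column that exists in the session array "ajaxvars". This feature is
 * controlled by an (as-yet undocumented) feature in [[ahInputsComprehensive]]
 * that can make inputs use Ajax when their value changes to store their value
 * in the session on the server.
 *
 * This was created 1/15/07 to work with Ajax-dynamic-list from dhtmlgoodies.com.
 *
 * Parameters:
 *   $table_id     data-dictionary table id, resolved via DD_TableRef()
 *   $firstletters prefix filter; '' = no filter, '*' = no filter and no row
 *                 limit, "a,b" = per-column prefixes (see comma handling below)
 *   $matches      column => value pairs ANDed into the WHERE clause. Values go
 *                 through SQLFC(); the KEYS are interpolated as raw identifiers,
 *                 so callers must only pass trusted column names here.
 *   $distinct     when non-empty, select only this one column, DISTINCT
 *   $allcols      when true, return skey plus the whole projection instead of
 *                 the _value/_display pair
 *
 * Returns the result of SQL_Allrows() for the generated query.
 */
function RowsForSelect($table_id, $firstletters = '', $matches = array(), $distinct = '', $allcols = false)
{
    $table = DD_TableRef($table_id);

    // Determine which columns to pull and get them
    // KFD 10/8/07, a DISTINCT means we are pulling a single column of
    // a multiple column key, pull only that column
    if ($distinct != '') {
        $proj = $distinct;
    } else {
        if (ArraySafe($table['projections'], 'dropdown') == '') {
            if (!vgfGet('x6')) {
                $proj = $table['pks'];
            } else {
                $proj = $table['projections']['_uisearch'];
            }
        } else {
            $proj = $table['projections']['dropdown'];
        }
    }
    $aproj = explode(',', $proj);
    // _display is the projection columns joined with ' - '
    $collist = str_replace(',', " || ' - ' || ", $proj);

    // Get the primary key, and resolve which view we have perms for
    // KFD 10/8/07, do only one column if passed
    if ($distinct != '') {
        $pk = $distinct;
    } else {
        $pk = $table['pks'];
    }
    $view_id = ddtable_idResolve($table_id);

    // Initialize the filters
    $aWhere = array();

    // Generate a filter for each pk that exists in session ajaxvars.
    // There is a BIG unchecked for issue here, which is that a multi-column
    // PK must have *all but one* column supplied, and it then returns
    // the unsupplied column.
    $pkeys = explode(',', $table['pks']);
    $ajaxvars = afromGP('adl_');
    foreach ($pkeys as $index => $pkey) {
        if (isset($ajaxvars[$pkey])) {
            // $pkey is a data-dictionary column name; the request value is quoted by SQLFC
            $aWhere[] = "{$pkey}=" . SQLFC($ajaxvars[$pkey]);
            // This is important! Unset the pk column, we'll pick the leftover
            unset($pkeys[$index]);
        }
    }
    // If we did the multi-pk route, provide the missing column
    // as the key value
    if (count($ajaxvars) > 0) {
        $pk = implode(',', $pkeys);
    }

    // Determine if this is a filtered table
    if (isset($table['flat']['flag_noselect'])) {
        $aWhere[] = "COALESCE(flag_noselect,'N')<>'Y'";
    }

    // Add more matches on. Column names are interpolated verbatim (see docblock).
    foreach ($matches as $matchcol => $matchval) {
        $aWhere[] = $matchcol . ' = ' . SQLFC($matchval);
    }

    // See if there is a hardcoded filter in the program class
    $obj = dispatchObject($table_id);
    if (method_exists($obj, 'aSelect_where')) {
        $aWhere[] = $obj->aSelect_where();
        if (ConfigGet('LOG_SQL', 'Y') == 'Y') {
            sysLog(LOG_NOTICE, $obj->aSelect_Where());
        }
    }

    // If "firstletters" have been passed, we will filter each
    // select column on it
    //
    // KFD 8/8/07, a comma in first letters now means look in
    // 1st column only + second column only
    $SLimit = '';
    $xWhere = array();
    $implode = ' OR '; // only consulted when $xWhere is non-empty
    if ($firstletters == '*') {
        // do nothing, no where clauses
    } elseif ($firstletters != '') {
        $SLimit = "Limit 40 ";
        if (strpos($firstletters, ',') === false) {
            // original code, search all columns
            $implode = ' OR ';
            $sl = strlen($firstletters);
            foreach ($aproj as $aproj1) {
                $type_id = $table['flat'][$aproj1]['type_id'];
                // non-character columns are cast so SUBSTRING/LOWER apply
                $subs = '';
                if (!in_array($type_id, array('char', 'vchar', 'text'))) {
                    $subs = '::varchar';
                }
                $xWhere[] = "SUBSTRING(LOWER({$aproj1}{$subs}) FROM 1 FOR {$sl})"
                    . "=" . strtolower(SQLFC($firstletters));
            }
        } else {
            // New code 8/8/07, search first column, 2nd, third only,
            // based on existence of commas
            $implode = ' AND ';
            $afl = explode(',', $firstletters);
            foreach ($afl as $x => $fl) {
                // The column being compared is $aproj[$x + 1]; the type lookup
                // previously used the stale loop variable from the projection
                // loop above, so the ::varchar cast was decided on the wrong column.
                // NOTE(review): the +1 offset (first term matches the 2nd projection
                // column) is kept as found — confirm that is the intended mapping,
                // and that $aproj has enough columns for the number of commas.
                $col = $aproj[$x + 1];
                $type_id = $table['flat'][$col]['type_id'];
                $subs = '';
                if (!in_array($type_id, array('char', 'vchar', 'text'))) {
                    $subs = '::varchar';
                }
                $sl = strlen($fl);
                $xWhere[] = "SUBSTRING(LOWER({$col}{$subs}) FROM 1 FOR {$sl})"
                    . "=" . strtolower(SQLFC($fl));
            }
        }
    }
    if (count($xWhere) > 0) {
        $aWhere[] = "(" . implode($implode, $xWhere) . ")";
    }

    // Finish off the where clause
    if (count($aWhere) > 0) {
        $SWhere = "WHERE " . implode(' AND ', $aWhere);
    } else {
        $SWhere = '';
    }

    // Execute and return
    $sDistinct = $distinct != '' ? ' DISTINCT ' : '';
    $SOB = $aproj[0];
    if ($allcols) {
        # KFD 6/9/08, added in automatic ordering on queuopos column
        $OB = isset($table['flat']['queuepos']) ? 'queuepos' : '2';
        $sq = "SELECT skey,{$proj}\n FROM {$view_id}\n {$SWhere}\n ORDER BY {$OB} {$SLimit}";
    } else {
        $sq = "SELECT {$sDistinct} {$pk} as _value,{$collist} as _display\n FROM {$view_id}\n {$SWhere}\n ORDER BY {$SOB} {$SLimit} ";
    }
    // The full statement (including user-supplied prefix values) goes to syslog when enabled
    if (ConfigGet('flag_syslog', 'Y') == 'Y') {
        syslog(LOG_INFO, $sq);
    }
    return SQL_Allrows($sq);
}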
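/**
 * Processes a posted login form.
 *
 * Reads loginUID / loginPWD from the request, refuses the database superuser
 * and application group roles, verifies the credentials by opening a database
 * connection as that user, then (on an admin connection) looks up root/admin
 * status, group membership and per-table permissions, stores them in the
 * session and writes the per-user menu and permission cache files.
 *
 * Side effects: vgfSet('LoginAttemptOK'), many SessionSet() calls, DynamicSave()
 * files named after the user id, optional syslog/fwLogEntry audit records.
 * Returns nothing; failure is reported through ErrorAdd().
 *
 * Every early return after scDBConn_Push() must call scDBConn_Pop() first.
 *
 * NOTE(review): the user id is quoted with SQLFC() before being interpolated
 * into SQL. MakeUserID()'s normalisation is not visible here, and the value is
 * used before the credential check succeeds, so quoting is applied regardless.
 */
function Login_Process()
{
    $arg2 = $this->directlogin == true ? 'direct' : '';

    // only process if user hit "post"
    if (gp('gp_posted', '', false) == '') {
        return;
    }
    vgfSet('LoginAttemptOK', false);

    // Error title
    vgfSet('ERROR_TITLE', '*');

    // If the user supplied a loginUID, this is a post and we
    // must process the request.
    $ale = vgaGet('login_errors', array());
    $app = $GLOBALS['AG']['application'];
    // One generic message for every rejection reason, so the response does
    // not reveal which check failed; applications may override per code.
    $emDefault = "That username/password combination did not work. Please try again.";
    $em000 = isset($ale['000']) ? $ale['000'] : $emDefault;
    $em001 = isset($ale['001']) ? $ale['001'] : $emDefault;
    $em002 = isset($ale['002']) ? $ale['002'] : $emDefault;
    $em099 = isset($ale['099']) ? $ale['099'] : $emDefault;

    $uid = gp('loginUID');
    $uid = MakeUserID($uid);
    $pwd = gp("loginPWD", "", false);

    // First check, never allow the database server's superuser account
    if ($uid == "postgres") {
        ErrorAdd($em000);
        if (vgfGet('loglogins', false)) {
            sysLog(LOG_WARNING, "Andromeda:{$app}:Bad login attempt as postgres");
            fwLogEntry('1011', 'Attempt login as postgres', '', $arg2);
        }
        return;
    }
    // Group roles are named "<application>..."; they are not login accounts
    if (substr($uid, 0, strlen($app)) == $app) {
        ErrorAdd($em001);
        if (vgfGet('loglogins', false)) {
            sysLog(LOG_WARNING, "Andromeda:{$app}:Bad login attempt as group role");
            fwLogEntry('1012', 'Attempt login as group role', $uid, $arg2);
        }
        return;
    }

    // Begin with a connection attempt: the database server is the
    // authority on the password. Bail out on fail, otherwise continue.
    $tcs = @SQL_CONN($uid, $pwd);
    if ($tcs === false) {
        ErrorAdd($em099);
        if (vgfGet('loglogins', false)) {
            sysLog(LOG_NOTICE, "Andromeda:{$app}:Bad login attempt server rejected");
            fwLogEntry('1013', 'Server rejected username/password', $uid, $arg2);
        }
        return;
    }
    SQL_CONNCLOSE($tcs);

    // The rest of this routine uses an admin connection. If we
    // have an error, we must close the connection before returning!
    if (vgfGet('loglogins', false)) {
        fwLogEntry('1010', 'Login OK', $uid, $arg2);
    }
    scDBConn_Push();

    // Quoted SQL literal for the user id, reused by every query below
    $sqlUid = SQLFC($uid);

    // See if they are a root user. If not, do they have an
    // active account?
    $root = false;
    $admin = false;
    $group_id_eff = '';
    $results = SQL("\n Select oid\n FROM pg_roles \n WHERE rolname = CAST({$sqlUid} as name)\n AND rolsuper= true");
    $cr = SQL_NUMROWS($results);
    if ($cr != 0) {
        $root = true;
    } else {
        $results = SQL("Select * from users WHERE LOWER(user_id)={$sqlUid}"
            . " AND (user_disabled<>'Y' or user_disabled IS NULL)");
        $cr = SQL_NUMROWS($results);
        if ($cr == 0) {
            scDBConn_Pop();
            ErrorAdd($em002);
            sysLog(LOG_WARNING, "Andromeda:{$app}:Bad login attempt code 002");
            return;
        }
        $userinfo = SQL_Fetch_Array($results);
        $group_id_eff = $userinfo['group_id_eff'];
        SessionSet('user_name', $userinfo['user_name']);
    }

    // Flag if the user is an administrator
    if ($root == true) {
        $admin = true;
    } else {
        $results = SQL("select count(*) as admin from usersxgroups "
            . "where user_id={$sqlUid} and group_id =" . SQLFC($app . '_admin'));
        $row = SQL_FETCH_ARRAY($results);
        $admin = intval($row["admin"]) > 0 ? true : false;
    }

    // Get the users' groups as a comma-separated list of quoted ids
    // (group ids come from the database, not from the request).
    $agroups = array();
    if ($root) {
        $results = SQL("\n select group_id \n from zdd.groups \n where COALESCE(grouplist,'')=''");
    } else {
        $results = SQL("select group_id from usersxgroups WHERE LOWER(user_id)={$sqlUid}");
    }
    while ($row = SQL_FETCH_ARRAY($results)) {
        $agroups[] = "'" . trim($row['group_id']) . "'";
    }
    // NOTE(review): with no groups this stays an array, and the "IN ({$groups})"
    // queries below will not be valid SQL — kept as found, confirm intended.
    $groups = array();
    if (!empty($agroups)) {
        $groups = implode(",", $agroups);
    }

    // We have a successful login. If somebody else was already
    // logged in, we need to wipe out that person's session. But
    // don't do this if there was an anonymous login.
    if (LoggedIn()) {
        $uid_previous = SessionGet('UID');
        if ($uid != $uid_previous) {
            SessionReset();
        }
    }

    // We know who they are and that they can connect,
    // see if there is any app-specific confirmation required
    if (function_exists('app_login_process')) {
        if (!app_login_process($uid, $pwd, $admin, $groups)) {
            // release the admin connection pushed above before leaving
            scDBConn_Pop();
            return;
        }
    }

    // Protect the session from fixation, generate a new ID
    Session_regenerate_id();

    // We now have a successful connection, set some flags and lets go.
    // The password is kept in the session because later requests open
    // per-user database connections with it.
    vgfSet('LoginAttemptOK', true);
    SessionSet("UID", $uid);
    SessionSet("PWD", $pwd);
    SessionSet("ADMIN", $admin);
    SessionSet("ROOT", $root);
    SessionSet("GROUP_ID_EFF", $group_id_eff);
    SessionSet("groups", $groups);
    if (gp('gpz_page') == '') {
        # KFD 9/12/08, extra command to not change page
        if (gp('st2keep') != 1) {
            gpSet('gp_page', '');
        }
    }
    $GLOBALS['session_st'] = 'N'; // for "N"ormal

    // -------------------------------------------------------------------
    // We are about to make the menu. Before doing so, see if there
    // are any variables set for the menu layout. Set defaults.
    $this->pmenu = array(
        'MENU_TYPE' => vgaGet('MENU_TYPE', 'div'),
        'MENU_CLASS_MODL' => vgaGet('MENU_CLASS_MODL', 'modulename'),
        'MENU_CLASS_ITEM' => vgaGet('MENU_CLASS_ITEM', 'menuentry'),
        'MENU_TICK' => vgaGet('MENU_TICK', ' - '),
    );

    // -------------------------------------------------------------------
    // KFD 10/28/06, Modified to examine "nomenu" instead of permsel
    // pulls all tables user has nomenu='N'. The basic idea is
    // to remove from $AGMENU the stuff they don't see
    $AGMENU = array(); // avoid compiler warning, populated next line
    include "ddmodules.php";

    // Pull distinct modules person has any menu options in.
    $sq = "SELECT DISTINCT module\n FROM zdd.perm_tabs \n WHERE nomenu='N'\n AND group_id iN ({$groups})";
    $modules = SQL_AllRows($sq, 'module');
    $AGkeys = array_keys($AGMENU);
    foreach ($AGkeys as $AGkey) {
        if (!isset($modules[$AGkey])) {
            unset($AGMENU[$AGkey]);
        }
    }

    // Now recurse the remaining modules and do the same trick
    // for each one, removing the tables that don't exist.
    // $module keys come from the generated ddmodules.php, not the request.
    foreach ($AGMENU as $module => $moduleinfo) {
        $sq = "SELECT DISTINCT table_id\n FROM zdd.perm_tabs \n WHERE nomenu='N'\n AND module = '{$module}'\n AND group_id iN ({$groups})";
        $tables = SQL_AllRows($sq, 'table_id');
        $tkeys = array_keys($moduleinfo['items']);
        foreach ($tkeys as $tkey) {
            if (!isset($tables[$tkey])) {
                unset($AGMENU[$module]['items'][$tkey]);
            }
        }
    }

    // KFD 12/18/06. Put all table permissions into session,
    // one session key per permission flag.
    $permFlags = array(
        'TABLEPERMSMENU' => "nomenu='N'",
        'TABLEPERMSSEL' => "permsel='Y'",
        'TABLEPERMSINS' => "permins='Y'",
        'TABLEPERMSUPD' => "permupd='Y'",
        'TABLEPERMSDEL' => "permdel='Y'",
    );
    foreach ($permFlags as $sessionKey => $flagCond) {
        $table_perms = SQL_AllRows(
            "Select distinct table_id FROM zdd.perm_tabs\n WHERE group_id IN ({$groups})\n AND {$flagCond}",
            'table_id'
        );
        SessionSet($sessionKey, array_keys($table_perms));
    }

    // KFD 7/9/07, we always use joomla templates now, don't need
    // options to turn them off. In a hybrid situation, put the menu
    // into the session.
    SessionSet('AGMENU', $AGMENU);

    // The per-user menu files are no longer generated here (the old
    // HTML/WML builder was removed); empty files are still written so
    // that includes of them keep working.
    // NOTE(review): the file name embeds the user id; it has passed
    // MakeUserID() and a successful server login, but confirm that
    // MakeUserID() rejects path separators before trusting this.
    $HTML_Menu = "";
    $WML_Menu = "";
    DynamicSave("menu_" . $uid . ".php", $HTML_Menu);
    DynamicSave("menu_wml_" . $uid . ".php", $WML_Menu);

    // -------------------------------------------------------------------
    // Fetch and cache user preferences
    if (vgaGet('member_profiles')) {
        cacheMember_Profiles();
    }

    // -------------------------------------------------------------------
    // Now find the user's table permissions more precisely table by table
    $sql = "select p.table_id,\n\t\t\t\tmax(case when p.permins='Y' then 1 else 0 end) as permins,\n\t\t\t\tmax(case when p.permupd='Y' then 1 else 0 end) as permupd,\n\t\t\t\tmax(case when p.permdel='Y' then 1 else 0 end) as permdel,\n\t\t\t\tmax(case when p.permsel='Y' then 1 else 0 end) as permsel\n\t\t\t\tfrom zdd.perm_tabs P\n\t\t\t\tWHERE group_id in ({$groups})\n\t\t\t\tGROUP BY p.table_id";
    $results = SQL($sql);
    // This emits PHP source; table_id values are data-dictionary names and
    // the flags are the 0/1 results of the CASE expressions above.
    $HTML_Perms = "<?php\n\$table_perms = array();\n";
    while ($row = SQL_FETCH_ARRAY($results)) {
        $tn = $row["table_id"];
        $ti = $row["permins"];
        $tu = $row["permupd"];
        $td = $row["permdel"];
        $ts = $row["permsel"];
        $HTML_Perms .= "\$table_perms[\"{$tn}\"]=array(\"ins\"=>{$ti},\"upd\"=>{$tu},\"del\"=>{$td},\"sel\"=>{$ts});\n";
    }
    $HTML_Perms .= "?>\n";
    DynamicSave("perms_" . $uid . ".php", $HTML_Perms);

    scDBConn_Pop();
}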
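/**
 * Writes a log message to the configured target (file or syslog).
 *
 * @param int         $level   one of the GS_LOG_* levels; messages above
 *                             GS_LOG_LEVEL are dropped (returns true)
 * @param string      $msg     message text; GS_DIR is stripped from it
 * @param string|null $logfile file target; relative names are placed under
 *                             /var/log/gemeinschaft/, null uses GS_LOG_FILE
 * @param bool        $fifo    treat $logfile as a named pipe and force the
 *                             file target for this call only
 * @return bool true when the message was written (or filtered out), false on
 *              any failure or on a re-entrant call
 *
 * Re-entrancy is blocked through the global $gs_is_in_gs_log so that helpers
 * called from here cannot recurse into the logger. Open file handles are
 * cached in a static for the life of the process.
 */
function gs_log($level, $msg, $logfile = null, $fifo = false)
{
    global $gs_is_in_gs_log;
    static $log_to = null;
    static $logfiles = array();
    static $levels = array(
        GS_LOG_DEBUG   => array('v' => 'debug', 'sll' => LOG_DEBUG),
        GS_LOG_NOTICE  => array('v' => 'note', 'sll' => LOG_INFO),
        GS_LOG_WARNING => array('v' => 'WARN', 'sll' => LOG_WARNING),
        GS_LOG_FATAL   => array('v' => 'ERROR', 'sll' => LOG_ERR),
    );
    static $syslog_opened = false;
    static $syslog_facility = null;

    if (@$gs_is_in_gs_log) {
        return false; # prevent recursive calls to gs_log()
    }
    if ($level > GS_LOG_LEVEL) {
        return true;
    }
    $gs_is_in_gs_log = true;

    if ($log_to === null) {
        $log_to = gs_get_conf('GS_LOG_TO');
    }
    $level_info = array_key_exists($level, $levels)
        ? $levels[$level]
        : array('v' => '???? ', 'sll' => LOG_WARNING);

    $msg = str_replace(GS_DIR, '', $msg);

    // Caller location for the log prefix
    $backtrace = debug_backtrace();
    if (is_array($backtrace) && isset($backtrace[0])) {
        $file = @$backtrace[0]['file'];
        if (subStr($file, 0, strLen(GS_DIR)) === GS_DIR) {
            $file = str_replace(GS_DIR, '', $file);
        }
        $line = @$backtrace[0]['line'];
    } else {
        $file = '';
        $line = 0;
    }

    // A fifo write forces the file target for THIS call only. The target
    // is kept in a local so the cached configuration in the static $log_to
    // is not overwritten for every later call.
    $target = $fifo ? 'file' : $log_to;

    if ($target === 'file') {
        $dateFn = GS_LOG_GMT ? 'gmDate' : 'date';
        if (strLen($line) < 4) {
            $line = str_pad($line, 4, ' ', STR_PAD_LEFT);
        }
        $msg = $dateFn('Y-m-d H:i:s') . ' [' . str_pad($level_info['v'], 5) . '] '
            . $file . ':' . $line . ': ' . $msg . "\n";

        if (!$logfile) {
            $logfile = GS_LOG_FILE;
        }
        if (@subStr($logfile, 0, 1) != '/') {
            $logfile = '/var/log/gemeinschaft/' . $logfile;
        }

        if (!@array_key_exists($logfile, $logfiles)) {
            // File creation is delegated to the shell (via sudo when not
            // root); qsa() is relied on to quote the path for the shell.
            $sudo = posix_getEUid() == 0 ? '' : 'sudo ';

            # if the logfile should be a fifo but isn't then remove it so
            # it will be created as a fifo
            if ($fifo && file_exists($logfile) && !@is_fifo($logfile)) {
                $err = 0;
                $out = array();
                @exec($sudo . 'rm -f ' . qsa($logfile) . ' 1>>/dev/null 2>>/dev/null', $out, $err);
                if ($err != 0) { # probably permission denied
                    $gs_is_in_gs_log = false;
                    return false;
                }
                clearStatCache();
            }

            if (!@file_exists($logfile)) {
                $err = 0;
                $out = array();
                @exec($sudo . 'mkdir -p ' . qsa(dirName($logfile)) . ' 1>>/dev/null 2>>/dev/null', $out, $err);
                if ($err != 0) { # probably permission denied
                    $gs_is_in_gs_log = false;
                    return false;
                }
                if ($fifo) {
                    $err = 0;
                    $out = array();
                    @exec($sudo . 'mkfifo ' . qsa($logfile) . ' 1>>/dev/null 2>>/dev/null', $out, $err);
                    if ($err != 0) { # probably permission denied
                        $gs_is_in_gs_log = false;
                        return false;
                    }
                }
            }

            // The log file is made world-writable so that all of the
            // processes sharing it can append. NOTE(review): 0666 lets any
            // local account tamper with the log; a shared group with 0664
            // would give the same access with less exposure.
            @exec($sudo . 'chmod 0666 ' . qsa($logfile) . ' 1>>/dev/null 2>>/dev/null');

            if (!$fifo) {
                $logfiles[$logfile] = @fOpen($logfile, 'ab'); # might fail if permission denied
            } else {
                # The trick is to open the FIFO for reading *and writing*.
                # "a" : open(..., O_WRONLY|O_CREAT|O_APPEND|O_LARGEFILE, ...)
                # "a+": open(..., O_RDWR |O_CREAT|O_APPEND|O_LARGEFILE, ...)
                # O_WRONLY blocks for FIFOs. O_RDWR does not.
                $logfiles[$logfile] = fOpen($logfile, 'ab+');
            }
            if (!$logfiles[$logfile]) {
                $gs_is_in_gs_log = false;
                return false;
            }
        }

        if ($fifo) {
            // Previously this used an undefined $fd, so the stream was never
            // switched to non-blocking mode.
            @stream_set_blocking($logfiles[$logfile], false); # not even really needed
            # Just to be sure check that the stream will not block.
            # However by using the above trick it will not block anyways.
            $select = array($logfiles[$logfile]); # needs to be passed by reference
            $null = null; # needs to be passed by reference
            if (stream_select($null, $select, $null, 0, 0) < 1) {
                $gs_is_in_gs_log = false;
                return false;
            }
        }
        $ok = @fWrite($logfiles[$logfile], $msg, strLen($msg)) !== false;
    } elseif ($target === 'syslog') {
        if ($syslog_facility === null) {
            $fac_name = strToUpper(gs_get_conf('GS_LOG_SYSLOG_FACILITY'));
            $known = array(
                'LOCAL0', 'LOCAL1', 'LOCAL2', 'LOCAL3', 'LOCAL4', 'LOCAL5', 'LOCAL6', 'LOCAL7',
                'USER', 'MAIL', 'DAEMON', 'AUTH', 'AUTHPRIV', 'SYSLOG', 'LPR', 'NEWS', 'UUCP', 'CRON',
            );
            if (in_array($fac_name, $known, true) && defined('LOG_' . $fac_name)) {
                $syslog_facility = constant('LOG_' . $fac_name);
            } else {
                $syslog_facility = LOG_USER;
            }
        }

        if (subStr($file, -4) === '.php') {
            $file = subStr($file, 0, -4);
        }
        $tag = strLen($file) <= 32 ? $file : baseName($file);
        $msg = $tag . '#' . $line . ': (' . $level_info['v'] . ') ' . $msg;

        if (!$syslog_opened) {
            if (!$syslog_facility) {
                $syslog_facility = LOG_LOCAL5;
            }
            $syslog_opened = @openLog('gemeinschaft', LOG_ODELAY, $syslog_facility);
        }
        $sll = @$level_info['sll'];
        if ($sll === null) {
            $sll = LOG_WARNING;
        }
        // Control characters are escaped so a message cannot inject extra
        // log lines. NOTE(review): the character list below looks mis-encoded
        // in this copy of the file (the "....ÿ" run); confirm the intended
        // byte ranges against the upstream source.
        $ok = @sysLog($sll, addCSlashes($msg, "\\\r\n\t....ÿ"));
    } else {
        $ok = false;
    }

    $gs_is_in_gs_log = false;
    return $ok;
}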