/**
* Wrapper function to get the author of a news article or page: Used by getNewsAuthor() and getPageAuthor().
*
* @param bool $fullname False for the user name, true for the full name
*
* @return string
*/
function getAuthor($fullname = false)
{
global $_zp_current_zenpage_page, $_zp_current_zenpage_news;
if (is_Pages()) {
$obj = $_zp_current_zenpage_page;
} else {
if (is_News()) {
$obj = $_zp_current_zenpage_news;
} else {
$obj = false;
}
}
if ($obj) {
if ($fullname) {
$admin = Zenphoto_Authority::getAnAdmin(array('`user`=' => $obj->getAuthor(), '`valid`=' => 1));
if (is_object($admin) && $admin->getName()) {
return $admin->getName();
}
}
return $obj->getAuthor();
}
return false;
}
static function notify($tab, $subtab)
{
if ($tab == 'users' && ($subtab = 'users')) {
if (user_expiry::checkPasswordRenew()) {
echo '<p class="errorbox">' . gettext('You must change your password.'), '</p>';
} else {
if (Zenphoto_Authority::getAnAdmin(array('`valid`>' => 1))) {
echo '<p class="notebox">' . gettext('You have users whose credentials have expired.'), '</p>';
}
}
}
}
/**
* Processes the verification POST tickets
* @param string $script (we do not use this)
* @return string
*/
static function verify($script)
{
//process any verifications posted
if (isset($_GET['verify_federated_user'])) {
$params = unserialize(pack("H*", trim(sanitize($_GET['verify_federated_user']), '.')));
if (time() - $params['date'] < 2592000) {
$userobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $params['user'], '`email`=' => $params['email'], '`valid`>' => 0));
if ($userobj) {
$groupname = getOption('federated_login_group');
$groupobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $groupname, '`valid`=' => 0));
if ($groupobj) {
$userobj->setRights($groupobj->getRights());
$userobj->setGroup($groupname);
$userobj->setObjects($groupobj->getObjects());
if (getOption('register_user_create_album')) {
$userobj->createPrimealbum();
}
$userobj->save();
}
zp_apply_filter('register_user_verified', $userobj);
if (getOption('register_logon_user_notify')) {
zp_mail(gettext('Zenphoto Gallery registration'), sprintf(gettext('%1$s (%2$s) has registered for the zenphoto gallery providing an e-mail address of %3$s.'), $userobj->getName(), $userobj->getUser(), $userobj->getEmail()));
}
Zenphoto_Authority::logUser($userobj);
header("Location: " . FULLWEBPATH . '/' . ZENFOLDER . '/admin.php');
exitZP();
}
}
}
return $script;
}
exitZP();
}
}
}
} else {
// no login form, check the cookie
if (isset($_GET['ticket'])) {
// password reset query
$_zp_authority->validateTicket(sanitize($_GET['ticket']), sanitize(@$_GET['user']));
} else {
$_zp_loggedin = $_zp_authority->checkCookieCredentials();
$cloneid = bin2hex(FULLWEBPATH);
if (!$_zp_loggedin && isset($_SESSION['admin'][$cloneid])) {
// "passed" login
$user = unserialize($_SESSION['admin'][$cloneid]);
$user2 = $_zp_authority->getAnAdmin(array('`user`=' => $user->getUser(), '`valid`=' => 1));
if ($user2 && $user->getPass() == $user2->getPass()) {
Zenphoto_Authority::logUser($user2);
$_zp_current_admin_obj = $user2;
$_zp_loggedin = $_zp_current_admin_obj->getRights();
}
}
unset($cloneid);
}
if ($_zp_loggedin) {
$locale = $_zp_current_admin_obj->getLanguage();
if (!empty($locale)) {
// set his prefered language
setupCurrentLocale($locale);
}
}
$nouser = true;
$returntab = $newuser = false;
for ($i = 0; $i < sanitize_numeric($_POST['totaladmins']); $i++) {
$updated = false;
$error = false;
$userobj = NULL;
$pass = trim(sanitize($_POST['pass' . $i]));
$user = trim(sanitize($_POST['adminuser' . $i]));
if (empty($user) && !empty($pass)) {
$notify = '?mismatch=nothing';
}
if (!empty($user)) {
$nouser = false;
if (isset($_POST[$i . '-newuser'])) {
$newuser = $user;
$userobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $user, '`valid`>' => 0));
if (is_object($userobj)) {
$notify = '?exists';
break;
} else {
$what = 'new';
$userobj = Zenphoto_Authority::newAdministrator('');
$userobj->setUser($user);
markUpdated();
}
} else {
$what = 'update';
$userobj = Zenphoto_Authority::newAdministrator($user);
markUpdated();
}
if (isset($_POST[$i . '-admin_name'])) {
/**
* Creates a feed object from the URL parameters fetched only
*
*/
function __construct($options = NULL)
{
global $_zp_gallery, $_zp_current_admin_obj, $_zp_loggedin;
if (empty($options)) {
self::feed404();
}
$this->feedtype = $options['rss'];
parent::__construct($options);
if (isset($options['token'])) {
// The link camed from a logged in user, see if it is valid
$link = $options;
unset($link['token']);
$token = Zenphoto_Authority::passwordHash(serialize($link), '');
if ($token == $options['token']) {
$adminobj = Zenphoto_Authority::getAnAdmin(array('`id`=' => (int) $link['user']));
if ($adminobj) {
$_zp_current_admin_obj = $adminobj;
$_zp_loggedin = $_zp_current_admin_obj->getRights();
}
}
}
// general feed setup
$channeltitlemode = getOption('RSS_title');
$this->host = html_encode($_SERVER["HTTP_HOST"]);
//channeltitle general
switch ($channeltitlemode) {
case 'gallery':
$this->channel_title = $_zp_gallery->getBareTitle($this->locale);
break;
case 'website':
$this->channel_title = getBare($_zp_gallery->getWebsiteTitle($this->locale));
break;
case 'both':
$website_title = $_zp_gallery->getWebsiteTitle($this->locale);
$this->channel_title = $_zp_gallery->getBareTitle($this->locale);
if (!empty($website_title)) {
$this->channel_title = $website_title . ' - ' . $this->channel_title;
}
break;
}
// individual feedtype setup
switch ($this->feedtype) {
case 'gallery':
if (!getOption('RSS_album_image')) {
self::feed404();
}
$albumname = $this->getChannelTitleExtra();
if ($this->albumfolder) {
$alb = newAlbum($this->albumfolder, true, true);
if ($alb->exists) {
$albumtitle = $alb->getTitle();
if ($this->mode == 'albums' || $this->collection) {
$albumname = ' - ' . html_encode($albumtitle) . $this->getChannelTitleExtra();
}
} else {
self::feed404();
}
} else {
$albumtitle = '';
}
$albumname = $this->getChannelTitleExtra();
$this->channel_title = html_encode($this->channel_title . ' ' . getBare($albumname));
$this->imagesize = $this->getImageSize();
require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/image_album_statistics.php';
break;
case 'news':
//Zenpage News RSS
if (!getOption('RSS_articles')) {
self::feed404();
}
$titleappendix = gettext(' (Latest news)');
switch ($this->newsoption) {
case 'withalbums':
case 'withalbums_mtime':
case 'withalbums_publishdate':
case 'withalbums_latestupdated':
$titleappendix = gettext(' (Latest news and albums)');
break;
case 'withimages':
case 'withimages_mtime':
case 'withimages_publishdate':
$titleappendix = gettext(' (Latest news and images)');
break;
default:
switch ($this->sortorder) {
case 'popular':
$titleappendix = gettext(' (Most popular news)');
break;
case 'mostrated':
$titleappendix = gettext(' (Most rated news)');
break;
case 'toprated':
$titleappendix = gettext(' (Top rated news)');
break;
case 'random':
$titleappendix = gettext(' (Random news)');
break;
}
break;
}
$this->channel_title = html_encode($this->channel_title . $this->cattitle . $titleappendix);
$this->imagesize = $this->getImageSize();
$this->itemnumber = getOption("RSS_zenpage_items");
// # of Items displayed on the feed
require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/image_album_statistics.php';
require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/zenpage/zenpage-template-functions.php';
break;
case 'pages':
//Zenpage News RSS
if (!getOption('RSS_pages')) {
self::feed404();
}
switch ($this->sortorder) {
case 'popular':
$titleappendix = gettext(' (Most popular pages)');
break;
case 'mostrated':
$titleappendix = gettext(' (Most rated pages)');
break;
case 'toprated':
$titleappendix = gettext(' (Top rated pages)');
break;
case 'random':
$titleappendix = gettext(' (Random pages)');
break;
default:
$titleappendix = gettext(' (Latest pages)');
break;
}
$this->channel_title = html_encode($this->channel_title . $titleappendix);
require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/zenpage/zenpage-template-functions.php';
break;
case 'comments':
//Comments RSS
if (!getOption('RSS_comments')) {
self::feed404();
}
if ($this->id) {
switch ($this->commentfeedtype) {
case 'album':
$table = 'albums';
break;
case 'image':
$table = 'images';
break;
case 'news':
$table = 'news';
break;
case 'page':
$table = 'pages';
break;
default:
self::feed404();
break;
}
$this->itemobj = getItemByID($table, $this->id);
if ($this->itemobj) {
$title = ' - ' . $this->itemobj->getTitle();
} else {
self::feed404();
}
} else {
$this->itemobj = NULL;
$title = NULL;
}
$this->channel_title = html_encode($this->channel_title . $title . gettext(' (latest comments)'));
if (extensionEnabled('zenpage')) {
require_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/zenpage/zenpage-template-functions.php';
}
break;
case 'null':
//we just want the class instantiated
return;
}
$this->feeditems = $this->getitems();
}
/**
* Logs an attempt for a guest user to log onto the site
* Returns the "success" parameter.
*
* @param bool $success
* @param string $user
* @param string $pass
* @param string $athority what kind of login
* @return bool
*/
static function guestLoginLogger($success, $user, $pass, $athority)
{
switch (getOption('logger_log_type')) {
case 'all':
break;
case 'success':
if (!$success) {
return false;
}
break;
case 'fail':
if ($success) {
return true;
}
break;
}
$name = '';
if ($success) {
$admin = Zenphoto_Authority::getAnAdmin(array('`user`=' => $user, '`valid`=' => 1));
$pass = '';
// mask it from display
if (is_object($admin)) {
$name = $admin->getName();
}
}
security_logger::Logger((int) ($success && true), $user, $name, 'Front-end', $athority, $pass);
return $success;
}
/**
* This is the cookie processor filter handler
* it invokes the child class check() method to see if there is a valid visitor to the site
* The check() method should return "false" if there is no valid visitor or an array of
* User information if there is one.
*
* If there is a valid user, the user name is checked against Zenphoto users. If such user exists
* he will be automatically logged in. If no user by that userid exists a transient user will be
* created and logged in. User details are filled in from the user information in the passed array.
*
* Most enteries in the result array are simply stored into the user property of the same name. However,
* there are some special handling items that may be present:
* <ul>
* <li>groups: an array of the user's group membership</li>
* <li>objects: a Zenphoto "managed object list" array</li>
* <li>album: the name of the user's primary album</li>
* <li>logout_link: information that the plugin can use when a user loggs out</li>
* </ul>
*
* All the above may be missing. However, if there is no groups entry, there needs to be an
* entry for the user's rights otherwise he will have none. There should not be both a rights entry
* and a groups entry as they are mutually exclusive.
*
* album and objects entries should come last in the list so all other properties are processed first as
* these methods may modify other properties.
*
* @param BIT $authorized
*/
function check($authorized)
{
global $_zp_current_admin_obj;
if (!$authorized) {
// not logged in via normal Zenphoto handling
if ($result = $this->user()) {
$user = $result['user'];
$searchfor = array('`user`=' => $user, '`valid`=' => 1);
$userobj = Zenphoto_Authority::getAnAdmin($searchfor);
if (!$userobj) {
unset($result['id']);
unset($result['user']);
$authority = '';
// create a transient user
$userobj = new Zenphoto_Administrator('', 1);
$userobj->setUser($user);
$userobj->setRights(NO_RIGHTS);
// just incase none get set
// Flag as external credentials for completeness
$properties = array_keys($result);
// the list of things we got from the external authority
array_unshift($properties, $this->auth);
$userobj->setCredentials($properties);
// populate the user properties
$member = false;
// no group membership (yet)
foreach ($result as $key => $value) {
switch ($key) {
case 'authority':
$authority = '::' . $value;
unset($result['authority']);
break;
case 'groups':
// find the corresponding Zenphoto group (if it exists)
$rights = NO_RIGHTS;
$objects = array();
$groups = $value;
foreach ($groups as $key => $group) {
$groupobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $group, '`valid`=' => 0));
if ($groupobj) {
$member = true;
$rights = $groupobj->getRights() | $rights;
$objects = array_merge($groupobj->getObjects(), $objects);
if ($groupobj->getName() == 'template') {
unset($groups[$key]);
}
} else {
unset($groups[$key]);
}
}
if ($member) {
$userobj->setGroup(implode(',', $groups));
$userobj->setRights($rights);
$userobj->setObjects($objects);
}
break;
case 'defaultgroup':
if (!$member && isset($result['defaultgroup'])) {
// No Zenphoto group, use the default group
$group = $result['defaultgroup'];
$groupobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $group, '`valid`=' => 0));
if ($groupobj) {
$rights = $groupobj->getRights();
$objects = $groupobj->getObjects();
if ($groupobj->getName() != 'template') {
$group = NULL;
}
$userobj->setGroup($group);
$userobj->setRights($rights);
$userobj->setObjects($objects);
}
}
break;
case 'objects':
$userobj->setObjects($objects);
break;
case 'album':
$userobj->createPrimealbum(false, $value);
break;
default:
$userobj->set($key, $value);
break;
}
}
$properties = array_keys($result);
// the list of things we got from the external authority
array_unshift($properties, $this->auth . $authority);
$userobj->setCredentials($properties);
}
if (isset($result['logout_link'])) {
$userobj->logout_link = $result['logout_link'];
}
$_zp_current_admin_obj = $userobj;
$authorized = $_zp_current_admin_obj->getRights();
}
}
return $authorized;
}
static function check($authorized)
{
global $_zp_current_admin_obj;
if (!$authorized) {
// not logged in via normal Zenphoto handling
// PHP-CGI auth fixd
if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
$auth_params = explode(":", base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
$_SERVER['PHP_AUTH_USER'] = $auth_params[0];
unset($auth_params[0]);
$_SERVER['PHP_AUTH_PW'] = implode('', $auth_params);
}
if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
$auth_params = explode(":", base64_decode(substr($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 6)));
$_SERVER['PHP_AUTH_USER'] = $auth_params[0];
unset($auth_params[0]);
$_SERVER['PHP_AUTH_PW'] = implode('', $auth_params);
}
if (array_key_exists('PHP_AUTH_USER', $_SERVER) && array_key_exists('PHP_AUTH_PW', $_SERVER)) {
$user = $_SERVER['PHP_AUTH_USER'];
$pass = $_SERVER['PHP_AUTH_PW'];
if (getOption('http_auth_trust')) {
$userobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $user, '`valid`=' => 1));
} else {
$userobj = Zenphoto_Authority::checkLogon($user, $pass);
}
if ($userobj) {
$_zp_current_admin_obj = $userobj;
$_zp_current_admin_obj->logout_link = false;
$authorized = $_zp_current_admin_obj->getRights();
}
}
}
return $authorized;
}
static function post_processor()
{
global $admin_e, $admin_n, $user, $_zp_authority, $_zp_captcha, $_zp_gallery, $_notify, $_link, $_message;
//Handle registration
if (isset($_POST['username']) && !empty($_POST['username'])) {
$_notify = 'honeypot';
// honey pot check
}
if (getOption('register_user_captcha')) {
if (isset($_POST['code'])) {
$code = sanitize($_POST['code'], 3);
$code_ok = sanitize($_POST['code_h'], 3);
} else {
$code = '';
$code_ok = '';
}
if (!$_zp_captcha->checkCaptcha($code, $code_ok)) {
$_notify = 'invalidcaptcha';
}
}
$admin_n = trim(sanitize($_POST['admin_name']));
if (empty($admin_n)) {
$_notify = 'incomplete';
}
if (isset($_POST['admin_email'])) {
$admin_e = trim(sanitize($_POST['admin_email']));
} else {
$admin_e = trim(sanitize($_POST['user']));
}
if (!is_valid_email_zp($admin_e)) {
$_notify = 'invalidemail';
}
$pass = trim(sanitize($_POST['pass']));
$user = trim(sanitize($_POST['user']));
if (empty($pass)) {
$_notify = 'empty';
} else {
if (!empty($user) && !empty($admin_n) && !empty($admin_e)) {
if (isset($_POST['disclose_password']) || $pass == trim(sanitize($_POST['pass_r']))) {
$currentadmin = Zenphoto_Authority::getAnAdmin(array('`user`=' => $user, '`valid`>' => 0));
if (is_object($currentadmin)) {
$_notify = 'exists';
}
if (empty($_notify)) {
$userobj = Zenphoto_Authority::newAdministrator('');
$userobj->transient = false;
$userobj->setUser($user);
$userobj->setPass($pass);
$userobj->setName($admin_n);
$userobj->setEmail($admin_e);
$userobj->setRights(0);
$userobj->setObjects(NULL);
$userobj->setGroup('');
$userobj->setCustomData('');
$userobj->setLanguage(getUserLocale());
if (extensionEnabled('userAddressFields')) {
$addresses = getOption('register_user_address_info');
$userinfo = register_user::getUserInfo(0);
$_comment_form_save_post = serialize($userinfo);
if ($addresses == 'required') {
if (!isset($userinfo['street']) || empty($userinfo['street'])) {
$userobj->transient = true;
$userobj->msg .= ' ' . gettext('You must supply the street field.');
}
if (!isset($userinfo['city']) || empty($userinfo['city'])) {
$userobj->transient = true;
$userobj->msg .= ' ' . gettext('You must supply the city field.');
}
if (!isset($userinfo['state']) || empty($userinfo['state'])) {
$userobj->transient = true;
$userobj->msg .= ' ' . gettext('You must supply the state field.');
}
if (!isset($userinfo['country']) || empty($userinfo['country'])) {
$userobj->transient = true;
$userobj->msg .= ' ' . gettext('You must supply the country field.');
}
if (!isset($userinfo['postal']) || empty($userinfo['postal'])) {
$userobj->transient = true;
$userobj->msg .= ' ' . gettext('You must supply the postal code field.');
}
}
zp_setCookie('reister_user_form_addresses', $_comment_form_save_post);
userAddressFields::setCustomData($userobj, $userinfo);
}
zp_apply_filter('register_user_registered', $userobj);
if ($userobj->transient) {
if (empty($_notify)) {
$_notify = 'filter';
}
} else {
$userobj->save();
if (MOD_REWRITE) {
$verify = '?verify=';
} else {
$verify = '&verify=';
}
$_link = PROTOCOL . "://" . $_SERVER['HTTP_HOST'] . register_user::getLink() . $verify . bin2hex(serialize(array('user' => $user, 'email' => $admin_e)));
$_message = sprintf(get_language_string(getOption('register_user_text')), $_link, $admin_n, $user, $pass);
$_notify = zp_mail(get_language_string(gettext('Registration confirmation')), $_message, array($user => $admin_e));
if (empty($_notify)) {
$_notify = 'accepted';
}
}
}
} else {
$_notify = 'mismatch';
}
} else {
$_notify = 'incomplete';
}
}
}
}
}
}
$notify = '&saved';
} else {
$notify = '&post_error';
}
header("Location: " . FULLWEBPATH . "/" . ZENFOLDER . '/' . PLUGIN_FOLDER . '/user_groups/user_groups-tab.php?page=users&tab=groups&subpage=' . $subpage . $notify);
exitZP();
case 'saveauserassignments':
if (isset($_POST['checkForPostTruncation'])) {
for ($i = 0; $i < $_POST['totalusers']; $i++) {
if (isset($_POST[$i . 'group'])) {
$newgroups = sanitize($_POST[$i . 'group']);
$username = trim(sanitize($_POST[$i . '-user'], 3));
$userobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $username, '`valid`>=' => 1));
user_groups::merge_rights($userobj, $newgroups);
$userobj->save();
}
}
$notify = '&saved';
} else {
$notify = '&post_error';
}
header("Location: " . FULLWEBPATH . "/" . ZENFOLDER . '/' . PLUGIN_FOLDER . '/user_groups/user_groups-tab.php?page=users&tab=assignments&subpage=' . $subpage . $notify);
exitZP();
}
}
printAdminHeader('users');
$background = '';
?>
$ordered[$key] = $admin['date'];
}
}
asort($ordered);
$adminordered = array();
foreach ($ordered as $key => $user) {
$adminordered[] = $admins[$key];
}
$msg = NULL;
if (isset($_GET['action'])) {
$action = sanitize($_GET['action']);
XSRFdefender($action);
if ($action == 'expiry') {
foreach ($_POST as $key => $action) {
if (strpos($key, 'r_') === 0) {
$userobj = Zenphoto_Authority::getAnAdmin(array('`id`=' => str_replace('r_', '', postIndexDecode($key))));
if ($userobj) {
switch ($action) {
case 'delete':
$userobj->remove();
break;
case 'disable':
$userobj->setValid(2);
$userobj->save();
break;
case 'enable':
$userobj->setValid(1);
$userobj->save();
break;
case 'renew':
$newdate = getOption('user_expiry_interval') * 86400 + strtotime($userobj->getDateTime());
