foreach ($form_list_array as $value) { $form_id = $value['form_id']; if (!empty($user_input['perm_editentries_' . $form_id])) { $user_input['perm_viewentries_' . $form_id] = 1; } //if all permission are empty, don't do insert if (empty($user_input['perm_editform_' . $form_id]) && empty($user_input['perm_editentries_' . $form_id]) && empty($user_input['perm_viewentries_' . $form_id])) { continue; } $params = array($form_id, $user_id, $user_input['perm_editform_' . $form_id], $user_input['perm_editentries_' . $form_id], $user_input['perm_viewentries_' . $form_id]); $query = "INSERT INTO \r\n\t\t\t\t\t\t\t\t\t`" . MF_TABLE_PREFIX . "permissions` (\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t`form_id`, \r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t`user_id`, \r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t`edit_form`, \r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t`edit_entries`, \r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t`view_entries`) \r\n\t\t\t\t\t\t\t\tVALUES (?, ?, ?, ?, ?);"; mf_do_query($query, $params, $dbh); } //send notification email to the user, if enabled if (!empty($user_input['send_login'])) { mf_send_login_info($dbh, $user_id, $user_input['user_password']); } //redirect to manage_users page and display success message $_SESSION['MF_SUCCESS'] = 'A new user has been added.'; $ssl_suffix = mf_get_ssl_suffix(); header("Location: http{$ssl_suffix}://" . $_SERVER['HTTP_HOST'] . mf_get_dirname($_SERVER['PHP_SELF']) . "/manage_users.php"); exit; } } $current_nav_tab = 'users'; require 'includes/header.php'; ?> <div id="content" class="full"> <div class="post add_user">
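// Password-change endpoint: hashes the posted password, stores it for the target
// user, optionally mails the login details, then prints a JSON status.
// NOTE(review): this block changes a credential, yet no login check and no
// anti-CSRF token check are visible here - confirm both run earlier in the file.
// NOTE(review): a user changing their own password is not asked for the current
// one in this block - confirm whether that is intended.
$input = mf_sanitize($_POST);

// Read every field defensively: a missing key must not raise a notice, and an
// array-valued field (np[]=..., user_id[]=...) must not reach the hasher or be
// cast to 1, which is the main administrator's id.
// NOTE(review): the password goes through mf_sanitize() before hashing; if that
// helper rewrites characters, the stored hash will not match what the user typed
// - verify against the login path.
$new_password_plain = isset($input['np']) ? $input['np'] : '';
$user_id            = (isset($input['user_id']) && is_scalar($input['user_id'])) ? (int) $input['user_id'] : 0;
$send_login_info    = (isset($input['send_login']) && is_scalar($input['send_login'])) ? (int) $input['send_login'] : 0;

// The previous guard only stopped when BOTH np and user_id were empty, so a
// request carrying a user_id but no password replaced that account's password
// with the hash of an empty string. A non-empty string password is now mandatory.
if (!is_string($new_password_plain) || $new_password_plain === '') {
    die("Error! You can't open this file directly");
}

// Check permissions and privileges.
if (!empty($_SESSION['mf_user_privileges']['priv_administer'])) {
    // Administrators may change any user's password except the main
    // administrator's (user_id 1), which only that account may change.
    // Both ids are cast so the comparison is strict, not loosely typed.
    $session_user_id = isset($_SESSION['mf_user_id']) ? (int) $_SESSION['mf_user_id'] : 0;

    if ($user_id === 1 && $session_user_id !== 1) {
        die("Access Denied. You don't have permission to change Main Administrator password.");
    }
} else {
    // Normal users can only change their own password: the posted user_id is
    // discarded in favour of the id held in the session.
    $user_id = isset($_SESSION['mf_user_id']) ? (int) $_SESSION['mf_user_id'] : 0;
}

// Refuse to continue without a usable target id (missing session id for a
// normal user, or a missing/invalid user_id posted by an administrator).
if ($user_id <= 0) {
    die("Error! You can't open this file directly");
}

$hasher            = new PasswordHash(8, FALSE);
$new_password_hash = $hasher->HashPassword($new_password_plain);

// Assuming PasswordHash is the phpass class: it returns '*' when hashing fails,
// and every valid hash it produces is at least 20 characters long. Storing a
// failed result would leave the account with an unusable password.
if (!is_string($new_password_hash) || strlen($new_password_hash) < 20) {
    die("Error! Unable to update password.");
}

// Values are bound as parameters; only the table prefix constant is concatenated.
$query  = "UPDATE " . MF_TABLE_PREFIX . "users SET user_password = ? WHERE user_id = ?";
$params = array($new_password_hash, $user_id);
mf_do_query($query, $params, $dbh);

// If the send_login parameter is set, resend the login information to the user.
// NOTE(review): the plaintext password is handed to the mailer here, so it ends
// up in mailboxes and mail logs; a one-time reset link would avoid that.
if (!empty($send_login_info)) {
    mf_send_login_info($dbh, $user_id, $new_password_plain);
}

echo '{"status" : "ok"}';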