echo lang_get('update_user_button');
?>
" />
	</td>
</tr>
</table>
</form>
</div>

<br />

<!-- RESET AND DELETE -->
<?php 
$t_reset = $t_user['id'] != auth_get_current_user_id() && helper_call_custom_function('auth_can_change_password', array());
$t_unlock = OFF != config_get('max_failed_login_count') && $t_user['failed_login_count'] > 0;
$t_delete = !(user_is_administrator($t_user_id) && user_count_level(config_get_global('admin_site_threshold')) <= 1);
if ($t_reset || $t_unlock || $t_delete) {
    ?>
<div class="border center">

<!-- Reset/Unlock Button -->
<?php 
    if ($t_reset || $t_unlock) {
        ?>
	<form method="post" action="manage_user_reset.php">
<?php 
        echo form_security_field('manage_user_reset');
        ?>
		<input type="hidden" name="user_id" value="<?php 
        echo $t_user['id'];
        ?>
# Validate the submitted real name and e-mail address before any row is touched.
# The return values are ignored, so these helpers presumably abort the request
# themselves on bad input -- TODO confirm.
user_ensure_realname_valid($f_realname);
user_ensure_realname_unique($f_username, $f_realname);
$f_email = email_append_domain($f_email);
email_ensure_valid($f_email);
# $c_* are the escaped/cast copies of the request values. The UPDATE statement
# that follows interpolates them straight into its SQL text, so the query is
# only as safe as these db_prepare_* helpers and their consistent use.
# NOTE(review): bound parameters would remove that dependency.
$c_email = db_prepare_string($f_email);
$c_username = db_prepare_string($f_username);
$c_realname = db_prepare_string($f_realname);
$c_protected = db_prepare_bool($f_protected);
$c_enabled = db_prepare_bool($f_enabled);
$c_user_id = db_prepare_int($f_user_id);
$c_access_level = db_prepare_int($f_access_level);
$t_user_table = config_get('mantis_user_table');
# Stored 'protected' flag of the target account, read before the update.
$t_old_protected = user_get_field($f_user_id, 'protected');
# NOTE(review): nothing in this excerpt checks that the acting user's own access
# level is at least $f_access_level; confirm that is enforced earlier in the file.
# check that we are not downgrading the last administrator
$t_old_access = user_get_field($f_user_id, 'access_level');
if (ADMINISTRATOR == $t_old_access && $t_old_access != $f_access_level && 1 >= user_count_level(ADMINISTRATOR)) {
    # Relies on the ERROR-level handler stopping the request here -- TODO confirm.
    trigger_error(ERROR_USER_CHANGE_LAST_ADMIN, ERROR);
}
# Project specific access rights override global levels, hence, for users who are changed
# to be administrators, we have to remove project specific rights.
# Note that this deletion runs before the UPDATE itself is issued.
if ($c_access_level >= ADMINISTRATOR && !user_is_administrator($c_user_id)) {
    user_delete_project_specific_access_levels($c_user_id);
}
# if the user is already protected and the admin is not removing the
#  protected flag then don't update the access level and enabled flag.
#  If the user was unprotected or the protected flag is being turned off
#  then proceed with a full update.
if ($f_protected && $t_old_protected) {
    $query = "UPDATE {$t_user_table}\n\t    \t\tSET username='******', email='{$c_email}',\n\t    \t\t\tprotected='{$c_protected}', realname='{$c_realname}'\n\t    \t\tWHERE id='{$c_user_id}'";
} else {
    $query = "UPDATE {$t_user_table}\n\t    \t\tSET username='******', email='{$c_email}',\n\t    \t\t\taccess_level='{$c_access_level}', enabled='{$c_enabled}',\n\t    \t\t\tprotected='{$c_protected}', realname='{$c_realname}'\n\t    \t\tWHERE id='{$c_user_id}'";
示例#3
 */
/**
 * MantisBT Core API's
 */
# Self-service account deletion: the logged-in user removes their own account.
# Every guard below runs before user_delete(), so their order is significant.
require_once 'core.php';
# Check the 'account_delete' form security (anti-CSRF) token before anything else.
form_security_validate('account_delete');
auth_ensure_user_authenticated();
# Presumably refuses accounts flagged as protected -- TODO confirm.
current_user_ensure_unprotected();
# Only allow users to delete their own accounts if allow_account_delete = ON or
# the user has permission to manage user accounts.
if (OFF == config_get('allow_account_delete') && !access_has_global_level(config_get('manage_user_threshold'))) {
    # NOTE(review): this guard only holds if print_header_redirect() ends the
    # request; if it returned, execution would continue to the deletion below.
    # Confirm the helper exits by default.
    print_header_redirect('account_page.php');
}
# check that we are not deleting the last administrator account
$t_admin_threshold = config_get_global('admin_site_threshold');
if (current_user_is_administrator() && user_count_level($t_admin_threshold) <= 1) {
    # Relies on the ERROR-level handler stopping the request here -- TODO confirm.
    trigger_error(ERROR_USER_CHANGE_LAST_ADMIN, ERROR);
}
helper_ensure_confirmed(lang_get('confirm_delete_msg'), lang_get('delete_account_button'));
# The 'account_delete' token is purged once the request has passed every check.
form_security_purge('account_delete');
# Capture the id first: after auth_logout() the current user is no longer available.
$t_user_id = auth_get_current_user_id();
auth_logout();
user_delete($t_user_id);
html_page_top1();
html_page_top2a();
?>

<br />
<div align="center">
<?php 
echo lang_get('account_removed_msg') . '<br />';
示例#4
}
# The string values are copied without escaping: the UPDATE built right after
# this block passes them as bound parameters (db_param() placeholders plus
# $query_params) instead of quoting them into the SQL text.
$c_email = $t_email;
$c_username = $f_username;
$c_realname = $t_realname;
$c_protected = db_prepare_bool($f_protected);
$c_enabled = db_prepare_bool($f_enabled);
$c_user_id = db_prepare_int($f_user_id);
$c_access_level = db_prepare_int($f_access_level);
$t_user_table = db_get_table('user');
# Stored 'protected' flag of the target account, taken from the loaded user row.
$t_old_protected = $t_user['protected'];
# Ensure that users aren't escalating privileges of accounts beyond their
# own global access level.
access_ensure_global_level($f_access_level);
# check that we are not downgrading the last administrator
# The check fires only when the new level falls below admin_site_threshold and
# at most one account is counted at that threshold.
$t_admin_threshold = config_get_global('admin_site_threshold');
if (user_is_administrator($f_user_id) && $f_access_level < $t_admin_threshold && user_count_level($t_admin_threshold) <= 1) {
    # Relies on the ERROR-level handler stopping the request here -- TODO confirm.
    trigger_error(ERROR_USER_CHANGE_LAST_ADMIN, ERROR);
}
# Project specific access rights override global levels, hence, for users who are changed
# to be administrators, we have to remove project specific rights.
# Note that this deletion runs before the UPDATE itself is issued.
if ($f_access_level >= $t_admin_threshold && !user_is_administrator($f_user_id)) {
    user_delete_project_specific_access_levels($f_user_id);
}
# if the user is already protected and the admin is not removing the
#  protected flag then don't update the access level and enabled flag.
#  If the user was unprotected or the protected flag is being turned off
#  then proceed with a full update.
# Values to bind; filled in the same order as the db_param() placeholders.
$query_params = array();
if ($f_protected && $t_old_protected) {
    $query = "UPDATE {$t_user_table}\n\t\t\tSET username="******", email=" . db_param() . ",\n\t\t\t\tprotected=" . db_param() . ", realname=" . db_param() . "\n\t\t\tWHERE id=" . db_param();
    $query_params = array($c_username, $c_email, $c_protected, $c_realname, $c_user_id);
示例#5
# Administrative deletion of another user's account. The checks run in order:
# re-authentication, the manage-user threshold, the target's access level, and
# the last-administrator guard, followed by an explicit confirmation step.
auth_reauthenticate();
access_ensure_global_level( config_get( 'manage_user_threshold' ) );

# gpc_get_int() presumably rejects a non-integer user_id -- TODO confirm.
$f_user_id	= gpc_get_int( 'user_id' );

$t_user = user_get_row( $f_user_id );

# Ensure that the account to be deleted is of equal or lower access to the
# current user.
access_ensure_global_level( $t_user['access_level'] );

# check that we are not deleting the last administrator account
$t_admin_threshold = config_get_global( 'admin_site_threshold' );
if ( user_is_administrator( $f_user_id ) &&
	 user_count_level( $t_admin_threshold ) <= 1 ) {
	# Relies on the ERROR-level handler stopping the request here -- TODO confirm.
	trigger_error( ERROR_USER_CHANGE_LAST_ADMIN, ERROR );
}

# If an administrator is trying to delete their own account, use
# account_delete.php instead as it handles logging out and redirection
# of users who have just deleted their own accounts.
# NOTE(review): the freshly issued 'account_delete' token travels in the URL
# query string, where it can end up in server logs, browser history and Referer
# headers; confirm the token is single-use and short-lived.
if ( auth_get_current_user_id() == $f_user_id ) {
	form_security_purge( 'manage_user_delete' );
	print_header_redirect( 'account_delete.php?account_delete_token=' . form_security_token( 'account_delete' ), true, false );
}

# NOTE(review): the message already carries markup ('<br/>'), so it is handled
# as HTML, and the username is appended to it unescaped. Confirm that username
# validation or helper_ensure_confirmed() prevents markup injection here.
helper_ensure_confirmed( lang_get( 'delete_account_sure_msg' ) .
	'<br/>' . lang_get( 'username_label' ) . lang_get( 'word_separator' ) . $t_user['username'],
	lang_get( 'delete_account_button' ) );
示例#6
    email_ensure_not_disposable($t_email);
}
# Plain copies and PHP casts replace any SQL escaping here; the $t_query_params
# array initialised at the end of this block suggests the UPDATE uses bound
# parameters -- the statement itself is outside this excerpt, TODO confirm.
$c_email = $t_email;
$c_username = $f_username;
$c_realname = $t_realname;
$c_protected = (bool) $f_protected;
$c_enabled = (bool) $f_enabled;
$c_user_id = (int) $f_user_id;
$c_access_level = (int) $f_access_level;
# Stored 'protected' flag of the target account, taken from the loaded user row.
$t_old_protected = $t_user['protected'];
# Ensure that users aren't escalating privileges of accounts beyond their
# own global access level.
access_ensure_global_level($f_access_level);
# check that we are not downgrading the last administrator
# The second argument to user_count_level() presumably limits the count to
# enabled accounts -- TODO confirm against its definition.
$t_admin_threshold = config_get_global('admin_site_threshold');
if (user_is_administrator($f_user_id) && user_count_level($t_admin_threshold, true) <= 1) {
    # Refuse both ways of losing the last administrator: lowering the access
    # level below the threshold, or disabling the account.
    if ($f_access_level < $t_admin_threshold || $c_enabled === false) {
        # Relies on the ERROR-level handler stopping the request here -- TODO confirm.
        trigger_error(ERROR_USER_CHANGE_LAST_ADMIN, ERROR);
    }
}
# Project specific access rights override global levels, hence, for users who are changed
# to be administrators, we have to remove project specific rights.
if ($f_access_level >= $t_admin_threshold && !user_is_administrator($f_user_id)) {
    user_delete_project_specific_access_levels($f_user_id);
}
# if the user is already protected and the admin is not removing the
#  protected flag then don't update the access level and enabled flag.
#  If the user was unprotected or the protected flag is being turned off
#  then proceed with a full update.
$t_query_params = array();
if ($f_protected && $t_old_protected) {
	</form>
</div>

<div id="manage-user-actions-div" class="form-container">
<?php /* Reset form: rendered only when the auth_can_change_password custom function returns a truthy value. */ if( helper_call_custom_function( 'auth_can_change_password', array() ) ) { ?>
	<form id="manage-user-reset-form" method="post" action="manage_user_reset.php" class="action-button">
		<fieldset>
		<?php /* Per-form security token; presumably validated by manage_user_reset.php before it acts -- confirm. */ echo form_security_field( 'manage_user_reset' ) ?>
		<input type="hidden" name="user_id" value="<?php /* NOTE(review): echoed without escaping; assumes id is the integer from the user row -- confirm. */ echo $t_user['id'] ?>" />
			<span><input type="submit" class="button" value="<?php echo lang_get( 'reset_password_button' ) ?>" /></span>
		</fieldset>
	</form>
<?php } ?>

<!-- Delete Button -->
<?php /* Delete form is omitted when the target is an administrator and at most one account is counted at admin_site_threshold. This only hides the button; manage_user_delete.php has to enforce the same rule itself. */ if ( !( ( user_is_administrator( $t_user_id ) && ( user_count_level( config_get_global( 'admin_site_threshold' ) ) <= 1 ) ) ) ) { ?>
	<form id="manage-user-delete-form" method="post" action="manage_user_delete.php" class="action-button">
		<fieldset>
			<?php /* Per-form security token for the delete handler. */ echo form_security_field( 'manage_user_delete' ) ?>
			<input type="hidden" name="user_id" value="<?php echo $t_user['id'] ?>" />
			<span><input type="submit" class="button" value="<?php echo lang_get( 'delete_user_button' ) ?>" /></span>
		</fieldset>
	</form>
<?php } ?>
</div>

<?php if( !$t_ldap ) { ?>
<div class="important-msg">
<?php
	if ( ( ON == config_get( 'send_reset_password' ) ) && ( ON == config_get( 'enable_email_notification' ) ) ) {
		echo lang_get( 'reset_password_msg' );
<?php 
echo form_security_field('manage_user_reset');
?>
		<input type="hidden" name="user_id" value="<?php 
echo $t_user['id'];
?>
" />
		<input type="submit" class="button" value="<?php 
echo lang_get('reset_password_button');
?>
" />
	</form>

<!-- Delete Button -->
<?php 
if (!(ADMINISTRATOR <= $t_user['access_level'] && 1 >= user_count_level(ADMINISTRATOR))) {
    ?>
	<form method="post" action="manage_user_delete.php">
<?php 
    echo form_security_field('manage_user_delete');
    ?>

		<input type="hidden" name="user_id" value="<?php 
    echo $t_user['id'];
    ?>
" />
		<input type="submit" class="button" value="<?php 
    echo lang_get('delete_user_button');
    ?>
" />
	</form>