
   1  <?php
   2  /**
   3   * This file implements the UI controller for settings management.
   4   *
   5   * This file is part of the evoCore framework - {@link http://evocore.net/}
   6   * See also {@link http://sourceforge.net/projects/evocms/}.
   7   *
   8   * @copyright (c)2003-2014 by Francois Planque - {@link http://fplanque.com/}
   9   * Parts of this file are copyright (c)2004-2006 by Daniel HAHLER - {@link http://thequod.de/contact}.
  10   *
  11   * {@internal License choice
  12   * - If you have received this file as part of a package, please find the license.txt file in
  13   *   the same folder or the closest folder above for complete license terms.
  14   * - If you have received this file individually (e-g: from http://evocms.cvs.sourceforge.net/)
  15   *   then you must choose one of the following licenses before using the file:
  16   *   - GNU General Public License 2 (GPL) - http://www.opensource.org/licenses/gpl-license.php
  17   *   - Mozilla Public License 1.1 (MPL) - http://www.opensource.org/licenses/mozilla1.1.php
  18   * }}
  19   *
  20   * {@internal Open Source relicensing agreement:
  21   * Daniel HAHLER grants Francois PLANQUE the right to license
  22   * Daniel HAHLER's contributions to this file and the b2evolution project
  23   * under any OSI approved OSS license (http://www.opensource.org/licenses/).
  24   * }}
  25   *
  26   * @package admin
  27   *
  28   * {@internal Below is a list of authors who have contributed to design/coding of this file: }}
  29   * @author fplanque: Francois PLANQUE
  30   * @author blueyed: Daniel HAHLER
  31   *
  32   * @todo separate object inits and permission checks
  33   *
  34   * @version $Id: users.ctrl.php 6136 2014-03-08 07:59:48Z manuel $
  35   */
  36  if( !defined('EVO_MAIN_INIT') ) die( 'Please, do not access this page directly.' );
  37  
  38  /**
  39   * @var AdminUI_general
  40   */
  41  global $AdminUI;
  42  
  43  param( 'user_ID', 'integer', NULL );    // Note: should NOT be memorized (would kill navigation/sorting) use memorize_param() if needed
  44  
  45  param_action( 'list' );
  46  
  47  $tab = param( 'tab', 'string', '' );
  48  
  49  $AdminUI->set_path( 'users', $tab == 'stats' ? 'stats' : 'users' );
  50  
  51  if( !$current_User->check_perm( 'users', 'view' ) )
  52  { // User has no permissions to view: he can only edit his profile
  53  
  54      if( isset($user_ID) && $user_ID != $current_User->ID )
  55      { // User is trying to edit something he should not: add error message (Should be prevented by UI)
  56          $Messages->add( T_('You have no permission to view other users!'), 'error' );
  57      }
  58  
  59      // Make sure the user only edits himself:
  60      $user_ID = $current_User->ID;
  61      if( !in_array( $action, array( 'update', 'edit', 'default_settings', 'change_admin_skin' ) ) )
  62      {
  63          header_redirect( regenerate_url( 'ctrl,action', 'ctrl=user&action=edit&user_ID='.$user_ID, '', '&' ) );
  64      }
  65  }
  66  
/*
 * Load editable objects and set $action (while checking permissions)
 *
 * After this block, $edited_User is set only when a valid user_ID was requested,
 * and $action has been downgraded to 'list' / 'view' where permissions are missing.
 * header_redirect() does not return, so the redirecting branches end the request here.
 */

$UserCache = & get_UserCache();

if( ! is_null($user_ID) )
{   // User selected
	if( ($edited_User = & $UserCache->get_by_ID( $user_ID, false )) === false )
	{    // We could not find the User to edit: drop the stale ID and fall back to the list
		unset( $edited_User );
		forget_param( 'user_ID' );
		$Messages->add( sprintf( T_('Requested &laquo;%s&raquo; object does not exist any longer.'), T_('User') ), 'error' );
		$action = 'list';
	}
	elseif( $action == 'list' )
	{ // 'list' is default, $user_ID given: pick the screen this user is allowed to see
		if( $user_ID == $current_User->ID || $current_User->check_perm( 'users', 'edit' ) )
		{ // own profile, or "edit users" permission: edit screen
			$action = 'edit';
		}
		else
		{ // otherwise a read-only view of the profile
			$action = 'view';
		}
		header_redirect( regenerate_url( 'ctrl,action', 'ctrl=user&action='.$action.'&user_ID='.$user_ID, '', '&' ) );
	}

	if( $action != 'list' )
	{ // check edit permissions
		// NOTE(review): this gate only stops editing *other* users without the "edit" permission.
		// A user acting on his own profile passes it for every action (including 'promote'),
		// so actions that must not be self-applied have to assert the permission themselves.
		if( ! $current_User->check_perm( 'users', 'edit' )
			&& $edited_User->ID != $current_User->ID )
		{ // user is only allowed to _view_ other user's profiles
			$Messages->add( T_('You have no permission to edit other users!'), 'error' );
			// NOTE(review): no '&' glue is passed here (unlike the redirects above), so the URL keeps
			// '&amp;' — presumably header_redirect() normalizes it; confirm.
			header_redirect( regenerate_url( 'ctrl,action', 'ctrl=user&amp;action=view&amp;user_ID='.$user_ID ) );
		}
		elseif( $demo_mode && $edited_User->ID <= 3 )
		{ // Demo mode restrictions: users created by install process cannot be edited
			// (IDs 1..3 are taken to be the install-time accounts)
			$Messages->add( T_('You cannot edit the admin and demo users profile in demo mode!'), 'error' );

			if( strpos( $action, 'delete_' ) === 0 || $action == 'promote' )
			{ // Fallback to list/view action
				$action = 'list';
			}
			else
			{
				header_redirect( regenerate_url( 'ctrl,action', 'ctrl=user&amp;action=view&amp;user_ID='.$user_ID ) );
			}
		}
	}
}
 118  
 119  /*
 120   * Perform actions, if there were no errors:
 121   */
 122  if( !$Messages->has_errors() )
 123  { // no errors
 124      switch( $action )
 125      {
 126          case 'change_admin_skin':
 127              // Skin switch from menu
 128              param( 'new_admin_skin', 'string', true );
 129              param( 'redirect_to', 'url', '' );
 130  
 131              $UserSettings->set( 'admin_skin', $new_admin_skin );
 132              $UserSettings->dbupdate();
 133              $Messages->add( sprintf( T_('Admin skin changed to &laquo;%s&raquo;'), $new_admin_skin ), 'success' );
 134  
 135              header_redirect();
 136              /* EXITED */
 137              break;
 138  
 139          case 'promote':
 140              param( 'prom', 'string', true );
 141  
 142              if( !isset($edited_User)
 143                  || ! in_array( $prom, array('up', 'down') )
 144                  || ( $prom == 'up' && $edited_User->get('level') > 9 )
 145                  || ( $prom == 'down' && $edited_User->get('level') < 1 )
 146                )
 147              {
 148                  $Messages->add( T_('Invalid promotion.'), 'error' );
 149              }
 150              else
 151              {
 152                  $sql = '
 153                      UPDATE T_users
 154                         SET user_level = user_level '.( $prom == 'up' ? '+' : '-' ).' 1
 155                       WHERE user_ID = '.$edited_User->ID;
 156  
 157                  if( $DB->query( $sql ) )
 158                  {
 159                      $Messages->add( T_('User level changed.'), 'success' );
 160                  }
 161                  else
 162                  {
 163                      $Messages->add( sprintf( 'Couldn\'t change %s\'s level.', $edited_User->login ), 'error' );
 164                  }
 165              }
 166              break;
 167  
 168  
 169          case 'delete':
 170              /*
 171               * Delete user
 172               */
 173  
 174              // Check that this action request is not a CSRF hacked request:
 175              $Session->assert_received_crumb( 'user' );
 176  
 177              if( !isset($edited_User) )
 178                  debug_die( 'no User set' );
 179  
 180              if( $edited_User->ID == $current_User->ID )
 181              {
 182                  $Messages->add( T_('You can\'t delete yourself!'), 'error' );
 183                  $action = 'view';
 184                  break;
 185              }
 186              if( $edited_User->ID == 1 )
 187              {
 188                  $Messages->add( T_('You can\'t delete User #1!'), 'error' );
 189                  $action = 'view';
 190                  break;
 191              }
 192  
 193              if( param( 'deltype', 'string', '', true ) == 'spammer' )
 194              { // If we delete user as spammer we also should remove the comments and the messages
 195                  $edited_User->delete_cascades = array_merge( $edited_User->delete_cascades, array(
 196                          array( 'table'=>'T_comments', 'fk'=>'comment_author_ID', 'msg'=>T_('%d comments by this user') ),
 197                          array( 'table'=>'T_messaging__message', 'fk'=>'msg_author_user_ID', 'msg'=>T_('%d private messages sent by this user') ),
 198                      ) );
 199              }
 200  
 201              $fullname = $edited_User->dget( 'fullname' );
 202              if( param( 'confirm', 'integer', 0 ) )
 203              { // confirmed, Delete from DB:
 204                  if ( ! empty( $fullname ) )
 205                  {
 206                      $msg = sprintf( T_('User &laquo;%s&raquo; [%s] deleted.'), $fullname, $edited_User->dget( 'login' ) );
 207                  }
 208                  else
 209                  {
 210                      $msg = sprintf( T_('User &laquo;%s&raquo; deleted.'), $edited_User->dget( 'login' ) );
 211                  }
 212  
 213                  $deleted_user_ID = $edited_User->ID;
 214                  $deleted_user_email = $edited_User->get( 'email' );
 215                  $edited_User->dbdelete( $Messages );
 216                  unset($edited_User);
 217                  forget_param('user_ID');
 218                  $Messages->add( $msg, 'success' );
 219  
 220                  // Find other users with the same email address
 221                  $message_same_email_users = find_users_with_same_email( $deleted_user_ID, $deleted_user_email, T_('Note: the same email address (%s) is still in use by: %s') );
 222                  if( $message_same_email_users !== false )
 223                  {
 224                      $Messages->add( $message_same_email_users, 'note' );
 225                  }
 226  
 227                  $action = 'list';
 228                  // Redirect so that a reload doesn't write to the DB twice:
 229                  header_redirect( '?ctrl=users', 303 ); // Will EXIT
 230                  // We have EXITed already at this point!!
 231              }
 232              else
 233              {    // not confirmed, Check for restrictions:
 234                  memorize_param( 'user_ID', 'integer', true );
 235                  if ( ! empty( $fullname ) )
 236                  {
 237                      $msg = sprintf( T_('Cannot delete User &laquo;%s&raquo; [%s]'), $fullname, $edited_User->dget( 'login' ) );
 238                  }
 239                  else
 240                  {
 241                      $msg = sprintf( T_('Cannot delete User &laquo;%s&raquo;'), $edited_User->dget( 'login' ) );
 242                  }
 243  
 244                  if( ! $edited_User->check_delete( $msg ) )
 245                  { // There are restrictions:
 246                      $action = 'view';
 247                  }
 248              }
 249              break;
 250  
 251  
 252          case 'del_settings_set':
 253              // Delete a set of an array type setting:
 254              param( 'plugin_ID', 'integer', true );
 255              param( 'set_path' );
 256  
 257              $admin_Plugins = & get_Plugins_admin();
 258              $admin_Plugins->restart();
 259              $edit_Plugin = & $admin_Plugins->get_by_ID($plugin_ID);
 260  
 261              load_funcs('plugins/_plugin.funcs.php');
 262              _set_setting_by_path( $edit_Plugin, 'UserSettings', $set_path, NULL );
 263  
 264              $edit_Plugin->Settings->dbupdate();
 265  
 266              $action = 'edit';
 267  
 268              break;
 269  
 270  
 271          case 'add_settings_set': // delegates to edit_settings
 272              // Add a new set to an array type setting:
 273              param( 'plugin_ID', 'integer', true );
 274              param( 'set_path', 'string', '' );
 275  
 276              $admin_Plugins = & get_Plugins_admin();
 277              $admin_Plugins->restart();
 278              $edit_Plugin = & $admin_Plugins->get_by_ID($plugin_ID);
 279  
 280              load_funcs('plugins/_plugin.funcs.php');
 281              _set_setting_by_path( $edit_Plugin, 'UserSettings', $set_path, array() );
 282  
 283              $edit_Plugin->Settings->dbupdate();
 284  
 285              $action = 'edit';
 286  
 287              break;
 288  
 289          case 'search':
 290              // Quick search
 291  
 292              // Check that this action request is not a CSRF hacked request:
 293              $Session->assert_received_crumb( 'user' );
 294  
 295              param( 'user_search', 'string', '' );
 296              set_param( 'keywords', $user_search );
 297              set_param( 'filter', 'new' );
 298  
 299              load_class( 'users/model/_userlist.class.php', 'UserList' );
 300              $UserList = new UserList( 'admin', $UserSettings->get('results_per_page'), 'users_', array( 'join_city' => false ) );
 301              $UserList->load_from_Request();
 302              // Make query to get a count of users
 303              $UserList->query();
 304  
 305              if( $UserList->total_rows == 1 )
 306              {    // If we find only one user by quick search we do a redirect to user's edit page
 307                  $User = $UserList->rows[0];
 308                  if( !empty( $User ) )
 309                  {
 310                      header_redirect( '?ctrl=user&user_tab=profile&user_ID='.$User->user_ID );
 311                  }
 312              }
 313  
 314              // Unset the filter to avoid the step 1 in the function $UserList->query() on the users list
 315              set_param( 'filter', '' );
 316  
 317              break;
 318  
 319          case 'remove_sender_customization':
 320              // Check that this action request is not a CSRF hacked request:
 321              $Session->assert_received_crumb( 'users' );
 322  
 323              // Check required permission
 324              $current_User->check_perm( 'users', 'edit', true );
 325  
 326              // get the type of the removable sender customization
 327              $type = param( 'type', 'string', true );
 328  
 329              // Set remove custom settings query
 330              $remove_query = 'DELETE FROM T_users__usersettings WHERE uset_name = "%s" AND uset_value != %s';
 331              if( $type == 'sender_email' )
 332              { // Remove custom sender emails
 333                  $DB->query( sprintf( $remove_query, 'notification_sender_email', $DB->quote( $Settings->get( 'notification_sender_email' ) ) ) );
 334              }
 335              elseif( $type == 'sender_name' )
 336              { // Remove custom sender names
 337                  $DB->query( sprintf( $remove_query, 'notification_sender_name', $DB->quote( $Settings->get( 'notification_sender_name' ) ) ) );
 338              }
 339              else
 340              { // The customization param is not valid
 341                  debug_die('Invalid remove sender customization action!');
 342              }
 343  
 344              $Messages->add( T_('Customizations have been removed!' ), 'success' );
 345              $redirect_to = param( 'redirect_to', 'url', regenerate_url( 'action' ) );
 346              // Redirect so that a reload doesn't write to the DB twice:
 347              header_redirect( $redirect_to );
 348              /* EXITED */
 349              break;
 350      }
 351  }
 352  
 353  // require css for jQuery UI
 354  require_css( $rsc_url.'css/jquery/smoothness/jquery-ui.css' );
 355  
 356  // We might delegate to this action from above:
 357  /*if( $action == 'edit' )
 358  {
 359      $Plugins->trigger_event( 'PluginUserSettingsEditAction', $tmp_params = array( 'User' => & $edited_User ) );
 360      $Session->delete( 'core.changepwd.request_id' ); // delete the request_id for password change request (from /htsrv/login.php)
 361  }*/
 362  
 363  
 364  $AdminUI->breadcrumbpath_init( false );  // fp> I'm playing with the idea of keeping the current blog in the path here...
 365  $AdminUI->breadcrumbpath_add( T_('Users'), '?ctrl=users' );
 366  if( $tab == 'stats' )
 367  {    // Users stats
 368      $AdminUI->breadcrumbpath_add( T_('Stats'), '?ctrl=users&amp;tab=stats' );
 369  }
 370  else
 371  {    // Users list
 372      $AdminUI->breadcrumbpath_add( T_('List'), '?ctrl=users' );
 373      $AdminUI->top_block = get_user_quick_search_form();
 374      if( $current_User->check_perm( 'users', 'edit', false ) )
 375      {    // Include to edit user level
 376          require_js( 'jquery/jquery.jeditable.js', 'rsc_url' );
 377      }
 378      load_funcs( 'regional/model/_regional.funcs.php' );
 379  }
 380  
 381  
 382  // Display <html><head>...</head> section! (Note: should be done early if actions do not redirect)
 383  $AdminUI->disp_html_head();
 384  
 385  // Display title, menu, messages, etc. (Note: messages MUST be displayed AFTER the actions)
 386  $AdminUI->disp_body_top();
 387  
 388  /*
 389   * Display appropriate payload:
 390   */
 391  switch( $action )
 392  {
 393      case 'nil':
 394          // Display NO payload!
 395          break;
 396  
 397      case 'delete':
 398          $deltype = param( 'deltype', 'string', '' ); // spammer
 399  
 400          $AdminUI->disp_payload_begin();
 401  
 402          // We need to ask for confirmation:
 403          $fullname = $edited_User->dget( 'fullname' );
 404          if ( ! empty( $fullname ) )
 405          {
 406              $msg = sprintf( T_('Delete user &laquo;%s&raquo; [%s]?'), $fullname, $edited_User->dget( 'login' ) );
 407          }
 408          else
 409          {
 410              $msg = sprintf( T_('Delete user &laquo;%s&raquo;?'), $edited_User->dget( 'login' ) );
 411          }
 412  
 413          $confirm_messages = array();
 414          if( $deltype != 'spammer' )
 415          { // Display this note for standard deleting
 416              $confirm_messages[] = array( T_('Note: this will not automatically delete private messages sent/received by this user. However, this will delete any new orphan private messages (which no longer have any existing sender or recipient).'), 'note' );
 417              $confirm_messages[] = array( T_('Note: this will not delete comments made by this user. Instead it will transform them from member to visitor comments.'), 'note' );
 418          }
 419  
 420          // Find other users with the same email address
 421          $message_same_email_users = find_users_with_same_email( $edited_User->ID, $edited_User->get( 'email' ), T_('Note: this user has the same email address (%s) as: %s') );
 422          if( $message_same_email_users !== false )
 423          {
 424              $confirm_messages[] = array( $message_same_email_users, 'note' );
 425          }
 426  
 427          $edited_User->confirm_delete( $msg, 'user', $action, get_memorized( 'action' ), $confirm_messages );
 428  
 429          // Display user identity form:
 430          $AdminUI->disp_view( 'users/views/_user_identity.form.php' );
 431          $AdminUI->disp_payload_end();
 432          break;
 433  
 434      case 'promote':
 435      default:
 436          // Display user list:
 437          // NOTE: we don't want this (potentially very long) list to be displayed again and again)
 438          $AdminUI->disp_payload_begin();
 439          if( $tab == 'stats' )
 440          {
 441              $AdminUI->disp_view( 'users/views/_user_stats.view.php' );
 442          }
 443          else
 444          {
 445              $AdminUI->disp_view( 'users/views/_user_list.view.php' );
 446          }
 447          $AdminUI->disp_payload_end();
 448  }
 449  
 450  
 451  // Display body bottom, debug info and close </html>:
 452  $AdminUI->disp_global_footer();
 453  
 454  ?>
