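<?php
# MantisBT - A PHP based bugtracking system

# MantisBT is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# MantisBT is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with MantisBT.  If not, see <http://www.gnu.org/licenses/>.

/**
 * Applies an administrator's edits to an existing user account (username,
 * real name, e-mail, access level, enabled and protected flags), then
 * optionally e-mails the affected user a summary of what changed and
 * renders a confirmation page linking back to the edit page.
 *
 * Form fields read: user_id, username, realname, email, access_level,
 * enabled, protected, send_email_notification.
 *
 * @package MantisBT
 * @copyright Copyright (C) 2000 - 2002  Kenzaburo Ito - kenito@300baud.org
 * @copyright Copyright (C) 2002 - 2011  MantisBT Team - mantisbt-dev@lists.sourceforge.net
 * @link http://www.mantisbt.org
 *
 * @uses core.php
 * @uses access_api.php
 * @uses authentication_api.php
 * @uses config_api.php
 * @uses constant_inc.php
 * @uses database_api.php
 * @uses email_api.php
 * @uses form_api.php
 * @uses gpc_api.php
 * @uses helper_api.php
 * @uses html_api.php
 * @uses lang_api.php
 * @uses logging_api.php
 * @uses print_api.php
 * @uses string_api.php
 * @uses user_api.php
 * @uses user_pref_api.php
 */

/**
 * MantisBT Core API's
 */
require_once( 'core.php' );
require_api( 'access_api.php' );
require_api( 'authentication_api.php' );
require_api( 'config_api.php' );
require_api( 'constant_inc.php' );
require_api( 'database_api.php' );
require_api( 'email_api.php' );
require_api( 'form_api.php' );
require_api( 'gpc_api.php' );
require_api( 'helper_api.php' );
require_api( 'html_api.php' );
require_api( 'lang_api.php' );
require_api( 'logging_api.php' );
require_api( 'print_api.php' );
require_api( 'string_api.php' );
require_api( 'user_api.php' );
require_api( 'user_pref_api.php' );

# CSRF token for this form must be present and valid before anything is read.
form_security_validate( 'manage_user_update' );

# Editing accounts is sensitive: require a fresh authentication and the
# configured "manage users" global access level.
auth_reauthenticate();
access_ensure_global_level( config_get( 'manage_user_threshold' ) );

$f_protected = gpc_get_bool( 'protected' );
$f_enabled = gpc_get_bool( 'enabled' );
$f_email = gpc_get_string( 'email', '' );
$f_username = trim( gpc_get_string( 'username', '' ) );
$f_realname = gpc_get_string( 'realname', '' );
$f_access_level = gpc_get_int( 'access_level' );
$f_user_id = gpc_get_int( 'user_id' );

# The per-request notification checkbox is only honoured when e-mail
# notification is enabled site-wide.
if ( config_get( 'enable_email_notification' ) == ON ) {
	$f_send_email_notification = gpc_get_bool( 'send_email_notification' );
} else {
	$f_send_email_notification = 0;
}

user_ensure_exists( $f_user_id );

$t_user = user_get_row( $f_user_id );

$t_old_username = $t_user['username'];
$t_old_protected = $t_user['protected'];

# Old values are only needed to build the change summary in the notification.
if ( $f_send_email_notification ) {
	$t_old_realname = $t_user['realname'];
	$t_old_email = $t_user['email'];
	$t_old_access_level = $t_user['access_level'];
}

# If the account is already protected and the admin is not removing the
# protected flag, the access level and enabled flag are left untouched and
# only username, e-mail, realname and the flag itself are written.
# Everything that depends on "is the access level actually being changed"
# keys off this single value.
$t_keep_protected = ( $f_protected && $t_old_protected );

# Ensure that the account to be updated is of equal or lower access to the
# current user.
access_ensure_global_level( $t_user['access_level'] );

# check that the username is unique
if ( 0 != strcasecmp( $t_old_username, $f_username )
	&& false == user_is_name_unique( $f_username ) ) {
	trigger_error( ERROR_USER_NAME_NOT_UNIQUE, ERROR );
}

user_ensure_name_valid( $f_username );

$t_ldap = ( LDAP == config_get( 'login_method' ) );

# Real name and e-mail may be authoritative in LDAP, in which case the
# submitted form values are ignored in favour of the directory.
if ( $t_ldap && config_get( 'use_ldap_realname' ) ) {
	$t_realname = ldap_realname_from_username( $f_username );
} else {
	# strip extra space from real name
	$t_realname = string_normalize( $f_realname );
	user_ensure_realname_unique( $t_old_username, $t_realname );
}

if ( $t_ldap && config_get( 'use_ldap_email' ) ) {
	$t_email = ldap_email( $f_user_id );
} else {
	$t_email = email_append_domain( trim( $f_email ) );
	email_ensure_valid( $t_email );
	email_ensure_not_disposable( $t_email );
}

$c_email = $t_email;
$c_username = $f_username;
$c_realname = $t_realname;
$c_protected = db_prepare_bool( $f_protected );
$c_enabled = db_prepare_bool( $f_enabled );
$c_user_id = db_prepare_int( $f_user_id );
$c_access_level = db_prepare_int( $f_access_level );

$t_user_table = db_get_table( 'user' );

# Ensure that users aren't escalating privileges of accounts beyond their
# own global access level.
access_ensure_global_level( $f_access_level );

# check that we are not downgrading the last administrator
$t_admin_threshold = config_get_global( 'admin_site_threshold' );
if ( user_is_administrator( $f_user_id ) &&
	$f_access_level < $t_admin_threshold &&
	user_count_level( $t_admin_threshold ) <= 1 ) {
	trigger_error( ERROR_USER_CHANGE_LAST_ADMIN, ERROR );
}

# Project specific access rights override global levels, hence, for users who
# are changed to be administrators, we have to remove project specific rights.
# This must only happen when the access level is actually written below: for
# a protected account the submitted level is ignored, so wiping its project
# rights would leave it with less access than before without promoting it.
if ( !$t_keep_protected
	&& ( $f_access_level >= $t_admin_threshold )
	&& ( !user_is_administrator( $f_user_id ) ) ) {
	user_delete_project_specific_access_levels( $f_user_id );
}

# All user-supplied values go through bound parameters; only the table name
# (from db_get_table) is interpolated into the statement text.
if ( $t_keep_protected ) {
	$query = "UPDATE $t_user_table
				SET username=" . db_param() . ", email=" . db_param() . ",
					protected=" . db_param() . ", realname=" . db_param() . "
				WHERE id=" . db_param();
	$query_params = array( $c_username, $c_email, $c_protected, $c_realname, $c_user_id );
} else {
	$query = "UPDATE $t_user_table
				SET username=" . db_param() . ", email=" . db_param() . ",
					access_level=" . db_param() . ", enabled=" . db_param() . ",
					protected=" . db_param() . ", realname=" . db_param() . "
				WHERE id=" . db_param();
	$query_params = array( $c_username, $c_email, $c_access_level, $c_enabled, $c_protected, $c_realname, $c_user_id );
}

$result = db_query_bound( $query, $query_params );

if ( $f_send_email_notification ) {
	# Compose the message in the recipient's language, not the admin's.
	lang_push( user_pref_get_language( $f_user_id ) );
	$t_changes = '';
	if ( strcmp( $f_username, $t_old_username ) ) {
		$t_changes .= lang_get( 'username_label' ) . lang_get( 'word_separator' ) . $t_old_username . ' => ' . $f_username . "\n";
	}
	if ( strcmp( $t_realname, $t_old_realname ) ) {
		$t_changes .= lang_get( 'realname_label' ) . lang_get( 'word_separator' ) . $t_old_realname . ' => ' . $t_realname . "\n";
	}
	if ( strcmp( $t_email, $t_old_email ) ) {
		$t_changes .= lang_get( 'email_label' ) . lang_get( 'word_separator' ) . $t_old_email . ' => ' . $t_email . "\n";
	}
	# Only report an access level change when one was actually written; the
	# stored level may come back from the driver as a string, so compare as ints.
	if ( !$t_keep_protected && (int)$f_access_level != (int)$t_old_access_level ) {
		$t_old_access_string = get_enum_element( 'access_levels', $t_old_access_level );
		$t_new_access_string = get_enum_element( 'access_levels', $f_access_level );
		$t_changes .= lang_get( 'access_level_label' ) . lang_get( 'word_separator' ) . $t_old_access_string . ' => ' . $t_new_access_string . "\n\n";
	}
	if ( !empty( $t_changes ) ) {
		$t_subject = '[' . config_get( 'window_title' ) . '] ' . lang_get( 'email_user_updated_subject' );
		$t_updated_msg = lang_get( 'email_user_updated_msg' );
		$t_message = $t_updated_msg . "\n\n" . config_get( 'path' ) . 'account_page.php' . "\n\n" . $t_changes;
		email_store( $t_email, $t_subject, $t_message );
		# The username and address are user-supplied, so they are passed as
		# sprintf arguments rather than concatenated into the format string,
		# where a '%' in either would be read as a conversion specifier.
		log_event( LOG_EMAIL, sprintf( 'Account update notification sent to %s (%s)', $f_username, $t_email ) );
		if ( config_get( 'email_send_using_cronjob' ) == OFF ) {
			email_send_all();
		}
	}
	lang_pop();
}

# $c_user_id is the db-prepared integer, so the redirect carries no raw input.
$t_redirect_url = 'manage_user_edit_page.php?user_id=' . $c_user_id;

form_security_purge( 'manage_user_update' );

html_page_top( null, $result ? $t_redirect_url : null );
?>

<br />
<div>
<?php
if ( $t_keep_protected ) { # PROTECTED
	echo lang_get( 'manage_user_protected_msg' ) . '<br />';
} else if ( $result ) { # SUCCESS
	echo lang_get( 'operation_successful' ) . '<br />';
}

print_bracket_link( $t_redirect_url, lang_get( 'proceed' ) );
?>
</div>

<?php
html_page_bottom();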