1<?php 2# MantisBT - A PHP based bugtracking system 3 4# MantisBT is free software: you can redistribute it and/or modify 5# it under the terms of the GNU General Public License as published by 6# the Free Software Foundation, either version 2 of the License, or 7# (at your option) any later version. 8# 9# MantisBT is distributed in the hope that it will be useful, 10# but WITHOUT ANY WARRANTY; without even the implied warranty of 11# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12# GNU General Public License for more details. 13# 14# You should have received a copy of the GNU General Public License 15# along with MantisBT. If not, see <http://www.gnu.org/licenses/>. 16 17/** 18 * Update User 19 * 20 * @package MantisBT 21 * @copyright Copyright 2000 - 2002 Kenzaburo Ito - kenito@300baud.org 22 * @copyright Copyright 2002 MantisBT Team - mantisbt-dev@lists.sourceforge.net 23 * @link http://www.mantisbt.org 24 * 25 * @uses core.php 26 * @uses access_api.php 27 * @uses authentication_api.php 28 * @uses config_api.php 29 * @uses constant_inc.php 30 * @uses database_api.php 31 * @uses email_api.php 32 * @uses form_api.php 33 * @uses gpc_api.php 34 * @uses helper_api.php 35 * @uses html_api.php 36 * @uses lang_api.php 37 * @uses logging_api.php 38 * @uses print_api.php 39 * @uses string_api.php 40 * @uses user_api.php 41 * @uses user_pref_api.php 42 */ 43 44require_once( 'core.php' ); 45require_api( 'access_api.php' ); 46require_api( 'authentication_api.php' ); 47require_api( 'config_api.php' ); 48require_api( 'constant_inc.php' ); 49require_api( 'database_api.php' ); 50require_api( 'email_api.php' ); 51require_api( 'form_api.php' ); 52require_api( 'gpc_api.php' ); 53require_api( 'helper_api.php' ); 54require_api( 'html_api.php' ); 55require_api( 'lang_api.php' ); 56require_api( 'logging_api.php' ); 57require_api( 'print_api.php' ); 58require_api( 'string_api.php' ); 59require_api( 'user_api.php' ); 60require_api( 'user_pref_api.php' ); 61 
# Handles the manage_user_edit_page form submission: validates the request,
# applies the authorization rules (no editing of higher-ranked accounts, no
# privilege escalation, no loss of the last administrator), writes the row,
# and optionally notifies the account owner of what changed.
form_security_validate( 'manage_user_update' );

# Account management is privileged: re-authenticate the session and require
# the configured management threshold before looking at any form input.
auth_reauthenticate();
access_ensure_global_level( config_get( 'manage_user_threshold' ) );

# Form input ($f_*). Treat everything here as untrusted until validated below.
$f_protected = gpc_get_bool( 'protected' );
$f_enabled = gpc_get_bool( 'enabled' );
$f_email = gpc_get_string( 'email', '' );
$f_username = gpc_get_string( 'username', '' );
$f_realname = gpc_get_string( 'realname', '' );
$f_access_level = gpc_get_int( 'access_level' );
$f_user_id = gpc_get_int( 'user_id' );

# The notification checkbox is only honoured when e-mail is enabled site-wide.
$f_send_email_notification = ( config_get( 'enable_email_notification' ) == ON )
	? gpc_get_bool( 'send_email_notification' )
	: 0;

user_ensure_exists( $f_user_id );
$t_user = user_get_row( $f_user_id );

$f_username = trim( $f_username );

# Snapshot of the pre-update row: needed for the authorization checks and,
# when notifying, for the "old => new" change summary.
$t_old_username = $t_user['username'];
$t_old_access_level = $t_user['access_level'];
if( $f_send_email_notification ) {
	$t_old_realname = $t_user['realname'];
	$t_old_email = $t_user['email'];
}

# The target account must not outrank the current user (a manager must not
# be able to edit an administrator).
access_ensure_global_level( $t_user['access_level'] );

# A renamed account must not collide with an existing one. The comparison is
# case-insensitive, so merely changing the case of the current name is fine.
$t_renamed = ( 0 != strcasecmp( $t_old_username, $f_username ) );
if( $t_renamed && !user_is_name_unique( $f_username ) ) {
	trigger_error( ERROR_USER_NAME_NOT_UNIQUE, ERROR );
}

user_ensure_name_valid( $f_username );

$t_ldap = ( LDAP == config_get_global( 'login_method' ) );

# Real name: taken from the directory when LDAP is authoritative for it,
# otherwise from the form with extra whitespace stripped.
if( $t_ldap && config_get_global( 'use_ldap_realname' ) ) {
	$t_realname = ldap_realname_from_username( $f_username );
} else {
	$t_realname = string_normalize( $f_realname );
}

# E-mail: likewise LDAP-sourced or form-sourced. Only the form value goes
# through the syntax / disposable-domain / uniqueness checks; the LDAP value
# is stored as returned.
if( $t_ldap && config_get_global( 'use_ldap_email' ) ) {
	$t_email = ldap_email( $f_user_id );
} else {
	$t_email = trim( $f_email );
	email_ensure_valid( $t_email );
	email_ensure_not_disposable( $t_email );
	user_ensure_email_unique( $t_email, $f_user_id );
}

# Values in the form they will be written to the database ($c_*).
$c_email = $t_email;
$c_username = $f_username;
$c_realname = $t_realname;
$c_protected = (bool)$f_protected;
$c_enabled = (bool)$f_enabled;
$c_user_id = (int)$f_user_id;
$c_access_level = (int)$f_access_level;

$t_old_protected = $t_user['protected'];

# No privilege escalation: the requested level may not exceed the current
# user's own global level.
# NOTE(review): this caps the value but does not check that it is one of the
# configured access levels; any integer at or below the caller's level is
# stored as submitted. Validating against the access level enum would reject
# nonsensical values before they reach the database.
access_ensure_global_level( $f_access_level );

# Never demote or disable the only enabled administrator; that would lock
# everyone out of site administration.
$t_admin_threshold = config_get_global( 'admin_site_threshold' );
$t_last_admin = user_is_administrator( $f_user_id )
	&& user_count_level( $t_admin_threshold, /* enabled */ true ) <= 1;
if( $t_last_admin && ( $f_access_level < $t_admin_threshold || !$c_enabled ) ) {
	trigger_error( ERROR_USER_CHANGE_LAST_ADMIN, ERROR );
}

# Project-specific levels override the global one, so an account being raised
# to administrator must lose them or it would stay restricted on those projects.
if( $f_access_level != $t_old_access_level
	&& $f_access_level >= $t_admin_threshold
	&& !user_is_administrator( $f_user_id ) ) {
	user_delete_project_specific_access_levels( $f_user_id );
}

# A protected account keeps its access level and enabled flag. Only when the
# protected flag is absent or is being cleared in this request are all fields
# written.
$t_keep_protected = $f_protected && $t_old_protected;
if( $t_keep_protected ) {
	$t_query = 'UPDATE {user}
		SET username=' . db_param() . ', email=' . db_param() . ',
		protected=' . db_param() . ', realname=' . db_param() . '
		WHERE id=' . db_param();
	$t_query_params = array( $c_username, $c_email, $c_protected, $c_realname, $c_user_id );
	# Report the level that was actually kept, not the one submitted, so the
	# notification does not announce a change that did not happen.
	$f_access_level = $t_old_access_level;
} else {
	$t_query = 'UPDATE {user}
		SET username=' . db_param() . ', email=' . db_param() . ',
		access_level=' . db_param() . ', enabled=' . db_param() . ',
		protected=' . db_param() . ', realname=' . db_param() . '
		WHERE id=' . db_param();
	$t_query_params = array( $c_username, $c_email, $c_access_level, $c_enabled, $c_protected, $c_realname, $c_user_id );
}

# All values are bound parameters; nothing from the form is interpolated.
$t_result = db_query( $t_query, $t_query_params );

event_signal( 'EVENT_MANAGE_USER_UPDATE', array( $c_user_id ) );

if( $f_send_email_notification ) {
	# Compose the summary in the target user's language, not the admin's.
	lang_push( user_pref_get_language( $f_user_id ) );

	# One line per field that actually changed.
	$t_lines = array();
	if( strcmp( $f_username, $t_old_username ) ) {
		$t_lines[] = lang_get( 'username_label' ) . ' ' . $t_old_username . ' => ' . $f_username . "\n";
	}
	if( strcmp( $t_realname, $t_old_realname ) ) {
		$t_lines[] = lang_get( 'realname_label' ) . ' ' . $t_old_realname . ' => ' . $t_realname . "\n";
	}
	if( strcmp( $t_email, $t_old_email ) ) {
		$t_lines[] = lang_get( 'email_label' ) . ' ' . $t_old_email . ' => ' . $t_email . "\n";
	}
	if( strcmp( $f_access_level, $t_old_access_level ) ) {
		$t_old_access_string = get_enum_element( 'access_levels', $t_old_access_level );
		$t_new_access_string = get_enum_element( 'access_levels', $f_access_level );
		$t_lines[] = lang_get( 'access_level_label' ) . ' ' . $t_old_access_string . ' => ' . $t_new_access_string . "\n\n";
	}

	if( !empty( $t_lines ) ) {
		$t_changes = implode( '', $t_lines );
		$t_subject = '[' . config_get( 'window_title' ) . '] ' . lang_get( 'email_user_updated_subject' );
		$t_message = lang_get( 'email_user_updated_msg' ) . "\n\n"
			. config_get_global( 'path' ) . 'account_page.php' . "\n\n" . $t_changes;

		# NOTE(review): the notification is addressed to the *new* e-mail only.
		# When the address itself was changed, the previous owner of the account
		# learns nothing; sending a copy to $t_old_email as well would let them
		# notice an unauthorized change.
		if( null === email_store( $t_email, $t_subject, $t_message ) ) {
			log_event( LOG_EMAIL, 'Notification was NOT sent to ' . $f_username );
		} else {
			log_event( LOG_EMAIL, 'Account update notification sent to ' . $f_username . ' (' . $t_email . ')' );
			if( config_get( 'email_send_using_cronjob' ) == OFF ) {
				email_send_all();
			}
		}
	}

	lang_pop();
}

$t_redirect_url = 'manage_user_edit_page.php?user_id=' . $c_user_id;

# The form token is single-use; invalidate it now that the update is done.
form_security_purge( 'manage_user_update' );

layout_page_header( null, $t_result ? $t_redirect_url : null );
layout_page_begin( 'manage_overview_page.php' );

if( $t_keep_protected ) {
	# Tell the admin that the level / enabled changes were deliberately skipped.
	html_operation_warning( $t_redirect_url, lang_get( 'manage_user_protected_msg' ) );
} else if( $t_result ) {
	html_operation_successful( $t_redirect_url );
}

layout_page_end();