File: users.ctrl.php
<?php
/**
 * This file implements the UI controller for settings management.
 *
 * This file is part of the evoCore framework - {@link http://evocore.net/}
 * See also {@link http://sourceforge.net/projects/evocms/}.
 *
 * @copyright (c)2003-2011 by Francois Planque - {@link http://fplanque.com/}
 * Parts of this file are copyright (c)2004-2006 by Daniel HAHLER - {@link http://thequod.de/contact}.
 *
 * {@internal License choice
 * - If you have received this file as part of a package, please find the license.txt file in
 *   the same folder or the closest folder above for complete license terms.
 * - If you have received this file individually (e-g: from http://evocms.cvs.sourceforge.net/)
 *   then you must choose one of the following licenses before using the file:
 *   - GNU General Public License 2 (GPL) - http://www.opensource.org/licenses/gpl-license.php
 *   - Mozilla Public License 1.1 (MPL) - http://www.opensource.org/licenses/mozilla1.1.php
 * }}
 *
 * {@internal Open Source relicensing agreement:
 * Daniel HAHLER grants Francois PLANQUE the right to license
 * Daniel HAHLER's contributions to this file and the b2evolution project
 * under any OSI approved OSS license (http://www.opensource.org/licenses/).
 * }}
 *
 * @package admin
 *
 * {@internal Below is a list of authors who have contributed to design/coding of this file: }}
 * @author fplanque: Francois PLANQUE
 * @author blueyed: Daniel HAHLER
 *
 * @todo separate object inits and permission checks
 *
 * @version $Id: users.ctrl.php 1231 2012-04-17 05:42:06Z attila $
 *
 * Request flow of this controller, top to bottom:
 *  1. read request params (user_ID, action);
 *  2. coarse permission gate: users without the 'users'/'view' permission are pinned to their own profile;
 *  3. load the edited User (if a user_ID was given) and apply the fine-grained edit / demo-mode checks;
 *  4. perform the requested action (only when no error message has been queued so far);
 *  5. render the page: head, body top, payload for the (possibly rewritten) $action, footer.
 * Several branches call header_redirect(), which does not return; everything after such a call
 * in the same branch is unreachable by design.
 */
if( !defined('EVO_MAIN_INIT') ) die( 'Please, do not access this page directly.' );

/**
 * @var AdminUI_general
 */
global $AdminUI;

// param() appears to define a global of the same name as its first argument ($user_ID is read below
// without any other assignment). NULL default: no user selected.
param( 'user_ID', 'integer', NULL ); // Note: should NOT be memorized (would kill navigation/sorting) use memorize_param() if needed
// Default action when none is requested.
param_action( 'list' );

$AdminUI->set_path( 'users', 'users' );

if( !$current_User->check_perm( 'users', 'view' ) )
{ // User has no permissions to view: he can only edit his profile
	if( isset($user_ID) && $user_ID != $current_User->ID )
	{ // User is trying to edit something he should not: add error message (Should be prevented by UI)
		$Messages->add( T_('You have no permission to view other users!'), 'error' );
	}
	// Make sure the user only edits himself:
	// (overwrites whatever user_ID the request carried, so the rest of this file only ever sees the caller's own ID)
	$user_ID = $current_User->ID;
	if( !in_array( $action, array( 'update', 'edit', 'default_settings' ) ) )
	{
		// Any other action is bounced to the single-user controller (ctrl=user, not this ctrl=users).
		// NOTE(review): 'update' and 'default_settings' are not handled in this file; presumably ctrl=user handles them.
		header_redirect( regenerate_url( 'ctrl,action', 'ctrl=user&action=edit&user_ID='.$user_ID ) );
	}
}

/*
 * Load editable objects and set $action (while checking permissions)
 */
$UserCache = & get_UserCache();

if( ! is_null($user_ID) )
{ // User selected
	// Second argument false: a cache miss yields false instead of halting (inferred from the === false test).
	if( ($edited_User = & $UserCache->get_by_ID( $user_ID, false )) === false )
	{ // We could not find the User to edit:
		unset( $edited_User );
		forget_param( 'user_ID' );
		$Messages->add( sprintf( T_('Requested «%s» object does not exist any longer.'), T_('User') ), 'error' );
		// Forcing 'list' also skips the edit-permission block below, which would dereference $edited_User.
		$action = 'list';
	}
	elseif( $action == 'list' )
	{ // 'list' is default, $user_ID given
		if( $user_ID == $current_User->ID || $current_User->check_perm( 'users', 'edit' ) )
		{
			$action = 'edit';
		}
		else
		{
			$action = 'view';
		}
		header_redirect( regenerate_url( 'ctrl,action', 'ctrl=user&action='.$action.'&user_ID='.$user_ID, '', '&' ) );
	}

	if( $action != 'list' )
	{ // check edit permissions
		// This is the authorization point for every mutating action below (promote, delete, settings sets)
		// whenever a user_ID is present: only 'users'/'edit' holders or the profile owner get past it.
		if( ! $current_User->check_perm( 'users', 'edit' ) && $edited_User->ID != $current_User->ID )
		{ // user is only allowed to _view_ other user's profiles
			$Messages->add( T_('You have no permission to edit other users!'), 'error' );
			header_redirect( regenerate_url( 'ctrl,action', 'ctrl=user&action=view&user_ID='.$user_ID ) );
		}
		elseif( $demo_mode && $edited_User->ID <= 3 )
		{ // Demo mode restrictions: users created by install process cannot be edited
			$Messages->add( T_('You cannot edit the admin and demo users profile in demo mode!'), 'error' );
			// NOTE(review): the prefix 'delete_' does not match the 'delete' action handled below; a demo-mode
			// delete request therefore takes the else branch and is redirected to the view page, which still
			// prevents the deletion (the action block is also skipped because an error message is queued).
			if( strpos( $action, 'delete_' ) === 0 || $action == 'promote' )
			{ // Fallback to list/view action
				$action = 'list';
			}
			else
			{
				header_redirect( regenerate_url( 'ctrl,action', 'ctrl=user&action=view&user_ID='.$user_ID ) );
			}
		}
	}
}

/*
 * Perform actions, if there were no errors:
 */
if( !$Messages->has_errors() )
{ // no errors
	switch( $action )
	{
		case 'change_admin_skin':
			// Skin switch from menu
			param( 'new_admin_skin', 'string', true );
			param( 'redirect_to', 'string', '' );
			// NOTE(review): the skin name is stored as received; no validation against the installed skins is
			// visible in this file — confirm that the code loading 'admin_skin' validates it before using it as a path.
			$UserSettings->set( 'admin_skin', $new_admin_skin );
			$UserSettings->dbupdate();
			$Messages->add( sprintf( T_('Admin skin changed to «%s»'), $new_admin_skin ), 'success' );
			// Called without arguments; presumably picks up the $redirect_to global read above — TODO confirm.
			header_redirect(); /* EXITED */
			break;

		case 'promote':
			// Raise or lower the edited user's level by one. Reached only with a user_ID, after the
			// edit-permission block above (without a user_ID $edited_User is unset and the request is rejected here).
			// NOTE(review): unlike 'delete', this state change is not preceded by $Session->assert_received_crumb();
			// if the list view's promote links carry a crumb, adding the same check here would close the gap — confirm.
			param( 'prom', 'string', true );
			if( !isset($edited_User)
				|| ! in_array( $prom, array('up', 'down') )
				|| ( $prom == 'up' && $edited_User->get('level') > 9 )
				|| ( $prom == 'down' && $edited_User->get('level') < 1 ) )
			{ // Levels are kept within 0..10 by the two bound checks.
				$Messages->add( T_('Invalid promotion.'), 'error' );
			}
			else
			{
				// The only request-derived operand ($prom) was whitelisted to 'up'/'down' above; the user_ID
				// comes from the cached User object, not from the raw request.
				$sql = ' UPDATE T_users SET user_level = user_level '.( $prom == 'up' ? '+' : '-' ).' 1 WHERE user_ID = '.$edited_User->ID;
				if( $DB->query( $sql ) )
				{
					$Messages->add( T_('User level changed.'), 'success' );
				}
				else
				{ // Not translated in the original.
					$Messages->add( sprintf( 'Couldn\'t change %s\'s level.', $edited_User->login ), 'error' );
				}
			}
			break;

		case 'delete':
			/*
			 * Delete user
			 */
			// Check that this action request is not a CSRF hacked request:
			$Session->assert_received_crumb( 'user' );

			// Without a user_ID there is nothing to delete; debug_die() aborts the request.
			if( !isset($edited_User) ) debug_die( 'no User set' );

			if( $edited_User->ID == $current_User->ID )
			{
				$Messages->add( T_('You can\'t delete yourself!'), 'error' );
				$action = 'view';
				break;
			}
			if( $edited_User->ID == 1 )
			{
				$Messages->add( T_('You can\'t delete User #1!'), 'error' );
				$action = 'view';
				break;
			}

			$fullname = $edited_User->dget( 'fullname' );
			if( param( 'confirm', 'integer', 0 ) )
			{ // confirmed, Delete from DB:
				if ( ! empty( $fullname ) )
				{
					$msg = sprintf( T_('User «%s» [%s] deleted.'), $fullname, $edited_User->dget( 'login' ) );
				}
				else
				{
					$msg = sprintf( T_('User «%s» deleted.'), $edited_User->dget( 'login' ) );
				}
				$edited_User->dbdelete( $Messages );
				unset($edited_User);
				forget_param('user_ID');
				$Messages->add( $msg, 'success' );
				$action = 'list';
				// Redirect so that a reload doesn't write to the DB twice:
				header_redirect( '?ctrl=users', 303 ); // Will EXIT
				// We have EXITed already at this point!!
			}
			else
			{ // not confirmed, Check for restrictions:
				memorize_param( 'user_ID', 'integer', true );
				if ( ! empty( $fullname ) )
				{
					$msg = sprintf( T_('Cannot delete User «%s» [%s]'), $fullname, $edited_User->dget( 'login' ) );
				}
				else
				{
					$msg = sprintf( T_('Cannot delete User «%s»'), $edited_User->dget( 'login' ) );
				}
				// check_delete() presumably queues $msg plus the blocking reasons and returns false when
				// the user cannot be deleted — TODO confirm. When it returns true, $action stays 'delete'
				// and the display switch below shows the confirmation form.
				if( ! $edited_User->check_delete( $msg ) )
				{ // There are restrictions:
					$action = 'view';
				}
			}
			break;

		case 'del_settings_set':
			// Delete a set of an array type setting:
			// NOTE(review): when no user_ID is given this path is reached with only the 'users'/'view' permission
			// checked above; that is acceptable only if 'UserSettings' here always means the current user's own
			// plugin settings — confirm against _set_setting_by_path().
			param( 'plugin_ID', 'integer', true );
			param( 'set_path' );

			$admin_Plugins = & get_Plugins_admin();
			$admin_Plugins->restart();
			$edit_Plugin = & $admin_Plugins->get_by_ID($plugin_ID);

			load_funcs('plugins/_plugin.funcs.php');
			// NULL value: removes the set at $set_path (inferred from the case comment).
			_set_setting_by_path( $edit_Plugin, 'UserSettings', $set_path, NULL );

			$edit_Plugin->Settings->dbupdate();

			$action = 'edit';
			break;

		case 'add_settings_set':
			// delegates to edit_settings
			// Add a new set to an array type setting:
			// Same permission remark as for 'del_settings_set' above.
			param( 'plugin_ID', 'integer', true );
			param( 'set_path', 'string', '' );

			$admin_Plugins = & get_Plugins_admin();
			$admin_Plugins->restart();
			$edit_Plugin = & $admin_Plugins->get_by_ID($plugin_ID);

			load_funcs('plugins/_plugin.funcs.php');
			// Empty array: creates a new, empty set at $set_path.
			_set_setting_by_path( $edit_Plugin, 'UserSettings', $set_path, array() );

			$edit_Plugin->Settings->dbupdate();

			$action = 'edit';
			break;
	}
}

// We might delegate to this action from above:
/*if( $action == 'edit' )
{
	$Plugins->trigger_event( 'PluginUserSettingsEditAction', $tmp_params = array( 'User' => & $edited_User ) );

	$Session->delete( 'core.changepwd.request_id' ); // delete the request_id for password change request (from /htsrv/login.php)
}*/

$AdminUI->breadcrumbpath_init( false ); // fp> I'm playing with the idea of keeping the current blog in the path here...
$AdminUI->breadcrumbpath_add( T_('Users'), '?ctrl=users' );

// Display <html><head>...</head> section! (Note: should be done early if actions do not redirect)
$AdminUI->disp_html_head();

// Display title, menu, messages, etc. (Note: messages MUST be displayed AFTER the actions)
$AdminUI->disp_body_top();

/*
 * Display appropriate payload:
 */
switch( $action )
{
	case 'nil':
		// Display NO payload!
		break;

	case 'delete':
		// Unconfirmed deletion with no restrictions: ask the user to confirm.
		// Relies on $edited_User being set; the debug_die() in the action block above is the guard for that.
		$AdminUI->disp_payload_begin();
		// We need to ask for confirmation:
		$fullname = $edited_User->dget( 'fullname' );
		if ( ! empty( $fullname ) )
		{
			$msg = sprintf( T_('Delete user «%s» [%s]?'), $fullname, $edited_User->dget( 'login' ) );
		}
		else
		{
			$msg = sprintf( T_('Delete user «%s»?'), $edited_User->dget( 'login' ) );
		}
		// 'user' is the crumb name the confirmed request must present to assert_received_crumb() above.
		$edited_User->confirm_delete( $msg, 'user', $action, get_memorized( 'action' ) );

		// Display user identity form:
		$AdminUI->disp_view( 'users/views/_user_identity.form.php' );
		$AdminUI->disp_payload_end();
		break;

	case 'promote':
	default:
		// Display user list:
		// NOTE: we don't want this (potentially very long) list to be displayed again and again)
		$AdminUI->disp_payload_begin();
		$AdminUI->disp_view( 'users/views/_user_list.view.php' );
		$AdminUI->disp_payload_end();
}

// Display body bottom, debug info and close </html>:
$AdminUI->disp_global_footer();

/*
 * $Log: users.ctrl.php,v $
 */
?>