File: edit_user_handler.php
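<?php /* $Id: edit_user_handler.php,v 2008/04/25 15:14:19 umcesrjones Exp $ */
/*
 * Handles the POST from the user add / edit / delete / set-password forms.
 *
 * There is the potential for a lot of mischief from users trying to access this
 * file in ways they shouldn't. Users may try to type in a URL to get around
 * functions that are not being displayed on the web page to them, so every
 * branch below re-checks authorization on the server side instead of trusting
 * whatever form was rendered.
 *
 * Globals read (presumably populated by includes/init.php -- confirm there):
 *   $is_admin, $login, $admin_can_add_user, $admin_can_delete_user,
 *   $user_can_update_password.
 * Output: the result of error_check() is echoed; on failure $error carries
 * the message to show.
 */
include_once 'includes/init.php';
load_user_layers ();

$delete     = getPostValue ( 'delete' );
$formtype   = getPostValue ( 'formtype' );
$add        = getPostValue ( 'add' );
$user       = getPostValue ( 'user' );
$ufirstname = getPostValue ( 'ufirstname' );
$ulastname  = getPostValue ( 'ulastname' );
$uemail     = getPostValue ( 'uemail' );
$upassword1 = getPostValue ( 'upassword1' );
$upassword2 = getPostValue ( 'upassword2' );
$uis_admin  = getPostValue ( 'uis_admin' );
$uenabled   = getPostValue ( 'uenabled' );
$error = '';

// A non-admin may only ever act on their own account, whatever 'user' says.
if ( ! $is_admin )
  $user = $login;

$deleteStr       = translate ( 'Deleting users not supported.' );
$notIdenticalStr = translate ( 'The passwords were not identical.' );
$noPasswordStr   = translate ( 'You have not entered a password.' );
$blankUserStr    = translate ( 'Username cannot be blank.' );

// Don't let them edit users if they're not authorized.
// Every redirect is followed by exit so that processing cannot continue
// into the handlers below even if send_to_preferred_view() does not exit
// by itself.
if ( empty ( $user ) ) {
  // Asking to create a new user. Must be admin (or hold user management)...
  if ( ! $is_admin && ! access_can_access_function ( ACCESS_USER_MANAGEMENT ) ) {
    send_to_preferred_view ();
    exit;
  }
  // ...and adding users must be allowed at all.
  if ( ! $admin_can_add_user ) {
    send_to_preferred_view ();
    exit;
  }
} else {
  // User is editing their account info.
  if ( ! access_can_access_function ( ACCESS_ACCOUNT_INFO ) ) {
    send_to_preferred_view ();
    exit;
  }
}

// Name used in the activity log for add / update, e.g. "First Last <mail>".
$logName = "$ufirstname $ulastname" . ( empty ( $uemail ) ? '' : " <$uemail>" );

if ( ! empty ( $delete ) && $formtype === 'edituser' ) {
  // Handle delete.
  if ( ! access_can_access_function ( ACCESS_USER_MANAGEMENT ) )
    $error = print_not_auth ( 15 );
  else if ( ! $admin_can_delete_user )
    $error = $deleteStr;
  else {
    user_delete_user ( $user ); // Will also delete user's events.
    activity_log ( 0, $login, $user, LOG_USER_DELETE, '' );
  }
} else if ( $formtype === 'setpassword' && strlen ( (string) $user ) > 0 ) {
  // Handle update of password.
  if ( ! access_can_access_function ( ACCESS_USER_MANAGEMENT )
    && ! access_can_access_function ( ACCESS_ACCOUNT_INFO ) )
    $error = print_not_auth ( 17 );
  else if ( $upassword1 !== $upassword2 )
    $error = $notIdenticalStr;
  else if ( strlen ( (string) $upassword1 ) === 0 )
    $error = $noPasswordStr;
  else if ( ! $user_can_update_password )
    $error = print_not_auth ( 18 );
  else {
    user_update_user_password ( $user, $upassword1 );
    activity_log ( 0, $login, $user, LOG_USER_UPDATE, translate ( 'Set Password' ) );
  }
} else if ( $formtype === 'edituser' ) {
  // Handle update of user info.
  if ( ! empty ( $add ) && $is_admin ) {
    // Admin creating a new user.
    if ( $upassword1 !== $upassword2 )
      $error = $notIdenticalStr;
    else if ( empty ( $user ) )
      // Username cannot be blank. This is currently the only place
      // that calls addUser that is located in $user_inc.
      $error = $blankUserStr;
    else if ( addslashes ( $user ) !== $user )
      // This error should get caught before here anyhow,
      // so no need to translate this. This is just in case. :-)
      $error = 'Invalid characters in login.';
    else if ( strlen ( (string) $upassword1 ) === 0 )
      // Never create an account with an empty password; mirrors the
      // check made on the set-password path above.
      $error = $noPasswordStr;
    else {
      // Was passing the undefined $u_enabled here, so the 'uenabled'
      // form value never reached user_add_user().
      user_add_user ( $user, $upassword1, $ufirstname, $ulastname, $uemail,
        $uis_admin, $uenabled );
      activity_log ( 0, $login, $user, LOG_USER_ADD, $logName );
    }
  } else if ( ! empty ( $add )
    && ! access_can_access_function ( ACCESS_USER_MANAGEMENT ) ) {
    $error = print_not_auth ( 15 );
  } else {
    // Don't allow a user to change themself to an admin by setting
    // uis_admin in the URL by hand. They must be admin beforehand.
    // ($user was already forced to $login above for non-admins, so a
    // non-admin can only update their own record here.)
    if ( ! $is_admin )
      $uis_admin = 'N';
    user_update_user ( $user, $ufirstname, $ulastname, $uemail, $uis_admin,
      $uenabled );
    activity_log ( 0, $login, $user, LOG_USER_UPDATE, $logName );
  }
}

echo error_check ( 'users.php', false );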