<?php
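// Refuse requests that hit this include directly; it is only meant to be
// pulled in by the top-level pages.  $PHP_SELF is only populated under
// register_globals, so $_SERVER['PHP_SELF'] is consulted first and the
// legacy global is kept as a fallback.  This path check is a courtesy only:
// the web server configuration should also deny access to the includes
// directory.
if ( preg_match ( "/\/includes\//",
  isset ( $_SERVER['PHP_SELF'] ) ? $_SERVER['PHP_SELF'] :
  ( isset ( $PHP_SELF ) ? $PHP_SELF : '' ) ) ) {
  die ( "You can't access this file directly!" );
}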

// This file contains all the functions for getting information
// about users.  So, if you want to use an authentication scheme
// other than the webcal_user table, you can just create a new
// version of each function found below.
//
// Note: this application assumes that usernames (logins) are unique.
//
// Note #2: If you are using HTTP-based authentication, then you still
// need these functions and you will still need to add users to
// webcal_user.

// Set some global config variables about your system.
// NOTE(review): these flags are presumably read by the admin/user pages to
// decide whether to offer password changes and user creation/deletion;
// confirm where they are consumed before changing them.
$user_can_update_password =
  $admin_can_add_user =
  $admin_can_delete_user = true;


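// Check to see if a given login/password is valid.  If invalid,
// the error message will be placed in $error.
// $login arrives from the login form, so it is escaped before it is
// placed in the query; the password itself never reaches the query, only
// its md5 does.
// params:
//   $login - user login
//   $password - user password
// returns: true or false
function user_valid_login ( $login, $password ) {
  global $error;
  $ret = false;

  // addslashes() is the portable stand-in for a driver-specific escape;
  // if the dbi layer provides one, prefer that.
  $qlogin = addslashes ( $login );
  // NOTE: cal_passwd holds an unsalted md5 of the password.  Changing the
  // hash would require migrating every stored row, so it is left as is.
  $sql = "SELECT cal_login FROM webcal_user WHERE " .
    "cal_login = '" . $qlogin . "' AND cal_passwd = '" . md5 ( $password ) . "'";
  $res = dbi_query ( $sql );
  if ( ! $res ) {
    $error = translate ( "Database error" ) . ": " . dbi_error ();
    return $ret;
  }

  $row = dbi_fetch_row ( $res );
  // MySQL seems to do case insensitive matching, so the exact login is
  // double-checked before the match is accepted.
  if ( $row && $row[0] != "" && $row[0] == $login ) {
    $ret = true; // found login/password
  } else {
    // Whether the user does not exist or the password is wrong, the same
    // message is reported so the login form does not reveal which logins
    // exist.  (A second lookup to tell the two cases apart used to run
    // here but produced the same message either way, so it was dropped.)
    $error = translate ( "Invalid login" );
  }
  dbi_free_result ( $res );

  return $ret;
}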

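// Check to see if a given login/crypted password is valid.  If invalid,
// the error message will be placed in $error.
// The presented value is expected to be crypt() output: its first two
// characters are the salt, and the stored cal_passwd value run through
// crypt() with that salt must reproduce the presented value exactly.
// params:
//   $login - user login
//   $crypt_password - crypted user password
// returns: true or false
function user_valid_crypt ( $login, $crypt_password ) {
  global $error;
  $ret = false;

  // Anything too short to carry a salt cannot be valid crypt() output,
  // so there is no point in touching the database for it.
  if ( strlen ( $crypt_password ) < 2 ) {
    $error = "Invalid login";
    return $ret;
  }
  $salt = substr ( $crypt_password, 0, 2 );

  // $login is untrusted, so escape it before it goes into the query.
  $sql = "SELECT cal_login, cal_passwd FROM webcal_user WHERE " .
    "cal_login = '" . addslashes ( $login ) . "'";
  $res = dbi_query ( $sql );
  if ( ! $res ) {
    // NOTE(review): unlike user_valid_login, this function does not pass
    // its messages through translate(); presumably it can run before the
    // translations are loaded -- confirm before changing.
    $error = "Database error: " . dbi_error ();
    return $ret;
  }

  $row = dbi_fetch_row ( $res );
  // MySQL seems to do case insensitive matching, so the exact login is
  // double-checked.  The hash comparison is strict (===) so PHP's loose
  // string/number juggling cannot make two different strings compare equal.
  if ( $row && $row[0] != "" && $row[0] == $login &&
    crypt ( $row[1], $salt ) === $crypt_password ) {
    $ret = true; // found login/password
  } else {
    $error = "Invalid login";
  }
  dbi_free_result ( $res );

  return $ret;
}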

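// Load info about a user (first name, last name, admin) and set
// globally, as $GLOBALS[$prefix . "login"], $GLOBALS[$prefix . "firstname"],
// "lastname", "is_admin", "email", "fullname" and "password".
// params:
//   $login - user login
//   $prefix - variable prefix to use
// returns: true unless the database query fails, in which case $error is
//   set and false is returned.  A login with no matching row still returns
//   true and leaves the $prefix variables untouched, so callers must not
//   assume they were reset.
function user_load_variables ( $login, $prefix ) {
  global $PUBLIC_ACCESS_FULLNAME, $NONUSER_PREFIX, $error;

  // Nonuser calendars are recognised by their login prefix and are
  // loaded by their own routine.
  if ( $NONUSER_PREFIX &&
    substr ( $login, 0, strlen ( $NONUSER_PREFIX ) ) == $NONUSER_PREFIX ) {
    nonuser_load_variables ( $login, $prefix );
    return true;
  }

  // The public pseudo-user has no row in webcal_user.
  if ( $login == "__public__" ) {
    $GLOBALS[$prefix . "login"] = $login;
    $GLOBALS[$prefix . "firstname"] = "";
    $GLOBALS[$prefix . "lastname"] = "";
    $GLOBALS[$prefix . "is_admin"] = "N";
    $GLOBALS[$prefix . "email"] = "";
    $GLOBALS[$prefix . "fullname"] = $PUBLIC_ACCESS_FULLNAME;
    $GLOBALS[$prefix . "password"] = "";
    return true;
  }

  // $login can originate from the request, so escape it before it is
  // placed in the query.  addslashes() is the portable stand-in for a
  // driver-specific escape.
  $sql =
    "SELECT cal_firstname, cal_lastname, cal_is_admin, cal_email, cal_passwd " .
    "FROM webcal_user WHERE cal_login = '" . addslashes ( $login ) . "'";
  $res = dbi_query ( $sql );
  if ( ! $res ) {
    // $error is declared global above; without that this assignment only
    // set a local and the caller never saw the message.
    $error = translate ( "Database error" ) . ": " . dbi_error ();
    return false;
  }
  if ( $row = dbi_fetch_row ( $res ) ) {
    $GLOBALS[$prefix . "login"] = $login;
    $GLOBALS[$prefix . "firstname"] = $row[0];
    $GLOBALS[$prefix . "lastname"] = $row[1];
    $GLOBALS[$prefix . "is_admin"] = $row[2];
    $GLOBALS[$prefix . "email"] = empty ( $row[3] ) ? "" : $row[3];
    // Fall back to the login when either name part is missing.
    if ( strlen ( $row[0] ) && strlen ( $row[1] ) )
      $GLOBALS[$prefix . "fullname"] = "$row[0] $row[1]";
    else
      $GLOBALS[$prefix . "fullname"] = $login;
    // This is the stored password hash from cal_passwd, not plain text.
    $GLOBALS[$prefix . "password"] = $row[4];
  }
  dbi_free_result ( $res );
  return true;
}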

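// Add a new user.
// Every free-text field is escaped before it is quoted into the INSERT;
// empty strings are stored as SQL NULL.
// params:
//   $user - user login
//   $password - user password (stored as an unsalted md5; an empty
//     password is stored as NULL, which can never match a password login)
//   $firstname - first name
//   $lastname - last name
//   $email - email address
//   $admin - is admin? ("Y" or "N"; anything but "Y" is treated as "N")
// returns: true on success, false with $error set otherwise
function user_add_user ( $user, $password, $firstname, $lastname, $email,
  $admin ) {
  global $error;

  // The public pseudo-user must never get a real row.
  if ( $user == "__public__" ) {
    $error = translate ( "Invalid user login" );
    return false;
  }

  // addslashes() is the portable stand-in for a driver-specific escape;
  // if the dbi layer provides one, prefer that.
  $uemail = strlen ( $email ) ?
    "'" . addslashes ( $email ) . "'" : "NULL";
  $ufirstname = strlen ( $firstname ) ?
    "'" . addslashes ( $firstname ) . "'" : "NULL";
  $ulastname = strlen ( $lastname ) ?
    "'" . addslashes ( $lastname ) . "'" : "NULL";
  // md5 output is hex, so it needs no escaping; see user_valid_login for
  // why the hash itself is not changed here.
  $upassword = strlen ( $password ) ?
    "'" . md5 ( $password ) . "'" : "NULL";
  if ( $admin != "Y" )
    $admin = "N";

  $sql = "INSERT INTO webcal_user " .
    "( cal_login, cal_lastname, cal_firstname, " .
    "cal_is_admin, cal_passwd, cal_email ) " .
    "VALUES ( '" . addslashes ( $user ) . "', $ulastname, $ufirstname, " .
    "'$admin', $upassword, $uemail )";
  if ( ! dbi_query ( $sql ) ) {
    $error = translate ( "Database error" ) . ": " . dbi_error ();
    return false;
  }
  return true;
}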

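// Update a user.
// Every free-text field is escaped before it is quoted into the UPDATE;
// empty strings are stored as SQL NULL.  The password is not touched here
// (see user_update_user_password).
// params:
//   $user - user login
//   $firstname - first name
//   $lastname - last name
//   $email - email address
//   $admin - is admin? ("Y" or "N"; anything but "Y" is treated as "N")
// returns: true on success, false with $error set otherwise
function user_update_user ( $user, $firstname, $lastname, $email, $admin ) {
  global $error;

  // The public pseudo-user has no row to update.
  if ( $user == "__public__" ) {
    $error = translate ( "Invalid user login" );
    return false;
  }

  // addslashes() is the portable stand-in for a driver-specific escape;
  // if the dbi layer provides one, prefer that.
  $uemail = strlen ( $email ) ?
    "'" . addslashes ( $email ) . "'" : "NULL";
  $ufirstname = strlen ( $firstname ) ?
    "'" . addslashes ( $firstname ) . "'" : "NULL";
  $ulastname = strlen ( $lastname ) ?
    "'" . addslashes ( $lastname ) . "'" : "NULL";
  if ( $admin != "Y" )
    $admin = "N";

  $sql = "UPDATE webcal_user SET cal_lastname = $ulastname, " .
    "cal_firstname = $ufirstname, cal_email = $uemail, " .
    "cal_is_admin = '$admin' WHERE cal_login = '" . addslashes ( $user ) . "'";
  if ( ! dbi_query ( $sql ) ) {
    $error = translate ( "Database error" ) . ": " . dbi_error ();
    return false;
  }
  return true;
}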

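// Update user password.
// params:
//   $user - user login
//   $password - new password (stored as an unsalted md5; see
//     user_valid_login for why the hash is not changed here)
// returns: true on success, false with $error set otherwise
function user_update_user_password ( $user, $password ) {
  global $error;

  // md5 output is hex and needs no escaping; $user does.
  $sql = "UPDATE webcal_user SET cal_passwd = '" . md5 ( $password ) . "' " .
    "WHERE cal_login = '" . addslashes ( $user ) . "'";
  if ( ! dbi_query ( $sql ) ) {
    $error = translate ( "Database error" ) . ": " . dbi_error ();
    return false;
  }
  return true;
}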

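// Delete a user from the system.
// We assume that we've already checked to make sure this user doesn't
// have events still in the database.
// NOTE(review): despite that assumption, the body below does remove the
// events that only this user participates in, so the check may be a
// leftover -- confirm with the callers.
// The individual DELETEs are issued one after another with their return
// values ignored and without a transaction, so a failure part-way leaves
// the remaining rows in place.
// params:
//   $user - user to delete
function user_delete_user ( $user ) {
  // $user is used in every statement below, so escape it once up front.
  $quser = addslashes ( $user );

  // Get event ids for all events this user is a participant
  $events = array ();
  $res = dbi_query ( "SELECT webcal_entry.cal_id " .
    "FROM webcal_entry, webcal_entry_user " .
    "WHERE webcal_entry.cal_id = webcal_entry_user.cal_id " .
    "AND webcal_entry_user.cal_login = '$quser'" );
  if ( $res ) {
    while ( $row = dbi_fetch_row ( $res ) ) {
      $events[] = $row[0];
    }
    dbi_free_result ( $res );
  }

  // Now count number of participants in each event...
  // If just 1, then save id to be deleted.  The ids come from the
  // database, not from the caller, so they go into the query unquoted.
  $delete_em = array ();
  foreach ( $events as $event_id ) {
    $res = dbi_query ( "SELECT COUNT(*) FROM webcal_entry_user " .
      "WHERE cal_id = " . $event_id );
    if ( $res ) {
      if ( $row = dbi_fetch_row ( $res ) ) {
        if ( $row[0] == 1 )
          $delete_em[] = $event_id;
      }
      dbi_free_result ( $res );
    }
  }
  // Now delete events that were just for this user
  foreach ( $delete_em as $event_id ) {
    dbi_query ( "DELETE FROM webcal_entry WHERE cal_id = " . $event_id );
  }

  // Delete user participation from events
  dbi_query ( "DELETE FROM webcal_entry_user WHERE cal_login = '$quser'" );

  // Delete preferences
  dbi_query ( "DELETE FROM webcal_user_pref WHERE cal_login = '$quser'" );

  // Delete from groups
  dbi_query ( "DELETE FROM webcal_group_user WHERE cal_login = '$quser'" );

  // Delete bosses & assistants
  dbi_query ( "DELETE FROM webcal_asst WHERE cal_boss = '$quser'" );
  dbi_query ( "DELETE FROM webcal_asst WHERE cal_assistant = '$quser'" );

  // Delete user's views, and the per-user rows that hang off each view
  $delete_em = array ();
  $res = dbi_query ( "SELECT cal_view_id FROM webcal_view " .
    "WHERE cal_owner = '$quser'" );
  if ( $res ) {
    while ( $row = dbi_fetch_row ( $res ) ) {
      $delete_em[] = $row[0];
    }
    dbi_free_result ( $res );
  }
  foreach ( $delete_em as $view_id ) {
    dbi_query ( "DELETE FROM webcal_view_user WHERE cal_view_id = " .
      $view_id );
  }
  dbi_query ( "DELETE FROM webcal_view WHERE cal_owner = '$quser'" );

  // Delete layers
  dbi_query ( "DELETE FROM webcal_user_layers WHERE cal_login = '$quser'" );

  // Delete any layers other users may have that point to this user.
  dbi_query ( "DELETE FROM webcal_user_layers WHERE cal_layeruser = '$quser'" );

  // Delete user
  dbi_query ( "DELETE FROM webcal_user WHERE cal_login = '$quser'" );
}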

// Get a list of users and return info in an array.
// returns: a numerically indexed array of associative arrays, each with
//   the keys cal_login, cal_lastname, cal_firstname, cal_is_admin,
//   cal_email, cal_password and cal_fullname, ordered by last name, first
//   name, login.  When public access is enabled the "__public__"
//   pseudo-user is the first entry.  cal_password carries the stored
//   hash straight from cal_passwd, so callers should take care not to
//   render it.  A failed query yields whatever was collected so far.
function user_get_users () {
  global $public_access, $PUBLIC_ACCESS_FULLNAME;

  $users = array ();
  if ( $public_access == "Y" ) {
    $users[] = array (
      "cal_login" => "__public__",
      "cal_lastname" => "",
      "cal_firstname" => "",
      "cal_is_admin" => "N",
      "cal_email" => "",
      "cal_password" => "",
      "cal_fullname" => $PUBLIC_ACCESS_FULLNAME );
  }

  $res = dbi_query ( "SELECT cal_login, cal_lastname, cal_firstname, " .
    "cal_is_admin, cal_email, cal_passwd FROM webcal_user " .
    "ORDER BY cal_lastname, cal_firstname, cal_login" );
  if ( ! $res )
    return $users;

  while ( $row = dbi_fetch_row ( $res ) ) {
    list ( $login, $lastname, $firstname, $is_admin, $email, $passwd ) = $row;
    // Fall back to the login when either name part is missing.
    $fullname = ( strlen ( $lastname ) && strlen ( $firstname ) ) ?
      "$firstname $lastname" : $login;
    $users[] = array (
      "cal_login" => $login,
      "cal_lastname" => $lastname,
      "cal_firstname" => $firstname,
      "cal_is_admin" => $is_admin,
      "cal_email" => empty ( $email ) ? "" : $email,
      "cal_password" => $passwd,
      "cal_fullname" => $fullname
    );
  }
  dbi_free_result ( $res );
  return $users;
}
?>