1<?php
2// +-----------------------------------------------------------------------+
3// | PhpWebGallery - a PHP based picture gallery                           |
4// | Copyright (C) 2002-2003 Pierrick LE GALL - pierrick@phpwebgallery.net |
5// | Copyright (C) 2003-2005 PhpWebGallery Team - http://phpwebgallery.net |
6// +-----------------------------------------------------------------------+
7// | branch        : BSF (Best So Far)
8// | file          : $RCSfile$
9// | last update   : $Date: 2005-01-08 11:23:52 +0000 (Sat, 08 Jan 2005) $
10// | last modifier : $Author: plg $
11// | revision      : $Revision: 680 $
12// +-----------------------------------------------------------------------+
13// | This program is free software; you can redistribute it and/or modify  |
14// | it under the terms of the GNU General Public License as published by  |
15// | the Free Software Foundation                                          |
16// |                                                                       |
17// | This program is distributed in the hope that it will be useful, but   |
18// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
19// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
20// | General Public License for more details.                              |
21// |                                                                       |
22// | You should have received a copy of the GNU General Public License     |
23// | along with this program; if not, write to the Free Software           |
24// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
25// | USA.                                                                  |
26// +-----------------------------------------------------------------------+
27
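/**
 * Checks that a mail address has the expected shape: a local part and a
 * domain made of word characters, "-" and dot separated labels, followed by
 * a lower-case alphabetic top-level domain (the pattern carries no "i"
 * modifier, so "USER@EXAMPLE.COM" is rejected while "USER@EXAMPLE.com" is
 * accepted).
 *
 * An empty address is accepted: register_user() and update_user() treat it
 * as "no mail address".
 *
 * @param string $mail_address address to check; null is treated as empty
 * @return string '' when the address is acceptable, otherwise the
 *                translated message $lang['reg_err_mail_address']
 */
function validate_mail_address( $mail_address )
{
  global $lang;

  if ($mail_address === null || $mail_address === '')
  {
    return '';
  }

  $regex = '/^[\w-]+(\.[\w-]+)*@[\w-]+(\.[\w-]+)*\.[a-z]+$/';
  if (!preg_match($regex, $mail_address))
  {
    return $lang['reg_err_mail_address'];
  }

  // always hand back a string so that callers can compare with '' safely
  // (the former version returned nothing at all on success)
  return '';
}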
47
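/**
 * Validates registration data and, when everything is acceptable, inserts
 * the new row in USERS_TABLE.
 *
 * The login must not be empty, must not start or end with a space, must not
 * contain ' or ", and must not already be used. The password must equal its
 * confirmation and the mail address must pass validate_mail_address().
 * Defaults for the remaining columns come from the global $conf.
 *
 * @param string $login
 * @param string $password      stored as md5($password), see the note below
 * @param string $password_conf
 * @param string $mail_address  may be '' (column left unset)
 * @param string $status        user status, 'guest' by default
 * @return array list of translated error messages; empty when the user was
 *               created
 */
function register_user($login, $password, $password_conf,
                       $mail_address, $status = 'guest')
{
  global $lang, $conf;

  $errors = array();
  $login = (string) $login;

  // login must not
  //      1. be empty
  //      2. start or end with a space character
  //      3. include ' or " characters
  //      4. be already used
  if ($login === '')
  {
    $errors[] = $lang['reg_err_login1'];
  }
  // preg_match() replaces ereg(), which no longer exists in PHP 7+; the D
  // modifier keeps "$" at the very end of the string, as ereg's "$" was
  if (preg_match('/ $/D', $login))
  {
    $errors[] = $lang['reg_err_login2'];
  }
  if (preg_match('/^ /', $login))
  {
    $errors[] = $lang['reg_err_login3'];
  }

  if (preg_match('/[\'"]/', $login))
  {
    $errors[] = $lang['reg_err_login4'];
  }
  else
  {
    // the quote check above says nothing about backslashes, which MySQL
    // interprets inside a string literal: escape the value anyway
    $query = '
SELECT id
  FROM '.USERS_TABLE.'
  WHERE username = \''.addslashes($login).'\'
;';
    $result = pwg_query($query);
    if (mysql_num_rows($result) > 0)
    {
      $errors[] = $lang['reg_err_login5'];
    }
  }

  // given password must be the same as the confirmation; the comparison is
  // strict because != treats numeric strings such as '0e1' and '0e2' as equal
  if ($password !== $password_conf)
  {
    $errors[] = $lang['reg_err_pass'];
  }

  $error_mail_address = validate_mail_address($mail_address);
  if ($error_mail_address != '')
  {
    $errors[] = $error_mail_address;
  }

  // if no error until here, registration of the user
  if (count($errors) == 0)
  {
    $insert = array();
    $insert['username'] = $login;
    // NOTE(review): md5 is not a password hash. The code that verifies this
    // value at login time is outside this file, so the storage format can
    // only be changed together with it.
    $insert['password'] = md5($password);
    $insert['status'] = $status;
    $insert['template'] = $conf['default_template'];
    $insert['nb_image_line'] = $conf['nb_image_line'];
    $insert['nb_line_page'] = $conf['nb_line_page'];
    $insert['language'] = $conf['default_language'];
    $insert['recent_period'] = $conf['recent_period'];
    $insert['expand'] = boolean_to_string($conf['auto_expand']);
    $insert['show_nb_comments'] = boolean_to_string($conf['show_nb_comments']);
    if ( $mail_address != '' )
    {
      $insert['mail_address'] = $mail_address;
    }
    if ($conf['default_maxwidth'] != '')
    {
      $insert['maxwidth'] = $conf['default_maxwidth'];
    }
    if ($conf['default_maxheight'] != '')
    {
      $insert['maxheight'] = $conf['default_maxheight'];
    }

    // build "(col1,col2,...) VALUES ('v1','v2',...)"; every value is quoted
    // and escaped so that a quote or backslash cannot break the literal
    $values = array();
    foreach ($insert as $value)
    {
      $values[] = "'".addslashes($value)."'";
    }
    $query = '
INSERT INTO '.USERS_TABLE.'
  ('.implode(',', array_keys($insert)).')
  VALUES
  ('.implode(',', $values).')
;';
    pwg_query($query);
  }
  return $errors;
}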
149
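/**
 * Updates status, mail address and optionally the password of a user.
 *
 * Nothing is written when validate_mail_address() rejects the mail
 * address. An empty mail address is stored as NULL.
 *
 * @param int    $user_id          id of the row to update (cast to int)
 * @param string $mail_address
 * @param string $status
 * @param bool   $use_new_password when true the password column is set to
 *                                 md5($password)
 * @param string $password
 * @return array list of error messages; empty when the row was updated
 */
function update_user( $user_id, $mail_address, $status,
                      $use_new_password = false, $password = '' )
{
  $error = array();

  $error_mail_address = validate_mail_address( $mail_address );
  if ( $error_mail_address != '' )
  {
    $error[] = $error_mail_address;
  }

  if ( count( $error ) == 0 )
  {
    $query = 'UPDATE '.USERS_TABLE;
    // status and mail address are string literals in the query: escape them
    $query.= " SET status = '".addslashes( $status )."'";
    if ( $use_new_password )
    {
      // NOTE(review): md5 is not a password hash. The verifying side is
      // outside this file, so the format can only change together with it.
      $query.= ", password = '".md5( $password )."'";
    }
    $query.= ', mail_address = ';
    if ( $mail_address != '' )
    {
      $query.= "'".addslashes( $mail_address )."'";
    }
    else
    {
      $query.= 'NULL';
    }
    // the id is placed unquoted in the query: the cast keeps anything that
    // is not an integer out of it
    $query.= ' WHERE id = '.(int) $user_id;
    $query.= ';';
    pwg_query( $query );
  }
  return $error;
}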
185
/**
 * Stops the page when the current user may not see it.
 *
 * A guest is only let through when $guest_allowed is true. When the gallery
 * is locked ($conf['gallery_locked']) the locked message is printed and only
 * a user whose status is 'admin' may continue.
 *
 * @param bool $guest_allowed
 * @return void exit() is called when access is denied
 */
function check_login_authorization($guest_allowed = true)
{
  global $user,$lang,$conf,$template;

  $is_guest = $user['is_the_guest'];
  if (!$guest_allowed and $is_guest)
  {
    $message = '<div style="text-align:center;">'.$lang['only_members'].'<br />';
    $message.= '<a href="./identification.php">'.$lang['ident_title'].'</a></div>';
    echo $message;
    exit();
  }

  if (!$conf['gallery_locked'])
  {
    return;
  }

  echo '<div style="text-align:center;">'.$lang['gallery_locked_message'].'</div>';
  if ($user['status'] != 'admin')
  {
    exit();
  }
}
208
/**
 * Builds the Template object for the given style, looked up in the
 * "template/" directory under PHPWG_ROOT_PATH.
 *
 * @param string $style name of the template directory
 * @return Template
 */
function setup_style($style)
{
  $template_dir = PHPWG_ROOT_PATH.'template/'.$style;
  return new Template($template_dir);
}
213
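/**
 * Fetches the USERS_TABLE row of a user, by id when $user is an integer and
 * by username otherwise. The anonymous user (id ANONYMOUS) is never
 * returned.
 *
 * @param int|string $user id or username
 * @return array|false the row as returned by mysql_fetch_array(), or false
 *                     when no matching user exists
 */
function getuserdata($user)
{
  if (is_integer($user))
  {
    $condition = 'id = '.$user;
  }
  else
  {
    // escape the whole value: the former str_replace("\'", "''", ...) only
    // rewrote an already backslash-escaped quote and left a bare ' in the
    // query untouched
    $condition = "username = '".addslashes($user)."'";
  }

  $query = 'SELECT * FROM '.USERS_TABLE;
  $query.= ' WHERE '.$condition.' AND id <> '.ANONYMOUS;

  $result = pwg_query($query);
  $row = mysql_fetch_array($result);
  return $row ? $row : false;
}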
222
/**
 * Removes from the favorites of the current user every image that belongs
 * to one of his forbidden categories ($user['forbidden_categories'], a comma
 * separated list of category ids as produced by calculate_permissions()).
 *
 * @return void
 */
function check_user_favorites()
{
  global $user;

  $forbidden = $user['forbidden_categories'];
  if ($forbidden == '')
  {
    return;
  }

  // images the user marked as favorite but is not allowed to see
  $query = '
SELECT f.image_id
  FROM '.FAVORITES_TABLE.' AS f INNER JOIN '.IMAGE_CATEGORY_TABLE.' AS ic
    ON f.image_id = ic.image_id
  WHERE f.user_id = '.$user['id'].'
    AND ic.category_id IN ('.$forbidden.')
;';
  $result = pwg_query($query);

  $image_ids = array();
  while ($row = mysql_fetch_array($result))
  {
    $image_ids[] = $row['image_id'];
  }

  if (count($image_ids) == 0)
  {
    return;
  }

  $query = '
DELETE FROM '.FAVORITES_TABLE.'
  WHERE image_id IN ('.implode(',', $image_ids).')
    AND user_id = '.$user['id'].'
;';
  pwg_query($query);
}
261
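/**
 * Recomputes the USER_FORBIDDEN_TABLE row of a user.
 *
 * The table holds calculated data: the private categories (plus, for a user
 * whose status is not 'admin', the locked categories where visible =
 * 'false') minus the categories authorized to the user directly
 * (USER_ACCESS_TABLE) and through his groups (USER_GROUP_TABLE joined with
 * GROUP_ACCESS_TABLE). The previous row of the user is deleted and replaced,
 * with need_update set to 'false'.
 *
 * @param int    $user_id     cast to int before being placed in the queries
 * @param string $user_status 'admin' leaves the locked categories visible
 * @return string comma separated list of forbidden category ids, '' when none
 */
function calculate_permissions($user_id, $user_status)
{
  // the id is used unquoted in every query below, so only an integer may
  // reach them
  $user_id = (int) $user_id;

  $private_array = array();
  $authorized_array = array();

  $query = '
SELECT id
  FROM '.CATEGORIES_TABLE.'
  WHERE status = \'private\'
;';
  $result = pwg_query($query);
  while ($row = mysql_fetch_array($result))
  {
    $private_array[] = $row['id'];
  }

  // if user is not an admin, locked categories can be considered as private
  if ($user_status !== 'admin')
  {
    $query = '
SELECT id
  FROM '.CATEGORIES_TABLE.'
  WHERE visible = \'false\'
;';
    $result = pwg_query($query);
    while ($row = mysql_fetch_array($result))
    {
      $private_array[] = $row['id'];
    }

    // a category can be both private and locked
    $private_array = array_unique($private_array);
  }

  // retrieve category ids directly authorized to the user
  $query = '
SELECT cat_id
  FROM '.USER_ACCESS_TABLE.'
  WHERE user_id = '.$user_id.'
;';
  $result = pwg_query($query);
  while ($row = mysql_fetch_array($result))
  {
    $authorized_array[] = $row['cat_id'];
  }

  // retrieve category ids authorized to the groups the user belongs to
  $query = '
SELECT cat_id
  FROM '.USER_GROUP_TABLE.' AS ug INNER JOIN '.GROUP_ACCESS_TABLE.' AS ga
    ON ug.group_id = ga.group_id
  WHERE ug.user_id = '.$user_id.'
;';
  $result = pwg_query($query);
  while ($row = mysql_fetch_array($result))
  {
    $authorized_array[] = $row['cat_id'];
  }

  // uniquify ids : some private categories might be authorized for the
  // groups and for the user
  $authorized_array = array_unique($authorized_array);

  // only unauthorized private categories are forbidden
  $forbidden_array = array_diff($private_array, $authorized_array);

  $query = '
DELETE FROM '.USER_FORBIDDEN_TABLE.'
  WHERE user_id = '.$user_id.'
;';
  pwg_query($query);

  $forbidden_categories = implode(',', $forbidden_array);

  $query = '
INSERT INTO '.USER_FORBIDDEN_TABLE.'
  (user_id,need_update,forbidden_categories)
  VALUES
  ('.$user_id.',\'false\',\''.$forbidden_categories.'\')
;';
  pwg_query($query);

  return $forbidden_categories;
}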
356?>