inc/libs/admins_functions.php

   1 <?php
   2 /************************************************************************
   3  * MXChange v0.2.1                                    Start: 06/30/2003 *
   4  * ===============                              Last change: 11/27/2004 *
   5  *                                                                      *
   6  * -------------------------------------------------------------------- *
   7  * File              : admins_functions.php                             *
   8  * -------------------------------------------------------------------- *
   9  * Short description : Functions for the admins extension               *
  10  * -------------------------------------------------------------------- *
  11  * Kurzbeschreibung  : Funktionen fuer die admins-Erweiterung           *
  12  * -------------------------------------------------------------------- *
  13  *                                                                      *
  14  * -------------------------------------------------------------------- *
  15  * Copyright (c) 2003 - 2008 by Roland Haeder                           *
  16  * For more information visit: http://www.mxchange.org                  *
  17  *                                                                      *
  18  * This program is free software; you can redistribute it and/or modify *
  19  * it under the terms of the GNU General Public License as published by *
  20  * the Free Software Foundation; either version 2 of the License, or    *
  21  * (at your option) any later version.                                  *
  22  *                                                                      *
  23  * This program is distributed in the hope that it will be useful,      *
  24  * but WITHOUT ANY WARRANTY; without even the implied warranty of       *
  25  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the        *
  26  * GNU General Public License for more details.                         *
  27  *                                                                      *
  28  * You should have received a copy of the GNU General Public License    *
  29  * along with this program; if not, write to the Free Software          *
  30  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,               *
  31  * MA  02110-1301  USA                                                  *
  32  ************************************************************************/
  33
  34 // Some security stuff...
  35 if (ereg(basename(__FILE__), $_SERVER['PHP_SELF']))
  36 {
  37         $INC = substr(dirname(__FILE__), 0, strpos(dirname(__FILE__), "/inc") + 4) . "/security.php";
  38         require($INC);
  39 }
  40
  41 // Check ACL for menu combination
  42 function ADMINS_CHECK_ACL($act, $wht) {
  43         global $cacheArray, $_CONFIG, $cacheInstance;
  44         // If action is login or logout allow allways!
  45         $default = "allow";
  46         if (($act == "login") || ($act == "logout")) return true;
  47
  48         // Default is deny
  49         $ret = false;
  50
  51         // Get admin's defult access right
  52         if (!empty($cacheArray['admins']['def_acl'][get_session('admin_login')])) {
  53                 // Load from cache
  54                 $default = $cacheArray['admins']['def_acl'][get_session('admin_login')];
  55
  56                 // Count cache hits
  57                 $_CONFIG['cache_hits']++;
  58         } elseif (!is_object($cacheInstance)) {
  59                 // Load from database
  60                 $result = SQL_QUERY_ESC("SELECT default_acl FROM "._MYSQL_PREFIX."_admins WHERE login='%s' LIMIT 1",
  61                  array(get_session('admin_login')), __FILE__, __LINE__);
  62                 list($default) = SQL_FETCHROW($result);
  63                 SQL_FREERESULT($result);
  64         }
  65
  66         // Get admin's ID
  67         $aid = GET_ADMIN_ID(get_session('admin_login'));
  68
  69         if (!empty($wht)) {
  70                 // Check for parent menu:
  71                 // First get it's action value
  72                 $parent_action = GET_ACTION("admin", $wht);
  73
  74                 // Check with this function...
  75                 $parent = ADMINS_CHECK_ACL($parent_action, "");
  76         } else {
  77                 // Anything else is true!
  78                 $parent = false;
  79         }
  80
  81         // Shall I test for a main or sub menu? (action or what?)
  82         $lines = 0; $acl_mode = "failed";
  83         if (GET_EXT_VERSION("cache") >= "0.1.2") {
  84                 // Load only from array when there are lines!
  85                 if ((isset($cacheArray['admin_acls'])) && (is_array($cacheArray['admin_acls'])) && (count($cacheArray['admin_acls']) > 0)) {
  86                         // Load ACL from array
  87                         foreach ($cacheArray['admin_acls']['admin_id'] as $id => $aid_acls) {
  88                                 if ($aid == $aid_acls) {
  89                                         // Okay, one line was found!
  90                                         if ((!empty($act)) && ($cacheArray['admin_acls']['action_menu'][$id] == $act)) {
  91                                                 // Main menu line found
  92                                                 $acl_mode = $cacheArray['admin_acls']['access_mode'][$id];
  93                                                 $lines = 1;
  94                                         }
  95                                          elseif ((!empty($wht)) && ($cacheArray['admin_acls']['what_menu'][$id] == $wht)) {
  96                                                 // Check sub menu
  97                                                 $acl_mode = $cacheArray['admin_acls']['access_mode'][$id];
  98                                                 $lines = 1;
  99                                         }
 100                                         if ($lines == 1) {
 101                                                 // Count cache hits
 102                                                 $_CONFIG['cache_hits']++;
 103                                                 break;
 104                                         }
 105                                 }
 106                         }
 107
 108                         // No ACL found?
 109                         if ($acl_mode == "failed") {
 110                                 $acl_mode = "";
 111                                 $lines = 0;
 112                         }
 113                 } else {
 114                         // No lines here
 115                         $lines = 0;
 116                 }
 117         } else {
 118                 // Old version, so load it from database
 119                 if (!empty($act))
 120                 {
 121                         // Main menu
 122                         $result = SQL_QUERY_ESC("SELECT access_mode FROM "._MYSQL_PREFIX."_admins_acls WHERE admin_id=%s AND action_menu='%s' LIMIT 1",
 123                          array(bigintval($aid), $act), __FILE__, __LINE__);
 124                 } elseif (!empty($wht)) {
 125                         // Sub menu
 126                         $result = SQL_QUERY_ESC("SELECT access_mode FROM "._MYSQL_PREFIX."_admins_acls WHERE admin_id=%s AND what_menu='%s' LIMIT 1",
 127                          array(bigintval($aid), $wht), __FILE__, __LINE__);
 128                 }
 129
 130                 // Get number of lines
 131                 $lines = SQL_NUMROWS($result);
 132
 133                 // Load ACL
 134                 list($acl_mode) = SQL_FETCHROW($result);
 135                 SQL_FREERESULT($result);
 136         }
 137
 138         // Check ACL and (maybe) allow
 139         if ((($default == "allow") && ($lines == 0)) || (($default == "deny") && ($lines == "1") && ($acl_mode == "allow")) || (($lines == 0) && ($parent))) $ret = true;
 140
 141         // Return value
 142         return $ret;
 143 }
 144
 145 // Create email link to admins's account
 146 function ADMINS_CREATE_EMAIL_LINK($email, $mod="admin") {
 147         $locked = " AND status='CONFIRMED'";
 148         if (IS_ADMIN()) $locked = "";
 149         if (strpos("@", $email) > 0) {
 150                 // Create email link
 151                 $result = SQL_QUERY_ESC("SELECT id
 152 FROM "._MYSQL_PREFIX."_admins
 153 WHERE email='%s'".$locked." LIMIT 1",
 154  array($email), __FILE__, __LINE__);
 155
 156                 // Is there an entry?
 157                 if (SQL_NUMROWS($result) == 1) {
 158                         // Load userid
 159                         list($uid) = SQL_FETCHROW($result);
 160
 161                         // Rewrite email address to contact link
 162                         $email = URL."/modules.php?module=".$mod."&amp;what=user_contct&amp;u_id=".bigintval($uid);
 163                 }
 164
 165                 // Free memory
 166                 SQL_FREERESULT($result);
 167         } elseif (bigintval($email) > 0) {
 168                 // Direct ID given
 169                 $email = URL."/modules.php?module=".$mod."&amp;what=admins_contct&amp;admin=".bigintval($email);
 170         }
 171
 172         // Return rewritten (?) email address
 173         return $email;
 174 }
 175
 176 // Change a lot admin account
 177 function ADMINS_CHANGE_ADMIN_ACCOUNT($POST) {
 178         global $cacheInstance;
 179
 180         // Begin the update
 181         $cacheInstance_UPDATE = "0";
 182         foreach ($POST['login'] as $id => $login) {
 183                 // Secure ID number
 184                 $id = bigintval($id);
 185
 186                 // When both passwords match update admin account
 187                 if ($POST['pass1'][$id] == $POST['pass2'][$id]) {
 188                         // Save only when both passwords are the same (also when they are empty)
 189                         $ADD = ""; $cacheInstance_UPDATE = "1";
 190
 191                         // Generate hash
 192                         $hash = generateHash($POST['pass1'][$id]);
 193
 194                         // Save password when set
 195                         if (!empty($POST['pass1'][$id])) $ADD = sprintf(", password='%s'", SQL_ESCAPE($hash));
 196
 197                         // Get admin's ID
 198                         $salt = substr(GET_ADMIN_HASH(get_session('admin_login')), 0, -40);
 199                         $aid = GET_ADMIN_ID(get_session('admin_login'));
 200
 201                         // Rewrite cookie when it's own account
 202                         if ($aid == $id) {
 203                                 // Set timeout cookie
 204                                 set_session("admin_last", time());
 205
 206                                 if ($login != get_session('admin_login')) {
 207                                         // Update login cookie
 208                                         set_session("admin_login", $login);
 209
 210                                         // Update password cookie as well?
 211                                         if (!empty($ADD)) set_session("admin_md5", $hash);
 212                                 } elseif (generateHash($POST['pass1'][$id], $salt) != get_session('admin_md5')) {
 213                                         // Update password cookie
 214                                         set_session("admin_md5", $hash);
 215                                 }
 216
 217                         }
 218
 219                         // Get default ACL from admin to check if we can allow him to change the default ACL
 220                         $result = SQL_QUERY_ESC("SELECT default_acl FROM "._MYSQL_PREFIX."_admins WHERE login='%s' LIMIT 1",
 221                          array(get_session('admin_login')), __FILE__, __LINE__);
 222                         list($default) = SQL_FETCHROW($result);
 223
 224                         // Free result
 225                         SQL_FREERESULT($result);
 226
 227                         // Update admin account
 228                         if ($default == "allow") {
 229                                 // Allow changing default ACL
 230                                 $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_admins SET
 231 login='%s'".$ADD.",
 232 email='%s',
 233 default_acl='%s',
 234 la_mode='%s'
 235 WHERE id=%s LIMIT 1",
 236  array(
 237         $login,
 238         $POST['email'][$id],
 239         $POST['mode'][$id],
 240         $POST['la_mode'][$id],
 241         $id
 242 ), __FILE__, __LINE__);
 243                         } else {
 244                                 // Do not allow it here
 245                                 $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_admins SET
 246 login='%s'".$ADD.",
 247 email='%s',
 248 la_mode='%s'
 249 WHERE id=%s LIMIT 1",
 250  array(
 251         $login,
 252         $POST['email'][$id],
 253         $POST['la_mode'][$id],
 254         $id
 255 ), __FILE__, __LINE__);
 256                         }
 257
 258                         // Admin account saved
 259                         $MSG = ADMIN_ACCOUNT_SAVED;
 260                 } else {
 261                         // Passwords did not match
 262                         $MSG = ADMINS_ERROR_PASS_MISMATCH;
 263                 }
 264
 265                 // Display message
 266                 if (!empty($MSG)) {
 267                         LOAD_TEMPLATE("admin_settings_saved", false, "<SPAN class=\"admin_done\">".$MSG."</SPAN>");
 268                 }
 269         }
 270
 271         // Remove cache file
 272         if ((EXT_IS_ACTIVE("cache")) && ($cacheInstance_UPDATE == "1")) {
 273                 if ($cacheInstance->cache_file("admins", true)) $cacheInstance->cache_destroy();
 274         }
 275 }
 276
 277 // Make admin accounts editable
 278 function ADMINS_EDIT_ADMIN_ACCOUNTS ($POST) {
 279         // Begin the edit loop
 280         $SW = 2; $OUT = "";
 281         foreach ($POST['sel'] as $id => $sel) {
 282                 // Secure ID number
 283                 $id = bigintval($id);
 284
 285                 // Get the admin's data
 286                 $result = SQL_QUERY_ESC("SELECT login, email, default_acl AS mode, la_mode FROM "._MYSQL_PREFIX."_admins WHERE id=%s LIMIT 1",
 287                  array($id), __FILE__, __LINE__);
 288                 if ((SQL_NUMROWS($result) == 1) && ($sel == 1)) {
 289                         // Entry found
 290                         $content = SQL_FETCHARRAY($result);
 291                         SQL_FREERESULT($result);
 292
 293                         // Prepare some more data for the template
 294                         $content['sw']          = $SW;
 295                         $content['id']          = $id;
 296
 297                         // Shall we allow changing default ACL?
 298                         if ($content['mode'] == "allow") {
 299                                 // Allow chaning it
 300                                 $content['mode']    = ADD_OPTION_LINES("/ARRAY/", array("allow", "deny"), array(ADMINS_ALLOW_MODE, ADMINS_DENY_MODE), $content['mode']);
 301                         } else {
 302                                 // Don't allow it
 303                                 $content['mode'] = "&nbsp;";
 304                         }
 305                         $content['la_mode'] = ADD_OPTION_LINES("/ARRAY/", array("global", "OLD", "NEW"), array(ADMINS_GLOBAL_LA_SETTING, ADMINS_OLD_LA_SETTING, ADMINS_NEW_LA_SETTING), $content['la_mode']);
 306
 307                         // Load row template and switch color
 308                         $OUT .= LOAD_TEMPLATE("admin_edit_admins_row", true, $content);
 309                         $SW = 3 - $SW;
 310                 }
 311         }
 312         define('__ADMINS_ROWS', $OUT);
 313
 314         // Load template
 315         LOAD_TEMPLATE("admin_edit_admins");
 316 }
 317
 318 // Delete given admin accounts
 319 function ADMINS_DELETE_ADMIN_ACCOUNTS ($POST) {
 320         // Check if this account is the last one which cannot be deleted...
 321         $result_main = SQL_QUERY("SELECT id FROM "._MYSQL_PREFIX."_admins", __FILE__, __LINE__);
 322         $accounts = SQL_NUMROWS($result_main);
 323         SQL_FREERESULT($result_main);
 324         if ($accounts > 1) {
 325                 // Delete accounts
 326                 $SW = 2; $OUT = "";
 327                 foreach ($POST['sel'] as $id => $sel) {
 328                         // Secure ID number
 329                         $id = bigintval($id);
 330
 331                         // Get the admin's data
 332                         $result = SQL_QUERY_ESC("SELECT login, email, default_acl AS mode, la_mode FROM "._MYSQL_PREFIX."_admins WHERE id=%s LIMIT 1",
 333                          array($id), __FILE__, __LINE__);
 334                         if (SQL_NUMROWS($result) == 1) {
 335                                 // Entry found
 336                                 $content = SQL_FETCHARRAY($result);
 337                                 SQL_FREERESULT($result);
 338                                 $eval = "\$content['mode'] = ADMINS_".strtoupper($content['mode'])."_MODE;";
 339                                 eval($eval);
 340                                 $eval = "\$content['la_mode'] = ADMINS_".strtoupper($content['la_mode'])."_LA_SETTING;";
 341                                 eval($eval);
 342
 343                                 // Prepare some more data
 344                                 $content['sw'] = $SW;
 345                                 $content['id'] = $id;
 346
 347                                 // Load row template and switch color
 348                                 $OUT .= LOAD_TEMPLATE("admin_del_admins_row", true, $content);
 349                                 $SW = 3 - $SW;
 350                         }
 351                 }
 352                 define('__ADMINS_ROWS', $OUT);
 353
 354                 // Load template
 355                 LOAD_TEMPLATE("admin_del_admins");
 356         } else {
 357                 // Cannot delete last account!
 358                 LOAD_TEMPLATE("admin_settings_saved", false, ADMIN_ADMINS_CANNOT_DELETE_LAST);
 359         }
 360 }
 361
 362 // Remove the given accounts
 363 function ADMINS_REMOVE_ADMIN_ACCOUNTS ($POST) {
 364         // Begin removal
 365         $cacheInstance_UPDATE = "0";
 366         foreach ($POST['sel'] as $id => $del) {
 367                 // Secure ID number
 368                 $id = bigintval($id);
 369
 370                 // Delete only when it's not your own account!
 371                 if (($del == 1) && (GET_ADMIN_ID(get_session('admin_login')) != $id)) {
 372                         // Rewrite his tasks to all admins
 373                         $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_task_system SET assigned_admin=0 WHERE assigned_admin=%s",
 374                          array($id), __FILE__, __LINE__);
 375
 376                         // Remove account
 377                         $result = SQL_QUERY_ESC("DELETE LOW_PRIORITY FROM "._MYSQL_PREFIX."_admins WHERE id=%s LIMIT 1",
 378                          array($id), __FILE__, __LINE__);
 379
 380                         $cacheInstance_UPDATE = "1";
 381                 }
 382         }
 383
 384         // Remove cache if cache system is activated
 385         if ((EXT_IS_ACTIVE("cache")) && ($cacheInstance_UPDATE == "1")) {
 386                 if ($cacheInstance->cache_file("admins", true)) $cacheInstance->cache_destroy();
 387         }
 388 }
 389
 390 // List all admin accounts
 391 function ADMINS_LIST_ADMIN_ACCOUNTS() {
 392         // Select all admin accounts
 393         $result = SQL_QUERY("SELECT id, login, email, default_acl AS mode, la_mode FROM "._MYSQL_PREFIX."_admins ORDER BY login ASC", __FILE__, __LINE__);
 394         $SW = 2; $OUT = "";
 395         while ($content = SQL_FETCHARRAY($result)) {
 396                 // Compile some variables
 397                 $eval = "\$content['mode'] = ADMINS_".strtoupper($content['mode'])."_MODE;";
 398                 eval($eval);
 399                 $eval = "\$content['la_mode'] = ADMINS_".strtoupper($content['la_mode'])."_LA_SETTING;";
 400                 eval($eval);
 401
 402                 // Prepare some more data
 403                 $content['sw']         = $SW;
 404                 $content['email_link'] = CREATE_EMAIL_LINK($content['id']);
 405
 406                 // Load row template and switch color
 407                 $OUT .= LOAD_TEMPLATE("admin_list_admins_row", true, $content);
 408                 $SW = 3 - $SW;
 409         }
 410
 411         // Free memory
 412         SQL_FREERESULT($result);
 413         define('__ADMINS_ROWS', $OUT);
 414
 415         // Load template
 416         LOAD_TEMPLATE("admin_list_admins");
 417 }
 418
 419 //
 420 ?>