inc/libs/admins_functions.php

   1 <?php
   2 /************************************************************************
   3  * MXChange v0.2.1                                    Start: 06/30/2003 *
   4  * ===============                              Last change: 11/27/2004 *
   5  *                                                                      *
   6  * -------------------------------------------------------------------- *
   7  * File              : admins_functions.php                             *
   8  * -------------------------------------------------------------------- *
   9  * Short description : Functions for the admins extension               *
  10  * -------------------------------------------------------------------- *
  11  * Kurzbeschreibung  : Funktionen fuer die admins-Erweiterung           *
  12  * -------------------------------------------------------------------- *
  13  *                                                                      *
  14  * -------------------------------------------------------------------- *
  15  * Copyright (c) 2003 - 2008 by Roland Haeder                           *
  16  * For more information visit: http://www.mxchange.org                  *
  17  *                                                                      *
  18  * This program is free software; you can redistribute it and/or modify *
  19  * it under the terms of the GNU General Public License as published by *
  20  * the Free Software Foundation; either version 2 of the License, or    *
  21  * (at your option) any later version.                                  *
  22  *                                                                      *
  23  * This program is distributed in the hope that it will be useful,      *
  24  * but WITHOUT ANY WARRANTY; without even the implied warranty of       *
  25  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the        *
  26  * GNU General Public License for more details.                         *
  27  *                                                                      *
  28  * You should have received a copy of the GNU General Public License    *
  29  * along with this program; if not, write to the Free Software          *
  30  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,               *
  31  * MA  02110-1301  USA                                                  *
  32  ************************************************************************/
  33
  34 // Some security stuff...
  35 if (!defined('__SECURITY')) {
  36         $INC = substr(dirname(__FILE__), 0, strpos(dirname(__FILE__), "/inc") + 4) . "/security.php";
  37         require($INC);
  38 }
  39
  40 // Check ACL for menu combination
  41 function ADMINS_CHECK_ACL($act, $wht) {
  42         global $cacheArray, $_CONFIG, $cacheInstance;
  43         // If action is login or logout allow allways!
  44         $default = "allow";
  45         if (($act == "login") || ($act == "logout")) return true;
  46
  47         // Default is deny
  48         $ret = false;
  49
  50         // Get admin's ID
  51         $aid = GET_ADMIN_ID(get_session('admin_login'));
  52
  53         // Get admin's defult access right
  54         $default = GET_ADMIN_DEFAULT_ACL($aid);
  55
  56
  57         if (!empty($wht)) {
  58                 // Check for parent menu:
  59                 // First get it's action value
  60                 $parent_action = GET_ACTION("admin", $wht);
  61
  62                 // Check with this function...
  63                 $parent = ADMINS_CHECK_ACL($parent_action, "");
  64         } else {
  65                 // Anything else is true!
  66                 $parent = false;
  67         }
  68
  69         // Shall I test for a main or sub menu? (action or what?)
  70         $lines = 0; $acl_mode = "failed";
  71         if (GET_EXT_VERSION("cache") >= "0.1.2") {
  72                 // Load only from array when there are lines!
  73                 if ((isset($cacheArray['admin_acls'])) && (is_array($cacheArray['admin_acls'])) && (count($cacheArray['admin_acls']) > 0)) {
  74                         // Load ACL from array
  75                         foreach ($cacheArray['admin_acls']['admin_id'] as $id => $aid_acls) {
  76                                 if ($aid == $aid_acls) {
  77                                         // Okay, one line was found!
  78                                         if ((!empty($act)) && ($cacheArray['admin_acls']['action_menu'][$id] == $act)) {
  79                                                 // Main menu line found
  80                                                 $acl_mode = $cacheArray['admin_acls']['access_mode'][$id];
  81                                                 $lines = 1;
  82                                         }
  83                                          elseif ((!empty($wht)) && ($cacheArray['admin_acls']['what_menu'][$id] == $wht)) {
  84                                                 // Check sub menu
  85                                                 $acl_mode = $cacheArray['admin_acls']['access_mode'][$id];
  86                                                 $lines = 1;
  87                                         }
  88                                         if ($lines == 1) {
  89                                                 // Count cache hits
  90                                                 if (isset($_CONFIG['cache_hits'])) { $_CONFIG['cache_hits']++; } else { $_CONFIG['cache_hits'] = 1; }
  91                                                 break;
  92                                         }
  93                                 }
  94                         }
  95
  96                         // No ACL found?
  97                         if ($acl_mode == "failed") {
  98                                 $acl_mode = "";
  99                                 $lines = 0;
 100                         }
 101                 } else {
 102                         // No lines here
 103                         $lines = 0;
 104                 }
 105         } else {
 106                 // Old version, so load it from database
 107                 if (!empty($act))
 108                 {
 109                         // Main menu
 110                         $result = SQL_QUERY_ESC("SELECT access_mode FROM "._MYSQL_PREFIX."_admins_acls WHERE admin_id=%s AND action_menu='%s' LIMIT 1",
 111                          array(bigintval($aid), $act), __FILE__, __LINE__);
 112                 } elseif (!empty($wht)) {
 113                         // Sub menu
 114                         $result = SQL_QUERY_ESC("SELECT access_mode FROM "._MYSQL_PREFIX."_admins_acls WHERE admin_id=%s AND what_menu='%s' LIMIT 1",
 115                          array(bigintval($aid), $wht), __FILE__, __LINE__);
 116                 }
 117
 118                 // Get number of lines
 119                 $lines = SQL_NUMROWS($result);
 120
 121                 // Load ACL
 122                 list($acl_mode) = SQL_FETCHROW($result);
 123                 SQL_FREERESULT($result);
 124         }
 125
 126         // Check ACL and (maybe) allow
 127         if ((($default == "allow") && ($lines == 0)) || (($default == "deny") && ($lines == "1") && ($acl_mode == "allow")) || (($lines == 0) && ($parent))) $ret = true;
 128
 129         // Return value
 130         return $ret;
 131 }
 132
 133 // Create email link to admins's account
 134 function ADMINS_CREATE_EMAIL_LINK($email, $mod="admin") {
 135         $locked = " AND status='CONFIRMED'";
 136         if (IS_ADMIN()) $locked = "";
 137         if (strpos("@", $email) > 0) {
 138                 // Create email link
 139                 $result = SQL_QUERY_ESC("SELECT id
 140 FROM "._MYSQL_PREFIX."_admins
 141 WHERE email='%s'".$locked." LIMIT 1",
 142  array($email), __FILE__, __LINE__);
 143
 144                 // Is there an entry?
 145                 if (SQL_NUMROWS($result) == 1) {
 146                         // Load userid
 147                         list($uid) = SQL_FETCHROW($result);
 148
 149                         // Rewrite email address to contact link
 150                         $email = URL."/modules.php?module=".$mod."&amp;what=user_contct&amp;u_id=".bigintval($uid);
 151                 }
 152
 153                 // Free memory
 154                 SQL_FREERESULT($result);
 155         } elseif (bigintval($email) > 0) {
 156                 // Direct ID given
 157                 $email = URL."/modules.php?module=".$mod."&amp;what=admins_contct&amp;admin=".bigintval($email);
 158         }
 159
 160         // Return rewritten (?) email address
 161         return $email;
 162 }
 163
 164 // Change a lot admin account
 165 function ADMINS_CHANGE_ADMIN_ACCOUNT($POST) {
 166         global $cacheInstance;
 167
 168         // Begin the update
 169         $cache_update = 0;
 170         foreach ($POST['login'] as $id => $login) {
 171                 // Secure ID number
 172                 $id = bigintval($id);
 173
 174                 // When both passwords match update admin account
 175                 if ($POST['pass1'][$id] == $POST['pass2'][$id]) {
 176                         // Save only when both passwords are the same (also when they are empty)
 177                         $ADD = ""; $cache_update = "1";
 178
 179                         // Generate hash
 180                         $hash = generateHash($POST['pass1'][$id]);
 181
 182                         // Save password when set
 183                         if (!empty($POST['pass1'][$id])) $ADD = sprintf(", password='%s'", SQL_ESCAPE($hash));
 184
 185                         // Get admin's ID
 186                         $aid = GET_ADMIN_ID(get_session('admin_login'));
 187                         $salt = substr(GET_ADMIN_HASH($aid), 0, -40);
 188
 189                         // Rewrite cookie when it's own account
 190                         if ($aid == $id) {
 191                                 // Set timeout cookie
 192                                 set_session("admin_last", time());
 193
 194                                 if ($login != get_session('admin_login')) {
 195                                         // Update login cookie
 196                                         set_session("admin_login", $login);
 197
 198                                         // Update password cookie as well?
 199                                         if (!empty($ADD)) set_session("admin_md5", $hash);
 200                                 } elseif (generateHash($POST['pass1'][$id], $salt) != get_session('admin_md5')) {
 201                                         // Update password cookie
 202                                         set_session("admin_md5", $hash);
 203                                 }
 204                         } // END - if
 205
 206                         // Get default ACL from admin to check if we can allow him to change the default ACL
 207                         $default = GET_ADMIN_DEFAULT_ACL(GET_ADMIN_ID(get_session('admin_login')));
 208
 209                         // Update admin account
 210                         if ($default == "allow") {
 211                                 // Allow changing default ACL
 212                                 $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_admins SET
 213 login='%s'".$ADD.",
 214 email='%s',
 215 default_acl='%s',
 216 la_mode='%s'
 217 WHERE id=%s LIMIT 1",
 218  array(
 219         $login,
 220         $POST['email'][$id],
 221         $POST['mode'][$id],
 222         $POST['la_mode'][$id],
 223         $id
 224 ), __FILE__, __LINE__);
 225                         } else {
 226                                 // Do not allow it here
 227                                 $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_admins SET
 228 login='%s'".$ADD.",
 229 email='%s',
 230 la_mode='%s'
 231 WHERE id=%s LIMIT 1",
 232  array(
 233         $login,
 234         $POST['email'][$id],
 235         $POST['la_mode'][$id],
 236         $id
 237 ), __FILE__, __LINE__);
 238                         }
 239
 240                         // Purge cache
 241                         CACHE_PURGE_ADMIN_MENU($id);
 242
 243                         // Admin account saved
 244                         $MSG = ADMIN_ACCOUNT_SAVED;
 245                 } else {
 246                         // Passwords did not match
 247                         $MSG = ADMINS_ERROR_PASS_MISMATCH;
 248                 }
 249
 250                 // Display message
 251                 if (!empty($MSG)) {
 252                         LOAD_TEMPLATE("admin_settings_saved", false, "<SPAN class=\"admin_done\">".$MSG."</SPAN>");
 253                 }
 254         }
 255
 256         // Remove cache file
 257         if ((EXT_IS_ACTIVE("cache")) && ($cache_update == "1")) {
 258                 if ($cacheInstance->cache_file("admins", true)) $cacheInstance->cache_destroy();
 259         }
 260 }
 261
 262 // Make admin accounts editable
 263 function ADMINS_EDIT_ADMIN_ACCOUNTS ($POST) {
 264         // Begin the edit loop
 265         $SW = 2; $OUT = "";
 266         foreach ($POST['sel'] as $id => $sel) {
 267                 // Secure ID number
 268                 $id = bigintval($id);
 269
 270                 // Get the admin's data
 271                 $result = SQL_QUERY_ESC("SELECT login, email, default_acl AS mode, la_mode FROM "._MYSQL_PREFIX."_admins WHERE id=%s LIMIT 1",
 272                  array($id), __FILE__, __LINE__);
 273                 if ((SQL_NUMROWS($result) == 1) && ($sel == 1)) {
 274                         // Entry found
 275                         $content = SQL_FETCHARRAY($result);
 276                         SQL_FREERESULT($result);
 277
 278                         // Prepare some more data for the template
 279                         $content['sw'] = $SW;
 280                         $content['id'] = $id;
 281
 282                         // Shall we allow changing default ACL?
 283                         if ($content['mode'] == "allow") {
 284                                 // Allow chaning it
 285                                 $content['mode']    = ADD_OPTION_LINES("/ARRAY/", array("allow", "deny"), array(ADMINS_ALLOW_MODE, ADMINS_DENY_MODE), $content['mode']);
 286                         } else {
 287                                 // Don't allow it
 288                                 $content['mode'] = "&nbsp;";
 289                         }
 290                         $content['la_mode'] = ADD_OPTION_LINES("/ARRAY/", array("global", "OLD", "NEW"), array(ADMINS_GLOBAL_LA_SETTING, ADMINS_OLD_LA_SETTING, ADMINS_NEW_LA_SETTING), $content['la_mode']);
 291
 292                         // Load row template and switch color
 293                         $OUT .= LOAD_TEMPLATE("admin_edit_admins_row", true, $content);
 294                         $SW = 3 - $SW;
 295                 }
 296         }
 297         define('__ADMINS_ROWS', $OUT);
 298
 299         // Load template
 300         LOAD_TEMPLATE("admin_edit_admins");
 301 }
 302
 303 // Delete given admin accounts
 304 function ADMINS_DELETE_ADMIN_ACCOUNTS ($POST) {
 305         // Check if this account is the last one which cannot be deleted...
 306         $result_main = SQL_QUERY("SELECT id FROM "._MYSQL_PREFIX."_admins", __FILE__, __LINE__);
 307         $accounts = SQL_NUMROWS($result_main);
 308         SQL_FREERESULT($result_main);
 309         if ($accounts > 1) {
 310                 // Delete accounts
 311                 $SW = 2; $OUT = "";
 312                 foreach ($POST['sel'] as $id => $sel) {
 313                         // Secure ID number
 314                         $id = bigintval($id);
 315
 316                         // Get the admin's data
 317                         $result = SQL_QUERY_ESC("SELECT login, email, default_acl AS mode, la_mode FROM "._MYSQL_PREFIX."_admins WHERE id=%s LIMIT 1",
 318                          array($id), __FILE__, __LINE__);
 319                         if (SQL_NUMROWS($result) == 1) {
 320                                 // Entry found
 321                                 $content = SQL_FETCHARRAY($result);
 322                                 SQL_FREERESULT($result);
 323                                 $content['mode'] = constant('ADMINS_'.strtoupper($content['mode']).'_MODE');
 324                                 $content['la_mode'] = constant('ADMINS_'.strtoupper($content['la_mode']).'_LA_SETTING');
 325
 326                                 // Prepare some more data
 327                                 $content['sw'] = $SW;
 328                                 $content['id'] = $id;
 329
 330                                 // Load row template and switch color
 331                                 $OUT .= LOAD_TEMPLATE("admin_del_admins_row", true, $content);
 332                                 $SW = 3 - $SW;
 333                         }
 334                 }
 335                 define('__ADMINS_ROWS', $OUT);
 336
 337                 // Load template
 338                 LOAD_TEMPLATE("admin_del_admins");
 339         } else {
 340                 // Cannot delete last account!
 341                 LOAD_TEMPLATE("admin_settings_saved", false, ADMIN_ADMINS_CANNOT_DELETE_LAST);
 342         }
 343 }
 344
 345 // Remove the given accounts
 346 function ADMINS_REMOVE_ADMIN_ACCOUNTS ($POST) {
 347         // Begin removal
 348         $cache_update = 0;
 349         foreach ($POST['sel'] as $id => $del) {
 350                 // Secure ID number
 351                 $id = bigintval($id);
 352
 353                 // Delete only when it's not your own account!
 354                 if (($del == 1) && (GET_ADMIN_ID(get_session('admin_login')) != $id)) {
 355                         // Rewrite his tasks to all admins
 356                         $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_task_system SET assigned_admin=0 WHERE assigned_admin=%s",
 357                          array($id), __FILE__, __LINE__);
 358
 359                         // Remove account
 360                         $result = SQL_QUERY_ESC("DELETE LOW_PRIORITY FROM "._MYSQL_PREFIX."_admins WHERE id=%s LIMIT 1",
 361                          array($id), __FILE__, __LINE__);
 362
 363                         // Purge cache
 364                         CACHE_PURGE_ADMIN_MENU($id);
 365                         $cache_update = "1";
 366                 }
 367         }
 368
 369         // Remove cache if cache system is activated
 370         if ((EXT_IS_ACTIVE("cache")) && ($cache_update == "1")) {
 371                 if ($cacheInstance->cache_file("admins", true)) $cacheInstance->cache_destroy();
 372         }
 373 }
 374
 375 // List all admin accounts
 376 function ADMINS_LIST_ADMIN_ACCOUNTS() {
 377         // Select all admin accounts
 378         $result = SQL_QUERY("SELECT id, login, email, default_acl AS mode, la_mode FROM "._MYSQL_PREFIX."_admins ORDER BY login ASC", __FILE__, __LINE__);
 379         $SW = 2; $OUT = "";
 380         while ($content = SQL_FETCHARRAY($result)) {
 381                 // Compile some variables
 382                 $content['mode'] = constant('ADMINS_'.strtoupper($content['mode']).'_MODE');
 383                 $content['la_mode'] = constant('ADMINS_'.strtoupper($content['la_mode']).'_LA_SETTING');
 384
 385                 // Prepare some more data
 386                 $content['sw']         = $SW;
 387                 $content['email_link'] = CREATE_EMAIL_LINK($content['id']);
 388
 389                 // Load row template and switch color
 390                 $OUT .= LOAD_TEMPLATE("admin_list_admins_row", true, $content);
 391                 $SW = 3 - $SW;
 392         }
 393
 394         // Free memory
 395         SQL_FREERESULT($result);
 396         define('__ADMINS_ROWS', $OUT);
 397
 398         // Load template
 399         LOAD_TEMPLATE("admin_list_admins");
 400 }
 401
 402 //
 403 ?>