More improved SQL queries
[mailer.git] / inc / libs / admins_functions.php
index b168a75..e23ef16 100644 (file)
  ************************************************************************/
 
 // Some security stuff...
-if (ereg(basename(__FILE__), $_SERVER['PHP_SELF']))
-{
+if (!defined('__SECURITY')) {
        $INC = substr(dirname(__FILE__), 0, strpos(dirname(__FILE__), "/inc") + 4) . "/security.php";
        require($INC);
 }
 
 // Check ACL for menu combination
 function ADMINS_CHECK_ACL($act, $wht) {
-       global $ADMINS, $ADMINS_ACLS, $_CONFIG, $CACHE;
+       global $cacheArray, $cacheInstance;
        // If action is login or logout allow allways!
        $default = "allow";
        if (($act == "login") || ($act == "logout")) return true;
@@ -48,23 +47,11 @@ function ADMINS_CHECK_ACL($act, $wht) {
        // Default is deny
        $ret = false;
 
-       // Get admin's defult access right
-       if (!empty($ADMINS['def_acl'][$_SESSION['admin_login']])) {
-               // Load from cache
-               $default = $ADMINS['def_acl'][$_SESSION['admin_login']];
-
-               // Count cache hits
-               $_CONFIG['cache_hits']++;
-       } elseif (!is_object($CACHE)) {
-               // Load from database
-               $result = SQL_QUERY_ESC("SELECT default_acl FROM "._MYSQL_PREFIX."_admins WHERE login='%s' LIMIT 1",
-                array($_SESSION['admin_login']), __FILE__, __LINE__);
-               list($default) = SQL_FETCHROW($result);
-               SQL_FREERESULT($result);
-       }
-
        // Get admin's ID
-       $aid = GET_ADMIN_ID($_SESSION['admin_login']);
+       $aid = GET_CURRENT_ADMIN_ID();
+
+       // Get admin's defult access right
+       $default = GET_ADMIN_DEFAULT_ACL($aid);
 
        if (!empty($wht)) {
                // Check for parent menu:
@@ -82,24 +69,24 @@ function ADMINS_CHECK_ACL($act, $wht) {
        $lines = 0; $acl_mode = "failed";
        if (GET_EXT_VERSION("cache") >= "0.1.2") {
                // Load only from array when there are lines!
-               if (count($ADMINS_ACLS) > 0) {
+               if ((isset($cacheArray['admin_acls'])) && (is_array($cacheArray['admin_acls'])) && (count($cacheArray['admin_acls']) > 0)) {
                        // Load ACL from array
-                       foreach ($ADMINS_ACLS['admin_id'] as $id=>$aid_acls) {
+                       foreach ($cacheArray['admin_acls']['admin_id'] as $id => $aid_acls) {
                                if ($aid == $aid_acls) {
                                        // Okay, one line was found!
-                                       if ((!empty($act)) && ($ADMINS_ACLS['action_menu'][$id] == $act)) {
+                                       if ((!empty($act)) && ($cacheArray['admin_acls']['action_menu'][$id] == $act)) {
                                                // Main menu line found
-                                               $acl_mode = $ADMINS_ACLS['access_mode'][$id];
+                                               $acl_mode = $cacheArray['admin_acls']['access_mode'][$id];
                                                $lines = 1;
                                        }
-                                        elseif ((!empty($wht)) && ($ADMINS_ACLS['what_menu'][$id] == $wht)) {
+                                        elseif ((!empty($wht)) && ($cacheArray['admin_acls']['what_menu'][$id] == $wht)) {
                                                // Check sub menu
-                                               $acl_mode = $ADMINS_ACLS['access_mode'][$id];
+                                               $acl_mode = $cacheArray['admin_acls']['access_mode'][$id];
                                                $lines = 1;
                                        }
                                        if ($lines == 1) {
                                                // Count cache hits
-                                               $_CONFIG['cache_hits']++;
+                                               incrementConfigEntry('cache_hits');
                                                break;
                                        }
                                }
@@ -119,11 +106,11 @@ function ADMINS_CHECK_ACL($act, $wht) {
                if (!empty($act))
                {
                        // Main menu
-                       $result = SQL_QUERY_ESC("SELECT access_mode FROM "._MYSQL_PREFIX."_admins_acls WHERE admin_id=%d AND action_menu='%s' LIMIT 1",
+                       $result = SQL_QUERY_ESC("SELECT access_mode FROM `{!_MYSQL_PREFIX!}_admins_acls` WHERE admin_id=%s AND action_menu='%s' LIMIT 1",
                         array(bigintval($aid), $act), __FILE__, __LINE__);
                } elseif (!empty($wht)) {
                        // Sub menu
-                       $result = SQL_QUERY_ESC("SELECT access_mode FROM "._MYSQL_PREFIX."_admins_acls WHERE admin_id=%d AND what_menu='%s' LIMIT 1",
+                       $result = SQL_QUERY_ESC("SELECT access_mode FROM `{!_MYSQL_PREFIX!}_admins_acls` WHERE admin_id=%s AND what_menu='%s' LIMIT 1",
                         array(bigintval($aid), $wht), __FILE__, __LINE__);
                }
 
@@ -144,12 +131,12 @@ function ADMINS_CHECK_ACL($act, $wht) {
 
 // Create email link to admins's account
 function ADMINS_CREATE_EMAIL_LINK($email, $mod="admin") {
-       $locked = " AND status='CONFIRMED'";
+       $locked = " AND `status`='CONFIRMED'";
        if (IS_ADMIN()) $locked = "";
        if (strpos("@", $email) > 0) {
                // Create email link
                $result = SQL_QUERY_ESC("SELECT id
-FROM "._MYSQL_PREFIX."_admins
+FROM `{!_MYSQL_PREFIX!}_admins`
 WHERE email='%s'".$locked." LIMIT 1",
  array($email), __FILE__, __LINE__);
 
@@ -159,14 +146,14 @@ WHERE email='%s'".$locked." LIMIT 1",
                        list($uid) = SQL_FETCHROW($result);
 
                        // Rewrite email address to contact link
-                       $email = URL."/modules.php?module=".$mod."&what=user_contct&u_id=".bigintval($uid);
+                       $email = "{!URL!}/modules.php?module=".$mod."&what=user_contct&u_id=".bigintval($uid);
                }
 
                // Free memory
                SQL_FREERESULT($result);
        } elseif (bigintval($email) > 0) {
                // Direct ID given
-               $email = URL."/modules.php?module=".$mod."&what=admins_contct&admin=".bigintval($email);
+               $email = "{!URL!}/modules.php?module=".$mod."&what=admins_contct&admin=".bigintval($email);
        }
 
        // Return rewritten (?) email address
@@ -175,18 +162,18 @@ WHERE email='%s'".$locked." LIMIT 1",
 
 // Change a lot admin account
 function ADMINS_CHANGE_ADMIN_ACCOUNT($POST) {
-       global $CACHE;
+       global $cacheInstance;
 
        // Begin the update
-       $CACHE_UPDATE = "0";
-       foreach ($POST['login'] as $id=>$login) {
+       $cache_update = 0;
+       foreach ($POST['login'] as $id => $login) {
                // Secure ID number
                $id = bigintval($id);
 
                // When both passwords match update admin account
                if ($POST['pass1'][$id] == $POST['pass2'][$id]) {
                        // Save only when both passwords are the same (also when they are empty)
-                       $ADD = ""; $CACHE_UPDATE = "1";
+                       $ADD = ""; $cache_update = "1";
 
                        // Generate hash
                        $hash = generateHash($POST['pass1'][$id]);
@@ -195,44 +182,62 @@ function ADMINS_CHANGE_ADMIN_ACCOUNT($POST) {
                        if (!empty($POST['pass1'][$id])) $ADD = sprintf(", password='%s'", SQL_ESCAPE($hash));
 
                        // Get admin's ID
-                       $salt = substr(GET_ADMIN_HASH($_SESSION['admin_login']), 0, -40);
-                       $aid = GET_ADMIN_ID($_SESSION['admin_login']);
+                       $aid = GET_CURRENT_ADMIN_ID();
+                       $salt = substr(GET_ADMIN_HASH($aid), 0, -40);
 
                        // Rewrite cookie when it's own account
                        if ($aid == $id) {
-                               // Timeout
-                               $TIMEOUT = time() + bigintval($_SESSION['admin_to']);
-
                                // Set timeout cookie
-                               set_session("admin_last", time());
+                               set_session('admin_last', time());
 
-                               if ($login != $_SESSION['admin_login']) {
+                               if ($login != get_session('admin_login')) {
                                        // Update login cookie
-                                       set_session("admin_login", $login);
+                                       set_session('admin_login', $login);
 
                                        // Update password cookie as well?
-                                       if (!empty($ADD)) set_session("admin_md5", $hash);
-                               } elseif (generateHash($POST['pass1'][$id], $salt) != $_SESSION['admin_md5']) {
+                                       if (!empty($ADD)) set_session('admin_md5', $hash);
+                               } elseif (generateHash($POST['pass1'][$id], $salt) != get_session('admin_md5')) {
                                        // Update password cookie
-                                       set_session("admin_md5", $hash);
+                                       set_session('admin_md5', $hash);
                                }
+                       } // END - if
 
-                       }
+                       // Get default ACL from admin to check if we can allow him to change the default ACL
+                       $default = GET_ADMIN_DEFAULT_ACL(GET_CURRENT_ADMIN_ID());
 
                        // Update admin account
-                       $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_admins SET
+                       if ($default == "allow") {
+                               // Allow changing default ACL
+                               SQL_QUERY_ESC("UPDATE `{!_MYSQL_PREFIX!}_admins` SET
 login='%s'".$ADD.",
 email='%s',
 default_acl='%s',
 la_mode='%s'
-WHERE id=%d LIMIT 1",
- array(
-       $login,
-       $POST['email'][$id],
-       $POST['mode'][$id],
-       $POST['la_mode'][$id],
-       $id
-), __FILE__, __LINE__);
+WHERE id=%s LIMIT 1",
+                                       array(
+                                               $login,
+                                               $POST['email'][$id],
+                                               $POST['mode'][$id],
+                                               $POST['la_mode'][$id],
+                                               $id
+                                       ), __FILE__, __LINE__);
+                       } else {
+                               // Do not allow it here
+                               SQL_QUERY_ESC("UPDATE `{!_MYSQL_PREFIX!}_admins` SET
+login='%s'".$ADD.",
+email='%s',
+la_mode='%s'
+WHERE id=%s LIMIT 1",
+                                       array(
+                                               $login,
+                                               $POST['email'][$id],
+                                               $POST['la_mode'][$id],
+                                               $id
+                                       ), __FILE__, __LINE__);
+                       }
+
+                       // Purge cache
+                       CACHE_PURGE_ADMIN_MENU($id);
 
                        // Admin account saved
                        $MSG = ADMIN_ACCOUNT_SAVED;
@@ -243,36 +248,45 @@ WHERE id=%d LIMIT 1",
 
                // Display message
                if (!empty($MSG)) {
-                       LOAD_TEMPLATE("admin_settings_saved", false, "<SPAN class=\"admin_done\">".$MSG."</SPAN>");
+                       LOAD_TEMPLATE("admin_settings_saved", false, $MSG);
                }
        }
 
        // Remove cache file
-       if ((EXT_IS_ACTIVE("cache")) && ($CACHE_UPDATE == "1")) {
-               if ($CACHE->cache_file("admins", true)) $CACHE->cache_destroy();
-       }
+       RUN_FILTER('post_admin_edited', $_POST);
 }
 
 // Make admin accounts editable
 function ADMINS_EDIT_ADMIN_ACCOUNTS ($POST) {
+       // "Resolve" current's admin access mode
+       $currMode = GET_ADMIN_DEFAULT_ACL(GET_CURRENT_ADMIN_ID());
+
        // Begin the edit loop
        $SW = 2; $OUT = "";
-       foreach ($POST['sel'] as $id=>$sel) {
+       foreach ($POST['sel'] as $id => $sel) {
                // Secure ID number
                $id = bigintval($id);
 
                // Get the admin's data
-               $result = SQL_QUERY_ESC("SELECT login, email, default_acl AS mode, la_mode FROM "._MYSQL_PREFIX."_admins WHERE id=%d LIMIT 1",
-                array($id), __FILE__, __LINE__);
+               $result = SQL_QUERY_ESC("SELECT login, email, default_acl AS mode, la_mode FROM `{!_MYSQL_PREFIX!}_admins` WHERE id=%s LIMIT 1",
+                       array($id), __FILE__, __LINE__);
                if ((SQL_NUMROWS($result) == 1) && ($sel == 1)) {
                        // Entry found
                        $content = SQL_FETCHARRAY($result);
                        SQL_FREERESULT($result);
 
                        // Prepare some more data for the template
-                       $content['sw']          = $SW;
-                       $content['id']          = $id;
-                       $content['mode']    = ADD_OPTION_LINES("/ARRAY/", array("allow", "deny"), array(ADMINS_ALLOW_MODE, ADMINS_DENY_MODE), $content['mode']);
+                       $content['sw'] = $SW;
+                       $content['id'] = $id;
+
+                       // Shall we allow changing default ACL?
+                       if ($currMode == "allow") {
+                               // Allow chaning it
+                               $content['mode']    = ADD_OPTION_LINES("/ARRAY/", array("allow", "deny"), array(constant('ADMINS_ALLOW_MODE'), constant('ADMINS_DENY_MODE')), $content['mode']);
+                       } else {
+                               // Don't allow it
+                               $content['mode'] = "&nbsp;";
+                       }
                        $content['la_mode'] = ADD_OPTION_LINES("/ARRAY/", array("global", "OLD", "NEW"), array(ADMINS_GLOBAL_LA_SETTING, ADMINS_OLD_LA_SETTING, ADMINS_NEW_LA_SETTING), $content['la_mode']);
 
                        // Load row template and switch color
@@ -289,27 +303,25 @@ function ADMINS_EDIT_ADMIN_ACCOUNTS ($POST) {
 // Delete given admin accounts
 function ADMINS_DELETE_ADMIN_ACCOUNTS ($POST) {
        // Check if this account is the last one which cannot be deleted...
-       $result_main = SQL_QUERY("SELECT id FROM "._MYSQL_PREFIX."_admins", __FILE__, __LINE__);
+       $result_main = SQL_QUERY("SELECT id FROM `{!_MYSQL_PREFIX!}_admins`", __FILE__, __LINE__);
        $accounts = SQL_NUMROWS($result_main);
        SQL_FREERESULT($result_main);
        if ($accounts > 1) {
                // Delete accounts
                $SW = 2; $OUT = "";
-               foreach ($POST['sel'] as $id=>$sel) {
+               foreach ($POST['sel'] as $id => $sel) {
                        // Secure ID number
                        $id = bigintval($id);
 
                        // Get the admin's data
-                       $result = SQL_QUERY_ESC("SELECT login, email, default_acl AS mode, la_mode FROM "._MYSQL_PREFIX."_admins WHERE id=%d LIMIT 1",
+                       $result = SQL_QUERY_ESC("SELECT login, email, default_acl AS mode, la_mode FROM `{!_MYSQL_PREFIX!}_admins` WHERE id=%s LIMIT 1",
                         array($id), __FILE__, __LINE__);
                        if (SQL_NUMROWS($result) == 1) {
                                // Entry found
                                $content = SQL_FETCHARRAY($result);
                                SQL_FREERESULT($result);
-                               $eval = "\$content['mode'] = ADMINS_".strtoupper($content['mode'])."_MODE;";
-                               eval($eval);
-                               $eval = "\$content['la_mode'] = ADMINS_".strtoupper($content['la_mode'])."_LA_SETTING;";
-                               eval($eval);
+                               $content['mode'] = constant('ADMINS_'.strtoupper($content['mode']).'_MODE');
+                               $content['la_mode'] = constant('ADMINS_'.strtoupper($content['la_mode']).'_LA_SETTING');
 
                                // Prepare some more data
                                $content['sw'] = $SW;
@@ -326,49 +338,47 @@ function ADMINS_DELETE_ADMIN_ACCOUNTS ($POST) {
                LOAD_TEMPLATE("admin_del_admins");
        } else {
                // Cannot delete last account!
-               LOAD_TEMPLATE("admin_settings_saved", false, ADMIN_ADMINS_CANNOT_DELETE_LAST);
+               LOAD_TEMPLATE("admin_settings_saved", false, getMessage('ADMIN_ADMINS_CANNOT_DELETE_LAST'));
        }
 }
 
 // Remove the given accounts
 function ADMINS_REMOVE_ADMIN_ACCOUNTS ($POST) {
        // Begin removal
-       $CACHE_UPDATE = "0";
-       foreach ($POST['sel'] as $id=>$del) {
+       $cache_update = 0;
+       foreach ($POST['sel'] as $id => $del) {
                // Secure ID number
                $id = bigintval($id);
 
                // Delete only when it's not your own account!
-               if (($del == 1) && (GET_ADMIN_ID($_SESSION['admin_login']) != $id)) {
+               if (($del == 1) && (GET_CURRENT_ADMIN_ID() != $id)) {
                        // Rewrite his tasks to all admins
-                       $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_task_system SET assigned_admin='0' WHERE assigned_admin='%s'",
+                       SQL_QUERY_ESC("UPDATE `{!_MYSQL_PREFIX!}_task_system` SET assigned_admin=0 WHERE assigned_admin=%s",
                         array($id), __FILE__, __LINE__);
 
                        // Remove account
-                       $result = SQL_QUERY_ESC("DELETE LOW_PRIORITY FROM "._MYSQL_PREFIX."_admins WHERE id=%d LIMIT 1",
-                        array($id), __FILE__, __LINE__);
+                       SQL_QUERY_ESC("DELETE LOW_PRIORITY FROM `{!_MYSQL_PREFIX!}_admins` WHERE id=%s LIMIT 1",
+                               array($id), __FILE__, __LINE__);
 
-                       $CACHE_UPDATE = "1";
+                       // Purge cache
+                       CACHE_PURGE_ADMIN_MENU($id);
+                       $cache_update = "1";
                }
        }
 
        // Remove cache if cache system is activated
-       if ((EXT_IS_ACTIVE("cache")) && ($CACHE_UPDATE == "1")) {
-               if ($CACHE->cache_file("admins", true)) $CACHE->cache_destroy();
-       }
+       RUN_FILTER('post_admin_deleted', $_POST);
 }
 
 // List all admin accounts
 function ADMINS_LIST_ADMIN_ACCOUNTS() {
        // Select all admin accounts
-       $result = SQL_QUERY("SELECT id, login, email, default_acl AS mode, la_mode FROM "._MYSQL_PREFIX."_admins ORDER BY login ASC", __FILE__, __LINE__);
+       $result = SQL_QUERY("SELECT id, login, email, default_acl AS mode, la_mode FROM `{!_MYSQL_PREFIX!}_admins` ORDER BY login ASC", __FILE__, __LINE__);
        $SW = 2; $OUT = "";
        while ($content = SQL_FETCHARRAY($result)) {
                // Compile some variables
-               $eval = "\$content['mode'] = ADMINS_".strtoupper($content['mode'])."_MODE;";
-               eval($eval);
-               $eval = "\$content['la_mode'] = ADMINS_".strtoupper($content['la_mode'])."_LA_SETTING;";
-               eval($eval);
+               $content['mode'] = constant('ADMINS_'.strtoupper($content['mode']).'_MODE');
+               $content['la_mode'] = constant('ADMINS_'.strtoupper($content['la_mode']).'_LA_SETTING');
 
                // Prepare some more data
                $content['sw']         = $SW;
@@ -387,5 +397,16 @@ function ADMINS_LIST_ADMIN_ACCOUNTS() {
        LOAD_TEMPLATE("admin_list_admins");
 }
 
+// Filter for adding extra data to the query
+function FILTER_ADD_EXTRA_SQL_DATA ($ADD = "") {
+       // Is the admins extension updated? (should be!)
+       if (GET_EXT_VERSION("admins") >= "0.3")   $ADD .= ", default_acl AS def_acl";
+       if (GET_EXT_VERSION("admins") >= "0.6.7") $ADD .= ", la_mode";
+       if (GET_EXT_VERSION("admins") >= "0.7.2") $ADD .= ", login_failures, UNIX_TIMESTAMP(last_failure) AS last_failure";
+
+       // Return it
+       return $ADD;
+}
+
 //
 ?>