
Moved files to the right place

This commit is contained in:
Adam Zammit
2017-01-09 11:46:11 +11:00
parent b838edc01a
commit abfef22f9f
60 changed files with 1294 additions and 840 deletions


@@ -51,7 +51,7 @@ if ((defined('PHP_SESSION_ACTIVE') && session_status() !== PHP_SESSION_ACTIVE) |
if (session_id() == "" || !isset($_SESSION['loginID']))
{
//need to log in
header('Location: ../include/limesurvey/admin/admin.php');
header('Location: ../login.php');
die();
}
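Review bot: The login guard in this hunk (`if (session_id() == "" || !isset($_SESSION['loginID']))` through `die();`) is repeated verbatim in two further files of this commit, the hunks at -52,6 and -51,6, differing only in the relative `login.php` path, so any later tightening (for example `session_id() === ''`) has to be applied three times. A single guard file pulled in with `require_once(dirname(__FILE__) . '/<shared-login-guard>.php');` would keep the copies from drifting. The relative `Location: ../login.php` also resolves against the requesting URL's directory, so a path built from the application's base URL is less fragile than `..`; the redirect itself is correctly followed by `die()`.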


@@ -93,7 +93,7 @@ if (isset($_POST['client']) && !empty($_POST['client']))
/* rewrite 'password' only if not blank in edit mode */
if (isset($_GET['edit']) && $_GET['edit'] >0 && isset($_POST['password']) && !empty($_POST['password'])) {
include_once("../include/limesurvey/admin/classes/core/sha256.php");
include_once("../include/sha256.php");
$sql .=",`password` = '" . SHA256::hashing($_POST['password']) . "'";
}
@@ -111,7 +111,7 @@ if (isset($_POST['client']) && !empty($_POST['client']))
if ($db->Execute($sql)) {
include_once("../include/limesurvey/admin/classes/core/sha256.php");
include_once("../include/sha256.php");
//Insert into lime_users
$sql = "INSERT INTO " . LIME_PREFIX . "users (`users_name`,`password`,`full_name`,`parent_id`,`superadmin`,`email`,`lang`)
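Review bot: The new `include_once("../include/sha256.php")` is resolved relative to the current working directory, which for a web request is the directory of the entry script rather than of the file holding the include, so it only works while this file is itself the entry point; the same relative include is added in three further hunks of this commit (-111,7 in this file, -76,7 and -115,7 in the next two). The admin.php this commit deletes anchored its includes with `require_once(dirname(__FILE__).'/../classes/core/startup.php')`, and the same form here, `include_once(dirname(__FILE__) . '/../include/sha256.php');`, keeps the hasher loadable from any caller. The `if (isset($_POST['client']) ...)` body that encloses both hunks starts before the visible lines.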


@@ -76,7 +76,7 @@ if (isset($_POST['submit']))
if (!empty($_POST['password']))
{
include_once("../include/limesurvey/admin/classes/core/sha256.php");
include_once("../include/sha256.php");
$sql .= ", password = '" . SHA256::hashing($_POST['password']) . "' ";
}
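Review bot: `SHA256::hashing($_POST['password'])` on the line after the new include remains the only transformation applied before the password is written into `$sql`, and the hasher's implementation is not part of this diff; if, as the class name suggests, it is a plain unsalted digest, a leaked table exposes every password to offline guessing, and `password_hash()`/`password_verify()` would be the standard replacement. The same hashed value is also inserted into the LimeSurvey users table in the -111,7 and -115,7 hunks, so the LimeSurvey login path would have to accept the new format first; until then a comment such as `// NOTE: SHA256::hashing kept for LimeSurvey user-table compatibility; not a salted password hash` at this call site records the constraint. The enclosing `if (isset($_POST['submit']))` starts outside the hunk.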


@@ -115,7 +115,7 @@ if (isset($_POST['operator']) && isset($_POST['adduser']))
{
$oid = $db->Insert_ID();
include_once("../include/limesurvey/admin/classes/core/sha256.php");
include_once("../include/sha256.php");
//Insert into lime_users
$sql = "INSERT INTO " . LIME_PREFIX . "users (`users_name`,`password`,`full_name`,`parent_id`,`superadmin`,`email`,`lang`)


@@ -52,6 +52,6 @@ if ((defined('PHP_SESSION_ACTIVE') && session_status() !== PHP_SESSION_ACTIVE) |
if (session_id() == "" || !isset($_SESSION['loginID']))
{
//need to log in
header('Location: include/limesurvey/admin/admin.php');
header('Location: login.php');
die();
}


@@ -51,6 +51,6 @@ if ((defined('PHP_SESSION_ACTIVE') && session_status() !== PHP_SESSION_ACTIVE) |
if (session_id() == "" || !isset($_SESSION['loginID']))
{
//need to log in
header('Location: ../include/limesurvey/admin/admin.php');
header('Location: ../login.php');
die();
}


@@ -1,833 +0,0 @@
<?php
/*
* LimeSurvey
* Copyright (C) 2007 The LimeSurvey Project Team / Carsten Schmitz
* All rights reserved.
* License: GNU/GPL License v2 or later, see LICENSE.php
* LimeSurvey is free software. This version may have been modified pursuant
* to the GNU General Public License, and as distributed it includes or
* is derivative of works licensed under the GNU General Public License or
* other free or open source software licenses.
* See COPYRIGHT.php for copyright notices and details.
*
* $Id: admin.php 12082 2012-01-17 04:55:39Z tmswhite $
*/
// Security Checked: POST, GET, SESSION, REQUEST, returnglobal, DB
require_once(dirname(__FILE__).'/../classes/core/startup.php');
require_once(dirname(__FILE__).'/../config-defaults.php');
require_once(dirname(__FILE__).'/../common.php');
require_once('htmleditor-functions.php');
//@ini_set('session.gc_maxlifetime', $sessionlifetime); Might cause problems in client??
// Reset FileManagerContext
$_SESSION['FileManagerContext']='';
if (!isset($surveyid)) {$surveyid=returnglobal('sid');} //SurveyID
if (!isset($ugid)) {$ugid=returnglobal('ugid');} //Usergroup-ID
if (!isset($gid)) {$gid=returnglobal('gid');} //GroupID
if (!isset($qid)) {$qid=returnglobal('qid');} //QuestionID
if (!isset($lid)) {$lid=returnglobal('lid');} //LabelID
if (!isset($code)) {$code=returnglobal('code');} // ??
if (!isset($action)) {$action=returnglobal('action');} //Desired action
if (!isset($subaction)) {$subaction=returnglobal('subaction');} //Desired subaction
if (!isset($editedaction)) {$editedaction=returnglobal('editedaction');} // for html editor integration
if (isset($_SERVER['HTTP_REFERER']))
{
$refurl = $_SERVER['HTTP_REFERER']; //store referer. Can be used for other screens and not just GlobalSettings
}
else
{
$refurl = "";
}
LimeExpressionManager::SetSurveyId($surveyid); // must be called early - it clears internal cache if a new survey is being used
if (!is_null($surveyid)) {
$sinfo = getSurveyInfo($surveyid);
LimeExpressionManager::SetEMLanguage($sinfo['surveyls_language']);
}
if ($action != 'showprintablesurvey' && substr($action,0,4)!= 'ajax')
{
$adminoutput="<div id='wrapper'>";
}
else
{
$adminoutput='';
}
if($casEnabled==true)
{
include_once("login_check_cas.php");
}
else
{
include_once('login_check.php');
}
if ( $action == 'CSRFwarn')
{
include('access_denied.php');
}
if ( $action == 'FakeGET')
{
include('access_denied.php');
}
if(isset($_SESSION['loginID']))
{
//VARIOUS DATABASE OPTIONS/ACTIONS PERFORMED HERE
if (in_array($action, array('updateemailtemplates','delsurvey','delgroup','delquestion','insertsurvey','updatesubquestions','copynewquestion','insertquestiongroup','insertCSV','insertquestion','updatesurveysettings','updatesurveysettingsandeditlocalesettings','updatesurveylocalesettings','updategroup','deactivate','savepersonalsettings','updatequestion','updateansweroptions','renumberquestions','updatedefaultvalues')))
{
include('database.php');
}
sendcacheheaders();
/* Check user right actions for validity
Currently existing user rights:
`configurator`
`create_survey`
`create_user`
`delete_user`
`manage_label`
`manage_template`
`superadmin`
*/
if ($action == 'importsurvey' || $action == 'copysurvey')
{
if ($_SESSION['USER_RIGHT_CREATE_SURVEY']==1) {include('http_importsurvey.php');}
else { include('access_denied.php');}
}
elseif ($action == 'dumpdb')
{
if ($_SESSION['USER_RIGHT_SUPERADMIN']==1) {include('dumpdb.php');}
else { include('access_denied.php');}
}
elseif ($action == 'dumplabel')
{
if ($_SESSION['USER_RIGHT_MANAGE_LABEL']==1) {include('dumplabel.php');}
else { include('access_denied.php');}
}
elseif ($action == 'exportlabelresources')
{
if ($_SESSION['USER_RIGHT_MANAGE_TEMPLATE']==1) {$_SESSION['FileManagerContext']="edit:label:$lid"; include('export_resources_zip.php');}
else { include('access_denied.php');}
}
elseif ($action == 'checkintegrity')
{
if ($_SESSION['USER_RIGHT_CONFIGURATOR']==1) {include('integritycheck.php');}
else { include('access_denied.php');}
}
elseif ($action == "globalsettings")
{
if ($_SESSION['USER_RIGHT_CONFIGURATOR']==1) {globalsettingsdisplay();}
else { include("access_denied.php");}
}
elseif ($action == "globalsettingssave")
{
if ($_SESSION['USER_RIGHT_CONFIGURATOR']==1) {globalsettingssave();}
else { include("access_denied.php");}
}
elseif ($action=='labels' || $action=='newlabelset' || $action=='insertlabelset' ||
$action=='deletelabelset' || $action=='editlabelset' || $action=='modlabelsetanswers' ||
$action=='updateset' || $action=='importlabels' ||$action == 'importlabelresources')
{
if ($_SESSION['USER_RIGHT_MANAGE_LABEL']==1) {$_SESSION['FileManagerContext']="edit:label:$lid"; include('labels.php');}
else { include('access_denied.php');}
}
elseif ($action=='templates' || $action=='templatecopy' || $action=='templatesavechanges' ||
$action=='templaterename' || $action=='templateuploadfile' || $action=='templatefiledelete' ||
$action=='templatezip' || $action=='templaterefresh' || $action=='templateupload')
{
if ($_SESSION['USER_RIGHT_MANAGE_TEMPLATE']==1) {include('templates.php');}
else { include('access_denied.php');}
}
/* Check survey right actions for validity
Currently existing survey rights:
`edit_survey_property`
`define_questions`
`browse_response`
`export`
`delete_survey`
`activate_survey`
*/
if ($action == 'activate')
{
if(bHasSurveyPermission($surveyid,'surveyactivation','update')) {include('activate.php');}
else { include('access_denied.php');}
}
elseif ($action == 'conditions')
{
if(bHasSurveyPermission($surveyid,'surveycontent','read')) {include('conditionshandling.php');}
else { include('access_denied.php');}
}
elseif ($action == 'importsurveyresources')
{
if (bHasSurveyPermission($surveyid,'surveycontent','import')) {$_SESSION['FileManagerContext']="edit:survey:$surveyid";include('import_resources_zip.php');}
else { include('access_denied.php');}
}
elseif ($action == 'exportstructureLsrcCsv')
{
if(bHasSurveyPermission($surveyid,'surveycontent','export')) {include('export_structure_lsrc.php');}
else { include('access_denied.php');}
}
elseif ($action == 'exportstructurequexml')
{
if(bHasSurveyPermission($surveyid,'surveycontent','export')) {include('export_structure_quexml.php');}
else { include('access_denied.php');}
}
elseif ($action == 'exportstructurexml')
{
if(bHasSurveyPermission($surveyid,'surveycontent','export')) {include('export_structure_xml.php');}
else { include('access_denied.php');}
}
elseif ($action == 'exportstructurecsvGroup')
{
if(bHasSurveyPermission($surveyid,'surveycontent','export')) {include('dumpgroup.php');}
else { include('access_denied.php');}
}
elseif ($action == 'exportstructureLsrcCsvGroup')
{
if(bHasSurveyPermission($surveyid,'surveycontent','export')) {include('dumpgroup.php');}
else { include('access_denied.php');}
}
elseif ($action == 'exportstructurecsvQuestion')
{
if(bHasSurveyPermission($surveyid,'surveycontent','export')) {include('dumpquestion.php');}
else { include('access_denied.php');}
}
elseif ($action == 'exportstructureLsrcCsvQuestion')
{
if(bHasSurveyPermission($surveyid,'surveycontent','export')) {include('dumpquestion.php');}
else { include('access_denied.php');}
}
elseif ($action == 'exportsurvresources')
{
if(bHasSurveyPermission($surveyid,'surveycontent','export')) {$_SESSION['FileManagerContext']="edit:survey:$surveyid";include('export_resources_zip.php');}
else { include('access_denied.php');}
}
elseif ($action == 'deactivate')
{
if(bHasSurveyPermission($surveyid,'surveyactivation','update')) {include('deactivate.php');}
else { include('access_denied.php');}
}
elseif ($action == 'deletesurvey')
{
if(bHasSurveyPermission($surveyid,'survey','delete')) {include('deletesurvey.php');}
else { include('access_denied.php');}
}
elseif ($action == 'resetsurveylogic')
{
if(bHasSurveyPermission($surveyid,'surveycontent','update')) {include('resetsurveylogic.php');}
else { include('access_denied.php');}
}
elseif ($action == 'importgroup')
{
if(bHasSurveyPermission($surveyid,'surveycontent','import')) {include('importgroup.php');}
else { include('access_denied.php');}
}
elseif ($action == 'importquestion')
{
if(bHasSurveyPermission($surveyid,'surveycontent','import')) {include('importquestion.php');}
else { include('access_denied.php');}
}
elseif ($action == 'listcolumn')
{
if(bHasSurveyPermission($surveyid,'statistics','read')) {include('listcolumn.php');}
else { include('access_denied.php');}
}
elseif ($action == 'previewquestion')
{
if(bHasSurveyPermission($surveyid,'surveycontent','read')) {include('preview.php');}
else { include('access_denied.php');}
}
elseif ($action == 'previewgroup')
{
$_SESSION['interviewer'] = true;
require_once('../index.php');
exit;
}
elseif ($action == 'showlogicfile')
{
if(bHasSurveyPermission($surveyid,'translations','read'))
{
$surveyid = sanitize_int($surveyid);
$thissurvey = getSurveyInfo($surveyid);
$_POST['sid'] = $surveyid . '|N';
$_POST['LEM_PRETTY_PRINT_ALL_SYNTAX'] = 'Y';
$_POST['surveyMode'] = 'survey';
$_POST['LEMcalledFromAdmin'] = 'Y';
$_POST['assessments'] = $thissurvey['assessments'];
LimeExpressionManager::SetDirtyFlag();
if (isset($_GET['gid'])) { $_POST['gid'] = $_GET['gid']; }
if (isset($_GET['qid'])) { $_POST['qid'] = $_GET['qid']; }
include($rootdir . '/classes/expressions/test/survey_logic_file.php');
exit;
}
else { include('access_denied.php');}
}
elseif ($action=='addgroup' || $action=='editgroup' || $action=='ordergroups')
{
if(bHasSurveyPermission($surveyid,'surveycontent','read')) {$_SESSION['FileManagerContext']="edit:group:$surveyid"; include('questiongrouphandling.php');}
else { include('access_denied.php');}
}
elseif ($action == 'saved')
{
if(bHasSurveyPermission($surveyid,'responses','read')) {include('saved.php');}
else { include('access_denied.php');}
}
//<AdV>
elseif ($action == 'translate')
{
if(bHasSurveyPermission($surveyid,'translations','read')) {$_SESSION['FileManagerContext']="edit:translate:$surveyid"; include('translate.php');}
else { include('access_denied.php'); }
}
//</AdV>
elseif ($action == 'tokens')
{
if(bHasSurveyPermission($surveyid,'tokens','read'))
{
$_SESSION['FileManagerContext']="edit:emailsettings:$surveyid";
include('tokens.php');
}
else { include('access_denied.php'); }
}
elseif ($action == 'emailtemplates')
{
$_SESSION['FileManagerContext']="edit:emailsettings:$surveyid";
}
elseif ($action == 'iteratesurvey')
{
if(bHasSurveyPermission($surveyid,'surveyactivation','update')) {include('iterate_survey.php');}
else { include('access_denied.php');}
}
elseif ($action=='showquexmlsurvey')
{
include('quexmlsurvey.php'); //Same rights as printable
}
elseif ($action=='showprintablesurvey')
{
include('printablesurvey.php'); //No special right needed to show the printable survey
}
elseif ($action=='listcolumn')
{
include('listcolumn.php');
}
// elseif ($action=='update')
// {
// if( $_SESSION['USER_RIGHT_SUPERADMIN'] == 1) include($homedir.'/update/updater.php');
// else { include('access_denied.php');}
// }
elseif ($action=='assessments' || $action=='assessmentdelete' || $action=='assessmentedit' || $action=='assessmentadd' || $action=='assessmentupdate')
{
if(bHasSurveyPermission($surveyid,'assessments','read')) {
$_SESSION['FileManagerContext']="edit:assessments:$surveyid";
include('assessments.php');
}
else { include('access_denied.php');}
}
elseif ($action == 'replacementfields')
{
switch ($editedaction)
{
case 'labels':
if ($_SESSION['USER_RIGHT_SUPERADMIN'] == 1 || $_SESSION['USER_RIGHT_MANAGE_LABEL']==1)
{
$_SESSION['FileManagerContext']="edit:label:$lid";
include('fck_LimeReplacementFields.php');exit;
}
else
{
include('access_denied.php');
}
break;
case 'newsurvey':
if ($_SESSION['USER_RIGHT_SUPERADMIN'] == 1 || $_SESSION['USER_RIGHT_CREATE_SURVEY'] == 1)
{
include('fck_LimeReplacementFields.php');exit;
}
else
{
include('access_denied.php');
}
break;
case 'editsurveylocalesettings':
case 'updatesurveysettingsandeditlocalesettings':
case 'translatetitle':
case 'translatedescription':
case 'translatewelcome':
case 'translateend':
if (bHasSurveyPermission($surveyid,'surveysettings','update') && bHasSurveyPermission($surveyid,'surveylocale','read'))
{
$_SESSION['FileManagerContext']="edit:survey:$surveyid";
include('fck_LimeReplacementFields.php');exit;
}
else
{
include('access_denied.php');
}
break;
case 'tokens': // email
case 'emailtemplates': // email
if (bHasSurveyPermission($surveyid,'tokens','update'))
{
$_SESSION['FileManagerContext']="edit:emailsettings:$surveyid";
include('fck_LimeReplacementFields.php');exit;
}
else
{
include('access_denied.php');
}
break;
case 'editquestion':
case 'copyquestion':
case 'addquestion':
case 'translatequestion':
case 'translatequestion_help':
if (bHasSurveyPermission($surveyid,'surveycontent','read'))
{
$_SESSION['FileManagerContext']="edit:question:$surveyid";
include('fck_LimeReplacementFields.php');exit;
}
else
{
include('access_denied.php');
}
break;
case 'editgroup':
case 'addgroup':
case 'translategroup':
case 'translategroup_desc':
if (bHasSurveyPermission($surveyid,'surveycontent','read'))
{
$_SESSION['FileManagerContext']="edit:group:$surveyid";
include('fck_LimeReplacementFields.php');exit;
}
else
{
include('access_denied.php');
}
break;
case 'editanswer':
case 'translateanswer':
if (bHasSurveyPermission($surveyid,'surveycontent','read'))
{
$_SESSION['FileManagerContext']="edit:answer:$surveyid";
include('fck_LimeReplacementFields.php');exit;
}
else
{
include('access_denied.php');
}
break;
case 'assessments':
case 'assessmentedit':
if(bHasSurveyPermission($surveyid,'assessments','read')) {
$_SESSION['FileManagerContext']="edit:assessments:$surveyid";
include('fck_LimeReplacementFields.php');
}
else { include('access_denied.php');}
break;
default:
break;
}
}
elseif ($action == 'ajaxtranslategoogleapi')
{
if(bHasSurveyPermission($surveyid,'translations','read'))
{
include('translate_google_api.php');
}
else
{
include('access_denied.php');
}
}
elseif ($action=='ajaxowneredit' || $action == 'ajaxgetusers'){
include('surveylist.php');
}
if (!isset($assessmentsoutput) && !isset($statisticsoutput) && !isset($browseoutput) &&
!isset($savedsurveyoutput) && !isset($listcolumnoutput) && !isset($conditionsoutput) &&
!isset($importoldresponsesoutput) && !isset($exportroutput) && !isset($vvoutput) &&
!isset($tokenoutput) && !isset($exportoutput) && !isset($templatesoutput) && !isset($translateoutput) && //<AdV>
!isset($iteratesurveyoutput) && (substr($action,0,4)!= 'ajax') && ($action!='update') &&
(isset($surveyid) || $action == "" || preg_match('/^(personalsettings|statistics|copysurvey|importsurvey|editsurveysettings|editsurveylocalesettings|updatesurveysettings|updatesurveysettingsandeditlocalesettings|updatedefaultvalues|ordergroups|dataentry|newsurvey|globalsettings|editusergroups|editusergroup|exportspss|surveyrights|quotas|editusers|login|browse|vvimport|vvexport|setuserrights|modifyuser|setusertemplates|deluser|adduser|userrights|usertemplates|moduser|addusertogroup|deleteuserfromgroup|globalsettingssave|savepersonalsettings|addusergroup|editusergroupindb|usergroupindb|finaldeluser|delusergroup|mailusergroup|mailsendusergroup)$/',$action)))
{
if ($action=='editsurveysettings' || $action=='editsurveylocalesettings')
{
$_SESSION['FileManagerContext']="edit:survey:$surveyid";
}
include('html_functions.php');
include('html.php');
}
if ($action == "listsurveys"){
include('html_functions.php');
include('html.php');
include('surveylist.php');
}
if ($action == 'dataentry')
{
if (bHasSurveyPermission($surveyid, 'responses','read') || bHasSurveyPermission($surveyid, 'responses','create') || bHasSurveyPermission($surveyid, 'responses','update'))
{
include('dataentry.php');
}
else
{
include('access_denied.php');
}
}
elseif ($action == 'exportresults')
{
if(bHasSurveyPermission($surveyid,'responses','export')) {include('exportresults.php');}
else { include('access_denied.php');}
}
elseif ($action == 'statistics')
{
if(bHasSurveyPermission($surveyid,'statistics','read')) {include('statistics.php');}
else { include('access_denied.php');}
}
elseif ($action == 'importoldresponses')
{
if(bHasSurveyPermission($surveyid,'responses','create')) {include('importoldresponses.php');}
else { include('access_denied.php');}
}
elseif ($action == 'exportspss')
{
if(bHasSurveyPermission($surveyid,'responses','export'))
{
include('export_data_spss.php');
}
else
{
include('access_denied.php');
}
}
elseif ($action == 'browse')
{
if(bHasSurveyPermission($surveyid,'responses','read') || bHasSurveyPermission($surveyid,'statistics','read') || bHasSurveyPermission($surveyid,'responses','export'))
{
include('browse.php');
}
else
{
include('access_denied.php');
}
}
elseif ($action == 'exportr')
{
if(bHasSurveyPermission($surveyid,'responses','export')) {include('export_data_r.php');}
else { include('access_denied.php');}
}
elseif ($action == 'vvexport')
{
if(bHasSurveyPermission($surveyid,'responses','export')) {include('vvexport.php');}
else { include('access_denied.php');}
}
elseif ($action == 'vvimport')
{
if(bHasSurveyPermission($surveyid,'responses','create')) {include('vvimport.php');}
else { include('access_denied.php');}
}
elseif ($action == 'EMtest') {
switch ($subaction) {
case 'functions':
if(bHasSurveyPermission($surveyid,'surveycontent','read')) {
include('../classes/expressions/test/functions.php');
}
else {
include('access_denied.php');
}
break;
case 'stringsplit':
if(bHasSurveyPermission($surveyid,'surveycontent','read')) {
include('../classes/expressions/test/stringsplit.php');
}
else {
include('access_denied.php');
}
break;
case 'tokenizer':
if(bHasSurveyPermission($surveyid,'surveycontent','read')) {
include('../classes/expressions/test/tokenizer.php');
}
else {
include('access_denied.php');
}
break;
case 'unit':
if(bHasSurveyPermission($surveyid,'surveycontent','read')) {
include('../classes/expressions/test/unit.php');
}
else {
include('access_denied.php');
}
break;
case 'strings_with_expressions':
if(bHasSurveyPermission($surveyid,'surveycontent','read')) {
include('../classes/expressions/test/strings_with_expressions.php');
}
else {
include('access_denied.php');
}
break;
case 'relevance':
if(bHasSurveyPermission($surveyid,'surveycontent','read')) {
include('../classes/expressions/test/relevance.php');
}
else {
include('access_denied.php');
}
break;
case 'conditions2relevance':
if (bHasSurveyPermission($surveyid, 'surveycontent', 'read'))
{
include('../classes/expressions/test/conditions2relevance.php');
}
else
{
include('access_denied.php');
}
break;
case 'navigation_test':
if($_SESSION['USER_RIGHT_CONFIGURATOR']==1) {
include('../classes/expressions/test/navigation_test.php');
}
else {
include('access_denied.php');
}
break;
case 'survey_logic_file':
if($_SESSION['USER_RIGHT_CONFIGURATOR']==1) {
include('../classes/expressions/test/survey_logic_file.php');
}
else {
include('access_denied.php');
}
break;
case 'upgrade_conditions2relevance':
if($_SESSION['USER_RIGHT_CONFIGURATOR']==1) {
include('../classes/expressions/test/upgrade_conditions2relevance.php');
}
else {
include('access_denied.php');
}
break;
default:
if(bHasSurveyPermission($surveyid,'surveycontent','read')) {
include('../classes/expressions/test/test.php');
}
else {
include('access_denied.php');
}
break;
}
exit;
}
if ($action=='addquestion' || $action=='copyquestion' || $action=='editquestion' || $action=='editdefaultvalues' ||
$action=='orderquestions' || $action=='ajaxquestionattributes' || $action=='ajaxlabelsetpicker' || $action=='ajaxlabelsetdetails')
{
if(bHasSurveyPermission($surveyid,'surveycontent','read'))
{
$_SESSION['FileManagerContext']="edit:question:$surveyid";
include('questionhandling.php');
}
else
{
include('access_denied.php');
}
}
if ($action=='adduser' || $action=='deluser'|| $action=='finaldeluser' || $action=='moduser' || $action=='setusertemplates' || $action=='usertemplates' || //Still to check
$action=='userrights' || $action=='modifyuser' || $action=='editusers' ||
$action=='addusergroup' || $action=='editusergroup' || $action=='mailusergroup' ||
$action=='delusergroup' || $action=='usergroupindb' || $action=='mailsendusergroup' ||
$action=='editusergroupindb' || $action=='editusergroups' || $action=='deleteuserfromgroup' ||
$action=='addusertogroup' || $action=='setuserrights' || $action=='setasadminchild')
{
include ('userrighthandling.php');
}
// For some output we dont want to have the standard admin menu bar
if (!isset($labelsoutput) && !isset($templatesoutput) && !isset($printablesurveyoutput) &&
!isset($assessmentsoutput) && !isset($tokenoutput) && !isset($browseoutput) && !isset($exportspssoutput) && !isset($exportroutput) &&
!isset($dataentryoutput) && !isset($statisticsoutput)&& !isset($savedsurveyoutput) && !isset($translateoutput) && //<AdV>
!isset($exportoutput) && !isset($importoldresponsesoutput) && !isset($conditionsoutput) &&
!isset($vvoutput) && !isset($listcolumnoutput) && !isset($importlabelresources) && !isset($iteratesurveyoutput) &&
(substr($action,0,4)!= 'ajax') && $action!='update' && $action!='showphpinfo')
{
$adminoutput.= showadminmenu();
}
if (isset($databaseoutput)) {$adminoutput.= $databaseoutput;}
if (isset($templatesoutput)) {$adminoutput.= $templatesoutput;}
if (isset($accesssummary )) {$adminoutput.= $accesssummary;}
if (isset($surveysummary )) {$adminoutput.= $surveysummary;}
if (isset($usergroupsummary)){$adminoutput.= $usergroupsummary;}
if (isset($usersummary )) {$adminoutput.= $usersummary;}
if (isset($groupsummary )) {$adminoutput.= $groupsummary;}
if (isset($questionsummary)) {$adminoutput.= $questionsummary;}
if (isset($vasummary )) {$adminoutput.= $vasummary;}
if (isset($addsummary )) {$adminoutput.= $addsummary;}
if (isset($answersummary )) {$adminoutput.= $answersummary;}
if (isset($cssummary )) {$adminoutput.= $cssummary;}
if (isset($listcolumnoutput)) {$adminoutput.= $listcolumnoutput;}
if (isset($ajaxoutput)) {$adminoutput.= $ajaxoutput;}
if (isset($editgroup)) {$adminoutput.= $editgroup;}
if (isset($editquestion)) {$adminoutput.= $editquestion;}
if (isset($editdefvalues)) {$adminoutput.= $editdefvalues;}
if (isset($editsurvey)) {$adminoutput.= $editsurvey;}
if (isset($translateoutput)) {$adminoutput.= $translateoutput;} //<AdV>
if (isset($quotasoutput)) {$adminoutput.= $quotasoutput;}
if (isset($labelsoutput)) {$adminoutput.= $labelsoutput;}
if (isset($listsurveys)) {$adminoutput.= $listsurveys; }
if (isset($integritycheck)) {$adminoutput.= $integritycheck;}
if (isset($ordergroups)){$adminoutput.= $ordergroups;}
if (isset($orderquestions)) {$adminoutput.= $orderquestions;}
if (isset($surveysecurity)) {$adminoutput.= $surveysecurity;}
if (isset($exportstructure)) {$adminoutput.= $exportstructure;}
if (isset($newsurvey)) {$adminoutput.= $newsurvey;}
if (isset($newgroupoutput)) {$adminoutput.= $newgroupoutput;}
if (isset($newquestionoutput)) {$adminoutput.= $newquestionoutput;}
if (isset($newanswer)) {$adminoutput.= $newanswer;}
if (isset($editanswer)) {$adminoutput.= $editanswer;}
if (isset($assessmentsoutput)) {$adminoutput.= $assessmentsoutput;}
if (isset($sHTMLOutput)) {$adminoutput.= $sHTMLOutput;}
if (isset($importsurvey)) {$adminoutput.= $importsurvey;}
if (isset($importsurveyresourcesoutput)) {$adminoutput.= $importsurveyresourcesoutput;}
if (isset($importgroup)) {$adminoutput.= $importgroup;}
if (isset($importquestion)) {$adminoutput.= $importquestion;}
if (isset($printablesurveyoutput)) {$adminoutput.= $printablesurveyoutput;}
if (isset($activateoutput)) {$adminoutput.= $activateoutput;}
if (isset($deactivateoutput)) {$adminoutput.= $deactivateoutput;}
if (isset($tokenoutput)) {$adminoutput.= $tokenoutput;}
if (isset($browseoutput)) {$adminoutput.= $browseoutput;}
if (isset($iteratesurveyoutput)) {$adminoutput.= $iteratesurveyoutput;}
if (isset($dataentryoutput)) {$adminoutput.= $dataentryoutput;}
if (isset($statisticsoutput)) {$adminoutput.= $statisticsoutput;}
if (isset($exportoutput)) {$adminoutput.= $exportoutput;}
if (isset($savedsurveyoutput)) {$adminoutput.= $savedsurveyoutput;}
if (isset($importoldresponsesoutput)) {$adminoutput.= $importoldresponsesoutput;}
if (isset($conditionsoutput)) {$adminoutput.= $conditionsoutput;}
if (isset($deletesurveyoutput)) {$adminoutput.= $deletesurveyoutput;}
if (isset($resetsurveylogicoutput)) {$adminoutput.= $resetsurveylogicoutput;}
if (isset($vvoutput)) {$adminoutput.= $vvoutput;}
if (isset($dumpdboutput)) {$adminoutput.= $dumpdboutput;}
if (isset($exportspssoutput)) {$adminoutput.= $exportspssoutput;}
if (isset($exportroutput)) {$adminoutput.= $exportroutput;}
if (isset($loginsummary)) {$adminoutput.= $loginsummary;}
if (!isset($printablesurveyoutput) && $subaction!='export' && (substr($action,0,4)!= 'ajax'))
{
if (!isset($_SESSION['metaHeader'])) {$_SESSION['metaHeader']='';}
$adminoutput = getAdminHeader($_SESSION['metaHeader']).$adminoutput; // All future output is written into this and then outputted at the end of file
unset($_SESSION['metaHeader']);
$adminoutput.= "</div>\n";
if(!isset($_SESSION['checksessionpost']))
{
$_SESSION['checksessionpost'] = '';
}
$adminoutput .= "<script type=\"text/javascript\">\n"
. "<!--\n"
. "\tfor(i=0; i<document.forms.length; i++)\n"
. "\t{\n"
. "var el = document.createElement('input');\n"
. "el.type = 'hidden';\n"
. "el.name = 'checksessionbypost';\n"
. "el.value = '".$_SESSION['checksessionpost']."';\n"
. "document.forms[i].appendChild(el);\n"
. "\t}\n"
. "\n"
. "\tfunction addHiddenElement(theform,thename,thevalue)\n"
. "\t{\n"
. "var myel = document.createElement('input');\n"
. "myel.type = 'hidden';\n"
. "myel.name = thename;\n"
. "theform.appendChild(myel);\n"
. "myel.value = thevalue;\n"
. "return myel;\n"
. "\t}\n"
. "\n"
. "\tfunction sendPost(myaction,checkcode,arrayparam,arrayval)\n"
. "\t{\n"
. "var myform = document.createElement('form');\n"
. "document.body.appendChild(myform);\n"
. "myform.action =myaction;\n"
. "myform.method = 'POST';\n"
. "for (i=0;i<arrayparam.length;i++)\n"
. "{\n"
. "\taddHiddenElement(myform,arrayparam[i],arrayval[i])\n"
. "}\n"
. "addHiddenElement(myform,'checksessionbypost',checkcode)\n"
. "myform.submit();\n"
. "\t}\n"
. "\n"
. "//-->\n"
. "</script>\n";
$adminoutput .= getAdminFooter("http://docs.limesurvey.org", $clang->gT("LimeSurvey online manual"));
}
}
else
{ //not logged in
sendcacheheaders();
$adminoutput = <<<EOD
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<!-- The above 3 meta tags *must* come first in the head; any other head content must come *after* these tags -->
<meta name="description" content="">
<meta name="author" content="">
<title>queXS Authentication</title>
<!-- Bootstrap core CSS -->
<link href="../../../include/bootstrap/css/bootstrap.min.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="../../../css/signin.css" rel="stylesheet">
</head>
<body>
<div class="container">
EOD;
$adminoutput .= $loginsummary;
$adminoutput .= "</div></body></html>";
unset($_SESSION['metaHeader']);
}
if (($action=='showphpinfo') && ($_SESSION['USER_RIGHT_CONFIGURATOR'] == 1))
{
phpinfo();
}
else
{
echo $adminoutput;
}

11
login.php Normal file

@@ -0,0 +1,11 @@
<?php
if($casEnabled==true)
{
include_once("login_check_cas.php");
}
else
{
include_once('login_check.php');
}
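Review bot: login.php includes `login_check.php`, whose first statement dies with "Cannot run this script directly" when `$dbprefix` is not set and whose visible lines also rely on `$clang` and `$connect`, yet none of the nine lines shown of this new file load the configuration that defines them; unless the two lines of the eleven not shown here do so, a browser following the `Location: login.php` redirects added elsewhere in this commit reaches that die() instead of the login form. In the same situation `if($casEnabled==true)` reads an undefined variable, and the loose `== true` also treats a non-empty string such as "false" as enabled, so `if (!empty($casEnabled))` or `if ($casEnabled === true)` states the intent more clearly. A one-line header comment naming the bootstrap file this script expects to have been included first would make the dependency explicit for the next maintainer.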

254
login_check.php Normal file

@@ -0,0 +1,254 @@
<?php
/*
* LimeSurvey
* Copyright (C) 2007 The LimeSurvey Project Team / Carsten Schmitz
* All rights reserved.
* License: GNU/GPL License v2 or later, see LICENSE.php
* LimeSurvey is free software. This version may have been modified pursuant
* to the GNU General Public License, and as distributed it includes or
* is derivative of works licensed under the GNU General Public License or
* other free or open source software licenses.
* See COPYRIGHT.php for copyright notices and details.
*
* $Id: login_check.php 12211 2012-01-26 17:02:27Z shnoulle $
*/
if (!isset($dbprefix) || isset($_REQUEST['dbprefix'])) {die("Cannot run this script directly");}
if (!isset($action)) {$action=returnglobal('action');}
/*
* New feature since version 1.81: One time passwords
* The user can call the limesurvey login at /limesurvey/admin and pass username and
* a one time password which was previously written into the users table (column one_time_pw) by
* an external application.
* Furthermore there is a setting in config-defaults which has to be turned on (default = off)
* to enable the usage of one time passwords.
*/
//check if data was passed by URL
if(isset($_GET['user']) && isset($_GET['onepass']))
{
//take care of passed data
$user = sanitize_user($_GET['user']);
$pw = sanitize_paranoid_string(md5($_GET['onepass']));
//check if setting $use_one_time_passwords exists in config file
if(isset($use_one_time_passwords))
{
//$use_one_time_passwords switched OFF but data was passed by URL: Show error message
if($use_one_time_passwords === false)
{
//create an error message
$loginsummary = "<br />".$clang->gT("Data for username and one time password was received but the usage of one time passwords is disabled at your configuration settings. Please add the following line to config.php to enable one time passwords: ")."<br />";
$loginsummary .= '<br /><em>$use_one_time_passwords = true;</em><br />';
$loginsummary .= "<br /><br /><a href='$scriptname'>".$clang->gT("Continue")."</a><br />&nbsp;\n";
}
//Data was passed, using one time passwords is enabled
else
{
//check if user exists in DB
$query = "SELECT uid, users_name, password, one_time_pw, dateformat, full_name, htmleditormode, questionselectormode, templateeditormode FROM ".db_table_name('users')." WHERE users_name=".$connect->qstr($user);
$ADODB_FETCH_MODE = ADODB_FETCH_ASSOC; //Checked
$result = $connect->SelectLimit($query, 1) or safe_die ($query."<br />".$connect->ErrorMsg());
if(!$result)
{
echo "<br />".$connect->ErrorMsg();
}
if ($result->RecordCount() < 1)
{
// wrong or unknown username
$loginsummary = sprintf($clang->gT("No one-time password found for user %s"),htmlspecialchars($user))."<br />";
if ($sessionhandler=='db')
{
adodb_session_regenerate_id();
}
else
{
session_regenerate_id();
}
}
else
{
//get one time pw from db
$srow = $result->FetchRow();
$otpw = $srow['one_time_pw'];
//check if passed password and one time password from database DON'T match
if($pw != $otpw)
{
//no match -> warning
$loginsummary = "<p>".$clang->gT("Passed single-use password was wrong or user doesn't exist")."<br />";
$loginsummary .= "<br /><br /><a href='$scriptname'>".$clang->gT("Continue")."</a><br />&nbsp;\n";
}
//both passwords match
else
{
//delete one time password in database
$uquery = "UPDATE ".db_table_name('users')."
SET one_time_pw=''
WHERE users_name='".db_quote($user)."'";
$uresult = $connect->Execute($uquery);
//data necessary for following functions
$_SESSION['user'] = $srow['users_name'];
$_SESSION['checksessionpost'] = sRandomChars(10);
$_SESSION['loginID'] = $srow['uid'];
$_SESSION['dateformat'] = $srow['dateformat'];
$_SESSION['htmleditormode'] = $srow['htmleditormode'];
$_SESSION['questionselectormode'] = $srow['questionselectormode'];
$_SESSION['templateeditormode'] = $srow['templateeditormode'];
$_SESSION['full_name'] = $srow['full_name'];
GetSessionUserRights($_SESSION['loginID']);
// Check if the user has changed his default password
if (strtolower($srow['password'])=='password')
{
$_SESSION['pw_notify']=true;
$_SESSION['flashmessage']=$clang->gT("Warning: You are still using the default password ('password'). Please change your password and re-login again.");
}
else
{
$_SESSION['pw_notify']=false;
}
//delete passed information
unset($_GET['user']);
unset($_GET['onepass']);
} //else -> passwords match
} //else -> password found
} //else -> one time passwords enabled
} //else -> one time passwords set
} //else -> data was passed by URL
// check data for login
if( isset($_POST['user']) && isset($_POST['password']) ||
($action == "forgotpass") || ($action == "login") ||
($action == "logout") ||
($useWebserverAuth === true && !isset($_SESSION['loginID'])) )
{
include("usercontrol.php");
}
// login form
if(!isset($_SESSION['loginID']) && $action != "forgotpass" && ($action != "logout" || ($action == "logout" && !isset($_SESSION['loginID'])))) // && $action != "login") // added by Dennis
{
if($action == "forgotpassword")
{
$loginsummary = '
<form class="form-signin" name="forgotpassword" id="forgotpassword" method="post" action="'.$homeurl.'/admin.php" >
<h2>'.$clang->gT('You have to enter user name and email.').'</h2><br/>
<p><label for="user">'.$clang->gT('Username').'</label><input name="user" id="user" class="form-control" placeholder="'.$clang->gT('Username').'" required autofocus type="text" size="60" maxlength="60" value="" /></p>
<p><label for="email">'.$clang->gT('Email').'</label><input name="email" id="email" class="form-control" placeholder="'.$clang->gT('Email').'" required type="text" size="60" maxlength="60" value="" /></p>
<input type="hidden" name="action" value="forgotpass" />
<p><button class="action btn btn-lg btn-primary btn-block" type="submit">'.$clang->gT('Check Data').'</button></p>
<p><a href="'.$scriptname.'">'.$clang->gT('Main Admin Screen').'</a></p>
</form>
';
}
elseif (!isset($loginsummary))
{ // could be at login or after logout
$refererargs=''; // If this is a direct access to admin.php, no args are given
// If we are called from a link with action and other args set, get them
if (isset($_SERVER['QUERY_STRING']) && $_SERVER['QUERY_STRING'])
{
$refererargs = html_escape($_SERVER['QUERY_STRING']);
}
//include("database.php");
$sIp = getIPAddress();
$query = "SELECT * FROM ".db_table_name('failed_login_attempts'). " WHERE ip='$sIp';";
$ADODB_FETCH_MODE = ADODB_FETCH_ASSOC;
$result = $connect->query($query) or safe_die ($query."<br />".$connect->ErrorMsg());
$bCannotLogin = false;
$intNthAttempt = 0;
if ($result!==false && $result->RecordCount() >= 1)
{
$field = $result->FetchRow();
$intNthAttempt = $field['number_attempts'];
if ($intNthAttempt>=$maxLoginAttempt){
$bCannotLogin = true;
}
$iLastAttempt = strtotime($field['last_attempt']);
if (time() > $iLastAttempt + $timeOutTime){
$bCannotLogin = false;
$query = "DELETE FROM ".db_table_name('failed_login_attempts'). " WHERE ip='$sIp';";
$result = $connect->query($query) or safe_die ($query."<br />".$connect->ErrorMsg());
}
}
$loginsummary ="";
if (!$bCannotLogin)
{
if (!isset($logoutsummary))
{
$loginsummary = "<form name='loginform' id='loginform' class='form-signin' method='post' action='$homeurl/admin.php' ><h2>".$clang->gT("You have to login first.")."</h2><br />";
}
else
{
$loginsummary = "<form name='loginform' id='loginform' class='form-signin' method='post' action='$homeurl/admin.php' ><br /><strong>".$logoutsummary."</strong><br /><br />";
}
$loginsummary .= "<p><label for='user'>".$clang->gT("Username")."</label>
<input class='form-control' placeholder='".$clang->gT("Username")."' required autofocus name='user' id='user' type='text' size='40' maxlength='40' value='' /></p>
<p><label for='password'>".$clang->gT("Password")."</label>
<input name='password' id='password' class='form-control' placeholder='".$clang->gT("Password")."' required type='password' size='40' maxlength='40' /></p>
<p><label for='loginlang'>".$clang->gT("Language")."</label>
<select id='loginlang' class='form-control' name='loginlang'>\n";
$loginsummary .='<option value="default" selected="selected">'.$clang->gT('Default').'</option>';
$lan=array();
foreach (getlanguagedata(true) as $langkey=>$languagekind)
{
array_push($lan,$langkey);
}
foreach (getlanguagedata(true) as $langkey=>$languagekind)
{
//The following conditional statements select the browser language in the language drop down box and echoes the other options.
$loginsummary .= "\t\t\t\t<option value='$langkey'>".$languagekind['nativedescription']." - ".$languagekind['description']."</option>\n";
}
$loginsummary .= "\t\t\t</select></p>\n
<input type='hidden' name='action' value='login' />
<input type='hidden' name='refererargs' value='".$refererargs."' />
<p><button class='action btn btn-lg btn-primary btn-block' type='submit'>".$clang->gT("Login")."</button></p>";
}
else{
$loginsummary .= "<p>".sprintf($clang->gT("You have exceeded you maximum login attempts. Please wait %d minutes before trying again"),($timeOutTime/60))."<br /></p>";
}
if ($display_user_password_in_email === true)
{
$loginsummary .= "<a href='$scriptname?action=forgotpassword'>".$clang->gT("Forgot Your Password?")."</a><br />&nbsp;\n";
}
$loginsummary .= " </form><br />";
$loginsummary .= " <script type='text/javascript'>\n";
$loginsummary .= " document.getElementById('user').focus();\n";
$loginsummary .= " </script>\n";
}
}

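--- /dev/null
+++ b/login_check_cas.php
@@ -0,0 +1,115 @@
+<?php
+/*
+* LimeSurvey
+* Copyright (C) 2007 The LimeSurvey Project Team / Carsten Schmitz
+* All rights reserved.
+* License: GNU/GPL License v2 or later, see LICENSE.php
+* LimeSurvey is free software. This version may have been modified pursuant
+* to the GNU General Public License, and as distributed it includes or
+* is derivative of works licensed under the GNU General Public License or
+* other free or open source software licenses.
+* See COPYRIGHT.php for copyright notices and details.
+*
+* $Id: login_check_cas.php 12211 2012-01-26 17:02:27Z shnoulle $
+*/
+if (!isset($dbprefix) || isset($_REQUEST['dbprefix'])) {die("Cannot run this script directly");}
+if (!isset($action)) {$action=returnglobal('action');}
+//
+// phpCAS simple client
+//
+if(!isset($_SESSION['CASauthenticated']) || (isset($_SESSION['CASauthenticated']) && $_SESSION['CASauthenticated']==FALSE) || (isset($_REQUEST['action']) && $_REQUEST['action'] =='logout') )
+{
+//echo "bla";
+// import phpCAS lib
+include_once('include/phpCAS/CAS.php');
+// phpCAS::setDebug();
+phpCAS::client(CAS_VERSION_2_0, $casAuthServer,$casAuthPort, $casAuthUri);
+phpCAS::setNoCasServerValidation();
+if (isset($_REQUEST['action']) && $_REQUEST['action']=='logout')
+{
+phpCAS::handleLogoutRequests();
+//session_unset();
+phpCAS::logout();
+session_destroy();
+session_write_close();
+//phpCAS::forceAuthentication();
+}
+else
+{
+// force CAS authentication
+$auth = phpCAS::forceAuthentication();
+if($auth)
+{
+$query = "SELECT uid, users_name, password, one_time_pw, dateformat, full_name, htmleditormode, questionselectormode, templateeditormode FROM ".db_table_name('users')." WHERE users_name=".$connect->qstr(phpCAS::getUser());
+$ADODB_FETCH_MODE = ADODB_FETCH_ASSOC; //Checked
+$result = $connect->SelectLimit($query, 1) or safe_die ($query."<br />".$connect->ErrorMsg());
+if(!$result)
+{
+echo "<br />".$connect->ErrorMsg();
+}
+if ($result->RecordCount() < 1)
+{
+// wrong or unknown username
+$loginsummary = sprintf($clang->gT("No user"))."<br />";
+if ($sessionhandler=='db')
+{
+adodb_session_regenerate_id();
+}
+else
+{
+session_regenerate_id();
+}
+}
+else
+{
+$srow = $result->FetchRow();
+$_SESSION['user'] = $srow['users_name'];
+$_SESSION['checksessionpost'] = sRandomChars(10);
+$_SESSION['loginID'] = $srow['uid'];
+$_SESSION['dateformat'] = $srow['dateformat'];
+$_SESSION['htmleditormode'] = $srow['htmleditormode'];
+$_SESSION['questionselectormode'] = $srow['questionselectormode'];
+$_SESSION['templateeditormode'] = $srow['templateeditormode'];
+$_SESSION['full_name'] = $srow['full_name'];
+GetSessionUserRights($_SESSION['loginID']);
+$auth = TRUE;
+$_SESSION['CASauthenticated'] = $auth;
+//go to queXS
+$loc = "";
+if ($_SESSION['USER_RIGHT_SUPERADMIN'] == 1)
+$loc = "admin";
+else
+{
+$utest = $connect->GetOne("SELECT username FROM client WHERE username = '" . $_SESSION['user'] . "'");
+if (!empty($utest))
+$loc = "client";
+}
+header('Location: ' . QUEXS_URL . $loc);
+die();
+}
+}
+else
+{
+$auth = FALSE;
+$_SESSION['CASauthenticated'] = $auth;
+}
+}
+}
+?>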
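Review bot: `phpCAS::setNoCasServerValidation();`, called right after `phpCAS::client(...)`, turns off verification of the CAS server's TLS certificate, so anyone who can interpose on the path to the CAS server can answer the ticket-validation request with a username of their choosing and be logged in as that account, including a superadmin that is then redirected to `QUEXS_URL . "admin"`. Replace it with `phpCAS::setCasServerCACert(...)` pointed at the CA certificate the CAS server's certificate chains to, configured alongside the existing $casAuthServer/$casAuthPort/$casAuthUri settings, and keep the no-validation call only behind an explicit development-only flag if it is needed at all. The successful-login branch (the `else` after `RecordCount() < 1`) also never regenerates the session id, whereas the unknown-user branch and the password login path in usercontrol.php both do, so a session id fixed before the CAS redirect stays valid once `$_SESSION['loginID']` is populated; add the same `adodb_session_regenerate_id()` / `session_regenerate_id()` pair before the `$_SESSION` assignments. The client lookup `"SELECT username FROM client WHERE username = '" . $_SESSION['user'] . "'"` is string-built SQL; the value comes from the users table rather than the request, but it should still go through `$connect->qstr($_SESSION['user'])` as the users query a few lines above already does.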

907
usercontrol.php Normal file

@@ -0,0 +1,907 @@
<?php
/*
* LimeSurvey
* Copyright (C) 2007 The LimeSurvey Project Team / Carsten Schmitz
* All rights reserved.
* License: GNU/GPL License v2 or later, see LICENSE.php
* LimeSurvey is free software. This version may have been modified pursuant
* to the GNU General Public License, and as distributed it includes or
* is derivative of works licensed under the GNU General Public License or
* other free or open source software licenses.
* See COPYRIGHT.php for copyright notices and details.
*
* $Id: usercontrol.php 12260 2012-01-31 00:32:32Z c_schmitz $
*/
// Security Checked: POST, GET, SESSION, REQUEST, returnglobal, DB
if (isset($_REQUEST['homedir'])) {die('You cannot start this script directly');}
include_once("login_check.php"); //Login Check dies also if the script is started directly
require_once($homedir."/classes/core/sha256.php");
if (isset($_POST['user'])) {$postuser=sanitize_user($_POST['user']);}
if (isset($_POST['email'])) {$postemail=sanitize_email($_POST['email']);}
if (isset($_POST['loginlang'])) {$postloginlang=sanitize_languagecode($_POST['loginlang']);}
if (isset($_POST['new_user'])) {$postnew_user=sanitize_user($_POST['new_user']);}
if (isset($_POST['new_email'])) {$postnew_email=sanitize_email($_POST['new_email']);}
if (isset($_POST['new_full_name'])) {$postnew_full_name=sanitize_userfullname($_POST['new_full_name']);}
if (isset($_POST['uid'])) {$postuserid=sanitize_int($_POST['uid']);}
if (isset($_POST['full_name'])) {$postfull_name=sanitize_userfullname($_POST['full_name']);}
if (!isset($_SESSION['loginID']))
{
// If Web server Authent delegation is ON, then
// read the loginname. This can be either PHP_AUTH_USER or
// REMOTE_USER
if ($useWebserverAuth === true &&
!isset($_SERVER['PHP_AUTH_USER']) &&
isset($_SERVER['REMOTE_USER']) )
{
$_SERVER['PHP_AUTH_USER'] = $_SERVER['REMOTE_USER'];
}
if($action == "forgotpass" && $display_user_password_in_email === true)
{
$loginsummary = "<br /><strong>".$clang->gT("Forgot password")."</strong><br />\n";
if (isset($postuser) && isset($postemail))
{
include("database.php");
$emailaddr = $postemail;
$query = "SELECT users_name, password, uid FROM ".db_table_name('users')." WHERE users_name=".$connect->qstr($postuser)." AND email=".$connect->qstr($emailaddr);
$result = db_select_limit_assoc($query, 1) or safe_die ($query."<br />".$connect->ErrorMsg()); // Checked
if ($result->RecordCount() < 1)
{
// wrong or unknown username and/or email
$loginsummary .= "<br />".$clang->gT("User name and/or email not found!")."<br />";
$loginsummary .= "<br /><br /><a href='$scriptname?action=forgotpassword'>".$clang->gT("Continue")."</a></div><br />&nbsp;\n";
}
else
{
$fields = $result->FetchRow();
// send Mail
$new_pass = createPassword();
$body = sprintf($clang->gT("Your user data for accessing %s"),$sitename). "<br />\n";;
$body .= $clang->gT("Username") . ": " . $fields['users_name'] . "<br />\n";
$body .= $clang->gT("New password") . ": " . $new_pass . "<br />\n";
$subject = $clang->gT("User data","unescaped");
$to = $emailaddr;
$from = $siteadminemail;
if(SendEmailMessage(null, $body, $subject, $to, $from, $sitename, false,$siteadminbounce))
{
$query = "UPDATE ".db_table_name('users')." SET password='".SHA256::hashing($new_pass)."' WHERE uid={$fields['uid']}";
$connect->Execute($query); //Checked
$loginsummary .= "<br />".$clang->gT("Username").": {$fields['users_name']}<br />".$clang->gT("Email").": {$emailaddr}<br />";
$loginsummary .= "<br />".$clang->gT("An email with your login data was sent to you.");
$loginsummary .= "<br /><br /><a href='$scriptname'>".$clang->gT("Continue")."</a><br />&nbsp;\n";
}
else
{
$tmp = str_replace("{NAME}", "<strong>".$fields['users_name']."</strong>", $clang->gT("Email to {NAME} ({EMAIL}) failed."));
$loginsummary .= "<br />".str_replace("{EMAIL}", $emailaddr, $tmp) . "<br />";
$loginsummary .= "<br /><br /><a href='$scriptname?action=forgotpassword'>".$clang->gT("Continue")."</a><br />&nbsp;\n";
}
}
}
}
elseif($action == "login" && $useWebserverAuth === false) // normal login
{
$loginsummary = '';
if (isset($postuser) && isset($_POST['password']))
{
include("database.php");
$sIp = getIPAddress();
$query = "SELECT * FROM ".db_table_name('failed_login_attempts'). " WHERE ip='$sIp';";
$ADODB_FETCH_MODE = ADODB_FETCH_ASSOC;
$result = $connect->query($query);
$bLoginAttempted = false;
$bCannotLogin = false;
$intNthAttempt = 0;
if ($result!==false && $result->RecordCount() >= 1)
{
$bLoginAttempted = true;
$field = $result->FetchRow();
$intNthAttempt = $field['number_attempts'];
if ($intNthAttempt>=$maxLoginAttempt){
$bCannotLogin = true;
}
$iLastAttempt = strtotime($field['last_attempt']);
if (time() > $iLastAttempt + $timeOutTime){
$bCannotLogin = false;
$query = "DELETE FROM ".db_table_name('failed_login_attempts'). " WHERE ip='$sIp';";
$result = $connect->query($query) or safe_die ($query."<br />".$connect->ErrorMsg());
}
}
if(!$bCannotLogin){
$query = "SELECT * FROM ".db_table_name('users')." WHERE users_name=".$connect->qstr($postuser);
$result = $connect->SelectLimit($query, 1) or safe_die ($query."<br />".$connect->ErrorMsg());
if ($result->RecordCount() < 1)
{
$query = fGetLoginAttemptUpdateQry($bLoginAttempted,$sIp);
$result = $connect->Execute($query) or safe_die ($query."<br />".$connect->ErrorMsg());;
if ($result)
{
// wrong or unknown username
$loginsummary .= "<p>".$clang->gT("Incorrect username and/or password!")."</p><br />";
if ($intNthAttempt+1>=$maxLoginAttempt)
$loginsummary .= sprintf($clang->gT("You have exceeded you maximum login attempts. Please wait %d minutes before trying again"),($timeOutTime/60))."<br />";
$loginsummary .= "<br /><a href='$scriptname'>".$clang->gT("Continue")."</a><br />&nbsp;\n";
}
}
else
{
$fields = $result->FetchRow();
if (SHA256::hashing($_POST['password']) == $fields['password'])
{
// Anmeldung ERFOLGREICH
if (strtolower($_POST['password'])=='password')
{
$_SESSION['pw_notify']=true;
$_SESSION['flashmessage']=$clang->gT("Warning: You are still using the default password ('password'). Please change your password and re-login again.");
}
else
{
$_SESSION['pw_notify']=false;
} // Check if the user has changed his default password
if ($sessionhandler=='db')
{
adodb_session_regenerate_id();
}
else
{
session_regenerate_id();
}
$_SESSION['loginID'] = intval($fields['uid']);
$_SESSION['user'] = $fields['users_name'];
$_SESSION['full_name'] = $fields['full_name'];
$_SESSION['htmleditormode'] = $fields['htmleditormode'];
$_SESSION['questionselectormode'] = $fields['questionselectormode'];
$_SESSION['templateeditormode'] = $fields['templateeditormode'];
$_SESSION['dateformat'] = $fields['dateformat'];
// Compute a checksession random number to test POSTs
$_SESSION['checksessionpost'] = sRandomChars(10);
if (isset($postloginlang) && $postloginlang!='default')
{
$_SESSION['adminlang'] = $postloginlang;
$clang = new limesurvey_lang($postloginlang);
$uquery = "UPDATE {$dbprefix}users "
. "SET lang='{$postloginlang}' "
. "WHERE uid={$_SESSION['loginID']}";
$uresult = $connect->Execute($uquery); // Checked
}
else
{
if ( $fields['lang']=='auto' && isset( $_SERVER["HTTP_ACCEPT_LANGUAGE"] ) )
{
$browlang=strtolower( $_SERVER["HTTP_ACCEPT_LANGUAGE"] );
$browlang=str_replace(' ', '', $browlang);
$browlang=explode( ",", $browlang);
$browlang=$browlang[0];
$browlang=explode( ";", $browlang);
$browlang=$browlang[0];
$check=0;
$value=26;
if ($browlang!="zh-hk" && $browlang!="zh-tw" && $browlang!="es-mx" && $browlang!="pt-br")
{
$browlang=explode( "-",$browlang);
$browlang=$browlang[0];
}
$_SESSION['adminlang']=$browlang;
}
else
{
$_SESSION['adminlang'] = $fields['lang'];
}
$clang = new limesurvey_lang($_SESSION['adminlang']);
}
$login = true;
$loginsummary .= "<div class='messagebox ui-corner-all'>\n";
$loginsummary .= "<div class='header ui-widget-header'>" . $clang->gT("Logged in") . "</div>";
$loginsummary .= "<br />".sprintf($clang->gT("Welcome %s!"),$_SESSION['full_name'])."<br />&nbsp;";
$loginsummary .= "</div>\n";
if (isset($_POST['refererargs']) && $_POST['refererargs'] &&
strpos($_POST['refererargs'], "action=logout") === FALSE)
{
require_once("../classes/inputfilter/class.inputfilter_clean.php");
$myFilter = new InputFilter('','',1,1,1);
// Prevent XSS attacks
$sRefererArg=$myFilter->process($_POST['refererargs']);
$_SESSION['metaHeader']="<meta http-equiv=\"refresh\""
. " content=\"1;URL={$scriptname}?".$sRefererArg."\" />";
$loginsummary .= "<p><font size='1'><i>".$clang->gT("Reloading screen. Please wait.")."</i></font>\n";
}
$loginsummary .= "<br /><br />\n";
GetSessionUserRights($_SESSION['loginID']);
//go to queXS
$loc = "";
if ($_SESSION['USER_RIGHT_SUPERADMIN'] == 1)
$loc = "admin";
else
{
$utest = $connect->GetOne("SELECT username FROM client WHERE username = '" . $_SESSION['user'] . "'");
if (!empty($utest))
$loc = "client";
}
header('Location: ' . QUEXS_URL . $loc);
die();
}
else
{
$query = fGetLoginAttemptUpdateQry($bLoginAttempted,$sIp);
$result = $connect->Execute($query) or safe_die ($query."<br />".$connect->ErrorMsg());;
if ($result)
{
// wrong or unknown username
$loginsummary .= "<p>".$clang->gT("Incorrect username and/or password!")."<br />";
if ($intNthAttempt+1>=$maxLoginAttempt)
$loginsummary .= sprintf($clang->gT("You have exceeded you maximum login attempts. Please wait %d minutes before trying again"),($timeOutTime/60))."<br />";
$loginsummary .= "<br /><a href='$scriptname'>".$clang->gT("Continue")."</a><br />&nbsp;\n";
}
}
}
}
else{
$loginsummary .= "<p>".sprintf($clang->gT("You have exceeded you maximum login attempts. Please wait %d minutes before trying again"),($timeOutTime/60))."<br />";
$loginsummary .= "<br /><a href='$scriptname'>".$clang->gT("Continue")."</a><br />&nbsp;\n";
}
}
}
elseif($useWebserverAuth === true && !isset($_SERVER['PHP_AUTH_USER'])) // LimeSurvey expects webserver auth but it has not been achieved
{
$loginsummary .= "<br />".$clang->gT("LimeSurvey is setup to use the webserver authentication, but it seems you have not already been authenticated")."<br />";
$loginsummary .= "<br /><br />".$clang->gT("Please contact your system administrator")."<br />&nbsp;\n";
}
elseif($useWebserverAuth === true && isset($_SERVER['PHP_AUTH_USER'])) // normal login through webserver authentication
{
$action = 'login';
// we'll include database.php
// we need to unset surveyid
// that could be set if the user clicked on
// a link with all params before first auto-login
unset($surveyid);
$loginsummary = '';
// getting user name, optionnally mapped
if (isset($userArrayMap) && is_array($userArrayMap) &&
isset($userArrayMap[$_SERVER['PHP_AUTH_USER']]))
{
$mappeduser=$userArrayMap[$_SERVER['PHP_AUTH_USER']];
}
else
{
$mappeduser=$_SERVER['PHP_AUTH_USER'];
}
include("database.php");
$query = "SELECT uid, users_name, password, parent_id, email, lang, htmleditormode, questionselectormode, templateeditormode, dateformat FROM ".db_table_name('users')." WHERE users_name=".$connect->qstr($mappeduser);
$ADODB_FETCH_MODE = ADODB_FETCH_ASSOC; //Checked
$result = $connect->SelectLimit($query, 1) or safe_die ($query."<br />".$connect->ErrorMsg());
if ($result->RecordCount() < 1)
{
// In case the hook function is defined
// overrite the default auto-import profile
// by this function's result
if (function_exists("hook_get_autouserprofile"))
{
// If defined this function returns an array
// describing the defaukt profile for this user
$WebserverAuth_autouserprofile = hook_get_autouserprofile($mappeduser);
}
if (isset($WebserverAuth_autocreateUser) &&
$WebserverAuth_autocreateUser === true &&
isset($WebserverAuth_autouserprofile) &&
is_array ($WebserverAuth_autouserprofile) &&
count($WebserverAuth_autouserprofile) > 0 )
{ // user doesn't exist but auto-create user is set
$isAuthenticated=false;
$new_pass = createPassword();
$uquery = "INSERT INTO {$dbprefix}users "
."(users_name, password,full_name,parent_id,lang,email,create_survey,create_user,delete_user,superadmin,configurator,manage_template,manage_label) "
."VALUES ("
. $connect->qstr($mappeduser).", "
. "'".SHA256::hashing($new_pass)."', "
. "'".db_quote($WebserverAuth_autouserprofile['full_name'])."', "
. getInitialAdmin_uid()." , "
. "'".$WebserverAuth_autouserprofile['lang']."', "
. "'".db_quote($WebserverAuth_autouserprofile['email'])."', "
. intval($WebserverAuth_autouserprofile['create_survey']).","
. intval($WebserverAuth_autouserprofile['create_user']).","
. intval($WebserverAuth_autouserprofile['delete_user']).","
. intval($WebserverAuth_autouserprofile['superadmin']).","
. intval($WebserverAuth_autouserprofile['configurator']).","
. intval($WebserverAuth_autouserprofile['manage_template']).","
. intval($WebserverAuth_autouserprofile['manage_label'])
.")";
$uresult = $connect->Execute($uquery); //Checked
if ($uresult)
{
$isAuthenticated=true;
$newqid = $connect->Insert_ID("{$dbprefix}users","uid");
$arrayTemplates=explode(",",$WebserverAuth_autouserprofile['templatelist']);
foreach ($arrayTemplates as $tplname)
{
$template_query = "INSERT INTO {$dbprefix}templates_rights VALUES('$newqid','$tplname','1')";
$connect->Execute($template_query); //Checked
}
// read again user from newly created entry
$result = $connect->SelectLimit($query, 1) or safe_die ($query."<br />".$connect->ErrorMsg());//Checked
}
else
{
$loginsummary .= "<br />".$clang->gT("Auto-import of user failed!")."<br />";
$loginsummary .= "<br /><br /><a href='$scriptname'>".$clang->gT("Continue")."</a><br />&nbsp;\n";
$isAuthenticated=false;
}
}
else
{
$query = fGetLoginAttemptUpdateQry($bLoginAttempted,$sIp);
$result = $connect->Execute($query) or safe_die ($query."<br />".$connect->ErrorMsg());;
if ($result)
{
// wrong or unknown username
$loginsummary .= "<p>".$clang->gT("Incorrect username and/or password!")."<br />";
if ($intNthAttempt+1>=$maxLoginAttempt)
$loginsummary .= sprintf($clang->gT("You have exceeded you maximum login attempts. Please wait %d minutes before trying again"),($timeOutTime/60))."<br />";
$loginsummary .= "<br /><a href='$scriptname'>".$clang->gT("Continue")."</a><br />&nbsp;\n";
}
$isAuthenticated=false;
}
}
else
{ // User already exists
$isAuthenticated=true;
}
if ($isAuthenticated ===true)
{ // user exists and was authenticated by webserver
$fields = $result->FetchRow();
$_SESSION['loginID'] = intval($fields['uid']);
$_SESSION['user'] = $fields['users_name'];
$_SESSION['adminlang'] = $fields['lang'];
$_SESSION['htmleditormode'] = $fields['htmleditormode'];
$_SESSION['questionselectormode'] = $fields['questionselectormode'];
$_SESSION['templateeditormode'] = $fields['templateeditormode'];
$_SESSION['dateformat'] = $fields['dateformat'];
$_SESSION['checksessionpost'] = sRandomChars(10);
$_SESSION['pw_notify']=false;
$clang = new limesurvey_lang($_SESSION['adminlang']);
$login = true;
$loginsummary .= "<br /><span style='font-weight:bold;'>" .sprintf($clang->gT("Welcome %s!"),$_SESSION['user']) . "</span><br />";
$loginsummary .= $clang->gT("You logged in successfully.");
if (isset($_SERVER['QUERY_STRING']) && $_SERVER['QUERY_STRING'] &&
strpos($_SERVER['QUERY_STRING'], "action=logout") === FALSE)
{
$_SESSION['metaHeader']="<meta http-equiv=\"refresh\""
. " content=\"1;URL={$scriptname}?".$_SERVER['QUERY_STRING']."\" />";
$loginsummary .= "<p><font size='1'><i>".$clang->gT("Reloading screen. Please wait.")."</i></font>\n";
}
$loginsummary .= "<br /><br />\n";
GetSessionUserRights($_SESSION['loginID']);
}
}
}
elseif ($action == "logout")
{
killSession();
$logoutsummary = '<p>'.$clang->gT("Logout successful.");
}
elseif ($action == "adduser" && $_SESSION['USER_RIGHT_CREATE_USER'])
{
$addsummary = "<div class='header ui-widget-header'>".$clang->gT("Add user")."</div>\n";
$new_user = FlattenText($postnew_user,true);
$new_email = FlattenText($postnew_email,true);
$new_full_name = FlattenText($postnew_full_name,true);
$valid_email = true;
if(!validate_email($new_email))
{
$valid_email = false;
$addsummary .= "<div class='messagebox ui-corner-all'><div class='warningheader'>".$clang->gT("Failed to add user")."</div><br />\n" . " " . $clang->gT("The email address is not valid.")."<br />\n";
}
if(empty($new_user))
{
if($valid_email) $addsummary .= "<br /><strong>".$clang->gT("Failed to add user")."</strong><br />\n" . " ";
$addsummary .= $clang->gT("A username was not supplied or the username is invalid.")."<br />\n";
}
elseif($valid_email)
{
$new_pass = createPassword();
$uquery = "INSERT INTO {$dbprefix}users (users_name, password,full_name,parent_id,lang,email,create_survey,create_user,delete_user,superadmin,configurator,manage_template,manage_label)
VALUES ('".db_quote($new_user)."', '".SHA256::hashing($new_pass)."', '".db_quote($new_full_name)."', {$_SESSION['loginID']}, 'auto', '".db_quote($new_email)."',0,0,0,0,0,0,0)";
$uresult = $connect->Execute($uquery); //Checked
if($uresult)
{
$newqid = $connect->Insert_ID("{$dbprefix}users","uid");
// add default template to template rights for user
$template_query = "INSERT INTO {$dbprefix}templates_rights VALUES('$newqid','default','1')";
$connect->Execute($template_query); //Checked
// add new user to userlist
$squery = "SELECT uid, users_name, password, parent_id, email, create_survey, configurator, create_user, delete_user, superadmin, manage_template, manage_label FROM ".db_table_name('users')." WHERE uid='{$newqid}'"; //added by Dennis
$sresult = db_execute_assoc($squery);//Checked
$srow = $sresult->FetchRow();
$userlist = getuserlist();
array_push($userlist, array("user"=>$srow['users_name'], "uid"=>$srow['uid'], "email"=>$srow['email'],
"password"=>$srow["password"], "parent_id"=>$srow['parent_id'], // "level"=>$level,
"create_survey"=>$srow['create_survey'], "configurator"=>$srow['configurator'], "create_user"=>$srow['create_user'],
"delete_user"=>$srow['delete_user'], "superadmin"=>$srow['superadmin'], "manage_template"=>$srow['manage_template'],
"manage_label"=>$srow['manage_label']));
// send Mail
$body = sprintf($clang->gT("Hello %s,",'unescaped'), $new_full_name)."<br /><br />\n";
$body .= sprintf($clang->gT("this is an automated email to notify that a user has been created for you on the site '%s'.",'unescaped'), $sitename)."<br /><br />\n";
$body .= $clang->gT("You can use now the following credentials to log into the site:",'unescaped')."<br />\n";
$body .= $clang->gT("Username",'unescaped') . ": " . $new_user . "<br />\n";
if ($useWebserverAuth === false)
{ // authent is not delegated to web server
// send password (if authorized by config)
if ($display_user_password_in_email === true)
{
$body .= $clang->gT("Password",'unescaped') . ": " . $new_pass . "<br />\n";
}
else
{
$body .= $clang->gT("Password",'unescaped') . ": " . $clang->gT("Please ask your LimeSurvey administrator for your password.") . "<br />\n";
}
}
$body .= "<a href='" . $homeurl . "/admin.php'>".$clang->gT("Click here to log in.",'unescaped')."</a><br /><br />\n";
$body .= sprintf($clang->gT('If you have any questions regarding this mail please do not hesitate to contact the site administrator at %s. Thank you!','unescaped'),$siteadminemail)."<br />\n";
$subject = sprintf($clang->gT("User registration at '%s'","unescaped"),$sitename);
$to = $new_user." <$new_email>";
$from = $siteadminname." <$siteadminemail>";
$addsummary .="<div class='messagebox ui-corner-all'>";
if(SendEmailMessage(null, $body, $subject, $to, $from, $sitename, true, $siteadminbounce))
{
$addsummary .= "<br />".$clang->gT("Username").": $new_user<br />".$clang->gT("Email").": $new_email<br />";
$addsummary .= "<br />".$clang->gT("An email with a generated password was sent to the user.");
}
else
{
// has to be sent again or no other way
$tmp = str_replace("{NAME}", "<strong>".$new_user."</strong>", $clang->gT("Email to {NAME} ({EMAIL}) failed."));
$addsummary .= "<br />".str_replace("{EMAIL}", $new_email, $tmp) . "<br />";
}
$addsummary .= "<br />\t\t\t<form method='post' action='$scriptname'>"
."<input type='submit' value='".$clang->gT("Set user permissions")."'>"
."<input type='hidden' name='action' value='setuserrights'>"
."<input type='hidden' name='user' value='{$new_user}'>"
."<input type='hidden' name='uid' value='{$newqid}'>"
."</form></div>";
}
else{
$addsummary .= "<div class='messagebox ui-corner-all'><div class='warningheader'>".$clang->gT("Failed to add user")."</div><br />\n" . " " . $clang->gT("The user name already exists.")."<br />\n";
}
}
$addsummary .= "<p><input type=\"submit\" onclick=\"window.open('$scriptname?action=editusers', '_self')\" value=\"".$clang->gT("Continue")."\"/></div>\n";
}
elseif (($action == "deluser" || $action == "finaldeluser") && ($_SESSION['USER_RIGHT_SUPERADMIN'] == 1 || $_SESSION['USER_RIGHT_DELETE_USER'] ))
{
$addsummary = "<div class=\"header\">".$clang->gT("Deleting user")."</div>\n";
$addsummary .= "<div class=\"messagebox\">\n";
// CAN'T DELETE ORIGINAL SUPERADMIN
// Initial SuperAdmin has parent_id == 0
$adminquery = "SELECT uid FROM {$dbprefix}users WHERE parent_id=0";
$adminresult = db_select_limit_assoc($adminquery, 1);//Checked
$row=$adminresult->FetchRow();
if($row['uid'] == $postuserid) // it's the original superadmin !!!
{
$addsummary .= "<div class=\"warningheader\">".$clang->gT("Initial Superadmin cannot be deleted!")."</div>\n";
}
else
{
if (isset($postuserid))
{
$sresultcount = 0;// 1 if I am parent of $postuserid
if ($_SESSION['USER_RIGHT_SUPERADMIN'] != 1)
{
$squery = "SELECT uid FROM {$dbprefix}users WHERE uid=$postuserid AND parent_id=".$_SESSION['loginID'];
$sresult = $connect->Execute($squery); //Checked
$sresultcount = $sresult->RecordCount();
}
if ($_SESSION['USER_RIGHT_SUPERADMIN'] == 1 || $sresultcount > 0 || $postuserid == $_SESSION['loginID'])
{
$transfer_surveys_to = 0;
$query = "SELECT users_name, uid FROM ".db_table_name('users').";";
$result = db_execute_assoc($query) or safe_die($connect->ErrorMsg());
$current_user = $_SESSION['loginID'];
if($result->RecordCount() == 2) {
$action = "finaldeluser";
while($rows = $result->FetchRow()){
$intUid = $rows['uid'];
$selected = '';
if ($intUid == $current_user)
$selected = " selected='selected'";
if ($postuserid != $intUid)
$transfer_surveys_to = $intUid;
}
}
$query = "SELECT sid FROM ".db_table_name('surveys')." WHERE owner_id = $postuserid ;";
$result = db_execute_assoc($query) or safe_die($connect->ErrorMsg());
if($result->RecordCount() == 0) {
$action = "finaldeluser";
}
if ($action=="finaldeluser")
{
if (isset($_POST['transfer_surveys_to'])) {$transfer_surveys_to=sanitize_int($_POST['transfer_surveys_to']);}
if ($transfer_surveys_to > 0){
$query = "UPDATE ".db_table_name('surveys')." SET owner_id = $transfer_surveys_to WHERE owner_id=$postuserid";
$result = db_execute_assoc($query) or safe_die($connect->ErrorMsg());
}
$squery = "SELECT parent_id FROM {$dbprefix}users WHERE uid=".$postuserid;
$sresult = $connect->Execute($squery); //Checked
$fields = $sresult->FetchRow($sresult);
if (isset($fields[0]))
{
$uquery = "UPDATE ".db_table_name('users')." SET parent_id={$fields[0]} WHERE parent_id=".$postuserid; // added by Dennis
$uresult = $connect->Execute($uquery); //Checked
}
//DELETE USER FROM TABLE
$dquery="DELETE FROM {$dbprefix}users WHERE uid=".$postuserid; // added by Dennis
$dresult=$connect->Execute($dquery); //Checked
// Delete user rights
$dquery="DELETE FROM {$dbprefix}survey_permissions WHERE uid=".$postuserid;
$dresult=$connect->Execute($dquery); //Checked
if($postuserid == $_SESSION['loginID'])
{
killSession(); // user deleted himself
header( "Location: " . $homeurl . "/admin.php");
die();
}
$addsummary .= "<br />".$clang->gT("Username").": {$postuser}<br /><br />\n";
$addsummary .= "<div class=\"successheader\">".$clang->gT("Success!")."</div>\n";
if ($transfer_surveys_to>0){
$sTransferred_to = getUserNameFromUid($transfer_surveys_to);
$addsummary .= sprintf($clang->gT("All of the user's surveys were transferred to %s."),$sTransferred_to);
}
$addsummary .= "<br/><input type=\"submit\" onclick=\"window.open('$scriptname?action=editusers', '_self')\" value=\"".$clang->gT("Continue")."\"/>\n";
}
else
{
$current_user = $_SESSION['loginID'];
$addsummary .= "<br />".$clang->gT("Transfer the user's surveys to: ")."\n";
$addsummary .= "<form method='post' name='deluserform' action='admin.php?action=finaldeluser'><select name='transfer_surveys_to'>\n";
$query = "SELECT users_name, uid FROM ".db_table_name('users').";";
$result = db_execute_assoc($query) or safe_die($connect->ErrorMsg());
if($result->RecordCount() > 0) {
while($rows = $result->FetchRow()){
$intUid = $rows['uid'];
$sUsersName = $rows['users_name'];
$selected = '';
if ($intUid == $current_user)
$selected = " selected='selected'";
if ($postuserid != $intUid)
$addsummary .= "<option value='$intUid'$selected>$sUsersName</option>\n";
}
}
$addsummary .= "</select><input type='hidden' name='uid' value='$postuserid'>";
$addsummary .= "<input type='hidden' name='user' value='$postuser'>";
$addsummary .= "<input type='hidden' name='action' value='finaldeluser'><br /><br />";
$addsummary .= "<input type='submit' value='".$clang->gT("Delete User")."'></form>";
}
}
else
{
include("access_denied.php");
}
}
else
{
$addsummary .= "<div class=\"warningheader\">".$clang->gT("Could not delete user. User was not supplied.")."</div>\n";
$addsummary .= "<br/><input type=\"submit\" onclick=\"window.open('$scriptname?action=editusers', '_self')\" value=\"".$clang->gT("Continue")."\"/>\n";
}
}
$addsummary .= "</div>\n";
}
elseif ($action == "moduser")
{
$addsummary = "<div class='header ui-widget-header'>".$clang->gT("Editing user")."</div>\n";
$addsummary .= "<div class=\"messagebox\">\n";
$squery = "SELECT uid FROM {$dbprefix}users WHERE uid=$postuserid AND parent_id=".$_SESSION['loginID'];
$sresult = $connect->Execute($squery); //Checked
$sresultcount = $sresult->RecordCount();
if(($_SESSION['USER_RIGHT_SUPERADMIN'] == 1 || $postuserid == $_SESSION['loginID'] ||
($sresultcount > 0 && $_SESSION['USER_RIGHT_CREATE_USER'])) && !($demoModeOnly == true && $postuserid == 1)
)
{
$users_name = html_entity_decode($postuser, ENT_QUOTES, 'UTF-8');
$email = html_entity_decode($postemail,ENT_QUOTES, 'UTF-8');
$sPassword = html_entity_decode($_POST['pass'],ENT_QUOTES, 'UTF-8');
if ($sPassword=='%%unchanged%%') $sPassword='';
$full_name = html_entity_decode($postfull_name,ENT_QUOTES, 'UTF-8');
$valid_email = true;
if(!validate_email($email))
{
$valid_email = false;
$failed = true;
$addsummary .= "<div class=\"warningheader\">".$clang->gT("Could not modify user data.")."</div><br />\n"
. " ".$clang->gT("Email address is not valid.")."<br />\n";
}
elseif($valid_email)
{
$failed = false;
if(empty($sPassword))
{
$uquery = "UPDATE ".db_table_name('users')." SET email='".db_quote($email)."', full_name='".db_quote($full_name)."' WHERE uid=".$postuserid;
} else {
$uquery = "UPDATE ".db_table_name('users')." SET email='".db_quote($email)."', full_name='".db_quote($full_name)."', password='".SHA256::hashing($sPassword)."' WHERE uid=".$postuserid;
}
$uresult = $connect->Execute($uquery);//Checked
if($uresult && empty($sPassword))
{
$addsummary .= "<br />".$clang->gT("Username").": $users_name<br />".$clang->gT("Password").": (".$clang->gT("Unchanged").")<br /><br />\n";
$addsummary .= "<div class=\"successheader\">".$clang->gT("Success!")."</div>\n";
} elseif($uresult && !empty($sPassword))
{
if ($display_user_password_in_html === true)
{
$displayedPwd = $sPassword;
}
else
{
$displayedPwd = preg_replace('/./','*',$sPassword);
}
$addsummary .= "<br />".$clang->gT("Username").": $users_name<br />".$clang->gT("Password").": {$displayedPwd}<br /><br />\n";
$addsummary .= "<div class=\"successheader\">".$clang->gT("Success!")."</div>\n";
}
else
{
// Username and/or email adress already exists.
$addsummary .= "<div class=\"warningheader\">".$clang->gT("Could not modify user data.")."</div><br />\n"
. " ".$clang->gT("Email address already exists.")."<br />\n";
}
}
if($failed)
{
$addsummary .= "<br /><form method='post' action='$scriptname'>"
."<input type='submit' value='".$clang->gT("Back")."'>"
."<input type='hidden' name='action' value='modifyuser'>"
."<input type='hidden' name='uid' value='{$postuserid}'>"
."</form>";
}
else
{
$addsummary .= "<br/><input type=\"submit\" onclick=\"window.open('$scriptname?action=editusers', '_self')\" value=\"".$clang->gT("Continue")."\"/>\n";
}
}
else
{
include("access_denied.php");
}
$addsummary .= "</div>\n";
}
elseif ($action == "userrights")
{
$addsummary = "<div class='header ui-widget-header'>".$clang->gT("Set user permissions")."</div>\n";
$addsummary .= "<div class=\"messagebox\">\n";
// A user can't modify his own rights ;-)
if($postuserid != $_SESSION['loginID'])
{
$squery = "SELECT uid FROM {$dbprefix}users WHERE uid=$postuserid AND parent_id=".$_SESSION['loginID'];
$sresult = $connect->Execute($squery); // Checked
$sresultcount = $sresult->RecordCount();
if($_SESSION['USER_RIGHT_SUPERADMIN'] != 1 && $sresultcount > 0)
{ // Not Admin, just a user with childs
$rights = array();
// Forbids Allowing more privileges than I have
if(isset($_POST['create_survey']) && $_SESSION['USER_RIGHT_CREATE_SURVEY'])$rights['create_survey']=1; else $rights['create_survey']=0;
if(isset($_POST['configurator']) && $_SESSION['USER_RIGHT_CONFIGURATOR'])$rights['configurator']=1; else $rights['configurator']=0;
if(isset($_POST['create_user']) && $_SESSION['USER_RIGHT_CREATE_USER'])$rights['create_user']=1; else $rights['create_user']=0;
if(isset($_POST['delete_user']) && $_SESSION['USER_RIGHT_DELETE_USER'])$rights['delete_user']=1; else $rights['delete_user']=0;
$rights['superadmin']=0; // ONLY Initial Superadmin can give this right
if(isset($_POST['manage_template']) && $_SESSION['USER_RIGHT_MANAGE_TEMPLATE'])$rights['manage_template']=1; else $rights['manage_template']=0;
if(isset($_POST['manage_label']) && $_SESSION['USER_RIGHT_MANAGE_LABEL'])$rights['manage_label']=1; else $rights['manage_label']=0;
if ($postuserid<>1) setuserrights($postuserid, $rights);
$addsummary .= "<div class=\"successheader\">".$clang->gT("User permissions were updated successfully.")."</div>\n";
$addsummary .= "<br/><input type=\"submit\" onclick=\"window.open('$scriptname?action=editusers', '_self')\" value=\"".$clang->gT("Continue")."\"/>\n";
}
elseif ($_SESSION['USER_RIGHT_SUPERADMIN'] == 1)
{
$rights = array();
if(isset($_POST['create_survey']))$rights['create_survey']=1; else $rights['create_survey']=0;
if(isset($_POST['configurator']))$rights['configurator']=1; else $rights['configurator']=0;
if(isset($_POST['create_user']))$rights['create_user']=1; else $rights['create_user']=0;
if(isset($_POST['delete_user']))$rights['delete_user']=1; else $rights['delete_user']=0;
// Only Initial Superadmin can give this right
if(isset($_POST['superadmin']))
{
// Am I original Superadmin ?
// Initial SuperAdmin has parent_id == 0
$adminquery = "SELECT uid FROM {$dbprefix}users WHERE parent_id=0";
$adminresult = db_select_limit_assoc($adminquery, 1);
$row=$adminresult->FetchRow();
if($row['uid'] == $_SESSION['loginID']) // it's the original superadmin !!!
{
$rights['superadmin']=1;
}
else
{
$rights['superadmin']=0;
}
}
else
{
$rights['superadmin']=0;
}
if(isset($_POST['manage_template']))$rights['manage_template']=1; else $rights['manage_template']=0;
if(isset($_POST['manage_label']))$rights['manage_label']=1; else $rights['manage_label']=0;
setuserrights($postuserid, $rights);
$addsummary .= "<div class=\"successheader\">".$clang->gT("User permissions were updated successfully.")."</div>\n";
$addsummary .= "<br/><input type=\"submit\" onclick=\"window.open('$scriptname?action=editusers', '_self')\" value=\"".$clang->gT("Continue")."\"/>\n";
}
else
{
include("access_denied.php");
}
}
else
{
$addsummary .= "<div class=\"warningheader\">".$clang->gT("You are not allowed to change your own permissions!")."</div>\n";
$addsummary .= "<br/><input type=\"submit\" onclick=\"window.open('$scriptname?action=editusers', '_self')\" value=\"".$clang->gT("Continue")."\"/>\n";
}
$addsummary .= "</div>\n";
}
elseif ($action == "usertemplates")
{
$addsummary = "<div class='header ui-widget-header'>".$clang->gT("Set template permissions")."</div>\n";
$addsummary .= "<div class=\"messagebox\">\n";
// SUPERADMINS AND MANAGE_TEMPLATE USERS CAN SET THESE RIGHTS
if( $_SESSION['USER_RIGHT_SUPERADMIN'] == 1 || $_SESSION['USER_RIGHT_MANAGE_TEMPLATE'] == 1)
{
$templaterights = array();
$tquery = "SELECT * FROM ".$dbprefix."templates";
$tresult = db_execute_assoc($tquery);
while ($trow = $tresult->FetchRow()) {
if (isset($_POST[$trow["folder"]."_use"]))
$templaterights[$trow["folder"]] = 1;
else
$templaterights[$trow["folder"]] = 0;
}
foreach ($templaterights as $key => $value) {
$uquery = "INSERT INTO {$dbprefix}templates_rights (uid,".db_quote_id('folder').",".db_quote_id('use').") VALUES ({$postuserid},'".$key."',$value)";
$uresult = $connect->execute($uquery);
if (!$uresult)
{
$uquery = "UPDATE {$dbprefix}templates_rights SET ".db_quote_id('use')."=$value where ".db_quote_id('folder')."='$key' AND uid=".$postuserid;
$uresult = $connect->execute($uquery);
}
}
if ($uresult)
{
$addsummary .= "<div class=\"successheader\">".$clang->gT("Template permissions were updated successfully.")."</div>\n";
$addsummary .= "<br/><input type=\"submit\" onclick=\"window.open('$scriptname?action=editusers', '_self')\" value=\"".$clang->gT("Continue")."\"/>\n";
}
else
{
$addsummary .= "<div class=\"warningheader\">".$clang->gT("Error")."</div>\n";
$addsummary .= "<br />".$clang->gT("Error while updating usertemplates.")."<br />\n";
$addsummary .= "<br/><input type=\"submit\" onclick=\"window.open('$scriptname?action=editusers', '_self')\" value=\"".$clang->gT("Continue")."\"/>\n";
}
}
else
{
include("access_denied.php");
}
$addsummary .= "</div>\n";
}
function getInitialAdmin_uid()
{
global $dbprefix;
// Initial SuperAdmin has parent_id == 0
$adminquery = "SELECT uid FROM {$dbprefix}users WHERE parent_id=0";
$adminresult = db_select_limit_assoc($adminquery, 1);
$row=$adminresult->FetchRow();
return $row['uid'];
}
function fGetLoginAttemptUpdateQry($la,$sIp)
{
$timestamp = date("Y-m-d H:i:s");
if ($la)
$query = "UPDATE ".db_table_name('failed_login_attempts')
." SET number_attempts=number_attempts+1, last_attempt = '$timestamp' WHERE ip='$sIp'";
else
$query = "INSERT INTO ".db_table_name('failed_login_attempts') . "(ip, number_attempts,last_attempt)"
." VALUES('$sIp',1,'$timestamp')";
return $query;
}
function getUserNameFromUid($uid){
$query = "SELECT users_name, uid FROM ".db_table_name('users')." WHERE uid = $uid;";
$result = db_execute_assoc($query) or safe_die($connect->ErrorMsg());
if($result->RecordCount() > 0) {
while($rows = $result->FetchRow()){
return $rows['users_name'];
}
}
}