diff --git a/admin/auth-admin.php b/admin/auth-admin.php
index f260abcb..97394bb8 100644
--- a/admin/auth-admin.php
+++ b/admin/auth-admin.php
@@ -51,7 +51,7 @@ if ((defined('PHP_SESSION_ACTIVE') && session_status() !== PHP_SESSION_ACTIVE) |
 if (session_id() == "" || !isset($_SESSION['loginID']))
 {
 //need to log in
- header('Location: ../include/limesurvey/admin/admin.php');
+ header('Location: ../login.php');
 die();
 }
diff --git a/admin/clients.php b/admin/clients.php
index 8c478e61..8cd39947 100644
--- a/admin/clients.php
+++ b/admin/clients.php
@@ -93,7 +93,7 @@ if (isset($_POST['client']) && !empty($_POST['client']))
 /* rewrite 'password' only if not blank in edit mode */
 if (isset($_GET['edit']) && $_GET['edit'] >0 && isset($_POST['password']) && !empty($_POST['password']))
 {
- include_once("../include/limesurvey/admin/classes/core/sha256.php");
+ include_once("../include/sha256.php");
 $sql .=",`password` = '" . SHA256::hashing($_POST['password']) . "'";
 }
@@ -111,7 +111,7 @@ if (isset($_POST['client']) && !empty($_POST['client']))
 if ($db->Execute($sql))
 {
- include_once("../include/limesurvey/admin/classes/core/sha256.php");
+ include_once("../include/sha256.php");
 //Insert into lime_users
 $sql = "INSERT INTO " . LIME_PREFIX . "users (`users_name`,`password`,`full_name`,`parent_id`,`superadmin`,`email`,`lang`)
diff --git a/admin/operatorlist.php b/admin/operatorlist.php
index 16821cbc..671d6fce 100644
--- a/admin/operatorlist.php
+++ b/admin/operatorlist.php
@@ -76,7 +76,7 @@ if (isset($_POST['submit']))
 if (!empty($_POST['password']))
 {
- include_once("../include/limesurvey/admin/classes/core/sha256.php");
+ include_once("../include/sha256.php");
 $sql .= ", password = '" . SHA256::hashing($_POST['password']) . "' ";
 }
diff --git a/admin/operators.php b/admin/operators.php
index 70efe53d..1549aed5 100644
--- a/admin/operators.php
+++ b/admin/operators.php
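Review bot: The new `header('Location: ../login.php')` is a relative Location, so the browser resolves it against the URL of whichever page included auth-admin.php; it reaches login.php only while that page sits directly in admin/, and a page one directory deeper (or reached through a rewrite) would be redirected to a non-existent admin/login.php. Access is still denied either way because of the `die()` that follows, but the user is left on a 404 instead of the login form. An absolute application path removes the dependence on the caller's location, e.g. `header('Location: ' . BASE_URL . '/login.php');` if such a constant exists (none is visible in this hunk). The `if` block is complete within the hunk.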
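Review bot: `include_once("../include/sha256.php")` in the password-edit branch is resolved by PHP against the process working directory (a path beginning with `../` bypasses include_path and is looked up only under the CWD), so it works while the CWD is admin/ as under the usual web SAPI, but not when clients.php is run from the CLI or included from another directory. Anchor it to the file instead, `require_once __DIR__ . '/../include/sha256.php';`, and use require_once because the next line calls `SHA256::hashing`: with include_once a missing file only emits a warning and the failure surfaces one line later as a class-not-found error. Nothing in this diff adds include/sha256.php, so confirm the file was actually moved in the same commit. The enclosing `if (isset($_POST['client']) && !empty($_POST['client']))` block starts before the hunk.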
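Review bot: This is the second `include_once("../include/sha256.php")` in clients.php (the first is in the edit branch around line 96), each guarded only by the branch it sits in, so whether the hashing class is loaded depends on which path the request takes. A single `require_once __DIR__ . '/../include/sha256.php';` at the top of the file would load it once, independent of branch and of the working directory. The `if ($db->Execute($sql))` body continues past the hunk, so the VALUES clause of the lime_users INSERT, where the hash presumably goes, is not visible here.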
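Review bot: The relocated include feeds `SHA256::hashing($_POST['password'])` on the following line, which receives only the password with no salt or cost parameter, so if include/sha256.php is the LimeSurvey class it used to be the stored value is presumably a single unsalted SHA-256: fast to brute-force offline and identical for identical passwords. Now that the application carries its own copy of the hashing code, the operator password could move to `password_hash($_POST['password'], PASSWORD_DEFAULT)` with `password_verify()` on login, unless the same value must remain verifiable by LimeSurvey through the LIME_PREFIX users table the other hunks write to, in which case the two verifications have to change together. The hash is spliced into `$sql` by string concatenation, which holds only because hex output cannot break the quoting; binding it as a parameter would make that independent of the hash format. The enclosing `if (isset($_POST['submit']))` block starts before the hunk.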
@@ -115,7 +115,7 @@ if (isset($_POST['operator']) && isset($_POST['adduser']))
 {
 $oid = $db->Insert_ID();
- include_once("../include/limesurvey/admin/classes/core/sha256.php");
+ include_once("../include/sha256.php");
 //Insert into lime_users
 $sql = "INSERT INTO " . LIME_PREFIX . "users (`users_name`,`password`,`full_name`,`parent_id`,`superadmin`,`email`,`lang`)
diff --git a/auth-interviewer.php b/auth-interviewer.php
index 74089770..5d77e31e 100644
--- a/auth-interviewer.php
+++ b/auth-interviewer.php
@@ -52,6 +52,6 @@ if ((defined('PHP_SESSION_ACTIVE') && session_status() !== PHP_SESSION_ACTIVE) |
 if (session_id() == "" || !isset($_SESSION['loginID']))
 {
 //need to log in
- header('Location: include/limesurvey/admin/admin.php');
+ header('Location: login.php');
 die();
 }
diff --git a/client/auth-client.php b/client/auth-client.php
index 8d9db67a..0fa2893c 100644
--- a/client/auth-client.php
+++ b/client/auth-client.php
@@ -51,6 +51,6 @@ if ((defined('PHP_SESSION_ACTIVE') && session_status() !== PHP_SESSION_ACTIVE) |
 if (session_id() == "" || !isset($_SESSION['loginID']))
 {
 //need to log in
- header('Location: ../include/limesurvey/admin/admin.php');
+ header('Location: ../login.php');
 die();
 }
diff --git a/include/limesurvey/admin/admin.php b/include/limesurvey/admin/admin.php
deleted file mode 100644
index 103eea80..00000000
--- a/include/limesurvey/admin/admin.php
+++ /dev/null
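Review bot: The new `include_once("../include/sha256.php")` runs after `$oid = $db->Insert_ID()`, that is, after the operator row has already been inserted; if the relocated file is missing (this diff shows no addition of include/sha256.php) PHP only warns here and then fatals at the `SHA256::hashing` call that presumably builds the VALUES clause outside the hunk, leaving an operator with no matching lime_users row. Load the dependency before any write, `require_once __DIR__ . '/../include/sha256.php';` near the top of operators.php, so a missing file aborts the request before the first INSERT and the path is resolved from the file rather than the working directory. The enclosing `if (isset($_POST['operator']) && isset($_POST['adduser']))` block starts before and continues past the hunk.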
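Review bot: The redirect line is now the third hand-maintained copy of the same six-line session guard (admin/auth-admin.php and client/auth-client.php carry it with a `../` prefix), so the login target has to be kept consistent across three files by hand, which is exactly the kind of drift that left the old LimeSurvey path in place. A single shared guard included by all three, building the login URL from one base-path constant instead of per-directory `../` arithmetic, would leave one place to change. The `if` block is complete within the hunk and ends the file.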
@@ -1,833 +0,0 @@ -"; -} -else -{ - $adminoutput=''; -} - -if($casEnabled==true) -{ - include_once("login_check_cas.php"); -} -else -{ - include_once('login_check.php'); -} - -if ( $action == 'CSRFwarn') -{ - include('access_denied.php'); -} - -if ( $action == 'FakeGET') -{ - include('access_denied.php'); -} - -if(isset($_SESSION['loginID'])) -{ - //VARIOUS DATABASE OPTIONS/ACTIONS PERFORMED HERE - if (in_array($action, array('updateemailtemplates','delsurvey','delgroup','delquestion','insertsurvey','updatesubquestions','copynewquestion','insertquestiongroup','insertCSV','insertquestion','updatesurveysettings','updatesurveysettingsandeditlocalesettings','updatesurveylocalesettings','updategroup','deactivate','savepersonalsettings','updatequestion','updateansweroptions','renumberquestions','updatedefaultvalues'))) - { - include('database.php'); - } - - sendcacheheaders(); - - /* Check user right actions for validity - Currently existing user rights: - `configurator` - `create_survey` - `create_user` - `delete_user` - `manage_label` - `manage_template` - `superadmin` - */ - - if ($action == 'importsurvey' || $action == 'copysurvey') - { - if ($_SESSION['USER_RIGHT_CREATE_SURVEY']==1) {include('http_importsurvey.php');} - else { include('access_denied.php');} - } - elseif ($action == 'dumpdb') - { - if ($_SESSION['USER_RIGHT_SUPERADMIN']==1) {include('dumpdb.php');} - else { include('access_denied.php');} - } - elseif ($action == 'dumplabel') - { - if ($_SESSION['USER_RIGHT_MANAGE_LABEL']==1) {include('dumplabel.php');} - else { include('access_denied.php');} - } - elseif ($action == 'exportlabelresources') - { - if ($_SESSION['USER_RIGHT_MANAGE_TEMPLATE']==1) {$_SESSION['FileManagerContext']="edit:label:$lid"; include('export_resources_zip.php');} - else { include('access_denied.php');} - } - elseif ($action == 'checkintegrity') - { - if ($_SESSION['USER_RIGHT_CONFIGURATOR']==1) {include('integritycheck.php');} - else { include('access_denied.php');} - } - elseif 
($action == "globalsettings") - { - if ($_SESSION['USER_RIGHT_CONFIGURATOR']==1) {globalsettingsdisplay();} - else { include("access_denied.php");} - } - elseif ($action == "globalsettingssave") - { - if ($_SESSION['USER_RIGHT_CONFIGURATOR']==1) {globalsettingssave();} - else { include("access_denied.php");} - } - elseif ($action=='labels' || $action=='newlabelset' || $action=='insertlabelset' || - $action=='deletelabelset' || $action=='editlabelset' || $action=='modlabelsetanswers' || - $action=='updateset' || $action=='importlabels' ||$action == 'importlabelresources') - { - if ($_SESSION['USER_RIGHT_MANAGE_LABEL']==1) {$_SESSION['FileManagerContext']="edit:label:$lid"; include('labels.php');} - else { include('access_denied.php');} - } - elseif ($action=='templates' || $action=='templatecopy' || $action=='templatesavechanges' || - $action=='templaterename' || $action=='templateuploadfile' || $action=='templatefiledelete' || - $action=='templatezip' || $action=='templaterefresh' || $action=='templateupload') - { - if ($_SESSION['USER_RIGHT_MANAGE_TEMPLATE']==1) {include('templates.php');} - else { include('access_denied.php');} - } - - - - - /* Check survey right actions for validity - Currently existing survey rights: - `edit_survey_property` - `define_questions` - `browse_response` - `export` - `delete_survey` - `activate_survey` - */ - - if ($action == 'activate') - { - if(bHasSurveyPermission($surveyid,'surveyactivation','update')) {include('activate.php');} - else { include('access_denied.php');} - } - elseif ($action == 'conditions') - { - if(bHasSurveyPermission($surveyid,'surveycontent','read')) {include('conditionshandling.php');} - else { include('access_denied.php');} - } - elseif ($action == 'importsurveyresources') - { - if (bHasSurveyPermission($surveyid,'surveycontent','import')) {$_SESSION['FileManagerContext']="edit:survey:$surveyid";include('import_resources_zip.php');} - else { include('access_denied.php');} - } - elseif ($action == 
'exportstructureLsrcCsv') - { - if(bHasSurveyPermission($surveyid,'surveycontent','export')) {include('export_structure_lsrc.php');} - else { include('access_denied.php');} - } - elseif ($action == 'exportstructurequexml') - { - if(bHasSurveyPermission($surveyid,'surveycontent','export')) {include('export_structure_quexml.php');} - else { include('access_denied.php');} - } - elseif ($action == 'exportstructurexml') - { - if(bHasSurveyPermission($surveyid,'surveycontent','export')) {include('export_structure_xml.php');} - else { include('access_denied.php');} - } - elseif ($action == 'exportstructurecsvGroup') - { - if(bHasSurveyPermission($surveyid,'surveycontent','export')) {include('dumpgroup.php');} - else { include('access_denied.php');} - } - elseif ($action == 'exportstructureLsrcCsvGroup') - { - if(bHasSurveyPermission($surveyid,'surveycontent','export')) {include('dumpgroup.php');} - else { include('access_denied.php');} - } - elseif ($action == 'exportstructurecsvQuestion') - { - if(bHasSurveyPermission($surveyid,'surveycontent','export')) {include('dumpquestion.php');} - else { include('access_denied.php');} - } - elseif ($action == 'exportstructureLsrcCsvQuestion') - { - if(bHasSurveyPermission($surveyid,'surveycontent','export')) {include('dumpquestion.php');} - else { include('access_denied.php');} - } - elseif ($action == 'exportsurvresources') - { - if(bHasSurveyPermission($surveyid,'surveycontent','export')) {$_SESSION['FileManagerContext']="edit:survey:$surveyid";include('export_resources_zip.php');} - else { include('access_denied.php');} - } - elseif ($action == 'deactivate') - { - if(bHasSurveyPermission($surveyid,'surveyactivation','update')) {include('deactivate.php');} - else { include('access_denied.php');} - } - elseif ($action == 'deletesurvey') - { - if(bHasSurveyPermission($surveyid,'survey','delete')) {include('deletesurvey.php');} - else { include('access_denied.php');} - } - elseif ($action == 'resetsurveylogic') - { - 
if(bHasSurveyPermission($surveyid,'surveycontent','update')) {include('resetsurveylogic.php');} - else { include('access_denied.php');} - } - elseif ($action == 'importgroup') - { - if(bHasSurveyPermission($surveyid,'surveycontent','import')) {include('importgroup.php');} - else { include('access_denied.php');} - } - elseif ($action == 'importquestion') - { - if(bHasSurveyPermission($surveyid,'surveycontent','import')) {include('importquestion.php');} - else { include('access_denied.php');} - } - elseif ($action == 'listcolumn') - { - if(bHasSurveyPermission($surveyid,'statistics','read')) {include('listcolumn.php');} - else { include('access_denied.php');} - } - elseif ($action == 'previewquestion') - { - if(bHasSurveyPermission($surveyid,'surveycontent','read')) {include('preview.php');} - else { include('access_denied.php');} - } - elseif ($action == 'previewgroup') - { - $_SESSION['interviewer'] = true; - require_once('../index.php'); - exit; - - } - elseif ($action == 'showlogicfile') - { - if(bHasSurveyPermission($surveyid,'translations','read')) - { - $surveyid = sanitize_int($surveyid); - $thissurvey = getSurveyInfo($surveyid); - $_POST['sid'] = $surveyid . '|N'; - $_POST['LEM_PRETTY_PRINT_ALL_SYNTAX'] = 'Y'; - $_POST['surveyMode'] = 'survey'; - $_POST['LEMcalledFromAdmin'] = 'Y'; - $_POST['assessments'] = $thissurvey['assessments']; - LimeExpressionManager::SetDirtyFlag(); - if (isset($_GET['gid'])) { $_POST['gid'] = $_GET['gid']; } - if (isset($_GET['qid'])) { $_POST['qid'] = $_GET['qid']; } - include($rootdir . 
'/classes/expressions/test/survey_logic_file.php'); - exit; - } - else { include('access_denied.php');} - } - elseif ($action=='addgroup' || $action=='editgroup' || $action=='ordergroups') - { - if(bHasSurveyPermission($surveyid,'surveycontent','read')) {$_SESSION['FileManagerContext']="edit:group:$surveyid"; include('questiongrouphandling.php');} - else { include('access_denied.php');} - } - elseif ($action == 'saved') - { - if(bHasSurveyPermission($surveyid,'responses','read')) {include('saved.php');} - else { include('access_denied.php');} - } - // - elseif ($action == 'translate') - { - if(bHasSurveyPermission($surveyid,'translations','read')) {$_SESSION['FileManagerContext']="edit:translate:$surveyid"; include('translate.php');} - else { include('access_denied.php'); } - } - // - elseif ($action == 'tokens') - { - if(bHasSurveyPermission($surveyid,'tokens','read')) - { - $_SESSION['FileManagerContext']="edit:emailsettings:$surveyid"; - include('tokens.php'); - } - else { include('access_denied.php'); } - } - elseif ($action == 'emailtemplates') - { - $_SESSION['FileManagerContext']="edit:emailsettings:$surveyid"; - } - elseif ($action == 'iteratesurvey') - { - if(bHasSurveyPermission($surveyid,'surveyactivation','update')) {include('iterate_survey.php');} - else { include('access_denied.php');} - } - elseif ($action=='showquexmlsurvey') - { - include('quexmlsurvey.php'); //Same rights as printable - } - elseif ($action=='showprintablesurvey') - { - include('printablesurvey.php'); //No special right needed to show the printable survey - } - elseif ($action=='listcolumn') - { - include('listcolumn.php'); - } -// elseif ($action=='update') -// { -// if( $_SESSION['USER_RIGHT_SUPERADMIN'] == 1) include($homedir.'/update/updater.php'); -// else { include('access_denied.php');} -// } - elseif ($action=='assessments' || $action=='assessmentdelete' || $action=='assessmentedit' || $action=='assessmentadd' || $action=='assessmentupdate') - { - 
if(bHasSurveyPermission($surveyid,'assessments','read')) { - $_SESSION['FileManagerContext']="edit:assessments:$surveyid"; - include('assessments.php'); - } - else { include('access_denied.php');} - } - elseif ($action == 'replacementfields') - { - switch ($editedaction) - { - case 'labels': - if ($_SESSION['USER_RIGHT_SUPERADMIN'] == 1 || $_SESSION['USER_RIGHT_MANAGE_LABEL']==1) - { - $_SESSION['FileManagerContext']="edit:label:$lid"; - include('fck_LimeReplacementFields.php');exit; - } - else - { - include('access_denied.php'); - } - break; - case 'newsurvey': - if ($_SESSION['USER_RIGHT_SUPERADMIN'] == 1 || $_SESSION['USER_RIGHT_CREATE_SURVEY'] == 1) - { - include('fck_LimeReplacementFields.php');exit; - } - else - { - include('access_denied.php'); - } - break; - case 'editsurveylocalesettings': - case 'updatesurveysettingsandeditlocalesettings': - case 'translatetitle': - case 'translatedescription': - case 'translatewelcome': - case 'translateend': - if (bHasSurveyPermission($surveyid,'surveysettings','update') && bHasSurveyPermission($surveyid,'surveylocale','read')) - { - $_SESSION['FileManagerContext']="edit:survey:$surveyid"; - include('fck_LimeReplacementFields.php');exit; - } - else - { - include('access_denied.php'); - } - break; - case 'tokens': // email - case 'emailtemplates': // email - if (bHasSurveyPermission($surveyid,'tokens','update')) - { - $_SESSION['FileManagerContext']="edit:emailsettings:$surveyid"; - include('fck_LimeReplacementFields.php');exit; - } - else - { - include('access_denied.php'); - } - break; - case 'editquestion': - case 'copyquestion': - case 'addquestion': - case 'translatequestion': - case 'translatequestion_help': - if (bHasSurveyPermission($surveyid,'surveycontent','read')) - { - $_SESSION['FileManagerContext']="edit:question:$surveyid"; - include('fck_LimeReplacementFields.php');exit; - } - else - { - include('access_denied.php'); - } - break; - case 'editgroup': - case 'addgroup': - case 'translategroup': - case 
'translategroup_desc': - if (bHasSurveyPermission($surveyid,'surveycontent','read')) - { - $_SESSION['FileManagerContext']="edit:group:$surveyid"; - include('fck_LimeReplacementFields.php');exit; - } - else - { - include('access_denied.php'); - } - break; - case 'editanswer': - case 'translateanswer': - if (bHasSurveyPermission($surveyid,'surveycontent','read')) - { - $_SESSION['FileManagerContext']="edit:answer:$surveyid"; - include('fck_LimeReplacementFields.php');exit; - } - else - { - include('access_denied.php'); - } - break; - case 'assessments': - case 'assessmentedit': - if(bHasSurveyPermission($surveyid,'assessments','read')) { - $_SESSION['FileManagerContext']="edit:assessments:$surveyid"; - include('fck_LimeReplacementFields.php'); - } - else { include('access_denied.php');} - break; - default: - break; - } - } - elseif ($action == 'ajaxtranslategoogleapi') - { - if(bHasSurveyPermission($surveyid,'translations','read')) - { - include('translate_google_api.php'); - } - else - { - include('access_denied.php'); - } - } - elseif ($action=='ajaxowneredit' || $action == 'ajaxgetusers'){ - - include('surveylist.php'); - } - if (!isset($assessmentsoutput) && !isset($statisticsoutput) && !isset($browseoutput) && - !isset($savedsurveyoutput) && !isset($listcolumnoutput) && !isset($conditionsoutput) && - !isset($importoldresponsesoutput) && !isset($exportroutput) && !isset($vvoutput) && - !isset($tokenoutput) && !isset($exportoutput) && !isset($templatesoutput) && !isset($translateoutput) && // - !isset($iteratesurveyoutput) && (substr($action,0,4)!= 'ajax') && ($action!='update') && - (isset($surveyid) || $action == "" || 
preg_match('/^(personalsettings|statistics|copysurvey|importsurvey|editsurveysettings|editsurveylocalesettings|updatesurveysettings|updatesurveysettingsandeditlocalesettings|updatedefaultvalues|ordergroups|dataentry|newsurvey|globalsettings|editusergroups|editusergroup|exportspss|surveyrights|quotas|editusers|login|browse|vvimport|vvexport|setuserrights|modifyuser|setusertemplates|deluser|adduser|userrights|usertemplates|moduser|addusertogroup|deleteuserfromgroup|globalsettingssave|savepersonalsettings|addusergroup|editusergroupindb|usergroupindb|finaldeluser|delusergroup|mailusergroup|mailsendusergroup)$/',$action))) - { - if ($action=='editsurveysettings' || $action=='editsurveylocalesettings') - { - $_SESSION['FileManagerContext']="edit:survey:$surveyid"; - } - include('html_functions.php'); - include('html.php'); - } - - if ($action == "listsurveys"){ - include('html_functions.php'); - include('html.php'); - include('surveylist.php'); - } - - if ($action == 'dataentry') - { - if (bHasSurveyPermission($surveyid, 'responses','read') || bHasSurveyPermission($surveyid, 'responses','create') || bHasSurveyPermission($surveyid, 'responses','update')) - { - include('dataentry.php'); - } - else - { - include('access_denied.php'); - } - } - elseif ($action == 'exportresults') - { - if(bHasSurveyPermission($surveyid,'responses','export')) {include('exportresults.php');} - else { include('access_denied.php');} - } - elseif ($action == 'statistics') - { - if(bHasSurveyPermission($surveyid,'statistics','read')) {include('statistics.php');} - else { include('access_denied.php');} - } - elseif ($action == 'importoldresponses') - { - if(bHasSurveyPermission($surveyid,'responses','create')) {include('importoldresponses.php');} - else { include('access_denied.php');} - } - elseif ($action == 'exportspss') - { - if(bHasSurveyPermission($surveyid,'responses','export')) - { - include('export_data_spss.php'); - } - else - { - include('access_denied.php'); - } - } - elseif ($action == 
'browse') - { - if(bHasSurveyPermission($surveyid,'responses','read') || bHasSurveyPermission($surveyid,'statistics','read') || bHasSurveyPermission($surveyid,'responses','export')) - { - include('browse.php'); - } - else - { - include('access_denied.php'); - } - } - elseif ($action == 'exportr') - { - if(bHasSurveyPermission($surveyid,'responses','export')) {include('export_data_r.php');} - else { include('access_denied.php');} - } - elseif ($action == 'vvexport') - { - if(bHasSurveyPermission($surveyid,'responses','export')) {include('vvexport.php');} - else { include('access_denied.php');} - } - elseif ($action == 'vvimport') - { - if(bHasSurveyPermission($surveyid,'responses','create')) {include('vvimport.php');} - else { include('access_denied.php');} - } - elseif ($action == 'EMtest') { - switch ($subaction) { - case 'functions': - if(bHasSurveyPermission($surveyid,'surveycontent','read')) { - include('../classes/expressions/test/functions.php'); - } - else { - include('access_denied.php'); - } - break; - case 'stringsplit': - if(bHasSurveyPermission($surveyid,'surveycontent','read')) { - include('../classes/expressions/test/stringsplit.php'); - } - else { - include('access_denied.php'); - } - break; - case 'tokenizer': - if(bHasSurveyPermission($surveyid,'surveycontent','read')) { - include('../classes/expressions/test/tokenizer.php'); - } - else { - include('access_denied.php'); - } - break; - case 'unit': - if(bHasSurveyPermission($surveyid,'surveycontent','read')) { - include('../classes/expressions/test/unit.php'); - } - else { - include('access_denied.php'); - } - break; - case 'strings_with_expressions': - if(bHasSurveyPermission($surveyid,'surveycontent','read')) { - include('../classes/expressions/test/strings_with_expressions.php'); - } - else { - include('access_denied.php'); - } - break; - case 'relevance': - if(bHasSurveyPermission($surveyid,'surveycontent','read')) { - include('../classes/expressions/test/relevance.php'); - } - else { - 
include('access_denied.php'); - } - break; - case 'conditions2relevance': - if (bHasSurveyPermission($surveyid, 'surveycontent', 'read')) - { - include('../classes/expressions/test/conditions2relevance.php'); - } - else - { - include('access_denied.php'); - } - break; - case 'navigation_test': - if($_SESSION['USER_RIGHT_CONFIGURATOR']==1) { - include('../classes/expressions/test/navigation_test.php'); - } - else { - include('access_denied.php'); - } - break; - case 'survey_logic_file': - if($_SESSION['USER_RIGHT_CONFIGURATOR']==1) { - include('../classes/expressions/test/survey_logic_file.php'); - } - else { - include('access_denied.php'); - } - break; - case 'upgrade_conditions2relevance': - if($_SESSION['USER_RIGHT_CONFIGURATOR']==1) { - include('../classes/expressions/test/upgrade_conditions2relevance.php'); - } - else { - include('access_denied.php'); - } - break; - default: - if(bHasSurveyPermission($surveyid,'surveycontent','read')) { - include('../classes/expressions/test/test.php'); - } - else { - include('access_denied.php'); - } - break; - } - exit; - } - if ($action=='addquestion' || $action=='copyquestion' || $action=='editquestion' || $action=='editdefaultvalues' || - $action=='orderquestions' || $action=='ajaxquestionattributes' || $action=='ajaxlabelsetpicker' || $action=='ajaxlabelsetdetails') - { - if(bHasSurveyPermission($surveyid,'surveycontent','read')) - { - $_SESSION['FileManagerContext']="edit:question:$surveyid"; - include('questionhandling.php'); - } - else - { - include('access_denied.php'); - } - } - - - if ($action=='adduser' || $action=='deluser'|| $action=='finaldeluser' || $action=='moduser' || $action=='setusertemplates' || $action=='usertemplates' || //Still to check - $action=='userrights' || $action=='modifyuser' || $action=='editusers' || - $action=='addusergroup' || $action=='editusergroup' || $action=='mailusergroup' || - $action=='delusergroup' || $action=='usergroupindb' || $action=='mailsendusergroup' || - 
$action=='editusergroupindb' || $action=='editusergroups' || $action=='deleteuserfromgroup' || - $action=='addusertogroup' || $action=='setuserrights' || $action=='setasadminchild') - { - include ('userrighthandling.php'); - } - - - // For some output we dont want to have the standard admin menu bar - if (!isset($labelsoutput) && !isset($templatesoutput) && !isset($printablesurveyoutput) && - !isset($assessmentsoutput) && !isset($tokenoutput) && !isset($browseoutput) && !isset($exportspssoutput) && !isset($exportroutput) && - !isset($dataentryoutput) && !isset($statisticsoutput)&& !isset($savedsurveyoutput) && !isset($translateoutput) && // - !isset($exportoutput) && !isset($importoldresponsesoutput) && !isset($conditionsoutput) && - !isset($vvoutput) && !isset($listcolumnoutput) && !isset($importlabelresources) && !isset($iteratesurveyoutput) && - (substr($action,0,4)!= 'ajax') && $action!='update' && $action!='showphpinfo') - { - $adminoutput.= showadminmenu(); - } - - if (isset($databaseoutput)) {$adminoutput.= $databaseoutput;} - if (isset($templatesoutput)) {$adminoutput.= $templatesoutput;} - if (isset($accesssummary )) {$adminoutput.= $accesssummary;} - if (isset($surveysummary )) {$adminoutput.= $surveysummary;} - if (isset($usergroupsummary)){$adminoutput.= $usergroupsummary;} - if (isset($usersummary )) {$adminoutput.= $usersummary;} - if (isset($groupsummary )) {$adminoutput.= $groupsummary;} - if (isset($questionsummary)) {$adminoutput.= $questionsummary;} - if (isset($vasummary )) {$adminoutput.= $vasummary;} - if (isset($addsummary )) {$adminoutput.= $addsummary;} - if (isset($answersummary )) {$adminoutput.= $answersummary;} - if (isset($cssummary )) {$adminoutput.= $cssummary;} - if (isset($listcolumnoutput)) {$adminoutput.= $listcolumnoutput;} - if (isset($ajaxoutput)) {$adminoutput.= $ajaxoutput;} - - - if (isset($editgroup)) {$adminoutput.= $editgroup;} - if (isset($editquestion)) {$adminoutput.= $editquestion;} - if (isset($editdefvalues)) 
{$adminoutput.= $editdefvalues;} - if (isset($editsurvey)) {$adminoutput.= $editsurvey;} - if (isset($translateoutput)) {$adminoutput.= $translateoutput;} // - if (isset($quotasoutput)) {$adminoutput.= $quotasoutput;} - if (isset($labelsoutput)) {$adminoutput.= $labelsoutput;} - if (isset($listsurveys)) {$adminoutput.= $listsurveys; } - if (isset($integritycheck)) {$adminoutput.= $integritycheck;} - if (isset($ordergroups)){$adminoutput.= $ordergroups;} - if (isset($orderquestions)) {$adminoutput.= $orderquestions;} - if (isset($surveysecurity)) {$adminoutput.= $surveysecurity;} - if (isset($exportstructure)) {$adminoutput.= $exportstructure;} - if (isset($newsurvey)) {$adminoutput.= $newsurvey;} - if (isset($newgroupoutput)) {$adminoutput.= $newgroupoutput;} - if (isset($newquestionoutput)) {$adminoutput.= $newquestionoutput;} - if (isset($newanswer)) {$adminoutput.= $newanswer;} - if (isset($editanswer)) {$adminoutput.= $editanswer;} - if (isset($assessmentsoutput)) {$adminoutput.= $assessmentsoutput;} - if (isset($sHTMLOutput)) {$adminoutput.= $sHTMLOutput;} - - - if (isset($importsurvey)) {$adminoutput.= $importsurvey;} - if (isset($importsurveyresourcesoutput)) {$adminoutput.= $importsurveyresourcesoutput;} - if (isset($importgroup)) {$adminoutput.= $importgroup;} - if (isset($importquestion)) {$adminoutput.= $importquestion;} - if (isset($printablesurveyoutput)) {$adminoutput.= $printablesurveyoutput;} - if (isset($activateoutput)) {$adminoutput.= $activateoutput;} - if (isset($deactivateoutput)) {$adminoutput.= $deactivateoutput;} - if (isset($tokenoutput)) {$adminoutput.= $tokenoutput;} - if (isset($browseoutput)) {$adminoutput.= $browseoutput;} - if (isset($iteratesurveyoutput)) {$adminoutput.= $iteratesurveyoutput;} - if (isset($dataentryoutput)) {$adminoutput.= $dataentryoutput;} - if (isset($statisticsoutput)) {$adminoutput.= $statisticsoutput;} - if (isset($exportoutput)) {$adminoutput.= $exportoutput;} - if (isset($savedsurveyoutput)) {$adminoutput.= 
$savedsurveyoutput;} - if (isset($importoldresponsesoutput)) {$adminoutput.= $importoldresponsesoutput;} - if (isset($conditionsoutput)) {$adminoutput.= $conditionsoutput;} - if (isset($deletesurveyoutput)) {$adminoutput.= $deletesurveyoutput;} - if (isset($resetsurveylogicoutput)) {$adminoutput.= $resetsurveylogicoutput;} - if (isset($vvoutput)) {$adminoutput.= $vvoutput;} - if (isset($dumpdboutput)) {$adminoutput.= $dumpdboutput;} - if (isset($exportspssoutput)) {$adminoutput.= $exportspssoutput;} - if (isset($exportroutput)) {$adminoutput.= $exportroutput;} - if (isset($loginsummary)) {$adminoutput.= $loginsummary;} - - - if (!isset($printablesurveyoutput) && $subaction!='export' && (substr($action,0,4)!= 'ajax')) - { - if (!isset($_SESSION['metaHeader'])) {$_SESSION['metaHeader']='';} - $adminoutput = getAdminHeader($_SESSION['metaHeader']).$adminoutput; // All future output is written into this and then outputted at the end of file - unset($_SESSION['metaHeader']); - $adminoutput.= "\n"; - if(!isset($_SESSION['checksessionpost'])) - { - $_SESSION['checksessionpost'] = ''; - } - $adminoutput .= "\n"; - $adminoutput .= getAdminFooter("http://docs.limesurvey.org", $clang->gT("LimeSurvey online manual")); - } - -} -else -{ //not logged in - - sendcacheheaders(); - $adminoutput = << - - - - - - - - - - queXS Authentication - - - - - - - - - - -
-EOD; - - $adminoutput .= $loginsummary; - $adminoutput .= "
"; - unset($_SESSION['metaHeader']); -} -if (($action=='showphpinfo') && ($_SESSION['USER_RIGHT_CONFIGURATOR'] == 1)) -{ - phpinfo(); -} -else -{ - echo $adminoutput; -} - diff --git a/include/limesurvey/admin/classes/phpCAS/CAS.php b/include/phpCAS/CAS.php similarity index 100% rename from include/limesurvey/admin/classes/phpCAS/CAS.php rename to include/phpCAS/CAS.php diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/AuthenticationException.php b/include/phpCAS/CAS/AuthenticationException.php similarity index 100% rename from include/limesurvey/admin/classes/phpCAS/CAS/AuthenticationException.php rename to include/phpCAS/CAS/AuthenticationException.php diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/Autoload.php b/include/phpCAS/CAS/Autoload.php similarity index 100% rename from include/limesurvey/admin/classes/phpCAS/CAS/Autoload.php rename to include/phpCAS/CAS/Autoload.php diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/Client.php b/include/phpCAS/CAS/Client.php similarity index 100% rename from include/limesurvey/admin/classes/phpCAS/CAS/Client.php rename to include/phpCAS/CAS/Client.php diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/CookieJar.php b/include/phpCAS/CAS/CookieJar.php similarity index 100% rename from include/limesurvey/admin/classes/phpCAS/CAS/CookieJar.php rename to include/phpCAS/CAS/CookieJar.php diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/Exception.php b/include/phpCAS/CAS/Exception.php similarity index 100% rename from include/limesurvey/admin/classes/phpCAS/CAS/Exception.php rename to include/phpCAS/CAS/Exception.php diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/GracefullTerminationException.php b/include/phpCAS/CAS/GracefullTerminationException.php similarity index 100% rename from include/limesurvey/admin/classes/phpCAS/CAS/GracefullTerminationException.php rename to include/phpCAS/CAS/GracefullTerminationException.php 
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/InvalidArgumentException.php b/include/phpCAS/CAS/InvalidArgumentException.php similarity index 100% rename from include/limesurvey/admin/classes/phpCAS/CAS/InvalidArgumentException.php rename to include/phpCAS/CAS/InvalidArgumentException.php diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/Languages/Catalan.php b/include/phpCAS/CAS/Languages/Catalan.php similarity index 100% rename from include/limesurvey/admin/classes/phpCAS/CAS/Languages/Catalan.php rename to include/phpCAS/CAS/Languages/Catalan.php diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/Languages/English.php b/include/phpCAS/CAS/Languages/English.php similarity index 100% rename from include/limesurvey/admin/classes/phpCAS/CAS/Languages/English.php rename to include/phpCAS/CAS/Languages/English.php diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/Languages/French.php b/include/phpCAS/CAS/Languages/French.php similarity index 100% rename from include/limesurvey/admin/classes/phpCAS/CAS/Languages/French.php rename to include/phpCAS/CAS/Languages/French.php diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/Languages/German.php b/include/phpCAS/CAS/Languages/German.php similarity index 100% rename from include/limesurvey/admin/classes/phpCAS/CAS/Languages/German.php rename to include/phpCAS/CAS/Languages/German.php diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/Languages/Greek.php b/include/phpCAS/CAS/Languages/Greek.php similarity index 100% rename from include/limesurvey/admin/classes/phpCAS/CAS/Languages/Greek.php rename to include/phpCAS/CAS/Languages/Greek.php diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/Languages/Japanese.php b/include/phpCAS/CAS/Languages/Japanese.php similarity index 100% rename from include/limesurvey/admin/classes/phpCAS/CAS/Languages/Japanese.php rename to include/phpCAS/CAS/Languages/Japanese.php 
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/Languages/LanguageInterface.php b/include/phpCAS/CAS/Languages/LanguageInterface.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/Languages/LanguageInterface.php
rename to include/phpCAS/CAS/Languages/LanguageInterface.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/Languages/Spanish.php b/include/phpCAS/CAS/Languages/Spanish.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/Languages/Spanish.php
rename to include/phpCAS/CAS/Languages/Spanish.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/OutOfSequenceBeforeAuthenticationCallException.php b/include/phpCAS/CAS/OutOfSequenceBeforeAuthenticationCallException.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/OutOfSequenceBeforeAuthenticationCallException.php
rename to include/phpCAS/CAS/OutOfSequenceBeforeAuthenticationCallException.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/OutOfSequenceBeforeClientException.php b/include/phpCAS/CAS/OutOfSequenceBeforeClientException.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/OutOfSequenceBeforeClientException.php
rename to include/phpCAS/CAS/OutOfSequenceBeforeClientException.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/OutOfSequenceBeforeProxyException.php b/include/phpCAS/CAS/OutOfSequenceBeforeProxyException.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/OutOfSequenceBeforeProxyException.php
rename to include/phpCAS/CAS/OutOfSequenceBeforeProxyException.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/OutOfSequenceException.php b/include/phpCAS/CAS/OutOfSequenceException.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/OutOfSequenceException.php
rename to include/phpCAS/CAS/OutOfSequenceException.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/PGTStorage/AbstractStorage.php b/include/phpCAS/CAS/PGTStorage/AbstractStorage.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/PGTStorage/AbstractStorage.php
rename to include/phpCAS/CAS/PGTStorage/AbstractStorage.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/PGTStorage/Db.php b/include/phpCAS/CAS/PGTStorage/Db.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/PGTStorage/Db.php
rename to include/phpCAS/CAS/PGTStorage/Db.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/PGTStorage/File.php b/include/phpCAS/CAS/PGTStorage/File.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/PGTStorage/File.php
rename to include/phpCAS/CAS/PGTStorage/File.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/ProxiedService.php b/include/phpCAS/CAS/ProxiedService.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/ProxiedService.php
rename to include/phpCAS/CAS/ProxiedService.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/ProxiedService/Abstract.php b/include/phpCAS/CAS/ProxiedService/Abstract.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/ProxiedService/Abstract.php
rename to include/phpCAS/CAS/ProxiedService/Abstract.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/ProxiedService/Exception.php b/include/phpCAS/CAS/ProxiedService/Exception.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/ProxiedService/Exception.php
rename to include/phpCAS/CAS/ProxiedService/Exception.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/ProxiedService/Http.php b/include/phpCAS/CAS/ProxiedService/Http.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/ProxiedService/Http.php
rename to include/phpCAS/CAS/ProxiedService/Http.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/ProxiedService/Http/Abstract.php b/include/phpCAS/CAS/ProxiedService/Http/Abstract.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/ProxiedService/Http/Abstract.php
rename to include/phpCAS/CAS/ProxiedService/Http/Abstract.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/ProxiedService/Http/Get.php b/include/phpCAS/CAS/ProxiedService/Http/Get.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/ProxiedService/Http/Get.php
rename to include/phpCAS/CAS/ProxiedService/Http/Get.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/ProxiedService/Http/Post.php b/include/phpCAS/CAS/ProxiedService/Http/Post.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/ProxiedService/Http/Post.php
rename to include/phpCAS/CAS/ProxiedService/Http/Post.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/ProxiedService/Imap.php b/include/phpCAS/CAS/ProxiedService/Imap.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/ProxiedService/Imap.php
rename to include/phpCAS/CAS/ProxiedService/Imap.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/ProxiedService/Testable.php b/include/phpCAS/CAS/ProxiedService/Testable.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/ProxiedService/Testable.php
rename to include/phpCAS/CAS/ProxiedService/Testable.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/ProxyChain.php b/include/phpCAS/CAS/ProxyChain.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/ProxyChain.php
rename to include/phpCAS/CAS/ProxyChain.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/ProxyChain/AllowedList.php b/include/phpCAS/CAS/ProxyChain/AllowedList.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/ProxyChain/AllowedList.php
rename to include/phpCAS/CAS/ProxyChain/AllowedList.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/ProxyChain/Any.php b/include/phpCAS/CAS/ProxyChain/Any.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/ProxyChain/Any.php
rename to include/phpCAS/CAS/ProxyChain/Any.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/ProxyChain/Interface.php b/include/phpCAS/CAS/ProxyChain/Interface.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/ProxyChain/Interface.php
rename to include/phpCAS/CAS/ProxyChain/Interface.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/ProxyChain/Trusted.php b/include/phpCAS/CAS/ProxyChain/Trusted.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/ProxyChain/Trusted.php
rename to include/phpCAS/CAS/ProxyChain/Trusted.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/ProxyTicketException.php b/include/phpCAS/CAS/ProxyTicketException.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/ProxyTicketException.php
rename to include/phpCAS/CAS/ProxyTicketException.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/Request/AbstractRequest.php b/include/phpCAS/CAS/Request/AbstractRequest.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/Request/AbstractRequest.php
rename to include/phpCAS/CAS/Request/AbstractRequest.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/Request/CurlMultiRequest.php b/include/phpCAS/CAS/Request/CurlMultiRequest.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/Request/CurlMultiRequest.php
rename to include/phpCAS/CAS/Request/CurlMultiRequest.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/Request/CurlRequest.php b/include/phpCAS/CAS/Request/CurlRequest.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/Request/CurlRequest.php
rename to include/phpCAS/CAS/Request/CurlRequest.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/Request/Exception.php b/include/phpCAS/CAS/Request/Exception.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/Request/Exception.php
rename to include/phpCAS/CAS/Request/Exception.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/Request/MultiRequestInterface.php b/include/phpCAS/CAS/Request/MultiRequestInterface.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/Request/MultiRequestInterface.php
rename to include/phpCAS/CAS/Request/MultiRequestInterface.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/Request/RequestInterface.php b/include/phpCAS/CAS/Request/RequestInterface.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/Request/RequestInterface.php
rename to include/phpCAS/CAS/Request/RequestInterface.php
diff --git a/include/limesurvey/admin/classes/phpCAS/CAS/TypeMismatchException.php b/include/phpCAS/CAS/TypeMismatchException.php
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/CAS/TypeMismatchException.php
rename to include/phpCAS/CAS/TypeMismatchException.php
diff --git a/include/limesurvey/admin/classes/phpCAS/LICENSE b/include/phpCAS/LICENSE
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/LICENSE
rename to include/phpCAS/LICENSE
diff --git a/include/limesurvey/admin/classes/phpCAS/NOTICE b/include/phpCAS/NOTICE
similarity index 100%
rename from include/limesurvey/admin/classes/phpCAS/NOTICE
rename to include/phpCAS/NOTICE
diff --git a/include/limesurvey/admin/classes/phpCAS/README.md b/include/phpCAS/README.md similarity index 100% rename from include/limesurvey/admin/classes/phpCAS/README.md rename to include/phpCAS/README.md diff --git a/include/limesurvey/admin/classes/core/sha256.php b/include/sha256.php similarity index 100% rename from include/limesurvey/admin/classes/core/sha256.php rename to include/sha256.php diff --git a/login.php b/login.php new file mode 100644 index 00000000..48f007d9 --- /dev/null +++ b/login.php @@ -0,0 +1,11 @@ +".$clang->gT("Data for username and one time password was received but the usage of one time passwords is disabled at your configuration settings. Please add the following line to config.php to enable one time passwords: ")."
"; + $loginsummary .= '
$use_one_time_passwords = true;
'; + $loginsummary .= "

".$clang->gT("Continue")."
 \n"; + } + //Data was passed, using one time passwords is enabled + else + { + //check if user exists in DB + $query = "SELECT uid, users_name, password, one_time_pw, dateformat, full_name, htmleditormode, questionselectormode, templateeditormode FROM ".db_table_name('users')." WHERE users_name=".$connect->qstr($user); + $ADODB_FETCH_MODE = ADODB_FETCH_ASSOC; //Checked + $result = $connect->SelectLimit($query, 1) or safe_die ($query."
".$connect->ErrorMsg()); + if(!$result) + { + echo "
".$connect->ErrorMsg(); + } + if ($result->RecordCount() < 1) + { + // wrong or unknown username + $loginsummary = sprintf($clang->gT("No one-time password found for user %s"),htmlspecialchars($user))."
"; + if ($sessionhandler=='db') + { + adodb_session_regenerate_id(); + } + else + { + session_regenerate_id(); + } + } + else + { + //get one time pw from db + $srow = $result->FetchRow(); + $otpw = $srow['one_time_pw']; + + //check if passed password and one time password from database DON'T match + if($pw != $otpw) + { + //no match -> warning + $loginsummary = "

".$clang->gT("Passed single-use password was wrong or user doesn't exist")."
"; + $loginsummary .= "

".$clang->gT("Continue")."
 \n"; + } + //both passwords match + else + { + + //delete one time password in database + $uquery = "UPDATE ".db_table_name('users')." + SET one_time_pw='' + WHERE users_name='".db_quote($user)."'"; + + $uresult = $connect->Execute($uquery); + + //data necessary for following functions + $_SESSION['user'] = $srow['users_name']; + $_SESSION['checksessionpost'] = sRandomChars(10); + $_SESSION['loginID'] = $srow['uid']; + $_SESSION['dateformat'] = $srow['dateformat']; + $_SESSION['htmleditormode'] = $srow['htmleditormode']; + $_SESSION['questionselectormode'] = $srow['questionselectormode']; + $_SESSION['templateeditormode'] = $srow['templateeditormode']; + $_SESSION['full_name'] = $srow['full_name']; + GetSessionUserRights($_SESSION['loginID']); + + // Check if the user has changed his default password + if (strtolower($srow['password'])=='password') + { + $_SESSION['pw_notify']=true; + $_SESSION['flashmessage']=$clang->gT("Warning: You are still using the default password ('password'). Please change your password and re-login again."); + } + else + { + $_SESSION['pw_notify']=false; + } + + //delete passed information + unset($_GET['user']); + unset($_GET['onepass']); + + } //else -> passwords match + + } //else -> password found + + } //else -> one time passwords enabled + + } //else -> one time passwords set + +} //else -> data was passed by URL + + + + + +// check data for login +if( isset($_POST['user']) && isset($_POST['password']) || +($action == "forgotpass") || ($action == "login") || +($action == "logout") || +($useWebserverAuth === true && !isset($_SESSION['loginID'])) ) +{ + include("usercontrol.php"); +} + + + + +// login form +if(!isset($_SESSION['loginID']) && $action != "forgotpass" && ($action != "logout" || ($action == "logout" && !isset($_SESSION['loginID'])))) // && $action != "login") // added by Dennis +{ + if($action == "forgotpassword") + { + $loginsummary = ' + +

+'; + } + elseif (!isset($loginsummary)) + { // could be at login or after logout + $refererargs=''; // If this is a direct access to admin.php, no args are given + // If we are called from a link with action and other args set, get them + if (isset($_SERVER['QUERY_STRING']) && $_SERVER['QUERY_STRING']) + { + $refererargs = html_escape($_SERVER['QUERY_STRING']); + } + + + + + + + + //include("database.php"); + $sIp = getIPAddress(); + $query = "SELECT * FROM ".db_table_name('failed_login_attempts'). " WHERE ip='$sIp';"; + $ADODB_FETCH_MODE = ADODB_FETCH_ASSOC; + $result = $connect->query($query) or safe_die ($query."
".$connect->ErrorMsg()); + $bCannotLogin = false; + $intNthAttempt = 0; + if ($result!==false && $result->RecordCount() >= 1) + { + $field = $result->FetchRow(); + $intNthAttempt = $field['number_attempts']; + if ($intNthAttempt>=$maxLoginAttempt){ + $bCannotLogin = true; + } + + $iLastAttempt = strtotime($field['last_attempt']); + + if (time() > $iLastAttempt + $timeOutTime){ + $bCannotLogin = false; + $query = "DELETE FROM ".db_table_name('failed_login_attempts'). " WHERE ip='$sIp';"; + $result = $connect->query($query) or safe_die ($query."
".$connect->ErrorMsg()); + } + + } + $loginsummary =""; + if (!$bCannotLogin) + { + if (!isset($logoutsummary)) + { + $loginsummary = "
"; + $loginsummary .= " \n"; + } +} diff --git a/login_check_cas.php b/login_check_cas.php new file mode 100644 index 00000000..c03c55c4 --- /dev/null +++ b/login_check_cas.php @@ -0,0 +1,115 @@ +qstr(phpCAS::getUser()); + $ADODB_FETCH_MODE = ADODB_FETCH_ASSOC; //Checked + $result = $connect->SelectLimit($query, 1) or safe_die ($query."
".$connect->ErrorMsg()); + if(!$result) + { + echo "
".$connect->ErrorMsg(); + } + if ($result->RecordCount() < 1) + { + // wrong or unknown username + $loginsummary = sprintf($clang->gT("No user"))."
"; + if ($sessionhandler=='db') + { + adodb_session_regenerate_id(); + } + else + { + session_regenerate_id(); + } + } + else + { + + $srow = $result->FetchRow(); + $_SESSION['user'] = $srow['users_name']; + $_SESSION['checksessionpost'] = sRandomChars(10); + $_SESSION['loginID'] = $srow['uid']; + $_SESSION['dateformat'] = $srow['dateformat']; + $_SESSION['htmleditormode'] = $srow['htmleditormode']; + $_SESSION['questionselectormode'] = $srow['questionselectormode']; + $_SESSION['templateeditormode'] = $srow['templateeditormode']; + $_SESSION['full_name'] = $srow['full_name']; + GetSessionUserRights($_SESSION['loginID']); + + $auth = TRUE; + $_SESSION['CASauthenticated'] = $auth; + + //go to queXS + $loc = ""; + if ($_SESSION['USER_RIGHT_SUPERADMIN'] == 1) + $loc = "admin"; + else + { + $utest = $connect->GetOne("SELECT username FROM client WHERE username = '" . $_SESSION['user'] . "'"); + if (!empty($utest)) + $loc = "client"; + } + header('Location: ' . QUEXS_URL . $loc); + die(); + + } + + } + else + { + $auth = FALSE; + $_SESSION['CASauthenticated'] = $auth; + } + + } + +} + +?> diff --git a/usercontrol.php b/usercontrol.php new file mode 100644 index 00000000..b3a716df --- /dev/null +++ b/usercontrol.php @@ -0,0 +1,907 @@ +".$clang->gT("Forgot password")."
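Review bot: The CAS success branch in login_check_cas.php writes `$_SESSION['user']`, `$_SESSION['loginID']` and the user rights into the existing session without regenerating its id — only the "No user" branch calls `session_regenerate_id()` — so a session id fixed before the CAS redirect stays valid after authentication. Move the `$sessionhandler=='db'` / `adodb_session_regenerate_id()` / `session_regenerate_id()` choice ahead of the `$_SESSION[...]` assignments, as the password login in usercontrol.php does. The role lookup also interpolates the stored user name unquoted, `SELECT username FROM client WHERE username = '" . $_SESSION['user'] . "'`; user names are inserted with db_quote elsewhere in this commit and may contain a quote, so use `$connect->qstr($_SESSION['user'])` as the phpCAS::getUser() lookup above it already does. The file's opening lines are garbled in this view, so the phpCAS client setup preceding the lookup could not be checked.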
\n"; + + if (isset($postuser) && isset($postemail)) + { + include("database.php"); + $emailaddr = $postemail; + $query = "SELECT users_name, password, uid FROM ".db_table_name('users')." WHERE users_name=".$connect->qstr($postuser)." AND email=".$connect->qstr($emailaddr); + $result = db_select_limit_assoc($query, 1) or safe_die ($query."
".$connect->ErrorMsg()); // Checked + + if ($result->RecordCount() < 1) + { + // wrong or unknown username and/or email + $loginsummary .= "
".$clang->gT("User name and/or email not found!")."
"; + $loginsummary .= "

".$clang->gT("Continue")."
 \n"; + } + else + { + $fields = $result->FetchRow(); + + // send Mail + $new_pass = createPassword(); + $body = sprintf($clang->gT("Your user data for accessing %s"),$sitename). "
\n";; + $body .= $clang->gT("Username") . ": " . $fields['users_name'] . "
\n"; + $body .= $clang->gT("New password") . ": " . $new_pass . "
\n"; + + $subject = $clang->gT("User data","unescaped"); + $to = $emailaddr; + $from = $siteadminemail; + + + if(SendEmailMessage(null, $body, $subject, $to, $from, $sitename, false,$siteadminbounce)) + { + $query = "UPDATE ".db_table_name('users')." SET password='".SHA256::hashing($new_pass)."' WHERE uid={$fields['uid']}"; + $connect->Execute($query); //Checked + $loginsummary .= "
".$clang->gT("Username").": {$fields['users_name']}
".$clang->gT("Email").": {$emailaddr}
"; + $loginsummary .= "
".$clang->gT("An email with your login data was sent to you."); + $loginsummary .= "

".$clang->gT("Continue")."
 \n"; + } + else + { + $tmp = str_replace("{NAME}", "".$fields['users_name']."", $clang->gT("Email to {NAME} ({EMAIL}) failed.")); + $loginsummary .= "
".str_replace("{EMAIL}", $emailaddr, $tmp) . "
"; + $loginsummary .= "

".$clang->gT("Continue")."
 \n"; + } + } + } + } + elseif($action == "login" && $useWebserverAuth === false) // normal login + { + $loginsummary = ''; + + if (isset($postuser) && isset($_POST['password'])) + { + include("database.php"); + + $sIp = getIPAddress(); + $query = "SELECT * FROM ".db_table_name('failed_login_attempts'). " WHERE ip='$sIp';"; + $ADODB_FETCH_MODE = ADODB_FETCH_ASSOC; + $result = $connect->query($query); + $bLoginAttempted = false; + $bCannotLogin = false; + + $intNthAttempt = 0; + if ($result!==false && $result->RecordCount() >= 1) + { + $bLoginAttempted = true; + $field = $result->FetchRow(); + $intNthAttempt = $field['number_attempts']; + if ($intNthAttempt>=$maxLoginAttempt){ + $bCannotLogin = true; + } + + $iLastAttempt = strtotime($field['last_attempt']); + + if (time() > $iLastAttempt + $timeOutTime){ + $bCannotLogin = false; + $query = "DELETE FROM ".db_table_name('failed_login_attempts'). " WHERE ip='$sIp';"; + $result = $connect->query($query) or safe_die ($query."
".$connect->ErrorMsg()); + + } + + } + if(!$bCannotLogin){ + $query = "SELECT * FROM ".db_table_name('users')." WHERE users_name=".$connect->qstr($postuser); + + $result = $connect->SelectLimit($query, 1) or safe_die ($query."
".$connect->ErrorMsg()); + if ($result->RecordCount() < 1) + { + $query = fGetLoginAttemptUpdateQry($bLoginAttempted,$sIp); + + $result = $connect->Execute($query) or safe_die ($query."
".$connect->ErrorMsg());; + if ($result) + { + // wrong or unknown username + $loginsummary .= "

".$clang->gT("Incorrect username and/or password!")."


"; + if ($intNthAttempt+1>=$maxLoginAttempt) + $loginsummary .= sprintf($clang->gT("You have exceeded you maximum login attempts. Please wait %d minutes before trying again"),($timeOutTime/60))."
"; + $loginsummary .= "
".$clang->gT("Continue")."
 \n"; + } + + + } + else + { + $fields = $result->FetchRow(); + if (SHA256::hashing($_POST['password']) == $fields['password']) + { + // Anmeldung ERFOLGREICH + if (strtolower($_POST['password'])=='password') + { + $_SESSION['pw_notify']=true; + $_SESSION['flashmessage']=$clang->gT("Warning: You are still using the default password ('password'). Please change your password and re-login again."); + } + else + { + $_SESSION['pw_notify']=false; + } // Check if the user has changed his default password + + if ($sessionhandler=='db') + { + adodb_session_regenerate_id(); + } + else + { + session_regenerate_id(); + + } + $_SESSION['loginID'] = intval($fields['uid']); + $_SESSION['user'] = $fields['users_name']; + $_SESSION['full_name'] = $fields['full_name']; + $_SESSION['htmleditormode'] = $fields['htmleditormode']; + $_SESSION['questionselectormode'] = $fields['questionselectormode']; + $_SESSION['templateeditormode'] = $fields['templateeditormode']; + $_SESSION['dateformat'] = $fields['dateformat']; + // Compute a checksession random number to test POSTs + $_SESSION['checksessionpost'] = sRandomChars(10); + if (isset($postloginlang) && $postloginlang!='default') + { + $_SESSION['adminlang'] = $postloginlang; + $clang = new limesurvey_lang($postloginlang); + $uquery = "UPDATE {$dbprefix}users " + . "SET lang='{$postloginlang}' " + . 
"WHERE uid={$_SESSION['loginID']}"; + $uresult = $connect->Execute($uquery); // Checked + } + else + { + + if ( $fields['lang']=='auto' && isset( $_SERVER["HTTP_ACCEPT_LANGUAGE"] ) ) + { + $browlang=strtolower( $_SERVER["HTTP_ACCEPT_LANGUAGE"] ); + $browlang=str_replace(' ', '', $browlang); + $browlang=explode( ",", $browlang); + $browlang=$browlang[0]; + $browlang=explode( ";", $browlang); + $browlang=$browlang[0]; + $check=0; + $value=26; + if ($browlang!="zh-hk" && $browlang!="zh-tw" && $browlang!="es-mx" && $browlang!="pt-br") + { + $browlang=explode( "-",$browlang); + $browlang=$browlang[0]; + } + $_SESSION['adminlang']=$browlang; + } + else + { + $_SESSION['adminlang'] = $fields['lang']; + } + $clang = new limesurvey_lang($_SESSION['adminlang']); + } + $login = true; + + $loginsummary .= "
\n"; + $loginsummary .= "
" . $clang->gT("Logged in") . "
"; + $loginsummary .= "
".sprintf($clang->gT("Welcome %s!"),$_SESSION['full_name'])."
 "; + $loginsummary .= "
\n"; + + if (isset($_POST['refererargs']) && $_POST['refererargs'] && + strpos($_POST['refererargs'], "action=logout") === FALSE) + { + require_once("../classes/inputfilter/class.inputfilter_clean.php"); + $myFilter = new InputFilter('','',1,1,1); + // Prevent XSS attacks + $sRefererArg=$myFilter->process($_POST['refererargs']); + $_SESSION['metaHeader']=""; + $loginsummary .= "

".$clang->gT("Reloading screen. Please wait.")."\n"; + } + $loginsummary .= "

\n"; + GetSessionUserRights($_SESSION['loginID']); + + //go to queXS + $loc = ""; + if ($_SESSION['USER_RIGHT_SUPERADMIN'] == 1) + $loc = "admin"; + else + { + $utest = $connect->GetOne("SELECT username FROM client WHERE username = '" . $_SESSION['user'] . "'"); + if (!empty($utest)) + $loc = "client"; + } + header('Location: ' . QUEXS_URL . $loc); + die(); + } + else + { + $query = fGetLoginAttemptUpdateQry($bLoginAttempted,$sIp); + + $result = $connect->Execute($query) or safe_die ($query."
".$connect->ErrorMsg());; + if ($result) + { + // wrong or unknown username + $loginsummary .= "

".$clang->gT("Incorrect username and/or password!")."
"; + if ($intNthAttempt+1>=$maxLoginAttempt) + $loginsummary .= sprintf($clang->gT("You have exceeded you maximum login attempts. Please wait %d minutes before trying again"),($timeOutTime/60))."
"; + $loginsummary .= "
".$clang->gT("Continue")."
 \n"; + } + + } + } + + } + else{ + $loginsummary .= "

".sprintf($clang->gT("You have exceeded you maximum login attempts. Please wait %d minutes before trying again"),($timeOutTime/60))."
"; + $loginsummary .= "
".$clang->gT("Continue")."
 \n"; + } + } + } + elseif($useWebserverAuth === true && !isset($_SERVER['PHP_AUTH_USER'])) // LimeSurvey expects webserver auth but it has not been achieved + { + $loginsummary .= "
".$clang->gT("LimeSurvey is setup to use the webserver authentication, but it seems you have not already been authenticated")."
"; + $loginsummary .= "

".$clang->gT("Please contact your system administrator")."
 \n"; + } + elseif($useWebserverAuth === true && isset($_SERVER['PHP_AUTH_USER'])) // normal login through webserver authentication + { + $action = 'login'; + // we'll include database.php + // we need to unset surveyid + // that could be set if the user clicked on + // a link with all params before first auto-login + unset($surveyid); + + $loginsummary = ''; + // getting user name, optionnally mapped + if (isset($userArrayMap) && is_array($userArrayMap) && + isset($userArrayMap[$_SERVER['PHP_AUTH_USER']])) + { + $mappeduser=$userArrayMap[$_SERVER['PHP_AUTH_USER']]; + } + else + { + $mappeduser=$_SERVER['PHP_AUTH_USER']; + } + + include("database.php"); + $query = "SELECT uid, users_name, password, parent_id, email, lang, htmleditormode, questionselectormode, templateeditormode, dateformat FROM ".db_table_name('users')." WHERE users_name=".$connect->qstr($mappeduser); + $ADODB_FETCH_MODE = ADODB_FETCH_ASSOC; //Checked + $result = $connect->SelectLimit($query, 1) or safe_die ($query."
".$connect->ErrorMsg()); + if ($result->RecordCount() < 1) + { + // In case the hook function is defined + // overrite the default auto-import profile + // by this function's result + if (function_exists("hook_get_autouserprofile")) + { + // If defined this function returns an array + // describing the defaukt profile for this user + $WebserverAuth_autouserprofile = hook_get_autouserprofile($mappeduser); + } + + if (isset($WebserverAuth_autocreateUser) && + $WebserverAuth_autocreateUser === true && + isset($WebserverAuth_autouserprofile) && + is_array ($WebserverAuth_autouserprofile) && + count($WebserverAuth_autouserprofile) > 0 ) + { // user doesn't exist but auto-create user is set + $isAuthenticated=false; + $new_pass = createPassword(); + + $uquery = "INSERT INTO {$dbprefix}users " + ."(users_name, password,full_name,parent_id,lang,email,create_survey,create_user,delete_user,superadmin,configurator,manage_template,manage_label) " + ."VALUES (" + . $connect->qstr($mappeduser).", " + . "'".SHA256::hashing($new_pass)."', " + . "'".db_quote($WebserverAuth_autouserprofile['full_name'])."', " + . getInitialAdmin_uid()." , " + . "'".$WebserverAuth_autouserprofile['lang']."', " + . "'".db_quote($WebserverAuth_autouserprofile['email'])."', " + . intval($WebserverAuth_autouserprofile['create_survey'])."," + . intval($WebserverAuth_autouserprofile['create_user'])."," + . intval($WebserverAuth_autouserprofile['delete_user'])."," + . intval($WebserverAuth_autouserprofile['superadmin'])."," + . intval($WebserverAuth_autouserprofile['configurator'])."," + . intval($WebserverAuth_autouserprofile['manage_template'])."," + . 
intval($WebserverAuth_autouserprofile['manage_label']) + .")"; + + $uresult = $connect->Execute($uquery); //Checked + if ($uresult) + { + $isAuthenticated=true; + $newqid = $connect->Insert_ID("{$dbprefix}users","uid"); + $arrayTemplates=explode(",",$WebserverAuth_autouserprofile['templatelist']); + foreach ($arrayTemplates as $tplname) + { + $template_query = "INSERT INTO {$dbprefix}templates_rights VALUES('$newqid','$tplname','1')"; + $connect->Execute($template_query); //Checked + } + + // read again user from newly created entry + $result = $connect->SelectLimit($query, 1) or safe_die ($query."
".$connect->ErrorMsg());//Checked + } + else + { + $loginsummary .= "
".$clang->gT("Auto-import of user failed!")."
"; + $loginsummary .= "

".$clang->gT("Continue")."
 \n"; + $isAuthenticated=false; + } + + } + else + { + $query = fGetLoginAttemptUpdateQry($bLoginAttempted,$sIp); + + $result = $connect->Execute($query) or safe_die ($query."
".$connect->ErrorMsg());; + if ($result) + { + // wrong or unknown username + $loginsummary .= "

".$clang->gT("Incorrect username and/or password!")."
"; + if ($intNthAttempt+1>=$maxLoginAttempt) + $loginsummary .= sprintf($clang->gT("You have exceeded you maximum login attempts. Please wait %d minutes before trying again"),($timeOutTime/60))."
"; + $loginsummary .= "
".$clang->gT("Continue")."
 \n"; + } + $isAuthenticated=false; + } + + } + else + { // User already exists + $isAuthenticated=true; + } + + if ($isAuthenticated ===true) + { // user exists and was authenticated by webserver + $fields = $result->FetchRow(); + + $_SESSION['loginID'] = intval($fields['uid']); + $_SESSION['user'] = $fields['users_name']; + $_SESSION['adminlang'] = $fields['lang']; + $_SESSION['htmleditormode'] = $fields['htmleditormode']; + $_SESSION['questionselectormode'] = $fields['questionselectormode']; + $_SESSION['templateeditormode'] = $fields['templateeditormode']; + $_SESSION['dateformat'] = $fields['dateformat']; + $_SESSION['checksessionpost'] = sRandomChars(10); + $_SESSION['pw_notify']=false; + $clang = new limesurvey_lang($_SESSION['adminlang']); + $login = true; + + $loginsummary .= "
" .sprintf($clang->gT("Welcome %s!"),$_SESSION['user']) . "
"; + $loginsummary .= $clang->gT("You logged in successfully."); + + if (isset($_SERVER['QUERY_STRING']) && $_SERVER['QUERY_STRING'] && + strpos($_SERVER['QUERY_STRING'], "action=logout") === FALSE) + { + $_SESSION['metaHeader']=""; + $loginsummary .= "

".$clang->gT("Reloading screen. Please wait.")."\n"; + } + $loginsummary .= "

\n"; + GetSessionUserRights($_SESSION['loginID']); + } + } +} +elseif ($action == "logout") +{ + killSession(); + $logoutsummary = '

'.$clang->gT("Logout successful."); +} + +elseif ($action == "adduser" && $_SESSION['USER_RIGHT_CREATE_USER']) +{ + $addsummary = "

".$clang->gT("Add user")."
\n"; + + $new_user = FlattenText($postnew_user,true); + $new_email = FlattenText($postnew_email,true); + $new_full_name = FlattenText($postnew_full_name,true); + + $valid_email = true; + if(!validate_email($new_email)) + { + $valid_email = false; + $addsummary .= "
".$clang->gT("Failed to add user")."

\n" . " " . $clang->gT("The email address is not valid.")."
\n"; + } + if(empty($new_user)) + { + if($valid_email) $addsummary .= "
".$clang->gT("Failed to add user")."
\n" . " "; + $addsummary .= $clang->gT("A username was not supplied or the username is invalid.")."
\n"; + } + elseif($valid_email) + { + $new_pass = createPassword(); + $uquery = "INSERT INTO {$dbprefix}users (users_name, password,full_name,parent_id,lang,email,create_survey,create_user,delete_user,superadmin,configurator,manage_template,manage_label) + VALUES ('".db_quote($new_user)."', '".SHA256::hashing($new_pass)."', '".db_quote($new_full_name)."', {$_SESSION['loginID']}, 'auto', '".db_quote($new_email)."',0,0,0,0,0,0,0)"; + $uresult = $connect->Execute($uquery); //Checked + + if($uresult) + { + $newqid = $connect->Insert_ID("{$dbprefix}users","uid"); + + // add default template to template rights for user + $template_query = "INSERT INTO {$dbprefix}templates_rights VALUES('$newqid','default','1')"; + $connect->Execute($template_query); //Checked + + // add new user to userlist + $squery = "SELECT uid, users_name, password, parent_id, email, create_survey, configurator, create_user, delete_user, superadmin, manage_template, manage_label FROM ".db_table_name('users')." WHERE uid='{$newqid}'"; //added by Dennis + $sresult = db_execute_assoc($squery);//Checked + $srow = $sresult->FetchRow(); + $userlist = getuserlist(); + array_push($userlist, array("user"=>$srow['users_name'], "uid"=>$srow['uid'], "email"=>$srow['email'], + "password"=>$srow["password"], "parent_id"=>$srow['parent_id'], // "level"=>$level, + "create_survey"=>$srow['create_survey'], "configurator"=>$srow['configurator'], "create_user"=>$srow['create_user'], + "delete_user"=>$srow['delete_user'], "superadmin"=>$srow['superadmin'], "manage_template"=>$srow['manage_template'], + "manage_label"=>$srow['manage_label'])); + + // send Mail + $body = sprintf($clang->gT("Hello %s,",'unescaped'), $new_full_name)."

\n"; + $body .= sprintf($clang->gT("this is an automated email to notify that a user has been created for you on the site '%s'.",'unescaped'), $sitename)."

\n"; + $body .= $clang->gT("You can use now the following credentials to log into the site:",'unescaped')."
\n"; + $body .= $clang->gT("Username",'unescaped') . ": " . $new_user . "
\n"; + if ($useWebserverAuth === false) + { // authent is not delegated to web server + // send password (if authorized by config) + if ($display_user_password_in_email === true) + { + $body .= $clang->gT("Password",'unescaped') . ": " . $new_pass . "
\n"; + } + else + { + $body .= $clang->gT("Password",'unescaped') . ": " . $clang->gT("Please ask your LimeSurvey administrator for your password.") . "
\n"; + } + } + + $body .= "".$clang->gT("Click here to log in.",'unescaped')."

\n"; + $body .= sprintf($clang->gT('If you have any questions regarding this mail please do not hesitate to contact the site administrator at %s. Thank you!','unescaped'),$siteadminemail)."
\n"; + + $subject = sprintf($clang->gT("User registration at '%s'","unescaped"),$sitename); + $to = $new_user." <$new_email>"; + $from = $siteadminname." <$siteadminemail>"; + $addsummary .="
"; + if(SendEmailMessage(null, $body, $subject, $to, $from, $sitename, true, $siteadminbounce)) + { + $addsummary .= "
".$clang->gT("Username").": $new_user
".$clang->gT("Email").": $new_email
"; + $addsummary .= "
".$clang->gT("An email with a generated password was sent to the user."); + } + else + { + // has to be sent again or no other way + $tmp = str_replace("{NAME}", "".$new_user."", $clang->gT("Email to {NAME} ({EMAIL}) failed.")); + $addsummary .= "
".str_replace("{EMAIL}", $new_email, $tmp) . "
"; + } + + $addsummary .= "
\t\t\t
" + ."" + ."" + ."" + ."" + ."
"; + } + else{ + $addsummary .= "
".$clang->gT("Failed to add user")."

\n" . " " . $clang->gT("The user name already exists.")."
\n"; + } + } + $addsummary .= "

gT("Continue")."\"/>

\n"; +} + +elseif (($action == "deluser" || $action == "finaldeluser") && ($_SESSION['USER_RIGHT_SUPERADMIN'] == 1 || $_SESSION['USER_RIGHT_DELETE_USER'] )) +{ + $addsummary = "
".$clang->gT("Deleting user")."
\n"; + $addsummary .= "
\n";
+
+ // CAN'T DELETE ORIGINAL SUPERADMIN
+ // Initial SuperAdmin has parent_id == 0
+ $adminquery = "SELECT uid FROM {$dbprefix}users WHERE parent_id=0";
+ $adminresult = db_select_limit_assoc($adminquery, 1);//Checked
+ $row=$adminresult->FetchRow();
+
+ if($row['uid'] == $postuserid) // it's the original superadmin !!!
+ {
+ $addsummary .= "
".$clang->gT("Initial Superadmin cannot be deleted!")."
\n";
+ }
+ else
+ {
+ if (isset($postuserid))
+ {
+ $sresultcount = 0;// 1 if I am parent of $postuserid
+ if ($_SESSION['USER_RIGHT_SUPERADMIN'] != 1)
+ {
+ $squery = "SELECT uid FROM {$dbprefix}users WHERE uid=$postuserid AND parent_id=".$_SESSION['loginID'];
+ $sresult = $connect->Execute($squery); //Checked
+ $sresultcount = $sresult->RecordCount();
+ }
+
+ if ($_SESSION['USER_RIGHT_SUPERADMIN'] == 1 || $sresultcount > 0 || $postuserid == $_SESSION['loginID'])
+ {
+ $transfer_surveys_to = 0;
+ $query = "SELECT users_name, uid FROM ".db_table_name('users').";";
+ $result = db_execute_assoc($query) or safe_die($connect->ErrorMsg());
+
+ $current_user = $_SESSION['loginID'];
+ if($result->RecordCount() == 2) {
+
+ $action = "finaldeluser";
+ while($rows = $result->FetchRow()){
+ $intUid = $rows['uid'];
+ $selected = '';
+ if ($intUid == $current_user)
+ $selected = " selected='selected'";
+
+ if ($postuserid != $intUid)
+ $transfer_surveys_to = $intUid;
+ }
+ }
+
+ $query = "SELECT sid FROM ".db_table_name('surveys')." WHERE owner_id = $postuserid ;";
+ $result = db_execute_assoc($query) or safe_die($connect->ErrorMsg());
+ if($result->RecordCount() == 0) {
+ $action = "finaldeluser";
+ }
+
+ if ($action=="finaldeluser")
+ {
+ if (isset($_POST['transfer_surveys_to'])) {$transfer_surveys_to=sanitize_int($_POST['transfer_surveys_to']);}
+ if ($transfer_surveys_to > 0){
+ $query = "UPDATE ".db_table_name('surveys')." SET owner_id = $transfer_surveys_to WHERE owner_id=$postuserid";
+ $result = db_execute_assoc($query) or safe_die($connect->ErrorMsg());
+ }
+ $squery = "SELECT parent_id FROM {$dbprefix}users WHERE uid=".$postuserid;
+ $sresult = $connect->Execute($squery); //Checked
+ $fields = $sresult->FetchRow($sresult);
+
+ if (isset($fields[0]))
+ {
+ $uquery = "UPDATE ".db_table_name('users')." 
SET parent_id={$fields[0]} WHERE parent_id=".$postuserid; // added by Dennis
+ $uresult = $connect->Execute($uquery); //Checked
+ }
+
+ //DELETE USER FROM TABLE
+ $dquery="DELETE FROM {$dbprefix}users WHERE uid=".$postuserid; // added by Dennis
+ $dresult=$connect->Execute($dquery); //Checked
+
+ // Delete user rights
+ $dquery="DELETE FROM {$dbprefix}survey_permissions WHERE uid=".$postuserid;
+ $dresult=$connect->Execute($dquery); //Checked
+
+ if($postuserid == $_SESSION['loginID'])
+ {
+ killSession(); // user deleted himself
+ header( "Location: " . $homeurl . "/admin.php");
+ die();
+ }
+
+ $addsummary .= "
".$clang->gT("Username").": {$postuser}

\n";
+ $addsummary .= "
".$clang->gT("Success!")."
\n";
+ if ($transfer_surveys_to>0){
+ $sTransferred_to = getUserNameFromUid($transfer_surveys_to);
+ $addsummary .= sprintf($clang->gT("All of the user's surveys were transferred to %s."),$sTransferred_to);
+ }
+ $addsummary .= "
gT("Continue")."\"/>\n";
+ }
+ else
+ {
+ $current_user = $_SESSION['loginID'];
+ $addsummary .= "
".$clang->gT("Transfer the user's surveys to: ")."\n";
+ $addsummary .= "
";
+ $addsummary .= "";
+ $addsummary .= "

";
+ $addsummary .= "
";
+ }
+
+ }
+ else
+ {
+ include("access_denied.php");
+ }
+ }
+ else
+ {
+ $addsummary .= "
".$clang->gT("Could not delete user. User was not supplied.")."
\n";
+ $addsummary .= "
gT("Continue")."\"/>\n";
+ }
+ }
+ $addsummary .= "
\n";
+}
+
+
+
+elseif ($action == "moduser")
+{
+ $addsummary = "
".$clang->gT("Editing user")."
\n";
+ $addsummary .= "
\n";
+
+ $squery = "SELECT uid FROM {$dbprefix}users WHERE uid=$postuserid AND parent_id=".$_SESSION['loginID'];
+ $sresult = $connect->Execute($squery); //Checked
+ $sresultcount = $sresult->RecordCount();
+
+ if(($_SESSION['USER_RIGHT_SUPERADMIN'] == 1 || $postuserid == $_SESSION['loginID'] ||
+ ($sresultcount > 0 && $_SESSION['USER_RIGHT_CREATE_USER'])) && !($demoModeOnly == true && $postuserid == 1)
+ )
+ {
+ $users_name = html_entity_decode($postuser, ENT_QUOTES, 'UTF-8');
+ $email = html_entity_decode($postemail,ENT_QUOTES, 'UTF-8');
+ $sPassword = html_entity_decode($_POST['pass'],ENT_QUOTES, 'UTF-8');
+ if ($sPassword=='%%unchanged%%') $sPassword='';
+ $full_name = html_entity_decode($postfull_name,ENT_QUOTES, 'UTF-8');
+ $valid_email = true;
+
+ if(!validate_email($email))
+ {
+ $valid_email = false;
+ $failed = true;
+ $addsummary .= "
".$clang->gT("Could not modify user data.")."

\n"
+ . " ".$clang->gT("Email address is not valid.")."
\n";
+ }
+ elseif($valid_email)
+ {
+ $failed = false;
+ if(empty($sPassword))
+ {
+ $uquery = "UPDATE ".db_table_name('users')." SET email='".db_quote($email)."', full_name='".db_quote($full_name)."' WHERE uid=".$postuserid;
+ } else {
+ $uquery = "UPDATE ".db_table_name('users')." SET email='".db_quote($email)."', full_name='".db_quote($full_name)."', password='".SHA256::hashing($sPassword)."' WHERE uid=".$postuserid;
+ }
+
+ $uresult = $connect->Execute($uquery);//Checked
+
+ if($uresult && empty($sPassword))
+ {
+ $addsummary .= "
".$clang->gT("Username").": $users_name
".$clang->gT("Password").": (".$clang->gT("Unchanged").")

\n";
+ $addsummary .= "
".$clang->gT("Success!")."
\n";
+ } elseif($uresult && !empty($sPassword))
+ {
+ if ($display_user_password_in_html === true)
+ {
+ $displayedPwd = $sPassword;
+ }
+ else
+ {
+ $displayedPwd = preg_replace('/./','*',$sPassword);
+ }
+ $addsummary .= "
".$clang->gT("Username").": $users_name
".$clang->gT("Password").": {$displayedPwd}

\n";
+ $addsummary .= "
".$clang->gT("Success!")."
\n";
+ }
+ else
+ {
+ // Username and/or email adress already exists.
+ $addsummary .= "
".$clang->gT("Could not modify user data.")."

\n"
+ . " ".$clang->gT("Email address already exists.")."
\n";
+ }
+ }
+ if($failed)
+ {
+ $addsummary .= "
"
+ .""
+ .""
+ .""
+ ."
";
+ }
+ else
+ {
+ $addsummary .= "
gT("Continue")."\"/>\n";
+ }
+ }
+ else
+ {
+ include("access_denied.php");
+ }
+ $addsummary .= "
\n";
+}
+
+elseif ($action == "userrights")
+{
+ $addsummary = "
".$clang->gT("Set user permissions")."
\n";
+ $addsummary .= "
\n";
+
+ // A user can't modify his own rights ;-)
+ if($postuserid != $_SESSION['loginID'])
+ {
+ $squery = "SELECT uid FROM {$dbprefix}users WHERE uid=$postuserid AND parent_id=".$_SESSION['loginID'];
+ $sresult = $connect->Execute($squery); // Checked
+ $sresultcount = $sresult->RecordCount();
+
+ if($_SESSION['USER_RIGHT_SUPERADMIN'] != 1 && $sresultcount > 0)
+ { // Not Admin, just a user with childs
+ $rights = array();
+
+ // Forbids Allowing more privileges than I have
+ if(isset($_POST['create_survey']) && $_SESSION['USER_RIGHT_CREATE_SURVEY'])$rights['create_survey']=1; else $rights['create_survey']=0;
+ if(isset($_POST['configurator']) && $_SESSION['USER_RIGHT_CONFIGURATOR'])$rights['configurator']=1; else $rights['configurator']=0;
+ if(isset($_POST['create_user']) && $_SESSION['USER_RIGHT_CREATE_USER'])$rights['create_user']=1; else $rights['create_user']=0;
+ if(isset($_POST['delete_user']) && $_SESSION['USER_RIGHT_DELETE_USER'])$rights['delete_user']=1; else $rights['delete_user']=0;
+
+ $rights['superadmin']=0; // ONLY Initial Superadmin can give this right
+ if(isset($_POST['manage_template']) && $_SESSION['USER_RIGHT_MANAGE_TEMPLATE'])$rights['manage_template']=1; else $rights['manage_template']=0;
+ if(isset($_POST['manage_label']) && $_SESSION['USER_RIGHT_MANAGE_LABEL'])$rights['manage_label']=1; else $rights['manage_label']=0;
+
+ if ($postuserid<>1) setuserrights($postuserid, $rights);
+ $addsummary .= "
".$clang->gT("User permissions were updated successfully.")."
\n";
+ $addsummary .= "
gT("Continue")."\"/>\n";
+ }
+ elseif ($_SESSION['USER_RIGHT_SUPERADMIN'] == 1)
+ {
+ $rights = array();
+
+ if(isset($_POST['create_survey']))$rights['create_survey']=1; else $rights['create_survey']=0;
+ if(isset($_POST['configurator']))$rights['configurator']=1; else $rights['configurator']=0;
+ if(isset($_POST['create_user']))$rights['create_user']=1; else $rights['create_user']=0;
+ if(isset($_POST['delete_user']))$rights['delete_user']=1; else $rights['delete_user']=0;
+
+ // Only Initial Superadmin can give this right
+ if(isset($_POST['superadmin']))
+ {
+ // Am I original Superadmin ?
+
+ // Initial SuperAdmin has parent_id == 0
+ $adminquery = "SELECT uid FROM {$dbprefix}users WHERE parent_id=0";
+ $adminresult = db_select_limit_assoc($adminquery, 1);
+ $row=$adminresult->FetchRow();
+
+ if($row['uid'] == $_SESSION['loginID']) // it's the original superadmin !!!
+ {
+ $rights['superadmin']=1;
+ }
+ else
+ {
+ $rights['superadmin']=0;
+ }
+ }
+ else
+ {
+ $rights['superadmin']=0;
+ }
+
+ if(isset($_POST['manage_template']))$rights['manage_template']=1; else $rights['manage_template']=0;
+ if(isset($_POST['manage_label']))$rights['manage_label']=1; else $rights['manage_label']=0;
+
+ setuserrights($postuserid, $rights);
+ $addsummary .= "
".$clang->gT("User permissions were updated successfully.")."
\n";
+ $addsummary .= "
gT("Continue")."\"/>\n";
+ }
+ else
+ {
+ include("access_denied.php");
+ }
+ }
+ else
+ {
+ $addsummary .= "
".$clang->gT("You are not allowed to change your own permissions!")."
\n";
+ $addsummary .= "
gT("Continue")."\"/>\n";
+ }
+ $addsummary .= "
\n";
+}
+
+elseif ($action == "usertemplates")
+{
+ $addsummary = "
".$clang->gT("Set template permissions")."
\n";
+ $addsummary .= "
\n";
+
+ // SUPERADMINS AND MANAGE_TEMPLATE USERS CAN SET THESE RIGHTS
+ if( $_SESSION['USER_RIGHT_SUPERADMIN'] == 1 || $_SESSION['USER_RIGHT_MANAGE_TEMPLATE'] == 1)
+ {
+ $templaterights = array();
+ $tquery = "SELECT * FROM ".$dbprefix."templates";
+ $tresult = db_execute_assoc($tquery);
+ while ($trow = $tresult->FetchRow()) {
+ if (isset($_POST[$trow["folder"]."_use"]))
+ $templaterights[$trow["folder"]] = 1;
+ else
+ $templaterights[$trow["folder"]] = 0;
+ }
+ foreach ($templaterights as $key => $value) {
+ $uquery = "INSERT INTO {$dbprefix}templates_rights (uid,".db_quote_id('folder').",".db_quote_id('use').") VALUES ({$postuserid},'".$key."',$value)";
+ $uresult = $connect->execute($uquery);
+ if (!$uresult)
+ {
+ $uquery = "UPDATE {$dbprefix}templates_rights SET ".db_quote_id('use')."=$value where ".db_quote_id('folder')."='$key' AND uid=".$postuserid;
+ $uresult = $connect->execute($uquery);
+ }
+ }
+ if ($uresult)
+ {
+ $addsummary .= "
".$clang->gT("Template permissions were updated successfully.")."
\n";
+ $addsummary .= "
gT("Continue")."\"/>\n";
+ }
+ else
+ {
+ $addsummary .= "
".$clang->gT("Error")."
\n";
+ $addsummary .= "
".$clang->gT("Error while updating usertemplates.")."
\n";
+ $addsummary .= "
gT("Continue")."\"/>\n";
+ }
+ }
+ else
+ {
+ include("access_denied.php");
+ }
+ $addsummary .= "
\n";
+}
+
+
+function getInitialAdmin_uid()
+{
+ global $dbprefix;
+ // Initial SuperAdmin has parent_id == 0
+ $adminquery = "SELECT uid FROM {$dbprefix}users WHERE parent_id=0";
+ $adminresult = db_select_limit_assoc($adminquery, 1);
+ $row=$adminresult->FetchRow();
+ return $row['uid'];
+}
+
+function fGetLoginAttemptUpdateQry($la,$sIp)
+{
+ $timestamp = date("Y-m-d H:i:s");
+ if ($la)
+ $query = "UPDATE ".db_table_name('failed_login_attempts')
+ ." SET number_attempts=number_attempts+1, last_attempt = '$timestamp' WHERE ip='$sIp'";
+ else
+ $query = "INSERT INTO ".db_table_name('failed_login_attempts') . "(ip, number_attempts,last_attempt)"
+ ." VALUES('$sIp',1,'$timestamp')";
+
+ return $query;
+}
+
+
+function getUserNameFromUid($uid){
+ $query = "SELECT users_name, uid FROM ".db_table_name('users')." WHERE uid = $uid;";
+
+ $result = db_execute_assoc($query) or safe_die($connect->ErrorMsg());
+
+
+ if($result->RecordCount() > 0) {
+ while($rows = $result->FetchRow()){
+ return $rows['users_name'];
+ }
+ }
+}