".$clang->gT("Forgot password")."
\n"; if (isset($postuser) && isset($postemail)) { include("database.php"); $emailaddr = $postemail; $query = "SELECT users_name, password, uid FROM ".db_table_name('users')." WHERE users_name=".$connect->qstr($postuser)." AND email=".$connect->qstr($emailaddr); $result = db_select_limit_assoc($query, 1) or safe_die ($query."
".$connect->ErrorMsg()); // Checked if ($result->RecordCount() < 1) { // wrong or unknown username and/or email $loginsummary .= "
".$clang->gT("User name and/or email not found!")."
"; $loginsummary .= "

".$clang->gT("Continue")."
 \n"; } else { $fields = $result->FetchRow(); // send Mail $new_pass = createPassword(); $body = sprintf($clang->gT("Your user data for accessing %s"),$sitename). "
\n";; $body .= $clang->gT("Username") . ": " . $fields['users_name'] . "
\n"; $body .= $clang->gT("New password") . ": " . $new_pass . "
\n"; $subject = $clang->gT("User data","unescaped"); $to = $emailaddr; $from = $siteadminemail; if(SendEmailMessage(null, $body, $subject, $to, $from, $sitename, false,$siteadminbounce)) { $query = "UPDATE ".db_table_name('users')." SET password='".SHA256::hashing($new_pass)."' WHERE uid={$fields['uid']}"; $connect->Execute($query); //Checked $loginsummary .= "
".$clang->gT("Username").": {$fields['users_name']}
".$clang->gT("Email").": {$emailaddr}
"; $loginsummary .= "
".$clang->gT("An email with your login data was sent to you."); $loginsummary .= "

".$clang->gT("Continue")."
 \n"; } else { $tmp = str_replace("{NAME}", "".$fields['users_name']."", $clang->gT("Email to {NAME} ({EMAIL}) failed.")); $loginsummary .= "
".str_replace("{EMAIL}", $emailaddr, $tmp) . "
"; $loginsummary .= "

".$clang->gT("Continue")."
 \n"; } } } } elseif($action == "login" && $useWebserverAuth === false) // normal login { $loginsummary = ''; if (isset($postuser) && isset($_POST['password'])) { include("database.php"); $sIp = getIPAddress(); $query = "SELECT * FROM ".db_table_name('failed_login_attempts'). " WHERE ip='$sIp';"; $ADODB_FETCH_MODE = ADODB_FETCH_ASSOC; $result = $connect->query($query); $bLoginAttempted = false; $bCannotLogin = false; $intNthAttempt = 0; if ($result!==false && $result->RecordCount() >= 1) { $bLoginAttempted = true; $field = $result->FetchRow(); $intNthAttempt = $field['number_attempts']; if ($intNthAttempt>=$maxLoginAttempt){ $bCannotLogin = true; } $iLastAttempt = strtotime($field['last_attempt']); if (time() > $iLastAttempt + $timeOutTime){ $bCannotLogin = false; $query = "DELETE FROM ".db_table_name('failed_login_attempts'). " WHERE ip='$sIp';"; $result = $connect->query($query) or safe_die ($query."
".$connect->ErrorMsg()); } } if(!$bCannotLogin){ $query = "SELECT * FROM ".db_table_name('users')." WHERE users_name=".$connect->qstr($postuser); $result = $connect->SelectLimit($query, 1) or safe_die ($query."
".$connect->ErrorMsg()); if ($result->RecordCount() < 1) { $query = fGetLoginAttemptUpdateQry($bLoginAttempted,$sIp); $result = $connect->Execute($query) or safe_die ($query."
".$connect->ErrorMsg());; if ($result) { // wrong or unknown username $loginsummary .= "

".$clang->gT("Incorrect username and/or password!")."


"; if ($intNthAttempt+1>=$maxLoginAttempt) $loginsummary .= sprintf($clang->gT("You have exceeded you maximum login attempts. Please wait %d minutes before trying again"),($timeOutTime/60))."
"; $loginsummary .= "
".$clang->gT("Continue")."
 \n"; } } else { $fields = $result->FetchRow(); if (SHA256::hashing($_POST['password']) == $fields['password']) { // Anmeldung ERFOLGREICH if (strtolower($_POST['password'])=='password') { $_SESSION['pw_notify']=true; $_SESSION['flashmessage']=$clang->gT("Warning: You are still using the default password ('password'). Please change your password and re-login again."); } else { $_SESSION['pw_notify']=false; } // Check if the user has changed his default password if ($sessionhandler=='db') { adodb_session_regenerate_id(); } else { session_regenerate_id(); } $_SESSION['loginID'] = intval($fields['uid']); $_SESSION['user'] = $fields['users_name']; $_SESSION['full_name'] = $fields['full_name']; $_SESSION['htmleditormode'] = $fields['htmleditormode']; $_SESSION['questionselectormode'] = $fields['questionselectormode']; $_SESSION['templateeditormode'] = $fields['templateeditormode']; $_SESSION['dateformat'] = $fields['dateformat']; // Compute a checksession random number to test POSTs $_SESSION['checksessionpost'] = sRandomChars(10); if (isset($postloginlang) && $postloginlang!='default') { $_SESSION['adminlang'] = $postloginlang; $clang = new limesurvey_lang($postloginlang); $uquery = "UPDATE {$dbprefix}users " . "SET lang='{$postloginlang}' " . 
"WHERE uid={$_SESSION['loginID']}"; $uresult = $connect->Execute($uquery); // Checked } else { if ( $fields['lang']=='auto' && isset( $_SERVER["HTTP_ACCEPT_LANGUAGE"] ) ) { $browlang=strtolower( $_SERVER["HTTP_ACCEPT_LANGUAGE"] ); $browlang=str_replace(' ', '', $browlang); $browlang=explode( ",", $browlang); $browlang=$browlang[0]; $browlang=explode( ";", $browlang); $browlang=$browlang[0]; $check=0; $value=26; if ($browlang!="zh-hk" && $browlang!="zh-tw" && $browlang!="es-mx" && $browlang!="pt-br") { $browlang=explode( "-",$browlang); $browlang=$browlang[0]; } $_SESSION['adminlang']=$browlang; } else { $_SESSION['adminlang'] = $fields['lang']; } $clang = new limesurvey_lang($_SESSION['adminlang']); } $login = true; $loginsummary .= "
\n"; $loginsummary .= "
" . $clang->gT("Logged in") . "
"; $loginsummary .= "
".sprintf($clang->gT("Welcome %s!"),$_SESSION['full_name'])."
 "; $loginsummary .= "
\n"; if (isset($_POST['refererargs']) && $_POST['refererargs'] && strpos($_POST['refererargs'], "action=logout") === FALSE) { require_once("../classes/inputfilter/class.inputfilter_clean.php"); $myFilter = new InputFilter('','',1,1,1); // Prevent XSS attacks $sRefererArg=$myFilter->process($_POST['refererargs']); $_SESSION['metaHeader']=""; $loginsummary .= "

".$clang->gT("Reloading screen. Please wait.")."\n"; } $loginsummary .= "

\n"; GetSessionUserRights($_SESSION['loginID']); //go to queXS $loc = ""; if ($_SESSION['USER_RIGHT_SUPERADMIN'] == 1) $loc = "admin"; else { $utest = $connect->GetOne("SELECT username FROM client WHERE username = '" . $_SESSION['user'] . "'"); if (!empty($utest)) $loc = "client"; } header('Location: ' . QUEXS_URL . $loc); die(); } else { $query = fGetLoginAttemptUpdateQry($bLoginAttempted,$sIp); $result = $connect->Execute($query) or safe_die ($query."
".$connect->ErrorMsg());; if ($result) { // wrong or unknown username $loginsummary .= "

".$clang->gT("Incorrect username and/or password!")."
"; if ($intNthAttempt+1>=$maxLoginAttempt) $loginsummary .= sprintf($clang->gT("You have exceeded you maximum login attempts. Please wait %d minutes before trying again"),($timeOutTime/60))."
"; $loginsummary .= "
".$clang->gT("Continue")."
 \n"; } } } } else{ $loginsummary .= "

".sprintf($clang->gT("You have exceeded you maximum login attempts. Please wait %d minutes before trying again"),($timeOutTime/60))."
"; $loginsummary .= "
".$clang->gT("Continue")."
 \n"; } } } elseif($useWebserverAuth === true && !isset($_SERVER['PHP_AUTH_USER'])) // LimeSurvey expects webserver auth but it has not been achieved { $loginsummary .= "
".$clang->gT("LimeSurvey is setup to use the webserver authentication, but it seems you have not already been authenticated")."
"; $loginsummary .= "

".$clang->gT("Please contact your system administrator")."
 \n"; } elseif($useWebserverAuth === true && isset($_SERVER['PHP_AUTH_USER'])) // normal login through webserver authentication { $action = 'login'; // we'll include database.php // we need to unset surveyid // that could be set if the user clicked on // a link with all params before first auto-login unset($surveyid); $loginsummary = ''; // getting user name, optionnally mapped if (isset($userArrayMap) && is_array($userArrayMap) && isset($userArrayMap[$_SERVER['PHP_AUTH_USER']])) { $mappeduser=$userArrayMap[$_SERVER['PHP_AUTH_USER']]; } else { $mappeduser=$_SERVER['PHP_AUTH_USER']; } include("database.php"); $query = "SELECT uid, users_name, password, parent_id, email, lang, htmleditormode, questionselectormode, templateeditormode, dateformat FROM ".db_table_name('users')." WHERE users_name=".$connect->qstr($mappeduser); $ADODB_FETCH_MODE = ADODB_FETCH_ASSOC; //Checked $result = $connect->SelectLimit($query, 1) or safe_die ($query."
".$connect->ErrorMsg()); if ($result->RecordCount() < 1) { // In case the hook function is defined // overrite the default auto-import profile // by this function's result if (function_exists("hook_get_autouserprofile")) { // If defined this function returns an array // describing the defaukt profile for this user $WebserverAuth_autouserprofile = hook_get_autouserprofile($mappeduser); } if (isset($WebserverAuth_autocreateUser) && $WebserverAuth_autocreateUser === true && isset($WebserverAuth_autouserprofile) && is_array ($WebserverAuth_autouserprofile) && count($WebserverAuth_autouserprofile) > 0 ) { // user doesn't exist but auto-create user is set $isAuthenticated=false; $new_pass = createPassword(); $uquery = "INSERT INTO {$dbprefix}users " ."(users_name, password,full_name,parent_id,lang,email,create_survey,create_user,delete_user,superadmin,configurator,manage_template,manage_label) " ."VALUES (" . $connect->qstr($mappeduser).", " . "'".SHA256::hashing($new_pass)."', " . "'".db_quote($WebserverAuth_autouserprofile['full_name'])."', " . getInitialAdmin_uid()." , " . "'".$WebserverAuth_autouserprofile['lang']."', " . "'".db_quote($WebserverAuth_autouserprofile['email'])."', " . intval($WebserverAuth_autouserprofile['create_survey'])."," . intval($WebserverAuth_autouserprofile['create_user'])."," . intval($WebserverAuth_autouserprofile['delete_user'])."," . intval($WebserverAuth_autouserprofile['superadmin'])."," . intval($WebserverAuth_autouserprofile['configurator'])."," . intval($WebserverAuth_autouserprofile['manage_template'])."," . 
intval($WebserverAuth_autouserprofile['manage_label']) .")"; $uresult = $connect->Execute($uquery); //Checked if ($uresult) { $isAuthenticated=true; $newqid = $connect->Insert_ID("{$dbprefix}users","uid"); $arrayTemplates=explode(",",$WebserverAuth_autouserprofile['templatelist']); foreach ($arrayTemplates as $tplname) { $template_query = "INSERT INTO {$dbprefix}templates_rights VALUES('$newqid','$tplname','1')"; $connect->Execute($template_query); //Checked } // read again user from newly created entry $result = $connect->SelectLimit($query, 1) or safe_die ($query."
".$connect->ErrorMsg());//Checked } else { $loginsummary .= "
".$clang->gT("Auto-import of user failed!")."
"; $loginsummary .= "

".$clang->gT("Continue")."
 \n"; $isAuthenticated=false; } } else { $query = fGetLoginAttemptUpdateQry($bLoginAttempted,$sIp); $result = $connect->Execute($query) or safe_die ($query."
".$connect->ErrorMsg());; if ($result) { // wrong or unknown username $loginsummary .= "

".$clang->gT("Incorrect username and/or password!")."
"; if ($intNthAttempt+1>=$maxLoginAttempt) $loginsummary .= sprintf($clang->gT("You have exceeded you maximum login attempts. Please wait %d minutes before trying again"),($timeOutTime/60))."
"; $loginsummary .= "
".$clang->gT("Continue")."
 \n"; } $isAuthenticated=false; } } else { // User already exists $isAuthenticated=true; } if ($isAuthenticated ===true) { // user exists and was authenticated by webserver $fields = $result->FetchRow(); $_SESSION['loginID'] = intval($fields['uid']); $_SESSION['user'] = $fields['users_name']; $_SESSION['adminlang'] = $fields['lang']; $_SESSION['htmleditormode'] = $fields['htmleditormode']; $_SESSION['questionselectormode'] = $fields['questionselectormode']; $_SESSION['templateeditormode'] = $fields['templateeditormode']; $_SESSION['dateformat'] = $fields['dateformat']; $_SESSION['checksessionpost'] = sRandomChars(10); $_SESSION['pw_notify']=false; $clang = new limesurvey_lang($_SESSION['adminlang']); $login = true; $loginsummary .= "
" .sprintf($clang->gT("Welcome %s!"),$_SESSION['user']) . "
"; $loginsummary .= $clang->gT("You logged in successfully."); if (isset($_SERVER['QUERY_STRING']) && $_SERVER['QUERY_STRING'] && strpos($_SERVER['QUERY_STRING'], "action=logout") === FALSE) { $_SESSION['metaHeader']=""; $loginsummary .= "

".$clang->gT("Reloading screen. Please wait.")."\n"; } $loginsummary .= "

\n"; GetSessionUserRights($_SESSION['loginID']); } } } elseif ($action == "logout") { killSession(); $logoutsummary = '

'.$clang->gT("Logout successful."); } elseif ($action == "adduser" && $_SESSION['USER_RIGHT_CREATE_USER']) { $addsummary = "

".$clang->gT("Add user")."
\n"; $new_user = FlattenText($postnew_user,true); $new_email = FlattenText($postnew_email,true); $new_full_name = FlattenText($postnew_full_name,true); $valid_email = true; if(!validate_email($new_email)) { $valid_email = false; $addsummary .= "
".$clang->gT("Failed to add user")."

\n" . " " . $clang->gT("The email address is not valid.")."
\n"; } if(empty($new_user)) { if($valid_email) $addsummary .= "
".$clang->gT("Failed to add user")."
\n" . " "; $addsummary .= $clang->gT("A username was not supplied or the username is invalid.")."
\n"; } elseif($valid_email) { $new_pass = createPassword(); $uquery = "INSERT INTO {$dbprefix}users (users_name, password,full_name,parent_id,lang,email,create_survey,create_user,delete_user,superadmin,configurator,manage_template,manage_label) VALUES ('".db_quote($new_user)."', '".SHA256::hashing($new_pass)."', '".db_quote($new_full_name)."', {$_SESSION['loginID']}, 'auto', '".db_quote($new_email)."',0,0,0,0,0,0,0)"; $uresult = $connect->Execute($uquery); //Checked if($uresult) { $newqid = $connect->Insert_ID("{$dbprefix}users","uid"); // add default template to template rights for user $template_query = "INSERT INTO {$dbprefix}templates_rights VALUES('$newqid','default','1')"; $connect->Execute($template_query); //Checked // add new user to userlist $squery = "SELECT uid, users_name, password, parent_id, email, create_survey, configurator, create_user, delete_user, superadmin, manage_template, manage_label FROM ".db_table_name('users')." WHERE uid='{$newqid}'"; //added by Dennis $sresult = db_execute_assoc($squery);//Checked $srow = $sresult->FetchRow(); $userlist = getuserlist(); array_push($userlist, array("user"=>$srow['users_name'], "uid"=>$srow['uid'], "email"=>$srow['email'], "password"=>$srow["password"], "parent_id"=>$srow['parent_id'], // "level"=>$level, "create_survey"=>$srow['create_survey'], "configurator"=>$srow['configurator'], "create_user"=>$srow['create_user'], "delete_user"=>$srow['delete_user'], "superadmin"=>$srow['superadmin'], "manage_template"=>$srow['manage_template'], "manage_label"=>$srow['manage_label'])); // send Mail $body = sprintf($clang->gT("Hello %s,",'unescaped'), $new_full_name)."

\n"; $body .= sprintf($clang->gT("this is an automated email to notify that a user has been created for you on the site '%s'.",'unescaped'), $sitename)."

\n"; $body .= $clang->gT("You can use now the following credentials to log into the site:",'unescaped')."
\n"; $body .= $clang->gT("Username",'unescaped') . ": " . $new_user . "
\n"; if ($useWebserverAuth === false) { // authent is not delegated to web server // send password (if authorized by config) if ($display_user_password_in_email === true) { $body .= $clang->gT("Password",'unescaped') . ": " . $new_pass . "
\n"; } else { $body .= $clang->gT("Password",'unescaped') . ": " . $clang->gT("Please ask your LimeSurvey administrator for your password.") . "
\n"; } } $body .= "".$clang->gT("Click here to log in.",'unescaped')."

\n"; $body .= sprintf($clang->gT('If you have any questions regarding this mail please do not hesitate to contact the site administrator at %s. Thank you!','unescaped'),$siteadminemail)."
\n"; $subject = sprintf($clang->gT("User registration at '%s'","unescaped"),$sitename); $to = $new_user." <$new_email>"; $from = $siteadminname." <$siteadminemail>"; $addsummary .="
"; if(SendEmailMessage(null, $body, $subject, $to, $from, $sitename, true, $siteadminbounce)) { $addsummary .= "
".$clang->gT("Username").": $new_user
".$clang->gT("Email").": $new_email
"; $addsummary .= "
".$clang->gT("An email with a generated password was sent to the user."); } else { // has to be sent again or no other way $tmp = str_replace("{NAME}", "".$new_user."", $clang->gT("Email to {NAME} ({EMAIL}) failed.")); $addsummary .= "
".str_replace("{EMAIL}", $new_email, $tmp) . "
"; } $addsummary .= "
\t\t\t
" ."" ."" ."" ."" ."
"; } else{ $addsummary .= "
".$clang->gT("Failed to add user")."

\n" . " " . $clang->gT("The user name already exists.")."
\n"; } } $addsummary .= "

gT("Continue")."\"/>

\n"; } elseif (($action == "deluser" || $action == "finaldeluser") && ($_SESSION['USER_RIGHT_SUPERADMIN'] == 1 || $_SESSION['USER_RIGHT_DELETE_USER'] )) { $addsummary = "
".$clang->gT("Deleting user")."
\n"; $addsummary .= "
\n"; // CAN'T DELETE ORIGINAL SUPERADMIN // Initial SuperAdmin has parent_id == 0 $adminquery = "SELECT uid FROM {$dbprefix}users WHERE parent_id=0"; $adminresult = db_select_limit_assoc($adminquery, 1);//Checked $row=$adminresult->FetchRow(); if($row['uid'] == $postuserid) // it's the original superadmin !!! { $addsummary .= "
".$clang->gT("Initial Superadmin cannot be deleted!")."
\n"; } else { if (isset($postuserid)) { $sresultcount = 0;// 1 if I am parent of $postuserid if ($_SESSION['USER_RIGHT_SUPERADMIN'] != 1) { $squery = "SELECT uid FROM {$dbprefix}users WHERE uid=$postuserid AND parent_id=".$_SESSION['loginID']; $sresult = $connect->Execute($squery); //Checked $sresultcount = $sresult->RecordCount(); } if ($_SESSION['USER_RIGHT_SUPERADMIN'] == 1 || $sresultcount > 0 || $postuserid == $_SESSION['loginID']) { $transfer_surveys_to = 0; $query = "SELECT users_name, uid FROM ".db_table_name('users').";"; $result = db_execute_assoc($query) or safe_die($connect->ErrorMsg()); $current_user = $_SESSION['loginID']; if($result->RecordCount() == 2) { $action = "finaldeluser"; while($rows = $result->FetchRow()){ $intUid = $rows['uid']; $selected = ''; if ($intUid == $current_user) $selected = " selected='selected'"; if ($postuserid != $intUid) $transfer_surveys_to = $intUid; } } $query = "SELECT sid FROM ".db_table_name('surveys')." WHERE owner_id = $postuserid ;"; $result = db_execute_assoc($query) or safe_die($connect->ErrorMsg()); if($result->RecordCount() == 0) { $action = "finaldeluser"; } if ($action=="finaldeluser") { if (isset($_POST['transfer_surveys_to'])) {$transfer_surveys_to=sanitize_int($_POST['transfer_surveys_to']);} if ($transfer_surveys_to > 0){ $query = "UPDATE ".db_table_name('surveys')." SET owner_id = $transfer_surveys_to WHERE owner_id=$postuserid"; $result = db_execute_assoc($query) or safe_die($connect->ErrorMsg()); } $squery = "SELECT parent_id FROM {$dbprefix}users WHERE uid=".$postuserid; $sresult = $connect->Execute($squery); //Checked $fields = $sresult->FetchRow($sresult); if (isset($fields[0])) { $uquery = "UPDATE ".db_table_name('users')." 
SET parent_id={$fields[0]} WHERE parent_id=".$postuserid; // added by Dennis $uresult = $connect->Execute($uquery); //Checked } //DELETE USER FROM TABLE $dquery="DELETE FROM {$dbprefix}users WHERE uid=".$postuserid; // added by Dennis $dresult=$connect->Execute($dquery); //Checked // Delete user rights $dquery="DELETE FROM {$dbprefix}survey_permissions WHERE uid=".$postuserid; $dresult=$connect->Execute($dquery); //Checked if($postuserid == $_SESSION['loginID']) { killSession(); // user deleted himself header( "Location: " . $homeurl . "/admin.php"); die(); } $addsummary .= "
".$clang->gT("Username").": {$postuser}

\n"; $addsummary .= "
".$clang->gT("Success!")."
\n"; if ($transfer_surveys_to>0){ $sTransferred_to = getUserNameFromUid($transfer_surveys_to); $addsummary .= sprintf($clang->gT("All of the user's surveys were transferred to %s."),$sTransferred_to); } $addsummary .= "
gT("Continue")."\"/>\n"; } else { $current_user = $_SESSION['loginID']; $addsummary .= "
".$clang->gT("Transfer the user's surveys to: ")."\n"; $addsummary .= "
"; $addsummary .= ""; $addsummary .= "

"; $addsummary .= "
"; } } else { include("access_denied.php"); } } else { $addsummary .= "
".$clang->gT("Could not delete user. User was not supplied.")."
\n"; $addsummary .= "
gT("Continue")."\"/>\n"; } } $addsummary .= "
\n"; } elseif ($action == "moduser") { $addsummary = "
".$clang->gT("Editing user")."
\n"; $addsummary .= "
\n"; $squery = "SELECT uid FROM {$dbprefix}users WHERE uid=$postuserid AND parent_id=".$_SESSION['loginID']; $sresult = $connect->Execute($squery); //Checked $sresultcount = $sresult->RecordCount(); if(($_SESSION['USER_RIGHT_SUPERADMIN'] == 1 || $postuserid == $_SESSION['loginID'] || ($sresultcount > 0 && $_SESSION['USER_RIGHT_CREATE_USER'])) && !($demoModeOnly == true && $postuserid == 1) ) { $users_name = html_entity_decode($postuser, ENT_QUOTES, 'UTF-8'); $email = html_entity_decode($postemail,ENT_QUOTES, 'UTF-8'); $sPassword = html_entity_decode($_POST['pass'],ENT_QUOTES, 'UTF-8'); if ($sPassword=='%%unchanged%%') $sPassword=''; $full_name = html_entity_decode($postfull_name,ENT_QUOTES, 'UTF-8'); $valid_email = true; if(!validate_email($email)) { $valid_email = false; $failed = true; $addsummary .= "
".$clang->gT("Could not modify user data.")."

\n" . " ".$clang->gT("Email address is not valid.")."
\n"; } elseif($valid_email) { $failed = false; if(empty($sPassword)) { $uquery = "UPDATE ".db_table_name('users')." SET email='".db_quote($email)."', full_name='".db_quote($full_name)."' WHERE uid=".$postuserid; } else { $uquery = "UPDATE ".db_table_name('users')." SET email='".db_quote($email)."', full_name='".db_quote($full_name)."', password='".SHA256::hashing($sPassword)."' WHERE uid=".$postuserid; } $uresult = $connect->Execute($uquery);//Checked if($uresult && empty($sPassword)) { $addsummary .= "
".$clang->gT("Username").": $users_name
".$clang->gT("Password").": (".$clang->gT("Unchanged").")

\n"; $addsummary .= "
".$clang->gT("Success!")."
\n"; } elseif($uresult && !empty($sPassword)) { if ($display_user_password_in_html === true) { $displayedPwd = $sPassword; } else { $displayedPwd = preg_replace('/./','*',$sPassword); } $addsummary .= "
".$clang->gT("Username").": $users_name
".$clang->gT("Password").": {$displayedPwd}

\n"; $addsummary .= "
".$clang->gT("Success!")."
\n"; } else { // Username and/or email adress already exists. $addsummary .= "
".$clang->gT("Could not modify user data.")."

\n" . " ".$clang->gT("Email address already exists.")."
\n"; } } if($failed) { $addsummary .= "
" ."" ."" ."" ."
"; } else { $addsummary .= "
gT("Continue")."\"/>\n"; } } else { include("access_denied.php"); } $addsummary .= "
\n"; } elseif ($action == "userrights") { $addsummary = "
".$clang->gT("Set user permissions")."
\n"; $addsummary .= "
\n"; // A user can't modify his own rights ;-) if($postuserid != $_SESSION['loginID']) { $squery = "SELECT uid FROM {$dbprefix}users WHERE uid=$postuserid AND parent_id=".$_SESSION['loginID']; $sresult = $connect->Execute($squery); // Checked $sresultcount = $sresult->RecordCount(); if($_SESSION['USER_RIGHT_SUPERADMIN'] != 1 && $sresultcount > 0) { // Not Admin, just a user with childs $rights = array(); // Forbids Allowing more privileges than I have if(isset($_POST['create_survey']) && $_SESSION['USER_RIGHT_CREATE_SURVEY'])$rights['create_survey']=1; else $rights['create_survey']=0; if(isset($_POST['configurator']) && $_SESSION['USER_RIGHT_CONFIGURATOR'])$rights['configurator']=1; else $rights['configurator']=0; if(isset($_POST['create_user']) && $_SESSION['USER_RIGHT_CREATE_USER'])$rights['create_user']=1; else $rights['create_user']=0; if(isset($_POST['delete_user']) && $_SESSION['USER_RIGHT_DELETE_USER'])$rights['delete_user']=1; else $rights['delete_user']=0; $rights['superadmin']=0; // ONLY Initial Superadmin can give this right if(isset($_POST['manage_template']) && $_SESSION['USER_RIGHT_MANAGE_TEMPLATE'])$rights['manage_template']=1; else $rights['manage_template']=0; if(isset($_POST['manage_label']) && $_SESSION['USER_RIGHT_MANAGE_LABEL'])$rights['manage_label']=1; else $rights['manage_label']=0; if ($postuserid<>1) setuserrights($postuserid, $rights); $addsummary .= "
".$clang->gT("User permissions were updated successfully.")."
\n"; $addsummary .= "
gT("Continue")."\"/>\n"; } elseif ($_SESSION['USER_RIGHT_SUPERADMIN'] == 1) { $rights = array(); if(isset($_POST['create_survey']))$rights['create_survey']=1; else $rights['create_survey']=0; if(isset($_POST['configurator']))$rights['configurator']=1; else $rights['configurator']=0; if(isset($_POST['create_user']))$rights['create_user']=1; else $rights['create_user']=0; if(isset($_POST['delete_user']))$rights['delete_user']=1; else $rights['delete_user']=0; // Only Initial Superadmin can give this right if(isset($_POST['superadmin'])) { // Am I original Superadmin ? // Initial SuperAdmin has parent_id == 0 $adminquery = "SELECT uid FROM {$dbprefix}users WHERE parent_id=0"; $adminresult = db_select_limit_assoc($adminquery, 1); $row=$adminresult->FetchRow(); if($row['uid'] == $_SESSION['loginID']) // it's the original superadmin !!! { $rights['superadmin']=1; } else { $rights['superadmin']=0; } } else { $rights['superadmin']=0; } if(isset($_POST['manage_template']))$rights['manage_template']=1; else $rights['manage_template']=0; if(isset($_POST['manage_label']))$rights['manage_label']=1; else $rights['manage_label']=0; setuserrights($postuserid, $rights); $addsummary .= "
".$clang->gT("User permissions were updated successfully.")."
\n"; $addsummary .= "
gT("Continue")."\"/>\n"; } else { include("access_denied.php"); } } else { $addsummary .= "
".$clang->gT("You are not allowed to change your own permissions!")."
\n"; $addsummary .= "
gT("Continue")."\"/>\n"; } $addsummary .= "
\n"; } elseif ($action == "usertemplates") { $addsummary = "
".$clang->gT("Set template permissions")."
\n"; $addsummary .= "
\n"; // SUPERADMINS AND MANAGE_TEMPLATE USERS CAN SET THESE RIGHTS if( $_SESSION['USER_RIGHT_SUPERADMIN'] == 1 || $_SESSION['USER_RIGHT_MANAGE_TEMPLATE'] == 1) { $templaterights = array(); $tquery = "SELECT * FROM ".$dbprefix."templates"; $tresult = db_execute_assoc($tquery); while ($trow = $tresult->FetchRow()) { if (isset($_POST[$trow["folder"]."_use"])) $templaterights[$trow["folder"]] = 1; else $templaterights[$trow["folder"]] = 0; } foreach ($templaterights as $key => $value) { $uquery = "INSERT INTO {$dbprefix}templates_rights (uid,".db_quote_id('folder').",".db_quote_id('use').") VALUES ({$postuserid},'".$key."',$value)"; $uresult = $connect->execute($uquery); if (!$uresult) { $uquery = "UPDATE {$dbprefix}templates_rights SET ".db_quote_id('use')."=$value where ".db_quote_id('folder')."='$key' AND uid=".$postuserid; $uresult = $connect->execute($uquery); } } if ($uresult) { $addsummary .= "
".$clang->gT("Template permissions were updated successfully.")."
\n"; $addsummary .= "
gT("Continue")."\"/>\n"; } else { $addsummary .= "
".$clang->gT("Error")."
\n"; $addsummary .= "
".$clang->gT("Error while updating usertemplates.")."
\n"; $addsummary .= "
gT("Continue")."\"/>\n"; } } else { include("access_denied.php"); } $addsummary .= "
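\n"; }

/**
 * Returns the uid of the initial superadmin.
 *
 * The initial superadmin is identified by parent_id == 0 (the one user that
 * was not created by another user). Only the first matching row is read.
 *
 * @return mixed the uid column of the first matching row, or null when the
 *               query returned no row (FetchRow() yields false in that case)
 */
function getInitialAdmin_uid()
{
    global $dbprefix;
    // Initial SuperAdmin has parent_id == 0
    $adminquery = "SELECT uid FROM {$dbprefix}users WHERE parent_id=0";
    $adminresult = db_select_limit_assoc($adminquery, 1);
    $row = $adminresult->FetchRow();
    // Guard against indexing the boolean FetchRow() returns on an empty set.
    return (is_array($row) && isset($row['uid'])) ? $row['uid'] : null;
}

/**
 * Builds the SQL statement that records a failed login attempt for an IP.
 *
 * @param bool   $la  true when a failed_login_attempts row already exists for
 *                    $sIp (its counter is incremented), false to insert one
 * @param string $sIp the client address as returned by getIPAddress()
 * @return string the UPDATE or INSERT statement for the caller to execute
 */
function fGetLoginAttemptUpdateQry($la, $sIp)
{
    $timestamp = date("Y-m-d H:i:s");
    // $sIp is request-derived and was interpolated raw into the SQL before.
    // It is escaped here the same way other string values in this file are
    // (db_quote), so it can only ever reach the query as a string literal.
    // NOTE(review): getIPAddress() may take the address from request headers
    // (confirm); the SELECT/DELETE on failed_login_attempts in the login
    // branch still interpolate $sIp unescaped and deserve the same treatment.
    $sQuotedIp = db_quote($sIp);
    $sTable = db_table_name('failed_login_attempts');

    if ($la) {
        return "UPDATE " . $sTable
            . " SET number_attempts=number_attempts+1, last_attempt = '$timestamp'"
            . " WHERE ip='" . $sQuotedIp . "'";
    }

    return "INSERT INTO " . $sTable
        . "(ip, number_attempts,last_attempt)"
        . " VALUES('" . $sQuotedIp . "',1,'$timestamp')";
}

/**
 * Looks up the users_name belonging to a user id.
 *
 * @param int|string $uid the user id; it is cast to int before being placed
 *                        in the query so only a numeric literal reaches SQL
 * @return string|null the users_name of the matching row, or null when no
 *                     row matched
 */
function getUserNameFromUid($uid)
{
    // $connect was never imported into this scope before, so the error path
    // called ErrorMsg() on null instead of reporting the database error.
    global $connect;

    // Cast instead of interpolating the raw value (callers pass sanitized
    // ints today, but the function should not rely on that).
    $iUid = (int) $uid;
    $query = "SELECT users_name, uid FROM " . db_table_name('users') . " WHERE uid = $iUid;";
    $result = db_execute_assoc($query) or safe_die($connect->ErrorMsg());

    if ($result->RecordCount() > 0) {
        // Only the first row is of interest; there is no loop to run.
        $row = $result->FetchRow();
        if (is_array($row) && isset($row['users_name'])) {
            return $row['users_name'];
        }
    }

    return null;
}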