".$clang->gT("Forgot Password")."
\n"; if (isset($postuser) && isset($postemail)) { include("database.php"); $emailaddr = $postemail; $query = "SELECT users_name, password, uid FROM ".db_table_name('users')." WHERE users_name=".$connect->qstr($postuser)." AND email=".$connect->qstr($emailaddr); $result = db_select_limit_assoc($query, 1) or safe_die ($query."
".$connect->ErrorMsg()); // Checked if ($result->RecordCount() < 1) { // wrong or unknown username and/or email $loginsummary .= "
".$clang->gT("User name and/or email not found!")."
"; $loginsummary .= "

".$clang->gT("Continue")."
 \n"; } else { $fields = $result->FetchRow(); // send Mail $new_pass = createPassword(); $body = $clang->gT("Your data:") . "
\n";; $body .= $clang->gT("Username") . ": " . $fields['users_name'] . "
\n"; $body .= $clang->gT("New Password") . ": " . $new_pass . "
\n"; $subject = 'User Data'; $to = $emailaddr; $from = $siteadminemail; $sitename = $siteadminname; if(MailTextMessage($body, $subject, $to, $from, $sitename, false,$siteadminbounce)) { $query = "UPDATE ".db_table_name('users')." SET password='".SHA256::hash($new_pass)."' WHERE uid={$fields['uid']}"; $connect->Execute($query); //Checked $loginsummary .= "
".$clang->gT("Username").": {$fields['users_name']}
".$clang->gT("Email").": {$emailaddr}
"; $loginsummary .= "
".$clang->gT("An email with your login data was sent to you."); $loginsummary .= "

".$clang->gT("Continue")."
 \n"; } else { $tmp = str_replace("{NAME}", "".$fields['users_name']."", $clang->gT("Email to {NAME} ({EMAIL}) failed.")); $loginsummary .= "
".str_replace("{EMAIL}", $emailaddr, $tmp) . "
"; $loginsummary .= "

".$clang->gT("Continue")."
 \n"; } } } } elseif($action == "login" && $useWebserverAuth === false) // normal login { $loginsummary = "
".$clang->gT("Logging in...")."
\n"; if (isset($postuser) && isset($_POST['password'])) { include("database.php"); $query = "SELECT uid, users_name, password, parent_id, email, lang, htmleditormode FROM ".db_table_name('users')." WHERE users_name=".$connect->qstr($postuser); $ADODB_FETCH_MODE = ADODB_FETCH_ASSOC; //Checked $result = $connect->SelectLimit($query, 1) or safe_die ($query."
".$connect->ErrorMsg()); if ($result->RecordCount() < 1) { // wrong or unknown username $loginsummary .= "
".$clang->gT("Incorrect User name and/or Password!")."
"; $loginsummary .= "

".$clang->gT("Continue")."
 \n"; } else { $fields = $result->FetchRow(); if (SHA256::hash($_POST['password']) == $fields['password']) { // Anmeldung ERFOLGREICH if (strtolower($_POST['password'])=='password') { $_SESSION['pw_notify']=true; } else { $_SESSION['pw_notify']=false; } // Check if the user has changed his default password session_regenerate_id(); $_SESSION['loginID'] = intval($fields['uid']); $_SESSION['user'] = $fields['users_name']; $_SESSION['htmleditormode'] = $fields['htmleditormode']; // Compute a checksession random number to test POSTs $_SESSION['checksessionpost'] = randomkey(10); if (isset($postloginlang) && $postloginlang) { $_SESSION['adminlang'] = $postloginlang; $clang = new limesurvey_lang($postloginlang); $uquery = "UPDATE {$dbprefix}users " . "SET lang='{$postloginlang}' " . "WHERE uid={$_SESSION['loginID']}"; $uresult = $connect->Execute($uquery); // Checked } else { $_SESSION['adminlang'] = $fields['lang']; $clang = new limesurvey_lang($_SESSION['adminlang']); } $login = true; $loginsummary .= "
" .str_replace("{NAME}", $_SESSION['user'], $clang->gT("Welcome {NAME}")) . "
"; $loginsummary .= $clang->gT("You logged in successfully."); if (isset($_POST['refererargs']) && $_POST['refererargs'] && strpos($_POST['refererargs'], "action=logout") === FALSE) { $_SESSION['metaHeader']=""; $loginsummary .= "
".$clang->gT("Reloading Screen. Please wait.")."\n"; } $loginsummary .= "

\n"; GetSessionUserRights($_SESSION['loginID']); } else { $loginsummary .= "
".$clang->gT("Incorrect User name and/or Password!")."
"; $loginsummary .= "

".$clang->gT("Continue")."
 \n"; } } } } elseif($useWebserverAuth === true && !isset($_SERVER['PHP_AUTH_USER'])) // LimeSurvey expects webserver auth but it has not been achieved { $loginsummary .= "
".$clang->gT("LimeSurvey is setup to use the webserver authentication, but it seems you have not already been authenticated")."
"; $loginsummary .= "

".$clang->gT("Please contact your system administrator")."
 \n"; } elseif($useWebserverAuth === true && isset($_SERVER['PHP_AUTH_USER'])) // normal login through webserver authentication { $action = 'login'; // we'll include database.php // we need to unset surveyid // that could be set if the user clicked on // a link with all params before first auto-login unset($surveyid); $loginsummary = "
".$clang->gT("Logging in...")."
\n"; // getting user name, optionnally mapped if (isset($userArrayMap) && is_array($userArrayMap) && isset($userArrayMap[$_SERVER['PHP_AUTH_USER']])) { $mappeduser=$userArrayMap[$_SERVER['PHP_AUTH_USER']]; } else { $mappeduser=$_SERVER['PHP_AUTH_USER']; } include("database.php"); $query = "SELECT uid, users_name, password, parent_id, email, lang, htmleditormode FROM ".db_table_name('users')." WHERE users_name=".$connect->qstr($mappeduser); $ADODB_FETCH_MODE = ADODB_FETCH_ASSOC; //Checked $result = $connect->SelectLimit($query, 1) or safe_die ($query."
".$connect->ErrorMsg()); if ($result->RecordCount() < 1) { // In case the hook function is defined // overrite the default auto-import profile // by this function's result if (function_exists("hook_get_autouserprofile")) { // If defined this function returns an array // describing the defaukt profile for this user $WebserverAuth_autouserprofile = hook_get_autouserprofile($mappeduser); } if (isset($WebserverAuth_autocreateUser) && $WebserverAuth_autocreateUser === true && isset($WebserverAuth_autouserprofile) && is_array ($WebserverAuth_autouserprofile) && count($WebserverAuth_autouserprofile) > 0 ) { // user doesn't exist but auto-create user is set $isAuthenticated=false; $new_pass = createPassword(); $uquery = "INSERT INTO {$dbprefix}users " ."(users_name, password,full_name,parent_id,lang,email,create_survey,create_user,delete_user,superadmin,configurator,manage_template,manage_label) " ."VALUES (" . $connect->qstr($mappeduser).", " . "'".SHA256::hash($new_pass)."', " . "'".db_quote($WebserverAuth_autouserprofile['full_name'])."', " . getInitialAdmin_uid()." , " . "'".$WebserverAuth_autouserprofile['lang']."', " . "'".db_quote($WebserverAuth_autouserprofile['email'])."', " . intval($WebserverAuth_autouserprofile['create_survey'])."," . intval($WebserverAuth_autouserprofile['create_user'])."," . intval($WebserverAuth_autouserprofile['delete_user'])."," . intval($WebserverAuth_autouserprofile['superadmin'])."," . intval($WebserverAuth_autouserprofile['configurator'])."," . intval($WebserverAuth_autouserprofile['manage_template'])."," . intval($WebserverAuth_autouserprofile['manage_label']) .")"; $uresult = $connect->Execute($uquery); //Checked if ($uresult) { $isAuthenticated=true; $newqid = $connect->Insert_ID("{$dbprefix}users","uid"); $arrayTemplates=explode(",",$WebserverAuth_autouserprofile['templatelist']); foreach ($arrayTemplates as $tplname) { $template_query = "INSERT INTO {$dbprefix}templates_rights VALUES('$newqid','$tplname','1')"; $connect->Execute($template_query); //Checked } // read again user from newly created entry $result = $connect->SelectLimit($query, 1) or safe_die ($query."
".$connect->ErrorMsg());//Checked } else { $loginsummary .= "
".$clang->gT("Auto Import User Failed!")."
"; $loginsummary .= "

".$clang->gT("Continue")."
 \n"; $isAuthenticated=false; } } else { // wrong or unknown username $loginsummary .= "
".$clang->gT("Incorrect User name and/or Password!")."
"; $loginsummary .= "

".$clang->gT("Continue")."
 \n"; $isAuthenticated=false; } } else { // User already exists $isAuthenticated=true; } if ($isAuthenticated ===true) { // user exists and was authenticated by webserver $fields = $result->FetchRow(); $_SESSION['loginID'] = intval($fields['uid']); $_SESSION['user'] = $fields['users_name']; $_SESSION['adminlang'] = $fields['lang']; $_SESSION['htmleditormode'] = $fields['htmleditormode']; $_SESSION['checksessionpost'] = randomkey(10); $_SESSION['pw_notify']=false; $clang = new limesurvey_lang($_SESSION['adminlang']); $login = true; $loginsummary .= "
" .str_replace("{NAME}", $_SESSION['user'], $clang->gT("Welcome {NAME}")) . "
"; $loginsummary .= $clang->gT("You logged in successfully."); if (isset($_SERVER['QUERY_STRING']) && $_SERVER['QUERY_STRING'] && strpos($_SERVER['QUERY_STRING'], "action=logout") === FALSE) { $_SESSION['metaHeader']=""; $loginsummary .= "
".$clang->gT("Reloading Screen. Please wait.")."\n"; } $loginsummary .= "

\n"; GetSessionUserRights($_SESSION['loginID']); } } } elseif ($action == "logout") { // $logoutsummary = "
".$clang->gT("Logout")."
\n"; killSession(); $logoutsummary = $clang->gT("Logout successful."); // $logoutsummary .= "

".$clang->gT("Main Admin Screen")."
 \n"; } elseif ($action == "adduser" && $_SESSION['USER_RIGHT_CREATE_USER']) { $addsummary = "
".$clang->gT("Add User")."
\n"; $new_user = html_entity_decode_php4($postnew_user); $new_email = html_entity_decode_php4($postnew_email); $new_full_name = html_entity_decode_php4($postnew_full_name); $new_user = $postnew_user; // TODO: check if html decode should be used here $new_email = $postnew_email; // TODO: check if html decode should be used here $new_full_name = html_entity_decode_php4($postnew_full_name); $valid_email = true; if(!validate_email($new_email)) { $valid_email = false; $addsummary .= "
".$clang->gT("Failed to add User.")."
\n" . " " . $clang->gT("Email address is not valid.")."
\n"; } if(empty($new_user)) { if($valid_email) $addsummary .= "
".$clang->gT("Failed to add User.")."
\n" . " "; $addsummary .= $clang->gT("Username was not supplied.")."
\n"; } elseif($valid_email) { $new_pass = createPassword(); $uquery = "INSERT INTO {$dbprefix}users (users_name, password,full_name,parent_id,lang,email,create_survey,create_user,delete_user,superadmin,configurator,manage_template,manage_label) VALUES ('".db_quote($new_user)."', '".SHA256::hash($new_pass)."', '".db_quote($new_full_name)."', {$_SESSION['loginID']}, '{$defaultlang}', '".db_quote($new_email)."',0,0,0,0,0,0,0)"; $uresult = $connect->Execute($uquery); //Checked if($uresult) { $newqid = $connect->Insert_ID("{$dbprefix}users","uid"); // add default template to template rights for user $template_query = "INSERT INTO {$dbprefix}templates_rights VALUES('$newqid','default','1')"; $connect->Execute($template_query); //Checked // add new user to userlist $squery = "SELECT uid, users_name, password, parent_id, email, create_survey, configurator, create_user, delete_user, superadmin, manage_template, manage_label FROM ".db_table_name('users')." WHERE uid='{$newqid}'"; //added by Dennis $sresult = db_execute_assoc($squery);//Checked $srow = $sresult->FetchRow(); $userlist = getuserlist(); array_push($userlist, array("user"=>$srow['users_name'], "uid"=>$srow['uid'], "email"=>$srow['email'], "password"=>$srow["password"], "parent_id"=>$srow['parent_id'], // "level"=>$level, "create_survey"=>$srow['create_survey'], "configurator"=>$srow['configurator'], "create_user"=>$srow['create_user'], "delete_user"=>$srow['delete_user'], "superadmin"=>$srow['superadmin'], "manage_template"=>$srow['manage_template'], "manage_label"=>$srow['manage_label'])); // send Mail $body = $clang->gT("You were signed in on the site")." ".$sitename."
\n"; $body .= $clang->gT("Your data:")."
\n"; $body .= $clang->gT("Username") . ": " . $new_user . "
\n"; if ($useWebserverAuth === false) { // authent is not delegated to web server // send password otherwise do not $body .= $clang->gT("Password") . ": " . $new_pass . "
\n"; } $body .= "".$clang->gT("Login here")."
\n"; $subject = 'Registration'; $to = $new_email; $from = $siteadminemail; $sitename = $siteadminname; if(MailTextMessage($body, $subject, $to, $from, $sitename, true, $siteadminbounce)) { $addsummary .= "
".$clang->gT("Username").": $new_user
".$clang->gT("Email").": $new_email
"; $addsummary .= "
".$clang->gT("An email with a generated password was sent to the user."); } else { // Muss noch mal gesendet werden oder andere M??glichkeit $tmp = str_replace("{NAME}", "".$new_user."", $clang->gT("Email to {NAME} ({EMAIL}) failed.")); $addsummary .= "
".str_replace("{EMAIL}", $new_email, $tmp) . "
"; } $addsummary .= "
\t\t\t

" ."" ."" ."" ."" ."

"; } else{ $addsummary .= "
".$clang->gT("Failed to add User.")."
\n" . " " . $clang->gT("Username and/or email address already exists.")."
\n"; } } $addsummary .= "
".$clang->gT("Continue")."
 \n"; } elseif ($action == "deluser" && ($_SESSION['USER_RIGHT_SUPERADMIN'] == 1 || $_SESSION['USER_RIGHT_DELETE_USER'] )) { $addsummary = "
".$clang->gT("Deleting User")."
\n"; // CAN'T DELETE ORIGINAL SUPERADMIN // Initial SuperAdmin has parent_id == 0 $adminquery = "SELECT uid FROM {$dbprefix}users WHERE parent_id=0"; $adminresult = db_select_limit_assoc($adminquery, 1);//Checked $row=$adminresult->FetchRow(); if($row['uid'] == $postuserid) // it's the original superadmin !!! { $addsummary .= "
".$clang->gT("Initial Superadmin cannot be deleted!")."
\n"; } else { if (isset($postuserid)) { $sresultcount = 0;// 1 if I am parent of $postuserid if ($_SESSION['USER_RIGHT_SUPERADMIN'] != 1) { $squery = "SELECT uid FROM {$dbprefix}users WHERE uid=$postuserid AND parent_id=".$_SESSION['loginID']; $sresult = $connect->Execute($squery); //Checked $sresultcount = $sresult->RecordCount(); } if ($_SESSION['USER_RIGHT_SUPERADMIN'] == 1 || $sresultcount > 0 || $postuserid == $_SESSION['loginID']) { // We are about to kill an uid with potential childs // Let's re-assign them their grand-father as their // new parentid $squery = "SELECT parent_id FROM {$dbprefix}users WHERE uid=".$postuserid; $sresult = $connect->Execute($squery); //Checked $fields = $sresult->FetchRow($sresult); if (isset($fields[0])) { $uquery = "UPDATE ".db_table_name('users')." SET parent_id={$fields[0]} WHERE parent_id=".$postuserid; // added by Dennis $uresult = $connect->Execute($uquery); //Checked } //DELETE USER FROM TABLE $dquery="DELETE FROM {$dbprefix}users WHERE uid=".$postuserid; // added by Dennis $dresult=$connect->Execute($dquery); //Checked // Delete user rights $dquery="DELETE FROM {$dbprefix}surveys_rights WHERE uid=".$postuserid; $dresult=$connect->Execute($dquery); //Checked if($postuserid == $_SESSION['loginID']) killSession(); // user deleted himself $addsummary .= "
".$clang->gT("Username").": {$postuser}
\n"; } else { include("access_denied.php"); } } else { $addsummary .= "
".$clang->gT("Could not delete user. User was not supplied.")."
\n"; } } $addsummary .= "

".$clang->gT("Continue")."
 \n"; } elseif ($action == "moduser") { $addsummary = "
".$clang->gT("Modifying User")."
\n"; $squery = "SELECT uid FROM {$dbprefix}users WHERE uid=$postuserid AND parent_id=".$_SESSION['loginID']; $sresult = $connect->Execute($squery); //Checked $sresultcount = $sresult->RecordCount(); if($_SESSION['USER_RIGHT_SUPERADMIN'] == 1 || $postuserid == $_SESSION['loginID'] || ($sresultcount > 0 && $_SESSION['USER_RIGHT_CREATE_USER']) ) { $users_name = html_entity_decode_php4($postuser); $email = html_entity_decode_php4($postemail); $pass = html_entity_decode_php4($_POST['pass']); $full_name = html_entity_decode_php4($postfull_name); $valid_email = true; if(!validate_email($email)) { $valid_email = false; $failed = true; $addsummary .= "
".$clang->gT("Could not modify User Data.")."
\n" . " ".$clang->gT("Email address ist not valid.")."
\n"; } elseif($valid_email) { $failed = false; if(empty($pass)) { $uquery = "UPDATE ".db_table_name('users')." SET email='".db_quote($email)."', full_name='".db_quote($full_name)."' WHERE uid=".$postuserid; } else { $uquery = "UPDATE ".db_table_name('users')." SET email='".db_quote($email)."', full_name='".db_quote($full_name)."', password='".SHA256::hash($pass)."' WHERE uid=".$postuserid; } $uresult = $connect->Execute($uquery);//Checked if($uresult && empty($pass)) { $addsummary .= "
".$clang->gT("Username").": $users_name
".$clang->gT("Password").": {".$clang->gT("Unchanged")."}
\n"; } elseif($uresult && !empty($pass)) { $addsummary .= "
".$clang->gT("Username").": $users_name
".$clang->gT("Password").": $pass
\n"; } else { // Username and/or email adress already exists. $addsummary .= "
".$clang->gT("Could not modify User Data.")."
\n" . " ".$clang->gT("Email address already exists.")."
\n"; } } if($failed) { $addsummary .= "

" ."" ."" ."" ."

"; } else { $addsummary .= "

".$clang->gT("Continue")."
 \n"; } } else { include("access_denied.php"); } } elseif ($action == "userrights") { $addsummary = "
".$clang->gT("Set User Rights")."
\n"; // A user can't modify his own rights ;-) if($postuserid != $_SESSION['loginID']) { $squery = "SELECT uid FROM {$dbprefix}users WHERE uid=$postuserid AND parent_id=".$_SESSION['loginID']; $sresult = $connect->Execute($squery); // Checked $sresultcount = $sresult->RecordCount(); if($_SESSION['USER_RIGHT_SUPERADMIN'] != 1 && $sresultcount > 0) { // Not Admin, just a user with childs $rights = array(); // Forbids Allowing more privileges than I have if(isset($_POST['create_survey']) && $_SESSION['USER_RIGHT_CREATE_SURVEY'])$rights['create_survey']=1; else $rights['create_survey']=0; if(isset($_POST['configurator']) && $_SESSION['USER_RIGHT_CONFIGURATOR'])$rights['configurator']=1; else $rights['configurator']=0; if(isset($_POST['create_user']) && $_SESSION['USER_RIGHT_CREATE_USER'])$rights['create_user']=1; else $rights['create_user']=0; if(isset($_POST['delete_user']) && $_SESSION['USER_RIGHT_DELETE_USER'])$rights['delete_user']=1; else $rights['delete_user']=0; $rights['superadmin']=0; // ONLY Initial Superadmin can give this right if(isset($_POST['manage_template']) && $_SESSION['USER_RIGHT_MANAGE_TEMPLATE'])$rights['manage_template']=1; else $rights['manage_template']=0; if(isset($_POST['manage_label']) && $_SESSION['USER_RIGHT_MANAGE_LABEL'])$rights['manage_label']=1; else $rights['manage_label']=0; setuserrights($postuserid, $rights); $addsummary .= "
".$clang->gT("Update user rights successful.")."
\n"; $addsummary .= "

".$clang->gT("Continue")."
 \n"; } elseif ($_SESSION['USER_RIGHT_SUPERADMIN'] == 1) { $rights = array(); if(isset($_POST['create_survey']))$rights['create_survey']=1; else $rights['create_survey']=0; if(isset($_POST['configurator']))$rights['configurator']=1; else $rights['configurator']=0; if(isset($_POST['create_user']))$rights['create_user']=1; else $rights['create_user']=0; if(isset($_POST['delete_user']))$rights['delete_user']=1; else $rights['delete_user']=0; // Only Initial Superadmin can give this right if(isset($_POST['superadmin'])) { // Am I original Superadmin ? // Initial SuperAdmin has parent_id == 0 $adminquery = "SELECT uid FROM {$dbprefix}users WHERE parent_id=0"; $adminresult = db_select_limit_assoc($adminquery, 1); $row=$adminresult->FetchRow(); if($row['uid'] == $_SESSION['loginID']) // it's the original superadmin !!! { $rights['superadmin']=1; } else { $rights['superadmin']=0; } } else { $rights['superadmin']=0; } if(isset($_POST['manage_template']))$rights['manage_template']=1; else $rights['manage_template']=0; if(isset($_POST['manage_label']))$rights['manage_label']=1; else $rights['manage_label']=0; setuserrights($postuserid, $rights); $addsummary .= "
".$clang->gT("Update user rights successful.")."
\n"; $addsummary .= "

".$clang->gT("Continue")."
 \n"; } else { include("access_denied.php"); } } else { $addsummary .= "
".$clang->gT("You are not allowed to change your own rights!")."
\n"; $addsummary .= "

".$clang->gT("Continue")."
 \n"; } } elseif ($action == "usertemplates") { $addsummary = "
".$clang->gT("Set Template Rights")."
\n"; // SUPERADMINS AND MANAGE_TEMPLATE USERS CAN SET THESE RIGHTS if( $_SESSION['USER_RIGHT_SUPERADMIN'] == 1 || $_SESSION['USER_RIGHT_MANAGE_TEMPLATE'] == 1) { $templaterights = array(); $tquery = "SELECT * FROM ".$dbprefix."templates"; $tresult = db_execute_assoc($tquery); while ($trow = $tresult->FetchRow()) { if (isset($_POST[$trow["folder"]."_use"])) $templaterights[$trow["folder"]] = 1; else $templaterights[$trow["folder"]] = 0; } foreach ($templaterights as $key => $value) { $uquery = "INSERT INTO {$dbprefix}templates_rights SET `uid`={$postuserid}, `folder`='".$key."', `use`=".$value." ON DUPLICATE KEY UPDATE `use`=".$value; $uresult = $connect->execute($uquery); } if ($uresult) { $addsummary .= "
".$clang->gT("Update usertemplates successful.")."
\n"; $addsummary .= "

".$clang->gT("Continue")."
 \n"; } else { $addsummary .= "".$clang->gT("Error")."
\n"; $addsummary .= "
".$clang->gT("Error while updating usertemplates.")."
\n"; $addsummary .= "

".$clang->gT("Continue")."
 \n"; } } else { include("access_denied.php"); } } function getInitialAdmin_uid() { global $dbprefix; // Initial SuperAdmin has parent_id == 0 $adminquery = "SELECT uid FROM {$dbprefix}users WHERE parent_id=0"; $adminresult = db_select_limit_assoc($adminquery, 1); $row=$adminresult->FetchRow(); return $row['uid']; } ?>