00001 <?php
00002 # This file is part of the Savane project
00003 # <http://gna.org/projects/savane/>
00004 #
00005 # $Id: change.php 4977 2005-11-15 17:38:40Z yeupou $
00006 #
00007 # Copyright 2003-2006 (c) Mathieu Roy <yeupou--gnu.org>
00008 # Yves Perrin <yves.perrin--cern.ch>
00009 #
00010 # The Savane project is free software; you can redistribute it and/or
00011 # modify it under the terms of the GNU General Public License
00012 # as published by the Free Software Foundation; either version 2
00013 # of the License, or (at your option) any later version.
00014 #
00015 # The Savane project is distributed in the hope that it will be useful,
00016 # but WITHOUT ANY WARRANTY; without even the implied warranty of
00017 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
00018 # GNU General Public License for more details.
00019 #
00020 # You should have received a copy of the GNU General Public License
00021 # along with the Savane project; if not, write to the Free Software
00022 # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
00023
00024
require "../../include/pre.php";

register_globals_off();


########################################################################
# Preliminary checks
# Changing account settings is only possible for a logged-in user.
session_require(array('isloggedin' => '1'));

# Request parameters.  All of them go through sane_all(); nothing in this
# file reads $_GET/$_POST directly.
# NOTE(review): these values are later interpolated into SQL statements
# and HTML attributes, so sane_all() is the only filter in front of
# them -- confirm what it escapes before relying on it.
$item          = sane_all('item');           # which setting is being changed
$update        = sane_all('update');         # set when the form was submitted
$newvalue      = sane_all('newvalue');
$newvaluecheck = sane_all('newvaluecheck');  # re-typed new password
$oldvalue      = sane_all('oldvalue');       # current password
$step          = sane_all('step');           # empty, 'confirm' or 'discard'
$session_hash  = sane_all('session_hash');
$confirm_hash  = sane_all('confirm_hash');

# Nothing can be done without knowing which item to edit.
if (!$item)
  exit_missing_param();
00048
# Account deletion is refused while the user still belongs to a group.
# Leaving a group through its own form notifies the people who need to
# know, so that step is deliberately not automated here.
if ($item == 'delete')
{
  $groups = db_query("SELECT user_group_id FROM user_group WHERE user_id=" . user_getid());
  if (db_numrows($groups) != 0)
    exit_error(_("You must quit groups that your are member of before requesting account deletion"));
}
00062
########################################################################
# Update the database
#
# Only reached when the form was submitted ($update is the submit
# button).  Each branch validates the item-specific input, writes the
# user row and reports through fb(); when $success is still set at the
# end of the block the script redirects back to the account page.
#
# NOTE(review): every SELECT/UPDATE in this block is built by string
# interpolation ($newvalue, $confirm_hash, ...).  The only filter on
# those values is sane_all() at the top of the file -- confirm that it
# escapes quotes for SQL, otherwise these statements are injectable.
# Binding the values as query parameters would remove that dependency.
if ($update)
{
# Update the database and redirect to account conf page
if ($item == "realname")
{
################# Realname
if (!$newvalue)
{ fb(_("You must supply a new real name."), 1); }
else
{
# NOTE(review): strtr() with string arguments ignores the characters of
# the longer argument that have no counterpart, so only the backslash is
# turned into a space here; the quotes and the comma are kept.  If
# sane_all() escapes with backslashes, this also strips that escaping
# right before the value is interpolated into SQL.
# str_replace(array("'", '"', ','), ' ', $newvalue) does what the
# intent appears to be.
$newvalue = strtr($newvalue, "\'\"\,", " ");
$success = db_query("UPDATE user SET realname='$newvalue' WHERE user_id=".user_getid());
if ($success)
{ fb(_("Real Name updated.")); }
else
{ fb(_("Failed to update the database."), 1); }
}

}
else if ($item == "timezone")
{
################# Timezone
# 100 is the select-box value standing for GMT.  Any other value is
# stored as received; it is not checked against the $TZs list that the
# form below offers.
if ($newvalue == 100)
{ $newvalue = "GMT"; }

$success = db_query("UPDATE user SET timezone='$newvalue' WHERE user_id=" . user_getid());
if ($success)
{ fb(_("Timezone updated.")); }
else
{ fb(_("Failed to update the database."), 1); }
}
else if ($item == "password")
{
################# password

require "../../include/account.php";

# Cleared by any failed check below; only a still-set $success writes.
$success = 1;

# check against old pw
# db_fetch_array() is called without a result handle; presumably the db
# layer remembers the last query -- confirm.  The status column is
# fetched but never looked at.
db_query("SELECT user_pw, status FROM user WHERE user_id=" . user_getid());
$row_pw = db_fetch_array();

# CERN_SPECIFIC: sys_use_pamauth have to be included in the
# configuration file and sv_update_conf
# NOTE: $row_pw[user_pw] is a bare constant; write $row_pw['user_pw']
# (a fatal error on PHP 8).
if ($GLOBALS['sys_use_pamauth']=='yes' && $row_pw[user_pw] == 'PAM')
{
# use pam authentication
unset($pam_error);
# &$pam_error is a call-time pass-by-reference (removed in PHP 5.4);
# declare the reference in pam_auth()'s signature instead.
if (!pam_auth(user_getname(), $oldvalue, &$pam_error))
{
# BUG: this is a bare string expression whose value is discarded, so the
# user is never told that the old password was wrong.  Intended:
# fb(_("Old password is incorrect.").' '.$pam_error, 1);
' '._("Old password is incorrect.").' '
. $pam_error;
$success = 0;
}

}
# Passwords are stored as unsalted MD5 and compared with a loose !=.
# password_hash()/password_verify() (and hash_equals() for the compare)
# would be the replacement; existing rows would need a migration.
else if ($row_pw[user_pw] != md5($oldvalue))
{
# use basic authentication via user table
fb(_("Old password is incorrect."), 1);
$success = 0;
}

# NOTE(review): $usepam is not read through sane_all(), and
# register_globals_off() is called at the top of the file, so this looks
# permanently unset (branch unreachable) -- confirm.  If it is reachable,
# the UPDATE below runs even when the old-password check above set
# $success = 0; it should be guarded by if ($success).
if($usepam)
{
# allow user to set authentication to be PAM based
db_query("UPDATE user SET user_pw='PAM' WHERE user_id=".user_getid());
}
else
{
# do standard password sanity checks and update table
if (!$newvalue)
{
fb(_("You must supply a password."), 1);
$success = 0;
}
# != is a loose comparison (numeric-looking strings are compared as
# numbers, e.g. '1e3' != '1000' is false); !== is the right operator.
if ($newvalue != $newvaluecheck)
{
fb(_("New Passwords do not match."), 1);
$success = 0;
}
# account_pwvalid() presumably reports its own feedback; nothing is
# printed here on failure.
if (!account_pwvalid($newvalue))
{
$success = 0;
}

# Update only if everything was ok before
if ($success)
{
$success = db_query("UPDATE user SET user_pw='" . md5($newvalue) . "' WHERE "
. "user_id=" . user_getid());
if ($success)
{ fb(_("Password updated.")); }
else
{ fb(_("Failed to update the database."), 1); }
}

}
}
else if ($item == "gpgkey")
{
################# GPG Key

# The key is stored as received: no format check, and the form below
# echoes it back into a textarea unescaped.
$success = db_query("UPDATE user SET gpg_key='$newvalue' WHERE user_id=".user_getid());
if ($success)
{ fb(_("GPG Key updated.")); }
else
{ fb(_("Failed to update the database."), 1); }
}
else if ($item == "email")
{
################# Email

# First step: record the requested address and mail a confirmation
# link to it (plus a warning to the current address).
if (!$step)
{
require "../../include/account.php";

# Proceed only if it is a valid email address
if (account_emailvalid($newvalue))
{

# Build a new confirm hash
# NOTE(review): the hash is md5($session_hash . time()) cut to 16 hex
# chars.  The form below sends no session_hash field, so unless
# sane_all() picks it up from the session cookie this is md5(time()),
# guessable to the second.  bin2hex(random_bytes(8)) gives a value of
# the same shape without that weakness.
$confirm_hash = substr(md5($session_hash . time()),0,16);
$res_user = db_query("SELECT * FROM user WHERE user_id=".user_getid());
if (db_numrows($res_user) < 1)
{ exit_error("Invalid User","That user does not exist."); }

$row_user = db_fetch_array($res_user);

# NOTE: $row_user[user_id] is a bare constant; write $row_user['user_id'].
$success = db_query("UPDATE user SET confirm_hash='$confirm_hash',email_new='$newvalue' "
. "WHERE user_id='".$row_user[user_id]."'");


if (!$success)
{
fb(_("Failed to update the database."), 1);
}
else
{
fb(_("Database updated."));

# NOTE(review): the two $url assignments are truncated in this copy of
# the file (closing quote and braces are not visible); $url presumably
# already carries the confirm_hash parameter, since "&step=..." is
# appended to it below.
if ($GLOBALS['sys_https_host'])
{ $url = 'https:
else
{ $url = 'http:

$message = sprintf(_("You have requested a change of email address on %s.\nPlease visit the following URL to complete the email change:"), $GLOBALS['sys_name']) . "\n\n"
. $url."&step=confirm\n\n"
. sprintf(_("-- the %s team."), $GLOBALS['sys_name']) . "\n";

$warning_message = sprintf(_("Someone, presumably you, has requested a change of email address on %s.\nIf it wasn't you, maybe someone is trying to steal your account...\n\nYour current address is %s, the supposedly new address is %s.\n\n"), $GLOBALS['sys_name'], $row_user[email], $newvalue)
. _("If you did not request that change, please visit the following URL to discard\nthe email change and report the problem to us:")."\n\n"
. $url."&step=discard\n\n"
. sprintf(_("-- the %s team."), $GLOBALS['sys_name']) . "\n";

# Only this mail decides $success; the warning below is best-effort.
$success = sendmail_mail($GLOBALS['sys_replyto']."@".$GLOBALS['sys_lists_domain'],
$newvalue,
$GLOBALS['sys_name'] .' '._("Verification"),
$message);

# yeupou--gnu.org 2003-11-09:
# Send also a warning to the current mail address, just in case:
# You can call that paranoia but
# - someone can find a session open on a computer
# - ask for change the mail address
# - after the change, use the lost password process
# ... and so change the password without knowing and
# without having the user noticing that something bad is going
# on.
# The next step is probably to print the mail change request
# on account/ with the possibility to discard
sendmail_mail($GLOBALS['sys_replyto']."@".$GLOBALS['sys_lists_domain'],
$row_user[email],
$GLOBALS['sys_name'] .' '._("Verification"),
$warning_message);


if ($success)
{
# BUG: the sprintf() result is discarded, so the "mailed to" notice is
# never shown.  Intended: fb(sprintf(_("Confirmation mailed to %s."), $newvalue));
sprintf(_("Confirmation mailed to %s."), $newvalue);
fb(_("Follow the instructions in the email to complete the email change."));
}
else
{
fb(_("The system reported a failure when trying to send the confirmation mail. Please retry and report that problem to administrators."), 1);
}
}


}
}
# Second step: the user followed the link from the mail.
# NOTE(review): the row is selected by confirm_hash alone, without the
# "AND user_id=user_getid()" that the account-deletion step below adds,
# so any logged-in user presenting the hash completes the change.  The
# sentinel values this file writes into confirm_hash ('none' after a
# confirm/discard, '' after a deletion) are also accepted as lookup
# keys here; the step should reject an empty or 'none' $confirm_hash
# before querying and scope the query to the current user.
else if ($step == "confirm")
{
$success = 1;
$res_user = db_query("SELECT * FROM user WHERE confirm_hash='$confirm_hash'");
if (db_numrows($res_user) > 1)
{
# BUG: $ffeedback is never read (the redirect below uses $feedback);
# the other branches report through fb(), and these strings are not
# passed through _().
$ffeedback = (" This confirm hash exists more than once.");
$success = 0;
}
if (db_numrows($res_user) < 1)
{
$ffeedback = (" Invalid confirmation hash.");
$success = 0;
}
if ($success)
{
$row_user = db_fetch_array($res_user);
# The previous address is kept in email_new and 'none' marks the hash
# as used (see the note on sentinel values above).
$success = db_query("UPDATE user SET "
. "email='" . $row_user['email_new'] . "',"
. "confirm_hash='none',"
. "email_new='" . $row_user['email'] . "' WHERE "
. "confirm_hash='$confirm_hash'");

if ($success)
{ fb(_("Email address updated.")); }
else
{ fb(_("Failed to update the database."), 1); }

}
}
# Same hash-only lookup as the confirm step above.
else if ($step == "discard")
{
# Just remove stuff added
$success = db_query("UPDATE user SET "
. "confirm_hash='none',"
. "email_new='' WHERE "
. "confirm_hash='$confirm_hash'");
if ($success)
{ fb(_("Address change process discarded.")); }
else
{ fb(_("Failed to discard the address change process, please contact administrators."), 1); }

}
else
{
fb(_("Unable to understand what to do, parameters are probably missing"), 1);
}
}
else if ($item == "delete")
{

################# Account Deletion

# First step: the confirmation checkbox of the form below carries the
# value 'deletionconfirmed'.
if (!$step && $newvalue == 'deletionconfirmed')
{
# Build a new confirm hash
# Same construction as in the email branch; see the note there about
# its predictability when $session_hash is empty.
$confirm_hash = substr(md5($session_hash . time()),0,16);
$res_user = db_query("SELECT * FROM user WHERE user_id=".user_getid());
if (db_numrows($res_user) < 1)
{ exit_error("Invalid User","That user does not exist."); }

$row_user = db_fetch_array($res_user);

# NOTE(review): email_new receives the checkbox value here; this looks
# copied from the email branch -- confirm it is intended.
# $row_user[user_id] is a bare constant; write $row_user['user_id'].
$success = db_query("UPDATE user SET confirm_hash='$confirm_hash',email_new='$newvalue' "
. "WHERE user_id='".$row_user[user_id]."'");


if (!$success)
{
fb(_("Failed to update the database."), 1);
}
else
{
fb(_("Database updated."));

# NOTE(review): truncated in this copy of the file, as in the email
# branch above.
if ($GLOBALS['sys_https_host'])
{ $url = 'https:
else
{ $url = 'http:

$message = sprintf(_("Someone, presumably you, has requested your %s account deletion.\nIf it wasn't you, it probably means that someone stole your account.\n\n"), $GLOBALS['sys_name']).
sprintf(_("If you did request your %s account deletion, visit the following URL to finish\nthe deletion process:"), $GLOBALS['sys_name']) . "\n\n"
. $url."&step=confirm\n\n"

. _("If you did not request that change, please visit the following URL to discard\nthe process and report ASAP the problem to us:")."\n\n"
. $url."&step=discard\n\n"
. sprintf(_("-- the %s team."), $GLOBALS['sys_name']) . "\n";

# The confirmation goes to the address currently on file.
$success = sendmail_mail($GLOBALS['sys_replyto']."@".$GLOBALS['sys_lists_domain'],
$row_user[email],
$GLOBALS['sys_name'] .' '._("Verification"),
$message);


if ($success)
{
fb(_("Follow the instructions in the email to complete the account deletion."));
}
else
{
fb(_("The system reported a failure when trying to send the confirmation mail. Please retry and report that problem to administrators."), 1);
}

}
}
# Second step: wipe the account.  The SELECT is by hash only, but the
# UPDATE below is additionally scoped to user_getid(), so a stray hash
# cannot erase somebody else's account.
else if ($step == "confirm")
{
$success = 1;
$res_user = db_query("SELECT * FROM user WHERE confirm_hash='$confirm_hash'");
if (db_numrows($res_user) > 1)
{
# BUG: $ffeedback is never read; see the same problem in the email
# branch.
$ffeedback = (" This confirm hash exists more than once.");
$success = 0;
}
if (db_numrows($res_user) < 1)
{
$ffeedback = (" Invalid confirmation hash.");
$success = 0;
}
if ($success)
{
$row_user = db_fetch_array($res_user);
# Erase every personal information
# user_pw becomes a 14-character literal, which can never equal the
# 32-hex-character md5() the password check above compares against,
# so the account cannot log in with a password any more.
$success = db_query("UPDATE user SET "
. "user_pw='*********34344',"
. "realname='-Deleted Account-',"
. "status='S',"
. "email='idontexist@nowhere.net',"
. "confirm_hash='',"
. "authorized_keys='',"
. "people_view_skills='0',"
. "people_resume='',"
. "timezone='GMT',"
. "theme='',"
. "gpg_key='',"
. "email_new='' WHERE "
. "confirm_hash='$confirm_hash' AND "
. "user_id='".user_getid()."'");
# Additionally, clean up sessions
# (bookmarks and preferences go first; the session rows are the third
# statement).  session_redirect() at the end of this block runs after
# the caller's own session row is gone -- confirm it copes with that.
db_query("DELETE FROM user_bookmarks WHERE user_id='".user_getid()."'");

db_query("DELETE FROM user_preferences WHERE user_id='".user_getid()."'");
db_query("DELETE FROM session WHERE user_id='".user_getid()."'");

if ($success)
{ fb(_("Account deleted.")); }
else
{ fb(_("Failed to update the database."), 1); }


}
}
# Hash-only lookup, as in the email discard step.
else if ($step == "discard")
{
# Just remove stuff added
$success = db_query("UPDATE user SET "
. "confirm_hash='none',"
. "email_new='' WHERE "
. "confirm_hash='$confirm_hash'");
if ($success)
{ fb(_("Account deletion process discarded.")); }
else
{ fb(_("Failed to discard account deletion process, please contact administrators."), 1); }
}

else
{
fb(_("Unable to understand what to do, parameters are probably missing"), 1);
}
}


# Success is set, it means that we can safely go back to the main
# configuration page.
# $feedback is presumably accumulated by fb() (not visible in this
# file).  When $item matched none of the branches above, $success is
# undefined here: a notice, and the page falls through to the form.
if ($success)
{
session_redirect($GLOBALS['sys_home']."my/admin/?feedback=".rawurlencode($feedback));
}

}
00439
00440 ########################################################################
00441 # If we reach this point, it means that not sucessful update has been
00442 # already made.
00443
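# Defines the page depending on the item given
#
# Each branch fills the variables read by the HTML section below:
# $title, $input_title, $input_specific (a ready-made widget that
# replaces the generic input), $preamble, and for the password form the
# second and third input (plus a fourth one when PAM authentication is
# enabled).
if ($item == "realname")
{
################# Realname

  $title = _("Change Real Name");
  $input_title = _("New Real Name:");
}
else if ($item == "timezone")
{
################# Timezone

  # timezones.php provides $TZs, the list offered in the select box;
  # the user's current timezone is preselected.
  require "../../include/timezones.php";
  $title = _("Change Timezone");
  $input_title = _("No matter where you live, you can see all dates and times as if it were in your neighborhood:");
  $input_specific = html_build_select_box_from_arrays ($TZs,$TZs,'newvalue',user_get_timezone(), true, 'GMT');
}
else if ($item == "password")
{
################# Password

  $title = _("Change Password");

  $input_title = _("Current Password:");
  $input2_title = _("New Password:");
  $input3_title = _("Re-type New Password:");

  $form_item_name = "oldvalue";
  $form_item2_name = "newvalue";
  $form_item3_name = "newvaluecheck";

  $input_type = "password";
  $input2_type = "password";
  $input3_type = "password";

  # AFS CERN Stuff: offer a checkbox that switches the account to PAM
  # authentication instead of a stored password.
  if ($GLOBALS['sys_use_pamauth'] == "yes")
  {
    $input4_title = "<br />Instead of providing a new Savannah password you
may choose to authenticate via an <strong>AFS</strong> account you own
at this site (this requires your Savannah login name to be the
same as the AFS account name). In this case, you don't need to fill the two \"New Password\" fields. Instead, check the following box:";

    # Pre-check the box when the account already authenticates via PAM.
    db_query("SELECT user_pw FROM user WHERE user_id=" . user_getid());
    $row_pw = db_fetch_array();
    # FIXME: the CHECKED attribute is smuggled through the type value
    # (the HTML section prints type="$input4_type"), which leaves a stray
    # quote in the markup; a separate "checked" flag would be cleaner.
    if ($row_pw['user_pw'] == 'PAM')
      $input4_type = 'checkbox" CHECKED';
    else
      $input4_type = 'checkbox"';

    $form_item4_name = "usepam";
  }
}
else if ($item == "gpgkey")
{
################# GPG Key

  $res_user = db_query("SELECT gpg_key FROM user WHERE user_id=" . user_getid());
  $row_user = db_fetch_array($res_user);

  $title = _("Change GPG Key");
  $input_title = _("You can write down here your (ASCII) public key (gpg --export --armor keyid):");
  # The stored key is user-supplied text echoed back into the page:
  # escape it so it cannot close the textarea and inject markup.
  $input_specific = '<textarea cols="70" rows="10" wrap="virtual" name="newvalue">'
    . htmlspecialchars((string) $row_user['gpg_key']) . '</textarea>';
}
else if ($item == "email")
{
################# Email

  # First step only: the confirm/discard steps are handled (and
  # redirected) by the update section, so no form is shown for them.
  if (!$step)
  {
    $title = _("Change Email Address");
    $input_title = _('New Email Address:');
    $preamble = _("Changing your email address will require confirmation from your new email address, so that we can ensure we have a good email address on file.").'</p><p>'._("We need to maintain an accurate email address for each user due to the level of access we grant via this account. If we need to reach a user for issues related to this server, it is important that we be able to do so.").'</p><p>'._("Submitting the form below will mail a confirmation URL to the new email address. Visiting this link will complete the email change.");
  }
}
else if ($item == "delete")
{
################# Account deletion

  # First step only; the checkbox value 'deletionconfirmed' is what the
  # update section checks for.
  if (!$step)
  {
    $title = _("Delete Account");
    $input_title = _('Do you really want to delete your user account:');
    $input_specific = form_input("checkbox", "newvalue", "deletionconfirmed").' '._("Yes, I really do");
    $preamble = _("This process will require email confirmation.");
  }
}


# Defaults for whatever the branch above did not set.
# empty() rather than !$x: the variables are undefined for most items.
if (empty($form_item_name))
  $form_item_name = "newvalue";
if (empty($input_title))
  $input_title = $title;
if (empty($input_type))
  $input_type = "text";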
00547
00548
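########################################################################
# Actually prints the HTML page
#
# Variables used here are set by the item-specific section above; the
# optional ones ($preamble, $input_specific, $input2..4_*) are tested
# with empty() so that items which do not set them raise no notices.
site_user_header(array('title' => $title,
                       'context' => 'account'));


if (!empty($preamble))
  print '<p>' . $preamble . '</p>';

# PHP_SELF reflects the request path, including anything the client
# appended after the script name, so it is escaped before being placed
# in an attribute.
print '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post">';
print '<span class="preinput">' . $input_title . '</span>';

# Print the usual input unless we have something specific
if (empty($input_specific))
  print '<br /> <input name="' . $form_item_name . '" type="' . $input_type . '" />';
else
  print '<br /> ' . $input_specific;

# Optional extra inputs: the password form adds the new password and
# its re-typed copy, and the PAM checkbox when enabled.
if (!empty($input2_type))
{
  print '<br /><span class="preinput">' . $input2_title . '</span>';
  print '<br /> <input type="' . $input2_type . '" name="' . $form_item2_name . '" />';
}

if (!empty($input3_type))
{
  print '<br /><span class="preinput">' . $input3_title . '</span>';
  print '<br /> <input type="' . $input3_type . '" name="' . $form_item3_name . '" />';
}

# NOTE: $input4_type may carry a trailing '" CHECKED' so that the
# checkbox is preselected (see the password section).
if (!empty($input4_type))
{
  print '<br /><span class="preinput">' . $input4_title . '</span>';
  print '<br /> <input type="' . $input4_type . '" name="' . $form_item4_name . '" />';
}

# $item comes from the request; escape it so it cannot break out of the
# attribute when it is echoed back as a hidden field.
print '<p><input type="hidden" name="item" value="' . htmlspecialchars($item) . '" /></p>';
print '<p><input type="submit" name="update" value="' . _("Update") . '" /></p>';
print '</form>';


site_user_footer(array());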
00601
00602
00603 ?>