1 <?php
2
3
4 // users.php - List, modify, add, and delete users
5 // users.php - author: Nico Stuurman<nicost@sourceforge.net>
6 // TABLES: users
7 /***************************************************************************
8 * This script displays a table with users in group of calling admin. *
9 * Functions to add or modify users and add auditors are integrated. *
10 *
11 * Copyright (c) 2001 by Nico Stuurman *
12 * ------------------------------------------------------------------------ *
13 * This program is free software; you can redistribute it and/or modify it *
14 * under the terms of the GNU General Public License as published by the *
15 * Free Software Foundation; either version 2 of the License, or (at your *
16 * option) any later version. *
17 \**************************************************************************/
18
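// Columns of the users table this script reads; the same names are used as
// global variables holding the form's current values (see show_user_form()).
$userfields ='id,login,firstname,lastname,pwd,groupid,permissions,email,indir,outdir';

// main include calls
require('include.php');

// register variables
// NOTE(review): every name listed here is copied from the POST body into a
// global of the same name (register_globals style); all of them are untrusted.
$post_vars = 'email,id,firstname,lastname,login,me,modify,perms,pwd,pwdcheck,user_group,user_add_groups,';
$post_vars .= 'create,user_add,';

// $type selects the page mode and only ever takes part in equality tests
// against the three known modes, so anything else is normalised to '' here
// instead of being carried around as an arbitrary request-supplied string.
if (empty($type))
    $type = isset($HTTP_GET_VARS['type']) ? $HTTP_GET_VARS['type'] : '';
if (!in_array($type, array('me', 'create', 'modify'), true))
    $type = '';
globalize_vars ($post_vars, $HTTP_POST_VARS);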
31
32
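////
// !check the form input data for validity
// Returns true when the posted user form is acceptable and false (after
// printing a message) otherwise. Reads the register_globals-style globals
// $lastname, $login, $user_group, $pwd, $pwdcheck, $type and $PWD_MINIMUM.
//
// $mode: optional page mode ('create', 'modify', 'me'). When given it is used
//        instead of the global $type, so a caller that knows which form was
//        submitted can enforce the create-time password requirement even when
//        the request carries no ?type= parameter.
function check_input ($mode = null) {
    global $lastname, $login, $pwd, $user_group, $pwdcheck, $type, $PWD_MINIMUM;

    if ($mode === null)
        $mode = $type;

    // required fields (an empty string or 0 counts as missing, as before)
    if (!($lastname and $login and $user_group)) {
        echo "<h5 align='center'>Some input is lacking!</h5>\n";
        return false;
    }
    // strict comparison on purpose: with != PHP compares numeric-looking
    // strings as numbers, so '1e1' and '10' would pass as matching passwords
    if ((string)$pwd !== (string)$pwdcheck) {
        echo "<h5 align='center'>Passwords do not match! <br> Please try again.</h5>";
        return false;
    }
    if ($pwd && (strlen($pwd) < $PWD_MINIMUM)) {
        echo "<h5 align='center'>The password should be at least $PWD_MINIMUM characters long.</h5>";
        return false;
    }
    if ($mode === 'create' && !$pwd) {
        echo "<h5 align='center'>Please provide a password.</h5>";
        return false;
    }
    return true;
}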
57
58
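////
// !Generates a comma-separated list of tables holding data
// tablenames are read from tableoftables
// Returns '' when no table qualifies or the query fails (the original
// returned false from substr() on an unset string; both are falsy for the
// caller's `if ($tables)`).
// NOTE(review): these names are later interpolated as identifiers into
// DELETE statements by delete_user() and cannot be parameterised, so the
// tableoftables rows must stay trustworthy.
function tablestring ($db) {
    $r = $db->Execute("SELECT id,real_tablename FROM tableoftables WHERE tablename <> 'settings' AND permission <> 'System' ORDER BY id");
    $names = array();
    while ($r && !$r->EOF) {
        $names[] = $r->fields['real_tablename'];
        $r->MoveNext();
    }
    return implode(',', $names);
}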
72
73
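////
// !Deletes users after some checks
// $id is the id of the user to remove. It comes from the name of the submit
// button that was pressed (del_<id>), i.e. it is attacker-controlled.
// Allowed for: a super user (anyone), a group admin (users of their own
// group with a permission value below their own), and a user acting on
// themselves.
// Returns false only when the caller is not allowed to delete this user (the
// main script then aborts the page); true otherwise, including when the
// deletion itself fails -- a message is printed in every case.
function delete_user ($db, $id) {
    global $USER;

    include ("includes/defines_inc.php");

    // the id is placed in SQL below: force it to an integer
    $id = (int)$id;

    $original_permissions = get_cell ($db,"users","permissions","id",$id);
    $original_login = get_cell($db,"users","login","id",$id);
    if (!$original_login)
        return true;
    // group of the user being deleted, read from the database; the original
    // compared against $user_group, which is undefined in this function
    // (always null), so group admins were never allowed past this check
    $original_group = get_cell($db,"users","groupid","id",$id);

    // check whether this is illegitimate
    $is_super = (($USER['permissions'] & $SUPER) != 0);
    $is_group_admin = (($USER['permissions'] & $ADMIN) != 0)
        && ($USER['groupid'] == $original_group)
        && ($USER['permissions'] > $original_permissions);
    $is_self = ($USER['id'] == $id);
    if (!($is_super || $is_group_admin || $is_self)) {
        echo "You are not allowed to do this. <br>";
        return false;
    }

    // the login name was typed in by whoever created the user: escape it
    $safe_login = htmlspecialchars($original_login, ENT_QUOTES);

    // cleanup records owned by this user, then the user row, in one transaction
    $tables = tablestring($db);
    $db->BeginTrans();
    $ok = true;
    if ($tables) {
        foreach (explode(',', $tables) as $table) {
            if ($table === '')
                continue;
            // $table is a table name from tableoftables (see tablestring())
            if (!$db->Execute("DELETE FROM $table WHERE ownerid='$id'"))
                $ok = false;
        }
    }
    if (!$db->Execute("DELETE FROM users WHERE id='$id'"))
        $ok = false;
    if ($ok && $db->CommitTrans()) {
        echo "User <i>$safe_login</i> was succesfully deleted.";
        return true;
    }
    $db->RollbackTrans();
    echo "Failed to remove user <i>$safe_login</i>.";
    return true;
}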
119
120
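////
// !Interacts with the SQL database to create/modify users
// can be called to create (type=create) or modify (type=modify) other users or oneselves (type=me)
//
// $db   database connection (ADOdb: Execute/GenID/qstr are used)
// $type 'create', 'modify' or 'me'
//
// All field values are taken from $HTTP_POST_VARS and are untrusted: ids are
// cast to int and strings go through $db->qstr() before they reach SQL, and
// names are HTML-escaped before they are echoed.
//
// What is enforced here, whatever the form offered:
//   - a super user may create/modify anyone and hand out any permission bit;
//   - a group admin may create users in, and modify lower-privileged users
//     of, their own group only, and never grants the SUPER or ADMIN bits;
//   - type 'me' always operates on the calling user ($USER['id']), never on
//     a posted id.
// Returns the HTML status text for type 'me' (the other modes echo their
// status directly and return ''), or false when the action is refused.
function modify ($db, $type) {
    global $HTTP_POST_VARS, $USER, $perms;

    $post = is_array($HTTP_POST_VARS) ? $HTTP_POST_VARS : array();
    $id = isset($post['id']) ? (int)$post['id'] : 0;
    $login = isset($post['login']) ? $post['login'] : '';
    $pwd = isset($post['pwd']) ? $post['pwd'] : '';
    $user_group = isset($post['user_group']) ? (int)$post['user_group'] : 0;
    $user_add_groups = (isset($post['user_add_groups']) && is_array($post['user_add_groups']))
        ? $post['user_add_groups'] : array();
    $firstname = isset($post['firstname']) ? $post['firstname'] : '';
    $lastname = isset($post['lastname']) ? $post['lastname'] : '';
    $email = isset($post['email']) ? $post['email'] : '';
    $result = '';

    // permission checkboxes arrive as perms[] = bit values
    $permissions = 0;
    if (is_array($perms))
        foreach ($perms as $bit)
            $permissions |= (int)$bit;

    // include here, to avoid being overwritten by post_vars
    include ('includes/defines_inc.php');

    $is_super = (($USER['permissions'] & $SUPER) != 0);
    $is_admin = (($USER['permissions'] & $ADMIN) != 0);

    // type 'me' edits the caller and nobody else, whatever id was posted
    if ($type == 'me')
        $id = (int)$USER['id'];

    if (!$is_super) {
        // the form sends the admin's own group as a hidden field; a hand-made
        // request could send any group id, so the value is pinned here
        $user_group = (int)$USER['groupid'];
        // the Group-Admin checkbox is only offered to super users (see
        // show_user_form), so these bits in a non-super request are forged;
        // without this mask a group admin could create a super user
        $permissions &= ~($SUPER | $ADMIN);
    }

    // check whether status of the victim is smaller than
    // the current users status
    $original_permissions = 0;
    $original_group = null;
    if ($type == "modify" && $id) {
        $original_permissions = (int)get_cell ($db,"users","permissions","id",$id);
        $original_group = get_cell ($db,"users","groupid","id",$id);
    }

    // check whether this is not illegitimate
    $allowed = $is_super || ($USER['id'] == $id);
    if (!$allowed && $is_admin && ($USER['permissions'] > $original_permissions)) {
        // group admin: an existing target must currently be in the admin's
        // own group (the original compared against the *posted* group, which
        // let an admin pull a user out of another group)
        $allowed = ($type != 'modify') || ($USER['groupid'] == $original_group);
    }
    if (!$allowed) {
        echo "You are not allowed to do this. <br>";
        return false;
    }

    // log some info
    $theid = (int)$USER['id'];
    $theip = $db->qstr(getenv('REMOTE_ADDR'));   // already quoted for SQL
    $thedate = time();

    // NOTE(review): passwords are stored as unsalted md5 because the login
    // code (not in this file) compares against that; moving to
    // password_hash() has to change both sides at once, so it is only
    // flagged here, not changed.
    $safe_name = htmlspecialchars("$firstname $lastname", ENT_QUOTES);

    if ($type == 'modify' && $id) {
        $query = "UPDATE users SET login=" . $db->qstr($login)
               . ", firstname=" . $db->qstr($firstname)
               . ", lastname=" . $db->qstr($lastname)
               . ", groupid='$user_group', email=" . $db->qstr($email)
               . ", permissions='$permissions', modbyid='$theid'"
               . ", modbyip=$theip, moddate='$thedate'";
        if ($pwd)
            $query .= ", pwd=" . $db->qstr(md5($pwd));
        $query .= " WHERE id='$id';";
        if ($db->Execute($query)) {
            echo "Modified settings of user <i>$safe_name</i>.<br>\n";
            // the additional-groups selector is only shown to super users;
            // for anyone else the posted list is empty (or forged), and the
            // original's unconditional DELETE wiped the user's groups
            if ($is_super)
                users_replace_additional_groups($db, $id, $user_add_groups);
        }
        else
            echo "Could not modify settings of user: <i>$safe_name</i>.<br>\n";
    }
    elseif ($type == 'create') {
        $id = (int)$db->GenID('users_id_seq');
        // NOTE(review): an empty password is stored as md5(''); the form's
        // hint says a blank password means PAM authentication when
        // authmethod==2, so this is kept as it was
        $new_user_settings = serialize(array('menustyle' => 1));
        $query = "INSERT INTO users (id, login, pwd, groupid, firstname, lastname, permissions, email, createdbyid, createdbyip, createddate, settings) ";
        $query .= "VALUES('$id'," . $db->qstr($login) . "," . $db->qstr(md5($pwd))
                . ",'$user_group'," . $db->qstr($firstname) . "," . $db->qstr($lastname)
                . ", '$permissions', " . $db->qstr($email) . ", '$theid', $theip, '$thedate', "
                . $db->qstr($new_user_settings) . ")";

        if ($db->Execute($query)) {
            echo "User <i>$safe_name</i> added.<br>\n";
            if ($is_super)
                users_replace_additional_groups($db, $id, $user_add_groups);
        }
        else
            echo "Failed to add user: <i>$safe_name</i>.<br>\n";
    }
    elseif ($type == 'me' && $id) {
        $query = "UPDATE users SET firstname=" . $db->qstr($firstname)
               . ", lastname=" . $db->qstr($lastname)
               . ", email=" . $db->qstr($email)
               . ", modbyid='$theid', moddate='$thedate', modbyip=$theip";
        // require at least write permissions to change the password
        if ($pwd && $USER["permissions"] >= $WRITE)
            $query .= ", pwd=" . $db->qstr(md5($pwd));
        $query .= " WHERE id='$id';";
        $result .= "\n<table border=0 align='center'>\n <tr>\n <td align='center'>\n ";
        if ($db->Execute($query)) {
            // modify menu view in settings (only the global $USER array is
            // updated here; nothing is written to the database for it)
            $USER['settings']['menustyle'] = (isset($post['menustyle']) && $post['menustyle'] == 1) ? 1 : 0;
            $result .= "Your settings have been modified.<br>\n";
            // superuser can do whatever he please also with herself
            if ($is_super)
                users_replace_additional_groups($db, $id, $user_add_groups);
        }
        else
            $result .= "Failed to modify you settings.<br>\n";
        $result .= " </td>\n </tr>\n</table>\n\n";
    }
    else
        $result .= "Strange error! Please report to your system administrator<br>\n";
    return $result;
}

////
// Replace the "additional groups" of user $id (rows of usersxgroups) with the
// group ids in $group_ids. Existing rows are removed first, so an empty list
// simply clears the user's additional groups. Ids are cast to int.
function users_replace_additional_groups ($db, $id, $group_ids) {
    $id = (int)$id;
    $db->Execute("DELETE FROM usersxgroups WHERE usersid=$id");
    if (!is_array($group_ids))
        return;
    foreach ($group_ids as $add_groupid)
        $db->Execute("INSERT INTO usersxgroups VALUES ('$id','" . (int)$add_groupid . "')");
}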
238
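////
// !can be called to create (type=create) or modify (type=modify) other users or oneselves (type=me)
//
// Prints the add/modify/personal-settings form. The current field values are
// read from globals named after the columns in $userfields ($id, $login,
// $firstname, ...), which the main script fills from the database row or
// leaves as the previous (rejected) POST. All of them are HTML-escaped with
// ENT_QUOTES before use, because the form's attributes are single-quoted.
// Returns false (after printing a message) when the caller may not see the
// form; nothing otherwise. The binding permission checks are in modify().
function show_user_form ($type) {
    global $userfields, $HTTP_SERVER_VARS, $perms, $USER, $db, $system_settings;
    global $HTTP_SESSION_VARS, $PHP_SELF;

    include ('includes/defines_inc.php');

    // read in essential variables
    foreach (explode(',', $userfields) as $fieldname)
        if ($fieldname !== '')
            global ${$fieldname};

    // escaped copies for output; fields that are not set print as empty
    $esc = array();
    foreach (array('id', 'login', 'firstname', 'lastname', 'email') as $name)
        $esc[$name] = isset($$name) ? htmlspecialchars((string)$$name, ENT_QUOTES) : '';

    $permissions = isset($permissions) ? (int)$permissions : 0;
    if (is_array($perms))
        foreach ($perms as $bit)
            $permissions |= (int)$bit;

    if (empty($groupid)) $groupid = $USER["groupid"];

    // check whether this is not illegitimate
    // Group ids are compared with ==; the original used a bitwise & here,
    // which let e.g. the admin of group 2 through for a user of group 3
    // (2 & 3 != 0). NOTE(review): the original's third term compared against
    // an undefined $status (null), i.e. it only required a non-zero
    // permission value; that is kept as written, modify() does the real
    // check against the target's stored permissions.
    $may_view = ($USER['permissions'] & $SUPER)
        || (($USER['permissions'] & $ADMIN) && ($USER['groupid'] == $groupid)
            && ($USER['permissions'] > 0))
        || (isset($id) && $USER['id'] == $id);
    if (!$may_view) {
        echo "<h3 align='center'>You are not allowed to do this. </h3>";
        return false;
    }

    // PHP_SELF echoes the request path (PATH_INFO included): escape it
    $self = isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF']
          : (isset($PHP_SELF) ? $PHP_SELF : '');
    $action = htmlspecialchars($self, ENT_QUOTES) . '?' . (defined('SID') ? SID : '');
    echo "<form method='post' action='$action'>\n";
    echo "<input type='hidden' name='id' value='" . $esc['id'] . "'>\n";
    echo "<table align='center'>\n";

    echo "<tr><td>First name:</td>\n";
    echo "<td><input type='text' name='firstname' maxlength=50 size=25 value='" . $esc['firstname'] . "'></td></tr>\n";
    echo "<tr><td>Last name:</td>\n";
    echo "<td><input type='text' name='lastname' maxlength=50 size=25 value='" . $esc['lastname'] . "'><sup style='color:red'> (required)</sup></td></tr>\n";
    echo "<tr><td>Email Address:</td><td><input type='text' name='email' maxlength=150 size=25 value='" . $esc['email'] . "'></td></tr>\n";

    if ($type == 'create')
        echo "<tr><td>Login Name (max. 20 characters):</td><td><input type='text' name='login' maxlength=20 size=20 value='" . $esc['login'] . "'><sup style='color:red'> (required)</sup></td></tr>\n";
    else {
        echo "<tr><td>Login Name: </td><td>" . $esc['login'] . "</td></tr>\n";
        echo "<input type='hidden' name='login' value='" . $esc['login'] . "'>\n";
    }
    if ($type == 'me') {
        echo "<tr><td>Menu display: </td>";
        $dchecked = '';
        $schecked = '';
        if (!empty($USER['settings']['menustyle']))
            $dchecked = 'checked';
        else
            $schecked = 'checked';
        echo "<td><input type='radio' name='menustyle' $schecked value='0'>scattered <input type='radio' name='menustyle' $dchecked value='1'>drop-down</td></tr>";
    }

    // password fields: not offered under PAM (authmethod 2) except when
    // creating a user or when this session authenticated against sql
    $session_auth = isset($HTTP_SESSION_VARS['authmethod']) ? $HTTP_SESSION_VARS['authmethod'] : '';
    if ($USER['permissions'] >= $WRITE && ($system_settings['authmethod'] <> 2
        || ($type == 'me' && $session_auth == 'sql')
        || $type == 'create')) {
        echo "<tr><td>Password (max. 20 characters):</td><td><input type='password' name='pwd' maxlength=20 size=20 value=''>";
        if ($type == 'create')
            echo "<sup style='color:red'> (required)</sup></td></tr>\n";
        echo "<tr><td>Password reType(max. 20 characters):</td><td><input type='password' name='pwdcheck' maxlength=20 size=20 value=''>";
        if ($type == 'create')
            echo "<sup style='color:red'> (required)</sup></td></tr>\n";
        if ($type == 'modify' || $type == 'me')
            echo "<tr><td colspan=2 align='center'>Leave the password fields blank to keep the current password</td></tr>\n";
        if ($type == 'create' && $system_settings['authmethod'] == 2)
            echo "<tr><td colspan=2 align='center'>Leave the password fields blank to force PAM-based authentification</td></tr>\n";
    }

    // group selectors are shown to super users only; everyone else gets their
    // own group as a hidden field (modify() pins the group server-side too)
    if ($USER['permissions'] & $SUPER) {
        echo "<tr>\n<td>Primary group:</td>\n<td>";
        $r = $db->Execute('SELECT name,id FROM groups');
        echo $r->GetMenu2('user_group', $groupid, false);
        echo "</td>\n</tr>";
        echo "<tr>\n<td>Additional groups:</td>\n<td>";
        $add_groups = array();
        $r = $db->Execute("SELECT groupsid FROM usersxgroups WHERE usersid=" . (isset($id) ? (int)$id : 0));
        while ($r && !$r->EOF) {
            $add_groups[] = $r->fields['groupsid'];
            $r->MoveNext();
        }
        $r = $db->Execute("SELECT name,id FROM groups");
        echo $r->GetMenu2("user_add_groups[]", $add_groups, true, true, 3);
        echo "</td>\n</tr>";
    }
    else {
        echo "<input type=\"hidden\" name=\"user_group\" value=\"" . htmlspecialchars((string)$USER["groupid"], ENT_QUOTES) . "\">";
    }

    // Checkboxes to give user permissions
    // set default choice
    if (!$permissions)
        $permissions = $ACTIVE | $READ | $WRITE;
    if (($type == 'modify' || $type == 'create') && ($USER['permissions'] & $ADMIN)) {
        // only a super user may hand out group-admin rights
        if ($USER['permissions'] & $SUPER)
            echo "<tr><td>Group-Admin:</td>\n<td><input type='checkbox' name='perms[]' value='$ADMIN' " . (($permissions & $ADMIN) ? 'checked' : '') . "></td></tr>\n";
        echo "<tr><td>Layout tables:</td>\n<td><input type='checkbox' name='perms[]' value='$LAYOUT' " . (($permissions & $LAYOUT) ? 'checked' : '') . "></td></tr>\n";
        echo "<tr><td>Write:</td>\n<td><input type='checkbox' name='perms[]' value='$WRITE' " . (($permissions & $WRITE) ? 'checked' : '') . "></td></tr>\n";
        echo "<tr><td>Read:</td>\n<td><input type='checkbox' name='perms[]' value='$READ' " . (($permissions & $READ) ? 'checked' : '') . "></td></tr>\n";
        echo "<tr><td>Login Allowed:</td>\n<td><input type='checkbox' name='perms[]' value='$ACTIVE' " . (($permissions & $ACTIVE) ? 'checked' : '') . "></td></tr>\n";
    }

    if ($type == "modify")
        echo "<tr><td colspan=2 align='center'><input type='submit' name='modify' value='Modify User'></td></tr>\n";
    elseif ($type == "create")
        echo "<tr><td colspan=2 align='center'><input type='submit' name='create' value='Create User'></td></tr>\n";
    elseif ($type == "me")
        echo "<tr><td colspan=2 align='center'><input type='submit' name='me' value='Change Settings'></td></tr>\n";
    echo "</table>\n";
    echo "</form>\n";
}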
381
382
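/****************************** main script ***********************************/

allowonly($ACTIVE,$USER['permissions']);

// NOTE(review): every state change on this page (create, modify, remove,
// change own settings) is a plain POST without an anti-CSRF token. The session
// helpers this script relies on are not visible here, so this is flagged only.

////
// Load one users row into globals named after the columns of $userfields
// (show_user_form() reads $id, $login, $firstname, ... from there). A missing
// row leaves the globals null, as the original inline code did.
function users_load_row_into_globals ($db, $userfields, $id) {
    $r = $db->Execute("SELECT $userfields FROM users WHERE id=" . (int)$id . ";");
    $have_row = ($r && !$r->EOF);
    foreach (explode(',', $userfields) as $fieldname) {
        if ($fieldname === '')
            continue;
        $GLOBALS[$fieldname] = $have_row ? $r->fields[$fieldname] : null;
    }
    return $have_row;
}

// PHP_SELF echoes the request path (PATH_INFO included): escape it before it
// is written into a form action
$self_path = isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF']
           : (isset($PHP_SELF) ? $PHP_SELF : '');
$form_action = htmlspecialchars($self_path, ENT_QUOTES) . '?' . (defined('SID') ? SID : '');

if ($type == 'me') {
    $title .= 'Personal Settings';
    printheader($title);
    navbar($USER['permissions']);
    // pull existing data from database
    users_load_row_into_globals($db, $userfields, $USER['id']);
    show_user_form('me');
    printfooter($db,$USER);
    exit();
}
if (isset($me) && $me == "Change Settings") {
    $title .= "Change Settings";
    $result = modify ($db, "me");
    printheader($title);
    navbar ($USER["permissions"]);
    echo $result;
    show_user_form("me");
    printfooter($db,$USER);
    exit();
}

// Only a groupadmin and sysadmin are allowed to view the remainder
allowonly($ADMIN,$USER["permissions"]);

// set title and print headers
$title .= "User administration";
// extend title if user is an admin
if ($USER["permissions"] < $SUPER)
    $title .= " in group " . get_cell($db,"groups","name","id",$USER["groupid"]);
printheader($title);
navbar($USER["permissions"]);

// Check whether modify or delete button has been chosen: the pressed submit
// button is named del_<id> or mop_<id>
$del = false;
$mod = false;
$del_id = 0;
$mod_id = 0;
if (!empty($HTTP_POST_VARS)) {
    foreach ($HTTP_POST_VARS as $key => $val) {
        if (substr($key, 0, 3) == "del") {
            $delarray = explode("_", $key);
            $del = true;
            // the id is part of a request field name: integers only
            $del_id = isset($delarray[1]) ? (int)$delarray[1] : 0;
        }
        if (substr($key, 0, 3) == "mop") {
            $modarray = explode("_", $key);
            $mod = true;
            $mod_id = isset($modarray[1]) ? (int)$modarray[1] : 0;
        }
    }
}

// submit button values and the login field, filled by globalize_vars() above
$user_add = isset($user_add) ? $user_add : '';
$create = isset($create) ? $create : '';
$modify = isset($modify) ? $modify : '';
$login = isset($login) ? $login : '';

if ($user_add == "Add User") {
    show_user_form ("create");
}
// NOTE(review): get_cell() is defined elsewhere and $login is raw POST data;
// it has to quote its value argument itself
elseif ($create == "Create User" && get_cell($db,"users","login","login",$login)) {
    echo "<h5>A user with that login name already exists. Please try another one.</h5>\n";
    $login = "";
    show_user_form ("create");
}
// NOTE(review): check_input() reads the global $type, which comes from the
// query string and is absent on these POSTs, so its create-time "password
// required" rule never fires here; the form's PAM hint suggests a blank
// password is sometimes wanted, so the calls are kept as they were.
elseif ($create == "Create User" && !check_input()) {
    show_user_form ("create");
}
elseif ($modify == "Modify User" && !check_input()) {
    show_user_form ("modify");
}
elseif ($mod) {
    // pull existing data from database
    users_load_row_into_globals($db, $userfields, $mod_id);
    show_user_form ("modify");
}
else {
    echo "<table align='center' border='1'><caption><h5>";
    if ($modify == "Modify User")
        modify ($db, "modify");
    if ($create == "Create User")
        modify ($db, "create");
    if ($del) {
        if (!delete_user($db, $del_id)) {
            echo "</table>\n";
            printfooter($db,$USER);
            exit();
        }
    }
    echo "</h5></caption>\n";
    echo "<form method='post' name='form' action='$form_action'>\n";

    // set database query
    $db_query = "SELECT * FROM users";

    // if user is not sysadmin then only list users of admin's group
    if (!($USER["permissions"] & $SUPER))
        $db_query .= " WHERE groupid='" . (int)$USER['groupid'] . "'";

    // extend query to order output list on login name
    $db_query .= " ORDER BY login";

    // print header of table which will list users
    echo "<tr>\n";
    echo "<th>Login</th>\n";
    echo "<th>Real Name</th>\n";
    echo "<th>Primary<br>Group</th>\n";
    echo "<th>Additional<br>Groups</th>\n";
    echo "<th>Admin</th>\n";
    echo "<th>Write</th>\n";
    echo "<th>Read</th>\n";
    echo "<th>Active</th>\n";
    echo "<th>Created</th>\n";
    echo "<th>Modified</th>\n";
    echo "<th colspan=\"2\">Action</th>\n";
    echo "</tr>\n";

    $dateformat = get_cell($db,"dateformats","dateformat","id",$system_settings["dateformat"]);

    // get result and number of rows in result
    $r = $db->Execute($db_query);
    while ($r && !$r->EOF) {
        $row = $r->fields;
        $perm = (int)$row["permissions"];

        // one dot per permission bit the user holds (admin, write, read, active)
        $stat = array(
            ($perm & $ADMIN) ? "<li> " : " ",
            ($perm & $WRITE) ? "<li> " : " ",
            ($perm & $READ) ? "<li> " : " ",
            ($perm & $ACTIVE) ? "<li> " : " ",
        );

        // everything in the row was typed in by a user: escape it for HTML
        $login_h = htmlspecialchars((string)$row["login"], ENT_QUOTES);
        $email_h = htmlspecialchars((string)$row["email"], ENT_QUOTES);
        $name_h = htmlspecialchars($row["firstname"] . " " . $row["lastname"], ENT_QUOTES);
        $group_h = htmlspecialchars((string)get_cell ($db,"groups","name","id",$row["groupid"]), ENT_QUOTES);

        // print table output per row
        echo "<tr>\n";
        echo "<td><b><a href=\"mailto:$email_h\">$login_h</a></b></td>\n";
        echo "<td>$name_h</td>\n";
        echo "<td>$group_h</td>\n";
        $ra = $db->Execute("SELECT groupsid FROM usersxgroups WHERE usersid='" . (int)$row["id"] . "'");
        echo "<td>";
        if (!$ra || $ra->EOF)
            echo " ";
        else
            while (!$ra->EOF) {
                echo htmlspecialchars((string)get_cell($db,"groups","name","id",$ra->fields["groupsid"]), ENT_QUOTES) . "<br>";
                $ra->MoveNext();
            }
        echo "</td>\n";
        foreach ($stat as $dot)
            echo "<td align=\"center\">$dot</td>\n";

        $createddate = $row["createddate"] ? date($dateformat, $row["createddate"]) : " ";
        echo "<td>$createddate</td>\n";
        $moddate = $row["moddate"] ? date($dateformat, $row["moddate"]) : " ";
        echo "<td>$moddate</td>\n";

        // don't delete/modify yourself, and, except for sysadmin,
        // do not let admins fool around with other admins in group
        $id = (int)$row["id"];
        if (($USER["id"] <> $id) && (!($perm & $ADMIN) || ($USER["permissions"] & $SUPER))) {
            // the name goes into a JS string literal inside an HTML attribute:
            // escape for the JS string first, then for the attribute
            $js_name = htmlspecialchars(addslashes($row["firstname"] . " " . $row["lastname"]), ENT_QUOTES);
            $modstring = "<input type=\"submit\" name=\"mop_$id\" value=\"Modify\">";
            $delstring = "<input type=\"submit\" name=\"del_$id\" value=\"Remove\" ";
            $delstring .= "Onclick=\"if(confirm('Do you really want to delete user: ";
            $delstring .= $js_name . ", and all his/her database entries? (NO UNDO POSSIBLE!)')){return true;}return false;\">";
            echo "<td align=\"center\">$modstring</td>\n";
            echo "<td align=\"center\">$delstring</td>\n";
        }
        else
            echo "<td align='center'> </td><td align='center'> </td>";

        echo "</tr>\n";
        $r->MoveNext();
    }

    echo "<tr border=0><td colspan=12 align='center'>";
    echo "<INPUT align='center' TYPE='submit' NAME='user_add' VALUE='Add User'></INPUT>\n";
    echo "</td></tr>\n";
    echo "</form>\n";

    echo "</table>";
}
printfooter($db,$USER);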
600
601 ?>