<?php
# Fetch a request parameter by name.
# Returns the raw value from $_REQUEST (GET, POST or cookie, per the
# request_order ini setting) when it is set, otherwise the empty string.
# No validation or escaping happens here; callers must treat the value as
# untrusted input.
function in_request($name) {
	return isset($_REQUEST[$name]) ? $_REQUEST[$name] : "";
}

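# Format a 40-hex-digit PGP key fingerprint for HTML display as ten
# four-character groups ("XXXX XXXX XXXX XXXX XXXX  XXXX XXXX XXXX XXXX XXXX ",
# double space in the middle, trailing space at the end).
#
# Anything that is not exactly 40 hex digits is returned unformatted.  Both
# branches run the value through htmlspecialchars(), so the result is safe
# to echo into HTML regardless of whether the input was well-formed (the
# malformed branch previously returned the raw input).
function html_format_pgp_fingerprint($fingerprint) {
	if (strlen($fingerprint) != 40 || !ctype_xdigit($fingerprint)) {
		# Not a well-formed fingerprint: hand it back unformatted but
		# escaped, so a caller echoing the result is safe either way.
		return htmlspecialchars($fingerprint, ENT_QUOTES);
	}

	$groups = str_split($fingerprint, 4);
	$formatted = implode(" ", array_slice($groups, 0, 5))
		. "  "
		. implode(" ", array_slice($groups, 5))
		. " ";
	return htmlspecialchars($formatted, ENT_QUOTES);
}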

# Display the standard Account form, pass in default values if any
function display_account_form($UTYPE,$A,$U="",$T="",$S="",
			$E="",$P="",$C="",$R="",$L="",$I="",$K="",$UID=0) {
	# Render the account create/edit form template.
	#
	# UTYPE: what user type the form is being displayed for
	# A: what "form" name to use
	# U: value to display for username
	# T: value to display for account type
	# S: value to display for account suspended
	# E: value to display for email address
	# P: password value
	# C: confirm password value
	# R: value to display for RealName
	# L: value to display for Language preference
	# I: value to display for IRC nick
	# K: value to display for the PGP key fingerprint
	# UID: Users.ID value in case form is used for editing
	#
	# The included template reads these parameters and $SUPPORTED_LANGS
	# straight out of this function's scope, so the parameter names are
	# part of the template contract.  Nothing is returned.
	global $SUPPORTED_LANGS;

	include("account_edit_form.php");
}


# process form input from a new/edit account form
#
function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
			$P="",$C="",$R="",$L="",$I="",$K="",$UID=0,$dbh=NULL) {
	# Validate a submitted account form and, if it passes, INSERT (TYPE "new")
	# or UPDATE (TYPE "edit") the Users row.  Output is printed directly:
	# either an error span followed by the re-rendered form, or a
	# success/failure message.  Nothing is returned.
	#
	# UTYPE: The user's account type (the account type of the submitter)
	# TYPE: either "edit" or "new"
	# A: what parent "form" name to use
	# U: value to display for username
	# T: value to display for account type (AccountTypeID; 3 is Developer)
	# S: value to display for account suspended
	# E: value to display for email address
	# P: password value
	# C: confirm password value
	# R: value to display for RealName
	# L: value to display for Language preference
	# I: value to display for IRC nick
	# K: PGP key fingerprint; stored with spaces removed
	# UID: database Users.ID value
	# dbh: database handle; opened with db_connect() when not supplied
	#
	# NOTE(review): the only authorization decision made here is that a
	# Trusted User may not assign Developer status.  Whether the submitter
	# may edit $UID at all, or set $T / $S for it, is not checked in this
	# function and must be enforced by the caller -- confirm there.

	# error check and process request for a new/modified account
	global $SUPPORTED_LANGS;

	if (!$dbh) {
		$dbh = db_connect();
	}

	# Resolve the submitter's Users.ID from the AURSID session cookie;
	# null when no cookie is present.
	if(isset($_COOKIE['AURSID'])) {
		$editor_user = uid_from_sid($_COOKIE['AURSID'], $dbh);
	}
	else {
		$editor_user = null;
	}

	$error = "";
	if (empty($E) || empty($U)) {
		$error = __("Missing a required field.");
	}

	if ($TYPE == "new") {
		# they need password fields for this type of action
		#
		if (empty($P) || empty($C)) {
			$error = __("Missing a required field.");
		}
	} else {
		if (!$UID) {
			$error = __("Missing User ID");
		}
	}

	# Username format rules are enforced only for unprivileged submitters;
	# a privileged editor may set a name valid_username() would reject.
	# Every place a username is rendered must therefore escape it (as the
	# messages below do with htmlspecialchars).
  if (!$error && !valid_username($U) && !user_is_privileged($editor_user, $dbh))
	$error = __("The username is invalid.") . "<ul>\n"
			."<li>" . __("It must be between %s and %s characters long",
			USERNAME_MIN_LEN,  USERNAME_MAX_LEN )
			. "</li>"
			. "<li>" . __("Start and end with a letter or number") . "</li>"
			. "<li>" . __("Can contain only one period, underscore or hyphen.")
			. "</li>\n</ul>";

	if (!$error && $P && $C && ($P != $C)) {
		$error = __("Password fields do not match.");
	}
	# On edit an empty password means "leave it unchanged", so the length
	# policy only applies when one was supplied.
	if (!$error && $P != '' && !good_passwd($P))
		$error = __("Your password must be at least %s characters.",PASSWD_MIN_LEN);

	if (!$error && !valid_email($E)) {
		$error = __("The email address is invalid.");
	}

	if (!$error && $K != '' && !valid_pgp_fingerprint($K)) {
		$error = __("The PGP key fingerprint is invalid.");
	}

	# Role-escalation guard: a Trusted User may not promote anyone to
	# Developer (AccountTypeID 3).  This is the one check that is not
	# gated on !$error, so it overrides any earlier message.
	if ($UTYPE == "Trusted User" && $T == 3) {
		$error = __("A Trusted User cannot assign Developer status.");
	}
	if (!$error && !array_key_exists($L, $SUPPORTED_LANGS)) {
		$error = __("Language is not currently supported.");
	}
	if (!$error) {
		# check to see if this username is available
		# NOTE: a race condition exists here if we care...
		# (two concurrent registrations of the same name can both pass
		# this SELECT; only a unique index on Users.Username would close it)
		#
		$q = "SELECT COUNT(*) AS CNT FROM Users ";
		$q.= "WHERE Username = '".db_escape_string($U)."'";
		if ($TYPE == "edit") {
			# Exclude the row being edited so keeping one's own name is fine.
			$q.= " AND ID != ".intval($UID);
		}
		$result = db_query($q, $dbh);
		if ($result) {
			$row = mysql_fetch_array($result);
			if ($row[0]) {
				$error = __("The username, %s%s%s, is already in use.",
					"<b>", htmlspecialchars($U,ENT_QUOTES), "</b>");
			}
		}
	}
	if (!$error) {
		# check to see if this email address is available
		# NOTE: a race condition exists here if we care...
		#
		$q = "SELECT COUNT(*) AS CNT FROM Users ";
		$q.= "WHERE Email = '".db_escape_string($E)."'";
		if ($TYPE == "edit") {
			$q.= " AND ID != ".intval($UID);
		}
		$result = db_query($q, $dbh);
		if ($result) {
			$row = mysql_fetch_array($result);
			if ($row[0]) {
				$error = __("The address, %s%s%s, is already in use.",
						"<b>", htmlspecialchars($E,ENT_QUOTES), "</b>");
			}
		}
	}
	if ($error) {
		# $error may contain markup built above; it is printed as-is.
		print "<span class='error'>".$error."</span><br/>\n";
		# Re-render the form with the submitted values; both password
		# fields are deliberately blanked.
		display_account_form($UTYPE, $A, $U, $T, $S, $E, "", "",
				$R, $L, $I, $K, $UID);
	} else {
		if ($TYPE == "new") {
			# no errors, go ahead and create the unprivileged user
			# The password is hashed with a fresh per-user salt; the
			# plaintext is overwritten in $P before anything else is done.
			$salt = generate_salt();
			$P = salted_hash($P, $salt);
			# Every VALUES item goes through db_escape_string; AccountTypeID 1
			# (unprivileged) and Suspended 0 are fixed for self-registration.
			$escaped = array_map('db_escape_string',
				array($U, $E, $P, $salt, $R, $L, $I, str_replace(" ", "", $K)));
			$q = "INSERT INTO Users (" .
				"AccountTypeID, Suspended, Username, Email, Passwd, Salt" .
				", RealName, LangPreference, IRCNick, PGPKey) " .
				"VALUES (1, 0, '" . implode("', '", $escaped) . "')";
			$result = db_query($q, $dbh);
			if (!$result) {
				# NOTE(review): this surfaces the raw database error text
				# to the client.
				print __("Error trying to create account, %s%s%s: %s.",
						"<b>", htmlspecialchars($U,ENT_QUOTES), "</b>", mysql_error($dbh));
			} else {
				# account created/modified, tell them so.
				#
				print __("The account, %s%s%s, has been successfully created.",
						"<b>", htmlspecialchars($U,ENT_QUOTES), "</b>");
				print "<p>\n";
				print __("Click on the Home link above to login.");
				print "</p>\n";
			}

		} else {
			# no errors, go ahead and modify the user account

			$q = "UPDATE Users SET ";
			$q.= "Username = '".db_escape_string($U)."'";
			# $T is applied only when non-empty, so a form that omits it
			# leaves AccountTypeID unchanged; $S always overwrites Suspended.
			if ($T) {
				$q.= ", AccountTypeID = ".intval($T);
			}
			if ($S) {
				$q.= ", Suspended = 1";
			} else {
				$q.= ", Suspended = 0";
			}
			$q.= ", Email = '".db_escape_string($E)."'";
			if ($P) {
				# New password: fresh salt, new hash.  $hash and $salt are
				# interpolated unescaped -- assumed to contain only safe
				# characters as produced by generate_salt()/salted_hash();
				# TODO confirm.
				$salt = generate_salt();
				$hash = salted_hash($P, $salt);
				$q .= ", Passwd = '$hash', Salt = '$salt'";
			}
			$q.= ", RealName = '".db_escape_string($R)."'";
			$q.= ", LangPreference = '".db_escape_string($L)."'";
			$q.= ", IRCNick = '".db_escape_string($I)."'";
			$q.= ", PGPKey = '".db_escape_string(str_replace(" ", "", $K))."'";
			$q.= " WHERE ID = ".intval($UID);
			$result = db_query($q, $dbh);
			if (!$result) {
				# NOTE(review): raw database error text reaches the client here too.
				print __("Error trying to modify account, %s%s%s: %s.",
						"<b>", htmlspecialchars($U,ENT_QUOTES), "</b>", mysql_error($dbh));
			} else {
				print __("The account, %s%s%s, has been successfully modified.",
						"<b>", htmlspecialchars($U,ENT_QUOTES), "</b>");
			}
		}
	}
	return;
}

# search existing accounts
#
function search_accounts_form() {
	# Render the account search form template.  Takes no parameters and
	# returns nothing; all output comes from the included file.
	include("search_accounts_form.php");
}


# search results page
#
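function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="",
		$S="",$E="",$R="",$I="",$K="",$dbh=NULL) {
	# Run an account search and render the results template.
	#
	# UTYPE: what account type the user belongs to
	# O: row offset to start at (clamped to >= 0)
	# SB: sort order: 't' account type, 'r' RealName, 'i' IRC nick,
	#     'v' last vote; anything else sorts by username
	# U: username substring
	# T: account type filter: 'u' user, 't' trusted user, 'd' developer
	# S: when truthy, only suspended accounts
	# E: email substring
	# R: RealName substring
	# I: IRC nick substring
	# K: PGP key fingerprint substring (spaces are stripped first)
	# dbh: database handle; opened with db_connect() when not supplied
	#
	# The included template reads this function's locals ($HITS_PER_PAGE,
	# $OFFSET, $search_vars, $num_rows, $userinfo and the parameters)
	# directly, so those names are part of the template contract.
	# Substring filters go through db_escape_like(), which is assumed to
	# escape both quotes and LIKE metacharacters -- TODO confirm.

	$HITS_PER_PAGE = 50;
	if ($O) {
		$OFFSET = intval($O);
	} else {
		$OFFSET = 0;
	}
	if ($OFFSET < 0) {
		$OFFSET = 0;
	}
	# Names of the filters that were applied, for the template's paging links.
	$search_vars = array();

	$q = "SELECT Users.*, AccountTypes.AccountType ";
	$q.= "FROM Users, AccountTypes ";
	$q.= "WHERE AccountTypes.ID = Users.AccountTypeID ";
	# Account type is mapped from a fixed letter to a fixed ID; anything
	# else means "no type filter".
	if ($T == "u") {
		$q.= "AND AccountTypes.ID = 1 ";
		$search_vars[] = "T";
	} elseif ($T == "t") {
		$q.= "AND AccountTypes.ID = 2 ";
		$search_vars[] = "T";
	} elseif ($T == "d") {
		$q.= "AND AccountTypes.ID = 3 ";
		$search_vars[] = "T";
	}
	if ($S) {
		$q.= "AND Users.Suspended = 1 ";
		$search_vars[] = "S";
	}
	if ($U) {
		$q.= "AND Username LIKE '%".db_escape_like($U)."%' ";
		$search_vars[] = "U";
	}
	if ($E) {
		$q.= "AND Email LIKE '%".db_escape_like($E)."%' ";
		$search_vars[] = "E";
	}
	if ($R) {
		$q.= "AND RealName LIKE '%".db_escape_like($R)."%' ";
		$search_vars[] = "R";
	}
	if ($I) {
		$q.= "AND IRCNick LIKE '%".db_escape_like($I)."%' ";
		$search_vars[] = "I";
	}
	if ($K) {
		$q.= "AND PGPKey LIKE '%".db_escape_like(str_replace(" ", "", $K))."%' ";
		$search_vars[] = "K";
	}
	# $SB is never interpolated: each accepted value selects a fixed ORDER BY.
	switch ($SB) {
		case 't':
			$q.= "ORDER BY AccountTypeID, Username ";
			break;
		case 'r':
			$q.= "ORDER BY RealName, AccountTypeID ";
			break;
		case 'i':
			$q.= "ORDER BY IRCNick, AccountTypeID ";
			break;
		case 'v':
			$q.= "ORDER BY LastVoted, Username ";
			break;
		default:
			$q.= "ORDER BY Username, AccountTypeID ";
			break;
	}
	$search_vars[] = "SB";
	$q.= "LIMIT " . $HITS_PER_PAGE . " OFFSET " . $OFFSET;

	if (!$dbh) {
		$dbh = db_connect();
	}

	$result = db_query($q, $dbh);

	# Always define what the template reads: an empty result set (or a
	# failed query) yields no rows rather than an undefined $userinfo.
	$userinfo = array();
	$num_rows = 0;
	if ($result) {
		$num_rows = mysql_num_rows($result);
		while ($row = mysql_fetch_assoc($result)) {
			$userinfo[] = $row;
		}
	}

	include("account_search_results.php");
}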

/*
 * Returns SID (Session ID) and error (error message) in an array
 * SID of 0 means login failed.
 */
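function try_login($dbh=NULL) {
	# Attempt a login from the 'user' / 'passwd' request fields.
	#
	# Returns array('SID' => session id, 'error' => message).  SID is ""
	# whenever no session was created.  On success the AURSID cookie is set
	# and a Location header is emitted, but the function still returns to
	# its caller (it does not exit).
	#
	# dbh: database handle; opened with db_connect() when not supplied
	global $MAX_SESSIONS_PER_USER, $PERSISTENT_COOKIE_TIMEOUT;

	$login_error = "";
	$new_sid = "";
	$userID = null;

	if ( isset($_REQUEST['user']) || isset($_REQUEST['passwd']) ) {
		if (!$dbh) {
			$dbh = db_connect();
		}
		# in_request() yields "" for an absent field, so a request that
		# carries only one of the two no longer reads an undefined index.
		$user = in_request('user');
		$passwd = in_request('passwd');
		# valid_user() hands back the Users.ID column value (or nothing);
		# coerce it, since it is interpolated unquoted into SQL below.
		$userID = intval(valid_user($user, $dbh));

		if ( !$userID || !valid_passwd($userID, $passwd, $dbh) ) {
			# Same message for "no such user" and "wrong password".
			$login_error = __("Bad username or password.");
		}
		elseif ( user_suspended($userID, $dbh) ) {
			# Checked only after the password verified, so the suspended
			# state of an account is not disclosed to someone who does
			# not hold its password.
			$login_error = "Account Suspended.";
		}
		else {
			$logged_in = 0;
			$num_tries = 0;

			# Account looks good.  Generate a SID and store it.

			while (!$logged_in && $num_tries < 5) {
				if ($MAX_SESSIONS_PER_USER) {
					# Delete all user sessions except the
					# last ($MAX_SESSIONS_PER_USER - 1), leaving
					# room for the one inserted below.
					$q = "DELETE s.* FROM Sessions s ";
					$q.= "LEFT JOIN (SELECT SessionID FROM Sessions ";
					$q.= "WHERE UsersId = " . $userID . " ";
					$q.= "ORDER BY LastUpdateTS DESC ";
					$q.= "LIMIT " . ($MAX_SESSIONS_PER_USER - 1) . ") q ";
					$q.= "ON s.SessionID = q.SessionID ";
					$q.= "WHERE s.UsersId = " . $userID . " ";
					$q.= "AND q.SessionID IS NULL;";
					db_query($q, $dbh);
				}

				$new_sid = new_sid();
				$q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS)"
				  ." VALUES (" . $userID . ", '" . $new_sid . "', UNIX_TIMESTAMP())";
				$result = db_query($q, $dbh);

				# Query will fail if $new_sid is not unique
				if ($result) {
					$logged_in = 1;
					break;
				}

				$num_tries++;
			}

			if ($logged_in) {
				$q = "UPDATE Users SET LastLogin = UNIX_TIMESTAMP() ";
				$q.= "WHERE ID = " . $userID;
				db_query($q, $dbh);

				# set our SID cookie
				if (isset($_POST['remember_me']) &&
					$_POST['remember_me'] == "on") {
					# Persistent cookie: expires $PERSISTENT_COOKIE_TIMEOUT
					# seconds from now.
					$cookie_time = time() + $PERSISTENT_COOKIE_TIMEOUT;

					# Push the session's timestamp forward to match,
					# so clear_expired_sessions() keeps it alive.
					$q = "UPDATE Sessions SET LastUpdateTS = $cookie_time ";
					$q.= "WHERE SessionID = '$new_sid'";
					db_query($q, $dbh);
				}
				else {
					# Browser-session cookie.
					$cookie_time = 0;
				}

				# Secure flag follows $_SERVER['HTTPS']; HttpOnly is always on.
				setcookie("AURSID", $new_sid, $cookie_time, "/", null, !empty($_SERVER['HTTPS']), true);
				header("Location: " . $_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']);
				$login_error = "";

			}
			else {
				# No INSERT succeeded: do not hand back the last candidate
				# SID, which was never stored.
				$new_sid = "";
				$login_error = "Error trying to generate session id.";
			}
		}
	}
	return array('SID' => $new_sid, 'error' => $login_error);
}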

/*
 * Only checks if the name itself is valid
 * Longer or equal to USERNAME_MIN_LEN
 * Shorter or equal to USERNAME_MAX_LEN
 * Starts and ends with a letter or number
 * Contains at most ONE dot, hyphen, or underscore
 * Returns the username if it is valid
 * Returns nothing if it isn't valid
 */
function valid_username($user) {
	# Syntactic check of a username (no database lookup).
	# Accepts a name of USERNAME_MIN_LEN..USERNAME_MAX_LEN bytes that starts
	# and ends with an ASCII letter or digit and contains at most one '.',
	# '-' or '_' in between.  Returns the lower-cased username on success,
	# null otherwise.
	if (empty($user)) {
		return null;
	}

	$len = strlen($user);
	if ($len < USERNAME_MIN_LEN || $len > USERNAME_MAX_LEN) {
		return null;
	}

	# Case is folded before matching, and the folded form is what is returned.
	$lower = strtolower($user);
	if (!preg_match("/^[a-z0-9]+[.\-_]?[a-z0-9]+$/", $lower)) {
		return null;
	}
	return $lower;
}

/*
 * Checks if the username is valid and if it exists in the database
 * Returns the username ID or nothing
 */
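function valid_user($user, $dbh=NULL) {
	# Look up a username in the Users table.
	# Returns the Users.ID value for an existing username, null when the
	# name is empty, the query fails, or no row matches.
	#
	# Only existence is checked; the name's format is not validated here
	# (privileged editors may create names valid_username() would reject).
	if(!$dbh) {
		$dbh = db_connect();
	}

	if (!$user) {
		return null;
	}

	$q = "SELECT ID FROM Users WHERE Username = '" . db_escape_string($user) . "'";
	$result = db_query($q, $dbh);
	if (!$result) {
		return null;
	}

	# mysql_fetch_row() returns false when there is no row; don't index into it.
	$row = mysql_fetch_row($result);
	return $row ? $row[0] : null;
}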

# Check for any open proposals about a user. Used to prevent multiple proposals.
function open_user_proposals($user, $dbh=NULL) {
	# True when at least one TU_VoteInfo row about $user has not yet ended
	# (End is still in the future), false otherwise.
	if (!$dbh) {
		$dbh = db_connect();
	}

	$q = "SELECT * FROM TU_VoteInfo WHERE User = '" . db_escape_string($user) . "'"
		. " AND End > UNIX_TIMESTAMP()";
	$result = db_query($q, $dbh);
	return mysql_num_rows($result) ? true : false;
}

# Creates a new trusted user proposal from entered agenda.
# Optionally takes proposal about specific user. Length of vote set by submitter.
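function add_tu_proposal($agenda, $user, $votelength, $submitteruid, $dbh=NULL) {
	# Insert a new TU_VoteInfo row.
	#
	# agenda: proposal text
	# user: username the proposal is about (may be empty)
	# votelength: voting period, added to UNIX_TIMESTAMP() to compute End
	#             (treated as a number of seconds -- TODO confirm callers)
	# submitteruid: Users.ID of the submitter
	# dbh: database handle; opened with db_connect() when not supplied
	#
	# $votelength and $submitteruid land in unquoted numeric positions,
	# where string escaping offers no protection; they are coerced to
	# integers instead.  Nothing is returned.
	if(!$dbh) {
		$dbh = db_connect();
	}
	$q = "INSERT INTO TU_VoteInfo (Agenda, User, Submitted, End, SubmitterID) VALUES ";
	$q.= "('" . db_escape_string($agenda) . "', ";
	$q.= "'" . db_escape_string($user) . "', ";
	$q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . intval($votelength);
	$q.= ", " . intval($submitteruid) . ")";
	db_query($q, $dbh);
}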

# Add a reset key for a specific user
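function create_resetkey($resetkey, $uid, $dbh=NULL) {
	# Store a password reset key on the given user's row.
	#
	# resetkey: the key to store; this function does not generate it, so
	#           the caller is responsible for using an unpredictable
	#           (CSPRNG-derived) value
	# uid: Users.ID of the account
	# dbh: database handle; opened with db_connect() when not supplied
	#
	# Both values now go through escaping/coercion before being interpolated.
	if(!$dbh) {
		$dbh = db_connect();
	}
	$q = "UPDATE Users ";
	$q.= "SET ResetKey = '" . db_escape_string($resetkey) . "' ";
	$q.= "WHERE ID = " . intval($uid);
	db_query($q, $dbh);
}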

# Change a password and save the salt only if reset key and email are correct
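function password_reset($hash, $salt, $resetkey, $email, $dbh=NULL) {
	# Complete a password reset: store the new hash/salt and consume the
	# reset key, but only for the row whose ResetKey and Email both match.
	#
	# hash, salt: the already-computed password hash and its salt
	# resetkey, email: the values supplied by the user
	# dbh: database handle; opened with db_connect() when not supplied
	#
	# Returns an error message string when no row was updated.  On success
	# it redirects to passreset.php?step=complete and exits, so it never
	# returns in that case.
	if(!$dbh) {
		$dbh = db_connect();
	}
	$q = "UPDATE Users ";
	$q.= "SET Passwd = '" . db_escape_string($hash) . "', ";
	$q.= "Salt = '" . db_escape_string($salt) . "', ";
	# The key is cleared in the same statement, so it cannot be replayed.
	$q.= "ResetKey = '' ";
	# "ResetKey != ''" is essential: without it an empty $resetkey would
	# match every account whose key has already been cleared.
	$q.= "WHERE ResetKey != '' ";
	$q.= "AND ResetKey = '".db_escape_string($resetkey)."' ";
	$q.= "AND Email = '".db_escape_string($email)."'";
	db_query($q, $dbh);

	if (!mysql_affected_rows($dbh)) {
		return __('Invalid e-mail and reset key combination.');
	}

	header('Location: passreset.php?step=complete');
	exit();
}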

function good_passwd($passwd) {
	# Password policy: the only rule enforced is a minimum byte length of
	# PASSWD_MIN_LEN (strlen, so multibyte characters count per byte).
	return strlen($passwd) >= PASSWD_MIN_LEN;
}

/* Verifies that the password is correct for the userID specified.
 * Returns true or false
 */
/* Verifies that the password is correct for the userID specified.
 * Returns true or false
 *
 * Two storage formats are handled.  Rows with a Salt are checked against
 * salted_hash($passwd, $salt); rows without one are legacy unsalted md5
 * and, on a successful match, are upgraded in place via save_salt() before
 * returning true.  The comparison itself is done by the database (equality
 * in the WHERE clause), not in PHP.
 *
 * NOTE(review): $userID is interpolated unquoted into SQL.  The visible
 * caller (try_login) passes the Users.ID value from valid_user(); an
 * intval() here would be cheap defence in depth.  get_salt() is also
 * called without $dbh, unlike every other helper in this file -- confirm
 * that is intended.  md5 (and whatever salted_hash() wraps -- not visible
 * here) are not suitable password hashes by current standards;
 * password_hash()/password_verify() would be the modern replacement.
 */
function valid_passwd($userID, $passwd, $dbh=NULL) {
	if (!$dbh) {
		$dbh = db_connect();
	}
	# An empty password never matches, whatever is stored.
	if ( strlen($passwd) > 0 ) {
		# get salt for this user
		$salt = get_salt($userID);
		if ($salt) {
			# use salt
			$passwd_q = "SELECT ID FROM Users" .
				" WHERE ID = " . $userID  . " AND Passwd = '" .
				salted_hash($passwd, $salt) . "'";
			$result = db_query($passwd_q, $dbh);
			if ($result) {
				$passwd_result = mysql_fetch_row($result);
				if ($passwd_result[0]) {
					return true;
				}
			}
		} else {
			# check without salt (legacy rows: Passwd holds plain md5)
			$nosalt_q = "SELECT ID FROM Users".
				" WHERE ID = " . $userID .
				" AND Passwd = '" . md5($passwd) . "'";
			$result = db_query($nosalt_q, $dbh);
			if ($result) {
				$nosalt_row = mysql_fetch_row($result);
				if ($nosalt_row[0]) {
					# password correct, but salt it first
					# (migrate the row to the salted format; a failed
					# migration is treated as a failed login)
					if (!save_salt($userID, $passwd)) {
						trigger_error("Unable to salt user's password;" .
							" ID " . $userID, E_USER_WARNING);
						return false;
					}
					return true;
				}
			}
		}
	}
	return false;
}

/*
 * Checks if the PGP key fingerprint is valid (must be 40 hexadecimal digits).
 */
function valid_pgp_fingerprint($fingerprint) {
	# A fingerprint is accepted when, after removing every space, exactly
	# 40 hexadecimal digits remain.  Returns a boolean.
	$compact = str_replace(" ", "", $fingerprint);
	if (strlen($compact) != 40) {
		return false;
	}
	return ctype_xdigit($compact);
}

/*
 * Is the user account suspended?
 */
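function user_suspended($id, $dbh=NULL) {
	# True when the Users row with this ID has a truthy Suspended column.
	# False for an empty/zero ID, a failed query, or no such row.
	#
	# id: Users.ID; coerced to an integer before being interpolated
	# dbh: database handle; opened with db_connect() when not supplied
	if (!$dbh) {
		$dbh = db_connect();
	}
	$id = intval($id);
	if (!$id) {
		return false;
	}
	$q = "SELECT Suspended FROM Users WHERE ID = " . $id;
	$result = db_query($q, $dbh);
	if ($result) {
		$row = mysql_fetch_row($result);
		# mysql_fetch_row() returns false when no row matched.
		if ($row && $row[0]) {
			return true;
		}
	}
	return false;
}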

/*
 * This should be expanded to return something
 */
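function user_delete($id, $dbh=NULL) {
	# Delete the Users row with the given ID.  Returns nothing; the query
	# result is not inspected.
	#
	# id: Users.ID; coerced to an integer before being interpolated, and an
	#     empty/zero ID issues no query at all
	# dbh: database handle; opened with db_connect() when not supplied
	if (!$dbh) {
		$dbh = db_connect();
	}
	$id = intval($id);
	if (!$id) {
		return;
	}
	$q = "DELETE FROM Users WHERE ID = " . $id;
	db_query($q, $dbh);
}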

/*
 * A different way of determining a user's privileges
 * rather than account_from_sid()
 */
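function user_is_privileged($id, $dbh=NULL) {
	# Returns the user's AccountTypeID when it is greater than 1 (i.e. not
	# a plain user), 0 otherwise -- including for an empty/null ID, a
	# failed query, or no matching row.
	#
	# id: Users.ID; coerced to an integer before being interpolated, so a
	#     null ID (no session) yields "WHERE ID = 0" rather than broken SQL
	# dbh: database handle; opened with db_connect() when not supplied
	if (!$dbh) {
		$dbh = db_connect();
	}
	$q = "SELECT AccountTypeID FROM Users WHERE ID = " . intval($id);
	$result = db_query($q, $dbh);
	if ($result) {
		$row = mysql_fetch_row($result);
		if ($row && $row[0] > 1) {
			return $row[0];
		}
	}
	return 0;
}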

# Remove session on logout
function delete_session_id($sid, $dbh=NULL) {
	# Remove the Sessions row for this session ID (logout).  Returns nothing.
	if (!$dbh) {
		$dbh = db_connect();
	}

	$escaped_sid = db_escape_string($sid);
	db_query("DELETE FROM Sessions WHERE SessionID = '" . $escaped_sid . "'", $dbh);
}

# Clear out old expired sessions.
function clear_expired_sessions($dbh=NULL) {
	# Drop every session whose LastUpdateTS is more than $LOGIN_TIMEOUT
	# seconds in the past.  $LOGIN_TIMEOUT is a configuration global and is
	# interpolated as-is.  Returns nothing.
	global $LOGIN_TIMEOUT;

	if (!$dbh) {
		$dbh = db_connect();
	}

	$cutoff_sql = "(UNIX_TIMESTAMP() - $LOGIN_TIMEOUT)";
	db_query("DELETE FROM Sessions WHERE LastUpdateTS < " . $cutoff_sql, $dbh);
}
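function account_details($uid, $username, $dbh=NULL) {
	# Fetch one Users row (plus AccountTypes.AccountType) by ID or, when
	# $uid is empty, by username.
	#
	# Returns the associative row, false when no row matched (what
	# mysql_fetch_assoc() yields), or null when the query failed -- the
	# latter used to be an undefined variable.
	if(!$dbh) {
		$dbh = db_connect();
	}
	$q = "SELECT Users.*, AccountTypes.AccountType ";
	$q.= "FROM Users, AccountTypes ";
	$q.= "WHERE AccountTypes.ID = Users.AccountTypeID ";
	if (!empty($uid)) {
		$q.= "AND Users.ID = ".intval($uid);
	} else {
		$q.= "AND Users.Username = '".db_escape_string($username) . "'";
	}

	$row = null;
	$result = db_query($q, $dbh);
	if ($result) {
		$row = mysql_fetch_assoc($result);
	}

	return $row;
}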

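function own_account_details($sid, $dbh=NULL) {
	# Fetch the Users row (plus AccountTypes.AccountType) that owns the
	# given session ID, by joining through Sessions.
	#
	# Returns the associative row, false when the session is unknown (what
	# mysql_fetch_assoc() yields), or null when the query failed -- the
	# latter used to be an undefined variable.
	if(!$dbh) {
		$dbh = db_connect();
	}
	$q = "SELECT Users.*, AccountTypes.AccountType ";
	$q.= "FROM Users, AccountTypes, Sessions ";
	$q.= "WHERE AccountTypes.ID = Users.AccountTypeID ";
	$q.= "AND Users.ID = Sessions.UsersID ";
	$q.= "AND Sessions.SessionID = '";
	$q.= db_escape_string($sid)."'";

	$row = null;
	$result = db_query($q, $dbh);
	if ($result) {
		$row = mysql_fetch_assoc($result);
	}

	return $row;
}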

function tu_voted($voteid, $uid, $dbh=NULL) {
	# True when a TU_Votes row records that user $uid already voted in
	# proposal $voteid, false otherwise.  Both IDs are coerced to integers.
	if (!$dbh) {
		$dbh = db_connect();
	}

	$q = sprintf("SELECT * FROM TU_Votes WHERE VoteID = %d AND UserID = %d",
		intval($voteid), intval($uid));
	$result = db_query($q, $dbh);
	return mysql_num_rows($result) ? true : false;
}

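function current_proposal_list($order, $dbh=NULL) {
	# Return every TU_VoteInfo row whose End is still in the future, as a
	# list of associative rows (empty list when there are none).
	#
	# order: sort direction for Submitted; 'DESC' (any case) sorts newest
	#        first, anything else -- including "" -- sorts ascending
	# dbh: database handle; opened with db_connect() when not supplied
	if (!$dbh) {
		$dbh = db_connect();
	}

	# $order lands in ORDER BY, where value escaping is meaningless, so it
	# is reduced to one of two fixed keywords rather than interpolated.
	$direction = (strtoupper(trim($order)) == 'DESC') ? 'DESC' : 'ASC';
	$q = "SELECT * FROM TU_VoteInfo WHERE End > " . time() . " ORDER BY Submitted " . $direction;
	$result = db_query($q, $dbh);

	$details = array();
	if ($result) {
		while ($row = mysql_fetch_assoc($result)) {
			$details[] = $row;
		}
	}

	return $details;
}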

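function past_proposal_list($order, $lim, $dbh=NULL) {
	# Return TU_VoteInfo rows whose End has passed, as a list of
	# associative rows (empty list when there are none).
	#
	# order: sort direction for Submitted; 'DESC' (any case) sorts newest
	#        first, anything else -- including "" -- sorts ascending
	# lim: SQL appended verbatim after the ORDER BY (a LIMIT clause).
	#      NOTE(review): it is not validated here because its exact shape
	#      is not fixed by this file; the caller must build it from
	#      integers (intval'd LIMIT/OFFSET) and never from raw request
	#      data -- confirm at the call site.
	# dbh: database handle; opened with db_connect() when not supplied
	if (!$dbh) {
		$dbh = db_connect();
	}

	# $order lands in ORDER BY, where value escaping is meaningless, so it
	# is reduced to one of two fixed keywords rather than interpolated.
	$direction = (strtoupper(trim($order)) == 'DESC') ? 'DESC' : 'ASC';
	$q = "SELECT * FROM TU_VoteInfo WHERE End < " . time() . " ORDER BY Submitted " . $direction . $lim;
	$result = db_query($q, $dbh);

	$details = array();
	if ($result) {
		while ($row = mysql_fetch_assoc($result)) {
			$details[] = $row;
		}
	}

	return $details;
}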

function proposal_count($dbh=NULL) {
	# Total number of TU_VoteInfo rows (past and current), as returned by
	# the database (a string from mysql_fetch_row).
	if (!$dbh) {
		$dbh = db_connect();
	}

	$result = db_query("SELECT COUNT(*) FROM TU_VoteInfo", $dbh);
	list($count) = mysql_fetch_row($result);

	return $count;
}

function vote_details($voteid, $dbh=NULL) {
	# Fetch the TU_VoteInfo row with the given ID as an associative array;
	# yields whatever mysql_fetch_assoc() returns when there is no such row.
	if (!$dbh) {
		$dbh = db_connect();
	}

	$result = db_query("SELECT * FROM TU_VoteInfo WHERE ID = " . intval($voteid), $dbh);

	return mysql_fetch_assoc($result);
}

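function voter_list($voteid, $dbh=NULL) {
	# Build an HTML fragment listing everyone who voted in proposal
	# $voteid: one <a> per voter linking to their account page, space
	# separated, ordered by username.  Returns "" when nobody voted or the
	# query failed.
	#
	# voteid: TU_VoteInfo.ID; coerced to an integer
	# dbh: database handle; opened with db_connect() when not supplied
	if (!$dbh) {
		$dbh = db_connect();
	}

	$whovoted = '';

	$q = "SELECT tv.UserID,U.Username ";
	$q.= "FROM TU_Votes tv, Users U ";
	$q.= "WHERE tv.VoteID = " . intval($voteid);
	$q.= " AND tv.UserID = U.ID ";
	$q.= "ORDER BY Username";

	$result = db_query($q, $dbh);
	if ($result) {
		while ($row = mysql_fetch_assoc($result)) {
			# The username is escaped for HTML: privileged editors can set
			# names outside valid_username()'s [a-z0-9._-] rules, so it is
			# not safe to emit raw.  The ID is an integer in a URL.
			$whovoted.= '<a href="account.php?Action=AccountInfo&amp;ID='
				. intval($row['UserID']) . '">'
				. htmlspecialchars($row['Username'], ENT_QUOTES) . '</a> ';
		}
	}
	return $whovoted;
}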

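function cast_proposal_vote($voteid, $uid, $vote, $newtotal, $dbh=NULL) {
	# Record a vote: set the tally column named by $vote on the TU_VoteInfo
	# row to $newtotal, then insert a TU_Votes row marking that $uid voted.
	#
	# voteid: TU_VoteInfo.ID (coerced to an integer)
	# uid: Users.ID of the voter (coerced to an integer)
	# vote: name of the TU_VoteInfo column to update.  It is an identifier,
	#       not a value, so it cannot be escaped; anything that is not a
	#       plain SQL identifier is refused and nothing is written.
	# newtotal: the new value for that column (coerced to an integer)
	# dbh: database handle; opened with db_connect() when not supplied
	#
	# The two statements are not wrapped in a transaction, so a failure
	# between them leaves the tally updated without the TU_Votes marker.
	# Returns nothing.
	if (!$dbh) {
		$dbh = db_connect();
	}

	if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $vote)) {
		trigger_error("cast_proposal_vote: refusing non-identifier vote column", E_USER_WARNING);
		return;
	}

	$q = "UPDATE TU_VoteInfo SET " . $vote . " = " . intval($newtotal) . " WHERE ID = " . intval($voteid);
	db_query($q, $dbh);

	$q = "INSERT INTO TU_Votes (VoteID, UserID) VALUES (" . intval($voteid) . ", " . intval($uid) . ")";
	db_query($q, $dbh);
}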