Refbase
/
Refbase2X
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10 Commits
1 Branch
1.9 MiB
 
 
 
 
 
 
Tree: 7894f6132c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '7894f6132c'
${ noResults }
Refbase2X/user_details.php

537 lines
22 KiB
Raw Blame History

<?php
// turn on warnings and notice during developement
include('initialize/PhpErrorSettings.inc.php');
// Project: Web Reference Database (refbase) <http://www.refbase.net>
// Copyright: Matthias Steffens <mailto:refbase@extracts.de> and the file's
// original author(s).
//
// This code is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY. Please see the GNU General Public
// License for more details.
//
// File: ./user_details.php
// Repository: $HeadURL: file:///svn/p/refbase/code/branches/bleeding-edge/user_details.php $
// Author(s): Matthias Steffens <mailto:refbase@extracts.de>
//
// Created: 16-Apr-02, 10:55
// Modified: $Date: 2017-04-13 02:00:18 +0000 (Thu, 13 Apr 2017) $
// $Author: karnesky $
// $Revision: 1416 $
// This script shows the user a user <form>. It can be used both for INSERTing a new user and for UPDATE-ing an existing user.
// If the user is logged in, then it is an UPDATE; otherwise, an INSERT. The script also shows error messages above widgets that
// contain erroneous data; errors are generated by 'user_validation.php'.
// TODO: I18n
// Incorporate some include files:
include 'initialize/db.inc.php'; // 'db.inc.php' is included to hide username and password
include 'includes/header.inc.php'; // include header
include 'includes/footer.inc.php'; // include footer
include 'includes/include.inc.php'; // include common functions
include 'initialize/ini.inc.php'; // include common variables
// --------------------------------------------------------------------
// START A SESSION:
// call the 'start_session()' function (from 'include.inc.php') which will also read out available session variables:
start_session(true);
// --------------------------------------------------------------------
// Initialize preferred display language:
// (note that 'locales.inc.php' has to be included *after* the call to the 'start_session()' function)
include 'includes/locales.inc.php'; // include the locales
// --------------------------------------------------------------------
// Extract session variables (only necessary if register globals is OFF!):
if (isset($_SESSION['errors']))
$errors = $_SESSION['errors'];
else
$errors = array(); // initialize variable (in order to prevent 'Undefined index/variable...' messages)
if (isset($_SESSION['formVars']))
$formVars = $_SESSION['formVars'];
else
$formVars = array(); // initialize variable (in order to prevent 'Undefined index/variable...' messages)
// The current values of the session variables 'errors' and 'formVars' get stored in '$errors' or '$formVars', respectively. (either automatically if
// register globals is ON, or explicitly if register globals is OFF [by uncommenting the code above]).
// We need to clear these session variables here, since they would otherwise be there even if 'user_details.php' gets called with a different userID!
// Note: though we clear the session variables, the current error message (or form variables) is still available to this script via '$errors' (or '$formVars', respectively).
deleteSessionVariable("errors"); // function 'deleteSessionVariable()' is defined in 'include.inc.php'
deleteSessionVariable("formVars");
// --------------------------------------------------------------------
// (1) OPEN CONNECTION, (2) SELECT DATABASE
connectToMySQLDatabase(); // function 'connectToMySQLDatabase()' is defined in 'include.inc.php'
// --------------------------------------------------------------------
// Set the '$userID' variable:
if (isset($_REQUEST['userID'])) // for normal users NOT being logged in -OR- for the admin:
$userID = $_REQUEST['userID'];
else
$userID = NULL; // '$userID = ""' wouldn't be correct here, since then any later 'isset($userID)' statement would resolve to true!
if (isset($_SESSION['loginEmail']) && ($loginEmail != $adminLoginEmail)) // a normal user IS logged in ('$adminLoginEmail' is specified in 'ini.inc.php')
// Check this user matches the userID (viewing and modifying user account details is only allowed to the admin)
if ($userID != getUserID($loginEmail)) // (function 'getUserID()' is defined in 'include.inc.php')
{
// save an error message:
$HeaderString = "You can only edit your own user data!";
// Write back session variables:
saveSessionVariable("HeaderString", $HeaderString); // function 'saveSessionVariable()' is defined in 'include.inc.php'
$userID = getUserID($loginEmail); // re-establish the user's correct user_id
}
// --------------------------------------------------------------------
// A user must be logged in in order to call 'user_details.php' WITH the 'userID' parameter:
if (!isset($_SESSION['loginEmail']) && ($userID != 0))
{
// save an error message:
$HeaderString = "You must login to view your user account details!";
// save the URL of the currently displayed page:
$referer = $_SERVER['HTTP_REFERER'];
// Write back session variables:
saveSessionVariable("HeaderString", $HeaderString); // function 'saveSessionVariable()' is defined in 'include.inc.php'
saveSessionVariable("referer", $referer);
header("Location: user_login.php");
exit;
}
// --------------------------------------------------------------------
// Check if the logged-in user is allowed to modify his account details:
if (isset($_SESSION['loginEmail']) AND ($userID != 0) AND isset($_SESSION['user_permissions']) AND !preg_match("/allow_modify_options/", $_SESSION['user_permissions'])) // if a user is logged in but the 'user_permissions' session variable does NOT contain 'allow_modify_options'...
{
// save an error message:
$HeaderString = "You have no permission to modify your user account details!";
// Write back session variables:
saveSessionVariable("HeaderString", $HeaderString); // function 'saveSessionVariable()' is defined in 'include.inc.php'
// Redirect the browser back to the main page
header("Location: index.php");
exit;
}
// --------------------------------------------------------------------
// Prepare meaningful instructions for UPDATE or INSERT:
if (!isset($_SESSION['HeaderString'])) // if there's no stored message available
{
if (empty($errors)) // provide one of the default messages:
{
if (isset($_SESSION['loginEmail']) && isset($userID) && !empty($userID)) // -> the user is logged in and views a user entry
$HeaderString = "Please amend your details below as required. Fields shown in bold are mandatory.";
else // -> the user is NOT logged in (OR: the admin is logged in and wants to add a new user, by calling 'user_details.php' w/o any 'userID')
{
if ((!isset($_SESSION['loginEmail']) && ($addNewUsers == "everyone") && ($userID == "")) | (isset($_SESSION['loginEmail']) && ($loginEmail == $adminLoginEmail) && ($userID == "")))
$HeaderString = "Add a new user. Fields shown in bold are mandatory.";
else // ask a user to submit its user details for approval by the database admin:
$HeaderString = "Please fill in the details below to join. Fields shown in bold are mandatory.";
}
}
else // -> there were errors validating the user's details
$HeaderString = "There were validation errors regarding the details you entered. Please check the comments above the respective fields:";
}
else
{
$HeaderString = $_SESSION['HeaderString']; // extract 'HeaderString' session variable (only necessary if register globals is OFF!)
// Note: though we clear the session variable, the current message is still available to this script via '$HeaderString':
deleteSessionVariable("HeaderString"); // function 'deleteSessionVariable()' is defined in 'include.inc.php'
}
// Extract the view type requested by the user (either 'Mobile', 'Print', 'Web' or ''):
// ('' will produce the default 'Web' output style)
if (isset($_REQUEST['viewType']))
$viewType = $_REQUEST['viewType'];
else
$viewType = "";
// Is the user logged in and were there no errors from a previous validation? If so, look up the user for editing:
if (isset($_SESSION['loginEmail']) && empty($errors) && isset($userID) && !empty($userID))
{
// CONSTRUCT SQL QUERY:
$query = "SELECT * FROM $tableUsers WHERE user_id = " . quote_smart($userID);
// --------------------------------------------------------------------
// (3a) RUN the query on the database through the connection:
$result = queryMySQLDatabase($query); // function 'queryMySQLDatabase()' is defined in 'include.inc.php'
// (3b) EXTRACT results:
$row = mysqli_fetch_array($result); //fetch the current row into the array $row
// If the admin is logged in AND the displayed user data are NOT his own, we overwrite the default header message:
// (Since the admin is allowed to view and edit account data from other users, we have to provide a dynamic header message in that case)
if (($loginEmail == $adminLoginEmail) && ($userID != getUserID($loginEmail))) // ('$adminLoginEmail' is specified in 'ini.inc.php')
if (!isset($_SESSION['HeaderString']))
$HeaderString = "Edit account details for " . encodeHTML($row["first_name"]) . " " . encodeHTML($row["last_name"]) . " (" . $row["email"] . "):";
}
// Show the login status:
showLogin(); // (function 'showLogin()' is defined in 'include.inc.php')
// (4) DISPLAY header:
// call the 'displayHTMLhead()' and 'showPageHeader()' functions (which are defined in 'header.inc.php'):
displayHTMLhead(encodeHTML($officialDatabaseName) . " -- User Details", "noindex,nofollow", "User details required for use of the " . encodeHTML($officialDatabaseName), "\n\t<meta http-equiv=\"expires\" content=\"0\">", true, "", $viewType, array());
showPageHeader($HeaderString);
// (5) CLOSE the database connection:
disconnectFromMySQLDatabase(); // function 'disconnectFromMySQLDatabase()' is defined in 'include.inc.php'
// --------------------------------------------------------------------
if (isset($_SESSION['loginEmail']) && empty($errors) && isset($userID) && !empty($userID))
{
// Reset the '$formVars' variable (since we're loading from the user table):
$formVars = array();
// Reset the '$errors' variable:
$errors = array();
// Load all the form variables with user data:
$formVars["firstName"] = $row["first_name"];
$formVars["lastName"] = $row["last_name"];
$formVars["title"] = $row["title"];
$formVars["institution"] = $row["institution"];
$formVars["abbrevInstitution"] = $row["abbrev_institution"];
$formVars["corporateInstitution"] = $row["corporate_institution"];
$formVars["address1"] = $row["address_line_1"];
$formVars["address2"] = $row["address_line_2"];
$formVars["address3"] = $row["address_line_3"];
$formVars["zipCode"] = $row["zip_code"];
$formVars["city"] = $row["city"];
$formVars["state"] = $row["state"];
$formVars["country"] = $row["country"];
$formVars["phone"] = $row["phone"];
$formVars["email"] = $row["email"];
$formVars["url"] = $row["url"];
if (isset($_SESSION['loginEmail']) && ($loginEmail == $adminLoginEmail)) // if the admin is logged in
{
$formVars["keywords"] = $row["keywords"];
$formVars["notes"] = $row["notes"];
$formVars["marked"] = $row["marked"];
}
$formVars["language"] = $row["language"];
}
elseif (empty($errors) && (!isset($userID) OR ($userID == ""))) // no userID specified
{
// Reset the '$formVars' variable:
$formVars = array();
// Reset the '$errors' variable:
$errors = array();
// Set all form variables to "" (in order to prevent 'Undefined variable...' messages):
$formVars["firstName"] = "";
$formVars["lastName"] = "";
$formVars["title"] = "";
$formVars["institution"] = "";
$formVars["abbrevInstitution"] = "";
$formVars["corporateInstitution"] = "";
$formVars["address1"] = "";
$formVars["address2"] = "";
$formVars["address3"] = "";
$formVars["zipCode"] = "";
$formVars["city"] = "";
$formVars["state"] = "";
$formVars["country"] = "";
$formVars["phone"] = "";
$formVars["email"] = "";
$formVars["url"] = "";
if (isset($_SESSION['loginEmail']) && ($loginEmail == $adminLoginEmail)) // if the admin is logged in
{
$formVars["keywords"] = "";
$formVars["notes"] = "";
$formVars["marked"] = "no";
}
$formVars["language"] = "en";
}
// Start <form> and <table> holding all the form elements:
?>
<form method="POST" action="user_validation.php">
<input type="hidden" name="userID" value="<?php echo encodeHTML($userID) ?>">
<input type="hidden" name="email" value="<?php echo encodeHTML($formVars["email"]) ?>">
<table id="requiredFields" align="center" border="0" cellpadding="0" cellspacing="10" width="95%" summary="This table holds form elements with user details">
<tr>
<td align="left" width="169"><b><?php echo $loc["FirstName"]; ?>:</b></td>
<td><?php echo fieldError("firstName", $errors); ?>
<input type="text" name="firstName" value="<?php echo encodeHTML($formVars["firstName"]); ?>" size="50">
</td>
</tr>
<tr>
<td align="left"><b><?php echo $loc["LastName"]; ?>:</b></td>
<td><?php echo fieldError("lastName", $errors); ?>
<input type="text" name="lastName" value="<?php echo encodeHTML($formVars["lastName"]); ?>" size="50">
</td>
</tr>
<?php
// Only show the username/email and password widgets to new users (or the admin, since he's allowed to call 'user_details.php' w/o any 'userID' when logged in):
if (!isset($_SESSION['loginEmail']) | (isset($_SESSION['loginEmail']) && ($loginEmail == $adminLoginEmail) && ($userID == "")))
{
?>
<tr>
<td align="left"><b><?php echo $loc["Email"]; ?>:</b></td>
<td><?php echo fieldError("email", $errors); ?>
<input type="text" name="email" value="<?php echo encodeHTML($formVars["email"]); ?>" size="30">
</td>
</tr>
<tr>
<td align="left"><b><?php echo $loc["Password"]; ?>:</b></td>
<td><?php echo fieldError("loginPassword", $errors); ?>
<input type="password" name="loginPassword" value="" size="30">
</td>
</tr>
<tr>
<td align="left"><b><?php echo $loc["VerifyPassword"]; ?>:</b></td>
<td><?php echo fieldError("loginPasswordRetyped", $errors); ?>
<input type="password" name="loginPasswordRetyped" value="" size="30">
</td>
</tr>
<?php
}
// if a user is logged in, we also show the password field (but with a different label text) so that the user is able to change his password later on:
// (just keep the password field empty, if you don't want to change your password)
elseif (isset($_SESSION['loginEmail']) && isset($userID))
{
?>
<tr>
<td align="left"><?php echo $loc["NewPassword"]; ?>:</td>
<td><?php echo fieldError("loginPassword", $errors); ?>
<input type="password" name="loginPassword" value="" size="30">
</td>
</tr>
<tr>
<td align="left"><?php echo $loc["VerifyNewPassword"]; ?>:</td>
<td><?php echo fieldError("loginPasswordRetyped", $errors); ?>
<input type="password" name="loginPasswordRetyped" value="" size="30">
</td>
</tr>
<?php
}
?>
<tr>
<td align="left"><b><?php echo $loc["InstitutionAbbr"]; ?>:</b></td>
<td><?php echo fieldError("abbrevInstitution", $errors); ?>
<input type="text" name="abbrevInstitution" value="<?php echo encodeHTML($formVars["abbrevInstitution"]); ?>" size="12">
</td>
</tr>
<tr>
<td align="left"></td>
<td>
<?php
// The submit button reads 'Add' if an authorized user uses 'user_details.php' to add a new user (-> 'userID' is empty!)
// This should make it more clear that submitting the form is going to add a new user without any further approval!
// INSERTs are allowed to:
// 1. EVERYONE who's not logged in (but ONLY if variable '$addNewUsers' in 'ini.inc.php' is set to "everyone"!)
// (Note that this feature is actually only meant to add the very first user to the users table.
// After you've done so, it is highly recommended to change the value of '$addNewUsers' to 'admin'!)
// -or- 2. the ADMIN only (if variable '$addNewUsers' in 'ini.inc.php' is set to "admin")
if ((!isset($_SESSION['loginEmail']) && ($addNewUsers == "everyone") && ($userID == "")) | (isset($_SESSION['loginEmail']) && ($loginEmail == $adminLoginEmail) && ($userID == "")))
{
?>
<input type="submit" value="Add User">
<?php
}
else // ...otherwise the submit button reads (guess what) 'Submit' (i.e., solely an email will be sent to the admin for further approval):
{
?>
<input type="submit" value="Submit">
<?php
}
?>
</td>
</tr>
</table>
<table class="showhide" align="center" border="0" cellpadding="0" cellspacing="10" width="95%">
<tr>
<td class="small" width="120" valign="top">
<a href="javascript:toggleVisibility('optionalFields','optToggleimg','optToggletxt','<?php echo rawurlencode($loc["OptionalFields"]); ?>')"<?php echo addAccessKey("attribute", "search_opt"); ?> title="<?php echo $loc["LinkTitle_ToggleVisibility"] . addAccessKey("title", "search_opt"); ?>">
<img id="optToggleimg" class="toggleimg" src="img/closed.gif" alt="<?php echo $loc["LinkTitle_ToggleVisibility"]; ?>" width="9" height="9" hspace="0" border="0">
<span id="optToggletxt" class="toggletxt"><?php echo $loc["OptionalFields"]; ?></span>
</a>
</td>
</tr>
</table>
<table id="optionalFields" align="center" border="0" cellpadding="0" cellspacing="10" width="95%" summary="This table holds form elements with user details" style="display: none;">
<tr>
<td align="left" width="169"><?php echo $loc["Title"]; ?>:</td>
<td>
<select name="title">
<option <?php if ($formVars["title"]=="Mr") echo "selected"; ?>>Mr</option>
<option <?php if ($formVars["title"]=="Mrs") echo "selected"; ?>>Mrs</option>
<option <?php if ($formVars["title"]=="Ms") echo "selected"; ?>>Ms</option>
<option <?php if ($formVars["title"]=="Dr") echo "selected"; ?>>Dr</option>
</select>
<br>
</td>
</tr>
<tr>
<td align="left"><?php echo $loc["Institution"]; ?>:</td>
<td><?php echo fieldError("institution", $errors); ?>
<input type="text" name="institution" value="<?php echo encodeHTML($formVars["institution"]); ?>" size="50">
</td>
</tr>
<tr>
<td align="left"><?php echo $loc["CorporateInstitution"]; ?>:</td>
<td><?php echo fieldError("corporateInstitution", $errors); ?>
<input type="text" name="corporateInstitution" value="<?php echo encodeHTML($formVars["corporateInstitution"]); ?>" size="50">
</td>
</tr>
<tr>
<td align="left"><?php echo $loc["WorkAddress"]; ?>:</td>
<td><?php echo fieldError("address1", $errors); ?>
<input type="text" name="address1" value="<?php echo encodeHTML($formVars["address1"]); ?>" size="50">
</td>
</tr>
<tr>
<td align="left"></td>
<td><?php echo fieldError("address2", $errors); ?>
<input type="text" name="address2" value="<?php echo encodeHTML($formVars["address2"]); ?>" size="50">
</td>
</tr>
<tr>
<td align="left"></td>
<td><?php echo fieldError("address3", $errors); ?>
<input type="text" name="address3" value="<?php echo encodeHTML($formVars["address3"]); ?>" size="50">
</td>
</tr>
<tr>
<td align="left"><?php echo $loc["ZipCode"]; ?>:</td>
<td><?php echo fieldError("zipCode", $errors); ?>
<input type="text" name="zipCode" value="<?php echo encodeHTML($formVars["zipCode"]); ?>" size="12">
</td>
</tr>
<tr>
<td align="left"><?php echo $loc["City"]; ?>:</td>
<td><?php echo fieldError("city", $errors); ?>
<input type="text" name="city" value="<?php echo encodeHTML($formVars["city"]); ?>" size="50">
</td>
</tr>
<tr>
<td align="left"><?php echo $loc["State"]; ?>:</td>
<td><?php echo fieldError("state", $errors); ?>
<input type="text" name="state" value="<?php echo encodeHTML($formVars["state"]); ?>" size="50">
</td>
</tr>
<tr>
<td align="left"><?php echo $loc["Country"]; ?>:</td>
<td><?php echo fieldError("country", $errors); ?>
<input type="text" name="country" value="<?php echo encodeHTML($formVars["country"]); ?>" size="50">
</td>
</tr>
<tr>
<td align="left"><?php echo $loc["Phone"]; ?>:</td>
<td><?php echo fieldError("phone", $errors); ?>
<input type="text" name="phone" value="<?php echo encodeHTML($formVars["phone"]); ?>" size="50">
</td>
</tr>
<tr>
<td align="left"><?php echo $loc["URL"]; ?>:</td>
<td><?php echo fieldError("url", $errors); ?>
<input type="text" name="url" value="<?php echo encodeHTML($formVars["url"]); ?>" size="50">
</td>
</tr>
<?php
// if the admin is logged in, we'll show additional fields:
if (isset($_SESSION['loginEmail']) && ($loginEmail == $adminLoginEmail))
{
if ($formVars["marked"] == "yes")
{
$markedRadioYesChecked = "checked";
$markedRadioNoChecked = "";
}
else // $formVars["marked"] == "no"
{
$markedRadioYesChecked = "";
$markedRadioNoChecked = "checked";
}
?>
<tr>
<td align="left"><?php echo $loc["Keywords"]; ?>:</td>
<td><?php echo fieldError("keywords", $errors); ?>
<input type="text" name="keywords" value="<?php echo encodeHTML($formVars["keywords"]); ?>" size="50">
</td>
</tr>
<tr>
<td align="left"><?php echo $loc["Notes"]; ?>:</td>
<td><?php echo fieldError("notes", $errors); ?>
<input type="text" name="notes" value="<?php echo encodeHTML($formVars["notes"]); ?>" size="50">
</td>
</tr>
<tr>
<td align="left"><?php echo $loc["Marked"]; ?>:</td>
<td><?php echo fieldError("marked", $errors); ?>
<input type="radio" name="marked" value="yes"<?php echo $markedRadioYesChecked; ?>>&nbsp;&nbsp;<?php echo $loc["yes"]; ?>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type="radio" name="marked" value="no"<?php echo $markedRadioNoChecked; ?>>&nbsp;&nbsp;<?php echo $loc["no"]; ?>
</td>
</tr>
<?php
}
?>
</table>
</form><?php
// --------------------------------------------------------------------
// SHOW ERROR IN RED:
function fieldError($fieldName, $errors)
{
if (isset($errors[$fieldName]))
echo "\n\t\t<b><span class=\"warning\">" . $errors[$fieldName] . "</span></b>\n\t\t<br>";
}
// --------------------------------------------------------------------
// DISPLAY THE HTML FOOTER:
// call the 'showPageFooter()' and 'displayHTMLfoot()' functions (which are defined in 'footer.inc.php')
showPageFooter($HeaderString);
displayHTMLfoot();
// --------------------------------------------------------------------
?>