diff options
Diffstat (limited to 'include/account.php')
-rw-r--r-- | include/account.php | 559 |
1 files changed, 493 insertions, 66 deletions
diff --git a/include/account.php b/include/account.php index bea84cea7..ef79d5bb1 100644 --- a/include/account.php +++ b/include/account.php @@ -69,17 +69,30 @@ function check_account_password($password) { function check_account_invite($invite_code) { $result = array('error' => false, 'message' => ''); - $using_invites = get_config('system','invitation_only'); + // [hilmar -> + $using_invites = (get_config('system','invitation_only') + || get_config('system','invitation_also')); if($using_invites) { + if(! $invite_code) { - $result['message'] .= t('An invitation is required.') . EOL; - } - $r = q("select * from register where hash = '%s' limit 1", dbesc($invite_code)); - if(! $r) { - $result['message'] .= t('Invitation could not be verified.') . EOL; + + $result['message'] + .= 'ZAR0510E,' . t('An invitation is required.') . EOL; + + } else { + + // check if invite code exists + $r = q("SELECT * FROM register WHERE reg_hash = '%s' AND reg_vital = 1 LIMIT 1", + dbesc($invite_code)); + if(! $r) { + $result['message'] + .= 'ZAR0511E,' . t('Invitation could not be verified.') . EOL; + } } } + // <- hilmar] + if(strlen($result['message'])) $result['error'] = true; @@ -105,8 +118,8 @@ function account_total() { return false; } - -function account_store_lowlevel($arr) { +// legacy +function account_store_lowlevel_IS_OBSOLETE($arr) { $store = [ 'account_parent' => ((array_key_exists('account_parent',$arr)) ? $arr['account_parent'] : '0'), @@ -128,12 +141,21 @@ function account_store_lowlevel($arr) { 'account_password_changed' => ((array_key_exists('account_password_changed',$arr)) ? $arr['account_password_changed'] : '0001-01-01 00:00:00') ]; + // never ever is this a create table but a pdo insert into account + // strange function placement in text.php (obscure by design :-) return create_table_from_array('account',$store); - + // the TODO may be to adjust others using create_table_from_array(): + // channel.php + // connections.php + // event.php + // hubloc.php + // import.php } -function create_account($arr) { + +// legacy +function create_account_IS_OBSOLETE($arr) { // Required: { email, password } @@ -257,10 +279,160 @@ function create_account($arr) { return $result; } +/** + * create_account_from_register + * @author hilmar runge + * @since 2020-02-20 + * + * Account creation only happens via table register. + * This function creates the account when all conditions are solved. + * + */ +function create_account_from_register($arr) { + + $result = array('success' => false, 'message' => 'rid:' . $arr['reg_id']); + $now = date('Y-m-d H:i:s'); + + // reg_flags 0x0020 = REGISTER_AGREED = register request verified by user @ regate + $register = q("SELECT * FROM register WHERE reg_id = %d AND (reg_flags & 31) = 0 " + . " AND reg_startup < '%s' AND reg_expires > '%s' ", + intval($arr['reg_id']), + dbesc($now), + dbesc($now) + ); + + if ( ! $register ) return $result; + + // account + $expires = NULL_DATE; + + $default_service_class = get_config('system','default_service_class'); + if($default_service_class === false) + $default_service_class = ''; + + $roles = 0; + // prevent form hackery + if($roles & ACCOUNT_ROLE_ADMIN) { + $admin_result = check_account_admin($arr); + if(! $admin_result) { + $roles = 0; + } + } + + // any accounts available ? + $isa = q("SELECT COUNT(*) AS isa FROM account"); + if ($isa && $isa[0]['isa'] == 0) { + $roles = ACCOUNT_ROLE_ADMIN; + } + + $salt = random_string(32); + $password_encoded = hash('whirlpool', $salt . (hex2bin($register[0]['reg_pass']))); + + $ri = q( + "INSERT INTO account (" + . " account_parent, account_salt, account_password, account_email, " + . " account_language, account_created, account_flags, account_roles, account_level, " + . " account_expires, account_service_class) VALUES( " + . " %d, '%s', '%s', '%s', '%s', '%s', %d, %d, %d, '%s', '%s' ) ", + intval($parent), + dbesc($salt), + dbesc($password_encoded), + dbesc($register[0]['reg_did2']), + dbesc($register[0]['reg_lang']), + dbesc($now), + intval($register[0]['reg_flags'] & 31), // off REGISTER_AGREE at ACCOUNT + intval($roles), + intval(5), + dbesc($expires), + dbesc($default_service_class) + ); + + if(! $ri) { + logger('create_account: DB INSERT failed.'); + $result['message'] = 'ZAR ' . t('Failed to store account information.'); + return($result); + } + + $r = q("SELECT * FROM account WHERE account_email = '%s' AND account_password = '%s' LIMIT 1", + dbesc($register[0]['reg_did2']), + dbesc($password_encoded) + ); + if($r && count($r)) { + $result['account'] = $r[0]; + } + else { + logger('create_account: could not retrieve newly created account'); + } + + // Set the parent record to the current record_id if no parent was provided + + if(! $parent) { + $r = q("UPDATE account SET account_parent = %d WHERE account_id = %d", + intval($result['account']['account_id']), + intval($result['account']['account_id']) + ); + if(! $r) { + logger('create_account: failed to set parent'); + } + $result['account']['parent'] = $result['account']['account_id']; + } + + $result['success'] = true; + //call_hooks('register_account',$result); + + return $result; +} + +/** + * @brief as far to see, email validation for register account verification + * @param array (account) + * @param array ('resend' => true, 'email' = > email) + * + */ function verify_email_address($arr) { + // $hash = random_string(24); + + // [hilmar -> + $reg = q("SELECT * FROM register WHERE reg_vital = 1 AND reg_email = 's%' ", + dbesc($arr['email']) + ); + if ( ! $reg) + return false; + + push_lang(($reg[0]['email']) ? $reg[0]['email'] : 'en'); + + $email_msg = replace_macros(get_intltext_template('register_verify_member.tpl'), + [ + '$sitename' => get_config('system','sitename'), + '$siteurl' => z_root(), + '$email' => $arr['email'], + '$uid' => 1, + '$hash' => $hash, + '$details' => '' + ] + ); + + $res = z_mail( + [ + 'toEmail' => $arr['email'], + 'messageSubject' => sprintf( t('Registration confirmation for %s'), get_config('system','sitename')), + 'textVersion' => $email_msg, + ] + ); + + pop_lang(); + + if(! $res) + logger('send_reg_approval_email: failed to account_id: ' . $arr['account']['account_id']); + + return $res; +} + +function verify_email_addressNOP($arr) { + if(array_key_exists('resend',$arr)) { $a = q("select * from account where account_email = '%s' limit 1", dbesc($arr['email']) @@ -269,11 +441,14 @@ function verify_email_address($arr) { return false; } $account = $a[0]; - $v = q("select * from register where uid = %d and password = 'verify' limit 1", + // [hilmar -> + $v = q("SELECT * FROM register WHERE reg_uid = %d AND reg_vital = 1 " + . " AND reg_pass = 'verify' LIMIT 1", intval($account['account_id']) ); + // <- hilmar] if($v) { - $hash = $v[0]['hash']; + $hash = $v[0]['reg_hash']; } else { return false; @@ -282,13 +457,16 @@ function verify_email_address($arr) { else { $hash = random_string(24); - q("INSERT INTO register ( hash, created, uid, password, lang ) VALUES ( '%s', '%s', %d, '%s', '%s' ) ", + // [hilmar -> + q("INSERT INTO register ( reg_hash, reg_created, reg_uid, reg_pass, reg_lang, reg_stuff ) " + ." VALUES ( '%s', '%s', %d, '%s', '%s', '' ) ", dbesc($hash), dbesc(datetime_convert()), intval($arr['account']['account_id']), dbesc('verify'), dbesc($arr['account']['account_language']) ); + // <- hilmar] $account = $arr['account']; } @@ -345,11 +523,17 @@ function send_reg_approval_email($arr) { $hash = random_string(); - $r = q("INSERT INTO register ( hash, created, uid, password, lang ) VALUES ( '%s', '%s', %d, '%s', '%s' ) ", + // [hilmar -> + // code before fetches the $admins as recipients for the approval request mail + // $arr has a user (self registered) account + // ... $arr['email'] ??? + // ... reg expiration ? + $r = q("INSERT INTO register ( reg_hash, reg_email, reg_created, reg_uid, reg_pass, reg_lang, reg_stuff )" + . " VALUES ( '%s', '%s', '%s', %d, '', '%s', '' ) ", dbesc($hash), + dbesc($arr['account']['account_email']), dbesc(datetime_convert()), intval($arr['account']['account_id']), - dbesc(''), dbesc($arr['account']['account_language']) ); @@ -423,7 +607,7 @@ function account_allow($hash) { $ret = array('success' => false); - $register = q("SELECT * FROM register WHERE hash = '%s' LIMIT 1", + $register = q("SELECT * FROM register WHERE reg_hash = '%s' LIMIT 1", dbesc($hash) ); @@ -431,57 +615,89 @@ function account_allow($hash) { return $ret; $account = q("SELECT * FROM account WHERE account_id = %d LIMIT 1", - intval($register[0]['uid']) + intval($register[0]['reg_uid']) ); + // a register entry without account assigned to if(! $account) return $ret; - q("DELETE FROM register WHERE hash = '%s'", - dbesc($register[0]['hash']) + // [hilmar -> + + q("START TRANSACTION"); + //q("DELETE FROM register WHERE reg_hash = '%s'", + // dbesc($register[0]['reg_hash']) + //); + $r1 = q("UPDATE register SET reg_vital = 0 WHERE reg_hash = '%s'", + dbesc($register[0]['reg_hash']) ); - q("update account set account_flags = (account_flags & ~%d) where (account_flags & %d)>0 and account_id = %d", + /* instead of ... + + // unblock + q("UPDATE account SET account_flags = (account_flags & ~%d) " + . " WHERE (account_flags & %d)>0 AND account_id = %d", intval(ACCOUNT_BLOCKED), intval(ACCOUNT_BLOCKED), - intval($register[0]['uid']) + intval($register[0]['reg_uid']) ); - q("update account set account_flags = (account_flags & ~%d) where (account_flags & %d)>0 and account_id = %d", + // unpend + q("UPDATE account SET account_flags = (account_flags & ~%d) " + . " WHERE (account_flags & %d)>0 AND account_id = %d", intval(ACCOUNT_PENDING), intval(ACCOUNT_PENDING), - intval($register[0]['uid']) + intval($register[0]['reg_uid']) ); - push_lang($register[0]['lang']); + */ + // together unblock and unpend + $r2 = q("UPDATE account SET account_flags = %d WHERE account_id = %d", + intval($account['account_flags'] + &= $account['account_flags'] ^ (ACCOUNT_BLOCKED | ACCOUNT_PENDING)), + intval($register[0]['reg_uid']) + ); + + if($r1 && $r2) { + q("COMMIT"); - $email_tpl = get_intltext_template("register_open_eml.tpl"); - $email_msg = replace_macros($email_tpl, array( - '$sitename' => get_config('system','sitename'), - '$siteurl' => z_root(), - '$username' => $account[0]['account_email'], - '$email' => $account[0]['account_email'], - '$password' => '', - '$uid' => $account[0]['account_id'] - )); + // <- hilmar] - $res = z_mail( - [ - 'toEmail' => $account[0]['account_email'], - 'messageSubject' => sprintf( t('Registration details for %s'), get_config('system','sitename')), - 'textVersion' => $email_msg, - ] - ); + push_lang($register[0]['reg_lang']); - pop_lang(); + $email_tpl = get_intltext_template("register_open_eml.tpl"); + $email_msg = replace_macros($email_tpl, array( + '$sitename' => get_config('system','sitename'), + '$siteurl' => z_root(), + '$username' => $account[0]['account_email'], + '$email' => $account[0]['account_email'], + '$password' => '', + '$uid' => $account[0]['account_id'] + )); - if(get_config('system','auto_channel_create')) - auto_channel_create($register[0]['uid']); + $res = z_mail( + [ + 'toEmail' => $account[0]['account_email'], + 'messageSubject' => sprintf( t('Registration details for %s'), get_config('system','sitename')), + 'textVersion' => $email_msg, + ] + ); - if ($res) { - info( t('Account approved.') . EOL ); - return true; + pop_lang(); + + if(get_config('system','auto_channel_create')) + auto_channel_create($register[0]['uid']); + + if ($res) { + info( t('Account approved.') . EOL ); + return true; + } + + // [hilmar -> + } else { + q("ROLLBACK"); } + // <- hilmar] } @@ -498,42 +714,65 @@ function account_allow($hash) { function account_deny($hash) { - $register = q("SELECT * FROM register WHERE hash = '%s' LIMIT 1", + // [hilmar-> + $register = q("SELECT * FROM register WHERE reg_hash = '%s' AND reg_vital = 1 LIMIT 1", dbesc($hash) ); + // <-hilmar] if(! count($register)) return false; $account = q("SELECT account_id, account_email FROM account WHERE account_id = %d LIMIT 1", - intval($register[0]['uid']) + intval($register[0]['reg_uid']) ); if(! $account) return false; - q("DELETE FROM account WHERE account_id = %d", - intval($register[0]['uid']) - ); + // [hilmar -> + q("START TRANSACTION"); - q("DELETE FROM register WHERE id = %d", - dbesc($register[0]['id']) + $r1 = q("DELETE FROM account WHERE account_id = %d", + intval($register[0]['reg_uid']) + ); + // q("DELETE FROM register WHERE reg_id = %d", + // dbesc($register[0]['reg_id']) + //); + $r2 = q("UPDATE register SET reg_vital = 0 WHERE reg_id = %d AND reg_vital = 1", + dbesc($register[0]['reg_id']) ); - notice( sprintf(t('Registration revoked for %s'), $account[0]['account_email']) . EOL); - return true; + if($r1 && $r2) { + q("COMMIT"); + notice( 'ZAR0512I,' . sprintf( t('Registration revoked for %s'), + $account[0]['account_email']) . EOL); + return true; -} + } else { -// called from regver to activate an account from the email verification link + q("ROLLBACK"); + notice( 'ZAR0513F,' . sprintf( t('Could not revoke registration for %s'), + $account[0]['account_email']) . EOL); + return false; + } + // <- hilmar] +} +/** + * called from Regver to allow/revoke an account + * Use case is under REGISTER_OPEN with APPROVAL + * Ref Regver, Email_validation, Email_resend + * ZAR052+ + */ function account_approve($hash) { $ret = false; // Note: when the password in the register table is 'verify', the uid actually contains the account_id + // hmm - $register = q("SELECT * FROM register WHERE hash = '%s' and password = 'verify' LIMIT 1", + $register = q("SELECT * FROM register WHERE reg_hash = '%s' and reg_pass = 'verify' LIMIT 1", dbesc($hash) ); @@ -541,45 +780,58 @@ function account_approve($hash) { return $ret; $account = q("SELECT * FROM account WHERE account_id = %d LIMIT 1", - intval($register[0]['uid']) + intval($register[0]['reg_uid']) ); if(! $account) return $ret; - q("DELETE FROM register WHERE hash = '%s' and password = 'verify'", - dbesc($register[0]['hash']) + // tr ? + + q("DELETE FROM register WHERE reg_hash = '%s' and reg_pass = 'verify'", + dbesc($register[0]['reg_hash']) ); q("update account set account_flags = (account_flags & ~%d) where (account_flags & %d)>0 and account_id = %d", intval(ACCOUNT_BLOCKED), intval(ACCOUNT_BLOCKED), - intval($register[0]['uid']) + intval($register[0]['reg_uid']) ); q("update account set account_flags = (account_flags & ~%d) where (account_flags & %d)>0 and account_id = %d", intval(ACCOUNT_PENDING), intval(ACCOUNT_PENDING), - intval($register[0]['uid']) + intval($register[0]['reg_uid']) ); q("update account set account_flags = (account_flags & ~%d) where (account_flags & %d)>0 and account_id = %d", intval(ACCOUNT_UNVERIFIED), intval(ACCOUNT_UNVERIFIED), - intval($register[0]['uid']) + intval($register[0]['reg_uid']) ); + /* + // together unblock unpend and verified + q("UPDATE account SET account_flags = %d WHERE account_id = %d", + intval($account['account_flags'] + &= $account['account_flags'] + ^ (ACCOUNT_BLOCKED | ACCOUNT_PENDING | ACCOUNT_UNVERIFIED)), + intval($register[0]['reg_uid']) + ); + */ + + // get a fresh copy after we've modified it. $account = q("SELECT * FROM account WHERE account_id = %d LIMIT 1", - intval($register[0]['uid']) + intval($register[0]['reg_uid']) ); if(! $account) return $ret; if(get_config('system','auto_channel_create')) - auto_channel_create($register[0]['uid']); + auto_channel_create($register[0]['reg_uid']); else { $_SESSION['login_return_url'] = 'new_channel'; authenticate_success($account[0],null,true,true,false,true); @@ -589,6 +841,118 @@ function account_approve($hash) { } +function verify_register_scheme() { + + $dbc = db_columns('register'); + if ($dbc) { + + if ($dbc[0]=='id') { + // v1 format + q("START TRANSACTION"); + + if(ACTIVE_DBTYPE == DBTYPE_POSTGRES) { + $r1 = q("ALTER TABLE register RENAME TO register100;"); + + $r2 = q("CREATE TABLE register (" + . "reg_id serial NOT NULL," + . "reg_vital int DEFAULT 1 NOT NULL," + . "reg_flags bigint DEFAULT 0 NOT NULL," + . "reg_didx char(1) DEFAULT '' NOT NULL," + . "reg_did2 text DEFAULT '' NOT NULL," + . "reg_hash text DEFAULT '' NOT NULL," + . "reg_email text DEFAULT '' NOT NULL," + . "reg_created timestamp NOT NULL," + . "reg_startup timestamp NOT NULL," + . "reg_expires timestamp NOT NULL," + . "reg_byc bigint DEFAULT 0 NOT NULL," + . "reg_uid bigint DEFAULT 0 NOT NULL," + . "reg_atip text DEFAULT '' NOT NULL," + . "reg_pass text DEFAULT '' NOT NULL," + . "reg_lang varchar(16) DEFAULT '' NOT NULL," + . "reg_stuff text NOT NULL," + . "PRIMARY KEY (reg_id) );" + ); + $r0 = q("CREATE INDEX ix_reg_vital ON register (reg_vital);"); + $r0 = q("CREATE INDEX ix_reg_flags ON register (reg_flags);"); + $r0 = q("CREATE INDEX ix_reg_didx ON register (reg_didx);"); + $r0 = q("CREATE INDEX ix_reg_did2 ON register (reg_did2);"); + $r0 = q("CREATE INDEX ix_reg_hash ON register (reg_hash);"); + $r0 = q("CREATE INDEX ix_reg_email ON register (reg_email);"); + $r0 = q("CREATE INDEX ix_reg_created ON register (reg_created);"); + $r0 = q("CREATE INDEX ix_reg_startup ON register (reg_startup);"); + $r0 = q("CREATE INDEX ix_reg_expires ON register (reg_expires);"); + $r0 = q("CREATE INDEX ix_reg_byc ON register (reg_byc);"); + $r0 = q("CREATE INDEX ix_reg_uid ON register (reg_uid);"); + $r0 = q("CREATE INDEX ix_reg_atip ON register (reg_atip);"); + + $r3 = q("INSERT INTO register (reg_id, reg_hash, reg_created, reg_uid, reg_pass, reg_lang, reg_stuff) " + . "SELECT id, hash, created, uid, password, lang, '' FROM register100;"); + + $r4 = q("DROP TABLE register100"); + + } + else { + $r1 = q("RENAME TABLE register TO register100;"); + + $r2 = q("CREATE TABLE IF NOT EXISTS register (" + . "reg_id int(10) UNSIGNED NOT NULL AUTO_INCREMENT," + . "reg_vital int(10) UNSIGNED NOT NULL DEFAULT 1," + . "reg_flags int(10) UNSIGNED NOT NULL DEFAULT 0," + . "reg_didx char(1) NOT NULL DEFAULT ''," + . "reg_did2 char(191) NOT NULL DEFAULT ''," + . "reg_hash char(191) NOT NULL DEFAULT ''," + . "reg_email char(191) NOT NULL DEFAULT ''," + . "reg_created datetime NOT NULL DEFAULT '0001-01-01 00:00:00'," + . "reg_startup datetime NOT NULL DEFAULT '0001-01-01 00:00:00'," + . "reg_expires datetime NOT NULL DEFAULT '0001-01-01 00:00:00'," + . "reg_byc int(10) UNSIGNED NOT NULL DEFAULT 0 ," + . "reg_uid int(10) UNSIGNED NOT NULL DEFAULT 0 ," + . "reg_atip char(191) NOT NULL DEFAULT ''," + . "reg_pass char(191) NOT NULL DEFAULT ''," + . "reg_lang char(16) NOT NULL DEFAULT ''," + . "reg_stuff text NOT NULL," + . "PRIMARY KEY (reg_id)," + . "KEY ix_reg_hash (reg_hash)," + . "KEY ix_reg_vital (reg_vital)," + . "KEY ix_reg_flags (reg_flags)," + . "KEY ix_reg_didx (reg_didx)," + . "KEY ix_reg_did2 (reg_did2)," + . "KEY ix_reg_email (reg_email)," + . "KEY ix_reg_created (reg_created)," + . "KEY ix_reg_startup (reg_startup)," + . "KEY ix_reg_expires (reg_expires)," + . "KEY ix_reg_byc (reg_byc)," + . "KEY ix_reg_uid (reg_uid)," + . "KEY ix_reg_atip (reg_atip)" + . ") ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;" + ); + + $r3 = q("INSERT INTO register (reg_id, reg_hash, reg_created, reg_uid, reg_pass, reg_lang, reg_stuff) " + . "SELECT id, hash, created, uid, password, lang, '' FROM register100;"); + + $r4 = q("DROP TABLE register100"); + } + + // $r = ($r1 && $r2 && $r3 && $r4); + // the only important + $r = $r2; + + if($r) { + q("COMMIT"); + return UPDATE_SUCCESS; + } + + q("ROLLBACK"); + return UPDATE_FAILED; + } + elseif ( count($dbc) != 16 ) { + // ffu + // fields in v2.0.0 = 16 + } + } +} + + /** * @brief Checks for accounts that have past their expiration date. * @@ -824,3 +1188,66 @@ function get_account_techlevel($account_id = 0) { return (5); } + +function zar_log($msg='') { + file_put_contents('./zar.log', + date('Y-m-d_H:i:s') . ' ' . $msg . ', ip: § ' . $_SERVER['REMOTE_ADDR'] . ' §' . "\n", FILE_APPEND); + return; +} + +function zar_reg_mail($reonar=false) { + if ($reonar) { + $zem = z_mail( + [ + 'toEmail' => $reonar['to'], + 'fromName' => ' ', + 'fromEmail' => $reonar['from'], + 'messageSubject' => $reonar['subject'], + 'textVersion' => $reonar['txttemplate'], + ] + ); + return $zem; + } +} + +/** + * ckeck current day and time against register duties + * + * @author Hilmar Runge + * @since 2020-02-25 + * @param the current date and time is taken as default + * @return ['isduty'] true/false + * ['nowfmt'] the textmsg about the current state + * ['atform'] the disabled html attribute for form input fields + * + */ +function zar_register_dutystate( $now=NULL, $day=NULL ) { + + is_null($now) ? $now = date('Hi') : ''; + is_null($day) ? $day = date('N') : ''; + + $isduty = zarIsDuty($day, $now, 'isOpen'); + + if ( $isduty === false ) { + return array( 'isduty' => $isduty, 'nowfmt' => '', 'atform' => '' ); + } + + $dutyis = $isduty ? t('open') : t('closed'); + $atform = $isduty ? '' : 'disabled'; + + $nowfmt = t('Registration is currently') + . ' ('.substr($now,0,2) . ':' . substr($now,-2) . ') ' + . ' ' . $dutyis; + + if (!$isduty) { + $pernext = zarIsDuty($day, $now, 'nextOpen'); + + if (is_array($pernext)) + $nowfmt .= '. ' . t('Next opens') . ' ' + . ucfirst( array('','mo','tu','we','th','fr','sa','so')[$pernext[0]]) . ' ' + . substr($pernext[1],0,2) . ':' . substr($pernext[1],-2); + } + return array( 'isduty' => $isduty, 'nowfmt' => $nowfmt, 'atform' => $atform); + +} + |