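<?php

/*************************************************************************************

    COPYRIGHT NOTICE

    This copyright notice must appear at the top of all scripts which are part of
    the Web Application Gateway package.

    Copyright (C) 2001-2008 Gregory Engel
    
    All rights reserved
    
    8547 E Arapahoe Rd, #J-504
    Greenwood Village, CO  80112 USA
    hide@address.com

    This program is free software; you can redistribute it and/or modify it under
    the terms of the GNU General Public License as published by the Free Software
    Foundation; either version 2 of the License, or (at your option) any later version.

    This program is distributed in the hope that it will be useful, but WITHOUT
    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
    FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.

    The GNU General Public License can be found at http://www.gnu.org/copyleft/gpl.html
    A copy is included with the WAG package and is found in the text file gpl.txt

    You should have received a copy of the GNU General Public License (gpl.txt, gpl.html)
    along with the WAG distribution package; if not, the GNU General Public License can
    be found at http://www.gnu.org/copyleft/gpl.html, or by writing to:
    
    Free Software Foundation, Inc.
    59 Temple Place - Suite 330
    Boston, MA  02111-1307, USA.

    This script is part of the Web Application Gateway (WAG) Project. The WAG software
    is free, subject to the terms of the GNU General Public License as published by the
    Free Software Foundation, either version 2 of the License, or (at your option) any
    later version.
    
    $Revision: 41 $
    $LastChangedDate: 2008-01-14 14:07:02 -0700 (Mon, 14 Jan 2008) $
    $LastChangedBy: gpeangel $
 
*************************************************************************************/

// saveUser.php -- creates or updates one WAG user from the posted admin form, rewrites the
// user's group and application assignments, and optionally pushes a new password to the
// external email account table.  The reply is a single string whose first five characters
// tell the caller the outcome: exactly "ERROR" means success, "ERROR<n>..." is a failure
// and "NOTES<n>..." is a success with a notice.

require("../common/access.php");

// Cross-site request forgery check
//
// The tokens are compared with !== rather than !=: under PHP's loose comparison two
// numeric-looking strings (for example "0e12" and "0e34") compare equal, which would let a
// forged token pass.  A missing session token is rejected outright instead of being
// compared against null.

$posted_csrf_token = (isset($_POST["csrf_token"]) && !is_array($_POST["csrf_token"])) ? strip_tags(trim($_POST["csrf_token"])) : "";
$session_csrf_token = isset($_SESSION["WAGATEWAY"]["CSRF_TOKEN"]) ? (string)$_SESSION["WAGATEWAY"]["CSRF_TOKEN"] : "";

if ($posted_csrf_token === "" || $session_csrf_token === "" || $posted_csrf_token !== $session_csrf_token)
    {
    echo "ERROR1Invalid access to script file.\n\nCross-site request forgery check failed.";
    exit();
    }

require_once("../common/dbconnect.php");

/**
 * Returns the named POST field trimmed and with HTML tags stripped, or "" when the field
 * is missing or is not a scalar.
 */
function wag_post_text($field_name)
    {
    if (!isset($_POST[$field_name]) || is_array($_POST[$field_name]))
        {
        return "";
        }

    return strip_tags(trim((string)$_POST[$field_name]));
    }

/**
 * Splits the comma separated ID list posted by the group / application pickers into an
 * array of integers.  Only all-digit entries are kept, so the values are safe to embed in
 * SQL without quotes -- mysql_real_escape_string() gives no protection in an unquoted
 * numeric position, which is how the original used these values.
 */
function wag_id_list($csv)
    {
    $ids = array();

    foreach (explode(",", $csv) as $entry)
        {
        $entry = trim($entry);

        if ($entry !== "" && ctype_digit($entry))
            {
            $ids[] = (int)$entry;
            }
        }

    return $ids;
    }

/**
 * Builds the diagnostic text appended to every database error message: the script name,
 * the failing statement and the MySQL error number and text reported on $link.
 */
function wag_db_error_detail($query, $link)
    {
    return $_SERVER["PHP_SELF"]."\n\n".$query."\n\n".mysql_errno($link).": ".mysql_error($link);
    }

$result_message = "ERROR";

$table_prefix = $_SESSION["WAGATEWAY"]["DB_TABLE_PREFIX"];

$usr_id = (int)wag_post_text("usr_id");
$usr_first_name = mysql_real_escape_string(wag_post_text("usr_first_name"), $db_conn);
$usr_last_name = mysql_real_escape_string(wag_post_text("usr_last_name"), $db_conn);
$usr_logon_id = mysql_real_escape_string(wag_post_text("usr_logon_id"), $db_conn);
$usr_email = mysql_real_escape_string(wag_post_text("usr_email"), $db_conn);

// NOTE(review): the password is tag-stripped and escaped before it is hashed below, exactly
// as the original did; the login path must apply the same transformation or passwords
// containing quotes or "<" will not verify -- confirm against access.php.  Unsalted md5 is
// likewise kept because the login path expects it; moving to password_hash() means changing
// both sides together.
$usr_password = mysql_real_escape_string(wag_post_text("usr_password"), $db_conn);

// Numeric columns are embedded unquoted in the statements below, so they are cast to int
// rather than escaped.  MySQL accepts the bare literals TRUE/FALSE, which the original's
// unquoted value allowed through, so both spellings are normalised to 1/0 here.
$usr_password_exp = (int)wag_post_text("usr_password_exp");
$posted_force_change = wag_post_text("usr_password_force_change");
$usr_password_force_change = (strcasecmp($posted_force_change, "true") == 0 || (int)$posted_force_change != 0) ? 1 : 0;

$ary_assigned_groups = wag_id_list(wag_post_text("assigned_groups"));
$ary_assigned_apps = wag_id_list(wag_post_text("assigned_apps"));

// Reject a logon ID that is already used by a different user.  This is checked on edit as
// well (the original only checked new users), so a collision is reported as a message
// instead of surfacing as a raw database error or a silent duplicate.

$query = "SELECT usr_id FROM ".$table_prefix."Users WHERE usr_logon_id = UPPER('".$usr_logon_id."') AND usr_id <> ".$usr_id;
$result = mysql_query($query, $db_conn) or die (DBError(wag_db_error_detail($query, $db_conn)));

if (mysql_num_rows($result) > 0)
    {
    $result_message .= "1User ID already exists.";
    }

if ($result_message === "ERROR")
    {
    mysql_query("START TRANSACTION", $db_conn);

    if ($usr_id == 0)
        {
        // NOTE(review): a blank password field creates the user with md5("") as its hash;
        // nothing here rejects that, as in the original -- confirm whether the form enforces
        // a password for new users.
        $query = "INSERT INTO ".$table_prefix."Users (usr_first_name, usr_last_name, usr_logon_id, usr_password, usr_password_set_date, usr_password_force_change, usr_password_exp, usr_email, usr_date_added)"
               ." VALUES ('".$usr_first_name."', '".$usr_last_name."', UPPER('".$usr_logon_id."'), '".md5($usr_password)."', NOW(), ".$usr_password_force_change.", ".$usr_password_exp.", '".$usr_email."', NOW())";

        if (!mysql_query($query, $db_conn))
            {
            $result_message .= "2Error creating new user.\n\n".wag_db_error_detail($query, $db_conn);
            }
        else
            {
            $usr_id = mysql_insert_id($db_conn);
            }

        // FIXME Setup email account if allowed
        }
    elseif ($usr_id == 1)
        {
        // The system administrator's password and group/application assignments are never
        // touched from this screen, so that usr_id = 1 always keeps access to every
        // installed application.  The original deleted the administrator's UserGroups and
        // UserApps rows here and then skipped re-adding them, which contradicted the notice
        // returned below; those rows are now left alone.

        $query = "UPDATE ".$table_prefix."Users SET usr_first_name = '".$usr_first_name."', usr_last_name = '".$usr_last_name."', usr_logon_id = UPPER('".$usr_logon_id."'), usr_password_exp = 0, usr_password_force_change = 0, usr_email = '".$usr_email."' WHERE usr_id = ".$usr_id;

        if (!mysql_query($query, $db_conn))
            {
            $result_message .= "3Error updating user record.\n\n".wag_db_error_detail($query, $db_conn);
            }
        else
            {
            $result_message = "NOTES1Note: The System Administrator cannot be dissociated from groups and applications, and the System Administrator password cannot be changed from this screen. Use the 'My Account' screen to change the System Administrator password.";
            }
        }
    else
        {
        // A blank password field means "keep the current password".  The original always
        // wrote md5($usr_password) here, so saving an existing user without retyping the
        // password silently reset it to the hash of the empty string.

        $password_clause = "";

        if (strlen($usr_password) > 0)
            {
            $password_clause = ", usr_password = '".md5($usr_password)."', usr_password_set_date = NOW()";
            }

        $query = "UPDATE ".$table_prefix."Users SET usr_first_name = '".$usr_first_name."', usr_last_name = '".$usr_last_name."', usr_logon_id = UPPER('".$usr_logon_id."')".$password_clause.", usr_password_exp = ".$usr_password_exp.", usr_password_force_change = ".$usr_password_force_change.", usr_email = '".$usr_email."' WHERE usr_id = ".$usr_id;

        if (!mysql_query($query, $db_conn))
            {
            $result_message .= "1Error updating user.\n\n".wag_db_error_detail($query, $db_conn);
            }
        else
            {
            // Clear the associated groups; they are re-inserted from the posted list below.
            $query = "DELETE FROM ".$table_prefix."UserGroups WHERE ug_usr_id = ".$usr_id;

            if (!mysql_query($query, $db_conn))
                {
                $result_message .= "2Error updating associated groups.\n\n".wag_db_error_detail($query, $db_conn);
                }
            }

        if ($result_message === "ERROR")
            {
            // Clear the associated applications; likewise re-inserted below.
            $query = "DELETE FROM ".$table_prefix."UserApps WHERE ua_usr_id = ".$usr_id;

            if (!mysql_query($query, $db_conn))
                {
                $result_message .= "3Error updating associated applications.\n\n".wag_db_error_detail($query, $db_conn);
                }
            }
        }
    }

if ($result_message === "ERROR")
    {
    // Save the associated groups.  The first failure ends the loop: the transaction is
    // rolled back below, so further inserts would only bloat the error message.

    foreach ($ary_assigned_groups as $grp_id)
        {
        $query = "INSERT INTO ".$table_prefix."UserGroups (ug_usr_id, ug_grp_id) VALUES (".$usr_id.", ".$grp_id.")";

        if (!mysql_query($query, $db_conn))
            {
            $result_message .= "3Error adding user to groups.\n\n".wag_db_error_detail($query, $db_conn);
            break;
            }
        }
    }

if ($result_message === "ERROR")
    {
    // Save the associated applications (same early exit as for groups).

    foreach ($ary_assigned_apps as $app_id)
        {
        $query = "INSERT INTO ".$table_prefix."UserApps (ua_usr_id, ua_app_id) VALUES (".$usr_id.", ".$app_id.")";

        if (!mysql_query($query, $db_conn))
            {
            $result_message .= "3Error adding applications to user.\n\n".wag_db_error_detail($query, $db_conn);
            break;
            }
        }
    }

// Commit when the save succeeded (plain "ERROR" or a "NOTES..." notice); otherwise undo
// whatever was written inside the transaction.

$commit = ($result_message === "ERROR" || substr($result_message, 0, 5) === "NOTES");
$query = $commit ? "COMMIT" : "ROLLBACK";

if (!mysql_query($query, $db_conn))
    {
    $failure = "3Unable to save user record.\n\n".wag_db_error_detail($query, $db_conn);

    // A failed COMMIT turns a success (or notice) into an error; a failed ROLLBACK is simply
    // added to the error already being reported.
    $result_message = $commit ? "ERROR".$failure : $result_message.$failure;
    $commit = false;
    }

// Attempt to sync the email account password.  This runs only after a successful commit
// and only when a new password was actually supplied (a blank field means no change).
// Failures here are reported to the caller, but the user record itself is already saved.

if ($commit && $result_message === "ERROR" && $usr_id > 0 && strlen($usr_password) > 0
    && isset($_SESSION["WAGATEWAY"]["SYNC_EMAIL"]) && $_SESSION["WAGATEWAY"]["SYNC_EMAIL"] == 1
    && strlen($usr_email) > 0 && strpos($usr_email, "@") > 0)
    {

    // The email table is keyed either by the full address or by the local part only,
    // depending on EMAIL_USERID_WITH_DOMAIN.  The original computed this value and then
    // looked the row up by the full address regardless, so the domain-less setting never
    // matched anything.

    if ($_SESSION["WAGATEWAY"]["EMAIL_USERID_WITH_DOMAIN"] == 0)
        {
        $str_email_userid = substr($usr_email, 0, strpos($usr_email, "@"));
        }
    else
        {
        $str_email_userid = $usr_email;
        }

    // NOTE(review): $usr_password was escaped for $db_conn, not for the email link, and is
    // reused here as the original did; confirm both connections use the same charset.

    switch ($_SESSION["WAGATEWAY"]["EMAIL_FIELD_ENCRYPT"])
        {
        case 0: // Clear Text -- the mail system stores the password unhashed; this is a
                // property of that system's schema, not something this script can change.
            $str_password = "'".$usr_password."'";
            break;

        case 1: // MD5 Hash
            $str_password = "'".md5($usr_password)."'";
            break;

        case 2: // MySQL PASSWORD()
            $str_password = "PASSWORD('".$usr_password."')";
            break;

        default:
            // The original sent "SET field = WHERE ..." here and let MySQL reject it;
            // report the misconfiguration without opening the email connection.
            $str_password = "";
            break;
        }

    if ($str_password === "")
        {
        $result_message .= "3Unable to update user's email password.\n\nUnsupported EMAIL_FIELD_ENCRYPT setting.";
        }
    else
        {
        // A separate link (new_link = true) so that closing it below cannot close $db_conn
        // when both databases share the same server and credentials.
        $email_db_conn = mysql_connect($_SESSION["WAGATEWAY"]["EMAIL_DB_SERVER"], $_SESSION["WAGATEWAY"]["EMAIL_DB_USER_NAME"], $_SESSION["WAGATEWAY"]["EMAIL_DB_USER_PASSWORD"], true);

        if (!$email_db_conn)
            {
            $result_message .= "3Unable to update user's email password.\n\n".$_SERVER["PHP_SELF"]."\n\n".mysql_errno().": ".mysql_error();
            }
        elseif (!mysql_select_db($_SESSION["WAGATEWAY"]["EMAIL_DB_NAME"], $email_db_conn))
            {
            $result_message .= "3Unable to update user's email password.\n\n".$_SERVER["PHP_SELF"]."\n\n".mysql_errno($email_db_conn).": ".mysql_error($email_db_conn);
            mysql_close($email_db_conn);
            }
        else
            {
            $query = "UPDATE ".$_SESSION["WAGATEWAY"]["EMAIL_TABLE_NAME"]." SET ".$_SESSION["WAGATEWAY"]["EMAIL_PASSWORD_FIELD_NAME"]." = ".$str_password." WHERE ".$_SESSION["WAGATEWAY"]["EMAIL_USERID_FIELD_NAME"]." = '".$str_email_userid."'";

            if (!mysql_query($query, $email_db_conn))
                {
                $result_message .= "3Unable to update user's email password.\n\n".wag_db_error_detail($query, $email_db_conn);
                }

            mysql_close($email_db_conn);
            }
        }
    }

echo $result_message;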