<?php
///////////////////////////////////////////////////////////////////
// DISPLAY LOGIN SCREEN
///////////////////////////////////////////////////////////////////
function auth_display() {
// Renders the admin login screen: a POST form to index.$ext carrying
// user, pass and action=acc_p_auth, which auth_user() consumes. Any
// pending $g_message is shown above the form.
// NOTE(review): $g_message is echoed without escaping because callers
// deliberately put markup in it (e.g. "<b>failed</b>"); every caller must
// therefore HTML-escape any user-supplied text it interpolates (see the
// "$user has been created" message built in process_adduser()).
global $g_message, $ext;
spit_header(FALSE); ?>
<div align="center"><font size="7" color="#000066" face="Arial, Verdana, Geneva">
<b>Sympoll Admin</b></font></div>
<br><br><br><br>
<form action="index.<?php echo $ext; ?>" method="post">
<div align="center">
<?php if(isset($g_message) && $g_message != "") { ?>
<font color="#000066">
<?php echo $g_message ?>
</font><br><br><br>
<?php } ?>
<table border="0" align="center">
<tr><td>
<b>username:</b>
</td><td>
<input name="user" type="text" size="16" maxlength="16">
</td></tr><tr><td>
<b>password:</b>
</td><td>
<input name="pass" type="password" size="16" maxlength="16">
</td></tr><tr><td colspan="2">
<br><input type="submit" value="Authenticate">
</td></tr></table>
<input type="hidden" name="action" value="acc_p_auth"></form>
<?php spit_footer(FALSE);
}
///////////////////////////////////////////////////////////////////
// ADMIN COOKIE DETECTED, CHECK MD5
///////////////////////////////////////////////////////////////////
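function auth_cookie() {
    // Validates the admin cookie: $sympauth[1] is the username and
    // $sympauth[0] the per-login secret issued by auth_user(). Returns TRUE
    // only when exactly one sympoll_auth row has that user AND its stored
    // secret equals the cookie's secret; FALSE otherwise.
    //
    // Both cookie fields are client-controlled, so the username is escaped
    // before it reaches the query. The original interpolated it raw, which
    // was an SQL injection directly into the authentication check.
    // NOTE(review): the cookie is written with serialize() in auth_user();
    // if the reader (not in this file) calls unserialize() on the raw cookie
    // that is a PHP object-injection sink — confirm it validates the result
    // as a two-element array of strings, or switch the format to JSON.
    global $sympauth, $s_dbid;
    if(!is_array($sympauth) || !isset($sympauth[0], $sympauth[1])) {
        return FALSE;
    }
    $esc_user = mysql_real_escape_string((string) $sympauth[1], $s_dbid);
    $q1 = "SELECT secret FROM sympoll_auth WHERE user='$esc_user'";
    $r1 = mysql_query($q1, $s_dbid);
    if(!$r1 || mysql_numrows($r1) != 1) {
        return FALSE;
    }
    $a1 = mysql_fetch_array($r1);
    $cookie_secret = (string) $sympauth[0];
    // Constant-time comparison where available (PHP >= 5.6) so the secret
    // cannot be recovered byte-by-byte from response timing; the strcmp
    // fallback keeps older installs working.
    if(function_exists('hash_equals')) {
        return hash_equals((string) $a1['secret'], $cookie_secret);
    }
    return strcmp($cookie_secret, $a1['secret']) == 0;
}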
///////////////////////////////////////////////////////////////////
// NO ADMIN COOKIE DETECTED, VERIFY LOGIN INFO
///////////////////////////////////////////////////////////////////
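function auth_user($user, $pass) {
    // Verifies a POSTed username/password against sympoll_auth. On success a
    // fresh per-login secret is written to the user's row and the pair
    // [secret, username] is serialized into the "sympauth" cookie that
    // auth_cookie()/verify_access() check on later requests. On failure the
    // login screen is re-rendered with "Invalid Login" and NO cookie is set.
    //
    // Fixes vs. the original:
    //  * the failed-login branch fell through and still called setcookie()
    //    (after output had already started) — it now returns;
    //  * the cookie expiry was the literal string "(time()+10800)", which
    //    PHP coerces to 0, i.e. a browser-session cookie rather than the
    //    documented 3 hours — it is now a real timestamp;
    //  * the secret was md5(microtime()), guessable by anyone who can
    //    estimate the login time; a CSPRNG is used when OpenSSL is present;
    //  * the username is escaped for the connection's charset instead of
    //    addslashes(), and the RAW username (not the SQL-escaped form) is
    //    stored in the cookie so each query site escapes it itself;
    //  * the cookie is HttpOnly, and Secure when the request came over TLS.
    // NOTE(review): passwords are still compared as unsalted md5 because
    // that is the on-disk format every writer in this file uses; moving to
    // password_hash() needs a column migration and is out of scope here.
    global $sympauth, $g_message, $s_dbid;
    $rawuser = (string) $user;
    $esc_user = mysql_real_escape_string($rawuser, $s_dbid);
    $passhash = md5($pass);
    // 32 hex chars either way, matching the width md5() produced before.
    $secret = FALSE;
    if(function_exists('openssl_random_pseudo_bytes')) {
        $bytes = openssl_random_pseudo_bytes(16);
        if($bytes !== FALSE) {
            $secret = bin2hex($bytes);
        }
    }
    if($secret === FALSE) {
        $secret = md5(uniqid(mt_rand(), TRUE));
    }
    $q1 = "UPDATE sympoll_auth SET secret='$secret' ";
    $q1 .= "WHERE(user='$esc_user' AND pass='$passhash')";
    mysql_query($q1, $s_dbid);
    if(mysql_affected_rows($s_dbid) <= 0) {
        $g_message = "Invalid Login";
        auth_display();
        return;
    }
    # admin auth cookies last for 3 hours (10800 seconds)
    $sympauth[0] = $secret;
    $sympauth[1] = $rawuser;
    $data = serialize($sympauth);
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    setcookie("sympauth", $data, time() + 10800, "/", "", $secure, TRUE);
}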
///////////////////////////////////////////////////////////////////
// VERIFY THAT USER HAS APPROPRIATE ACCESS
///////////////////////////////////////////////////////////////////
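function verify_access($access) {
    // Returns TRUE when the cookie's (user, secret) pair matches a row in
    // sympoll_auth whose access level equals $access (0 = super user,
    // 1 = regular admin, as assigned by process_adduser()).
    //
    // Two defects fixed: both cookie fields were interpolated raw into the
    // query (SQL injection — a secret of `x' OR access='0` turned the WHERE
    // into `(user=.. AND secret='x') OR access='0'` and selected the super
    // user's row), and when no row matched mysql_fetch_array() returned
    // FALSE, whose ['access'] is NULL, and `NULL == 0` is TRUE — so an
    // unknown cookie passed the super-user check. Values are now escaped and
    // the comparison requires a real row with a non-NULL access column.
    global $sympauth, $s_dbid;
    if(!is_array($sympauth) || !isset($sympauth[0], $sympauth[1])) {
        return FALSE;
    }
    $esc_user = mysql_real_escape_string((string) $sympauth[1], $s_dbid);
    $esc_secret = mysql_real_escape_string((string) $sympauth[0], $s_dbid);
    $q1 = "SELECT access FROM sympoll_auth ";
    $q1 .= "WHERE(user='$esc_user' AND secret='$esc_secret')";
    $r1 = mysql_query($q1, $s_dbid);
    if(!$r1) {
        return FALSE;
    }
    $a1 = mysql_fetch_array($r1);
    if(!is_array($a1) || !isset($a1['access'])) {
        return FALSE;
    }
    // The column comes back as a string; compare as integers, strictly.
    return intval($a1['access']) === intval($access);
}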
///////////////////////////////////////////////////////////////////
// DISPLAYS FORM USED TO ADD ADMIN USER
///////////////////////////////////////////////////////////////////
function display_adduser($first) {
// Renders the "create admin" form. With $first=TRUE this is the install
// screen that creates the super user and posts action=acc_p_addsuper;
// with $first=FALSE it is the super-user-only "Create Admin" screen that
// posts action=acc_p_adduser. Both are handled by process_adduser().
// The $first path performs no authentication here — it is reachable by
// whoever the caller (index.php, not in this file) lets reach it, so the
// caller must only pass $first=TRUE while no access=0 row exists.
// NOTE(review): $g_message is echoed raw (callers put markup in it);
// user-supplied fragments must be escaped by whoever builds the message.
global $ext, $g_message, $title;
if(!$first && !verify_access(0)) {
$g_message = "error: you are not the super user!";
return;
}
if($first == TRUE) {
spit_header(FALSE); ?>
<div align="center"><font size="6" color="#000066">
<b>Sympoll: Create Super User</b>
</font><br><hr size="1" width="50%"><br></div>
<table border="0" width="80%" align="center"><tr><td>
You do not have a super admin user created. This admin user will have
the same access as regular admin users, plus it will have the added
abilities to add/remove admins and to change global sympoll configurations.
<?php if(isset($g_message) && $g_message != "") { ?>
<br><br><?php echo $g_message; ?>
<?php } ?>
<br></td></tr></table><div align="center">
<?php } else {
$title = "Create Admin";
spit_header(); ?>
<?php } ?>
<form action="index.<?php echo $ext; ?>" method="post">
Username:<br>
<input name="user" type="text" size="16" maxlength="16"><br>
Password:<br>
<input name="pass1" type="password" size="16" maxlength="16"><br>
Password (verify):<br>
<input name="pass2" type="password" size="16" maxlength="16"><br>
<br><br><input type="submit" value="Create User">
<input type="reset" value="Clear Values">
<?php if($first == TRUE) { ?>
<input type="hidden" name="action" value="acc_p_addsuper">
</form></div>
<?php } else { ?>
<input type="hidden" name="action" value="acc_p_adduser">
</form>
<?php } ?>
<?php spit_footer(FALSE);
}
///////////////////////////////////////////////////////////////////
// DISPLAYS FORM USED TO REMOVE ADMIN USER
///////////////////////////////////////////////////////////////////
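function display_rmuser() {
    // Super-user-only form listing the admins that can be removed; the chosen
    // uid is POSTed as action=acc_p_rmuser and handled by process_rmuser().
    // UList (defined elsewhere) exposes ->numusers and a ->user array that is
    // iterated as uid => display name — inferred from its use here, confirm
    // against the class.
    //
    // Changes vs. the original: option values and labels are HTML-escaped
    // (process_adduser() rejects quotes in usernames but not '<', so a name
    // containing markup was stored XSS against the super user), and the
    // list()/each() loop is a foreach, since each() was removed in PHP 8.
    // The foreach starts from the first element; each() started from the
    // array's internal pointer, which is the same unless UList advanced it.
    global $ext, $g_message, $title;
    if(!verify_access(0)) {
        $g_message = "error: you are not the super user!";
        return;
    }
    $l = new UList();
    $title = "Remove Admin";
    spit_header(); ?>
<font size="4"><b>WARNING: THIS CANNOT BE UNDONE</b></font><br><br>
<?php if($l->numusers <= 0) { ?>
There are no users to remove.<br>
(note: the super user may not be removed)<br>
<?php } else {
    $size = min(4, $l->numusers); ?>
<form action="index.<?php echo $ext; ?>" method="post">
<input type="hidden" name="action" value="acc_p_rmuser">
<select name="uid" size="<?php echo $size; ?>">
<?php if(is_array($l->user)) {
    $selected_done = FALSE;
    foreach($l->user as $k => $v) {
        // Both come from the database; escape for the attribute/text context.
        $opt_uid = htmlspecialchars((string) $k, ENT_QUOTES);
        $opt_name = htmlspecialchars((string) $v, ENT_QUOTES);
        if(!$selected_done) {
            $selected_done = TRUE; ?>
<option value="<?php echo $opt_uid; ?>" selected="selected"><?php echo $opt_name; ?></option>
<?php } else { ?>
<option value="<?php echo $opt_uid; ?>"><?php echo $opt_name; ?></option>
<?php }
    }
} ?>
</select><br><br>
<input type="submit" value="Remove User"></form>
<?php }
spit_footer();
}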
///////////////////////////////////////////////////////////////////
// DISPLAY CHANGE PASSWORD SCREEN
///////////////////////////////////////////////////////////////////
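function display_pass() {
    // Change-password form for the cookie-authenticated admin; it POSTs
    // oldpass/newpass1/newpass2 as action=acc_p_chgpass to process_pass().
    // The username shown is read back from the cookie written by
    // auth_user(); it is HTML-escaped because the cookie is client-controlled
    // and the original echoed it raw into the page.
    // No authorization check is needed here: process_pass() only updates the
    // row whose user AND secret match the cookie, so an invalid cookie cannot
    // change anyone's password.
    global $sympauth, $ext, $title;
    $title = "Change Password";
    $shown_user = "";
    if(is_array($sympauth) && isset($sympauth[1])) {
        $shown_user = htmlspecialchars((string) $sympauth[1], ENT_QUOTES);
    }
    spit_header(); ?>
<form action="index.<?php echo $ext; ?>" method="post">
<input type="hidden" name="action" value="acc_p_chgpass">
Username:<br>
<font size="4"><tt><?php echo $shown_user; ?></tt></font><br>
Old Password:<br>
<input name="oldpass" type="password" size="16" maxlength="16"><br>
New Password:<br>
<input name="newpass1" type="password" size="16" maxlength="16"><br>
New Password (verify):<br>
<input name="newpass2" type="password" size="16" maxlength="16"><br>
<br><br><input type="submit" value="Process Change">
<input type="reset" value="Clear Values"></form>
<?php spit_footer();
}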
///////////////////////////////////////////////////////////////////
// PROCESSES CREATION OF ADMIN
///////////////////////////////////////////////////////////////////
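function process_adduser($user, $pass1, $pass2, $first) {
    // Creates an admin row in sympoll_auth. $first=TRUE is the install path
    // that creates the super user (access=0) with no caller authentication;
    // otherwise the caller must be the super user (verify_access(0)) and a
    // regular admin (access=1) is created. The outcome is reported through
    // $g_message; on a successful install the login screen is rendered.
    //
    // Changes vs. the original: ereg() -> preg_match() (ereg was removed in
    // PHP 7); addslashes() -> mysql_real_escape_string(); the result handle
    // is checked before mysql_numrows(); the username is HTML-escaped before
    // being placed in $g_message (which the display functions echo raw); and
    // the $first path refuses to run once a super user exists — the original
    // relied entirely on the caller for that, so anyone who could reach
    // action=acc_p_addsuper could add a second super user.
    // NOTE(review): passwords are stored as unsalted md5 to stay compatible
    // with auth_user()/process_pass(); the "no quotes in password" rule is
    // kept for the same reason even though the hash never reaches SQL raw.
    global $g_message, $s_dbid;
    if(!$first && !verify_access(0)) {
        $g_message = "error: you are not the super user!";
        return;
    }
    if($user == "") {
        $g_message = "user creation <b>failed</b> because username cannot be blank";
        return;
    }
    if(strcmp($pass1, $pass2) != 0) {
        $g_message = "user creation <b>failed</b> because passwords do not match";
        return;
    }
    if($pass1 == "") {
        $g_message = "user creation <b>failed</b> because password cannot be blank";
        return;
    }
    if(preg_match('/["\']/', $user)) {
        $g_message = "user creation <b>failed</b> because illegal character in name";
        return;
    }
    if(preg_match('/["\']/', $pass1)) {
        $g_message = "user creation <b>failed</b> because illegal character in password";
        return;
    }
    // $shown_user goes into HTML, $esc_user goes into SQL — never mix them.
    $shown_user = htmlspecialchars($user, ENT_QUOTES);
    $esc_user = mysql_real_escape_string($user, $s_dbid);
    $passhash = md5($pass1);
    $access = $first ? 0 : 1;
    if($first) {
        // Defence in depth for the unauthenticated install path: refuse to
        // create a second super user even if the caller's "no super user
        // yet" check was skipped or raced.
        $q0 = "SELECT user FROM sympoll_auth WHERE access='0'";
        $r0 = mysql_query($q0, $s_dbid);
        if(!$r0) {
            $g_message = "user creation <b>failed</b> because a database error occured";
            return;
        }
        if(mysql_numrows($r0) != 0) {
            $g_message = "user creation <b>failed</b> because a super user already exists";
            return;
        }
    }
    $q1 = "SELECT user FROM sympoll_auth WHERE user='$esc_user'";
    $r1 = mysql_query($q1, $s_dbid);
    if(!$r1) {
        $g_message = "user creation <b>failed</b> because a database error occured";
        return;
    }
    if(mysql_numrows($r1) != 0) {
        $g_message = "user creation <b>failed</b> because <i>"."$shown_user"."</i> already exists";
        return;
    }
    $q2 = "INSERT INTO sympoll_auth (user,pass,access) VALUES('$esc_user','$passhash','$access')";
    mysql_query($q2, $s_dbid);
    if(mysql_affected_rows($s_dbid) <= 0) {
        $g_message = "user creation <b>failed</b> because a database error occured";
        return;
    }
    $g_message = "<i>"."$shown_user"."</i> has been created";
    if($first) {
        auth_display();
    }
}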
///////////////////////////////////////////////////////////////////
// PROCESSES REMOVAL OF ADMIN
///////////////////////////////////////////////////////////////////
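function process_rmuser($uid) {
    // Deletes the admin with the given uid (POSTed from display_rmuser()).
    // Super user only; a row with access=0 (the super user) is never deleted.
    //
    // The original interpolated $uid raw into both queries — an SQL
    // injection through which a super-user session (or, since the form in
    // display_rmuser() carries no anti-forgery token, a cross-site request
    // riding on one) could delete every admin row with `' OR '1'='1`. The
    // value is now escaped, the result handle is checked, and an unknown uid
    // is reported as such instead of tripping the super-user guard through a
    // `NULL == 0` comparison on a FALSE row.
    global $g_message, $s_dbid;
    if(!verify_access(0)) {
        $g_message = "error: you are not the super user!";
        return;
    }
    $esc_uid = mysql_real_escape_string((string) $uid, $s_dbid);
    $q1 = "SELECT user,access FROM sympoll_auth WHERE uid='$esc_uid'";
    $r1 = mysql_query($q1, $s_dbid);
    $a1 = $r1 ? mysql_fetch_array($r1) : FALSE;
    if(!is_array($a1)) {
        $g_message = "user removal <b>failed</b> because no such user exists";
        return;
    }
    if(intval($a1['access']) === 0) {
        $g_message = "user removal <b>failed</b> because super user may not be removed";
        return;
    }
    $q2 = "DELETE FROM sympoll_auth WHERE uid='$esc_uid'";
    mysql_query($q2, $s_dbid);
    if(mysql_affected_rows($s_dbid) <= 0) {
        $g_message = "user removal <b>failed</b> because a database error occured";
        return;
    }
    // Username came from the database and is echoed raw by the display code.
    $shown_user = htmlspecialchars((string) $a1['user'], ENT_QUOTES);
    $g_message = "<i>"."$shown_user"."</i> has been removed";
}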
///////////////////////////////////////////////////////////////////
// PROCESSES PASSWORD CHANGE
///////////////////////////////////////////////////////////////////
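function process_pass($oldpass, $newpass1, $newpass2) {
    // Changes the password of the cookie-authenticated admin. The UPDATE is
    // keyed on user AND secret from the cookie AND the md5 of the old
    // password, so it can only touch the caller's own row and only with the
    // correct current password; a zero-row update is reported as failure.
    //
    // Changes vs. the original: the cookie fields are escaped before entering
    // the query (they are client-controlled and were interpolated raw), a
    // missing/malformed cookie is rejected up front, ereg() is replaced by
    // preg_match() (ereg was removed in PHP 7), and the username is
    // HTML-escaped before being placed in $g_message.
    // NOTE(review): unsalted md5 storage is kept for compatibility with
    // auth_user()/process_adduser(); a move to password_hash() must change
    // all three writers together.
    global $sympauth, $g_message, $s_dbid;
    if(strcmp($newpass1, $newpass2) != 0) {
        $g_message = "pass change <b>failed</b> because new passwords do not match";
        return;
    }
    if($newpass1 == "") {
        $g_message = "pass change <b>failed</b> because password cannot be blank";
        return;
    }
    if(strcmp($newpass1, $oldpass) == 0) {
        $g_message = "pass change <b>failed</b> because new same as old";
        return;
    }
    if(preg_match('/["\']/', $newpass1)) {
        $g_message = "pass change <b>failed</b> because illegal character in password";
        return;
    }
    if(!is_array($sympauth) || !isset($sympauth[0], $sympauth[1])) {
        $g_message = "pass change <b>failed</b> because you are not logged in";
        return;
    }
    $esc_user = mysql_real_escape_string((string) $sympauth[1], $s_dbid);
    $esc_secret = mysql_real_escape_string((string) $sympauth[0], $s_dbid);
    $oldhash = md5($oldpass);
    $newhash = md5($newpass1);
    $q1 = "UPDATE sympoll_auth SET pass='$newhash' ";
    $q1 .= "WHERE(secret='$esc_secret' AND pass='$oldhash' AND user='$esc_user')";
    mysql_query($q1, $s_dbid);
    if(mysql_affected_rows($s_dbid) <= 0) {
        $g_message = "pass change <b>failed</b> because incorrect old pass or database error";
        return;
    }
    $shown_user = htmlspecialchars((string) $sympauth[1], ENT_QUOTES);
    $g_message = "pass for <i>"."$shown_user"."</i> has been changed";
}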
?>