41,43c41,43 < if(intval($email) > 0) < $emailsearch = ""; < --- > // bug-975 ted+uli changes --- begin > if(preg_match("/^[0-9]+$/", $email)) { > // $email consists of digits only ==> search for IDs 45,47c45,56 < where `users`.`id`=`email`.`memid` and < (`email`.`email` like '$emailsearch' or `email`.`id`='$email' or `users`.`id`='$email') and < `email`.`hash`='' and `email`.`deleted`=0 and `users`.`deleted`=0 --- > where `users`.`id`=`email`.`memid` > and (`email`.`id`='$email' or `users`.`id`='$email') > and `users`.`deleted`=0 > group by `users`.`id` limit 100"; > } else { > // $email contains non-digits ==> search for mail addresses > // Be defensive here (outer join) if primary mail is not listed in email table > $query = "select `users`.`id` as `id`, `email`.`email` as `email` > from `users` left outer join `email` on (`users`.`id`=`email`.`memid`) > where ((`email`.`email` like '$emailsearch') > or `users`.`email` like '$emailsearch') > and `users`.`deleted`=0 48a58,59 > } > // bug-975 ted+uli changes --- end 319a331,464 > > > > > > > > // --- bug-975 begin --- > // potential db inconsistency like in a20110804.1 > // Admin console -> don't list user account > // User login -> impossible > // Assurer, assure someone -> user displayed > /* regular user account search with regular settings > > --- Admin Console find user query > $query = "select `users`.`id` as `id`, `email`.`email` as `email` from `users`,`email` > where `users`.`id`=`email`.`memid` and > (`email`.`email` like '$emailsearch' or `email`.`id`='$email' or `users`.`id`='$email') and > `email`.`hash`='' and `email`.`deleted`=0 and `users`.`deleted`=0 > group by `users`.`id` limit 100"; > => requirements > 1. email.hash = '' > 2. email.deleted = 0 > 3. users.deleted = 0 > 4. email.email = primary-email (???) or'd > not covered by admin console find user routine, but may block users login > 5. users.verified = 0|1 > further "special settings" > 6. users.locked (setting displayed in display form) > 7. 
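Review bot: The digits-only test `preg_match("/^[0-9]+$/", $email)` still accepts a value with a trailing newline, because `$` in PCRE matches before a final "\n" unless the `D` modifier or `\z` is used, and the matched value is then interpolated unquoted-escaped as `'$email'` in the ID query of the next hunk. The newline cannot break out of the quoted SQL literal, so this is a correctness rather than an injection issue, but the branch should pin exactly what its comment claims: `if(preg_match("/^[0-9]+$/D", $email)) {` and, in the query, `intval($email)` in place of the raw `$email`. The enclosing function and the place where `$email` and `$emailsearch` are assigned lie before this hunk and could not be checked.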
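Review bot: The rewritten address search drops the `email.hash=''` and `email.deleted=0` conditions the old query carried, so users are now also found through email records that are deleted or still unconfirmed, while the comment on the `else` branch only explains the outer join. That widening looks deliberate for the bug-975 inconsistency listing, but it should be stated so the filters are not re-added later: `// Intentionally no email.hash / email.deleted filter: inconsistent accounts must be listed too`. Whether `$emailsearch` is still escaped before being interpolated into the two `like` clauses cannot be seen here, since it is built before line 41.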
users.assurer_blocked (setting displayed in display form) > > --- User login user query > select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or > `password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0 > => requirements > 1. users.verified = 1 > 2. users.deleted = 0 > 3. users.locked = 0 > 4. users.email = primary-email > > --- Assurer, assure someone find user query > select * from `users` where `email`='".mysql_escape_string(stripslashes($_POST['email']))."' > and `deleted`=0 > => requirements > 1. users.deleted = 0 > 2. users.email = primary-email > Admin User Assurer > bit Console Login assure someone > > 1. email.hash = '' Yes No No > 2. email.deleted = 0 Yes No No > 3. users.deleted = 0 Yes Yes Yes > 4. users.verified = 1 No Yes No > 5. users.locked = 0 No Yes No > 6. users.email = prim-email No Yes Yes > 7. email.email = prim-email Yes No No > > full usable account needs all 7 requirements fulfilled > so if one setting isn't set/cleared there is an inconsistency either way > if eg email.email is not avail, admin console cannot open user info > but user can login and assurer can display user info > if user verified is not set to 1, admin console displays user record > but user cannot login, but assurer can search for the user and the data displays > > consistency check: > 1. search primary-email in users.email > 2. search primary-email in email.email > 3. userid = email.memid > 4. check settings from table 1. - 5. 
> > */ > > $inconsistency = 0; > $inconsistencydisp = ""; > $inccause = ""; > // current userid intval($row['id']) > $query = "select email as uemail, deleted as udeleted, verified, locked from `users` where `id`='".intval($row['id'])."' "; > $dres = mysql_query($query); > $drow = mysql_fetch_assoc($dres); > $uemail = $drow['uemail']; > $udeleted = $drow['udeleted']; > $uverified = $drow['verified']; > $ulocked = $drow['locked']; > > $query = "select hash, deleted as edeleted, email as eemail from `email` where `memid`='".intval($row['id'])."' and email='".$uemail."' "; > $dres = mysql_query($query); > if ($drow = mysql_fetch_assoc($dres)) { > $eemail = $drow['eemail']; > $edeleted = $drow['edeleted']; > $ehash = $drow['hash']; > if ($udeleted!=0) { > $inconsistency += 1; > $inccause .= (empty($inccause)?"":"
")._("Users record set to deleted"); > } > if ($uverified!=1) { > $inconsistency += 2; > $inccause .= (empty($inccause)?"":"
")._("Users record verified not set"); > } > if ($ulocked!=0) { > $inconsistency += 4; > $inccause .= (empty($inccause)?"":"
")._("Users record locked set"); > } > if ($edeleted!=0) { > $inconsistency += 8; > $inccause .= (empty($inccause)?"":"
")._("Email record set deleted"); > } > if ($ehash!='') { > $inconsistency += 16; > $inccause .= (empty($inccause)?"":"
")._("Email record hash not unset"); > } > } else { > $inconsistency = 32; > $inccause = _("Prim. email, Email record doesn't exist"); > } > if ($inconsistency>0) { > // $inconsistencydisp = _("Yes"); > ?> > > > > > > > > > // --- bug-975 end --- > ?> >
:
code:
that needs to be fixed manualy thru arbitration/critical team.")?>
>
> // End - Debug infos > ?>
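Review bot: The second consistency query interpolates `$uemail`, the primary address read back from `users.email`, directly into SQL as `and email='".$uemail."'` with no escaping, whereas the user id on the same line goes through `intval()`. That address is user-supplied data, so a stored quote would at least break and could plausibly alter the query, which runs under the admin console's database rights; use `and email='".mysql_real_escape_string($uemail)."' "` (or the `mysql_escape_string` the file already uses elsewhere). Separately, the `udeleted`, `uverified` and `ulocked` checks sit inside the `if ($drow = mysql_fetch_assoc($dres))` branch, so a user with no matching email record is reported only as 32 even when also locked or unverified; moving those three checks above the `if` keeps the bit meanings complete. The HTML and `<?=` output parts of this hunk appear to have been stripped from the page, so the rendered lines could not be reviewed.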