/*
LibreSSL - CAcert web application
Copyright (C) 2004-2008 CAcert Inc.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/ ?>
if(array_key_exists('assurance',$_REQUEST) && $_REQUEST['assurance'] > 0)
{
$assurance = mysql_escape_string(intval($_REQUEST['assurance']));
$row = 0;
$res = mysql_query("select `to` from `notary` where `id`='$assurance'");
if ($res) {
$row = mysql_fetch_assoc($res);
}
mysql_query("delete from `notary` where `id`='$assurance'");
if ($row) {
fix_assurer_flag($row['to']);
}
}
if(intval(array_key_exists('userid',$_REQUEST)?$_REQUEST['userid']:0) <= 0)
{
$emailsearch = $email = mysql_escape_string(stripslashes($_REQUEST['email']));
//Disabled to speed up the queries
//if(!strstr($email, "%"))
// $emailsearch = "%$email%";
// bug-975 ted+uli changes --- begin
if(preg_match("/^[0-9]+$/", $email)) {
// $email consists of digits only ==> search for IDs
$query = "select `users`.`id` as `id`, `email`.`email` as `email` from `users`,`email`
where `users`.`id`=`email`.`memid`
and (`email`.`id`='$email' or `users`.`id`='$email')
and `users`.`deleted`=0
group by `users`.`id` limit 100";
} else {
// $email contains non-digits ==> search for mail addresses
// Be defensive here (outer join) if primary mail is not listed in email table
$query = "select `users`.`id` as `id`, `email`.`email` as `email`
from `users` left outer join `email` on (`users`.`id`=`email`.`memid`)
where ((`email`.`email` like '$emailsearch')
or `users`.`email` like '$emailsearch')
and `users`.`deleted`=0
group by `users`.`id` limit 100";
}
// bug-975 ted+uli changes --- end
$res = mysql_query($query);
if(mysql_num_rows($res) > 1) { ?>
} elseif(mysql_num_rows($res) == 1) {
$row = mysql_fetch_assoc($res);
$_REQUEST['userid'] = $row['id'];
} else {
printf(_("No users found matching %s"), sanitizeHTML($email));
}
}
if(intval($_REQUEST['userid']) > 0)
{
$id = intval($_REQUEST['userid']);
$query = "select * from `users` where `id`='$id' and `users`.`deleted`=0";
$res = mysql_query($query);
if(mysql_num_rows($res) <= 0)
{
echo _("I'm sorry, the user you were looking for seems to have disappeared! Bad things are a foot!");
} else {
$row = mysql_fetch_assoc($res);
$query = "select sum(`points`) as `points` from `notary` where `to`='".intval($row['id'])."'";
$dres = mysql_query($query);
$drow = mysql_fetch_assoc($dres);
$alerts = mysql_fetch_assoc(mysql_query("select * from `alerts` where `memid`='".intval($row['id'])."'"));
?>
$query = "select * from `email` where `memid`='".intval($row['id'])."' and `deleted`=0 and `hash`=''
and `email`!='".mysql_escape_string($row['email'])."'";
$dres = mysql_query($query);
if(mysql_num_rows($dres) > 0) { ?>
// --- bug-975 begin ---
// potential db inconsistency like in a20110804.1
// Admin console -> don't list user account
// User login -> impossible
// Assurer, assure someone -> user displayed
/* regular user account search with regular settings
--- Admin Console find user query
$query = "select `users`.`id` as `id`, `email`.`email` as `email` from `users`,`email`
where `users`.`id`=`email`.`memid` and
(`email`.`email` like '$emailsearch' or `email`.`id`='$email' or `users`.`id`='$email') and
`email`.`hash`='' and `email`.`deleted`=0 and `users`.`deleted`=0
group by `users`.`id` limit 100";
=> requirements
1. email.hash = ''
2. email.deleted = 0
3. users.deleted = 0
4. email.email = primary-email (???) or'd
not covered by admin console find user routine, but may block users login
5. users.verified = 0|1
further "special settings"
6. users.locked (setting displayed in display form)
7. users.assurer_blocked (setting displayed in display form)
--- User login user query
select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
`password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0
=> requirements
1. users.verified = 1
2. users.deleted = 0
3. users.locked = 0
4. users.email = primary-email
--- Assurer, assure someone find user query
select * from `users` where `email`='".mysql_escape_string(stripslashes($_POST['email']))."'
and `deleted`=0
=> requirements
1. users.deleted = 0
2. users.email = primary-email
Admin User Assurer
bit Console Login assure someone
1. email.hash = '' Yes No No
2. email.deleted = 0 Yes No No
3. users.deleted = 0 Yes Yes Yes
4. users.verified = 1 No Yes No
5. users.locked = 0 No Yes No
6. users.email = prim-email No Yes Yes
7. email.email = prim-email Yes No No
full usable account needs all 7 requirements fulfilled
so if one setting isn't set/cleared there is an inconsistency either way
if eg email.email is not avail, admin console cannot open user info
but user can login and assurer can display user info
if user verified is not set to 1, admin console displays user record
but user cannot login, but assurer can search for the user and the data displays
consistency check:
1. search primary-email in users.email
2. search primary-email in email.email
3. userid = email.memid
4. check settings from table 1. - 5.
*/
$inconsistency = 0;
$inconsistencydisp = "";
$inccause = "";
// current userid intval($row['id'])
$query = "select email as uemail, deleted as udeleted, verified, locked from `users` where `id`='".intval($row['id'])."' ";
$dres = mysql_query($query);
$drow = mysql_fetch_assoc($dres);
$uemail = $drow['uemail'];
$udeleted = $drow['udeleted'];
$uverified = $drow['verified'];
$ulocked = $drow['locked'];
$query = "select hash, deleted as edeleted, email as eemail from `email` where `memid`='".intval($row['id'])."' and email='".$uemail."' ";
$dres = mysql_query($query);
if ($drow = mysql_fetch_assoc($dres)) {
$eemail = $drow['eemail'];
$edeleted = $drow['edeleted'];
$ehash = $drow['hash'];
if ($udeleted!=0) {
$inconsistency += 1;
$inccause .= (empty($inccause)?"":" ")._("Users record set to deleted");
}
if ($uverified!=1) {
$inconsistency += 2;
$inccause .= (empty($inccause)?"":" ")._("Users record verified not set");
}
if ($ulocked!=0) {
$inconsistency += 4;
$inccause .= (empty($inccause)?"":" ")._("Users record locked set");
}
if ($edeleted!=0) {
$inconsistency += 8;
$inccause .= (empty($inccause)?"":" ")._("Email record set deleted");
}
if ($ehash!='') {
$inconsistency += 16;
$inccause .= (empty($inccause)?"":" ")._("Email record hash not unset");
}
} else {
$inconsistency = 32;
$inccause = _("Prim. email, Email record doesn't exist");
}
if ($inconsistency>0) {
// $inconsistencydisp = _("Yes");
?>
=_("Account inconsistency")?>:
=$inccause?> code: =$inconsistency?>
=_("Account inconsistency can cause problems in daily account operations that needs to be fixed manualy thru arbitration/critical team.")?>