summaryrefslogtreecommitdiff
path: root/pages
diff options
context:
space:
mode:
authorBernhard Fröhlich <bernhard@cacert.org>2011-09-14 19:20:54 +0200
committerBernhard Fröhlich <bernhard@cacert.org>2011-09-14 19:20:54 +0200
commitde63af512f3558435c1b6b5f7f37406f787c9864 (patch)
tree14a40cdd355273c7df0c0defecd757fe8422be94 /pages
parentb14806a5215a9fc1e95383c7f543d7e17f24a1f5 (diff)
downloadcacert-devel-de63af512f3558435c1b6b5f7f37406f787c9864.tar.gz
cacert-devel-de63af512f3558435c1b6b5f7f37406f787c9864.tar.xz
cacert-devel-de63af512f3558435c1b6b5f7f37406f787c9864.zip
Proposed additional changes by Uli and Dirk https://bugs.cacert.org/view.php?id=975#c2351
Diffstat (limited to 'pages')
-rwxr-xr-xpages/account/43.php140
1 files changed, 137 insertions, 3 deletions
diff --git a/pages/account/43.php b/pages/account/43.php
index f1bfb65..3a96416 100755
--- a/pages/account/43.php
+++ b/pages/account/43.php
@@ -38,24 +38,25 @@
//if(!strstr($email, "%"))
// $emailsearch = "%$email%";
+ // bug-975 ted+uli changes --- begin
if(preg_match("/^[0-9]+$/", $email)) {
// $email consists of digits only ==> search for IDs
$query = "select `users`.`id` as `id`, `email`.`email` as `email` from `users`,`email`
where `users`.`id`=`email`.`memid`
and (`email`.`id`='$email' or `users`.`id`='$email')
- and `email`.`hash`='' and `email`.`deleted`=0 and `users`.`deleted`=0
+ and `users`.`deleted`=0
group by `users`.`id` limit 100";
} else {
// $email contains non-digits ==> search for mail addresses
// Be defensive here (outer join) if primary mail is not listed in email table
$query = "select `users`.`id` as `id`, `email`.`email` as `email`
from `users` left outer join `email` on (`users`.`id`=`email`.`memid`)
- where ((`email`.`email` like '$emailsearch'
- and `email`.`hash`='' and `email`.`deleted`=0)
+ where (`email`.`email` like '$emailsearch'
or `users`.`email` like '$emailsearch')
and `users`.`deleted`=0
group by `users`.`id` limit 100";
}
+ // bug-975 ted+uli changes --- end
$res = mysql_query($query);
if(mysql_num_rows($res) > 1) { ?>
<table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper">
@@ -327,6 +328,139 @@
</table>
<br>
<? } ?>
+<? // Begin - Debug infos ?>
+<table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper">
+ <tr>
+ <td colspan="2" class="title"><?=_("Account State")?></td>
+ </tr>
+
+<?
+ // --- bug-975 begin ---
+ // potential db inconsistency like in a20110804.1
+ // Admin console -> don't list user account
+ // User login -> impossible
+ // Assurer, assure someone -> user displayed
+ /* regular user account search with regular settings
+
+ --- Admin Console find user query
+ $query = "select `users`.`id` as `id`, `email`.`email` as `email` from `users`,`email`
+ where `users`.`id`=`email`.`memid` and
+ (`email`.`email` like '$emailsearch' or `email`.`id`='$email' or `users`.`id`='$email') and
+ `email`.`hash`='' and `email`.`deleted`=0 and `users`.`deleted`=0
+ group by `users`.`id` limit 100";
+ => requirements
+ 1. email.hash = ''
+ 2. email.deleted = 0
+ 3. users.deleted = 0
+ 4. email.email = primary-email (???) or'd
+ not covered by admin console find user routine, but may block users login
+ 5. users.verified = 0|1
+ further "special settings"
+ 6. users.locked (setting displayed in display form)
+ 7. users.assurer_blocked (setting displayed in display form)
+
+ --- User login user query
+ select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
+ `password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0
+ => requirements
+ 1. users.verified = 1
+ 2. users.deleted = 0
+ 3. users.locked = 0
+ 4. users.email = primary-email
+
+ --- Assurer, assure someone find user query
+ select * from `users` where `email`='".mysql_escape_string(stripslashes($_POST['email']))."'
+ and `deleted`=0
+ => requirements
+ 1. users.deleted = 0
+ 2. users.email = primary-email
+ Admin User Assurer
+ bit Console Login assure someone
+
+ 1. email.hash = '' Yes No No
+ 2. email.deleted = 0 Yes No No
+ 3. users.deleted = 0 Yes Yes Yes
+ 4. users.verified = 1 No Yes No
+ 5. users.locked = 0 No Yes No
+ 6. users.email = prim-email No Yes Yes
+ 7. email.email = prim-email Yes No No
+
+ full usable account needs all 7 requirements fulfilled
+ so if one setting isn't set/cleared there is an inconsistency either way
+ if eg email.email is not avail, admin console cannot open user info
+ but user can login and assurer can display user info
+ if user verified is not set to 1, admin console displays user record
+ but user cannot login, but assurer can search for the user and the data displays
+
+ consistency check:
+ 1. search primary-email in users.email
+ 2. search primary-email in email.email
+ 3. userid = email.memid
+ 4. check settings from table 1. - 5.
+
+ */
+
+ $inconsistency = 0;
+ $inconsistencydisp = "";
+ $inccause = "";
+ // current userid intval($row['id'])
+ $query = "select email as uemail, deleted as udeleted, verified, locked from `users` where `id`='".intval($row['id'])."' ";
+ $dres = mysql_query($query);
+ $drow = mysql_fetch_assoc($dres);
+ $uemail = $drow['uemail'];
+ $udeleted = $drow['udeleted'];
+ $uverified = $drow['verified'];
+ $ulocked = $drow['locked'];
+
+ $query = "select hash, deleted as edeleted, email as eemail from `email` where `memid`='".intval($row['id'])."' and email='".$uemail."' ";
+ $dres = mysql_query($query);
+ if ($drow = mysql_fetch_assoc($dres)) {
+ $eemail = $drow['eemail'];
+ $edeleted = $drow['edeleted'];
+ $ehash = $drow['hash'];
+ if ($udeleted!=0) {
+ $inconsistency += 1;
+ $inccause .= (empty($inccause)?"":"<br>")._("Users record set to deleted");
+ }
+ if ($uverified!=1) {
+ $inconsistency += 2;
+ $inccause .= (empty($inccause)?"":"<br>")._("Users record verified not set");
+ }
+ if ($ulocked!=0) {
+ $inconsistency += 4;
+ $inccause .= (empty($inccause)?"":"<br>")._("Users record locked set");
+ }
+ if ($edeleted!=0) {
+ $inconsistency += 8;
+ $inccause .= (empty($inccause)?"":"<br>")._("Email record set deleted");
+ }
+ if ($ehash!='') {
+ $inconsistency += 16;
+ $inccause .= (empty($inccause)?"":"<br>")._("Email record hash not unset");
+ }
+ } else {
+ $inconsistency = 32;
+ $inccause = _("Prim. email, Email record doesn't exist");
+ }
+ if ($inconsistency>0) {
+ // $inconsistencydisp = _("Yes");
+?>
+ <tr>
+ <td class="DataTD"><?=_("Account inconsistency")?>:</td>
+ <td class="DataTD"><?=$inccause?><br>code: <?=$inconsistency?></td>
+ </tr>
+ <tr>
+ <td colspan="2" class="DataTD"><?=_("Account inconsistency can cause problems in daily account operations<br>that needs to be fixed manualy thru arbitration/critical team.")?></td>
+ </tr>
+<? }
+
+ // --- bug-975 end ---
+?>
+</table>
+<br>
+<?
+ // End - Debug infos
+?>
<?
if(array_key_exists('assuredto',$_GET) && $_GET['assuredto'] == "yes") {