summaryrefslogtreecommitdiff
path: root/includes/account.php
diff options
context:
space:
mode:
Diffstat (limited to 'includes/account.php')
-rw-r--r--includes/account.php511
1 files changed, 318 insertions, 193 deletions
diff --git a/includes/account.php b/includes/account.php
index 79237e1..ec109ae 100644
--- a/includes/account.php
+++ b/includes/account.php
@@ -18,17 +18,74 @@
require_once("../includes/loggedin.php");
require_once("../includes/lib/l10n.php");
require_once("../includes/lib/check_weak_key.php");
+ require_once("../includes/notary.inc.php");
loadem("account");
- $id = 0; if(array_key_exists("id",$_REQUEST)) $id=intval($_REQUEST['id']);
- $oldid = 0; if(array_key_exists("oldid",$_REQUEST)) $oldid=intval($_REQUEST['oldid']);
- $process = ""; if(array_key_exists("process",$_REQUEST)) $process=$_REQUEST['process'];
+/**
+ * Build a subject string as needed by the signer
+ *
+ * @param array(string) $domains
+ * First domain is used as CN and repeated in subjectAltName. Duplicates
+ * should already been removed
+ *
+ * @param bool $include_xmpp_addr
+ * [default: true] Whether to include the XmppAddr in the subjectAltName.
+ * This is needed if the Jabber server is jabber.example.com but a Jabber ID
+ * on that server would be alice@example.com
+ *
+ * @return string
+ */
+function buildSubject(array $domains, $include_xmpp_addr = true) {
+ $subject = "/CN=${domains[0]}";
+
+ foreach ($domains as $domain) {
+ $subject .= "/subjectAltName=DNS:$domain";
+
+ if ($include_xmpp_addr) {
+ $subject .= "/subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:$domain";
+ }
+ }
+
+ return $subject;
+}
+
+/**
+ * Builds the subject string from the session variables
+ * $_SESSION['_config']['rows'] and $_SESSION['_config']['altrows']
+ *
+ * @return string
+ */
+function buildSubjectFromSession() {
+ $domains = array();
+
+ if (is_array($_SESSION['_config']['rows'])) {
+ $domains = array_merge($domains, $_SESSION['_config']['rows']);
+ }
+
+ if (is_array($_SESSION['_config']['altrows']))
+ foreach ($_SESSION['_config']['altrows'] as $row) {
+ if (substr($row, 0, 4) === "DNS:") {
+ $domains[] = substr($row, 4);
+ }
+ }
+
+ return buildSubject(array_unique($domains));
+}
+
+ $id = array_key_exists("id",$_REQUEST) ? intval($_REQUEST['id']) : 0;
+ $oldid = array_key_exists("oldid",$_REQUEST) ? intval($_REQUEST['oldid']) : 0;
+ $process = array_key_exists("process",$_REQUEST) ? $_REQUEST['process'] : "";
+// $showdetalis refers to Secret Question and Answers from account/13.php
+ $showdetails = array_key_exists("showdetails",$_REQUEST) ? intval($_REQUEST['showdetails']) : 0;
- $cert=0; if(array_key_exists('cert',$_REQUEST)) $cert=intval($_REQUEST['cert']);
- $orgid=0; if(array_key_exists('orgid',$_REQUEST)) $orgid=intval($_REQUEST['orgid']);
- $memid=0; if(array_key_exists('memid',$_REQUEST)) $memid=intval($_REQUEST['memid']);
- $domid=0; if(array_key_exists('domid',$_REQUEST)) $domid=intval($_REQUEST['domid']);
+ $cert = array_key_exists('cert',$_REQUEST) ? intval($_REQUEST['cert']) : 0;
+ $orgid = array_key_exists('orgid',$_REQUEST) ? intval($_REQUEST['orgid']) : 0;
+ $memid = array_key_exists('memid',$_REQUEST) ? intval($_REQUEST['memid']) : 0;
+ $domid = array_key_exists('domid',$_REQUEST) ? intval($_REQUEST['domid']) : 0;
+ $ticketno = array_key_exists('ticketno',$_REQUEST) ? $_REQUEST['ticketno'] : "";
+ $ticketvalidation = FALSE;
+ $actionrequest = array_key_exists('action',$_REQUEST) ? $_REQUEST['action'] : "";
if(!$_SESSION['mconn'])
@@ -70,9 +127,7 @@
}
$oldid=0;
$_REQUEST['email'] = trim(mysql_real_escape_string(stripslashes($_REQUEST['newemail'])));
- $query = "select * from `email` where `email`='".$_REQUEST['email']."' and `deleted`=0";
- $res = mysql_query($query);
- if(mysql_num_rows($res) > 0)
+ if(check_email_exists($_REQUEST['email'])==true)
{
showheader(_("My CAcert.org Account!"));
printf(_("The email address '%s' is already in a different account. Can't continue."), sanitizeHTML($_REQUEST['email']));
@@ -150,10 +205,12 @@
$delcount = 0;
if(array_key_exists('delid',$_REQUEST) && is_array($_REQUEST['delid']))
{
+ $deltitle=false;
foreach($_REQUEST['delid'] as $id)
{
- if (0==$delcount) {
+ if (!$deltitle) {
echo _('The following email addresses have been removed:')."<br>\n";
+ $deltitle=true;
}
$id = intval($id);
$query = "select * from `email` where `id`='$id' and `memid`='".intval($_SESSION['profile']['id'])."' and
@@ -163,17 +220,7 @@
{
$row = mysql_fetch_assoc($res);
echo $row['email']."<br>\n";
- $query = "select `emailcerts`.`id`
- from `emaillink`,`emailcerts` where
- `emailid`='$id' and `emaillink`.`emailcertsid`=`emailcerts`.`id` and
- `revoked`=0 and UNIX_TIMESTAMP(`expire`)-UNIX_TIMESTAMP() > 0
- group by `emailcerts`.`id`";
- $dres = mysql_query($query);
- while($drow = mysql_fetch_assoc($dres))
- mysql_query("update `emailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='".$drow['id']."'");
-
- $query = "update `email` set `deleted`=NOW() where `id`='$id'";
- mysql_query($query);
+ account_email_delete($row['id']);
$delcount++;
}
}
@@ -184,7 +231,7 @@
}
if(0 == $delcount)
{
- echo _("You failed to select any accounts to be removed, or you attempted to remove the default account. No action was taken.");
+ echo _("You did not select any accounts to be removed, or you attempted to remove the default account. No action was taken.");
}
showfooter();
@@ -193,6 +240,14 @@
if($process != "" && $oldid == 3)
{
+ if(!array_key_exists('CCA',$_REQUEST))
+ {
+ showheader(_("My CAcert.org Account!"));
+ echo _("You did not accept the CAcert Community Agreement (CCA), hit the back button and try again.");
+ showfooter();
+ exit;
+ }
+
if(!(array_key_exists('addid',$_REQUEST) && is_array($_REQUEST['addid'])) && $_REQUEST['SSO'] != '1')
{
showheader(_("My CAcert.org Account!"));
@@ -322,6 +377,8 @@
exit;
}
+ write_user_agreement(intval($_SESSION['profile']['id']), "CCA", "certificate creation", "", 1);
+
$query = "insert into emailcerts set
`CN`='$defaultemail',
`keytype`='NS',
@@ -630,32 +687,9 @@
{
$row = mysql_fetch_assoc($res);
echo $row['domain']."<br>\n";
-
- $dres = mysql_query(
- "select `domaincerts`.`id`
- from `domaincerts`
- where `domaincerts`.`domid` = '$id'
- union distinct
- select `domaincerts`.`id`
- from `domaincerts`, `domlink`
- where `domaincerts`.`id` = `domlink`.`certid`
- and `domlink`.`domid` = '$id'");
- while($drow = mysql_fetch_assoc($dres))
- {
- mysql_query(
- "update `domaincerts`
- set `revoked`='1970-01-01 10:00:01'
- where `id` = '".$drow['id']."'
- and `revoked` = 0
- and UNIX_TIMESTAMP(`expire`) -
- UNIX_TIMESTAMP() > 0");
- }
-
- mysql_query(
- "update `domains`
- set `deleted`=NOW()
- where `id` = '$id'");
+ account_domain_delete($row['id']);
}
+
}
}
else
@@ -669,6 +703,14 @@
if($process != "" && $oldid == 10)
{
+ if(!array_key_exists('CCA',$_REQUEST))
+ {
+ showheader(_("My CAcert.org Account!"));
+ echo _("You did not accept the CAcert Community Agreement (CCA), hit the back button and try again.");
+ showfooter();
+ exit;
+ }
+
$CSR = clean_csr($_REQUEST['CSR']);
if(strpos($CSR,"---BEGIN")===FALSE)
{
@@ -753,38 +795,13 @@
exit;
}
- $subject = "";
- $count = 0;
- $supressSAN=0;
- if($_SESSION["profile"]["id"] == 104074) $supressSAN=1;
+ $subject = buildSubjectFromSession();
- if(is_array($_SESSION['_config']['rows']))
- foreach($_SESSION['_config']['rows'] as $row)
- {
- $count++;
- if($count <= 1)
- {
- $subject .= "/CN=$row";
- if(!$supressSAN) $subject .= "/subjectAltName=DNS:$row";
- if(!$supressSAN) $subject .= "/subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:$row";
- } else {
- if(!$supressSAN) $subject .= "/subjectAltName=DNS:$row";
- if(!$supressSAN) $subject .= "/subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:$row";
- }
- }
- if(is_array($_SESSION['_config']['altrows']))
- foreach($_SESSION['_config']['altrows'] as $row)
- {
- if(substr($row, 0, 4) == "DNS:")
- {
- $row = substr($row, 4);
- if(!$supressSAN) $subject .= "/subjectAltName=DNS:$row";
- if(!$supressSAN) $subject .= "/subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:$row";
- }
- }
if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2)
$_SESSION['_config']['rootcert'] = 1;
+ write_user_agreement(intval($_SESSION['profile']['id']), "CCA", "certificate creation", "", 1);
+
if(array_key_exists('0',$_SESSION['_config']['rowid']) && $_SESSION['_config']['rowid']['0'] > 0)
{
$query = "insert into `domaincerts` set
@@ -805,7 +822,6 @@
echo _("Domain not verified.");
showfooter();
exit;
-
}
mysql_query($query);
@@ -904,29 +920,7 @@
continue;
}
- $subject = "";
- $count = 0;
- if(is_array($_SESSION['_config']['rows']))
- foreach($_SESSION['_config']['rows'] as $row)
- {
- $count++;
- if($count <= 1)
- {
- $subject .= "/CN=$row";
- if(!strstr($subject, "=$row/") &&
- substr($subject, -strlen("=$row")) != "=$row")
- $subject .= "/subjectAltName=$row";
- } else {
- if(!strstr($subject, "=$row/") &&
- substr($subject, -strlen("=$row")) != "=$row")
- $subject .= "/subjectAltName=$row";
- }
- }
- if(is_array($_SESSION['_config']['altrows']))
- foreach($_SESSION['_config']['altrows'] as $row)
- if(!strstr($subject, "=$row/") &&
- substr($subject, -strlen("=$row")) != "=$row")
- $subject .= "/subjectAltName=$row";
+ $subject = buildSubjectFromSession();
$subject = mysql_real_escape_string($subject);
mysql_query("update `domaincerts` set `subject`='$subject',`csr_name`='$newfile' where `id`='$newid'");
@@ -948,6 +942,7 @@
{
echo _("You did not select any certificates for renewal.");
}
+
showfooter();
exit;
}
@@ -1029,9 +1024,7 @@
{
$cid = intval(substr($id,14));
$comment=trim(mysql_real_escape_string(stripslashes($_REQUEST['comment_'.$cid])));
-echo "cid:".$cid." comment:".$comment."++</br>";
-echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `memid`='".$_SESSION['profile']['id']."'</br>";
- mysql_query("update `domaincerts` set `description`='$comment' where `id`='$cid' and `memid`='".$_SESSION['profile']['id']."'");
+ mysql_query("update `domaincerts` set `description`='$comment' where `id`='$cid'");
}
}
echo(_("Certificate settings have been changed.")."<br/>\n");
@@ -1201,25 +1194,7 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
exit;
}
-
- if($oldid == 6 && $_REQUEST['certid'] != "")
- {
- if(trim($_REQUEST['description']) != ""){
- $description= trim(mysql_real_escape_string(stripslashes($_REQUEST['description'])));
- }else{
- $description= "";
- }
-
- if(trim($_REQUEST['disablelogin']) == "1"){
- $disablelogin = 1;
- }else{
- $disablelogin = 0;
- }
-
- mysql_query("update `emailcerts` set `disablelogin`='$disablelogin', `description`='$description' where `id`='".$_REQUEST['certid']."' and `memid`='".$_SESSION['profile']['id']."'");
-
- }
- if($oldid == 13 && $process != "")
+ if($oldid == 13 && $process != "" && $showdetails!="")
{
csrf_check("perschange");
$_SESSION['_config']['user'] = $_SESSION['profile'];
@@ -1284,7 +1259,7 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
if($oldid == 13 && $process != "")
{
- $ddquery = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' group by `to`";
+ $ddquery = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' and `deleted`=0 group by `to`";
$ddres = mysql_query($ddquery);
$ddrow = mysql_fetch_assoc($ddres);
$_SESSION['profile']['points'] = $ddrow['total'];
@@ -1327,18 +1302,20 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
where `id`='".$_SESSION['profile']['id']."'";
mysql_query($query);
}
- $query = "update `users` set `Q1`='".$_SESSION['_config']['user']['Q1']."',
- `Q2`='".$_SESSION['_config']['user']['Q2']."',
- `Q3`='".$_SESSION['_config']['user']['Q3']."',
- `Q4`='".$_SESSION['_config']['user']['Q4']."',
- `Q5`='".$_SESSION['_config']['user']['Q5']."',
- `A1`='".$_SESSION['_config']['user']['A1']."',
- `A2`='".$_SESSION['_config']['user']['A2']."',
- `A3`='".$_SESSION['_config']['user']['A3']."',
- `A4`='".$_SESSION['_config']['user']['A4']."',
- `A5`='".$_SESSION['_config']['user']['A5']."'
- where `id`='".$_SESSION['profile']['id']."'";
- mysql_query($query);
+ if ($showdetails!="") {
+ $query = "update `users` set `Q1`='".$_SESSION['_config']['user']['Q1']."',
+ `Q2`='".$_SESSION['_config']['user']['Q2']."',
+ `Q3`='".$_SESSION['_config']['user']['Q3']."',
+ `Q4`='".$_SESSION['_config']['user']['Q4']."',
+ `Q5`='".$_SESSION['_config']['user']['Q5']."',
+ `A1`='".$_SESSION['_config']['user']['A1']."',
+ `A2`='".$_SESSION['_config']['user']['A2']."',
+ `A3`='".$_SESSION['_config']['user']['A3']."',
+ `A4`='".$_SESSION['_config']['user']['A4']."',
+ `A5`='".$_SESSION['_config']['user']['A5']."'
+ where `id`='".$_SESSION['profile']['id']."'";
+ mysql_query($query);
+ }
//!!!Should be rewritten
$_SESSION['_config']['user']['otphash'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['otphash']))));
@@ -1354,7 +1331,7 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
$_SESSION['profile'] = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".$_SESSION['profile']['id']."'"));
$_SESSION['profile']['loggedin'] = 1;
- $ddquery = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' group by `to`";
+ $ddquery = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' and `deleted`=0 group by `to`";
$ddres = mysql_query($ddquery);
$ddrow = mysql_fetch_assoc($ddres);
$_SESSION['profile']['points'] = $ddrow['total'];
@@ -1473,7 +1450,6 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
if($oldid == 16 && $process != "")
{
-
if(array_key_exists('codesign',$_REQUEST) && $_REQUEST['codesign'] && $_SESSION['profile']['codesign'] && ($_SESSION['profile']['points'] >= 100))
{
$_REQUEST['codesign'] = 1;
@@ -1554,6 +1530,7 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
$query = "insert into `orgemailcerts` set
`CN`='$defaultemail',
+ `ou`='".$_SESSION['_config']['OU']."',
`keytype`='NS',
`orgid`='".$org['orgid']."',
`created`=FROM_UNIXTIME(UNIX_TIMESTAMP()),
@@ -1644,6 +1621,7 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
$query = "insert into `orgemailcerts` set
`CN`='$defaultemail',
+ `ou`='".$_SESSION['_config']['OU']."',
`keytype`='" . sanitizeHTML($_REQUEST['keytype']) . "',
`orgid`='".$org['orgid']."',
`created`=FROM_UNIXTIME(UNIX_TIMESTAMP()),
@@ -1719,6 +1697,7 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
$query = "insert into `orgemailcerts` set
`orgid`='".$row['orgid']."',
`CN`='".$row['CN']."',
+ `ou`='".$row['ou']."',
`subject`='".$row['subject']."',
`keytype`='".$row['keytype']."',
`csr_name`='".$row['csr_name']."',
@@ -1827,7 +1806,7 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
{
$cid = intval(substr($id,14));
$comment=trim(mysql_real_escape_string(stripslashes($_REQUEST['comment_'.$cid])));
- mysql_query("update `orgemailcerts` set `description`='$comment' where `id`='$cid' and `memid`='".$_SESSION['profile']['id']."'");
+ mysql_query("update `orgemailcerts` set `description`='$comment' where `id`='$cid'");
}
}
echo(_("Certificate settings have been changed.")."<br/>\n");
@@ -1835,6 +1814,21 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
exit;
}
+ if($oldid == 18 && array_key_exists('filter',$_REQUEST) && $_REQUEST['filter']!= "")
+ {
+ $id=18;
+ $_SESSION['_config']['orgfilterid']=$_REQUEST['orgfilterid'];
+ $_SESSION['_config']['sorting']=$_REQUEST['sorting'];
+ $_SESSION['_config']['status']=$_REQUEST['status'];
+ }
+
+ if($oldid == 18 && array_key_exists('reset',$_REQUEST) && $_REQUEST['reset']!= "")
+ {
+ $id=18;
+ $_SESSION['_config']['orgfilterid']=0;
+ $_SESSION['_config']['sorting']=0;
+ $_SESSION['_config']['status']=0;
+ }
if($process != "" && $oldid == 20)
{
@@ -1958,20 +1952,7 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
//if($org['contact'])
// $csrsubject .= "/emailAddress=".trim($org['contact']);
- if(is_array($_SESSION['_config']['rows']))
- foreach($_SESSION['_config']['rows'] as $row)
- $csrsubject .= "/commonName=$row";
- $SAN="";
- if(is_array($_SESSION['_config']['altrows']))
- foreach($_SESSION['_config']['altrows'] as $subalt)
- {
- if($SAN != "")
- $SAN .= ",";
- $SAN .= "$subalt";
- }
-
- if($SAN != "")
- $csrsubject .= "/subjectAltName=".$SAN;
+ $csrsubject .= buildSubjectFromSession();
$type="";
if($_REQUEST["ocspcert"]!="" && $_SESSION['profile']['admin'] == 1) $type="8";
@@ -2183,7 +2164,7 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
{
$cid = intval(substr($id,14));
$comment=trim(mysql_real_escape_string(stripslashes($_REQUEST['comment_'.$cid])));
- mysql_query("update `orgdomaincerts` set `description`='$comment' where `id`='$cid' and `memid`='".$_SESSION['profile']['id']."'");
+ mysql_query("update `orgdomaincerts` set `description`='$comment' where `id`='$cid'");
}
}
echo(_("Certificate settings have been changed.")."<br/>\n");
@@ -2191,6 +2172,22 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
exit;
}
+ if($oldid == 22 && array_key_exists('filter',$_REQUEST) && $_REQUEST['filter']!= "")
+ {
+ $id=22;
+ $_SESSION['_config']['dorgfilterid']=$_REQUEST['dorgfilterid'];
+ $_SESSION['_config']['dsorting']=$_REQUEST['dsorting'];
+ $_SESSION['_config']['dstatus']=$_REQUEST['dstatus'];
+ }
+
+ if($oldid == 22 && array_key_exists('reset',$_REQUEST) && $_REQUEST['reset']!= "")
+ {
+ $id=22;
+ $_SESSION['_config']['dorgfilterid']=0;
+ $_SESSION['_config']['dsorting']=0;
+ $_SESSION['_config']['dstatus']=0;
+ }
+
if(($id == 24 || $oldid == 24 || $id == 25 || $oldid == 25 || $id == 26 || $oldid == 26 ||
$id == 27 || $oldid == 27 || $id == 28 || $oldid == 28 || $id == 29 || $oldid == 29 ||
@@ -2680,7 +2677,17 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
$oldid=0;
}
- if($oldid == 43 && $_REQUEST['action'] == "updatedob")
+ //check if ticket number was entered
+ if ( $id == 43 || $oldid == 43 || $id == 44 || $oldid == 44 ) {
+ if ($ticketno != "" ) {
+ $ticketno = mysql_real_escape_string(trim($_REQUEST['ticketno']));
+ $ticketvalidation = valid_ticket_number($ticketno);
+ }
+
+ $_SESSION['ticketno'] = $ticketno;
+ }
+
+ if($oldid == 43 && $actionrequest == "updatedob" && $ticketvalidation == TRUE)
{
$id = 43;
$oldid=0;
@@ -2692,13 +2699,25 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
$month = intval($_REQUEST['month']);
$year = intval($_REQUEST['year']);
$userid = intval($_REQUEST['userid']);
- $query = "select `fname`,`mname`,`lname`,`suffix`,`dob` from `users` where `id`='$userid'";
- $details = mysql_fetch_assoc(mysql_query($query));
- $query = "insert into `adminlog` set `when`=NOW(),`old-lname`='${details['lname']}',`old-dob`='${details['dob']}',
- `new-lname`='$lname',`new-dob`='$year-$month-$day',`uid`='$userid',`adminid`='".$_SESSION['profile']['id']."'";
- mysql_query($query);
$query = "update `users` set `fname`='$fname',`mname`='$mname',`lname`='$lname',`suffix`='$suffix',`dob`='$year-$month-$day' where `id`='$userid'";
mysql_query($query);
+ write_se_log($userid, $_SESSION['profile']['id'],'SE Name/DOB Change',$ticketno);
+ }elseif($oldid == 43 && $actionrequest == "updatedob" && $ticketvalidation == FALSE){
+ $id = 43;
+ $oldid=0;
+ $_SESSION['ticketmsg']='No action (name/dob change) taken. Ticket number is missing!';
+ }
+
+ if($oldid == 43 && $actionrequest == 'revokecert' && $ticketvalidation == TRUE)
+ {
+ $userid = intval($_REQUEST['userid']);
+ revoke_all_private_cert($userid);
+ write_se_log($userid, $_SESSION['profile']['id'], 'SE Revoke all certificates',$ticketno);
+ $id=43;
+ }elseif($oldid == 43 && $actionrequest == "revokecert" && $ticketvalidation == FALSE){
+ $id = 43;
+ $oldid=0;
+ $_SESSION['ticketmsg']='No certificates revokes. Ticket number is missing!';
}
if($oldid == 48 && $_REQUEST['domain'] == "")
@@ -2724,7 +2743,7 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
$_REQUEST['email'] = $row['email'];
}
- if($oldid == 44)
+ if($oldid == 44 && $ticketvalidation == TRUE)
{
showheader(_("My CAcert.org Account!"));
if(intval($_REQUEST['userid']) <= 0)
@@ -2744,12 +2763,16 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
sendmail($row['email'], "[CAcert.org] "._("Password Update Notification"), $body,
"support@cacert.org", "", "", "CAcert Support");
-
+ write_se_log(intval($_REQUEST['userid']), $_SESSION['profile']['id'],'SE reset password',$ticketno);
}
+
showfooter();
exit;
+ }elseif($oldid == 44 && $ticketvalidation == FALSE){
+ $_SESSION['ticketmsg']='No password reset taken. Ticket number is missing!';
}
+
if($process != "" && $oldid == 45)
{
$CSR = clean_csr($CSR);
@@ -2842,16 +2865,20 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
}
}
- if($id == 43 && array_key_exists('tverify',$_REQUEST) && $_REQUEST['tverify'] > 0)
+ /* presently not needed
+ if($id == 43 && array_key_exists('tverify',$_REQUEST) && $_REQUEST['tverify'] > 0 && $ticketvalidation==TRUE)
{
$memid = $_REQUEST['userid'] = intval($_REQUEST['tverify']);
$query = "select * from `users` where `id`='$memid'";
$row = mysql_fetch_assoc(mysql_query($query));
$ver = !$row['tverify'];
mysql_query("update `users` set `tverify`='$ver' where `id`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change tverify status',$ticketno);
+ }else{
+ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
}
-
- if($id == 43 && array_key_exists('assurer',$_REQUEST) && $_REQUEST['assurer'] > 0)
+ */
+ if($id == 43 && array_key_exists('assurer',$_REQUEST) && $_REQUEST['assurer'] > 0 && $ticketvalidation == TRUE)
{
csrf_check('admsetassuret');
$memid = $_REQUEST['userid'] = intval($_REQUEST['assurer']);
@@ -2859,18 +2886,26 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
$row = mysql_fetch_assoc(mysql_query($query));
$ver = !$row['assurer'];
mysql_query("update `users` set `assurer`='$ver' where `id`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change assurer status',$ticketno);
+ }elseif($id == 43 && array_key_exists('assurer',$_REQUEST) && $_REQUEST['assurer'] > 0 && $ticketvalidation == FALSE){
+ $_REQUEST['userid'] = intval($_REQUEST['assurer']);
+ $_SESSION['ticketmsg']='No action (Change assurer status) taken. Ticket number is missing!';
}
- if($id == 43 && array_key_exists('assurer_blocked',$_REQUEST) && $_REQUEST['assurer_blocked'] > 0)
+ if($id == 43 && array_key_exists('assurer_blocked',$_REQUEST) && $_REQUEST['assurer_blocked'] > 0 && $ticketvalidation == TRUE)
{
$memid = $_REQUEST['userid'] = intval($_REQUEST['assurer_blocked']);
$query = "select * from `users` where `id`='$memid'";
$row = mysql_fetch_assoc(mysql_query($query));
$ver = !$row['assurer_blocked'];
mysql_query("update `users` set `assurer_blocked`='$ver' where `id`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change assurer blocked status',$ticketno);
+ }elseif($id == 43 && array_key_exists('assurer_blocked',$_REQUEST) && $_REQUEST['assurer_blocked'] > 0 && $ticketvalidation == FALSE){
+ $_REQUEST['userid'] = intval($_REQUEST['assurer_blocked']);
+ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
}
- if($id == 43 && array_key_exists('locked',$_REQUEST) && $_REQUEST['locked'] > 0)
+ if($id == 43 && array_key_exists('locked',$_REQUEST) && $_REQUEST['locked'] > 0 && $ticketvalidation == TRUE)
{
csrf_check('admactlock');
$memid = $_REQUEST['userid'] = intval($_REQUEST['locked']);
@@ -2878,9 +2913,13 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
$row = mysql_fetch_assoc(mysql_query($query));
$ver = !$row['locked'];
mysql_query("update `users` set `locked`='$ver' where `id`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change locked status',$ticketno);
+ }elseif($id == 43 && array_key_exists('locked',$_REQUEST) && $_REQUEST['locked'] > 0 && $ticketvalidation == FALSE){
+ $_REQUEST['userid'] = intval($_REQUEST['locked']);
+ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
}
- if($id == 43 && array_key_exists('codesign',$_REQUEST) && $_REQUEST['codesign'] > 0)
+ if($id == 43 && array_key_exists('codesign',$_REQUEST) && $_REQUEST['codesign'] > 0 && $ticketvalidation == TRUE)
{
csrf_check('admcodesign');
$memid = $_REQUEST['userid'] = intval($_REQUEST['codesign']);
@@ -2888,9 +2927,13 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
$row = mysql_fetch_assoc(mysql_query($query));
$ver = !$row['codesign'];
mysql_query("update `users` set `codesign`='$ver' where `id`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change codesign status',$ticketno);
+ }elseif($id == 43 && array_key_exists('codesign',$_REQUEST) && $_REQUEST['codesign'] > 0 && $ticketvalidation == FALSE){
+ $_REQUEST['userid'] = intval($_REQUEST['codesign']);
+ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
}
- if($id == 43 && array_key_exists('orgadmin',$_REQUEST) && $_REQUEST['orgadmin'] > 0)
+ if($id == 43 && array_key_exists('orgadmin',$_REQUEST) && $_REQUEST['orgadmin'] > 0 && $ticketvalidation == TRUE)
{
csrf_check('admorgadmin');
$memid = $_REQUEST['userid'] = intval($_REQUEST['orgadmin']);
@@ -2898,9 +2941,13 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
$row = mysql_fetch_assoc(mysql_query($query));
$ver = !$row['orgadmin'];
mysql_query("update `users` set `orgadmin`='$ver' where `id`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change org assuer status',$ticketno);
+ }elseif($id == 43 && array_key_exists('orgadmin',$_REQUEST) && $_REQUEST['orgadmin'] > 0 && $ticketvalidation == FALSE){
+ $_REQUEST['userid'] = intval($_REQUEST['orgadmin']);
+ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
}
- if($id == 43 && array_key_exists('ttpadmin',$_REQUEST) && $_REQUEST['ttpadmin'] > 0)
+ if($id == 43 && array_key_exists('ttpadmin',$_REQUEST) && $_REQUEST['ttpadmin'] > 0 && $ticketvalidation == TRUE)
{
csrf_check('admttpadmin');
$memid = $_REQUEST['userid'] = intval($_REQUEST['ttpadmin']);
@@ -2908,9 +2955,13 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
$row = mysql_fetch_assoc(mysql_query($query));
$ver = !$row['ttpadmin'];
mysql_query("update `users` set `ttpadmin`='$ver' where `id`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change ttp admin status',$ticketno);
+ }elseif($id == 43 && array_key_exists('ttpadmin',$_REQUEST) && $_REQUEST['ttpadmin'] > 0 && $ticketvalidation == FALSE){
+ $_REQUEST['userid'] = intval($_REQUEST['ttpadmin']);
+ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
}
- if($id == 43 && array_key_exists('adadmin',$_REQUEST) && $_REQUEST['adadmin'] > 0)
+ if($id == 43 && array_key_exists('adadmin',$_REQUEST) && $_REQUEST['adadmin'] > 0 && $ticketvalidation == TRUE)
{
$memid = $_REQUEST['userid'] = intval($_REQUEST['adadmin']);
$query = "select * from `users` where `id`='$memid'";
@@ -2919,18 +2970,26 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
if($ver > 2)
$ver = 0;
mysql_query("update `users` set `adadmin`='$ver' where `id`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change advertising admin status',$ticketno);
+ }elseif($id == 43 && array_key_exists('adadmin',$_REQUEST) && $_REQUEST['adadmin'] > 0 && $ticketvalidation == FALSE){
+ $_REQUEST['userid'] = intval($_REQUEST['adadmin']);
+ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
}
- if($id == 43 && array_key_exists('locadmin',$_REQUEST) && $_REQUEST['locadmin'] > 0)
+ if($id == 43 && array_key_exists('locadmin',$_REQUEST) && $_REQUEST['locadmin'] > 0 && $ticketvalidation == TRUE)
{
$memid = $_REQUEST['userid'] = intval($_REQUEST['locadmin']);
$query = "select * from `users` where `id`='$memid'";
$row = mysql_fetch_assoc(mysql_query($query));
$ver = !$row['locadmin'];
mysql_query("update `users` set `locadmin`='$ver' where `id`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change location admin status',$ticketno);
+ }elseif($id == 43 && array_key_exists('locadmin',$_REQUEST) && $_REQUEST['locadmin'] > 0 && $ticketvalidation == FALSE){
+ $_REQUEST['userid'] = intval($_REQUEST['locadmin']);
+ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
}
- if($id == 43 && array_key_exists('admin',$_REQUEST) && $_REQUEST['admin'] > 0)
+ if($id == 43 && array_key_exists('admin',$_REQUEST) && $_REQUEST['admin'] > 0 && $ticketvalidation == TRUE)
{
csrf_check('admsetadmin');
$memid = $_REQUEST['userid'] = intval($_REQUEST['admin']);
@@ -2938,42 +2997,62 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
$row = mysql_fetch_assoc(mysql_query($query));
$ver = !$row['admin'];
mysql_query("update `users` set `admin`='$ver' where `id`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change SE status',$ticketno);
+ }elseif($id == 43 && array_key_exists('admin',$_REQUEST) && $_REQUEST['admin'] > 0 && $ticketvalidation == FALSE){
+ $_REQUEST['userid'] = intval($_REQUEST['admin']);
+ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
}
- if($id == 43 && array_key_exists('general',$_REQUEST) && $_REQUEST['general'] > 0)
+ if($id == 43 && array_key_exists('general',$_REQUEST) && $_REQUEST['general'] > 0 && $ticketvalidation == TRUE)
{
$memid = $_REQUEST['userid'] = intval($_REQUEST['general']);
$query = "select * from `alerts` where `memid`='$memid'";
$row = mysql_fetch_assoc(mysql_query($query));
$ver = !$row['general'];
mysql_query("update `alerts` set `general`='$ver' where `memid`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change general status',$ticketno);
+ }elseif($id == 43 && array_key_exists('general',$_REQUEST) && $_REQUEST['general'] > 0 && $ticketvalidation == FALSE){
+ $_REQUEST['userid'] = intval($_REQUEST['general']);
+ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
}
- if($id == 43 && array_key_exists('country',$_REQUEST) && $_REQUEST['country'] > 0)
+ if($id == 43 && array_key_exists('country',$_REQUEST) && $_REQUEST['country'] > 0 && $ticketvalidation == TRUE)
{
$memid = $_REQUEST['userid'] = intval($_REQUEST['country']);
$query = "select * from `alerts` where `memid`='$memid'";
$row = mysql_fetch_assoc(mysql_query($query));
$ver = !$row['country'];
mysql_query("update `alerts` set `country`='$ver' where `memid`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change country status',$ticketno);
+ }elseif($id == 43 && array_key_exists('country',$_REQUEST) && $_REQUEST['country'] > 0 && $ticketvalidation == FALSE){
+ $_REQUEST['userid'] = intval($_REQUEST['country']);
+ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
}
- if($id == 43 && array_key_exists('regional',$_REQUEST) && $_REQUEST['regional'] > 0)
+ if($id == 43 && array_key_exists('regional',$_REQUEST) && $_REQUEST['regional'] > 0 && $ticketvalidation == TRUE)
{
$memid = $_REQUEST['userid'] = intval($_REQUEST['regional']);
$query = "select * from `alerts` where `memid`='$memid'";
$row = mysql_fetch_assoc(mysql_query($query));
$ver = !$row['regional'];
mysql_query("update `alerts` set `regional`='$ver' where `memid`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change regional status',$ticketno);
+ }elseif($id == 43 && array_key_exists('regional',$_REQUEST) && $_REQUEST['regional'] > 0 && $ticketvalidation == FALSE){
+ $_REQUEST['userid'] = intval($_REQUEST['regional']);
+ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
}
- if($id == 43 && array_key_exists('radius',$_REQUEST) && $_REQUEST['radius'] > 0)
+ if($id == 43 && array_key_exists('radius',$_REQUEST) && $_REQUEST['radius'] > 0 && $ticketvalidation == TRUE)
{
$memid = $_REQUEST['userid'] = intval($_REQUEST['radius']);
$query = "select * from `alerts` where `memid`='$memid'";
$row = mysql_fetch_assoc(mysql_query($query));
$ver = !$row['radius'];
mysql_query("update `alerts` set `radius`='$ver' where `memid`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change radius status',$ticketno);
+ }elseif($id == 43 && array_key_exists('radius',$_REQUEST) && $_REQUEST['radius'] > 0 && $ticketvalidation == false){
+ $_REQUEST['userid'] = intval($_REQUEST['radius']);
+ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
}
if($id == 50)
@@ -2997,25 +3076,57 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
if($oldid == 50 && $process != "")
{
$_REQUEST['userid'] = intval($_REQUEST['userid']);
- $res = mysql_query("select * from `users` where `id`='".intval($_REQUEST['userid'])."'");
- if(mysql_num_rows($res) > 0)
- {
- $query = "update `domaincerts`,`domains` SET `domaincerts`.`revoked`='1970-01-01 10:00:01'
- WHERE `domaincerts`.`domid` = `domains`.`id` AND `domains`.`memid`='".intval($_REQUEST['userid'])."'";
- mysql_query($query);
- $query = "update `domains` SET `deleted`=NOW() WHERE `domains`.`memid`='".intval($_REQUEST['userid'])."'";
- mysql_query($query);
- $query = "update `emailcerts` SET `revoked`='1970-01-01 10:00:01' WHERE `memid`='".intval($_REQUEST['userid'])."'";
- mysql_query($query);
- $query = "update `email` SET `deleted`=NOW() WHERE `memid`='".intval($_REQUEST['userid'])."'";
- mysql_query($query);
- $query = "delete from `org` WHERE `memid`='".intval($_REQUEST['userid'])."'";
- mysql_query($query);
- $query = "update `users` SET `deleted`=NOW() WHERE `id`='".intval($_REQUEST['userid'])."'";
- mysql_query($query);
+ if (trim($_REQUEST['arbitrationno'])==""){
+ showheader(_("My CAcert.org Account!"));
+ echo _("You did not enter an arbitration number entry.");
+ printf('<br/><a href="account.php?id=43&amp;userid=' . $_REQUEST['userid'] . '">' . _('Back to previous page.') .'</a>');
+ showfooter();
+ exit;
+ }
+ if ( 1 !== preg_match('/^[a-z]\d{8}\.\d+\.\d+$/i',trim($_REQUEST['arbitrationno'])) ) {
+ showheader(_("My CAcert.org Account!"));
+ printf(_("'%s' is not a valid arbitration number entry."), sanitizeHTML(trim($_REQUEST['arbitrationno'])));
+ printf('<br/><a href="account.php?id=43&amp;userid=' . $_REQUEST['userid'] . '">' . _('Back to previous page.') .'</a>');
+ showfooter();
+ exit;
+ }
+ if (check_email_exists(trim($_REQUEST['arbitrationno']).'@cacert.org')) {
+ showheader(_("My CAcert.org Account!"));
+ printf(_("The email address '%s' is already in a different account. Can't continue."), sanitizeHTML($_REQUEST['arbitrationno'].'@cacert.org'));
+ printf('<br/><a href="account.php?id=43&amp;userid=' . $_REQUEST['userid'] . '">' . _('Back to previous page.') .'</a>');
+ showfooter();
+ exit;
+ }
+ if (check_client_cert_running($_REQUEST['userid'],1) ||
+ check_server_cert_running($_REQUEST['userid'],1) ||
+ check_gpg_cert_running($_REQUEST['userid'],1)) {
+ showheader(_("My CAcert.org Account!"));
+ printf(_("The CCA retention time for at least one certificate is not over. Can't continue."));
+ printf('<br/><a href="account.php?id=43&amp;userid=' . $_REQUEST['userid'] . '">' . _('Back to previous page.') .'</a>');
+ showfooter();
+ exit;
+ }
+ if (check_is_orgadmin($_REQUEST['userid'],1)) {
+ showheader(_("My CAcert.org Account!"));
+ printf(_("The user is listed as Organisation Administrator. Can't continue."));
+ printf('<br/><a href="account.php?id=43&amp;userid=' . $_REQUEST['userid'] . '">' . _('Back to previous page.') .'</a>');
+ showfooter();
+ exit;
}
+ account_delete($_REQUEST['userid'], trim($_REQUEST['arbitrationno']), $_SESSION['profile']['id']);
+ write_se_log($_REQUEST['userid'], $_SESSION['profile']['id'], 'SE Account delete', trim($_REQUEST['arbitrationno']));
+ }
+
+ if(($id == 51 || $id == 52 || $oldid == 52))
+ {
+ showheader(_("My CAcert.org Account!"));
+ echo _("You don't have access to this area.\nThe Tverify programme is terminated as of 16th November 2010" );
+ showfooter();
+ exit;
}
+ /* this area not needed as the The Tverify programme is Terminated as of 16th November 2010
+
if(($id == 51 || $id == 52 || $oldid == 52) && $_SESSION['profile']['tverify'] <= 0)
{
showheader(_("My CAcert.org Account!"));
@@ -3023,7 +3134,6 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
showfooter();
exit;
}
-
if($oldid == 52)
{
$uid = intval($_REQUEST['uid']);
@@ -3129,6 +3239,21 @@ echo "update `domaincerts` set `description`='$comment' where `id`='$cid' and `m
showfooter();
exit;
}
+ */
+ if($id == 59){
+ if ($oldid == 43 && $_SESSION['profile']['admin'] == 1) {
+ write_se_log($_REQUEST['userid'], $_SESSION['profile']['id'], 'SE View account history', $_REQUEST['ticketno']);
+ $_SESSION['support']=1;
+ }ELSEIF ($oldid == 13 && $_REQUEST['userid'] == $_SESSION['profile']['id']){
+ $_SESSION['support']=0;
+ }ELSE{
+ showheader(_("My CAcert.org Account!"));
+ echo _("You do not have access to this page.");
+ showfooter();
+ exit;
+ }
+ }
+
if(intval($cert) > 0)
$_SESSION['_config']['cert'] = intval($cert);