summaryrefslogtreecommitdiff
path: root/includes
diff options
context:
space:
mode:
Diffstat (limited to 'includes')
-rw-r--r--includes/account.php867
-rw-r--r--includes/account_stuff.php367
-rw-r--r--includes/general.php84
-rw-r--r--includes/keygen.php128
-rw-r--r--includes/lib/account.php85
-rw-r--r--includes/lib/check_weak_key.php318
-rw-r--r--includes/lib/general.php115
-rw-r--r--includes/loggedin.php51
-rw-r--r--includes/mysql.php.sample5
-rw-r--r--includes/notary.inc.php1532
-rw-r--r--includes/wot.inc.php539
11 files changed, 2710 insertions, 1381 deletions
diff --git a/includes/account.php b/includes/account.php
index 9d48e73..ec109ae 100644
--- a/includes/account.php
+++ b/includes/account.php
@@ -10,13 +10,15 @@
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
require_once("../includes/loggedin.php");
require_once("../includes/lib/l10n.php");
+ require_once("../includes/lib/check_weak_key.php");
+ require_once("../includes/notary.inc.php");
loadem("account");
@@ -71,14 +73,19 @@ function buildSubjectFromSession() {
return buildSubject(array_unique($domains));
}
- $id = 0; if(array_key_exists("id",$_REQUEST)) $id=intval($_REQUEST['id']);
- $oldid = 0; if(array_key_exists("oldid",$_REQUEST)) $oldid=intval($_REQUEST['oldid']);
- $process = ""; if(array_key_exists("process",$_REQUEST)) $process=$_REQUEST['process'];
+ $id = array_key_exists("id",$_REQUEST) ? intval($_REQUEST['id']) : 0;
+ $oldid = array_key_exists("oldid",$_REQUEST) ? intval($_REQUEST['oldid']) : 0;
+ $process = array_key_exists("process",$_REQUEST) ? $_REQUEST['process'] : "";
+// $showdetalis refers to Secret Question and Answers from account/13.php
+ $showdetails = array_key_exists("showdetails",$_REQUEST) ? intval($_REQUEST['showdetails']) : 0;
- $cert=0; if(array_key_exists('cert',$_REQUEST)) $cert=intval($_REQUEST['cert']);
- $orgid=0; if(array_key_exists('orgid',$_REQUEST)) $orgid=intval($_REQUEST['orgid']);
- $memid=0; if(array_key_exists('memid',$_REQUEST)) $memid=intval($_REQUEST['memid']);
- $domid=0; if(array_key_exists('domid',$_REQUEST)) $domid=intval($_REQUEST['domid']);
+ $cert = array_key_exists('cert',$_REQUEST) ? intval($_REQUEST['cert']) : 0;
+ $orgid = array_key_exists('orgid',$_REQUEST) ? intval($_REQUEST['orgid']) : 0;
+ $memid = array_key_exists('memid',$_REQUEST) ? intval($_REQUEST['memid']) : 0;
+ $domid = array_key_exists('domid',$_REQUEST) ? intval($_REQUEST['domid']) : 0;
+ $ticketno = array_key_exists('ticketno',$_REQUEST) ? $_REQUEST['ticketno'] : "";
+ $ticketvalidation = FALSE;
+ $actionrequest = array_key_exists('action',$_REQUEST) ? $_REQUEST['action'] : "";
if(!$_SESSION['mconn'])
@@ -120,9 +127,7 @@ function buildSubjectFromSession() {
}
$oldid=0;
$_REQUEST['email'] = trim(mysql_real_escape_string(stripslashes($_REQUEST['newemail'])));
- $query = "select * from `email` where `email`='".$_REQUEST['email']."' and `deleted`=0";
- $res = mysql_query($query);
- if(mysql_num_rows($res) > 0)
+ if(check_email_exists($_REQUEST['email'])==true)
{
showheader(_("My CAcert.org Account!"));
printf(_("The email address '%s' is already in a different account. Can't continue."), sanitizeHTML($_REQUEST['email']));
@@ -133,7 +138,7 @@ function buildSubjectFromSession() {
if($checkemail != "OK")
{
showheader(_("My CAcert.org Account!"));
- if (substr($checkemail, 0, 1) == "4")
+ if (substr($checkemail, 0, 1) == "4")
{
echo "<p>"._("The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as greylisting. Please try again in a few minutes.")."</p>\n";
} else {
@@ -174,9 +179,9 @@ function buildSubjectFromSession() {
exit;
}
$row = mysql_fetch_assoc($res);
- $body = sprintf(_("Hi %s,"),$_SESSION['profile']['fname'])."\n";
- $body .= _("You are receiving this email because you or someone else")."\n";
- $body .= _("has changed the default email on your account.")."\n\n";
+ $body = sprintf(_("Hi %s,"),$_SESSION['profile']['fname'])."\n\n";
+ $body .= _("You are receiving this email because you or someone else ".
+ "has changed the default email on your account.")."\n\n";
$body .= _("Best regards")."\n"._("CAcert.org Support!");
@@ -200,8 +205,13 @@ function buildSubjectFromSession() {
$delcount = 0;
if(array_key_exists('delid',$_REQUEST) && is_array($_REQUEST['delid']))
{
+ $deltitle=false;
foreach($_REQUEST['delid'] as $id)
{
+ if (!$deltitle) {
+ echo _('The following email addresses have been removed:')."<br>\n";
+ $deltitle=true;
+ }
$id = intval($id);
$query = "select * from `email` where `id`='$id' and `memid`='".intval($_SESSION['profile']['id'])."' and
`email`!='".$_SESSION['profile']['email']."'";
@@ -210,17 +220,7 @@ function buildSubjectFromSession() {
{
$row = mysql_fetch_assoc($res);
echo $row['email']."<br>\n";
- $query = "select `emailcerts`.`id`
- from `emaillink`,`emailcerts` where
- `emailid`='$id' and `emaillink`.`emailcertsid`=`emailcerts`.`id` and
- `revoked`=0 and UNIX_TIMESTAMP(`expire`)-UNIX_TIMESTAMP() > 0
- group by `emailcerts`.`id`";
- $dres = mysql_query($query);
- while($drow = mysql_fetch_assoc($dres))
- mysql_query("update `emailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='".$drow['id']."'");
-
- $query = "update `email` set `deleted`=NOW() where `id`='$id'";
- mysql_query($query);
+ account_email_delete($row['id']);
$delcount++;
}
}
@@ -229,11 +229,9 @@ function buildSubjectFromSession() {
{
echo _("You did not select any email accounts for removal.");
}
- if($delcount > 0)
+ if(0 == $delcount)
{
- echo _("The following accounts have been removed:")."<br>\n";
- } else {
- echo _("You failed to select any accounts to be removed, or you attempted to remove the default account. No action was taken.");
+ echo _("You did not select any accounts to be removed, or you attempted to remove the default account. No action was taken.");
}
showfooter();
@@ -242,6 +240,14 @@ function buildSubjectFromSession() {
if($process != "" && $oldid == 3)
{
+ if(!array_key_exists('CCA',$_REQUEST))
+ {
+ showheader(_("My CAcert.org Account!"));
+ echo _("You did not accept the CAcert Community Agreement (CCA), hit the back button and try again.");
+ showfooter();
+ exit;
+ }
+
if(!(array_key_exists('addid',$_REQUEST) && is_array($_REQUEST['addid'])) && $_REQUEST['SSO'] != '1')
{
showheader(_("My CAcert.org Account!"));
@@ -290,6 +296,11 @@ function buildSubjectFromSession() {
$_REQUEST['keytype'] = "MS";
$csr = clean_csr($_REQUEST['optionalCSR']);
}
+ if(trim($_REQUEST['description']) != ""){
+ $_SESSION['_config']['description']= trim(mysql_real_escape_string(stripslashes($_REQUEST['description'])));
+ }else{
+ $_SESSION['_config']['description']= "";
+ }
}
if($oldid == 4)
@@ -366,14 +377,17 @@ function buildSubjectFromSession() {
exit;
}
+ write_user_agreement(intval($_SESSION['profile']['id']), "CCA", "certificate creation", "", 1);
+
$query = "insert into emailcerts set
- `CN`='$defaultemail',
+ `CN`='$defaultemail',
`keytype`='NS',
`memid`='".intval($_SESSION['profile']['id'])."',
`created`=FROM_UNIXTIME(UNIX_TIMESTAMP()),
`codesign`='".intval($_SESSION['_config']['codesign'])."',
`disablelogin`='".($_SESSION['_config']['disablelogin']?1:0)."',
- `rootcert`='".intval($_SESSION['_config']['rootcert'])."'";
+ `rootcert`='".intval($_SESSION['_config']['rootcert'])."',
+ `description`='".$_SESSION['_config']['description']."'";
mysql_query($query);
$emailid = mysql_insert_id();
if(is_array($addys))
@@ -384,15 +398,15 @@ function buildSubjectFromSession() {
fputs($fp, $emails);
fclose($fp);
$challenge=$_SESSION['spkac_hash'];
- $res=`openssl spkac -verify -in $CSRname`;
- if(!strstr($res,"Challenge String: ".$challenge))
- {
- $id = $oldid;
- showheader(_("My CAcert.org Account!"));
- echo _("The challenge-response code of your certificate request did not match. Can't continue with certificaterequest.");
- showfooter();
- exit;
- }
+ $res=`openssl spkac -verify -in $CSRname`;
+ if(!strstr($res,"Challenge String: ".$challenge))
+ {
+ $id = $oldid;
+ showheader(_("My CAcert.org Account!"));
+ echo _("The challenge-response code of your certificate request did not match. Can't continue with certificaterequest.");
+ showfooter();
+ exit;
+ }
mysql_query("update `emailcerts` set `csr_name`='$CSRname' where `id`='".intval($emailid)."'");
} else if($_REQUEST['keytype'] == "MS" || $_REQUEST['keytype'] == "VI") {
if($csr == "")
@@ -417,8 +431,8 @@ function buildSubjectFromSession() {
$csrsubject="";
$user = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".intval($_SESSION['profile']['id'])."'"));
- if(strlen($user['mname']) == 1)
- $user['mname'] .= '.';
+ if(strlen($user['mname']) == 1)
+ $user['mname'] .= '.';
if($_SESSION['_config']['incname'] <= 0 || $_SESSION['_config']['incname'] > 4)
$csrsubject = "/CN=CAcert WoT User";
if($_SESSION['_config']['incname'] == 1)
@@ -465,14 +479,16 @@ function buildSubjectFromSession() {
showfooter();
exit;
}
- $query = "insert into emailcerts set
- `CN`='$defaultemail',
+ $query = "insert into emailcerts set
+ `CN`='$defaultemail',
`keytype`='".sanitizeHTML($_REQUEST['keytype'])."',
`memid`='".$_SESSION['profile']['id']."',
`created`=FROM_UNIXTIME(UNIX_TIMESTAMP()),
`subject`='".mysql_real_escape_string($csrsubject)."',
`codesign`='".$_SESSION['_config']['codesign']."',
- `rootcert`='".$_SESSION['_config']['rootcert']."'";
+ `disablelogin`='".($_SESSION['_config']['disablelogin']?1:0)."',
+ `rootcert`='".$_SESSION['_config']['rootcert']."',
+ `description`='".$_SESSION['_config']['description']."'";
mysql_query($query);
$emailid = mysql_insert_id();
if(is_array($addys))
@@ -506,10 +522,10 @@ function buildSubjectFromSession() {
csrf_check("adddomain");
if(strstr($_REQUEST['newdomain'],"\x00"))
{
- showheader(_("My CAcert.org Account!"));
- echo _("Due to the possibility for nullbyte domain exploits we currently do not allow any domain names with nullbytes.");
- showfooter();
- exit;
+ showheader(_("My CAcert.org Account!"));
+ echo _("Due to the possibility for nullbyte domain exploits we currently do not allow any domain names with nullbytes.");
+ showfooter();
+ exit;
}
list($newdomain) = explode(" ", $_REQUEST['newdomain'], 2); // Ignore the rest
@@ -624,7 +640,7 @@ function buildSubjectFromSession() {
{
showheader(_("My CAcert.org Account!"));
//echo "<p>"._("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid")."</p>\n";
- if (substr($checkemail, 0, 1) == "4")
+ if (substr($checkemail, 0, 1) == "4")
{
echo "<p>"._("The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as greylisting. Please try again in a few minutes.")."</p>\n";
} else {
@@ -671,11 +687,9 @@ function buildSubjectFromSession() {
{
$row = mysql_fetch_assoc($res);
echo $row['domain']."<br>\n";
- mysql_query("update `domains` set `deleted`=NOW() where `id`='$id'");
- $dres = mysql_query("select * from `domlink` where `domid`='$id'");
- while($drow = mysql_fetch_assoc($dres))
- mysql_query("update `domaincerts` set `revoked`='1970-01-01 10:00:01' where `id`='".$drow['certid']."' and `revoked`=0 and UNIX_TIMESTAMP(`expire`)-UNIX_TIMESTAMP() > 0");
+ account_domain_delete($row['id']);
}
+
}
}
else
@@ -689,11 +703,19 @@ function buildSubjectFromSession() {
if($process != "" && $oldid == 10)
{
+ if(!array_key_exists('CCA',$_REQUEST))
+ {
+ showheader(_("My CAcert.org Account!"));
+ echo _("You did not accept the CAcert Community Agreement (CCA), hit the back button and try again.");
+ showfooter();
+ exit;
+ }
+
$CSR = clean_csr($_REQUEST['CSR']);
if(strpos($CSR,"---BEGIN")===FALSE)
{
- // In case the CSR is missing the ---BEGIN lines, add them automatically:
- $CSR = "-----BEGIN CERTIFICATE REQUEST-----\n".$CSR."\n-----END CERTIFICATE REQUEST-----\n";
+ // In case the CSR is missing the ---BEGIN lines, add them automatically:
+ $CSR = "-----BEGIN CERTIFICATE REQUEST-----\n".$CSR."\n-----END CERTIFICATE REQUEST-----\n";
}
if (($weakKey = checkWeakKeyCSR($CSR)) !== "")
@@ -704,6 +726,12 @@ function buildSubjectFromSession() {
exit;
}
+ if(trim($_REQUEST['description']) != ""){
+ $_SESSION['_config']['description']= trim(mysql_real_escape_string(stripslashes($_REQUEST['description'])));
+ }else{
+ $_SESSION['_config']['description']= "";
+ }
+
$_SESSION['_config']['tmpfname'] = tempnam("/tmp", "id10CSR");
$fp = fopen($_SESSION['_config']['tmpfname'], "w");
fputs($fp, $CSR);
@@ -772,19 +800,23 @@ function buildSubjectFromSession() {
if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2)
$_SESSION['_config']['rootcert'] = 1;
+ write_user_agreement(intval($_SESSION['profile']['id']), "CCA", "certificate creation", "", 1);
+
if(array_key_exists('0',$_SESSION['_config']['rowid']) && $_SESSION['_config']['rowid']['0'] > 0)
{
- $query = "insert into `domaincerts` set
+ $query = "insert into `domaincerts` set
`CN`='".mysql_real_escape_string($_SESSION['_config']['rows']['0'])."',
`domid`='".mysql_real_escape_string($_SESSION['_config']['rowid']['0'])."',
`created`=NOW(),`subject`='".mysql_real_escape_string($subject)."',
- `rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."'";
+ `rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."',
+ `description`='".$_SESSION['_config']['description']."'";
} elseif(array_key_exists('0',$_SESSION['_config']['altid']) && $_SESSION['_config']['altid']['0'] > 0) {
- $query = "insert into `domaincerts` set
+ $query = "insert into `domaincerts` set
`CN`='".mysql_real_escape_string($_SESSION['_config']['altrows']['0'])."',
`domid`='".mysql_real_escape_string($_SESSION['_config']['altid']['0'])."',
`created`=NOW(),`subject`='".mysql_real_escape_string($subject)."',
- `rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."'";
+ `rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."',
+ `description`='".$_SESSION['_config']['description']."'";
} else {
showheader(_("My CAcert.org Account!"));
echo _("Domain not verified.");
@@ -856,16 +888,17 @@ function buildSubjectFromSession() {
}
mysql_query("update `domaincerts` set `renewed`='1' where `id`='$id'");
- $query = "insert into `domaincerts` set
- `domid`='".$row['domid']."',
+ $query = "insert into `domaincerts` set
+ `domid`='".$row['domid']."',
`CN`='".mysql_real_escape_string($row['CN'])."',
`subject`='".mysql_real_escape_string($row['subject'])."',".
//`csr_name`='".$row['csr_name']."', // RACE CONDITION
"`created`='".$row['created']."',
- `modified`=NOW(),
+ `modified`=NOW(),
`rootcert`='".$row['rootcert']."',
`type`='".$row['type']."',
- `pkhash`='".$row['pkhash']."'";
+ `pkhash`='".$row['pkhash']."',
+ `description`='".$row['description']."'";
mysql_query($query);
$newid = mysql_insert_id();
$newfile=generatecertpath("csr","server",$newid);
@@ -925,7 +958,7 @@ function buildSubjectFromSession() {
foreach($_REQUEST['revokeid'] as $id)
{
$id = intval($id);
- $query = "select *,UNIX_TIMESTAMP(`domaincerts`.`revoked`) as `revoke` from `domaincerts`,`domains`
+ $query = "select *,UNIX_TIMESTAMP(`domaincerts`.`revoked`) as `revoke` from `domaincerts`,`domains`
where `domaincerts`.`id`='$id' and
`domaincerts`.`domid`=`domains`.`id` and
`domains`.`memid`='".$_SESSION['profile']['id']."'";
@@ -956,7 +989,7 @@ function buildSubjectFromSession() {
foreach($_REQUEST['delid'] as $id)
{
$id = intval($id);
- $query = "select *,UNIX_TIMESTAMP(`domaincerts`.`expire`) as `expired` from `domaincerts`,`domains`
+ $query = "select *,UNIX_TIMESTAMP(`domaincerts`.`expire`) as `expired` from `domaincerts`,`domains`
where `domaincerts`.`id`='$id' and
`domaincerts`.`domid`=`domains`.`id` and
`domains`.`memid`='".$_SESSION['profile']['id']."'";
@@ -982,6 +1015,24 @@ function buildSubjectFromSession() {
exit;
}
+ if($oldid == 12 && array_key_exists('change',$_REQUEST) && $_REQUEST['change'] != "")
+ {
+ showheader(_("My CAcert.org Account!"));
+ foreach($_REQUEST as $id => $val)
+ {
+ if(substr($id,0,14)=="check_comment_")
+ {
+ $cid = intval(substr($id,14));
+ $comment=trim(mysql_real_escape_string(stripslashes($_REQUEST['comment_'.$cid])));
+ mysql_query("update `domaincerts` set `description`='$comment' where `id`='$cid'");
+ }
+ }
+ echo(_("Certificate settings have been changed.")."<br/>\n");
+ showfooter();
+ exit;
+ }
+
+
if($oldid == 5 && array_key_exists('renew',$_REQUEST) && $_REQUEST['renew'] != "")
{
showheader(_("My CAcert.org Account!"));
@@ -991,7 +1042,7 @@ function buildSubjectFromSession() {
foreach($_REQUEST['revokeid'] as $id)
{
$id = intval($id);
- $query = "select *,UNIX_TIMESTAMP(`revoked`) as `revoke` from `emailcerts`
+ $query = "select *,UNIX_TIMESTAMP(`revoked`) as `revoke` from `emailcerts`
where `id`='$id' and `memid`='".$_SESSION['profile']['id']."'";
$res = mysql_query($query);
if(mysql_num_rows($res) <= 0)
@@ -1010,17 +1061,18 @@ function buildSubjectFromSession() {
}
mysql_query("update `emailcerts` set `renewed`='1' where `id`='$id'");
- $query = "insert into emailcerts set
- `memid`='".$row['memid']."',
+ $query = "insert into emailcerts set
+ `memid`='".$row['memid']."',
`CN`='".mysql_real_escape_string($row['CN'])."',
`subject`='".mysql_real_escape_string($row['subject'])."',
- `keytype`='".$row['keytype']."',
- `csr_name`='".$row['csr_name']."',
- `created`='".$row['created']."',
+ `keytype`='".$row['keytype']."',
+ `csr_name`='".$row['csr_name']."',
+ `created`='".$row['created']."',
`modified`=NOW(),
`disablelogin`='".$row['disablelogin']."',
`codesign`='".$row['codesign']."',
- `rootcert`='".$row['rootcert']."'";
+ `rootcert`='".$row['rootcert']."',
+ `description`='".$row['description']."'";
mysql_query($query);
$newid = mysql_insert_id();
$newfile=generatecertpath("csr","client",$newid);
@@ -1064,7 +1116,7 @@ function buildSubjectFromSession() {
foreach($_REQUEST['revokeid'] as $id)
{
$id = intval($id);
- $query = "select *,UNIX_TIMESTAMP(`revoked`) as `revoke` from `emailcerts`
+ $query = "select *,UNIX_TIMESTAMP(`revoked`) as `revoke` from `emailcerts`
where `id`='$id' and `memid`='".$_SESSION['profile']['id']."'";
$res = mysql_query($query);
if(mysql_num_rows($res) <= 0)
@@ -1093,7 +1145,7 @@ function buildSubjectFromSession() {
foreach($_REQUEST['delid'] as $id)
{
$id = intval($id);
- $query = "select *,UNIX_TIMESTAMP(`expire`) as `expired` from `emailcerts`
+ $query = "select *,UNIX_TIMESTAMP(`expire`) as `expired` from `emailcerts`
where `id`='$id' and `memid`='".$_SESSION['profile']['id']."'";
$res = mysql_query($query);
if(mysql_num_rows($res) <= 0)
@@ -1119,27 +1171,30 @@ function buildSubjectFromSession() {
if($oldid == 5 && array_key_exists('change',$_REQUEST) && $_REQUEST['change'] != "")
{
- showheader(_("My CAcert.org Account!"));
- //echo _("Now changing the settings for the following certificates:")."<br>\n";
- foreach($_REQUEST as $id => $val)
- {
- //echo $id."<br/>";
- if(substr($id,0,5)=="cert_")
- {
- $id = intval(substr($id,5));
- $dis=(array_key_exists('disablelogin_'.$id,$_REQUEST) && $_REQUEST['disablelogin_'.$id]=="1")?"0":"1";
- //echo "$id -> ".$_REQUEST['disablelogin_'.$id]."<br/>\n";
- mysql_query("update `emailcerts` set `disablelogin`='$dis' where `id`='$id' and `memid`='".$_SESSION['profile']['id']."'");
- //$row = mysql_fetch_assoc($res);
- }
- }
- echo(_("Certificate settings have been changed.")."<br/>\n");
- showfooter();
- exit;
+ showheader(_("My CAcert.org Account!"));
+ foreach($_REQUEST as $id => $val)
+ {
+ if(substr($id,0,5)=="cert_")
+ {
+ $cid = intval(substr($id,5));
+ $dis=(array_key_exists('disablelogin_'.$cid,$_REQUEST) && $_REQUEST['disablelogin_'.$cid]=="1")?"0":"1";
+ mysql_query("update `emailcerts` set `disablelogin`='$dis' where `id`='$cid' and `memid`='".$_SESSION['profile']['id']."'");
+ }
+ if(substr($id,0,14)=="check_comment_")
+ {
+ $cid = intval(substr($id,14));
+ if(!empty($_REQUEST['check_comment_'.$cid])) {
+ $comment=trim(mysql_real_escape_string(stripslashes($_REQUEST['comment_'.$cid])));
+ mysql_query("update `emailcerts` set `description`='$comment' where `id`='$cid' and `memid`='".$_SESSION['profile']['id']."'");
+ }
+ }
+ }
+ echo(_("Certificate settings have been changed.")."<br/>\n");
+ showfooter();
+ exit;
}
-
- if($oldid == 13 && $process != "")
+ if($oldid == 13 && $process != "" && $showdetails!="")
{
csrf_check("perschange");
$_SESSION['_config']['user'] = $_SESSION['profile'];
@@ -1155,42 +1210,42 @@ function buildSubjectFromSession() {
$_SESSION['_config']['user']['A4'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['A4']))));
$_SESSION['_config']['user']['A5'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['A5']))));
- if($_SESSION['_config']['user']['Q1'] == $_SESSION['_config']['user']['Q2'] ||
- $_SESSION['_config']['user']['Q1'] == $_SESSION['_config']['user']['Q3'] ||
- $_SESSION['_config']['user']['Q1'] == $_SESSION['_config']['user']['Q4'] ||
- $_SESSION['_config']['user']['Q1'] == $_SESSION['_config']['user']['Q5'] ||
- $_SESSION['_config']['user']['Q2'] == $_SESSION['_config']['user']['Q3'] ||
- $_SESSION['_config']['user']['Q2'] == $_SESSION['_config']['user']['Q4'] ||
- $_SESSION['_config']['user']['Q2'] == $_SESSION['_config']['user']['Q5'] ||
- $_SESSION['_config']['user']['Q3'] == $_SESSION['_config']['user']['Q4'] ||
- $_SESSION['_config']['user']['Q3'] == $_SESSION['_config']['user']['Q5'] ||
- $_SESSION['_config']['user']['Q4'] == $_SESSION['_config']['user']['Q5'] ||
- $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q1'] ||
- $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q2'] ||
- $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q3'] ||
- $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q4'] ||
- $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q5'] ||
- $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['Q3'] ||
- $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['Q4'] ||
- $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['Q5'] ||
- $_SESSION['_config']['user']['A3'] == $_SESSION['_config']['user']['Q4'] ||
- $_SESSION['_config']['user']['A3'] == $_SESSION['_config']['user']['Q5'] ||
- $_SESSION['_config']['user']['A4'] == $_SESSION['_config']['user']['Q5'] ||
- $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['A2'] ||
- $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['A3'] ||
- $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['A4'] ||
- $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['A5'] ||
- $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['A3'] ||
- $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['A4'] ||
- $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['A5'] ||
- $_SESSION['_config']['user']['A3'] == $_SESSION['_config']['user']['A4'] ||
- $_SESSION['_config']['user']['A3'] == $_SESSION['_config']['user']['A5'] ||
- $_SESSION['_config']['user']['A4'] == $_SESSION['_config']['user']['A5'])
- {
- $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 different password questions and answers. You aren't allowed to duplicate questions, set questions as answers or use the question as the answer.")."<br>\n";
- $id = $oldid;
+ if($_SESSION['_config']['user']['Q1'] == $_SESSION['_config']['user']['Q2'] ||
+ $_SESSION['_config']['user']['Q1'] == $_SESSION['_config']['user']['Q3'] ||
+ $_SESSION['_config']['user']['Q1'] == $_SESSION['_config']['user']['Q4'] ||
+ $_SESSION['_config']['user']['Q1'] == $_SESSION['_config']['user']['Q5'] ||
+ $_SESSION['_config']['user']['Q2'] == $_SESSION['_config']['user']['Q3'] ||
+ $_SESSION['_config']['user']['Q2'] == $_SESSION['_config']['user']['Q4'] ||
+ $_SESSION['_config']['user']['Q2'] == $_SESSION['_config']['user']['Q5'] ||
+ $_SESSION['_config']['user']['Q3'] == $_SESSION['_config']['user']['Q4'] ||
+ $_SESSION['_config']['user']['Q3'] == $_SESSION['_config']['user']['Q5'] ||
+ $_SESSION['_config']['user']['Q4'] == $_SESSION['_config']['user']['Q5'] ||
+ $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q1'] ||
+ $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q2'] ||
+ $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q3'] ||
+ $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q4'] ||
+ $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q5'] ||
+ $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['Q3'] ||
+ $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['Q4'] ||
+ $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['Q5'] ||
+ $_SESSION['_config']['user']['A3'] == $_SESSION['_config']['user']['Q4'] ||
+ $_SESSION['_config']['user']['A3'] == $_SESSION['_config']['user']['Q5'] ||
+ $_SESSION['_config']['user']['A4'] == $_SESSION['_config']['user']['Q5'] ||
+ $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['A2'] ||
+ $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['A3'] ||
+ $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['A4'] ||
+ $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['A5'] ||
+ $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['A3'] ||
+ $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['A4'] ||
+ $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['A5'] ||
+ $_SESSION['_config']['user']['A3'] == $_SESSION['_config']['user']['A4'] ||
+ $_SESSION['_config']['user']['A3'] == $_SESSION['_config']['user']['A5'] ||
+ $_SESSION['_config']['user']['A4'] == $_SESSION['_config']['user']['A5'])
+ {
+ $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 different password questions and answers. You aren't allowed to duplicate questions, set questions as answers or use the question as the answer.")."<br>\n";
+ $id = $oldid;
$oldid=0;
- }
+ }
if($_SESSION['_config']['user']['Q1'] == "" || $_SESSION['_config']['user']['Q2'] == "" ||
$_SESSION['_config']['user']['Q3'] == "" || $_SESSION['_config']['user']['Q4'] == "" ||
@@ -1204,7 +1259,7 @@ function buildSubjectFromSession() {
if($oldid == 13 && $process != "")
{
- $ddquery = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' group by `to`";
+ $ddquery = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' and `deleted`=0 group by `to`";
$ddres = mysql_query($ddquery);
$ddrow = mysql_fetch_assoc($ddres);
$_SESSION['profile']['points'] = $ddrow['total'];
@@ -1247,20 +1302,22 @@ function buildSubjectFromSession() {
where `id`='".$_SESSION['profile']['id']."'";
mysql_query($query);
}
- $query = "update `users` set `Q1`='".$_SESSION['_config']['user']['Q1']."',
- `Q2`='".$_SESSION['_config']['user']['Q2']."',
- `Q3`='".$_SESSION['_config']['user']['Q3']."',
- `Q4`='".$_SESSION['_config']['user']['Q4']."',
- `Q5`='".$_SESSION['_config']['user']['Q5']."',
- `A1`='".$_SESSION['_config']['user']['A1']."',
- `A2`='".$_SESSION['_config']['user']['A2']."',
- `A3`='".$_SESSION['_config']['user']['A3']."',
- `A4`='".$_SESSION['_config']['user']['A4']."',
- `A5`='".$_SESSION['_config']['user']['A5']."'
- where `id`='".$_SESSION['profile']['id']."'";
- mysql_query($query);
+ if ($showdetails!="") {
+ $query = "update `users` set `Q1`='".$_SESSION['_config']['user']['Q1']."',
+ `Q2`='".$_SESSION['_config']['user']['Q2']."',
+ `Q3`='".$_SESSION['_config']['user']['Q3']."',
+ `Q4`='".$_SESSION['_config']['user']['Q4']."',
+ `Q5`='".$_SESSION['_config']['user']['Q5']."',
+ `A1`='".$_SESSION['_config']['user']['A1']."',
+ `A2`='".$_SESSION['_config']['user']['A2']."',
+ `A3`='".$_SESSION['_config']['user']['A3']."',
+ `A4`='".$_SESSION['_config']['user']['A4']."',
+ `A5`='".$_SESSION['_config']['user']['A5']."'
+ where `id`='".$_SESSION['profile']['id']."'";
+ mysql_query($query);
+ }
- //!!!Should be rewritten
+ //!!!Should be rewritten
$_SESSION['_config']['user']['otphash'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['otphash']))));
$_SESSION['_config']['user']['otppin'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['otppin']))));
if($_SESSION['_config']['user']['otphash'] != "" && $_SESSION['_config']['user']['otppin'] != "")
@@ -1274,7 +1331,7 @@ function buildSubjectFromSession() {
$_SESSION['profile'] = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".$_SESSION['profile']['id']."'"));
$_SESSION['profile']['loggedin'] = 1;
- $ddquery = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' group by `to`";
+ $ddquery = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' and `deleted`=0 group by `to`";
$ddres = mysql_query($ddquery);
$ddrow = mysql_fetch_assoc($ddres);
$_SESSION['profile']['points'] = $ddrow['total'];
@@ -1333,9 +1390,9 @@ function buildSubjectFromSession() {
where `id`='".$_SESSION['profile']['id']."'");
echo '<h3>', _("Pass Phrase Changed Successfully"), '</h3>', "\n";
echo _("Your Pass Phrase has been updated and your primary email account has been notified of the change.");
- $body = sprintf(_("Hi %s,"),$_SESSION['profile']['fname'])."\n";
- $body .= _("You are receiving this email because you or someone else")."\n";
- $body .= _("has changed the password on your account.")."\n";
+ $body = sprintf(_("Hi %s,"),$_SESSION['profile']['fname'])."\n\n";
+ $body .= _("You are receiving this email because you or someone else ".
+ "has changed the password on your account.")."\n\n";
$body .= _("Best regards")."\n"._("CAcert.org Support!");
@@ -1373,6 +1430,13 @@ function buildSubjectFromSession() {
}
$_SESSION['_config']['name'] = mysql_real_escape_string(stripslashes(trim($_REQUEST['name'])));
$_SESSION['_config']['OU'] = mysql_real_escape_string(stripslashes(trim($_REQUEST['OU'])));
+
+
+ if(trim($_REQUEST['description']) != ""){
+ $_SESSION['_config']['description']= trim(mysql_real_escape_string(stripslashes($_REQUEST['description'])));
+ }else{
+ $_SESSION['_config']['description']= "";
+ }
}
if($oldid == 16 && (intval(count($_SESSION['_config']['emails'])) + 0) <= 0)
@@ -1401,6 +1465,12 @@ function buildSubjectFromSession() {
if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2)
$_SESSION['_config']['rootcert'] = 1;
+ if(trim($_REQUEST['description']) != ""){
+ $_SESSION['_config']['description']= trim(mysql_real_escape_string(stripslashes($_REQUEST['description'])));
+ }else{
+ $_SESSION['_config']['description']= "";
+ }
+
if(@count($_SESSION['_config']['emails']) > 0)
$id = 17;
}
@@ -1447,6 +1517,7 @@ function buildSubjectFromSession() {
if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2)
$_SESSION['_config']['rootcert'] = 1;
+
$emails .= "SPKAC = $spkac";
if (($weakKey = checkWeakKeySPKAC($emails)) !== "")
{
@@ -1457,13 +1528,15 @@ function buildSubjectFromSession() {
exit;
}
- $query = "insert into `orgemailcerts` set
- `CN`='$defaultemail',
+ $query = "insert into `orgemailcerts` set
+ `CN`='$defaultemail',
+ `ou`='".$_SESSION['_config']['OU']."',
`keytype`='NS',
`orgid`='".$org['orgid']."',
`created`=FROM_UNIXTIME(UNIX_TIMESTAMP()),
`codesign`='".$_SESSION['_config']['codesign']."',
- `rootcert`='".$_SESSION['_config']['rootcert']."'";
+ `rootcert`='".$_SESSION['_config']['rootcert']."',
+ `description`='".$_SESSION['_config']['description']."'";
mysql_query($query);
$emailid = mysql_insert_id();
@@ -1475,15 +1548,15 @@ function buildSubjectFromSession() {
fputs($fp, $emails);
fclose($fp);
$challenge=$_SESSION['spkac_hash'];
- $res=`openssl spkac -verify -in $CSRname`;
- if(!strstr($res,"Challenge String: ".$challenge))
- {
- $id = $oldid;
- showheader(_("My CAcert.org Account!"));
- echo _("The challenge-response code of your certificate request did not match. Can't continue with certificaterequest.");
- showfooter();
- exit;
- }
+ $res=`openssl spkac -verify -in $CSRname`;
+ if(!strstr($res,"Challenge String: ".$challenge))
+ {
+ $id = $oldid;
+ showheader(_("My CAcert.org Account!"));
+ echo _("The challenge-response code of your certificate request did not match. Can't continue with certificaterequest.");
+ showfooter();
+ exit;
+ }
mysql_query("update `orgemailcerts` set `csr_name`='$CSRname' where `id`='$emailid'");
} else if($_REQUEST['keytype'] == "MS" || $_REQUEST['keytype']=="VI") {
$csr = "-----BEGIN CERTIFICATE REQUEST-----\n".clean_csr($_REQUEST['CSR'])."-----END CERTIFICATE REQUEST-----\n";
@@ -1546,14 +1619,16 @@ function buildSubjectFromSession() {
if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2)
$_SESSION['_config']['rootcert'] = 1;
- $query = "insert into `orgemailcerts` set
- `CN`='$defaultemail',
+ $query = "insert into `orgemailcerts` set
+ `CN`='$defaultemail',
+ `ou`='".$_SESSION['_config']['OU']."',
`keytype`='" . sanitizeHTML($_REQUEST['keytype']) . "',
`orgid`='".$org['orgid']."',
`created`=FROM_UNIXTIME(UNIX_TIMESTAMP()),
`subject`='$csrsubject',
`codesign`='".$_SESSION['_config']['codesign']."',
- `rootcert`='".$_SESSION['_config']['rootcert']."'";
+ `rootcert`='".$_SESSION['_config']['rootcert']."',
+ `description`='".$_SESSION['_config']['description']."'";
mysql_query($query);
$emailid = mysql_insert_id();
@@ -1619,16 +1694,18 @@ function buildSubjectFromSession() {
printf(_("It would seem '%s' has already been revoked. I'll skip this for now.")."<br>\n", $row['CN']);
continue;
}
- $query = "insert into `orgemailcerts` set
- `orgid`='".$row['orgid']."',
+ $query = "insert into `orgemailcerts` set
+ `orgid`='".$row['orgid']."',
`CN`='".$row['CN']."',
+ `ou`='".$row['ou']."',
`subject`='".$row['subject']."',
- `keytype`='".$row['keytype']."',
- `csr_name`='".$row['csr_name']."',
- `created`='".$row['created']."',
+ `keytype`='".$row['keytype']."',
+ `csr_name`='".$row['csr_name']."',
+ `created`='".$row['created']."',
`modified`=NOW(),
`codesign`='".$row['codesign']."',
- `rootcert`='".$row['rootcert']."'";
+ `rootcert`='".$row['rootcert']."',
+ `description`='".$row['description']."'";
mysql_query($query);
$newid = mysql_insert_id();
$newfile=generatecertpath("csr","orgclient",$newid);
@@ -1720,6 +1797,39 @@ function buildSubjectFromSession() {
exit;
}
+ if($oldid == 18 && array_key_exists('change',$_REQUEST) && $_REQUEST['change'] != "")
+ {
+ showheader(_("My CAcert.org Account!"));
+ foreach($_REQUEST as $id => $val)
+ {
+ if(substr($id,0,14)=="check_comment_")
+ {
+ $cid = intval(substr($id,14));
+ $comment=trim(mysql_real_escape_string(stripslashes($_REQUEST['comment_'.$cid])));
+ mysql_query("update `orgemailcerts` set `description`='$comment' where `id`='$cid'");
+ }
+ }
+ echo(_("Certificate settings have been changed.")."<br/>\n");
+ showfooter();
+ exit;
+ }
+
+ if($oldid == 18 && array_key_exists('filter',$_REQUEST) && $_REQUEST['filter']!= "")
+ {
+ $id=18;
+ $_SESSION['_config']['orgfilterid']=$_REQUEST['orgfilterid'];
+ $_SESSION['_config']['sorting']=$_REQUEST['sorting'];
+ $_SESSION['_config']['status']=$_REQUEST['status'];
+ }
+
+ if($oldid == 18 && array_key_exists('reset',$_REQUEST) && $_REQUEST['reset']!= "")
+ {
+ $id=18;
+ $_SESSION['_config']['orgfilterid']=0;
+ $_SESSION['_config']['sorting']=0;
+ $_SESSION['_config']['status']=0;
+ }
+
if($process != "" && $oldid == 20)
{
$CSR = clean_csr($_REQUEST['CSR']);
@@ -1733,6 +1843,12 @@ function buildSubjectFromSession() {
exit;
}
+ if(trim($_REQUEST['description']) != ""){
+ $_SESSION['_config']['description']= trim(mysql_real_escape_string(stripslashes($_REQUEST['description'])));
+ }else{
+ $_SESSION['_config']['description']= "";
+ }
+
$_SESSION['_config']['tmpfname'] = tempnam("/tmp", "id20CSR");
$fp = fopen($_SESSION['_config']['tmpfname'], "w");
fputs($fp, $CSR);
@@ -1808,8 +1924,8 @@ function buildSubjectFromSession() {
exit;
}
- if($_SESSION['_config']['rowid']['0'] > 0)
- {
+ if($_SESSION['_config']['rowid']['0'] > 0)
+ {
$query = "select * from `org`,`orginfo` where
`orginfo`.`id`='".$_SESSION['_config']['rowid']['0']."' and
`orginfo`.`id`=`org`.`orgid` and
@@ -1843,25 +1959,27 @@ function buildSubjectFromSession() {
if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2)
$_SESSION['_config']['rootcert'] = 1;
- if($_SESSION['_config']['rowid']['0'] > 0)
- {
- $query = "insert into `orgdomaincerts` set
- `CN`='".$_SESSION['_config']['rows']['0']."',
- `orgid`='".$org['id']."',
- `created`=NOW(),
- `subject`='$csrsubject',
- `rootcert`='".$_SESSION['_config']['rootcert']."',
- `type`='$type'";
- } else {
- $query = "insert into `orgdomaincerts` set
- `CN`='".$_SESSION['_config']['altrows']['0']."',
- `orgid`='".$org['id']."',
- `created`=NOW(),
- `subject`='$csrsubject',
- `rootcert`='".$_SESSION['_config']['rootcert']."',
- `type`='$type'";
- }
- mysql_query($query);
+ if($_SESSION['_config']['rowid']['0'] > 0)
+ {
+ $query = "insert into `orgdomaincerts` set
+ `CN`='".$_SESSION['_config']['rows']['0']."',
+ `orgid`='".$org['id']."',
+ `created`=NOW(),
+ `subject`='$csrsubject',
+ `rootcert`='".$_SESSION['_config']['rootcert']."',
+ `type`='$type',
+ `description`='".$_SESSION['_config']['description']."'";
+ } else {
+ $query = "insert into `orgdomaincerts` set
+ `CN`='".$_SESSION['_config']['altrows']['0']."',
+ `orgid`='".$org['id']."',
+ `created`=NOW(),
+ `subject`='$csrsubject',
+ `rootcert`='".$_SESSION['_config']['rootcert']."',
+ `type`='$type',
+ `description`='".$_SESSION['_config']['description']."'";
+ }
+ mysql_query($query);
$CSRid = mysql_insert_id();
$CSRname=generatecertpath("csr","orgserver",$CSRid);
@@ -1927,15 +2045,16 @@ function buildSubjectFromSession() {
printf(_("It would seem '%s' has already been revoked. I'll skip this for now.")."<br>\n", $row['CN']);
continue;
}
- $query = "insert into `orgdomaincerts` set
- `orgid`='".$row['orgid']."',
+ $query = "insert into `orgdomaincerts` set
+ `orgid`='".$row['orgid']."',
`CN`='".$row['CN']."',
- `csr_name`='".$row['csr_name']."',
+ `csr_name`='".$row['csr_name']."',
`created`='".$row['created']."',
- `modified`=NOW(),
- `subject`='".$row['subject']."',
+ `modified`=NOW(),
+ `subject`='".$row['subject']."',
`type`='".$row['type']."',
- `rootcert`='".$row['rootcert']."'";
+ `rootcert`='".$row['rootcert']."',
+ `description`='".$row['description']."'";
mysql_query($query);
$newid = mysql_insert_id();
//echo "NewID: $newid<br/>\n";
@@ -2036,6 +2155,40 @@ function buildSubjectFromSession() {
exit;
}
+ if($oldid == 22 && array_key_exists('change',$_REQUEST) && $_REQUEST['change'] != "")
+ {
+ showheader(_("My CAcert.org Account!"));
+ foreach($_REQUEST as $id => $val)
+ {
+ if(substr($id,0,14)=="check_comment_")
+ {
+ $cid = intval(substr($id,14));
+ $comment=trim(mysql_real_escape_string(stripslashes($_REQUEST['comment_'.$cid])));
+ mysql_query("update `orgdomaincerts` set `description`='$comment' where `id`='$cid'");
+ }
+ }
+ echo(_("Certificate settings have been changed.")."<br/>\n");
+ showfooter();
+ exit;
+ }
+
+ if($oldid == 22 && array_key_exists('filter',$_REQUEST) && $_REQUEST['filter']!= "")
+ {
+ $id=22;
+ $_SESSION['_config']['dorgfilterid']=$_REQUEST['dorgfilterid'];
+ $_SESSION['_config']['dsorting']=$_REQUEST['dsorting'];
+ $_SESSION['_config']['dstatus']=$_REQUEST['dstatus'];
+ }
+
+ if($oldid == 22 && array_key_exists('reset',$_REQUEST) && $_REQUEST['reset']!= "")
+ {
+ $id=22;
+ $_SESSION['_config']['dorgfilterid']=0;
+ $_SESSION['_config']['dsorting']=0;
+ $_SESSION['_config']['dstatus']=0;
+ }
+
+
if(($id == 24 || $oldid == 24 || $id == 25 || $oldid == 25 || $id == 26 || $oldid == 26 ||
$id == 27 || $oldid == 27 || $id == 28 || $oldid == 28 || $id == 29 || $oldid == 29 ||
$id == 30 || $oldid == 30 || $id == 31 || $oldid == 31) &&
@@ -2133,9 +2286,9 @@ function buildSubjectFromSession() {
if($oldid == 29 && $process != "")
{
- $domain = mysql_real_escape_string(stripslashes(trim($domainname)));
+ $domain = mysql_real_escape_string(stripslashes(trim($_REQUEST['domainname'])));
- $res1 = mysql_query("select * from `orgdomains` where `domain` like '$domain' and `id`!='".intval($_SESSION['_config']['domid'])."'");
+ $res1 = mysql_query("select * from `orgdomains` where `domain` like '$domain' and `id`!='".intval($domid)."'");
$res2 = mysql_query("select * from `domains` where `domain` like '$domain' and `deleted`=0");
if(mysql_num_rows($res1) > 0 || mysql_num_rows($res2) > 0)
{
@@ -2145,20 +2298,20 @@ function buildSubjectFromSession() {
}
}
- if(($oldid == 29 || $oldid == 30) && $process != _("Cancel"))
+ if(($oldid == 29 || $oldid == 30) && $process != "") // _("Cancel") is handled in front of account.php
{
- $query = "select `orgdomaincerts`.`id` as `id` from `orgdomlink`, `orgdomaincerts`, `orgdomains` where
+ $query = "select `orgdomaincerts`.`id` as `id` from `orgdomlink`, `orgdomaincerts`, `orgdomains` where
`orgdomlink`.`orgdomid`=`orgdomains`.`id` and
`orgdomaincerts`.`id`=`orgdomlink`.`orgcertid` and
- `orgdomains`.`id`='".intval($_SESSION['_config']['domid'])."'";
+ `orgdomains`.`id`='".intval($domid)."'";
$res = mysql_query($query);
while($row = mysql_fetch_assoc($res))
mysql_query("update `orgdomaincerts` set `revoked`='1970-01-01 10:00:01' where `id`='".$row['id']."'");
- $query = "select `orgemailcerts`.`id` as `id` from `orgemailcerts`, `orgemaillink`, `orgdomains` where
+ $query = "select `orgemailcerts`.`id` as `id` from `orgemailcerts`, `orgemaillink`, `orgdomains` where
`orgemaillink`.`domid`=`orgdomains`.`id` and
`orgemailcerts`.`id`=`orgemaillink`.`emailcertsid` and
- `orgdomains`.`id`='".intval($_SESSION['_config']['domid'])."'";
+ `orgdomains`.`id`='".intval($domid)."'";
$res = mysql_query($query);
while($row = mysql_fetch_assoc($res))
mysql_query("update `orgemailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='".intval($row['id'])."'");
@@ -2166,23 +2319,23 @@ function buildSubjectFromSession() {
if($oldid == 29 && $process != "")
{
- $row = mysql_fetch_assoc(mysql_query("select * from `orgdomains` where `id`='".intval($_SESSION['_config']['domid'])."'"));
- mysql_query("update `orgdomains` set `domain`='$domain' where `id`='".intval($_SESSION['_config']['domid'])."'");
+ $row = mysql_fetch_assoc(mysql_query("select * from `orgdomains` where `id`='".intval($domid)."'"));
+ mysql_query("update `orgdomains` set `domain`='$domain' where `id`='".intval($domid)."'");
showheader(_("My CAcert.org Account!"));
printf(_("'%s' has just been successfully updated in the database."), sanitizeHTML($domain));
- echo "<br><br><a href='account.php?id=26&orgid=".intval($_SESSION['_config']['orgid'])."'>"._("Click here")."</a> "._("to continue.");
+ echo "<br><br><a href='account.php?id=26&orgid=".intval($orgid)."'>"._("Click here")."</a> "._("to continue.");
showfooter();
exit;
}
if($oldid == 30 && $process != "")
{
- $row = mysql_fetch_assoc(mysql_query("select * from `orgdomains` where `id`='".intval($_SESSION['_config']['domid'])."'"));
+ $row = mysql_fetch_assoc(mysql_query("select * from `orgdomains` where `id`='".intval($domid)."'"));
$domain = $row['domain'];
- mysql_query("delete from `orgdomains` where `id`='".intval($_SESSION['_config']['domid'])."'");
+ mysql_query("delete from `orgdomains` where `id`='".intval($domid)."'");
showheader(_("My CAcert.org Account!"));
printf(_("'%s' has just been successfully deleted from the database."), sanitizeHTML($domain));
- echo "<br><br><a href='account.php?id=26&orgid=".intval($_SESSION['_config']['orgid'])."'>"._("Click here")."</a> "._("to continue.");
+ echo "<br><br><a href='account.php?id=26&orgid=".intval($orgid)."'>"._("Click here")."</a> "._("to continue.");
showfooter();
exit;
}
@@ -2199,7 +2352,7 @@ function buildSubjectFromSession() {
$dres = mysql_query($query);
while($drow = mysql_fetch_assoc($dres))
{
- $query = "select `orgdomaincerts`.`id` as `id` from `orgdomlink`, `orgdomaincerts`, `orgdomains` where
+ $query = "select `orgdomaincerts`.`id` as `id` from `orgdomlink`, `orgdomaincerts`, `orgdomains` where
`orgdomlink`.`orgdomid`=`orgdomains`.`id` and
`orgdomaincerts`.`id`=`orgdomlink`.`orgcertid` and
`orgdomains`.`id`='".intval($drow['id'])."'";
@@ -2211,7 +2364,7 @@ function buildSubjectFromSession() {
mysql_query("delete from `orgdomlink` where `domid`='".intval($row['id'])."'");
}
- $query = "select `orgemailcerts`.`id` as `id` from `orgemailcerts`, `orgemaillink`, `orgdomains` where
+ $query = "select `orgemailcerts`.`id` as `id` from `orgemailcerts`, `orgemaillink`, `orgdomains` where
`orgemaillink`.`domid`=`orgdomains`.`id` and
`orgemailcerts`.`id`=`orgemaillink`.`emailcertsid` and
`orgdomains`.`id`='".intval($drow['id'])."'";
@@ -2234,8 +2387,7 @@ function buildSubjectFromSession() {
$orgid = 0;
}
- if($id == 32 || $oldid == 32 || $id == 33 || $oldid == 33 || $id == 34 || $oldid == 34 ||
- $id == 35 || $oldid == 35)
+ if($id == 32 || $oldid == 32 || $id == 33 || $oldid == 33 || $id == 34 || $oldid == 34)
{
$query = "select * from `org` where `memid`='".intval($_SESSION['profile']['id'])."' and `masteracc`='1'";
$_macc = mysql_num_rows(mysql_query($query));
@@ -2248,6 +2400,19 @@ function buildSubjectFromSession() {
}
}
+ if($id == 35 || $oldid == 35)
+ {
+ $query = "select 1 from `org` where `memid`='".intval($_SESSION['profile']['id'])."'";
+ $is_orguser = mysql_num_rows(mysql_query($query));
+ if($_SESSION['profile']['orgadmin'] != 1 && $is_orguser <= 0)
+ {
+ showheader(_("My CAcert.org Account!"));
+ echo _("You don't have access to this area.");
+ showfooter();
+ exit;
+ }
+ }
+
if($id == 33 && $_SESSION['profile']['orgadmin'] != 1)
{
$orgid = intval($_SESSION['_config']['orgid']);
@@ -2277,8 +2442,21 @@ function buildSubjectFromSession() {
$_SESSION['_config']['errmsg'] = sprintf(_("Wasn't able to match '%s' against any user in the system"), sanitizeHTML($_REQUEST['email']));
} else {
$row = mysql_fetch_assoc($res);
- mysql_query("insert into `org` set `memid`='".intval($row['id'])."', `orgid`='".intval($_SESSION['_config']['orgid'])."',
- `masteracc`='$masteracc', `OU`='$OU', `comments`='$comments'");
+ if ( !is_assurer(intval($row['id'])) )
+ {
+ $id = $oldid;
+ $oldid=0;
+ $_SESSION['_config']['errmsg'] =
+ _("The user is not an Assurer yet");
+ } else {
+ mysql_query(
+ "insert into `org`
+ set `memid`='".intval($row['id'])."',
+ `orgid`='".intval($_SESSION['_config']['orgid'])."',
+ `masteracc`='$masteracc',
+ `OU`='$OU',
+ `comments`='$comments'");
+ }
}
}
@@ -2401,8 +2579,8 @@ function buildSubjectFromSession() {
exit;
}
- if($oldid == 54 || ($id == 53 && array_key_exists('action',$_REQUEST) && $_REQUEST['action'] != "") ||
- ($id == 54 && array_key_exists('action',$_REQUEST) && $_REQUEST['action'] != "" &&
+ if($oldid == 54 || ($id == 53 && array_key_exists('action',$_REQUEST) && $_REQUEST['action'] != "") ||
+ ($id == 54 && array_key_exists('action',$_REQUEST) && $_REQUEST['action'] != "" &&
$_REQUEST['action'] != "aliases" && $_REQUEST['action'] != "edit" && $_REQUEST['action'] != "add"))
{
$id = 53;
@@ -2412,7 +2590,7 @@ function buildSubjectFromSession() {
$locid = intval(array_key_exists('locid',$_REQUEST)?$_REQUEST['locid']:0);
$name = array_key_exists('name',$_REQUEST)?mysql_real_escape_string(strip_tags($_REQUEST['name'])):"";
$long = array_key_exists('longitude',$_REQUEST)?ereg_replace("[^-0-9\.]","",$_REQUEST['longitude']):"";
- $lat = array_key_exists('latitude', $_REQUEST)?ereg_replace("[^-0-9\.]","",$_REQUEST['latitude']):"";
+ $lat = array_key_exists('latitude', $_REQUEST)?ereg_replace("[^-0-9\.]","",$_REQUEST['latitude']):"";
$action = array_key_exists('action',$_REQUEST)?$_REQUEST['action']:"";
if($locid > 0 && $action == "edit")
@@ -2499,7 +2677,17 @@ function buildSubjectFromSession() {
$oldid=0;
}
- if($oldid == 43 && $_REQUEST['action'] == "updatedob")
+ //check if ticket number was entered
+ if ( $id == 43 || $oldid == 43 || $id == 44 || $oldid == 44 ) {
+ if ($ticketno != "" ) {
+ $ticketno = mysql_real_escape_string(trim($_REQUEST['ticketno']));
+ $ticketvalidation = valid_ticket_number($ticketno);
+ }
+
+ $_SESSION['ticketno'] = $ticketno;
+ }
+
+ if($oldid == 43 && $actionrequest == "updatedob" && $ticketvalidation == TRUE)
{
$id = 43;
$oldid=0;
@@ -2511,13 +2699,25 @@ function buildSubjectFromSession() {
$month = intval($_REQUEST['month']);
$year = intval($_REQUEST['year']);
$userid = intval($_REQUEST['userid']);
- $query = "select `fname`,`mname`,`lname`,`suffix`,`dob` from `users` where `id`='$userid'";
- $details = mysql_fetch_assoc(mysql_query($query));
- $query = "insert into `adminlog` set `when`=NOW(),`old-lname`='${details['lname']}',`old-dob`='${details['dob']}',
- `new-lname`='$lname',`new-dob`='$year-$month-$day',`uid`='$userid',`adminid`='".$_SESSION['profile']['id']."'";
- mysql_query($query);
$query = "update `users` set `fname`='$fname',`mname`='$mname',`lname`='$lname',`suffix`='$suffix',`dob`='$year-$month-$day' where `id`='$userid'";
mysql_query($query);
+ write_se_log($userid, $_SESSION['profile']['id'],'SE Name/DOB Change',$ticketno);
+ }elseif($oldid == 43 && $actionrequest == "updatedob" && $ticketvalidation == FALSE){
+ $id = 43;
+ $oldid=0;
+ $_SESSION['ticketmsg']='No action (name/dob change) taken. Ticket number is missing!';
+ }
+
+ if($oldid == 43 && $actionrequest == 'revokecert' && $ticketvalidation == TRUE)
+ {
+ $userid = intval($_REQUEST['userid']);
+ revoke_all_private_cert($userid);
+ write_se_log($userid, $_SESSION['profile']['id'], 'SE Revoke all certificates',$ticketno);
+ $id=43;
+ }elseif($oldid == 43 && $actionrequest == "revokecert" && $ticketvalidation == FALSE){
+ $id = 43;
+ $oldid=0;
+ $_SESSION['ticketmsg']='No certificates revokes. Ticket number is missing!';
}
if($oldid == 48 && $_REQUEST['domain'] == "")
@@ -2543,7 +2743,7 @@ function buildSubjectFromSession() {
$_REQUEST['email'] = $row['email'];
}
- if($oldid == 44)
+ if($oldid == 44 && $ticketvalidation == TRUE)
{
showheader(_("My CAcert.org Account!"));
if(intval($_REQUEST['userid']) <= 0)
@@ -2554,20 +2754,25 @@ function buildSubjectFromSession() {
$row = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".intval($_REQUEST['userid'])."'"));
printf(_("The password for %s has been updated successfully in the system."), sanitizeHTML($row['email']));
- $body = sprintf(_("Hi %s,"),$row['fname'])."\n";
- $body .= _("You are receiving this email because a CAcert administrator")."\n";
- $body .= _("has changed the password on your account.")."\n";
+
+ $body = sprintf(_("Hi %s,"),$row['fname'])."\n\n";
+ $body .= _("You are receiving this email because a CAcert administrator ".
+ "has changed the password on your account.")."\n\n";
$body .= _("Best regards")."\n"._("CAcert.org Support!");
sendmail($row['email'], "[CAcert.org] "._("Password Update Notification"), $body,
"support@cacert.org", "", "", "CAcert Support");
+ write_se_log(intval($_REQUEST['userid']), $_SESSION['profile']['id'],'SE reset password',$ticketno);
}
showfooter();
exit;
+ }elseif($oldid == 44 && $ticketvalidation == FALSE){
+ $_SESSION['ticketmsg']='No password reset taken. Ticket number is missing!';
}
+
if($process != "" && $oldid == 45)
{
$CSR = clean_csr($CSR);
@@ -2626,7 +2831,7 @@ function buildSubjectFromSession() {
exit;
}
- $query = "insert into `domaincerts` set
+ $query = "insert into `domaincerts` set
`CN`='".$_SESSION['_config']['0.CN']."',
`domid`='".$_SESSION['_config']['row']['id']."',
`created`=NOW()";
@@ -2660,45 +2865,61 @@ function buildSubjectFromSession() {
}
}
- if($id == 43 && array_key_exists('tverify',$_REQUEST) && $_REQUEST['tverify'] > 0)
+ /* presently not needed
+ if($id == 43 && array_key_exists('tverify',$_REQUEST) && $_REQUEST['tverify'] > 0 && $ticketvalidation==TRUE)
{
$memid = $_REQUEST['userid'] = intval($_REQUEST['tverify']);
$query = "select * from `users` where `id`='$memid'";
$row = mysql_fetch_assoc(mysql_query($query));
$ver = !$row['tverify'];
mysql_query("update `users` set `tverify`='$ver' where `id`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change tverify status',$ticketno);
+ }else{
+ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
+ }
+ */
+ if($id == 43 && array_key_exists('assurer',$_REQUEST) && $_REQUEST['assurer'] > 0 && $ticketvalidation == TRUE)
+ {
+ csrf_check('admsetassuret');
+ $memid = $_REQUEST['userid'] = intval($_REQUEST['assurer']);
+ $query = "select * from `users` where `id`='$memid'";
+ $row = mysql_fetch_assoc(mysql_query($query));
+ $ver = !$row['assurer'];
+ mysql_query("update `users` set `assurer`='$ver' where `id`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change assurer status',$ticketno);
+ }elseif($id == 43 && array_key_exists('assurer',$_REQUEST) && $_REQUEST['assurer'] > 0 && $ticketvalidation == FALSE){
+ $_REQUEST['userid'] = intval($_REQUEST['assurer']);
+ $_SESSION['ticketmsg']='No action (Change assurer status) taken. Ticket number is missing!';
+ }
+
+ if($id == 43 && array_key_exists('assurer_blocked',$_REQUEST) && $_REQUEST['assurer_blocked'] > 0 && $ticketvalidation == TRUE)
+ {
+ $memid = $_REQUEST['userid'] = intval($_REQUEST['assurer_blocked']);
+ $query = "select * from `users` where `id`='$memid'";
+ $row = mysql_fetch_assoc(mysql_query($query));
+ $ver = !$row['assurer_blocked'];
+ mysql_query("update `users` set `assurer_blocked`='$ver' where `id`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change assurer blocked status',$ticketno);
+ }elseif($id == 43 && array_key_exists('assurer_blocked',$_REQUEST) && $_REQUEST['assurer_blocked'] > 0 && $ticketvalidation == FALSE){
+ $_REQUEST['userid'] = intval($_REQUEST['assurer_blocked']);
+ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
}
- if($id == 43 && array_key_exists('assurer',$_REQUEST) && $_REQUEST['assurer'] > 0)
- {
- csrf_check('admsetassuret');
- $memid = $_REQUEST['userid'] = intval($_REQUEST['assurer']);
- $query = "select * from `users` where `id`='$memid'";
- $row = mysql_fetch_assoc(mysql_query($query));
- $ver = !$row['assurer'];
- mysql_query("update `users` set `assurer`='$ver' where `id`='$memid'");
- }
-
- if($id == 43 && array_key_exists('assurer_blocked',$_REQUEST) && $_REQUEST['assurer_blocked'] > 0)
- {
- $memid = $_REQUEST['userid'] = intval($_REQUEST['assurer_blocked']);
- $query = "select * from `users` where `id`='$memid'";
- $row = mysql_fetch_assoc(mysql_query($query));
- $ver = !$row['assurer_blocked'];
- mysql_query("update `users` set `assurer_blocked`='$ver' where `id`='$memid'");
- }
-
- if($id == 43 && array_key_exists('locked',$_REQUEST) && $_REQUEST['locked'] > 0)
- {
- csrf_check('admactlock');
+ if($id == 43 && array_key_exists('locked',$_REQUEST) && $_REQUEST['locked'] > 0 && $ticketvalidation == TRUE)
+ {
+ csrf_check('admactlock');
$memid = $_REQUEST['userid'] = intval($_REQUEST['locked']);
$query = "select * from `users` where `id`='$memid'";
$row = mysql_fetch_assoc(mysql_query($query));
$ver = !$row['locked'];
mysql_query("update `users` set `locked`='$ver' where `id`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change locked status',$ticketno);
+ }elseif($id == 43 && array_key_exists('locked',$_REQUEST) && $_REQUEST['locked'] > 0 && $ticketvalidation == FALSE){
+ $_REQUEST['userid'] = intval($_REQUEST['locked']);
+ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
}
- if($id == 43 && array_key_exists('codesign',$_REQUEST) && $_REQUEST['codesign'] > 0)
+ if($id == 43 && array_key_exists('codesign',$_REQUEST) && $_REQUEST['codesign'] > 0 && $ticketvalidation == TRUE)
{
csrf_check('admcodesign');
$memid = $_REQUEST['userid'] = intval($_REQUEST['codesign']);
@@ -2706,9 +2927,13 @@ function buildSubjectFromSession() {
$row = mysql_fetch_assoc(mysql_query($query));
$ver = !$row['codesign'];
mysql_query("update `users` set `codesign`='$ver' where `id`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change codesign status',$ticketno);
+ }elseif($id == 43 && array_key_exists('codesign',$_REQUEST) && $_REQUEST['codesign'] > 0 && $ticketvalidation == FALSE){
+ $_REQUEST['userid'] = intval($_REQUEST['codesign']);
+ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
}
- if($id == 43 && array_key_exists('orgadmin',$_REQUEST) && $_REQUEST['orgadmin'] > 0)
+ if($id == 43 && array_key_exists('orgadmin',$_REQUEST) && $_REQUEST['orgadmin'] > 0 && $ticketvalidation == TRUE)
{
csrf_check('admorgadmin');
$memid = $_REQUEST['userid'] = intval($_REQUEST['orgadmin']);
@@ -2716,9 +2941,13 @@ function buildSubjectFromSession() {
$row = mysql_fetch_assoc(mysql_query($query));
$ver = !$row['orgadmin'];
mysql_query("update `users` set `orgadmin`='$ver' where `id`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change org assuer status',$ticketno);
+ }elseif($id == 43 && array_key_exists('orgadmin',$_REQUEST) && $_REQUEST['orgadmin'] > 0 && $ticketvalidation == FALSE){
+ $_REQUEST['userid'] = intval($_REQUEST['orgadmin']);
+ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
}
- if($id == 43 && array_key_exists('ttpadmin',$_REQUEST) && $_REQUEST['ttpadmin'] > 0)
+ if($id == 43 && array_key_exists('ttpadmin',$_REQUEST) && $_REQUEST['ttpadmin'] > 0 && $ticketvalidation == TRUE)
{
csrf_check('admttpadmin');
$memid = $_REQUEST['userid'] = intval($_REQUEST['ttpadmin']);
@@ -2726,9 +2955,13 @@ function buildSubjectFromSession() {
$row = mysql_fetch_assoc(mysql_query($query));
$ver = !$row['ttpadmin'];
mysql_query("update `users` set `ttpadmin`='$ver' where `id`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change ttp admin status',$ticketno);
+ }elseif($id == 43 && array_key_exists('ttpadmin',$_REQUEST) && $_REQUEST['ttpadmin'] > 0 && $ticketvalidation == FALSE){
+ $_REQUEST['userid'] = intval($_REQUEST['ttpadmin']);
+ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
}
- if($id == 43 && array_key_exists('adadmin',$_REQUEST) && $_REQUEST['adadmin'] > 0)
+ if($id == 43 && array_key_exists('adadmin',$_REQUEST) && $_REQUEST['adadmin'] > 0 && $ticketvalidation == TRUE)
{
$memid = $_REQUEST['userid'] = intval($_REQUEST['adadmin']);
$query = "select * from `users` where `id`='$memid'";
@@ -2737,18 +2970,26 @@ function buildSubjectFromSession() {
if($ver > 2)
$ver = 0;
mysql_query("update `users` set `adadmin`='$ver' where `id`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change advertising admin status',$ticketno);
+ }elseif($id == 43 && array_key_exists('adadmin',$_REQUEST) && $_REQUEST['adadmin'] > 0 && $ticketvalidation == FALSE){
+ $_REQUEST['userid'] = intval($_REQUEST['adadmin']);
+ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
}
- if($id == 43 && array_key_exists('locadmin',$_REQUEST) && $_REQUEST['locadmin'] > 0)
+ if($id == 43 && array_key_exists('locadmin',$_REQUEST) && $_REQUEST['locadmin'] > 0 && $ticketvalidation == TRUE)
{
$memid = $_REQUEST['userid'] = intval($_REQUEST['locadmin']);
$query = "select * from `users` where `id`='$memid'";
$row = mysql_fetch_assoc(mysql_query($query));
$ver = !$row['locadmin'];
mysql_query("update `users` set `locadmin`='$ver' where `id`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change location admin status',$ticketno);
+ }elseif($id == 43 && array_key_exists('locadmin',$_REQUEST) && $_REQUEST['locadmin'] > 0 && $ticketvalidation == FALSE){
+ $_REQUEST['userid'] = intval($_REQUEST['locadmin']);
+ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
}
- if($id == 43 && array_key_exists('admin',$_REQUEST) && $_REQUEST['admin'] > 0)
+ if($id == 43 && array_key_exists('admin',$_REQUEST) && $_REQUEST['admin'] > 0 && $ticketvalidation == TRUE)
{
csrf_check('admsetadmin');
$memid = $_REQUEST['userid'] = intval($_REQUEST['admin']);
@@ -2756,42 +2997,62 @@ function buildSubjectFromSession() {
$row = mysql_fetch_assoc(mysql_query($query));
$ver = !$row['admin'];
mysql_query("update `users` set `admin`='$ver' where `id`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change SE status',$ticketno);
+ }elseif($id == 43 && array_key_exists('admin',$_REQUEST) && $_REQUEST['admin'] > 0 && $ticketvalidation == FALSE){
+ $_REQUEST['userid'] = intval($_REQUEST['admin']);
+ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
}
- if($id == 43 && array_key_exists('general',$_REQUEST) && $_REQUEST['general'] > 0)
+ if($id == 43 && array_key_exists('general',$_REQUEST) && $_REQUEST['general'] > 0 && $ticketvalidation == TRUE)
{
$memid = $_REQUEST['userid'] = intval($_REQUEST['general']);
$query = "select * from `alerts` where `memid`='$memid'";
$row = mysql_fetch_assoc(mysql_query($query));
$ver = !$row['general'];
mysql_query("update `alerts` set `general`='$ver' where `memid`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change general status',$ticketno);
+ }elseif($id == 43 && array_key_exists('general',$_REQUEST) && $_REQUEST['general'] > 0 && $ticketvalidation == FALSE){
+ $_REQUEST['userid'] = intval($_REQUEST['general']);
+ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
}
- if($id == 43 && array_key_exists('country',$_REQUEST) && $_REQUEST['country'] > 0)
+ if($id == 43 && array_key_exists('country',$_REQUEST) && $_REQUEST['country'] > 0 && $ticketvalidation == TRUE)
{
$memid = $_REQUEST['userid'] = intval($_REQUEST['country']);
$query = "select * from `alerts` where `memid`='$memid'";
$row = mysql_fetch_assoc(mysql_query($query));
$ver = !$row['country'];
mysql_query("update `alerts` set `country`='$ver' where `memid`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change country status',$ticketno);
+ }elseif($id == 43 && array_key_exists('country',$_REQUEST) && $_REQUEST['country'] > 0 && $ticketvalidation == FALSE){
+ $_REQUEST['userid'] = intval($_REQUEST['country']);
+ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
}
- if($id == 43 && array_key_exists('regional',$_REQUEST) && $_REQUEST['regional'] > 0)
+ if($id == 43 && array_key_exists('regional',$_REQUEST) && $_REQUEST['regional'] > 0 && $ticketvalidation == TRUE)
{
$memid = $_REQUEST['userid'] = intval($_REQUEST['regional']);
$query = "select * from `alerts` where `memid`='$memid'";
$row = mysql_fetch_assoc(mysql_query($query));
$ver = !$row['regional'];
mysql_query("update `alerts` set `regional`='$ver' where `memid`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change regional status',$ticketno);
+ }elseif($id == 43 && array_key_exists('regional',$_REQUEST) && $_REQUEST['regional'] > 0 && $ticketvalidation == FALSE){
+ $_REQUEST['userid'] = intval($_REQUEST['regional']);
+ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
}
- if($id == 43 && array_key_exists('radius',$_REQUEST) && $_REQUEST['radius'] > 0)
+ if($id == 43 && array_key_exists('radius',$_REQUEST) && $_REQUEST['radius'] > 0 && $ticketvalidation == TRUE)
{
$memid = $_REQUEST['userid'] = intval($_REQUEST['radius']);
$query = "select * from `alerts` where `memid`='$memid'";
$row = mysql_fetch_assoc(mysql_query($query));
$ver = !$row['radius'];
mysql_query("update `alerts` set `radius`='$ver' where `memid`='$memid'");
+ write_se_log($memid, $_SESSION['profile']['id'],'SE Change radius status',$ticketno);
+ }elseif($id == 43 && array_key_exists('radius',$_REQUEST) && $_REQUEST['radius'] > 0 && $ticketvalidation == false){
+ $_REQUEST['userid'] = intval($_REQUEST['radius']);
+ $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
}
if($id == 50)
@@ -2815,25 +3076,57 @@ function buildSubjectFromSession() {
if($oldid == 50 && $process != "")
{
$_REQUEST['userid'] = intval($_REQUEST['userid']);
- $res = mysql_query("select * from `users` where `id`='".intval($_REQUEST['userid'])."'");
- if(mysql_num_rows($res) > 0)
- {
- $query = "update `domaincerts`,`domains` SET `domaincerts`.`revoked`='1970-01-01 10:00:01'
- WHERE `domaincerts`.`domid` = `domains`.`id` AND `domains`.`memid`='".intval($_REQUEST['userid'])."'";
- mysql_query($query);
- $query = "update `domains` SET `deleted`=NOW() WHERE `domains`.`memid`='".intval($_REQUEST['userid'])."'";
- mysql_query($query);
- $query = "update `emailcerts` SET `revoked`='1970-01-01 10:00:01' WHERE `memid`='".intval($_REQUEST['userid'])."'";
- mysql_query($query);
- $query = "update `email` SET `deleted`=NOW() WHERE `memid`='".intval($_REQUEST['userid'])."'";
- mysql_query($query);
- $query = "delete from `org` WHERE `memid`='".intval($_REQUEST['userid'])."'";
- mysql_query($query);
- $query = "update `users` SET `deleted`=NOW() WHERE `id`='".intval($_REQUEST['userid'])."'";
- mysql_query($query);
+ if (trim($_REQUEST['arbitrationno'])==""){
+ showheader(_("My CAcert.org Account!"));
+ echo _("You did not enter an arbitration number entry.");
+ printf('<br/><a href="account.php?id=43&amp;userid=' . $_REQUEST['userid'] . '">' . _('Back to previous page.') .'</a>');
+ showfooter();
+ exit;
+ }
+ if ( 1 !== preg_match('/^[a-z]\d{8}\.\d+\.\d+$/i',trim($_REQUEST['arbitrationno'])) ) {
+ showheader(_("My CAcert.org Account!"));
+ printf(_("'%s' is not a valid arbitration number entry."), sanitizeHTML(trim($_REQUEST['arbitrationno'])));
+ printf('<br/><a href="account.php?id=43&amp;userid=' . $_REQUEST['userid'] . '">' . _('Back to previous page.') .'</a>');
+ showfooter();
+ exit;
}
+ if (check_email_exists(trim($_REQUEST['arbitrationno']).'@cacert.org')) {
+ showheader(_("My CAcert.org Account!"));
+ printf(_("The email address '%s' is already in a different account. Can't continue."), sanitizeHTML($_REQUEST['arbitrationno'].'@cacert.org'));
+ printf('<br/><a href="account.php?id=43&amp;userid=' . $_REQUEST['userid'] . '">' . _('Back to previous page.') .'</a>');
+ showfooter();
+ exit;
+ }
+ if (check_client_cert_running($_REQUEST['userid'],1) ||
+ check_server_cert_running($_REQUEST['userid'],1) ||
+ check_gpg_cert_running($_REQUEST['userid'],1)) {
+ showheader(_("My CAcert.org Account!"));
+ printf(_("The CCA retention time for at least one certificate is not over. Can't continue."));
+ printf('<br/><a href="account.php?id=43&amp;userid=' . $_REQUEST['userid'] . '">' . _('Back to previous page.') .'</a>');
+ showfooter();
+ exit;
+ }
+ if (check_is_orgadmin($_REQUEST['userid'],1)) {
+ showheader(_("My CAcert.org Account!"));
+ printf(_("The user is listed as Organisation Administrator. Can't continue."));
+ printf('<br/><a href="account.php?id=43&amp;userid=' . $_REQUEST['userid'] . '">' . _('Back to previous page.') .'</a>');
+ showfooter();
+ exit;
+ }
+ account_delete($_REQUEST['userid'], trim($_REQUEST['arbitrationno']), $_SESSION['profile']['id']);
+ write_se_log($_REQUEST['userid'], $_SESSION['profile']['id'], 'SE Account delete', trim($_REQUEST['arbitrationno']));
+ }
+
+ if(($id == 51 || $id == 52 || $oldid == 52))
+ {
+ showheader(_("My CAcert.org Account!"));
+ echo _("You don't have access to this area.\nThe Tverify programme is terminated as of 16th November 2010" );
+ showfooter();
+ exit;
}
+ /* this area not needed as the The Tverify programme is Terminated as of 16th November 2010
+
if(($id == 51 || $id == 52 || $oldid == 52) && $_SESSION['profile']['tverify'] <= 0)
{
showheader(_("My CAcert.org Account!"));
@@ -2841,7 +3134,6 @@ function buildSubjectFromSession() {
showfooter();
exit;
}
-
if($oldid == 52)
{
$uid = intval($_REQUEST['uid']);
@@ -2947,6 +3239,21 @@ function buildSubjectFromSession() {
showfooter();
exit;
}
+ */
+ if($id == 59){
+ if ($oldid == 43 && $_SESSION['profile']['admin'] == 1) {
+ write_se_log($_REQUEST['userid'], $_SESSION['profile']['id'], 'SE View account history', $_REQUEST['ticketno']);
+ $_SESSION['support']=1;
+ }ELSEIF ($oldid == 13 && $_REQUEST['userid'] == $_SESSION['profile']['id']){
+ $_SESSION['support']=0;
+ }ELSE{
+ showheader(_("My CAcert.org Account!"));
+ echo _("You do not have access to this page.");
+ showfooter();
+ exit;
+ }
+ }
+
if(intval($cert) > 0)
$_SESSION['_config']['cert'] = intval($cert);
@@ -2954,6 +3261,4 @@ function buildSubjectFromSession() {
$_SESSION['_config']['orgid'] = intval($orgid);
if(intval($memid) > 0)
$_SESSION['_config']['memid'] = intval($memid);
- if(intval($domid) > 0)
- $_SESSION['_config']['domid'] = intval($domid);
?>
diff --git a/includes/account_stuff.php b/includes/account_stuff.php
index 108bd57..dbebf6a 100644
--- a/includes/account_stuff.php
+++ b/includes/account_stuff.php
@@ -172,7 +172,7 @@ function hideall() {
</div>
<div class="relatedLinks">
<h3 class="pointer" onclick="explode('mydetails')">+ <?=_("My Details")?></h3>
- <ul class="menu" id="mydetails"><li><a href="account.php?id=13"><?=_("Edit")?></a></li><li><a href="account.php?id=14"><?=_("Change Password")?></a></li><li><a href="account.php?id=41"><?=_("Default Language")?></a></li><li><a href="wot.php?id=8"><?=_("My Listing")?></a></li><li><a href="wot.php?id=13"><?=_("My Location")?></a></li><li><a href="account.php?id=36"><?=_("My Alert Settings")?></a></li><li><a href="wot.php?id=10"><?=_("My Points")?></a></li><?
+ <ul class="menu" id="mydetails"><li><a href="account.php?id=13"><?=_("View/Edit")?></a></li><li><a href="account.php?id=14"><?=_("Change Password")?></a></li><li><a href="account.php?id=41"><?=_("Default Language")?></a></li><li><a href="wot.php?id=8"><?=_("My Listing")?></a></li><li><a href="wot.php?id=13"><?=_("My Location")?></a></li><li><a href="account.php?id=36"><?=_("My Alert Settings")?></a></li><li><a href="wot.php?id=10"><?=_("My Points")?></a></li><?
if($_SESSION['profile']['id'] == 1 || $_SESSION['profile']['id'] == 5897)
echo "<li><a href='sqldump.php'>SQL Dump</a></li>";
?></ul>
@@ -209,7 +209,7 @@ function hideall() {
<ul class="menu" id="serverorg"><li><a href="account.php?id=20"><?=_("New")?></a></li><li><a href="account.php?id=22"><?=_("View")?></a></li></ul>
</div>
<? } ?>
-<? if(mysql_num_rows(mysql_query("select * from `org` where `memid`='".intval($_SESSION['profile']['id'])."' and `masteracc`='1'")) > 0 || $_SESSION['profile']['orgadmin'] == 1) { ?>
+<? if(mysql_num_rows(mysql_query("select * from `org` where `memid`='".intval($_SESSION['profile']['id'])."'")) > 0 || $_SESSION['profile']['orgadmin'] == 1) { ?>
<div class="relatedLinks">
<h3 class="pointer" onclick="explode('orgadmin')">+ <?=_("Org Admin")?></h3>
<ul class="menu" id="orgadmin"><? if($_SESSION['profile']['orgadmin'] == 1) { ?><li><a href="account.php?id=24"><?=_("New Organisation")?></a></li><li><a href="account.php?id=25"><?=_("View Organisations")?></a></li><? } ?><li><a href="account.php?id=35"><?=_("View")?></a></li></ul>
@@ -262,6 +262,7 @@ function hideall() {
<ul class="menu" id="advertising"><li><a href="advertising.php?id=1"><?=_("New Ad")?></a></li><li><a href="advertising.php?id=0"><?=_("View Ads")?></a></li></ul>
</div>
<? } ?>
+ <? include("about_menu.php"); ?>
</div>
<div id="content">
<div class="story">
@@ -280,365 +281,7 @@ function hideall() {
<div id="siteInfo"><a href="//wiki.cacert.org/FAQ/AboutUs"><?=_("About Us")?></a> | <a href="account.php?id=38"><?=_("Donations")?></a> | <a href="http://wiki.cacert.org/wiki/CAcertIncorporated"><?=_("Association Membership")?></a> |
<a href="/policy/PrivacyPolicy.html"><?=_("Privacy Policy")?></a> | <a href="account.php?id=40"><?=_("Contact Us")?></a>
| &copy;2002-<?=date("Y")?> <?=_("by CAcert")?></div>
-</div>
-</body>
+</div>
+</body>
</html><?
}
-
- /**
- * Produces a log entry with the error message with log level E_USER_WARN
- * and a random ID an returns a message that can be displayed to the user
- * including the generated ID
- *
- * @param $errormessage string
- * The error message that should be logged
- * @return string containing the generated ID that can be displayed to the
- * user
- */
- function failWithId($errormessage) {
- $errorId = rand();
- trigger_error("$errormessage. ID: $errorId", E_USER_WARNING);
- return sprintf(_("Something went wrong when processing your request. ".
- "Please contact %s for help and provide them with the ".
- "following ID: %d"),
- "<a href='mailto:support@cacert.org?subject=System%20Error%20-%20".
- "ID%3A%20$errorId'>support@cacert.org</a>",
- $errorId);
- }
-
- /**
- * Checks whether the given CSR contains a vulnerable key
- *
- * @param $csr string
- * The CSR to be checked
- * @param $encoding string [optional]
- * The encoding the CSR is in (for the "-inform" parameter of OpenSSL,
- * currently only "PEM" (default) or "DER" allowed)
- * @return string containing the reason if the key is considered weak,
- * empty string otherwise
- */
- function checkWeakKeyCSR($csr, $encoding = "PEM")
- {
- // non-PEM-encodings may be binary so don't use echo
- $descriptorspec = array(
- 0 => array("pipe", "r"), // STDIN for child
- 1 => array("pipe", "w"), // STDOUT for child
- );
- $encoding = escapeshellarg($encoding);
- $proc = proc_open("openssl req -inform $encoding -text -noout",
- $descriptorspec, $pipes);
-
- if (is_resource($proc))
- {
- fwrite($pipes[0], $csr);
- fclose($pipes[0]);
-
- $csrText = "";
- while (!feof($pipes[1]))
- {
- $csrText .= fread($pipes[1], 8192);
- }
- fclose($pipes[1]);
-
- if (($status = proc_close($proc)) !== 0 || $csrText === "")
- {
- return _("I didn't receive a valid Certificate Request, hit ".
- "the back button and try again.");
- }
- } else {
- return failWithId("checkWeakKeyCSR(): Failed to start OpenSSL");
- }
-
-
- return checkWeakKeyText($csrText);
- }
-
- /**
- * Checks whether the given X509 certificate contains a vulnerable key
- *
- * @param $cert string
- * The X509 certificate to be checked
- * @param $encoding string [optional]
- * The encoding the certificate is in (for the "-inform" parameter of
- * OpenSSL, currently only "PEM" (default), "DER" or "NET" allowed)
- * @return string containing the reason if the key is considered weak,
- * empty string otherwise
- */
- function checkWeakKeyX509($cert, $encoding = "PEM")
- {
- // non-PEM-encodings may be binary so don't use echo
- $descriptorspec = array(
- 0 => array("pipe", "r"), // STDIN for child
- 1 => array("pipe", "w"), // STDOUT for child
- );
- $encoding = escapeshellarg($encoding);
- $proc = proc_open("openssl x509 -inform $encoding -text -noout",
- $descriptorspec, $pipes);
-
- if (is_resource($proc))
- {
- fwrite($pipes[0], $cert);
- fclose($pipes[0]);
-
- $certText = "";
- while (!feof($pipes[1]))
- {
- $certText .= fread($pipes[1], 8192);
- }
- fclose($pipes[1]);
-
- if (($status = proc_close($proc)) !== 0 || $certText === "")
- {
- return _("I didn't receive a valid Certificate Request, hit ".
- "the back button and try again.");
- }
- } else {
- return failWithId("checkWeakKeyCSR(): Failed to start OpenSSL");
- }
-
-
- return checkWeakKeyText($certText);
- }
-
- /**
- * Checks whether the given SPKAC contains a vulnerable key
- *
- * @param $spkac string
- * The SPKAC to be checked
- * @param $spkacname string [optional]
- * The name of the variable that contains the SPKAC. The default is
- * "SPKAC"
- * @return string containing the reason if the key is considered weak,
- * empty string otherwise
- */
- function checkWeakKeySPKAC($spkac, $spkacname = "SPKAC")
- {
- /* Check for the debian OpenSSL vulnerability */
-
- $spkac = escapeshellarg($spkac);
- $spkacname = escapeshellarg($spkacname);
- $spkacText = `echo $spkac | openssl spkac -spkac $spkacname`;
- if ($spkacText === null) {
- return _("I didn't receive a valid Certificate Request, hit the ".
- "back button and try again.");
- }
-
- return checkWeakKeyText($spkacText);
- }
-
- /**
- * Checks whether the given text representation of a CSR or a SPKAC contains
- * a weak key
- *
- * @param $text string
- * The text representation of a key as output by the
- * "openssl <foo> -text -noout" commands
- * @return string containing the reason if the key is considered weak,
- * empty string otherwise
- */
- function checkWeakKeyText($text)
- {
- /* Which public key algorithm? */
- if (!preg_match('/^\s*Public Key Algorithm: ([^\s]+)$/m', $text,
- $algorithm))
- {
- return failWithId("checkWeakKeyText(): Couldn't extract the ".
- "public key algorithm used");
- } else {
- $algorithm = $algorithm[1];
- }
-
-
- if ($algorithm === "rsaEncryption")
- {
- if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m', $text,
- $keysize))
- {
- return failWithId("checkWeakKeyText(): Couldn't parse the RSA ".
- "key size");
- } else {
- $keysize = intval($keysize[1]);
- }
-
- if ($keysize < 1024)
- {
- return sprintf(_("The keys that you use are very small ".
- "and therefore insecure. Please generate stronger ".
- "keys. More information about this issue can be ".
- "found in %sthe wiki%s"),
- "<a href='//wiki.cacert.org/WeakKeys#SmallKey'>",
- "</a>");
- } elseif ($keysize < 2048) {
- // not critical but log so we have some statistics about
- // affected users
- trigger_error("checkWeakKeyText(): Certificate for small ".
- "key (< 2048 bit) requested", E_USER_NOTICE);
- }
-
-
- $debianVuln = checkDebianVulnerability($text, $keysize);
- if ($debianVuln === true)
- {
- return sprintf(_("The keys you use have very likely been ".
- "generated with a vulnerable version of OpenSSL which ".
- "was distributed by debian. Please generate new keys. ".
- "More information about this issue can be found in ".
- "%sthe wiki%s"),
- "<a href='//wiki.cacert.org/WeakKeys#DebianVulnerability'>",
- "</a>");
- } elseif ($debianVuln === false) {
- // not vulnerable => do nothing
- } else {
- return failWithId("checkWeakKeyText(): Something went wrong in".
- "checkDebianVulnerability()");
- }
-
- if (!preg_match('/^\s*Exponent: (\d+) \(0x[0-9a-fA-F]+\)$/m', $text,
- $exponent))
- {
- return failWithId("checkWeakKeyText(): Couldn't parse the RSA ".
- "exponent");
- } else {
- $exponent = $exponent[1]; // exponent might be very big =>
- //handle as string using bc*()
-
- if (bccomp($exponent, "3") === 0)
- {
- return sprintf(_("The keys you use might be insecure. ".
- "Although there is currently no known attack for ".
- "reasonable encryption schemes, we're being ".
- "cautious and don't allow certificates for such ".
- "keys. Please generate stronger keys. More ".
- "information about this issue can be found in ".
- "%sthe wiki%s"),
- "<a href='//wiki.cacert.org/WeakKeys#SmallExponent'>",
- "</a>");
- } elseif (!(bccomp($exponent, "65537") >= 0 &&
- (bccomp($exponent, "100000") === -1 ||
- // speed things up if way smaller than 2^256
- bccomp($exponent, bcpow("2", "256")) === -1) )) {
- // 65537 <= exponent < 2^256 recommended by NIST
- // not critical but log so we have some statistics about
- // affected users
- trigger_error("checkWeakKeyText(): Certificate for ".
- "unsuitable exponent '$exponent' requested",
- E_USER_NOTICE);
- }
- }
- }
-
- /* No weakness found */
- return "";
- }
-
- /**
- * Reimplement the functionality of the openssl-vulnkey tool
- *
- * @param $text string
- * The text representation of a key as output by the
- * "openssl <foo> -text -noout" commands
- * @param $keysize int [optional]
- * If the key size is already known it can be provided so it doesn't
- * have to be parsed again. This also skips the check whether the key
- * is an RSA key => use wisely
- * @return TRUE if key is vulnerable, FALSE otherwise, NULL in case of error
- */
- function checkDebianVulnerability($text, $keysize = 0)
- {
- $keysize = intval($keysize);
-
- if ($keysize === 0)
- {
- /* Which public key algorithm? */
- if (!preg_match('/^\s*Public Key Algorithm: ([^\s]+)$/m', $text,
- $algorithm))
- {
- trigger_error("checkDebianVulnerability(): Couldn't extract ".
- "the public key algorithm used", E_USER_WARNING);
- return null;
- } else {
- $algorithm = $algorithm[1];
- }
-
- if ($algorithm !== "rsaEncryption") return false;
-
- /* Extract public key size */
- if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m', $text,
- $keysize))
- {
- trigger_error("checkDebianVulnerability(): Couldn't parse the ".
- "RSA key size", E_USER_WARNING);
- return null;
- } else {
- $keysize = intval($keysize[1]);
- }
- }
-
- // $keysize has been made sure to contain an int
- $blacklist = "/usr/share/openssl-blacklist/blacklist.RSA-$keysize";
- if (!(is_file($blacklist) && is_readable($blacklist)))
- {
- if (in_array($keysize, array(512, 1024, 2048, 4096)))
- {
- trigger_error("checkDebianVulnerability(): Blacklist for ".
- "$keysize bit keys not accessible. Expected at ".
- "$blacklist", E_USER_ERROR);
- return null;
- }
-
- trigger_error("checkDebianVulnerability(): $blacklist is not ".
- "readable. Unsupported key size?", E_USER_WARNING);
- return false;
- }
-
-
- /* Extract RSA modulus */
- if (!preg_match('/^\s*Modulus \(\d+ bit\):\n'.
- '((?:\s*[0-9a-f][0-9a-f]:(?:\n)?)+[0-9a-f][0-9a-f])$/m',
- $text, $modulus))
- {
- trigger_error("checkDebianVulnerability(): Couldn't extract the ".
- "RSA modulus", E_USER_WARNING);
- return null;
- } else {
- $modulus = $modulus[1];
- // strip whitespace and colon leftovers
- $modulus = str_replace(array(" ", "\t", "\n", ":"), "", $modulus);
-
- // when using "openssl xxx -text" first byte was 00 in all my test
- // cases but 00 not present in the "openssl xxx -modulus" output
- if ($modulus[0] === "0" && $modulus[1] === "0")
- {
- $modulus = substr($modulus, 2);
- } else {
- trigger_error("checkDebianVulnerability(): First byte is not ".
- "zero", E_USER_NOTICE);
- }
-
- $modulus = strtoupper($modulus);
- }
-
-
- /* calculate checksum and look it up in the blacklist */
- $checksum = substr(sha1("Modulus=$modulus\n"), 20);
-
- // $checksum and $blacklist should be safe, but just to make sure
- $checksum = escapeshellarg($checksum);
- $blacklist = escapeshellarg($blacklist);
- exec("grep $checksum $blacklist", $dummy, $debianVuln);
- if ($debianVuln === 0) // grep returned something => it is on the list
- {
- return true;
- } elseif ($debianVuln === 1) { // grep returned nothing
- return false;
- } else {
- trigger_error("checkDebianVulnerability(): Something went wrong ".
- "when looking up the key with checksum $checksum in the ".
- "blacklist $blacklist", E_USER_ERROR);
- return null;
- }
-
- // Should not get here
- return null;
- }
-?>
diff --git a/includes/general.php b/includes/general.php
index 4919c84..b1e1993 100644
--- a/includes/general.php
+++ b/includes/general.php
@@ -15,13 +15,16 @@
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
+
+ require_once(dirname(__FILE__)."/lib/general.php");
+
session_name("cacert");
session_start();
- session_register("_config");
- session_register("profile");
- session_register("signup");
- session_register("lostpw");
+// session_register("_config");
+// session_register("profile");
+// session_register("signup");
+// session_register("lostpw");
// if($_SESSION['profile']['id'] > 0)
// session_regenerate_id();
@@ -54,7 +57,7 @@
exit;
}
- if(array_key_exists('HTTP_HOST',$_SERVER) &&
+ if(array_key_exists('HTTP_HOST',$_SERVER) &&
($_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'] ||
$_SERVER['HTTP_HOST'] == $_SESSION['_config']['tverify']))
{
@@ -79,7 +82,7 @@
$locked = mysql_fetch_assoc(mysql_query("select `locked` from `users` where `id`='".$_SESSION['profile']['id']."'"));
if($locked['locked'] == 0)
{
- $query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' group by `to`";
+ $query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' and `deleted`=0 group by `to`";
$res = mysql_query($query);
$row = mysql_fetch_assoc($res);
$_SESSION['profile']['points'] = $row['total'];
@@ -166,19 +169,19 @@
$points++;
//echo "Points due to length and charset: $points<br/>";
-
+
// check for historical password proposal
if ($pwd === "Fr3d Sm|7h") {
return 0;
}
-
+
return $points;
}
function checkpw($pwd, $email, $fname, $mname, $lname, $suffix)
{
$points = checkpwlight($pwd);
-
+
if(@strstr(strtolower($pwd), strtolower($email)))
$points--;
@@ -215,7 +218,8 @@
//echo "Points due to name matches: $points<br/>";
- $do = `grep '$pwd' /usr/share/dict/american-english`;
+ $shellpwd = escapeshellarg($pwd);
+ $do = `grep $shellpwd /usr/share/dict/american-english`;
if($do)
$points--;
@@ -228,7 +232,7 @@
{
$bits = explode(": ", $_SESSION['_config']['subject'], 2);
$bits = str_replace(", ", "|", str_replace("/", "|", array_key_exists('1',$bits)?$bits['1']:""));
- $bits = explode("|", $bits);
+ $bits = explode("|", $bits);
$_SESSION['_config']['cnc'] = $_SESSION['_config']['subaltc'] = 0;
$_SESSION['_config']['OU'] = "";
@@ -487,10 +491,6 @@
return(0);
}
- if($points >= 300)
- return(200);
- if($points >= 200)
- return(150);
if($points >= 150)
return(35);
if($points >= 140)
@@ -536,23 +536,28 @@
$myemail = mysql_real_escape_string($email);
if(preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\+\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/" , $email))
{
- list($username,$domain)=split('@',$email);
+ list($username,$domain)=explode('@',$email,2);
$dom = escapeshellarg($domain);
$line = trim(`dig +short MX $dom 2>&1`);
#echo $email."-$dom-$line-\n";
#echo `dig +short mx heise.de 2>&1`."-<br>\n";
$list = explode("\n", $line);
- foreach($list as $row)
- list($pri, $mxhosts[]) = explode(" ", substr(trim($row), 0, -1));
+ foreach($list as $row) {
+ if(!strstr($row, " ")) {
+ continue;
+ }
+ list($pri, $mxhosts[]) = explode(" ", trim($row), 2);
+ }
$mxhosts[] = $domain;
-#print_r($mxhosts); die;
+ array_walk($mxhosts, function(&$mx) { $mx = trim($mx, '.'); } );
+
foreach($mxhosts as $key => $domain)
{
$fp = @fsockopen($domain,25,$errno,$errstr,5);
if($fp)
{
-
+
$line = fgets($fp, 4096);
while(substr($line, 0, 4) == "220-")
$line = fgets($fp, 4096);
@@ -657,7 +662,7 @@
return $ticket;
}
- function sanitizeHTML($input)
+ function sanitizeHTML($input)
{
return htmlentities(strip_tags($input), ENT_QUOTES);
//In case of problems, please use the following line again:
@@ -727,38 +732,8 @@
$text=preg_replace("/[^\w-.@]/","",$text);
return($text);
}
-
- // returns 0 if $userID is an Assurer
- // Otherwise :
- // Bit 0 is always set
- // Bit 1 is set if 100 Assurance Points are not reached
- // Bit 2 is set if Assurer Test is missing
- // Bit 3 is set if the user is not allowed to be an Assurer (assurer_blocked > 0)
- function get_assurer_status($userID)
- {
- $Result = 0;
- $query = mysql_query('SELECT * FROM `cats_passed` AS `tp`, `cats_variant` AS `cv` '.
- ' WHERE `tp`.`variant_id` = `cv`.`id` AND `cv`.`type_id` = 1 AND `tp`.`user_id` = \''.(int)intval($userID).'\'');
- if(mysql_num_rows($query) < 1)
- {
- $Result |= 5;
- }
-
- $query = mysql_query('SELECT SUM(`points`) AS `points` FROM `notary` AS `n` WHERE `n`.`to` = \''.(int)intval($userID).'\' AND `n`.`expire` < now()');
- $row = mysql_fetch_assoc($query);
- if ($row['points'] < 100) {
- $Result |= 3;
- }
-
- $query = mysql_query('SELECT `assurer_blocked` FROM `users` WHERE `id` = \''.(int)intval($userID).'\'');
- $row = mysql_fetch_assoc($query);
- if ($row['assurer_blocked'] > 0) {
- $Result |= 9;
- }
-
- return $Result;
- }
-
+
+
// returns text message to be shown to the user given the result of is_no_assurer
function no_assurer_text($Status)
{
@@ -800,7 +775,7 @@
$name="../$type/$kind/".intval($id/1000)."/$kind-".intval($id).".$type";
if (!is_dir("../csr")) { mkdir("../csr",0777); }
if (!is_dir("../crt")) { mkdir("../crt",0777); }
-
+
if (!is_dir("../csr/$kind")) { mkdir("../csr/$kind",0777); }
if (!is_dir("../crt/$kind")) { mkdir("../crt/$kind",0777); }
if (!is_dir("../csr/$kind/".intval($id/1000))) { mkdir("../csr/$kind/".intval($id/1000)); }
@@ -827,4 +802,5 @@
return $res;
}
+
?>
diff --git a/includes/keygen.php b/includes/keygen.php
new file mode 100644
index 0000000..2713a81
--- /dev/null
+++ b/includes/keygen.php
@@ -0,0 +1,128 @@
+<? /*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2011 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/
+
+if (array_key_exists('HTTP_USER_AGENT',$_SERVER) && strstr($_SERVER['HTTP_USER_AGENT'], "MSIE")) { ?>
+
+ <noscript>
+ <p><?=_('You have to enable JavaScript to generate certificates in the browser.')?></p>
+ <p><?=_('If you don\'t want to do that for any reason, you can use '.
+ 'manually created certificate requests instead.')?></p>
+ </noscript>
+
+ <div id="noActiveX" style="color:red">
+ <p><?=_('Could not initialize ActiveX object required for certificate generation.')?></p>
+ <p><?=_('You have to enable ActiveX for this to work. On Windows Vista, Windows 7 and '.
+ 'later versions you have to add this website to the list of trusted sites '.
+ 'in the internet settings.')?></p>
+ <p><?php
+ printf(_('Go to "Extras -> Internet Options -> Security -> Trusted '.
+ 'Websites", click on "Custom Level", set "ActiveX control '.
+ 'elements that are not marked as safe initialized on start in '.
+ 'scripts" to "Confirm" and click "OK". Now click "Sites", add '.
+ '"%s" and "%s" to your list of trusted sites and make the '.
+ 'changes come into effect by clicking "Close" and "OK".'),
+ 'https://'.$_SESSION['_config']['normalhostname'],
+ 'https://'.$_SESSION['_config']['securehostname'])?>
+ </p>
+ </div>
+
+ <form method="post" style="display:none" action="account.php"
+ id="CertReqForm">
+ <input type="hidden" name="oldid" value="<?=intval($id)?>" />
+ <input type="hidden" id="CSR" name="CSR" />
+ <input type="hidden" name="keytype" value="MS" />
+
+ <p><?=_('Security level')?>:
+ <select id="SecurityLevel">
+ <option value="high" selected="selected"><?=_('High')?></option>
+ <option value="medium"><?=_('Medium')?></option>
+ <option value="custom"><?=_('Custom')?>&hellip;</option>
+ </select>
+ </p>
+
+ <fieldset id="customSettings" style="display:none">
+ <legend><?=_('Custom Parameters')?></legend>
+
+ <p><?=_('Cryptography Provider')?>:
+ <select id="CspProvider"></select>
+ </p>
+ <p><?=_('Algorithm')?>: <select id="algorithm"></select></p>
+ <p><?=_('Keysize')?>:
+ <input id="keySize" type="number" />
+ <?=_('Minimum Size')?>: <span id="keySizeMin"></span>,
+ <?=_('Maximum Size')?>: <span id="keySizeMax"></span>,
+ <?php
+ // TRANSLATORS: this specifies the step between two valid key
+ // sizes. E.g. if the step is 512 and the minimum is 1024 and
+ // the maximum is 2048, then only 1024, 1536 and 2048 bits may
+ // be specified as key size.
+ echo _('Step')?>: <span id="keySizeStep"></span></p>
+ <p style="color:red"><?php
+ printf(_('Please note that RSA key sizes smaller than %d bit '.
+ 'will not be accepted by CAcert.'),
+ 2048)?>
+ </p>
+ </fieldset>
+
+ <p><input type="submit" id="GenReq" name="GenReq" value="<?=_('Create Certificate')?>" /></p>
+ <p id="generatingKeyNotice" style="display:none">
+ <?=_('Generating your key. Please wait')?>&hellip;</p>
+ </form>
+
+ <!-- Error messages used in the JavaScript. Defined here so they can be
+ translated without passing the JavaScript code through PHP -->
+ <p id="createRequestErrorChooseAlgorithm" style="display:none">
+ <?=_('Could not generate certificate request. Probably you need to '.
+ 'choose a different algorithm.')?>
+ </p>
+ <p id="createRequestErrorConfirmDialogue" style="display:none">
+ <?=_('Could not generate certificate request. Please confirm the '.
+ 'dialogue if you are asked if you want to generate the key.')?>
+ </p>
+ <p id="createRequestErrorConnectDevice" style="display:none">
+ <?=_('Could not generate certificate request. Please make sure the '.
+ 'cryptography device (e.g. the smartcard) is connected.')?>
+ </p>
+ <p id="createRequestError" style="display:none">
+ <?=_('Could not generate certificate request.')?>
+ </p>
+ <p id="invalidKeySizeError" style="display:none">
+ <?=_('You have specified an invalid key size')?>
+ </p>
+ <p id="unsupportedPlatformError" style="display:none">
+ <?=_('Could not initialize the cryptographic module for your '.
+ 'platform. Currently we support Microsoft Windows XP, Vista '.
+ 'and 7. If you\'re using one of these platforms and see this '.
+ 'error message anyway you might have to enable ActiveX as '.
+ 'described in the red explanation text and accept loading of '.
+ 'the module.')?>
+ </p>
+
+ <script type="text/javascript" src="keygenIE.js"></script>
+
+<? } else { ?>
+ <p>
+ <form method="post" action="account.php">
+ <input type="hidden" name="keytype" value="NS">
+ <?=_("Keysize:")?> <keygen name="SPKAC" challenge="<? $_SESSION['spkac_hash']=make_hash(); echo $_SESSION['spkac_hash']; ?>">
+
+ <input type="submit" name="submit" value="<?=_("Create Certificate Request")?>">
+ <input type="hidden" name="oldid" value="<?=intval($id)?>">
+ </form>
+ </p>
+<? }
diff --git a/includes/lib/account.php b/includes/lib/account.php
index f7a24fa..e311668 100644
--- a/includes/lib/account.php
+++ b/includes/lib/account.php
@@ -17,32 +17,79 @@
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
-function fix_assurer_flag($userID)
+/**
+ * Function to recalculate the cached Assurer status
+ *
+ * @param int $userID
+ * if the user ID is not given the flag will be recalculated for all users
+ *
+ * @return bool
+ * false if there was an error on fixing the flag. This does NOT return the
+ * new value of the flag
+ */
+function fix_assurer_flag($userID = NULL)
{
- // Update Assurer-Flag on users table if 100 points.
- // Should the number of points be SUM(points) or SUM(awarded)?
- $query = mysql_query('UPDATE `users` AS `u` SET `assurer` = 1 WHERE '.
- '`u`.`id` = \''.(int)intval($userID).'\' AND '.
- 'EXISTS(SELECT 1 FROM `cats_passed` AS `cp`, `cats_variant` AS `cv` '.
- 'WHERE `cp`.`variant_id` = `cv`.`id` AND `cv`.`type_id` = 1 AND '.
- '`cp`.`user_id` = `u`.`id`) AND '.
- '(SELECT SUM(`points`) FROM `notary` AS `n` WHERE `n`.`to` = `u`.`id` '.
- 'AND (`n`.`expire` > now() OR `n`.`expire` IS NULL)) >= 100');
- // Challenge has been passed and non-expired points >= 100
+ // Update Assurer-Flag on users table if 100 points and CATS passed.
+ //
+ // We may have some performance issues here if no userID is given
+ // there are ~150k assurances and ~220k users currently
+ // but the exists-clause on cats_passed should be a good filter
+ $sql = '
+ UPDATE `users` AS `u` SET `assurer` = 1
+ WHERE '.(
+ ($userID === NULL) ?
+ '`u`.`assurer` = 0' :
+ '`u`.`id` = \''.intval($userID).'\''
+ ).'
+ AND EXISTS(
+ SELECT 1 FROM `cats_passed` AS `cp`, `cats_variant` AS `cv`
+ WHERE `cp`.`variant_id` = `cv`.`id`
+ AND `cv`.`type_id` = 1
+ AND `cp`.`user_id` = `u`.`id`
+ )
+ AND (
+ SELECT SUM(`points`) FROM `notary` AS `n`
+ WHERE `n`.`to` = `u`.`id`
+ AND (`n`.`expire` > now()
+ OR `n`.`expire` IS NULL)
+ ) >= 100';
+ $query = mysql_query($sql);
if (!$query) {
return false;
}
-
+ // Challenge has been passed and non-expired points >= 100
+
// Reset flag if requirements are not met
- $query = mysql_query('UPDATE `users` AS `u` SET `assurer` = 0 WHERE '.
- '`u`.`id` = \''.(int)intval($userID).'\' AND '.
- '(NOT EXISTS(SELECT 1 FROM `cats_passed` AS `cp`, `cats_variant` AS '.
- '`cv` WHERE `cp`.`variant_id` = `cv`.`id` AND `cv`.`type_id` = 1 '.
- 'AND `cp`.`user_id` = `u`.`id`) OR '.
- '(SELECT SUM(`points`) FROM `notary` AS `n` WHERE `n`.`to` = `u`.`id` '.
- 'AND (`n`.`expire` > now() OR `n`.`expire` IS NULL)) < 100)');
+ //
+ // Also a bit performance critical but assurer flag is only set on
+ // ~5k accounts
+ $sql = '
+ UPDATE `users` AS `u` SET `assurer` = 0
+ WHERE '.(
+ ($userID === NULL) ?
+ '`u`.`assurer` <> 0' :
+ '`u`.`id` = \''.intval($userID).'\''
+ ).'
+ AND (
+ NOT EXISTS(
+ SELECT 1 FROM `cats_passed` AS `cp`,
+ `cats_variant` AS `cv`
+ WHERE `cp`.`variant_id` = `cv`.`id`
+ AND `cv`.`type_id` = 1
+ AND `cp`.`user_id` = `u`.`id`
+ )
+ OR (
+ SELECT SUM(`points`) FROM `notary` AS `n`
+ WHERE `n`.`to` = `u`.`id`
+ AND (
+ `n`.`expire` > now()
+ OR `n`.`expire` IS NULL
+ )
+ ) < 100
+ )';
+ $query = mysql_query($sql);
if (!$query) {
return false;
}
diff --git a/includes/lib/check_weak_key.php b/includes/lib/check_weak_key.php
new file mode 100644
index 0000000..217b885
--- /dev/null
+++ b/includes/lib/check_weak_key.php
@@ -0,0 +1,318 @@
+<?php /*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2011 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/
+
+// failWithId()
+require_once 'general.php';
+
+
+/**
+* Checks whether the given CSR contains a vulnerable key
+*
+* @param $csr string
+* The CSR to be checked
+* @param $encoding string [optional]
+* The encoding the CSR is in (for the "-inform" parameter of OpenSSL,
+* currently only "PEM" (default) or "DER" allowed)
+* @return string containing the reason if the key is considered weak,
+* empty string otherwise
+*/
+function checkWeakKeyCSR($csr, $encoding = "PEM")
+{
+ $encoding = escapeshellarg($encoding);
+ $status = runCommand("openssl req -inform $encoding -text -noout",
+ $csr, $csrText);
+ if ($status === true) {
+ return failWithId("checkWeakKeyCSR(): Failed to start OpenSSL");
+ }
+
+ if ($status !== 0 || $csrText === "") {
+ return _("I didn't receive a valid Certificate Request. Hit ".
+ "the back button and try again.");
+ }
+
+ return checkWeakKeyText($csrText);
+}
+
+/**
+ * Checks whether the given X509 certificate contains a vulnerable key
+ *
+ * @param $cert string
+ * The X509 certificate to be checked
+ * @param $encoding string [optional]
+ * The encoding the certificate is in (for the "-inform" parameter of
+ * OpenSSL, currently only "PEM" (default), "DER" or "NET" allowed)
+ * @return string containing the reason if the key is considered weak,
+ * empty string otherwise
+ */
+function checkWeakKeyX509($cert, $encoding = "PEM")
+{
+ $encoding = escapeshellarg($encoding);
+ $status = runCommand("openssl x509 -inform $encoding -text -noout",
+ $cert, $certText);
+ if ($status === true) {
+ return failWithId("checkWeakKeyX509(): Failed to start OpenSSL");
+ }
+
+ if ($status !== 0 || $certText === "") {
+ return _("I didn't receive a valid Certificate Request. Hit ".
+ "the back button and try again.");
+ }
+
+ return checkWeakKeyText($certText);
+}
+
+/**
+ * Checks whether the given SPKAC contains a vulnerable key
+ *
+ * @param $spkac string
+ * The SPKAC to be checked
+ * @param $spkacname string [optional]
+ * The name of the variable that contains the SPKAC. The default is
+ * "SPKAC"
+ * @return string containing the reason if the key is considered weak,
+ * empty string otherwise
+ */
+function checkWeakKeySPKAC($spkac, $spkacname = "SPKAC")
+{
+ $spkacname = escapeshellarg($spkacname);
+ $status = runCommand("openssl spkac -spkac $spkacname", $spkac, $spkacText);
+ if ($status === true) {
+ return failWithId("checkWeakKeySPKAC(): Failed to start OpenSSL");
+ }
+
+ if ($status !== 0 || $spkacText === "") {
+ return _("I didn't receive a valid Certificate Request. Hit the ".
+ "back button and try again.");
+ }
+
+ return checkWeakKeyText($spkacText);
+}
+
+/**
+ * Checks whether the given text representation of a CSR or a SPKAC contains
+ * a weak key
+ *
+ * @param $text string
+ * The text representation of a key as output by the
+ * "openssl <foo> -text -noout" commands
+ * @return string containing the reason if the key is considered weak,
+ * empty string otherwise
+ */
+function checkWeakKeyText($text)
+{
+ /* Which public key algorithm? */
+ if (!preg_match('/^\s*Public Key Algorithm: ([^\s]+)$/m', $text,
+ $algorithm))
+ {
+ return failWithId("checkWeakKeyText(): Couldn't extract the ".
+ "public key algorithm used.\nData:\n$text");
+ } else {
+ $algorithm = $algorithm[1];
+ }
+
+
+ if ($algorithm === "rsaEncryption")
+ {
+ if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m', $text,
+ $keysize))
+ {
+ return failWithId("checkWeakKeyText(): Couldn't parse the RSA ".
+ "key size.\nData:\n$text");
+ } else {
+ $keysize = intval($keysize[1]);
+ }
+
+ if ($keysize < 2048)
+ {
+ return sprintf(_("The keys that you use are very small ".
+ "and therefore insecure. Please generate stronger ".
+ "keys. More information about this issue can be ".
+ "found in %sthe wiki%s"),
+ "<a href='//wiki.cacert.org/WeakKeys#SmallKey'>",
+ "</a>");
+ }
+
+
+ $debianVuln = checkDebianVulnerability($text, $keysize);
+ if ($debianVuln === true)
+ {
+ return sprintf(_("The keys you use have very likely been ".
+ "generated with a vulnerable version of OpenSSL which ".
+ "was distributed by debian. Please generate new keys. ".
+ "More information about this issue can be found in ".
+ "%sthe wiki%s"),
+ "<a href='//wiki.cacert.org/WeakKeys#DebianVulnerability'>",
+ "</a>");
+ } elseif ($debianVuln === false) {
+ // not vulnerable => do nothing
+ } else {
+ return failWithId("checkWeakKeyText(): Something went wrong in".
+ "checkDebianVulnerability().\nKeysize: $keysize\n".
+ "Data:\n$text");
+ }
+
+ if (!preg_match('/^\s*Exponent: (\d+) \(0x[0-9a-fA-F]+\)$/m', $text,
+ $exponent))
+ {
+ return failWithId("checkWeakKeyText(): Couldn't parse the RSA ".
+ "exponent.\nData:\n$text");
+ } else {
+ $exponent = $exponent[1]; // exponent might be very big =>
+ //handle as string using bc*()
+
+ if (bccomp($exponent, "3") === 0)
+ {
+ return sprintf(_("The keys you use might be insecure. ".
+ "Although there is currently no known attack for ".
+ "reasonable encryption schemes, we're being ".
+ "cautious and don't allow certificates for such ".
+ "keys. Please generate stronger keys. More ".
+ "information about this issue can be found in ".
+ "%sthe wiki%s"),
+ "<a href='//wiki.cacert.org/WeakKeys#SmallExponent'>",
+ "</a>");
+ } elseif (!(bccomp($exponent, "65537") >= 0 &&
+ (bccomp($exponent, "100000") === -1 ||
+ // speed things up if way smaller than 2^256
+ bccomp($exponent, bcpow("2", "256")) === -1) )) {
+ // 65537 <= exponent < 2^256 recommended by NIST
+ // not critical but log so we have some statistics about
+ // affected users
+ trigger_error("checkWeakKeyText(): Certificate for ".
+ "unsuitable exponent '$exponent' requested",
+ E_USER_NOTICE);
+ }
+ }
+ }
+
+ /* No weakness found */
+ return "";
+}
+
+/**
+ * Reimplement the functionality of the openssl-vulnkey tool
+ *
+ * @param $text string
+ * The text representation of a key as output by the
+ * "openssl <foo> -text -noout" commands
+ * @param $keysize int [optional]
+ * If the key size is already known it can be provided so it doesn't
+ * have to be parsed again. This also skips the check whether the key
+ * is an RSA key => use wisely
+ * @return TRUE if key is vulnerable, FALSE otherwise, NULL in case of error
+ */
+function checkDebianVulnerability($text, $keysize = 0)
+{
+ $keysize = intval($keysize);
+
+ if ($keysize === 0)
+ {
+ /* Which public key algorithm? */
+ if (!preg_match('/^\s*Public Key Algorithm: ([^\s]+)$/m', $text,
+ $algorithm))
+ {
+ trigger_error("checkDebianVulnerability(): Couldn't extract ".
+ "the public key algorithm used.\nData:\n$text",
+ E_USER_WARNING);
+ return null;
+ } else {
+ $algorithm = $algorithm[1];
+ }
+
+ if ($algorithm !== "rsaEncryption") return false;
+
+ /* Extract public key size */
+ if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m', $text,
+ $keysize))
+ {
+ trigger_error("checkDebianVulnerability(): Couldn't parse the ".
+ "RSA key size.\nData:\n$text", E_USER_WARNING);
+ return null;
+ } else {
+ $keysize = intval($keysize[1]);
+ }
+ }
+
+ // $keysize has been made sure to contain an int
+ $blacklist = "/usr/share/openssl-blacklist/blacklist.RSA-$keysize";
+ if (!(is_file($blacklist) && is_readable($blacklist)))
+ {
+ if (in_array($keysize, array(512, 1024, 2048, 4096)))
+ {
+ trigger_error("checkDebianVulnerability(): Blacklist for ".
+ "$keysize bit keys not accessible. Expected at ".
+ "$blacklist", E_USER_ERROR);
+ return null;
+ }
+
+ trigger_error("checkDebianVulnerability(): $blacklist is not ".
+ "readable. Unsupported key size?", E_USER_WARNING);
+ return false;
+ }
+
+
+ /* Extract RSA modulus */
+ if (!preg_match('/^\s*Modulus \(\d+ bit\):\n'.
+ '((?:\s*[0-9a-f][0-9a-f]:(?:\n)?)+[0-9a-f][0-9a-f])$/m',
+ $text, $modulus))
+ {
+ trigger_error("checkDebianVulnerability(): Couldn't extract the ".
+ "RSA modulus.\nData:\n$text", E_USER_WARNING);
+ return null;
+ } else {
+ $modulus = $modulus[1];
+ // strip whitespace and colon leftovers
+ $modulus = str_replace(array(" ", "\t", "\n", ":"), "", $modulus);
+
+ // when using "openssl xxx -text" first byte was 00 in all my test
+ // cases but 00 not present in the "openssl xxx -modulus" output
+ if ($modulus[0] === "0" && $modulus[1] === "0")
+ {
+ $modulus = substr($modulus, 2);
+ } else {
+ trigger_error("checkDebianVulnerability(): First byte is not ".
+ "zero", E_USER_NOTICE);
+ }
+
+ $modulus = strtoupper($modulus);
+ }
+
+
+ /* calculate checksum and look it up in the blacklist */
+ $checksum = substr(sha1("Modulus=$modulus\n"), 20);
+
+ // $checksum and $blacklist should be safe, but just to make sure
+ $checksum = escapeshellarg($checksum);
+ $blacklist = escapeshellarg($blacklist);
+ $debianVuln = runCommand("grep $checksum $blacklist");
+ if ($debianVuln === 0) // grep returned something => it is on the list
+ {
+ return true;
+ } elseif ($debianVuln === 1) {
+ // grep returned nothing
+ return false;
+ } else {
+ trigger_error("checkDebianVulnerability(): Something went wrong ".
+ "when looking up the key with checksum $checksum in the ".
+ "blacklist $blacklist", E_USER_ERROR);
+ return null;
+ }
+
+ // Should not get here
+ return null;
+}
diff --git a/includes/lib/general.php b/includes/lib/general.php
index 25d2561..85b132d 100644
--- a/includes/lib/general.php
+++ b/includes/lib/general.php
@@ -47,4 +47,117 @@ function get_user_id_from_cert($serial, $issuer_cn)
return -1;
}
-?>
+/**
+ * Produces a log entry with the error message with log level E_USER_WARN
+ * and a random ID an returns a message that can be displayed to the user
+ * including the generated ID
+ *
+ * @param $errormessage string
+ * The error message that should be logged
+ * @return string containing the generated ID that can be displayed to the
+ * user
+ */
+function failWithId($errormessage) {
+ $errorId = rand();
+ trigger_error("$errormessage. ID: $errorId", E_USER_WARNING);
+ return sprintf(_("Something went wrong when processing your request. ".
+ "Please contact %s for help and provide them with the ".
+ "following ID: %d"),
+ "<a href='mailto:support@cacert.org?subject=System%20Error%20-%20".
+ "ID%3A%20$errorId'>support@cacert.org</a>",
+ $errorId);
+}
+
+
+/**
+ * Runs a command on the shell and return it's exit code and output
+ *
+ * @param string $command
+ * The command to run. Make sure that you escapeshellarg() any non-constant
+ * parts as this is executed on a shell!
+ * @param string|bool $input
+ * The input that is passed to the command via STDIN, if true the real
+ * STDIN is passed through
+ * @param string|bool $output
+ * The output the command wrote to STDOUT (this is passed as reference),
+ * if true the output will be written to the real STDOUT. Output is ignored
+ * by default
+ * @param string|bool $errors
+ * The output the command wrote to STDERR (this is passed as reference),
+ * if true (default) the output will be written to the real STDERR
+ *
+ * @return int|bool
+ * The exit code of the command, true if the execution of the command
+ * failed (true because then
+ * <code>if (runCommand('echo "foo"')) handle_error();</code> will work)
+ */
+function runCommand($command, $input = "", &$output = null, &$errors = true) {
+ $descriptorspec = array();
+
+ if ($input !== true) {
+ $descriptorspec[0] = array("pipe", "r"); // STDIN for child
+ }
+
+ if ($output !== true) {
+ $descriptorspec[1] = array("pipe", "w"); // STDOUT for child
+ }
+
+ if ($errors !== true) {
+ $descriptorspec[2] = array("pipe", "w"); // STDERR for child
+ }
+
+ $proc = proc_open($command, $descriptorspec, $pipes);
+
+ if (is_resource($proc))
+ {
+ if ($input !== true) {
+ fwrite($pipes[0], $input);
+ fclose($pipes[0]);
+ }
+
+ if ($output !== true) {
+ $output = stream_get_contents($pipes[1]);
+ }
+
+ if ($errors !== true) {
+ $errors = stream_get_contents($pipes[2]);
+ }
+
+ return proc_close($proc);
+
+ } else {
+ return true;
+ }
+}
+
+ // returns 0 if $userID is an Assurer
+ // Otherwise :
+ // Bit 0 is always set
+ // Bit 1 is set if 100 Assurance Points are not reached
+ // Bit 2 is set if Assurer Test is missing
+ // Bit 3 is set if the user is not allowed to be an Assurer (assurer_blocked > 0)
+ function get_assurer_status($userID)
+ {
+ $Result = 0;
+ $query = mysql_query('SELECT * FROM `cats_passed` AS `tp`, `cats_variant` AS `cv` '.
+ ' WHERE `tp`.`variant_id` = `cv`.`id` AND `cv`.`type_id` = 1 AND `tp`.`user_id` = \''.(int)intval($userID).'\'');
+ if(mysql_num_rows($query) < 1)
+ {
+ $Result |= 5;
+ }
+
+ $query = mysql_query('SELECT SUM(`points`) AS `points` FROM `notary` AS `n` WHERE `n`.`to` = \''.(int)intval($userID).'\' AND `n`.`expire` < now()');
+ $row = mysql_fetch_assoc($query);
+ if ($row['points'] < 100) {
+ $Result |= 3;
+ }
+
+ $query = mysql_query('SELECT `assurer_blocked` FROM `users` WHERE `id` = \''.(int)intval($userID).'\'');
+ $row = mysql_fetch_assoc($query);
+ if ($row['assurer_blocked'] > 0) {
+ $Result |= 9;
+ }
+
+ return $Result;
+ }
+ \ No newline at end of file
diff --git a/includes/loggedin.php b/includes/loggedin.php
index 5734fad..03de18c 100644
--- a/includes/loggedin.php
+++ b/includes/loggedin.php
@@ -18,20 +18,29 @@
include_once("../includes/lib/general.php");
require_once("../includes/lib/l10n.php");
+ include_once("../includes/mysql.php");
+
+ if(!isset($_SESSION['profile']) || !is_array($_SESSION['profile'])) {
+ $_SESSION['profile'] = array( 'id' => 0, 'loggedin' => 0 );
+ }
+ if(!isset($_SESSION['profile']['id']) || !isset($_SESSION['profile']['loggedin'])) {
+ $_SESSION['profile']['id'] = 0;
+ $_SESSION['profile']['loggedin'] = 0;
+ }
if($_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'] && $_SESSION['profile']['id'] > 0 && $_SESSION['profile']['loggedin'] != 0)
{
$uid = $_SESSION['profile']['id'];
$_SESSION['profile']['loggedin'] = 0;
$_SESSION['profile'] = "";
- foreach($_SESSION as $key)
+ foreach($_SESSION as $key => $value)
{
- if($key == '_config')
+ if($key == '_config' || $key == 'mconn' || 'csrf_' == substr($key, 0, 5))
continue;
if(is_int($key) || is_string($key))
unset($_SESSION[$key]);
- unset($$key);
- session_unregister($key);
+ unset($$key);
+ //session_unregister($key);
}
$_SESSION['profile'] = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='$uid'"));
@@ -40,7 +49,7 @@
else
unset($_SESSION['profile']);
}
-
+
if($_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'] && ($_SESSION['profile']['id'] == 0 || $_SESSION['profile']['loggedin'] == 0))
{
$user_id = get_user_id_from_cert($_SERVER['SSL_CLIENT_M_SERIAL'],
@@ -50,14 +59,14 @@
{
$_SESSION['profile']['loggedin'] = 0;
$_SESSION['profile'] = "";
- foreach($_SESSION as $key)
+ foreach($_SESSION as $key => $value)
{
- if($key == '_config')
+ if($key == '_config' || $key == 'mconn' || 'csrf_' == substr($key, 0, 5))
continue;
if(is_int($key) || is_string($key))
unset($_SESSION[$key]);
- unset($$key);
- session_unregister($key);
+ unset($$key);
+ //session_unregister($key);
}
$_SESSION['profile'] = mysql_fetch_assoc(mysql_query(
@@ -69,16 +78,16 @@
} else {
$_SESSION['profile']['loggedin'] = 0;
$_SESSION['profile'] = "";
- foreach($_SESSION as $key)
+ foreach($_SESSION as $key => $value)
{
- if($key == '_config')
+ if($key == '_config' || $key == 'mconn' || 'csrf_' == substr($key, 0, 5))
continue;
- unset($_SESSION[$key]);
- unset($$key);
- session_unregister($key);
+ unset($_SESSION[$key]);
+ unset($$key);
+ //session_unregister($key);
}
- unset($_SESSION['_config']['oldlocation']);
+ $_SESSION['_config']['oldlocation'] = '';
foreach($_GET as $key => $val)
{
@@ -104,7 +113,7 @@
if($_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'] && $_SESSION['profile']['id'] > 0 && $_SESSION['profile']['loggedin'] > 0)
{
- $query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' group by `to`";
+ $query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' and `deleted`=0 group by `to`";
$res = mysql_query($query);
$row = mysql_fetch_assoc($res);
$_SESSION['profile']['points'] = $row['total'];
@@ -127,9 +136,9 @@
$_SESSION['profile'] = "";
foreach($_SESSION as $key => $value)
{
- unset($_SESSION[$key]);
- unset($$key);
- session_unregister($key);
+ unset($_SESSION[$key]);
+ unset($$key);
+ //session_unregister($key);
}
header("location: https://".$normalhost."/index.php");
@@ -138,11 +147,11 @@
if($_SESSION['profile']['loggedin'] < 1)
{
- unset($_SESSION['_config']['oldlocation']);
+ $_SESSION['_config']['oldlocation'] = '';
foreach($_REQUEST as $key => $val)
{
- if($_SESSION['_config']['oldlocation'])
+ if('' != $_SESSION['_config']['oldlocation'])
$_SESSION['_config']['oldlocation'] .= "&";
$key = str_replace(array("\n", "\r"), '', $key);
diff --git a/includes/mysql.php.sample b/includes/mysql.php.sample
index ff5cfc3..10185fc 100644
--- a/includes/mysql.php.sample
+++ b/includes/mysql.php.sample
@@ -28,7 +28,7 @@
function sendmail($to, $subject, $message, $from, $replyto = "", $toname = "", $fromname = "", $errorsto = "returns@cacert.org", $extra="")
{
- $lines = explode('\n', $message);
+ $lines = explode("\n", $message);
$message = "";
foreach($lines as $line)
{
@@ -64,7 +64,8 @@
fputs($smtp, "DATA\r\n");
$InputBuffer = fgets($smtp, 1024);
fputs($smtp, "X-Mailer: CAcert.org Website\r\n");
- fputs($smtp, "X-OriginatingIP: ".$_SERVER["REMOTE_ADDR"]."\r\n");
+ if (array_key_exists("REMOTE_ADDR", $_SERVER))
+ fputs($smtp, "X-OriginatingIP: ".$_SERVER["REMOTE_ADDR"]."\r\n");
fputs($smtp, "Sender: $errorsto\r\n");
fputs($smtp, "Errors-To: $errorsto\r\n");
if($replyto != "")
diff --git a/includes/notary.inc.php b/includes/notary.inc.php
index cc0e0eb..0695450 100644
--- a/includes/notary.inc.php
+++ b/includes/notary.inc.php
@@ -14,7 +14,7 @@
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-*/
+*/
function query_init ($query)
{
@@ -35,7 +35,16 @@
function get_number_of_assurances ($userid)
{
$res = query_init ("SELECT count(*) AS `list` FROM `notary`
- WHERE `method` = 'Face to Face Meeting' AND `from`='".intval($userid)."' ");
+ WHERE `method` = 'Face to Face Meeting' AND `deleted`=0 AND `from`='".intval($userid)."' ");
+ $row = query_getnextrow($res);
+
+ return intval($row['list']);
+ }
+
+ function get_number_of_ttpassurances ($userid)
+ {
+ $res = query_init ("SELECT count(*) AS `list` FROM `notary`
+ WHERE (`method`='Trusted Third Parties' or `method`='TTP-Assisted') AND `deleted`=0 AND `to`='".intval($userid)."' ");
$row = query_getnextrow($res);
return intval($row['list']);
@@ -44,7 +53,7 @@
function get_number_of_assurees ($userid)
{
$res = query_init ("SELECT count(*) AS `list` FROM `notary`
- WHERE `method` = 'Face to Face Meeting' AND `to`='".intval($userid)."' ");
+ WHERE `method` = 'Face to Face Meeting' AND `deleted`=0 AND `to`='".intval($userid)."' ");
$row = query_getnextrow($res);
return intval($row['list']);
@@ -52,8 +61,8 @@
function get_top_assurer_position ($no_of_assurances)
{
- $res = query_init ("SELECT count(*) AS `list` FROM `notary`
- WHERE `method` = 'Face to Face Meeting'
+ $res = query_init ("SELECT count(*) AS `list` FROM `notary`
+ WHERE `method` = 'Face to Face Meeting'
GROUP BY `from` HAVING count(*) > '".intval($no_of_assurances)."'");
return intval(query_get_number_of_rows($res)+1);
}
@@ -66,27 +75,49 @@
return intval(query_get_number_of_rows($res)+1);
}
- function get_given_assurances ($userid)
+ /**
+ * get_given_assurances()
+ * returns the list of assurances given by the user
+ * @param mixed $userid - user id for the account for report
+ * @param integer $log - for log output = 1
+ * @return
+ */
+ function get_given_assurances ($userid, $log=0)
{
- $res = query_init ("select * from `notary` where `from`='".intval($userid)."' and `from` != `to` order by `id` asc");
+ $deleted='';
+ if ($log == 0) {
+ $deleted = ' and `deleted` = 0 ';
+ }
+ $res = query_init ("select * from `notary` where `from`='".intval($userid)."' and `from` != `to` $deleted order by `id` asc");
return $res;
}
- function get_received_assurances ($userid)
+ /**
+ * get_received_assurances()
+ * returns the list of assurances received by the user
+ * @param mixed $userid - user id for the account for report
+ * @param integer $log - for log output = 1
+ * @return
+ */
+ function get_received_assurances ($userid, $log=0)
{
- $res = query_init ("select * from `notary` where `to`='".intval($userid)."' and `from` != `to` order by `id` asc ");
+ $deleted='';
+ if ($log == 0) {
+ $deleted = ' and `deleted` = 0 ';
+ }
+ $res = query_init ("select * from `notary` where `to`='".intval($userid)."' and `from` != `to` $deleted order by `id` asc ");
return $res;
}
function get_given_assurances_summary ($userid)
{
- $res = query_init ("select count(*) as number,points,awarded,method from notary where `from`='".intval($userid)."' group by points,awarded,method");
+ $res = query_init ("select count(*) as number,points,awarded,method from notary where `from`='".intval($userid)."' AND `deleted`=0 group by points,awarded,method");
return $res;
}
-
+
function get_received_assurances_summary ($userid)
{
- $res = query_init ("select count(*) as number,points,awarded,method from notary where `to`='".intval($userid)."' group by points,awarded,method");
+ $res = query_init ("select count(*) as number,points,awarded,method from notary where `to`='".intval($userid)."' AND `deleted`=0 group by points,awarded,method");
return $res;
}
@@ -106,7 +137,7 @@
function calc_experience ($row,&$points,&$experience,&$sum_experience,&$revoked)
{
- $apoints = max($row['points'],$row['awarded']);
+ $apoints = max($row['points'], $row['awarded']);
$points += $apoints;
$experience = "&nbsp;";
$revoked = false; # to be coded later (after DB-upgrade)
@@ -129,7 +160,7 @@
$awarded = 100;
}
else
- $experience = 0;
+ $experience = 0;
switch ($row['method'])
{
@@ -192,15 +223,15 @@
?>
<table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper">
- <tr>
- <td class="title"><?=_("Assurer Ranking")?></td>
- </tr>
- <tr>
- <td class="DataTD"><?=sprintf(_("You have made %s assurances which ranks you as the #%s top assurer."), intval($num_of_assurances), intval($rank_of_assurer) )?></td>
- </tr>
- <tr>
- <td class="DataTD"><?=sprintf(_("You have received %s assurances which ranks you as the #%s top assuree."), intval($num_of_assurees), intval($rank_of_assuree) )?></td>
- </tr>
+ <tr>
+ <td class="title"><?=_("Assurer Ranking")?></td>
+ </tr>
+ <tr>
+ <td class="DataTD"><?=sprintf(_("You have made %s assurances which ranks you as the #%s top assurer."), intval($num_of_assurances), intval($rank_of_assurer) )?></td>
+ </tr>
+ <tr>
+ <td class="DataTD"><?=sprintf(_("You have received %s assurances which ranks you as the #%s top assuree."), intval($num_of_assurees), intval($rank_of_assuree) )?></td>
+ </tr>
</table>
<br/>
<?
@@ -210,119 +241,124 @@
{
?>
<table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper">
- <tr>
+ <tr>
<?
if ($support == "1")
{
?>
- <td colspan="10" class="title"><?=$title?></td>
+ <td colspan="10" class="title"><?=$title?></td>
<?
} else {
?>
- <td colspan="7" class="title"><?=$title?></td>
-<? }
+ <td colspan="7" class="title"><?=$title?></td>
+<?
+ }
?>
- </tr>
- <tr>
- <td class="DataTD"><strong><?=_("ID")?></strong></td>
- <td class="DataTD"><strong><?=_("Date")?></strong></td>
+ </tr>
+ <tr>
+ <td class="DataTD"><strong><?=_("ID")?></strong></td>
+ <td class="DataTD"><strong><?=_("Date")?></strong></td>
<?
if ($support == "1")
{
?>
- <td class="DataTD"><strong><?=_("When")?></strong></td>
- <td class="DataTD"><strong><?=_("Email")?></strong></td>
-<? } ?>
- <td class="DataTD"><strong><?=_("Who")?></strong></td>
- <td class="DataTD"><strong><?=_("Points")?></strong></td>
- <td class="DataTD"><strong><?=_("Location")?></strong></td>
- <td class="DataTD"><strong><?=_("Method")?></strong></td>
- <td class="DataTD"><strong><?=_("Experience Points")?></strong></td>
+ <td class="DataTD"><strong><?=_("When")?></strong></td>
+ <td class="DataTD"><strong><?=_("Email")?></strong></td>
+<?
+ }
+?>
+ <td class="DataTD"><strong><?=_("Who")?></strong></td>
+ <td class="DataTD"><strong><?=_("Points")?></strong></td>
+ <td class="DataTD"><strong><?=_("Location")?></strong></td>
+ <td class="DataTD"><strong><?=_("Method")?></strong></td>
+ <td class="DataTD"><strong><?=_("Experience Points")?></strong></td>
<?
if ($support == "1")
{
?>
- <td class="DataTD"><strong><?=_("Revoke")?></strong></td>
+ <td class="DataTD"><strong><?=_("Revoke")?></strong></td>
<?
}
?>
- </tr>
+ </tr>
<?
}
function output_assurances_footer($points_txt,$points,$experience_txt,$sumexperience,$support)
{
?>
- <tr>
- <td class="DataTD" colspan="5"><strong><?=$points_txt?>:</strong></td>
- <td class="DataTD"><?=$points?></td>
- <td class="DataTD">&nbsp;</td>
- <td class="DataTD"><strong><?=$experience_txt?>:</strong></td>
- <td class="DataTD"><?=$sumexperience?></td>
+ <tr>
+ <td<?=($support == "1")?' colspan="5"':' colspan="3"'?> class="DataTD"><strong><?=$points_txt?>:</strong></td>
+ <td class="DataTD"><?=$points?></td>
+ <td class="DataTD">&nbsp;</td>
+ <td class="DataTD"><strong><?=$experience_txt?>:</strong></td>
+ <td class="DataTD"><?=$sumexperience?></td>
<?
if ($support == "1")
{
?>
- <td class="DataTD">&nbsp;</td>
+ <td class="DataTD">&nbsp;</td>
<?
}
?>
- </tr>
+ </tr>
</table>
<br/>
<?
}
- function output_assurances_row($assuranceid,$date,$when,$email,$name,$awarded,$points,$location,$method,$experience,$userid,$support,$revoked)
+ function output_assurances_row($assuranceid,$date,$when,$email,$name,$awarded,$points,$location,$method,$experience,$userid,$support,$revoked, $ticketno)
{
- $tdstyle="";
- $emopen="";
- $emclose="";
+ $tdstyle="";
+ $emopen="";
+ $emclose="";
- if ($awarded == $points)
- {
- if ($awarded == "0")
+ if ($awarded == $points)
{
- if ($when < "2006-09-01")
+ if ($awarded == "0")
{
- $tdstyle="style='background-color: #ffff80'";
- $emopen="<em>";
- $emclose="</em>";
+ if ($when < "2006-09-01")
+ {
+ $tdstyle="style='background-color: #ffff80'";
+ $emopen="<em>";
+ $emclose="</em>";
+ }
}
}
- }
?>
- <tr>
- <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$assuranceid?><?=$emclose?></td>
- <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$date?><?=$emclose?></td>
+ <tr>
+ <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$assuranceid?><?=$emclose?></td>
+ <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$date?><?=$emclose?></td>
<?
- if ($support == "1")
- {
+ if ($support == "1")
+ {
?>
<td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$when?><?=$emclose?></td>
<td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$email?><?=$emclose?></td>
-<? }
+<?
+ }
?>
- <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$name?><?=$emclose?></td>
- <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$awarded?><?=$emclose?></td>
- <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$location?><?=$emclose?></td>
- <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$method?><?=$emclose?></td>
- <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$experience?><?=$emclose?></td>
+ <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$name?><?=$emclose?></td>
+ <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$awarded?><?=$emclose?></td>
+ <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$location?><?=$emclose?></td>
+ <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$method?><?=$emclose?></td>
+ <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$experience?><?=$emclose?></td>
<?
- if ($support == "1")
- {
- if ($revoked == true)
+ if ($support == "1")
{
+ if ($revoked == true)
+ {
?>
- <td class="DataTD" <?=$tdstyle?>>&nbsp;</td>
-<? } else {
+ <td class="DataTD" <?=$tdstyle?>>&nbsp;</td>
+<?
+ } else {
?>
- <td class="DataTD" <?=$tdstyle?>><?=$emopen?><a href="account.php?id=43&amp;userid=<?=intval($userid)?>&amp;assurance=<?=intval($assuranceid)?>&amp;csrf=<?=make_csrf('admdelassurance')?>" onclick="return confirm('<?=_("Are you sure you want to revoke this assurance?")?>');"><?=_("Revoke")?></a><?=$emclose?></td>
+ <td class="DataTD" <?=$tdstyle?>><?=$emopen?><a href="account.php?id=43&amp;userid=<?=intval($userid)?>&amp;assurance=<?=intval($assuranceid)?>&amp;csrf=<?=make_csrf('admdelassurance')?>&amp;ticketno=<?=$ticketno?>" onclick="return confirm('<?=sprintf(_("Are you sure you want to revoke the assurance with ID &quot;%s&quot;?"),$assuranceid)?>');"><?=_("Revoke")?></a><?=$emclose?></td>
<?
+ }
}
- }
?>
</tr>
<?
@@ -332,14 +368,14 @@
{
?>
<table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper">
- <tr>
- <td colspan="4" class="title"><?=_("Summary of your Points")?></td>
- </tr>
- <tr>
- <td class="DataTD"><strong><?=_("Description")?></strong></td>
- <td class="DataTD"><strong><?=_("Points")?></strong></td>
- <td class="DataTD"><strong><?=_("Countable Points")?></strong></td>
- <td class="DataTD"><strong><?=_("Remark")?></strong></td>
+ <tr>
+ <td colspan="4" class="title"><?=_("Summary of your Points")?></td>
+ </tr>
+ <tr>
+ <td class="DataTD"><strong><?=_("Description")?></strong></td>
+ <td class="DataTD"><strong><?=_("Points")?></strong></td>
+ <td class="DataTD"><strong><?=_("Countable Points")?></strong></td>
+ <td class="DataTD"><strong><?=_("Remark")?></strong></td>
</tr>
<?
}
@@ -355,36 +391,36 @@
function output_summary_row($title,$points,$points_countable,$remark)
{
?>
- <tr>
- <td class="DataTD"><strong><?=$title?></strong></td>
- <td class="DataTD"><?=$points?></td>
- <td class="DataTD"><?=$points_countable?></td>
- <td class="DataTD"><?=$remark?></td>
- </tr>
+ <tr>
+ <td class="DataTD"><strong><?=$title?></strong></td>
+ <td class="DataTD"><?=$points?></td>
+ <td class="DataTD"><?=$points_countable?></td>
+ <td class="DataTD"><?=$remark?></td>
+ </tr>
<?
}
// ************* output given assurances ******************
- function output_given_assurances_content($userid,&$points,&$sum_experience,$support)
+ function output_given_assurances_content($userid,&$points,&$sum_experience,$support, $ticketno)
{
$points = 0;
$sumexperience = 0;
$res = get_given_assurances(intval($userid));
while($row = mysql_fetch_assoc($res))
{
- $fromuser = get_user (intval($row['to']));
+ $fromuser = get_user (intval($row['to']));
$apoints = calc_experience ($row,$points,$experience,$sum_experience,$revoked);
$name = show_user_link ($fromuser['fname']." ".$fromuser['lname'],intval($row['to']));
$email = show_email_link ($fromuser['email'],intval($row['to']));
- output_assurances_row (intval($row['id']),$row['date'],$row['when'],$email,$name,$apoints,intval($row['points']),$row['location'],$row['method']==""?"":_(sprintf("%s", $row['method'])),$experience,$userid,$support,$revoked);
+ output_assurances_row (intval($row['id']),$row['date'],$row['when'],$email,$name,$apoints,intval($row['points']),$row['location'],$row['method']==""?"":_(sprintf("%s", $row['method'])),$experience,$userid,$support,$revoked, $ticketno);
}
}
// ************* output received assurances ******************
- function output_received_assurances_content($userid,&$points,&$sum_experience,$support)
+ function output_received_assurances_content($userid,&$points,&$sum_experience,$support, $ticketno)
{
$points = 0;
$sumexperience = 0;
@@ -395,7 +431,7 @@
calc_assurances ($row,$points,$experience,$sum_experience,$awarded,$revoked);
$name = show_user_link ($fromuser['fname']." ".$fromuser['lname'],intval($row['from']));
$email = show_email_link ($fromuser['email'],intval($row['from']));
- output_assurances_row (intval($row['id']),$row['date'],$row['when'],$email,$name,$awarded,intval($row['points']),$row['location'],$row['method']==""?"":_(sprintf("%s", $row['method'])),$experience,$userid,$support,$revoked);
+ output_assurances_row (intval($row['id']),$row['date'],$row['when'],$email,$name,$awarded,intval($row['points']),$row['location'],$row['method']==""?"":_(sprintf("%s", $row['method'])),$experience,$userid,$support,$revoked, $ticketno);
}
}
@@ -430,6 +466,8 @@
break;
case 'Unknown': // to be revoked in the future? limit to max 50 pts?
case 'Trusted Third Parties': // to be revoked in the future? limit to max 35 pts?
+ case 'TTP-Assisted': // TTP assurances, limit to 35
+ case 'TOPUP': // TOPUP to be delevoped in the future, limit to 30
case '': // to be revoked in the future? limit to max 50 pts?
case 'Face to Face Meeting': // normal assurances, limit to 35/50 pts in the future?
break;
@@ -575,17 +613,17 @@
return $issue_points;
}
- function output_given_assurances($userid,$support)
+ function output_given_assurances($userid, $support=0, $ticketno='')
{
output_assurances_header(_("Assurance Points You Issued"),$support);
- output_given_assurances_content($userid,$points,$sum_experience,$support);
+ output_given_assurances_content($userid,$points,$sum_experience,$support, $ticketno);
output_assurances_footer(_("Total Points Issued"),$points,_("Total Experience Points"),$sum_experience,$support);
}
- function output_received_assurances($userid,$support)
+ function output_received_assurances($userid,$support=0, $ticketno='')
{
output_assurances_header(_("Your Assurance Points"),$support);
- output_received_assurances_content($userid,$points,$sum_experience,$support);
+ output_received_assurances_content($userid,$points,$sum_experience,$support, $ticketno);
output_assurances_footer(_("Total Assurance Points"),$points,_("Total Experience Points"),$sum_experience,$support);
}
@@ -602,4 +640,1294 @@
<p>[ <a href='javascript:history.go(-1)'><?=_("Go Back")?></a> ]</p>
<?
}
+
+ //functions to do with recording user agreements
+ /**
+ * write_user_agreement()
+ * writes a new record to the table user_agreement
+ *
+ * @param mixed $memid
+ * @param mixed $document
+ * @param mixed $method
+ * @param mixed $comment
+ * @param integer $active
+ * @param integer $secmemid
+ * @return
+ */
+ function write_user_agreement($memid, $document, $method, $comment, $active=1, $secmemid=0){
+ // write a new record to the table user_agreement
+ $query="insert into `user_agreements` set `memid`=".intval($memid).", `secmemid`=".intval($secmemid).
+ ",`document`='".mysql_real_escape_string($document)."',`date`=NOW(), `active`=".intval($active).",`method`='".mysql_real_escape_string($method)."',`comment`='".mysql_real_escape_string($comment)."'" ;
+ $res = mysql_query($query);
+ }
+
+ /**
+ * get_user_agreement_status()
+ * returns 1 if the user has an entry for the given type in user_agreement, 0 if no entry is recorded
+ * @param mixed $memid
+ * @param string $type
+ * @return
+ */
+ function get_user_agreement_status($memid, $type="CCA"){
+ $query="SELECT u.`document` FROM `user_agreements` u
+ WHERE u.`document` = '" . mysql_real_escape_string($type) . "' AND u.`memid`=" . intval($memid) ;
+ $res = mysql_query($query);
+ if(mysql_num_rows($res) <=0){
+ return 0;
+ }else{
+ return 1;
+ }
+ }
+
+ /**
+ * get_first_user_agreement()
+ * returns the first user_agreement entry of the requested type depending on thes status of active of a given user
+ * @param mixed $memid
+ * @param integer $active, 0 - passive, 1 -active
+ * @param string $type
+ * @return
+ */
+ function get_first_user_agreement($memid, $active=1, $type="CCA"){
+ //returns an array (`document`,`date`,`method`, `comment`,`active`)
+ $query="SELECT u.`document`, u.`date`, u.`method`, u.`comment`, u.`active` FROM `user_agreements` AS u
+ WHERE u.`document` = '" . mysql_real_escape_string($type) . "' AND u.`memid`=" . intval($memid) . " AND u.`active`=" . intval($active) .
+ " ORDER BY u.`date` Limit 1;";
+ $res = mysql_query($query);
+ if(mysql_num_rows($res) >0){
+ $rec = mysql_fetch_assoc($res);
+ }else{
+ $rec=array();
+ }
+ return $rec;
+ }
+
+ /**
+ * get_last_user_agreement()
+ * returns the last user_agreement entry of a given type and of a given user
+ * @param mixed $memid
+ * @param string $type
+ * @return
+ */
+ function get_last_user_agreement($memid, $type="CCA"){
+ //returns an array (`document`,`date`,`method`, `comment`,`active`)
+ $query="SELECT u.`document`, u.`date`, u.`method`, u.`comment`, u.`active` FROM user_agreements u WHERE u.`document` = '" . mysql_real_escape_string($type) . "' AND (u.`memid`=" . intval($memid) . " ) order by `date` desc limit 1 " ;
+ $res = mysql_query($query);
+ if(mysql_num_rows($res) >0){
+ $rec = mysql_fetch_assoc($res);
+ }else{
+ $rec=array();
+ }
+ return $rec;
+ }
+
+function get_user_agreement($memid){
+ $query="(SELECT u.`document`, u.`date`, u.`method`, u.`comment`, 1 as `active` FROM user_agreements u WHERE u.`document` = 'CCA' AND (u.`memid`=".$memid." ) order by u.`date` )
+ union
+ (SELECT u.`document`, u.`date`, u.`method`, u.`comment`, 0 as `active` FROM user_agreements u WHERE u.`document` = 'CCA' AND ( u.`secmemid`=".$memid.") order by u.`date`)
+ union
+ (SELECT u.`document`, u.`date`, u.`method`, u.`comment`, 0 as `active` FROM user_agreements u WHERE u.`document` != 'CCA' AND ( u.`memid`=".$memid.") order by u.u.`document`, u.`date`) " ;
+ $res = mysql_query($query);
+
+ return mysql_query($query);
+}
+
+ /**
+ * delete_user_agreement()
+ * deletes all entries for a given type from user_agreement of a given user, if type is not given all
+ * @param mixed $memid
+ * @param string $type
+ * @return
+ */
+ function delete_user_agreement($memid, $type=false){
+ if ($type === false) {
+ $filter = '';
+ } else {
+ $filter = " and `document` = '" . mysql_real_escape_string($type) . "'";
+ }
+ mysql_query("delete from `user_agreements` where `memid`=" . intval($memid) . $filter );
+ }
+
+ // functions for 6.php (assure somebody)
+
+ function AssureHead($confirmation,$checkname)
+ {
?>
+<form method="post" action="wot.php">
+<table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper" width="600">
+ <tr>
+ <td colspan="2" class="title"><?=$confirmation?></td>
+ </tr>
+ <tr>
+ <td class="DataTD" colspan="2" align="left"><?=$checkname?></td>
+ </tr>
+<?
+ }
+
+ function AssureTextLine($field1,$field2)
+ {
+?>
+ <tr>
+ <td class="DataTD"><?=$field1.(empty($field1)?'':':')?></td>
+ <td class="DataTD"><?=$field2?></td>
+ </tr>
+<?
+ }
+
+ function AssureBoxLine($type,$text,$checked)
+ {
+?>
+ <tr>
+ <td class="DataTD"><input type="checkbox" name="<?=$type?>" value="1" <?=$checked?"checked":""?>></td>
+ <td class="DataTD"><?=$text?></td>
+ </tr>
+<?
+ }
+
+ function AssureMethodLine($text,$methods,$remark)
+ {
+ if (count($methods) != 1) {
+?>
+ <tr>
+ <td class="DataTD"><?=$text.(empty($text)?'':':')?></td>
+ <td class="DataTD">
+ <select name="method">
+<?
+ foreach($methods as $val) {
+?>
+ <option value="<?=$val?>"><?=$val?></option>
+<?
+ }
+?>
+ </select>
+ <br />
+ <?=$remark?>
+ </td>
+ </tr>
+<?
+ } else {
+?>
+ <input type="hidden" name="<?=$val?>" value="<?=$methods[0]?>" />
+<?
+ }
+ }
+
+ function AssureInboxLine($type,$field,$value,$description)
+ {
+?>
+ <tr>
+ <td class="DataTD"><?=$field.(empty($field)?'':':')?></td>
+ <td class="DataTD"><input type="text" name="<?=$type?>" value="<?=$value?>"><?=$description?></td>
+ </tr>
+<?
+ }
+
+ function AssureFoot($oldid,$confirm)
+ {
+?>
+ <tr>
+ <td class="DataTD" colspan="2">
+ <input type="submit" name="process" value="<?=$confirm?>" />
+ <input type="submit" name="cancel" value="<?=_("Cancel")?>" />
+ </td>
+ </tr>
+</table>
+<input type="hidden" name="pagehash" value="<?=$_SESSION['_config']['wothash']?>" />
+<input type="hidden" name="oldid" value="<?=$oldid?>" />
+</form>
+<?
+ }
+
+ function account_email_delete($mailid){
+ //deletes an email entry from an acount
+ //revolkes all certifcates for that email address
+ //called from www/account.php if($process != "" && $oldid == 2)
+ //called from www/diputes.php if($type == "reallyemail") / if($action == "accept")
+ //called from account_delete
+ $mailid = intval($mailid);
+ revoke_all_client_cert($mailid);
+ $query = "update `email` set `deleted`=NOW() where `id`='$mailid'";
+ mysql_query($query);
+ }
+
+ function account_domain_delete($domainid){
+ //deletes an domain entry from an acount
+ //revolkes all certifcates for that domain address
+ //called from www/account.php if($process != "" && $oldid == 9)
+ //called from www/diputes.php if($type == "reallydomain") / if($action == "accept")
+ //called from account_delete
+ $domainid = intval($domainid);
+ revoke_all_server_cert($domainid);
+ mysql_query(
+ "update `domains`
+ set `deleted`=NOW()
+ where `id` = '$domainid'");
+ }
+
+ function account_delete($id, $arbno, $adminid){
+ //deletes an account following the deleted account routnie V3
+ // called from www/account.php if($oldid == 50 && $process != "")
+ //change password
+ $id = intval($id);
+ $arbno = mysql_real_escape_string($arbno);
+ $adminid = intval($adminid);
+ $pool = 'abcdefghijklmnopqrstuvwxyz';
+ $pool .= '0123456789!()ยง';
+ $pool .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
+ srand ((double)microtime()*1000000);
+ $password="";
+ for($index = 0; $index < 30; $index++)
+ {
+ $password .= substr($pool,(rand()%(strlen ($pool))), 1);
+ }
+ mysql_query("update `users` set `password`=sha1('".$password."') where `id`='".$id."'");
+
+ //create new mail for arbitration number
+ $query = "insert into `email` set `email`='".$arbno."@cacert.org',`memid`='".$id."',`created`=NOW(),`modified`=NOW(), `attempts`=-1";
+ mysql_query($query);
+ $emailid = mysql_insert_id();
+
+ //set new mail as default
+ $query = "update `users` set `email`='".$arbno."@cacert.org' where `id`='".$id."'";
+ mysql_query($query);
+
+ //delete all other email address
+ $query = "select `id` from `email` where `memid`='".$id."' and `id`!='".$emailid."'" ;
+ $res=mysql_query($query);
+ while($row = mysql_fetch_assoc($res)){
+ account_email_delete($row['id']);
+ }
+
+ //delete all domains
+ $query = "select `id` from `domains` where `memid`='".$id."'";
+ $res=mysql_query($query);
+ while($row = mysql_fetch_assoc($res)){
+ account_domain_delete($row['id']);
+ }
+
+ //clear alert settings
+ mysql_query(
+ "update `alerts` set
+ `general`='0',
+ `country`='0',
+ `regional`='0',
+ `radius`='0'
+ where `memid`='$id'");
+
+ //set default location
+ $query = "update `users` set `locid`='2256755', `regid`='243', `ccid`='12' where `id`='".$id."'";
+ mysql_query($query);
+
+ //clear listings
+ $query = "update `users` set `listme`=' ',`contactinfo`=' ' where `id`='".$id."'";
+ mysql_query($query);
+
+ //set lanuage to default
+ //set default language
+ mysql_query("update `users` set `language`='en_AU' where `id`='".$id."'");
+ //delete secondary langugaes
+ mysql_query("delete from `addlang` where `userid`='".$id."'");
+
+ //change secret questions
+ for($i=1;$i<=5;$i++){
+ $q="";
+ $a="";
+ for($index = 0; $index < 30; $index++)
+ {
+ $q .= substr($pool,(rand()%(strlen ($pool))), 1);
+ $a .= substr($pool,(rand()%(strlen ($pool))), 1);
+ }
+ $query = "update `users` set `Q$i`='$q', `A$i`='$a' where `id`='".$id."'";
+ mysql_query($query);
+ }
+
+ //change personal information to arbitration number and DOB=1900-01-01
+ $query = "update `users` set `fname`='".$arbno."',
+ `mname`='".$arbno."',
+ `lname`='".$arbno."',
+ `suffix`='".$arbno."',
+ `dob`='1900-01-01'
+ where `id`='".$id."'";
+ mysql_query($query);
+
+ //clear all admin and board flags
+ mysql_query(
+ "update `users` set
+ `assurer`='0',
+ `assurer_blocked`='0',
+ `codesign`='0',
+ `orgadmin`='0',
+ `ttpadmin`='0',
+ `locadmin`='0',
+ `admin`='0',
+ `adadmin`='0',
+ `tverify`='0',
+ `board`='0'
+ where `id`='$id'");
+
+ //block account
+ mysql_query("update `users` set `locked`='1' where `id`='$id'"); //, `deleted`=Now()
+ }
+
+
+ function check_email_exists($email){
+ // called from includes/account.php if($process != "" && $oldid == 1)
+ // called from includes/account.php if($oldid == 50 && $process != "")
+ $email = mysql_real_escape_string($email);
+ $query = "select 1 from `email` where `email`='$email' and `deleted`=0";
+ $res = mysql_query($query);
+ return mysql_num_rows($res) > 0;
+ }
+
+ function check_gpg_cert_running($uid,$cca=0){
+ //if $cca =0 if just expired, =1 if CCA retention +3 month should be obeyed
+ // called from includes/account.php if($oldid == 50 && $process != "")
+ $uid = intval($uid);
+ if (0==$cca) {
+ $query = "select 1 from `gpg` where `memid`='$uid' and `expire`>NOW()";
+ }else{
+ $query = "select 1 from `gpg` where `memid`='$uid' and `expire`>(NOW()-90*86400)";
+ }
+ $res = mysql_query($query);
+ return mysql_num_rows($res) > 0;
+ }
+
+ function check_client_cert_running($uid,$cca=0){
+ //if $cca =0 if just expired, =1 if CCA retention +3 month should be obeyed
+ // called from includes/account.php if($oldid == 50 && $process != "")
+ $uid = intval($uid);
+ if (0==$cca) {
+ $query1 = "select 1 from `emailcerts` where `memid`='$uid' and `expire`>NOW() and `revoked`<`created`";
+ $query2 = "select 1 from `emailcerts` where `memid`='$uid' and `revoked`>NOW()";
+ }else{
+ $query1 = "select 1 from `emailcerts` where `memid`='$uid' and `expire`>(NOW()-90*86400) and `revoked`<`created`";
+ $query2 = "select 1 from `emailcerts` where `memid`='$uid' and `revoked`>(NOW()-90*86400)";
+ }
+ $res = mysql_query($query1);
+ $r1 = mysql_num_rows($res)>0;
+ $res = mysql_query($query2);
+ $r2 = mysql_num_rows($res)>0;
+ return !!($r1 || $r2);
+ }
+
+ function check_server_cert_running($uid,$cca=0){
+ //if $cca =0 if just expired, =1 if CCA retention +3 month should be obeyed
+ // called from includes/account.php if($oldid == 50 && $process != "")
+ $uid = intval($uid);
+ if (0==$cca) {
+ $query1 = "
+ select 1 from `domaincerts` join `domains`
+ on `domaincerts`.`domid` = `domains`.`id`
+ where `domains`.`memid` = '$uid'
+ and `domaincerts`.`expire` > NOW()
+ and `domaincerts`.`revoked` < `domaincerts`.`created`";
+ $query2 = "
+ select 1 from `domaincerts` join `domains`
+ on `domaincerts`.`domid` = `domains`.`id`
+ where `domains`.`memid` = '$uid'
+ and `revoked`>NOW()";
+ }else{
+ $query1 = "
+ select 1 from `domaincerts` join `domains`
+ on `domaincerts`.`domid` = `domains`.`id`
+ where `domains`.`memid` = '$uid'
+ and `expire`>(NOW()-90*86400)
+ and `revoked`<`created`";
+ $query2 = "
+ select 1 from `domaincerts` join `domains`
+ on `domaincerts`.`domid` = `domains`.`id`
+ where `domains`.`memid` = '$uid'
+ and `revoked`>(NOW()-90*86400)";
+ }
+ $res = mysql_query($query1);
+ $r1 = mysql_num_rows($res)>0;
+ $res = mysql_query($query2);
+ $r2 = mysql_num_rows($res)>0;
+ return !!($r1 || $r2);
+ }
+
+ function check_is_orgadmin($uid){
+ // called from includes/account.php if($oldid == 50 && $process != "")
+ $uid = intval($uid);
+ $query = "select 1 from `org` where `memid`='$uid' and `deleted`=0";
+ $res = mysql_query($query);
+ return mysql_num_rows($res) > 0;
+ }
+
+
+ // revokation of certificates
+ function revoke_all_client_cert($mailid){
+ //revokes all client certificates for an email address
+ $mailid = intval($mailid);
+ $query = "select `emailcerts`.`id`
+ from `emaillink`,`emailcerts` where
+ `emaillink`.`emailid`='$mailid' and `emaillink`.`emailcertsid`=`emailcerts`.`id` and `emailcerts`.`revoked`=0
+ group by `emailcerts`.`id`";
+ $dres = mysql_query($query);
+ while($drow = mysql_fetch_assoc($dres)){
+ mysql_query("update `emailcerts` set `revoked`='1970-01-01 10:00:01', `disablelogin`=1 where `id`='".$drow['id']."'");
+ }
+ }
+
+ function revoke_all_server_cert($domainid){
+ //revokes all server certs for an domain
+ $domainid = intval($domainid);
+ $query =
+ "select `domaincerts`.`id`
+ from `domaincerts`
+ where `domaincerts`.`domid` = '$domainid'
+ union distinct
+ select `domaincerts`.`id`
+ from `domaincerts`, `domlink`
+ where `domaincerts`.`id` = `domlink`.`certid`
+ and `domlink`.`domid` = '$domainid'";
+ $dres = mysql_query($query);
+ while($drow = mysql_fetch_assoc($dres))
+ {
+ mysql_query(
+ "update `domaincerts`
+ set `revoked`='1970-01-01 10:00:01'
+ where `id` = '".$drow['id']."'
+ and `revoked` = 0");
+ }
+ }
+
+ function revoke_all_private_cert($uid){
+ //revokes all certificates linked to a personal accounts
+ //gpg revokation needs to be added to a later point
+ $uid=intval($uid);
+ $query = "select `id` from `email` where `memid`='".$uid."'";
+ $res=mysql_query($query);
+ while($row = mysql_fetch_assoc($res)){
+ revoke_all_client_cert($row['id']);
+ }
+
+
+ $query = "select `id` from `domains` where `memid`='".$uid."'";
+ $res=mysql_query($query);
+ while($row = mysql_fetch_assoc($res)){
+ revoke_all_server_cert($row['id']);
+ }
+ }
+
+ /**
+ * check_date_format()
+ * checks if the date is entered in the right date format YYYY-MM-DD and
+ * if the date is after the 1st January of the given year
+ *
+ * @param mixed $date
+ * @param integer $year
+ * @return
+ */
+ function check_date_format($date, $year=2000){
+ if (!strpos($date,'-')) {
+ return FALSE;
+ }
+ $arr=explode('-',$date);
+
+ if ((count($arr)!=3)) {
+ return FALSE;
+ }
+ if (intval($arr[0])<=$year) {
+ return FALSE;
+ }
+ if (intval($arr[1])>12 or intval($arr[1])<=0) {
+ return FALSE;
+ }
+ if (intval($arr[2])>31 or intval($arr[2])<=0) {
+ return FALSE;
+ }
+
+ return checkdate( intval($arr[1]), intval($arr[2]), intval($arr[0]));
+
+ }
+
+ /**
+ * check_date_difference()
+ * returns false if the date is larger then today + time diffrence
+ *
+ * @param mixed $date
+ * @param integer $diff
+ * @return
+ */
+ function check_date_difference($date, $diff=1){
+ return (strtotime($date)<=time()+$diff*86400);
+ }
+
+/**
+ * write_se_log()
+ * writes an information to the adminlog
+ *
+ * @param mixed $uid - id of the user account
+ * @param mixed $adminid - id of the admin
+ * @param mixed $type - what was changed
+ * @param mixed $info - the ticket / arbitration no or other information
+ * @return
+ */
+function write_se_log($uid, $adminid, $type, $info){
+ //records all support engineer actions changing a user account
+ $uid = intval($uid);
+ $adminid = intval($adminid);
+ $type = mysql_real_escape_string($type);
+ $info = mysql_real_escape_string($info);
+ $query="insert into `adminlog` (`when`, `uid`, `adminid`,`type`,`information`) values
+ (Now(), $uid, $adminid, '$type', '$info')";
+ mysql_query($query);
+}
+
+/**
+ * valid_ticket_number()
+ * checks if the entered information is a valid ticket or arbitration number
+ * @param mixed $ticketno
+ * @return
+ */
+function valid_ticket_number($ticketno){
+ //return if a given ticket number is valid
+ //a arbitration case
+ //d dispute action
+ //s support case
+ //m board motion
+ $pattern='/[adsmADSM]\d{8}\./';
+ if (preg_match($pattern, $ticketno)) {
+ return true;
+ }
+ return false;
+}
+
+// function for handling account/43.php
+/**
+ * get_user_data()
+ * returns all data of to an account given by the id
+ * @param mixed $userid - account id
+ * @param mixed $deleted - states if deleted data should be visible , default = 0 - not visible
+ * @return
+ */
+function get_user_data($userid, $deleted=0){
+ $userid = intval($userid);
+ $filter='';
+ if (0==$deleted) {
+ $filter=' and `users`.`deleted`=0';
+ }
+ $query = "select * from `users` where `users`.`id`='$userid' ".$filter;
+ return mysql_query($query);
+}
+
+/**
+ * get_alerts()
+ * retrns all alert settings for one user
+ * @param mixed $userid for the requested account
+ * @return
+ */
+function get_alerts($userid){
+ return mysql_fetch_assoc(mysql_query("select * from `alerts` where `memid`='".intval($userid)."'"));
+}
+
+/**
+ * get_email_address()
+ * returns all email address linked to one account
+ * @param mixed $userid
+ * @param string $primary if given the primary email address is not retirned
+ * @param integer $deleted - states if deleted data should be visible , default = 0 - not visible
+ * @return
+ */
+function get_email_address($userid, $primary,$deleted=0){
+ //should be entered in account/2.php
+ $userid = intval($userid);
+ $filter='';
+ if (0==$deleted) {
+ $filter=' and `deleted`=0';
+ }
+ if ($primary) {
+ $filter= $filter." and `email`!='".mysql_real_escape_string($primary)."'";
+ }
+ $query = "select * from `email` where `memid`='".$userid."'".$filter." order by `created`";
+ return mysql_query($query);
+}
+
+/**
+ * get_domains()
+ * returns all domains to an account
+ * @param mixed $userid
+ * @param integer $deleted - states if deleted data should be visible , default = 0 - not visible
+ * @return
+ */
+function get_domains($userid, $deleted=0){
+ //should be entered in account/9.php
+ $userid = intval($userid);
+ $filter='';
+ if (0==$deleted) {
+ $filter=' and `deleted`=0';
+ }
+ $query = "select * from `domains` where `memid`='".$userid."' and `hash`=''".$filter." order by `created`";
+ return mysql_query($query);
+}
+
+/**
+ * get_training_result()
+ * returns all training results to an account
+ * @param mixed $userid
+ * @return
+ */
+function get_training_result($userid){
+ //should be entered in account/55.php
+ $userid = intval($userid);
+ $query = "SELECT `CP`.`pass_date`, `CT`.`type_text`, `CV`.`test_text` ".
+ " FROM `cats_passed` AS CP, `cats_variant` AS CV, `cats_type` AS CT ".
+ " WHERE `CP`.`variant_id`=`CV`.`id` AND `CV`.`type_id`=`CT`.`id` AND `CP`.`user_id` ='".$userid."'".
+ " ORDER BY `CP`.`pass_date`";
+ return mysql_query($query);
+}
+
+/**
+ * get_se_log()
+ * returns all SE log entries to an account
+ * @param mixed $userid
+ * @return
+ */
+function get_se_log($userid){
+ $userid = intval($userid);
+ $query = "SELECT `adminlog`.`when`, `adminlog`.`type`, `adminlog`.`information`, `users`.`fname`, `users`.`lname`
+ FROM `adminlog`, `users`
+ WHERE `adminlog`.`adminid` = `users`.`id` and `adminlog`.`uid`=".$userid."
+ ORDER BY `adminlog`.`when`";
+ return mysql_query($query);
+}
+
+/**
+ * get_client_certs()
+ * returns all client certificates to an account
+ * @param mixed $userid
+ * @param integer $viewall- states if expired certs should be visible , default = 0 - not visible
+ * @return
+ */
+//add to account/5.php
+function get_client_certs($userid,$viewall=0){
+ $userid = intval($userid);
+ $query = "select UNIX_TIMESTAMP(`emailcerts`.`created`) as `created`,
+ UNIX_TIMESTAMP(`emailcerts`.`expire`) - UNIX_TIMESTAMP() as `timeleft`,
+ UNIX_TIMESTAMP(`emailcerts`.`expire`) as `expired`,
+ `emailcerts`.`expire` as `expires`,
+ `emailcerts`.`revoked` as `revoke`,
+ UNIX_TIMESTAMP(`emailcerts`.`revoked`) as `revoked`,
+ `emailcerts`.`id`,
+ `emailcerts`.`CN`,
+ `emailcerts`.`serial`,
+ `emailcerts`.`disablelogin` as `disablelogin`,
+ `emailcerts`.`description`
+ from `emailcerts`
+ where `emailcerts`.`memid`='".$userid."'";
+ if($viewall != 1)
+ $query .= " AND `revoked`=0 AND `renewed`=0 ";
+ $query .= " GROUP BY `emailcerts`.`id` ";
+ if($viewall != 1)
+ $query .= " HAVING `timeleft` > 0 ";
+ $query .= " ORDER BY `emailcerts`.`modified` desc";
+ return mysql_query($query);
+}
+
+/**
+ * get_server_certs()
+ * returns all server certs to an account
+ * @param mixed $userid
+ * @param integer $viewall states if expired certs should be visible , default = 0 - not visible
+ * @return
+ */
+function get_server_certs($userid,$viewall=0){
+ //add to account/12.php
+ $userid = intval($userid);
+ $query = "select UNIX_TIMESTAMP(`domaincerts`.`created`) as `created`,
+ UNIX_TIMESTAMP(`domaincerts`.`expire`) - UNIX_TIMESTAMP() as `timeleft`,
+ UNIX_TIMESTAMP(`domaincerts`.`expire`) as `expired`,
+ `domaincerts`.`expire` as `expires`, `revoked` as `revoke`,
+ UNIX_TIMESTAMP(`revoked`) as `revoked`, `CN`, `domaincerts`.`serial`, `domaincerts`.`id` as `id`,
+ `domaincerts`.`description`
+ from `domaincerts`,`domains`
+ where `memid`='".$userid."' and `domaincerts`.`domid`=`domains`.`id` ";
+ if($viewall != 1)
+ {
+ $query .= "AND `revoked`=0 AND `renewed`=0 ";
+ $query .= "HAVING `timeleft` > 0 ";
+ }
+ $query .= "ORDER BY `domaincerts`.`modified` desc";
+ return mysql_query($query);
+}
+
+/**
+ * get_gpg_certs()
+ * retruns all gpg certs to an account
+ * @param mixed $userid
+ * @param integer $viewall states if expired certs should be visible , default = 0 - not visible
+ * @return
+ */
+function get_gpg_certs($userid,$viewall=0){
+ //add to gpg/2.php
+ $userid = intval($userid);
+ $query = $query = "select UNIX_TIMESTAMP(`issued`) as `issued`,
+ UNIX_TIMESTAMP(`expire`) - UNIX_TIMESTAMP() as `timeleft`,
+ UNIX_TIMESTAMP(`expire`) as `expired`,
+ `expire` as `expires`, `id`, `level`,
+ `email`,`keyid`,`description` from `gpg` where `memid`='".$userid."'
+ ORDER BY `issued` desc";
+ return mysql_query($query);
+}
+
+
+
+/**
+ * output_log_email_header()
+ * shows the table header to the email table
+ * @return
+ */
+function output_log_email_header(){
+ ?>
+ <tr>
+ <td class="DataTD bold"><?= _("Email, primary bold") ?></td>
+ <td class="DataTD bold"><?= _("Created") ?></td>
+ <td class="DataTD bold"><?= _("Deleted") ?></td>
+ </tr>
+
+ <?
+}
+/**
+ * output_log_email()
+ * shows all email data
+ * @param mixed $row - sql-query array
+ * @param mixed $primary - if given the primary address is highlighted
+ * @return
+ */
+function output_log_email($row,$primary){
+ $italic='';
+ $bold='';
+ if ($row['deleted'] > 0) {
+ $italic=' italic';
+ }
+ if ($primary==$row['email'] && $row['deleted'] == 0) {
+ $bold= ' bold';
+ }
+ ?>
+ <tr>
+ <td class="DataTD<?= $bold . $italic ?>"><?=$row['email']?></td>
+ <td class="DataTD<?= $bold . $italic ?>"><?=$row['created']?></td>
+ <td class="DataTD<?= $bold . $italic ?>"><?=$row['deleted']?></td>
+ </tr>
+ <?
+}
+
+/**
+ * output_log_domains_header()
+ * shows the table header to the domains table
+ * @return
+ */
+function output_log_domains_header(){
+ ?>
+ <tr>
+ <td class="DataTD bold"><?= _("Domain") ?></td>
+ <td class="DataTD bold"><?= _("Created") ?></td>
+ <td class="DataTD bold"><?= _("Deleted") ?></td>
+ </tr>
+
+ <?
+}
+
+/**
+ * output_log_domains()
+ * shows the domain data
+ * @param mixed $row - sql-query array
+ * @return
+ */
+function output_log_domains($row){
+ $italic='';
+ if (0==$row['deleted']) {
+ $italic='italic ';
+ }
+ ?>
+ <tr>
+ <td class="DataTD <? $italic ?>"><?=$row['domain']?></td>
+ <td class="DataTD <? $italic ?>"><?=$row['created']?></td>
+ <td class="DataTD <? $italic ?>"><?=$row['deleted']?></td>
+ </tr>
+ <?
+}
+
+/**
+ * output_log_agreement_header()
+ * shows the table header to the user agreement table
+ * @return
+ */
+function output_log_agreement_header(){
+ ?>
+ <tr>
+ <td class="DataTD bold"><?= _("Agreement") ?></td>
+ <td class="DataTD bold"><?= _("Date") ?></td>
+ <td class="DataTD bold"><?= _("Method") ?></td>
+ <td class="DataTD bold"><?= _("Active ") ?></td>
+ </tr>
+ <?
+}
+
+/**
+ * output_log_agreement()
+ * shows the agreement data
+ * @param mixed $row - sql-query array
+ * @return
+ */
+function output_log_agreement($row){
+ ?>
+ <tr>
+ <td class="DataTD" ><?=$row['document']?></td>
+ <td class="DataTD" ><?=$row['date']?></td>
+ <td class="DataTD" ><?=$row['method']?></td>
+ <td class="DataTD"><?= ($row['active']==0)? _('passive'):_('active')?></td>
+ </tr>
+ <?
+}
+
+/**
+ * output_log_training_header()
+ * shows the table header to the training table
+ * @return
+ */
+function output_log_training_header(){
+ //should be entered in account/55.php
+ ?>
+ <tr>
+ <td class="DataTD bold"><?= _("Agreement") ?></td>
+ <td class="DataTD bold"><?= _("Test") ?></td>
+ <td class="DataTD bold"><?= _("Variant") ?></td>
+ </tr>
+ <?
+}
+
+/**
+ * output_log_training()
+ * shows the training data
+ * @param mixed $row - sql-query array
+ * @return
+ */
+function output_log_training($row){
+ //should be entered in account/55.php
+ ?>
+ <tr>
+ <td class="DataTD"><?=$row['pass_date']?></td>
+ <td class="DataTD"><?=$row['type_text']?></td>
+ <td class="DataTD"><?=$row['test_text']?></td>
+ </tr>
+ <?
+}
+
+/**
+ * output_log_se_header()
+ * shows the table header to the SE log table
+ * @param integer $support - if support = 1 some columns ar not visible
+ * @return
+ */
+function output_log_se_header($support=0){
+ ?>
+ <tr>
+ <td class="DataTD bold"><?= _("Date") ?></td>
+ <td class="DataTD bold"><?= _("Type") ?></td>
+ <?if (1==$support) {
+ ?>
+ <td class="DataTD bold"><?= _("Information") ?></td>
+ <td class="DataTD bold"><?= _("Admin") ?></td>
+ <?
+ }?>
+ </tr>
+ <?
+}
+
+/**
+ * output_log_se()
+ * show the SE log data
+ * @param mixed $row - sql-query array
+ * @param integer $support - if support = 1 some columns are added
+ * @return
+ */
+function output_log_se($row, $support=0){
+ //should be entered in account/55.php
+ ?>
+ <tr>
+ <td class="DataTD"><?=$row['when']?></td>
+ <td class="DataTD"><?=$row['type']?></td>
+ <?if (1==$support) {
+ ?>
+ <td class="DataTD"><?=$row['information']?></td>
+ <td class="DataTD"><?=$row['fname'].' '.$row['lname']?></td>
+ <?
+ }?>
+ </tr>
+ <?
+}
+
+/**
+ * output_client_cert_header()
+ * shows the table header to the cleint cert table
+ * @param integer $support - if support = 1 some columns ar not visible
+ * @return
+ */
+function output_client_cert_header($support=0){
+ //should be added to account/5.php
+ ?>
+ <tr>
+ <?if ($support !=1) { ?>
+ <td class="DataTD"><?=_("Renew/Revoke/Delete")?></td>
+ <? } ?>
+ <td class="DataTD"><?=_("Status")?></td>
+ <td class="DataTD"><?=_("Email Address")?></td>
+ <td class="DataTD"><?=_("SerialNumber")?></td>
+ <td class="DataTD"><?=_("Revoked")?></td>
+ <td class="DataTD"><?=_("Expires")?></td>
+ <td class="DataTD"><?=_("Login")?></td>
+ <?if ($support !=1) { ?>
+ <td colspan="2" class="DataTD"><?=_("Comment *")?></td>
+ <? } ?>
+ </tr>
+ <?
+}
+
+/**
+ * output_client_cert()
+ * show the client cert data
+ * @param mixed $row - sql-query array
+ * @param integer $support - if support = 1 some columns are not visible
+ * @return
+ */
+function output_client_cert($row, $support=0){
+ //should be entered in account/5.php
+ $verified="";
+ if($row['timeleft'] > 0)
+ $verified = _("Valid");
+ if($row['timeleft'] < 0)
+ $verified = _("Expired");
+ if($row['expired'] == 0)
+ $verified = _("Pending");
+ if($row['revoked'] > 0)
+ $verified = _("Revoked");
+ if($row['revoked'] == 0)
+ $row['revoke'] = _("Not Revoked");
+ ?>
+ <tr>
+ <?
+ if($verified != _("Pending") && $verified != _("Revoked")) {
+ if ($support !=1) { ?>
+ <td class="DataTD"><input type="checkbox" name="revokeid[]" value="<?=$row['id']?>"></td>
+ <? } ?>
+ <td class="DataTD"><?=$verified?></td>
+ <? if ($support !=1) { ?>
+ <td class="DataTD"><a href="account.php?id=6&amp;cert=<?=$row['id']?>"><?=(trim($row['CN'])=="" ? _("empty") : $row['CN'])?></a></td>
+ <? } ELSE {?>
+ <td class="DataTD"><?=(trim($row['CN'])=="" ? _("empty") : $row['CN'])?></td>
+ <? } ?>
+ <? } else if($verified != _("Revoked")) {
+ if ($support !=1) { ?>
+ <td class="DataTD"><input type="checkbox" name="delid[]" value="<?=$row['id']?>"></td>
+ <? } ?>
+ <td class="DataTD"><?=$verified?></td>
+ <td class="DataTD"><?=(trim($row['CN'])=="" ? _("empty") : $row['CN'])?></td>
+ <? } else {
+ if ($support !=1) { ?>
+ <td class="DataTD">&nbsp;</td>
+ <? } ?>
+ <td class="DataTD"><?=$verified?></td>
+ <td class="DataTD"><?=(trim($row['CN'])=="" ? _("empty") : $row['CN'])?></td>
+ <? } ?>
+
+ <td class="DataTD"><?=$row['serial']?></td>
+ <td class="DataTD"><?=$row['revoke']?></td>
+ <td class="DataTD"><?=$row['expires']?></td>
+
+ <? if ($support !=1) { ?>
+ <td class="DataTD">
+ <input type="checkbox" name="disablelogin_<?=$row['id']?>" value="1" <?=$row['disablelogin']?"":"checked='checked'"?>/>
+ <input type="hidden" name="cert_<?=$row['id']?>" value="1" />
+ </td>
+ <? } ELSE { ?>
+ <td class="DataTD">
+ <input type="checkbox" name="disablelogin_<?=$row['id']?>" value="1" <?=$row['disablelogin']?"":"checked='checked'"?> DISABLED/>
+ </td>
+ <? }
+ if ($support !=1) { ?>
+ <td class="DataTD"><input name="comment_<?=$row['id']?>" type="text" value="<?=htmlspecialchars($row['description'])?>" /></td>
+ <td class="DataTD"><input type="checkbox" name="check_comment_<?=$row['id']?>" /></td>
+ <? }?>
+ </tr>
+
+ <?
+}
+
+/**
+ * output_log_server_certs_header()
+ * shows the table header to the server cert table
+ * @param integer $support - if support = 1 some columns ar not visible
+ * @return
+ */
+function output_log_server_certs_header($support=0){
+ //should be entered in account/12.php
+ ?>
+ <tr>
+ <?if ($support !=1) { ?>
+ <td class="DataTD"><?=_("Renew/Revoke/Delete")?></td>
+ <? } ?>
+ <td class="DataTD"><?=_("Status")?></td>
+ <td class="DataTD"><?=_("CommonName")?></td>
+ <td class="DataTD"><?=_("SerialNumber")?></td>
+ <td class="DataTD"><?=_("Revoked")?></td>
+ <td class="DataTD"><?=_("Expires")?></td>
+ <?if ($support !=1) { ?>
+ <td colspan="2" class="DataTD"><?=_("Comment *")?></td>
+ <? } ?>
+ </tr>
+ <?
+}
+
+/**
+ * output_log_server_certs()
+ * show the server cert data
+ * @param mixed $row - sql-query array
+ * @param integer $support - if support = 1 some columns are not visible
+ * @return
+ */
+function output_log_server_certs($row, $support=0){
+ //should be entered in account/12.php
+ if($row['timeleft'] > 0)
+ $verified = _("Valid");
+ if($row['timeleft'] < 0)
+ $verified = _("Expired");
+ if($row['expired'] == 0)
+ $verified = _("Pending");
+ if($row['revoked'] > 0)
+ $verified = _("Revoked");
+ if($row['revoked'] == 0)
+ $row['revoke'] = _("Not Revoked");
+ ?>
+ <tr>
+ <? if ($support !=1) {
+ if($verified != _("Pending") && $verified != _("Revoked")) { ?>
+ <td class="DataTD"><input type="checkbox" name="revokeid[]" value="<?=$row['id']?>"/></td>
+ <? } else if($verified != _("Revoked")) { ?>
+ <td class="DataTD"><input type="checkbox" name="delid[]" value="<?=$row['id']?>"/></td>
+ <? } else { ?>
+ <td class="DataTD">&nbsp;</td>
+ <? }
+ }?>
+ <td class="DataTD"><?=$verified?></td>
+ <?if ($support !=1) { ?>
+ <td class="DataTD"><a href="account.php?id=15&amp;cert=<?=$row['id']?>"><?=$row['CN']?></a></td>
+ <? }ELSE{ ?>
+ <td class="DataTD"><?=$row['CN']?></td>
+ <?}?>
+ <td class="DataTD"><?=$row['serial']?></td>
+ <td class="DataTD"><?=$row['revoke']?></td>
+ <td class="DataTD"><?=$row['expires']?></td>
+ <?if ($support !=1) { ?>
+ <td class="DataTD"><input name="comment_<?=$row['id']?>" type="text" value="<?=htmlspecialchars($row['description'])?>" /></td>
+ <td class="DataTD"><input type="checkbox" name="check_comment_<?=$row['id']?>" /></td>
+ <?}?>
+ </tr> <?
+}
+
+/**
+ * output_gpg_certs_header()
+ * shows the table header to the gpg cert table
+ * @param integer $support - if support = 1 some columns ar not visible
+ * @return
+ */
+function output_gpg_certs_header($support=0){
+ ?>
+ <tr>
+ <td class="DataTD"><?=_("Status")?></td>
+ <td class="DataTD"><?=_("Email Address")?></td>
+ <td class="DataTD"><?=_("Expires")?></td>
+ <td class="DataTD"><?=_("Key ID")?></td>
+ <?if ($support !=1) { ?>
+ <td colspan="2" class="DataTD"><?=_("Comment *")?></td>
+ <? }?>
+ </tr>
+ <?
+}
+
+/**
+ * output_gpg_certs()
+ * show the gpg cert data
+ * @param mixed $row - sql-query array
+ * @param integer $support - if support = 1 some columns are not visible
+ * @return
+ */
+function output_gpg_certs($row, $support=0){
+ //should be entered in account/55.php
+ if($row['timeleft'] > 0)
+ $verified = _("Valid");
+ if($row['timeleft'] < 0)
+ $verified = _("Expired");
+ if($row['expired'] == 0)
+ $verified = _("Pending");
+ ?>
+ <tr>
+ <? if($verified == _("Valid")) { ?>
+ <td class="DataTD"><?=$verified?></td>
+ <?if ($support !=1) { ?>
+ <td class="DataTD"><a href="gpg.php?id=3&amp;cert=<?=$row['id']?>"><?=$row['email']?></a></td>
+ <? } else { ?>
+ <td class="DataTD"><?=$row['email']?></td>
+ <? } ?>
+ <? } else if($verified == _("Pending")) { ?>
+ <td class="DataTD"><?=$verified?></td>
+ <td class="DataTD"><?=$row['email']?></td>
+ <? } else { ?>
+ <td class="DataTD"><?=$verified?></td>
+ <?if ($support !=1) { ?>
+ <td class="DataTD"><a href="gpg.php?id=3&amp;cert=<?=$row['id']?>"><?=$row['email']?></a></td>
+ <? } else { ?>
+ <td class="DataTD"><?=$row['email']?></td>
+ <? } ?>
+ <? } ?>
+ <td class="DataTD"><?=$row['expires']?></td>
+ <?if ($support != 1) { ?>
+ <td class="DataTD"><a href="gpg.php?id=3&amp;cert=<?=$row['id']?>"><?=$row['keyid']?></a></td>
+ <? } else { ?>
+ <td class="DataTD"><?=$row['keyid']?></td>
+ <? } ?>
+ <?if ($support !=1) { ?>
+ <td class="DataTD"><input name="comment_<?=$row['id']?>" type="text" value="<?=htmlspecialchars($row['description'])?>" /></td>
+ <td class="DataTD"><input type="checkbox" name="check_comment_<?=$row['id']?>" /></td>
+ <? } ?>
+ </tr>
+ <?
+}
+
+/**
+ * output_log_given_assurances()
+ * returns the list of all given assurances
+ * @param mixed $userid - user id for the output
+ * @param integer $support - support view = 1
+ * @return
+ */
+function output_log_given_assurances($userid, $support=0)
+{
+ output_assurances_header(_("Assurance given"),$support);
+ output_log_given_assurances_content($userid, $support);
+}
+
+/**
+ * output_log_given_assurances_content()
+ *
+ * @param mixed $userid
+ * @param mixed $support
+ * @return
+ */
+function output_log_given_assurances_content($userid, $support)
+{
+ $res = get_given_assurances(intval($userid), 1);
+ while($row = mysql_fetch_assoc($res))
+ {
+ $fromuser = get_user (intval($row['to']));
+ $apoints = calc_experience ($row,$points,$experience,$sum_experience,$revoked);
+ $name = show_user_link ($fromuser['fname']." ".$fromuser['lname'],intval($row['to']));
+ $email = show_email_link ($fromuser['email'],intval($row['to']));
+ $revoked = '';
+ if ($row['date'] != 0) {
+ $revoked = $row['deleted'];
+ }
+ output_log_assurances_row(intval($row['id']),$row['date'],$row['when'],$email,$name,$apoints,intval($row['points']),$row['location'],$row['method']==""?"":_(sprintf("%s", $row['method'])),$experience,$userid,$support,$revoked);
+ }
+}
+
+/**
+ * output_log_received_assurances()
+ *
+ * @param mixed $userid
+ * @param integer $support
+ * @return
+ */
+function output_log_received_assurances($userid, $support=0)
+{
+ output_assurances_header(_("Assurance received"), $support);
+ output_log_received_assurances_content($userid, $support);
+}
+
+/**
+ * output_log_received_assurances_content()
+ *
+ * @param mixed $userid
+ * @param mixed $support
+ * @param mixed $points
+ * @param mixed $sum_experience
+ * @param mixed $ticketno
+ * @return
+ */
+function output_log_received_assurances_content($userid, $support)
+{
+ $res = get_received_assurances(intval($userid), 1);
+ while($row = mysql_fetch_assoc($res))
+ {
+ $fromuser = get_user (intval($row['from']));
+ calc_assurances ($row,$points,$experience,$sum_experience,$awarded,$revoked);
+ $name = show_user_link ($fromuser['fname']." ".$fromuser['lname'],intval($row['from']));
+ $email = show_email_link ($fromuser['email'],intval($row['from']));
+ $revoked = '';
+ if ($row['date'] != 0) {
+ $revoked = $revoked = $row['deleted'];
+ }
+ output_log_assurances_row(intval($row['id']),$row['date'],$row['when'],$email,$name,$awarded,intval($row['points']),$row['location'],$row['method']==""?"":_(sprintf("%s", $row['method'])),$experience,$userid,$support,$revoked);
+ }
+}
+
+/**
+ * output_log_assurances_row()
+ *
+ * @param mixed $assuranceid
+ * @param mixed $date
+ * @param mixed $when
+ * @param mixed $email
+ * @param mixed $name
+ * @param mixed $awarded
+ * @param mixed $points
+ * @param mixed $location
+ * @param mixed $method
+ * @param mixed $experience
+ * @param mixed $userid
+ * @param mixed $support
+ * @param mixed $revoked
+ * @return
+ */
+function output_log_assurances_row($assuranceid,$date,$when,$email,$name,$awarded,$points,$location,$method,$experience,$userid,$support,$revoked)
+{
+
+ $tdstyle="";
+ $emopen="";
+ $emclose="";
+
+ if ($awarded == $points)
+ {
+ if ($awarded == "0")
+ {
+ if ($when < "2006-09-01")
+ {
+ $tdstyle="style='background-color: #ffff80'";
+ $emopen="<em>";
+ $emclose="</em>";
+ }
+ }
+ }
+ ?>
+ <tr>
+ <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$assuranceid?><?=$emclose?></td>
+ <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$date?><?=$emclose?></td>
+ <?
+ if ($support == "1")
+ {
+ ?>
+ <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$when?><?=$emclose?></td>
+ <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$email?><?=$emclose?></td>
+ <?
+ }
+ ?>
+ <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$name?><?=$emclose?></td>
+ <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$awarded?><?=$emclose?></td>
+ <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$location?><?=$emclose?></td>
+ <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$method?><?=$emclose?></td>
+ <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$experience?><?=$emclose?></td>
+ <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$revoked?><?=$emclose?></td>
+ </tr>
+ <?
+}
+
diff --git a/includes/wot.inc.php b/includes/wot.inc.php
deleted file mode 100644
index 884b97f..0000000
--- a/includes/wot.inc.php
+++ /dev/null
@@ -1,539 +0,0 @@
-<? /*
- LibreSSL - CAcert web application
- Copyright (C) 2004-2011 CAcert Inc.
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; version 2 of the License.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-*/
-
- function query_init ($query)
- {
- return mysql_query($query);
- }
-
- function query_getnextrow ($res)
- {
- $row1 = mysql_fetch_assoc($res);
- return $row1;
- }
-
- function query_get_number_of_rows ($resultset)
- {
- return intval(mysql_num_rows($resultset));
- }
-
- function get_number_of_assurances ($userid)
- {
- $res = query_init ("SELECT count(*) AS `list` FROM `notary`
- WHERE `method` = 'Face to Face Meeting' AND `from`='".intval($userid)."' ");
- $row = query_getnextrow($res);
-
- return intval($row['list']);
- }
-
- function get_number_of_assurees ($userid)
- {
- $res = query_init ("SELECT count(*) AS `list` FROM `notary`
- WHERE `method` = 'Face to Face Meeting' AND `to`='".intval($userid)."' ");
- $row = query_getnextrow($res);
-
- return intval($row['list']);
- }
-
- function get_top_assurer_position ($no_of_assurances)
- {
- $res = query_init ("SELECT count(*) AS `list` FROM `notary`
- WHERE `method` = 'Face to Face Meeting'
- GROUP BY `from` HAVING count(*) > '".intval($no_of_assurances)."'");
- return intval(query_get_number_of_rows($res)+1);
- }
-
- function get_top_assuree_position ($no_of_assurees)
- {
- $res = query_init ("SELECT count(*) AS `list` FROM `notary`
- WHERE `method` = 'Face to Face Meeting'
- GROUP BY `to` HAVING count(*) > '".intval($no_of_assurees)."'");
- return intval(query_get_number_of_rows($res)+1);
- }
-
- function get_given_assurances ($userid)
- {
- $res = query_init ("select * from `notary` where `from`='".intval($userid)."' and `from` != `to` order by `id` asc");
- return $res;
- }
-
- function get_received_assurances ($userid)
- {
- $res = query_init ("select * from `notary` where `to`='".intval($userid)."' and `from` != `to` order by `id` asc ");
- return $res;
- }
-
- function get_given_assurances_summary ($userid)
- {
- $res = query_init ("select count(*) as number,points,awarded,method from notary where `from`='".intval($userid)."' group by points,awarded,method");
- return $res;
- }
-
- function get_received_assurances_summary ($userid)
- {
- $res = query_init ("select count(*) as number,points,awarded,method from notary where `to`='".intval($userid)."' group by points,awarded,method");
- return $res;
- }
-
- function get_user ($userid)
- {
- $res = query_init ("select * from `users` where `id`='".intval($userid)."'");
- return mysql_fetch_assoc($res);
- }
-
- function get_cats_state ($userid)
- {
-
- $res = query_init ("select * from `cats_passed` inner join `cats_variant` on `cats_passed`.`variant_id` = `cats_variant`.`id` and `cats_variant`.`type_id` = 1
- WHERE `cats_passed`.`user_id` = '".intval($userid)."'");
- return mysql_num_rows($res);
- }
-
- function calc_experience ($row,&$points,&$experience,&$sum_experience)
- {
- $apoints = max($row['points'], $row['awarded']);
-
- $points += $apoints;
-
- $experience = "&nbsp;";
- if ($row['method'] == "Face to Face Meeting")
- {
- $sum_experience = $sum_experience +2;
- $experience = "2";
- }
- return $apoints;
- }
-
- function calc_assurances ($row,&$points,&$experience,&$sumexperience,&$awarded)
- {
- $awarded = calc_points($row);
-
- if ($awarded > 100)
- {
- $experience = $awarded - 100; // needs to be fixed in the future (limit 50 pts and/or no experience if pts > 100)
- $awarded = 100;
- }
- else
- $experience = 0;
-
- switch ($row['method'])
- {
- case 'Thawte Points Transfer':
- case 'CT Magazine - Germany':
- case 'Temporary Increase': // Current usage of 'Temporary Increase' may break audit aspects, needs to be reimplemented
- $awarded=sprintf("<strong style='color: red'>%s</strong>",_("Revoked"));
- $experience=0;
- break;
- default:
- $points += $awarded;
- }
- $sumexperience = $sumexperience + $experience;
- }
-
-
- function show_user_link ($name,$userid)
- {
- $name = trim($name);
- if($name == "")
- {
- if ($userid == 0)
- $name = _("System");
- else
- $name = _("Deleted account");
- }
- else
- $name = "<a href='wot.php?id=9&amp;userid=".intval($userid)."'>$name</a>";
- return $name;
- }
-
- function get_assurer_ranking($userid,&$num_of_assurances,&$rank_of_assurer)
- {
- $num_of_assurances = get_number_of_assurances (intval($userid));
- $rank_of_assurer = get_top_assurer_position($num_of_assurances);
- }
-
- function get_assuree_ranking($userid,&$num_of_assurees,&$rank_of_assuree)
- {
- $num_of_assurees = get_number_of_assurees (intval($userid));
- $rank_of_assuree = get_top_assuree_position($num_of_assurees);
- }
-
-
-// ************* html table definitions ******************
-
- function output_ranking($userid)
- {
- get_assurer_ranking($userid,$num_of_assurances,$rank_of_assurer);
- get_assuree_ranking($userid,$num_of_assurees,$rank_of_assuree);
-
-?>
-<table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper">
- <tr>
- <td class="title"><?=_("Assurer Ranking")?></td>
- </tr>
- <tr>
- <td class="DataTD"><?=sprintf(_("You have made %s assurances which ranks you as the #%s top assurer."), intval($num_of_assurances), intval($rank_of_assurer) )?></td>
- </tr>
- <tr>
- <td class="DataTD"><?=sprintf(_("You have received %s assurances which ranks you as the #%s top assuree."), intval($num_of_assurees), intval($rank_of_assuree) )?></td>
- </tr>
-</table>
-<br/>
-<?
- }
-
- function output_assurances_header($title)
- {
-?>
-<table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper">
- <tr>
- <td colspan="7" class="title"><?=$title?></td>
- </tr>
- <tr>
- <td class="DataTD"><strong><?=_("ID")?></strong></td>
- <td class="DataTD"><strong><?=_("Date")?></strong></td>
- <td class="DataTD"><strong><?=_("Who")?></strong></td>
- <td class="DataTD"><strong><?=_("Points")?></strong></td>
- <td class="DataTD"><strong><?=_("Location")?></strong></td>
- <td class="DataTD"><strong><?=_("Method")?></strong></td>
- <td class="DataTD"><strong><?=_("Experience Points")?></strong></td>
- </tr>
-<?
- }
-
- function output_assurances_footer($points_txt,$points,$experience_txt,$sumexperience)
- {
-?>
- <tr>
- <td class="DataTD" colspan="3"><strong><?=$points_txt?>:</strong></td>
- <td class="DataTD"><?=$points?></td>
- <td class="DataTD">&nbsp;</td>
- <td class="DataTD"><strong><?=$experience_txt?>:</strong></td>
- <td class="DataTD"><?=$sumexperience?></td>
- </tr>
-</table>
-<br/>
-<?
- }
-
- function output_assurances_row($assuranceid,$date,$when,$name,$awarded,$points,$location,$method,$experience)
- {
-
- $tdstyle="";
- $emopen="";
- $emclose="";
-
- if ($awarded == $points)
- {
- if ($awarded == "0")
- {
- if ($when < "2006-09-01")
- {
- $tdstyle="style='background-color: #ffff80'";
- $emopen="<em>";
- $emclose="</em>";
- }
- }
- }
-
-?>
- <tr>
- <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$assuranceid?><?=$emclose?></td>
- <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$date?><?=$emclose?></td>
- <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$name?><?=$emclose?></td>
- <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$awarded?><?=$emclose?></td>
- <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$location?><?=$emclose?></td>
- <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$method?><?=$emclose?></td>
- <td class="DataTD" <?=$tdstyle?>><?=$emopen?><?=$experience?><?=$emclose?></td>
- </tr>
-<?
- }
-
- function output_summary_header()
- {
-?>
-<table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper">
- <tr>
- <td colspan="4" class="title"><?=_("Summary of your Points")?></td>
- </tr>
- <tr>
- <td class="DataTD"><strong><?=_("Description")?></strong></td>
- <td class="DataTD"><strong><?=_("Points")?></strong></td>
- <td class="DataTD"><strong><?=_("Countable Points")?></strong></td>
- <td class="DataTD"><strong><?=_("Remark")?></strong></td>
- </tr>
-<?
- }
-
- function output_summary_footer()
- {
-?>
-</table>
-<br/>
-<?
- }
-
- function output_summary_row($title,$points,$points_countable,$remark)
- {
-?>
- <tr>
- <td class="DataTD"><strong><?=$title?></strong></td>
- <td class="DataTD"><?=$points?></td>
- <td class="DataTD"><?=$points_countable?></td>
- <td class="DataTD"><?=$remark?></td>
- </tr>
-<?
- }
-
-
-// ************* output given assurances ******************
-
- function output_given_assurances_content($userid,&$points,&$sum_experience)
- {
- $points = 0;
- $sumexperience = 0;
- $res = get_given_assurances(intval($userid));
- while($row = mysql_fetch_assoc($res))
- {
- $fromuser = get_user (intval($row['to']));
- $apoints = calc_experience ($row,$points,$experience,$sum_experience);
- $name = show_user_link ($fromuser['fname']." ".$fromuser['lname'],intval($row['to']));
- output_assurances_row (intval($row['id']),$row['date'],$row['when'],$name,$apoints,intval($row['points']),$row['location'],$row['method']==""?"":_(sprintf("%s", $row['method'])),$experience);
- }
- }
-
-// ************* output received assurances ******************
-
- function output_received_assurances_content($userid,&$points,&$sum_experience)
- {
- $points = 0;
- $sumexperience = 0;
- $res = get_received_assurances(intval($userid));
- while($row = mysql_fetch_assoc($res))
- {
- $fromuser = get_user (intval($row['from']));
- calc_assurances ($row,$points,$experience,$sum_experience,$awarded);
- $name = show_user_link ($fromuser['fname']." ".$fromuser['lname'],intval($row['from']));
- output_assurances_row (intval($row['id']),$row['date'],$row['when'],$name,$awarded,intval($row['points']),$row['location'],$row['method']==""?"":_(sprintf("%s", $row['method'])),$experience);
- }
- }
-
-// ************* output summary table ******************
-
- function check_date_limit ($userid,$age)
- {
- $dob = date("Y-m-d", mktime(0,0,0,date("m"),date("d"),date("Y")-$age));
- $res = query_init ("select id from `users` where `id`='".$userid."' and `dob` < '$dob'");
- return intval(query_get_number_of_rows($res));
- }
-
- function calc_points($row)
- {
- $awarded = intval($row['awarded']);
- if ($awarded == "")
- $awarded = 0;
- if (intval($row['points']) < $awarded)
- $points = $awarded; // if 'sum of added points' > 100, awarded shows correct value
- else
- $points = intval($row['points']); // on very old assurances, awarded is '0' instead of correct value
- switch ($row['method'])
- {
- case 'Thawte Points Transfer': // revoke all Thawte-points (as per arbitration)
- case 'CT Magazine - Germany': // revoke c't (only one test-entry)
- case 'Temporary Increase': // revoke 'temporary increase' (Current usage breaks audit aspects, needs to be reimplemented)
- $points = 0;
- break;
- case 'Administrative Increase': // ignore AI with 2 points or less (historical for experiance points, now other calculation)
- if ($points <= 2) // maybe limit to 35/50 pts in the future?
- $points = 0;
- break;
- case 'Unknown': // to be revoked in the future? limit to max 50 pts?
- case 'Trusted Third Parties': // to be revoked in the future? limit to max 35 pts?
- case '': // to be revoked in the future? limit to max 50 pts?
- case 'Face to Face Meeting': // normal assurances, limit to 35/50 pts in the future?
- break;
- default: // should never happen ... ;-)
- $points = 0;
- }
- if ($points < 0) // ignore negative points (bug needs to be fixed)
- $points = 0;
- return $points;
- }
-
- function max_points($userid)
- {
- return output_summary_content ($userid,0);
- }
-
- function output_summary_content($userid,$display_output)
- {
- $sum_points = 0;
- $sum_experience = 0;
- $sum_experience_other = 0;
- $max_points = 100;
- $max_experience = 50;
-
- $experience_limit_reached_txt = _("Limit reached");
-
- if (check_date_limit($userid,18) != 1)
- {
- $max_experience = 10;
- $experience_limit_reached_txt = _("Limit given by PoJAM reached");
- }
- if (check_date_limit($userid,14) != 1)
- {
- $max_experience = 0;
- $experience_limit_reached_txt = _("Limit given by PoJAM reached");
- }
-
- $res = get_received_assurances_summary($userid);
- while($row = mysql_fetch_assoc($res))
- {
- $points = calc_points ($row);
-
- if ($points > $max_points) // limit to 100 points, above is experience (needs to be fixed)
- {
- $sum_experience_other = $sum_experience_other+($points-$max_points)*intval($row['number']);
- $points = $max_points;
- }
- $sum_points += $points*intval($row['number']);
- }
-
- $res = get_given_assurances_summary($userid);
- while($row = mysql_fetch_assoc($res))
- {
- switch ($row['method'])
- {
- case 'Face to Face Meeting': // count Face to Face only
- $sum_experience += 2*intval($row['number']);
- break;
- }
-
- }
-
- if ($sum_points > $max_points)
- {
- $sum_points_countable = $max_points;
- $remark_points = _("Limit reached");
- }
- else
- {
- $sum_points_countable = $sum_points;
- $remark_points = "&nbsp;";
- }
- if ($sum_experience > $max_experience)
- {
- $sum_experience_countable = $max_experience;
- $remark_experience = $experience_limit_reached_txt;
- }
- else
- {
- $sum_experience_countable = $sum_experience;
- $remark_experience = "&nbsp;";
- }
-
- if ($sum_experience_countable + $sum_experience_other > $max_experience)
- {
- $sum_experience_other_countable = $max_experience-$sum_experience_countable;
- $remark_experience_other = $experience_limit_reached_txt;
- }
- else
- {
- $sum_experience_other_countable = $sum_experience_other;
- $remark_experience_other = "&nbsp;";
- }
-
- if ($sum_points_countable < $max_points)
- {
- if ($sum_experience_countable != 0)
- $remark_experience = _("Points on hold due to less assurance points");
- $sum_experience_countable = 0;
- if ($sum_experience_other_countable != 0)
- $remark_experience_other = _("Points on hold due to less assurance points");
- $sum_experience_other_countable = 0;
- }
-
- $issue_points = 0;
- $cats_test_passed = get_cats_state ($userid);
- if ($cats_test_passed == 0)
- {
- $issue_points_txt = "<strong style='color: red'>"._("You have to pass the CAcert Assurer Challenge (CATS-Test) to be an Assurer")."</strong>";
- if ($sum_points_countable < $max_points)
- {
- $issue_points_txt = "<strong style='color: red'>";
- $issue_points_txt .= sprintf(_("You need %s assurance points and the passed CATS-Test to be an Assurer"), intval($max_points));
- $issue_points_txt .= "</strong>";
- }
- }
- else
- {
- $experience_total = $sum_experience_countable+$sum_experience_other_countable;
- $issue_points_txt = "";
- if ($sum_points_countable == $max_points)
- $issue_points = 10;
- if ($experience_total >= 10)
- $issue_points = 15;
- if ($experience_total >= 20)
- $issue_points = 20;
- if ($experience_total >= 30)
- $issue_points = 25;
- if ($experience_total >= 40)
- $issue_points = 30;
- if ($experience_total >= 50)
- $issue_points = 35;
- if ($issue_points != 0)
- $issue_points_txt = sprintf(_("You may issue up to %s points"),$issue_points);
- }
- if ($display_output)
- {
- output_summary_row (_("Assurance Points you received"),$sum_points,$sum_points_countable,$remark_points);
- output_summary_row (_("Total Experience Points by Assurance"),$sum_experience,$sum_experience_countable,$remark_experience);
- output_summary_row (_("Total Experience Points (other ways)"),$sum_experience_other,$sum_experience_other_countable,$remark_experience_other);
- output_summary_row (_("Total Points"),"&nbsp;",$sum_points_countable + $sum_experience_countable + $sum_experience_other_countable,$issue_points_txt);
- }
- return $issue_points;
- }
-
- function output_given_assurances($userid)
- {
- output_assurances_header(_("Assurance Points You Issued"));
- output_given_assurances_content($userid,$points,$sum_experience);
- output_assurances_footer(_("Total Points Issued"),$points,_("Total Experience Points"),$sum_experience);
- }
-
- function output_received_assurances($userid)
- {
- output_assurances_header(_("Your Assurance Points"));
- output_received_assurances_content($userid,$points,$sum_experience);
- output_assurances_footer(_("Total Assurance Points"),$points,_("Total Experience Points"),$sum_experience);
- }
-
- function output_summary($userid)
- {
- output_summary_header();
- output_summary_content($userid,1);
- output_summary_footer();
- }
-
- function output_end_of_page()
- {
-?>
- <p>[ <a href='javascript:history.go(-1)'><?=_("Go Back")?></a> ]</p>
-<?
- }
-?>