From 70d3c0f57b439e0e31f9404a41d8749ab4fec030 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bernhard=20Fr=C3=B6hlich?= Date: Thu, 25 Aug 2011 21:32:31 +0200 Subject: Uli's proposed fix from https://bugs.cacert.org/view.php?id=975 --- pages/account/43.php | 353 ++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 347 insertions(+), 6 deletions(-) mode change 100644 => 100755 pages/account/43.php diff --git a/pages/account/43.php b/pages/account/43.php old mode 100644 new mode 100755 index a286ec6..929188e --- a/pages/account/43.php +++ b/pages/account/43.php @@ -178,7 +178,7 @@ - : + : @@ -318,15 +318,354 @@
+ 0) { + // select domid's + $query = "select id as domids from `domains` where `memid`='".intval($row['id'])."' "; + $dres = mysql_query($query); + $rcexpired = 0; + $rcrevoked = 0; + $rcexpiremax = "0000-00-00 00:00:00"; + while ($drow = mysql_fetch_assoc($dres)) { + $ndomid = intval($drow['domids']); + + $query2 = "select COUNT(id) as dexpired from `domaincerts` where `domid`='".$ndomid."' and revoked = '0000-00-00 00:00:00' and expire < now() "; + $dres2 = mysql_query($query2); + $drow2 = mysql_fetch_assoc($dres2); + $rcexpired += intval($drow2['dexpired']); + + $query2 = "select COUNT(id) as drevoked from `domaincerts` where `domid`='".$ndomid."' and revoked != '0000-00-00 00:00:00' "; + $dres2 = mysql_query($query2); + $drow2 = mysql_fetch_assoc($dres2); + $rcrevoked += intval($drow2['drevoked']); + + $query2 = "select expire as mexpire from `domaincerts` where `domid`='".$ndomid."' and revoked = '0000-00-00 00:00:00' order by expire desc "; + $dres2 = mysql_query($query2); + $drow2 = mysql_fetch_assoc($dres2); + $rcexpiremax = max($rcexpiremax,$drow2['mexpire']); + + $rcactive = intval($rctotal)-intval($rcexpired)-intval($rcrevoked); + } + } +?> + + + + + + + + + + + + + + + + + 0) { +?> + + + + + + + + + + 0) { + $rcexpired = 0; + $rcrevoked = 0; + $rcexpiremax = "0000-00-00 00:00:00"; + + $query2 = "select COUNT(id) as eexpired from `emailcerts` where `memid`='".intval($row['id'])."' and revoked = '0000-00-00 00:00:00' and expire < now() "; + $dres2 = mysql_query($query2); + $drow2 = mysql_fetch_assoc($dres2); + $rcexpired = intval($drow2['dexpired']); + + $query2 = "select COUNT(id) as erevoked from `emailcerts` where `memid`='".intval($row['id'])."' and revoked != '0000-00-00 00:00:00' "; + $dres2 = mysql_query($query2); + $drow2 = mysql_fetch_assoc($dres2); + $rcrevoked = intval($drow2['erevoked']); + + $query2 = "select expire as eexpire from `emailcerts` where `memid`='".intval($row['id'])."' and revoked = '0000-00-00 00:00:00' order by expire desc "; + $dres2 = mysql_query($query2); + $drow2 = mysql_fetch_assoc($dres2); + $rcexpiremax = $drow2['eexpire']; + + $rcactive = intval($rctotal)-intval($rcexpired)-intval($rcrevoked); + +?> + + + + + + + + + + + + + + 0) { + $rcexpired = 0; + $rcexpiremax = "0000-00-00 00:00:00"; + + $query2 = "select COUNT(id) as gexpired from `gpg` where `memid`='".intval($row['id'])."' and expire < now() "; + $dres2 = mysql_query($query2); + $drow2 = mysql_fetch_assoc($dres2); + $rcexpired = intval($drow2['gexpired']); + +/* + $query2 = "select COUNT(id) as erevoked from `gpg` where `memid`='".intval($row['id'])."' and revoked != '0000-00-00 00:00:00' "; + $dres2 = mysql_query($query2); + $drow2 = mysql_fetch_assoc($dres2); + $rcrevoked = intval($drow2['erevoked']); + */ + + $query2 = "select expire as gexpire from `gpg` where `memid`='".intval($row['id'])."' order by expire desc "; + $dres2 = mysql_query($query2); + $drow2 = mysql_fetch_assoc($dres2); + $rcexpiremax = $drow2['gexpire']; + + $rcactive = intval($rctotal)-intval($rcexpired); +?> + + + + + + + + + + + + + + +
:
:0)?"Pending":" ") ?>
:0)?"Pending":" ") ?>
:
: 0)?"Pending":" ") ?>
:
+
+"2009-06") { + $ucrtdisp = _("between June 2009 and this year"); + } elseif (substr($ucreated,0,7)>="2009-01") { + $ucrtdisp = _("between January and June 2009"); + } else { + $ucrtdisp = _("before January 2009"); + } + + if (substr($umodified,0,7)==substr($now,0,7)) { + $umoddisp = _("this month"); + } elseif (substr($umodified,0,4)==substr($now,0,4)) { + $umoddisp = _("this year"); + } elseif (substr($umodified,0,7)< (intval(substr($now,0,4))-2)."-".substr($now,5,2) ) { + $umoddisp = _("before 2 years"); + } elseif (substr($umodified,0,7)< (intval(substr($now,0,4))-1)."-".substr($now,5,2)) { + $umoddisp = _("before 1 year"); + } else { + $umoddisp = _("within last 12 months"); + } + + +?> + + + + + + + + + + + + + + + don't list user account + // User login -> impossible + // Assurer, assure someone -> user displayed + /* regular user account search with regular settings + + --- Admin Console find user query + $query = "select `users`.`id` as `id`, `email`.`email` as `email` from `users`,`email` + where `users`.`id`=`email`.`memid` and + (`email`.`email` like '$emailsearch' or `email`.`id`='$email' or `users`.`id`='$email') and + `email`.`hash`='' and `email`.`deleted`=0 and `users`.`deleted`=0 + group by `users`.`id` limit 100"; + => requirements + 1. email.hash = '' + 2. email.deleted = 0 + 3. users.deleted = 0 + 4. email.email = primary-email (???) or'd + not covered by admin console find user routine, but may block users login + 5. users.verified = 0|1 + further "special settings" + 6. users.locked (setting displayed in display form) + 7. users.assurer_blocked (setting displayed in display form) + + --- User login user query + select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or + `password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0 + => requirements + 1. users.verified = 1 + 2. users.deleted = 0 + 3. users.locked = 0 + 4. users.email = primary-email + + --- Assurer, assure someone find user query + select * from `users` where `email`='".mysql_escape_string(stripslashes($_POST['email']))."' + and `deleted`=0 + => requirements + 1. users.deleted = 0 + 2. users.email = primary-email + Admin User Assurer + bit Console Login assure someone + + 1. email.hash = '' Yes No No + 2. email.deleted = 0 Yes No No + 3. users.deleted = 0 Yes Yes Yes + 4. users.verified = 1 No Yes No + 5. users.locked = 0 No Yes No + 6. users.email = prim-email No Yes Yes + 7. email.email = prim-email Yes No No + + full usable account needs all 7 requirements fulfilled + so if one setting isn't set/cleared there is an inconsistency either way + if eg email.email is not avail, admin console cannot open user info + but user can login and assurer can display user info + if user verified is not set to 1, admin console displays user record + but user cannot login, but assurer can search for the user and the data displays + + consistency check: + 1. search primary-email in users.email + 2. search primary-email in email.email + 3. userid = email.memid + 4. check settings from table 1. - 5. + + */ + + $inconsistency = 0; + $inconsistencydisp = ""; + $inccause = ""; + // current userid intval($row['id']) + $query = "select email as uemail, deleted as udeleted, verified, locked from `users` where `id`='".intval($row['id'])."' "; + $dres = mysql_query($query); + $drow = mysql_fetch_assoc($dres); + $uemail = $drow['uemail']; + $udeleted = $drow['udeleted']; + $uverified = $drow['verified']; + $ulocked = $drow['locked']; + + $query = "select hash, deleted as edeleted, email as eemail from `email` where `memid`='".intval($row['id'])."' and email='".$uemail."' "; + $dres = mysql_query($query); + if ($drow = mysql_fetch_assoc($dres)) { + $eemail = $drow['eemail']; + $edeleted = $drow['edeleted']; + $ehash = $drow['hash']; + if ($udeleted!=0) { + $inconsistency += 1; + $inccause .= (empty($inccause)?"":"
")._("Users record set to deleted"); + } + if ($uverified!=1) { + $inconsistency += 2; + $inccause .= (empty($inccause)?"":"
")._("Users record verified not set"); + } + if ($ulocked!=0) { + $inconsistency += 4; + $inccause .= (empty($inccause)?"":"
")._("Users record locked set"); + } + if ($edeleted!=0) { + $inconsistency += 8; + $inccause .= (empty($inccause)?"":"
")._("Email record set deleted"); + } + if ($ehash!='') { + $inconsistency += 16; + $inccause .= (empty($inccause)?"":"
")._("Email record hash not unset"); + } + } else { + $inconsistency = 32; + $inccause = _("Prim. email, Email record doesn't exist"); + } + if ($inconsistency>0) { + // $inconsistencydisp = _("Yes"); +?> + + + + + + + + +
:
:
:
code:
that needs to be fixed manualy thru arbitration/critical team.")?>
+
+ + + - + + @@ -345,6 +684,7 @@ $points += $drow['points']; ?> + @@ -355,7 +695,7 @@ - + @@ -371,9 +711,10 @@ ?>
::  
- + + @@ -392,6 +733,7 @@ $points += $drow['points']; ?> + @@ -402,7 +744,7 @@ - + @@ -414,4 +756,3 @@

- -- cgit v1.2.1
::