From 70d3c0f57b439e0e31f9404a41d8749ab4fec030 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bernhard=20Fr=C3=B6hlich?= Date: Thu, 25 Aug 2011 21:32:31 +0200 Subject: Uli's proposed fix from https://bugs.cacert.org/view.php?id=975 --- pages/account/43.php | 353 ++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 347 insertions(+), 6 deletions(-) mode change 100644 => 100755 pages/account/43.php diff --git a/pages/account/43.php b/pages/account/43.php old mode 100644 new mode 100755 index a286ec6..929188e --- a/pages/account/43.php +++ b/pages/account/43.php @@ -178,7 +178,7 @@ - : + : @@ -318,15 +318,354 @@
+ 0) { + // select domid's + $query = "select id as domids from `domains` where `memid`='".intval($row['id'])."' "; + $dres = mysql_query($query); + $rcexpired = 0; + $rcrevoked = 0; + $rcexpiremax = "0000-00-00 00:00:00"; + while ($drow = mysql_fetch_assoc($dres)) { + $ndomid = intval($drow['domids']); + + $query2 = "select COUNT(id) as dexpired from `domaincerts` where `domid`='".$ndomid."' and revoked = '0000-00-00 00:00:00' and expire < now() "; + $dres2 = mysql_query($query2); + $drow2 = mysql_fetch_assoc($dres2); + $rcexpired += intval($drow2['dexpired']); + + $query2 = "select COUNT(id) as drevoked from `domaincerts` where `domid`='".$ndomid."' and revoked != '0000-00-00 00:00:00' "; + $dres2 = mysql_query($query2); + $drow2 = mysql_fetch_assoc($dres2); + $rcrevoked += intval($drow2['drevoked']); + + $query2 = "select expire as mexpire from `domaincerts` where `domid`='".$ndomid."' and revoked = '0000-00-00 00:00:00' order by expire desc "; + $dres2 = mysql_query($query2); + $drow2 = mysql_fetch_assoc($dres2); + $rcexpiremax = max($rcexpiremax,$drow2['mexpire']); + + $rcactive = intval($rctotal)-intval($rcexpired)-intval($rcrevoked); + } + } +?> + + + + + + + + + + + + + + + + + 0) { +?> + + + + + + + + + + 0) { + $rcexpired = 0; + $rcrevoked = 0; + $rcexpiremax = "0000-00-00 00:00:00"; + + $query2 = "select COUNT(id) as eexpired from `emailcerts` where `memid`='".intval($row['id'])."' and revoked = '0000-00-00 00:00:00' and expire < now() "; + $dres2 = mysql_query($query2); + $drow2 = mysql_fetch_assoc($dres2); + $rcexpired = intval($drow2['dexpired']); + + $query2 = "select COUNT(id) as erevoked from `emailcerts` where `memid`='".intval($row['id'])."' and revoked != '0000-00-00 00:00:00' "; + $dres2 = mysql_query($query2); + $drow2 = mysql_fetch_assoc($dres2); + $rcrevoked = intval($drow2['erevoked']); + + $query2 = "select expire as eexpire from `emailcerts` where `memid`='".intval($row['id'])."' and revoked = '0000-00-00 00:00:00' order by expire desc "; 
+ $dres2 = mysql_query($query2); + $drow2 = mysql_fetch_assoc($dres2); + $rcexpiremax = $drow2['eexpire']; + + $rcactive = intval($rctotal)-intval($rcexpired)-intval($rcrevoked); + +?> + + + + + + + + + + + + + + 0) { + $rcexpired = 0; + $rcexpiremax = "0000-00-00 00:00:00"; + + $query2 = "select COUNT(id) as gexpired from `gpg` where `memid`='".intval($row['id'])."' and expire < now() "; + $dres2 = mysql_query($query2); + $drow2 = mysql_fetch_assoc($dres2); + $rcexpired = intval($drow2['gexpired']); + +/* + $query2 = "select COUNT(id) as erevoked from `gpg` where `memid`='".intval($row['id'])."' and revoked != '0000-00-00 00:00:00' "; + $dres2 = mysql_query($query2); + $drow2 = mysql_fetch_assoc($dres2); + $rcrevoked = intval($drow2['erevoked']); + */ + + $query2 = "select expire as gexpire from `gpg` where `memid`='".intval($row['id'])."' order by expire desc "; + $dres2 = mysql_query($query2); + $drow2 = mysql_fetch_assoc($dres2); + $rcexpiremax = $drow2['gexpire']; + + $rcactive = intval($rctotal)-intval($rcexpired); +?> + + + + + + + + + + + + + + +
:
:0)?"Pending":" ") ?>
:0)?"Pending":" ") ?>
:
: 0)?"Pending":" ") ?>
:
+
+"2009-06") { + $ucrtdisp = _("between June 2009 and this year"); + } elseif (substr($ucreated,0,7)>="2009-01") { + $ucrtdisp = _("between January and June 2009"); + } else { + $ucrtdisp = _("before January 2009"); + } + + if (substr($umodified,0,7)==substr($now,0,7)) { + $umoddisp = _("this month"); + } elseif (substr($umodified,0,4)==substr($now,0,4)) { + $umoddisp = _("this year"); + } elseif (substr($umodified,0,7)< (intval(substr($now,0,4))-2)."-".substr($now,5,2) ) { + $umoddisp = _("before 2 years"); + } elseif (substr($umodified,0,7)< (intval(substr($now,0,4))-1)."-".substr($now,5,2)) { + $umoddisp = _("before 1 year"); + } else { + $umoddisp = _("within last 12 months"); + } + + +?> + + + + + + + + + + + + + + + don't list user account + // User login -> impossible + // Assurer, assure someone -> user displayed + /* regular user account search with regular settings + + --- Admin Console find user query + $query = "select `users`.`id` as `id`, `email`.`email` as `email` from `users`,`email` + where `users`.`id`=`email`.`memid` and + (`email`.`email` like '$emailsearch' or `email`.`id`='$email' or `users`.`id`='$email') and + `email`.`hash`='' and `email`.`deleted`=0 and `users`.`deleted`=0 + group by `users`.`id` limit 100"; + => requirements + 1. email.hash = '' + 2. email.deleted = 0 + 3. users.deleted = 0 + 4. email.email = primary-email (???) or'd + not covered by admin console find user routine, but may block users login + 5. users.verified = 0|1 + further "special settings" + 6. users.locked (setting displayed in display form) + 7. users.assurer_blocked (setting displayed in display form) + + --- User login user query + select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or + `password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0 + => requirements + 1. users.verified = 1 + 2. users.deleted = 0 + 3. users.locked = 0 + 4. 
users.email = primary-email + + --- Assurer, assure someone find user query + select * from `users` where `email`='".mysql_escape_string(stripslashes($_POST['email']))."' + and `deleted`=0 + => requirements + 1. users.deleted = 0 + 2. users.email = primary-email + Admin User Assurer + bit Console Login assure someone + + 1. email.hash = '' Yes No No + 2. email.deleted = 0 Yes No No + 3. users.deleted = 0 Yes Yes Yes + 4. users.verified = 1 No Yes No + 5. users.locked = 0 No Yes No + 6. users.email = prim-email No Yes Yes + 7. email.email = prim-email Yes No No + + full usable account needs all 7 requirements fulfilled + so if one setting isn't set/cleared there is an inconsistency either way + if eg email.email is not avail, admin console cannot open user info + but user can login and assurer can display user info + if user verified is not set to 1, admin console displays user record + but user cannot login, but assurer can search for the user and the data displays + + consistency check: + 1. search primary-email in users.email + 2. search primary-email in email.email + 3. userid = email.memid + 4. check settings from table 1. - 5. + + */ + + $inconsistency = 0; + $inconsistencydisp = ""; + $inccause = ""; + // current userid intval($row['id']) + $query = "select email as uemail, deleted as udeleted, verified, locked from `users` where `id`='".intval($row['id'])."' "; + $dres = mysql_query($query); + $drow = mysql_fetch_assoc($dres); + $uemail = $drow['uemail']; + $udeleted = $drow['udeleted']; + $uverified = $drow['verified']; + $ulocked = $drow['locked']; + + $query = "select hash, deleted as edeleted, email as eemail from `email` where `memid`='".intval($row['id'])."' and email='".$uemail."' "; + $dres = mysql_query($query); + if ($drow = mysql_fetch_assoc($dres)) { + $eemail = $drow['eemail']; + $edeleted = $drow['edeleted']; + $ehash = $drow['hash']; + if ($udeleted!=0) { + $inconsistency += 1; + $inccause .= (empty($inccause)?"":"
")._("Users record set to deleted"); + } + if ($uverified!=1) { + $inconsistency += 2; + $inccause .= (empty($inccause)?"":"
")._("Users record verified not set"); + } + if ($ulocked!=0) { + $inconsistency += 4; + $inccause .= (empty($inccause)?"":"
")._("Users record locked set"); + } + if ($edeleted!=0) { + $inconsistency += 8; + $inccause .= (empty($inccause)?"":"
")._("Email record set deleted"); + } + if ($ehash!='') { + $inconsistency += 16; + $inccause .= (empty($inccause)?"":"
")._("Email record hash not unset"); + } + } else { + $inconsistency = 32; + $inccause = _("Prim. email, Email record doesn't exist"); + } + if ($inconsistency>0) { + // $inconsistencydisp = _("Yes"); +?> + + + + + + + + +
:
:
:
code:
that needs to be fixed manualy thru arbitration/critical team.")?>
+
+ + + - + + @@ -345,6 +684,7 @@ $points += $drow['points']; ?> + @@ -355,7 +695,7 @@ - + @@ -371,9 +711,10 @@ ?>
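Review bot: In the emailcerts block the count is aliased `eexpired` in the query but read back as `$rcexpired = intval($drow2['dexpired']);`, so the expired count for email certificates is always 0 and `$rcactive` is overstated; it should read `$rcexpired = intval($drow2['eexpired']);`. In the gpg block `$rcrevoked` is never reset, so it still carries the emailcerts value if the markup shows it there, and `$rctotal` is not assigned anywhere in the visible hunk — presumably both live in PHP fragments this extract dropped, so treat that as unconfirmed. Further down, `$uemail` read from `users`.`email` is concatenated unescaped into the `email` lookup (`email='".$uemail."'`), which breaks the query for any stored address containing a quote and then reports code 32 for a consistent account; wrap it as `mysql_real_escape_string($uemail)`. The same unescaped interpolation returns when this check is re-added in de63af5 and in the two rewritten lookups of the last commit in this series.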
::  
- + + @@ -392,6 +733,7 @@ $points += $drow['points']; ?> + @@ -402,7 +744,7 @@ - + @@ -414,4 +756,3 @@

- -- cgit v1.2.1 From bbc36730a848e9fa9a5e09f3c25de505fd511272 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bernhard=20Fr=C3=B6hlich?= Date: Thu, 25 Aug 2011 22:18:15 +0200 Subject: My proposal to fix the bug responsible for arbitration case a20110804.1 --- pages/account/43.php | 381 ++++----------------------------------------------- 1 file changed, 25 insertions(+), 356 deletions(-) diff --git a/pages/account/43.php b/pages/account/43.php index 929188e..ae8bffc 100755 --- a/pages/account/43.php +++ b/pages/account/43.php @@ -38,14 +38,24 @@ //if(!strstr($email, "%")) // $emailsearch = "%$email%"; - if(intval($email) > 0) - $emailsearch = ""; - - $query = "select `users`.`id` as `id`, `email`.`email` as `email` from `users`,`email` - where `users`.`id`=`email`.`memid` and - (`email`.`email` like '$emailsearch' or `email`.`id`='$email' or `users`.`id`='$email') and - `email`.`hash`='' and `email`.`deleted`=0 and `users`.`deleted`=0 - group by `users`.`id` limit 100"; + if(preg_match("/^[0-9]+$/", $email)) { + // $email consists of digits only ==> search for IDs + $query = "select `users`.`id` as `id`, `email`.`email` as `email` from `users`,`email` + where `users`.`id`=`email`.`memid` + and (`email`.`id`='$email' or `users`.`id`='$email') + and `email`.`hash`='' and `email`.`deleted`=0 and `users`.`deleted`=0 + group by `users`.`id` limit 100"; + } else { + // $email contains non-digits ==> search for mail addresses + // Be defensive here (outer join) if primary mail is not listed in email table + $query = "select `users`.`id` as `id`, `email`.`email` as `email` + from `users` left oter join `email` on (`users`.`id`=`email`.`memid`) + where ((`email`.`email` like '$emailsearch' + and `email`.`hash`='' and `email`.`deleted`=0) + or `users`.`email` like '$emailsearch') + and `users`.`deleted`=0 + group by `users`.`id` limit 100"; + } $res = mysql_query($query); if(mysql_num_rows($res) > 1) { ?>
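Review bot: The two new branches are not symmetric: the id branch still inner-joins `email` (`from \`users\`,\`email\` where \`users\`.\`id\`=\`email\`.\`memid\``) and requires `hash=''`/`deleted=0`, so an account whose primary address is missing from the email table — the case the else branch's own comment says it defends against — is still not found when searched by id. Using the same `left outer join` form in both branches closes that gap. The digit check `preg_match("/^[0-9]+$/", $email)` also accepts a trailing newline because `$` matches before a final newline; `preg_match('/^[0-9]+$/D', $email)` makes it strict before `$email` is placed into the query. Whether `$emailsearch` is escaped before it reaches the two `like` clauses is decided outside this hunk and cannot be checked here.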
::  
@@ -138,7 +148,7 @@ { echo "$i"; } ?> @@ -178,7 +188,7 @@ - + @@ -318,354 +328,15 @@
- 0) { - // select domid's - $query = "select id as domids from `domains` where `memid`='".intval($row['id'])."' "; - $dres = mysql_query($query); - $rcexpired = 0; - $rcrevoked = 0; - $rcexpiremax = "0000-00-00 00:00:00"; - while ($drow = mysql_fetch_assoc($dres)) { - $ndomid = intval($drow['domids']); - - $query2 = "select COUNT(id) as dexpired from `domaincerts` where `domid`='".$ndomid."' and revoked = '0000-00-00 00:00:00' and expire < now() "; - $dres2 = mysql_query($query2); - $drow2 = mysql_fetch_assoc($dres2); - $rcexpired += intval($drow2['dexpired']); - - $query2 = "select COUNT(id) as drevoked from `domaincerts` where `domid`='".$ndomid."' and revoked != '0000-00-00 00:00:00' "; - $dres2 = mysql_query($query2); - $drow2 = mysql_fetch_assoc($dres2); - $rcrevoked += intval($drow2['drevoked']); - - $query2 = "select expire as mexpire from `domaincerts` where `domid`='".$ndomid."' and revoked = '0000-00-00 00:00:00' order by expire desc "; - $dres2 = mysql_query($query2); - $drow2 = mysql_fetch_assoc($dres2); - $rcexpiremax = max($rcexpiremax,$drow2['mexpire']); - - $rcactive = intval($rctotal)-intval($rcexpired)-intval($rcrevoked); - } - } -?> -
::
- - - - - - - - - - - - - - - - 0) { -?> - - - - - - - - - - 0) { - $rcexpired = 0; - $rcrevoked = 0; - $rcexpiremax = "0000-00-00 00:00:00"; - - $query2 = "select COUNT(id) as eexpired from `emailcerts` where `memid`='".intval($row['id'])."' and revoked = '0000-00-00 00:00:00' and expire < now() "; - $dres2 = mysql_query($query2); - $drow2 = mysql_fetch_assoc($dres2); - $rcexpired = intval($drow2['dexpired']); - - $query2 = "select COUNT(id) as erevoked from `emailcerts` where `memid`='".intval($row['id'])."' and revoked != '0000-00-00 00:00:00' "; - $dres2 = mysql_query($query2); - $drow2 = mysql_fetch_assoc($dres2); - $rcrevoked = intval($drow2['erevoked']); - - $query2 = "select expire as eexpire from `emailcerts` where `memid`='".intval($row['id'])."' and revoked = '0000-00-00 00:00:00' order by expire desc "; - $dres2 = mysql_query($query2); - $drow2 = mysql_fetch_assoc($dres2); - $rcexpiremax = $drow2['eexpire']; - - $rcactive = intval($rctotal)-intval($rcexpired)-intval($rcrevoked); - -?> - - - - - - - - - - - - - - 0) { - $rcexpired = 0; - $rcexpiremax = "0000-00-00 00:00:00"; - - $query2 = "select COUNT(id) as gexpired from `gpg` where `memid`='".intval($row['id'])."' and expire < now() "; - $dres2 = mysql_query($query2); - $drow2 = mysql_fetch_assoc($dres2); - $rcexpired = intval($drow2['gexpired']); - -/* - $query2 = "select COUNT(id) as erevoked from `gpg` where `memid`='".intval($row['id'])."' and revoked != '0000-00-00 00:00:00' "; - $dres2 = mysql_query($query2); - $drow2 = mysql_fetch_assoc($dres2); - $rcrevoked = intval($drow2['erevoked']); - */ - - $query2 = "select expire as gexpire from `gpg` where `memid`='".intval($row['id'])."' order by expire desc "; - $dres2 = mysql_query($query2); - $drow2 = mysql_fetch_assoc($dres2); - $rcexpiremax = $drow2['gexpire']; - - $rcactive = intval($rctotal)-intval($rcexpired); -?> - - - - - - - - - - - - - - -
:
:0)?"Pending":" ") ?>
:0)?"Pending":" ") ?>
:
: 0)?"Pending":" ") ?>
:
-
-"2009-06") { - $ucrtdisp = _("between June 2009 and this year"); - } elseif (substr($ucreated,0,7)>="2009-01") { - $ucrtdisp = _("between January and June 2009"); - } else { - $ucrtdisp = _("before January 2009"); - } - - if (substr($umodified,0,7)==substr($now,0,7)) { - $umoddisp = _("this month"); - } elseif (substr($umodified,0,4)==substr($now,0,4)) { - $umoddisp = _("this year"); - } elseif (substr($umodified,0,7)< (intval(substr($now,0,4))-2)."-".substr($now,5,2) ) { - $umoddisp = _("before 2 years"); - } elseif (substr($umodified,0,7)< (intval(substr($now,0,4))-1)."-".substr($now,5,2)) { - $umoddisp = _("before 1 year"); - } else { - $umoddisp = _("within last 12 months"); - } - - -?> - - - - - - - - - - - - - - - don't list user account - // User login -> impossible - // Assurer, assure someone -> user displayed - /* regular user account search with regular settings - - --- Admin Console find user query - $query = "select `users`.`id` as `id`, `email`.`email` as `email` from `users`,`email` - where `users`.`id`=`email`.`memid` and - (`email`.`email` like '$emailsearch' or `email`.`id`='$email' or `users`.`id`='$email') and - `email`.`hash`='' and `email`.`deleted`=0 and `users`.`deleted`=0 - group by `users`.`id` limit 100"; - => requirements - 1. email.hash = '' - 2. email.deleted = 0 - 3. users.deleted = 0 - 4. email.email = primary-email (???) or'd - not covered by admin console find user routine, but may block users login - 5. users.verified = 0|1 - further "special settings" - 6. users.locked (setting displayed in display form) - 7. users.assurer_blocked (setting displayed in display form) - - --- User login user query - select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or - `password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0 - => requirements - 1. users.verified = 1 - 2. users.deleted = 0 - 3. users.locked = 0 - 4. 
users.email = primary-email - - --- Assurer, assure someone find user query - select * from `users` where `email`='".mysql_escape_string(stripslashes($_POST['email']))."' - and `deleted`=0 - => requirements - 1. users.deleted = 0 - 2. users.email = primary-email - Admin User Assurer - bit Console Login assure someone - - 1. email.hash = '' Yes No No - 2. email.deleted = 0 Yes No No - 3. users.deleted = 0 Yes Yes Yes - 4. users.verified = 1 No Yes No - 5. users.locked = 0 No Yes No - 6. users.email = prim-email No Yes Yes - 7. email.email = prim-email Yes No No - - full usable account needs all 7 requirements fulfilled - so if one setting isn't set/cleared there is an inconsistency either way - if eg email.email is not avail, admin console cannot open user info - but user can login and assurer can display user info - if user verified is not set to 1, admin console displays user record - but user cannot login, but assurer can search for the user and the data displays - - consistency check: - 1. search primary-email in users.email - 2. search primary-email in email.email - 3. userid = email.memid - 4. check settings from table 1. - 5. - - */ - - $inconsistency = 0; - $inconsistencydisp = ""; - $inccause = ""; - // current userid intval($row['id']) - $query = "select email as uemail, deleted as udeleted, verified, locked from `users` where `id`='".intval($row['id'])."' "; - $dres = mysql_query($query); - $drow = mysql_fetch_assoc($dres); - $uemail = $drow['uemail']; - $udeleted = $drow['udeleted']; - $uverified = $drow['verified']; - $ulocked = $drow['locked']; - - $query = "select hash, deleted as edeleted, email as eemail from `email` where `memid`='".intval($row['id'])."' and email='".$uemail."' "; - $dres = mysql_query($query); - if ($drow = mysql_fetch_assoc($dres)) { - $eemail = $drow['eemail']; - $edeleted = $drow['edeleted']; - $ehash = $drow['hash']; - if ($udeleted!=0) { - $inconsistency += 1; - $inccause .= (empty($inccause)?"":"
")._("Users record set to deleted"); - } - if ($uverified!=1) { - $inconsistency += 2; - $inccause .= (empty($inccause)?"":"
")._("Users record verified not set"); - } - if ($ulocked!=0) { - $inconsistency += 4; - $inccause .= (empty($inccause)?"":"
")._("Users record locked set"); - } - if ($edeleted!=0) { - $inconsistency += 8; - $inccause .= (empty($inccause)?"":"
")._("Email record set deleted"); - } - if ($ehash!='') { - $inconsistency += 16; - $inccause .= (empty($inccause)?"":"
")._("Email record hash not unset"); - } - } else { - $inconsistency = 32; - $inccause = _("Prim. email, Email record doesn't exist"); - } - if ($inconsistency>0) { - // $inconsistencydisp = _("Yes"); -?> - - - - - - - - -
:
:
:
code:
that needs to be fixed manualy thru arbitration/critical team.")?>
-
- - - - + - @@ -684,7 +355,6 @@ $points += $drow['points']; ?> - @@ -695,7 +365,7 @@ - + @@ -711,10 +381,9 @@ ?>
::  
- + - @@ -733,7 +402,6 @@ $points += $drow['points']; ?> - @@ -744,7 +412,7 @@ - + @@ -756,3 +424,4 @@

+ -- cgit v1.2.1 From a2c2ddd7b5ef0c04d52fe9f22439e30a6de27a87 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bernhard=20Fr=C3=B6hlich?= Date: Thu, 25 Aug 2011 22:42:32 +0200 Subject: Typo fix --- pages/account/43.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/account/43.php b/pages/account/43.php index ae8bffc..f1bfb65 100755 --- a/pages/account/43.php +++ b/pages/account/43.php @@ -49,7 +49,7 @@ // $email contains non-digits ==> search for mail addresses // Be defensive here (outer join) if primary mail is not listed in email table $query = "select `users`.`id` as `id`, `email`.`email` as `email` - from `users` left oter join `email` on (`users`.`id`=`email`.`memid`) + from `users` left outer join `email` on (`users`.`id`=`email`.`memid`) where ((`email`.`email` like '$emailsearch' and `email`.`hash`='' and `email`.`deleted`=0) or `users`.`email` like '$emailsearch') -- cgit v1.2.1 From de63af512f3558435c1b6b5f7f37406f787c9864 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bernhard=20Fr=C3=B6hlich?= Date: Wed, 14 Sep 2011 19:20:54 +0200 Subject: Proposed additional changes by Uli and Dirk https://bugs.cacert.org/view.php?id=975#c2351 --- pages/account/43.php | 140 +++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 137 insertions(+), 3 deletions(-) diff --git a/pages/account/43.php b/pages/account/43.php index f1bfb65..3a96416 100755 --- a/pages/account/43.php +++ b/pages/account/43.php 
@@ -38,24 +38,25 @@ //if(!strstr($email, "%")) // $emailsearch = "%$email%"; + // bug-975 ted+uli changes --- begin if(preg_match("/^[0-9]+$/", $email)) { // $email consists of digits only ==> search for IDs $query = "select `users`.`id` as `id`, `email`.`email` as `email` from `users`,`email` where `users`.`id`=`email`.`memid` and (`email`.`id`='$email' or `users`.`id`='$email') - and `email`.`hash`='' and `email`.`deleted`=0 and `users`.`deleted`=0 + and `users`.`deleted`=0 group by `users`.`id` limit 100"; } else { // $email contains non-digits ==> search for mail addresses // Be defensive here (outer join) if primary mail is not listed in email table $query = "select `users`.`id` as `id`, `email`.`email` as `email` from `users` left outer join `email` on (`users`.`id`=`email`.`memid`) - where ((`email`.`email` like '$emailsearch' - and `email`.`hash`='' and `email`.`deleted`=0) + where (`email`.`email` like '$emailsearch' or `users`.`email` like '$emailsearch') and `users`.`deleted`=0 group by `users`.`id` limit 100"; } + // bug-975 ted+uli changes --- end $res = mysql_query($query); if(mysql_num_rows($res) > 1) { ?>
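Review bot: With the `hash`/`deleted` filters removed from the mail-address branch, the `\`email\`.\`email\` as \`email\`` column that `group by \`users\`.\`id\`` returns can now be an unverified or deleted address, or NULL when the outer join finds no row, so the address shown per hit is no longer reliably the primary one. If the list is meant to identify the account, selecting `\`users\`.\`email\` as \`email\`` is deterministic and matches the address the consistency check further down compares against. The result rendering is outside this hunk, so this is inferred from the query alone.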
::  
@@ -327,6 +328,139 @@

+ + + + + + + don't list user account + // User login -> impossible + // Assurer, assure someone -> user displayed + /* regular user account search with regular settings + + --- Admin Console find user query + $query = "select `users`.`id` as `id`, `email`.`email` as `email` from `users`,`email` + where `users`.`id`=`email`.`memid` and + (`email`.`email` like '$emailsearch' or `email`.`id`='$email' or `users`.`id`='$email') and + `email`.`hash`='' and `email`.`deleted`=0 and `users`.`deleted`=0 + group by `users`.`id` limit 100"; + => requirements + 1. email.hash = '' + 2. email.deleted = 0 + 3. users.deleted = 0 + 4. email.email = primary-email (???) or'd + not covered by admin console find user routine, but may block users login + 5. users.verified = 0|1 + further "special settings" + 6. users.locked (setting displayed in display form) + 7. users.assurer_blocked (setting displayed in display form) + + --- User login user query + select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or + `password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0 + => requirements + 1. users.verified = 1 + 2. users.deleted = 0 + 3. users.locked = 0 + 4. users.email = primary-email + + --- Assurer, assure someone find user query + select * from `users` where `email`='".mysql_escape_string(stripslashes($_POST['email']))."' + and `deleted`=0 + => requirements + 1. users.deleted = 0 + 2. users.email = primary-email + Admin User Assurer + bit Console Login assure someone + + 1. email.hash = '' Yes No No + 2. email.deleted = 0 Yes No No + 3. users.deleted = 0 Yes Yes Yes + 4. users.verified = 1 No Yes No + 5. users.locked = 0 No Yes No + 6. users.email = prim-email No Yes Yes + 7. 
email.email = prim-email Yes No No + + full usable account needs all 7 requirements fulfilled + so if one setting isn't set/cleared there is an inconsistency either way + if eg email.email is not avail, admin console cannot open user info + but user can login and assurer can display user info + if user verified is not set to 1, admin console displays user record + but user cannot login, but assurer can search for the user and the data displays + + consistency check: + 1. search primary-email in users.email + 2. search primary-email in email.email + 3. userid = email.memid + 4. check settings from table 1. - 5. + + */ + + $inconsistency = 0; + $inconsistencydisp = ""; + $inccause = ""; + // current userid intval($row['id']) + $query = "select email as uemail, deleted as udeleted, verified, locked from `users` where `id`='".intval($row['id'])."' "; + $dres = mysql_query($query); + $drow = mysql_fetch_assoc($dres); + $uemail = $drow['uemail']; + $udeleted = $drow['udeleted']; + $uverified = $drow['verified']; + $ulocked = $drow['locked']; + + $query = "select hash, deleted as edeleted, email as eemail from `email` where `memid`='".intval($row['id'])."' and email='".$uemail."' "; + $dres = mysql_query($query); + if ($drow = mysql_fetch_assoc($dres)) { + $eemail = $drow['eemail']; + $edeleted = $drow['edeleted']; + $ehash = $drow['hash']; + if ($udeleted!=0) { + $inconsistency += 1; + $inccause .= (empty($inccause)?"":"
")._("Users record set to deleted"); + } + if ($uverified!=1) { + $inconsistency += 2; + $inccause .= (empty($inccause)?"":"
")._("Users record verified not set"); + } + if ($ulocked!=0) { + $inconsistency += 4; + $inccause .= (empty($inccause)?"":"
")._("Users record locked set"); + } + if ($edeleted!=0) { + $inconsistency += 8; + $inccause .= (empty($inccause)?"":"
")._("Email record set deleted"); + } + if ($ehash!='') { + $inconsistency += 16; + $inccause .= (empty($inccause)?"":"
")._("Email record hash not unset"); + } + } else { + $inconsistency = 32; + $inccause = _("Prim. email, Email record doesn't exist"); + } + if ($inconsistency>0) { + // $inconsistencydisp = _("Yes"); +?> + + + + + + + + +
:
code:
that needs to be fixed manualy thru arbitration/critical team.")?>
+
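Review bot: The `email` lookup (`select hash, deleted as edeleted, email as eemail from \`email\` where \`memid\`=... and email='".$uemail."'`) has no `order by` and only its first row is examined, so when the same address exists once deleted and once live (deleted and re-added) the deleted row may be picked and the account flagged with bit 8 although a valid record exists; `order by \`deleted\` asc limit 1` makes the live row win. `$inconsistencydisp` is assigned `""` and never read — its only other reference is the commented-out `// $inconsistencydisp = _("Yes");` — so it can be dropped. The closing of `if ($inconsistency>0) {` and of the surrounding PHP is not visible in this extract.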
+ Date: Fri, 16 Sep 2011 04:12:09 +0200 Subject: bug 975: Many fixes to the fix MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - also include accounts without an entry in the email table when searching by id - revert the breakage of an indentation - always use backticks around non-SQL keywords or functions - fix a problem when the primary email had been deleted and readded before - use HTML to do the line breaking for us and fix typo Signed-off-by: Michael Tänzer --- pages/account/43.php | 34 +++++++++++++++++++++++++++------- 1 file changed, 27 insertions(+), 7 deletions(-) diff --git a/pages/account/43.php b/pages/account/43.php index 3a96416..5bd86bf 100755 --- a/pages/account/43.php +++ b/pages/account/43.php @@ -41,9 +41,10 @@ // bug-975 ted+uli changes --- begin if(preg_match("/^[0-9]+$/", $email)) { // $email consists of digits only ==> search for IDs - $query = "select `users`.`id` as `id`, `email`.`email` as `email` from `users`,`email` - where `users`.`id`=`email`.`memid` - and (`email`.`id`='$email' or `users`.`id`='$email') + // Be defensive here (outer join) if primary mail is not listed in email table + $query = "select `users`.`id` as `id`, `email`.`email` as `email` + from `users` left outer join `email` on (`users`.`id`=`email`.`memid`) + where (`email`.`id`='$email' or `users`.`id`='$email') and `users`.`deleted`=0 group by `users`.`id` limit 100"; } else { @@ -149,7 +150,7 @@ { echo "$i"; } ?> @@ -404,7 +405,8 @@ $inconsistencydisp = ""; $inccause = ""; // current userid intval($row['id']) - $query = "select email as uemail, deleted as udeleted, verified, locked from `users` where `id`='".intval($row['id'])."' "; + $query = "select `email` as `uemail`, `deleted` as `udeleted`, `verified`, `locked` + from `users` where `id`='".intval($row['id'])."' "; $dres = mysql_query($query); $drow = mysql_fetch_assoc($dres); $uemail = $drow['uemail']; 
@@ -412,9 +414,23 @@ $uverified = $drow['verified']; $ulocked = $drow['locked']; - $query = "select hash, deleted as edeleted, email as eemail from `email` where `memid`='".intval($row['id'])."' and email='".$uemail."' "; + $query = "select `hash`, `email` as `eemail` from `email` + where `memid`='".intval($row['id'])."' and + `email` ='".$uemail."' and + `deleted` = 0"; $dres = mysql_query($query); if ($drow = mysql_fetch_assoc($dres)) { + $drow['edeleted'] = 0; + } else { + // try if there are deleted entries + $query = "select `hash`, `deleted` as `edeleted`, `email` as `eemail` from `email` + where `memid`='".intval($row['id'])."' and + `email` ='".$uemail."'"; + $dres = mysql_query($query); + $drow = mysql_fetch_assoc($dres); + } + + if ($drow) { $eemail = $drow['eemail']; $edeleted = $drow['edeleted']; $ehash = $drow['hash']; @@ -450,7 +466,11 @@
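Review bot: The two-step lookup (live row first, then the `// try if there are deleted entries` fallback) can be one query that sorts live rows first, which also removes the synthetic `$drow['edeleted'] = 0;` and the duplicated SQL. Both queries still embed `$uemail` unescaped, so the merged version below escapes it as well. The fallback query has no `order by`, so with several deleted rows for the address the `hash` that decides bit 16 comes from an arbitrary one; the single ordered query at least guarantees a live row is preferred. The `if ($drow) {` branch that follows stays as it is, and the enclosing block closes outside this hunk.
```php
// One lookup: a live row (deleted = 0) sorts first; a deleted row is
// returned only when no live row for the primary address exists.
$query = "select `hash`, `deleted` as `edeleted`, `email` as `eemail` from `email`
    where `memid`='".intval($row['id'])."' and
    `email` ='".mysql_real_escape_string($uemail)."'
    order by `deleted` asc limit 1";
$dres = mysql_query($query);
$drow = mysql_fetch_assoc($dres);
// … unchanged: if ($drow) { $eemail = …; $edeleted = …; $ehash = …; } …
```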
code: - that needs to be fixed manualy thru arbitration/critical team.")?> + + +