From a980e8aa7a6c3612fb884a051cc8125b3e4811d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michael=20T=C3=A4nzer?= Date: Tue, 21 Aug 2012 23:43:10 +0200 Subject: Source code taken from cacert-20120810.tar.bz2 --- includes/account.php | 57 +++++++++++++++++++--------- includes/account_stuff.php | 2 +- includes/general.php | 3 +- includes/lib/account.php | 93 ++++++++++++++++++++++++++++++++++------------ 4 files changed, 112 insertions(+), 43 deletions(-) (limited to 'includes') diff --git a/includes/account.php b/includes/account.php index 554713e..f84eb63 100644 --- a/includes/account.php +++ b/includes/account.php @@ -2145,9 +2145,9 @@ if($oldid == 29 && $process != "") { - $domain = mysql_real_escape_string(stripslashes(trim($domainname))); + $domain = mysql_real_escape_string(stripslashes(trim($_REQUEST['domainname']))); - $res1 = mysql_query("select * from `orgdomains` where `domain` like '$domain' and `id`!='".intval($_SESSION['_config']['domid'])."'"); + $res1 = mysql_query("select * from `orgdomains` where `domain` like '$domain' and `id`!='".intval($domid)."'"); $res2 = mysql_query("select * from `domains` where `domain` like '$domain' and `deleted`=0"); if(mysql_num_rows($res1) > 0 || mysql_num_rows($res2) > 0) { @@ -2157,12 +2157,12 @@ } } - if(($oldid == 29 || $oldid == 30) && $process != _("Cancel")) + if(($oldid == 29 || $oldid == 30) && $process != "") // _("Cancel") is handled in front of account.php { $query = "select `orgdomaincerts`.`id` as `id` from `orgdomlink`, `orgdomaincerts`, `orgdomains` where `orgdomlink`.`orgdomid`=`orgdomains`.`id` and `orgdomaincerts`.`id`=`orgdomlink`.`orgcertid` and - `orgdomains`.`id`='".intval($_SESSION['_config']['domid'])."'"; + `orgdomains`.`id`='".intval($domid)."'"; $res = mysql_query($query); while($row = mysql_fetch_assoc($res)) mysql_query("update `orgdomaincerts` set `revoked`='1970-01-01 10:00:01' where `id`='".$row['id']."'"); @@ -2170,7 +2170,7 @@ $query = "select `orgemailcerts`.`id` as `id` from `orgemailcerts`, `orgemaillink`, `orgdomains` where `orgemaillink`.`domid`=`orgdomains`.`id` and `orgemailcerts`.`id`=`orgemaillink`.`emailcertsid` and - `orgdomains`.`id`='".intval($_SESSION['_config']['domid'])."'"; + `orgdomains`.`id`='".intval($domid)."'"; $res = mysql_query($query); while($row = mysql_fetch_assoc($res)) mysql_query("update `orgemailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='".intval($row['id'])."'"); @@ -2178,23 +2178,23 @@ if($oldid == 29 && $process != "") { - $row = mysql_fetch_assoc(mysql_query("select * from `orgdomains` where `id`='".intval($_SESSION['_config']['domid'])."'")); - mysql_query("update `orgdomains` set `domain`='$domain' where `id`='".intval($_SESSION['_config']['domid'])."'"); + $row = mysql_fetch_assoc(mysql_query("select * from `orgdomains` where `id`='".intval($domid)."'")); + mysql_query("update `orgdomains` set `domain`='$domain' where `id`='".intval($domid)."'"); showheader(_("My CAcert.org Account!")); printf(_("'%s' has just been successfully updated in the database."), sanitizeHTML($domain)); - echo "

"._("Click here")." "._("to continue."); + echo "

"._("Click here")." "._("to continue."); showfooter(); exit; } if($oldid == 30 && $process != "") { - $row = mysql_fetch_assoc(mysql_query("select * from `orgdomains` where `id`='".intval($_SESSION['_config']['domid'])."'")); + $row = mysql_fetch_assoc(mysql_query("select * from `orgdomains` where `id`='".intval($domid)."'")); $domain = $row['domain']; - mysql_query("delete from `orgdomains` where `id`='".intval($_SESSION['_config']['domid'])."'"); + mysql_query("delete from `orgdomains` where `id`='".intval($domid)."'"); showheader(_("My CAcert.org Account!")); printf(_("'%s' has just been successfully deleted from the database."), sanitizeHTML($domain)); - echo "

"._("Click here")." "._("to continue."); + echo "

"._("Click here")." "._("to continue."); showfooter(); exit; } @@ -2246,8 +2246,7 @@ $orgid = 0; } - if($id == 32 || $oldid == 32 || $id == 33 || $oldid == 33 || $id == 34 || $oldid == 34 || - $id == 35 || $oldid == 35) + if($id == 32 || $oldid == 32 || $id == 33 || $oldid == 33 || $id == 34 || $oldid == 34) { $query = "select * from `org` where `memid`='".intval($_SESSION['profile']['id'])."' and `masteracc`='1'"; $_macc = mysql_num_rows(mysql_query($query)); @@ -2260,6 +2259,19 @@ } } + if($id == 35 || $oldid == 35) + { + $query = "select 1 from `org` where `memid`='".intval($_SESSION['profile']['id'])."'"; + $is_orguser = mysql_num_rows(mysql_query($query)); + if($_SESSION['profile']['orgadmin'] != 1 && $is_orguser <= 0) + { + showheader(_("My CAcert.org Account!")); + echo _("You don't have access to this area."); + showfooter(); + exit; + } + } + if($id == 33 && $_SESSION['profile']['orgadmin'] != 1) { $orgid = intval($_SESSION['_config']['orgid']); @@ -2289,8 +2301,21 @@ $_SESSION['_config']['errmsg'] = sprintf(_("Wasn't able to match '%s' against any user in the system"), sanitizeHTML($_REQUEST['email'])); } else { $row = mysql_fetch_assoc($res); - mysql_query("insert into `org` set `memid`='".intval($row['id'])."', `orgid`='".intval($_SESSION['_config']['orgid'])."', - `masteracc`='$masteracc', `OU`='$OU', `comments`='$comments'"); + if ( !is_assurer(intval($row['id'])) ) + { + $id = $oldid; + $oldid=0; + $_SESSION['_config']['errmsg'] = + _("The user is not an Assurer yet"); + } else { + mysql_query( + "insert into `org` + set `memid`='".intval($row['id'])."', + `orgid`='".intval($_SESSION['_config']['orgid'])."', + `masteracc`='$masteracc', + `OU`='$OU', + `comments`='$comments'"); + } } } @@ -2967,6 +2992,4 @@ $_SESSION['_config']['orgid'] = intval($orgid); if(intval($memid) > 0) $_SESSION['_config']['memid'] = intval($memid); - if(intval($domid) > 0) - $_SESSION['_config']['domid'] = intval($domid); ?> diff --git a/includes/account_stuff.php b/includes/account_stuff.php index 108bd57..794266a 100644 --- a/includes/account_stuff.php +++ b/includes/account_stuff.php @@ -209,7 +209,7 @@ function hideall() { - 0 || $_SESSION['profile']['orgadmin'] == 1) { ?> + 0 || $_SESSION['profile']['orgadmin'] == 1) { ?>

+

diff --git a/includes/general.php b/includes/general.php index 9e2b131..3478dd4 100644 --- a/includes/general.php +++ b/includes/general.php @@ -215,7 +215,8 @@ //echo "Points due to name matches: $points
"; - $do = `grep '$pwd' /usr/share/dict/american-english`; + $shellpwd = escapeshellarg($pwd); + $do = `grep $shellpwd /usr/share/dict/american-english`; if($do) $points--; diff --git a/includes/lib/account.php b/includes/lib/account.php index c7697ce..e311668 100644 --- a/includes/lib/account.php +++ b/includes/lib/account.php @@ -17,37 +17,82 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ -function fix_assurer_flag($userID) +/** + * Function to recalculate the cached Assurer status + * + * @param int $userID + * if the user ID is not given the flag will be recalculated for all users + * + * @return bool + * false if there was an error on fixing the flag. This does NOT return the + * new value of the flag + */ +function fix_assurer_flag($userID = NULL) { - // If requirements for assurers are modified see also scripts/cron/updatesort.php - - // Update Assurer-Flag on users table if 100 points. - // Should the number of points be SUM(points) or SUM(awarded)? - $query = mysql_query('UPDATE `users` AS `u` SET `assurer` = 1 WHERE '. - '`u`.`id` = \''.(int)intval($userID).'\' AND '. - 'EXISTS(SELECT 1 FROM `cats_passed` AS `cp`, `cats_variant` AS `cv` '. - 'WHERE `cp`.`variant_id` = `cv`.`id` AND `cv`.`type_id` = 1 AND '. - '`cp`.`user_id` = `u`.`id`) AND '. - '(SELECT SUM(`points`) FROM `notary` AS `n` WHERE `n`.`to` = `u`.`id` '. - 'AND (`n`.`expire` > now() OR `n`.`expire` IS NULL)) >= 100'); - // Challenge has been passed and non-expired points >= 100 - + // Update Assurer-Flag on users table if 100 points and CATS passed. + // + // We may have some performance issues here if no userID is given + // there are ~150k assurances and ~220k users currently + // but the exists-clause on cats_passed should be a good filter + $sql = ' + UPDATE `users` AS `u` SET `assurer` = 1 + WHERE '.( + ($userID === NULL) ? + '`u`.`assurer` = 0' : + '`u`.`id` = \''.intval($userID).'\'' + ).' + AND EXISTS( + SELECT 1 FROM `cats_passed` AS `cp`, `cats_variant` AS `cv` + WHERE `cp`.`variant_id` = `cv`.`id` + AND `cv`.`type_id` = 1 + AND `cp`.`user_id` = `u`.`id` + ) + AND ( + SELECT SUM(`points`) FROM `notary` AS `n` + WHERE `n`.`to` = `u`.`id` + AND (`n`.`expire` > now() + OR `n`.`expire` IS NULL) + ) >= 100'; + + $query = mysql_query($sql); if (!$query) { return false; } - + // Challenge has been passed and non-expired points >= 100 + // Reset flag if requirements are not met - $query = mysql_query('UPDATE `users` AS `u` SET `assurer` = 0 WHERE '. - '`u`.`id` = \''.(int)intval($userID).'\' AND '. - '(NOT EXISTS(SELECT 1 FROM `cats_passed` AS `cp`, `cats_variant` AS '. - '`cv` WHERE `cp`.`variant_id` = `cv`.`id` AND `cv`.`type_id` = 1 '. - 'AND `cp`.`user_id` = `u`.`id`) OR '. - '(SELECT SUM(`points`) FROM `notary` AS `n` WHERE `n`.`to` = `u`.`id` '. - 'AND (`n`.`expire` > now() OR `n`.`expire` IS NULL)) < 100)'); - + // + // Also a bit performance critical but assurer flag is only set on + // ~5k accounts + $sql = ' + UPDATE `users` AS `u` SET `assurer` = 0 + WHERE '.( + ($userID === NULL) ? + '`u`.`assurer` <> 0' : + '`u`.`id` = \''.intval($userID).'\'' + ).' + AND ( + NOT EXISTS( + SELECT 1 FROM `cats_passed` AS `cp`, + `cats_variant` AS `cv` + WHERE `cp`.`variant_id` = `cv`.`id` + AND `cv`.`type_id` = 1 + AND `cp`.`user_id` = `u`.`id` + ) + OR ( + SELECT SUM(`points`) FROM `notary` AS `n` + WHERE `n`.`to` = `u`.`id` + AND ( + `n`.`expire` > now() + OR `n`.`expire` IS NULL + ) + ) < 100 + )'; + + $query = mysql_query($sql); if (!$query) { return false; } - + return true; } \ No newline at end of file -- cgit v1.2.1