1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */ ?>
<?php
require_once("../includes/loggedin.php");
require_once("../includes/lib/l10n.php");

loadem("account");

// Dispute step selector. `type` is only ever compared against fixed strings
// below, so it is taken verbatim; `action` is HTML-sanitised like the rest
// of the application does for request values.
$type   = array_key_exists('type', $_REQUEST)   ? $_REQUEST['type']                  : "";
$action = array_key_exists('action', $_REQUEST) ? sanitizeHTML($_REQUEST['action']) : "";
26
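if($type == "reallyemail")
{
	// Second step of an email dispute. The recipient of the probe mail has
	// already presented a valid (id, hash) pair in the `email` step, which
	// stored both in the session; here they accept or reject the dispute.
	$emailid = isset($_SESSION['_config']['emailid']) ? intval($_SESSION['_config']['emailid']) : 0;
	$hash = isset($_SESSION['_config']['hash']) ? mysql_escape_string(trim($_SESSION['_config']['hash'])) : "";

	// Never look up with an empty hash: finished disputes get hash='' (see the
	// accept/reject updates below), so a session without a hash could
	// otherwise match an already-closed row.
	if($emailid <= 0 || $hash == "")
	{
		showheader(_("Email Dispute"));
		echo _("This dispute no longer seems to be in the database, can't continue.");
		showfooter();
		exit;
	}

	$res = mysql_query("select * from `disputeemail` where `id`='$emailid' and `hash`='$hash'");
	if(mysql_num_rows($res) <= 0)
	{
		showheader(_("Email Dispute"));
		echo _("This dispute no longer seems to be in the database, can't continue.");
		showfooter();
		exit;
	}
	$row = mysql_fetch_assoc($res);
	$oldmemid = intval($row['oldmemid']);

	// NOTE(review): unlike the oldid==1/2 steps there is no csrf_check() here.
	// Everything this branch needs is already in the session and $type/$action
	// come from $_REQUEST, so a cross-site GET can accept or reject the dispute
	// while the recipient's session is alive. Add a csrf_check() once the form
	// in includes/account/4 (not visible from this file) emits the token.

	if($action == "reject")
	{
		mysql_query("update `disputeemail` set hash='',action='reject' where `id`='$emailid'");
		showheader(_("Email Dispute"));
		echo _("You have opted to reject this dispute and the request will be removed from the database");
		showfooter();
		exit;
	}
	if($action == "accept")
	{
		showheader(_("Email Dispute"));
		echo "<p>"._("You have opted to accept this dispute and the request will now remove this email address from the existing account, and revoke any current certificates.")."</p>";
		echo "<p>"._("The following accounts have been removed:")."<br>\n";
		$res = mysql_query("select * from `email` where `id`='$emailid' and deleted=0");
		if(mysql_num_rows($res) > 0)
		{
			$row = mysql_fetch_assoc($res);
			// The address is rendered into HTML, so escape it on output.
			echo sanitizeHTML($row['email'])."<br>\n";

			// Revoke every unexpired, unrevoked client certificate bound to the address.
			$query = "select `emailcerts`.`id`
				from `emaillink`,`emailcerts` where
				`emailid`='$emailid' and `emaillink`.`emailcertsid`=`emailcerts`.`id` and
				`revoked`=0 and UNIX_TIMESTAMP(`expire`)-UNIX_TIMESTAMP() > 0
				group by `emailcerts`.`id`";
			$dres = mysql_query($query);
			while($drow = mysql_fetch_assoc($dres))
				mysql_query("update `emailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='".intval($drow['id'])."'");

			// Fixed command with no user input; pushes the revocations to the signer.
			$do = `../scripts/runclient`;
			mysql_query("update `email` set `deleted`=NOW() where `id`='$emailid'");
		}
		mysql_query("update `disputeemail` set hash='',action='accept' where `id`='$emailid'");

		// Fix: the domain count used to be overwritten by the email count and
		// $rc2 was never assigned (null == 0 is true), so an account that still
		// had domains linked could be deleted. Now mirrors the oldid==1 check.
		$rc = mysql_num_rows(mysql_query("select * from `domains` where `memid`='$oldmemid' and `deleted`=0"));
		$rc2 = mysql_num_rows(mysql_query("select * from `email` where `memid`='$oldmemid' and `deleted`=0 and `id`!='$emailid'"));
		$res = mysql_query("select * from `users` where `id`='$oldmemid'");
		$user = mysql_fetch_assoc($res);
		if($rc == 0 && $rc2 == 0 && $_SESSION['_config']['email'] == $user['email'])
		{
			// Disputing the primary address of an otherwise empty account removes the account too.
			mysql_query("update `users` set `deleted`=NOW() where `id`='$oldmemid'");
			echo _("This was the primary email on the account, and no emails or domains were left linked so the account has also been removed from the system.");
		}

		showfooter();
		exit;
	}
}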
90
if($type == "email")
{
	// First step of an email dispute, reached from the probe mail's link:
	// check the (emailid, hash) pair, remember it in the session and show the
	// accept/reject form (includes/account/4).
	$emailid = intval($_REQUEST['emailid']);
	$hash = trim(mysql_escape_string(stripslashes($_REQUEST['hash'])));
	if($emailid <= 0 || $hash == "")
	{
		showheader(_("Email Dispute"));
		echo _("Invalid request. Can't continue.");
		showfooter();
		exit;
	}

	$matched = mysql_query("select * from `disputeemail` where `id`='$emailid' and `hash`='$hash'");
	if(mysql_num_rows($matched) <= 0)
	{
		// Hash mismatch. If an open dispute exists for this id, count the bad
		// attempt; once three have already been recorded the dispute is voided.
		$open = mysql_query("select * from `disputeemail` where `id`='$emailid' and hash!=''");
		if(mysql_num_rows($open) <= 0)
		{
			showheader(_("Email Dispute"));
			echo _("Invalid request. Can't continue.");
			showfooter();
			exit;
		}
		$dispute = mysql_fetch_assoc($open);
		mysql_query("update `disputeemail` set `attempts`='".intval($dispute['attempts'] + 1)."' where `id`='".$dispute['id']."'");
		showheader(_("Email Dispute"));
		if($dispute['attempts'] < 3)
		{
			echo _("Your attempt to accept or reject a disputed email is invalid due to the hash string not matching with the email ID.");
		} else {
			echo _("Your attempt to accept or reject a disputed email is invalid due to the hash string not matching with the email ID. Your attempt has been logged and the request will be removed from the system as a result.");
			mysql_query("update `disputeemail` set hash='',action='failed' where `id`='$emailid'");
		}
		showfooter();
		exit;
	}

	// Valid link: stash what the `reallyemail` step needs and show the form.
	$_SESSION['_config']['emailid'] = $emailid;
	$_SESSION['_config']['hash'] = $hash;
	$dispute = mysql_fetch_assoc(mysql_query("select * from `disputeemail` where `id`='$emailid'"));
	$_SESSION['_config']['email'] = $dispute['email'];
	showheader(_("Email Dispute"));
	includeit("4", "disputes");
	showfooter();
	exit;
}
136
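if($type == "reallydomain")
{
	// Second step of a domain dispute: the domain contact who followed the
	// probe link (validated in the `domain` step, which stored id and hash in
	// the session) accepts or rejects the dispute.
	$domainid = isset($_SESSION['_config']['domainid']) ? intval($_SESSION['_config']['domainid']) : 0;
	$hash = isset($_SESSION['_config']['hash']) ? mysql_escape_string(trim($_SESSION['_config']['hash'])) : "";

	// Closed disputes have hash='' (set below), so an empty session hash must
	// not be allowed to match one.
	if($domainid <= 0 || $hash == "")
	{
		showheader(_("Domain Dispute"));
		echo _("This dispute no longer seems to be in the database, can't continue.");
		showfooter();
		exit;
	}

	$res = mysql_query("select * from `disputedomain` where `id`='$domainid' and `hash`='$hash'");
	if(mysql_num_rows($res) <= 0)
	{
		showheader(_("Domain Dispute"));
		echo _("This dispute no longer seems to be in the database, can't continue.");
		showfooter();
		exit;
	}

	// NOTE(review): no csrf_check() on this state-changing step (compare the
	// oldid==1/2 steps). The branch needs nothing beyond session state plus
	// $action from $_REQUEST, so a cross-site GET can trigger it while the
	// session is alive. Add csrf_check() once includes/account/6 (not visible
	// here) emits the token.

	if($action == "reject")
	{
		mysql_query("update `disputedomain` set hash='',action='reject' where `id`='$domainid'");
		showheader(_("Domain Dispute"));
		echo _("You have opted to reject this dispute and the request will be removed from the database");
		showfooter();
		exit;
	}
	if($action == "accept")
	{
		showheader(_("Domain Dispute"));
		echo "<p>"._("You have opted to accept this dispute and the request will now remove this domain from the existing account, and revoke any current certificates.")."</p>";
		echo "<p>"._("The following accounts have been removed:")."<br>\n";
		$res = mysql_query("select * from `domains` where `id`='$domainid' and deleted=0");
		if(mysql_num_rows($res) > 0)
		{
			// Escape on output: the domain name is rendered into HTML.
			echo sanitizeHTML($_SESSION['_config']['domain'])."<br>\n";
			mysql_query("update `domains` set `deleted`=NOW() where `id`='$domainid'");

			// Revoke every unexpired, unrevoked server certificate linked to the domain.
			$lres = mysql_query("select * from `domlink` where `domid`='$domainid'");
			while($link = mysql_fetch_assoc($lres))
				mysql_query("update `domaincerts` set `revoked`='1970-01-01 10:00:01' where `id`='".intval($link['certid'])."' and `revoked`=0 and UNIX_TIMESTAMP(`expire`)-UNIX_TIMESTAMP() > 0");

			// Fixed command with no user input; pushes the revocations to the signer.
			$do = `../scripts/runserver`;
		}
		mysql_query("update `disputedomain` set hash='',action='accept' where `id`='$domainid'");
		showfooter();
		exit;
	}
}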
181
if($type == "domain")
{
	// First step of a domain dispute, reached from the probe mail's link:
	// check the (domainid, hash) pair, remember it in the session and show
	// the accept/reject form (includes/account/6).
	$domainid = intval($_REQUEST['domainid']);
	$hash = trim(mysql_escape_string(stripslashes($_REQUEST['hash'])));
	if($domainid <= 0 || $hash == "")
	{
		showheader(_("Domain Dispute"));
		echo _("Invalid request. Can't continue.");
		showfooter();
		exit;
	}

	$matched = mysql_query("select * from `disputedomain` where `id`='$domainid' and `hash`='$hash'");
	if(mysql_num_rows($matched) <= 0)
	{
		// Hash mismatch. If an open dispute exists for this id, count the bad
		// attempt; once three have already been recorded the dispute is voided.
		$open = mysql_query("select * from `disputedomain` where `id`='$domainid' and hash!=''");
		if(mysql_num_rows($open) <= 0)
		{
			showheader(_("Domain Dispute"));
			echo _("Invalid request. Can't continue.");
			showfooter();
			exit;
		}
		$dispute = mysql_fetch_assoc($open);
		mysql_query("update `disputedomain` set `attempts`='".intval($dispute['attempts'] + 1)."' where `id`='".$dispute['id']."'");
		showheader(_("Domain Dispute"));
		if($dispute['attempts'] < 3)
		{
			echo _("Your attempt to accept or reject a disputed domain is invalid due to the hash string not matching with the domain ID.");
		} else {
			echo _("Your attempt to accept or reject a disputed domain is invalid due to the hash string not matching with the domain ID. Your attempt has been logged and the request will be removed from the system as a result.");
			mysql_query("update `disputedomain` set hash='',action='failed' where `id`='$domainid'");
		}
		showfooter();
		exit;
	}

	// Valid link: stash what the `reallydomain` step needs and show the form.
	$_SESSION['_config']['domainid'] = $domainid;
	$_SESSION['_config']['hash'] = $hash;
	$dispute = mysql_fetch_assoc(mysql_query("select * from `disputedomain` where `id`='$domainid'"));
	$_SESSION['_config']['domain'] = $dispute['domain'];
	showheader(_("Domain Dispute"));
	includeit("6", "disputes");
	showfooter();
	exit;
}
227
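if($oldid == "1")
{
	// Step 1 of an email dispute: a logged-in member names an address held by
	// another account; a probe mail carrying a one-time hash goes to that
	// address so its holder can accept or reject (the `email` step).
	csrf_check('emaildispute');
	$email = array_key_exists('dispute', $_REQUEST) ? trim(mysql_escape_string(stripslashes($_REQUEST['dispute']))) : "";
	if($email == "")
	{
		showheader(_("Email Dispute"));
		echo _("Not a valid email address. Can't continue.");
		showfooter();
		exit;
	}

	// Only one open dispute per address at a time.
	$res = mysql_query("select * from `disputeemail` where `email`='$email' and hash!=''");
	if(mysql_num_rows($res) > 0)
	{
		showheader(_("Email Dispute"));
		printf(_("The email address '%s' already exists in the dispute system. Can't continue."), sanitizeHTML($email));
		showfooter();
		exit;
	}

	unset($oldid);
	$res = mysql_query("select * from `email` where `email`='$email' and `deleted`=0");
	if(mysql_num_rows($res) <= 0)
	{
		showheader(_("Email Dispute"));
		printf(_("The email address '%s' doesn't exist in the system. Can't continue."), sanitizeHTML($email));
		showfooter();
		exit;
	}
	$row = mysql_fetch_assoc($res);
	$oldmemid = intval($row['memid']);
	$emailid = intval($row['id']);
	if($_SESSION['profile']['id'] == $oldmemid)
	{
		showheader(_("Email Dispute"));
		echo _("You aren't allowed to dispute your own email addresses. Can't continue.");
		showfooter();
		exit;
	}

	// The account's primary address may only be disputed once no other
	// address or domain hangs off the account.
	$res = mysql_query("select * from `users` where `id`='$oldmemid'");
	$user = mysql_fetch_assoc($res);
	$rc = mysql_num_rows(mysql_query("select * from `domains` where `memid`='$oldmemid' and `deleted`=0"));
	$rc2 = mysql_num_rows(mysql_query("select * from `email` where `memid`='$oldmemid' and `deleted`=0 and `id`!='$emailid'"));
	if($user['email'] == $email && ($rc > 0 || $rc2 > 0))
	{
		showheader(_("Email Dispute"));
		echo _("You only dispute the primary email address of an account if there is no longer any email addresses or domains linked to it.");
		showfooter();
		exit;
	}

	$hash = make_hash();
	// REMOTE_ADDR is set by the server, but escape it like every other value
	// that is interpolated into SQL rather than trusting its format.
	$ip = mysql_escape_string($_SERVER['REMOTE_ADDR']);
	$query = "insert into `disputeemail` set `email`='$email',`memid`='".intval($_SESSION['profile']['id'])."',
		`oldmemid`='$oldmemid',`created`=NOW(),`hash`='$hash',`id`='$emailid',
		`IP`='$ip'";
	mysql_query($query);

	// Compose the probe in the disputed account's language, then restore ours.
	$my_translation = L10n::get_translation();
	L10n::set__recipient_language($oldmemid);

	$body = sprintf(_("You have been sent this email as the email address '%s' is being disputed. You have the option to accept or reject this request, after 2 days the request will automatically be discarded. Click the following link to accept or reject the dispute:"), $email)."\n\n";
	$body .= "https://".$_SESSION['_config']['normalhostname']."/disputes.php?type=email&emailid=$emailid&hash=$hash\n\n";
	$body .= _("Best regards")."\n"._("CAcert.org Support!");

	sendmail($email, "[CAcert.org] "._("Dispute Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
	L10n::set_translation($my_translation);

	showheader(_("Email Dispute"));
	printf(_("The email address '%s' has been entered into the dispute system, the email address will now be sent an email which will give the recipent the option of accepting or rejecting the request, if after 2 days we haven't received a valid response for or against we will discard the request."), sanitizeHTML($email));
	showfooter();
	exit;
}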
303
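if($oldid == "2")
{
	// Step 2 of a domain dispute: look the domain up, then collect candidate
	// contact addresses (whois output plus the usual role addresses) for the
	// disputer to choose from in step 5.
	csrf_check('domaindispute');
	$domain = array_key_exists('dispute', $_REQUEST) ? trim(mysql_escape_string(stripslashes($_REQUEST['dispute']))) : "";
	if($domain == "")
	{
		showheader(_("Domain Dispute"));
		echo _("Not a valid Domain. Can't continue.");
		showfooter();
		exit;
	}

	// Only one open dispute per domain at a time.
	$res = mysql_query("select * from `disputedomain` where `domain`='$domain' and hash!=''");
	if(mysql_num_rows($res) > 0)
	{
		showheader(_("Domain Dispute"));
		printf(_("The domain '%s' already exists in the dispute system. Can't continue."), sanitizeHTML($domain));
		showfooter();
		exit;
	}
	unset($oldid);
	$res = mysql_query("select * from `domains` where `domain`='$domain' and `deleted`=0");
	if(mysql_num_rows($res) <= 0)
	{
		showheader(_("Domain Dispute"));
		// Fix: this message used to print an unrelated `email` request
		// parameter instead of the domain that was actually looked up.
		printf(_("The domain '%s' doesn't exist in the system. Can't continue."), sanitizeHTML($domain));
		showfooter();
		exit;
	}
	$row = mysql_fetch_assoc($res);
	$oldmemid = $row['memid'];
	if($_SESSION['profile']['id'] == $oldmemid)
	{
		showheader(_("Domain Dispute"));
		echo _("You aren't allowed to dispute your own domains. Can't continue.");
		showfooter();
		exit;
	}

	$domainid = $row['id'];
	$_SESSION['_config']['domainid'] = $domainid;
	$_SESSION['_config']['memid'] = array_key_exists('memid',$_REQUEST)?intval($_REQUEST['memid']):0;
	$_SESSION['_config']['domain'] = $domain;
	$_SESSION['_config']['oldmemid'] = $oldmemid;

	// whois lookup. $domain goes through escapeshellarg() and has already been
	// matched against the domains table, so it cannot inject into the shell.
	// .jp domains are skipped (the reason is not recorded here); $adds is
	// initialised so the loops below simply see nothing in that case.
	$addy = array();
	$adds = array();
	$domtmp = escapeshellarg($domain);
	if(strtolower(substr($domtmp, -4, 3)) != ".jp")
		$adds = explode("\n", trim(`whois $domtmp|grep \@`));
	if(substr($domain, -4) == ".org" || substr($domain, -5) == ".info")
	{
		// These registries print "Label: address" lines; keep what follows the colon.
		foreach($adds as $line)
		{
			$bits = explode(":", $line, 2);
			$line = isset($bits[1]) ? trim($bits[1]) : "";
			if(!in_array($line, $addy) && $line != "")
				$addy[] = trim(mysql_escape_string(stripslashes($line)));
		}
	} else {
		// Other registries: strip parentheses and keep the last
		// whitespace-separated token that contains an '@'.
		foreach($adds as $line)
		{
			$line = trim(str_replace("\t", " ", $line));
			$line = trim(str_replace("(", "", $line));
			$line = trim(str_replace(")", " ", $line));

			$bits = explode(" ", $line);
			foreach($bits as $bit)
			{
				if(strstr($bit, "@"))
					$line = $bit;
			}
			if(!in_array($line, $addy) && $line != "")
				$addy[] = trim(mysql_escape_string(stripslashes($line)));
		}
	}

	// Always offer the conventional role addresses as well.
	$rfc = array("root@$domain", "hostmaster@$domain", "postmaster@$domain", "admin@$domain", "webmaster@$domain");
	foreach($rfc as $sub)
		if(!in_array($sub, $addy))
			$addy[] = $sub;
	$_SESSION['_config']['addy'] = $addy;
	showheader(_("Domain Dispute"));
	includeit("5", "disputes");
	showfooter();
	exit;
}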
395
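if($oldid == "5")
{
	// Step 5 of a domain dispute: the disputer has picked one of the contact
	// addresses gathered in step 2; record the dispute and mail the probe.
	$authaddy = array_key_exists('authaddy', $_REQUEST) ? trim(mysql_escape_string(stripslashes($_REQUEST['authaddy']))) : "";
	$candidates = (isset($_SESSION['_config']['addy']) && is_array($_SESSION['_config']['addy'])) ? $_SESSION['_config']['addy'] : array();

	// Strict comparison: the chosen address must be exactly one of the plain
	// string candidates step 2 stored in the session, not merely loosely equal.
	if($authaddy == "" || !in_array($authaddy, $candidates, true))
	{
		showheader(_("My CAcert.org Account!"));
		echo _("The address you submitted isn't a valid authority address for the domain.");
		showfooter();
		exit;
	}

	// NOTE(review): steps 1 and 2 call csrf_check() but this step, which
	// inserts the dispute and sends the probe, does not. Add csrf_check()
	// once includes/account/5 (not visible here) emits the token.

	$query = "select * from `domains` where `domain`='".$_SESSION['_config']['domain']."' and `deleted`=0";
	$res = mysql_query($query);
	if(mysql_num_rows($res) <= 0)
	{
		showheader(_("Domain Dispute!"));
		printf(_("The domain '%s' isn't in the system. Can't continue."), sanitizeHTML($_SESSION['_config']['domain']));
		showfooter();
		exit;
	}

	$domainid = intval($_SESSION['_config']['domainid']);
	$oldmemid = intval($_SESSION['_config']['oldmemid']);
	$domain = mysql_escape_string($_SESSION['_config']['domain']);

	$hash = make_hash();
	$query = "insert into `disputedomain` set `domain`='$domain',`memid`='".intval($_SESSION['profile']['id'])."',
		`oldmemid`='$oldmemid',`created`=NOW(),`hash`='$hash',`id`='$domainid'";
	mysql_query($query);

	// Compose the probe in the domain owner's language, then restore ours.
	$my_translation = L10n::get_translation();
	L10n::set__recipient_language($oldmemid);

	$body = sprintf(_("You have been sent this email as the domain '%s' is being disputed. You have the option to accept or reject this request, after 2 days the request will automatically be discarded. Click the following link to accept or reject the dispute:"), $domain)."\n\n";
	$body .= "https://".$_SESSION['_config']['normalhostname']."/disputes.php?type=domain&domainid=$domainid&hash=$hash\n\n";
	$body .= _("Best regards")."\n"._("CAcert.org Support!");
	// Fix: this used to call set__recipient_language() with the saved
	// translation, which never restored the disputer's own language; the
	// email dispute step uses set_translation() for the same purpose.
	L10n::set_translation($my_translation);

	sendmail($authaddy, "[CAcert.org] "._("Dispute Probe"), $body, "support@cacert.org", "", "", "CAcert Support");

	showheader(_("Domain Dispute"));
	printf(_("The domain '%s' has been entered into the dispute system, the email address you choose will now be sent an email which will give the recipent the option of accepting or rejecting the request, if after 2 days we haven't received a valid response for or against we will discard the request."), sanitizeHTML($domain));
	showfooter();
	exit;
}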
442
// Fallthrough (no dispute step matched): render the page selected by $id.
// $id is not set in this file — presumably by loggedin.php / loadem() pulled in
// at the top; includeit() is the application's page loader. Confirm both there.
showheader(_("Domain and Email Disputes"));
includeit($id, "disputes");
showfooter();
?>