1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */ ?>
<?
// Dispute handling for email addresses and domains.
// Needs a logged-in session (loggedin.php) and the account_email_delete() /
// account_domain_delete() helpers that live in temp_functions.php.
require_once("../includes/loggedin.php");
require_once("../includes/temp_functions.php");

loadem("account");

// Dispatch keys. $type selects the probe flow ("email"/"domain" from the
// mailed link, "reallyemail"/"reallydomain" for the accept/reject step);
// both values are only ever compared against fixed strings below.
// $oldid and $id, used further down, are presumably set by loggedin.php
// from the request — confirm.
$type = array_key_exists('type', $_REQUEST) ? $_REQUEST['type'] : "";
$action = array_key_exists('action', $_REQUEST) ? sanitizeHTML($_REQUEST['action']) : "";
26
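if($type == "reallyemail")
{
	// Accept/reject step of an email dispute. The dispute id and hash were
	// stored in the session by the "email" step below; they are re-checked
	// against the disputeemail row before anything is changed.
	$emailid = intval($_SESSION['_config']['emailid']);
	$hash = mysql_escape_string(trim($_SESSION['_config']['hash']));

	$res = mysql_query("select * from `disputeemail` where `id`='$emailid' and `hash`='$hash'");
	if(mysql_num_rows($res) <= 0)
	{
		showheader(_("Email Dispute"));
		echo _("This dispute no longer seems to be in the database, can't continue.");
		showfooter();
		exit;
	}
	$row = mysql_fetch_assoc($res);
	// Owner of the disputed address; cast because it is interpolated into SQL below.
	$oldmemid = intval($row['oldmemid']);

	if($action == "reject")
	{
		// Clearing the hash invalidates the mailed link; the row itself is kept.
		mysql_query("update `disputeemail` set hash='',action='reject' where `id`='$emailid'");
		showheader(_("Email Dispute"));
		echo _("You have opted to reject this dispute and the request will be removed from the database");
		showfooter();
		exit;
	}
	if($action == "accept")
	{
		showheader(_("Email Dispute"));
		echo "<p>"._("You have opted to accept this dispute and the request will now remove this email address from the existing account, and revoke any current certificates.")."</p>";
		echo "<p>"._("The following accounts have been removed:")."<br>\n";
		// disputeemail.id is the id of the disputed `email` row (see the insert in the oldid==1 step).
		$query = "select * from `email` where `id`='$emailid' and deleted=0";
		$res = mysql_query($query);
		if(mysql_num_rows($res) > 0)
		{
			$row = mysql_fetch_assoc($res);
			// HTML-escape like the printf() messages in this file do.
			echo sanitizeHTML($row['email'])."<br>\n";
			account_email_delete($row['id']);
		}
		mysql_query("update `disputeemail` set hash='',action='accept' where `id`='$emailid'");
		// Remaining domains ($rc) and other emails ($rc2) on the old account.
		// The original assigned both counts to $rc and then tested an undefined
		// $rc2, so the domain count was silently ignored; this mirrors the
		// $rc/$rc2 pair used in the oldid==1 step.
		$rc = mysql_num_rows(mysql_query("select * from `domains` where `memid`='$oldmemid' and `deleted`=0"));
		$rc2 = mysql_num_rows(mysql_query("select * from `email` where `memid`='$oldmemid' and `deleted`=0 and `id`!='$emailid'"));
		$res = mysql_query("select * from `users` where `id`='$oldmemid'");
		$user = mysql_fetch_assoc($res);
		if($rc == 0 && $rc2 == 0 && $_SESSION['_config']['email'] == $user['email'])
		{
			// Primary address with nothing else linked: retire the whole account.
			mysql_query("update `users` set `deleted`=NOW() where `id`='$oldmemid'");
			echo _("This was the primary email on the account, and no emails or domains were left linked so the account has also been removed from the system.");
		}

		showfooter();
		exit;
	}
}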
79
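if($type == "email")
{
	// Entry from the probe link mailed in the oldid==1 step:
	// ?type=email&emailid=N&hash=H. Validates the pair, then shows the
	// accept/reject form (disputes page 4).
	$emailid = array_key_exists('emailid', $_REQUEST) ? intval($_REQUEST['emailid']) : 0;
	$hash = array_key_exists('hash', $_REQUEST) ? trim(mysql_escape_string(stripslashes($_REQUEST['hash']))) : "";
	if($emailid <= 0 || $hash == "")
	{
		showheader(_("Email Dispute"));
		echo _("Invalid request. Can't continue.");
		showfooter();
		exit;
	}

	$res = mysql_query("select * from `disputeemail` where `id`='$emailid' and `hash`='$hash'");
	if(mysql_num_rows($res) <= 0)
	{
		// Wrong hash for a still-open dispute: count the attempt and retire the
		// dispute once three failures were already recorded, so the link cannot
		// be guessed indefinitely.
		$res = mysql_query("select * from `disputeemail` where `id`='$emailid' and hash!=''");
		if(mysql_num_rows($res) > 0)
		{
			$row = mysql_fetch_assoc($res);
			mysql_query("update `disputeemail` set `attempts`='".intval($row['attempts'] + 1)."' where `id`='".intval($row['id'])."'");
			showheader(_("Email Dispute"));
			// $row['attempts'] is the count before the increment above.
			if($row['attempts'] >= 3)
			{
				echo _("Your attempt to accept or reject a disputed email is invalid due to the hash string not matching with the email ID. Your attempt has been logged and the request will be removed from the system as a result.");
				mysql_query("update `disputeemail` set hash='',action='failed' where `id`='$emailid'");
			} else {
				echo _("Your attempt to accept or reject a disputed email is invalid due to the hash string not matching with the email ID.");
			}
			showfooter();
			exit;
		} else {
			showheader(_("Email Dispute"));
			echo _("Invalid request. Can't continue.");
			showfooter();
			exit;
		}
	}
	// Carry id, hash and the disputed address into the "reallyemail" step.
	$_SESSION['_config']['emailid'] = $emailid;
	$_SESSION['_config']['hash'] = $hash;
	$row = mysql_fetch_assoc(mysql_query("select * from `disputeemail` where `id`='$emailid'"));
	$_SESSION['_config']['email'] = $row['email'];
	showheader(_("Email Dispute"));
	includeit("4", "disputes");
	showfooter();
	exit;
}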
125
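if($type == "reallydomain")
{
	// Accept/reject step of a domain dispute (mirror of "reallyemail" above).
	$domainid = intval($_SESSION['_config']['domainid']);
	$hash = mysql_escape_string(trim($_SESSION['_config']['hash']));

	$res = mysql_query("select * from `disputedomain` where `id`='$domainid' and `hash`='$hash'");
	if(mysql_num_rows($res) <= 0)
	{
		showheader(_("Domain Dispute"));
		echo _("This dispute no longer seems to be in the database, can't continue.");
		showfooter();
		exit;
	}

	if($action == "reject")
	{
		// Clearing the hash invalidates the mailed link; the row itself is kept.
		mysql_query("update `disputedomain` set hash='',action='reject' where `id`='$domainid'");
		showheader(_("Domain Dispute"));
		echo _("You have opted to reject this dispute and the request will be removed from the database");
		showfooter();
		exit;
	}
	if($action == "accept")
	{
		showheader(_("Domain Dispute"));
		echo "<p>"._("You have opted to accept this dispute and the request will now remove this domain from the existing account, and revoke any current certificates.")."</p>";
		echo "<p>"._("The following accounts have been removed:")."<br>\n";
		// disputedomain.id is the id of the disputed `domains` row (see the insert in the oldid==5 step).
		$query = "select * from `domains` where `id`='$domainid' and deleted=0";
		$res = mysql_query($query);
		if(mysql_num_rows($res) > 0)
		{
			// HTML-escape like the printf() messages in this file do.
			echo sanitizeHTML($_SESSION['_config']['domain'])."<br>\n";
			account_domain_delete($domainid);
		}
		// Record the outcome and finish the page even when the domain was already
		// gone. The original did this only inside the branch above and otherwise
		// fell through to the generic page at the bottom with the header already
		// emitted — the same shape as the "reallyemail" accept step.
		mysql_query("update `disputedomain` set hash='',action='accept' where `id`='$domainid'");
		showfooter();
		exit;
	}
}
// ^ closes if($type == "reallydomain"); the source as rendered left this block open.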
165
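if($type == "domain")
{
	// Entry from the probe link mailed in the oldid==5 step:
	// ?type=domain&domainid=N&hash=H (mirror of the "email" step above).
	// Validates the pair, then shows the accept/reject form (disputes page 6).
	$domainid = array_key_exists('domainid', $_REQUEST) ? intval($_REQUEST['domainid']) : 0;
	$hash = array_key_exists('hash', $_REQUEST) ? trim(mysql_escape_string(stripslashes($_REQUEST['hash']))) : "";
	if($domainid <= 0 || $hash == "")
	{
		showheader(_("Domain Dispute"));
		echo _("Invalid request. Can't continue.");
		showfooter();
		exit;
	}

	$res = mysql_query("select * from `disputedomain` where `id`='$domainid' and `hash`='$hash'");
	if(mysql_num_rows($res) <= 0)
	{
		// Wrong hash for a still-open dispute: count the attempt and retire the
		// dispute once three failures were already recorded.
		$res = mysql_query("select * from `disputedomain` where `id`='$domainid' and hash!=''");
		if(mysql_num_rows($res) > 0)
		{
			$row = mysql_fetch_assoc($res);
			mysql_query("update `disputedomain` set `attempts`='".intval($row['attempts'] + 1)."' where `id`='".intval($row['id'])."'");
			showheader(_("Domain Dispute"));
			// $row['attempts'] is the count before the increment above.
			if($row['attempts'] >= 3)
			{
				echo _("Your attempt to accept or reject a disputed domain is invalid due to the hash string not matching with the domain ID. Your attempt has been logged and the request will be removed from the system as a result.");
				mysql_query("update `disputedomain` set hash='',action='failed' where `id`='$domainid'");
			} else {
				echo _("Your attempt to accept or reject a disputed domain is invalid due to the hash string not matching with the domain ID.");
			}
			showfooter();
			exit;
		} else {
			showheader(_("Domain Dispute"));
			echo _("Invalid request. Can't continue.");
			showfooter();
			exit;
		}
	}
	// Carry id, hash and the disputed domain into the "reallydomain" step.
	$_SESSION['_config']['domainid'] = $domainid;
	$_SESSION['_config']['hash'] = $hash;
	$row = mysql_fetch_assoc(mysql_query("select * from `disputedomain` where `id`='$domainid'"));
	$_SESSION['_config']['domain'] = $row['domain'];
	showheader(_("Domain Dispute"));
	includeit("6", "disputes");
	showfooter();
	exit;
}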
211
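if($oldid == "1")
{
	// Step 1 of an email dispute: the logged-in user names an address held
	// by someone else; a probe mail with an accept/reject link is sent to it.
	csrf_check('emaildispute');
	$email = array_key_exists('dispute', $_REQUEST) ? trim(mysql_escape_string(stripslashes($_REQUEST['dispute']))) : "";
	if($email == "")
	{
		showheader(_("Email Dispute"));
		echo _("Not a valid email address. Can't continue.");
		showfooter();
		exit;
	}

	// One open dispute per address at a time.
	$res = mysql_query("select * from `disputeemail` where `email`='$email' and hash!=''");
	if(mysql_num_rows($res) > 0)
	{
		showheader(_("Email Dispute"));
		printf(_("The email address '%s' already exists in the dispute system. Can't continue."), sanitizeHTML($email));
		showfooter();
		exit;
	}

	unset($oldid);
	$query = "select * from `email` where `email`='$email' and `deleted`=0";
	$res = mysql_query($query);
	if(mysql_num_rows($res) <= 0)
	{
		showheader(_("Email Dispute"));
		printf(_("The email address '%s' doesn't exist in the system. Can't continue."), sanitizeHTML($email));
		showfooter();
		exit;
	}
	$row = mysql_fetch_assoc($res);
	// Both are interpolated into SQL below; cast to be explicit about that.
	$oldmemid = intval($row['memid']);
	$emailid = intval($row['id']);
	if($_SESSION['profile']['id'] == $oldmemid)
	{
		showheader(_("Email Dispute"));
		echo _("You aren't allowed to dispute your own email addresses. Can't continue.");
		showfooter();
		exit;
	}

	// A primary address may only be disputed once nothing else hangs off the account.
	$res = mysql_query("select * from `users` where `id`='$oldmemid'");
	$user = mysql_fetch_assoc($res);
	$rc = mysql_num_rows(mysql_query("select * from `domains` where `memid`='$oldmemid' and `deleted`=0"));
	$rc2 = mysql_num_rows(mysql_query("select * from `email` where `memid`='$oldmemid' and `deleted`=0 and `id`!='$emailid'"));
	if($user['email'] == $email && ($rc > 0 || $rc2 > 0))
	{
		showheader(_("Email Dispute"));
		echo _("You only dispute the primary email address of an account if there is no longer any email addresses or domains linked to it.");
		showfooter();
		exit;
	}

	$hash = make_hash();
	$memid = intval($_SESSION['profile']['id']);
	// REMOTE_ADDR is server-supplied, but escape it like every other interpolated value.
	$ip = mysql_escape_string($_SERVER['REMOTE_ADDR']);
	$query = "insert into `disputeemail` set `email`='$email',`memid`='$memid',
		`oldmemid`='$oldmemid',`created`=NOW(),`hash`='$hash',`id`='$emailid',
		`IP`='$ip'";
	mysql_query($query);

	// The "email" step above consumes this link.
	$body = sprintf(_("You have been sent this email as the email address '%s' is being disputed. You have the option to accept or reject this request, after 2 days the request will automatically be discarded. Click the following link to accept or reject the dispute:"), $email)."\n\n";
	$body .= "https://".$_SESSION['_config']['normalhostname']."/disputes.php?type=email&emailid=$emailid&hash=$hash\n\n";
	$body .= _("Best regards")."\n"._("CAcert.org Support!");

	sendmail($email, "[CAcert.org] "._("Dispute Probe"), $body, "support@cacert.org", "", "", "CAcert Support");

	showheader(_("Email Dispute"));
	printf(_("The email address '%s' has been entered into the dispute system, the email address will now be sent an email which will give the recipent the option of accepting or rejecting the request, if after 2 days we haven't received a valid response for or against we will discard the request."), sanitizeHTML($email));
	showfooter();
	exit;
}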
283
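if($oldid == "2")
{
	// Step 2 of a domain dispute: the logged-in user names a domain held by
	// someone else. Candidate authority addresses for the probe mail are
	// gathered from whois plus the conventional role addresses ($rfc) and
	// offered on disputes page 5; the oldid==5 step checks the chosen one
	// against that list.
	csrf_check('domaindispute');
	$domain = array_key_exists('dispute', $_REQUEST) ? trim(mysql_escape_string(stripslashes($_REQUEST['dispute']))) : "";
	if($domain == "")
	{
		showheader(_("Domain Dispute"));
		echo _("Not a valid Domain. Can't continue.");
		showfooter();
		exit;
	}

	// One open dispute per domain at a time.
	$query = "select * from `disputedomain` where `domain`='$domain' and hash!=''";
	$res = mysql_query($query);
	if(mysql_num_rows($res) > 0)
	{
		showheader(_("Domain Dispute"));
		printf(_("The domain '%s' already exists in the dispute system. Can't continue."), sanitizeHTML($domain));
		showfooter();
		exit;
	}
	unset($oldid);
	$query = "select * from `domains` where `domain`='$domain' and `deleted`=0";
	$res = mysql_query($query);
	if(mysql_num_rows($res) <= 0)
	{
		showheader(_("Domain Dispute"));
		// The original printed an unrelated (and otherwise unused) $email here.
		printf(_("The domain '%s' doesn't exist in the system. Can't continue."), sanitizeHTML($domain));
		showfooter();
		exit;
	}
	$row = mysql_fetch_assoc($res);
	$oldmemid = intval($row['memid']);
	if($_SESSION['profile']['id'] == $oldmemid)
	{
		showheader(_("Domain Dispute"));
		echo _("You aren't allowed to dispute your own domains. Can't continue.");
		showfooter();
		exit;
	}

	// State for the oldid==5 step.
	$domainid = intval($row['id']);
	$_SESSION['_config']['domainid'] = $domainid;
	$_SESSION['_config']['memid'] = array_key_exists('memid',$_REQUEST)?intval($_REQUEST['memid']):0;
	$_SESSION['_config']['domain'] = $domain;
	$_SESSION['_config']['oldmemid'] = $oldmemid;

	// Harvest contact addresses from whois. The domain is shell-quoted before
	// it is interpolated into the command; .jp domains are not looked up.
	// Only output lines containing "@" are considered.
	$addy = array();
	$adds = array();
	$domtmp = escapeshellarg($domain);
	// $domtmp ends in the closing quote, hence the -4/3 offsets to read the TLD.
	if(strtolower(substr($domtmp, -4, 3)) != ".jp")
		$adds = explode("\n", trim(`whois $domtmp|grep \@`));
	if(substr($domain, -4) == ".org" || substr($domain, -5) == ".info")
	{
		// "key: value" style output — take the value part.
		foreach($adds as $line)
		{
			$bits = explode(":", $line, 2);
			$line = isset($bits[1]) ? trim($bits[1]) : "";
			if(!in_array($line, $addy) && $line != "")
				$addy[] = trim(mysql_escape_string(stripslashes($line)));
		}
	} else {
		// Free-form output — take the last whitespace-separated token containing "@".
		foreach($adds as $line)
		{
			$line = trim(str_replace("\t", " ", $line));
			$line = trim(str_replace("(", "", $line));
			$line = trim(str_replace(")", " ", $line));

			$bits = explode(" ", $line);
			foreach($bits as $bit)
			{
				if(strstr($bit, "@"))
					$line = $bit;
			}
			if(!in_array($line, $addy) && $line != "")
				$addy[] = trim(mysql_escape_string(stripslashes($line)));
		}
	}

	// Always offer the role addresses as well.
	$rfc = array("root@$domain", "hostmaster@$domain", "postmaster@$domain", "admin@$domain", "webmaster@$domain");
	foreach($rfc as $sub)
		if(!in_array($sub, $addy))
			$addy[] = $sub;
	// The oldid==5 step only accepts an address from this server-side list.
	$_SESSION['_config']['addy'] = $addy;
	showheader(_("Domain Dispute"));
	includeit("5", "disputes");
	showfooter();
	exit;
}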
375
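if($oldid == "5")
{
	// Step 3 of a domain dispute: the user picked one of the authority
	// addresses offered in the oldid==2 step; the dispute row is created and
	// the probe mail goes to that address.
	$authaddy = array_key_exists('authaddy', $_REQUEST) ? trim(mysql_escape_string(stripslashes($_REQUEST['authaddy']))) : "";
	$addy = array_key_exists('addy', $_SESSION['_config']) ? $_SESSION['_config']['addy'] : array();

	// Only an address from the server-side list may receive the probe; this
	// is what keeps the dispute link from being mailed to an arbitrary address.
	if(!is_array($addy) || !in_array($authaddy, $addy) || $authaddy == "")
	{
		showheader(_("My CAcert.org Account!"));
		echo _("The address you submitted isn't a valid authority address for the domain.");
		showfooter();
		exit;
	}

	// NOTE(review): unlike the oldid==1/2 steps there is no csrf_check() here;
	// the page-5 form would need to carry a token before one can be added.
	$query = "select * from `domains` where `domain`='".$_SESSION['_config']['domain']."' and `deleted`=0";
	$res = mysql_query($query);
	if(mysql_num_rows($res) <= 0)
	{
		showheader(_("Domain Dispute!"));
		printf(_("The domain '%s' isn't in the system. Can't continue."), sanitizeHTML($_SESSION['_config']['domain']));
		showfooter();
		exit;
	}

	// All of these are interpolated into SQL below.
	$domainid = intval($_SESSION['_config']['domainid']);
	$oldmemid = intval($_SESSION['_config']['oldmemid']);
	$domain = mysql_escape_string($_SESSION['_config']['domain']);
	$userid = intval($_SESSION['profile']['id']);

	$hash = make_hash();
	$query = "insert into `disputedomain` set `domain`='$domain',`memid`='$userid',
		`oldmemid`='$oldmemid',`created`=NOW(),`hash`='$hash',`id`='$domainid'";
	mysql_query($query);

	// The "domain" step above consumes this link.
	$body = sprintf(_("You have been sent this email as the domain '%s' is being disputed. You have the option to accept or reject this request, after 2 days the request will automatically be discarded. Click the following link to accept or reject the dispute:"), $domain)."\n\n";
	$body .= "https://".$_SESSION['_config']['normalhostname']."/disputes.php?type=domain&domainid=$domainid&hash=$hash\n\n";
	$body .= _("Best regards")."\n"._("CAcert.org Support!");

	sendmail($authaddy, "[CAcert.org] "._("Dispute Probe"), $body, "support@cacert.org", "", "", "CAcert Support");

	showheader(_("Domain Dispute"));
	printf(_("The domain '%s' has been entered into the dispute system, the email address you choose will now be sent an email which will give the recipent the option of accepting or rejecting the request, if after 2 days we haven't received a valid response for or against we will discard the request."), sanitizeHTML($domain));
	showfooter();
	exit;
}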
419
// No dispatch key matched: render the requested disputes page.
// $id is presumably set by loggedin.php from the request — confirm.
showheader(_("Domain and Email Disputes"));
includeit($id, "disputes");
showfooter();
?>