projects / cacert-devel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
bug-893: Fix syntax error: missing closing brace
[cacert-devel.git] / www / disputes.php
1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */ ?>
18 <?
19 require_once("../includes/loggedin.php");
20 require_once("../includes/temp_functions.php");
21
22 loadem("account");
23
24 $type=""; if(array_key_exists('type',$_REQUEST)) $type=$_REQUEST['type'];
25 $action=""; if(array_key_exists('action',$_REQUEST)) $action=sanitizeHTML($_REQUEST['action']);
26
27 if($type == "reallyemail")
28 {
29 $emailid = intval($_SESSION['_config']['emailid']);
30 $hash = mysql_escape_string(trim($_SESSION['_config']['hash']));
31
32 $res = mysql_query("select * from `disputeemail` where `id`='$emailid' and `hash`='$hash'");
33 if(mysql_num_rows($res) <= 0)
34 {
35 showheader(_("Email Dispute"));
36 echo _("This dispute no longer seems to be in the database, can't continue.");
37 showfooter();
38 exit;
39 }
40 $row = mysql_fetch_assoc($res);
41 $oldmemid = $row['oldmemid'];
42
43 if($action == "reject")
44 {
45 mysql_query("update `disputeemail` set hash='',action='reject' where `id`='".intval($emailid)."'");
46 showheader(_("Email Dispute"));
47 echo _("You have opted to reject this dispute and the request will be removed from the database");
48 showfooter();
49 exit;
50 }
51 if($action == "accept")
52 {
53 showheader(_("Email Dispute"));
54 echo "<p>"._("You have opted to accept this dispute and the request will now remove this email address from the existing account, and revoke any current certificates.")."</p>";
55 echo "<p>"._("The following accounts have been removed:")."<br>\n";
56 $query = "select * from `email` where `id`='".intval($emailid)."' and deleted=0";
57 $res = mysql_query($query);
58 if(mysql_num_rows($res) > 0)
59 {
60 $row = mysql_fetch_assoc($res);
61 echo $row['email']."<br>\n";
62 account_email_delete($row['id']);
63 }
64 mysql_query("update `disputeemail` set hash='',action='accept' where `id`='$emailid'");
65 $rc = mysql_num_rows(mysql_query("select * from `domains` where `memid`='$oldmemid' and `deleted`=0"));
66 $rc = mysql_num_rows(mysql_query("select * from `email` where `memid`='$oldmemid' and `deleted`=0 and `id`!='$emailid'"));
67 $res = mysql_query("select * from `users` where `id`='$oldmemid'");
68 $user = mysql_fetch_assoc($res);
69 if($rc == 0 && $rc2 == 0 && $_SESSION['_config']['email'] == $user['email'])
70 {
71 mysql_query("update `users` set `deleted`=NOW() where `id`='$oldmemid'");
72 echo _("This was the primary email on the account, and no emails or domains were left linked so the account has also been removed from the system.");
73 }
74
75 showfooter();
76 exit;
77 }
78 }
79
80 if($type == "email")
81 {
82 $emailid = intval($_REQUEST['emailid']);
83 $hash = trim(mysql_escape_string(stripslashes($_REQUEST['hash'])));
84 if($emailid <= 0 || $hash == "")
85 {
86 showheader(_("Email Dispute"));
87 echo _("Invalid request. Can't continue.");
88 showfooter();
89 exit;
90 }
91
92 $res = mysql_query("select * from `disputeemail` where `id`='$emailid' and `hash`='$hash'");
93 if(mysql_num_rows($res) <= 0)
94 {
95 $res = mysql_query("select * from `disputeemail` where `id`='$emailid' and hash!=''");
96 if(mysql_num_rows($res) > 0)
97 {
98 $row = mysql_fetch_assoc($res);
99 mysql_query("update `disputeemail` set `attempts`='".intval($row['attempts'] + 1)."' where `id`='".$row['id']."'");
100 showheader(_("Email Dispute"));
101 if($row['attempts'] >= 3)
102 {
103 echo _("Your attempt to accept or reject a disputed email is invalid due to the hash string not matching with the email ID. Your attempt has been logged and the request will be removed from the system as a result.");
104 mysql_query("update `disputeemail` set hash='',action='failed' where `id`='$emailid'");
105 } else
106 echo _("Your attempt to accept or reject a disputed email is invalid due to the hash string not matching with the email ID.");
107 showfooter();
108 exit;
109 } else {
110 showheader(_("Email Dispute"));
111 echo _("Invalid request. Can't continue.");
112 showfooter();
113 exit;
114 }
115 }
116 $_SESSION['_config']['emailid'] = $emailid;
117 $_SESSION['_config']['hash'] = $hash;
118 $row = mysql_fetch_assoc(mysql_query("select * from `disputeemail` where `id`='$emailid'"));
119 $_SESSION['_config']['email'] = $row['email'];
120 showheader(_("Email Dispute"));
121 includeit("4", "disputes");
122 showfooter();
123 exit;
124 }
125
126 if($type == "reallydomain")
127 {
128 $domainid = intval($_SESSION['_config']['domainid']);
129 $hash = mysql_escape_string(trim($_SESSION['_config']['hash']));
130
131 $res = mysql_query("select * from `disputedomain` where `id`='$domainid' and `hash`='$hash'");
132 if(mysql_num_rows($res) <= 0)
133 {
134 showheader(_("Domain Dispute"));
135 echo _("This dispute no longer seems to be in the database, can't continue.");
136 showfooter();
137 exit;
138 }
139
140 if($action == "reject")
141 {
142 mysql_query("update `disputedomain` set hash='',action='reject' where `id`='$domainid'");
143 showheader(_("Domain Dispute"));
144 echo _("You have opted to reject this dispute and the request will be removed from the database");
145 showfooter();
146 exit;
147 }
148 if($action == "accept")
149 {
150 showheader(_("Domain Dispute"));
151 echo "<p>"._("You have opted to accept this dispute and the request will now remove this domain from the existing account, and revoke any current certificates.")."</p>";
152 echo "<p>"._("The following accounts have been removed:")."<br>\n";
153 //new account_domain_delete($domainid, $memberID)
154 $query = "select * from `domains` where `id`='$domainid' and deleted=0";
155 $res = mysql_query($query);
156 if(mysql_num_rows($res) > 0)
157 {
158 echo $_SESSION['_config']['domain']."<br>\n";
159 account_domain_delete($domainid);
160 }
161 mysql_query("update `disputedomain` set hash='',action='accept' where `id`='$domainid'");
162 showfooter();
163 exit;
164 }
165 }
166
167 if($type == "domain")
168 {
169 $domainid = intval($_REQUEST['domainid']);
170 $hash = trim(mysql_escape_string(stripslashes($_REQUEST['hash'])));
171 if($domainid <= 0 || $hash == "")
172 {
173 showheader(_("Domain Dispute"));
174 echo _("Invalid request. Can't continue.");
175 showfooter();
176 exit;
177 }
178
179 $res = mysql_query("select * from `disputedomain` where `id`='$domainid' and `hash`='$hash'");
180 if(mysql_num_rows($res) <= 0)
181 {
182 $res = mysql_query("select * from `disputedomain` where `id`='$domainid' and hash!=''");
183 if(mysql_num_rows($res) > 0)
184 {
185 $row = mysql_fetch_assoc($res);
186 mysql_query("update `disputedomain` set `attempts`='".intval($row['attempts'] + 1)."' where `id`='".$row['id']."'");
187 showheader(_("Domain Dispute"));
188 if($row['attempts'] >= 3)
189 {
190 echo _("Your attempt to accept or reject a disputed domain is invalid due to the hash string not matching with the domain ID. Your attempt has been logged and the request will be removed from the system as a result.");
191 mysql_query("update `disputedomain` set hash='',action='failed' where `id`='$domainid'");
192 } else
193 echo _("Your attempt to accept or reject a disputed domain is invalid due to the hash string not matching with the domain ID.");
194 showfooter();
195 exit;
196 } else {
197 showheader(_("Domain Dispute"));
198 echo _("Invalid request. Can't continue.");
199 showfooter();
200 exit;
201 }
202 }
203 $_SESSION['_config']['domainid'] = $domainid;
204 $_SESSION['_config']['hash'] = $hash;
205 $row = mysql_fetch_assoc(mysql_query("select * from `disputedomain` where `id`='$domainid'"));
206 $_SESSION['_config']['domain'] = $row['domain'];
207 showheader(_("Domain Dispute"));
208 includeit("6", "disputes");
209 showfooter();
210 exit;
211 }
212
213 if($oldid == "1")
214 {
215 csrf_check('emaildispute');
216 $email = trim(mysql_escape_string(stripslashes($_REQUEST['dispute'])));
217 if($email == "")
218 {
219 showheader(_("Email Dispute"));
220 echo _("Not a valid email address. Can't continue.");
221 showfooter();
222 exit;
223 }
224
225 $res = mysql_query("select * from `disputeemail` where `email`='$email' and hash!=''");
226 if(mysql_num_rows($res) > 0)
227 {
228 showheader(_("Email Dispute"));
229 printf(_("The email address '%s' already exists in the dispute system. Can't continue."), sanitizeHTML($email));
230 showfooter();
231 exit;
232 }
233
234 unset($oldid);
235 $query = "select * from `email` where `email`='$email' and `deleted`=0";
236 $res = mysql_query($query);
237 if(mysql_num_rows($res) <= 0)
238 {
239 showheader(_("Email Dispute"));
240 printf(_("The email address '%s' doesn't exist in the system. Can't continue."), sanitizeHTML($email));
241 showfooter();
242 exit;
243 }
244 $row = mysql_fetch_assoc($res);
245 $oldmemid = $row['memid'];
246 $emailid = $row['id'];
247 if($_SESSION['profile']['id'] == $oldmemid)
248 {
249 showheader(_("Email Dispute"));
250 echo _("You aren't allowed to dispute your own email addresses. Can't continue.");
251 showfooter();
252 exit;
253 }
254
255 $res = mysql_query("select * from `users` where `id`='$oldmemid'");
256 $user = mysql_fetch_assoc($res);
257 $rc = mysql_num_rows(mysql_query("select * from `domains` where `memid`='$oldmemid' and `deleted`=0"));
258 $rc2 = mysql_num_rows(mysql_query("select * from `email` where `memid`='$oldmemid' and `deleted`=0 and `id`!='$emailid'"));
259 if($user['email'] == $email && ($rc > 0 || $rc2 > 0))
260 {
261 showheader(_("Email Dispute"));
262 echo _("You only dispute the primary email address of an account if there is no longer any email addresses or domains linked to it.");
263 showfooter();
264 exit;
265 }
266
267 $hash = make_hash();
268 $query = "insert into `disputeemail` set `email`='$email',`memid`='".intval($_SESSION['profile']['id'])."',
269 `oldmemid`='$oldmemid',`created`=NOW(),`hash`='$hash',`id`='".intval($emailid)."',
270 `IP`='".$_SERVER['REMOTE_ADDR']."'";
271 mysql_query($query);
272
273 $body = sprintf(_("You have been sent this email as the email address '%s' is being disputed. You have the option to accept or reject this request, after 2 days the request will automatically be discarded. Click the following link to accept or reject the dispute:"), $email)."\n\n";
274 $body .= "https://".$_SESSION['_config']['normalhostname']."/disputes.php?type=email&emailid=$emailid&hash=$hash\n\n";
275 $body .= _("Best regards")."\n"._("CAcert.org Support!");
276
277 sendmail($email, "[CAcert.org] "._("Dispute Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
278
279 showheader(_("Email Dispute"));
280 printf(_("The email address '%s' has been entered into the dispute system, the email address will now be sent an email which will give the recipent the option of accepting or rejecting the request, if after 2 days we haven't received a valid response for or against we will discard the request."), sanitizeHTML($email));
281 showfooter();
282 exit;
283 }
284
285 if($oldid == "2")
286 {
287 csrf_check('domaindispute');
288 $domain = trim(mysql_escape_string(stripslashes($_REQUEST['dispute'])));
289 if($domain == "")
290 {
291 showheader(_("Domain Dispute"));
292 echo _("Not a valid Domain. Can't continue.");
293 showfooter();
294 exit;
295 }
296
297 $query = "select * from `disputedomain` where `domain`='$domain' and hash!=''";
298 $res = mysql_query($query);
299 if(mysql_num_rows($res) > 0)
300 {
301 showheader(_("Domain Dispute"));
302 printf(_("The domain '%s' already exists in the dispute system. Can't continue."), sanitizeHTML($domain));
303 showfooter();
304 exit;
305 }
306 unset($oldid);
307 $query = "select * from `domains` where `domain`='$domain' and `deleted`=0";
308 $email = ""; if(array_key_exists('email',$_REQUEST)) $email=trim(mysql_real_escape_string($_REQUEST['email']));
309 $res = mysql_query($query);
310 if(mysql_num_rows($res) <= 0)
311 {
312 showheader(_("Domain Dispute"));
313 printf(_("The domain '%s' doesn't exist in the system. Can't continue."), sanitizeHTML($email));
314 showfooter();
315 exit;
316 }
317 $row = mysql_fetch_assoc($res);
318 $oldmemid = $row['memid'];
319 if($_SESSION['profile']['id'] == $oldmemid)
320 {
321 showheader(_("Domain Dispute"));
322 echo _("You aren't allowed to dispute your own domains. Can't continue.");
323 showfooter();
324 exit;
325 }
326
327 $domainid = $row['id'];
328 $_SESSION['_config']['domainid'] = $domainid;
329 $_SESSION['_config']['memid'] = array_key_exists('memid',$_REQUEST)?intval($_REQUEST['memid']):0;
330 $_SESSION['_config']['domain'] = $domain;
331 $_SESSION['_config']['oldmemid'] = $oldmemid;
332
333 $addy = array();
334 $domtmp = escapeshellarg($domain);
335 if(strtolower(substr($domtmp, -4, 3)) != ".jp")
336 $adds = explode("\n", trim(`whois $domtmp|grep \@`));
337 if(substr($domain, -4) == ".org" || substr($domain, -5) == ".info")
338 {
339 if(is_array($adds))
340 foreach($adds as $line)
341 {
342 $bits = explode(":", $line, 2);
343 $line = trim($bits[1]);
344 if(!in_array($line, $addy) && $line != "")
345 $addy[] = trim(mysql_escape_string(stripslashes($line)));
346 }
347 } else {
348 if(is_array($adds))
349 foreach($adds as $line)
350 {
351 $line = trim(str_replace("\t", " ", $line));
352 $line = trim(str_replace("(", "", $line));
353 $line = trim(str_replace(")", " ", $line));
354
355 $bits = explode(" ", $line);
356 foreach($bits as $bit)
357 {
358 if(strstr($bit, "@"))
359 $line = $bit;
360 }
361 if(!in_array($line, $addy) && $line != "")
362 $addy[] = trim(mysql_escape_string(stripslashes($line)));
363 }
364 }
365
366 $rfc = array("root@$domain", "hostmaster@$domain", "postmaster@$domain", "admin@$domain", "webmaster@$domain");
367 foreach($rfc as $sub)
368 if(!in_array($sub, $addy))
369 $addy[] = $sub;
370 $_SESSION['_config']['addy'] = $addy;
371 showheader(_("Domain Dispute"));
372 includeit("5", "disputes");
373 showfooter();
374 exit;
375 }
376
377 if($oldid == "5")
378 {
379 $authaddy = trim(mysql_escape_string(stripslashes($_REQUEST['authaddy'])));
380
381 if(!in_array($authaddy, $_SESSION['_config']['addy']) || $authaddy == "")
382 {
383 showheader(_("My CAcert.org Account!"));
384 echo _("The address you submitted isn't a valid authority address for the domain.");
385 showfooter();
386 exit;
387 }
388
389 $query = "select * from `domains` where `domain`='".$_SESSION['_config']['domain']."' and `deleted`=0";
390 $res = mysql_query($query);
391 if(mysql_num_rows($res) <= 0)
392 {
393 showheader(_("Domain Dispute!"));
394 printf(_("The domain '%s' isn't in the system. Can't continue."), sanitizeHTML($_SESSION['_config']['domain']));
395 showfooter();
396 exit;
397 }
398
399 $domainid = intval($_SESSION['_config']['domainid']);
400 $memid = intval($_SESSION['_config']['memid']);
401 $oldmemid = intval($_SESSION['_config']['oldmemid']);
402 $domain = mysql_escape_string($_SESSION['_config']['domain']);
403
404 $hash = make_hash();
405 $query = "insert into `disputedomain` set `domain`='$domain',`memid`='".$_SESSION['profile']['id']."',
406 `oldmemid`='$oldmemid',`created`=NOW(),`hash`='$hash',`id`='$domainid'";
407 mysql_query($query);
408
409 $body = sprintf(_("You have been sent this email as the domain '%s' is being disputed. You have the option to accept or reject this request, after 2 days the request will automatically be discarded. Click the following link to accept or reject the dispute:"), $domain)."\n\n";
410 $body .= "https://".$_SESSION['_config']['normalhostname']."/disputes.php?type=domain&domainid=$domainid&hash=$hash\n\n";
411 $body .= _("Best regards")."\n"._("CAcert.org Support!");
412
413 sendmail($authaddy, "[CAcert.org] "._("Dispute Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
414
415 showheader(_("Domain Dispute"));
416 printf(_("The domain '%s' has been entered into the dispute system, the email address you choose will now be sent an email which will give the recipent the option of accepting or rejecting the request, if after 2 days we haven't received a valid response for or against we will discard the request."), sanitizeHTML($domain));
417 showfooter();
418 exit;
419 }
420
421 showheader(_("Domain and Email Disputes"));
422 includeit($id, "disputes");
423 showfooter();
424 ?>
CAcert's authoritative development repository