1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */ ?>
18 <?
19 require_once("../includes/loggedin.php");
20 require_once("../includes/lib/l10n.php");
21
22
function show_page($target,$message,$error)
{
    // Renders one "wot" sub-page between the standard header and footer.
    // $target selects the page either by number or by symbolic name (see the
    // table below).  A non-empty $error replaces $message and is prefixed with
    // "ERROR".  Targets that are not in the table (e.g. "Exit") render only the
    // header, the message and the footer.
    showheader(_("My CAcert.org Account!"));

    if ($error != "") {
        $message = _("ERROR").": ".$error;
    }
    if ($message != "") {
        echo "<p><font color='orange' size='+1'>".$message."</font></p>";
    }

    // Aliases that select each includeit() page, checked in this order with
    // the same loose comparison a switch would use (so "06" still picks 6).
    // Pages 7, 11 (OAInfo) and 14 are intentionally not wired up.
    $pages = array(
        0  => array('0',  'InfoPage'),
        1  => array('1',  'ListByCity'),
        2  => array('2',  'BecomeAssurer'),
        3  => array('3',  'TrustRules'),
        4  => array('4',  'ShowTTPInfo'),
        5  => array('5',  'EnterEmail'),
        6  => array('6',  'VerifyData'),
        8  => array('8',  'EnterMyInfo'),
        9  => array('9',  'ContactAssurer'),
        10 => array('10', 'MyPointsOld'),
        12 => array('12', 'SearchAssurer'),
        13 => array('13', 'EnterMyCity'),
        15 => array('15', 'MyPointsNew'),
    );
    foreach ($pages as $pageno => $aliases) {
        foreach ($aliases as $alias) {
            if ($target == $alias) {
                includeit($pageno, "wot");
                break 2;
            }
        }
    }

    showfooter();
}
85
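function send_reminder()
{
    // Mails a "please create your account" reminder to the address entered on
    // the EnterEmail page.  The body is written in the language chosen in the
    // form, followed by an English copy, and the caller's translation is
    // restored afterwards.
    //
    // Side effects: sets $_SESSION['_config']['reminder-lang'], ['remindersent']
    // and ['error']; sends exactly one mail through sendmail().
    $body = "";
    $my_translation = L10n::get_translation();

    // The language code comes straight from the form.  Only codes present in
    // the translation table are accepted; anything else falls back to English
    // so that set_translation() is never handed an arbitrary string and the
    // label lookup below never hits an undefined index.
    $reminder_lang = array_key_exists('reminder-lang', $_POST) ? $_POST['reminder-lang'] : "en";
    if (!is_string($reminder_lang) || !array_key_exists($reminder_lang, L10n::$translations)) {
        $reminder_lang = "en";
    }
    $_SESSION['_config']['reminder-lang'] = $reminder_lang;

    $reminder_translations = array($reminder_lang);
    if (!in_array("en", $reminder_translations, true)) {
        $reminder_translations[] = "en";
    }

    foreach ($reminder_translations as $translation) {
        L10n::set_translation($translation);

        $body .= L10n::$translations[$translation].":\n\n";
        $body .= sprintf(_("This is a short reminder that you filled out forms to become trusted with CAcert.org, and %s has attempted to issue you points. Please create your account at %s as soon as possible and then notify %s so that the points can be issued."), $_SESSION['profile']['fname']." (".$_SESSION['profile']['email'].")", "http://www.cacert.org", $_SESSION['profile']['fname'])."\n\n";
        $body .= _("Best regards")."\n";
        $body .= _("CAcert Support Team")."\n\n";
    }

    // The recipient is taken from the form as entered; NOTE(review): header
    // sanitising of that address is assumed to happen inside sendmail() —
    // confirm, it is not visible from here.
    $recipient = array_key_exists('email', $_POST) ? $_POST['email'] : "";

    L10n::set_translation($reminder_translations[0]); // for the subject
    sendmail($recipient, "[CAcert.org] "._("Reminder Notice"), $body, $_SESSION['profile']['email'], "", "", $_SESSION['profile']['fname']);

    L10n::set_translation($my_translation);

    $_SESSION['_config']['remindersent'] = 1;
    $_SESSION['_config']['error'] = _("A reminder notice has been sent.");
}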
115
116
117
118
loadem("account");

// Remember the meeting date and location posted with the form.
if (array_key_exists('date', $_POST) && $_POST['date'] != "") {
    $_SESSION['_config']['date'] = $_POST['date'];
}
if (array_key_exists('location', $_POST) && $_POST['location'] != "") {
    $_SESSION['_config']['location'] = $_POST['location'];
}

// Number of the page this request was posted from (hidden "oldid" field),
// 0 when the request is not a post-back.
$oldid = array_key_exists('oldid', $_REQUEST) ? intval($_REQUEST['oldid']) : 0;

// SearchAssurer (12) re-displays itself after a post.
if ($oldid == 12) {
    $id = $oldid;
}
130
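if ($oldid == 4) {
    // ShowTTPInfo posted back: the member is asking for a Trusted Third Party
    // assurance.  Support receives an untranslated request, the member a
    // translated confirmation.  Absent form fields are treated as empty.
    if (array_key_exists('ttp', $_POST) && $_POST['ttp'] != '') {
        //This mail does not need to be translated
        // The country goes into a plain-text mail body, not into a query, so
        // it is only un-slashed; SQL escaping here would mail stray
        // backslashes in front of quotes.
        $body = "Hi TTP adminstrators,\n\n";
        $body .= "User ".$_SESSION['profile']['fname']." ".
            $_SESSION['profile']['lname']." with email address '".
            $_SESSION['profile']['email']."' is requesting a TTP assurances for ".
            (array_key_exists('country', $_POST) ? stripslashes($_POST['country']) : '').".\n\n";
        if (array_key_exists('ttptopup', $_POST) && $_POST['ttptopup'] == '1') {
            $body .= "The user is also requesting TTP TOPUP.\n\n";
        } else {
            $body .= "The user is NOT requesting TTP TOPUP.\n\n";
        }
        $body .= "The user received ".intval($_SESSION['profile']['points'])." assurance points up to today.\n\n";
        $body .= "Please start the TTP assurance process.";
        sendmail("support@cacert.org", "[CAcert.org] TTP request.", $body, "support@cacert.org", "", "", "CAcert Website");

        //This mail needs to be translated
        $body = _("You are receiving this email because you asked for TTP assurance.")."\n\n";
        if (array_key_exists('ttptopup', $_POST) && $_POST['ttptopup'] == '1') {
            $body .= _("You are requesting TTP TOPUP.")."\n\n";
        } else {
            $body .= _("You are NOT requesting TTP TOPUP.")."\n\n";
        }
        $body .= _("Best regards")."\n";
        $body .= _("CAcert Support Team");

        sendmail($_SESSION['profile']['email'], "[CAcert.org] "._("You requested TTP assurances"), $body, "support@cacert.org", "", "", "CAcert Support");
    }
}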
164
// EnterEmail (5) and VerifyData (6) are for assurers only, whether the page
// is about to be shown ($id) or has just been posted back ($oldid).
if (in_array($id, array(5, 6)) || in_array($oldid, array(5, 6))) {
    if (!is_assurer($_SESSION['profile']['id'])) {
        show_page("Exit", "", get_assurer_reason($_SESSION['profile']['id']));
        exit;
    }
}

// VerifyData needs the member looked up during the EnterEmail step.
if ($oldid == 6 && intval($_SESSION['_config']['notarise']['id']) <= 0) {
    show_page("EnterEmail", "", _("Something went wrong. Please enter the email address again"));
    exit;
}

// "Send reminder" button on the EnterEmail page.
if ($oldid == 5 && array_key_exists('reminder', $_POST) && $_POST['reminder'] != "") {
    send_reminder();
    show_page("EnterEmail", _("A reminder notice has been sent."), "");
    exit;
}
183
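if ($oldid == 5) {
    // EnterEmail posted back: find the member to be assured by e-mail address.
    // Whatever is stored in $_SESSION['_config']['notarise'] is the target of
    // the following VerifyData step, so it is removed again whenever the
    // lookup is rejected here.
    if (!array_key_exists('email', $_POST)) {
        $_POST['email'] = '';
    }

    $query = "select * from `users` where `email`='".mysql_escape_string(stripslashes($_POST['email']))."' and `deleted`=0";
    $res = mysql_query($query);
    if (mysql_num_rows($res) != 1) {
        $_SESSION['_config']['noemailfound'] = 1;
        show_page("EnterEmail", "", _("I'm sorry, there was no email matching what you entered in the system. Please double check your information."));
        exit;
    }

    $_SESSION['_config']['noemailfound'] = 0;
    // The whole users row (select *) becomes the assurance target.
    $_SESSION['_config']['notarise'] = mysql_fetch_assoc($res);
    if ($_SESSION['_config']['notarise']['verified'] == 0) {
        unset($_SESSION['_config']['notarise']);
        show_page("EnterEmail", "", _("User is not yet verified. Please try again in 24 hours!"));
        exit;
    }

    $query = "select * from `users` where `email`='".mysql_escape_string(stripslashes($_POST['email']))."' and `locked`=1";
    $res = mysql_query($query);
    if (mysql_num_rows($res) >= 1) {
        // Drop the target so a later VerifyData post cannot act on a locked
        // account that was never shown on the VerifyData page.
        unset($_SESSION['_config']['notarise']);
        show_page("EnterEmail", "", _("This account is locked and can not be assured. For more information ask support@cacert.org."));
        exit;
    }
}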
212
if ($oldid == 5 || $oldid == 6) {
    // Both EnterEmail and VerifyData continue on the VerifyData page.
    $id = 6;

    // "Cancel" button: back to EnterEmail without a message.
    if (array_key_exists('cancel', $_REQUEST) && $_REQUEST['cancel'] != "") {
        show_page("EnterEmail", "", "");
        exit;
    }

    // An assurer may neither assure themselves ...
    if ($_SESSION['_config']['notarise']['id'] == $_SESSION['profile']['id']) {
        show_page("EnterEmail", "", _("You are never allowed to Assure yourself!"));
        exit;
    }

    // ... nor the same member a second time.
    $query = "select * from `notary` where `from`='".$_SESSION['profile']['id']."' and
`to`='".$_SESSION['_config']['notarise']['id']."'";
    $res = mysql_query($query);
    if (mysql_num_rows($res) > 0) {
        show_page("EnterEmail", "", _("You are only allowed to Assure someone once!"));
        exit;
    }
}
237
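if ($oldid == 6) {
    // First VerifyData stage: check the boxes and fields the assurer filled in.
    // Every failure re-renders VerifyData with an explanation and stops.
    if (!array_key_exists('assertion', $_POST) || $_POST['assertion'] != 1) {
        show_page("VerifyData", "", _("You failed to check all boxes to validate your adherence to the rules and policies of CAcert"));
        exit;
    }

    // TTP admins are exempt from the "certify" box and from naming a
    // meeting location.
    if ((!array_key_exists('certify', $_POST) || $_POST['certify'] != 1) && $_SESSION['profile']['ttpadmin'] != 1) {
        show_page("VerifyData", "", _("You failed to check all boxes to validate your adherence to the rules and policies of CAcert"));
        exit;
    }

    if ($_SESSION['profile']['ttpadmin'] != 1
            && (!array_key_exists('location', $_POST) || $_POST['location'] == "")) {
        show_page("VerifyData", "", _("You failed to enter a location of your meeting."));
        exit;
    }

    if (!array_key_exists('points', $_REQUEST) || $_REQUEST['points'] == "") {
        show_page("VerifyData", "", _("You must enter the number of points you wish to allocate to this person."));
        exit;
    }

    // Re-read the assuree and compare the name/date-of-birth digest with the
    // one kept in the session (presumably taken when the VerifyData form was
    // rendered) and with the copy echoed back by the form.  The comparisons
    // are strict: with `!=`, two digests that both look numeric ("0e...")
    // would be treated as equal.
    $query = "select * from `users` where `id`='".$_SESSION['_config']['notarise']['id']."'";
    $res = mysql_query($query);
    $row = mysql_fetch_assoc($res);
    $name = $row['fname']." ".$row['mname']." ".$row['lname']." ".$row['suffix'];
    if (!array_key_exists('pagehash', $_REQUEST)
            || $_SESSION['_config']['wothash'] !== md5($name."-".$row['dob'])
            || $_SESSION['_config']['wothash'] !== $_REQUEST['pagehash']) {
        show_page("VerifyData", "", _("Race condition discovered, user altered details during assurance procedure. PLEASE MAKE SURE THE NEW DETAILS BELOW MATCH THE ID DOCUMENTS."));
        exit;
    }
}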
282
283
if($oldid == 6)
{
    // Second VerifyData stage: work out how many points may actually be
    // credited for this assurance and refuse an exact repeat of an earlier one.

    // Ceiling for what this assurer may hand out (project helper; presumably
    // derived from the assurer's own points — see maxpoints()).
    $max = maxpoints();

    // $awarded is what the assurer asked for, clamped to 0..$max; $newpoints
    // starts out the same and is reduced further by the total caps below.
    $awarded = $newpoints = intval($_POST['points']);
    if($newpoints > $max)
        $newpoints = $awarded = $max;
    if($newpoints < 0)
        $newpoints = $awarded = 0;

    // Points the assuree already holds.  With no notary rows the query returns
    // nothing and $drow['total'] is NULL, which the arithmetic treats as 0.
    $query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['_config']['notarise']['id']."' group by `to`";
    $res = mysql_query($query);
    $drow = mysql_fetch_assoc($res);

    // Switches the temporary-increase feature off: every later
    // `intval($_POST['expire']) > 0` test in this file is therefore false.
    $_POST['expire'] = 0;

    // Cap the assuree's running total at 100 for ordinary assurers and at
    // $max for assurers whose ceiling is 100 or more.
    if(($drow['total'] + $newpoints) > 100 && $max < 100)
        $newpoints = 100 - $drow['total'];
    if(($drow['total'] + $newpoints) > $max && $max >= 100)
        $newpoints = $max - $drow['total'];
    if($newpoints < 0)
        $newpoints = 0;

    // Default the meeting date to "now" when the form left it blank.
    if(mysql_escape_string(stripslashes($_POST['date'])) == "")
        $_POST['date'] = date("Y-m-d H:i:s");

    // Same assurer, assuree, awarded points, location and date already on
    // record: treat this as a duplicate submission.
    // NOTE(review): "VerifyEmail" is not a target show_page() knows, so only
    // the message (no page body) is rendered.
    $query = "select * from `notary` where `from`='".$_SESSION['profile']['id']."' AND
`to`='".$_SESSION['_config']['notarise']['id']."' AND
`awarded`='$awarded' AND
`location`='".mysql_escape_string(stripslashes($_POST['location']))."' AND
`date`='".mysql_escape_string(stripslashes($_POST['date']))."'";
    $res = mysql_query($query);
    if(mysql_num_rows($res) > 0)
    {
        show_page("VerifyEmail","",_("Identical Assurance attempted, will not continue."));
        exit;
    }
}
322
if($oldid == 6)
{
    // Final VerifyData stage: record the assurance, credit the assurer's own
    // bonus, notify both members and show a fresh "Assure Someone" form.
    // $newpoints, $awarded and $drow come from the stage above.

    // The two ids are session values; location and date are form input and
    // are escaped.
    $query = "insert into `notary` set `from`='".$_SESSION['profile']['id']."',
`to`='".$_SESSION['_config']['notarise']['id']."',
`points`='$newpoints', `awarded`='$awarded',
`location`='".mysql_escape_string(stripslashes($_POST['location']))."',
`date`='".mysql_escape_string(stripslashes($_POST['date']))."',
`when`=NOW()";
    // The "Temporary Increase" branch cannot be taken: the stage above sets
    // $_POST['expire'] = 0 before this point.
    if($_SESSION['profile']['board'] == 1 && intval($_POST['expire']) > 0)
    {
        $query .= ",\n`method`='Temporary Increase'";
        $query .= ",\n`expire`=DATE_ADD(NOW(), INTERVAL '".intval($_POST['expire'])."' DAY)";
        $query .= ",\n`sponsor`='".intval($_POST['sponsor'])."'";
    } else if($_SESSION['profile']['board'] == 1) {
        // Board members may record an arbitrary method string.
        $query .= ",\n`method`='".mysql_escape_string(stripslashes($_POST['method']))."'";
    } else if($_SESSION['profile']['ttpadmin'] == 1 && ($_POST['method'] == 'Trusted 3rd Parties' || $_POST['method'] == 'Trusted Third Parties')) {
        $query .= ",\n`method`='TTP-Assisted'";
    }
    mysql_query($query);
    fix_assurer_flag($_SESSION['_config']['notarise']['id']);

    // Assurer's own bonus: 2 points while between 100 and 148, 1 point at 149,
    // otherwise 0 — note that a 0-point "Administrative Increase" row is still
    // inserted for assurers below 100 points.
    if($_SESSION['profile']['points'] < 150)
    {
        $addpoints = 0;
        if($_SESSION['profile']['points'] < 149 && $_SESSION['profile']['points'] >= 100)
            $addpoints = 2;
        else if($_SESSION['profile']['points'] == 149 && $_SESSION['profile']['points'] >= 100)
            $addpoints = 1;
        $query = "insert into `notary` set `from`='".$_SESSION['profile']['id']."',
`to`='".$_SESSION['profile']['id']."',
`points`='$addpoints', `awarded`='$addpoints',
`location`='".mysql_escape_string(stripslashes($_POST['location']))."',
`date`='".mysql_escape_string(stripslashes($_POST['date']))."',
`method`='Administrative Increase',
`when`=NOW()";
        mysql_query($query);
        // No need to fix_assurer_flag here, this should only happen for assurers...
        $_SESSION['profile']['points'] += $addpoints;
    }

    // Mail to the assuree, in the assuree's language.
    $my_translation = L10n::get_translation();
    L10n::set_translation($_SESSION['_config']['notarise']['language']);

    $body = sprintf(_("You are receiving this email because you have been assured by %s %s (%s)."), $_SESSION['profile']['fname'], $_SESSION['profile']['lname'], $_SESSION['profile']['email'])."\n\n";
    // Tell the assuree when the requested amount was capped.
    if($_POST['points'] != $newpoints)
        $body .= sprintf(_("You were issued %s points however the system has rounded this down to %s and you now have %s points in total."), $_POST['points'], $newpoints, ($newpoints + $drow['total']))."\n\n";
    else
        $body .= sprintf(_("You were issued %s points and you now have %s points in total."), $newpoints, ($newpoints + $drow['total']))."\n\n";

    if(($drow['total'] + $newpoints) < 100 && ($drow['total'] + $newpoints) >= 50)
    {
        $body .= _("You now have over 50 points, and can now have your name added to client certificates, and issue server certificates for up to 2 years.")."\n\n";
    }

    if(($drow['total'] + $newpoints) >= 100 && $newpoints > 0)
    {
        $body .= _("You have at least 100 Assurance Points, if you want to become an assurer try the Assurer Challenge")." ( https://cats.cacert.org )\n\n";
        $body .= _("To make it easier for others in your area to find you, it's helpful to list yourself as an assurer (this is voluntary), as well as a physical location where you live or work the most. You can flag your account to be listed, and add a comment to the display by going to:")."\n";
        $body .= "https://www.cacert.org/wot.php?id=8\n\n";
        $body .= _("You can list your location by going to:")."\n";
        $body .= "https://www.cacert.org/wot.php?id=13\n\n";
    }

    // Unreachable while $_POST['expire'] is forced to 0 (see above).
    if($_SESSION['profile']['board'] == 1 && intval($_POST['expire']) > 0)
        $body .= sprintf(_("Please Note: this is a temporary increase for %s days only. After that time your points will be reduced to 150 points."), intval($_POST['expire']))."\n\n";

    $body .= _("Best regards")."\n";
    $body .= _("CAcert Support Team");

    sendmail($_SESSION['_config']['notarise']['email'], "[CAcert.org] "._("You've been Assured."), $body, "support@cacert.org", "", "", "CAcert Website");

    // Mail to the assurer, back in the assurer's own language.
    L10n::set_translation($my_translation);

    $body = sprintf(_("You are receiving this email because you have assured %s %s (%s)."), $_SESSION['_config']['notarise']['fname'], $_SESSION['_config']['notarise']['lname'], $_SESSION['_config']['notarise']['email'])."\n\n";
    if($_POST['points'] != $newpoints)
        $body .= sprintf(_("You issued %s points however the system has rounded this down to %s and they now have %s points in total."), $_POST['points'], $newpoints, ($newpoints + $drow['total']))."\n\n";
    else
        $body .= sprintf(_("You issued %s points and they now have %s points in total."), $newpoints, ($newpoints + $drow['total']))."\n\n";

    // Unreachable while $_POST['expire'] is forced to 0 (see above).
    if($_SESSION['profile']['board'] == 1 && intval($_POST['expire']) > 0)
        $body .= sprintf(_("Please Note: this is a temporary increase for %s days only. After that time their points will be reduced to 150 points."), intval($_POST['expire']))."\n\n";
    $body .= _("Best regards")."\n";
    $body .= _("CAcert Support Team");

    sendmail($_SESSION['profile']['email'], "[CAcert.org] "._("You've Assured Another Member."), $body, "support@cacert.org", "", "", "CAcert Support");

    // Board notification for temporary increases.  Unreachable while
    // $_POST['expire'] is forced to 0; NOTE(review): $sponsor is not assigned
    // anywhere in this file, so this branch would need fixing before being
    // re-enabled.
    if($_SESSION['profile']['board'] == 1 && intval($_POST['expire']) > 0)
    {
        $body = sprintf("%s %s (%s) has issued a temporary increase to 200 points for %s %s (%s) for %s days. This action was sponsored by %s %s (%s).", $_SESSION['profile']['fname'], $_SESSION['profile']['lname'], $_SESSION['profile']['email'], $_SESSION['_config']['notarise']['fname'], $_SESSION['_config']['notarise']['lname'], $_SESSION['_config']['notarise']['email'], intval($_POST['expire']), $sponsor['fname'], $sponsor['lname'], $sponsor['email'])."\n\n";

        sendmail("cacert-board@lists.cacert.org", "[CAcert.org] Temporary Increase Issued.", $body, "website@cacert.org", "", "", "CAcert Website");
    }

    // Confirmation page with an empty "Assure Someone" form (posts back as
    // oldid=5, i.e. the EnterEmail step).
    showheader(_("My CAcert.org Account!"));
    echo "<p>"._("Shortly you and the person you were assuring will receive an email confirmation. There is no action on your behalf required to complete this.")."</p>";
?><form method="post" action="wot.php">
<table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper">
<tr>
<td colspan="2" class="title"><?=_("Assure Someone")?></td>
</tr>
<tr>
<td class="DataTD"><?=_("Email")?>:</td>
<td class="DataTD"><input type="text" name="email" id="email" value=""></td>
</tr>
<tr>
<td class="DataTD" colspan="2"><input type="submit" name="process" value="<?=_("Next")?>"></td>
</tr>
</table>
<input type="hidden" name="oldid" value="5">
</form>
<SCRIPT LANGUAGE="JavaScript">
//<![CDATA[
function my_init()
{
document.getElementById("email").focus();
}

// NOTE(review): the parentheses call my_init() immediately and assign its
// (undefined) return value to onload; the focus still happens, just at parse
// time rather than on load.
window.onload = my_init();
//]]>
</script>
<?
    showfooter();
    exit;
}
447
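if ($oldid == 8) {
    // EnterMyInfo posted back: store the "list me as an assurer" flag and the
    // free-text contact details on the member's own record.
    csrf_check("chgcontact");

    // Plain text only (tags stripped).  The session keeps the same unescaped
    // value the database holds; SQL escaping is applied to the query alone,
    // previously the escaped copy was cached in the session as well.
    $info = strip_tags(stripslashes(array_key_exists('contactinfo', $_POST) ? $_POST['contactinfo'] : ''));
    $listme = array_key_exists('listme', $_POST) ? intval($_POST['listme']) : 0;
    if ($listme < 0 || $listme > 1) {
        $listme = 0;
    }

    $_SESSION['profile']['listme'] = $listme;
    $_SESSION['profile']['contactinfo'] = $info;

    $query = "update `users` set `listme`='$listme',`contactinfo`='".mysql_escape_string($info)."' where `id`='".$_SESSION['profile']['id']."'";
    mysql_query($query);

    showheader(_("My CAcert.org Account!"));
    echo "<p>"._("Your account information has been updated.")."</p>";
    showfooter();
    exit;
}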
468
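if ($oldid == 9 && array_key_exists('userid', $_REQUEST) && $_REQUEST['userid'] > 0 && $_SESSION['profile']['id'] > 0) {
    // ContactAssurer posted back: relay a message from the logged-in member to
    // a listed assurer without disclosing the assurer's address.

    // The page hash ties this post to the assurer page that was rendered.
    // Compared strictly so that two hex digests are never equated through
    // numeric string juggling, and a missing pageid counts as a mismatch.
    if (!array_key_exists('pageid', $_REQUEST)
            || $_SESSION['_config']['pagehash'] !== $_REQUEST['pageid']) {
        $oldid = 0;
        $id = 9;
        show_page("ContactAssurer", "", _("It looks like you were trying to contact multiple people, this isn't allowed due to data security reasons."));
        exit;
    }

    $userid = intval($_REQUEST['userid']);
    // Only members who opted in (`listme`=1) can be contacted ...
    $user = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='$userid' and `listme`=1"));
    // ... and only when they hold assurance points.  $points is the number of
    // result rows (0 or 1), not the point total.
    $points = mysql_num_rows(mysql_query("select sum(`points`) as `total` from `notary`
where `to`='".$user['id']."' group by `to` HAVING SUM(`points`) > 0"));
    if ($points > 0) {
        $my_translation = L10n::get_translation();
        L10n::set_translation($user['language']);

        // The Subject header is fixed; the member's own subject and message
        // only ever appear inside the body.
        $subject = "[CAcert.org] ".sprintf(_("Message from %s"),
            $_SESSION['profile']['fname']);

        $body = sprintf(_("Hi %s,"), $user['fname'])."\n\n";
        $body .= sprintf(_("%s %s has sent you a message via the ".
            "contact an Assurer form on CAcert.org."),
            $_SESSION['profile']['fname'],
            $_SESSION['profile']['lname'])."\n\n";
        $body .= sprintf(_("Subject: %s"), array_key_exists('subject', $_REQUEST) ? $_REQUEST['subject'] : '')."\n";
        $body .= _("Message:")."\n";
        $body .= (array_key_exists('message', $_REQUEST) ? $_REQUEST['message'] : '')."\n\n";
        $body .= "------------------------------------------------\n\n";
        $body .= _("Please note, that this is NOT a message on behalf ".
            "of CAcert but another CAcert community member. If ".
            "you suspect that the contact form might have been ".
            "abused, please write to support@cacert.org")."\n\n";
        $body .= _("Best regards")."\n";
        $body .= _("Your CAcert Community");

        sendmail($user['email'], $subject, $body,
            $_SESSION['profile']['email'], //from
            "", //replyto
            "", //toname
            $_SESSION['profile']['fname']." ".
            $_SESSION['profile']['lname']); //fromname

        L10n::set_translation($my_translation);

        // The assurer's first name is member-supplied data and is escaped
        // before being placed in the page.
        showheader(_("My CAcert.org Account!"));?>
<p>
<? printf(_("Your email has been sent to %s."), htmlspecialchars($user['fname'])); ?>
</p>
<p>[ <a href='javascript:history.go(-2)'><?= _("Go Back") ?></a> ]</p>
<?
        showfooter();
        exit;
    } else {
        show_page(0, "", _("Sorry, I was unable to locate that user."));
        exit;
    }
}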
// Any ContactAssurer post that did not meet the guard above (no usable
// userid, or no logged-in profile id) ends here.
if ($oldid == 9) {
    $oldid = 0;
    $id = 9;
    show_page("ContactAssurer", "", _("There was an error and I couldn't proceed"));
    exit;
}
539
// Nothing above handled (and exited on) this request: render the current page.
// $id is whatever the handlers above, or the include chain, left in it —
// show_page() renders only the header and footer for targets it does not know.
show_page($id, "", "");
545 ?>