1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */ ?>
18 <?
19 require_once("../includes/loggedin.php");
20 require_once("../includes/lib/l10n.php");
21 require_once("../includes/notary.inc.php");
22
23
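function show_page($target, $message = "", $error = "")
{
	// Renders one page of the Web of Trust section: the common header, an
	// optional highlighted message, the wot/<n> template chosen by $target, and
	// the footer.
	//
	// $target  numeric page id (int or decimal string) or the symbolic page name
	//          from the table below. Any other value (e.g. "Exit", used when a
	//          non-assurer is turned away) renders header, message and footer only.
	// $message text shown above the page; expected to be translated already.
	// $error   error text; when non-empty it replaces $message, prefixed "ERROR:".
	// Both default to "" so callers may omit them (one caller in this file passes
	// only two arguments, which was a missing-argument warning before).
	//
	// The message is echoed as HTML without escaping: pass translated constants
	// or text the caller has already sanitised, never raw request input.

	// Page id and symbolic name both select the same wot/<n> template.
	// Numeric-string keys become ints in PHP, so '10' and 10 are the same key.
	$pages = array(
		'0'  => 0,  'InfoPage'       => 0,
		'1'  => 1,  'ListByCity'     => 1,
		'2'  => 2,  'BecomeAssurer'  => 2,
		'3'  => 3,  'TrustRules'     => 3,
		'4'  => 4,  'ShowTTPInfo'    => 4,
		'5'  => 5,  'EnterEmail'     => 5,
		'6'  => 6,  'VerifyData'     => 6,
		// 7, 11 ('OAInfo') and 14 are intentionally not reachable, as before.
		'8'  => 8,  'EnterMyInfo'    => 8,
		'9'  => 9,  'ContactAssurer' => 9,
		'10' => 10, 'MyPointsOld'    => 10,
		'12' => 12, 'SearchAssurer'  => 12,
		'13' => 13, 'EnterMyCity'    => 13,
		'15' => 15, 'MyPointsNew'    => 15,
	);

	showheader(_("My CAcert.org Account!"));

	if ($error != "") {
		$message = _("ERROR").": ".$error;
	}
	if ($message != "") {
		echo "<p><font color='orange' size='+1'>".$message."</font></p>";
	}

	// An int id is matched by its decimal string; an unknown target (or null)
	// simply renders no template, which is what the old switch did too.
	$key = (string) $target;
	if (array_key_exists($key, $pages)) {
		includeit($pages[$key], "wot");
	}

	showfooter();
}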
86
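function send_reminder()
{
	// Mails a "please create your account" reminder to the address the assurer
	// typed on the EnterEmail page, in the language chosen there and - unless
	// that already is English - in English as well.
	//
	// Reads $_POST['reminder-lang'] and $_POST['email']. Records the language,
	// a 'remindersent' flag and a status message in $_SESSION['_config'].
	// The recipient is whatever the form sent; the caller checks that the
	// logged-in user is an assurer before calling this, nothing else limits it.
	$my_translation = L10n::get_translation();

	$reminder_lang = "";
	if (array_key_exists('reminder-lang', $_POST) && is_string($_POST['reminder-lang'])) {
		$reminder_lang = $_POST['reminder-lang'];
	}
	// The posted value is used as an index into L10n::$translations and handed
	// to L10n::set_translation(), so only a configured translation is accepted;
	// anything else falls back to English (previously an unknown value produced
	// an undefined-index notice and an empty language heading in the mail).
	if (!isset(L10n::$translations[$reminder_lang])) {
		$reminder_lang = "en";
	}
	$_SESSION['_config']['reminder-lang'] = $reminder_lang;

	// Chosen language first, English appended unless it was the chosen one.
	$reminder_translations = array($reminder_lang);
	if (!in_array("en", $reminder_translations, true)) {
		$reminder_translations[] = "en";
	}

	$body = "";
	foreach ($reminder_translations as $translation) {
		L10n::set_translation($translation);

		$body .= L10n::$translations[$translation].":\n\n";
		$body .= sprintf(
			_("This is a short reminder that you filled out forms to become trusted with CAcert.org, and %s has attempted to issue you points. Please create your account at %s as soon as possible and then notify %s so that the points can be issued."),
			$_SESSION['profile']['fname']." (".$_SESSION['profile']['email'].")",
			"http://www.cacert.org",
			$_SESSION['profile']['fname']
		)."\n\n";
		$body .= _("Best regards")."\n";
		$body .= _("CAcert Support Team")."\n\n";
	}

	$recipient = array_key_exists('email', $_POST) ? $_POST['email'] : "";

	// Subject in the chosen language, then restore the assurer's own translation.
	L10n::set_translation($reminder_translations[0]);
	sendmail($recipient, "[CAcert.org] "._("Reminder Notice"), $body, $_SESSION['profile']['email'], "", "", $_SESSION['profile']['fname']);
	L10n::set_translation($my_translation);

	$_SESSION['_config']['remindersent'] = 1;
	$_SESSION['_config']['error'] = _("A reminder notice has been sent.");
}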
116
// loadem() comes from the includes; everything below assumes it has run.
loadem("account");

// Remember the meeting date and location the assurer typed; they are stored
// unvalidated here (presumably re-read by the wot templates) and checked only
// when step 6 (VerifyData) is submitted.
if (array_key_exists('date', $_POST) && $_POST['date'] != "") {
	$_SESSION['_config']['date'] = $_POST['date'];
}
if (array_key_exists('location', $_POST) && $_POST['location'] != "") {
	$_SESSION['_config']['location'] = $_POST['location'];
}

// $oldid is the page whose form was submitted; 0 when no form was submitted.
$oldid = 0;
if (array_key_exists('oldid', $_REQUEST)) {
	$oldid = intval($_REQUEST['oldid']);
}

// A SearchAssurer submission is displayed on the same page again.
if ($oldid == 12) {
	$id = $oldid;
}
128
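if ($oldid == 4) {
	// Step 4 (ShowTTPInfo): the member asks support to start a Trusted Third
	// Party assurance. Sends an untranslated request to support and a translated
	// confirmation to the member; nothing is written to the database here.
	if (array_key_exists('ttp', $_POST) && $_POST['ttp'] != '') {
		// The country and top-up flag are form input that only ends up in a
		// plain-text mail body. The previous version ran the country through
		// mysql_escape_string(), which is SQL escaping and merely added
		// backslashes to the support mail; stripslashes() is all that is kept.
		//This mail does not need to be translated
		$body = "Hi TTP adminstrators,\n\n";
		$body .= "User ".$_SESSION['profile']['fname']." ".
			$_SESSION['profile']['lname']." with email address '".
			$_SESSION['profile']['email']."' is requesting a TTP assurances for ".
			(array_key_exists('country', $_POST) ? stripslashes($_POST['country']) : "").".\n\n";
		if (array_key_exists('ttptopup', $_POST) && $_POST['ttptopup'] == '1') {
			$body .= "The user is also requesting TTP TOPUP.\n\n";
		} else {
			$body .= "The user is NOT requesting TTP TOPUP.\n\n";
		}
		$body .= "The user received ".intval($_SESSION['profile']['points'])." assurance points up to today.\n\n";
		$body .= "Please start the TTP assurance process.";
		sendmail("support@cacert.org", "[CAcert.org] TTP request.", $body, "support@cacert.org", "", "", "CAcert Website");

		//This mail needs to be translated
		$body = _("You are receiving this email because you asked for TTP assurance.")."\n\n";
		if (array_key_exists('ttptopup', $_POST) && $_POST['ttptopup'] == '1') {
			$body .= _("You are requesting TTP TOPUP.")."\n\n";
		} else {
			$body .= _("You are NOT requesting TTP TOPUP.")."\n\n";
		}
		$body .= _("Best regards")."\n";
		$body .= _("CAcert Support Team");

		sendmail($_SESSION['profile']['email'], "[CAcert.org] "._("You requested TTP assurances"), $body, "support@cacert.org", "", "", "CAcert Support");
	}
}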
162
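// Steps 5 (EnterEmail) and 6 (VerifyData) are reserved for assurers; anyone
// else is shown the reason from get_assurer_reason() and nothing more.
// $id may not be set at this point, hence the isset() guard.
if ((isset($id) && ($id == 5 || $id == 6)) || $oldid == 5 || $oldid == 6) {
	if (!is_assurer($_SESSION['profile']['id'])) {
		show_page("Exit", "", get_assurer_reason($_SESSION['profile']['id']));
		exit;
	}
}

// Step 6 relies on the assuree record that step 5 put into the session; with
// no usable id (expired session, step skipped) send the assurer back to step 5.
if ($oldid == 6
	&& (!isset($_SESSION['_config']['notarise']['id'])
		|| intval($_SESSION['_config']['notarise']['id']) <= 0)) {
	show_page("EnterEmail", "", _("Something went wrong. Please enter the email address again"));
	exit;
}

// The EnterEmail form has a "send reminder" button that mails the typed
// address instead of looking it up.
if ($oldid == 5 && array_key_exists('reminder', $_POST) && $_POST['reminder'] != "") {
	send_reminder();
	show_page("EnterEmail", _("A reminder notice has been sent."), "");
	exit;
}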
181
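if ($oldid == 5) {
	// Step 5 (EnterEmail): find the assuree by the typed email address, keep the
	// record in the session for step 6 and refuse unverified, mismatching or
	// locked accounts. Each refusal has its own message, so an assurer can tell
	// whether an address is registered and verified; keep that in mind if this
	// page is ever opened to non-assurers.
	//
	// mysql_real_escape_string() honours the connection charset; the deprecated
	// mysql_escape_string() used here before does not (the rest of this file
	// already uses the _real_ variant).
	$query = "select * from `users` where `email`='"
		.mysql_real_escape_string(array_key_exists('email', $_POST) ? stripslashes($_POST['email']) : "")
		."' and `deleted`=0";
	$res = mysql_query($query);
	if (mysql_num_rows($res) != 1) {
		$_SESSION['_config']['noemailfound'] = 1;
		show_page("EnterEmail", "", _("I'm sorry, there was no email matching what you entered in the system. Please double check your information."));
		exit;
	}

	$_SESSION['_config']['noemailfound'] = 0;
	// NOTE(review): select * copies the whole users row into the session; this
	// file later reads only id, verified, dob, language, email, fname and lname.
	// A narrower column list would keep unrelated account data out of the
	// session, but check the wot/6 template (not in this file) before narrowing.
	$_SESSION['_config']['notarise'] = mysql_fetch_assoc($res);
	if ($_SESSION['_config']['notarise']['verified'] == 0) {
		show_page("EnterEmail", "", _("User is not yet verified. Please try again in 24 hours!"));
		exit;
	}

	// Everybody except TTP admins must also know the assuree's date of birth,
	// compared with the stored value in YYYY-MM-DD form.
	if ($_SESSION['profile']['ttpadmin'] != 1) {
		$_SESSION['assuresomeone']['year'] = isset($_POST['year']) ? intval($_POST['year']) : 0;
		$_SESSION['assuresomeone']['month'] = isset($_POST['month']) ? intval($_POST['month']) : 0;
		$_SESSION['assuresomeone']['day'] = isset($_POST['day']) ? intval($_POST['day']) : 0;
		$dob = sprintf('%04d-%02d-%02d', $_SESSION['assuresomeone']['year'], $_SESSION['assuresomeone']['month'], $_SESSION['assuresomeone']['day']);

		if ($_SESSION['_config']['notarise']['dob'] != $dob) {
			show_page("EnterEmail", "", _("The data entered is not matching with an account."));
			exit;
		}
	}

	// A locked account is still listed but must not be assured.
	$query = "select * from `users` where `email`='"
		.mysql_real_escape_string(array_key_exists('email', $_POST) ? stripslashes($_POST['email']) : "")
		."' and `locked`=1";
	$res = mysql_query($query);
	if (mysql_num_rows($res) >= 1) {
		$_SESSION['_config']['noemailfound'] = 0;
		show_page("EnterEmail", "", _("This account is locked and can not be assured. For more information ask support@cacert.org."));
		exit;
	}
}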
221
if ($oldid == 5 || $oldid == 6) {
	// Checks shared by steps 5 and 6: the assurer may cancel, may never assure
	// themselves, and may assure a given member only once.
	$id = 6;

	if (array_key_exists('cancel', $_REQUEST) && $_REQUEST['cancel'] != "") {
		show_page("EnterEmail", "", "");
		exit;
	}

	if ($_SESSION['_config']['notarise']['id'] == $_SESSION['profile']['id']) {
		show_page("EnterEmail", "", _("You are never allowed to Assure yourself!"));
		exit;
	}

	// Any non-deleted notary row from this assurer to this assuree means the
	// assurance has already been recorded.
	$query = sprintf(
		"select * from `notary` where `from`='%d' and\n`to`='%d' and `deleted` = 0",
		intval($_SESSION['profile']['id']),
		intval($_SESSION['_config']['notarise']['id'])
	);
	$res = mysql_query($query);
	if (mysql_num_rows($res) > 0) {
		show_page("EnterEmail", "", _("You are only allowed to Assure someone once!"));
		exit;
	}
}
246
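if ($oldid == 6) {
	// Step 6 (VerifyData): validate the assurance form before anything is stored.
	// Every field is read from $_POST, which is also where the following steps
	// take the values they write to the notary table. The previous version
	// validated $_REQUEST for date, location, points and method, so a query
	// parameter could satisfy a check that the stored POST value did not.
	// (The unused debugging variable $iecho was dropped.)

	//date checks
	if (!array_key_exists('date', $_POST) || trim($_POST['date']) == '') {
		show_page("VerifyData", "", _("You must enter the date when you met the assuree."));
		exit;
	}

	if (!check_date_format(trim($_POST['date']))) {
		show_page("VerifyData", "", _("You must enter the date in this format: YYYY-MM-DD."));
		exit;
	}

	if (!check_date_difference(trim($_POST['date']))) {
		show_page("VerifyData", "", _("You must not enter a date in the future."));
		exit;
	}

	//proof of identity check and accept arbitration, implements CCA
	if (!array_key_exists('assertion', $_POST) || $_POST['assertion'] != 1) {
		show_page("VerifyData", "", _("You failed to check all boxes to validate your adherence to the rules and policies of CAcert"));
		exit;
	}

	//proof of CCA agreement by assuree after 2010-01-01
	// check_date_format() with 2010 as second argument is how this file decides
	// whether the CCA applied at the meeting date (same call in the insert step).
	if ((!array_key_exists('CCAAgreed', $_POST) || $_POST['CCAAgreed'] != 1)
		&& check_date_format(trim($_POST['date']), 2010)) {
		show_page("VerifyData", "", _("You failed to check all boxes to validate your adherence to the rules and policies of CAcert"));
		exit;
	}

	//assurance done according to rules
	if (!array_key_exists('rules', $_POST) || $_POST['rules'] != 1) {
		show_page("VerifyData", "", _("You failed to check all boxes to validate your adherence to the rules and policies of CAcert"));
		exit;
	}

	//met assuree in person, not applicable for TTP / TTP Topup assurances
	if ((!array_key_exists('certify', $_POST) || $_POST['certify'] != 1)
		&& (!array_key_exists('method', $_POST) || $_POST['method'] != "Trusted 3rd Parties")) {
		show_page("VerifyData", "", _("You failed to check all boxes to validate your adherence to the rules and policies of CAcert"));
		exit;
	}

	//check location, min 3 characters (byte length, as before)
	if (!array_key_exists('location', $_POST) || trim($_POST['location']) == "") {
		show_page("VerifyData", "", _("You failed to enter a location of your meeting."));
		exit;
	}

	if (strlen(trim($_POST['location'])) <= 2) {
		show_page("VerifyData", "", _("You must enter a location with at least 3 characters eg town and country."));
		exit;
	}

	//check for points in range 0-35, for nucleus 35 + 15 temporary
	if (!array_key_exists('points', $_POST) || $_POST['points'] == "" || !is_numeric($_POST['points'])) {
		show_page("VerifyData", "", _("You must enter the number of points you wish to allocate to this person."));
		exit;
	}

	if ($_POST['points'] < 0 || $_POST['points'] > 35) {
		show_page("VerifyData", "", _("The number of points you entered are out of the range given by policy."));
		exit;
	}

	// The assuree's name and date of birth must still be the ones the form was
	// rendered with: wothash (set elsewhere, presumably by the wot/6 template) is
	// recomputed from the current row and must also equal the pagehash the form
	// echoes back. Compared strictly: with != two md5 strings of the form
	// "0e<digits>" are both numeric and compare equal as numbers.
	// pagehash is left in $_REQUEST because this file does not show how the form
	// sends it.
	$query = "select * from `users` where `id`='".intval($_SESSION['_config']['notarise']['id'])."'";
	$res = mysql_query($query);
	$row = mysql_fetch_assoc($res);
	$name = sanitizeHTML($row['fname'])." ".sanitizeHTML($row['mname'])." ".sanitizeHTML($row['lname'])." ".sanitizeHTML($row['suffix']);
	if (!isset($_SESSION['_config']['wothash'])
		|| $_SESSION['_config']['wothash'] !== md5($name."-".$row['dob'])
		|| !array_key_exists('pagehash', $_REQUEST)
		|| $_SESSION['_config']['wothash'] !== $_REQUEST['pagehash']) {
		show_page("VerifyData", "", _("Race condition discovered, user altered details during assurance procedure. PLEASE MAKE SURE THE NEW DETAILS BELOW MATCH THE ID DOCUMENTS."));
		exit;
	}
}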
333
334
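if ($oldid == 6) {
	// Clamp the requested points to what this assurer may give, remember the
	// assuree's current total, and refuse an assurance identical to one already
	// recorded (double submit).
	$max = maxpoints();

	$awarded = array_key_exists('points', $_POST) ? intval($_POST['points']) : 0;
	if ($awarded > $max) {
		$awarded = $max;
	}
	if ($awarded < 0) {
		$awarded = 0;
	}

	// Points the assuree holds before this assurance; the confirmation mails of
	// the next step add $awarded to this figure.
	$drow_points = get_received_total_points(intval($_SESSION['_config']['notarise']['id']));

	// Validation already rejected an empty date, so this default is a last resort.
	if (stripslashes($_POST['date']) == "") {
		$_POST['date'] = date("Y-m-d H:i:s");
	}

	$query = "select * from `notary` where `from`='".intval($_SESSION['profile']['id'])."' AND
		`to`='".intval($_SESSION['_config']['notarise']['id'])."' AND
		`awarded`='".intval($awarded)."' AND
		`location`='".mysql_real_escape_string(stripslashes($_POST['location']))."' AND
		`date`='".mysql_real_escape_string(stripslashes($_POST['date']))."' AND
		`deleted`=0";
	$res = mysql_query($query);
	if (mysql_num_rows($res) > 0) {
		// "VerifyData" is the page the form came from; the old target
		// "VerifyEmail" is not a page show_page() knows, so only the bare
		// message was rendered.
		show_page("VerifyData", "", _("Identical Assurance attempted, will not continue."));
		exit;
	}
}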
363
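if ($oldid == 6) {
	// Record the assurance, credit the assurer's experience points and mail both
	// parties. $awarded and $drow_points come from the preceding step.
	$query = "insert into `notary` set `from`='".intval($_SESSION['profile']['id'])."',
		`to`='".intval($_SESSION['_config']['notarise']['id'])."',
		`points`='0', `awarded`='".intval($awarded)."',
		`location`='".mysql_real_escape_string(stripslashes($_POST['location']))."',
		`date`='".mysql_real_escape_string(stripslashes($_POST['date']))."',
		`when`=NOW()";
	//record active acceptance by Assurer
	if (check_date_format(trim($_POST['date']), 2010)) {
		write_user_agreement($_SESSION['profile']['id'], "CCA", "assurance", "Assuring", 1, $_SESSION['_config']['notarise']['id']);
		write_user_agreement($_SESSION['_config']['notarise']['id'], "CCA", "assurance", "Being assured", 0, $_SESSION['profile']['id']);
	}
	// Only a TTP admin may record a TTP-assisted assurance.
	if ($_SESSION['profile']['ttpadmin'] == 1
		&& array_key_exists('method', $_POST)
		&& ($_POST['method'] == 'Trusted 3rd Parties' || $_POST['method'] == 'Trusted Third Parties')) {
		$query .= ",\n`method`='TTP-Assisted'";
	}
	mysql_query($query);
	fix_assurer_flag($_SESSION['_config']['notarise']['id']);
	// (notary.inc.php is already required at the top of this file.)

	// Experience points for the assurer: 2 per assurance while between 100 and
	// 148 points, 1 at 149, so the total stops at 150. Below 100 a zero-point
	// row is still written, as before.
	if ($_SESSION['profile']['points'] < 150) {
		$addpoints = 0;
		if ($_SESSION['profile']['points'] == 149) {
			$addpoints = 1;
		} elseif ($_SESSION['profile']['points'] >= 100) {
			$addpoints = 2;
		}
		$query = "insert into `notary` set `from`='".intval($_SESSION['profile']['id'])."',
		`to`='".intval($_SESSION['profile']['id'])."',
		`points`='".intval($addpoints)."', `awarded`='".intval($addpoints)."',
		`location`='".mysql_real_escape_string(stripslashes($_POST['location']))."',
		`date`='".mysql_real_escape_string(stripslashes($_POST['date']))."',
		`method`='Administrative Increase',
		`when`=NOW()";
		mysql_query($query);

		// No need to fix_assurer_flag here, this should only happen for assurers...
		$_SESSION['profile']['points'] += $addpoints;
	}

	// Mail to the assuree, in the assuree's language.
	$my_translation = L10n::get_translation();
	L10n::set_translation($_SESSION['_config']['notarise']['language']);

	$body = sprintf(_("You are receiving this email because you have been assured by %s %s (%s)."), $_SESSION['profile']['fname'], $_SESSION['profile']['lname'], $_SESSION['profile']['email'])."\n\n";

	// $drow_points is the total before this assurance. The old code referenced
	// $drow_total / $drow['total'] here, which were never assigned, so the mails
	// reported just $awarded as the new total.
	$body .= sprintf(_("You were issued %s assurance points and you now have %s assurance points in total."), $awarded, ($awarded + $drow_points))."\n\n";

	if (($drow_points + $awarded) < 100 && ($drow_points + $awarded) >= 50) {
		$body .= _("You now have over 50 points, and can now have your name added to client certificates, and issue server certificates for up to 2 years.")."\n\n";
	}

	// Crossed 100 points with this assurance and not an assurer yet: point at the
	// Assurer Challenge. The old condition compared the previous total with 0,
	// which (for a non-negative total) never holds, so this hint was never sent;
	// 100 is the threshold the message text itself states.
	if (($drow_points + $awarded) >= 100 && $drow_points < 100
		&& !is_assurer(intval($_SESSION['_config']['notarise']['id']))) {
		$body .= _("You have at least 100 Assurance Points, if you want to become an assurer try the Assurer Challenge")." ( https://cats.cacert.org )\n\n";
		$body .= _("To make it easier for others in your area to find you, it's helpful to list yourself as an assurer (this is voluntary), as well as a physical location where you live or work the most. You can flag your account to be listed, and add a comment to the display by going to:")."\n";
		$body .= "https://www.cacert.org/wot.php?id=8\n\n";
		$body .= _("You can list your location by going to:")."\n";
		$body .= "https://www.cacert.org/wot.php?id=13\n\n";
	}

	$body .= _("Best regards")."\n";
	$body .= _("CAcert Support Team");

	sendmail($_SESSION['_config']['notarise']['email'], "[CAcert.org] "._("You've been Assured."), $body, "support@cacert.org", "", "", "CAcert Website");

	// Mail to the assurer, back in the assurer's own language.
	L10n::set_translation($my_translation);

	$body = sprintf(_("You are receiving this email because you have assured %s %s (%s)."), $_SESSION['_config']['notarise']['fname'], $_SESSION['_config']['notarise']['lname'], $_SESSION['_config']['notarise']['email'])."\n\n";
	$body .= sprintf(_("You issued %s assurance points and they now have %s assurance points in total."), $awarded, ($awarded + $drow_points))."\n\n";

	$body .= _("Best regards")."\n";
	$body .= _("CAcert Support Team");

	sendmail($_SESSION['profile']['email'], "[CAcert.org] "._("You've Assured Another Member."), $body, "support@cacert.org", "", "", "CAcert Support");

	show_page('EnterEmail', _("Shortly you and the person you were assuring will receive an email confirmation. There is no action on your behalf required to complete this."), "");
	exit;
}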
443
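if ($oldid == 8) {
	// Step 8 (EnterMyInfo): update the "list me as assurer" flag and the free-text
	// contact info shown to other members.
	csrf_check("chgcontact");

	// Contact info is displayed to others, so markup is stripped. SQL escaping is
	// applied in the query only: the old code cached the escaped string in the
	// session, so the profile showed stray backslashes until the next login.
	$info = strip_tags(stripslashes(array_key_exists('contactinfo', $_POST) ? $_POST['contactinfo'] : ""));
	$listme = array_key_exists('listme', $_POST) ? intval($_POST['listme']) : 0;
	if ($listme < 0 || $listme > 1) {
		$listme = 0;
	}

	$_SESSION['profile']['listme'] = $listme;
	$_SESSION['profile']['contactinfo'] = $info;

	$query = "update `users` set `listme`='".intval($listme)."',`contactinfo`='".mysql_real_escape_string($info)."' where `id`='".intval($_SESSION['profile']['id'])."'";
	mysql_query($query);

	showheader(_("My CAcert.org Account!"));
	echo "<p>"._("Your account information has been updated.")."</p>";
	showfooter();
	exit;
}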
464
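if ($oldid == 9 && array_key_exists('userid', $_REQUEST) && $_REQUEST['userid'] > 0 && $_SESSION['profile']['id'] > 0) {
	// Step 9 (ContactAssurer): relay a message from the logged-in member to a
	// listed assurer. The page hash ties one submission to one recipient;
	// compared strictly, since with != two "0e<digits>" hashes are equal as numbers.
	if (!isset($_SESSION['_config']['pagehash'])
		|| !array_key_exists('pageid', $_REQUEST)
		|| $_SESSION['_config']['pagehash'] !== $_REQUEST['pageid']) {
		show_page("ContactAssurer", "", _("It looks like you were trying to contact multiple people, this isn't allowed due to data security reasons."));
		exit;
	}

	$userid = intval($_REQUEST['userid']);
	$user = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".intval($userid)."' and `listme`=1"));
	// The recipient must be listed (the query) and be an assurer. The old code
	// checked only the latter, so an unlisted id produced a mail with an empty
	// recipient address.
	if (!is_array($user) || !(is_assurer($userid) > 0)) {
		show_page(0, "", _("Sorry, I was unable to locate that user."));
		exit;
	}

	$my_translation = L10n::get_translation();
	L10n::set_translation($user['language']);

	// The Subject header is built from the sender's profile name only; the
	// member-typed subject and message go into the body as plain text.
	$subject = "[CAcert.org] ".sprintf(_("Message from %s"),
		$_SESSION['profile']['fname']);

	$body = sprintf(_("Hi %s,"), $user['fname'])."\n\n";
	$body .= sprintf(_("%s %s has sent you a message via the ".
		"contact an Assurer form on CAcert.org."),
		$_SESSION['profile']['fname'],
		$_SESSION['profile']['lname'])."\n\n";
	$body .= sprintf(_("Subject: %s"), array_key_exists('subject', $_REQUEST) ? $_REQUEST['subject'] : "")."\n";
	$body .= _("Message:")."\n";
	$body .= (array_key_exists('message', $_REQUEST) ? $_REQUEST['message'] : "")."\n\n";
	$body .= "------------------------------------------------\n\n";
	$body .= _("Please note, that this is NOT a message on behalf ".
		"of CAcert but another CAcert community member. If ".
		"you suspect that the contact form might have been ".
		"abused, please write to support@cacert.org")."\n\n";
	$body .= _("Best regards")."\n";
	$body .= _("Your CAcert Community");

	sendmail($user['email'], $subject, $body,
		$_SESSION['profile']['email'], //from
		"", //replyto
		"", //toname
		$_SESSION['profile']['fname']." ".
		$_SESSION['profile']['lname']); //fromname

	L10n::set_translation($my_translation);

	showheader(_("My CAcert.org Account!"));
	echo "<p>\n".sprintf(_("Your email has been sent to %s."), sanitizeHTML($user['fname']))."\n</p>\n";
	echo "<p>[ <a href='javascript:history.go(-2)'>"._("Go Back")."</a> ]</p>\n";
	showfooter();
	exit;
}

// Step 9 without a positive userid (or no logged-in profile id).
if ($oldid == 9) {
	show_page("ContactAssurer", "", _("There was an error and I couldn't proceed"));
	exit;
}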
533
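// No form action applied (or one fell through without exiting): render the
// requested page. $id is presumably set by the includes or by a step above.
// (Commented-out debugging output that used to sit here was removed.)
show_page($id, "", "");
?>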