1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */ ?>
18 <?
19 require_once("../includes/loggedin.php");
20 require_once("../includes/lib/l10n.php");
21 require_once("../includes/wot.inc.php");
22
23
24
/**
 * Render one of the web-of-trust sub pages inside the standard page frame.
 *
 * $target  - page number (int or numeric string) or its symbolic name
 * $message - informational text shown above the page, may be ""
 * $error   - error text; when non-empty it replaces $message, prefixed "ERROR:"
 */
function show_page($target,$message,$error)
{
    // Ordered (number, name) pairs; a target may be given either way. The
    // retired pages 7, 11 and 14 are deliberately not listed.
    $pages = array(
        array(0,  'InfoPage'),
        array(1,  'ListByCity'),
        array(2,  'BecomeAssurer'),
        array(3,  'TrustRules'),
        array(4,  'ShowTTPInfo'),
        array(5,  'EnterEmail'),
        array(6,  'VerifyData'),
        array(8,  'EnterMyInfo'),
        array(9,  'ContactAssurer'),
        array(10, 'MyPointsOld'),
        array(12, 'SearchAssurer'),
        array(13, 'EnterMyCity'),
        array(15, 'MyPointsNew'),
    );

    showheader(_("My CAcert.org Account!"));

    // An error always takes precedence over an informational message.
    if ($error != "") {
        $message = _("ERROR").": ".$error;
    }
    if ($message != "") {
        echo "<p><font color='orange' size='+1'>".$message."</font></p>";
    }

    // Loose (==) comparison on purpose: this mirrors switch/case semantics,
    // so an integer target such as 6 still selects the '6' entry. An unknown
    // target (e.g. "Exit") renders only the header, message and footer.
    foreach ($pages as $entry) {
        list($number, $name) = $entry;
        if ($target == (string)$number || $target == $name) {
            includeit($number, "wot");
            break;
        }
    }

    showfooter();
}
87
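/**
 * Mail a "please create your account" reminder to the address the assurer
 * typed into the form, in the requested language and in English.
 *
 * Reads $_POST['reminder-lang'] and $_POST['email'], switches the L10n
 * translation temporarily and restores it afterwards. Records the outcome in
 * $_SESSION['_config'] ('reminder-lang', 'remindersent', 'error').
 */
function send_reminder()
{
    $my_translation = L10n::get_translation();

    // The requested language is untrusted form input that is used both as a
    // key into L10n::$translations and as the translation to switch to. Only
    // accept a code the L10n table actually knows; anything else falls back
    // to English instead of indexing the table with an arbitrary string.
    $requested = isset($_POST['reminder-lang']) ? (string)$_POST['reminder-lang'] : "";
    if ($requested == "" || !array_key_exists($requested, L10n::$translations)) {
        $requested = "en";
    }
    $_SESSION['_config']['reminder-lang'] = $requested;

    // Always send the requested language plus English (English only once).
    $reminder_translations = array($requested);
    if (!in_array("en", $reminder_translations, true)) {
        $reminder_translations[] = "en";
    }

    $body = "";
    foreach ($reminder_translations as $translation) {
        L10n::set_translation($translation);

        $body .= L10n::$translations[$translation].":\n\n";
        $body .= sprintf(_("This is a short reminder that you filled out forms to become trusted with CAcert.org, and %s has attempted to issue you points. Please create your account at %s as soon as possible and then notify %s so that the points can be issued."), $_SESSION['profile']['fname']." (".$_SESSION['profile']['email'].")", "http://www.cacert.org", $_SESSION['profile']['fname'])."\n\n";
        $body .= _("Best regards")."\n";
        $body .= _("CAcert Support Team")."\n\n";
    }

    // The subject goes out in the requested language. The recipient address
    // is passed through untouched; any address validation has to happen in
    // sendmail(), which is not visible here.
    L10n::set_translation($reminder_translations[0]);
    sendmail($_POST['email'], "[CAcert.org] "._("Reminder Notice"), $body, $_SESSION['profile']['email'], "", "", $_SESSION['profile']['fname']);

    L10n::set_translation($my_translation);

    $_SESSION['_config']['remindersent'] = 1;
    $_SESSION['_config']['error'] = _("A reminder notice has been sent.");
}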
117
118
119
loadem("account");

// Which step of the assurance workflow posted back to us (0 = none).
$oldid = array_key_exists('oldid', $_REQUEST) ? intval($_REQUEST['oldid']) : 0;

// Carry the posted meeting date/location over into the session for the
// following steps; empty values do not overwrite what is already stored.
if (array_key_exists('date', $_POST) && $_POST['date'] != "") {
    $_SESSION['_config']['date'] = $_POST['date'];
}
if (array_key_exists('location', $_POST) && $_POST['location'] != "") {
    $_SESSION['_config']['location'] = $_POST['location'];
}

// The assurer search (12) simply re-displays itself.
if ($oldid == 12) {
    $id = $oldid;
}

// Steps 5 (enter e-mail) and 6 (verify data) are restricted to assurers.
// NOTE: $id is not assigned in this file before this point; presumably it is
// provided by loadem()/the includes -- confirm.
if ($id == 5 || $oldid == 5 || $id == 6 || $oldid == 6) {
    if (!is_assurer($_SESSION['profile']['id'])) {
        show_page("Exit", "", get_assurer_reason($_SESSION['profile']['id']));
        exit;
    }
}

// Step 6 needs the assuree looked up in step 5; without that record, start over.
if ($oldid == 6 && intval($_SESSION['_config']['notarise']['id']) <= 0) {
    show_page("EnterEmail", "", _("Something went wrong. Please enter the email address again"));
    exit;
}

// "Send reminder" button on the e-mail form: mail the person and stay on the form.
if ($oldid == 5 && array_key_exists('reminder', $_POST) && $_POST['reminder'] != "") {
    send_reminder();
    show_page("EnterEmail", _("A reminder notice has been sent."), "");
    exit;
}
150
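if($oldid == 5)
{
    // Look up the assuree by the e-mail address typed into the form. The
    // address is untrusted input: it is escaped once with the connection-aware
    // mysql_real_escape_string() (mysql_escape_string() ignores the connection
    // charset) and the escaped copy is reused by both queries below.
    $wotEmailSql = mysql_real_escape_string(isset($_POST['email']) ? stripslashes($_POST['email']) : "");

    // Exactly one live account must match.
    $query = "select * from `users` where `email`='".$wotEmailSql."' and `deleted`=0";
    $res = mysql_query($query);
    if(mysql_num_rows($res) != 1)
    {
        $_SESSION['_config']['noemailfound'] = 1;
        show_page("EnterEmail","",_("I'm sorry, there was no email matching what you entered in the system. Please double check your information."));
        exit;
    }

    // Remember the assuree's record for the following steps.
    $_SESSION['_config']['noemailfound'] = 0;
    $_SESSION['_config']['notarise'] = mysql_fetch_assoc($res);
    if ($_SESSION['_config']['notarise']['verified'] == 0)
    {
        show_page("EnterEmail","",_("User is not yet verified. Please try again in 24 hours!"));
        exit;
    }

    // A locked account (checked regardless of the `deleted` flag, as before)
    // may not be assured at all.
    $query = "select * from `users` where `email`='".$wotEmailSql."' and `locked`=1";
    $res = mysql_query($query);
    if(mysql_num_rows($res) >= 1)
    {
        $_SESSION['_config']['noemailfound'] = 0;
        show_page("EnterEmail","",_("This account is locked and can not be assured. For more information ask support@cacert.org."));
        exit;
    }
    unset($wotEmailSql);
}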
179
if ($oldid == 5 || $oldid == 6) {
    // From here on we are on the "verify data" page. $oldid is intentionally
    // left untouched (the original kept its reset commented out).
    $id = 6;

    // "Cancel" returns to the e-mail form without changing anything.
    if (array_key_exists('cancel', $_REQUEST) && $_REQUEST['cancel'] != "") {
        show_page("EnterEmail", "", "");
        exit;
    }

    // Nobody may assure their own account ...
    if ($_SESSION['profile']['id'] == $_SESSION['_config']['notarise']['id']) {
        show_page("EnterEmail", "", _("You are never allowed to Assure yourself!"));
        exit;
    }

    // ... and an assurer may assure a given member only once. Both ids come
    // from the session/database, not from the request.
    $query = "select * from `notary` where `from`='".$_SESSION['profile']['id']."' and `to`='".$_SESSION['_config']['notarise']['id']."'";
    $res = mysql_query($query);
    if (mysql_num_rows($res) > 0) {
        show_page("EnterEmail", "", _("You are only allowed to Assure someone once!"));
        exit;
    }
}
204
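if($oldid == 6)
{
    $iecho= "c"; // only referenced by the commented-out debug echo at the end of this file

    // Everything below is untrusted form input. Each field is read once with
    // a safe default, so a missing field behaves like an empty one instead of
    // raising a notice; the checks themselves are kept in their original order.
    $wotDate = isset($_REQUEST['date']) ? trim($_REQUEST['date']) : '';
    $wotLocation = isset($_REQUEST['location']) ? $_REQUEST['location'] : '';
    $wotPoints = isset($_REQUEST['points']) ? $_REQUEST['points'] : '';

    if($wotDate == '')
    {
        show_page("VerifyData","",_("You must enter the date when you met the assuree."));
        exit;
    }

    if(!check_date_format($wotDate))
    {
        show_page("VerifyData","",_("You must enter the date in this format: YYYY-MM-DD."));
        exit;
    }

    // (The helper really is spelled "differnce" where it is defined.)
    if(!check_date_differnce($wotDate))
    {
        show_page("VerifyData","",_("You must not enter a date in the future."));
        exit;
    }

    // The assurer must tick every policy box; TTP admins are exempt from
    // "certify" only. The former "rules" box is no longer checked.
    if(!array_key_exists('assertion',$_POST) || $_POST['assertion'] != 1)
    {
        show_page("VerifyData","",_("You failed to check all boxes to validate your adherence to the rules and policies of CAcert"));
        exit;
    }

    if(!array_key_exists('CCAAgreed',$_POST) || $_POST['CCAAgreed'] != 1)
    {
        show_page("VerifyData","",_("You failed to check all boxes to validate your adherence to the rules and policies of CAcert"));
        exit;
    }

    if((!array_key_exists('certify',$_POST) || $_POST['certify'] != 1 ) && $_SESSION['profile']['ttpadmin'] != 1)
    {
        show_page("VerifyData","",_("You failed to check all boxes to validate your adherence to the rules and policies of CAcert"));
        exit;
    }

    if($_SESSION['profile']['ttpadmin'] != 1 && (!isset($_POST['location']) || $_POST['location'] == ""))
    {
        show_page("VerifyData","",_("You failed to enter a location of your meeting."));
        exit;
    }

    // NOTE(review): the message promises "at least 3 characters" while the
    // check (<= 3) also rejects a 3-character location. Kept unchanged, as the
    // checks were presumably tightened on purpose -- confirm the intended bound.
    if(strlen(trim($wotLocation))<=3)
    {
        show_page("VerifyData","",_("You must enter a location with at least 3 characters eg town and country."));
        exit;
    }

    if($wotPoints == "" || !is_numeric($wotPoints))
    {
        show_page("VerifyData","",_("You must enter the number of points you wish to allocate to this person."));
        exit;
    }

    // Anti-tampering check: the hash over the assuree's name and date of
    // birth that was shown on the previous page must still match both the
    // current database record (the member did not edit their details in the
    // meantime) and the hash posted back with this form. The comparisons are
    // strict: with loose (!=) comparison two hex digests of the form "0e..."
    // compare equal as numbers, so an unrelated posted value could slip through.
    $query = "select * from `users` where `id`='".intval($_SESSION['_config']['notarise']['id'])."'";
    $res = mysql_query($query);
    $row = mysql_fetch_assoc($res);
    $name = $row['fname']." ".$row['mname']." ".$row['lname']." ".$row['suffix'];
    $wotExpectedHash = md5($name."-".$row['dob']);
    $wotSessionHash = isset($_SESSION['_config']['wothash']) ? (string)$_SESSION['_config']['wothash'] : '';
    $wotPostedHash = (isset($_REQUEST['pagehash']) && is_string($_REQUEST['pagehash'])) ? $_REQUEST['pagehash'] : '';
    if($wotSessionHash !== $wotExpectedHash || $wotSessionHash !== $wotPostedHash)
    {
        show_page("VerifyData","",_("Race condition discovered, user altered details during assurance procedure. PLEASE MAKE SURE THE NEW DETAILS BELOW MATCH THE ID DOCUMENTS."));
        exit;
    }
}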
279
280
if($oldid == 6)
{
    // Work out how many points may actually be booked for this assurance.
    $max = maxpoints();

    // $awarded: what the assurer handed out, clamped to 0..$max.
    // $newpoints: the same, possibly reduced further below by the assuree's
    // existing total.
    $awarded = $newpoints = intval($_POST['points']);
    if($newpoints > $max) {
        $newpoints = $awarded = $max;
    }
    if($newpoints < 0) {
        $newpoints = $awarded = 0;
    }

    // Current total of the assuree (no row / no 'total' when they have none yet).
    $query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['_config']['notarise']['id']."' group by `to`";
    $res = mysql_query($query);
    $drow = mysql_fetch_assoc($res);

    // Temporary (board) increases are switched off for this form: `expire` is
    // forced to 0 here, so the later board-only branches never trigger.
    $_POST['expire'] = 0;

    // The assuree's total may not exceed 100, or maxpoints() when that is >= 100.
    $ceiling = ($max < 100) ? 100 : $max;
    if(($drow['total'] + $newpoints) > $ceiling) {
        $newpoints = $ceiling - $drow['total'];
    }
    if($newpoints < 0) {
        $newpoints = 0;
    }

    // Fall back to "now" when no usable date was posted.
    if(mysql_escape_string(stripslashes($_POST['date'])) == "") {
        $_POST['date'] = date("Y-m-d H:i:s");
    }

    // Refuse an exact repeat (same assurer, assuree, points, place and date).
    // show_page() has no "VerifyEmail" page, so only the message is rendered.
    $query = "select * from `notary` where `from`='".$_SESSION['profile']['id']."' AND
        `to`='".$_SESSION['_config']['notarise']['id']."' AND
        `awarded`='$awarded' AND
        `location`='".mysql_escape_string(stripslashes($_POST['location']))."' AND
        `date`='".mysql_escape_string(stripslashes($_POST['date']))."'";
    $res = mysql_query($query);
    if(mysql_num_rows($res) > 0) {
        show_page("VerifyEmail","",_("Identical Assurance attempted, will not continue."));
        exit;
    }
}
319
if($oldid == 6)
{
    // All checks passed (see the preceding $oldid == 6 blocks, which also set
    // $newpoints, $awarded and $drow): record the assurance, give the assurer
    // their own experience points, mail both parties, then show the form again.
    $query = "insert into `notary` set `from`='".$_SESSION['profile']['id']."',
        `to`='".$_SESSION['_config']['notarise']['id']."',
        `points`='$newpoints', `awarded`='$awarded',
        `location`='".mysql_escape_string(stripslashes($_POST['location']))."',
        `date`='".mysql_escape_string(stripslashes($_POST['date']))."',
        `when`=NOW()";
    //record active acceptance by Assurer
    write_user_agreement($_SESSION['profile']['id'], "CCA", "Assurance", "Assurer", 1, $_SESSION['_config']['notarise']['id']);
    // NOTE: $_POST['expire'] is forced to 0 earlier in this file, so the
    // temporary-increase branch cannot be reached through this form.
    if($_SESSION['profile']['board'] == 1 && intval($_POST['expire']) > 0)
    {
        $query .= ",\n`method`='Temporary Increase'";
        $query .= ",\n`expire`=DATE_ADD(NOW(), INTERVAL '".intval($_POST['expire'])."' DAY)";
        $query .= ",\n`sponsor`='".intval($_POST['sponsor'])."'";
    } else if($_SESSION['profile']['board'] == 1) {
        // Board members may record any (escaped) free-text method.
        $query .= ",\n`method`='".mysql_escape_string(stripslashes($_POST['method']))."'";
    } else if($_SESSION['profile']['ttpadmin'] == 1 && ($_POST['method'] == 'Trusted 3rd Parties' || $_POST['method'] == 'Trusted Third Parties')) {
        // TTP admins may only select the TTP method, stored under its canonical name.
        $query .= ",\n`method`='Trusted Third Parties'";
    }
    mysql_query($query);
    fix_assurer_flag($_SESSION['_config']['notarise']['id']);

    // Experience points for the assurer: 2 while between 100 and 148, 1 at
    // exactly 149 (so they stop at 150). Below 100 a 0-point row is still
    // written.
    if($_SESSION['profile']['points'] < 150)
    {
        $addpoints = 0;
        if($_SESSION['profile']['points'] < 149 && $_SESSION['profile']['points'] >= 100)
            $addpoints = 2;
        else if($_SESSION['profile']['points'] == 149 && $_SESSION['profile']['points'] >= 100)
            $addpoints = 1;
        $query = "insert into `notary` set `from`='".$_SESSION['profile']['id']."',
            `to`='".$_SESSION['profile']['id']."',
            `points`='$addpoints', `awarded`='$addpoints',
            `location`='".mysql_escape_string(stripslashes($_POST['location']))."',
            `date`='".mysql_escape_string(stripslashes($_POST['date']))."',
            `method`='Administrative Increase',
            `when`=NOW()";
        mysql_query($query);
        // No need to fix_assurer_flag here, this should only happen for assurers...
        $_SESSION['profile']['points'] += $addpoints;
    }

    // Notification to the assuree, in the assuree's own language.
    $my_translation = L10n::get_translation();
    L10n::set_translation($_SESSION['_config']['notarise']['language']);

    $body = sprintf(_("You are receiving this email because you have been assured by %s %s (%s)."), $_SESSION['profile']['fname'], $_SESSION['profile']['lname'], $_SESSION['profile']['email'])."\n\n";
    // Tell the assuree when the requested points were capped.
    if($_POST['points'] != $newpoints)
        $body .= sprintf(_("You were issued %s points however the system has rounded this down to %s and you now have %s points in total."), $_POST['points'], $newpoints, ($newpoints + $drow['total']))."\n\n";
    else
        $body .= sprintf(_("You were issued %s points and you now have %s points in total."), $newpoints, ($newpoints + $drow['total']))."\n\n";

    if(($drow['total'] + $newpoints) < 100 && ($drow['total'] + $newpoints) >= 50)
    {
        $body .= _("You now have over 50 points, and can now have your name added to client certificates, and issue server certificates for up to 2 years.")."\n\n";
    }

    if(($drow['total'] + $newpoints) >= 100 && $newpoints > 0)
    {
        $body .= _("You have at least 100 Assurance Points. If you want ".
            "to become an assurer try the Assurer Challenge").
            " ( https://cats.cacert.org ).\n\n";
        $body .= _("To make it easier for others in your area to find ".
            "you, it's helpful to list yourself as an assurer (this ".
            "is voluntary), as well as a physical location where you ".
            "live or work the most. You can flag your account to be ".
            "listed, and add a comment to the display by going to:")."\n";
        $body .= "https://www.cacert.org/wot.php?id=8\n\n";
        $body .= _("You can list your location by going to:")."\n";
        $body .= "https://www.cacert.org/wot.php?id=13\n\n";
    }

    if($_SESSION['profile']['board'] == 1 && intval($_POST['expire']) > 0)
        $body .= sprintf(_("Please Note: this is a temporary increase for %s days only. After that time your points will be reduced to 150 points."), intval($_POST['expire']))."\n\n";

    $body .= _("Best regards")."\n";
    $body .= _("CAcert Support Team");

    sendmail($_SESSION['_config']['notarise']['email'], "[CAcert.org] "._("You've been Assured."), $body, "support@cacert.org", "", "", "CAcert Website");

    // Confirmation to the assurer, back in the assurer's own language.
    L10n::set_translation($my_translation);

    $body = sprintf(_("You are receiving this email because you have assured %s %s (%s)."), $_SESSION['_config']['notarise']['fname'], $_SESSION['_config']['notarise']['lname'], $_SESSION['_config']['notarise']['email'])."\n\n";
    if($_POST['points'] != $newpoints)
        $body .= sprintf(_("You issued %s points however the system has rounded this down to %s and they now have %s points in total."), $_POST['points'], $newpoints, ($newpoints + $drow['total']))."\n\n";
    else
        $body .= sprintf(_("You issued %s points and they now have %s points in total."), $newpoints, ($newpoints + $drow['total']))."\n\n";

    if($_SESSION['profile']['board'] == 1 && intval($_POST['expire']) > 0)
        $body .= sprintf(_("Please Note: this is a temporary increase for %s days only. After that time their points will be reduced to 150 points."), intval($_POST['expire']))."\n\n";
    $body .= _("Best regards")."\n";
    $body .= _("CAcert Support Team");

    sendmail($_SESSION['profile']['email'], "[CAcert.org] "._("You've Assured Another Member."), $body, "support@cacert.org", "", "", "CAcert Support");

    // Board notification for temporary increases. Unreachable via this form
    // (see the `expire` note above). NOTE(review): $sponsor is not assigned
    // anywhere visible in this file -- confirm where it would come from.
    if($_SESSION['profile']['board'] == 1 && intval($_POST['expire']) > 0)
    {
        $body = sprintf("%s %s (%s) has issued a temporary increase to 200 points for %s %s (%s) for %s days. This action was sponsored by %s %s (%s).", $_SESSION['profile']['fname'], $_SESSION['profile']['lname'], $_SESSION['profile']['email'], $_SESSION['_config']['notarise']['fname'], $_SESSION['_config']['notarise']['lname'], $_SESSION['_config']['notarise']['email'], intval($_POST['expire']), $sponsor['fname'], $sponsor['lname'], $sponsor['email'])."\n\n";

        sendmail("cacert-board@lists.cacert.org", "[CAcert.org] Temporary Increase Issued.", $body, "website@cacert.org", "", "", "CAcert Website");
    }

    // Done: confirm and offer the "assure someone" e-mail form straight away.
    showheader(_("My CAcert.org Account!"));
    echo "<p>"._("Shortly you and the person you were assuring will receive an email confirmation. There is no action on your behalf required to complete this.")."</p>";
?><form method="post" action="wot.php">
<table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper">
<tr>
<td colspan="2" class="title"><?=_("Assure Someone")?></td>
</tr>
<tr>
<td class="DataTD"><?=_("Email")?>:</td>
<td class="DataTD"><input type="text" name="email" id="email" value=""></td>
</tr>
<tr>
<td class="DataTD" colspan="2"><input type="submit" name="process" value="<?=_("Next")?>"></td>
</tr>
</table>
<input type="hidden" name="oldid" value="5">
</form>
<SCRIPT LANGUAGE="JavaScript">
//<![CDATA[
// Put the cursor into the e-mail field once the page has loaded.
function my_init()
{
document.getElementById("email").focus();
}

// NOTE(review): this calls my_init() right away and assigns its return value
// (undefined) to onload; `window.onload = my_init;` looks like the intent.
window.onload = my_init();
//]]>
</script>
<?
    showfooter();
    exit;
}
452
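if($oldid == 8)
{
    // "Enter my info": update the assurer-directory listing flag and the
    // free-form contact text of the logged-in member.
    csrf_check("chgcontact");

    // The contact text is user input: strip markup once and keep that clean
    // value in the session; escape only the copy that goes into SQL. (Storing
    // the SQL-escaped string in the session, as before, left the session out
    // of step with the database until the profile was reloaded.)
    $info = isset($_POST['contactinfo']) ? strip_tags(stripslashes($_POST['contactinfo'])) : "";
    // `listme` is a 0/1 flag; anything else means "not listed".
    $listme = (isset($_POST['listme']) && intval($_POST['listme']) == 1) ? 1 : 0;

    $_SESSION['profile']['listme'] = $listme;
    $_SESSION['profile']['contactinfo'] = $info;

    $query = "update `users` set `listme`='$listme',`contactinfo`='".mysql_real_escape_string($info)."' where `id`='".intval($_SESSION['profile']['id'])."'";
    mysql_query($query);

    showheader(_("My CAcert.org Account!"));
    echo "<p>"._("Your account information has been updated.")."</p>";
    showfooter();
    exit;
}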
473
if($oldid == 9 && $_REQUEST['userid'] > 0 && $_SESSION['profile']['id'] > 0)
{
    // "Contact an assurer": relay a message from the logged-in member to a
    // listed assurer. The page hash ties the submission to the page that was
    // shown, so one form cannot be replayed against several recipients.
    // NOTE(review): loose (!=) comparison of the hash; if it is a hex digest,
    // a strict (!==) comparison would be the safer choice.
    if($_SESSION['_config']['pagehash'] != $_REQUEST['pageid'])
    {
        $oldid=0;
        $id = 9;
        show_page("ContactAssurer","",_("It looks like you were trying to contact multiple people, this isn't allowed due to data security reasons."));
        exit;
    } else {
        // Both are overwritten below before use (kept as in the original).
        $body = $_REQUEST['message'];
        $subject = $_REQUEST['subject'];
        $userid = intval($_REQUEST['userid']);
        // Only members who opted in (`listme`=1) can be contacted.
        $user = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='$userid' and `listme`=1"));
        // Row count of the grouped query: 1 when the user has a positive
        // points total, otherwise 0 -- not the points value itself.
        $points = mysql_num_rows(mysql_query("select sum(`points`) as `total` from `notary`
            where `to`='".$user['id']."' group by `to` HAVING SUM(`points`) > 0"));
        if($points > 0)
        {
            // Mail in the recipient's language, then restore the sender's.
            $my_translation = L10n::get_translation();
            L10n::set_translation($user['language']);

            // The Subject header is built from the sender's profile name, not
            // from $_REQUEST['subject'].
            $subject = "[CAcert.org] ".sprintf(_("Message from %s"),
                $_SESSION['profile']['fname']);

            $body = sprintf(_("Hi %s,"), $user['fname'])."\n\n";
            $body .= sprintf(_("%s %s has sent you a message via the ".
                "contact an Assurer form on CAcert.org."),
                $_SESSION['profile']['fname'],
                $_SESSION['profile']['lname'])."\n\n";
            // The member's subject and message go into the mail body verbatim;
            // any filtering would have to happen in sendmail() (not visible here).
            $body .= sprintf(_("Subject: %s"), $_REQUEST['subject'])."\n";
            $body .= _("Message:")."\n";
            $body .= $_REQUEST['message']."\n\n";
            $body .= "------------------------------------------------\n\n";
            $body .= _("Please note, that this is NOT a message on behalf ".
                "of CAcert but another CAcert community member. If ".
                "you suspect that the contact form might have been ".
                "abused, please write to support@cacert.org")."\n\n";
            $body .= _("Best regards")."\n";
            $body .= _("Your CAcert Community");

            sendmail($user['email'], $subject, $body,
                $_SESSION['profile']['email'], //from
                "", //replyto
                "", //toname
                $_SESSION['profile']['fname']." ".
                $_SESSION['profile']['lname']); //fromname

            L10n::set_translation($my_translation);

            showheader(_("My CAcert.org Account!"));?>
<p>
<? printf(_("Your email has been sent to %s."), $user['fname']); ?>
</p>
<p>[ <a href='javascript:history.go(-2)'><?= _("Go Back") ?></a> ]</p>
<?
            showfooter();
            exit;
        } else {
            // No listed user with points under that id.
            show_page(0,"",_("Sorry, I was unable to locate that user."));
            exit;
        }

    }
}
// Step 9 posted back without a usable recipient: return to the contact form.
if ($oldid == 9) {
    $oldid = 0;
    $id = 9;
    show_page("ContactAssurer", "", _("There was an error and I couldn't proceed"));
    exit;
}

// Default: render whatever page $id selects, with no message and no error.
show_page($id, "", "");
?>