bug 1291: Update wothash calculation for modified behaviour
1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */ ?>
18 <?
19 require_once("../includes/loggedin.php");
20 require_once("../includes/lib/l10n.php");
21 require_once("../includes/notary.inc.php");
22
23
24
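/**
 * Render one WoT sub-page: site header, optional status line, page body, footer.
 *
 * @param int|string $target  sub-page selector: the numeric id or the symbolic
 *                            name listed in the switch below (loosely compared,
 *                            so 6 and '6' both select VerifyData). Any other
 *                            value, e.g. "Exit", renders header and footer only.
 * @param string     $message status text shown above the page body
 * @param string     $error   error text; when non-empty it replaces $message,
 *                            prefixed with the translated "ERROR". Defaults to
 *                            "" so callers that only report a message may omit
 *                            it (one caller in this file does).
 * @return void
 */
function show_page($target, $message, $error = "")
{
    showheader(_("My CAcert.org Account!"));
    if ($error != "")
        $message=_("ERROR").": ".$error;
    // $message is echoed unescaped; within this file callers pass translated
    // string literals or get_assurer_reason() output, never raw request data.
    if ($message != "")
        echo "<p><font color='orange' size='+1'>".$message."</font></p>";

    // Page ids 7, 11 and 14 are intentionally unused.
    switch ($target)
    {
        case '0':
        case 'InfoPage': includeit(0, "wot");
            break;
        case '1':
        case 'ListByCity': includeit(1, "wot");
            break;
        case '2':
        case 'BecomeAssurer': includeit(2, "wot");
            break;
        case '3':
        case 'TrustRules': includeit(3, "wot");
            break;
        case '4':
        case 'ShowTTPInfo': includeit(4, "wot");
            break;
        case '5':
        case 'EnterEmail': includeit(5, "wot");
            break;
        case '6':
        case 'VerifyData': includeit(6, "wot");
            break;
        case '8':
        case 'EnterMyInfo': includeit(8, "wot");
            break;
        case '9':
        case 'ContactAssurer': includeit(9, "wot");
            break;
        case '10':
        case 'MyPointsOld': includeit(10, "wot");
            break;
        case '12':
        case 'SearchAssurer': includeit(12, "wot");
            break;
        case '13':
        case 'EnterMyCity': includeit(13, "wot");
            break;
        case '15':
        case 'MyPointsNew': includeit(15, "wot");
            break;
    }

    showfooter();
}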
87
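/**
 * Mail a "please create your account" reminder to the address entered on the
 * EnterEmail form ($_POST['email']), on behalf of the logged-in assurer.
 *
 * The body is written in the language chosen in $_POST['reminder-lang'] and,
 * when that is not English, repeated in English; the subject uses the chosen
 * language. The caller's own translation is restored before returning.
 *
 * Only a language code present in L10n::$translations is accepted; anything
 * else (including a missing field) falls back to "en", so an arbitrary request
 * value never reaches L10n::set_translation() or the translations table.
 *
 * Side effects: sets $_SESSION['_config']['reminder-lang'], ['remindersent']
 * and ['error']; sends one mail.
 *
 * @return void
 */
function send_reminder()
{
    $body = "";
    $my_translation = L10n::get_translation();

    $lang = array_key_exists('reminder-lang', $_POST) ? (string)$_POST['reminder-lang'] : "en";
    if (!isset(L10n::$translations[$lang])) {
        $lang = "en";
    }
    $_SESSION['_config']['reminder-lang'] = $lang;

    // Selected language first, English appended unless it already is English.
    $reminder_translations = array($lang);
    if ( !in_array("en", $reminder_translations, true) ) {
        $reminder_translations[] = "en";
    }

    foreach ($reminder_translations as $translation) {
        L10n::set_translation($translation);

        // Assumes "en" is a key of L10n::$translations, as the original did.
        $body .= L10n::$translations[$translation].":\n\n";
        $body .= sprintf(_("This is a short reminder that you filled out forms to become trusted with CAcert.org, and %s has attempted to issue you points. Please create your account at %s as soon as possible and then notify %s so that the points can be issued."), $_SESSION['profile']['fname']." (".$_SESSION['profile']['email'].")", "http://www.cacert.org", $_SESSION['profile']['fname'])."\n\n";
        $body .= _("Best regards")."\n";
        $body .= _("CAcert Support Team")."\n\n";
    }

    L10n::set_translation($reminder_translations[0]); // for the subject
    sendmail($_POST['email'], "[CAcert.org] "._("Reminder Notice"), $body, $_SESSION['profile']['email'], "", "", $_SESSION['profile']['fname']);

    L10n::set_translation($my_translation);

    $_SESSION['_config']['remindersent'] = 1;
    $_SESSION['_config']['error'] = _("A reminder notice has been sent.");
}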
117
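// ---------------------------------------------------------------------------
// WoT (Web of Trust) request dispatcher.
//
// $oldid is the id of the sub-page whose form was just submitted (0 if none).
// Each "if($oldid == N)" block below validates that form's input and either
// re-renders the form with an error (show_page() followed by exit) or falls
// through; the final statement renders page $id. $id is only assigned in this
// file for oldid 12 and 5/6 -- for other requests it is presumably provided by
// one of the included files (loggedin.php / loadem). TODO confirm.
// ---------------------------------------------------------------------------
loadem("account");

// Carry the meeting date and location over between the EnterEmail (5) and
// VerifyData (6) steps.
if(array_key_exists('date',$_POST) && $_POST['date'] != "")
    $_SESSION['_config']['date'] = $_POST['date'];

if(array_key_exists('location',$_POST) && $_POST['location'] != "")
    $_SESSION['_config']['location'] = $_POST['location'];

$oldid=array_key_exists('oldid',$_REQUEST)?intval($_REQUEST['oldid']):0;

// SearchAssurer (12) re-renders itself.
if($oldid == 12)
    $id = $oldid;

if($oldid == 4)
{
    // ShowTTPInfo: the member asks for a TTP (Trusted Third Party) assurance.
    // Support gets an untranslated notice, the member a translated receipt.
    if (array_key_exists('ttp',$_POST) && $_POST['ttp']!='') {
        $ttptopup = array_key_exists('ttptopup',$_POST) && $_POST['ttptopup']=='1';
        $country = array_key_exists('country',$_POST) ? $_POST['country'] : '';

        //This mail does not need to be translated
        $body = "Hi TTP adminstrators,\n\n";
        // The country only ends up in a mail body; the SQL escaping applied
        // to it has no protective value there and is kept only so the mail
        // text does not change.
        $body .= "User ".$_SESSION['profile']['fname']." ".
            $_SESSION['profile']['lname']." with email address '".
            $_SESSION['profile']['email']."' is requesting a TTP assurances for ".
            mysql_escape_string(stripslashes($country)).".\n\n";
        if ($ttptopup) {
            $body .= "The user is also requesting TTP TOPUP.\n\n";
        }else{
            $body .= "The user is NOT requesting TTP TOPUP.\n\n";
        }
        $body .= "The user received ".intval($_SESSION['profile']['points'])." assurance points up to today.\n\n";
        $body .= "Please start the TTP assurance process.";
        sendmail("support@cacert.org", "[CAcert.org] TTP request.", $body, "support@cacert.org", "", "", "CAcert Website");

        //This mail needs to be translated
        $body =_("You are receiving this email because you asked for TTP assurance.")."\n\n";
        if ($ttptopup) {
            $body .=_("You are requesting TTP TOPUP.")."\n\n";
        }else{
            $body .=_("You are NOT requesting TTP TOPUP.")."\n\n";
        }
        $body .= _("Best regards")."\n";
        $body .= _("CAcert Support Team");

        sendmail($_SESSION['profile']['email'], "[CAcert.org] "._("You requested TTP assurances"), $body, "support@cacert.org", "", "", "CAcert Support");
    }
}

// EnterEmail (5) and VerifyData (6) may only be used by assurers.
if(($id == 5 || $oldid == 5 || $id == 6 || $oldid == 6))
    if (!is_assurer($_SESSION['profile']['id']))
    {
        show_page ("Exit","",get_assurer_reason($_SESSION['profile']['id']));
        exit;
    }

// Step 6 needs the assuree that step 5 looked up and stored in the session.
if($oldid == 6 && intval($_SESSION['_config']['notarise']['id']) <= 0)
{
    show_page ("EnterEmail","",_("Something went wrong. Please enter the email address again"));
    exit;
}
if($oldid == 5 && array_key_exists('reminder',$_POST) && $_POST['reminder'] != "")
{
    send_reminder();
    show_page ("EnterEmail",_("A reminder notice has been sent."),"");
    exit;
}

if($oldid == 5)
{
    // Look up the assuree by email. The whole users row (select *), not only
    // the columns needed later, is kept in $_SESSION['_config']['notarise']
    // for step 6. mysql_real_escape_string (charset-aware) is used here,
    // matching the queries in the oldid == 6 blocks below.
    $email = array_key_exists('email',$_POST) ? stripslashes($_POST['email']) : '';
    $query = "select * from `users` where `email`='".mysql_real_escape_string($email)."' and `deleted`=0";
    $res = mysql_query($query);
    if(mysql_num_rows($res) != 1)
    {
        $_SESSION['_config']['noemailfound'] = 1;
        show_page("EnterEmail","",_("I'm sorry, there was no email matching what you entered in the system. Please double check your information."));
        exit;
    } else
    {
        $_SESSION['_config']['noemailfound'] = 0;
        $_SESSION['_config']['notarise'] = mysql_fetch_assoc($res);
        if ($_SESSION['_config']['notarise']['verified'] == 0)
        {
            show_page("EnterEmail","",_("User is not yet verified. Please try again in 24 hours!"));
            exit;
        }
        // Everyone except TTP admins must also supply the assuree's date of
        // birth; it is compared, as YYYY-MM-DD, against the stored dob.
        if ($_SESSION['profile']['ttpadmin'] != 1) {
            $_SESSION['assuresomeone']['year'] = intval($_POST['year']);
            $_SESSION['assuresomeone']['month'] = intval($_POST['month']);
            $_SESSION['assuresomeone']['day'] = intval($_POST['day']);
            $dob = sprintf('%04d-%02d-%02d', $_SESSION['assuresomeone']['year'], $_SESSION['assuresomeone']['month'], $_SESSION['assuresomeone']['day']);

            if ( $_SESSION['_config']['notarise']['dob'] != $dob) {
                show_page("EnterEmail","",_("The data entered is not matching with an account."));
                exit;
            }
        }
    }
    // A locked account can be found but must not be assured.
    $query = "select * from `users` where `email`='".mysql_real_escape_string($email)."' and `locked`=1";
    $res = mysql_query($query);
    if(mysql_num_rows($res) >= 1)
    {
        $_SESSION['_config']['noemailfound'] = 0;
        show_page("EnterEmail","",_("This account is locked and can not be assured. For more information ask support@cacert.org."));
        exit;
    }
}

if($oldid == 5 || $oldid == 6)
{
    // Continue to VerifyData unless cancelled. A member may neither assure
    // themselves nor assure the same member a second time.
    $id=6;
    if(array_key_exists('cancel',$_REQUEST) && $_REQUEST['cancel'] != "")
    {
        show_page("EnterEmail","","");
        exit;
    }
    if($_SESSION['_config']['notarise']['id'] == $_SESSION['profile']['id'])
    {
        show_page("EnterEmail","",_("You are never allowed to Assure yourself!"));
        exit;
    }

    $query = "select * from `notary` where `from`='".intval($_SESSION['profile']['id'])."' and
        `to`='".intval($_SESSION['_config']['notarise']['id'])."' and `deleted` = 0";
    $res = mysql_query($query);
    if(mysql_num_rows($res) > 0)
    {
        show_page("EnterEmail","",_("You are only allowed to Assure someone once!"));
        exit;
    }
}

if($oldid == 6)
{
    // VerifyData form checks. The values are validated from $_REQUEST here
    // but read from $_POST when stored further below; with the default
    // request_order the POST value wins in $_REQUEST, so for a normal form
    // post the two agree.

    //date checks
    $date = array_key_exists('date',$_REQUEST) ? trim($_REQUEST['date']) : '';
    if($date == '')
    {
        show_page("VerifyData","",_("You must enter the date when you met the assuree."));
        exit;
    }

    if(!check_date_format($date))
    {
        show_page("VerifyData","",_("You must enter the date in this format: YYYY-MM-DD."));
        exit;
    }

    if(!check_date_difference($date))
    {
        show_page("VerifyData","",_("You must not enter a date in the future."));
        exit;
    }

    //proof of identity check and accept arbitration, implements CCA
    if(!array_key_exists('assertion',$_POST) || $_POST['assertion'] != 1)
    {
        show_page("VerifyData","",_("You failed to check all boxes to validate your adherence to the rules and policies of CAcert"));
        exit;
    }

    //proof of CCA agreement by assuree after 2010-01-01
    if((!array_key_exists('CCAAgreed',$_POST) || $_POST['CCAAgreed'] != 1) and (check_date_format($date,2010)))
    {
        show_page("VerifyData","",_("You failed to check all boxes to validate your adherence to the rules and policies of CAcert"));
        exit;
    }

    //assurance done according to rules
    if(!array_key_exists('rules',$_POST) || $_POST['rules'] != 1)
    {
        show_page("VerifyData","",_("You failed to check all boxes to validate your adherence to the rules and policies of CAcert"));
        exit;
    }

    //met assuree in person, not appliciable for TTP / TTP Topup assurances
    // Note: the exemption is keyed on the submitted `method` value alone; the
    // ttpadmin flag is only consulted when the record is written below.
    if((!array_key_exists('certify',$_POST) || $_POST['certify'] != 1 ) && (!array_key_exists('method',$_REQUEST) || $_REQUEST['method'] != "Trusted 3rd Parties"))
    {
        show_page("VerifyData","",_("You failed to check all boxes to validate your adherence to the rules and policies of CAcert"));
        exit;
    }

    //check location, min 3 characters
    if(!array_key_exists('location',$_POST) || trim($_POST['location']) == "")
    {
        show_page("VerifyData","",_("You failed to enter a location of your meeting."));
        exit;
    }

    if(strlen(trim($_REQUEST['location']))<=2)
    {
        show_page("VerifyData","",_("You must enter a location with at least 3 characters eg town and country."));
        exit;
    }

    //check for points in range 0-35, for nucleus 35 + 15 temporary
    if(!array_key_exists('points',$_REQUEST) || $_REQUEST['points'] == "" || !is_numeric($_REQUEST['points']))
    {
        show_page("VerifyData","",_("You must enter the number of points you wish to allocate to this person."));
        exit;
    }

    if($_REQUEST['points'] <0 || ($_REQUEST['points']>35))
    {
        show_page("VerifyData","",_("The number of points you entered are out of the range given by policy."));
        exit;
    }

    // Anti-race check: the name/dob hash remembered when the VerifyData page
    // was rendered must still match both the current users row and the hash
    // the form echoes back in `pagehash`. The comparison is strict on strings
    // so PHP's numeric-string comparison (e.g. two "0e..." hex digests, or a
    // submitted "0") cannot make different hashes compare equal. The md5
    // input here must stay in sync with the code that sets
    // $_SESSION['_config']['wothash'] (outside this file).
    $query = "select * from `users` where `id`='".intval($_SESSION['_config']['notarise']['id'])."'";
    $res = mysql_query($query);
    $row = mysql_fetch_assoc($res);
    $name = sanitizeHTML($row['fname'])." ".sanitizeHTML($row['mname'])." ".sanitizeHTML($row['lname'])." ".sanitizeHTML($row['suffix']);
    $wothash = (string)$_SESSION['_config']['wothash'];
    $pagehash = array_key_exists('pagehash',$_REQUEST) ? (string)$_REQUEST['pagehash'] : '';
    if($wothash !== md5($name."-".$row['dob']) || $wothash !== $pagehash)
    {
        show_page("VerifyData","",_("Race condition discovered, user altered details during assurance procedure. PLEASE MAKE SURE THE NEW DETAILS BELOW MATCH THE ID DOCUMENTS."));
        exit;
    }
}


if($oldid == 6)
{
    // Work out the points to record. $awarded is the (clamped) number the
    // assurer entered; $newpoints is additionally capped so the assuree's
    // running total does not exceed 100 (or the assurer's own maximum when
    // that is 100 or more).
    $max = maxpoints();

    $awarded = $newpoints = intval($_POST['points']);
    if($newpoints > $max)
        $newpoints = $awarded = $max;
    if($newpoints < 0)
        $newpoints = $awarded = 0;

    // With no prior assurances mysql_fetch_assoc() yields false and
    // $drow['total'] reads as null, i.e. 0 in the arithmetic below.
    $query = "select sum(`points`) as `total` from `notary` where `to`='".intval($_SESSION['_config']['notarise']['id'])."' and `deleted` = 0 group by `to`";
    $res = mysql_query($query);
    $drow = mysql_fetch_assoc($res);

    $_POST['expire'] = 0; // not read anywhere in this file

    if(($drow['total'] + $newpoints) > 100 && $max < 100)
        $newpoints = 100 - $drow['total'];
    if(($drow['total'] + $newpoints) > $max && $max >= 100)
        $newpoints = $max - $drow['total'];
    if($newpoints < 0)
        $newpoints = 0;

    // The date was already required above (from $_REQUEST); this keeps the
    // historical fallback for a POST without one.
    if(mysql_real_escape_string(stripslashes($_POST['date'])) == "")
        $_POST['date'] = date("Y-m-d H:i:s");

    // Refuse an exact duplicate of an existing assurance record. On failure
    // the VerifyData form is shown again, like every other check above (the
    // previous "VerifyEmail" target matched no page in show_page()).
    $query = "select * from `notary` where `from`='".intval($_SESSION['profile']['id'])."' AND
        `to`='".intval($_SESSION['_config']['notarise']['id'])."' AND
        `awarded`='".intval($awarded)."' AND
        `location`='".mysql_real_escape_string(stripslashes($_POST['location']))."' AND
        `date`='".mysql_real_escape_string(stripslashes($_POST['date']))."' AND
        `deleted`=0";
    $res = mysql_query($query);
    if(mysql_num_rows($res) > 0)
    {
        show_page("VerifyData","",_("Identical Assurance attempted, will not continue."));
        exit;
    }
}

if($oldid == 6)
{
    // Record the assurance, then notify both parties.
    $query = "insert into `notary` set `from`='".intval($_SESSION['profile']['id'])."',
        `to`='".intval($_SESSION['_config']['notarise']['id'])."',
        `points`='".intval($newpoints)."', `awarded`='".intval($awarded)."',
        `location`='".mysql_real_escape_string(stripslashes($_POST['location']))."',
        `date`='".mysql_real_escape_string(stripslashes($_POST['date']))."',
        `when`=NOW()";
    //record active acceptance by Assurer
    if (check_date_format(trim($_REQUEST['date']),2010)) {
        write_user_agreement($_SESSION['profile']['id'], "CCA", "assurance", "Assuring", 1, $_SESSION['_config']['notarise']['id']);
        write_user_agreement($_SESSION['_config']['notarise']['id'], "CCA", "assurance", "Being assured", 0, $_SESSION['profile']['id']);
    }
    // Only a TTP admin can record a TTP-assisted assurance.
    if($_SESSION['profile']['ttpadmin'] == 1 && ($_POST['method'] == 'Trusted 3rd Parties' || $_POST['method'] == 'Trusted Third Parties')) {
        $query .= ",\n`method`='TTP-Assisted'";
    }
    mysql_query($query);
    fix_assurer_flag($_SESSION['_config']['notarise']['id']);

    // Experience points for the assurer: 2 per assurance between 100 and
    // 148 points, 1 at 149, none at or above 150 (or below 100).
    if($_SESSION['profile']['points'] < 150)
    {
        $addpoints = 0;
        if($_SESSION['profile']['points'] < 149 && $_SESSION['profile']['points'] >= 100)
            $addpoints = 2;
        else if($_SESSION['profile']['points'] == 149 && $_SESSION['profile']['points'] >= 100)
            $addpoints = 1;
        $query = "insert into `notary` set `from`='".intval($_SESSION['profile']['id'])."',
            `to`='".intval($_SESSION['profile']['id'])."',
            `points`='".intval($addpoints)."', `awarded`='".intval($addpoints)."',
            `location`='".mysql_real_escape_string(stripslashes($_POST['location']))."',
            `date`='".mysql_real_escape_string(stripslashes($_POST['date']))."',
            `method`='Administrative Increase',
            `when`=NOW()";
        mysql_query($query);

        // No need to fix_assurer_flag here, this should only happen for assurers...
        $_SESSION['profile']['points'] += $addpoints;
    }

    // Mail to the assuree, in the assuree's language.
    $my_translation = L10n::get_translation();
    L10n::set_translation($_SESSION['_config']['notarise']['language']);

    $body = sprintf(_("You are receiving this email because you have been assured by %s %s (%s)."), $_SESSION['profile']['fname'], $_SESSION['profile']['lname'], $_SESSION['profile']['email'])."\n\n";
    if($_POST['points'] != $newpoints)
        $body .= sprintf(_("You were issued %s points however the system has rounded this down to %s and you now have %s points in total."), $_POST['points'], $newpoints, ($newpoints + $drow['total']))."\n\n";
    else
        $body .= sprintf(_("You were issued %s points and you now have %s points in total."), $newpoints, ($newpoints + $drow['total']))."\n\n";

    if(($drow['total'] + $newpoints) < 100 && ($drow['total'] + $newpoints) >= 50)
    {
        $body .= _("You now have over 50 points, and can now have your name added to client certificates, and issue server certificates for up to 2 years.")."\n\n";
    }

    if(($drow['total'] + $newpoints) >= 100 && $newpoints > 0)
    {
        $body .= _("You have at least 100 Assurance Points, if you want to become an assurer try the Assurer Challenge")." ( https://cats.cacert.org )\n\n";
        $body .= _("To make it easier for others in your area to find you, it's helpful to list yourself as an assurer (this is voluntary), as well as a physical location where you live or work the most. You can flag your account to be listed, and add a comment to the display by going to:")."\n";
        $body .= "https://www.cacert.org/wot.php?id=8\n\n";
        $body .= _("You can list your location by going to:")."\n";
        $body .= "https://www.cacert.org/wot.php?id=13\n\n";
    }

    $body .= _("Best regards")."\n";
    $body .= _("CAcert Support Team");

    sendmail($_SESSION['_config']['notarise']['email'], "[CAcert.org] "._("You've been Assured."), $body, "support@cacert.org", "", "", "CAcert Website");

    L10n::set_translation($my_translation);

    // Mail to the assurer, in the assurer's own language.
    $body = sprintf(_("You are receiving this email because you have assured %s %s (%s)."), $_SESSION['_config']['notarise']['fname'], $_SESSION['_config']['notarise']['lname'], $_SESSION['_config']['notarise']['email'])."\n\n";
    if($_POST['points'] != $newpoints)
        $body .= sprintf(_("You issued %s points however the system has rounded this down to %s and they now have %s points in total."), $_POST['points'], $newpoints, ($newpoints + $drow['total']))."\n\n";
    else
        $body .= sprintf(_("You issued %s points and they now have %s points in total."), $newpoints, ($newpoints + $drow['total']))."\n\n";

    $body .= _("Best regards")."\n";
    $body .= _("CAcert Support Team");

    sendmail($_SESSION['profile']['email'], "[CAcert.org] "._("You've Assured Another Member."), $body, "support@cacert.org", "", "", "CAcert Support");

    // show_page() takes three arguments; the error argument was missing here.
    show_page('EnterEmail', _("Shortly you and the person you were assuring will receive an email confirmation. There is no action on your behalf required to complete this."), "");
    exit;
}

if($oldid == 8)
{
    // EnterMyInfo: update the "list me as assurer" flag and contact text.
    csrf_check("chgcontact");

    // The session keeps the plain text (as loaded from the database row
    // elsewhere); only the query gets the SQL-escaped form.
    $contactinfo = strip_tags(stripslashes($_POST['contactinfo']));
    $info = mysql_real_escape_string($contactinfo);
    $listme = intval($_POST['listme']);
    if($listme < 0 || $listme > 1)
        $listme = 0;

    $_SESSION['profile']['listme'] = $listme;
    $_SESSION['profile']['contactinfo'] = $contactinfo;

    $query = "update `users` set `listme`='$listme',`contactinfo`='$info' where `id`='".intval($_SESSION['profile']['id'])."'";
    mysql_query($query);

    showheader(_("My CAcert.org Account!"));
    echo "<p>"._("Your account information has been updated.")."</p>";
    showfooter();
    exit;
}

if($oldid == 9 && array_key_exists('userid',$_REQUEST) && $_REQUEST['userid'] > 0 && $_SESSION['profile']['id'] > 0)
{
    // ContactAssurer: relay a message to a listed assurer. The page id token
    // ($_SESSION['_config']['pagehash'], set when the form is rendered, outside
    // this file) must come back unchanged; compared strictly as strings for the
    // same reason as the wothash check above.
    $pageid = array_key_exists('pageid',$_REQUEST) ? (string)$_REQUEST['pageid'] : '';
    if((string)$_SESSION['_config']['pagehash'] !== $pageid)
    {
        $oldid=0;
        $id = 9;
        show_page("ContactAssurer","",_("It looks like you were trying to contact multiple people, this isn't allowed due to data security reasons."));
        exit;
    } else {
        // Only members who opted in (`listme`=1) and hold points can be
        // contacted. If no such user exists, $user is false and the points
        // query runs for id 0, yielding no rows.
        $userid = intval($_REQUEST['userid']);
        $user = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".intval($userid)."' and `listme`=1"));
        $points = mysql_num_rows(mysql_query("select sum(`points`) as `total` from `notary`
            where `to`='".intval($user['id'])."' and `deleted` = 0 group by `to` HAVING SUM(`points`) > 0"));
        if($points > 0)
        {
            $my_translation = L10n::get_translation();
            L10n::set_translation($user['language']);

            // The sender's free-text subject and message go into the mail
            // body only; the actual subject header is built from the
            // sender's first name.
            $subject = "[CAcert.org] ".sprintf(_("Message from %s"),
                $_SESSION['profile']['fname']);

            $body = sprintf(_("Hi %s,"), $user['fname'])."\n\n";
            $body .= sprintf(_("%s %s has sent you a message via the ".
                "contact an Assurer form on CAcert.org."),
                $_SESSION['profile']['fname'],
                $_SESSION['profile']['lname'])."\n\n";
            $body .= sprintf(_("Subject: %s"), $_REQUEST['subject'])."\n";
            $body .= _("Message:")."\n";
            $body .= $_REQUEST['message']."\n\n";
            $body .= "------------------------------------------------\n\n";
            $body .= _("Please note, that this is NOT a message on behalf ".
                "of CAcert but another CAcert community member. If ".
                "you suspect that the contact form might have been ".
                "abused, please write to support@cacert.org")."\n\n";
            $body .= _("Best regards")."\n";
            $body .= _("Your CAcert Community");

            sendmail($user['email'], $subject, $body,
                $_SESSION['profile']['email'], //from
                "", //replyto
                "", //toname
                $_SESSION['profile']['fname']." ".
                $_SESSION['profile']['lname']); //fromname

            L10n::set_translation($my_translation);

            showheader(_("My CAcert.org Account!"));?>
<p>
<? printf(_("Your email has been sent to %s."), sanitizeHTML($user['fname'])); ?>
</p>
<p>[ <a href='javascript:history.go(-2)'><?= _("Go Back") ?></a> ]</p>
<?
            showfooter();
            exit;
        } else {
            show_page(0,"",_("Sorry, I was unable to locate that user."));
            exit;
        }

    }
}
if($oldid == 9)
{
    // ContactAssurer submitted without a usable userid.
    $oldid=0;
    $id = 9;
    show_page("ContactAssurer","",_("There was an error and I couldn't proceed"));
    exit;
}

show_page ($id,"","");
?>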