bug 1137: Added check for non numeric points
1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */ ?>
18 <?
19 require_once("../includes/loggedin.php");
20 require_once("../includes/lib/l10n.php");
21 require_once("../includes/wot.inc.php");
22
23
24
/**
 * Render one WoT page: header, an optional highlighted message (or error),
 * the sub-page selected by $target, then the footer.
 *
 * @param mixed  $target  numeric id or symbolic name of the wot sub-page.
 *                        Matched loosely (switch semantics), so 6 and '6'
 *                        both select VerifyData; values matching no entry
 *                        (e.g. "Exit") render header, message and footer only.
 * @param string $message informational text shown above the page
 * @param string $error   when non-empty, replaces $message with "ERROR: ..."
 */
function show_page($target,$message,$error)
{
    showheader(_("My CAcert.org Account!"));

    if ($error != "") {
        $message = _("ERROR").": ".$error;
    }
    if ($message != "") {
        echo "<p><font color='orange' size='+1'>".$message."</font></p>";
    }

    // Ordered (number, name, include id) triples. The first entry whose
    // number or name compares equal to $target is included; the loose ==
    // mirrors the switch this replaces, including its numeric-string rules.
    $pages = array(
        array('0',  'InfoPage',       0),
        array('1',  'ListByCity',     1),
        array('2',  'BecomeAssurer',  2),
        array('3',  'TrustRules',     3),
        array('4',  'ShowTTPInfo',    4),
        array('5',  'EnterEmail',     5),
        array('6',  'VerifyData',     6),
        // 7, 11 and 14 are intentionally not wired up
        array('8',  'EnterMyInfo',    8),
        array('9',  'ContactAssurer', 9),
        array('10', 'MyPointsOld',    10),
        array('12', 'SearchAssurer',  12),
        array('13', 'EnterMyCity',    13),
        array('15', 'MyPointsNew',    15),
    );
    foreach ($pages as $page) {
        if ($target == $page[0] || $target == $page[1]) {
            includeit($page[2], "wot");
            break;
        }
    }

    showfooter();
}
87
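/**
 * Mail a "please create your account" reminder to the address the assurer
 * typed on the EnterEmail page, in the requested language followed by an
 * English copy (unless English was requested), then restore the assurer's
 * own translation.
 *
 * Reads $_POST['reminder-lang'] and $_POST['email']; writes
 * $_SESSION['_config']['reminder-lang'], ['remindersent'] and ['error'].
 */
function send_reminder()
{
    $body = "";
    $my_translation = L10n::get_translation();

    // The language code comes straight from the form. It is used below as a
    // key into L10n::$translations and handed to set_translation, so only a
    // code L10n knows is accepted; anything else falls back to English.
    $requested = array_key_exists('reminder-lang', $_POST) ? $_POST['reminder-lang'] : "en";
    if (!is_string($requested) || !isset(L10n::$translations[$requested])) {
        $requested = "en";
    }
    $_SESSION['_config']['reminder-lang'] = $requested;

    $reminder_translations = array($requested);
    if (!in_array("en", $reminder_translations, true)) {
        $reminder_translations[] = "en";
    }

    foreach ($reminder_translations as $translation) {
        L10n::set_translation($translation);

        $body .= L10n::$translations[$translation].":\n\n";
        $body .= sprintf(_("This is a short reminder that you filled out forms to become trusted with CAcert.org, and %s has attempted to issue you points. Please create your account at %s as soon as possible and then notify %s so that the points can be issued."), $_SESSION['profile']['fname']." (".$_SESSION['profile']['email'].")", "http://www.cacert.org", $_SESSION['profile']['fname'])."\n\n";
        $body .= _("Best regards")."\n";
        $body .= _("CAcert Support Team")."\n\n";
    }

    // The subject is translated in the requested language.
    L10n::set_translation($reminder_translations[0]);
    sendmail($_POST['email'], "[CAcert.org] "._("Reminder Notice"), $body, $_SESSION['profile']['email'], "", "", $_SESSION['profile']['fname']);

    L10n::set_translation($my_translation);

    $_SESSION['_config']['remindersent'] = 1;
    $_SESSION['_config']['error'] = _("A reminder notice has been sent.");
}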
117
118
119
// Entry work shared by every wot sub-page: load the account context, carry
// the assurance date/location from the form into the session, and read the
// page the user is coming from (oldid is always an int, 0 when absent).
loadem("account");

foreach (array('date', 'location') as $field) {
    if (array_key_exists($field, $_POST) && $_POST[$field] != "") {
        $_SESSION['_config'][$field] = $_POST[$field];
    }
}

$oldid = array_key_exists('oldid', $_REQUEST) ? intval($_REQUEST['oldid']) : 0;
128
// SearchAssurer (12) posts back to itself.
if ($oldid == 12) {
    $id = $oldid;
}

// Pages 5 (EnterEmail) and 6 (VerifyData) form the assurance workflow and
// are reserved for assurers; anyone else is told why they do not qualify.
$wot_assurance_flow = in_array($oldid, array(5, 6), true) || $id == 5 || $id == 6;
if ($wot_assurance_flow && !is_assurer($_SESSION['profile']['id'])) {
    show_page("Exit", "", get_assurer_reason($_SESSION['profile']['id']));
    exit;
}

// VerifyData was submitted without a looked-up assuree in the session.
if ($oldid == 6 && intval($_SESSION['_config']['notarise']['id']) <= 0) {
    show_page("EnterEmail", "", _("Something went wrong. Please enter the email address again"));
    exit;
}

// EnterEmail's "send reminder" button.
if ($oldid == 5 && array_key_exists('reminder', $_POST) && $_POST['reminder'] != "") {
    send_reminder();
    show_page("EnterEmail", _("A reminder notice has been sent."), "");
    exit;
}
150
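if ($oldid == 5) {
    // EnterEmail submitted: look the assuree up by address. The address is
    // user input; mysql_real_escape_string escapes it according to the
    // character set of the open connection, which mysql_escape_string does
    // not take into account.
    $lookup_email = array_key_exists('email', $_POST) ? stripslashes($_POST['email']) : "";
    $query = "select * from `users` where `email`='".mysql_real_escape_string($lookup_email)."' and `deleted`=0";
    $res = mysql_query($query);
    if (mysql_num_rows($res) != 1) {
        $_SESSION['_config']['noemailfound'] = 1;
        show_page("EnterEmail", "", _("I'm sorry, there was no email matching what you entered in the system. Please double check your information."));
        exit;
    }

    $_SESSION['_config']['noemailfound'] = 0;
    $_SESSION['_config']['notarise'] = mysql_fetch_assoc($res);
    if ($_SESSION['_config']['notarise']['verified'] == 0) {
        // An account whose email is not yet verified cannot be assured.
        show_page("EnterEmail", "", _("User is not yet verified. Please try again in 24 hours!"));
        exit;
    }
}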
171
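if ($oldid == 5 || $oldid == 6) {
    // Either way the next page is VerifyData (6).
    $id = 6;
    if (array_key_exists('cancel', $_REQUEST) && $_REQUEST['cancel'] != "") {
        show_page("EnterEmail", "", "");
        exit;
    }

    if (intval($_SESSION['_config']['notarise']['id']) == intval($_SESSION['profile']['id'])) {
        show_page("EnterEmail", "", _("You are never allowed to Assure yourself!"));
        exit;
    }

    // An assurer may assure a given member only once. Both ids come from
    // database rows held in the session; they are cast to int so the query
    // can only ever contain integers.
    $query = "select * from `notary` where `from`='".intval($_SESSION['profile']['id'])."' and
        `to`='".intval($_SESSION['_config']['notarise']['id'])."'";
    $res = mysql_query($query);
    if (mysql_num_rows($res) > 0) {
        show_page("EnterEmail", "", _("You are only allowed to Assure someone once!"));
        exit;
    }
}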
196
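if ($oldid == 6) {
    // VerifyData submitted: validate the assurance form before anything is
    // written. The form is posted and the values are consumed from $_POST
    // further down, so they are validated from $_POST here as well; reading
    // them from $_REQUEST would let a query-string value pass a check that
    // the posted value then fails.
    $form_date     = array_key_exists('date', $_POST)     ? trim($_POST['date']) : "";
    $form_location = array_key_exists('location', $_POST) ? $_POST['location']   : "";
    $form_points   = array_key_exists('points', $_POST)   ? $_POST['points']     : "";

    if ($form_date == '') {
        show_page("VerifyData", "", _("You must enter the date when you met the assuree."));
        exit;
    }
    if (!check_date_format($form_date)) {
        show_page("VerifyData", "", _("You must enter the date in this format: YYYY-MM-DD."));
        exit;
    }
    if (!check_date_differnce($form_date)) {
        show_page("VerifyData", "", _("You must not enter a date in the future."));
        exit;
    }

    // The policy checkboxes all post the value 1; TTP admins are exempt from
    // the "certify" box.
    $boxes_message = _("You failed to check all boxes to validate your adherence to the rules and policies of CAcert");
    if (!array_key_exists('assertion', $_POST) || $_POST['assertion'] != 1) {
        show_page("VerifyData", "", $boxes_message);
        exit;
    }
    if (!array_key_exists('CCAAgreed', $_POST) || $_POST['CCAAgreed'] != 1) {
        show_page("VerifyData", "", $boxes_message);
        exit;
    }
    if ((!array_key_exists('certify', $_POST) || $_POST['certify'] != 1) && $_SESSION['profile']['ttpadmin'] != 1) {
        show_page("VerifyData", "", $boxes_message);
        exit;
    }

    if ($_SESSION['profile']['ttpadmin'] != 1 && $form_location == "") {
        show_page("VerifyData", "", _("You failed to enter a location of your meeting."));
        exit;
    }
    // NOTE(review): the message says "at least 3 characters" but <= 3
    // rejects exactly three; kept as-is pending clarification.
    if (strlen(trim($form_location)) <= 3) {
        show_page("VerifyData", "", _("You must enter a location with at least 3 characters eg town and country."));
        exit;
    }

    // bug 1137: points must be numeric. They are clamped to the assurer's
    // maximum further down, so only the shape is checked here.
    if ($form_points == "" || !is_numeric($form_points)) {
        show_page("VerifyData", "", _("You must enter the number of points you wish to allocate to this person."));
        exit;
    }

    // Guard against the assuree editing their details while the form was
    // open: the name+dob digest taken when the form was shown (wothash) must
    // still match the live row and the digest echoed back by the form.
    // Compared strictly: with != two hex digests of the form "0e<digits>"
    // would compare equal as numeric strings.
    $query = "select * from `users` where `id`='".intval($_SESSION['_config']['notarise']['id'])."'";
    $res = mysql_query($query);
    $row = mysql_fetch_assoc($res);
    $name = $row['fname']." ".$row['mname']." ".$row['lname']." ".$row['suffix'];
    $form_pagehash = array_key_exists('pagehash', $_REQUEST) ? $_REQUEST['pagehash'] : "";
    if ($_SESSION['_config']['wothash'] !== md5($name."-".$row['dob']) || $_SESSION['_config']['wothash'] !== $form_pagehash) {
        show_page("VerifyData", "", _("Race condition discovered, user altered details during assurance procedure. PLEASE MAKE SURE THE NEW DETAILS BELOW MATCH THE ID DOCUMENTS."));
        exit;
    }
}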
271
272
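if ($oldid == 6) {
    // Work out how many points actually land on the assuree. $awarded is the
    // request clamped to this assurer's maximum; $newpoints is further
    // reduced so the assuree's running total does not exceed the ceiling.
    $max = maxpoints();

    $awarded = $newpoints = intval($_POST['points']);
    if ($newpoints > $max) {
        $newpoints = $awarded = $max;
    }
    if ($newpoints < 0) {
        $newpoints = $awarded = 0;
    }

    $query = "select sum(`points`) as `total` from `notary` where `to`='".intval($_SESSION['_config']['notarise']['id'])."' group by `to`";
    $res = mysql_query($query);
    $drow = mysql_fetch_assoc($res);
    if ($drow === false) {
        // No notary rows yet: use a total of 0 instead of reading an offset
        // of false everywhere $drow['total'] is used below.
        $drow = array('total' => 0);
    }

    // Temporary increases are switched off: whatever was posted, expire is
    // 0 from here on, which makes the board-only branches below no-ops.
    $_POST['expire'] = 0;

    // Assurers with maxpoints() below 100 cannot push a total past 100;
    // those with 100 or more can push it up to their own maximum.
    if (($drow['total'] + $newpoints) > 100 && $max < 100) {
        $newpoints = 100 - $drow['total'];
    }
    if (($drow['total'] + $newpoints) > $max && $max >= 100) {
        $newpoints = $max - $drow['total'];
    }
    if ($newpoints < 0) {
        $newpoints = 0;
    }

    // Plain emptiness check; escaping the value first added nothing.
    if (stripslashes($_POST['date']) == "") {
        $_POST['date'] = date("Y-m-d H:i:s");
    }

    // Refuse an exact repeat of an assurance already on record.
    $query = "select * from `notary` where `from`='".intval($_SESSION['profile']['id'])."' AND
        `to`='".intval($_SESSION['_config']['notarise']['id'])."' AND
        `awarded`='$awarded' AND
        `location`='".mysql_real_escape_string(stripslashes($_POST['location']))."' AND
        `date`='".mysql_real_escape_string(stripslashes($_POST['date']))."'";
    $res = mysql_query($query);
    if (mysql_num_rows($res) > 0) {
        // NOTE(review): "VerifyEmail" matches no page in show_page, so only
        // the header, this error and the footer are rendered.
        show_page("VerifyEmail", "", _("Identical Assurance attempted, will not continue."));
        exit;
    }
}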
311
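if ($oldid == 6) {
    // All checks passed: record the assurance, give the assurer their own
    // experience points where applicable, then notify both parties.
    $assurer_id   = intval($_SESSION['profile']['id']);
    $assuree_id   = intval($_SESSION['_config']['notarise']['id']);
    $esc_location = mysql_real_escape_string(stripslashes($_POST['location']));
    $esc_date     = mysql_real_escape_string(stripslashes($_POST['date']));
    $form_method  = array_key_exists('method', $_POST) ? $_POST['method'] : "";
    // Temporary increases are a board-only feature; expire is forced to 0
    // earlier in this script, so this is currently always 0.
    $temp_increase_days = ($_SESSION['profile']['board'] == 1) ? intval($_POST['expire']) : 0;

    $query = "insert into `notary` set `from`='".$assurer_id."',
        `to`='".$assuree_id."',
        `points`='$newpoints', `awarded`='$awarded',
        `location`='".$esc_location."',
        `date`='".$esc_date."',
        `when`=NOW()";
    // Record the assurer's active acceptance of the CCA for this assurance.
    write_user_agreement($_SESSION['profile']['id'], "CCA", "Assurance", "Assurer", 1, $_SESSION['_config']['notarise']['id']);
    if ($temp_increase_days > 0) {
        $sponsor_id = intval($_POST['sponsor']);
        $query .= ",\n`method`='Temporary Increase'";
        $query .= ",\n`expire`=DATE_ADD(NOW(), INTERVAL '".$temp_increase_days."' DAY)";
        $query .= ",\n`sponsor`='".$sponsor_id."'";
        // The board notification below names the sponsor; it was never
        // loaded before, leaving $sponsor undefined.
        $sponsor = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".$sponsor_id."'"));
    } else if ($_SESSION['profile']['board'] == 1) {
        $query .= ",\n`method`='".mysql_real_escape_string(stripslashes($form_method))."'";
    } else if ($_SESSION['profile']['ttpadmin'] == 1 && ($form_method == 'Trusted 3rd Parties' || $form_method == 'Trusted Third Parties')) {
        $query .= ",\n`method`='Trusted Third Parties'";
    }
    mysql_query($query);
    fix_assurer_flag($_SESSION['_config']['notarise']['id']);

    if ($_SESSION['profile']['points'] < 150) {
        // Experience points for the assurer: 2 while between 100 and 148,
        // 1 at 149, none below 100 (a 0-point row is still recorded).
        $addpoints = 0;
        if ($_SESSION['profile']['points'] < 149 && $_SESSION['profile']['points'] >= 100) {
            $addpoints = 2;
        } else if ($_SESSION['profile']['points'] == 149) {
            $addpoints = 1;
        }
        $query = "insert into `notary` set `from`='".$assurer_id."',
            `to`='".$assurer_id."',
            `points`='$addpoints', `awarded`='$addpoints',
            `location`='".$esc_location."',
            `date`='".$esc_date."',
            `method`='Administrative Increase',
            `when`=NOW()";
        mysql_query($query);
        // No need to fix_assurer_flag here, this should only happen for assurers...
        $_SESSION['profile']['points'] += $addpoints;
    }

    $assuree_total = $newpoints + $drow['total'];

    // Mail to the assuree, in their own language.
    $my_translation = L10n::get_translation();
    L10n::set_translation($_SESSION['_config']['notarise']['language']);

    $body = sprintf(_("You are receiving this email because you have been assured by %s %s (%s)."), $_SESSION['profile']['fname'], $_SESSION['profile']['lname'], $_SESSION['profile']['email'])."\n\n";
    if ($_POST['points'] != $newpoints) {
        $body .= sprintf(_("You were issued %s points however the system has rounded this down to %s and you now have %s points in total."), $_POST['points'], $newpoints, $assuree_total)."\n\n";
    } else {
        $body .= sprintf(_("You were issued %s points and you now have %s points in total."), $newpoints, $assuree_total)."\n\n";
    }

    if ($assuree_total < 100 && $assuree_total >= 50) {
        $body .= _("You now have over 50 points, and can now have your name added to client certificates, and issue server certificates for up to 2 years.")."\n\n";
    }

    if ($assuree_total >= 100 && $newpoints > 0) {
        $body .= _("You have at least 100 Assurance Points. If you want ".
            "to become an assurer try the Assurer Challenge").
            " ( https://cats.cacert.org ).\n\n";
        $body .= _("To make it easier for others in your area to find ".
            "you, it's helpful to list yourself as an assurer (this ".
            "is voluntary), as well as a physical location where you ".
            "live or work the most. You can flag your account to be ".
            "listed, and add a comment to the display by going to:")."\n";
        $body .= "https://www.cacert.org/wot.php?id=8\n\n";
        $body .= _("You can list your location by going to:")."\n";
        $body .= "https://www.cacert.org/wot.php?id=13\n\n";
    }

    if ($temp_increase_days > 0) {
        $body .= sprintf(_("Please Note: this is a temporary increase for %s days only. After that time your points will be reduced to 150 points."), $temp_increase_days)."\n\n";
    }

    $body .= _("Best regards")."\n";
    $body .= _("CAcert Support Team");

    sendmail($_SESSION['_config']['notarise']['email'], "[CAcert.org] "._("You've been Assured."), $body, "support@cacert.org", "", "", "CAcert Website");

    L10n::set_translation($my_translation);

    // Mail to the assurer, in their language.
    $body = sprintf(_("You are receiving this email because you have assured %s %s (%s)."), $_SESSION['_config']['notarise']['fname'], $_SESSION['_config']['notarise']['lname'], $_SESSION['_config']['notarise']['email'])."\n\n";
    if ($_POST['points'] != $newpoints) {
        $body .= sprintf(_("You issued %s points however the system has rounded this down to %s and they now have %s points in total."), $_POST['points'], $newpoints, $assuree_total)."\n\n";
    } else {
        $body .= sprintf(_("You issued %s points and they now have %s points in total."), $newpoints, $assuree_total)."\n\n";
    }

    if ($temp_increase_days > 0) {
        $body .= sprintf(_("Please Note: this is a temporary increase for %s days only. After that time their points will be reduced to 150 points."), $temp_increase_days)."\n\n";
    }
    $body .= _("Best regards")."\n";
    $body .= _("CAcert Support Team");

    sendmail($_SESSION['profile']['email'], "[CAcert.org] "._("You've Assured Another Member."), $body, "support@cacert.org", "", "", "CAcert Support");

    // Board notification for temporary increases (see note on expire above).
    if ($temp_increase_days > 0) {
        $body = sprintf("%s %s (%s) has issued a temporary increase to 200 points for %s %s (%s) for %s days. This action was sponsored by %s %s (%s).", $_SESSION['profile']['fname'], $_SESSION['profile']['lname'], $_SESSION['profile']['email'], $_SESSION['_config']['notarise']['fname'], $_SESSION['_config']['notarise']['lname'], $_SESSION['_config']['notarise']['email'], $temp_increase_days, $sponsor['fname'], $sponsor['lname'], $sponsor['email'])."\n\n";

        sendmail("cacert-board@lists.cacert.org", "[CAcert.org] Temporary Increase Issued.", $body, "website@cacert.org", "", "", "CAcert Website");
    }

    showheader(_("My CAcert.org Account!"));
    echo "<p>"._("Shortly you and the person you were assuring will receive an email confirmation. There is no action on your behalf required to complete this.")."</p>";
?><form method="post" action="wot.php">
<table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper">
<tr>
<td colspan="2" class="title"><?=_("Assure Someone")?></td>
</tr>
<tr>
<td class="DataTD"><?=_("Email")?>:</td>
<td class="DataTD"><input type="text" name="email" id="email" value=""></td>
</tr>
<tr>
<td class="DataTD" colspan="2"><input type="submit" name="process" value="<?=_("Next")?>"></td>
</tr>
</table>
<input type="hidden" name="oldid" value="5">
</form>
<SCRIPT LANGUAGE="JavaScript">
//<![CDATA[
function my_init()
{
document.getElementById("email").focus();
}

// Assign the handler; calling it here would store its (undefined) result.
window.onload = my_init;
//]]>
</script>
<?php
    showfooter();
    exit;
}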
444
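if ($oldid == 8) {
    // EnterMyInfo submitted: update the member's assurer-listing flag and
    // free-text contact info.
    csrf_check("chgcontact");

    $info = strip_tags(stripslashes(array_key_exists('contactinfo', $_POST) ? $_POST['contactinfo'] : ""));
    $listme = intval(array_key_exists('listme', $_POST) ? $_POST['listme'] : 0);
    if ($listme < 0 || $listme > 1) {
        $listme = 0;
    }

    // The session mirrors the stored row, so it gets the plain text; the
    // SQL-escaped form is only ever built for the query below.
    $_SESSION['profile']['listme'] = $listme;
    $_SESSION['profile']['contactinfo'] = $info;

    $query = "update `users` set `listme`='$listme',`contactinfo`='".mysql_real_escape_string($info)."' where `id`='".intval($_SESSION['profile']['id'])."'";
    mysql_query($query);

    showheader(_("My CAcert.org Account!"));
    echo "<p>"._("Your account information has been updated.")."</p>";
    showfooter();
    exit;
}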
465
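$userid = array_key_exists('userid', $_REQUEST) ? intval($_REQUEST['userid']) : 0;
if ($oldid == 9 && $userid > 0 && $_SESSION['profile']['id'] > 0) {
    // ContactAssurer submitted. pageid ties the request to the page that
    // listed this one assurer; compared as strings so numeric-looking
    // values are not loosely equated.
    $pageid = array_key_exists('pageid', $_REQUEST) ? (string)$_REQUEST['pageid'] : "";
    if ((string)$_SESSION['_config']['pagehash'] !== $pageid) {
        $oldid = 0;
        $id = 9;
        show_page("ContactAssurer", "", _("It looks like you were trying to contact multiple people, this isn't allowed due to data security reasons."));
        exit;
    }

    // Only members who opted in to the listing (listme=1) and hold points
    // can be contacted.
    $user = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='$userid' and `listme`=1"));
    $has_points = $user !== false && mysql_num_rows(mysql_query("select sum(`points`) as `total` from `notary`
        where `to`='".intval($user['id'])."' group by `to` HAVING SUM(`points`) > 0")) > 0;
    if (!$has_points) {
        show_page(0, "", _("Sorry, I was unable to locate that user."));
        exit;
    }

    $form_subject = array_key_exists('subject', $_REQUEST) ? $_REQUEST['subject'] : "";
    $form_message = array_key_exists('message', $_REQUEST) ? $_REQUEST['message'] : "";

    $my_translation = L10n::get_translation();
    L10n::set_translation($user['language']);

    $subject = "[CAcert.org] ".sprintf(_("Message from %s"),
        $_SESSION['profile']['fname']);

    $body = sprintf(_("Hi %s,"), $user['fname'])."\n\n";
    $body .= sprintf(_("%s %s has sent you a message via the ".
        "contact an Assurer form on CAcert.org."),
        $_SESSION['profile']['fname'],
        $_SESSION['profile']['lname'])."\n\n";
    $body .= sprintf(_("Subject: %s"), $form_subject)."\n";
    $body .= _("Message:")."\n";
    $body .= $form_message."\n\n";
    $body .= "------------------------------------------------\n\n";
    $body .= _("Please note, that this is NOT a message on behalf ".
        "of CAcert but another CAcert community member. If ".
        "you suspect that the contact form might have been ".
        "abused, please write to support@cacert.org")."\n\n";
    $body .= _("Best regards")."\n";
    $body .= _("Your CAcert Community");

    sendmail($user['email'], $subject, $body,
        $_SESSION['profile']['email'], //from
        "", //replyto
        "", //toname
        $_SESSION['profile']['fname']." ".
        $_SESSION['profile']['lname']); //fromname

    L10n::set_translation($my_translation);

    showheader(_("My CAcert.org Account!"));?>
<p>
<?php // fname is another member's data; escape it for the HTML context.
printf(_("Your email has been sent to %s."), htmlspecialchars($user['fname'], ENT_QUOTES)); ?>
</p>
<p>[ <a href='javascript:history.go(-2)'><?= _("Go Back") ?></a> ]</p>
<?php
    showfooter();
    exit;
}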
if ($oldid == 9) {
    // ContactAssurer fell through the checks above: show the form again
    // with a generic error.
    $oldid = 0;
    $id = 9;
    show_page("ContactAssurer", "", _("There was an error and I couldn't proceed"));
    exit;
}

// No submission ended the request above: render the requested sub-page.
show_page($id, "", "");
542 ?>