Merge branch 'bug-1177' into bug-893
authorBenny Baumann <BenBE@geshi.org>
Tue, 23 Jul 2013 21:38:31 +0000 (23:38 +0200)
committerBenny Baumann <BenBE@geshi.org>
Tue, 23 Jul 2013 21:38:31 +0000 (23:38 +0200)
includes/account.php
includes/notary.inc.php
pages/account/50.php
www/disputes.php

index 1a381b8..e3dbc9e 100644 (file)
@@ -18,6 +18,7 @@
        require_once("../includes/loggedin.php");
        require_once("../includes/lib/l10n.php");
        require_once("../includes/lib/check_weak_key.php");
+       require_once("../includes/notary.inc.php");
 
        loadem("account");
 
@@ -70,9 +71,7 @@
                }
                $oldid=0;
                $_REQUEST['email'] = trim(mysql_real_escape_string(stripslashes($_REQUEST['newemail'])));
-               $query = "select * from `email` where `email`='".$_REQUEST['email']."' and `deleted`=0";
-               $res = mysql_query($query);
-               if(mysql_num_rows($res) > 0)
+               if(check_email_exists($_REQUEST['email'])==true)
                {
                        showheader(_("My CAcert.org Account!"));
                        printf(_("The email address '%s' is already in a different account. Can't continue."), sanitizeHTML($_REQUEST['email']));
                                {
                                        $row = mysql_fetch_assoc($res);
                                        echo $row['email']."<br>\n";
-                                       $query = "select `emailcerts`.`id`
-                                                       from `emaillink`,`emailcerts` where
-                                                       `emailid`='$id' and `emaillink`.`emailcertsid`=`emailcerts`.`id` and
-                                                       `revoked`=0 and UNIX_TIMESTAMP(`expire`)-UNIX_TIMESTAMP() > 0
-                                                       group by `emailcerts`.`id`";
-                                       $dres = mysql_query($query);
-                                       while($drow = mysql_fetch_assoc($dres))
-                                               mysql_query("update `emailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='".$drow['id']."'");
-
-                                       $query = "update `email` set `deleted`=NOW() where `id`='$id'";
-                                       mysql_query($query);
+                                       account_email_delete($row['id']);
                                        $delcount++;
                                }
                        }
                                {
                                        $row = mysql_fetch_assoc($res);
                                        echo $row['domain']."<br>\n";
-
-                                       $dres = mysql_query(
-                                               "select `domaincerts`.`id`
-                                                       from `domaincerts`
-                                                       where `domaincerts`.`domid` = '$id'
-                                               union distinct
-                                               select `domaincerts`.`id`
-                                                       from `domaincerts`, `domlink`
-                                                       where `domaincerts`.`id` = `domlink`.`certid`
-                                                       and `domlink`.`domid` = '$id'");
-                                       while($drow = mysql_fetch_assoc($dres))
-                                       {
-                                               mysql_query(
-                                                       "update `domaincerts`
-                                                               set `revoked`='1970-01-01 10:00:01'
-                                                               where `id` = '".$drow['id']."'
-                                                               and `revoked` = 0
-                                                               and UNIX_TIMESTAMP(`expire`) -
-                                                                               UNIX_TIMESTAMP() > 0");
-                                       }
-
-                                       mysql_query(
-                                               "update `domains`
-                                                       set `deleted`=NOW()
-                                                       where `id` = '$id'");
+                                       account_domain_delete($row['id']);
                                }
+
                        }
                }
                else
                        $description= trim(mysql_real_escape_string(stripslashes($_REQUEST['description'])));
                }else{
                        $description= "";
-       }
+               }
 
-       if(trim($_REQUEST['disablelogin']) == "1"){
-               $disablelogin = 1;
-       }else{
-               $disablelogin = 0;
-       }
+               if(trim($_REQUEST['disablelogin']) == "1"){
+                       $disablelogin = 1;
+               }else{
+                       $disablelogin = 0;
+               }
 
-       mysql_query("update `emailcerts` set `disablelogin`='$disablelogin', `description`='$description' where `id`='".$_REQUEST['certid']."' and `memid`='".$_SESSION['profile']['id']."'");
+               mysql_query("update `emailcerts` set `disablelogin`='$disablelogin', `description`='$description' where `id`='".$_REQUEST['certid']."' and `memid`='".$_SESSION['profile']['id']."'");
+       }
 
- }
        if($oldid == 13 && $process != "")
        {
                csrf_check("perschange");
        if($oldid == 50 && $process != "")
        {
                $_REQUEST['userid'] = intval($_REQUEST['userid']);
-               $res = mysql_query("select * from `users` where `id`='".intval($_REQUEST['userid'])."'");
-               if(mysql_num_rows($res) > 0)
-               {
-                       $query = "update `domaincerts`,`domains` SET `domaincerts`.`revoked`='1970-01-01 10:00:01'
-                                       WHERE `domaincerts`.`domid` = `domains`.`id` AND `domains`.`memid`='".intval($_REQUEST['userid'])."'";
-                       mysql_query($query);
-                       $query = "update `domains` SET `deleted`=NOW() WHERE `domains`.`memid`='".intval($_REQUEST['userid'])."'";
-                       mysql_query($query);
-                       $query = "update `emailcerts` SET `revoked`='1970-01-01 10:00:01' WHERE `memid`='".intval($_REQUEST['userid'])."'";
-                       mysql_query($query);
-                       $query = "update `email` SET `deleted`=NOW() WHERE `memid`='".intval($_REQUEST['userid'])."'";
-                       mysql_query($query);
-                       $query = "delete from `org` WHERE `memid`='".intval($_REQUEST['userid'])."'";
-                       mysql_query($query);
-                       $query = "update `users` SET `deleted`=NOW() WHERE `id`='".intval($_REQUEST['userid'])."'";
-                       mysql_query($query);
+               if (trim($_REQUEST['arbitrationno'])==""){
+                       showheader(_("My CAcert.org Account!"));
+                       echo _("You did not enter an arbitration number entry.");
+                       showfooter();
+                       exit;
+               }
+               if ( 1 !== preg_match('/^[a-z]\d{8}\.\d+\.\d+$/i',trim($_REQUEST['arbitrationno'])) ) {
+                       showheader(_("My CAcert.org Account!"));
+                       echo _("You did not enter an arbitration number entry.");
+                       showfooter();
+                       exit;
+               }
+               if (check_email_exists($_REQUEST['arbitrationno'].'@cacert.org')) {
+                       showheader(_("My CAcert.org Account!"));
+                       printf(_("The email address '%s' is already in a different account. Can't continue."), sanitizeHTML($_REQUEST['arbitrationno'].'@cacert.org'));
+                       showfooter();
+                       exit;
+                }
+               if (check_client_cert_running($_REQUEST['userid'],1) ||
+                       check_server_cert_running($_REQUEST['userid'],1) ||
+                       check_gpg_cert_running($_REQUEST['userid'],1)) {
+                       showheader(_("My CAcert.org Account!"));
+                       printf(_("The CCA retention time for at least one certificate is not over. Can't continue."));
+                       showfooter();
+                       exit;
+               }
+               if (check_is_orgadmin($_REQUEST['userid'],1)) {
+                       showheader(_("My CAcert.org Account!"));
+                       printf(_("The user is listed as Organisation Administrator. Can't continue."));
+                       showfooter();
+                       exit;
                }
+               account_delete($_REQUEST['userid'], $_REQUEST['arbitrationno'], $_SESSION['profile']['id']);
        }
 
        if(($id == 51 || $id == 52 || $oldid == 52) && $_SESSION['profile']['tverify'] <= 0)
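Review bot: The arbitration number is validated on a trim()'d copy at the preg_match check, but the untrimmed `$_REQUEST['arbitrationno']` is what reaches check_email_exists and account_delete, so a value with surrounding whitespace passes validation and is then stored with that whitespace in the new email address and in the name fields; trim once, `$arbno = trim($_REQUEST['arbitrationno']);`, and pass `$arbno` to both calls. The old code's `select * from users where id=...` existence check was dropped and nothing replaces it, so account_delete now runs its inserts and updates for a userid that may not exist; a guard of the same shape in front of the new checks would restore it. check_is_orgadmin is called with a second argument although the function defined in notary.inc.php takes only `$uid`. In the `$oldid == 1` hunk above, `$_REQUEST['email']` has already been passed through mysql_real_escape_string on the line before and check_email_exists escapes it again, so an address containing a quote or backslash is looked up in a doubly-escaped form and the duplicate check can miss it; pass the unescaped value to the helper. The malformed-number branch reuses the "did not enter" message; a distinct message saying the format is wrong would be clearer for the operator.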
index 2d78821..929158e 100644 (file)
 </form>
 <?
        }
+
+       function account_email_delete($mailid){
+       //deletes an email entry from an acount
+       //revolkes all certifcates for that email address
+       //called from www/account.php if($process != "" && $oldid == 2)
+       //called from www/diputes.php if($type == "reallyemail") / if($action == "accept")
+       //called from account_delete
+               $mailid = intval($mailid);
+               $query = "select `emailcerts`.`id`
+                       from `emaillink`,`emailcerts` where
+                       `emailid`='$mailid' and `emaillink`.`emailcertsid`=`emailcerts`.`id` and
+                       `revoked`=0 and UNIX_TIMESTAMP(`expire`)-UNIX_TIMESTAMP() > 0
+                               group by `emailcerts`.`id`";
+               $dres = mysql_query($query);
+               while($drow = mysql_fetch_assoc($dres)){
+                       mysql_query("update `emailcerts` set `revoked`='1970-01-01 10:00:01', `disablelogin`=1 where `id`='".$drow['id']."'");
+               }
+               $query = "update `email` set `deleted`=NOW() where `id`='$mailid'";
+               mysql_query($query);
+       }
+
+       function account_domain_delete($domainid){
+       //deletes an domain entry from an acount
+       //revolkes all certifcates for that domain address
+       //called from www/account.php if($process != "" && $oldid == 9)
+       //called from www/diputes.php if($type == "reallydomain") / if($action == "accept")
+       //called from account_delete
+               $domainid = intval($domainid);
+               $query = "select distinct `domaincerts`.`id`
+                       from `domaincerts`, `domlink`
+                       where `domaincerts`.`domid` = '$domainid'
+                       or (
+                       `domaincerts`.`id` = `domlink`.`certid`
+                       and `domlink`.`domid` = '$domainid')";
+               $dres = mysql_query($query);
+               while($drow = mysql_fetch_assoc($dres))
+               {
+                       mysql_query(
+                               "update `domaincerts`
+                               set `revoked`='1970-01-01 10:00:01'
+                               where `id` = '".$drow['id']."'
+                               and `revoked` = 0
+                               and UNIX_TIMESTAMP(`expire`) -
+                               UNIX_TIMESTAMP() > 0");
+               }
+               mysql_query(
+                       "update `domains`
+                       set `deleted`=NOW()
+                       where `id` = '$domainid'");
+       }
+
+       function account_delete($id, $arbno, $adminid){
+       //deletes an account following the deleted account routnie V3
+       // called from www/account.php if($oldid == 50 && $process != "")
+       //change password
+               $id = intval($id);
+               $arbno = mysql_real_escape_string($arbno);
+               $adminid = intval($adminid);
+               $pool = 'abcdefghijklmnopqrstuvwxyz';
+               $pool .= '0123456789!()ยง';
+               $pool .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
+               srand ((double)microtime()*1000000);
+               $password="";
+               for($index = 0; $index < 30; $index++)
+               {
+                       $password .= substr($pool,(rand()%(strlen ($pool))), 1);
+               }
+               mysql_query("update `users` set `password`=sha1('".$password."') where `id`='".$id."'");
+
+       //create new mail for arbitration number
+               $query = "insert into `email` set `email`='".$arbno."@cacert.org',`memid`='".$id."',`created`=NOW(),`modified`=NOW(), `attempts`=-1";
+               mysql_query($query);
+               $emailid = mysql_insert_id();
+
+       //set new mail as default
+               $query = "update `users` set `email`='".$arbno."@cacert.org' where `id`='".$id."'";
+               mysql_query($query);
+
+       //delete all other email address
+               $query = "select * from `email` where `memid`='".$id."' and `id`!='".$emailid."'" ;
+               $res=mysql_query($query);
+               while($row = mysql_fetch_assoc($res)){
+                       account_email_delete($row['id']);
+               }
+
+       //delete all domains
+               $query = "select * from `domains` where `memid`='".$id."'";
+               $res=mysql_query($query);
+               while($row = mysql_fetch_assoc($res)){
+                       account_domain_delete($row['id']);
+               }
+
+       //clear alert settings
+               mysql_query("update `alerts` set `general`='0' where `memid`='$id'");
+               mysql_query("update `alerts` set `country`='0' where `memid`='$id'");
+               mysql_query("update `alerts` set `regional`='0' where `memid`='$id'");
+               mysql_query("update `alerts` set `radius`='0' where `memid`='$id'");
+
+       //set default location
+               $query = "update `users` set `locid`='2256755', `regid`='243', `ccid`='12' where `id`='".$id."'";
+               mysql_query($query);
+
+       //clear listings
+               $query = "update `users` set `listme`=' ',`contactinfo`=' ' where `id`='".$id."'";
+               mysql_query($query);
+
+       //set lanuage to default
+               //set default language
+               mysql_query("update `users` set `language`='en_AU' where `id`='".$id."'");
+               //delete secondary langugaes
+               mysql_query("delete from `addlang` where `userid`='".$id."'");
+
+       //change secret questions
+               for($i=1;$i<=5;$i++){
+                       $q="";
+                       $a="";
+                       for($index = 0; $index < 30; $index++)
+                       {
+                               $q .= substr($pool,(rand()%(strlen ($pool))), 1);
+                               $a .= substr($pool,(rand()%(strlen ($pool))), 1);
+                       }
+                       $query = "update `users` set `Q$i`='$q', `A$i`='$a' where `id`='".$id."'";
+                       mysql_query($query);
+               }
+
+       //change personal information to arbitration number and DOB=1900-01-01
+               $query = "select `fname`,`mname`,`lname`,`suffix`,`dob` from `users` where `id`='$userid'";
+               $details = mysql_fetch_assoc(mysql_query($query));
+               $query = "insert into `adminlog` set `when`=NOW(),`old-lname`='${details['lname']}',`old-dob`='${details['dob']}',
+                       `new-lname`='$arbno',`new-dob`='1900-01-01',`uid`='$id',`adminid`='".$adminid."'";
+               mysql_query($query);
+               $query = "update `users` set `fname`='".$arbno."',
+                       `mname`='".$arbno."',
+                       `lname`='".$arbno."',
+                       `suffix`='".$arbno."',
+                       `dob`='1900-01-01'
+                       where `id`='".$id."'";
+               mysql_query($query);
+
+       //clear all admin and board flags
+               mysql_query("update `users` set `assurer`='0' where `id`='$id'");
+               mysql_query("update `users` set `assurer_blocked`='0' where `id`='$id'");
+               mysql_query("update `users` set `codesign`='0' where `id`='$id'");
+               mysql_query("update `users` set `orgadmin`='0' where `id`='$id'");
+               mysql_query("update `users` set `ttpadmin`='0' where `id`='$id'");
+               mysql_query("update `users` set `locadmin`='0' where `id`='$id'");
+               mysql_query("update `users` set `admin`='0' where `id`='$id'");
+               mysql_query("update `users` set `adadmin`='0' where `id`='$id'");
+               mysql_query("update `users` set `tverify`='0' where `id`='$id'");
+               mysql_query("update `users` set `board`='0' where `id`='$id'");
+
+       //block account
+               mysql_query("update `users` set `locked`='1' where `id`='$id'");  //, `deleted`=Now()
+       }
+
+
+       function check_email_exists($email){
+       // called from includes/account.php if($process != "" && $oldid == 1)
+       // called from includes/account.php     if($oldid == 50 && $process != "")
+               $email = mysql_real_escape_string($email);
+               $query = "select 1 from `email` where `email`='$email' and `deleted`=0";
+               $res = mysql_query($query);
+               return mysql_num_rows($res) > 0;
+       }
+
+       function check_gpg_cert_running($uid,$cca=0){
+               //if $cca =0 if just expired, =1 if CCA retention +3 month should be obeyed
+               // called from includes/account.php     if($oldid == 50 && $process != "")
+               $uid = intval($uid);
+               if (0==$cca) {
+                       $query = "select 1 from `gpg` where `memid`='$uid' and `expire`>NOW()";
+               }else{
+                       $query = "select 1 from `gpg` where `memid`='$uid' and `expire`>(NOW()-90*86400)";
+               }
+               $res = mysql_query($query);
+               return mysql_num_rows($res) > 0;
+       }
+
+       function check_client_cert_running($uid,$cca=0){
+               //if $cca =0 if just expired, =1 if CCA retention +3 month should be obeyed
+               // called from includes/account.php     if($oldid == 50 && $process != "")
+               $uid = intval($uid);
+               if (0==$cca) {
+                       $query1 = "select 1 from `emailcerts` where `memid`='$uid' and `expire`>NOW()";
+                       $query2 = "select 1 from `emailcerts` where `memid`='$uid' and `revoked`>NOW()";
+               }else{
+                       $query1 = "select 1 from `emailcerts` where `memid`='$uid' and `expire`>(NOW()-90*86400)  and `revoked`<`created`";
+                       $query2 = "select 1 from `emailcerts` where `memid`='$uid' and `revoked`>(NOW()-90*86400)";
+               }
+               $res = mysql_query($query1);
+               $r1 = mysql_num_rows($res)>0;
+               $res = mysql_query($query2);
+               $r2 = mysql_num_rows($res)>0;
+               return !!($r1 || $r2);
+       }
+
+       function check_server_cert_running($uid,$cca=0){
+               //if $cca =0 if just expired, =1 if CCA retention +3 month should be obeyed
+               // called from includes/account.php     if($oldid == 50 && $process != "")
+               $uid = intval($uid);
+               if (0==$cca) {
+                       $query1 = "select 1 from `domaincerts` where `memid`='$uid' and `expire`>NOW()";
+                       $query2 = "select 1 from `domaincerts` where `memid`='$uid' and `revoked`>NOW()";
+               }else{
+                       $query1 = "select 1 from `domaincerts` where `memid`='$uid' and `expire`>(NOW()-90*86400)  and `revoked`<`created`";
+                       $query2 = "select 1 from `domaincerts` where `memid`='$uid' and `revoked`>(NOW()-90*86400)";
+               }
+               $res = mysql_query($query1);
+               $r1 = mysql_num_rows($res)>0;
+               $res = mysql_query($query2);
+               $r2 = mysql_num_rows($res)>0;
+               return !!($r1 || $r2);
+       }
+
+       function check_is_orgadmin($uid){
+               // called from includes/account.php     if($oldid == 50 && $process != "")
+               $uid = intval($uid);
+               $query = "select 1 from `org` where `memid`='$uid' and `deleted`=0";
+               $res = mysql_query($query);
+               return mysql_num_rows($res) > 0;
+       }
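Review bot: In account_domain_delete the new query pairs `domaincerts` and `domlink` in a plain cross join and filters with an `or`, so when `domlink` has no rows the product is empty and no certificate is revoked even when `domaincerts`.`domid` matches — a silent failure in a revocation path; the `union distinct` form that the old inline code in includes/account.php used does not have this problem and should be restored (below). In account_delete the select feeding the adminlog entry reads `$userid`, but the parameter is `$id`, so `$details` is false and the logged old-lname/old-dob are empty; replace `$userid` with `$id` there, and escape `$details['lname']` and `$details['dob']` with mysql_real_escape_string before interpolating them, since a surname containing a quote currently breaks that insert unnoticed. The password and the secret question/answer strings are produced with srand()/rand(), which is predictable; the account is locked right afterwards so the exposure is limited, but the sha1 hash still stays guessable and a CSPRNG such as openssl_random_pseudo_bytes would be the safer source. strlen/substr are byte-wise, so if the `§` in `$pool` is a multibyte character the generated strings can contain lone partial bytes; an ASCII-only pool avoids that.
```php
	function account_domain_delete($domainid){
		// … unchanged: comments, intval …
		$query = "select `domaincerts`.`id`
				from `domaincerts`
				where `domaincerts`.`domid` = '$domainid'
			union distinct
			select `domaincerts`.`id`
				from `domaincerts`, `domlink`
				where `domaincerts`.`id` = `domlink`.`certid`
				and `domlink`.`domid` = '$domainid'";
		$dres = mysql_query($query);
		// … unchanged: revoke loop, `domains` update …
```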
index 1604156..a4c2413 100644 (file)
 <form method="post" action="account.php">
 <table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper">
   <tr>
-    <td colspan="2" class="title"><?=_("Change Password")?></td>
+    <td colspan="2" class="title"><?=_("Delete Account")?></td>
   </tr>
   <tr>
     <td class="DataTD"><?=_("Email")?>:</td>
     <td class="DataTD"><b><?=sanitizeHTML($_REQUEST['email'])?></b></td>
   </tr>
   <tr>
+    <td class="DataTD"><?=_("New Username from arbitration number + sequence number a20xxyyzz.a.b")?>:</td>
+    <td class="DataTD"><input type="text" name="arbitrationno"></td>
+  </tr>
+  <tr>
     <td class="DataTD" colspan="2"><?=_("Are you sure you want to delete this user, while not actually deleting the account it will completely disable it and revoke any/all certificates currently issued.")?></td>
   </tr>
   <tr>
index 4944d8c..34a447a 100644 (file)
@@ -17,6 +17,7 @@
 */ ?>
 <?
        require_once("../includes/loggedin.php");
+       require_once("../includes/notary.inc.php");
 
        loadem("account");
 
                        {
                                $row = mysql_fetch_assoc($res);
                                echo $row['email']."<br>\n";
-                               $query = "select `emailcerts`.`id`
-                                               from `emaillink`,`emailcerts` where
-                                               `emailid`='$emailid' and `emaillink`.`emailcertsid`=`emailcerts`.`id` and
-                                               `revoked`=0 and UNIX_TIMESTAMP(`expire`)-UNIX_TIMESTAMP() > 0
-                                               group by `emailcerts`.`id`";
-                               $dres = mysql_query($query);
-                               while($drow = mysql_fetch_assoc($dres))
-                                       mysql_query("update `emailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='".intval($drow['id'])."'");
-
-                               $do = `../scripts/runclient`;
-                               $query = "update `email` set `deleted`=NOW() where `id`='".intval($emailid)."'";
-                               mysql_query($query);
+                               account_email_delete($row['id']);
                        }
                        mysql_query("update `disputeemail` set hash='',action='accept' where `id`='$emailid'");
-                       $rc = mysql_num_rows(mysql_query("select * from `domains` where `memid`='$oldmemid' and `deleted`=0"));
-                       $rc = mysql_num_rows(mysql_query("select * from `email` where `memid`='$oldmemid' and `deleted`=0 and `id`!='$emailid'"));
-                       $res = mysql_query("select * from `users` where `id`='$oldmemid'");
-                       $user = mysql_fetch_assoc($res);
+                       $rc = mysql_num_rows(mysql_query("select * from `domains` where `memid`='$oldmemid' and `deleted`=0"));
+                       $rc2 = mysql_num_rows(mysql_query("select * from `email` where `memid`='$oldmemid' and `deleted`=0 and `id`!='$emailid'"));
+                       $res = mysql_query("select * from `users` where `id`='$oldmemid'");
+                       $user = mysql_fetch_assoc($res);
                        if($rc == 0 && $rc2 == 0 && $_SESSION['_config']['email'] == $user['email'])
                        {
                                mysql_query("update `users` set `deleted`=NOW() where `id`='$oldmemid'");
                        showheader(_("Domain Dispute"));
                        echo "<p>"._("You have opted to accept this dispute and the request will now remove this domain from the existing account, and revoke any current certificates.")."</p>";
                        echo "<p>"._("The following accounts have been removed:")."<br>\n";
+                       //new account_domain_delete($domainid, $memberID)
                        $query = "select * from `domains` where `id`='$domainid' and deleted=0";
                        $res = mysql_query($query);
                        if(mysql_num_rows($res) > 0)
                        {
-                                echo $_SESSION['_config']['domain']."<br>\n";
-                                mysql_query("update `domains` set `deleted`=NOW() where `id`='$domainid'");
-                               $query = "select * from `domlink` where `domid`='$domainid'";
-                               $res = mysql_query($query);
-                               while($row = mysql_fetch_assoc($res))
-                                       mysql_query("update `domaincerts` set `revoked`='1970-01-01 10:00:01' where `id`='".$row['certid']."' and `revoked`=0 and UNIX_TIMESTAMP(`expire`)-UNIX_TIMESTAMP() > 0");
-                               $do = `../scripts/runserver`;
+                               echo $_SESSION['_config']['domain']."<br>\n";
+                               account_domain_delete($domainid);
                        }
                        mysql_query("update `disputedomain` set hash='',action='accept' where `id`='$domainid'");
                        showfooter();
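Review bot: Both replaced blocks used to execute `../scripts/runclient` and `../scripts/runserver` after marking the certificates revoked, and neither account_email_delete nor account_domain_delete in notary.inc.php runs them, so in the dispute-accept path the revocations are now only recorded in the database and whatever those scripts did afterwards no longer happens here; if that processing is still required it must be triggered after the new calls or inside the helpers. The comment `//new account_domain_delete($domainid, $memberID)` is stale — the helper takes a single argument — and should be removed. The email loop now passes `$row['id']` where it previously operated on `$emailid`; as the row is presumably selected by that id this is the same value, but worth confirming against the select outside the hunk. Both enclosing blocks start outside the hunks.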