Merge branch 'bug-1010' into release
authorMichael Tänzer <neo@nhng.de>
Wed, 20 Nov 2013 12:56:24 +0000 (13:56 +0100)
committerMichael Tänzer <neo@nhng.de>
Wed, 20 Nov 2013 12:56:24 +0000 (13:56 +0100)
1  2 
includes/account.php

diff --combined includes/account.php
@@@ -18,7 -18,6 +18,7 @@@
        require_once("../includes/loggedin.php");
        require_once("../includes/lib/l10n.php");
        require_once("../includes/lib/check_weak_key.php");
 +      require_once("../includes/notary.inc.php");
  
        loadem("account");
  
@@@ -71,7 -70,9 +71,7 @@@
                }
                $oldid=0;
                $_REQUEST['email'] = trim(mysql_real_escape_string(stripslashes($_REQUEST['newemail'])));
 -              $query = "select * from `email` where `email`='".$_REQUEST['email']."' and `deleted`=0";
 -              $res = mysql_query($query);
 -              if(mysql_num_rows($res) > 0)
 +              if(check_email_exists($_REQUEST['email'])==true)
                {
                        showheader(_("My CAcert.org Account!"));
                        printf(_("The email address '%s' is already in a different account. Can't continue."), sanitizeHTML($_REQUEST['email']));
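Review bot: The value handed to `check_email_exists()` on the new line has already been run through `mysql_real_escape_string()` two lines earlier, so the escaping contract between caller and helper is ambiguous. If the helper escapes its argument itself, as a shared lookup normally should, backslashes get doubled and an address containing `'` or `\` is never matched; if it does not, every other caller must remember to escape before calling it. Decide which side owns escaping and say so on the helper, e.g. `// expects a raw (unescaped) address and escapes internally`, passing the trimmed raw value here in that case. The helper lives in notary.inc.php, outside this hunk, so I cannot tell which behaviour it has.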
                $delcount = 0;
                if(array_key_exists('delid',$_REQUEST) && is_array($_REQUEST['delid']))
                {
 +                      $deltitle=false;
                        foreach($_REQUEST['delid'] as $id)
                        {
 -                              if (0==$delcount) {
 +                              if (!$deltitle) {
                                        echo _('The following email addresses have been removed:')."<br>\n";
 +                                      $deltitle=true;
                                }
                                $id = intval($id);
                                $query = "select * from `email` where `id`='$id' and `memid`='".intval($_SESSION['profile']['id'])."' and
                                {
                                        $row = mysql_fetch_assoc($res);
                                        echo $row['email']."<br>\n";
 -                                      $query = "select `emailcerts`.`id`
 -                                                      from `emaillink`,`emailcerts` where
 -                                                      `emailid`='$id' and `emaillink`.`emailcertsid`=`emailcerts`.`id` and
 -                                                      `revoked`=0 and UNIX_TIMESTAMP(`expire`)-UNIX_TIMESTAMP() > 0
 -                                                      group by `emailcerts`.`id`";
 -                                      $dres = mysql_query($query);
 -                                      while($drow = mysql_fetch_assoc($dres))
 -                                              mysql_query("update `emailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='".$drow['id']."'");
 -
 -                                      $query = "update `email` set `deleted`=NOW() where `id`='$id'";
 -                                      mysql_query($query);
 +                                      account_email_delete($row['id']);
                                        $delcount++;
                                }
                        }
                }
                if(0 == $delcount)
                {
 -                      echo _("You failed to select any accounts to be removed, or you attempted to remove the default account. No action was taken.");
 +                      echo _("You did not select any accounts to be removed, or you attempted to remove the default account. No action was taken.");
                }
  
                showfooter();
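Review bot: The heading `The following email addresses have been removed:` is still echoed at the top of the loop before the ownership query on the following lines has confirmed anything, so a request whose `delid` entries are all non-owned or default ids prints that heading and then the `No action was taken` message. Move the `$deltitle` guard into the branch that calls `account_email_delete($row['id'])`, echoing the heading just before that call. The `memid` filter in the select is what keeps the delete scoped to the logged-in user, since `account_email_delete()` appears to take only an id; a one-line comment on the query saying so would help the next reader.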
  
        if($process != "" && $oldid == 3)
        {
 +              if(!array_key_exists('CCA',$_REQUEST))
 +              {
 +                      showheader(_("My CAcert.org Account!"));
 +                      echo _("You did not accept the CAcert Community Agreement (CCA), hit the back button and try again.");
 +                      showfooter();
 +                      exit;
 +              }
 +
                if(!(array_key_exists('addid',$_REQUEST) && is_array($_REQUEST['addid'])) && $_REQUEST['SSO'] != '1')
                {
                        showheader(_("My CAcert.org Account!"));
                                exit;
                        }
  
 +                      write_user_agreement(intval($_SESSION['profile']['id']), "CCA", "certificate creation", "", 1);
 +
                        $query = "insert into emailcerts set
                                                `CN`='$defaultemail',
                                                `keytype`='NS',
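Review bot: The new CCA gate only tests `array_key_exists('CCA', $_REQUEST)`, so a request carrying a `CCA` parameter with an empty or `0` value, including one supplied via GET or a cookie since `$_REQUEST` is consulted, passes as an acceptance and is then persisted by `write_user_agreement()`. Tighten it to the submitted form value, e.g. `if(!array_key_exists('CCA',$_POST) || $_POST['CCA'] != '1')` (or whatever value the checkbox sends). Note also that the agreement is written before the `emailcerts` insert, so a failed insert still leaves a recorded acceptance; if that is intended, a short comment saying so would help. The block containing the `write_user_agreement()` call starts and ends outside this hunk.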
                                {
                                        $row = mysql_fetch_assoc($res);
                                        echo $row['domain']."<br>\n";
 -
 -                                      $dres = mysql_query(
 -                                              "select `domaincerts`.`id`
 -                                                      from `domaincerts`
 -                                                      where `domaincerts`.`domid` = '$id'
 -                                              union distinct
 -                                              select `domaincerts`.`id`
 -                                                      from `domaincerts`, `domlink`
 -                                                      where `domaincerts`.`id` = `domlink`.`certid`
 -                                                      and `domlink`.`domid` = '$id'");
 -                                      while($drow = mysql_fetch_assoc($dres))
 -                                      {
 -                                              mysql_query(
 -                                                      "update `domaincerts`
 -                                                              set `revoked`='1970-01-01 10:00:01'
 -                                                              where `id` = '".$drow['id']."'
 -                                                              and `revoked` = 0
 -                                                              and UNIX_TIMESTAMP(`expire`) -
 -                                                                              UNIX_TIMESTAMP() > 0");
 -                                      }
 -
 -                                      mysql_query(
 -                                              "update `domains`
 -                                                      set `deleted`=NOW()
 -                                                      where `id` = '$id'");
 +                                      account_domain_delete($row['id']);
                                }
 +
                        }
                }
                else
  
        if($process != "" && $oldid == 10)
        {
 +              if(!array_key_exists('CCA',$_REQUEST))
 +              {
 +                      showheader(_("My CAcert.org Account!"));
 +                      echo _("You did not accept the CAcert Community Agreement (CCA), hit the back button and try again.");
 +                      showfooter();
 +                      exit;
 +              }
 +
                $CSR = clean_csr($_REQUEST['CSR']);
                if(strpos($CSR,"---BEGIN")===FALSE)
                {
                if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2)
                        $_SESSION['_config']['rootcert'] = 1;
  
 +              write_user_agreement(intval($_SESSION['profile']['id']), "CCA", "certificate creation", "", 1);
 +
                if(array_key_exists('0',$_SESSION['_config']['rowid']) && $_SESSION['_config']['rowid']['0'] > 0)
                {
                        $query = "insert into `domaincerts` set
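Review bot: The same presence-only `array_key_exists('CCA',$_REQUEST)` gate is used here for server certificates, so the stored agreement does not prove the checkbox was ticked and the value can arrive by GET; check the posted value explicitly, e.g. `if(!array_key_exists('CCA',$_POST) || $_POST['CCA'] != '1')`. The acceptance is also recorded before the `domaincerts` insert that follows, so a failed insert still leaves a CCA record; if that is deliberate it deserves a comment. The enclosing branch continues past the end of the hunk.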
                        $description= trim(mysql_real_escape_string(stripslashes($_REQUEST['description'])));
                }else{
                        $description= "";
 -      }
 +              }
  
 -      if(trim($_REQUEST['disablelogin']) == "1"){
 -              $disablelogin = 1;
 -      }else{
 -              $disablelogin = 0;
 -      }
 +              if(trim($_REQUEST['disablelogin']) == "1"){
 +                      $disablelogin = 1;
 +              }else{
 +                      $disablelogin = 0;
 +              }
  
 -      mysql_query("update `emailcerts` set `disablelogin`='$disablelogin', `description`='$description' where `id`='".$_REQUEST['certid']."' and `memid`='".$_SESSION['profile']['id']."'");
 +              mysql_query("update `emailcerts` set `disablelogin`='$disablelogin', `description`='$description' where `id`='".$_REQUEST['certid']."' and `memid`='".$_SESSION['profile']['id']."'");
 +      }
  
 - }
        if($oldid == 13 && $process != "")
        {
                csrf_check("perschange");
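Review bot: The re-indented update statement still interpolates `$_REQUEST['certid']` and `$_SESSION['profile']['id']` straight into SQL with no `intval()` or escaping, unlike the `description` value a few lines above which is escaped; unless `certid` is normalised earlier in this file (outside the hunk), this is an injection point in the new code. Cast both before building the query: `$certid = intval($_REQUEST['certid']);` and `$memid = intval($_SESSION['profile']['id']);`, then use `$certid` and `$memid` in the `where` clause. `trim($_REQUEST['disablelogin'])` also raises a notice when the parameter is absent; test with `array_key_exists` first as the surrounding code does elsewhere. The `if` enclosing this block opens before the hunk.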
  
                        $query = "insert into `orgemailcerts` set
                                                `CN`='$defaultemail',
+                                               `ou`='".$_SESSION['_config']['OU']."',
                                                `keytype`='NS',
                                                `orgid`='".$org['orgid']."',
                                                `created`=FROM_UNIXTIME(UNIX_TIMESTAMP()),
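Review bot: `$_SESSION['_config']['OU']` reaches the new `ou` column through plain string interpolation, and nothing in this hunk shows that it was passed through `mysql_real_escape_string()` when it was stored in the session; the same pattern repeats in the second insert below. If the session value is stored raw, escape at the point of use by concatenating `mysql_real_escape_string($_SESSION['_config']['OU'])` instead of the bare value. A short comment stating where `OU` is validated would let a reader settle this without hunting through the org-admin pages.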
  
                        $query = "insert into `orgemailcerts` set
                                                `CN`='$defaultemail',
+                                               `ou`='".$_SESSION['_config']['OU']."',
                                                `keytype`='" . sanitizeHTML($_REQUEST['keytype']) . "',
                                                `orgid`='".$org['orgid']."',
                                                `created`=FROM_UNIXTIME(UNIX_TIMESTAMP()),
                                $query = "insert into `orgemailcerts` set
                                                `orgid`='".$row['orgid']."',
                                                `CN`='".$row['CN']."',
+                                               `ou`='".$row['ou']."',
                                                `subject`='".$row['subject']."',
                                                `keytype`='".$row['keytype']."',
                                                `csr_name`='".$row['csr_name']."',
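Review bot: This renewal insert copies `$row['ou']` back into SQL without re-escaping, so a stored value containing a quote breaks or alters the statement; the neighbouring columns have the same second-order problem already, but the new line adds one more. Escape the copied field with `mysql_real_escape_string($row['ou'])`, or restructure the renewal as `insert ... select` so the values never round-trip through PHP. The enclosing block starts before the hunk.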
                exit;
        }
  
+       if($oldid == 18 && array_key_exists('filter',$_REQUEST) && $_REQUEST['filter']!= "")
+       {
+               $id=18;
+               $_SESSION['_config']['orgfilterid']=$_REQUEST['orgfilterid'];
+               $_SESSION['_config']['sorting']=$_REQUEST['sorting'];
+               $_SESSION['_config']['status']=$_REQUEST['status'];
+       }
+       if($oldid == 18 && array_key_exists('reset',$_REQUEST) && $_REQUEST['reset']!= "")
+       {
+               $id=18;
+               $_SESSION['_config']['orgfilterid']=0;
+               $_SESSION['_config']['sorting']=0;
+               $_SESSION['_config']['status']=0;
+       }
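Review bot: The three filter values are copied from `$_REQUEST` into the session unchanged, with no `array_key_exists` guard (a notice when a key is missing) and no normalisation, while the reset branch stores integers, which suggests ids are expected. If the code rendering view 18 interpolates `orgfilterid`, `sorting` or `status` into a query or an `ORDER BY` (not visible here), this becomes a second-order injection path through the session. Normalise at the point of entry, e.g. `$_SESSION['_config']['orgfilterid']=array_key_exists('orgfilterid',$_REQUEST) ? intval($_REQUEST['orgfilterid']) : 0;`, and treat `sorting` and `status` the same way, whitelisting if they are not numeric.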
  
        if($process != "" && $oldid == 20)
        {
                exit;
        }
  
+       if($oldid == 22 && array_key_exists('filter',$_REQUEST) && $_REQUEST['filter']!= "")
+       {
+               $id=22;
+               $_SESSION['_config']['dorgfilterid']=$_REQUEST['dorgfilterid'];
+               $_SESSION['_config']['dsorting']=$_REQUEST['dsorting'];
+               $_SESSION['_config']['dstatus']=$_REQUEST['dstatus'];
+       }
+       if($oldid == 22 && array_key_exists('reset',$_REQUEST) && $_REQUEST['reset']!= "")
+       {
+               $id=22;
+               $_SESSION['_config']['dorgfilterid']=0;
+               $_SESSION['_config']['dsorting']=0;
+               $_SESSION['_config']['dstatus']=0;
+       }
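Review bot: As with the view-18 filter above, `dorgfilterid`, `dsorting` and `dstatus` go into the session raw and without presence checks. Apply the same `intval()`/whitelist treatment here, e.g. `$_SESSION['_config']['dorgfilterid']=array_key_exists('dorgfilterid',$_REQUEST) ? intval($_REQUEST['dorgfilterid']) : 0;`, so the two branches stay consistent and the session never carries unvalidated request data.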
  
        if(($id == 24 || $oldid == 24 || $id == 25 || $oldid == 25 || $id == 26 || $oldid == 26 ||
                $id == 27 || $oldid == 27 || $id == 28 || $oldid == 28 || $id == 29 || $oldid == 29 ||
                mysql_query($query);
        }
  
 +      if($oldid == 43 && $_REQUEST['action'] == 'revokecert')
 +      {
 +              $userid = intval($_REQUEST['userid']);
 +              revoke_all_private_cert($userid);
 +              $id=43;
 +      }
 +
        if($oldid == 48 && $_REQUEST['domain'] == "")
        {
                $id = $oldid;
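Review bot: The new `revokecert` action revokes every private certificate of an arbitrary `userid` on the strength of two `$_REQUEST` parameters alone: there is no `csrf_check()` like the one the `perschange` branch uses, and because `$_REQUEST` also reads GET and cookie data a crafted link is enough to trigger it. Add `csrf_check("revokecert")` (or whatever token name the form emits) at the top of the branch and read `action` and `userid` from `$_POST`; `$_REQUEST['action']` should also be tested with `array_key_exists` first to avoid a notice. Whether view 43 is restricted to admins is decided by gating earlier in this file, outside the hunk, so I am assuming that check exists.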
        if($oldid == 50 && $process != "")
        {
                $_REQUEST['userid'] = intval($_REQUEST['userid']);
 -              $res = mysql_query("select * from `users` where `id`='".intval($_REQUEST['userid'])."'");
 -              if(mysql_num_rows($res) > 0)
 -              {
 -                      $query = "update `domaincerts`,`domains` SET `domaincerts`.`revoked`='1970-01-01 10:00:01'
 -                                      WHERE `domaincerts`.`domid` = `domains`.`id` AND `domains`.`memid`='".intval($_REQUEST['userid'])."'";
 -                      mysql_query($query);
 -                      $query = "update `domains` SET `deleted`=NOW() WHERE `domains`.`memid`='".intval($_REQUEST['userid'])."'";
 -                      mysql_query($query);
 -                      $query = "update `emailcerts` SET `revoked`='1970-01-01 10:00:01' WHERE `memid`='".intval($_REQUEST['userid'])."'";
 -                      mysql_query($query);
 -                      $query = "update `email` SET `deleted`=NOW() WHERE `memid`='".intval($_REQUEST['userid'])."'";
 -                      mysql_query($query);
 -                      $query = "delete from `org` WHERE `memid`='".intval($_REQUEST['userid'])."'";
 -                      mysql_query($query);
 -                      $query = "update `users` SET `deleted`=NOW() WHERE `id`='".intval($_REQUEST['userid'])."'";
 -                      mysql_query($query);
 +              if (trim($_REQUEST['arbitrationno'])==""){
 +                      showheader(_("My CAcert.org Account!"));
 +                      echo _("You did not enter an arbitration number entry.");
 +                      showfooter();
 +                      exit;
 +              }
 +              if ( 1 !== preg_match('/^[a-z]\d{8}\.\d+\.\d+$/i',trim($_REQUEST['arbitrationno'])) ) {
 +                      showheader(_("My CAcert.org Account!"));
 +                      printf(_("'%s' is not a valid arbitration number entry."), sanitizeHTML(trim($_REQUEST['arbitrationno'])));
 +                      showfooter();
 +                      exit;
 +              }
 +              if (check_email_exists(trim($_REQUEST['arbitrationno']).'@cacert.org')) {
 +                      showheader(_("My CAcert.org Account!"));
 +                      printf(_("The email address '%s' is already in a different account. Can't continue."), sanitizeHTML($_REQUEST['arbitrationno'].'@cacert.org'));
 +                      showfooter();
 +                      exit;
 +               }
 +              if (check_client_cert_running($_REQUEST['userid'],1) ||
 +                      check_server_cert_running($_REQUEST['userid'],1) ||
 +                      check_gpg_cert_running($_REQUEST['userid'],1)) {
 +                      showheader(_("My CAcert.org Account!"));
 +                      printf(_("The CCA retention time for at least one certificate is not over. Can't continue."));
 +                      showfooter();
 +                      exit;
 +              }
 +              if (check_is_orgadmin($_REQUEST['userid'],1)) {
 +                      showheader(_("My CAcert.org Account!"));
 +                      printf(_("The user is listed as Organisation Administrator. Can't continue."));
 +                      showfooter();
 +                      exit;
                }
 +              account_delete($_REQUEST['userid'], trim($_REQUEST['arbitrationno']), $_SESSION['profile']['id']);
        }
  
        if(($id == 51 || $id == 52 || $oldid == 52) && $_SESSION['profile']['tverify'] <= 0)
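Review bot: The removed code first confirmed the target user row existed (`mysql_num_rows($res) > 0`); the replacement runs the arbitration-number, running-certificate and org-admin checks and then `account_delete()` without that existence check, so unless `account_delete()` rejects unknown ids it proceeds on a non-existent or already-deleted `userid`. Re-add a lookup on `users` (ideally with `deleted`=0) before the checks, and since this is an admin action driven by `$_REQUEST` with no `csrf_check()`, add the token check at the top of the branch. Minor: the duplicate-email message echoes the untrimmed `$_REQUEST['arbitrationno']` while the check used the trimmed value; use the trimmed value in both.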