1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */ ?>
18 <?
19 require_once("../includes/loggedin.php");
20 require_once("../includes/lib/l10n.php");
21 require_once("../includes/notary.inc.php");
22
23
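/**
 * Render one WoT sub-page inside the standard account header and footer.
 *
 * @param int|string $target  Sub-page to show: its numeric id (0..15, as int
 *                            or numeric string) or its symbolic name
 *                            ('EnterEmail', 'VerifyData', ...).  Any other
 *                            value (e.g. "Exit") renders only the header,
 *                            the message and the footer.
 * @param string     $message Informational text shown above the page.
 * @param string     $error   Error text; when non-empty it replaces $message,
 *                            prefixed with the translated "ERROR" label.
 *                            Defaults to "" because some callers in this file
 *                            pass only two arguments.
 */
function show_page($target, $message = "", $error = "")
{
    // Sub-page number handed to includeit() for every accepted target.  Ids
    // 7, 11 and 14 are deliberately not served (they were commented out in
    // the original dispatcher).
    static $pages = array(
        '0'  => 0,  'InfoPage'       => 0,
        '1'  => 1,  'ListByCity'     => 1,
        '2'  => 2,  'BecomeAssurer'  => 2,
        '3'  => 3,  'TrustRules'     => 3,
        '4'  => 4,  'ShowTTPInfo'    => 4,
        '5'  => 5,  'EnterEmail'     => 5,
        '6'  => 6,  'VerifyData'     => 6,
        '8'  => 8,  'EnterMyInfo'    => 8,
        '9'  => 9,  'ContactAssurer' => 9,
        '10' => 10, 'MyPointsOld'    => 10,
        '12' => 12, 'SearchAssurer'  => 12,
        '13' => 13, 'EnterMyCity'    => 13,
        '15' => 15, 'MyPointsNew'    => 15,
    );

    showheader(_("My CAcert.org Account!"));

    // An error always wins over a plain message.
    if ($error != "") {
        $message = _("ERROR").": ".$error;
    }
    if ($message != "") {
        echo "<p><font color='orange' size='+1'>".$message."</font></p>";
    }

    // Only a scalar can name a page; anything else behaves like an unmatched
    // switch case and renders just the header and footer.
    if (is_scalar($target)) {
        $key = (string)$target;
        if (array_key_exists($key, $pages)) {
            includeit($pages[$key], "wot");
        }
    }

    showfooter();
}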
86
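/**
 * E-mail a "please create your account" reminder to the address the assurer
 * typed into the EnterEmail form.
 *
 * The body is written in the language selected in the form
 * ($_POST['reminder-lang']) and, when that is not English, once more in
 * English; the subject uses the selected language.  The assurer's own
 * translation is restored before returning.
 *
 * Side effects: writes $_SESSION['_config']['reminder-lang'],
 * ['remindersent'] and ['error'], and calls sendmail().
 */
function send_reminder()
{
    $my_translation = L10n::get_translation();

    // Only a language known to L10n may be used.  Anything else (including a
    // missing field) falls back to English so the lookup into
    // L10n::$translations below can never hit an undefined index.
    $lang = array_key_exists('reminder-lang', $_POST) ? $_POST['reminder-lang'] : "";
    if (!is_string($lang) || !array_key_exists($lang, L10n::$translations)) {
        $lang = "en";
    }
    $_SESSION['_config']['reminder-lang'] = $lang;

    $reminder_translations = array($lang);
    if (!in_array("en", $reminder_translations, true)) {
        $reminder_translations[] = "en";
    }

    $body = "";
    foreach ($reminder_translations as $translation) {
        L10n::set_translation($translation);

        // Each language section is headed by the language's display name.
        $body .= L10n::$translations[$translation].":\n\n";
        $body .= sprintf(_("This is a short reminder that you filled out forms to become trusted with CAcert.org, and %s has attempted to issue you points. Please create your account at %s as soon as possible and then notify %s so that the points can be issued."), $_SESSION['profile']['fname']." (".$_SESSION['profile']['email'].")", "http://www.cacert.org", $_SESSION['profile']['fname'])."\n\n";
        $body .= _("Best regards")."\n";
        $body .= _("CAcert Support Team")."\n\n";
    }

    // The subject is in the assuree's selected language.
    L10n::set_translation($reminder_translations[0]);
    $recipient = array_key_exists('email', $_POST) ? $_POST['email'] : "";
    sendmail($recipient, "[CAcert.org] "._("Reminder Notice"), $body, $_SESSION['profile']['email'], "", "", $_SESSION['profile']['fname']);

    L10n::set_translation($my_translation);

    $_SESSION['_config']['remindersent'] = 1;
    $_SESSION['_config']['error'] = _("A reminder notice has been sent.");
}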
116
// Load the shared "account" helpers, then keep the meeting date and location
// the assurer typed so they survive the multi-step assurance flow.
loadem("account");

if (isset($_POST['date']) && $_POST['date'] !== "") {
    $_SESSION['_config']['date'] = $_POST['date'];
}
if (isset($_POST['location']) && $_POST['location'] !== "") {
    $_SESSION['_config']['location'] = $_POST['location'];
}

// Page the submitted form came from (0 when nothing was submitted).  Page 12
// (search assurer) simply re-displays itself.
$oldid = isset($_REQUEST['oldid']) ? intval($_REQUEST['oldid']) : 0;
if ($oldid == 12) {
    $id = $oldid;
}
128
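// Page 4 (ShowTTPInfo) submitted: the member asks for a TTP assurance.  Two
// mails go out: an untranslated request to support and a translated
// confirmation to the member.  Every form field is read defensively so a
// hand-built request without it does not raise notices.
if ($oldid == 4) {
    if (array_key_exists('ttp', $_POST) && $_POST['ttp'] != '') {
        // This mail does not need to be translated
        $body = "Hi TTP adminstrators,\n\n";
        // The country is free text that only ever lands in this mail body;
        // SQL escaping (backslashes) has no place here, so only the
        // magic-quotes slashes are removed.
        $body .= "User ".$_SESSION['profile']['fname']." ".
            $_SESSION['profile']['lname']." with email address '".
            $_SESSION['profile']['email']."' is requesting a TTP assurances for ".
            (array_key_exists('country', $_POST) ? stripslashes($_POST['country']) : '').".\n\n";
        if (array_key_exists('ttptopup', $_POST) && $_POST['ttptopup'] == '1') {
            $body .= "The user is also requesting TTP TOPUP.\n\n";
        } else {
            $body .= "The user is NOT requesting TTP TOPUP.\n\n";
        }
        $body .= "The user received ".intval($_SESSION['profile']['points'])." assurance points up to today.\n\n";
        $body .= "Please start the TTP assurance process.";
        sendmail("support@cacert.org", "[CAcert.org] TTP request.", $body, "support@cacert.org", "", "", "CAcert Website");

        // This mail needs to be translated
        $body = _("You are receiving this email because you asked for TTP assurance.")."\n\n";
        if (array_key_exists('ttptopup', $_POST) && $_POST['ttptopup'] == '1') {
            $body .= _("You are requesting TTP TOPUP.")."\n\n";
        } else {
            $body .= _("You are NOT requesting TTP TOPUP.")."\n\n";
        }
        $body .= _("Best regards")."\n";
        $body .= _("CAcert Support Team");

        sendmail($_SESSION['profile']['email'], "[CAcert.org] "._("You requested TTP assurances"), $body, "support@cacert.org", "", "", "CAcert Support");
    }
}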
162
// The assurance pages (5 = EnterEmail, 6 = VerifyData) are for assurers
// only; everybody else gets the reason they do not qualify.
if (in_array($id, array(5, 6)) || in_array($oldid, array(5, 6))) {
    if (!is_assurer($_SESSION['profile']['id'])) {
        show_page("Exit", "", get_assurer_reason($_SESSION['profile']['id']));
        exit;
    }
}

// Page 6 can only be processed once page 5 has put the assuree into the
// session.
if ($oldid == 6 && intval($_SESSION['_config']['notarise']['id']) <= 0) {
    show_page("EnterEmail", "", _("Something went wrong. Please enter the email address again"));
    exit;
}

// "Send reminder" button on page 5: mail the assuree and stay on the page.
if ($oldid == 5 && isset($_POST['reminder']) && $_POST['reminder'] != "") {
    send_reminder();
    show_page("EnterEmail", _("A reminder notice has been sent."), "");
    exit;
}
181
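// Page 5 (EnterEmail) submitted: look the assuree up by e-mail address and
// keep the matching account row in $_SESSION['_config']['notarise'].
if ($oldid == 5) {
    // Escape the typed address once, with the connection-aware function the
    // rest of this file uses (mysql_escape_string ignores the connection
    // charset), and reuse it for both queries below.
    $escapedEmail = array_key_exists('email', $_POST)
        ? mysql_real_escape_string(stripslashes($_POST['email']))
        : "";

    $query = "select * from `users` where `email`='".$escapedEmail."' and `deleted`=0";
    $res = mysql_query($query);
    if (mysql_num_rows($res) != 1) {
        $_SESSION['_config']['noemailfound'] = 1;
        show_page("EnterEmail", "", _("I'm sorry, there was no email matching what you entered in the system. Please double check your information."));
        exit;
    }

    $_SESSION['_config']['noemailfound'] = 0;
    $_SESSION['_config']['notarise'] = mysql_fetch_assoc($res);
    if ($_SESSION['_config']['notarise']['verified'] == 0) {
        show_page("EnterEmail", "", _("User is not yet verified. Please try again in 24 hours!"));
        exit;
    }

    // Ordinary assurers must also prove they know the assuree's date of
    // birth; TTP admins are exempt.  Missing fields count as 0.
    if ($_SESSION['profile']['ttpadmin'] != 1) {
        $_SESSION['assuresomeone']['year'] = isset($_POST['year']) ? intval($_POST['year']) : 0;
        $_SESSION['assuresomeone']['month'] = isset($_POST['month']) ? intval($_POST['month']) : 0;
        $_SESSION['assuresomeone']['day'] = isset($_POST['day']) ? intval($_POST['day']) : 0;
        $dob = sprintf('%04d-%02d-%02d', $_SESSION['assuresomeone']['year'], $_SESSION['assuresomeone']['month'], $_SESSION['assuresomeone']['day']);

        if ($_SESSION['_config']['notarise']['dob'] != $dob) {
            show_page("EnterEmail", "", _("The data entered is not matching with an account."));
            exit;
        }
    }

    // A locked account can not be assured, whatever else matched.
    $query = "select * from `users` where `email`='".$escapedEmail."' and `locked`=1";
    $res = mysql_query($query);
    if (mysql_num_rows($res) >= 1) {
        $_SESSION['_config']['noemailfound'] = 0;
        show_page("EnterEmail", "", _("This account is locked and can not be assured. For more information ask support@cacert.org."));
        exit;
    }
}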
221
// Both assurance pages: honour "cancel", and refuse self-assurance and a
// second assurance of the same person before page 6 is shown or processed.
if ($oldid == 5 || $oldid == 6) {
    $id = 6;
    // $oldid=0;
    if (isset($_REQUEST['cancel']) && $_REQUEST['cancel'] != "") {
        show_page("EnterEmail", "", "");
        exit;
    }
    if ($_SESSION['_config']['notarise']['id'] == $_SESSION['profile']['id']) {
        show_page("EnterEmail", "", _("You are never allowed to Assure yourself!"));
        exit;
    }

    // Any live (non-deleted) assurance from this assurer to this assuree
    // blocks another one.
    $query = sprintf(
        "select * from `notary` where `from`='%d' and `to`='%d' and `deleted` = 0",
        intval($_SESSION['profile']['id']),
        intval($_SESSION['_config']['notarise']['id'])
    );
    $res = mysql_query($query);
    if (mysql_num_rows($res) > 0) {
        show_page("EnterEmail", "", _("You are only allowed to Assure someone once!"));
        exit;
    }
}
246
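// Page 6 (VerifyData) submitted, step 1: validate every field of the
// assurance form before anything is written.  Each failure re-renders page 6
// with a message and stops.  Fields are read defensively so a hand-built
// request without them is rejected instead of raising notices.
if ($oldid == 6) {
    $iecho = "c";

    // date checks: present, YYYY-MM-DD, not in the future
    if (!isset($_REQUEST['date']) || trim($_REQUEST['date']) == '') {
        show_page("VerifyData", "", _("You must enter the date when you met the assuree."));
        exit;
    }
    if (!check_date_format(trim($_REQUEST['date']))) {
        show_page("VerifyData", "", _("You must enter the date in this format: YYYY-MM-DD."));
        exit;
    }
    if (!check_date_difference(trim($_REQUEST['date']))) {
        show_page("VerifyData", "", _("You must not enter a date in the future."));
        exit;
    }

    // proof of identity check and accept arbitration, implements CCA
    if (!array_key_exists('assertion', $_POST) || $_POST['assertion'] != 1) {
        show_page("VerifyData", "", _("You failed to check all boxes to validate your adherence to the rules and policies of CAcert"));
        exit;
    }

    // proof of CCA agreement by assuree after 2010-01-01
    // NOTE(review): check_date_format() with a year argument is presumably
    // true for meeting dates in 2010 or later — confirm in notary.inc.php.
    if ((!array_key_exists('CCAAgreed', $_POST) || $_POST['CCAAgreed'] != 1)
        && check_date_format(trim($_REQUEST['date']), 2010)) {
        show_page("VerifyData", "", _("You failed to check all boxes to validate your adherence to the rules and policies of CAcert"));
        exit;
    }

    // assurance done according to rules
    if (!array_key_exists('rules', $_POST) || $_POST['rules'] != 1) {
        show_page("VerifyData", "", _("You failed to check all boxes to validate your adherence to the rules and policies of CAcert"));
        exit;
    }

    // met assuree in person, not applicable for TTP / TTP Topup assurances.
    // `method` is client-supplied, so the exemption is tied to the ttpadmin
    // flag — the same condition under which the assurance is later recorded
    // as TTP-assisted.  (That later check also accepts the spelling
    // 'Trusted Third Parties'; the exemption here keeps the original
    // single spelling.)
    if ((!array_key_exists('certify', $_POST) || $_POST['certify'] != 1)
        && !($_SESSION['profile']['ttpadmin'] == 1
             && isset($_REQUEST['method'])
             && $_REQUEST['method'] == "Trusted 3rd Parties")) {
        show_page("VerifyData", "", _("You failed to check all boxes to validate your adherence to the rules and policies of CAcert"));
        exit;
    }

    // check location, min 3 characters.  Read from $_POST throughout, which
    // is where the value is taken from when the assurance is stored.
    if (!array_key_exists('location', $_POST) || trim($_POST['location']) == "") {
        show_page("VerifyData", "", _("You failed to enter a location of your meeting."));
        exit;
    }
    // strlen() counts bytes; kept so the set of accepted inputs is unchanged.
    if (strlen(trim($_POST['location'])) <= 2) {
        show_page("VerifyData", "", _("You must enter a location with at least 3 characters eg town and country."));
        exit;
    }

    // check for points in range 0-35, for nucleus 35 + 15 temporary.
    // Validated on $_POST, the same source intval()'d when points are stored.
    if (!isset($_POST['points']) || $_POST['points'] == "" || !is_numeric($_POST['points'])) {
        show_page("VerifyData", "", _("You must enter the number of points you wish to allocate to this person."));
        exit;
    }
    if ($_POST['points'] < 0 || $_POST['points'] > 35) {
        show_page("VerifyData", "", _("The number of points you entered are out of the range given by policy."));
        exit;
    }

    // The assuree's name and date of birth must be unchanged since page 6 was
    // rendered, and the submitted page hash must be the one issued for this
    // session.  Strict comparison: the loose != treated two numeric-looking
    // strings as equal and let a missing hash through.
    $query = "select * from `users` where `id`='".intval($_SESSION['_config']['notarise']['id'])."'";
    $res = mysql_query($query);
    $row = mysql_fetch_assoc($res);
    $name = sanitizeHTML($row['fname'])." ".sanitizeHTML($row['mname'])." ".sanitizeHTML($row['lname'])." ".sanitizeHTML($row['suffix']);
    if (!isset($_SESSION['_config']['wothash'])
        || $_SESSION['_config']['wothash'] !== md5($name."-".$row['dob'])
        || !isset($_REQUEST['pagehash'])
        || $_SESSION['_config']['wothash'] !== $_REQUEST['pagehash']) {
        show_page("VerifyData", "", _("Race condition discovered, user altered details during assurance procedure. PLEASE MAKE SURE THE NEW DETAILS BELOW MATCH THE ID DOCUMENTS."));
        exit;
    }
}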
333
334
// Page 6, step 2: work out how many points this assurance is worth and
// refuse an exact duplicate of an assurance already on record.
if($oldid == 6)
{
    // Upper bound this assurer may give (maxpoints() is defined outside
    // this file).
    $max = maxpoints();

    // $awarded is what the assurer asked for, clamped to 0..$max;
    // $newpoints starts out equal and is capped further against the
    // assuree's running total below.
    $awarded = $newpoints = intval($_POST['points']);
    if($newpoints > $max)
        $newpoints = $awarded = $max;
    if($newpoints < 0)
        $newpoints = $awarded = 0;

    // Points the assuree already holds.  With no assurance yet the grouped
    // query returns no row, $drow is false and $drow['total'] reads as null
    // (0 in the arithmetic below).
    $query = "select sum(`points`) as `total` from `notary` where `to`='".intval($_SESSION['_config']['notarise']['id'])."' and `deleted` = 0 group by `to`";
    $res = mysql_query($query);
    $drow = mysql_fetch_assoc($res);

    // NOTE(review): nothing in this file reads $_POST['expire']; presumably
    // an included page or helper does — confirm before removing.
    $_POST['expire'] = 0;

    // Cap the running total at 100 for assurers whose maximum is below 100
    // and at $max otherwise; never let the capped value go negative.
    if(($drow['total'] + $newpoints) > 100 && $max < 100)
        $newpoints = 100 - $drow['total'];
    if(($drow['total'] + $newpoints) > $max && $max >= 100)
        $newpoints = $max - $drow['total'];
    if($newpoints < 0)
        $newpoints = 0;

    // An empty meeting date defaults to "now".
    if(mysql_real_escape_string(stripslashes($_POST['date'])) == "")
        $_POST['date'] = date("Y-m-d H:i:s");

    // Same assurer, assuree, awarded points, location and date already on
    // record: treat it as a double submit.
    $query = "select * from `notary` where `from`='".intval($_SESSION['profile']['id'])."' AND
`to`='".intval($_SESSION['_config']['notarise']['id'])."' AND
`awarded`='".intval($awarded)."' AND
`location`='".mysql_real_escape_string(stripslashes($_POST['location']))."' AND
`date`='".mysql_real_escape_string(stripslashes($_POST['date']))."' AND
`deleted`=0";
    $res = mysql_query($query);
    if(mysql_num_rows($res) > 0)
    {
        // "VerifyEmail" is not a target show_page() knows, so only the
        // header, this message and the footer are rendered.
        show_page("VerifyEmail","",_("Identical Assurance attempted, will not continue."));
        exit;
    }
}
374
// Page 6, step 3: record the assurance, credit the assurer's own bonus,
// notify both parties and return to page 5.  Uses $newpoints, $awarded and
// $drow computed by the preceding block.
if($oldid == 6)
{
    // The assurance row: `points` is the capped value actually credited,
    // `awarded` what the assurer entered after clamping.
    $query = "insert into `notary` set `from`='".intval($_SESSION['profile']['id'])."',
`to`='".intval($_SESSION['_config']['notarise']['id'])."',
`points`='".intval($newpoints)."', `awarded`='".intval($awarded)."',
`location`='".mysql_real_escape_string(stripslashes($_POST['location']))."',
`date`='".mysql_real_escape_string(stripslashes($_POST['date']))."',
`when`=NOW()";
    //record active acceptance by Assurer
    // NOTE(review): check_date_format() with a year argument is presumably
    // true for meeting dates in 2010 or later — confirm in notary.inc.php.
    if (check_date_format(trim($_REQUEST['date']),2010)) {
        write_user_agreement($_SESSION['profile']['id'], "CCA", "assurance", "Assuring", 1, $_SESSION['_config']['notarise']['id']);
        write_user_agreement($_SESSION['_config']['notarise']['id'], "CCA", "assurance", "Being assured", 0, $_SESSION['profile']['id']);
    }
    // Only a TTP admin may have the assurance recorded as TTP-assisted;
    // `method` on its own is client-supplied.
    if($_SESSION['profile']['ttpadmin'] == 1 && ($_POST['method'] == 'Trusted 3rd Parties' || $_POST['method'] == 'Trusted Third Parties')) {
        $query .= ",\n`method`='TTP-Assisted'";
    }
    mysql_query($query);
    fix_assurer_flag($_SESSION['_config']['notarise']['id']);
    // Redundant: notary.inc.php is already require_once'd at the top of
    // this file.
    include_once("../includes/notary.inc.php");

    // "Administrative Increase" for the assurer: 2 points per assurance
    // while holding 100..148 points, 1 point at 149.  Below 100 the row is
    // still written, with 0 points.
    if($_SESSION['profile']['points'] < 150)
    {
        $addpoints = 0;
        if($_SESSION['profile']['points'] < 149 && $_SESSION['profile']['points'] >= 100)
            $addpoints = 2;
        else if($_SESSION['profile']['points'] == 149 && $_SESSION['profile']['points'] >= 100)
            $addpoints = 1;
        $query = "insert into `notary` set `from`='".intval($_SESSION['profile']['id'])."',
`to`='".intval($_SESSION['profile']['id'])."',
`points`='".intval($addpoints)."', `awarded`='".intval($addpoints)."',
`location`='".mysql_real_escape_string(stripslashes($_POST['location']))."',
`date`='".mysql_real_escape_string(stripslashes($_POST['date']))."',
`method`='Administrative Increase',
`when`=NOW()";
        mysql_query($query);

        // No need to fix_assurer_flag here, this should only happen for assurers...
        // Keep the session copy of the total in step with the database.
        $_SESSION['profile']['points'] += $addpoints;
    }

    // Mail to the assuree, in the assuree's own language.
    $my_translation = L10n::get_translation();
    L10n::set_translation($_SESSION['_config']['notarise']['language']);

    $body = sprintf(_("You are receiving this email because you have been assured by %s %s (%s)."), $_SESSION['profile']['fname'], $_SESSION['profile']['lname'], $_SESSION['profile']['email'])."\n\n";
    // Say so when the requested points were capped.
    if($_POST['points'] != $newpoints)
        $body .= sprintf(_("You were issued %s points however the system has rounded this down to %s and you now have %s points in total."), $_POST['points'], $newpoints, ($newpoints + $drow['total']))."\n\n";
    else
        $body .= sprintf(_("You were issued %s points and you now have %s points in total."), $newpoints, ($newpoints + $drow['total']))."\n\n";

    // 50..99 points: certificate privileges unlock.
    if(($drow['total'] + $newpoints) < 100 && ($drow['total'] + $newpoints) >= 50)
    {
        $body .= _("You now have over 50 points, and can now have your name added to client certificates, and issue server certificates for up to 2 years.")."\n\n";
    }

    // 100 or more points (and something was credited): point at the assurer
    // challenge and the listing pages.
    if(($drow['total'] + $newpoints) >= 100 && $newpoints > 0)
    {
        $body .= _("You have at least 100 Assurance Points, if you want to become an assurer try the Assurer Challenge")." ( https://cats.cacert.org )\n\n";
        $body .= _("To make it easier for others in your area to find you, it's helpful to list yourself as an assurer (this is voluntary), as well as a physical location where you live or work the most. You can flag your account to be listed, and add a comment to the display by going to:")."\n";
        $body .= "https://www.cacert.org/wot.php?id=8\n\n";
        $body .= _("You can list your location by going to:")."\n";
        $body .= "https://www.cacert.org/wot.php?id=13\n\n";
    }

    $body .= _("Best regards")."\n";
    $body .= _("CAcert Support Team");

    sendmail($_SESSION['_config']['notarise']['email'], "[CAcert.org] "._("You've been Assured."), $body, "support@cacert.org", "", "", "CAcert Website");

    // Back to the assurer's language for the confirmation to the assurer.
    L10n::set_translation($my_translation);

    $body = sprintf(_("You are receiving this email because you have assured %s %s (%s)."), $_SESSION['_config']['notarise']['fname'], $_SESSION['_config']['notarise']['lname'], $_SESSION['_config']['notarise']['email'])."\n\n";
    if($_POST['points'] != $newpoints)
        $body .= sprintf(_("You issued %s points however the system has rounded this down to %s and they now have %s points in total."), $_POST['points'], $newpoints, ($newpoints + $drow['total']))."\n\n";
    else
        $body .= sprintf(_("You issued %s points and they now have %s points in total."), $newpoints, ($newpoints + $drow['total']))."\n\n";

    $body .= _("Best regards")."\n";
    $body .= _("CAcert Support Team");

    sendmail($_SESSION['profile']['email'], "[CAcert.org] "._("You've Assured Another Member."), $body, "support@cacert.org", "", "", "CAcert Support");

    // NOTE(review): only two arguments are passed here; make sure
    // show_page() defaults its $error parameter, otherwise this call fails
    // with an argument-count error on PHP 7.1+.
    show_page('EnterEmail', _("Shortly you and the person you were assuring will receive an email confirmation. There is no action on your behalf required to complete this."));
    exit;
}
459
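// Page 8 (EnterMyInfo) submitted: store whether the assurer wants to be
// listed, plus their free-text contact info.
if ($oldid == 8) {
    csrf_check("chgcontact");

    // Keep the cleaned, *unescaped* text in the session; SQL escaping is
    // applied only where the value enters the query.  The session copy used
    // to hold the escaped form, so its backslashes would be carried into
    // whatever later displays it.
    $info = array_key_exists('contactinfo', $_POST) ? strip_tags(stripslashes($_POST['contactinfo'])) : "";
    $listme = array_key_exists('listme', $_POST) ? intval($_POST['listme']) : 0;
    // Only 0 or 1 are meaningful; anything else means "not listed".
    if ($listme < 0 || $listme > 1) {
        $listme = 0;
    }

    $_SESSION['profile']['listme'] = $listme;
    $_SESSION['profile']['contactinfo'] = $info;

    $query = "update `users` set `listme`='".intval($listme)."',`contactinfo`='".mysql_real_escape_string($info)."' where `id`='".intval($_SESSION['profile']['id'])."'";
    mysql_query($query);

    showheader(_("My CAcert.org Account!"));
    echo "<p>"._("Your account information has been updated.")."</p>";
    showfooter();
    exit;
}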
480
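// Page 9 (ContactAssurer) submitted: relay a message to a listed assurer.
// The pageid/pagehash pair limits the form to one send per rendering.
if ($oldid == 9 && isset($_REQUEST['userid']) && intval($_REQUEST['userid']) > 0 && $_SESSION['profile']['id'] > 0) {
    // Strict comparison on the page token: the loose != used before treated
    // two numeric-looking strings as equal and let a missing hash through.
    if (!isset($_SESSION['_config']['pagehash'])
        || !isset($_REQUEST['pageid'])
        || !is_string($_REQUEST['pageid'])
        || (string)$_SESSION['_config']['pagehash'] !== $_REQUEST['pageid']) {
        $oldid = 0;
        $id = 9;
        show_page("ContactAssurer", "", _("It looks like you were trying to contact multiple people, this isn't allowed due to data security reasons."));
        exit;
    }

    // Only members who opted in (`listme`=1) and hold assurance points can
    // be contacted.
    $userid = intval($_REQUEST['userid']);
    $user = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".intval($userid)."' and `listme`=1"));
    $hasPoints = false;
    if ($user) {
        $pointRows = mysql_num_rows(mysql_query("select sum(`points`) as `total` from `notary`
where `to`='".intval($user['id'])."' and `deleted` = 0 group by `to` HAVING SUM(`points`) > 0"));
        $hasPoints = $pointRows > 0;
    }
    if (!$hasPoints) {
        show_page(0, "", _("Sorry, I was unable to locate that user."));
        exit;
    }

    $my_translation = L10n::get_translation();
    L10n::set_translation($user['language']);

    // The real subject is built here; the subject and message typed into the
    // form only ever go into the mail body.
    $subject = "[CAcert.org] ".sprintf(_("Message from %s"), $_SESSION['profile']['fname']);

    $body = sprintf(_("Hi %s,"), $user['fname'])."\n\n";
    $body .= sprintf(_("%s %s has sent you a message via the contact an Assurer form on CAcert.org."),
        $_SESSION['profile']['fname'],
        $_SESSION['profile']['lname'])."\n\n";
    $body .= sprintf(_("Subject: %s"), isset($_REQUEST['subject']) ? $_REQUEST['subject'] : "")."\n";
    $body .= _("Message:")."\n";
    $body .= (isset($_REQUEST['message']) ? $_REQUEST['message'] : "")."\n\n";
    $body .= "------------------------------------------------\n\n";
    $body .= _("Please note, that this is NOT a message on behalf of CAcert but another CAcert community member. If you suspect that the contact form might have been abused, please write to support@cacert.org")."\n\n";
    $body .= _("Best regards")."\n";
    $body .= _("Your CAcert Community");

    sendmail($user['email'], $subject, $body,
        $_SESSION['profile']['email'], //from
        "", //replyto
        "", //toname
        $_SESSION['profile']['fname']." ".
        $_SESSION['profile']['lname']); //fromname

    L10n::set_translation($my_translation);

    showheader(_("My CAcert.org Account!"));
?>
<p>
<?php printf(_("Your email has been sent to %s."), sanitizeHTML($user['fname'])); ?>
</p>
<p>[ <a href='javascript:history.go(-2)'><?= _("Go Back") ?></a> ]</p>
<?php
    showfooter();
    exit;
}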
// Any other page-9 submission (no usable userid, or no logged-in profile)
// is an error; re-show the contact form.
if ($oldid == 9) {
    $id = 9;
    $oldid = 0;
    show_page("ContactAssurer", "", _("There was an error and I couldn't proceed"));
    exit;
}
551
// showheader(_("My CAcert.org Account!"));
// echo "ID now = ".$id."/".$oldid.">>".$iecho;
// includeit($id, "wot");
// showfooter();
// Default rendering when no branch above finished the request: show the
// requested sub-page.  $id is expected to come from the request via
// loadem() or the assignments above; an unset $id renders only the header
// and footer.
show_page ($id,"","");
?>