PageRenderTime 75ms CodeModel.GetById 26ms RepoModel.GetById 1ms app.codeStats 0ms

/core/user_api.php

https://github.com/markkimsal/mantisbt
PHP | 1391 lines | 832 code | 263 blank | 296 comment | 160 complexity | 13fdf1b4e7f96a5b35c971bc3124e24f MD5 | raw file
Possible License(s): GPL-2.0, LGPL-2.1 
    

  1. <?php
    2. 

  2. # MantisBT - A PHP based bugtracking system
    3. 

  3. 

  4. # MantisBT is free software: you can redistribute it and/or modify
    5. 

  5. # it under the terms of the GNU General Public License as published by
    6. 

  6. # the Free Software Foundation, either version 2 of the License, or
    7. 

  7. # (at your option) any later version.
    8. 

  8. #
    9. 

  9. # MantisBT is distributed in the hope that it will be useful,
    10. 

  10. # but WITHOUT ANY WARRANTY; without even the implied warranty of
    11. 

  11. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    12. 

  12. # GNU General Public License for more details.
    13. 

  13. #
    14. 

  14. # You should have received a copy of the GNU General Public License
    15. 

  15. # along with MantisBT.  If not, see <http://www.gnu.org/licenses/>.
    16. 

  16. 

  17. /**
    18. 

  18.  * User API
    19. 

  19.  *
    20. 

  20.  * @package CoreAPI
    21. 

  21.  * @subpackage UserAPI
    22. 

  22.  * @copyright Copyright (C) 2000 - 2002  Kenzaburo Ito - kenito@300baud.org
    23. 

  23.  * @copyright Copyright (C) 2002 - 2010  MantisBT Team - mantisbt-dev@lists.sourceforge.net
    24. 

  24.  * @link http://www.mantisbt.org
    25. 

  25.  *
    26. 

  26.  * @uses access_api.php
    27. 

  27.  * @uses authentication_api.php
    28. 

  28.  * @uses config_api.php
    29. 

  29.  * @uses constant_inc.php
    30. 

  30.  * @uses database_api.php
    31. 

  31.  * @uses email_api.php
    32. 

  32.  * @uses error_api.php
    33. 

  33.  * @uses filter_api.php
    34. 

  34.  * @uses helper_api.php
    35. 

  35.  * @uses lang_api.php
    36. 

  36.  * @uses ldap_api.php
    37. 

  37.  * @uses project_api.php
    38. 

  38.  * @uses project_hierarchy_api.php
    39. 

  39.  * @uses string_api.php
    40. 

  40.  * @uses user_pref_api.php
    41. 

  41.  * @uses utility_api.php
    42. 

  42.  */
    43. 

  43. 

  44. require_api( 'access_api.php' );
    45. 

  45. require_api( 'authentication_api.php' );
    46. 

  46. require_api( 'config_api.php' );
    47. 

  47. require_api( 'constant_inc.php' );
    48. 

  48. require_api( 'database_api.php' );
    49. 

  49. require_api( 'email_api.php' );
    50. 

  50. require_api( 'error_api.php' );
    51. 

  51. require_api( 'filter_api.php' );
    52. 

  52. require_api( 'helper_api.php' );
    53. 

  53. require_api( 'lang_api.php' );
    54. 

  54. require_api( 'ldap_api.php' );
    55. 

  55. require_api( 'project_api.php' );
    56. 

  56. require_api( 'project_hierarchy_api.php' );
    57. 

  57. require_api( 'string_api.php' );
    58. 

  58. require_api( 'user_pref_api.php' );
    59. 

  59. require_api( 'utility_api.php' );
    60. 

  60. 

  61. # ===================================
    62. 

  62. # Caching
    63. 

  63. # ===================================
    64. 

  64. # ########################################
    65. 

  65. # SECURITY NOTE: cache globals are initialized here to prevent them
    66. 

  66. #   being spoofed if register_globals is turned on
    67. 

  67. 

  68. $g_cache_user = array();
    69. 

  69. 

  70. # --------------------
    71. 

  71. # Cache a user row if necessary and return the cached copy
    72. 

  72. #  If the second parameter is true (default), trigger an error
    73. 

  73. #  if the user can't be found.  If the second parameter is
    74. 

  74. #  false, return false if the user can't be found.
    75. 

  75. function user_cache_row( $p_user_id, $p_trigger_errors = true ) {
    76. 

  76. 	global $g_cache_user;
    77. 

  77. 

  78. 	if( isset( $g_cache_user[$p_user_id] ) ) {
    79. 

  79. 		return $g_cache_user[$p_user_id];
    80. 

  80. 	}
    81. 

  81. 

  82. 	$t_user_table = db_get_table( 'user' );
    83. 

  83. 

  84. 	$query = "SELECT *
    85. 

  85. 				  FROM $t_user_table
    86. 

  86. 				  WHERE id=" . db_param();
    87. 

  87. 	$result = db_query_bound( $query, Array( $p_user_id ) );
    88. 

  88. 

  89. 	if( 0 == db_num_rows( $result ) ) {
    90. 

  90. 		$g_cache_user[$p_user_id] = false;
    91. 

  91. 

  92. 		if( $p_trigger_errors ) {
    93. 

  93. 			error_parameters( (integer)$p_user_id );
    94. 

  94. 			trigger_error( ERROR_USER_BY_ID_NOT_FOUND, ERROR );
    95. 

  95. 		}
    96. 

  96. 

  97. 		return false;
    98. 

  98. 	}
    99. 

  99. 

  100. 	$row = db_fetch_array( $result );
    101. 

  101. 

  102. 	$g_cache_user[$p_user_id] = $row;
    103. 

  103. 

  104. 	return $row;
    105. 

  105. }
    106. 

  106. 

  107. function user_cache_array_rows( $p_user_id_array ) {
    108. 

  108. 	global $g_cache_user;
    109. 

  109. 	$c_user_id_array = array();
    110. 

  110. 

  111. 	foreach( $p_user_id_array as $t_user_id ) {
    112. 

  112. 		if( !isset( $g_cache_user[(int) $t_user_id] ) ) {
    113. 

  113. 			$c_user_id_array[] = (int) $t_user_id;
    114. 

  114. 		}
    115. 

  115. 	}
    116. 

  116. 

  117. 	if( empty( $c_user_id_array ) ) {
    118. 

  118. 		return;
    119. 

  119. 	}
    120. 

  120. 

  121. 	$t_user_table = db_get_table( 'user' );
    122. 

  122. 

  123. 	$query = "SELECT *
    124. 

  124. 				  FROM $t_user_table
    125. 

  125. 				  WHERE id IN (" . implode( ',', $c_user_id_array ) . ')';
    126. 

  126. 	$result = db_query_bound( $query );
    127. 

  127. 

  128. 	while( $row = db_fetch_array( $result ) ) {
    129. 

  129. 		$g_cache_user[(int) $row['id']] = $row;
    130. 

  130. 	}
    131. 

  131. 	return;
    132. 

  132. }
    133. 

  133. 

  134. # --------------------
    135. 

  135. # Cache an object as a bug.
    136. 

  136. function user_cache_database_result( $p_user_database_result ) {
    137. 

  137. 	global $g_cache_user;
    138. 

  138. 

  139. 	if( isset( $g_cache_user[$p_user_database_result['id']] ) ) {
    140. 

  140. 		return $g_cache_user[$p_user_database_result['id']];
    141. 

  141. 	}
    142. 

  142. 

  143. 	$g_cache_user[$p_user_database_result['id']] = $p_user_database_result;
    144. 

  144. }
    145. 

  145. 

  146. # --------------------
    147. 

  147. # Clear the user cache (or just the given id if specified)
    148. 

  148. function user_clear_cache( $p_user_id = null ) {
    149. 

  149. 	global $g_cache_user;
    150. 

  150. 

  151. 	if( null === $p_user_id ) {
    152. 

  152. 		$g_cache_user = array();
    153. 

  153. 	} else {
    154. 

  154. 		unset( $g_cache_user[$p_user_id] );
    155. 

  155. 	}
    156. 

  156. 

  157. 	return true;
    158. 

  158. }
    159. 

  159. 

  160. function user_update_cache( $p_user_id, $p_field, $p_value ) {
    161. 

  161. 	global $g_cache_user;
    162. 

  162. 

  163. 	if( isset( $g_cache_user[$p_user_id] ) && isset( $g_cache_user[$p_user_id][$p_field] ) ) {
    164. 

  164. 		$g_cache_user[$p_user_id][$p_field] = $p_value;
    165. 

  165. 	} else {
    166. 

  166. 		user_clear_cache( $p_user_id );
    167. 

  167. 	}
    168. 

  168. }
    169. 

  169. 

  170. function user_search_cache( $p_field, $p_value ) {
    171. 

  171. 	global $g_cache_user;
    172. 

  172. 	if( isset( $g_cache_user ) ) {
    173. 

  173. 		foreach( $g_cache_user as $t_user ) {
    174. 

  174. 			if( $t_user[$p_field] == $p_value ) {
    175. 

  175. 				return $t_user;
    176. 

  176. 			}
    177. 

  177. 		}
    178. 

  178. 	}
    179. 

  179. 	return false;
    180. 

  180. }
    181. 

  181. 

  182. # ===================================
    183. 

  183. # Boolean queries and ensures
    184. 

  184. # ===================================
    185. 

  185. # --------------------
    186. 

  186. # check to see if user exists by id
    187. 

  187. # return true if it does, false otherwise
    188. 

  188. #
    189. 

  189. # Use user_cache_row() to benefit from caching if called multiple times
    190. 

  190. #  and because if the user does exist the data may well be wanted
    191. 

  191. function user_exists( $p_user_id ) {
    192. 

  192. 	$row = user_cache_row( $p_user_id, false );
    193. 

  193. 

  194. 	if( false === $row ) {
    195. 

  195. 		return false;
    196. 

  196. 	} else {
    197. 

  197. 		return true;
    198. 

  198. 	}
    199. 

  199. }
    200. 

  200. 

  201. # --------------------
    202. 

  202. # check to see if project exists by id
    203. 

  203. # if it doesn't exist then error
    204. 

  204. #  otherwise let execution continue undisturbed
    205. 

  205. function user_ensure_exists( $p_user_id ) {
    206. 

  206. 	$c_user_id = (integer)$p_user_id;
    207. 

  207. 

  208. 	if ( !user_exists( $c_user_id ) ) {
    209. 

  209. 		error_parameters( $c_user_id );
    210. 

  210. 		trigger_error( ERROR_USER_BY_ID_NOT_FOUND, ERROR );
    211. 

  211. 	}
    212. 

  212. }
    213. 

  213. 

  214. # --------------------
    215. 

  215. # return true if the username is unique, false if there is already a user
    216. 

  216. #  with that username
    217. 

  217. function user_is_name_unique( $p_username ) {
    218. 

  218. 	$t_user_table = db_get_table( 'user' );
    219. 

  219. 

  220. 	$query = "SELECT username
    221. 

  221. 				FROM $t_user_table
    222. 

  222. 				WHERE username=" . db_param();
    223. 

  223. 	$result = db_query_bound( $query, Array( $p_username ), 1 );
    224. 

  224. 

  225. 	if( db_num_rows( $result ) > 0 ) {
    226. 

  226. 		return false;
    227. 

  227. 	} else {
    228. 

  228. 		return true;
    229. 

  229. 	}
    230. 

  230. }
    231. 

  231. 

  232. # --------------------
    233. 

  233. # Check if the username is unique and trigger an ERROR if it isn't
    234. 

  234. function user_ensure_name_unique( $p_username ) {
    235. 

  235. 	if( !user_is_name_unique( $p_username ) ) {
    236. 

  236. 		trigger_error( ERROR_USER_NAME_NOT_UNIQUE, ERROR );
    237. 

  237. 	}
    238. 

  238. }
    239. 

  239. 

  240. # --------------------
    241. 

  241. # Check if the realname is a valid username (does not account for uniqueness)
    242. 

  242. # Return 0 if it is invalid, The number of matches + 1
    243. 

  243. function user_is_realname_unique( $p_username, $p_realname ) {
    244. 

  244. 	if( is_blank( $p_realname ) ) {
    245. 

  245. 		# don't bother checking if realname is blank
    246. 

  246. 		return 1;
    247. 

  247. 	}
    248. 

  248. 

  249. 	$p_username = trim( $p_username );
    250. 

  250. 	$p_realname = trim( $p_realname );
    251. 

  251. 

  252. 	# allow realname to match username
    253. 

  253. 	$t_count = 0;
    254. 

  254. 	if( $p_realname <> $p_username ) {
    255. 

  255. 		# check realname does not match an existing username
    256. 

  256. 		#  but allow it to match the current user
    257. 

  257. 		$t_target_user = user_get_id_by_name( $p_username );
    258. 

  258. 		$t_other_user = user_get_id_by_name( $p_realname );
    259. 

  259. 		if( ( 0 != $t_other_user ) && ( $t_target_user != $t_other_user ) ) {
    260. 

  260. 			return 0;
    261. 

  261. 		}
    262. 

  262. 

  263. 		# check to see if the realname is unique
    264. 

  264. 		$t_user_table = db_get_table( 'user' );
    265. 

  265. 		$query = "SELECT id
    266. 

  266. 				FROM $t_user_table
    267. 

  267. 				WHERE realname=" . db_param();
    268. 

  268. 		$result = db_query_bound( $query, Array( $p_realname ) );
    269. 

  269. 		$t_count = db_num_rows( $result );
    270. 

  270. 

  271. 		if( $t_count > 0 ) {
    272. 

  272. 			# set flags for non-unique realnames
    273. 

  273. 			if( config_get( 'differentiate_duplicates' ) ) {
    274. 

  274. 				for( $i = 0;$i < $t_count;$i++ ) {
    275. 

  275. 					$t_user_id = db_result( $result, $i );
    276. 

  276. 					user_set_field( $t_user_id, 'duplicate_realname', ON );
    277. 

  277. 				}
    278. 

  278. 			}
    279. 

  279. 		}
    280. 

  280. 	}
    281. 

  281. 	return $t_count + 1;
    282. 

  282. }
    283. 

  283. 

  284. # --------------------
    285. 

  285. # Check if the realname is a unique
    286. 

  286. # Trigger an error if the username is not valid
    287. 

  287. function user_ensure_realname_unique( $p_username, $p_realname ) {
    288. 

  288. 	if( 1 > user_is_realname_unique( $p_username, $p_realname ) ) {
    289. 

  289. 		trigger_error( ERROR_USER_REAL_MATCH_USER, ERROR );
    290. 

  290. 	}
    291. 

  291. }
    292. 

  292. 

  293. # --------------------
    294. 

  294. # Check if the realname is a valid (does not account for uniqueness)
    295. 

  295. # true: valid, false: not valid
    296. 

  296. function user_is_realname_valid( $p_realname ) {
    297. 

  297. 	return( !string_contains_scripting_chars( $p_realname ) );
    298. 

  298. }
    299. 

  299. 

  300. # --------------------
    301. 

  301. # Check if the realname is a valid (does not account for uniqueness), if not, trigger an error
    302. 

  302. function user_ensure_realname_valid( $p_realname ) {
    303. 

  303. 	if( !user_is_realname_valid( $p_realname ) ) {
    304. 

  304. 		trigger_error( ERROR_USER_REAL_NAME_INVALID, ERROR );
    305. 

  305. 	}
    306. 

  306. }
    307. 

  307. 

  308. # --------------------
    309. 

  309. # Check if the username is a valid username (does not account for uniqueness)
    310. 

  310. #  realname can match
    311. 

  311. # Return true if it is, false otherwise
    312. 

  312. function user_is_name_valid( $p_username ) {
    313. 

  313. 

  314. 	# The DB field is hard-coded. USERLEN should not be modified.
    315. 

  315. 	if( utf8_strlen( $p_username ) > USERLEN ) {
    316. 

  316. 		return false;
    317. 

  317. 	}
    318. 

  318. 

  319. 	# username must consist of at least one character
    320. 

  320. 	if( is_blank( $p_username ) ) {
    321. 

  321. 		return false;
    322. 

  322. 	}
    323. 

  323. 

  324. 	# Only allow a basic set of characters
    325. 

  325. 	if( 0 == preg_match( config_get( 'user_login_valid_regex' ), $p_username ) ) {
    326. 

  326. 		return false;
    327. 

  327. 	}
    328. 

  328. 

  329. 	# We have a valid username
    330. 

  330. 	return true;
    331. 

  331. }
    332. 

  332. 

  333. # --------------------
    334. 

  334. # Check if the username is a valid username (does not account for uniqueness)
    335. 

  335. # Trigger an error if the username is not valid
    336. 

  336. function user_ensure_name_valid( $p_username ) {
    337. 

  337. 	if( !user_is_name_valid( $p_username ) ) {
    338. 

  338. 		trigger_error( ERROR_USER_NAME_INVALID, ERROR );
    339. 

  339. 	}
    340. 

  340. }
    341. 

  341. 

  342. # --------------------
    343. 

  343. # return whether user is monitoring bug for the user id and bug id
    344. 

  344. function user_is_monitoring_bug( $p_user_id, $p_bug_id ) {
    345. 

  345. 	$c_user_id = db_prepare_int( $p_user_id );
    346. 

  346. 	$c_bug_id = db_prepare_int( $p_bug_id );
    347. 

  347. 

  348. 	$t_bug_monitor_table = db_get_table( 'bug_monitor' );
    349. 

  349. 

  350. 	$query = "SELECT COUNT(*)
    351. 

  351. 				  FROM $t_bug_monitor_table
    352. 

  352. 				  WHERE user_id=" . db_param() . " AND bug_id=" . db_param();
    353. 

    354. 

  354. 	$result = db_query_bound( $query, Array( $c_user_id, $c_bug_id ) );
    355. 

  355. 

  356. 	if( 0 == db_result( $result ) ) {
    357. 

  357. 		return false;
    358. 

  358. 	} else {
    359. 

  359. 		return true;
    360. 

  360. 	}
    361. 

  361. }
    362. 

  362. 

  363. # --------------------
    364. 

  364. # return true if the user has access of ADMINISTRATOR or higher, false otherwise
    365. 

  365. function user_is_administrator( $p_user_id ) {
    366. 

  366. 	$t_access_level = user_get_field( $p_user_id, 'access_level' );
    367. 

  367. 

  368. 	if( $t_access_level >= config_get_global( 'admin_site_threshold' ) ) {
    369. 

  369. 		return true;
    370. 

  370. 	} else {
    371. 

  371. 		return false;
    372. 

  372. 	}
    373. 

  373. }
    374. 

  374. 

  375. /*
    376. 

  376.  * Check if a user has a protected user account.
    377. 

  377.  * Protected user accounts cannot be updated without manage_user_threshold
    378. 

  378.  * permission. If the user ID supplied is that of the anonymous user, this
    379. 

  379.  * function will always return true. The anonymous user account is always
    380. 

  380.  * considered to be protected.
    381. 

  381.  *
    382. 

  382.  * @param int $p_user_id
    383. 

  383.  * @return true: user is protected; false: user is not protected.
    384. 

  384.  * @access public
    385. 

  385.  */
    386. 

  386. function user_is_protected( $p_user_id ) {
    387. 

  387. 	if( user_is_anonymous( $p_user_id ) || ON == user_get_field( $p_user_id, 'protected' ) ) {
    388. 

  388. 		return true;
    389. 

  389. 	}
    390. 

  390. 	return false;
    391. 

  391. }
    392. 

  392. 

  393. /*
    394. 

  394.  * Check if a user is the anonymous user account.
    395. 

  395.  * When anonymous logins are disabled this function will always return false.
    396. 

  396.  *
    397. 

  397.  * @param int $p_user_id
    398. 

  398.  * @return true: user is the anonymous user; false: user is not the anonymous user.
    399. 

  399.  * @access public
    400. 

  400.  */
    401. 

  401. function user_is_anonymous( $p_user_id ) {
    402. 

  402. 	if( ON == config_get( 'allow_anonymous_login' ) && user_get_field( $p_user_id, 'username' ) == config_get( 'anonymous_account' ) ) {
    403. 

  403. 		return true;
    404. 

  404. 	}
    405. 

  405. 	return false;
    406. 

  406. }
    407. 

  407. 

  408. # --------------------
    409. 

  409. # Trigger an ERROR if the user account is protected
    410. 

  410. function user_ensure_unprotected( $p_user_id ) {
    411. 

  411. 	if( user_is_protected( $p_user_id ) ) {
    412. 

  412. 		trigger_error( ERROR_PROTECTED_ACCOUNT, ERROR );
    413. 

  413. 	}
    414. 

  414. }
    415. 

  415. 

  416. # --------------------
    417. 

  417. # return true is the user account is enabled, false otherwise
    418. 

  418. function user_is_enabled( $p_user_id ) {
    419. 

  419. 	if( ON == user_get_field( $p_user_id, 'enabled' ) ) {
    420. 

  420. 		return true;
    421. 

  421. 	} else {
    422. 

  422. 		return false;
    423. 

  423. 	}
    424. 

  424. }
    425. 

  425. 

  426. # --------------------
    427. 

  427. # count the number of users at or greater than a specific level
    428. 

  428. function user_count_level( $p_level = ANYBODY ) {
    429. 

  429. 	$t_level = db_prepare_int( $p_level );
    430. 

  430. 	$t_user_table = db_get_table( 'user' );
    431. 

  431. 	$query = "SELECT COUNT(id) FROM $t_user_table WHERE access_level>=" . db_param();
    432. 

  432. 	$result = db_query_bound( $query, Array( $t_level ) );
    433. 

  433. 

  434. 	# Get the list of connected users
    435. 

  435. 	$t_users = db_result( $result );
    436. 

  436. 

  437. 	return $t_users;
    438. 

  438. }
    439. 

  439. 

  440. # --------------------
    441. 

  441. # Return an array of user ids that are logged in.
    442. 

  442. # A user is considered logged in if the last visit timestamp is within the
    443. 

  443. # specified session duration.
    444. 

  444. # If the session duration is 0, then no users will be returned.
    445. 

  445. function user_get_logged_in_user_ids( $p_session_duration_in_minutes ) {
    446. 

  446. 	$t_session_duration_in_minutes = (integer) $p_session_duration_in_minutes;
    447. 

  447. 

  448. 	# if session duration is 0, then there is no logged in users.
    449. 

  449. 	if( $t_session_duration_in_minutes == 0 ) {
    450. 

  450. 		return array();
    451. 

  451. 	}
    452. 

  452. 

  453. 	# Generate timestamp
    454. 

  454. 	$t_last_timestamp_threshold = mktime( date( 'H' ), date( 'i' ) - 1 * $t_session_duration_in_minutes, date( 's' ), date( 'm' ), date( 'd' ), date( 'Y' ) );
    455. 

  455. 

  456. 	$t_user_table = db_get_table( 'user' );
    457. 

  457. 

  458. 	# Execute query
    459. 

  459. 	$query = 'SELECT id FROM ' . $t_user_table . ' WHERE last_visit > ' . db_param();
    460. 

  460. 	$result = db_query_bound( $query, array( $c_last_timestamp_threshold ), 1 );
    461. 

  461. 

  462. 	# Get the list of connected users
    463. 

  463. 	$t_users_connected = array();
    464. 

  464. 	while( $row = db_fetch_array( $result ) ) {
    465. 

  465. 		$t_users_connected[] = $row['id'];
    466. 

  466. 	}
    467. 

  467. 

  468. 	return $t_users_connected;
    469. 

  469. }
    470. 

  470. 

  471. # ===================================
    472. 

  472. # Creation / Deletion / Updating
    473. 

  473. # ===================================
    474. 

  474. # --------------------
    475. 

  475. # Create a user.
    476. 

  476. # returns false if error, the generated cookie string if ok
    477. 

  477. function user_create( $p_username, $p_password, $p_email = '',
    478. 

  478. 	$p_access_level = null, $p_protected = false, $p_enabled = true,
    479. 

  479. 	$p_realname = '', $p_admin_name = '' ) {
    480. 

  480. 	if( null === $p_access_level ) {
    481. 

  481. 		$p_access_level = config_get( 'default_new_account_access_level' );
    482. 

  482. 	}
    483. 

  483. 

  484. 	$t_password = auth_process_plain_password( $p_password );
    485. 

  485. 

  486. 	$c_access_level = db_prepare_int( $p_access_level );
    487. 

  487. 	$c_protected = db_prepare_bool( $p_protected );
    488. 

  488. 	$c_enabled = db_prepare_bool( $p_enabled );
    489. 

  489. 

  490. 	user_ensure_name_valid( $p_username );
    491. 

  491. 	user_ensure_name_unique( $p_username );
    492. 

  492. 	user_ensure_realname_valid( $p_realname );
    493. 

  493. 	user_ensure_realname_unique( $p_username, $p_realname );
    494. 

  494. 	email_ensure_valid( $p_email );
    495. 

  495. 

  496. 	$t_seed = $p_email . $p_username;
    497. 

  497. 	$t_cookie_string = auth_generate_unique_cookie_string( $t_seed );
    498. 

  498. 	$t_user_table = db_get_table( 'user' );
    499. 

  499. 

  500. 	$query = "INSERT INTO $t_user_table
    501. 

  501. 				    ( username, email, password, date_created, last_visit,
    502. 

  502. 				     enabled, access_level, login_count, cookie_string, realname )
    503. 

  503. 				  VALUES
    504. 

  504. 				    ( " . db_param() . ', ' . db_param() . ', ' . db_param() . ', ' . db_param() . ', ' . db_param()  . ",
    505. 

  505. 				     " . db_param() . ',' . db_param() . ',' . db_param() . ',' . db_param() . ', ' . db_param() . ')';
    506. 

  506. 	db_query_bound( $query, Array( $p_username, $p_email, $t_password, db_now(), db_now(), $c_enabled, $c_access_level, 0, $t_cookie_string, $p_realname ) );
    507. 

  507. 

  508. 	# Create preferences for the user
    509. 

  509. 	$t_user_id = db_insert_id( $t_user_table );
    510. 

  510. 

  511. 	# Users are added with protected set to FALSE in order to be able to update
    512. 

  512. 	# preferences.  Now set the real value of protected.
    513. 

  513. 	if( $c_protected ) {
    514. 

  514. 		user_set_field( $t_user_id, 'protected', 1 );
    515. 

  515. 	}
    516. 

  516. 

  517. 	# Send notification email
    518. 

  518. 	if( !is_blank( $p_email ) ) {
    519. 

  519. 		$t_confirm_hash = auth_generate_confirm_hash( $t_user_id );
    520. 

  520. 		email_signup( $t_user_id, $p_password, $t_confirm_hash, $p_admin_name );
    521. 

  521. 	}
    522. 

  522. 

  523. 	return $t_cookie_string;
    524. 

  524. }
    525. 

  525. 

  526. # --------------------
    527. 

  527. # Signup a user.
    528. 

  528. # If the use_ldap_email config option is on then tries to find email using
    529. 

  529. # ldap. $p_email may be empty, but the user wont get any emails.
    530. 

  530. # returns false if error, the generated cookie string if ok
    531. 

  531. function user_signup( $p_username, $p_email = null ) {
    532. 

  532. 	if( null === $p_email ) {
    533. 

  533. 		$p_email = '';
    534. 

  534. 

  535. 		# @@@ I think the ldap_email stuff is a bit borked
    536. 

  536. 		#  Where is it being set?  When is it being used?
    537. 

  537. 		#  Shouldn't we override an email that is passed in here?
    538. 

  538. 		#  If the user doesn't exist in ldap, is the account created?
    539. 

  539. 		#  If so, there password won't get set anywhere...  (etc)
    540. 

  540. 		#  RJF: I was going to check for the existence of an LDAP email.
    541. 

  541. 		#  however, since we can't create an LDAP account at the moment,
    542. 

  542. 		#  and we don't know the user password in advance, we may not be able
    543. 

  543. 		#  to retrieve it anyway.
    544. 

  544. 		#  I'll re-enable this once a plan has been properly formulated for LDAP
    545. 

  545. 		#  account management and creation.
    546. 

  546. 		/*			$t_email = '';
    547. 

  547. 					if ( ON == config_get( 'use_ldap_email' ) ) {
    548. 

  548. 						$t_email = ldap_email_from_username( $p_username );
    549. 

  549. 					}
    550. 

    551. 

  551. 					if ( !is_blank( $t_email ) ) {
    552. 

  552. 						$p_email = $t_email;
    553. 

  553. 					}
    554. 

  554. 		*/
    555. 

  555. 	}
    556. 

  556. 

  557. 	$p_email = trim( $p_email );
    558. 

  558. 

  559. 	$t_seed = $p_email . $p_username;
    560. 

  560. 

  561. 	# Create random password
    562. 

  562. 	$t_password = auth_generate_random_password( $t_seed );
    563. 

  563. 

  564. 	return user_create( $p_username, $t_password, $p_email );
    565. 

  565. }
    566. 

  566. 

  567. # --------------------
    568. 

  568. # delete project-specific user access levels.
    569. 

  569. # returns true when successfully deleted
    570. 

  570. function user_delete_project_specific_access_levels( $p_user_id ) {
    571. 

  571. 	$c_user_id = db_prepare_int( $p_user_id );
    572. 

  572. 

  573. 	user_ensure_unprotected( $p_user_id );
    574. 

  574. 

  575. 	$t_project_user_list_table = db_get_table( 'project_user_list' );
    576. 

  576. 

  577. 	$query = "DELETE FROM $t_project_user_list_table
    578. 

  578. 				  WHERE user_id=" . db_param();
    579. 

  579. 	db_query_bound( $query, Array( $c_user_id ) );
    580. 

  580. 

  581. 	user_clear_cache( $p_user_id );
    582. 

  582. 

  583. 	return true;
    584. 

  584. }
    585. 

  585. 

  586. # --------------------
    587. 

  587. # delete profiles for the specified user
    588. 

  588. # returns true when successfully deleted
    589. 

  589. function user_delete_profiles( $p_user_id ) {
    590. 

  590. 	$c_user_id = db_prepare_int( $p_user_id );
    591. 

  591. 

  592. 	user_ensure_unprotected( $p_user_id );
    593. 

  593. 

  594. 	$t_user_profile_table = db_get_table( 'user_profile' );
    595. 

  595. 

  596. 	# Remove associated profiles
    597. 

  597. 	$query = "DELETE FROM $t_user_profile_table
    598. 

  598. 				  WHERE user_id=" . db_param();
    599. 

  599. 	db_query_bound( $query, Array( $c_user_id ) );
    600. 

  600. 

  601. 	user_clear_cache( $p_user_id );
    602. 

  602. 

  603. 	return true;
    604. 

  604. }
    605. 

  605. 

  606. # --------------------
    607. 

  607. # delete a user account (account, profiles, preferences, project-specific access levels)
    608. 

  608. # returns true when the account was successfully deleted
    609. 

  609. function user_delete( $p_user_id ) {
    610. 

  610. 	$c_user_id = db_prepare_int( $p_user_id );
    611. 

  611. 	$t_user_table = db_get_table( 'user' );
    612. 

  612. 

  613. 	user_ensure_unprotected( $p_user_id );
    614. 

  614. 

  615. 	# Remove associated profiles
    616. 

  616. 	user_delete_profiles( $p_user_id );
    617. 

  617. 

  618. 	# Remove associated preferences
    619. 

  619. 	user_pref_delete_all( $p_user_id );
    620. 

  620. 

  621. 	# Remove project specific access levels
    622. 

  622. 	user_delete_project_specific_access_levels( $p_user_id );
    623. 

  623. 

  624. 	# unset non-unique realname flags if necessary
    625. 

  625. 	if( config_get( 'differentiate_duplicates' ) ) {
    626. 

  626. 		$c_realname = user_get_field( $p_user_id, 'realname' );
    627. 

  627. 		$query = "SELECT id
    628. 

  628. 					FROM $t_user_table
    629. 

  629. 					WHERE realname=" . db_param();
    630. 

  630. 		$result = db_query_bound( $query, Array( $c_realname ) );
    631. 

  631. 		$t_count = db_num_rows( $result );
    632. 

  632. 

  633. 		if( $t_count == 2 ) {
    634. 

  634. 

  635. 			# unset flags if there are now only 2 unique names
    636. 

  636. 			for( $i = 0;$i < $t_count;$i++ ) {
    637. 

  637. 				$t_user_id = db_result( $result, $i );
    638. 

  638. 				user_set_field( $t_user_id, 'duplicate_realname', OFF );
    639. 

  639. 			}
    640. 

  640. 		}
    641. 

  641. 	}
    642. 

  642. 

  643. 	user_clear_cache( $p_user_id );
    644. 

  644. 

  645. 	# Remove account
    646. 

  646. 	$query = "DELETE FROM $t_user_table
    647. 

  647. 				  WHERE id=" . db_param();
    648. 

  648. 	db_query_bound( $query, Array( $c_user_id ) );
    649. 

  649. 

  650. 	return true;
    651. 

  651. }
    652. 

  652. 

  653. # ===================================
    654. 

  654. # Data Access
    655. 

  655. # ===================================
    656. 

  656. # --------------------
    657. 

  657. # get a user id from a username
    658. 

  658. #  return false if the username does not exist
    659. 

  659. function user_get_id_by_name( $p_username ) {
    660. 

  660. 	global $g_cache_user;
    661. 

  661. 	if( $t_user = user_search_cache( 'username', $p_username ) ) {
    662. 

  662. 		return $t_user['id'];
    663. 

  663. 	}
    664. 

  664. 

  665. 	$t_user_table = db_get_table( 'user' );
    666. 

  666. 

  667. 	$query = "SELECT *
    668. 

  668. 				  FROM $t_user_table
    669. 

  669. 				  WHERE username=" . db_param();
    670. 

  670. 	$result = db_query_bound( $query, Array( $p_username ) );
    671. 

  671. 

  672. 	if( 0 == db_num_rows( $result ) ) {
    673. 

  673. 		return false;
    674. 

  674. 	} else {
    675. 

  675. 		$row = db_fetch_array( $result );
    676. 

  676. 		user_cache_database_result( $row );
    677. 

  677. 		return $row['id'];
    678. 

  678. 	}
    679. 

  679. }
    680. 

  680. 

  681. # Get a user id from an email address
    682. 

  682. function user_get_id_by_email( $p_email ) {
    683. 

  683. 	global $g_cache_user;
    684. 

  684. 	if( $t_user = user_search_cache( 'email', $p_email ) ) {
    685. 

  685. 		return $t_user['id'];
    686. 

  686. 	}
    687. 

  687. 

  688. 	$t_user_table = db_get_table( 'user' );
    689. 

  689. 

  690. 	$query = "SELECT *
    691. 

  691. 				  FROM $t_user_table
    692. 

  692. 				  WHERE email=" . db_param();
    693. 

  693. 	$result = db_query_bound( $query, Array( $p_email ) );
    694. 

  694. 

  695. 	if( 0 == db_num_rows( $result ) ) {
    696. 

  696. 		return false;
    697. 

  697. 	} else {
    698. 

  698. 		$row = db_fetch_array( $result );
    699. 

  699. 		user_cache_database_result( $row );
    700. 

  700. 		return $row['id'];
    701. 

  701. 	}
    702. 

  702. }
    703. 

  703. 

  704. # Get a user id from their real name
    705. 

  705. function user_get_id_by_realname( $p_realname ) {
    706. 

  706. 	global $g_cache_user;
    707. 

  707. 	if( $t_user = user_search_cache( 'realname', $p_realname ) ) {
    708. 

  708. 		return $t_user['id'];
    709. 

  709. 	}
    710. 

  710. 

  711. 	$t_user_table = db_get_table( 'user' );
    712. 

  712. 

  713. 	$query = "SELECT *
    714. 

  714. 				  FROM $t_user_table
    715. 

  715. 				  WHERE realname=" . db_param();
    716. 

  716. 	$result = db_query_bound( $query, Array( $p_realname ) );
    717. 

  717. 

  718. 	if( 0 == db_num_rows( $result ) ) {
    719. 

  719. 		return false;
    720. 

  720. 	} else {
    721. 

  721. 		$row = db_fetch_array( $result );
    722. 

  722. 		user_cache_database_result( $row );
    723. 

  723. 		return $row['id'];
    724. 

  724. 	}
    725. 

  725. }
    726. 

  726. 

  727. # --------------------
    728. 

  728. # return all data associated with a particular user name
    729. 

  729. #  return false if the username does not exist
    730. 

  730. function user_get_row_by_name( $p_username ) {
    731. 

  731. 	$t_user_id = user_get_id_by_name( $p_username );
    732. 

  732. 

  733. 	if( false === $t_user_id ) {
    734. 

  734. 		return false;
    735. 

  735. 	}
    736. 

  736. 

  737. 	$row = user_get_row( $t_user_id );
    738. 

  738. 

  739. 	return $row;
    740. 

  740. }
    741. 

  741. 

  742. # --------------------
    743. 

  743. # return a user row
    744. 

  744. function user_get_row( $p_user_id ) {
    745. 

  745. 	return user_cache_row( $p_user_id );
    746. 

  746. }
    747. 

  747. 

  748. # --------------------
    749. 

  749. # return the specified user field for the user id
    750. 

  750. function user_get_field( $p_user_id, $p_field_name ) {
    751. 

  751. 	if( NO_USER == $p_user_id ) {
    752. 

  752. 		trigger_error( 'user_get_field() for NO_USER', WARNING );
    753. 

  753. 		return '@null@';
    754. 

  754. 	}
    755. 

  755. 

  756. 	$row = user_get_row( $p_user_id );
    757. 

  757. 

  758. 	if( isset( $row[$p_field_name] ) ) {
    759. 

  759. 		return $row[$p_field_name];
    760. 

  760. 	} else {
    761. 

  761. 		error_parameters( $p_field_name );
    762. 

  762. 		trigger_error( ERROR_DB_FIELD_NOT_FOUND, WARNING );
    763. 

  763. 		return '';
    764. 

  764. 	}
    765. 

  765. }
    766. 

  766. 

  767. # --------------------
    768. 

  768. # lookup the user's email in LDAP or the db as appropriate
    769. 

  769. function user_get_email( $p_user_id ) {
    770. 

  770. 	$t_email = '';
    771. 

  771. 	if( ON == config_get( 'use_ldap_email' ) ) {
    772. 

  772. 		$t_email = ldap_email( $p_user_id );
    773. 

  773. 	}
    774. 

  774. 	if( is_blank( $t_email ) ) {
    775. 

  775. 		$t_email = user_get_field( $p_user_id, 'email' );
    776. 

  776. 	}
    777. 

  777. 	return $t_email;
    778. 

  778. }
    779. 

  779. 

  780. # --------------------
    781. 

  781. # lookup the user's realname
    782. 

  782. function user_get_realname( $p_user_id ) {
    783. 

  783. 	$t_realname = '';
    784. 

  784. 

  785. 	if ( ON == config_get( 'use_ldap_realname' ) ) {
    786. 

  786. 		$t_realname = ldap_realname( $p_user_id );
    787. 

  787. 	}
    788. 

  788. 

  789. 	if ( is_blank( $t_realname ) ) {
    790. 

  790. 		$t_realname = user_get_field( $p_user_id, 'realname' );
    791. 

  791. 	}
    792. 

  792. 

  793. 	return $t_realname;
    794. 

  794. }
    795. 

  795. 

  796. # --------------------
    797. 

  797. # return the username or a string "user<id>" if the user does not exist
    798. 

  798. # if $g_show_realname is set and real name is not empty, return it instead
    799. 

  799. function user_get_name( $p_user_id ) {
    800. 

  800. 	$row = user_cache_row( $p_user_id, false );
    801. 

  801. 

  802. 	if( false == $row ) {
    803. 

  803. 		return lang_get( 'prefix_for_deleted_users' ) . (int) $p_user_id;
    804. 

  804. 	} else {
    805. 

  805. 		if( ON == config_get( 'show_realname' ) ) {
    806. 

  806. 			if( is_blank( $row['realname'] ) ) {
    807. 

  807. 				return $row['username'];
    808. 

  808. 			} else {
    809. 

  809. 				if( isset( $row['duplicate_realname'] ) && ( ON == $row['duplicate_realname'] ) ) {
    810. 

  810. 					return $row['realname'] . ' (' . $row['username'] . ')';
    811. 

  811. 				} else {
    812. 

  812. 					return $row['realname'];
    813. 

  813. 				}
    814. 

  814. 			}
    815. 

  815. 		} else {
    816. 

  816. 			return $row['username'];
    817. 

  817. 		}
    818. 

  818. 	}
    819. 

  819. }
    820. 

  820. 

  821. /**
    822. 

  822. * Return the user avatar image URL
    823. 

  823. * in this first implementation, only gravatar.com avatars are supported
    824. 

  824. * @return array|bool an array( URL, width, height ) or false when the given user has no avatar
    825. 

  825. */
    826. 

  826. function user_get_avatar( $p_user_id, $p_size = 80 ) {
    827. 

  827. 	$t_email = utf8_strtolower( user_get_email( $p_user_id ) );
    828. 

  828. 	if( is_blank( $t_email ) ) {
    829. 

  829. 		$t_result = false;
    830. 

  830. 	} else {
    831. 

  831. 		$t_default_image = config_get( 'default_avatar' );
    832. 

  832. 		$t_size = $p_size;
    833. 

  833. 

  834. 		$t_use_ssl = false;
    835. 

  835. 		if( isset( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
    836. 

  836. 			$t_use_ssl = true;
    837. 

  837. 		}
    838. 

  838. 

  839. 		if( !$t_use_ssl ) {
    840. 

  840. 			$t_gravatar_domain = 'http://www.gravatar.com/';
    841. 

  841. 		} else {
    842. 

  842. 			$t_gravatar_domain = 'https://secure.gravatar.com/';
    843. 

  843. 		}
    844. 

  844. 

  845. 		$t_avatar_url = $t_gravatar_domain . 'avatar.php?gravatar_id=' . md5( $t_email ) . '&default=' . urlencode( $t_default_image ) . '&size=' . $t_size . '&rating=G';
    846. 

  846. 		$t_result = array(
    847. 

  847. 			$t_avatar_url,
    848. 

  848. 			$t_size,
    849. 

  849. 			$t_size,
    850. 

  850. 		);
    851. 

  851. 	}
    852. 

  852. 

  853. 	return $t_result;
    854. 

  854. }
    855. 

  855. 

  856. # --------------------
    857. 

  857. # return the user's access level
    858. 

  858. #  account for private project and the project user lists
    859. 

  859. function user_get_access_level( $p_user_id, $p_project_id = ALL_PROJECTS ) {
    860. 

  860. 	$t_access_level = user_get_field( $p_user_id, 'access_level' );
    861. 

  861. 

  862. 	if( user_is_administrator( $p_user_id ) ) {
    863. 

  863. 		return $t_access_level;
    864. 

  864. 	}
    865. 

  865. 

  866. 	$t_project_access_level = project_get_local_user_access_level( $p_project_id, $p_user_id );
    867. 

  867. 

  868. 	if( false === $t_project_access_level ) {
    869. 

  869. 		return $t_access_level;
    870. 

  870. 	} else {
    871. 

  871. 		return $t_project_access_level;
    872. 

  872. 	}
    873. 

  873. }
    874. 

  874. 

  875. $g_user_accessible_projects_cache = null;
    876. 

  876. 

  877. # --------------------
    878. 

  878. # retun an array of project IDs to which the user has access
    879. 

  879. function user_get_accessible_projects( $p_user_id, $p_show_disabled = false ) {
    880. 

  880. 	global $g_user_accessible_projects_cache;
    881. 

  881. 

  882. 	if( null !== $g_user_accessible_projects_cache && auth_get_current_user_id() == $p_user_id && false == $p_show_disabled ) {
    883. 

  883. 		return $g_user_accessible_projects_cache;
    884. 

  884. 	}
    885. 

  885. 

  886. 	if( access_has_global_level( config_get( 'private_project_threshold' ), $p_user_id ) ) {
    887. 

  887. 		$t_projects = project_hierarchy_get_subprojects( ALL_PROJECTS, $p_show_disabled );
    888. 

  888. 	} else {
    889. 

  889. 		$t_project_table = db_get_table( 'project' );
    890. 

  890. 		$t_project_user_list_table = db_get_table( 'project_user_list' );
    891. 

  891. 		$t_project_hierarchy_table = db_get_table( 'project_hierarchy' );
    892. 

  892. 

  893. 		$t_public = VS_PUBLIC;
    894. 

  894. 		$t_private = VS_PRIVATE;
    895. 

  895. 

  896. 		$result = null;
    897. 

  897. 

  898. 		$query = "SELECT p.id, p.name, ph.parent_id
    899. 

  899. 						  FROM $t_project_table p
    900. 

  900. 						  LEFT JOIN $t_project_user_list_table u
    901. 

  901. 						    ON p.id=u.project_id AND u.user_id=" . db_param() . "
    902. 

  902. 						  LEFT JOIN $t_project_hierarchy_table ph
    903. 

  903. 						    ON ph.child_id = p.id
    904. 

  904. 						  WHERE " . ( $p_show_disabled ? '' : ( 'p.enabled = ' . db_param() . ' AND ' ) ) . "
    905. 

  905. 							( p.view_state=" . db_param() . "
    906. 

  906. 							    OR (p.view_state=" . db_param() . "
    907. 

  907. 								    AND
    908. 

  908. 							        u.user_id=" . db_param() . " )
    909. 

  909. 							)
    910. 

  910. 			  ORDER BY p.name";
    911. 

  911. 		$result = db_query_bound( $query, ( $p_show_disabled ? Array( $p_user_id, $t_public, $t_private, $p_user_id ) : Array( $p_user_id, true, $t_public, $t_private, $p_user_id ) ) );
    912. 

  912. 

  913. 		$row_count = db_num_rows( $result );
    914. 

  914. 

  915. 		$t_projects = array();
    916. 

  916. 

  917. 		for( $i = 0;$i < $row_count;$i++ ) {
    918. 

  918. 			$row = db_fetch_array( $result );
    919. 

  919. 

  920. 			$t_projects[(int)$row['id']] = ( $row['parent_id'] === NULL ) ? 0 : (int)$row['parent_id'];
    921. 

  921. 		}
    922. 

  922. 

  923. 		# prune out children where the parents are already listed. Make the list
    924. 

  924. 		#  first, then prune to avoid pruning a parent before the child is found.
    925. 

  925. 		$t_prune = array();
    926. 

  926. 		foreach( $t_projects as $t_id => $t_parent ) {
    927. 

  927. 			if(( $t_parent !== 0 ) && isset( $t_projects[$t_parent] ) ) {
    928. 

  928. 				$t_prune[] = $t_id;
    929. 

  929. 			}
    930. 

  930. 		}
    931. 

  931. 		foreach( $t_prune as $t_id ) {
    932. 

  932. 			unset( $t_projects[$t_id] );
    933. 

  933. 		}
    934. 

  934. 		$t_projects = array_keys( $t_projects );
    935. 

  935. 	}
    936. 

  936. 

  937. 	if( auth_get_current_user_id() == $p_user_id ) {
    938. 

  938. 		$g_user_accessible_projects_cache = $t_projects;
    939. 

  939. 	}
    940. 

  940. 

  941. 	return $t_projects;
    942. 

  942. }
    943. 

  943. 

  944. $g_user_accessible_subprojects_cache = null;
    945. 

  945. 

  946. # --------------------
    947. 

  947. # retun an array of subproject IDs of a certain project to which the user has access
    948. 

  948. function user_get_accessible_subprojects( $p_user_id, $p_project_id, $p_show_disabled = false ) {
    949. 

  949. 	global $g_user_accessible_subprojects_cache;
    950. 

  950. 

  951. 	if( null !== $g_user_accessible_subprojects_cache && auth_get_current_user_id() == $p_user_id && false == $p_show_disabled ) {
    952. 

  952. 		if( isset( $g_user_accessible_subprojects_cache[$p_project_id] ) ) {
    953. 

  953. 			return $g_user_accessible_subprojects_cache[$p_project_id];
    954. 

  954. 		} else {
    955. 

  955. 			return Array();
    956. 

  956. 		}
    957. 

  957. 	}
    958. 

  958. 

  959. 	$t_project_table = db_get_table( 'project' );
    960. 

  960. 	$t_project_user_list_table = db_get_table( 'project_user_list' );
    961. 

  961. 	$t_project_hierarchy_table = db_get_table( 'project_hierarchy' );
    962. 

  962. 

  963. 	$t_public = VS_PUBLIC;
    964. 

  964. 	$t_private = VS_PRIVATE;
    965. 

  965. 

  966. 	if( access_has_global_level( config_get( 'private_project_threshold' ), $p_user_id ) ) {
    967. 

  967. 		$t_enabled_clause = $p_show_disabled ? '' : 'p.enabled = ' . db_param() . ' AND';
    968. 

  968. 		$query = "SELECT DISTINCT p.id, p.name, ph.parent_id
    969. 

  969. 					  FROM $t_project_table p
    970. 

  970. 					  LEFT JOIN $t_project_hierarchy_table ph
    971. 

  971. 					    ON ph.child_id = p.id
    972. 

  972. 					  WHERE $t_enabled_clause
    973. 

  973. 					  	 ph.parent_id IS NOT NULL
    974. 

  974. 					  ORDER BY p.name";
    975. 

  975. 		$result = db_query_bound( $query, ( $p_show_disabled ? null : Array( true ) ) );
    976. 

  976. 	} else {
    977. 

  977. 		$query = "SELECT DISTINCT p.id, p.name, ph.parent_id
    978. 

  978. 					  FROM $t_project_table p
    979. 

  979. 					  LEFT JOIN $t_project_user_list_table u
    980. 

  980. 					    ON p.id = u.project_id AND u.user_id=" . db_param() . "
    981. 

  981. 					  LEFT JOIN $t_project_hierarchy_table ph
    982. 

  982. 					    ON ph.child_id = p.id
    983. 

  983. 					  WHERE " . ( $p_show_disabled ? '' : ( 'p.enabled = ' . db_param() . ' AND ' ) ) . '
    984. 

  984. 					  	ph.parent_id IS NOT NULL AND
    985. 

  985. 						( p.view_state=' . db_param() . '
    986. 

  986. 						    OR (p.view_state=' . db_param() . '
    987. 

  987. 							    AND
    988. 

  988. 						        u.user_id=' . db_param() . ' )
    989. 

  989. 						)
    990. 

  990. 					  ORDER BY p.name';
    991. 

  991. 		$result = db_query_bound( $query, ( $p_show_disabled ? Array( $p_user_id, $t_public, $t_private, $p_user_id ) : Array( $p_user_id, 1, $t_public, $t_private, $p_user_id ) ) );
    992. 

  992. 	}
    993. 

  993. 

  994. 	$row_count = db_num_rows( $result );
    995. 

  995. 

  996. 	$t_projects = array();
    997. 

  997. 

  998. 	for( $i = 0;$i < $row_count;$i++ ) {
    999. 

  999. 		$row = db_fetch_array( $result );
    1000. 

  1000. 

  1001. 		if( !isset( $t_projects[(int)$row['parent_id']] ) ) {
    1002. 

  1002. 			$t_projects[(int)$row['parent_id']] = array();
    1003. 

  1003. 		}
    1004. 

  1004. 

  1005. 		array_push( $t_projects[(int)$row['parent_id']], (int)$row['id'] );
    1006. 

  1006. 	}
    1007. 

  1007. 

  1008. 	if( auth_get_current_user_id() == $p_user_id ) {
    1009. 

  1009. 		$g_user_accessible_subprojects_cache = $t_projects;
    1010. 

  1010. 	}
    1011. 

  1011. 

  1012. 	if( !isset( $t_projects[(int)$p_project_id] ) ) {
    1013. 

  1013. 		$t_projects[(int)$p_project_id] = array();
    1014. 

  1014. 	}
    1015. 

  1015. 

  1016. 	return $t_projects[(int)$p_project_id];
    1017. 

  1017. }
    1018. 

  1018. 

  1019. # --------------------
    1020. 

  1020. function user_get_all_accessible_subprojects( $p_user_id, $p_project_id ) {
    1021. 

  1021. 	/** @todo (thraxisp) Should all top level projects be a sub-project of ALL_PROJECTS implicitly?
    1022. 

  1022. 	 *  affects how news and some summaries are generated
    1023. 

  1023. 	 */
    1024. 

  1024. 	$t_todo = user_get_accessible_subprojects( $p_user_id, $p_project_id );
    1025. 

  1025. 	$t_subprojects = Array();
    1026. 

  1026. 

  1027. 	while( $t_todo ) {
    1028. 

  1028. 		$t_elem = (int)array_shift( $t_todo );
    1029. 

  1029. 		if( !in_array( $t_elem, $t_subprojects ) ) {
    1030. 

  1030. 			array_push( $t_subprojects, $t_elem );
    1031. 

  1031. 			$t_todo = array_merge( $t_todo, user_get_accessible_subprojects( $p_user_id, $t_elem ) );
    1032. 

  1032. 		}
    1033. 

  1033. 	}
    1034. 

  1034. 

  1035. 	return $t_subprojects;
    1036. 

  1036. }
    1037. 

  1037. 

  1038. function user_get_all_accessible_projects( $p_user_id, $p_project_id ) {
    1039. 

  1039. 	if( ALL_PROJECTS == $p_project_id ) {
    1040. 

  1040. 		$t_topprojects = $t_project_ids = user_get_accessible_projects( $p_user_id );
    1041. 

  1041. 		foreach( $t_topprojects as $t_project ) {
    1042. 

  1042. 			$t_project_ids = array_merge( $t_project_ids, user_get_all_accessible_subprojects( $p_user_id, $t_project ) );
    1043. 

  1043. 		}
    1044. 

  1044. 

  1045. 		$t_project_ids = array_unique( $t_project_ids );
    1046. 

  1046. 	} else {
    1047. 

  1047. 		access_ensure_project_level( VIEWER, $p_project_id );
    1048. 

  1048. 		$t_project_ids = user_get_all_accessible_subprojects( $p_user_id, $p_project_id );
    1049. 

  1049. 		array_unshift( $t_project_ids, $p_project_id );
    1050. 

  1050. 	}
    1051. 

  1051. 

  1052. 	return $t_project_ids;
    1053. 

  1053. }
    1054. 

  1054. 

  1055. 

  1056. # --------------------
    1057. 

  1057. # return the number of open assigned bugs to a user in a project
    1058. 

  1058. function user_get_assigned_open_bug_count( $p_user_id, $p_project_id = ALL_PROJECTS ) {
    1059. 

  1059. 	$t_bug_table = db_get_table( 'bug' );
    1060. 

  1060. 

  1061. 	$t_where_prj = helper_project_specific_where( $p_project_id, $p_user_id ) . ' AND';
    1062. 

  1062. 

  1063. 	$t_resolved = config_get( 'bug_resolved_status_threshold' );
    1064. 

  1064. 

  1065. 	$query = "SELECT COUNT(*)
    1066. 

  1066. 				  FROM $t_bug_table
    1067. 

  1067. 				  WHERE $t_where_prj
    1068. 

  1068. 				  		status<'$t_resolved' AND
    1069. 

  1069. 				  		handler_id=" . db_param();
    1070. 

  1070. 	$result = db_query_bound( $query, Array( $p_user_id ) );
    1071. 

  1071. 

  1072. 	return db_result( $result );
    1073. 

  1073. }
    1074. 

  1074. 

  1075. # --------------------
    1076. 

  1076. # return the number of open reported bugs by a user in a project
    1077. 

  1077. function user_get_reported_open_bug_count( $p_user_id, $p_project_id = ALL_PROJECTS ) {
    1078. 

  1078. 	$t_bug_table = db_get_table( 'bug' );
    1079. 

  1079. 

  1080. 	$t_where_prj = helper_project_specific_where( $p_project_id, $p_user_id ) . ' AND';
    1081. 

  1081. 

  1082. 	$t_resolved = config_get( 'bug_resolved_status_threshold' );
    1083. 

  1083. 

  1084. 	$query = "SELECT COUNT(*)
    1085. 

  1085. 				  FROM $t_bug_table
    1086. 

  1086. 				  WHERE $t_where_prj
    1087. 

  1087. 						  status<'$t_resolved' AND
    1088. 

  1088. 						  reporter_id=" . db_param();
    1089. 

  1089. 	$result = db_query_bound( $query, Array( $p_user_id ) );
    1090. 

  1090. 

  1091. 	return db_result( $result );
    1092. 

  1092. }
    1093. 

  1093. 

  1094. # --------------------
    1095. 

  1095. # return a profile row
    1096. 

  1096. function user_get_profile_row( $p_user_id, $p_profile_id ) {
    1097. 

  1097. 	$c_user_id = db_prepare_int( $p_user_id );
    1098. 

  1098. 	$c_profile_id = db_prepare_int( $p_profile_id );
    1099. 

  1099. 

  1100. 	$t_user_profile_table = db_get_table( 'user_profile' );
    1101. 

  1101. 

  1102. 	$query = "SELECT *
    1103. 

  1103. 				  FROM $t_user_profile_table
    1104. 

  1104. 				  WHERE id=" . db_param() . " AND
    1105. 

  1105. 				  		user_id=" . db_param();
    1106. 

  1106. 	$result = db_query_bound( $query, Array( $c_profile_id, $c_user_id ) );
    1107. 

  1107. 

  1108. 	if( 0 == db_num_rows( $result ) ) {
    1109. 

  1109. 		trigger_error( ERROR_USER_PROFILE_NOT_FOUND, ERROR );
    1110. 

  1110. 	}
    1111. 

  1111. 

  1112. 	$row = db_fetch_array( $result );
    1113. 

  1113. 

  1114. 	return $row;
    1115. 

  1115. }
    1116. 

  1116. 

  1117. # --------------------
    1118. 

  1118. # Get failed login attempts
    1119. 

  1119. function user_is_login_request_allowed( $p_user_id ) {
    1120. 

  1120. 	$t_max_failed_login_count = config_get( 'max_failed_login_count' );
    1121. 

  1121. 	$t_failed_login_count = user_get_field( $p_user_id, 'failed_login_count' );
    1122. 

  1122. 	return( $t_failed_login_count < $t_max_failed_login_count || OFF == $t_max_failed_login_count );
    1123. 

  1123. }
    1124. 

  1124. 

  1125. # --------------------
    1126. 

  1126. # Get 'lost password' in progress attempts
    1127. 

  1127. function user_is_lost_password_request_allowed( $p_user_id ) {
    1128. 

  1128. 	if( OFF == config_get( 'lost_password_feature' ) ) {
    1129. 

  1129. 		return false;
    1130. 

  1130. 	}
    1131. 

  1131. 	$t_max_lost_password_in_progress_count = config_get( 'max_lost_password_in_progress_count' );
    1132. 

  1132. 	$t_lost_password_in_progress_count = user_get_field( $p_user_id, 'lost_password_request_count' );
    1133. 

  1133. 	return( $t_lost_password_in_progress_count < $t_max_lost_password_in_progress_count || OFF == $t_max_lost_password_in_progress_count );
    1134. 

  1134. }
    1135. 

  1135. 

  1136. # --------------------
    1137. 

  1137. # return the bug filter parameters for the specified user
    1138. 

  1138. function user_get_bug_filter( $p_user_id, $p_project_id = null ) {
    1139. 

  1139. 	if( null === $p_project_id ) {
    1140. 

  1140. 		$t_project_id = helper_get_current_project();
    1141. 

  1141. 	} else {
    1142. 

  1142. 		$t_project_id = $p_project_id;
    1143. 

  1143. 	}
    1144. 

  1144. 

  1145. 	$t_view_all_cookie_id = filter_db_get_project_current( $t_project_id, $p_user_id );
    1146. 

  1146. 	$t_view_all_cookie = filter_db_get_filter( $t_view_all_cookie_id, $p_user_id );
    1147. 

  1147. 	$t_cookie_detail = explode( '#', $t_view_all_cookie, 2 );
    1148. 

  1148. 

  1149. 	if( !isset( $t_cookie_detail[1] ) ) {
    1150. 

  1150. 		return false;
    1151. 

  1151. 	}
    1152. 

  1152. 

  1153. 	$t_filter = unserialize( $t_cookie_detail[1] );
    1154. 

  1154. 

  1155. 	$t_filter = filter_ensure_valid_filter( $t_filter );
    1156. 

  1156. 

  1157. 	return $t_filter;
    1158. 

  1158. }
    1159. 

  1159. 

  1160. # ===================================
    1161. 

  1161. # Data Modification
    1162. 

  1162. # ===================================
    1163. 

  1163. # --------------------
    1164. 

  1164. # Update the last_visited field to be now
    1165. 

  1165. function user_update_last_visit( $p_user_id ) {
    1166. 

  1166. 	$c_user_id = db_prepare_int( $p_user_id );
    1167. 

  1167. 	$c_value = db_now();
    1168. 

  1168. 

  1169. 	$t_user_table = db_get_table( 'user' );
    1170. 

  1170. 

  1171. 	$query = "UPDATE $t_user_table
    1172. 

  1172. 				  SET last_visit= " . db_param() . "
    1173. 

  1173. 				  WHERE id=" . db_param();
    1174. 

    1175. 

  1175. 	db_query_bound( $query, Array( $c_value, $c_user_id ) );
    1176. 

  1176. 

  1177. 	user_update_cache( $p_user_id, 'last_visit', $c_value );
    1178. 

  1178. 

  1179. 	# db_query errors on failure so:
    1180. 

  1180. 	return true;
    1181. 

  1181. }
    1182. 

  1182. 

  1183. # --------------------
    1184. 

  1184. # Increment the number of times the user has logegd in
    1185. 

  1185. # This function is only called from the login.php script
    1186. 

  1186. function user_increment_login_count( $p_user_id ) {
    1187. 

  1187. 	$t_user_table = db_get_table( 'user' );
    1188. 

  1188. 

  1189. 	$query = "UPDATE $t_user_table
    1190. 

  1190. 				SET login_count=login_count+1
    1191. 

  1191. 				WHERE id=" . db_param();
    1192. 

    1193. 

  1193. 	db_query_bound( $query, Array( $p_user_id ) );
    1194. 

  1194. 

  1195. 	user_clear_cache( $p_user_id );
    1196. 

  1196. 

  1197. 	# db_query errors on failure so:
    1198. 

  1198. 	return true;
    1199. 

  1199. }
    1200. 

  1200. 

  1201. # --------------------
    1202. 

  1202. # Reset to zero the failed login attempts
    1203. 

  1203. function user_reset_failed_login_count_to_zero( $p_user_id ) {
    1204. 

  1204. 	$t_user_table = db_get_table( 'user' );
    1205. 

  1205. 

  1206. 	$query = "UPDATE $t_user_table
    1207. 

  1207. 				SET failed_login_count=0
    1208. 

  1208. 				WHERE id=" . db_param();
    1209. 

  1209. 	db_query_bound( $query, Array( $p_user_id ) );
    1210. 

  1210. 

  1211. 	user_clear_cache( $p_user_id );
    1212. 

  1212. 

  1213. 	return true;
    1214. 

  1214. }
    1215. 

  1215. 

  1216. # --------------------
    1217. 

  1217. # Increment the failed login count by 1
    1218. 

  1218. function user_increment_failed_login_count( $p_user_id ) {
    1219. 

  1219. 	$t_user_table = db_get_table( 'user' );
    1220. 

  1220. 

  1221. 	$query = "UPDATE $t_user_table
    1222. 

  1222. 				SET failed_login_count=failed_login_count+1
    1223. 

  1223. 				WHERE id=" . db_param();
    1224. 

  1224. 	db_query_bound( $query, Array( $p_user_id ) );
    1225. 

  1225. 

  1226. 	user_clear_cache( $p_user_id );
    1227. 

  1227. 

  1228. 	return true;
    1229. 

  1229. }
    1230. 

  1230. 

  1231. # --------------------
    1232. 

  1232. # Reset to zero the 'lost password' in progress attempts
    1233. 

  1233. function user_reset_lost_password_in_progress_count_to_zero( $p_user_id ) {
    1234. 

  1234. 	$t_user_table = db_get_table( 'user' );
    1235. 

  1235. 

  1236. 	$query = "UPDATE $t_user_table
    1237. 

  1237. 				SET lost_password_request_count=0
    1238. 

  1238. 				WHERE id=" . db_param();
    1239. 

  1239. 	db_query_bound( $query, Array( $p_user_id ) );
    1240. 

  1240. 

  1241. 	user_clear_cache( $p_user_id );
    1242. 

  1242. 

  1243. 	return true;
    1244. 

  1244. }
    1245. 

  1245. 

  1246. # --------------------
    1247. 

  1247. # Increment the failed login count by 1
    1248. 

  1248. function user_increment_lost_password_in_progress_count( $p_user_id ) {
    1249. 

  1249. 	$t_user_table = db_get_table( 'user' );
    1250. 

  1250. 

  1251. 	$query = "UPDATE $t_user_table
    1252. 

  1252. 				SET lost_password_request_count=lost_password_request_count+1
    1253. 

  1253. 				WHERE id=" . db_param();
    1254. 

  1254. 	db_query_bound( $query, Array( $p_user_id ) );
    1255. 

  1255. 

  1256. 	user_clear_cache( $p_user_id );
    1257. 

  1257. 

  1258. 	return true;
    1259. 

  1259. }
    1260. 

  1260. 

  1261. # --------------------
    1262. 

  1262. # Set a user field
    1263. 

  1263. function user_set_field( $p_user_id, $p_field_name, $p_field_value ) {
    1264. 

  1264. 	$c_user_id = db_prepare_int( $p_user_id );
    1265. 

  1265. 	$c_field_name = db_prepare_string( $p_field_name );
    1266. 

  1266. 

  1267. 	if( $p_field_name != 'protected' ) {
    1268. 

  1268. 		user_ensure_unprotected( $p_user_id );
    1269. 

  1269. 	}
    1270. 

  1270. 

  1271. 	$t_user_table = db_get_table( 'user' );
    1272. 

  1272. 

  1273. 	$query = 'UPDATE ' . $t_user_table .
    1274. 

  1274. 		     ' SET ' . $c_field_name . '=' . db_param() .
    1275. 

  1275. 			 ' WHERE id=' . db_param();
    1276. 

  1276. 

  1277. 	db_query_bound( $query, Array( $p_field_value, $c_user_id ) );
    1278. 

  1278. 

  1279. 	user_clear_cache( $p_user_id );
    1280. 

  1280. 

  1281. 	# db_query errors on failure so:
    1282. 

  1282. 	return true;
    1283. 

  1283. }
    1284. 

  1284. 

  1285. # --------------------
    1286. 

  1286. # Set the user's default project
    1287. 

  1287. function user_set_default_project( $p_user_id, $p_project_id ) {
    1288. 

  1288. 	return user_pref_set_pref( $p_user_id, 'default_project', (int) $p_project_id );
    1289. 

  1289. }
    1290. 

  1290. 

  1291. # --------------------
    1292. 

  1292. # Set the user's password to the given string, encoded as appropriate
    1293. 

  1293. function user_set_password( $p_user_id, $p_password, $p_allow_protected = false ) {
    1294. 

  1294. 	if( !$p_allow_protected ) {
    1295. 

  1295. 		user_ensure_unprotected( $p_user_id );
    1296. 

  1296. 	}
    1297. 

  1297. 

  1298. 	$t_email = user_get_field( $p_user_id, 'email' );
    1299. 

  1299. 	$t_username = user_get_field( $p_user_id, 'username' );
    1300. 

  1300. 

  1301. 	# When the password is changed, invalidate the cookie to expire sessions that
    1302. 

  1302. 	# may be active on all browsers.
    1303. 

  1303. 	$t_seed = $t_email . $t_username;
    1304. 

  1304. 	$c_cookie_string = auth_generate_unique_cookie_string( $t_seed );
    1305. 

  1305. 

  1306. 	$c_user_id = db_prepare_int( $p_user_id );
    1307. 

  1307. 	$c_password = auth_process_plain_password( $p_password );
    1308. 

  1308. 	$c_user_table = db_get_table( 'user' );
    1309. 

  1309. 

  1310. 	$query = "UPDATE $c_user_table
    1311. 

  1311. 				  SET password=" . db_param() . ",
    1312. 

  1312. 				  cookie_string=" . db_param() . "
    1313. 

  1313. 				  WHERE id=" . db_param();
    1314. 

  1314. 	db_query_bound( $query, Array( $c_password, $c_cookie_string, $c_user_id ) );
    1315. 

  1315. 

  1316. 	# db_query errors on failure so:
    1317. 

  1317. 	return true;
    1318. 

  1318. }
    1319. 

  1319. 

  1320. # --------------------
    1321. 

  1321. # Set the user's email to the given string after checking that it is a valid email
    1322. 

  1322. function user_set_email( $p_user_id, $p_email ) {
    1323. 

  1323. 	email_ensure_valid( $p_email );
    1324. 

  1324. 

  1325. 	return user_set_field( $p_user_id, 'email', $p_email );
    1326. 

  1326. }
    1327. 

  1327. 

  1328. # --------------------
    1329. 

  1329. # Set the user's realname to the given string after checking validity
    1330. 

  1330. function user_set_realname( $p_user_id, $p_realname ) {
    1331. 

  1331. 	/** @todo ensure_realname_valid( $p_realname ); */
    1332. 

  1332. 

  1333. 	return user_set_field( $p_user_id, 'realname', $p_realname );
    1334. 

  1334. }
    1335. 

  1335. 

  1336. # --------------------
    1337. 

  1337. # Set the user's username to the given string after checking that it is valid
    1338. 

  1338. function user_set_name( $p_user_id, $p_username ) {
    1339. 

  1339. 	user_ensure_name_valid( $p_username );
    1340. 

  1340. 	user_ensure_name_unique( $p_username );
    1341. 

  1341. 

  1342. 	return user_set_field( $p_user_id, 'username', $p_username );
    1343. 

  1343. }
    1344. 

  1344. 

  1345. # --------------------
    1346. 

  1346. # Reset the user's password
    1347. 

  1347. #  Take into account the 'send_reset_password' setting
    1348. 

  1348. #   - if it is ON, generate a random password and send an email
    1349. 

  1349. #      (unless the second parameter is false)
    1350. 

  1350. #   - if it is OFF, set the password to blank
    1351. 

  1351. #  Return false if the user is protected, true if the password was
    1352. 

  1352. #   successfully reset
    1353. 

  1353. function user_reset_password( $p_user_id, $p_send_email = true ) {
    1354. 

  1354. 	$t_protected = user_get_field( $p_user_id, 'protected' );
    1355. 

  1355. 

  1356. 	# Go with random password and email it to the user
    1357. 

  1357. 	if( ON == $t_protected ) {
    1358. 

  1358. 		return false;
    1359. 

  1359. 	}
    1360. 

  1360. 

  1361. 	# @@@ do we want to force blank password instead of random if
    1362. 

  1362. 	#      email notifications are turned off?
    1363. 

  1363. 	#     How would we indicate that we had done this with a return value?
    1364. 

  1364. 	#     Should we just have two functions? (user_reset_password_random()
    1365. 

  1365. 	#     and user_reset_password() )?
    1366. 

  1366. 	if(( ON == config_get( 'send_reset_password' ) ) && ( ON == config_get( 'enable_email_notification' ) ) ) {
    1367. 

  1367. 

  1368. 		# Create random password
    1369. 

  1369. 		$t_email = user_get_field( $p_user_id, 'email' );
    1370. 

  1370. 		$t_password = auth_generate_random_password( $t_email );
    1371. 

  1371. 		$t_password2 = auth_process_plain_password( $t_password );
    1372. 

  1372. 

  1373. 		user_set_field( $p_user_id, 'password', $t_password2 );
    1374. 

  1374. 

  1375. 		# Send notification email
    1376. 

  1376. 		if( $p_send_email ) {
    1377. 

  1377. 			$t_confirm_hash = auth_generate_confirm_hash( $p_user_id );
    1378. 

  1378. 			email_send_confirm_hash_url( $p_user_id, $t_confirm_hash );
    1379. 

  1379. 		}
    1380. 

  1380. 	} else {
    1381. 

  1381. 

  1382. 		# use blank password, no emailing
    1383. 

  1383. 		$t_password = auth_process_plain_password( '' );
    1384. 

  1384. 		user_set_field( $p_user_id, 'password', $t_password );
    1385. 

  1385. 

  1386. 		# reset the failed login count because in this mode there is no emailing
    1387. 

  1387. 		user_reset_failed_login_count_to_zero( $p_user_id );
    1388. 

  1388. 	}
    1389. 

  1389. 

  1390. 	return true;
    1391. 

  1391. }
    1392. 

  1392.