--- /dev/null
+<?php\r
+/*\r
+UserCake Version: 2.0.2\r
+http://usercake.com\r
+*/\r
+\r
+//Functions that do not interact with DB\r
+//------------------------------------------------------------------------------\r
+\r
+//Retrieve a list of all .php files in models/languages\r
+function getLanguageFiles()\r
+{\r
+ $directory = "models/languages/";\r
+ $languages = glob($directory . "*.php");\r
+ //print each file name\r
+ return $languages;\r
+}\r
+\r
+//Retrieve a list of all .css files in models/site-templates \r
+function getTemplateFiles()\r
+{\r
+ $directory = "models/site-templates/";\r
+ $languages = glob($directory . "*.css");\r
+ //print each file name\r
+ return $languages;\r
+}\r
+\r
+//Retrieve a list of all .php files in root files folder\r
+function getPageFiles()\r
+{\r
+ $directory = "";\r
+ $pages = glob($directory . "*.php");\r
+ //print each file name\r
+ foreach ($pages as $page){\r
+ $row[$page] = $page;\r
+ }\r
+ return $row;\r
+}\r
+\r
+//Destroys a session as part of logout\r
+function destroySession($name)\r
+{\r
+ if(isset($_SESSION[$name]))\r
+ {\r
+ $_SESSION[$name] = NULL;\r
+ unset($_SESSION[$name]);\r
+ }\r
+}\r
+\r
+//Generate a unique code\r
+function getUniqueCode($length = "")\r
+{ \r
+ $code = md5(uniqid(rand(), true));\r
+ if ($length != "") return substr($code, 0, $length);\r
+ else return $code;\r
+}\r
+\r
+//Generate an activation key\r
+function generateActivationToken($gen = null)\r
+{\r
+ do\r
+ {\r
+ $gen = md5(uniqid(mt_rand(), false));\r
+ }\r
+ while(validateActivationToken($gen));\r
+ return $gen;\r
+}\r
+\r
+//@ Thanks to - http://phpsec.org\r
+function generateHash($plainText, $salt = null)\r
+{\r
+ if ($salt === null)\r
+ {\r
+ $salt = substr(md5(uniqid(rand(), true)), 0, 25);\r
+ }\r
+ else\r
+ {\r
+ $salt = substr($salt, 0, 25);\r
+ }\r
+ \r
+ return $salt . sha1($salt . $plainText);\r
+}\r
+\r
+//Checks if an email is valid\r
+function isValidEmail($email)\r
+{\r
+ if (filter_var($email, FILTER_VALIDATE_EMAIL)) {\r
+ return true;\r
+ }\r
+ else {\r
+ return false;\r
+ }\r
+}\r
+\r
+//Inputs language strings from selected language.\r
+function lang($key,$markers = NULL)\r
+{\r
+ global $lang;\r
+ if($markers == NULL)\r
+ {\r
+ $str = $lang[$key];\r
+ }\r
+ else\r
+ {\r
+ //Replace any dyamic markers\r
+ $str = $lang[$key];\r
+ $iteration = 1;\r
+ foreach($markers as $marker)\r
+ {\r
+ $str = str_replace("%m".$iteration."%",$marker,$str);\r
+ $iteration++;\r
+ }\r
+ }\r
+ //Ensure we have something to return\r
+ if($str == "")\r
+ {\r
+ return ("No language key found");\r
+ }\r
+ else\r
+ {\r
+ return $str;\r
+ }\r
+}\r
+\r
+//Checks if a string is within a min and max length\r
+function minMaxRange($min, $max, $what)\r
+{\r
+ if(strlen(trim($what)) < $min)\r
+ return true;\r
+ else if(strlen(trim($what)) > $max)\r
+ return true;\r
+ else\r
+ return false;\r
+}\r
+\r
+//Replaces hooks with specified text\r
+function replaceDefaultHook($str)\r
+{\r
+ global $default_hooks,$default_replace; \r
+ return (str_replace($default_hooks,$default_replace,$str));\r
+}\r
+\r
+//Displays error and success messages\r
+function resultBlock($errors,$successes){\r
+ //Error block\r
+ if(count($errors) > 0)\r
+ {\r
+ echo "<div id='error'>\r
+ <a href='#' onclick=\"showHide('error');\">[X]</a>\r
+ <ul>";\r
+ foreach($errors as $error)\r
+ {\r
+ echo "<li>".$error."</li>";\r
+ }\r
+ echo "</ul>";\r
+ echo "</div>";\r
+ }\r
+ //Success block\r
+ if(count($successes) > 0)\r
+ {\r
+ echo "<div id='success'>\r
+ <a href='#' onclick=\"showHide('success');\">[X]</a>\r
+ <ul>";\r
+ foreach($successes as $success)\r
+ {\r
+ echo "<li>".$success."</li>";\r
+ }\r
+ echo "</ul>";\r
+ echo "</div>";\r
+ }\r
+}\r
+\r
+//Completely sanitizes text\r
+function sanitize($str)\r
+{\r
+ return strtolower(strip_tags(trim(($str))));\r
+}\r
+\r
+//Functions that interact mainly with .users table\r
+//------------------------------------------------------------------------------\r
+\r
+//Delete a defined array of users\r
+function deleteUsers($users) {\r
+ global $mysqli,$db_table_prefix; \r
+ $i = 0;\r
+ $stmt = $mysqli->prepare("DELETE FROM ".$db_table_prefix."users \r
+ WHERE id = ?");\r
+ $stmt2 = $mysqli->prepare("DELETE FROM ".$db_table_prefix."user_permission_matches \r
+ WHERE user_id = ?");\r
+ foreach($users as $id){\r
+ $stmt->bind_param("i", $id);\r
+ $stmt->execute();\r
+ $stmt2->bind_param("i", $id);\r
+ $stmt2->execute();\r
+ $i++;\r
+ }\r
+ $stmt->close();\r
+ $stmt2->close();\r
+ return $i;\r
+}\r
+\r
+//Check if a display name exists in the DB\r
+function displayNameExists($displayname)\r
+{\r
+ global $mysqli,$db_table_prefix;\r
+ $stmt = $mysqli->prepare("SELECT active\r
+ FROM ".$db_table_prefix."users\r
+ WHERE\r
+ display_name = ?\r
+ LIMIT 1");\r
+ $stmt->bind_param("s", $displayname); \r
+ $stmt->execute();\r
+ $stmt->store_result();\r
+ $num_returns = $stmt->num_rows;\r
+ $stmt->close();\r
+ \r
+ if ($num_returns > 0)\r
+ {\r
+ return true;\r
+ }\r
+ else\r
+ {\r
+ return false; \r
+ }\r
+}\r
+\r
+//Check if an email exists in the DB\r
+function emailExists($email)\r
+{\r
+ global $mysqli,$db_table_prefix;\r
+ $stmt = $mysqli->prepare("SELECT active\r
+ FROM ".$db_table_prefix."users\r
+ WHERE\r
+ email = ?\r
+ LIMIT 1");\r
+ $stmt->bind_param("s", $email); \r
+ $stmt->execute();\r
+ $stmt->store_result();\r
+ $num_returns = $stmt->num_rows;\r
+ $stmt->close();\r
+ \r
+ if ($num_returns > 0)\r
+ {\r
+ return true;\r
+ }\r
+ else\r
+ {\r
+ return false; \r
+ }\r
+}\r
+\r
+//Check if a user name and email belong to the same user\r
+function emailUsernameLinked($email,$username)\r
+{\r
+ global $mysqli,$db_table_prefix;\r
+ $stmt = $mysqli->prepare("SELECT active\r
+ FROM ".$db_table_prefix."users\r
+ WHERE user_name = ?\r
+ AND\r
+ email = ?\r
+ LIMIT 1\r
+ ");\r
+ $stmt->bind_param("ss", $username, $email); \r
+ $stmt->execute();\r
+ $stmt->store_result();\r
+ $num_returns = $stmt->num_rows;\r
+ $stmt->close();\r
+ \r
+ if ($num_returns > 0)\r
+ {\r
+ return true;\r
+ }\r
+ else\r
+ {\r
+ return false; \r
+ }\r
+}\r
+\r
+//Retrieve information for all users\r
+function fetchAllUsers()\r
+{\r
+ global $mysqli,$db_table_prefix; \r
+ $stmt = $mysqli->prepare("SELECT \r
+ id,\r
+ user_name,\r
+ display_name,\r
+ password,\r
+ email,\r
+ activation_token,\r
+ last_activation_request,\r
+ lost_password_request,\r
+ active,\r
+ title,\r
+ sign_up_stamp,\r
+ last_sign_in_stamp\r
+ FROM ".$db_table_prefix."users");\r
+ $stmt->execute();\r
+ $stmt->bind_result($id, $user, $display, $password, $email, $token, $activationRequest, $passwordRequest, $active, $title, $signUp, $signIn);\r
+ \r
+ while ($stmt->fetch()){\r
+ $row[] = array('id' => $id, 'user_name' => $user, 'display_name' => $display, 'password' => $password, 'email' => $email, 'activation_token' => $token, 'last_activation_request' => $activationRequest, 'lost_password_request' => $passwordRequest, 'active' => $active, 'title' => $title, 'sign_up_stamp' => $signUp, 'last_sign_in_stamp' => $signIn);\r
+ }\r
+ $stmt->close();\r
+ return ($row);\r
+}\r
+\r
+//Retrieve complete user information by username, token or ID\r
+function fetchUserDetails($username=NULL,$token=NULL, $id=NULL)\r
+{\r
+ if($username!=NULL) {\r
+ $column = "user_name";\r
+ $data = $username;\r
+ }\r
+ elseif($token!=NULL) {\r
+ $column = "activation_token";\r
+ $data = $token;\r
+ }\r
+ elseif($id!=NULL) {\r
+ $column = "id";\r
+ $data = $id;\r
+ }\r
+ global $mysqli,$db_table_prefix; \r
+ $stmt = $mysqli->prepare("SELECT \r
+ id,\r
+ user_name,\r
+ display_name,\r
+ password,\r
+ email,\r
+ activation_token,\r
+ last_activation_request,\r
+ lost_password_request,\r
+ active,\r
+ title,\r
+ sign_up_stamp,\r
+ last_sign_in_stamp\r
+ FROM ".$db_table_prefix."users\r
+ WHERE\r
+ $column = ?\r
+ LIMIT 1");\r
+ $stmt->bind_param("s", $data);\r
+ \r
+ $stmt->execute();\r
+ $stmt->bind_result($id, $user, $display, $password, $email, $token, $activationRequest, $passwordRequest, $active, $title, $signUp, $signIn);\r
+ while ($stmt->fetch()){\r
+ $row = array('id' => $id, 'user_name' => $user, 'display_name' => $display, 'password' => $password, 'email' => $email, 'activation_token' => $token, 'last_activation_request' => $activationRequest, 'lost_password_request' => $passwordRequest, 'active' => $active, 'title' => $title, 'sign_up_stamp' => $signUp, 'last_sign_in_stamp' => $signIn);\r
+ }\r
+ $stmt->close();\r
+ return ($row);\r
+}\r
+\r
+//Toggle if lost password request flag on or off\r
+function flagLostPasswordRequest($username,$value)\r
+{\r
+ global $mysqli,$db_table_prefix;\r
+ $stmt = $mysqli->prepare("UPDATE ".$db_table_prefix."users\r
+ SET lost_password_request = ?\r
+ WHERE\r
+ user_name = ?\r
+ LIMIT 1\r
+ ");\r
+ $stmt->bind_param("ss", $value, $username);\r
+ $result = $stmt->execute();\r
+ $stmt->close();\r
+ return $result;\r
+}\r
+\r
+//Check if a user is logged in\r
+function isUserLoggedIn()\r
+{\r
+ global $loggedInUser,$mysqli,$db_table_prefix;\r
+ $stmt = $mysqli->prepare("SELECT \r
+ id,\r
+ password\r
+ FROM ".$db_table_prefix."users\r
+ WHERE\r
+ id = ?\r
+ AND \r
+ password = ? \r
+ AND\r
+ active = 1\r
+ LIMIT 1");\r
+ $stmt->bind_param("is", $loggedInUser->user_id, $loggedInUser->hash_pw); \r
+ $stmt->execute();\r
+ $stmt->store_result();\r
+ $num_returns = $stmt->num_rows;\r
+ $stmt->close();\r
+ \r
+ if($loggedInUser == NULL)\r
+ {\r
+ return false;\r
+ }\r
+ else\r
+ {\r
+ if ($num_returns > 0)\r
+ {\r
+ return true;\r
+ }\r
+ else\r
+ {\r
+ destroySession("userCakeUser");\r
+ return false; \r
+ }\r
+ }\r
+}\r
+\r
+//Change a user from inactive to active\r
+function setUserActive($token)\r
+{\r
+ global $mysqli,$db_table_prefix;\r
+ $stmt = $mysqli->prepare("UPDATE ".$db_table_prefix."users\r
+ SET active = 1\r
+ WHERE\r
+ activation_token = ?\r
+ LIMIT 1");\r
+ $stmt->bind_param("s", $token);\r
+ $result = $stmt->execute();\r
+ $stmt->close(); \r
+ return $result;\r
+}\r
+\r
+//Change a user's display name\r
+function updateDisplayName($id, $display)\r
+{\r
+ global $mysqli,$db_table_prefix;\r
+ $stmt = $mysqli->prepare("UPDATE ".$db_table_prefix."users\r
+ SET display_name = ?\r
+ WHERE\r
+ id = ?\r
+ LIMIT 1");\r
+ $stmt->bind_param("si", $display, $id);\r
+ $result = $stmt->execute();\r
+ $stmt->close();\r
+ return $result;\r
+}\r
+\r
+//Update a user's email\r
+function updateEmail($id, $email)\r
+{\r
+ global $mysqli,$db_table_prefix;\r
+ $stmt = $mysqli->prepare("UPDATE ".$db_table_prefix."users\r
+ SET \r
+ email = ?\r
+ WHERE\r
+ id = ?");\r
+ $stmt->bind_param("si", $email, $id);\r
+ $result = $stmt->execute();\r
+ $stmt->close(); \r
+ return $result;\r
+}\r
+\r
+//Input new activation token, and update the time of the most recent activation request\r
+function updateLastActivationRequest($new_activation_token,$username,$email)\r
+{\r
+ global $mysqli,$db_table_prefix; \r
+ $stmt = $mysqli->prepare("UPDATE ".$db_table_prefix."users\r
+ SET activation_token = ?,\r
+ last_activation_request = ?\r
+ WHERE email = ?\r
+ AND\r
+ user_name = ?");\r
+ $stmt->bind_param("ssss", $new_activation_token, time(), $email, $username);\r
+ $result = $stmt->execute();\r
+ $stmt->close(); \r
+ return $result;\r
+}\r
+\r
+//Generate a random password, and new token\r
+function updatePasswordFromToken($pass,$token)\r
+{\r
+ global $mysqli,$db_table_prefix;\r
+ $new_activation_token = generateActivationToken();\r
+ $stmt = $mysqli->prepare("UPDATE ".$db_table_prefix."users\r
+ SET password = ?,\r
+ activation_token = ?\r
+ WHERE\r
+ activation_token = ?");\r
+ $stmt->bind_param("sss", $pass, $new_activation_token, $token);\r
+ $result = $stmt->execute();\r
+ $stmt->close(); \r
+ return $result;\r
+}\r
+\r
+//Update a user's title\r
+function updateTitle($id, $title)\r
+{\r
+ global $mysqli,$db_table_prefix;\r
+ $stmt = $mysqli->prepare("UPDATE ".$db_table_prefix."users\r
+ SET \r
+ title = ?\r
+ WHERE\r
+ id = ?");\r
+ $stmt->bind_param("si", $title, $id);\r
+ $result = $stmt->execute();\r
+ $stmt->close(); \r
+ return $result; \r
+}\r
+\r
+//Check if a user ID exists in the DB\r
+function userIdExists($id)\r
+{\r
+ global $mysqli,$db_table_prefix;\r
+ $stmt = $mysqli->prepare("SELECT active\r
+ FROM ".$db_table_prefix."users\r
+ WHERE\r
+ id = ?\r
+ LIMIT 1");\r
+ $stmt->bind_param("i", $id); \r
+ $stmt->execute();\r
+ $stmt->store_result();\r
+ $num_returns = $stmt->num_rows;\r
+ $stmt->close();\r
+ \r
+ if ($num_returns > 0)\r
+ {\r
+ return true;\r
+ }\r
+ else\r
+ {\r
+ return false; \r
+ }\r
+}\r
+\r
+//Checks if a username exists in the DB\r
+function usernameExists($username)\r
+{\r
+ global $mysqli,$db_table_prefix;\r
+ $stmt = $mysqli->prepare("SELECT active\r
+ FROM ".$db_table_prefix."users\r
+ WHERE\r
+ user_name = ?\r
+ LIMIT 1");\r
+ $stmt->bind_param("s", $username); \r
+ $stmt->execute();\r
+ $stmt->store_result();\r
+ $num_returns = $stmt->num_rows;\r
+ $stmt->close();\r
+ \r
+ if ($num_returns > 0)\r
+ {\r
+ return true;\r
+ }\r
+ else\r
+ {\r
+ return false; \r
+ }\r
+}\r
+\r
+//Check if activation token exists in DB\r
+function validateActivationToken($token,$lostpass=NULL)\r
+{\r
+ global $mysqli,$db_table_prefix;\r
+ if($lostpass == NULL) \r
+ { \r
+ $stmt = $mysqli->prepare("SELECT active\r
+ FROM ".$db_table_prefix."users\r
+ WHERE active = 0\r
+ AND\r
+ activation_token = ?\r
+ LIMIT 1");\r
+ }\r
+ else \r
+ {\r
+ $stmt = $mysqli->prepare("SELECT active\r
+ FROM ".$db_table_prefix."users\r
+ WHERE active = 1\r
+ AND\r
+ activation_token = ?\r
+ AND\r
+ lost_password_request = 1 \r
+ LIMIT 1");\r
+ }\r
+ $stmt->bind_param("s", $token);\r
+ $stmt->execute();\r
+ $stmt->store_result();\r
+ $num_returns = $stmt->num_rows;\r
+ $stmt->close();\r
+ \r
+ if ($num_returns > 0)\r
+ {\r
+ return true;\r
+ }\r
+ else\r
+ {\r
+ return false; \r
+ }\r
+}\r
+\r
+//Functions that interact mainly with .permissions table\r
+//------------------------------------------------------------------------------\r
+\r
+//Create a permission level in DB\r
+function createPermission($permission) {\r
+ global $mysqli,$db_table_prefix; \r
+ $stmt = $mysqli->prepare("INSERT INTO ".$db_table_prefix."permissions (\r
+ name\r
+ )\r
+ VALUES (\r
+ ?\r
+ )");\r
+ $stmt->bind_param("s", $permission);\r
+ $result = $stmt->execute();\r
+ $stmt->close(); \r
+ return $result;\r
+}\r
+\r
+//Delete a permission level from the DB\r
+function deletePermission($permission) {\r
+ global $mysqli,$db_table_prefix,$errors; \r
+ $i = 0;\r
+ $stmt = $mysqli->prepare("DELETE FROM ".$db_table_prefix."permissions \r
+ WHERE id = ?");\r
+ $stmt2 = $mysqli->prepare("DELETE FROM ".$db_table_prefix."user_permission_matches \r
+ WHERE permission_id = ?");\r
+ $stmt3 = $mysqli->prepare("DELETE FROM ".$db_table_prefix."permission_page_matches \r
+ WHERE permission_id = ?");\r
+ foreach($permission as $id){\r
+ if ($id == 1){\r
+ $errors[] = lang("CANNOT_DELETE_NEWUSERS");\r
+ }\r
+ elseif ($id == 2){\r
+ $errors[] = lang("CANNOT_DELETE_ADMIN");\r
+ }\r
+ else{\r
+ $stmt->bind_param("i", $id);\r
+ $stmt->execute();\r
+ $stmt2->bind_param("i", $id);\r
+ $stmt2->execute();\r
+ $stmt3->bind_param("i", $id);\r
+ $stmt3->execute();\r
+ $i++;\r
+ }\r
+ }\r
+ $stmt->close();\r
+ $stmt2->close();\r
+ $stmt3->close();\r
+ return $i;\r
+}\r
+\r
+//Retrieve information for all permission levels\r
+function fetchAllPermissions()\r
+{\r
+ global $mysqli,$db_table_prefix; \r
+ $stmt = $mysqli->prepare("SELECT \r
+ id,\r
+ name\r
+ FROM ".$db_table_prefix."permissions");\r
+ $stmt->execute();\r
+ $stmt->bind_result($id, $name);\r
+ while ($stmt->fetch()){\r
+ $row[] = array('id' => $id, 'name' => $name);\r
+ }\r
+ $stmt->close();\r
+ return ($row);\r
+}\r
+\r
+//Retrieve information for a single permission level\r
+function fetchPermissionDetails($id)\r
+{\r
+ global $mysqli,$db_table_prefix; \r
+ $stmt = $mysqli->prepare("SELECT \r
+ id,\r
+ name\r
+ FROM ".$db_table_prefix."permissions\r
+ WHERE\r
+ id = ?\r
+ LIMIT 1");\r
+ $stmt->bind_param("i", $id);\r
+ $stmt->execute();\r
+ $stmt->bind_result($id, $name);\r
+ while ($stmt->fetch()){\r
+ $row = array('id' => $id, 'name' => $name);\r
+ }\r
+ $stmt->close();\r
+ return ($row);\r
+}\r
+\r
+//Check if a permission level ID exists in the DB\r
+function permissionIdExists($id)\r
+{\r
+ global $mysqli,$db_table_prefix;\r
+ $stmt = $mysqli->prepare("SELECT id\r
+ FROM ".$db_table_prefix."permissions\r
+ WHERE\r
+ id = ?\r
+ LIMIT 1");\r
+ $stmt->bind_param("i", $id); \r
+ $stmt->execute();\r
+ $stmt->store_result();\r
+ $num_returns = $stmt->num_rows;\r
+ $stmt->close();\r
+ \r
+ if ($num_returns > 0)\r
+ {\r
+ return true;\r
+ }\r
+ else\r
+ {\r
+ return false; \r
+ }\r
+}\r
+\r
+//Check if a permission level name exists in the DB\r
+function permissionNameExists($permission)\r
+{\r
+ global $mysqli,$db_table_prefix;\r
+ $stmt = $mysqli->prepare("SELECT id\r
+ FROM ".$db_table_prefix."permissions\r
+ WHERE\r
+ name = ?\r
+ LIMIT 1");\r
+ $stmt->bind_param("s", $permission); \r
+ $stmt->execute();\r
+ $stmt->store_result();\r
+ $num_returns = $stmt->num_rows;\r
+ $stmt->close();\r
+ \r
+ if ($num_returns > 0)\r
+ {\r
+ return true;\r
+ }\r
+ else\r
+ {\r
+ return false; \r
+ }\r
+}\r
+\r
+//Change a permission level's name\r
+function updatePermissionName($id, $name)\r
+{\r
+ global $mysqli,$db_table_prefix;\r
+ $stmt = $mysqli->prepare("UPDATE ".$db_table_prefix."permissions\r
+ SET name = ?\r
+ WHERE\r
+ id = ?\r
+ LIMIT 1");\r
+ $stmt->bind_param("si", $name, $id);\r
+ $result = $stmt->execute();\r
+ $stmt->close(); \r
+ return $result; \r
+}\r
+\r
+//Functions that interact mainly with .user_permission_matches table\r
+//------------------------------------------------------------------------------\r
+\r
+//Match permission level(s) with user(s)\r
+function addPermission($permission, $user) {\r
+ global $mysqli,$db_table_prefix; \r
+ $i = 0;\r
+ $stmt = $mysqli->prepare("INSERT INTO ".$db_table_prefix."user_permission_matches (\r
+ permission_id,\r
+ user_id\r
+ )\r
+ VALUES (\r
+ ?,\r
+ ?\r
+ )");\r
+ if (is_array($permission)){\r
+ foreach($permission as $id){\r
+ $stmt->bind_param("ii", $id, $user);\r
+ $stmt->execute();\r
+ $i++;\r
+ }\r
+ }\r
+ elseif (is_array($user)){\r
+ foreach($user as $id){\r
+ $stmt->bind_param("ii", $permission, $id);\r
+ $stmt->execute();\r
+ $i++;\r
+ }\r
+ }\r
+ else {\r
+ $stmt->bind_param("ii", $permission, $user);\r
+ $stmt->execute();\r
+ $i++;\r
+ }\r
+ $stmt->close();\r
+ return $i;\r
+}\r
+\r
+//Retrieve information for all user/permission level matches\r
+function fetchAllMatches()\r
+{\r
+ global $mysqli,$db_table_prefix; \r
+ $stmt = $mysqli->prepare("SELECT \r
+ id,\r
+ user_id,\r
+ permission_id\r
+ FROM ".$db_table_prefix."user_permission_matches");\r
+ $stmt->execute();\r
+ $stmt->bind_result($id, $user, $permission);\r
+ while ($stmt->fetch()){\r
+ $row[] = array('id' => $id, 'user_id' => $user, 'permission_id' => $permission);\r
+ }\r
+ $stmt->close();\r
+ return ($row); \r
+}\r
+\r
+//Retrieve list of permission levels a user has\r
+function fetchUserPermissions($user_id)\r
+{\r
+ global $mysqli,$db_table_prefix; \r
+ $stmt = $mysqli->prepare("SELECT\r
+ id,\r
+ permission_id\r
+ FROM ".$db_table_prefix."user_permission_matches\r
+ WHERE user_id = ?\r
+ ");\r
+ $stmt->bind_param("i", $user_id); \r
+ $stmt->execute();\r
+ $stmt->bind_result($id, $permission);\r
+ while ($stmt->fetch()){\r
+ $row[$permission] = array('id' => $id, 'permission_id' => $permission);\r
+ }\r
+ $stmt->close();\r
+ if (isset($row)){\r
+ return ($row);\r
+ }\r
+}\r
+\r
+//Retrieve list of users who have a permission level\r
+function fetchPermissionUsers($permission_id)\r
+{\r
+ global $mysqli,$db_table_prefix; \r
+ $stmt = $mysqli->prepare("SELECT id, user_id\r
+ FROM ".$db_table_prefix."user_permission_matches\r
+ WHERE permission_id = ?\r
+ ");\r
+ $stmt->bind_param("i", $permission_id); \r
+ $stmt->execute();\r
+ $stmt->bind_result($id, $user);\r
+ while ($stmt->fetch()){\r
+ $row[$user] = array('id' => $id, 'user_id' => $user);\r
+ }\r
+ $stmt->close();\r
+ if (isset($row)){\r
+ return ($row);\r
+ }\r
+}\r
+\r
+//Unmatch permission level(s) from user(s)\r
+function removePermission($permission, $user) {\r
+ global $mysqli,$db_table_prefix; \r
+ $i = 0;\r
+ $stmt = $mysqli->prepare("DELETE FROM ".$db_table_prefix."user_permission_matches \r
+ WHERE permission_id = ?\r
+ AND user_id =?");\r
+ if (is_array($permission)){\r
+ foreach($permission as $id){\r
+ $stmt->bind_param("ii", $id, $user);\r
+ $stmt->execute();\r
+ $i++;\r
+ }\r
+ }\r
+ elseif (is_array($user)){\r
+ foreach($user as $id){\r
+ $stmt->bind_param("ii", $permission, $id);\r
+ $stmt->execute();\r
+ $i++;\r
+ }\r
+ }\r
+ else {\r
+ $stmt->bind_param("ii", $permission, $user);\r
+ $stmt->execute();\r
+ $i++;\r
+ }\r
+ $stmt->close();\r
+ return $i;\r
+}\r
+\r
+//Functions that interact mainly with .configuration table\r
+//------------------------------------------------------------------------------\r
+\r
+//Update configuration table\r
+function updateConfig($id, $value)\r
+{\r
+ global $mysqli,$db_table_prefix;\r
+ $stmt = $mysqli->prepare("UPDATE ".$db_table_prefix."configuration\r
+ SET \r
+ value = ?\r
+ WHERE\r
+ id = ?");\r
+ foreach ($id as $cfg){\r
+ $stmt->bind_param("si", $value[$cfg], $cfg);\r
+ $stmt->execute();\r
+ }\r
+ $stmt->close(); \r
+}\r
+\r
+//Functions that interact mainly with .pages table\r
+//------------------------------------------------------------------------------\r
+\r
+//Add a page to the DB\r
+function createPages($pages) {\r
+ global $mysqli,$db_table_prefix; \r
+ $stmt = $mysqli->prepare("INSERT INTO ".$db_table_prefix."pages (\r
+ page\r
+ )\r
+ VALUES (\r
+ ?\r
+ )");\r
+ foreach($pages as $page){\r
+ $stmt->bind_param("s", $page);\r
+ $stmt->execute();\r
+ }\r
+ $stmt->close();\r
+}\r
+\r
+//Delete a page from the DB\r
+function deletePages($pages) {\r
+ global $mysqli,$db_table_prefix; \r
+ $stmt = $mysqli->prepare("DELETE FROM ".$db_table_prefix."pages \r
+ WHERE id = ?");\r
+ $stmt2 = $mysqli->prepare("DELETE FROM ".$db_table_prefix."permission_page_matches \r
+ WHERE page_id = ?");\r
+ foreach($pages as $id){\r
+ $stmt->bind_param("i", $id);\r
+ $stmt->execute();\r
+ $stmt2->bind_param("i", $id);\r
+ $stmt2->execute();\r
+ }\r
+ $stmt->close();\r
+ $stmt2->close();\r
+}\r
+\r
+//Fetch information on all pages\r
+function fetchAllPages()\r
+{\r
+ global $mysqli,$db_table_prefix; \r
+ $stmt = $mysqli->prepare("SELECT \r
+ id,\r
+ page,\r
+ private\r
+ FROM ".$db_table_prefix."pages");\r
+ $stmt->execute();\r
+ $stmt->bind_result($id, $page, $private);\r
+ while ($stmt->fetch()){\r
+ $row[$page] = array('id' => $id, 'page' => $page, 'private' => $private);\r
+ }\r
+ $stmt->close();\r
+ if (isset($row)){\r
+ return ($row);\r
+ }\r
+}\r
+\r
+//Fetch information for a specific page\r
+function fetchPageDetails($id)\r
+{\r
+ global $mysqli,$db_table_prefix; \r
+ $stmt = $mysqli->prepare("SELECT \r
+ id,\r
+ page,\r
+ private\r
+ FROM ".$db_table_prefix."pages\r
+ WHERE\r
+ id = ?\r
+ LIMIT 1");\r
+ $stmt->bind_param("i", $id);\r
+ $stmt->execute();\r
+ $stmt->bind_result($id, $page, $private);\r
+ while ($stmt->fetch()){\r
+ $row = array('id' => $id, 'page' => $page, 'private' => $private);\r
+ }\r
+ $stmt->close();\r
+ return ($row);\r
+}\r
+\r
+//Check if a page ID exists\r
+function pageIdExists($id)\r
+{\r
+ global $mysqli,$db_table_prefix;\r
+ $stmt = $mysqli->prepare("SELECT private\r
+ FROM ".$db_table_prefix."pages\r
+ WHERE\r
+ id = ?\r
+ LIMIT 1");\r
+ $stmt->bind_param("i", $id); \r
+ $stmt->execute();\r
+ $stmt->store_result(); \r
+ $num_returns = $stmt->num_rows;\r
+ $stmt->close();\r
+ \r
+ if ($num_returns > 0)\r
+ {\r
+ return true;\r
+ }\r
+ else\r
+ {\r
+ return false; \r
+ }\r
+}\r
+\r
+//Toggle private/public setting of a page\r
+function updatePrivate($id, $private)\r
+{\r
+ global $mysqli,$db_table_prefix;\r
+ $stmt = $mysqli->prepare("UPDATE ".$db_table_prefix."pages\r
+ SET \r
+ private = ?\r
+ WHERE\r
+ id = ?");\r
+ $stmt->bind_param("ii", $private, $id);\r
+ $result = $stmt->execute();\r
+ $stmt->close(); \r
+ return $result; \r
+}\r
+\r
+//Functions that interact mainly with .permission_page_matches table\r
+//------------------------------------------------------------------------------\r
+\r
+//Match permission level(s) with page(s)\r
+function addPage($page, $permission) {\r
+ global $mysqli,$db_table_prefix; \r
+ $i = 0;\r
+ $stmt = $mysqli->prepare("INSERT INTO ".$db_table_prefix."permission_page_matches (\r
+ permission_id,\r
+ page_id\r
+ )\r
+ VALUES (\r
+ ?,\r
+ ?\r
+ )");\r
+ if (is_array($permission)){\r
+ foreach($permission as $id){\r
+ $stmt->bind_param("ii", $id, $page);\r
+ $stmt->execute();\r
+ $i++;\r
+ }\r
+ }\r
+ elseif (is_array($page)){\r
+ foreach($page as $id){\r
+ $stmt->bind_param("ii", $permission, $id);\r
+ $stmt->execute();\r
+ $i++;\r
+ }\r
+ }\r
+ else {\r
+ $stmt->bind_param("ii", $permission, $page);\r
+ $stmt->execute();\r
+ $i++;\r
+ }\r
+ $stmt->close();\r
+ return $i;\r
+}\r
+\r
+//Retrieve list of permission levels that can access a page\r
+function fetchPagePermissions($page_id)\r
+{\r
+ global $mysqli,$db_table_prefix; \r
+ $stmt = $mysqli->prepare("SELECT\r
+ id,\r
+ permission_id\r
+ FROM ".$db_table_prefix."permission_page_matches\r
+ WHERE page_id = ?\r
+ ");\r
+ $stmt->bind_param("i", $page_id); \r
+ $stmt->execute();\r
+ $stmt->bind_result($id, $permission);\r
+ while ($stmt->fetch()){\r
+ $row[$permission] = array('id' => $id, 'permission_id' => $permission);\r
+ }\r
+ $stmt->close();\r
+ if (isset($row)){\r
+ return ($row);\r
+ }\r
+}\r
+\r
+//Retrieve list of pages that a permission level can access\r
+function fetchPermissionPages($permission_id)\r
+{\r
+ global $mysqli,$db_table_prefix; \r
+ $stmt = $mysqli->prepare("SELECT\r
+ id,\r
+ page_id\r
+ FROM ".$db_table_prefix."permission_page_matches\r
+ WHERE permission_id = ?\r
+ ");\r
+ $stmt->bind_param("i", $permission_id); \r
+ $stmt->execute();\r
+ $stmt->bind_result($id, $page);\r
+ while ($stmt->fetch()){\r
+ $row[$page] = array('id' => $id, 'permission_id' => $page);\r
+ }\r
+ $stmt->close();\r
+ if (isset($row)){\r
+ return ($row);\r
+ }\r
+}\r
+\r
+//Unmatched permission and page\r
+function removePage($page, $permission) {\r
+ global $mysqli,$db_table_prefix; \r
+ $i = 0;\r
+ $stmt = $mysqli->prepare("DELETE FROM ".$db_table_prefix."permission_page_matches \r
+ WHERE page_id = ?\r
+ AND permission_id =?");\r
+ if (is_array($page)){\r
+ foreach($page as $id){\r
+ $stmt->bind_param("ii", $id, $permission);\r
+ $stmt->execute();\r
+ $i++;\r
+ }\r
+ }\r
+ elseif (is_array($permission)){\r
+ foreach($permission as $id){\r
+ $stmt->bind_param("ii", $page, $id);\r
+ $stmt->execute();\r
+ $i++;\r
+ }\r
+ }\r
+ else {\r
+ $stmt->bind_param("ii", $permission, $user);\r
+ $stmt->execute();\r
+ $i++;\r
+ }\r
+ $stmt->close();\r
+ return $i;\r
+}\r
+\r
+//Check if a user has access to a page\r
+function securePage($uri){\r
+ \r
+ //Separate document name from uri\r
+ $tokens = explode('/', $uri);\r
+ $page = $tokens[sizeof($tokens)-1];\r
+ global $mysqli,$db_table_prefix,$loggedInUser;\r
+ //retrieve page details\r
+ $stmt = $mysqli->prepare("SELECT \r
+ id,\r
+ page,\r
+ private\r
+ FROM ".$db_table_prefix."pages\r
+ WHERE\r
+ page = ?\r
+ LIMIT 1");\r
+ $stmt->bind_param("s", $page);\r
+ $stmt->execute();\r
+ $stmt->bind_result($id, $page, $private);\r
+ while ($stmt->fetch()){\r
+ $pageDetails = array('id' => $id, 'page' => $page, 'private' => $private);\r
+ }\r
+ $stmt->close();\r
+ //If page does not exist in DB, allow access\r
+ if (empty($pageDetails)){\r
+ return true;\r
+ }\r
+ //If page is public, allow access\r
+ elseif ($pageDetails['private'] == 0) {\r
+ return true; \r
+ }\r
+ //If user is not logged in, deny access\r
+ elseif(!isUserLoggedIn()) \r
+ {\r
+ header("Location: login.php");\r
+ return false;\r
+ }\r
+ else {\r
+ //Retrieve list of permission levels with access to page\r
+ $stmt = $mysqli->prepare("SELECT\r
+ permission_id\r
+ FROM ".$db_table_prefix."permission_page_matches\r
+ WHERE page_id = ?\r
+ ");\r
+ $stmt->bind_param("i", $pageDetails['id']); \r
+ $stmt->execute();\r
+ $stmt->bind_result($permission);\r
+ while ($stmt->fetch()){\r
+ $pagePermissions[] = $permission;\r
+ }\r
+ $stmt->close();\r
+ //Check if user's permission levels allow access to page\r
+ if ($loggedInUser->checkPermission($pagePermissions)){ \r
+ return true;\r
+ }\r
+ //Grant access if master user\r
+ elseif ($loggedInUser->user_id == $master_account){\r
+ return true;\r
+ }\r
+ else {\r
+ header("Location: account.php");\r
+ return false; \r
+ }\r
+ }\r
+}\r
+\r
+?>\r
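Review bot: The activation and lost-password tokens minted in getUniqueCode and generateActivationToken are md5(uniqid(rand()/mt_rand())), which is time-seeded and predictable rather than cryptographically random, so a token that gates account activation or a password reset can be guessed far more cheaply than its 128-bit length suggests; generateHash seeds its salt the same way and then stores salt . sha1(salt . plaintext), a fast hash that is unsuited to password storage. Replace the token source with `$gen = bin2hex(random_bytes(16));` (and `$code = bin2hex(random_bytes(16));` in getUniqueCode), and schedule a migration of generateHash to password_hash()/password_verify(), noting that isUserLoggedIn compares the stored hash column directly and would need to change with it. Separately, securePage reads $master_account at the master-user check without listing it in its global declaration, so that branch compares against an undefined variable, and removePage's else branch binds $user, which does not exist in that function, instead of $page. resultBlock also echoes each error and success string unescaped into HTML; wrap them as `echo "<li>".htmlspecialchars($error, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')."</li>";` and likewise for $success.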