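$max) return true; else return false; }

/**
 * Replace the configured hook placeholders in $str with their replacement text.
 *
 * Reads the global $default_hooks / $default_replace arrays (defined elsewhere).
 *
 * @param string $str text containing hook placeholders
 * @return string the text with every hook replaced
 */
function replaceDefaultHook($str)
{
    global $default_hooks, $default_replace;
    return str_replace($default_hooks, $default_replace, $str);
}

/**
 * Echo the error block and the success block for the given message lists.
 *
 * Messages are written to the output verbatim (no HTML escaping), so callers
 * must only pass trusted or already-escaped strings.
 *
 * @param array $errors    error messages
 * @param array $successes success messages
 * @return void
 */
function resultBlock($errors, $successes)
{
    // Error block
    if (count($errors) > 0) {
        echo "\n";
        foreach ($errors as $error) {
            echo "\n\n" . $error . "\n\n";
        }
        echo "\n";
    }
    // Success block
    if (count($successes) > 0) {
        echo "\n";
        foreach ($successes as $success) {
            echo "\n\n" . $success;
        }
        echo "\n\n";
    }
}

/**
 * Echo a single dismissable notification block holding all errors and successes.
 * Nothing is printed when both lists are empty.
 *
 * Messages are written to the output verbatim (no HTML escaping), so callers
 * must only pass trusted or already-escaped strings.
 *
 * @param array $errors    error messages
 * @param array $successes success messages
 * @return void
 */
function notificationBlock($errors, $successes)
{
    if (count($errors) === 0 && count($successes) === 0) {
        return;
    }
    echo "\nDismiss\nNotifications\n";
    foreach ($errors as $error) {
        echo "\n\n" . $error . "\n\n";
    }
    foreach ($successes as $success) {
        echo "\n\n" . $success . "\n\n";
    }
    echo "\n";
}

/**
 * Normalise free text: trim whitespace, strip HTML tags, lower-case.
 *
 * Because the result is lower-cased this is only suitable for case-insensitive
 * identifiers (user names, emails), not for values where case matters.
 *
 * @param string $str
 * @return string
 */
function sanitize($str)
{
    return strtolower(strip_tags(trim($str)));
}

//Functions that interact mainly with .users table
//------------------------------------------------------------------------------

/**
 * Delete the given user ids together with their permission matches.
 *
 * @param array $users list of user ids
 * @return int number of ids processed
 */
function deleteUsers($users)
{
    global $mysqli, $db_table_prefix;
    $processed = 0;
    $userStmt = $mysqli->prepare("DELETE FROM " . $db_table_prefix . "users WHERE id = ?");
    $matchStmt = $mysqli->prepare("DELETE FROM " . $db_table_prefix . "user_permission_matches WHERE user_id = ?");
    foreach ($users as $id) {
        $userStmt->bind_param("i", $id);
        $userStmt->execute();
        $matchStmt->bind_param("i", $id);
        $matchStmt->execute();
        $processed++;
    }
    $userStmt->close();
    $matchStmt->close();
    return $processed;
}

/**
 * Whether a user with the given display name exists.
 *
 * @param string $displayname
 * @return bool
 */
function displayNameExists($displayname)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("SELECT active FROM " . $db_table_prefix . "users WHERE display_name = ? LIMIT 1");
    $stmt->bind_param("s", $displayname);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows;
    $stmt->close();
    return $found > 0;
}

/**
 * Whether a user with the given email exists.
 *
 * @param string $email
 * @return bool
 */
function emailExists($email)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("SELECT active FROM " . $db_table_prefix . "users WHERE email = ? LIMIT 1");
    $stmt->bind_param("s", $email);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows;
    $stmt->close();
    return $found > 0;
}

/**
 * Whether the given user name and email belong to the same user row.
 *
 * @param string $email
 * @param string $username
 * @return bool
 */
function emailUsernameLinked($email, $username)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("SELECT active FROM " . $db_table_prefix . "users WHERE user_name = ? AND email = ? LIMIT 1");
    $stmt->bind_param("ss", $username, $email);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows;
    $stmt->close();
    return $found > 0;
}

/**
 * Look up the id of a permission level by its name.
 *
 * @param string $permission permission name
 * @return int|null the id, or null when no such permission exists
 */
function permissionNameToId($permission)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("SELECT id FROM " . $db_table_prefix . "permissions WHERE name = ? LIMIT 1");
    $stmt->bind_param("s", $permission);
    $stmt->execute();
    $stmt->bind_result($id);
    // Initialised so a miss returns null instead of reading an undefined variable.
    $perm_id = null;
    while ($stmt->fetch()) {
        $perm_id = $id;
    }
    $stmt->close();
    return $perm_id;
}

/**
 * Ids of all users that hold the named permission level.
 *
 * @param string $perm_name
 * @return array list of user ids (empty when none)
 */
function fetchAllUsersWithPerm($perm_name)
{
    global $mysqli, $db_table_prefix;
    $perm_id = permissionNameToId($perm_name);
    $stmt = $mysqli->prepare("SELECT p1.id FROM " . $db_table_prefix . "users p1 WHERE EXISTS (SELECT * FROM " . $db_table_prefix . "user_permission_matches WHERE user_id=p1.id AND permission_id=?)");
    $stmt->bind_param("i", $perm_id);
    $stmt->execute();
    $stmt->bind_result($id);
    $rows = array();
    while ($stmt->fetch()) {
        $rows[] = $id;
    }
    $stmt->close();
    return $rows;
}

/**
 * Ids of all users that do NOT hold the named permission level.
 *
 * @param string $perm_name
 * @return array list of user ids (empty when none)
 */
function fetchAllUsersWithoutPerm($perm_name)
{
    global $mysqli, $db_table_prefix;
    $perm_id = permissionNameToId($perm_name);
    $stmt = $mysqli->prepare("SELECT p1.id FROM " . $db_table_prefix . "users p1 WHERE NOT EXISTS (SELECT * FROM " . $db_table_prefix . "user_permission_matches WHERE user_id=p1.id AND permission_id=?)");
    $stmt->bind_param("i", $perm_id);
    $stmt->execute();
    $stmt->bind_result($id);
    $rows = array();
    while ($stmt->fetch()) {
        $rows[] = $id;
    }
    $stmt->close();
    return $rows;
}

/**
 * Retrieve every column of every user row.
 *
 * The result includes the stored password hash and activation token; do not
 * pass it to templates or serialise it without removing those fields.
 *
 * @return array list of associative user rows (empty when none)
 */
function fetchAllUsers()
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("SELECT id, user_name, display_name, password, email, activation_token, last_activation_request, lost_password_request, active, title, sign_up_stamp, last_sign_in_stamp FROM " . $db_table_prefix . "users");
    $stmt->execute();
    $stmt->bind_result($id, $user, $display, $password, $email, $token, $activationRequest, $passwordRequest, $active, $title, $signUp, $signIn);
    $rows = array();
    while ($stmt->fetch()) {
        $rows[] = array(
            'id' => $id,
            'user_name' => $user,
            'display_name' => $display,
            'password' => $password,
            'email' => $email,
            'activation_token' => $token,
            'last_activation_request' => $activationRequest,
            'lost_password_request' => $passwordRequest,
            'active' => $active,
            'title' => $title,
            'sign_up_stamp' => $signUp,
            'last_sign_in_stamp' => $signIn,
        );
    }
    $stmt->close();
    return $rows;
}

/**
 * Look up a user id by user name.
 *
 * @param string $username
 * @return int|null the id, or null when the user does not exist
 */
function fetchUserId($username)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("SELECT id FROM " . $db_table_prefix . "users WHERE user_name = ? LIMIT 1");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($id);
    $user_id = null;
    while ($stmt->fetch()) {
        $user_id = $id;
    }
    $stmt->close();
    return $user_id;
}

/**
 * Retrieve a complete user row by user name, activation token or id
 * (checked in that order; the first non-null argument wins).
 *
 * The row includes the stored password hash and activation token.
 *
 * @param string|null $username
 * @param string|null $token
 * @param int|null    $id
 * @return array|null associative user row, or null when nothing matched or
 *                    no selector was given
 */
function fetchUserDetails($username = NULL, $token = NULL, $id = NULL)
{
    if ($username != NULL) {
        $column = "user_name";
        $data = $username;
    } elseif ($token != NULL) {
        $column = "activation_token";
        $data = $token;
    } elseif ($id != NULL) {
        $column = "id";
        $data = $id;
    } else {
        // No selector: the original built a broken query here.
        return null;
    }
    global $mysqli, $db_table_prefix;
    // $column is one of three fixed literals above, never caller input.
    $stmt = $mysqli->prepare("SELECT id, user_name, display_name, password, email, activation_token, last_activation_request, lost_password_request, active, title, sign_up_stamp, last_sign_in_stamp FROM " . $db_table_prefix . "users WHERE $column = ? LIMIT 1");
    $stmt->bind_param("s", $data);
    $stmt->execute();
    $stmt->bind_result($id, $user, $display, $password, $email, $token, $activationRequest, $passwordRequest, $active, $title, $signUp, $signIn);
    $row = null;
    while ($stmt->fetch()) {
        $row = array(
            'id' => $id,
            'user_name' => $user,
            'display_name' => $display,
            'password' => $password,
            'email' => $email,
            'activation_token' => $token,
            'last_activation_request' => $activationRequest,
            'lost_password_request' => $passwordRequest,
            'active' => $active,
            'title' => $title,
            'sign_up_stamp' => $signUp,
            'last_sign_in_stamp' => $signIn,
        );
    }
    $stmt->close();
    return $row;
}

/**
 * Set the lost_password_request flag of a user.
 *
 * @param string $username
 * @param mixed  $value new flag value (bound as a string)
 * @return bool result of execute()
 */
function flagLostPasswordRequest($username, $value)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("UPDATE " . $db_table_prefix . "users SET lost_password_request = ? WHERE user_name = ? LIMIT 1");
    $stmt->bind_param("ss", $value, $username);
    $result = $stmt->execute();
    $stmt->close();
    return $result;
}

/**
 * Whether the session's $loggedInUser still corresponds to an active user row
 * with the same stored password hash. On mismatch the session is destroyed.
 *
 * @return bool
 */
function isUserLoggedIn()
{
    global $loggedInUser, $mysqli, $db_table_prefix;
    // Check the session object before touching its properties (the original
    // queried first and dereferenced null).
    if ($loggedInUser == NULL) {
        return false;
    }
    $stmt = $mysqli->prepare("SELECT id, password FROM " . $db_table_prefix . "users WHERE id = ? AND password = ? AND active = 1 LIMIT 1");
    $stmt->bind_param("is", $loggedInUser->user_id, $loggedInUser->hash_pw);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows;
    $stmt->close();
    if ($found > 0) {
        return true;
    }
    // Row gone, deactivated or password changed: the session is no longer valid.
    destroySession("userCakeUser");
    return false;
}

/**
 * Activate the user holding the given activation token.
 *
 * @param string $token
 * @return bool result of execute()
 */
function setUserActive($token)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("UPDATE " . $db_table_prefix . "users SET active = 1 WHERE activation_token = ? LIMIT 1");
    $stmt->bind_param("s", $token);
    $result = $stmt->execute();
    $stmt->close();
    return $result;
}

/**
 * Change a user's display name.
 *
 * @param int    $id
 * @param string $display
 * @return bool result of execute()
 */
function updateDisplayName($id, $display)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("UPDATE " . $db_table_prefix . "users SET display_name = ? WHERE id = ? LIMIT 1");
    $stmt->bind_param("si", $display, $id);
    $result = $stmt->execute();
    $stmt->close();
    return $result;
}

/**
 * Change a user's email address.
 *
 * @param int    $id
 * @param string $email
 * @return bool result of execute()
 */
function updateEmail($id, $email)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("UPDATE " . $db_table_prefix . "users SET email = ? WHERE id = ?");
    $stmt->bind_param("si", $email, $id);
    $result = $stmt->execute();
    $stmt->close();
    return $result;
}

/**
 * Store a new activation token and stamp the time of the request.
 *
 * @param string $new_activation_token
 * @param string $username
 * @param string $email
 * @return bool result of execute()
 */
function updateLastActivationRequest($new_activation_token, $username, $email)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("UPDATE " . $db_table_prefix . "users SET activation_token = ?, last_activation_request = ? WHERE email = ? AND user_name = ?");
    // bind_param takes its arguments by reference, so time() cannot be passed directly.
    $requestedAt = time();
    $stmt->bind_param("ssss", $new_activation_token, $requestedAt, $email, $username);
    $result = $stmt->execute();
    $stmt->close();
    return $result;
}

/**
 * Set the password of the user holding $token and rotate the token so it
 * cannot be reused.
 *
 * $pass is stored exactly as given; the caller is responsible for hashing it
 * first (this function does not).
 *
 * @param string $pass
 * @param string $token current activation token
 * @return bool result of execute()
 */
function updatePasswordFromToken($pass, $token)
{
    global $mysqli, $db_table_prefix;
    $new_activation_token = generateActivationToken();
    $stmt = $mysqli->prepare("UPDATE " . $db_table_prefix . "users SET password = ?, activation_token = ? WHERE activation_token = ?");
    $stmt->bind_param("sss", $pass, $new_activation_token, $token);
    $result = $stmt->execute();
    $stmt->close();
    return $result;
}

/**
 * Change a user's title.
 *
 * @param int    $id
 * @param string $title
 * @return bool result of execute()
 */
function updateTitle($id, $title)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("UPDATE " . $db_table_prefix . "users SET title = ? WHERE id = ?");
    $stmt->bind_param("si", $title, $id);
    $result = $stmt->execute();
    $stmt->close();
    return $result;
}

/**
 * Whether a user with the given id exists.
 *
 * @param int $id
 * @return bool
 */
function userIdExists($id)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("SELECT active FROM " . $db_table_prefix . "users WHERE id = ? LIMIT 1");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows;
    $stmt->close();
    return $found > 0;
}

/**
 * Whether a user with the given user name exists.
 *
 * @param string $username
 * @return bool
 */
function usernameExists($username)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("SELECT active FROM " . $db_table_prefix . "users WHERE user_name = ? LIMIT 1");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows;
    $stmt->close();
    return $found > 0;
}

/**
 * Whether an activation token is valid for its intended flow.
 *
 * Without $lostpass the token must belong to an inactive account (sign-up
 * activation); with $lostpass it must belong to an active account that has
 * lost_password_request set (password reset).
 *
 * @param string     $token
 * @param mixed|null $lostpass any non-null value selects the reset flow
 * @return bool
 */
function validateActivationToken($token, $lostpass = NULL)
{
    global $mysqli, $db_table_prefix;
    if ($lostpass == NULL) {
        $stmt = $mysqli->prepare("SELECT active FROM " . $db_table_prefix . "users WHERE active = 0 AND activation_token = ? LIMIT 1");
    } else {
        $stmt = $mysqli->prepare("SELECT active FROM " . $db_table_prefix . "users WHERE active = 1 AND activation_token = ? AND lost_password_request = 1 LIMIT 1");
    }
    $stmt->bind_param("s", $token);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows;
    $stmt->close();
    return $found > 0;
}

//Functions that interact mainly with .permissions table
//------------------------------------------------------------------------------

/**
 * Create a permission level.
 *
 * @param string $permission name
 * @return bool result of execute()
 */
function createPermission($permission)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("INSERT INTO " . $db_table_prefix . "permissions ( name ) VALUES ( ? )");
    $stmt->bind_param("s", $permission);
    $result = $stmt->execute();
    $stmt->close();
    return $result;
}

/**
 * Delete permission levels together with their user and page matches.
 *
 * Ids 1 (new users) and 2 (admin) are protected; attempting to delete them
 * appends a message to the global $errors array instead.
 *
 * @param array $permission list of permission ids
 * @return int number of permissions actually deleted
 */
function deletePermission($permission)
{
    global $mysqli, $db_table_prefix, $errors;
    $deleted = 0;
    $permStmt = $mysqli->prepare("DELETE FROM " . $db_table_prefix . "permissions WHERE id = ?");
    $userMatchStmt = $mysqli->prepare("DELETE FROM " . $db_table_prefix . "user_permission_matches WHERE permission_id = ?");
    $pageMatchStmt = $mysqli->prepare("DELETE FROM " . $db_table_prefix . "permission_page_matches WHERE permission_id = ?");
    foreach ($permission as $id) {
        if ($id == 1) {
            $errors[] = lang("CANNOT_DELETE_NEWUSERS");
        } elseif ($id == 2) {
            $errors[] = lang("CANNOT_DELETE_ADMIN");
        } else {
            $permStmt->bind_param("i", $id);
            $permStmt->execute();
            $userMatchStmt->bind_param("i", $id);
            $userMatchStmt->execute();
            $pageMatchStmt->bind_param("i", $id);
            $pageMatchStmt->execute();
            $deleted++;
        }
    }
    $permStmt->close();
    $userMatchStmt->close();
    $pageMatchStmt->close();
    return $deleted;
}

/**
 * Retrieve all permission levels.
 *
 * @return array list of ['id' => int, 'name' => string] (empty when none)
 */
function fetchAllPermissions()
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("SELECT id, name FROM " . $db_table_prefix . "permissions");
    $stmt->execute();
    $stmt->bind_result($id, $name);
    $rows = array();
    while ($stmt->fetch()) {
        $rows[] = array('id' => $id, 'name' => $name);
    }
    $stmt->close();
    return $rows;
}

/**
 * Retrieve a single permission level.
 *
 * @param int $id
 * @return array|null ['id' => int, 'name' => string], or null when not found
 */
function fetchPermissionDetails($id)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("SELECT id, name FROM " . $db_table_prefix . "permissions WHERE id = ? LIMIT 1");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $stmt->bind_result($id, $name);
    $row = null;
    while ($stmt->fetch()) {
        $row = array('id' => $id, 'name' => $name);
    }
    $stmt->close();
    return $row;
}

/**
 * Whether a permission level with the given id exists.
 *
 * @param int $id
 * @return bool
 */
function permissionIdExists($id)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("SELECT id FROM " . $db_table_prefix . "permissions WHERE id = ? LIMIT 1");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows;
    $stmt->close();
    return $found > 0;
}

/**
 * Whether a permission level with the given name exists.
 *
 * @param string $permission
 * @return bool
 */
function permissionNameExists($permission)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("SELECT id FROM " . $db_table_prefix . "permissions WHERE name = ? LIMIT 1");
    $stmt->bind_param("s", $permission);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows;
    $stmt->close();
    return $found > 0;
}

/**
 * Rename a permission level.
 *
 * @param int    $id
 * @param string $name
 * @return bool result of execute()
 */
function updatePermissionName($id, $name)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("UPDATE " . $db_table_prefix . "permissions SET name = ? WHERE id = ? LIMIT 1");
    $stmt->bind_param("si", $name, $id);
    $result = $stmt->execute();
    $stmt->close();
    return $result;
}

//Functions that interact mainly with .user_permission_matches table
//------------------------------------------------------------------------------

/**
 * Grant permission level(s) to user(s). Exactly one of the two arguments may
 * be an array; the other is treated as a single id.
 *
 * @param int|array $permission permission id(s)
 * @param int|array $user       user id(s)
 * @return int number of matches inserted
 */
function addPermission($permission, $user)
{
    global $mysqli, $db_table_prefix;
    $inserted = 0;
    $stmt = $mysqli->prepare("INSERT INTO " . $db_table_prefix . "user_permission_matches ( permission_id, user_id ) VALUES ( ?, ? )");
    if (is_array($permission)) {
        foreach ($permission as $id) {
            $stmt->bind_param("ii", $id, $user);
            $stmt->execute();
            $inserted++;
        }
    } elseif (is_array($user)) {
        foreach ($user as $id) {
            $stmt->bind_param("ii", $permission, $id);
            $stmt->execute();
            $inserted++;
        }
    } else {
        $stmt->bind_param("ii", $permission, $user);
        $stmt->execute();
        $inserted++;
    }
    $stmt->close();
    return $inserted;
}

/**
 * Retrieve every user/permission match.
 *
 * @return array list of ['id', 'user_id', 'permission_id'] rows (empty when none)
 */
function fetchAllMatches()
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("SELECT id, user_id, permission_id FROM " . $db_table_prefix . "user_permission_matches");
    $stmt->execute();
    $stmt->bind_result($id, $user, $permission);
    $rows = array();
    while ($stmt->fetch()) {
        $rows[] = array('id' => $id, 'user_id' => $user, 'permission_id' => $permission);
    }
    $stmt->close();
    return $rows;
}

/**
 * Permission levels held by a user, keyed by permission id.
 *
 * @param int $user_id
 * @return array|null map permission_id => ['id', 'permission_id'], or null when
 *                    the user has no permissions (kept for existing callers)
 */
function fetchUserPermissions($user_id)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("SELECT id, permission_id FROM " . $db_table_prefix . "user_permission_matches WHERE user_id = ? ");
    $stmt->bind_param("i", $user_id);
    $stmt->execute();
    $stmt->bind_result($id, $permission);
    $rows = null;
    while ($stmt->fetch()) {
        $rows[$permission] = array('id' => $id, 'permission_id' => $permission);
    }
    $stmt->close();
    return $rows;
}

/**
 * Users holding a permission level, keyed by user id.
 *
 * @param int $permission_id
 * @return array|null map user_id => ['id', 'user_id'], or null when no user
 *                    holds the level (kept for existing callers)
 */
function fetchPermissionUsers($permission_id)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("SELECT id, user_id FROM " . $db_table_prefix . "user_permission_matches WHERE permission_id = ? ");
    $stmt->bind_param("i", $permission_id);
    $stmt->execute();
    $stmt->bind_result($id, $user);
    $rows = null;
    while ($stmt->fetch()) {
        $rows[$user] = array('id' => $id, 'user_id' => $user);
    }
    $stmt->close();
    return $rows;
}

/**
 * Revoke permission level(s) from user(s). Exactly one of the two arguments
 * may be an array; the other is treated as a single id.
 *
 * @param int|array $permission permission id(s)
 * @param int|array $user       user id(s)
 * @return int number of delete statements executed
 */
function removePermission($permission, $user)
{
    global $mysqli, $db_table_prefix;
    $removed = 0;
    $stmt = $mysqli->prepare("DELETE FROM " . $db_table_prefix . "user_permission_matches WHERE permission_id = ? AND user_id =?");
    if (is_array($permission)) {
        foreach ($permission as $id) {
            $stmt->bind_param("ii", $id, $user);
            $stmt->execute();
            $removed++;
        }
    } elseif (is_array($user)) {
        foreach ($user as $id) {
            $stmt->bind_param("ii", $permission, $id);
            $stmt->execute();
            $removed++;
        }
    } else {
        $stmt->bind_param("ii", $permission, $user);
        $stmt->execute();
        $removed++;
    }
    $stmt->close();
    return $removed;
}

//Functions that interact mainly with .configuration table
//------------------------------------------------------------------------------

/**
 * Update configuration rows: for each id in $id, store $value[$id].
 *
 * @param array $id    list of configuration row ids
 * @param array $value map id => new value
 * @return void
 */
function updateConfig($id, $value)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("UPDATE " . $db_table_prefix . "configuration SET value = ? WHERE id = ?");
    foreach ($id as $cfg) {
        $stmt->bind_param("si", $value[$cfg], $cfg);
        $stmt->execute();
    }
    $stmt->close();
}

//Functions that interact mainly with .pages table
//------------------------------------------------------------------------------

/**
 * Register pages in the DB.
 *
 * @param array $pages list of page file names
 * @return void
 */
function createPages($pages)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("INSERT INTO " . $db_table_prefix . "pages ( page ) VALUES ( ? )");
    foreach ($pages as $page) {
        $stmt->bind_param("s", $page);
        $stmt->execute();
    }
    $stmt->close();
}

/**
 * Delete pages together with their permission matches.
 *
 * @param array $pages list of page ids
 * @return void
 */
function deletePages($pages)
{
    global $mysqli, $db_table_prefix;
    $pageStmt = $mysqli->prepare("DELETE FROM " . $db_table_prefix . "pages WHERE id = ?");
    $matchStmt = $mysqli->prepare("DELETE FROM " . $db_table_prefix . "permission_page_matches WHERE page_id = ?");
    foreach ($pages as $id) {
        $pageStmt->bind_param("i", $id);
        $pageStmt->execute();
        $matchStmt->bind_param("i", $id);
        $matchStmt->execute();
    }
    $pageStmt->close();
    $matchStmt->close();
}

/**
 * Retrieve all pages, keyed by page name.
 *
 * @return array|null map page => ['id', 'page', 'private'], or null when the
 *                    table is empty (kept for existing callers)
 */
function fetchAllPages()
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("SELECT id, page, private FROM " . $db_table_prefix . "pages");
    $stmt->execute();
    $stmt->bind_result($id, $page, $private);
    $rows = null;
    while ($stmt->fetch()) {
        $rows[$page] = array('id' => $id, 'page' => $page, 'private' => $private);
    }
    $stmt->close();
    return $rows;
}

/**
 * Retrieve a single page.
 *
 * @param int $id
 * @return array|null ['id', 'page', 'private'], or null when not found
 */
function fetchPageDetails($id)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("SELECT id, page, private FROM " . $db_table_prefix . "pages WHERE id = ? LIMIT 1");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $stmt->bind_result($id, $page, $private);
    $row = null;
    while ($stmt->fetch()) {
        $row = array('id' => $id, 'page' => $page, 'private' => $private);
    }
    $stmt->close();
    return $row;
}

/**
 * Whether a page with the given id exists.
 *
 * @param int $id
 * @return bool
 */
function pageIdExists($id)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("SELECT private FROM " . $db_table_prefix . "pages WHERE id = ? LIMIT 1");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows;
    $stmt->close();
    return $found > 0;
}

/**
 * Set the private flag of a page.
 *
 * @param int $id
 * @param int $private 1 = private, 0 = public
 * @return bool result of execute()
 */
function updatePrivate($id, $private)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("UPDATE " . $db_table_prefix . "pages SET private = ? WHERE id = ?");
    $stmt->bind_param("ii", $private, $id);
    $result = $stmt->execute();
    $stmt->close();
    return $result;
}

//Functions that interact mainly with .permission_page_matches table
//------------------------------------------------------------------------------

/**
 * Allow permission level(s) to access page(s). Exactly one of the two
 * arguments may be an array; the other is treated as a single id.
 *
 * @param int|array $page       page id(s)
 * @param int|array $permission permission id(s)
 * @return int number of matches inserted
 */
function addPage($page, $permission)
{
    global $mysqli, $db_table_prefix;
    $inserted = 0;
    $stmt = $mysqli->prepare("INSERT INTO " . $db_table_prefix . "permission_page_matches ( permission_id, page_id ) VALUES ( ?, ? )");
    if (is_array($permission)) {
        foreach ($permission as $id) {
            $stmt->bind_param("ii", $id, $page);
            $stmt->execute();
            $inserted++;
        }
    } elseif (is_array($page)) {
        foreach ($page as $id) {
            $stmt->bind_param("ii", $permission, $id);
            $stmt->execute();
            $inserted++;
        }
    } else {
        $stmt->bind_param("ii", $permission, $page);
        $stmt->execute();
        $inserted++;
    }
    $stmt->close();
    return $inserted;
}

/**
 * Permission levels that may access a page, keyed by permission id.
 *
 * @param int $page_id
 * @return array|null map permission_id => ['id', 'permission_id'], or null
 *                    when no level is matched (kept for existing callers)
 */
function fetchPagePermissions($page_id)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("SELECT id, permission_id FROM " . $db_table_prefix . "permission_page_matches WHERE page_id = ? ");
    $stmt->bind_param("i", $page_id);
    $stmt->execute();
    $stmt->bind_result($id, $permission);
    $rows = null;
    while ($stmt->fetch()) {
        $rows[$permission] = array('id' => $id, 'permission_id' => $permission);
    }
    $stmt->close();
    return $rows;
}

/**
 * Pages a permission level may access, keyed by page id.
 *
 * The selected column is page_id; the original stored it under the
 * misleading key 'permission_id'. That key is kept for existing callers and
 * the correct 'page_id' key is added alongside it.
 *
 * @param int $permission_id
 * @return array|null map page_id => ['id', 'permission_id', 'page_id'], or
 *                    null when no page is matched (kept for existing callers)
 */
function fetchPermissionPages($permission_id)
{
    global $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("SELECT id, page_id FROM " . $db_table_prefix . "permission_page_matches WHERE permission_id = ? ");
    $stmt->bind_param("i", $permission_id);
    $stmt->execute();
    $stmt->bind_result($id, $page);
    $rows = null;
    while ($stmt->fetch()) {
        $rows[$page] = array('id' => $id, 'permission_id' => $page, 'page_id' => $page);
    }
    $stmt->close();
    return $rows;
}

/**
 * Revoke page access from permission level(s). Exactly one of the two
 * arguments may be an array; the other is treated as a single id.
 *
 * @param int|array $page       page id(s)
 * @param int|array $permission permission id(s)
 * @return int number of delete statements executed
 */
function removePage($page, $permission)
{
    global $mysqli, $db_table_prefix;
    $removed = 0;
    $stmt = $mysqli->prepare("DELETE FROM " . $db_table_prefix . "permission_page_matches WHERE page_id = ? AND permission_id =?");
    if (is_array($page)) {
        foreach ($page as $id) {
            $stmt->bind_param("ii", $id, $permission);
            $stmt->execute();
            $removed++;
        }
    } elseif (is_array($permission)) {
        foreach ($permission as $id) {
            $stmt->bind_param("ii", $page, $id);
            $stmt->execute();
            $removed++;
        }
    } else {
        // The original bound an undefined $user here, so the single-id case
        // never deleted the intended row. Placeholder order is page_id, permission_id.
        $stmt->bind_param("ii", $page, $permission);
        $stmt->execute();
        $removed++;
    }
    $stmt->close();
    return $removed;
}

/**
 * Decide whether the current user may access the page named by the last
 * segment of $uri.
 *
 * Access is granted when the page is not registered in the pages table (the
 * scheme is fail-open: every page that must be protected has to be registered),
 * when it is public, when the logged-in user holds a matching permission level,
 * or when the user is the configured master account. A Location header is sent
 * on denial; the caller must stop rendering when false is returned, as this
 * function does not exit.
 *
 * @param string $uri request URI or path of the current script
 * @return bool
 */
function securePage($uri)
{
    global $mysqli, $db_table_prefix, $loggedInUser, $master_account;
    // Separate document name from uri
    $tokens = explode('/', $uri);
    $page = $tokens[count($tokens) - 1];
    // retrieve page details
    $stmt = $mysqli->prepare("SELECT id, page, private FROM " . $db_table_prefix . "pages WHERE page = ? LIMIT 1");
    $stmt->bind_param("s", $page);
    $stmt->execute();
    $stmt->bind_result($id, $page, $private);
    $pageDetails = null;
    while ($stmt->fetch()) {
        $pageDetails = array('id' => $id, 'page' => $page, 'private' => $private);
    }
    $stmt->close();
    // If page does not exist in DB, allow access
    if (empty($pageDetails)) {
        return true;
    }
    // If page is public, allow access
    if ($pageDetails['private'] == 0) {
        return true;
    }
    // If user is not logged in, deny access
    if (!isUserLoggedIn()) {
        header("Location: login.php");
        return false;
    }
    // Retrieve list of permission levels with access to page
    $stmt = $mysqli->prepare("SELECT permission_id FROM " . $db_table_prefix . "permission_page_matches WHERE page_id = ? ");
    $stmt->bind_param("i", $pageDetails['id']);
    $stmt->execute();
    $stmt->bind_result($permission);
    $pagePermissions = array();
    while ($stmt->fetch()) {
        $pagePermissions[] = $permission;
    }
    $stmt->close();
    // Check if user's permission levels allow access to page
    if ($loggedInUser->checkPermission($pagePermissions)) {
        return true;
    }
    // Grant access if master user. $master_account is imported from the global
    // scope (the original never declared it, so this branch could not match);
    // the null guard stops a missing setting from matching a user id under ==.
    if ($master_account !== null && $loggedInUser->user_id == $master_account) {
        return true;
    }
    header("Location: index.php");
    return false;
}
?>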