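<?php
/**
 * Admin access-control helpers: admin user CRUD, login validation, password
 * rules and reset handling, admin profiles, and the registry of admin pages
 * and menus.
 *
 * All database access goes through the global $db object. SQL text is built
 * from the TABLE_* constants and values are inserted with $db->bindVars(),
 * which replaces a :placeholder: token with the value cast/quoted per the
 * named type. Because bindVars() is a textual replacement, integer
 * placeholders are always bound BEFORE string placeholders in this file, so a
 * submitted string containing a placeholder token can never be re-substituted
 * by a later bind. The acting admin is always identified through
 * $_SESSION['admin_id']. Errors are reported as language-file constants
 * (ERROR_*, TEXT_*).
 */

/**
 * Check whether the logged-in admin's profile grants access to a page.
 *
 * Most admin pages have their own script, so the page name alone identifies
 * them. The Configuration and Modules menus are the exception: every entry is
 * served by configuration.php / modules.php and only differs by gID= / set=,
 * so for those two pages the request parameter is compared as well.
 *
 * @param string $page   page name; compared with the constant named in admin_pages.main_page
 * @param array  $params request parameters ('set' for modules, 'gID' for configuration)
 * @return bool TRUE when a page row permitted to the admin's profile matches
 */
function check_page($page, $params)
{
    global $db;

    // Most entries (normal case) have their own pages. However, everything on the Configuration
    // and Modules menus are handled by the single pages configuration.php and modules.php. So for
    // these pages we check their respective get params too.
    if ($page == 'modules') {
        $page_params = 'set=' . (isset($params['set']) ? $params['set'] : '');
    } elseif ($page == 'configuration') {
        $page_params = 'gID=' . (isset($params['gID']) ? $params['gID'] : '');
    } else {
        $page_params = '';
    }

    $sql = "SELECT ap.main_page, ap.page_params
            FROM " . TABLE_ADMIN . " a
            LEFT JOIN " . TABLE_ADMIN_PAGES_TO_PROFILES . " ap2p ON ap2p.profile_id = a.admin_profile
            LEFT JOIN " . TABLE_ADMIN_PAGES . " ap ON ap.page_key = ap2p.page_key
            WHERE admin_id = :adminId:";
    $sql = $db->bindVars($sql, ':adminId:', $_SESSION['admin_id'], 'integer');
    $result = $db->Execute($sql);

    while (!$result->EOF) {
        $main_page = $result->fields['main_page'];
        // The LEFT JOINs yield NULL page columns for a profile without pages;
        // guard before constant() so an empty/unknown name cannot raise.
        if ($main_page != '' && defined($main_page)
            && constant($main_page) == $page
            && $result->fields['page_params'] == $page_params) {
            return TRUE;
        }
        $result->MoveNext();
    }

    return FALSE;
}

/**
 * Whether the logged-in admin belongs to the SUPERUSER_PROFILE profile.
 *
 * @return bool
 */
function zen_is_superuser()
{
    global $db;
    $sql = 'SELECT admin_id from ' . TABLE_ADMIN . '
            WHERE admin_id = :adminId:
            AND admin_profile = :profile:';
    $sql = $db->bindVars($sql, ':adminId:', $_SESSION['admin_id'], 'integer');
    $sql = $db->bindVars($sql, ':profile:', SUPERUSER_PROFILE, 'integer');
    $result = $db->Execute($sql);
    return $result->RecordCount() > 0;
}

/**
 * List admin users together with their profile name.
 *
 * @param int|string $limit despite its name this is an admin_id: when
 *                          non-empty only that one user is returned,
 *                          '' (default) returns every user
 * @return array list of array('id', 'name', 'email', 'profile', 'profileName')
 */
function zen_get_users($limit = '')
{
    global $db;
    $retVal = array();
    $sql = 'SELECT a.*, p.profile_name FROM ' . TABLE_ADMIN . ' a
            LEFT JOIN ' . TABLE_ADMIN_PROFILES . ' p ON p.profile_id = a.admin_profile';
    if ($limit != '') {
        $sql .= ' WHERE a.admin_id = :adminid: LIMIT 1 ';
        $sql = $db->bindVars($sql, ':adminid:', $limit, 'integer');
    }
    $result = $db->Execute($sql);
    while (!$result->EOF) {
        $retVal[] = array(
            'id'          => $result->fields['admin_id'],
            'name'        => $result->fields['admin_name'],
            'email'       => $result->fields['admin_email'],
            'profile'     => $result->fields['admin_profile'],
            'profileName' => $result->fields['profile_name'],
        );
        $result->MoveNext();
    }
    return $retVal;
}

/**
 * Delete an admin user and e-mail the store owner about it.
 *
 * Refuses to delete the last remaining admin and the admin who is currently
 * logged in; those refusals are reported through $messageStack. Nothing is
 * returned.
 *
 * @param int|string $id admin_id to delete
 * @return void
 */
function zen_delete_user($id)
{
    // $messageStack must be imported here: the two refusal branches below call
    // a method on it, which is fatal when the global is not in scope.
    global $db, $messageStack;

    $sql = "select count(admin_id) as count from " . TABLE_ADMIN . " where admin_id != :id:";
    $sql = $db->bindVars($sql, ':id:', $id, 'integer');
    $result = $db->Execute($sql);

    if ($result->fields['count'] < 1) {
        $messageStack->add(ERROR_CANNOT_DELETE_LAST_ADMIN, 'error');
    } elseif ($id == $_SESSION['admin_id']) {
        $messageStack->add(ERROR_CANNOT_DELETE_SELF, 'error');
    } else {
        // Names are masked to a safe character set before being put into e-mail text.
        $delname = preg_replace('/[^\d\w._-]/', '*', zen_get_admin_name($id)) . ' [id: ' . (int)$id . ']';
        $sql = "DELETE FROM " . TABLE_ADMIN . " WHERE admin_id = :user:";
        $sql = $db->bindVars($sql, ':user:', $id, 'integer');
        $db->Execute($sql);
        $admname = '{' . preg_replace('/[^\d\w._-]/', '*', zen_get_admin_name()) . ' [id: ' . (int)$_SESSION['admin_id'] . ']}';
        zen_mail(STORE_OWNER_EMAIL_ADDRESS, STORE_OWNER_EMAIL_ADDRESS, TEXT_EMAIL_SUBJECT_ADMIN_USER_DELETED, sprintf(TEXT_EMAIL_MESSAGE_ADMIN_USER_DELETED, $delname, $admname), STORE_NAME, EMAIL_FROM, array(), 'admin_settings_changed');
    }
}

/**
 * Whether an admin name consists only of allowed characters.
 *
 * Note the inverted naming: the function returns TRUE when the name is VALID
 * (every character is one of [\d\w._-]) and FALSE otherwise, including for
 * the empty string.
 *
 * @param string $val candidate admin name
 * @return bool
 */
function zen_check_for_invalid_admin_chars($val)
{
    $matchstring = '[\d\w._-]'; // could expand this regex to allow other than non-accented latin chars
    // Anchored with \z and repeated so that EVERY character must be in the
    // allowed set; an unanchored single-character match would accept any name
    // that merely contains one allowed character.
    return preg_match('|^' . $matchstring . '+\z|', $val) === 1;
}

/**
 * Validate and create a new admin user, then e-mail the store owner.
 *
 * Validation: allowed name characters, minimum name length (at least 4,
 * or ADMIN_NAME_MINIMUM_LENGTH if larger), name not already in use, valid
 * e-mail, password equal to confirmation, password rules (see
 * zen_check_for_password_problems), and a non-zero profile. The row is only
 * inserted when no error was collected.
 *
 * @param string     $name
 * @param string     $email
 * @param string     $password plain-text password; stored hashed via zen_encrypt_password()
 * @param string     $confirm  password confirmation
 * @param int|string $profile  profile id (0 is rejected)
 * @return array list of error-message constants; empty on success
 */
function zen_insert_user($name, $email, $password, $confirm, $profile)
{
    global $db;
    $errors = array();
    $minNameLength = (int)ADMIN_NAME_MINIMUM_LENGTH < 4 ? 4 : (int)ADMIN_NAME_MINIMUM_LENGTH;
    $minPwdLength = (int)ADMIN_PASSWORD_MIN_LENGTH < 7 ? 7 : (int)ADMIN_PASSWORD_MIN_LENGTH;

    if (zen_check_for_invalid_admin_chars($name) == FALSE) {
        $errors[] = ERROR_ADMIN_INVALID_CHARS_IN_USERNAME;
    }
    $name = zen_db_prepare_input($name);
    if (strlen($name) < $minNameLength) {
        $errors[] = sprintf(ERROR_ADMIN_NAME_TOO_SHORT, $minNameLength);
    }
    $existingCheck = zen_read_user($name);
    if ($existingCheck !== FALSE) {
        $errors[] = ERROR_DUPLICATE_USER;
    }
    $email = zen_db_prepare_input($email);
    if (zen_validate_email($email) == FALSE) {
        $errors[] = ERROR_ADMIN_INVALID_EMAIL_ADDRESS;
    }
    $password = zen_db_prepare_input($password);
    $confirm = zen_db_prepare_input($confirm);
    $profile = zen_db_prepare_input($profile);
    if ($password != $confirm) {
        $errors[] = ERROR_PASSWORDS_NOT_MATCHING;
    }
    if (zen_check_for_password_problems($password, 0)) {
        $errors[] = ENTRY_PASSWORD_CHANGE_ERROR . ' ' . sprintf(ERROR_PASSWORD_RULES, $minPwdLength);
    }
    if ($profile == 0) {
        $errors[] = ERROR_USER_MUST_HAVE_PROFILE;
    }

    if (sizeof($errors) == 0) {
        $sql = "INSERT INTO " . TABLE_ADMIN . "
                SET admin_name = :name:,
                    admin_email = :email:,
                    admin_pass = :password:,
                    admin_profile = :profile:,
                    pwd_last_change_date = now(),
                    last_modified = now()";
        // Integer first; the free-form password hash goes in last (see file header).
        $sql = $db->bindVars($sql, ':profile:', $profile, 'integer');
        $sql = $db->bindVars($sql, ':name:', $name, 'string');
        $sql = $db->bindVars($sql, ':email:', $email, 'string');
        $sql = $db->bindVars($sql, ':password:', zen_encrypt_password($password), 'string');
        $db->Execute($sql);

        $newname = preg_replace('/[^\d\w._-]/', '*', $name);
        $admname = '{' . preg_replace('/[^\d\w._-]/', '*', zen_get_admin_name()) . ' [id: ' . (int)$_SESSION['admin_id'] . ']}';
        zen_mail(STORE_OWNER_EMAIL_ADDRESS, STORE_OWNER_EMAIL_ADDRESS, TEXT_EMAIL_SUBJECT_ADMIN_USER_ADDED, sprintf(TEXT_EMAIL_MESSAGE_ADMIN_USER_ADDED, $newname, $admname), STORE_NAME, EMAIL_FROM, array(), 'admin_settings_changed');
    }
    return $errors;
}

/**
 * Update an admin user's e-mail and optionally name and profile, then notify
 * the store owner and the user of what actually changed.
 *
 * @param string|false $name    new admin name, or FALSE to leave the name unchanged
 * @param string       $email   new e-mail address (always validated and written)
 * @param int|string   $id      admin_id of the user being edited
 * @param int|string   $profile new profile id; ignored when not > 0 or unchanged
 * @return array list of error-message constants; empty on success
 */
function zen_update_user($name, $email, $id, $profile)
{
    global $db;
    $errors = array();
    $minNameLength = (int)ADMIN_NAME_MINIMUM_LENGTH < 4 ? 4 : (int)ADMIN_NAME_MINIMUM_LENGTH;

    if ($name !== FALSE) {
        if (strlen($name) >= $minNameLength) {
            $name = zen_db_prepare_input($name);
        } else {
            $errors[] = sprintf(ERROR_ADMIN_NAME_TOO_SHORT, $minNameLength);
        }
        if (zen_check_for_invalid_admin_chars($name) == FALSE) {
            $errors[] = ERROR_ADMIN_INVALID_CHARS_IN_USERNAME;
        }
    }
    $email = zen_db_prepare_input($email);
    if (zen_validate_email($email) == FALSE) {
        $errors[] = ERROR_ADMIN_INVALID_EMAIL_ADDRESS;
    }

    if (sizeof($errors) == 0) {
        $oldData = zen_read_user(zen_get_admin_name($id));
        $id = (int)$id;

        // Only columns whose value really changes are included in the UPDATE.
        $sql = "UPDATE " . TABLE_ADMIN . "
                SET admin_email = :email:, ";
        if (isset($name) && $name !== FALSE && $name != $oldData['admin_name']) $sql .= "admin_name = :name:, ";
        if (isset($profile) && $profile > 0 && $profile != $oldData['admin_profile']) $sql .= "admin_profile = :profile:, ";
        $sql .= "last_modified = NOW()
                WHERE admin_id=" . $id;
        $sql = $db->bindVars($sql, ':profile:', $profile, 'integer');
        $sql = $db->bindVars($sql, ':name:', $name, 'string');
        $sql = $db->bindVars($sql, ':email:', $email, 'string');
        $db->Execute($sql);

        // Now notify admin and user of changes
        $newData = zen_read_user(zen_get_admin_name($id));
        $admname = preg_replace('/[^\d\w._-]/', '*', zen_get_admin_name()) . '[' . (int)$_SESSION['admin_id'] . ']';
        $changes = array();
        if ($oldData['admin_email'] != $newData['admin_email']) {
            $changes['email'] = array('old' => $oldData['admin_email'], 'new' => $newData['admin_email']);
        }
        if ($oldData['admin_name'] != $newData['admin_name']) {
            $changes['name'] = array('old' => $oldData['admin_name'], 'new' => $newData['admin_name']);
        }
        if ($oldData['admin_profile'] != $newData['admin_profile']) {
            $changes['profile'] = array(
                'old' => zen_get_profile_name($oldData['admin_profile']) . '(' . $oldData['admin_profile'] . ')',
                'new' => zen_get_profile_name($newData['admin_profile']) . '(' . $newData['admin_profile'] . ')',
            );
        }
        $alertText = '';
        if (isset($changes['email'])) $alertText .= sprintf(TEXT_EMAIL_ALERT_ADM_EMAIL_CHANGED, $oldData['admin_name'], $changes['email']['old'], $changes['email']['new'], $admname) . "\n";
        if (isset($changes['name'])) $alertText .= sprintf(TEXT_EMAIL_ALERT_ADM_NAME_CHANGED, $oldData['admin_name'], $changes['name']['old'], $changes['name']['new'], $admname) . "\n";
        if (isset($changes['profile'])) $alertText .= sprintf(TEXT_EMAIL_ALERT_ADM_PROFILE_CHANGED, $oldData['admin_name'], $changes['profile']['old'], $changes['profile']['new'], $admname) . "\n";
        if ($alertText != '') {
            // Both the store owner and the (old) address of the edited user are told.
            zen_mail(STORE_OWNER_EMAIL_ADDRESS, STORE_OWNER_EMAIL_ADDRESS, TEXT_EMAIL_SUBJECT_ADMIN_USER_CHANGED, $alertText, STORE_NAME, EMAIL_FROM, array(), 'admin_settings_changed');
            zen_mail($oldData['admin_email'], $oldData['admin_email'], TEXT_EMAIL_SUBJECT_ADMIN_USER_CHANGED, $alertText, STORE_NAME, EMAIL_FROM, array(), 'admin_settings_changed');
        }
    }
    return $errors;
}

/**
 * Load an admin row by name.
 *
 * @param string $name admin_name to look up
 * @return array|false the row fields (admin_id, admin_name, admin_email,
 *                     admin_pass, pwd_last_change_date, reset_token,
 *                     failed_logins, lockout_expires, admin_profile), or FALSE
 *                     when no such user exists
 */
function zen_read_user($name)
{
    global $db;
    $sql = "select admin_id, admin_name, admin_email, admin_pass, pwd_last_change_date, reset_token, failed_logins, lockout_expires, admin_profile from " . TABLE_ADMIN . " where admin_name = :adminname: LIMIT 1";
    $sql = $db->bindVars($sql, ':adminname:', $name, 'string');
    $result = $db->Execute($sql);
    if ($result->EOF || $result->RecordCount() < 1) return FALSE;
    return $result->fields;
}

/**
 * Look up an admin name by id.
 *
 * @param int|string $id admin_id; '' (default) means the logged-in admin
 * @return string|null the admin_name, or whatever the empty result carries
 *                     when the id is unknown
 */
function zen_get_admin_name($id = '')
{
    global $db;
    if ($id == '') $id = $_SESSION['admin_id'];
    $sql = "select admin_name from " . TABLE_ADMIN . " where admin_id = :adminid: LIMIT 1";
    $sql = $db->bindVars($sql, ':adminid:', $id, 'integer');
    $result = $db->Execute($sql);
    return $result->fields['admin_name'];
}

/**
 * Validate an admin login attempt and apply the account-protection rules.
 *
 * Checks, in order: the account exists, it is not locked out, a pending
 * reset token (temporary password), the stored password, and finally the
 * optional two-factor hook named by ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE.
 * Every failure is counted both in the session and on the account row;
 * after more than 3 failures the account holder is e-mailed (if
 * ADMIN_SWITCH_SEND_LOGIN_FAILURE_EMAILS is 'Yes'), and after more than 6
 * the account is locked for ADMIN_LOGIN_LOCKOUT_TIMER seconds, the session
 * is destroyed and the caller is redirected to FILENAME_DEFAULT. Every
 * failure also sleeps (4s, or 15s on lockout) to slow down guessing.
 * On success the counters are cleared and $_SESSION['admin_id'] is set.
 *
 * @param string $admin_name submitted admin name
 * @param string $admin_pass submitted plain-text password
 * @return array list($error, $expired, $message, $redirect): $error TRUE means
 *               the login is refused; $expired TRUE means the password must be
 *               changed before the admin may proceed
 */
function zen_validate_user_login($admin_name, $admin_pass)
{
    global $db;
    $camefrom = isset($_GET['camefrom']) ? $_GET['camefrom'] : FILENAME_DEFAULT;
    $error = $expired = false;
    $message = $redirect = '';
    $expired_token = 0;
    $result = zen_read_user($admin_name);

    if ($result === FALSE || $admin_name != $result['admin_name']) {
        $error = true;
        $message = ERROR_WRONG_LOGIN;
    } else {
        if ($result['lockout_expires'] > time()) {
            $error = true;
            $message = ERROR_SECURITY_ERROR; // account locked. Simply give generic error, since otherwise we alert that the account name is correct
        }
        if ($result['reset_token'] != '') {
            // reset_token holds "<expiry timestamp>}<hashed temporary password>";
            // explode() is limited to two parts and the second guarded so a
            // malformed value cannot produce an undefined-offset notice.
            $parts = explode('}', $result['reset_token'], 2);
            $expired_token = (int)$parts[0];
            $token = isset($parts[1]) ? $parts[1] : '';
            if ($expired_token > 0) {
                if ($expired_token <= time() && $result['admin_pass'] != '') {
                    // reset the reset_token field to blank, since token has expired
                    $sql = "update " . TABLE_ADMIN . " set reset_token = '' where admin_name = :adminname: ";
                    $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
                    $db->Execute($sql);
                    $expired = false;
                } elseif (!zen_validate_password($admin_pass, $token)) {
                    $error = true;
                    $message = ERROR_WRONG_LOGIN;
                } else {
                    // temporary password is correct: the caller must force a password change
                    $error = true;
                    $expired = true;
                    $message = TEXT_TEMPORARY_PASSWORD_MUST_BE_CHANGED;
                }
            }
        }
        if ($result['admin_pass'] == '') {
            $error = true;
            $expired = true;
            $message = TEXT_TEMPORARY_PASSWORD_MUST_BE_CHANGED;
        } elseif (!zen_validate_password($admin_pass, $result['admin_pass'])) {
            $error = true;
            if (!$expired) $message = ERROR_WRONG_LOGIN;
        }

        // BEGIN 2-factor authentication
        if ($error == FALSE && defined('ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE') && ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE != '') {
            if (function_exists(ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE)) {
                $response = zen_call_function(ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE, array($result['admin_id'], $result['admin_email'], $result['admin_name']));
                // Anything other than strict TRUE is a refusal.
                if ($response !== TRUE) {
                    $error = TRUE;
                    $message = ERROR_WRONG_LOGIN;
                }
            }
        }
    }

    // BEGIN LOGIN SLAM PREVENTION
    if ($error == TRUE) {
        if (!isset($_SESSION['login_attempt'])) $_SESSION['login_attempt'] = 0;
        $_SESSION['login_attempt']++;
        // Record the failure on the account row (a no-op when the name is unknown).
        $sql = "UPDATE " . TABLE_ADMIN . " SET failed_logins = failed_logins + 1, last_failed_attempt = now(), last_failed_ip = :ip: WHERE admin_name = :adminname: ";
        $sql = $db->bindVars($sql, ':ip:', $_SERVER['REMOTE_ADDR'], 'string');
        $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
        $db->Execute($sql);

        // $result is FALSE for an unknown name; read the account counters defensively.
        $failed_logins = ($result !== FALSE && isset($result['failed_logins'])) ? (int)$result['failed_logins'] : 0;
        $has_email = $result !== FALSE && isset($result['admin_email']) && $result['admin_email'] != '';

        if (($_SESSION['login_attempt'] > 3 || $failed_logins > 3) && $has_email && ADMIN_SWITCH_SEND_LOGIN_FAILURE_EMAILS == 'Yes') {
            $html_msg = array();
            $html_msg['EMAIL_CUSTOMERS_NAME'] = $result['admin_name'];
            $html_msg['EMAIL_MESSAGE_HTML'] = sprintf(TEXT_EMAIL_MULTIPLE_LOGIN_FAILURES, $_SERVER['REMOTE_ADDR']);
            zen_mail($result['admin_name'], $result['admin_email'], TEXT_EMAIL_SUBJECT_LOGIN_FAILURES, sprintf(TEXT_EMAIL_MULTIPLE_LOGIN_FAILURES, $_SERVER['REMOTE_ADDR']), STORE_NAME, EMAIL_FROM, $html_msg, 'no_archive');
        }
        // $expired_token is a unix timestamp when a reset token is pending, so this
        // appears to skip the lockout while a temporary password is outstanding.
        if ($expired_token < 10000) {
            if ($_SESSION['login_attempt'] > 6 || $failed_logins > 6) {
                $sql = "UPDATE " . TABLE_ADMIN . " SET lockout_expires = :lockout: WHERE admin_name = :adminname: ";
                $sql = $db->bindVars($sql, ':lockout:', time() + ADMIN_LOGIN_LOCKOUT_TIMER, 'integer');
                $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
                $db->Execute($sql);
                zen_session_destroy();
                sleep(15);
                $redirect = zen_href_link(FILENAME_DEFAULT, '', 'SSL');
                return array($error, $expired, $message, $redirect);
            } else {
                sleep(4);
            }
        }
    } // END LOGIN SLAM PREVENTION

    // deal with expireds
    if ($error == FALSE && $result['pwd_last_change_date'] < date('Y-m-d H:i:s', ADMIN_PASSWORD_EXPIRES_INTERVAL)) {
        $expired = true;
        $error = true;
        // this fixed sentinel date is reported with the EXPIRED_DUE_TO_SSL message
        if ($result['pwd_last_change_date'] == '1990-01-01 14:02:22') $message = ($message == '' ? '' : $message . '<br /><br />') . EXPIRED_DUE_TO_SSL;
    }

    if ($error == false) {
        unset($_SESSION['login_attempt']);
        $sql = "UPDATE " . TABLE_ADMIN . " SET failed_logins = 0, lockout_expires = 0, last_login_date = now(), last_login_ip = :ip: WHERE admin_name = :adminname: ";
        $sql = $db->bindVars($sql, ':ip:', $_SERVER['REMOTE_ADDR'], 'string');
        $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
        $db->Execute($sql);
        $_SESSION['admin_id'] = $result['admin_id'];
        if (SESSION_RECREATE == 'True') {
            zen_session_recreate(); // fresh session id once the session becomes privileged
        }
        $redirect = zen_href_link($camefrom, zen_get_all_get_params(array('camefrom')), 'SSL');
    }
    return array($error, $expired, $message, $redirect);
}

/**
 * Check a candidate admin password against the password rules.
 *
 * The password must contain at least one letter and one digit, consist only
 * of letters, digits, underscore and punctuation, and be at least 7 characters
 * (or ADMIN_PASSWORD_MIN_LENGTH if that is larger). When an admin id is given
 * the password is also rejected if it matches the current password or any of
 * the three previous ones (prev_pass1..3).
 *
 * @param string     $password plain-text candidate
 * @param int|string $adminID  admin to check history for; 0 skips the history check
 * @return bool TRUE when there IS a problem, FALSE when the password is acceptable
 */
function zen_check_for_password_problems($password, $adminID = 0)
{
    global $db;
    $error = FALSE;

    // admin passwords must be 7 chars long at the very least
    $minLength = (int)ADMIN_PASSWORD_MIN_LENGTH < 7 ? 7 : (int)ADMIN_PASSWORD_MIN_LENGTH;

    // admin passwords must contain at least 1 letter and 1 number and be of required minimum length
    if (!preg_match('/^(?=.*[a-zA-Z]+.*)(?=.*[\d]+.*)[\d\w[:punct:]]{' . $minLength . ',}$/', $password)) {
        $error = TRUE;
    }
    // if no user specified, skip checking history
    if ($adminID == 0) return $error;

    // passwords cannot be same as last 4
    $sql = "SELECT admin_pass, prev_pass1, prev_pass2, prev_pass3 FROM " . TABLE_ADMIN . "
            WHERE admin_id = :adminID:";
    $sql = $db->bindVars($sql, ':adminID:', $adminID, 'integer');
    $result = $db->Execute($sql);
    if ($result->RecordCount()) {
        foreach ($result->fields as $val) {
            if (zen_validate_password($password, $val)) {
                $error = TRUE;
            }
        }
    }
    return $error;
}

/**
 * Whether an admin's password is older than the allowed age.
 *
 * @param int|string $adminID admin_id to check
 * @param int        $days    maximum age in days (default 90, the original fixed value)
 * @return int 1 when the password is older than $days, 0 otherwise
 *             (the row count of the query)
 */
function zen_check_for_expired_pwd($adminID, $days = 90)
{
    global $db;
    $sql = "SELECT admin_id FROM " . TABLE_ADMIN . "
            WHERE admin_id = :adminID:
            AND pwd_last_change_date < DATE_SUB(CURDATE(),INTERVAL :days: DAY)";
    $sql = $db->bindVars($sql, ':adminID:', $adminID, 'integer');
    $sql = $db->bindVars($sql, ':days:', $days, 'integer');
    $result = $db->Execute($sql);
    return $result->RecordCount();
}

/**
 * Set a new password for an admin, keeping the three previous hashes.
 *
 * The literal 'no password' in BOTH arguments skips validation entirely and
 * stores the hash of that literal (callers use this to force a change on the
 * next login). Otherwise the pair must match and pass
 * zen_check_for_password_problems() including the history check.
 *
 * @param int|string $id       admin_id
 * @param string     $password new plain-text password
 * @param string     $compare  confirmation
 * @return array list of error-message constants; empty when the password was changed
 */
function zen_reset_password($id, $password, $compare)
{
    global $db;
    $errors = array();
    $id = (int)$id;
    $minPwdLength = (int)ADMIN_PASSWORD_MIN_LENGTH < 7 ? 7 : (int)ADMIN_PASSWORD_MIN_LENGTH;

    if ($password != 'no password' || $compare != 'no password') {
        $password = zen_db_prepare_input($password);
        $compare = zen_db_prepare_input($compare);
        if ($password != $compare) {
            $errors[] = ERROR_PASSWORDS_NOT_MATCHING;
        }
        if (zen_check_for_password_problems($password, $id)) {
            $errors[] = ENTRY_PASSWORD_CHANGE_ERROR . ' ' . sprintf(ERROR_PASSWORD_RULES, $minPwdLength);
        }
    }

    if (sizeof($errors) == 0) {
        // Hash once and store that value (the original hashed twice and discarded the first).
        $encryptedPassword = zen_encrypt_password($password);
        $sql = "UPDATE " . TABLE_ADMIN . "
                SET prev_pass3 = prev_pass2, prev_pass2 = prev_pass1, prev_pass1 = admin_pass, admin_pass = :newpwd:, pwd_last_change_date = now()
                WHERE admin_id = :adminID:";
        $sql = $db->bindVars($sql, ':adminID:', $id, 'integer');
        $sql = $db->bindVars($sql, ':newpwd:', $encryptedPassword, 'string');
        $db->Execute($sql);
    }
    return $errors;
}

/**
 * Handle a password-change request from the login/reset form.
 *
 * The request is authenticated with the current password; if that does not
 * match, an unexpired reset token (temporary password) is accepted instead.
 * An unknown name or a locked-out account is refused immediately, before any
 * database write. On a successful change the reset token is cleared.
 *
 * @param string $admin_name  submitted admin name
 * @param string $adm_old_pwd current password or temporary password
 * @param string $adm_new_pwd new password
 * @param string $adm_conf_pwd confirmation of the new password
 * @return array list of error-message constants; empty when the password was changed
 */
function zen_validate_pwd_reset_request($admin_name, $adm_old_pwd, $adm_new_pwd, $adm_conf_pwd)
{
    global $db;
    $errors = array();
    $minPwdLength = (int)ADMIN_PASSWORD_MIN_LENGTH < 7 ? 7 : (int)ADMIN_PASSWORD_MIN_LENGTH;
    $result = zen_read_user($admin_name);

    if ($result === FALSE || $admin_name != $result['admin_name']) {
        // No account row: return before anything below dereferences it.
        $errors[] = ERROR_WRONG_LOGIN;
        return $errors;
    }
    if ($result['lockout_expires'] > time()) {
        // A locked-out account must not be able to change its password; the
        // original only recorded the error and still ran the reset below.
        $errors[] = ERROR_SECURITY_ERROR;
        return $errors;
    }

    // if entered password doesn't match current password, check for reset token
    if (!zen_validate_password($adm_old_pwd, $result['admin_pass'])) {
        if ($result['reset_token'] != '') {
            // reset_token holds "<expiry timestamp>}<hashed temporary password>"
            $parts = explode('}', $result['reset_token'], 2);
            $expired_token = (int)$parts[0];
            $token = isset($parts[1]) ? $parts[1] : '';
            if ($expired_token > 0) {
                if ($expired_token <= time()) {
                    // reset the reset_token field to blank, since token has expired
                    $sql = "update " . TABLE_ADMIN . " set reset_token = '' where admin_name = :adminname: ";
                    $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
                    $db->Execute($sql);
                } elseif (!zen_validate_password($adm_old_pwd, $token)) {
                    // if we have a token and it hasn't expired, check password against token
                    $errors[] = ERROR_WRONG_LOGIN;
                } else {
                    // temporary password is good, so attempt to reset using new password
                    $moreErrors = zen_reset_password($result['admin_id'], $adm_new_pwd, $adm_conf_pwd);
                    if (sizeof($moreErrors)) {
                        $errors = array_merge($errors, $moreErrors);
                    } else {
                        // password change was accepted, so reset token
                        $sql = "update " . TABLE_ADMIN . " set reset_token = '', failed_logins = 0 where admin_name = :adminname: ";
                        $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
                        $db->Execute($sql);
                    }
                }
            }
        } else {
            $errors[] = ENTRY_PASSWORD_CHANGE_ERROR . ' ' . sprintf(ERROR_PASSWORD_RULES, $minPwdLength);
        }
    } else {
        // password matched, so proceed with reset
        $moreErrors = zen_reset_password($result['admin_id'], $adm_new_pwd, $adm_conf_pwd);
        if (sizeof($moreErrors)) {
            $errors = array_merge($errors, $moreErrors);
        } else {
            $sql = "update " . TABLE_ADMIN . " set reset_token = '' where admin_name = :adminname: ";
            $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
            $db->Execute($sql);
        }
    }
    return $errors;
}

/**
 * List admin profiles.
 *
 * @param bool $withUsers when TRUE each entry is array('id', 'name', 'users')
 *                        with the number of admins on the profile; when FALSE
 *                        each entry is array('id', 'text') (select-box shape)
 * @return array
 */
function zen_get_profiles($withUsers = FALSE)
{
    global $db;
    $retVal = array();
    if ($withUsers) {
        $sql = "SELECT p.profile_id, p.profile_name, COUNT(a.admin_profile) as profile_users
                FROM " . TABLE_ADMIN_PROFILES . " p
                LEFT JOIN " . TABLE_ADMIN . " a ON a.admin_profile = p.profile_id
                GROUP BY p.profile_id";
        $result = $db->Execute($sql);
        while (!$result->EOF) {
            $retVal[] = array(
                'id'    => $result->fields['profile_id'],
                'name'  => $result->fields['profile_name'],
                'users' => $result->fields['profile_users'],
            );
            $result->MoveNext();
        }
    } else {
        $sql = 'SELECT * FROM ' . TABLE_ADMIN_PROFILES;
        $result = $db->Execute($sql);
        while (!$result->EOF) {
            $retVal[] = array('id' => $result->fields['profile_id'], 'text' => $result->fields['profile_name']);
            $result->MoveNext();
        }
    }
    return $retVal;
}

/**
 * Look up a profile's display name.
 *
 * @param int|string $profile profile_id
 * @return string|null
 */
function zen_get_profile_name($profile)
{
    global $db;
    $sql = "SELECT profile_name FROM " . TABLE_ADMIN_PROFILES . " WHERE profile_id = :profile:";
    $sql = $db->bindVars($sql, ':profile:', $profile, 'integer');
    $result = $db->Execute($sql);
    return $result->fields['profile_name'];
}

/**
 * Rename a profile.
 *
 * @param int|string $profile      profile_id
 * @param string     $profile_name new name (passed through zen_db_prepare_input)
 * @return void
 */
function zen_update_profile_name($profile, $profile_name)
{
    global $db;
    $sql = "UPDATE " . TABLE_ADMIN_PROFILES . "
            SET profile_name = :profileName:
            WHERE profile_id = :profile:";
    $sql = $db->bindVars($sql, ':profile:', $profile, 'integer');
    $sql = $db->bindVars($sql, ':profileName:', zen_db_prepare_input($profile_name), 'string');
    $db->Execute($sql);
}

/**
 * Load every registered admin page, grouped by menu, in menu/page sort order.
 *
 * Rows whose main_page or language_key constant is not defined are skipped.
 * Entries for payment/order-total modules that are not installed/enabled are
 * removed, and a NOT_INSTALLED_TEXT placeholder is added under 'gv' when
 * neither coupons nor gift vouchers are installed.
 *
 * @param bool $menu_only when TRUE only pages with display_on_menu = 'Y'
 * @return array menu_key => (page_key => array('name', 'file', 'params'))
 */
function zen_get_admin_pages($menu_only)
{
    global $db;
    $retVal = array(); // was never initialised; an empty result returned null

    $sql = "SELECT ap.menu_key, ap.page_key, ap.main_page, ap.page_params, ap.language_key as page_name
            FROM " . TABLE_ADMIN_PAGES . " ap
            LEFT JOIN " . TABLE_ADMIN_MENUS . " am ON am.menu_key = ap.menu_key ";
    if ($menu_only) $sql .= "WHERE ap.display_on_menu = 'Y' ";
    $sql .= "ORDER BY am.sort_order, ap.sort_order";
    $result = $db->Execute($sql);
    while (!$result->EOF) {
        if (defined($result->fields['main_page']) && defined($result->fields['page_name'])) {
            $retVal[$result->fields['menu_key']][$result->fields['page_key']] = array(
                'name'   => constant($result->fields['page_name']),
                'file'   => constant($result->fields['main_page']),
                'params' => $result->fields['page_params'],
            );
        }
        $result->MoveNext();
    }

    // Include Linkpoint review only if the payment mod is enabled
    if (!defined('MODULE_PAYMENT_LINKPOINT_API_STATUS') || MODULE_PAYMENT_LINKPOINT_API_STATUS != 'True') {
        unset($retVal['customers']['linkpointReview']);
    }
    // Include paypal ipn menu only if the payment mod is enabled
    if (!(defined('MODULE_PAYMENT_PAYPAL_STATUS') && MODULE_PAYMENT_PAYPAL_STATUS == 'True') &&
        !(defined('MODULE_PAYMENT_PAYPALWPP_STATUS') && MODULE_PAYMENT_PAYPALWPP_STATUS == 'True') &&
        !(defined('MODULE_PAYMENT_PAYPALDP_STATUS') && MODULE_PAYMENT_PAYPALDP_STATUS == 'True')) {
        unset($retVal['customers']['paypal']);
    }
    // don't show Coupon Admin unless installed
    if (!defined('MODULE_ORDER_TOTAL_COUPON_STATUS') || MODULE_ORDER_TOTAL_COUPON_STATUS != 'true') {
        unset($retVal['gv']['couponAdmin']);
    }
    // don't show Gift Vouchers unless installed
    if (!defined('MODULE_ORDER_TOTAL_GV_STATUS') || MODULE_ORDER_TOTAL_GV_STATUS != 'true') {
        unset($retVal['gv']['gvQueue']);
        unset($retVal['gv']['gvMail']);
        unset($retVal['gv']['gvSent']);
    }
    // if Coupons and Gift Vouchers are off display msg
    if (!defined('MODULE_ORDER_TOTAL_COUPON_STATUS') && !defined('MODULE_ORDER_TOTAL_GV_STATUS')) {
        $retVal['gv']['message'] = array(
            'name'   => NOT_INSTALLED_TEXT,
            'file'   => FILENAME_MODULES,
            'params' => 'set=ordertotal',
        );
    }

    return $retVal;
}

/**
 * Page keys a profile is allowed to access.
 *
 * @param int|string $profile profile_id
 * @return array list of page_key strings
 */
function zen_get_permitted_pages_for_profile($profile)
{
    global $db;
    $retVal = array();
    $sql = "SELECT page_key FROM " . TABLE_ADMIN_PAGES_TO_PROFILES . " WHERE profile_id = :profile:";
    $sql = $db->bindVars($sql, ':profile:', $profile, 'integer');
    $result = $db->Execute($sql);
    while (!$result->EOF) {
        $retVal[] = $result->fields['page_key'];
        $result->MoveNext();
    }
    return $retVal;
}

/**
 * Delete a profile and its page permissions, unless admins still use it.
 *
 * @param int|string $profile profile_id
 * @return string '' on success, or ERROR_PROFILE_HAS_USERS_ATTACHED
 */
function zen_delete_profile($profile)
{
    global $db;
    $error = '';
    $sql = "SELECT admin_id FROM " . TABLE_ADMIN . " WHERE admin_profile = :profile:";
    $sql = $db->bindVars($sql, ':profile:', $profile, 'integer');
    $result = $db->Execute($sql);
    if ($result->RecordCount() == 0) {
        $sql = "DELETE FROM " . TABLE_ADMIN_PAGES_TO_PROFILES . " WHERE profile_id = :profile:";
        $sql = $db->bindVars($sql, ':profile:', $profile, 'integer');
        $db->Execute($sql);
        $sql = "DELETE FROM " . TABLE_ADMIN_PROFILES . " WHERE profile_id = :profile:";
        $sql = $db->bindVars($sql, ':profile:', $profile, 'integer');
        $db->Execute($sql);
    } else {
        $error = ERROR_PROFILE_HAS_USERS_ATTACHED;
    }
    return $error;
}

/**
 * Create a profile and attach its permitted pages.
 *
 * @param array $profileData array('name' => profile name, 'p' => list of page keys)
 * @return string '' on success, otherwise one of ERROR_NO_PROFILE_NAME,
 *                ERROR_INVALID_PROFILE_NAME, ERROR_DUPLICATE_PROFILE_NAME,
 *                ERROR_NO_PAGES_IN_PROFILE, ERROR_UNABLE_TO_CREATE_PROFILE
 */
function zen_create_profile($profileData)
{
    global $db;

    if (!isset($profileData['name'])) {
        return ERROR_NO_PROFILE_NAME;
    }
    $name = zen_db_prepare_input($profileData['name']);
    if (empty($name)) {
        return ERROR_INVALID_PROFILE_NAME;
    }

    $sql = "SELECT profile_id FROM " . TABLE_ADMIN_PROFILES . " WHERE profile_name = :name:";
    $sql = $db->bindVars($sql, ':name:', $name, 'string');
    $result = $db->Execute($sql);
    if ($result->RecordCount() > 0) {
        return ERROR_DUPLICATE_PROFILE_NAME;
    }
    if (!isset($profileData['p']) || !is_array($profileData['p']) || sizeof($profileData['p']) == 0) {
        return ERROR_NO_PAGES_IN_PROFILE;
    }

    $sql = "INSERT INTO " . TABLE_ADMIN_PROFILES . "
            SET profile_name = :name:";
    $sql = $db->bindVars($sql, ':name:', $name, 'string');
    $db->Execute($sql);
    $profileId = $db->Insert_ID();
    if (!is_numeric($profileId)) {
        // failed to create the profile return error message
        return ERROR_UNABLE_TO_CREATE_PROFILE;
    }
    // succeeded in creating the profile so result returned was the profile ID
    zen_insert_pages_into_profile($profileId, $profileData['p']);
    return '';
}

/**
 * Remove every page permission from a profile.
 *
 * @param int|string $profile profile_id
 * @return void
 */
function zen_remove_profile_permits($profile)
{
    global $db;
    $sql = "DELETE FROM " . TABLE_ADMIN_PAGES_TO_PROFILES . " WHERE profile_id = :profile:";
    $sql = $db->bindVars($sql, ':profile:', $profile, 'integer');
    $db->Execute($sql);
}

/**
 * Grant a profile access to a list of pages (one INSERT per page).
 *
 * @param int|string $id    profile_id
 * @param array      $pages list of page_key strings
 * @return void
 */
function zen_insert_pages_into_profile($id, $pages)
{
    global $db;
    foreach ($pages as $page) {
        $sql = "INSERT INTO " . TABLE_ADMIN_PAGES_TO_PROFILES . "
                SET page_key=:page:,
                    profile_id=:profileId:";
        $sql = $db->bindVars($sql, ':profileId:', $id, 'integer');
        $sql = $db->bindVars($sql, ':page:', $page, 'string');
        $db->Execute($sql);
    }
}

/**
 * Build the admin menu for the logged-in admin.
 *
 * A superuser gets every page flagged for the menu (zen_get_admin_pages(TRUE));
 * anyone else gets only the menu pages permitted to their profile.
 *
 * @return array menu_key => (page_key => array('name', 'file', 'params'))
 */
function zen_get_admin_menu_for_user()
{
    global $db;
    if (zen_is_superuser()) {
        // get all registered admin pages that should appear in the menu
        $retVal = zen_get_admin_pages(TRUE);
    } else {
        // get only those registered pages allowed by the current user's profile
        $retVal = array();
        $sql = "SELECT ap.menu_key, ap.page_key, ap.main_page, ap.page_params, ap.language_key as pageName
                FROM " . TABLE_ADMIN . " a
                LEFT JOIN " . TABLE_ADMIN_PAGES_TO_PROFILES . " ap2p ON ap2p.profile_id = a.admin_profile
                LEFT JOIN " . TABLE_ADMIN_PAGES . " ap ON ap.page_key = ap2p.page_key
                LEFT JOIN " . TABLE_ADMIN_MENUS . " am ON am.menu_key = ap.menu_key
                WHERE a.admin_id = :user:
                AND ap.display_on_menu = 'Y'
                ORDER BY am.sort_order, ap.sort_order";
        $sql = $db->bindVars($sql, ':user:', $_SESSION['admin_id'], 'integer');
        $result = $db->Execute($sql);
        while (!$result->EOF) {
            // Same guard as zen_get_admin_pages(): skip rows whose constants are not defined.
            if (defined($result->fields['main_page']) && defined($result->fields['pageName'])) {
                $retVal[$result->fields['menu_key']][$result->fields['page_key']] = array(
                    'name'   => constant($result->fields['pageName']),
                    'file'   => constant($result->fields['main_page']),
                    'params' => $result->fields['page_params'],
                );
            }
            $result->MoveNext();
        }
    }
    return $retVal;
}

/**
 * Menu titles keyed by menu_key, in sort order.
 *
 * @return array menu_key => translated title (value of the language_key constant)
 */
function zen_get_menu_titles()
{
    global $db;
    // The original initialised $retval but filled and returned $retVal, so an
    // empty menu table yielded null instead of an array.
    $retVal = array();
    $sql = "SELECT menu_key, language_key FROM " . TABLE_ADMIN_MENUS . " ORDER BY sort_order";
    $result = $db->Execute($sql);
    while (!$result->EOF) {
        $retVal[$result->fields['menu_key']] = constant($result->fields['language_key']);
        $result->MoveNext();
    }
    return $retVal;
}

/**
 * Whether a page key is already registered.
 *
 * @param string $page_key
 * @return bool
 */
function zen_page_key_exists($page_key)
{
    global $db;
    $sql = "SELECT page_key FROM " . TABLE_ADMIN_PAGES . " WHERE page_key = :page_key:";
    $sql = $db->bindVars($sql, ':page_key:', $page_key, 'string');
    $result = $db->Execute($sql);
    return $result->RecordCount() >= 1;
}

/**
 * Register an admin page in the admin_pages table.
 *
 * @param string     $page_key        unique key of the page
 * @param string     $language_key    name of the constant holding the page title
 * @param string     $main_page       name of the constant holding the page filename
 * @param string     $page_params     extra query parameters
 * @param string     $menu_key        menu the page belongs to
 * @param string     $display_on_menu 'Y' or 'N'
 * @param int|string $sort_order
 * @return void
 */
function zen_register_admin_page($page_key, $language_key, $main_page, $page_params, $menu_key, $display_on_menu, $sort_order)
{
    global $db;
    $sql = "INSERT INTO " . TABLE_ADMIN_PAGES . "
            SET page_key = :page_key:,
                language_key = :language_key:,
                main_page = :main_page:,
                page_params = :page_params:,
                menu_key = :menu_key:,
                display_on_menu = :display_on_menu:,
                sort_order = :sort_order:";
    $sql = $db->bindVars($sql, ':sort_order:', $sort_order, 'integer');
    $sql = $db->bindVars($sql, ':page_key:', $page_key, 'string');
    $sql = $db->bindVars($sql, ':language_key:', $language_key, 'string');
    $sql = $db->bindVars($sql, ':main_page:', $main_page, 'string');
    $sql = $db->bindVars($sql, ':page_params:', $page_params, 'string');
    $sql = $db->bindVars($sql, ':menu_key:', $menu_key, 'string');
    $sql = $db->bindVars($sql, ':display_on_menu:', $display_on_menu, 'string');
    $db->Execute($sql);
}

/**
 * Remove one or more pages from the admin_pages table.
 *
 * @param string|array $pages a single page_key or a list of them; an empty
 *                            value deletes nothing
 * @return void
 */
function zen_deregister_admin_pages($pages)
{
    global $db;
    if (empty($pages)) {
        return;
    }
    if (is_array($pages)) {
        // Quote each key on its own so that a key containing a placeholder token
        // cannot be re-substituted by a later bind into the IN (...) list.
        $quoted = array();
        foreach ($pages as $page) {
            $quoted[] = $db->bindVars(':page_key:', ':page_key:', $page, 'string');
        }
        $sql = "DELETE FROM " . TABLE_ADMIN_PAGES . " WHERE page_key IN (" . implode(',', $quoted) . ")";
    } else {
        $sql = "DELETE FROM " . TABLE_ADMIN_PAGES . " WHERE page_key = :page_key:";
        $sql = $db->bindVars($sql, ':page_key:', $pages, 'string');
    }
    $db->Execute($sql);
}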