made a copy

[atutor.git] / admin / create_user.php

<?php\r
/************************************************************************/\r
/* ATutor                                                                                                                               */\r
/************************************************************************/\r
/* Copyright (c) 2002-2008 by Greg Gay, Joel Kronenberg & Heidi Hazelton*/\r
/* Adaptive Technology Resource Centre / University of Toronto                  */\r
/* http://atutor.ca                                                                                                             */\r
/*                                                                                                                                              */\r
/* This program is free software. You can redistribute it and/or                */\r
/* modify it under the terms of the GNU General Public License                  */\r
/* as published by the Free Software Foundation.                                                */\r
/************************************************************************/\r
// $Id$\r
\r
define('AT_INCLUDE_PATH', '../include/');\r
require(AT_INCLUDE_PATH.'vitals.inc.php');\r
admin_authenticate(AT_ADMIN_PRIV_USERS);\r
\r
if (isset($_POST['cancel'])) {\r
        header('Location: '.AT_BASE_HREF.'admin/users.php');\r
        exit;\r
}\r
\r
if (isset($_POST['submit'])) {\r
        $missing_fields = array();\r
\r
        //check if student id (public field) is already being used\r
        if (!$_POST['overwrite'] && !empty($_POST['student_id'])) {\r
                $result = mysql_query("SELECT * FROM ".TABLE_PREFIX."master_list WHERE public_field='$_POST[student_id]' && member_id<>0",$db);\r
                if (mysql_num_rows($result) != 0) {\r
                        $msg->addError('CREATE_MASTER_USED');\r
                }\r
        }\r
\r
        /* login name check */\r
        if ($_POST['login'] == '') {\r
                $missing_fields[] = _AT('login_name');\r
        } else {\r
                /* check for special characters */\r
                if (!(preg_match("/^[a-zA-Z0-9_.-]([a-zA-Z0-9_.-])*$/i", $_POST['login']))) {\r
                        $msg->addError('LOGIN_CHARS');\r
                } else {\r
                        $result = mysql_query("SELECT * FROM ".TABLE_PREFIX."members WHERE login='$_POST[login]'",$db);\r
                        if (mysql_num_rows($result) != 0) {\r
                                $valid = 'no';\r
                                $msg->addError('LOGIN_EXISTS');\r
                        }  else {\r
                                $result = mysql_query("SELECT * FROM ".TABLE_PREFIX."admins WHERE login='$_POST[login]'",$db);\r
                                if (mysql_num_rows($result) != 0) {\r
                                        $msg->addError('LOGIN_EXISTS');\r
                                }\r
                        }\r
                }\r
        }\r
\r
        /* password check:      */\r
        $_POST['password'] = $_POST['form_password_hidden'];\r
\r
        /* password check: password is verified front end by javascript. here is to handle the errors from javascript */\r
        if ($_POST['password_error'] <> "")\r
        {\r
                $pwd_errors = explode(",", $_POST['password_error']);\r
\r
                foreach ($pwd_errors as $pwd_error)\r
                {\r
                        if ($pwd_error == "missing_password")\r
                                $missing_fields[] = _AT('password');\r
                        else\r
                                $msg->addError($pwd_error);\r
                }\r
        }\r
\r
        /* email check */\r
        if ($_POST['email'] == '') {\r
                $missing_fields[] = _AT('email');\r
        } else if (!preg_match("/^[a-z0-9\._-]+@+[a-z0-9\._-]+\.+[a-z]{2,6}$/i", $_POST['email'])) {\r
                $msg->addError('EMAIL_INVALID');\r
        }\r
\r
        $_POST['email'] = $addslashes($_POST['email']);\r
        $result = mysql_query("SELECT member_id FROM ".TABLE_PREFIX."members WHERE email LIKE '$_POST[email]'",$db);\r
        if (mysql_num_rows($result) != 0) {\r
                $msg->addError('EMAIL_EXISTS');\r
        }\r
\r
        if (!$_POST['first_name']) {\r
                $missing_fields[] = _AT('first_name');\r
        }\r
\r
        if (!$_POST['last_name']) {\r
                $missing_fields[] = _AT('last_name');\r
        }\r
\r
        $_POST['first_name'] = str_replace('<', '', $_POST['first_name']);\r
        $_POST['second_name'] = str_replace('<', '', $_POST['second_name']);\r
        $_POST['last_name'] = str_replace('<', '', $_POST['last_name']);\r
\r
        // check if first+last is unique\r
        /*\r
         * http://www.atutor.ca/atutor/mantis/view.php?id=3760\r
        if ($_POST['first_name'] && $_POST['last_name']) {\r
                $first_name_sql  = $addslashes($_POST['first_name']);\r
                $last_name_sql   = $addslashes($_POST['last_name']);\r
                $second_name_sql = $addslashes($_POST['second_name']);\r
\r
                $sql = "SELECT member_id FROM ".TABLE_PREFIX."members WHERE first_name='$first_name_sql' AND second_name='$second_name_sql' AND last_name='$last_name_sql' LIMIT 1";\r
                $result = mysql_query($sql, $db);\r
                if (mysql_fetch_assoc($result)) {\r
                        $msg->addError('FIRST_LAST_NAME_UNIQUE');\r
                }\r
        }\r
        */\r
\r
\r
        $_POST['login'] = strtolower($_POST['login']);\r
\r
        //check date of birth\r
        $mo = intval($_POST['month']);\r
        $day = intval($_POST['day']);\r
        $yr = intval($_POST['year']);\r
\r
        /* let's us take (one or) two digit years (ex. 78 = 1978, 3 = 2003) */\r
        if ($yr < date('y')) { \r
                $yr += 2000; \r
        } else if ($yr < 1900) { \r
                $yr += 1900; \r
        } \r
\r
        $dob = $yr.'-'.$mo.'-'.$day;\r
\r
        if ($mo && $day && $yr && !checkdate($mo, $day, $yr)) { \r
                $msg->addError('DOB_INVALID');\r
        } else if (!$mo || !$day || !$yr) {\r
                $dob = '0000-00-00';\r
                $yr = $mo = $day = 0;\r
        }\r
\r
        if ($missing_fields) {\r
                $missing_fields = implode(', ', $missing_fields);\r
                $msg->addError(array('EMPTY_FIELDS', $missing_fields));\r
        }\r
\r
        if (!$msg->containsErrors()) {\r
                if (($_POST['website']) && (!strstr($_POST['website'], '://'))) { \r
                        $_POST['website'] = 'http://' . $_POST['website']; \r
                }\r
                if ($_POST['website'] == 'http://') { \r
                        $_POST['website'] = ''; \r
                }\r
                $_POST['postal'] = strtoupper(trim($_POST['postal']));\r
        \r
                if (isset($_POST['private_email'])) {\r
                        $_POST['private_email'] = 1;\r
                } else {\r
                        $_POST['private_email'] = 0;\r
                }\r
                $_POST['password']   = $addslashes($_POST['password']);\r
                $_POST['website']    = $addslashes($_POST['website']);\r
                $_POST['first_name'] = $addslashes($_POST['first_name']);\r
                $_POST['second_name']  = $addslashes($_POST['second_name']);\r
                $_POST['last_name']  = $addslashes($_POST['last_name']);\r
                $_POST['address']    = $addslashes($_POST['address']);\r
                $_POST['postal']     = $addslashes($_POST['postal']);\r
                $_POST['city']       = $addslashes($_POST['city']);\r
                $_POST['province']   = $addslashes($_POST['province']);\r
                $_POST['country']    = $addslashes($_POST['country']);\r
                $_POST['phone']      = $addslashes($_POST['phone']);\r
                $_POST['status']     = intval($_POST['status']);\r
                $_POST['gender']     = $addslashes($_POST['gender']);\r
\r
                $now = date('Y-m-d H:i:s'); // we use this later for the email confirmation.\r
\r
                /* insert into the db. (the last 0 for status) */\r
                $sql = "INSERT INTO ".TABLE_PREFIX."members VALUES (NULL,'$_POST[login]','$_POST[password]','$_POST[email]','$_POST[website]','$_POST[first_name]', '$_POST[second_name]', '$_POST[last_name]', '$dob', '$_POST[gender]', '$_POST[address]','$_POST[postal]','$_POST[city]','$_POST[province]','$_POST[country]', '$_POST[phone]',$_POST[status], '$_config[pref_defaults]', '$now','$_config[default_language]', $_config[pref_inbox_notify], $_POST[private_email], '0000-00-00 00:00:00')";\r
\r
                $result = mysql_query($sql, $db);\r
\r
                $m_id   = mysql_insert_id($db);\r
                if (!$result) {\r
                        require(AT_INCLUDE_PATH.'header.inc.php');\r
                        $msg->addError('DB_NOT_UPDATED');\r
                        $msg->printAll();\r
                        require(AT_INCLUDE_PATH.'footer.inc.php');\r
                        exit;\r
                }\r
\r
                if (defined('AT_MASTER_LIST') && AT_MASTER_LIST) {\r
                        $student_id  = $addslashes($_POST['student_id']);\r
                        $student_pin = md5($addslashes($_POST['student_pin']));\r
                        if ($student_id) {\r
                                $sql = "UPDATE ".TABLE_PREFIX."master_list SET member_id=$m_id WHERE public_field='$student_id'";\r
                                mysql_query($sql, $db);\r
                                if (mysql_affected_rows($db) == 0) {\r
                                        $sql = "REPLACE INTO ".TABLE_PREFIX."master_list VALUES ('$student_id', '$student_pin', $m_id)";\r
                                        mysql_query($sql, $db);\r
                                }\r
                        }\r
                }\r
\r
\r
                if ($_POST['pref'] == 'access') {\r
                        $_SESSION['member_id'] = $m_id;\r
                        save_prefs();\r
                        unset($_SESSION['member_id']);\r
                }\r
\r
\r
                require(AT_INCLUDE_PATH . 'classes/phpmailer/atutormailer.class.php');\r
                $mail = new ATutorMailer();\r
                $mail->AddAddress($_POST['email']);\r
                $mail->From    = $_config['contact_email'];\r
                \r
                if (defined('AT_EMAIL_CONFIRMATION') && AT_EMAIL_CONFIRMATION && ($_POST['status'] == AT_STATUS_UNCONFIRMED)) {\r
                        $code = substr(md5($_POST['email'] . $now . $m_id), 0, 10);\r
                        $confirmation_link = AT_BASE_HREF . 'confirm.php?id='.$m_id.SEP.'m='.$code;\r
\r
                        /* send the email confirmation message: */\r
                        $mail->Subject = $_config['site_name'] . ': ' . _AT('email_confirmation_subject');\r
                        $body .= _AT('admin_new_account_confirm', $_config['site_name'], $confirmation_link)."\n\n";\r
\r
                } else {\r
                        $mail->Subject = $_config['site_name'].": "._AT('account_information');\r
                        $body .= _AT('admin_new_account', $_config['site_name'])."\n\n";\r
                }\r
                $body .= _AT('web_site') .' : '.AT_BASE_HREF."\n";\r
                $body .= _AT('login_name') .' : '.$_POST['login'] . "\n";\r
//              $body .= _AT('password') .' : '.$_POST['password'] . "\n";\r
                $mail->Body    = $body;\r
                $mail->Send();\r
\r
                $msg->addFeedback('PROFILE_CREATED_ADMIN');\r
                header('Location: '.AT_BASE_HREF.'admin/users.php');\r
                exit;\r
        }\r
}\r
\r
$onload = 'document.form.login.focus();';\r
\r
$savant->assign('languageManager', $languageManager);\r
\r
if (!isset($_POST['status'])) {\r
        if (defined('AT_EMAIL_CONFIRMATION') && AT_EMAIL_CONFIRMATION) {\r
                $_POST['status'] = AT_STATUS_UNCONFIRMED;\r
        } else {\r
                $_POST['status'] = AT_STATUS_STUDENT;\r
        }\r
}\r
\r
$savant->display('registration.tmpl.php');\r
\r
?>