2 /****************************************************************/
4 /****************************************************************/
5 /* Copyright (c) 2002-2010 */
6 /* Inclusive Design Institute */
9 /* This program is free software. You can redistribute it and/or*/
10 /* modify it under the terms of the GNU General Public License */
11 /* as published by the Free Software Foundation. */
12 /****************************************************************/
// Page-level location marker consumed by the shared includes below
// (presumably selects the admin chrome — confirm in vitals.inc.php).
$_user_location = 'admin';

define('AT_INCLUDE_PATH', '../../../include/');
require AT_INCLUDE_PATH . 'vitals.inc.php';

// Gate the whole page on the admin "users" privilege before any request
// parameter is read.
admin_authenticate(AT_ADMIN_PRIV_USERS);
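/**
 * Sign a (timestamp, publicKey) pair so the approve link on this page can be
 * checked by at_verify_request() before any member row is changed.
 *
 * The key is never stored: it is HMAC-SHA256(last_login, password) of the
 * current admin's row, so it rotates on every login and is bound to that admin.
 * The signature is HMAC-SHA512 over a canonical "GET http/1.0\n" request string
 * listing the two parameters in fixed order.
 *
 * @param string $timestamp UTC time as produced by gmdate("Y-m-d\TH:i:s\Z")
 * @param string $publicKey random nonce generated when the page is rendered
 * @return string|false rawurlencoded base64 signature, or false when there is
 *                      no admin session or the admin row cannot be read
 */
function at_sign_request($timestamp, $publicKey) {
	global $db;

	// no session, no admin row to derive a key from
	if (!isset($_SESSION['login'])) {
		return false;
	}

	// The password column must be selected: the previous query fetched only
	// last_login, so $row['password'] was undefined and the HMAC key depended
	// on last_login alone. The login comes from the session but is escaped anyway.
	$login = mysql_real_escape_string($_SESSION['login'], $db);
	$sql = 'SELECT last_login, password FROM ' . TABLE_PREFIX . "admins WHERE login='$login'";
	$result = mysql_query($sql, $db);
	$row = $result ? mysql_fetch_assoc($result) : false;
	if (!$row) {
		return false;
	}
	// Unique often enough (rotates per login) yet bound to this admin only;
	// a dedicated key table would be the cleaner design.
	$privateKey = hash_hmac('sha256', $row['last_login'], $row['password']);

	// Canonical request: GET line, then each parameter in fixed order, one per
	// line. at_verify_request() must rebuild byte-for-byte the same string.
	$canonicalArray = array(
		'publicKey' => $publicKey,
		'timestamp' => $timestamp,
	);
	$str = "GET http/1.0\n";
	foreach ($canonicalArray as $k => $v) {
		$str .= "$k=" . rawurlencode($v) . "\n";
	}

	$hmacSignature = base64_encode(hash_hmac('sha512', $str, $privateKey, true));
	return rawurlencode($hmacSignature);
}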
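/**
 * Verify the auth token carried by an approve link issued by at_sign_request().
 *
 * The token is accepted only if every parameter is present, the timestamp is
 * parseable and not older than $maxAge seconds, and the HMAC-SHA512 over the
 * canonical "GET http/1.0\n" string (publicKey then timestamp), recomputed with
 * the current admin's key, matches the supplied signature.
 *
 * @param string $signature  rawurlencoded base64 HMAC, usually $_GET['auth_token']
 * @param string $timestamp  UTC time as produced by gmdate("Y-m-d\TH:i:s\Z")
 * @param string $publicKey  nonce that was signed together with the timestamp
 * @param int    $maxAge     token lifetime in seconds; defaults to the original
 *                           36000 (ten hours). NOTE(review): the original comment
 *                           said "10mins" (600) — confirm the intended window
 *                           before changing the default.
 * @return bool true only for a complete, unexpired, correctly signed token
 */
function at_verify_request($signature, $timestamp, $publicKey, $maxAge = 36000) {
	global $db;

	// missing or empty parameters can never form a valid token
	if ((string) $signature === '' || (string) $timestamp === '' || (string) $publicKey === '') {
		return false;
	}
	// same guard as at_sign_request(): without a session there is no key
	if (!isset($_SESSION['login'])) {
		return false;
	}

	// Reject expired or unparseable timestamps before touching the database.
	$issuedAt = strtotime($timestamp);
	if ($issuedAt === false || (time() - $issuedAt) > $maxAge) {
		return false;
	}

	// Derive the same key as at_sign_request(). The password column must be
	// selected: the previous query fetched only last_login, so the key
	// depended on last_login alone.
	$login = mysql_real_escape_string($_SESSION['login'], $db);
	$sql = 'SELECT last_login, password FROM ' . TABLE_PREFIX . "admins WHERE login='$login'";
	$result = mysql_query($sql, $db);
	$row = $result ? mysql_fetch_assoc($result) : false;
	if (!$row) {
		return false;
	}
	$privateKey = hash_hmac('sha256', $row['last_login'], $row['password']);

	// Rebuild the canonical string exactly as the signer did.
	$canonicalArray = array(
		'publicKey' => $publicKey,
		'timestamp' => $timestamp,
	);
	$str = "GET http/1.0\n";
	foreach ($canonicalArray as $k => $v) {
		$str .= "$k=" . rawurlencode($v) . "\n";
	}
	$expected = base64_encode(hash_hmac('sha512', $str, $privateKey, true));
	$given = rawurldecode($signature);

	// Constant-time comparison so the check does not leak how many leading
	// bytes of a guessed signature were right; hash_equals() exists from PHP 5.6.
	if (function_exists('hash_equals')) {
		return hash_equals($expected, $given);
	}
	if (strlen($expected) !== strlen($given)) {
		return false;
	}
	$diff = 0;
	for ($i = 0, $n = strlen($expected); $i < $n; $i++) {
		$diff |= ord($expected[$i]) ^ ord($given[$i]);
	}
	return $diff === 0;
}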
// NOTE(review): the gutter numbers in this listing skip (e.g. 94 -> 97, 107 -> 111),
// so blank lines and several statements (closing braces, exits, the mail Send()
// condition) are missing from the rendering and are not reconstructed here.
//
// Request dispatch: deny -> redirect to admin_deny.php; approve -> token check,
// then promote the member and e-mail them; otherwise render the pending list.
93 if (isset($_GET['deny']) && isset($_GET['id'])) {
// NOTE(review): the deny path performs no at_verify_request() check, unlike the
// approve path below, and passes the raw $_GET['id'] into the redirect URL
// while the DELETE below applies intval() — consider the same token check here.
94 header('Location: admin_deny.php?id='.$_GET['id']);
// NOTE(review): this DELETE follows a redirect; the lines between are missing
// from the listing, so whether an exit precedes it cannot be confirmed here.
97 $sql = 'DELETE FROM '.TABLE_PREFIX.'instructor_approvals WHERE member_id='.intval($_GET['id']);
98 $result = mysql_query($sql, $db);
100 write_to_log(AT_ADMIN_LOG_DELETE, 'instructor_approvals', mysql_affected_rows($db), $sql);
103 } else if (isset($_GET['approve']) && isset($_GET['id'])) {
// The signed token must verify before any row is touched. The three auth_*
// parameters are read without isset(), so a link missing them raises notices
// before failing verification (at_verify_request() treats empty values as invalid).
104 //verify token first.
105 if (!at_verify_request($_GET['auth_token'], $_GET['auth_timestamp'], $_GET['auth_publicKey'])) {
106 $msg->addError('INVALID_AUTH_REQUEST');
// presumably followed by an exit (dropped from the listing) — confirm
107 header('Location: instructor_requests.php');
// intval() here is what makes the interpolated $id safe in the queries below
111 $id = intval($_GET['id']);
113 $sql = 'DELETE FROM '.TABLE_PREFIX.'instructor_approvals WHERE member_id='.$id;
114 $result = mysql_query($sql, $db);
116 write_to_log(AT_ADMIN_LOG_DELETE, 'instructor_approvals', mysql_affected_rows($db), $sql);
// creation_date=creation_date, last_login=last_login: presumably keeps those
// columns from being auto-updated by the database on this UPDATE — confirm
// against the members table definition.
118 $sql = 'UPDATE '.TABLE_PREFIX.'members SET status='.AT_STATUS_INSTRUCTOR.', creation_date=creation_date, last_login=last_login WHERE member_id='.$id;
119 $result = mysql_query($sql, $db);
121 write_to_log(AT_ADMIN_LOG_UPDATE, 'members', mysql_affected_rows($db), $sql);
123 /* notify the users that they have been approved: */
124 $sql = "SELECT email, first_name, last_name FROM ".TABLE_PREFIX."members WHERE member_id=$id";
125 $result = mysql_query($sql, $db);
126 if ($row = mysql_fetch_assoc($result)) {
127 $to_email = $row['email'];
// greeting line only when a name is on file; the else side (if any) is
// missing from the listing
129 if ($row['first_name']!="" || $row['last_name']!="") {
130 $tmp_message = $row['first_name'].' '.$row['last_name'].",\n\n";
132 $tmp_message .= _AT('instructor_request_reply', AT_BASE_HREF);
134 if ($to_email != '') {
135 require(AT_INCLUDE_PATH . 'classes/phpmailer/atutormailer.class.php');
137 $mail = new ATutorMailer;
139 $mail->From = $_config['contact_email'];
140 $mail->AddAddress($to_email);
141 $mail->Subject = _AT('instructor_request');
142 $mail->Body = $tmp_message;
// the condition guarding this error branch (the Send() call) is missing from
// the listing; a failed send is reported to the admin, not fatal
145 //echo 'There was an error sending the message';
146 $msg->addError('SENDING_ERROR');
153 $msg->addFeedback('PROFILE_UPDATED_ADMIN');
// NOTE(review): $_GET['submit'] is read without isset() and raises a notice
// whenever a query string without it reaches this branch
154 } else if (!empty($_GET) && !$_GET['submit']) {
155 $msg->addError('NO_ITEM_SELECTED');
158 /* Authentication info */
// Inputs that at_sign_request() signs for each approve link; they are not
// assigned to $savant here, so the template presumably reaches them as
// globals — confirm. NOTE(review): mt_rand() is not a cryptographic RNG; the
// nonce is only bound into the HMAC, so forgery still needs the key, but a
// CSPRNG source would be preferable.
159 $timestamp = gmdate("Y-m-d\TH:i:s\Z");
160 $publicKey = hash('sha256', mt_rand());
162 require(AT_INCLUDE_PATH.'header.inc.php');
// pending requests joined with the member record, handed to the template
// as the raw result resource plus its row count
164 $sql = "SELECT M.login, M.first_name, M.last_name, M.email, M.member_id, A.* FROM ".TABLE_PREFIX."members M, ".TABLE_PREFIX."instructor_approvals A WHERE A.member_id=M.member_id ORDER BY M.login";
165 $result = mysql_query($sql, $db);
166 $num_pending = mysql_num_rows($result);
168 $savant->assign('result', $result);
169 $savant->assign('num_pending', $num_pending);
170 $savant->display('admin/users/instructor_requests.tmpl.php');
172 require(AT_INCLUDE_PATH.'footer.inc.php');