move code up one directory

[atutor.git] / mods / _core / users / edit_user.php

<?php\r
/************************************************************************/\r
/* ATutor                                                                                                                               */\r
/************************************************************************/\r
/* Copyright (c) 2002-2010                                              */\r
/* Inclusive Design Institute                                           */\r
/* http://atutor.ca                                                                                                             */\r
/*                                                                                                                                              */\r
/* This program is free software. You can redistribute it and/or        */\r
/* modify it under the terms of the GNU General Public License          */\r
/* as published by the Free Software Foundation.                        */\r
/************************************************************************/\r
// $Id$\r
\r
define('AT_INCLUDE_PATH', '../../../include/');\r
require(AT_INCLUDE_PATH.'vitals.inc.php');\r
admin_authenticate(AT_ADMIN_PRIV_USERS);\r
\r
if (isset($_POST['cancel'])) {\r
        if (isset($_POST['ml']) && $_REQUEST['ml']) {\r
                header('Location: '.AT_BASE_HREF.'mods/_core/users/master_list.php');\r
        } else {\r
                header('Location: '.AT_BASE_HREF.'mods/_core/users/users.php');\r
        }\r
        exit;\r
}\r
\r
if (isset($_POST['submit'])) {\r
        $missing_fields = array();\r
\r
        $id = intval($_POST['id']);\r
        //$_POST['password']   = $addslashes($_POST['password']);\r
    $_POST['website']    = $addslashes($_POST['website']);\r
    $_POST['first_name'] = $addslashes($_POST['first_name']);\r
    $_POST['second_name'] = $addslashes($_POST['second_name']);\r
    $_POST['last_name']  = $addslashes($_POST['last_name']);\r
    $_POST['address']    = $addslashes($_POST['address']);\r
    $_POST['postal']     = $addslashes($_POST['postal']);\r
    $_POST['city']       = $addslashes($_POST['city']);\r
    $_POST['province']   = $addslashes($_POST['province']);\r
    $_POST['country']    = $addslashes($_POST['country']);\r
    $_POST['phone']      = $addslashes($_POST['phone']);\r
    $_POST['status']     = intval($_POST['status']);\r
    $_POST['old_status']     = intval($_POST['old_status']);\r
    $_POST['gender']     = $addslashes($_POST['gender']);\r
    $_POST['student_id'] = intval($_POST['student_id']);\r
    $_POST['email']      = $addslashes($_POST['email']);\r
\r
        //check if student id (public field) is already being used\r
        if (!$_POST['overwrite'] && !empty($_POST['student_id'])) {\r
                $result = mysql_query("SELECT public_field FROM ".TABLE_PREFIX."master_list WHERE public_field='$_POST[student_id]' AND member_id<>0 AND member_id<>$id",$db);\r
                if (mysql_num_rows($result) != 0) {\r
                        $msg->addError('CREATE_MASTER_USED');\r
                }\r
        }\r
\r
        /* email check */\r
        if ($_POST['email'] == '') {\r
                $missing_fields[] = _AT('email');\r
        } else if (!preg_match("/^[a-z0-9\._-]+@+[a-z0-9\._-]+\.+[a-z]{2,6}$/i", $_POST['email'])) {\r
                $msg->addError('EMAIL_INVALID');\r
        }\r
        $result = mysql_query("SELECT * FROM ".TABLE_PREFIX."members WHERE email LIKE '$_POST[email]' AND member_id <> $id",$db);\r
\r
        if (mysql_num_rows($result) != 0) {\r
                $valid = 'no';\r
                $msg->addError('EMAIL_EXISTS');\r
        }\r
\r
        if (!$_POST['first_name']) { \r
                $missing_fields[] = _AT('first_name');\r
        }\r
\r
        if (!$_POST['last_name']) { \r
                $missing_fields[] = _AT('last_name');\r
        }\r
\r
        $_POST['first_name'] = str_replace('<', '', $_POST['first_name']);\r
        $_POST['second_name'] = str_replace('<', '', $_POST['second_name']);\r
        $_POST['last_name'] = str_replace('<', '', $_POST['last_name']);\r
\r
        // check if first+last is unique\r
        /*\r
         * http://www.atutor.ca/atutor/mantis/view.php?id=3760\r
        if ($_POST['first_name'] && $_POST['last_name']) {\r
                $first_name_sql  = $addslashes($_POST['first_name']);\r
                $last_name_sql   = $addslashes($_POST['last_name']);\r
                $second_name_sql = $addslashes($_POST['second_name']);\r
\r
                $sql = "SELECT member_id FROM ".TABLE_PREFIX."members WHERE first_name='$first_name_sql' AND second_name='$second_name_sql' AND last_name='$last_name_sql' AND member_id<>$id LIMIT 1";\r
                $result = mysql_query($sql, $db);\r
                if (mysql_fetch_assoc($result)) {\r
                        $msg->addError('FIRST_LAST_NAME_UNIQUE');\r
                }\r
        }\r
        */\r
\r
        \r
        //check date of birth\r
        $mo = intval($_POST['month']);\r
        $day = intval($_POST['day']);\r
        $yr = intval($_POST['year']);\r
\r
        /* let's us take (one or) two digit years (ex. 78 = 1978, 3 = 2003) */\r
        if ($yr < date('y')) { \r
                $yr += 2000; \r
        } else if ($yr < 1900) { \r
                $yr += 1900; \r
        } \r
\r
        $dob = $yr.'-'.$mo.'-'.$day;\r
\r
        if ($mo && $day && $yr && !checkdate($mo, $day, $yr)) { \r
                $msg->addError('DOB_INVALID');\r
        } else if (!$mo || !$day || !$yr) {\r
                $dob = '0000-00-00';\r
                $yr = $mo = $day = 0;\r
        }\r
\r
\r
        if ($missing_fields) {\r
                $missing_fields = implode(', ', $missing_fields);\r
                $msg->addError(array('EMPTY_FIELDS', $missing_fields));\r
        }\r
\r
        if (!$msg->containsErrors()) {\r
                if (isset($_POST['profile_pic_delete'])) {\r
                        profile_image_delete($id);\r
                }\r
                if (($_POST['website']) && (!strstr($_POST['website'], "://"))) { \r
                        $_POST['website'] = "http://".$_POST['website']; \r
                }\r
                if ($_POST['website'] == 'http://') { \r
                        $_POST['website'] = ''; \r
                }\r
                $_POST['postal'] = strtoupper(trim($_POST['postal']));\r
\r
                if (isset($_POST['private_email'])) {\r
                        $_POST['private_email'] = 1;\r
                } else {\r
                        $_POST['private_email'] = 0;\r
                }\r
\r
                /* insert into the db. (the last 0 for status) */\r
                $sql = "UPDATE ".TABLE_PREFIX."members SET      email      = '$_POST[email]',\r
                                                                                                        website    = '$_POST[website]',\r
                                                                                                        first_name = '$_POST[first_name]',\r
                                                                                                        second_name= '$_POST[second_name]',\r
                                                                                                        last_name  = '$_POST[last_name]', \r
                                                                                                        dob      = '$dob',\r
                                                                                                        gender   = '$_POST[gender]', \r
                                                                                                        address  = '$_POST[address]',\r
                                                                                                        postal   = '$_POST[postal]',\r
                                                                                                        city     = '$_POST[city]',\r
                                                                                                        province = '$_POST[province]',\r
                                                                                                        country  = '$_POST[country]', \r
                                                                                                        phone    = '$_POST[phone]',\r
                                                                                                        status   = $_POST[status],\r
                                                                                                        language = '$_SESSION[lang]', \r
                                                                                                        private_email = $_POST[private_email],\r
                                                                                                        creation_date=creation_date,\r
                                                                                                        last_login=last_login\r
                                WHERE member_id = $id";\r
                $result = mysql_query($sql, $db);\r
                if (!$result) {\r
                        require(AT_INCLUDE_PATH.'header.inc.php');\r
                        $msg->addError('DB_NOT_UPDATED');\r
                        $msg->printAll();\r
                        require(AT_INCLUDE_PATH.'footer.inc.php');\r
                        exit;\r
                }\r
\r
\r
                if (defined('AT_MASTER_LIST') && AT_MASTER_LIST) {\r
                        $_POST['student_id'] = $addslashes($_POST['student_id']);\r
                        $student_pin = sha1($addslashes($_POST['student_pin']));\r
\r
                        //if changed, delete old stud id\r
                        if (!empty($_POST['old_student_id']) && $_POST['old_student_id'] != $_POST['student_id']) {\r
                                $sql = "DELETE FROM ".TABLE_PREFIX."master_list WHERE public_field=".$_POST['old_student_id']." AND member_id=$id";\r
                                $result = mysql_query($sql, $db);\r
                        }\r
                        //if new is set\r
                        if (!empty($_POST['student_id']) && $_POST['old_student_id'] != $_POST['student_id']) {\r
                                $sql = "REPLACE INTO ".TABLE_PREFIX."master_list VALUES ('$_POST[student_id]', '', $id)";\r
                                $result = mysql_query($sql, $db);\r
                        }\r
                }\r
\r
\r
                if (defined('AT_EMAIL_CONFIRMATION') && AT_EMAIL_CONFIRMATION && ($_POST['status'] == AT_STATUS_UNCONFIRMED) && ($_POST['old_status'] != AT_STATUS_UNCONFIRMED)) {\r
\r
                        $sql    = "SELECT email, creation_date FROM ".TABLE_PREFIX."members WHERE member_id=$id";\r
                        $result = mysql_query($sql, $db);\r
                        $row    = mysql_fetch_assoc($result);\r
\r
                        $code = substr(md5($row['email'] . $row['creation_date']. $id), 0, 10);\r
                        $confirmation_link = AT_BASE_HREF . 'confirm.php?id='.$id.SEP.'m='.$code;\r
\r
                        /* send the email confirmation message: */\r
                        require(AT_INCLUDE_PATH . 'classes/phpmailer/atutormailer.class.php');\r
                        $mail = new ATutorMailer();\r
\r
                        $mail->AddAddress($row['email']);\r
                        $mail->From    = $_config['contact_email'];\r
                        $mail->Subject = $_config['site_name'] . ' - ' . _AT('email_confirmation_subject');\r
                        $mail->Body    = _AT('email_confirmation_message', $_config['site_name'], $confirmation_link);\r
\r
                        $mail->Send();\r
                }\r
\r
                $msg->addFeedback('PROFILE_UPDATED_ADMIN');\r
                if (isset($_POST['ml']) && $_REQUEST['ml']) {\r
                        header('Location: '.AT_BASE_HREF.'mods/_core/users/master_list.php');\r
                } else {\r
                        header('Location: '.AT_BASE_HREF.'mods/_core/users/users.php');\r
                }\r
                exit;\r
        }\r
}\r
\r
$id = intval($_REQUEST['id']);\r
\r
if (empty($_POST)) {\r
        $sql    = "SELECT * FROM ".TABLE_PREFIX."members WHERE member_id = $id";\r
        $result = mysql_query($sql, $db);\r
        if (!($row = mysql_fetch_assoc($result))) {\r
                require(AT_INCLUDE_PATH.'header.inc.php');      \r
                $msg->addError('USER_NOT_FOUND');       \r
                $msg->printAll();\r
                require(AT_INCLUDE_PATH.'footer.inc.php'); \r
                exit;\r
        }\r
        \r
        $_POST  = $row;\r
        list($_POST['year'],$_POST['month'],$_POST['day']) = explode('-', $row['dob']);\r
        //$_POST['password2']  = $_POST['password'];\r
        $_POST['old_status'] = $_POST['status'];\r
\r
        if (admin_authenticate(AT_ADMIN_PRIV_USERS, TRUE) && defined('AT_MASTER_LIST') && AT_MASTER_LIST) {\r
                $sql    = "SELECT public_field FROM ".TABLE_PREFIX."master_list WHERE member_id=$id";\r
                $result = mysql_query($sql, $db);\r
                if ($row = mysql_fetch_assoc($result)) {\r
                        $_POST['old_student_id'] = $row['public_field'];\r
                        $_POST['student_id'] = $row['public_field'];\r
                }\r
        }\r
}\r
\r
$savant->assign('languageManager', $languageManager);\r
\r
if (isset($_REQUEST['ml']) && $_REQUEST['ml']) {\r
        // redirect back to the master list\r
        $savant->assign('ml', 1);\r
} else {\r
        $savant->assign('ml', 0);\r
}\r
\r
\r
/* HAVE TO SEND MEMBER_ID THROUGH FORM AS A HIDDEN POST VARIABLE!!! */\r
/* PUT IN IF LOOP THAT LETS YOU SEE STATUS RADIO BUTTONS */\r
$savant->assign('no_captcha', true);\r
$savant->display('registration.tmpl.php');\r
\r
?>\r