Closed hole when using userid information from form data (merged from STABLE)
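<?PHP // $Id$

/// user/edit.php - view and save a user's profile.
///
/// Flow: resolve the target user ($id) and course ($course) from the request,
/// enforce that the editor is that user or an admin, then either store a
/// submitted form (and redirect) or print the edit form (edit.html).
///
/// Fixes folded into this revision of the page:
///  - $strusers was never assigned before being used in the admin breadcrumb,
///    so that link had empty text; it is now fetched like the other strings.
///  - the unused $timenow local is gone.
///  - $usernew->url is tested with !empty() so a form without that field does
///    not raise a notice.

    require_once("../config.php");
    require_once("$CFG->libdir/gdlib.php");

    optional_variable($id);       // user id (request parameter; empty when absent)
    optional_variable($course);   // course id

/// Both ids come from the request, so each is re-read from the database
/// before anything else relies on it.
    if (empty($id)) {         // See your own profile by default
        require_login();
        $id = $USER->id;
    }

    if (empty($course)) {     // See it at site level by default
        $course = SITEID;
    }

    if (! $user = get_record("user", "id", $id)) {
        error("User ID was incorrect");
    }

    if (! $course = get_record("course", "id", $course)) {
        error("Course ID was incorrect");
    }

    if ($user->confirmed and user_not_fully_set_up($user)) {
        // Special case which can only occur when a new account
        // has just been created by EXTERNAL authentication
        // This is the only page in Moodle that has the exception
        // so that users can set up their accounts
        $newaccount  = true;

        // No require_login() on this path, so the session user must already exist.
        if (empty($USER)) {
            error("Sessions don't seem to be working on this server!");
        }

    } else {
        $newaccount  = false;
        require_login($course->id);
    }

/// Access control: only the user themselves or an admin may edit this record,
/// and the guest account is excluded both as editor and as target.
    if (($USER->id <> $user->id) && !isadmin()) {
        error("You can only edit your own information");
    }

    if (isguest()) {
        error("The guest user cannot edit their profile.");
    }

    if (isguest($user->id)) {
        error("Sorry, the guest user cannot be edited.");
    }

    // load the relevant auth libraries
    // ($user->auth comes from the stored record, not from the request, and
    // falls back to the manual module when no matching lib.php exists)
    if ($user->auth) { 
        $auth = $user->auth;
        if (!file_exists("$CFG->dirroot/auth/$auth/lib.php")) {
            $auth = "manual";    // Can't find auth module, default to internal
        }
        require_once("$CFG->dirroot/auth/$auth/lib.php");
    }

    
/// If data submitted, then process and store.

    if ($usernew = data_submitted()) {

        // The id carried inside the form is the record that update_record()
        // below will write, so it is checked against the session user on its
        // own, independently of the $id taken from the URL.
        // NOTE(review): for admins this check is skipped, so $usernew->id and
        // $user->id (URL) are not guaranteed to agree; update_record() keys on
        // the former while set_field()/preferences/log use the latter - confirm
        // edit.html always posts the loaded user's id.
        if (($USER->id <> $usernew->id) && !isadmin()) {
            error("You can only edit your own information");
        }

        if (isset($USER->username)) {
            check_for_restricted_user($USER->username, "$CFG->wwwroot/course/view.php?id=$course->id");
        }

        // Every submitted value is cleaned and re-slashed for the DB layer.
        // Whatever keys the form sends end up in the record written below;
        // only fields with an auth_user_<field>_editlock setting are rejected
        // for non-admins (see find_form_errors).
        foreach ($usernew as $key => $data) {
            $usernew->$key = addslashes(clean_text(stripslashes($usernew->$key), FORMAT_MOODLE));
        }

        $usernew->firstname = trim(strip_tags($usernew->firstname));
        $usernew->lastname  = trim(strip_tags($usernew->lastname));

        if (isset($usernew->username)) {
            $usernew->username = trim(moodle_strtolower($usernew->username));
        }

        require_once($CFG->dirroot.'/lib/uploadlib.php');
        $um = new upload_manager('imagefile',false,false,null,false,0,true,true);

        if (find_form_errors($user, $usernew, $err, $um)) {
            // Validation failed: keep a successfully uploaded picture (or honour
            // a delete request), then redisplay the form with the submitted data.
            if (empty($err['imagefile']) && $usernew->picture = save_profile_image($user->id, $um,'users')) {
                set_field('user', 'picture', $usernew->picture, 'id', $user->id);  /// Note picture in DB
            } else {
                if (!empty($usernew->deletepicture)) {
                    set_field('user', 'picture', 0, 'id', $user->id);  /// Delete picture
                    $usernew->picture = 0;
                }
            }

            $user = $usernew;

        } else {

            // No new upload: either delete the stored picture or keep it.
            if (!$usernew->picture = save_profile_image($user->id,$um,'users')) {
                if (!empty($usernew->deletepicture)) {
                    set_field('user', 'picture', 0, 'id', $user->id);  /// Delete picture
                    $usernew->picture = 0;
                } else {
                    $usernew->picture = $user->picture;
                }
            }

            $usernew->timemodified = time();

            // Only admins may set a password through this form.
            if (isadmin()) {
                if (!empty($usernew->newpassword)) {
                    // Stored as an unsalted md5 hash - the scheme this version uses.
                    $usernew->password = md5($usernew->newpassword);
                    // update external passwords
                    if (!empty($CFG->{'auth_'. $user->auth.'_stdchangepassword'})) {
                        if (function_exists('auth_user_update_password')){
                            if (!auth_user_update_password($user->username, $usernew->newpassword)){
                                error('Failed to update password on external auth: ' . $user->auth .
                                        '. See the server logs for more details.');
                            }
                        } else {
                            error('Your external authentication module is misconfigued!'); 
                        }
                    }
                }
                // store forcepasswordchange in user's preferences
                if (!empty($usernew->forcepasswordchange)){
                    set_user_preference('auth_forcepasswordchange', 1, $user->id);
                } else {
                    unset_user_preference('auth_forcepasswordchange', $user->id);
                }
            } else {
                if (isset($usernew->newpassword)) {
                    error("You can not change the password like that");
                }
            }
            // Prefix a bare URL with a scheme; !empty() so a form without the
            // field does not raise a notice.
            if (!empty($usernew->url) and substr($usernew->url, 0, 4) != "http") {
                $usernew->url = "http://".$usernew->url;
            }

            if (update_record("user", $usernew)) {
                if (function_exists("auth_user_update")){ 
                    auth_user_update($user, $usernew);
                }
                add_to_log($course->id, "user", "update", "view.php?id=$user->id&course=$course->id", "");

                if ($user->id == $USER->id) {
                    // Copy data into $USER session variable
                    // NOTE(review): this copies every submitted key, including
                    // transient form fields such as newpassword when an admin
                    // edits their own account - confirm that is intended.
                    $usernew = (array)$usernew;
                    foreach ($usernew as $variable => $value) {
                        $USER->$variable = stripslashes($value);
                    }
                    if (isset($USER->newadminuser)) {
                        unset($USER->newadminuser);
                        redirect("$CFG->wwwroot/", get_string("changessaved"));
                    }
                    redirect("$CFG->wwwroot/user/view.php?id=$user->id&course=$course->id", get_string("changessaved"));
                } else {
                    redirect("$CFG->wwwroot/$CFG->admin/user.php", get_string("changessaved"));
                }
            } else {
                error("Could not update the user record ($user->id)");
            }
        }
    }

/// Otherwise fill and print the form.

    $streditmyprofile = get_string("editmyprofile");
    $strparticipants = get_string("participants");
    $strnewuser = get_string("newuser");

    // Existing account (or the external-auth setup case): course-aware header.
    if (($user->firstname and $user->lastname) or $newaccount) {
        if ($newaccount) {
            $userfullname = $strnewuser;
        } else {
            $userfullname = fullname($user, isteacher($course->id));
        }
        if ($course->category) {
            print_header("$course->shortname: $streditmyprofile", "$course->fullname: $streditmyprofile",
                        "<a href=\"$CFG->wwwroot/course/view.php?id=$course->id\">$course->shortname</a>
                        -> <a href=\"index.php?id=$course->id\">$strparticipants</a>
                        -> <a href=\"view.php?id=$user->id&amp;course=$course->id\">$userfullname</a>
                        -> $streditmyprofile", "");
        } else {
            if (isset($USER->newadminuser)) {
                print_header();
            } else {
                print_header("$course->shortname: $streditmyprofile", "$course->fullname",
                             "<a href=\"view.php?id=$user->id&amp;course=$course->id\">$userfullname</a>
                              -> $streditmyprofile", "");
            }
        }
    } else {
        // Brand-new account being filled in from the admin "add user" page.
        $userfullname = $strnewuser;
        $straddnewuser = get_string("addnewuser");
        $strusers = get_string("users");

        $stradministration = get_string("administration");
        print_header("$course->shortname: $streditmyprofile", "$course->fullname",
                     "<a href=\"$CFG->wwwroot/$CFG->admin/\">$stradministration</a> -> ".
                     "<a href=\"$CFG->wwwroot/$CFG->admin/users.php\">$strusers</a> -> $straddnewuser", "");
    }

    // $teacheronly is picked up by edit.html (included below).
    $teacher = strtolower($course->teacher);
    if (!isadmin()) {
        $teacheronly = "(".get_string("teacheronly", "", $teacher).")";
    } else {
        $teacheronly = "";
    }

    print_heading( get_string("userprofilefor", "", "$userfullname") );

    if (isset($USER->newadminuser)) {
        print_simple_box(get_string("configintroadmin"), "center", "50%");
        echo "<br />";
    }

    print_simple_box_start("center", "", "$THEME->cellheading");

    if (!empty($err)) {
        echo "<center>";
        notify(get_string("someerrorswerefound"));
        echo "</center>";
    }

    include("edit.html");

    if (!isadmin()) {      /// Lock all the locked fields using Javascript
        // Client-side convenience only; the authoritative check is the
        // editlock comparison in find_form_errors().  Field names come from
        // get_user_fieldnames(), not from the request.
        $fields = get_user_fieldnames();

        echo '<script type="text/javascript">'."\n";
        echo '<!--'."\n";

        foreach ($fields as $field) {
            $configvariable = 'auth_user_'.$field.'_editlock';
            if (!empty($CFG->$configvariable)) {
                echo "eval('document.form.$field.disabled=true');\n";
            }
        }

        echo '-->'."\n";
        echo '</script>'."\n";
    }

    print_simple_box_end();

    if (!isset($USER->newadminuser)) {
        print_footer($course);
    }

    exit;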
261 /// FUNCTIONS ////////////////////
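function find_form_errors(&$user, &$usernew, &$err, &$um) {
/// Validates the submitted profile data in $usernew against the stored record
/// $user and collects one message per failing field in $err (field => message).
///
/// Returns the number of errors found; a non-zero result means the form must be
/// redisplayed.  Side effects: $um->preprocess_files() is run here (a failure
/// becomes $err['imagefile']) and $user->email is overwritten with the submitted
/// address so the redisplayed form shows what was typed.
///
/// Admin-only checks (username, password) run first; the required-field,
/// e-mail and locked-field checks apply to everyone.
    global $CFG;

    // The caller passes an undeclared variable by reference, so $err arrives as
    // null; normalise it to an array so the count() at the end is always valid.
    if (!is_array($err)) {
        $err = array();
    }

    if (isadmin()) {
        if (empty($usernew->username)) {
            $err["username"] = get_string("missingusername");

        } else if (record_exists("user", "username", $usernew->username) and $user->username == "changeme") {
            // The duplicate check only fires for the "changeme" placeholder a
            // freshly created account starts with; renaming an existing user
            // onto a taken username is not caught here.
            $err["username"] = get_string("usernameexists");

        } else {
            if (empty($CFG->extendedusernamechars)) {
                // Strip everything outside the permitted set and compare: any
                // difference means a disallowed character was present.
                // NOTE: eregi_replace() was removed in PHP 7; a PCRE equivalent
                // is needed before this runs on a modern interpreter.
                $stripped = eregi_replace("[^(-\.[:alnum:])]", "", $usernew->username);
                if (strcmp($usernew->username, $stripped)) {
                    $err["username"] = get_string("alphanumerical");
                }
            }
        }

        // A password is mandatory only for internally authenticated accounts
        // that have none stored yet.
        if (empty($usernew->newpassword) and empty($user->password) and is_internal_auth()) {
            $err["newpassword"] = get_string("missingpassword");
        }

        // Reject the well-known default password, whether freshly typed or still
        // stored (md5 is the hash this version keeps).  The isset() guard avoids a
        // notice when no password field was submitted.
        if ((isset($usernew->newpassword) and $usernew->newpassword == "admin")
            or ($user->password == md5("admin") and empty($usernew->newpassword))) {
            $err["newpassword"] = get_string("unsafepassword");
        }
    }

    // Required fields for every editor.
    if (empty($usernew->email)) {
        $err["email"] = get_string("missingemail");
    }
    if (empty($usernew->description) and !isadmin()) {
        $err["description"] = get_string("missingdescription");
    }
    if (empty($usernew->city)) {
        $err["city"] = get_string("missingcity");
    }
    if (empty($usernew->firstname)) {
        $err["firstname"] = get_string("missingfirstname");
    }
    if (empty($usernew->lastname)) {
        $err["lastname"] = get_string("missinglastname");
    }
    if (empty($usernew->country)) {
        $err["country"] = get_string("missingcountry");
    }

    // The e-mail must be well formed and must not belong to a different account.
    if (! validate_email($usernew->email)) {
        $err["email"] = get_string("invalidemail");

    } else if ($otheruser = get_record("user", "email", $usernew->email)) {
        if ($otheruser->id <> $user->id) {
            $err["email"] = get_string("emailexists");
        }
    }

    // Site-wide allowed/denied e-mail policy applies to non-admins only.
    if (empty($err["email"]) and !isadmin()) {
        if ($error = email_is_not_allowed($usernew->email)) {
            $err["email"] = $error;
        }
    }

    if (!$um->preprocess_files()) {
        $err['imagefile'] = $um->notify;
    }

    if (!isadmin()) {      /// Make sure that locked fields are not being edited
        // Server-side counterpart of the JavaScript disabling done in edit.php:
        // any field with auth_user_<field>_editlock set must arrive unchanged.
        // NOTE(review): the strict !== compares the DB value with the submitted
        // one, which the caller has addslashes()'d and which is always a string;
        // a locked field holding a quote or a non-string type may therefore be
        // reported as edited even when untouched - confirm against
        // get_user_fieldnames().
        $fields = get_user_fieldnames();

        foreach ($fields as $field) {
            $configvariable = 'auth_user_'.$field.'_editlock';
            if (!empty($CFG->$configvariable)) {
                if ($user->$field !== $usernew->$field) {
                    $err[$field] = get_string("editlock");
                }
            }
        }
    }

    $user->email = $usernew->email;

    return count($err);
}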
346 ?>