fernando/luos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
49bd973e2190dadfa8d63b27ca9843b8af35cb50
luos/workflow/engine/methods/users/usersAjax.php
davidcallizaya 086cc31982 HOR-3921 
Fix CSRF security issue.
2017-10-13 07:57:22 -04:00

489 lines
21 KiB
PHP
Raw Blame History

<?php
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
if(isset($_SESSION['USER_LOGGED'])) {
$_SESSION['USER_LOGGED'] = $filter->xssFilterHard($_SESSION['USER_LOGGED']);
}
if(isset($_SESSION['USR_USERNAME'])) {
$_SESSION['USR_USERNAME'] = $filter->xssFilterHard($_SESSION['USR_USERNAME']);
}
global $RBAC;
$result = new StdClass();
switch ($_POST['action']) {
case 'countryList':
require_once ("classes/model/IsoCountry.php");
$c = new Criteria();
$c->add(IsoCountryPeer::IC_UID, null, Criteria::ISNOTNULL);
$c->addAscendingOrderByColumn(IsoCountryPeer::IC_NAME);
$countries = IsoCountryPeer::doSelect($c);
foreach ($countries as $rowid => $row) {
$oData[] = Array('IC_UID' => $row->getICUid(), 'IC_NAME' => $row->getICName());
}
print (G::json_encode($oData));
break;
case 'stateList':
require_once ("classes/model/IsoSubdivision.php");
$c = new Criteria();
$country = $_POST['IC_UID'];
$c->add(IsoSubdivisionPeer::IC_UID, $country, Criteria::EQUAL);
$c->addAscendingOrderByColumn(IsoSubdivisionPeer::IS_NAME);
$locations = IsoSubdivisionPeer::doSelect($c);
$oData = Array();
foreach ($locations as $rowid => $row) {
if (($row->getISUid() != '') && ($row->getISName() != '')) {
$oData[] = Array('IS_UID' => $row->getISUid(), 'IS_NAME' => $row->getISName());
}
}
print (G::json_encode($oData));
break;
case 'locationList':
require_once ("classes/model/IsoLocation.php");
$c = new Criteria();
$country = $_POST['IC_UID'];
$state = $_POST['IS_UID'];
$c->add(IsoLocationPeer::IC_UID, $country, Criteria::EQUAL);
$c->add(IsoLocationPeer::IS_UID, $state, Criteria::EQUAL);
$c->addAscendingOrderByColumn(IsoLocationPeer::IL_NAME);
$locations = IsoLocationPeer::doSelect($c);
$oData = Array();
foreach ($locations as $rowid => $row) {
if (($row->getILUid() != '') && ($row->getILName() != '')) {
$oData[] = Array('IL_UID' => $row->getILUid(), 'IL_NAME' => $row->getILName());
}
}
print (G::json_encode($oData));
break;
case 'usersList':
$filter = (isset($_POST['filter']))? $_POST['filter'] : '';
$arrayUser = [];
$user = new \ProcessMaker\BusinessModel\User();
$conf = new Configurations();
$arrayConfFormat = $conf->getFormats();
$arrayCondition = [[UsersPeer::USR_STATUS, ['ACTIVE', 'VACATION'], Criteria::IN]];
if (isset($_POST['USR_UID'])) {
$arrayCondition[] = [UsersPeer::USR_UID, $_POST['USR_UID'], Criteria::NOT_EQUAL];
}
$result = $user->getUsers(['condition' => $arrayCondition, 'filter' => $filter], null, null, null, 25);
foreach ($result['data'] as $record) {
$arrayUser[] = [
'USR_UID' => $record['USR_UID'],
'USER_FULLNAME' => G::getFormatUserList($arrayConfFormat['format'], $record)
];
}
echo G::json_encode($arrayUser);
break;
case 'availableCalendars':
$calendar = new Calendar();
$calendarObj = $calendar->getCalendarList(true, true);
$oData[] = array('CALENDAR_UID' => '', 'CALENDAR_NAME' => '- ' . G::LoadTranslation('ID_NONE') . ' -');
foreach ($calendarObj['array'] as $rowid => $row) {
if ($rowid > 0) {
$oData[] = array('CALENDAR_UID' => $row['CALENDAR_UID'], 'CALENDAR_NAME' => $row['CALENDAR_NAME']);
}
}
print (G::json_encode($oData));
break;
case 'rolesList':
require_once PATH_RBAC . "model/Roles.php";
$roles = new Roles();
$rolesData = $roles->getAllRoles();
foreach ($rolesData as $rowid => $row) {
$oData[] = array('ROL_UID' => $row['ROL_CODE'], 'ROL_CODE' => $row['ROL_NAME']);
}
print (G::json_encode($oData));
break;
case 'getUserLogedRole':
require_once 'classes/model/Users.php';
$oUser = new Users();
$aUserLog = $oUser->loadDetailed($_SESSION['USER_LOGGED']);
print (G::json_encode(array(
'USR_UID' => $aUserLog['USR_UID'],
'USR_USERNAME' => $aUserLog['USR_USERNAME'],
'USR_ROLE' => $aUserLog['USR_ROLE']
)));
break;
case 'languagesList':
$Translations = new Translation();
$langs = $Translations->getTranslationEnvironments();
$oData[] = array('LAN_ID' => '', 'LAN_NAME' => '- ' . G::LoadTranslation('ID_NONE') . ' -');
foreach ($langs as $lang) {
$oData[] = array ('LAN_ID' => $lang['LOCALE'],'LAN_NAME' => $lang['LANGUAGE']
);
}
print (G::json_encode($oData));
break;
case 'saveUser':
case 'savePersonalInfo':
try {
verifyCsrfToken($_POST);
$user = new \ProcessMaker\BusinessModel\User();
$form = $_POST;
$permissionsToSaveData = $user->getPermissionsForEdit();
$form = $user->checkPermissionForEdit($_SESSION['USER_LOGGED'], $permissionsToSaveData, $form);
switch ($_POST['action']) {
case 'saveUser';
if (!$user->checkPermission($_SESSION['USER_LOGGED'], 'PM_USERS')) {
throw new Exception(G::LoadTranslation('ID_USER_NOT_HAVE_PERMISSION', [$_SESSION['USER_LOGGED']]));
}
break;
case 'savePersonalInfo':
if (!$user->checkPermission($_SESSION['USER_LOGGED'], 'PM_USERS') &&
!$user->checkPermission($_SESSION['USER_LOGGED'], 'PM_EDITPERSONALINFO')
) {
throw new Exception(G::LoadTranslation('ID_USER_NOT_HAVE_PERMISSION', [$_SESSION['USER_LOGGED']]));
}
break;
default:
throw new Exception(G::LoadTranslation('ID_INVALID_DATA'));
break;
}
if (array_key_exists('USR_LOGGED_NEXT_TIME', $form)) {
$form['USR_LOGGED_NEXT_TIME'] = ($form['USR_LOGGED_NEXT_TIME']) ? 1 : 0;
}
$userUid = '';
$auditLogType = '';
if ($form['USR_UID'] == '') {
$arrayUserData = $user->create($form);
$userUid = $arrayUserData['USR_UID'];
$auditLogType = 'INS';
} else {
if (array_key_exists('USR_NEW_PASS', $form) && $form['USR_NEW_PASS'] == '') {
unset($form['USR_NEW_PASS']);
}
$result = $user->update($form['USR_UID'], $form, $_SESSION['USER_LOGGED']);
$userUid = $form['USR_UID'];
$arrayUserData = $user->getUserRecordByPk($userUid, [], false);
$auditLogType = 'UPD';
}
$user->auditLog($auditLogType, array_merge(['USR_UID' => $userUid, 'USR_USERNAME' => $arrayUserData['USR_USERNAME']], $form));
/* Saving preferences */
$def_lang = isset($form['PREF_DEFAULT_LANG']) ? $form['PREF_DEFAULT_LANG'] : '';
$def_menu = isset($form['PREF_DEFAULT_MENUSELECTED']) ? $form['PREF_DEFAULT_MENUSELECTED'] : '';
$def_cases_menu = isset($form['PREF_DEFAULT_CASES_MENUSELECTED']) ? $form['PREF_DEFAULT_CASES_MENUSELECTED'] : '';
$oConf = new Configurations();
$aConf = Array('DEFAULT_LANG' => $def_lang, 'DEFAULT_MENU' => $def_menu, 'DEFAULT_CASES_MENU' => $def_cases_menu);
$oConf->aConfig = $aConf;
$oConf->saveConfig('USER_PREFERENCES', '', '', $userUid);
if ($user->checkPermission($userUid, 'PM_EDIT_USER_PROFILE_PHOTO')) {
try {
$user->uploadImage($userUid);
} catch (Exception $e) {
$result = new stdClass();
$result->success = false;
$result->fileError = true;
echo G::json_encode($result);
exit(0);
}
}
if ($_SESSION['USER_LOGGED'] == $form['USR_UID']) {
/* UPDATING SESSION VARIABLES */
$aUser = $RBAC->userObj->load($_SESSION['USER_LOGGED']);
$_SESSION['USR_FULLNAME'] = $aUser['USR_FIRSTNAME'] . ' ' . $aUser['USR_LASTNAME'];
}
$result = new stdClass();
$result->success = true;
print (G::json_encode($result));
} catch (Exception $e) {
$result = new stdClass();
$result->success = false;
$result->error = $e->getMessage();
print (G::json_encode($result));
}
break;
case 'userData':
require_once 'classes/model/Users.php';
$_SESSION['CURRENT_USER'] = $_POST['USR_UID'];
$oUser = new Users();
$aFields = $oUser->loadDetailed($_POST['USR_UID']);
//Load Calendar options and falue for this user
$calendar = new Calendar();
$calendarInfo = $calendar->getCalendarFor($_POST['USR_UID'], $_POST['USR_UID'], $_POST['USR_UID']);
//If the function returns a DEFAULT calendar it means that this object doesn't have assigned any calendar
$aFields['USR_CALENDAR'] = $calendarInfo['CALENDAR_APPLIED'] != 'DEFAULT' ? $calendarInfo['CALENDAR_UID'] : "";
$aFields['CALENDAR_NAME'] = $calendarInfo['CALENDAR_NAME'];
#verifying if it has any preferences on the configurations table
$oConf = new Configurations();
$oConf->loadConfig($x, 'USER_PREFERENCES', '', '', $aFields['USR_UID'], '');
$aFields['PREF_DEFAULT_MENUSELECTED'] = '';
$aFields['PREF_DEFAULT_CASES_MENUSELECTED'] = '';
if (sizeof($oConf->Fields) > 0) {
// this user has a configuration record
$aFields['PREF_DEFAULT_LANG'] = $oConf->aConfig['DEFAULT_LANG'];
$aFields['PREF_DEFAULT_MENUSELECTED'] = isset($oConf->aConfig['DEFAULT_MENU']) ? $oConf->aConfig['DEFAULT_MENU'] : '';
$aFields['PREF_DEFAULT_CASES_MENUSELECTED'] = isset($oConf->aConfig['DEFAULT_CASES_MENU']) ? $oConf->aConfig['DEFAULT_CASES_MENU'] : '';
} else {
switch ($RBAC->aUserInfo['PROCESSMAKER']['ROLE']['ROL_CODE']) {
case 'PROCESSMAKER_ADMIN':
$aFields['PREF_DEFAULT_MENUSELECTED'] = 'PM_SETUP';
break;
case 'PROCESSMAKER_OPERATOR':
$aFields['PREF_DEFAULT_MENUSELECTED'] = 'PM_CASES';
break;
}
$aFields['PREF_DEFAULT_LANG'] = SYS_LANG;
}
if ($aFields['USR_REPLACED_BY'] != '') {
$user = new Users();
$u = $user->load($aFields['USR_REPLACED_BY']);
if ($u['USR_STATUS'] == 'CLOSED') {
$replaced_by = '';
$aFields['USR_REPLACED_BY'] = '';
} else {
$c = new Configurations();
$arrayConfFormat = $c->getFormats();
$replaced_by = G::getFormatUserList($arrayConfFormat['format'], $u);
}
} else {
$replaced_by = '';
}
$aFields['REPLACED_NAME'] = $replaced_by;
$menuSelected = '';
if ($aFields['PREF_DEFAULT_MENUSELECTED'] != '') {
foreach ($RBAC->aUserInfo['PROCESSMAKER']['PERMISSIONS'] as $permission) {
if ($aFields['PREF_DEFAULT_MENUSELECTED'] == $permission['PER_CODE']) {
switch ($permission['PER_CODE']) {
case 'PM_USERS':
case 'PM_SETUP':
$menuSelected = strtoupper(G::LoadTranslation('ID_SETUP'));
break;
case 'PM_CASES':
$menuSelected = strtoupper(G::LoadTranslation('ID_CASES'));
break;
case 'PM_FACTORY':
$menuSelected = strtoupper(G::LoadTranslation('ID_APPLICATIONS'));
break;
case 'PM_DASHBOARD':
$menuSelected = strtoupper(G::LoadTranslation('ID_DASHBOARD'));
break;
}
} else {
if ($aFields['PREF_DEFAULT_MENUSELECTED'] == 'PM_STRATEGIC_DASHBOARD') {
$menuSelected = strtoupper(G::LoadTranslation('ID_STRATEGIC_DASHBOARD'));
}
}
}
}
$aFields['MENUSELECTED_NAME'] = $menuSelected;
$oMenu = new Menu();
$oMenu->load('cases');
$casesMenuSelected = '';
if ($aFields['PREF_DEFAULT_CASES_MENUSELECTED'] != '') {
foreach ($oMenu->Id as $i => $item) {
if ($aFields['PREF_DEFAULT_CASES_MENUSELECTED'] == $item) {
$casesMenuSelected = $oMenu->Labels[$i];
}
}
}
require_once 'classes/model/Users.php';
$oUser = new Users();
$aUserLog = $oUser->loadDetailed($_SESSION['USER_LOGGED']);
$aFields['USER_LOGGED_NAME'] = $aUserLog['USR_USERNAME'];
$aFields['USER_LOGGED_ROLE'] = $aUserLog['USR_ROLE'];
$aFields['CASES_MENUSELECTED_NAME'] = $casesMenuSelected;
require_once 'classes/model/UsersProperties.php';
$oUserProperty = new UsersProperties();
$aUserProperty = $oUserProperty->loadOrCreateIfNotExists($aFields['USR_UID'], array('USR_PASSWORD_HISTORY' => serialize(array($oUser->getUsrPassword()))));
$aFields['USR_LOGGED_NEXT_TIME'] = $aUserProperty['USR_LOGGED_NEXT_TIME'];
if (array_key_exists('USR_PASSWORD', $aFields)) {
unset($aFields['USR_PASSWORD']);
}
$userPermissions = new \ProcessMaker\BusinessModel\User();
$permissions = $userPermissions->loadDetailedPermissions($aFields);
$result->success = true;
$result->user = $aFields;
$result->permission = $permissions;
print (G::json_encode($result));
break;
case 'defaultMainMenuOptionList':
foreach ($RBAC->aUserInfo['PROCESSMAKER']['PERMISSIONS'] as $permission) {
switch ($permission['PER_CODE']) {
case 'PM_USERS':
case 'PM_SETUP':
$rows[] = Array('id' => 'PM_SETUP', 'name' => strtoupper(G::LoadTranslation('ID_SETUP'))
);
break;
case 'PM_CASES':
$rows[] = Array('id' => 'PM_CASES', 'name' => strtoupper(G::LoadTranslation('ID_CASES'))
);
break;
case 'PM_FACTORY':
$rows[] = Array('id' => 'PM_FACTORY', 'name' => strtoupper(G::LoadTranslation('ID_APPLICATIONS'))
);
break;
case 'PM_DASHBOARD':
$rows[] = Array('id' => 'PM_DASHBOARD', 'name' => strtoupper(G::LoadTranslation('ID_DASHBOARD'))
);
/*----------------------------------********---------------------------------*/
// NEW DASHBOARD MODULE
$licensedFeatures = & PMLicensedFeatures::getSingleton();
if ($licensedFeatures->verifyfeature('r19Vm5DK1UrT09MenlLYjZxejlhNUZ1b1NhV0JHWjBsZEJ6dnpJa3dTeWVLVT0=')) {
$rows[] = Array('id' => 'PM_STRATEGIC_DASHBOARD', 'name' => strtoupper(G::LoadTranslation('ID_STRATEGIC_DASHBOARD'))
);
}
/*----------------------------------********---------------------------------*/
break;
}
}
print (G::json_encode($rows));
break;
case 'defaultCasesMenuOptionList':
$oMenu = new Menu();
$oMenu->load('cases');
foreach ($oMenu->Id as $i => $item) {
if ($oMenu->Types[$i] != 'blockHeader') {
$rowsCasesMenu[] = Array('id' => $item, 'name' => $oMenu->Labels[$i]);
}
}
print (G::json_encode($rowsCasesMenu));
break;
case 'testPassword':
require_once 'classes/model/UsersProperties.php';
$oUserProperty = new UsersProperties();
$aFields = array();
$color = '';
$img = '';
$dateNow = date('Y-m-d H:i:s');
$aErrors = $oUserProperty->validatePassword($_POST['PASSWORD_TEXT'], $dateNow, $dateNow);
if (!empty($aErrors)) {
$img = '/images/delete.png';
$color = 'red';
if (!defined('NO_DISPLAY_USERNAME')) {
define('NO_DISPLAY_USERNAME', 1);
}
$aFields = array();
$aFields['DESCRIPTION'] = G::LoadTranslation('ID_POLICY_ALERT') . ':<br />';
foreach ($aErrors as $sError) {
switch ($sError) {
case 'ID_PPP_MINIMUM_LENGTH':
$aFields['DESCRIPTION'] .= ' - ' . G::LoadTranslation($sError) . ': ' . PPP_MINIMUM_LENGTH . '<br />';
$aFields[substr($sError, 3)] = PPP_MINIMUM_LENGTH;
break;
case 'ID_PPP_MAXIMUM_LENGTH':
$aFields['DESCRIPTION'] .= ' - ' . G::LoadTranslation($sError) . ': ' . PPP_MAXIMUM_LENGTH . '<br />';
$aFields[substr($sError, 3)] = PPP_MAXIMUM_LENGTH;
break;
case 'ID_PPP_EXPIRATION_IN':
$aFields['DESCRIPTION'] .= ' - ' . G::LoadTranslation($sError) . ' ' . PPP_EXPIRATION_IN . ' ' . G::LoadTranslation('ID_DAYS') . '<br />';
$aFields[substr($sError, 3)] = PPP_EXPIRATION_IN;
break;
default:
$aFields['DESCRIPTION'] .= ' - ' . G::LoadTranslation($sError) . '<br />';
$aFields[substr($sError, 3)] = 1;
break;
}
}
$aFields['DESCRIPTION'] .= G::LoadTranslation('ID_PLEASE_CHANGE_PASSWORD_POLICY') . '</span>';
$aFields['STATUS'] = false;
} else {
$color = 'green';
$img = '/images/dialog-ok-apply.png';
$aFields['DESCRIPTION'] = G::LoadTranslation('ID_PASSWORD_COMPLIES_POLICIES') . '</span>';
$aFields['STATUS'] = true;
}
$span = '<span style="color: ' . $color . '; font: 9px tahoma,arial,helvetica,sans-serif;">';
$gif = '<img width="13" height="13" border="0" src="' . $img . '">';
$aFields['DESCRIPTION'] = $span . $gif . $aFields['DESCRIPTION'];
print (G::json_encode($aFields));
break;
case 'testUsername':
require_once 'classes/model/Users.php';
$_POST['NEW_USERNAME'] = trim($_POST['NEW_USERNAME']);
$USR_UID = isset($_POST['USR_UID']) ? $_POST['USR_UID'] : '';
$response = array("success" => true);
$oCriteria = new Criteria();
$oCriteria->addSelectColumn(UsersPeer::USR_USERNAME);
$oCriteria->add(UsersPeer::USR_USERNAME, utf8_encode($_POST['NEW_USERNAME']));
if ($USR_UID != '') {
$oCriteria->add(UsersPeer::USR_UID, array($_POST['USR_UID']), Criteria::NOT_IN);
}
$oDataset = UsersPeer::doSelectRS($oCriteria);
$oDataset->setFetchmode(ResultSet::FETCHMODE_ASSOC);
$oDataset->next();
$aRow = $oDataset->getRow();
if (is_array($aRow) || $_POST['NEW_USERNAME'] == '') {
$color = 'red';
$img = '/images/delete.png';
$dataVar['USER_ID'] = $_POST['NEW_USERNAME'];
$text = G::LoadTranslation('ID_USERNAME_ALREADY_EXISTS', $dataVar);
$text = ($_POST['NEW_USERNAME'] == '') ? G::LoadTranslation('ID_MSG_ERROR_USR_USERNAME') : $text;
$response['exists'] = true;
} else {
$color = 'green';
$img = '/images/dialog-ok-apply.png';
$text = G::LoadTranslation('ID_USERNAME_CORRECT');
$response['exists'] = false;
}
$span = '<span style="color: ' . $color . '; font: 9px tahoma,arial,helvetica,sans-serif;">';
$gif = '<img width="13" height="13" border="0" src="' . $img . '">';
$response['descriptionText'] = $span . $gif . $text . '</span>';
echo G::json_encode($response);
break;
case "passwordValidate":
$messageResultLogin = "";
$password = $_POST["password"];
$resultLogin = $RBAC->VerifyLogin($_SESSION["USR_USERNAME"], $password);
if($resultLogin == $_SESSION["USER_LOGGED"]) {
$messageResultLogin = "OK";
} else {
$messageResultLogin = "ERROR";
}
$response = array();
$response["result"] = $messageResultLogin;
echo G::json_encode($response);
break;
}
Reference in New Issue View Git Blame Copy Permalink