Fixed a few things related to the User Status on the Edit Form
For Issue #1046.

- Fixed: if the user email verification link is not correct, a 404 error will be returned
- Fixed: users should not be set to a status of Awaiting Activation by Admins. This is an automated status only (like Awaiting Authorization, which is used for the User Submission).
- Fixed: users who are locked should still have their profile viewable by all users.
- Added an explanation of statuses on the edit form so Admins are not confused.
eSilverStrike committed Mar 19, 2020
1 parent e59f29c commit d721f5e
Showing 13 changed files with 72 additions and 18 deletions.
10 changes: 10 additions & 0 deletions language/english.php
@@ -1218,6 +1218,16 @@
44 => 'Awaiting Authorization',
45 => 'Active',
46 => 'User Status',
'user_status_desc' => 'An explanation of all possible user statuses: <ul>
<li><strong>Awaiting Activation</strong> - New account awaiting user to login. Email has been sent but not verified. This is only set for a new account and is an automated status (Admins cannot set accounts to this status manually)</li>
<li><strong>Awaiting Authorization</strong> - New account awaiting moderator approval in the User Submission Queue. When User Submission approved, user will be sent email with password. This is only set for a new account and is an automated status (Admins cannot set accounts to this status manually)</li>
<li><strong>Active</strong> - This is an Active account.</li>
<li><strong>Banned</strong> - This Account is banned/disabled. Username is crossed out on the site for any content they have submitted, User cannot login, emails to account is disabled, and profile cannot be viewed by any user except Admins.</li>
<li><strong>Locked</strong> - This Account is locked. User cannot login, emails to account is disabled, but profile can still be viewed by all.</li>
<li><strong>New Email Required</strong> - Emails to account is disabled. When user logs in again they must submit new email address and verify before access to rest of the website (under this user account). Status stays the same until email is verified. If "Require User Email" config option true then any users who login (includes remote accounts) that do not have an email address will automatically switch to this status.</li>
<li><strong>New Password Required</strong> - When the user logs in they must submit a new password before access to rest of website (under this user account). This is only for regular accounts and not remote accounts.</li>
</ul>
',
47 => 'Edit',
48 => 'Show Admin Groups',
49 => 'Admin Group',
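Review bot: the new `'user_status_desc'` entry mixes a string key into `$LANG28`, which in the surrounding lines (`44 =>`, `45 =>`, `46 =>`, `47 =>`) is numerically indexed, and it carries raw HTML, so it must only ever be emitted through a template variable that is not escaped; note that in the template. Also, several descriptions say "emails to account is disabled", which should read "emails to the account are disabled".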
10 changes: 10 additions & 0 deletions language/english_utf-8.php
@@ -1217,6 +1217,16 @@
44 => 'Awaiting Authorization',
45 => 'Active',
46 => 'User Status',
'user_status_desc' => 'An explanation of all possible user statuses: <ul>
<li><strong>Awaiting Activation</strong> - New account awaiting user to login. Email has been sent but not verified. This is only set for a new account and is an automated status (Admins cannot set accounts to this status manually)</li>
<li><strong>Awaiting Authorization</strong> - New account awaiting moderator approval in the User Submission Queue. When User Submission approved, user will be sent email with password. This is only set for a new account and is an automated status (Admins cannot set accounts to this status manually)</li>
<li><strong>Active</strong> - This is an Active account.</li>
<li><strong>Banned</strong> - This Account is banned/disabled. Username is crossed out on the site for any content they have submitted, User cannot login, emails to account is disabled, and profile cannot be viewed by any user except Admins.</li>
<li><strong>Locked</strong> - This Account is locked. User cannot login, emails to account is disabled, but profile can still be viewed by all.</li>
<li><strong>New Email Required</strong> - Emails to account is disabled. When user logs in again they must submit new email address and verify before access to rest of the website (under this user account). Status stays the same until email is verified. If "Require User Email" config option true then any users who login (includes remote accounts) that do not have an email address will automatically switch to this status.</li>
<li><strong>New Password Required</strong> - When the user logs in they must submit a new password before access to rest of website (under this user account). This is only for regular accounts and not remote accounts.</li>
</ul>
',
47 => 'Edit',
48 => 'Show Admin Groups',
49 => 'Admin Group',
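Review bot: this block is a verbatim copy of the english.php addition, so the same remarks apply (string key in a numerically indexed `$LANG28`, raw HTML in the string, "emails to account is disabled" should be "emails to the account are disabled"); keep the two files in sync whenever either is edited.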
15 changes: 12 additions & 3 deletions language/japanese_utf-8.php
@@ -1236,6 +1236,16 @@
44 => '承認が通るのを待機中',
45 => '有効',
46 => 'ユーザーの状態',
'user_status_desc' => 'An explanation of all possible user statuses: <ul>
<li><strong>Awaiting Activation</strong> - New account awaiting user to login. Email has been sent but not verified. This is only set for a new account and is an automated status (Admins cannot set accounts to this status manually)</li>
<li><strong>Awaiting Authorization</strong> - New account awaiting moderator approval in the User Submission Queue. When User Submission approved, user will be sent email with password. This is only set for a new account and is an automated status (Admins cannot set accounts to this status manually)</li>
<li><strong>Active</strong> - This is an Active account.</li>
<li><strong>Banned</strong> - This Account is banned/disabled. Username is crossed out on the site for any content they have submitted, User cannot login, emails to account is disabled, and profile cannot be viewed by any user except Admins.</li>
<li><strong>Locked</strong> - This Account is locked. User cannot login, emails to account is disabled, but profile can still be viewed by all.</li>
<li><strong>New Email Required</strong> - Emails to account is disabled. When user logs in again they must submit new email address and verify before access to rest of the website (under this user account). Status stays the same until email is verified. If "Require User Email" config option true then any users who login (includes remote accounts) that do not have an email address will automatically switch to this status.</li>
<li><strong>New Password Required</strong> - When the user logs in they must submit a new password before access to rest of website (under this user account). This is only for regular accounts and not remote accounts.</li>
</ul>
',
47 => '編集',
48 => '管理者グループを表示',
49 => '管理者グループ',
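Review bot: the `'user_status_desc'` string added here is English while every neighbouring entry (`44 =>`, `45 =>`, `46 =>`, `47 =>`) is Japanese; if no translation is available yet, add a comment marking it as untranslated so translators can find it, rather than shipping English text silently in the Japanese file.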
@@ -1991,7 +2001,7 @@

###############################################################################
# "What's New" Time Strings
#
#
# This here determines the order of the sentence "No new articles in 2 hrs"
# order it so it makes sense in your language:
# %i item, "Articles"
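Review bot: the removed and added `#` lines in this hunk are indistinguishable as rendered, so the change is whitespace only (most likely trailing spaces); the same applies to the hunk at `@@ -2049,7 +2059,7 @@` below. Whitespace cleanups are easier to review when kept out of a functional commit.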
@@ -2049,7 +2059,7 @@

###############################################################################
# Admin - Strings
#
#
# These are some standard strings used by core functions as well as plugins to
# display administration lists and edit pages

@@ -2740,4 +2750,3 @@
'config_setting_lang_array' => 'それぞれのキーには他と異なるユニークな言語ショートカット(\'en\', \'de\', \'ja\'など)を指定し、対応するフィールドには言語ファイル名から .php を除いたものを指定してください',
'config_setting_lang_array_element_req' => '少なくとも1つキーを指定してください。それぞれのキーには他と異なるユニークな言語ショートカット(\'en\', \'de\', \'ja\'など)を指定し、対応するフィールドには言語ファイル名から .php を除いたものを指定してください'
);
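Review bot: this hunk only drops a trailing blank line after the closing `);`; confirm the file still ends with a single newline, since some editors and linters flag PHP files that end without one.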

12 changes: 10 additions & 2 deletions public_html/admin/user.php
@@ -314,10 +314,15 @@ function edituser($uid = 0, $msg = 0)
$user_templates->set_var('user_about', htmlspecialchars($A['about']));

$statusarray = array(
USER_ACCOUNT_AWAITING_ACTIVATION => $LANG28[43],
USER_ACCOUNT_ACTIVE => $LANG28[45],
);

// Only show Awaiting Activation status if user already this status as this is an automated status and should not be set by Admin
// Admin should use USER_ACCOUNT_NEW_EMAIL instead
if ($A['status'] == USER_ACCOUNT_AWAITING_ACTIVATION && !empty($uid)) {
$statusarray[USER_ACCOUNT_AWAITING_ACTIVATION] = $LANG28[43];
}

$allow_other_statuses = true;
// do not allow to ban yourself or forcing new email or password
if (!empty($uid)) {
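Review bot: removing `USER_ACCOUNT_AWAITING_ACTIVATION` from the initial `$statusarray` and re-adding it only when `$A['status']` already holds that value controls what the dropdown offers, not what the server accepts; the handler that saves the form must also reject a posted status that is not in this set, which this hunk does not show, otherwise the restriction is cosmetic. Minor: the comment "if user already this status" should read "if the user already has this status".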
@@ -343,7 +348,9 @@ function edituser($uid = 0, $msg = 0)
}
}

if (($_CONF['usersubmission'] == 1) && !empty($uid)) {
// If this status then $_CONF['usersubmission'] == 1 better be true
// Only show Awaiting Authorization status if user already this status as this is an automated status and should not be set by Admin
if (($A['status'] == USER_ACCOUNT_AWAITING_APPROVAL) && !empty($uid)) {
$statusarray[USER_ACCOUNT_AWAITING_APPROVAL] = $LANG28[44];
}
asort($statusarray);
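Review bot: the replaced condition no longer looks at `$_CONF['usersubmission']` at all, so the comment "If this status then $_CONF['usersubmission'] == 1 better be true" states an assumption the code does not check; an account left in `USER_ACCOUNT_AWAITING_APPROVAL` after the queue is switched off will still be shown with that status here and the Admin has no indication that the queue is disabled. Either keep the config check alongside the status check or surface the mismatch in the form.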
@@ -362,6 +369,7 @@ function edituser($uid = 0, $msg = 0)
));
$user_templates->set_var('user_status', $statusselect);
$user_templates->set_var('lang_user_status', $LANG28[46]);
$user_templates->set_var('lang_user_status_desc', $LANG28['user_status_desc']);

if ($_CONF['custom_registration'] AND function_exists('CUSTOM_userEdit')) {
if (!empty($uid) && ($uid > 1)) {
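Review bot: `$LANG28['user_status_desc']` is read unconditionally, but only `english.php`, `english_utf-8.php` and `japanese_utf-8.php` gain the key in this commit, so every other language file will raise an undefined index notice on the edit form; guard the lookup with `isset()` and fall back to an empty string or the English text.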
4 changes: 3 additions & 1 deletion public_html/docs/english/config.html
@@ -1178,7 +1178,9 @@ <h3><a name="users_usersub">Users and Submissions: User Submission</a></h3>
<td valign="top"><a name="desc_usersubmission">usersubmission</a></td>
<td valign="top">0</td>
<td valign="top">Enable (1) or disable (0) the user submission queue (i.e.
new users must be approved before they receive their password)</td></tr>
new users must be approved before they receive their password).<br><br>
Note: If disabling this make sure you have no users currently in the user
submission queue.</td></tr>
<tr>
<td valign="top"><a name="desc_allow_domains">allow_domains</a></td>
<td valign="top"><span class="tt">''</span> <em>(empty)</em></td>
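Review bot: the added note tells the reader to empty the queue before disabling `usersubmission` but not why; say what happens to accounts still in the queue when it is turned off, so an admin can judge the risk of ignoring the advice.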
3 changes: 3 additions & 0 deletions public_html/docs/history
@@ -10,12 +10,15 @@ For more in-depth explanation of the issues below see: https://github.com/Geeklo
- [Security] [NA] XSS issue with the Plugin Admin interface. (reported by Netsparker.com) [Mystralkk]
- [Security] [NA] Issue with the comment library. (reported by Netsparker.com) [Tom]

- [Feature] [#1016] Staticpages can now be set individually if they will appear in the search results or not [Tom]

- [Improvement] [#1038] Staticpages which use PHP, and the template class with a theme that contains PHP, now will error gracefully for sites using PHP 7 or higher [Mystralkk]

- [Bug] [#1043] Fixed hardcoded table names in upgrade for Geeklog v2.2.1 [Tom]
- [Bug] [#1043] Fixed issue where the install would fail in some cases because it did not know where the system directory was [Tom]
- [Bug] [#1045] Fixed tooltip links for Denim and Denim_three themes [Tom]
- [Bug] [#1044] Fixed searching just articles [Tom]
- [Bug] [#1046] Fixed Users can only be set to certain statuses by Admins [Tom]

The following items are all current Geeklog API, functions, and/or global variables that are planned to be either required or depreciated by a current Geeklog version. Plugin and Theme developers please take note of these changes in case they affect you.

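Review bot: the `[#1046]` entry reads as a statement of the bug rather than of the fix, and it covers only one of the changes in this commit; reword it along the lines of "Admins can no longer set users to the automated Awaiting Activation / Awaiting Authorization statuses; locked users' profiles are viewable again; an invalid email verification link now returns a 404". The `[#1016]` entry is unrelated to #1046 and would be easier to trace if committed separately.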
5 changes: 5 additions & 0 deletions public_html/docs/japanese/history.html
@@ -31,6 +31,10 @@ <h2>March ? 2020 (2.2.1sr1)</h2>
<li>[Security] [NA] Issue with the comment library. (reported by Netsparker.com) [Tom]</li>
</ul>

<ul>
<li>[Feature] [#1016] Staticpages can now be set individually if they will appear in the search results or not [Tom]</li>
</ul>

<ul>
<li>[Improvement] [#1038] Staticpages which use PHP, and the template class with a theme that contains PHP, now will error gracefully for sites using PHP 7 or higher [Mystralkk]</li>
</ul>
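Review bot: this `[#1016]` entry is a changelog catch-up for a different issue; committing it separately keeps the #1046 history easier to follow.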
@@ -40,6 +44,7 @@ <h2>March ? 2020 (2.2.1sr1)</h2>
<li>[Bug] [#1043] Fixed issue where the install would fail in some cases because it did not know where the system directory was [Tom]</li>
<li>[Bug] [#1045] Fixed tooltip links for Denim and Denim_three themes [Tom]</li>
<li>[Bug] [#1044] Fixed searching just articles [Tom]</li>
<li>[Bug] [#1046] Fixed Users can only be set to certain statuses by Admins [Tom]</li>
</ul>

<p>The following items are all current Geeklog API, functions, and/or global variables that are planned to be either required or depreciated by a current Geeklog version. Plugin and Theme developers please take note of these changes in case they affect you.<br>
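Review bot: same wording issue as in `docs/history`: the `[#1046]` line describes the bug rather than the fix and omits the 404 and locked-profile changes; keep the two changelogs identical once one of them is reworded.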
5 changes: 3 additions & 2 deletions public_html/layout/denim/admin/user/edituser.thtml
@@ -42,7 +42,7 @@
{enable_tfa_options}
</select>
</dd>
<dd>{lang_tfa_user_edit_desc}</dd>
<dd class="description" id="desc-admin-edituser-enable_tfa">{lang_tfa_user_edit_desc}</dd>
{!endif}

<dt><label for="admin-edituser-homepage">{lang_homepage}</label></dt>
@@ -66,8 +66,9 @@

{display_fields}

<dt>{lang_user_status}</dt>
<dt><label for="admin-edituser-userstatus">{lang_user_status}</label></dt>
<dd>{user_status}</dd>
<dd class="description" id="desc-admin-edituser-userstatus">{lang_user_status_desc}</dd>
</dl>
</div>

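Review bot: the new `<label for="admin-edituser-userstatus">` only associates with the control if the `<select>` emitted through `{user_status}` carries `id="admin-edituser-userstatus"`; that select is built in user.php (`$statusselect`) and its attributes are not visible in this commit, so verify the id is set there, otherwise the label is inert.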
5 changes: 3 additions & 2 deletions public_html/layout/denim_three/admin/user/edituser.thtml
@@ -42,7 +42,7 @@
{enable_tfa_options}
</select>
</dd>
<dd>{lang_tfa_user_edit_desc}</dd>
<dd class="description" id="desc-admin-edituser-enable_tfa">{lang_tfa_user_edit_desc}</dd>
{!endif}

<dt><label for="admin-edituser-homepage">{lang_homepage}</label></dt>
@@ -66,8 +66,9 @@

{display_fields}

<dt>{lang_user_status}</dt>
<dt><label for="admin-edituser-userstatus">{lang_user_status}</label></dt>
<dd>{user_status}</dd>
<dd class="description" id="desc-admin-edituser-userstatus">{lang_user_status_desc}</dd>
</dl>
</div>

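Review bot: identical to the denim hunk above, so the same check applies: the `for="admin-edituser-userstatus"` attribute needs a matching `id` on the select produced by `{user_status}`.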
3 changes: 2 additions & 1 deletion public_html/layout/modern_curve/admin/user/edituser.thtml
@@ -70,8 +70,9 @@

{display_fields}

<dt>{lang_user_status}</dt>
<dt><label for="admin-edituser-userstatus">{lang_user_status}</label></dt>
<dd>{user_status}</dd>
<dd class="description">{lang_user_status_desc}</dd>
</dl>
</div>

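Review bot: this theme's description `<dd>` has `class="description"` but no `id`, while denim and denim_three use `id="desc-admin-edituser-userstatus"`; add the id here for consistency if any script or stylesheet targets it.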
3 changes: 3 additions & 0 deletions public_html/users.php
@@ -1112,6 +1112,9 @@ function USER_tryTwoFactorAuth()
DB_query("UPDATE {$_TABLES['users']} SET emailconfirmid = NULL, emailtoconfirm = NULL WHERE uid = $uid");

COM_redirect($_CONF['site_url'] . '/users.php?msg=503');
} else {
// Not valid emailconfirmid
COM_handle404();
}
} elseif (!empty($_USER['uid']) && ($_USER['uid'] > 1) && ($_USER['status'] == USER_ACCOUNT_NEW_EMAIL)) {
$msg = (int) Geeklog\Input::fRequest('msg', 0);
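Review bot: answering an unknown `emailconfirmid` with `COM_handle404()` is a sound choice that reveals nothing about the account, but a failed verification attempt is worth recording (for example via `COM_errorLog`) so repeated invalid tokens show up in the site log; the new `} else {` branch also turns what was a silent fall-through into a hard stop, so confirm no legitimate flow reached this point with an empty or stale `emailconfirmid`.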
10 changes: 5 additions & 5 deletions system/lib-security.php
@@ -69,12 +69,12 @@
}

/* Constants for account status */
define('USER_ACCOUNT_DISABLED', 0); // Account is banned/disabled
define('USER_ACCOUNT_AWAITING_ACTIVATION', 1); // Account awaiting user to login. Email has been sent
define('USER_ACCOUNT_AWAITING_APPROVAL', 2); // Account awaiting moderator approval
define('USER_ACCOUNT_DISABLED', 0); // Account is banned/disabled. Username is crossed out, User cannot login, emails to account is disabled, profile cannot be viewed
define('USER_ACCOUNT_AWAITING_ACTIVATION', 1); // New Account awaiting user to login. Email has been sent but not verified. This is only set when a new account
define('USER_ACCOUNT_AWAITING_APPROVAL', 2); // Account awaiting moderator approval in the User Submission Queue. Not for remote accounts. This is only set when a new account
define('USER_ACCOUNT_ACTIVE', 3); // Active account
define('USER_ACCOUNT_LOCKED', 4); // Account is locked. User cannot login, emails to account is disabled
define('USER_ACCOUNT_NEW_EMAIL', 5); // Emails to account is disabled. User when login must submit new email address and verify before access to rest of website (under the user account)
define('USER_ACCOUNT_LOCKED', 4); // Account is locked. User cannot login, emails to account is disabled, profile can still be viewed
define('USER_ACCOUNT_NEW_EMAIL', 5); // Emails to account is disabled. User when login must submit new email address and verify before access to rest of website (under the user account). Status stays this until email verified
define('USER_ACCOUNT_NEW_PASSWORD', 6); // User when login must submit new password before access to rest of website (under the user account), Only for regular accounts and not remote

/* Constant for Security Token */
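Review bot: the comments on these `define()` lines now duplicate the policy text in `'user_status_desc'` and the two will drift apart; keep one of them short and point at the other. Also the comment on `USER_ACCOUNT_AWAITING_ACTIVATION` and `USER_ACCOUNT_AWAITING_APPROVAL` ends mid-sentence ("This is only set when a new account"), and "emails to account is disabled" should read "emails to the account are disabled".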
5 changes: 3 additions & 2 deletions system/lib-user.php
@@ -1123,7 +1123,8 @@ function USER_showProfile($uid, $preview = false, $msg = 0, $plugin = '')
COM_displayMessageAndAbort(30, '', 403, 'Forbidden');
}

if ($A['status'] != USER_ACCOUNT_ACTIVE && !SEC_hasRights('user.edit')) {
// Profile still viewable under the following user statuses
if (($A['status'] != USER_ACCOUNT_ACTIVE && $A['status'] != USER_ACCOUNT_LOCKED && $A['status'] != USER_ACCOUNT_NEW_EMAIL && $A['status'] != USER_ACCOUNT_NEW_PASSWORD) && !SEC_hasRights('user.edit')) {
COM_handle404();
}

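Review bot: the new condition makes profiles visible for `USER_ACCOUNT_LOCKED`, `USER_ACCOUNT_NEW_EMAIL` and `USER_ACCOUNT_NEW_PASSWORD`, but the commit message only mentions locked users; state the intent for the other two explicitly, since this widens what anonymous visitors can see. A more readable form would be `!in_array($A['status'], array(USER_ACCOUNT_ACTIVE, USER_ACCOUNT_LOCKED, USER_ACCOUNT_NEW_EMAIL, USER_ACCOUNT_NEW_PASSWORD))`.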
@@ -1607,6 +1608,6 @@ function USER_isBanned($uid = 0)
$A = DB_fetchArray($result, false);
$status = (int) $A['status'];

return ($status == USER_ACCOUNT_DISABLED) || ($status == USER_ACCOUNT_LOCKED);
return ($status == USER_ACCOUNT_DISABLED);
}
}
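Review bot: `USER_isBanned()` now returns false for `USER_ACCOUNT_LOCKED`, so every caller that used it to keep locked accounts out (login, commenting, mail) now treats them as not banned; the commit message says locked users still cannot log in, so audit each call site to confirm the login path checks the status directly rather than relying on this helper. The change in meaning also deserves a line in the function's docblock and in the history entry.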
