Use UserUpdateCommand from Web UI

Fixes #32464
mantisbt · May 17, 2023 · 09441d7 · 09441d7
1 parent c64f051
commit 09441d7
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 181 deletions.
diff --git a/lang/strings_english.txt b/lang/strings_english.txt
@@ -973,7 +973,6 @@ $s_account_reset_msg2 = 'Account password has been set to blank...';
 $s_account_unlock_msg = 'The account has been unlocked.';
 
 # manage_user_update.php
-$s_manage_user_protected_msg = 'Account protected; the \'Access Level\' and \'Enabled\' fields cannot be modified. Other fields were successfully updated.';
 $s_manage_user_updated_msg = 'Account successfully updated...';
 $s_email_user_updated_subject = 'Account updated';
 $s_email_user_updated_msg = 'Your account has been updated by an administrator. A list of these changes is provided below. You can update your account details and preferences at any time by visiting the following URL:';

diff --git a/manage_user_update.php b/manage_user_update.php
@@ -23,46 +23,23 @@
  * @link http://www.mantisbt.org
  *
  * @uses core.php
- * @uses access_api.php
  * @uses authentication_api.php
- * @uses config_api.php
- * @uses constant_inc.php
- * @uses database_api.php
- * @uses email_api.php
  * @uses form_api.php
  * @uses gpc_api.php
  * @uses helper_api.php
  * @uses html_api.php
- * @uses lang_api.php
- * @uses logging_api.php
- * @uses print_api.php
- * @uses string_api.php
- * @uses user_api.php
- * @uses user_pref_api.php
  */
 
 require_once( 'core.php' );
-require_api( 'access_api.php' );
 require_api( 'authentication_api.php' );
-require_api( 'config_api.php' );
-require_api( 'constant_inc.php' );
-require_api( 'database_api.php' );
-require_api( 'email_api.php' );
 require_api( 'form_api.php' );
 require_api( 'gpc_api.php' );
 require_api( 'helper_api.php' );
 require_api( 'html_api.php' );
-require_api( 'lang_api.php' );
-require_api( 'logging_api.php' );
-require_api( 'print_api.php' );
-require_api( 'string_api.php' );
-require_api( 'user_api.php' );
-require_api( 'user_pref_api.php' );
 
 form_security_validate( 'manage_user_update' );
 
 auth_reauthenticate();
-access_ensure_global_level( config_get( 'manage_user_threshold' ) );
 
 $f_protected	= gpc_get_bool( 'protected' );
 $f_enabled		= gpc_get_bool( 'enabled' );
@@ -72,164 +49,29 @@
 $f_access_level	= gpc_get_int( 'access_level' );
 $f_user_id		= gpc_get_int( 'user_id' );
 
-if( config_get( 'enable_email_notification' ) == ON ) {
-	$f_send_email_notification = gpc_get_bool( 'send_email_notification' );
-} else {
-	$f_send_email_notification = 0;
-}
-
-user_ensure_exists( $f_user_id );
-
-$t_user = user_get_row( $f_user_id );
-/**
- * @var $t_old_username
- * @var $t_old_access_level
- * @var $t_old_realname
- * @var $t_old_email
- * @var $t_old_protected
- */
-extract( $t_user, EXTR_PREFIX_ALL, 't_old');
-
-$f_username	= trim( $f_username );
-
-# Ensure that the account to be updated is of equal or lower access to the
-# current user.
-access_ensure_global_level( $t_old_access_level );
-
-# check that the username is unique
-if( 0 != strcasecmp( $t_old_username, $f_username )
-	&& false == user_is_name_unique( $f_username ) ) {
-	trigger_error( ERROR_USER_NAME_NOT_UNIQUE, ERROR );
-}
-
-user_ensure_name_valid( $f_username );
-
-$t_ldap = ( LDAP == config_get_global( 'login_method' ) );
-
-if( $t_ldap && config_get_global( 'use_ldap_realname' ) ) {
-	$t_realname = ldap_realname_from_username( $f_username ) ?: $t_old_realname;
-} else {
-	# strip extra space from real name
-	$t_realname = string_normalize( $f_realname );
-}
-
-if( $t_ldap && config_get_global( 'use_ldap_email' ) ) {
-	$t_email = ldap_email( $f_user_id ) ?: $t_old_email;
-} else {
-	$t_email = trim( $f_email );
-	email_ensure_valid( $t_email );
-	email_ensure_not_disposable( $t_email );
-	user_ensure_email_unique( $t_email, $f_user_id );
-}
-
-$c_email = $t_email;
-$c_username = $f_username;
-$c_realname = $t_realname;
-$c_protected = (bool)$f_protected;
-$c_enabled = (bool)$f_enabled;
-$c_user_id = (int)$f_user_id;
-$c_access_level = (int)$f_access_level;
-
-# Ensure that users aren't escalating privileges of accounts beyond their
-# own global access level.
-access_ensure_global_level( $f_access_level );
-
-# check that we are not downgrading the last administrator
-$t_admin_threshold = config_get_global( 'admin_site_threshold' );
-if( user_is_administrator( $f_user_id ) &&
-	user_count_level( $t_admin_threshold, /* enabled */ true ) <= 1 ) {
-	if( $f_access_level < $t_admin_threshold || $c_enabled === false ) {
-		trigger_error( ERROR_USER_CHANGE_LAST_ADMIN, ERROR );
-	}
-}
-
-# Project specific access rights override global levels, hence, for users who are changed
-# to be administrators, we have to remove project specific rights.
-if( ( $f_access_level != $t_old_access_level ) && ( $f_access_level >= $t_admin_threshold ) &&
-    ( !user_is_administrator( $f_user_id ) ) ) {
-    user_delete_project_specific_access_levels( $f_user_id );
-}
-
-# if the user is already protected and the admin is not removing the
-#  protected flag then don't update the access level and enabled flag.
-#  If the user was unprotected or the protected flag is being turned off
-#  then proceed with a full update.
-$t_query_params = array();
-if( $f_protected && $t_old_protected ) {
-	$t_query = 'UPDATE {user}
-			SET username=' . db_param() . ', email=' . db_param() . ',
-				protected=' . db_param() . ', realname=' . db_param() . '
-			WHERE id=' . db_param();
-	$t_query_params = array( $c_username, $c_email, $c_protected, $c_realname, $c_user_id );
-	# Prevent e-mail notification for a change that did not happen
-	$f_access_level = $t_old_access_level;
-} else {
-	$t_query = 'UPDATE {user}
-			SET username=' . db_param() . ', email=' . db_param() . ',
-				access_level=' . db_param() . ', enabled=' . db_param() . ',
-				protected=' . db_param() . ', realname=' . db_param() . '
-			WHERE id=' . db_param();
-	$t_query_params = array( $c_username, $c_email, $c_access_level, $c_enabled, $c_protected, $c_realname, $c_user_id );
-}
-
-$t_result = db_query( $t_query, $t_query_params );
-
-event_signal( 'EVENT_MANAGE_USER_UPDATE', array( $c_user_id ) );
-
-if( $f_send_email_notification ) {
-	lang_push( user_pref_get_language( $f_user_id ) );
-	$t_changes = '';
-
-	if( strcmp( $f_username, $t_old_username ) ) {
-		$t_changes .= lang_get( 'username_label' ) . ' ' . $t_old_username . ' => ' . $f_username . "\n";
-	}
-
-	if( strcmp( $t_realname, $t_old_realname ) ) {
-		$t_changes .= lang_get( 'realname_label' ) . ' ' . $t_old_realname . ' => ' . $t_realname . "\n";
-	}
-
-	if( strcmp( $t_email, $t_old_email ) ) {
-		$t_changes .= lang_get( 'email_label' ) . ' ' . $t_old_email . ' => ' . $t_email . "\n";
-	}
-
-	if( strcmp( $f_access_level, $t_old_access_level ) ) {
-		$t_old_access_string = get_enum_element( 'access_levels', $t_old_access_level );
-		$t_new_access_string = get_enum_element( 'access_levels', $f_access_level );
-		$t_changes .= lang_get( 'access_level_label' ) . ' ' . $t_old_access_string . ' => ' . $t_new_access_string . "\n\n";
-	}
-
-	if( !empty( $t_changes ) ) {
-		$t_subject = '[' . config_get( 'window_title' ) . '] ' . lang_get( 'email_user_updated_subject' );
-		$t_updated_msg = lang_get( 'email_user_updated_msg' );
-		$t_message = $t_updated_msg . "\n\n" . config_get_global( 'path' ) . 'account_page.php' . "\n\n" . $t_changes;
-
-		if( null === email_store( $t_email, $t_subject, $t_message ) ) {
-			log_event( LOG_EMAIL, 'Notification was NOT sent to ' . $f_username );
-		} else {
-			log_event( LOG_EMAIL, 'Account update notification sent to ' . $f_username . ' (' . $t_email . ')' );
-			if( config_get( 'email_send_using_cronjob' ) == OFF ) {
-				email_send_all();
-			}
-		}
-	}
-
-	lang_pop();
-}
-
-$t_redirect_url = 'manage_user_edit_page.php?user_id=' . $c_user_id;
+$t_data = array(
+	'query' => array(
+		'user_id' => $f_user_id
+	),
+	'payload' => array(
+		'user' => array(
+			'username' => $f_username,
+			'real_name' => $f_realname,
+			'email' => $f_email,
+			'access_level' => array( 'id' => $f_access_level ),
+			'enabled' => $f_enabled,
+			'protected' => $f_protected
+		)
+	)
+);
+
+$t_command = new UserUpdateCommand( $t_data );
+$t_command->execute();
+
+$t_redirect_url = 'manage_user_edit_page.php?user_id=' . (int)$f_user_id;
 
 form_security_purge( 'manage_user_update' );
-
-layout_page_header( null, $t_result ? $t_redirect_url : null );
-
+layout_page_header( null, $t_redirect_url );
 layout_page_begin( 'manage_overview_page.php' );
-
-if( $f_protected && $t_old_protected ) {
-	# PROTECTED
-	html_operation_warning( $t_redirect_url, lang_get( 'manage_user_protected_msg' ) );
-} else if( $t_result ) {
-	# SUCCESS
-	html_operation_successful( $t_redirect_url );
-}
-
+html_operation_successful( $t_redirect_url );
 layout_page_end();