Untitled

<?php
/*****************************************************************************\
*                                                                            *
*   File name     edit_users.php                                             *
*                                                                            *
*   Description   Edit the user database                                     *
*                                                                            *
*   Notes         Automatically creates the database if it's not present.    *
*                                                                            *
*                 Designed to be easily extensible:                          *
*                 Adding more fields for each user does not require          *
*                 modifying the editor code. Only to add the fields in       *
*                 the database creation code.                                *
*                                                                            *
*                 An admin rights model is used where the level (an          *
*                 integer between 0 and $max_level) denotes rights:          *
*                      0:  no rights                                         *
*                      1:  an ordinary user                                  *
*                      2+: admins, with increasing rights.   Designed to     *
*                          allow more granularity of admin rights, for       *
*                          example by having booking admins, user admins     *
*                          snd system admins.  (System admins might be       *
*                          necessary in the future if, for example, some     *
*                          parameters curreently in the config file are      *
*                          made editable from MRBS)                          *
*                                                                            *
*                 Only admins with at least user editing rights (level >=    *
*                 $min_user_editing_level) can edit other users, and they    *
*                 cannot edit users with a higher level than themselves      *
*                                                                            *
*                 To do:                                                     *
*                     - Localisability                                       *
*                                                                            *
*   History                                                                  *
*                 2003/12/29 JFL Created this file                           *
*                                                                            *
\*****************************************************************************/

// $Id: edit_users.php 1779 2011-01-30 10:06:06Z cimorrison $

require_once "defaultincludes.inc";

// Get non-standard form variables
$Action = get_form_var('Action', 'string');
$Id = get_form_var('Id', 'int');
$password0 = get_form_var('password0', 'string');
$password1 = get_form_var('password1', 'string');
$invalid_email = get_form_var('invalid_email', 'int');
$name_empty = get_form_var('name_empty', 'int');
$name_not_unique = get_form_var('name_not_unique', 'int');
$taken_name = get_form_var('taken_name', 'string');
$pwd_not_match = get_form_var('pwd_not_match', 'string');
$pwd_invalid = get_form_var('pwd_invalid', 'string');

// Validates that the password conforms to the password policy
// (Ideally this function should also be matched by client-side
// validation, but unfortunately JavaScript's native support for Unicode
// pattern matching is very limited.   Would need to be implemented using
// an add-in library).
function validate_password($password)
{
  global $pwd_policy;

  if (isset($pwd_policy))
  {
    // Set up regular expressions.  Use p{Ll} instead of [a-z] etc.
    // to make sure accented characters are included
    $pattern = array('alpha'   => '/\p{L}/',
                     'lower'   => '/\p{Ll}/',
                     'upper'   => '/\p{Lu}/',
                     'numeric' => '/\p{N}/',
                     'special' => '/[^\p{L}|\p{N}]/');
    // Check for conformance to each rule
    foreach($pwd_policy as $rule => $value)
    {
      switch($rule)
      {
        case 'length':
          // assumes that the site has enabled multi-byte string function
          // overloading if necessary in php.ini
          if (strlen($password) < $pwd_policy[$rule])
          {
            return FALSE;
          }
          break;
        default:
          // turn on Unicode matching
          $pattern[$rule] .= 'u';

          $n = preg_match_all($pattern[$rule], $password, $matches);
          if (($n === FALSE) || ($n < $pwd_policy[$rule]))
          {
            return FALSE;
          }
          break;
      }
    }
  }

  // Everything is OK
  return TRUE;
}


// Get the type that should be used with get_form_var() for
// a field which is a member of the array returned by get_field_info()
function get_form_var_type($field)
{
  switch($field['nature'])
  {
    case 'character':
      $type = 'string';
      break;
    case 'integer':
      $type = 'int';
      break;
    // We can only really deal with the types above at the moment
    default:
      $type = 'string';
      break;
  }
  return $type;
}


// Produce the HTML for a freeze_panes sub-table
//
//   $info       an array containing the data
//   $columns    the columns in that data to display
//   $class      the class name tio assign to the table
//   $action     whether an action button is required
function freeze_panes_table_html($info, $columns, $class, $action=FALSE)
{
  global $tbl_users, $PHP_SELF;
  global $user, $level, $min_user_editing_level, $max_content_length;
  global $fields, $auth;

  $html = '';
  $html .= "<div class=\"$class\">\n";
  $html .= "<table class=\"admin_table\">\n";
  $html .= "<thead>\n";
  $html .= "<tr>";
  if ($action)
  {
    // First column which is an action button
    $html .= "<th><div>" . get_vocab("action") . "</div></th>";
  }

  // Column headers
  foreach ($fields as $field)
  {
    $fieldname = $field['name'];
    if (in_array($fieldname, $columns))
    {
      $html .= "<th><div>" . get_loc_field_name($tbl_users, $fieldname) . "</div></th>";
    }
  }

  $html .= "</tr>\n";
  $html .= "</thead>\n";

  $html .= "<tbody>\n";
  $row_class = "odd_row";
  foreach ($info as $line)
  {
    // Check whether ordinary users are allowed to see other users' details.  If not,
    // then skip past this row if it's not the current user or the user is not an admin
    if ($auth['only_admin_can_see_other_users'] &&
        ($level < $min_user_editing_level) &&
        (strcasecmp($line['name'], $user) != 0))
    {
      continue;
    }

    $row_class = ($row_class == "even_row") ? "odd_row" : "even_row";
    $html .= "<tr class=\"$row_class\">\n";
    if ($action)
    {
      // First column (the action button)
      $html .= "<td class=\"action\"><div>\n";
      // You can only edit a user if you have sufficient admin rights, or else if that user is yourself
      if (($level >= $min_user_editing_level) || (strcasecmp($line['name'], $user) == 0))
      {
        $html .= "<form method=\"post\" action=\"" . htmlspecialchars(basename($PHP_SELF)) . "\">\n";
        $html .= "<div>\n";
        $html .= "<input type=\"hidden\" name=\"Action\" value=\"Edit\">\n";
        $html .= "<input type=\"hidden\" name=\"Id\" value=\"" . $line['id'] . "\">\n";
        $html .= "<input type=\"image\" class=\"button\" src=\"images/edit.png\"
                   title=\"" . get_vocab("edit") . "\" alt=\"" . get_vocab("edit") . "\">\n";
        $html .= "</div>\n";
        $html .= "</form>\n";
      }
      else
      {
        $html .= "&nbsp;\n";
      }
      $html .= "</div></td>\n";
    }

    // Column contents
    foreach ($fields as $field)
    {
      $key = $field['name'];
      if (in_array($key, $columns))
      {
        $col_value = $line[$key];
        switch($key)
        {
          // special treatment for some fields
          case 'level':
            // the level field contains a code and we want to display a string
            $html .= "<td><div>" . get_vocab("level_$col_value") . "</div></td>\n";
            break;
          case 'email':
            // we don't want to truncate the email address
            $html .= "<td><div>" . htmlspecialchars($col_value) . "</div></td>\n";
            break;
          default:
            if (($field['nature'] == 'boolean') ||
                (($field['nature'] == 'integer') && isset($field['length']) && ($field['length'] <= 2)) )
            {
              // booleans: represent by a checkmark
              $html .= "<td class=\"int\"><div>";
              $html .= (!empty($col_value)) ? "<img src=\"images/check.png\" alt=\"check mark\" width=\"16\" height=\"16\">" : "&nbsp;";
              $html .= "</div></td>\n";
            }
            elseif (($field['nature'] == 'integer') && isset($field['length']) && ($field['length'] > 2))
            {
              // integer values
              $html .= "<td class=\"int\"><div>" . $col_value . "</div></td>\n";
            }
            else
            {
               // strings
              $html .= "<td title=\"" . htmlspecialchars($col_value) . "\"><div>";
              // Truncate before conversion, otherwise you could chop off in the middle of an entity
              $html .= htmlspecialchars(substr($col_value, 0, $max_content_length));
              $html .= (strlen($col_value) > $max_content_length) ? " ..." : "";
              $html .= "</div></td>\n";
            }
            break;
        }  // end switch
      }
    }  // end foreach

    $html .= "</tr>\n";

  }  // end while

  $html .= "</tbody>\n";
  $html .= "</table>\n";
  $html .= "</div>\n";

  return $html;
}


// Get the information about the fields in the users table
$fields = sql_field_info($tbl_users);

$nusers = sql_query1("SELECT COUNT(*) FROM $tbl_users");

/*---------------------------------------------------------------------------*\
|                         Authenticate the current user                         |
\*---------------------------------------------------------------------------*/

$initial_user_creation = 0;

if ($nusers > 0)
{
  $user = getUserName();
  $level = authGetUserLevel($user);
  // Check the user is authorised for this page
  checkAuthorised();
}
else
// We've just created the table.   Assume the person doing this IS an administrator
// and then send them through to the screen to add the first user (which we'll force
// to be an admin)
{
  $initial_user_creation = 1;
  if (!isset($Action))   // second time through it will be set to "Update"
  {
    $Action = "Add";
    $Id = -1;
  }
  $level = $max_level;
  $user = "";           // to avoid an undefined variable notice
}

/*---------------------------------------------------------------------------*\
|             Edit a given entry - 1st phase: Get the user input.             |
\*---------------------------------------------------------------------------*/

if (isset($Action) && ( ($Action == "Edit") or ($Action == "Add") ))
{

  if ($Id >= 0) /* -1 for new users, or >=0 for existing ones */
  {
    // If it's an existing user then get the data from the database
    $result = sql_query("select * from $tbl_users where id=$Id");
    $data = sql_row_keyed($result, 0);
    sql_free($result);
  }
  if (($Id == -1) || (!$data))
  {
    // Otherwise try and get the data from the query string, and if it's
    // not there set the default to be blank.  (The data will be in the
    // query string if there was an error on validating the data after it
    // had been submitted.   We want to preserve the user's original values
    // so that they don't have to re-type them).
    foreach ($fields as $field)
    {
      $type = get_form_var_type($field);
      $value = get_form_var($field['name'], $type);
      $data[$field['name']] = (isset($value)) ? $value : "";
    }
  }

  /* First make sure the user is authorized */
  if (!$initial_user_creation && !auth_can_edit_user($user, $data['name']))
  {
    showAccessDenied(0, 0, 0, "", "");
    exit();
  }

  print_header(0, 0, 0, 0, "");

  if ($initial_user_creation == 1)
  {
    print "<h3>" . get_vocab("no_users_initial") . "</h3>\n";
    print "<p>" . get_vocab("no_users_create_first_admin") . "</p>\n";
  }

  print "<div id=\"form_container\">";
  print "<form id=\"form_edit_users\" method=\"post\" action=\"" . htmlspecialchars(basename($PHP_SELF)). "\">\n";
    ?>
        <fieldset class="admin">
        <legend><?php echo (($Action == "Edit") ? get_vocab("edit_user") : get_vocab("add_new_user"));?></legend>
        <div id="edit_users_input_container">
          <?php
          // Find out how many admins are left in the table - it's disastrous if the last one is deleted,
          // or admin rights are removed!
          if ($Action == "Edit")
          {
            $n_admins = sql_query1("select count(*) from $tbl_users where level=$max_level");
            $editing_last_admin = ($n_admins <= 1) && ($data['level'] == $max_level);
          }
          else
          {
            $editing_last_admin = FALSE;
          }

          // Work out whether the level select input should be disabled (NB you can't make a <select> readonly)
          // We don't want the user to be able to change the level if (a) it's the first user being created or
          // (b) it's the last admin left or (c) they don't have admin rights
          $disable_select = ($initial_user_creation || $editing_last_admin || ($level < $min_user_editing_level));

          foreach ($fields as $field)
          {
            $key = $field['name'];
            $var_name = VAR_PREFIX . $key;
            // First of all output the input for the field
            // The ID field cannot change; The password field must not be shown.
            switch($key)
            {
              case 'id':
                echo "<input type=\"hidden\" name=\"Id\" value=\"$Id\">\n";
                break;
              case 'password':
                echo "<input type=\"hidden\" name=\"$var_name\" value=\"". htmlspecialchars($data[$key]) . "\">\n";
                break;
              default:
                echo "<div>\n";
                $label_text = get_loc_field_name($tbl_users, $key);
                switch($key)
                {
                  case 'level':
                    echo "<label for=\"$var_name\">$label_text:</label>\n";
                    echo "<select id=\"$var_name\" name=\"$var_name\"" . ($disable_select ? " disabled=\"disabled\"" : "") . ">\n";
                    // Only display options up to and including one's own level (you can't upgrade yourself).
                    // If you're not some kind of admin then the select will also be disabled.
                    // (Note - disabling individual options doesn't work in older browsers, eg IE6)
                    for ($i=0; $i<=$level; $i++)
                    {
                      echo "<option value=\"$i\"";
                      // Work out which option should be selected by default:
                      //   if we're editing an existing entry, then it should be the current value;
                      //   if we're adding the very first entry, then it should be an admin;
                      //   if we're adding a subsequent entry, then it should be an ordinary user;
                      if ( (($Action == "Edit")  && ($i == $data[$key])) ||
                           (($Action == "Add") && $initial_user_creation && ($i == $max_level)) ||
                           (($Action == "Add") && !$initial_user_creation && ($i == 1)) )
                      {
                        echo " selected=\"selected\"";
                      }
                      echo ">" . get_vocab("level_$i") . "</option>\n";
                    }
                    echo "</select>\n";
                    // If the level select input was disabled, we still need to submit a value with
                    // the form.   <select> can't be set to 'readonly' so instead we'll use a hidden input
                    if ($disable_select)
                    {
                      if ($initial_user_creation)
                      {
                        $v = $max_level;
                      }
                      else
                      {
                        $v = $data[$key];
                      }
                      echo "<input type=\"hidden\" name=\"$var_name\" value=\"$v\">\n";
                    }
                    break;
                  case 'name':
                    // you cannot change a username (even your own) unless you have user editing rights
                    echo "<label for=\"$var_name\">$label_text:</label>\n";
                    echo "<input id=\"$var_name\" name=\"$var_name\" type=\"text\" " .
                         ((isset($maxlength["users.$key"])) ? "maxlength=\"" . $maxlength["users.$key"] . "\" " : '') .
                         (($level < $min_user_editing_level) ? "disabled=\"disabled\" " : "") .
                          "value=\"" . htmlspecialchars($data[$key]) . "\">\n";
                    // if the field was disabled then we still need to pass through the value as a hidden input
                    if ($level < $min_user_editing_level)
                    {
                      echo "<input type=\"hidden\" name=\"$var_name\" value=\"" . $data[$key] . "\">\n";
                    }
                    break;
                  case 'email':
                    generate_input($label_text, $var_name, $data[$key], FALSE, isset($maxlength["users.$key"]) ? $maxlength["users.$key"] : NULL);
                    break;
                  default:
                    // Output a checkbox if it's a boolean or integer <= 2 bytes (which we will
                    // assume are intended to be booleans)
                    if (($field['nature'] == 'boolean') ||
                        (($field['nature'] == 'integer') && isset($field['length']) && ($field['length'] <= 2)) )
                    {
                      echo "<label for=\"$var_name\">$label_text:</label>\n";
                      echo "<input type=\"checkbox\" class=\"checkbox\" " .
                            "id=\"$var_name\" name=\"$var_name\" value=\"1\"" .
                            ((!empty($data[$key])) ? " checked=\"checked\"" : "") .
                            ">\n";
                    }
                    // Output a select box if they want one
                    elseif (count($select_options["users.$key"]) > 0)
                    {
                      generate_select($label_text, $var_name, $data[$key], $select_options["users.$key"]);
                    }
                    // Output a textarea if it's a character string longer than the limit for a
                    // text input
                    elseif (($field['nature'] == 'character') && isset($field['length']) && ($field['length'] > $text_input_max))
                    {
                      generate_textarea($label_text, $var_name, $data[$key]);
                    }
                    // Otherwise output a text input
                    else
                    {
                      generate_input($label_text, $var_name, $data[$key], FALSE, isset($maxlength["users.$key"]) ? $maxlength["users.$key"] : NULL);
                    }
                    break;
                } // end switch
                echo "</div>\n";
            } // end switch


            // Then output any error messages associated with the field
            // except for the password field which is a special case
            switch($key)
            {
              case 'email':
                if (!empty($invalid_email))
                {
                  echo "<p class=\"error\">" . get_vocab('invalid_email') . "</p>\n";
                }
                break;
              case 'name':
                if (!empty($name_not_unique))
                {
                  echo "<p class=\"error\">'" . htmlspecialchars($taken_name) . "' " . get_vocab('name_not_unique') . "<p>\n";
                }
                if (!empty($name_empty))
                {
                  echo "<p class=\"error\">" . get_vocab('name_empty') . "<p>\n";
                }
                break;
            }

          } // end foreach

          print "<div><p>" . get_vocab("password_twice") . "...</p></div>\n";

          for ($i=0; $i<2; $i++)
          {
            print "<div>\n";
            print "<label for=\"password$i\">" . get_vocab("users.password") . ":</label>\n";
            print "<input type=\"password\" id=\"password$i\" name=\"password$i\" value=\"\">\n";
            print "</div>\n";
          }

          // Now do any password error messages
          if (!empty($pwd_not_match))
          {
            echo "<p class=\"error\">" . get_vocab("passwords_not_eq") . "</p>\n";
          }
          if (!empty($pwd_invalid))
          {
            echo "<p class=\"error\">" . get_vocab("password_invalid") . "</p>\n";
            if (isset($pwd_policy))
            {
              echo "<ul class=\"error\">\n";
              foreach ($pwd_policy as $rule => $value)
              {
                echo "<li>$value " . get_vocab("policy_" . $rule) . "</li>\n";
              }
              echo "</ul>\n";
            }
          }

          if ($editing_last_admin)
          {
            echo "<p><em>(" . get_vocab("warning_last_admin") . ")</em></p>\n";
          }
          ?>
          <input type="hidden" name="Action" value="Update">
          <input class="submit" type="submit" value="<?php echo(get_vocab("save")); ?>">

        </div>
        </fieldset>
      </form>
      <?php
      /* Administrators get the right to delete users, but only those at the same level as them or lower */
      if (($Id >= 0) && ($level >= $min_user_editing_level) && ($level >= $data['level']))
      {
        echo "<form id=\"form_delete_users\" method=\"post\" action=\"" . htmlspecialchars(basename($PHP_SELF)) . "\">\n";
        echo "<div>\n";
        echo "<input type=\"hidden\" name=\"Action\" value=\"Delete\">\n";
        echo "<input type=\"hidden\" name=\"Id\" value=\"$Id\">\n";
        echo "<input class=\"submit\" type=\"submit\" " .
              (($editing_last_admin) ? "disabled=\"disabled\"" : "") .
              "value=\"" . get_vocab("delete_user") . "\">\n";
        echo "</div>\n";
        echo "</form>\n";
      }
?>
      </div>
<?php

  // Print footer and exit
  print_footer(TRUE);
}

/*---------------------------------------------------------------------------*\
|             Edit a given entry - 2nd phase: Update the database.            |
\*---------------------------------------------------------------------------*/

if (isset($Action) && ($Action == "Update"))
{
  // If you haven't got the rights to do this, then exit
  $my_id = sql_query1("SELECT id FROM $tbl_users WHERE name='".addslashes($user)."' LIMIT 1");
  if (($level < $min_user_editing_level) && ($Id != $my_id ))
  {
    Header("Location: edit_users.php");
    exit;
  }

  // otherwise go ahead and update the database
  else
  {
    $values = array();
    $q_string = ($Id >= 0) ? "Action=Edit" : "Action=Add";
    foreach ($fields as $field)
    {
      $fieldname = $field['name'];
      $type = get_form_var_type($field);
      if ($fieldname == 'id')
      {
        // id: don't need to do anything except add the id to the query string;
        // the field itself is auto-incremented
        $q_string .= "&Id=$Id";
        continue;
      }
      // first, get all the other form variables and put them into an array, $values, which
      // we will use for entering into the database assuming we pass validation
      $values[$fieldname] = get_form_var(VAR_PREFIX. $fieldname, $type);
      // Truncate the field to the maximum length as a precaution.
      if (isset($maxlength["users.$fieldname"]))
      {
        $values[$fieldname] = substr($values[$fieldname], 0, $maxlength["users.$fieldname"]);
      }
      // we will also put the data into a query string which we will use for passing
      // back to this page if we fail validation.   This will enable us to reload the
      // form with the original data so that the user doesn't have to
      // re-enter it.  (Instead of passing the data in a query string we
      // could pass them as session variables, but at the moment MRBS does
      // not rely on PHP sessions).
      switch ($fieldname)
      {
        // some of the fields get special treatment
        case 'name':
          // name: convert it to lower case
          $q_string .= "&$fieldname=" . urlencode($values[$fieldname]);
          $values[$fieldname] = strtolower($values[$fieldname]);
          break;
        case 'password':
          // password: if the password field is blank it means
          // that the user doesn't want to change the password
          // so don't do anything; otherwise get the MD5 hash.
          // Note: we don't put the password in the query string
          // for security reasons.
          if (!empty($password0))
          {
            $values[$fieldname]=md5($password0);
          }
          break;
        case 'level':
          // level:  set a safe default (lowest level of access)
          // if there is no value set
          $q_string .= "&$fieldname=" . $values[$fieldname];
          if (!isset($values[$fieldname]))
          {
            $values[$fieldname] = 0;
          }
          // Check that we are not trying to upgrade our level.    This shouldn't be possible
          // but someone might have spoofed the input in the edit form
          if ($values[$fieldname] > $level)
          {
            Header("Location: edit_users.php");
            exit;
          }
          break;
        default:
          $q_string .= "&$fieldname=" . urlencode($values[$fieldname]);
          break;
      }
    }

    // Now do some form validation
    $valid_data = TRUE;
    foreach ($values as $fieldname => $value)
    {
      switch ($fieldname)
      {
        case 'name':
          // check that the name is not empty
          if (empty($value))
          {
            $valid_data = FALSE;
            $q_string .= "&name_empty=1";
          }
          // Check that the name is unique.
          // If it's a new user, then to check to see if there are any rows with that name.
          // If it's an update, then check to see if there are any rows with that name, except
          // for that user.
          $query = "SELECT id FROM $tbl_users WHERE name='" . addslashes($value) . "'";
          if ($Id >= 0)
          {
            $query .= " AND id!='$Id'";
          }
          $query .= " LIMIT 1";  // we only want to know if there is at least one instance of the name
          $result = sql_query($query);
          if (sql_count($result) > 0)
          {
            $valid_data = FALSE;
            $q_string .= "&name_not_unique=1";
            $q_string .= "&taken_name=$value";
          }
          break;
        case 'password':
          // check that the two passwords match
          if ($password0 != $password1)
          {
            $valid_data = FALSE;
            $q_string .= "&pwd_not_match=1";
          }
          // check that the password conforms to the password policy
          // if it's a new user (Id < 0), or else it's an existing user
          // trying to change their password
          if (($Id <0) || !empty($password0))
          {
            if (!validate_password($password0))
            {
              $valid_data = FALSE;
              $q_string .= "&pwd_invalid=1";
            }
          }
          break;
        case 'email':
          // check that the email address is valid
          if (!empty($value) && !validate_email_list($value))
          {
            $valid_data = FALSE;
            $q_string .= "&invalid_email=1";
          }
          break;
      }
    }

    // if validation failed, go back to this page with the query
    // string, which by now has both the error codes and the original
    // form values
    if (!$valid_data)
    {
      Header("Location: edit_users.php?$q_string");
      exit;
    }


    // If we got here, then we've passed validation and we need to
    // enter the data into the database

    $sql_fields = array();

    // For each db column get the value ready for the database
    foreach ($fields as $field)
    {
      $fieldname = $field['name'];
      if ($fieldname != 'id')
      {
        // pre-process the field value for SQL
        $value = $values[$fieldname];
        switch ($field['nature'])
        {
          case 'integer':
            if (!isset($value) || ($value === ''))
            {
              // Try and set it to NULL when we can because there will be cases when we
              // want to distinguish between NULL and 0 - especially when the field
              // is a genuine integer.
              $value = ($field['is_nullable']) ? 'NULL' : 0;
            }
            break;
          default:
            $value = "'" . addslashes($value) . "'";
            break;
        }

        /* If we got here, we have a valid, sql-ified value for this field,
         * so save it for later */
        $sql_fields[$fieldname] = $value;
      }
    } /* end for each column of user database */

    /* Now generate the SQL operation based on the given array of fields */
    if ($Id >= 0)
    {
      /* if the Id exists - then we are editing an existing user, rather th
       * creating a new one */

      $assign_array = array();
      $operation = "UPDATE $tbl_users SET ";

      foreach ($sql_fields as $fieldname => $value)
      {
        // Note that we don't have to escape or quote the fieldname
        // thanks to the restriction on custom field names
        array_push($assign_array,"$fieldname=$value");
      }
      $operation .= implode(",", $assign_array) . " WHERE id=$Id;";
    }
    else
    {
      /* The id field doesn't exist, so we're adding a new user */

      $fields_list = array();
      $values_list = array();

      foreach ($sql_fields as $fieldname => $value)
      {
        array_push($fields_list,$fieldname);
        array_push($values_list,$value);
      }
      // Note that we don't have to escape or quote the fieldname
      // thanks to the restriction on custom field names
      $operation = "INSERT INTO $tbl_users " .
        "(". implode(",",$fields_list) . ")" .
        " VALUES " . "(" . implode(",",$values_list) . ");";
    }

    /* DEBUG lines - check the actual sql statement going into the db */
    //echo "Final SQL string: <code>" . htmlspecialchars($operation) . "</code>";
    //exit;
    $r = sql_command($operation);
    if ($r == -1)
    {
      // Get the error message before the print_header() call because the print_header()
      // function can contain SQL queries and so reset the error message.
      trigger_error(sql_error(), E_USER_WARNING);
      print_header(0, 0, 0, "", "");

      // This is unlikely to happen in normal operation. Do not translate.

      print "<form class=\"edit_users_error\" method=\"post\" action=\"" . htmlspecialchars(basename($PHP_SELF)) . "\">\n";
      print "  <fieldset>\n";
      print "  <legend></legend>\n";
      print "    <p class=\"error\">Error updating the $tbl_users table.</p>\n";
      print "    <input type=\"submit\" value=\" " . get_vocab("ok") . " \">\n";
      print "  </fieldset>\n";
      print "</form>\n";

      // Print footer and exit
      print_footer(TRUE);
    }

    /* Success. Redirect to the user list, to remove the form args */
    Header("Location: edit_users.php");
  }
}

/*---------------------------------------------------------------------------*\
|                                Delete a user                                |
\*---------------------------------------------------------------------------*/

if (isset($Action) && ($Action == "Delete"))
{
  $target_level = sql_query1("SELECT level FROM $tbl_users WHERE id=$Id LIMIT 1");
  if ($target_level < 0)
  {
    fatal_error(TRUE, "Fatal error while deleting a user");
  }
  // you can't delete a user if you're not some kind of admin, and then you can't
  // delete someone higher than you
  if (($level < $min_user_editing_level) || ($level < $target_level))
  {
    showAccessDenied(0, 0, 0, "", "");
    exit();
  }

  $r = sql_command("delete from $tbl_users where id=$Id;");
  if ($r == -1)
  {
    print_header(0, 0, 0, "", "");

    // This is unlikely to happen in normal  operation. Do not translate.

    print "<form class=\"edit_users_error\" method=\"post\" action=\"" . htmlspecialchars(basename($PHP_SELF)) . "\">\n";
    print "  <fieldset>\n";
    print "  <legend></legend>\n";
    print "    <p class=\"error\">Error deleting entry $Id from the $tbl_users table.</p>\n";
    print "    <p class=\"error\">" . sql_error() . "</p>\n";
    print "    <input type=\"submit\" value=\" " . get_vocab("ok") . " \">\n";
    print "  </fieldset>\n";
    print "</form>\n";

    // Print footer and exit
    print_footer(TRUE);
  }

  /* Success. Do not display a message. Simply fall through into the list display. */
}

/*---------------------------------------------------------------------------*\
|                          Display the list of users                          |
\*---------------------------------------------------------------------------*/

/* Print the standard MRBS header */

print_header(0, 0, 0, "", "");

print "<h2>" . get_vocab("user_list") . "</h2>\n";

print "<h3> <a href='edit_organisations.php'>" . get_vocab("add_type_organisation") . " - ". get_vocab("add_organisation")."</a></h3>\n";

if ($level >= $min_user_editing_level) /* Administrators get the right to add new users */
{
  print "<form id=\"add_new_user\" method=\"post\" action=\"" . htmlspecialchars(basename($PHP_SELF)) . "\">\n";
  print "  <div>\n";
  print "    <input type=\"hidden\" name=\"Action\" value=\"Add\">\n";
  print "    <input type=\"hidden\" name=\"Id\" value=\"-1\">\n";
  print "    <input type=\"submit\" value=\"" . get_vocab("add_new_user") . "\">\n";
  print "  </div>\n";
  print "</form>\n";
}

if ($initial_user_creation != 1)   // don't print the user table if there are no users
{
  // Get the user information
  $res = sql_query("SELECT * FROM $tbl_users ORDER BY level DESC, name");
  // Build an array with the user info
  $info = array();
  for ($i = 0; ($row = sql_row_keyed($res, $i)); $i++)
  {
    $info[] = $row;
  }
  // Display it in a table [Actually two tables side by side so that we can
  // achieve a "Freeze Panes" effect: there doesn't seem to be a good way of
  // getting a colgroup to scroll, so we have to distort the mark-up a little]
  echo "<div id=\"user_list\">\n";
  echo "<div class=\"freeze_panes\">\n";
  // (a) the "header" columns containing the user names
  // For the header column we just want to use the level and name fields
  $columns = array('level', 'name');
  echo freeze_panes_table_html($info, $columns, 'header_columns', TRUE);

  // (b) the "body" columns containing the user info
  // For the body column we want all the other columns, except the id and password
  $columns[] = 'id';
  $columns[] = 'password';
  $all_columns = array();
  foreach ($fields as $field)
  {
    $all_columns[] = $field['name'];
  }
  $columns = array_diff($all_columns, $columns);
  echo freeze_panes_table_html($info, $columns, 'body_columns', FALSE);
  echo "</div>\n";   // freeze_panes
  echo "</div>\n";
}   // ($initial_user_creation != 1)

require_once "trailer.inc";

?>