Merge with git+ssh://git.catalyst.net.nz/var/git/mahara.git

htdocs/admin/usermanagement/adminusers.php

@@ -24,13 +24,54 @@
  *
  */
 
+// NOTE: This script is VERY SIMILAR to the staffusers.php script, a bug fixed
+// here might need to be fixed there too.
 define('INTERNAL', 1);
 define('ADMIN', 1);
 define('MENUITEM', 'usermanagement');
 define('SUBMENUITEM', 'adminusers');
 require(dirname(dirname(dirname(__FILE__))) . '/init.php');
-
+require_once('form.php');
 $smarty = smarty();
+
+// Get users who are currently administrators
+// @todo later, exclude the user with uid 1
+$adminusers = get_column('usr', 'id', 'admin', 1);
+
+$form = array(
+    'name' => 'adminusers',
+    'method' => 'post',
+    'action' => '',
+    'elements' => array(
+        'users' => array(
+            'type' => 'userlist',
+            'title' => get_string('adminusers', 'admin'),
+            'defaultvalue' => $adminusers,
+            'filter' => false
+        ),
+        'submit' => array(
+            'type' => 'submitcancel',
+            'value' => array(get_string('submit'), get_string('cancel'))
+        )
+    )
+);
+
+function adminusers_submit($values) {
+    global $SESSION;
+    
+    db_begin();
+    execute_sql('UPDATE usr
+        SET admin = 0
+        WHERE admin = 1');
+    execute_sql('UPDATE usr
+        SET admin = 1
+        WHERE id IN (' . join(',', $values['users']) . ')');
+    db_commit();
+    $SESSION->add_ok_msg(get_string('adminusersupdated', 'admin'));
+    redirect(get_config('wwwroot') . 'admin/usermanagement/adminusers.php');
+}
+
+$smarty->assign('adminusersform', form($form));
 $smarty->display('admin/usermanagement/adminusers.tpl');
 
 ?>

htdocs/admin/usermanagement/staffusers.php

@@ -24,13 +24,53 @@
  *
  */
 
+// NOTE: This script is VERY SIMILAR to the adminusers.php script, a bug fixed
+// here might need to be fixed there too.
 define('INTERNAL', 1);
 define('ADMIN', 1);
 define('MENUITEM', 'usermanagement');
 define('SUBMENUITEM', 'staffusers');
 require(dirname(dirname(dirname(__FILE__))) . '/init.php');
-
+require_once('form.php');
 $smarty = smarty();
+
+// Get users who are currently staff
+$staffusers = get_column('usr', 'id', 'staff', 1);
+
+$form = array(
+    'name' => 'staffusers',
+    'method' => 'post',
+    'action' => '',
+    'elements' => array(
+        'users' => array(
+            'type' => 'userlist',
+            'title' => get_string('staffusers', 'admin'),
+            'defaultvalue' => $staffusers,
+            'filter' => false
+        ),
+        'submit' => array(
+            'type' => 'submitcancel',
+            'value' => array(get_string('submit'), get_string('cancel'))
+        )
+    )
+);
+
+function staffusers_submit($values) {
+    global $SESSION;
+    
+    db_begin();
+    execute_sql('UPDATE usr
+        SET staff = 0
+        WHERE staff = 1');
+    execute_sql('UPDATE usr
+        SET staff = 1
+        WHERE id IN (' . join(',', $values['users']) . ')');
+    db_commit();
+    $SESSION->add_ok_msg(get_string('staffusersupdated', 'admin'));
+    redirect(get_config('wwwroot') . 'admin/usermanagement/staffusers.php');
+}
+
+$smarty->assign('staffusersform', form($form));
 $smarty->display('admin/usermanagement/staffusers.tpl');
 
 ?>

htdocs/auth/lib.php

@@ -202,6 +202,22 @@ function auth_setup () {
     if ($sessionlogouttime > time()) {
         // The session is still active, so continue it.
         log_debug('session still active from previous time');
+
+        // Make sure that if a user's admin status has changed, they're kicked
+        // out of the admin section
+        if (defined('ADMIN')) {
+            $userreallyadmin = get_field('usr', 'admin', 'id', $SESSION->get('id'));
+            if (!$SESSION->get('admin') && $userreallyadmin) {
+                // The user has been made into an admin
+                $SESSION->set('admin', 1);
+            }
+            else if ($SESSION->get('admin') && !$userreallyadmin) {
+                // The user's admin rights have been taken away
+                $SESSION->set('admin', 0);
+                $SESSION->add_err_msg(get_string('accessforbiddentoadminsection'));
+                redirect(get_config('wwwroot'));
+            }
+        }
         $USER = $SESSION->renew();
         auth_check_password_change();
         return $USER;
@@ -610,6 +626,12 @@ function login_submit($values) {
                 $USER = get_record('usr', 'username', $username, null, null, null, null, '*, ' . db_format_tsfield('expiry'));
             }
 
+            // Only admins in the admin section!
+            if (defined('ADMIN') && !$USER->admin) {
+                $SESSION->add_err_msg(get_string('accessforbiddentoadminsection'));
+                redirect(get_config('wwwroot'));
+            }
+
             // Check if the user's account has expired
             if ($USER->expiry > 0 && time() > $USER->expiry) {
                 log_debug('the user account has expired');

htdocs/lang/en.utf8/admin.php

@@ -59,4 +59,6 @@ $string['uploadcsverrorinvalidpassword'] = 'Error on line %s of your file: The p
 $string['uploadcsverrorinvalidusername'] = 'Error on line %s of your file: The username for this user is not in correct form';
 $string['uploadcsverrorincorrectfieldcount'] = 'Line %s of the file does not have the correct number of fields';
 $string['uploadcsvfile'] = 'Upload CSV File';
+$string['uploadcsvfiledescription'] = 'You may use this facility to upload new users via a <acronym title="Comma Separated Values">CSV</acronym> file. Each record in the file must have a username, e-mail address and password.';
+
 ?>

htdocs/lang/en.utf8/mahara.php

@@ -36,10 +36,13 @@ $string['prevpage'] = 'Previous page';
 // auth
 $string['accountexpired'] = 'Sorry, your account has expired';
 $string['accountsuspended'] = 'Your account has been suspeneded as of %s. The reason for your suspension is:<blockquote>%s</blockquote>';
+$string['changepassword'] = 'Change Password';
+$string['changepasswordinfo'] = 'You are required to change your password before you can proceed.';
 $string['confirmpassword'] = 'Confirm password';
 $string['loggedoutok'] = 'You have been logged out successfully';
 $string['login'] = 'Log In';
 $string['loginfailed'] = 'You have not provided the correct credentials to log in. Please check your username and password are correct.';
+$string['newpassword'] = 'New Password';
 $string['password'] = 'Password';
 $string['passworddesc'] = 'Your password';
 $string['passwordnotchanged'] = 'You did not change your password, please choose a new password';
@@ -49,6 +52,8 @@ $string['passwordtooeasy'] = 'Your password is too easy! Please choose a harder
 $string['username'] = 'Username';
 $string['usernamedesc'] = 'Your username';
 $string['usernamehelp'] = 'The username you have been given to access this system.';
+$string['yournewpassword'] = 'Your new password';
+$string['yournewpasswordagain'] = 'Your new password again';
 
 // Registration
 $string['registeredemailsubject'] = 'You have registered at Mahara';

htdocs/lib/dml.php

@@ -613,7 +613,7 @@ function get_records_sql_menu($sql,$values=null) {
  * Get a single value from a table row where all the given fields match the given values.
  *
  * @param string $table the table to query.
- * @param string $return the field to return the value of.
+ * @param string $field the field to return the value of.
  * @param string $field1 the first field to check (optional).
  * @param string $value1 the value field1 must have (requred if field1 is given, else optional).
  * @param string $field2 the second field to check (optional).
@@ -630,11 +630,27 @@ function get_field($table, $field, $field1, $value1, $field2=null, $value2=null,
     return get_field_sql('SELECT ' . $field . ' FROM ' . get_config('dbprefix') . $table . ' ' . $select, $values);
 }
 
+/**
+ * Get a single value from a table.
+ *
+ * @param string $sql an SQL statement expected to return a single value.
+ * @return mixed the specified value.
+ * @throws SQLException
+ */
+function get_field_sql($sql, $values=null) {
+    $rs = get_recordset_sql($sql, $values);
+    if ($rs && $rs->RecordCount() == 1) {
+        return reset($rs->fields);
+    } else {
+        return false;
+    }
+}
+
 /**
  * Get a single column from a table where all the given fields match the given values.
  *
  * @param string $table the table to query.
- * @param string $return the field to return the value of.
+ * @param string $field the field to return the value of.
  * @param string $field1 the first field to check (optional).
  * @param string $value1 the value field1 must have (requred if field1 is given, else optional).
  * @param string $field2 the second field to check (optional).
@@ -664,22 +680,6 @@ function get_column_sql($sql, $values=null) {
     return $db->GetCol($sql, $values);
 }
 
-/**
- * Get a single value from a table.
- *
- * @param string $sql an SQL statement expected to return a single value.
- * @return mixed the specified value.
- * @throws SQLException
- */
-function get_field_sql($sql, $values=null) {
-    $rs = get_recordset_sql($sql, $values);
-    if ($rs && $rs->RecordCount() == 1) {
-        return reset($rs->fields);
-    } else {
-        return false;
-    }
-}
-
 /**
  * Set a single field in every table row where all the given fields match the given values.
  *

htdocs/lib/form/elements/userlist.php

@@ -58,6 +58,9 @@ function form_render_userlist($element, Form $form) {
     }
 
     $smarty->assign('name', $element['name']);
+    if (!empty($element['filter'])) {
+        $smarty->assign('filter', true);
+    }
 
     return $smarty->fetch('form/userlist.tpl');
 }
@@ -92,4 +95,12 @@ function form_is_empty_userlist($value, $element) {
     return true;
 }
 
+function form_render_userlist_set_attributes($element) {
+    // By default, use the filter select box
+    if (!isset($element['filter'])) {
+        $element['filter'] = true;
+    }
+    return $element;
+}
+
 ?>

htdocs/theme/default/templates/admin/usermanagement/adminusers.tpl

@@ -2,4 +2,6 @@
 
 <h2>AdminUsers</h2>
 
+{$adminusersform}
+
 {include file="footer.tpl"}

htdocs/theme/default/templates/admin/usermanagement/staffusers.tpl

@@ -2,4 +2,6 @@
 
 <h2>StaffUsers</h2>
 
+{$staffusersform}
+
 {include file="footer.tpl"}

htdocs/theme/default/templates/admin/usermanagement/uploadcsv.tpl

 {include file="header.tpl"}
 
-<h2>UploadCSV</h2>
+<h2>{str tag="uploadcsvfile" section="admin"}</h2>
+
+<p>{str tag="uploadcsvfiledescription" section="admin"}</p>
 
 {$uploadcsvform}
 

htdocs/theme/default/templates/change_password.tpl

 {include file="header.tpl"}
 
-<h2>ChangePass</h2>
+<h2>{str tag="changepassword"}</h2>
 
-<p>[two messages here:]</p>
-<ol>
-    <li>your password has expired, please change it</li>
-    <li>you have chosen to change your password, here is the form to change it</li>
-</ol>
+<p>{str tag="changepasswordinfo"}</p>
 
 {$change_password_form}
 

htdocs/theme/default/templates/form/userlist.tpl

@@ -82,6 +82,7 @@
 </script>
 <table>
     <tr>
+        {{if $filter}}
         <td colspan="3">
             <select id="{{$name}}_groups">
                 <option value="all">All Users</option>
@@ -89,6 +90,7 @@
                 <option value="all">My Group</option>
             </select>
         </td>
+        {{/if}}
     </tr>
     <tr>
         <td colspan="3" id="{{$name}}_messages">