adm_program/modules/profile-fields/profile_fields_function.php
<?php
/**
***********************************************************************************************
* Various functions for profile fields
*
* @copyright The Admidio Team
* @see https://www.admidio.org/
* @license https://www.gnu.org/licenses/gpl-2.0.html GNU General Public License v2.0 only
***********************************************************************************************
*/
/******************************************************************************
* Parameters:
*
* uuid : UUID of the profile field that should be edited
* mode : edit - create or edit profile field
* delete - delete profile field
* sequence - change sequence of profile field
* direction : Direction to change the sequence of the category
*
*****************************************************************************/
use Admidio\Exception;
try {
require_once(__DIR__ . '/../../system/common.php');
require(__DIR__ . '/../../system/login_valid.php');
// Initialize and check the parameters
$getUsfUUID = admFuncVariableIsValid($_GET, 'uuid', 'uuid');
$getMode = admFuncVariableIsValid($_GET, 'mode', 'string', array('requireValue' => true, 'validValues' => array('edit', 'delete', 'sequence')));
$getOrder = admFuncVariableIsValid($_GET, 'order', 'array');
// only authorized users can edit the profile fields
if (!$gCurrentUser->isAdministrator()) {
throw new Exception('SYS_NO_RIGHTS');
}
// create user field object
$userField = new TableUserField($gDb);
if ($getUsfUUID !== '') {
$userField->readDataByUuid($getUsfUUID);
// check if profile field belongs to actual organization
if ($userField->getValue('cat_org_id') > 0
&& (int)$userField->getValue('cat_org_id') !== $gCurrentOrgId) {
throw new Exception('SYS_NO_RIGHTS');
}
// if system profile field then set usf_type to default
if ($userField->getValue('usf_system') == 1) {
$_POST['usf_type'] = $userField->getValue('usf_type');
}
}
if ($getMode === 'edit') {
// Create or edit profile field
// lastname and firstname must always be mandatory fields and visible in registration dialog
if ($userField->getValue('usf_name_intern') === 'LAST_NAME'
|| $userField->getValue('usf_name_intern') === 'FIRST_NAME') {
$_POST['usf_required_input'] = 1;
$_POST['usf_registration'] = 1;
}
// email must always be visible in registration dialog
if ($userField->getValue('usf_name_intern') === 'EMAIL') {
$_POST['usf_registration'] = 1;
}
// Swap input, because the field name is different from the dialog
if (isset($_POST['usf_hidden'])) {
$_POST['usf_hidden'] = 0;
} else {
$_POST['usf_hidden'] = 1;
}
// check form field input and sanitized it from malicious content
$profileFieldsEditForm = $gCurrentSession->getFormObject($_POST['admidio-csrf-token']);
$formValues = $profileFieldsEditForm->validate($_POST);
if (isset($_POST['usf_name']) && $userField->getValue('usf_name') !== $_POST['usf_name']) {
// See if the field already exists
$sql = 'SELECT COUNT(*) AS count
FROM ' . TBL_USER_FIELDS . '
WHERE usf_name = ? -- $_POST[\'usf_name\']
AND usf_cat_id = ? -- $_POST[\'usf_cat_id\']
AND usf_uuid <> ? -- $getUsfUUID';
$pdoStatement = $gDb->queryPrepared($sql, array($_POST['usf_name'], (int)$_POST['usf_cat_id'], $getUsfUUID));
if ($pdoStatement->fetchColumn() > 0) {
throw new Exception('ORG_FIELD_EXIST');
}
}
// write form values in user field object
foreach ($formValues as $key => $value) {
if (str_starts_with($key, 'usf_')) {
$userField->setValue($key, $value);
}
}
$userField->save();
$gNavigation->deleteLastUrl();
echo json_encode(array('status' => 'success', 'url' => $gNavigation->getUrl()));
exit();
} elseif ($getMode === 'delete') {
// delete profile field
if ($userField->getValue('usf_system') == 1) {
// System fields must not be deleted
throw new Exception('SYS_INVALID_PAGE_VIEW');
}
$userField->delete();
echo json_encode(array('status' => 'success'));
exit();
} elseif ($getMode === 'sequence') {
// update field order
$postSequence = admFuncVariableIsValid($_POST, 'direction', 'string', array('validValues' => array(TableUserField::MOVE_UP, TableUserField::MOVE_DOWN)));
// check the CSRF token of the form against the session token
SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
if (!empty($getOrder)) {
// set new order (drag and drop)
$userField->setSequence(explode(',', $getOrder));
} else {
// move field up/down by one
if ($userField->moveSequence($postSequence)) {
echo 'done';
} else {
throw new Exception('Sequence could not be changed.');
}
}
exit();
}
} catch (Exception $e) {
if ($getMode === 'sequence') {
echo $e->getMessage();
} else {
echo json_encode(array('status' => 'error', 'message' => $e->getMessage()));
}
}