Upgrade 1-11.38

This commit is contained in:
xesmyd
2026-03-30 14:10:30 +02:00
parent f2a7e6d1fc
commit ac648ef29d
24665 changed files with 69682 additions and 2205004 deletions
+66 -14
@@ -2343,7 +2343,13 @@ class UserManager
}
}
$sql .= str_replace("\'", "'", Database::escape_string($extraConditions));
// $extraConditions is a caller-constructed SQL fragment, not a scalar
// value — escaping it as a string then immediately un-escaping the
// result (str_replace("\'", "'", ...)) produced a net-zero effect while
// giving a false sense of safety. Callers are responsible for ensuring
// any values embedded in $extraConditions are individually escaped or
// validated before being passed here.
$sql .= $extraConditions;
if (!empty($order_by) && count($order_by) > 0) {
$sql .= ' ORDER BY '.Database::escape_string(implode(',', $order_by));
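Review bot: The replacement comment above `$sql .= $extraConditions;` overstates the old line as "net-zero" and puts the caller contract where callers will not read it. `Database::escape_string` also backslash-escapes `\`, `"` and NUL, so the removed line mangled those characters without protecting anything; the accurate statement is simply that `$extraConditions` is a raw SQL fragment appended verbatim. That contract belongs in the method's PHPDoc (the method signature is above the hunk), e.g. `@param string $extraConditions Raw SQL appended verbatim; build it only from trusted, individually escaped values — never from request input`, with the inline block shortened to a one-line pointer to it. Worth checking, while here, that no caller passes request-derived strings into this parameter, since nothing in this method can catch that any more.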
@@ -4513,18 +4519,16 @@ class UserManager
if ($user_id === false) {
return false;
}
$service_name = Database::escape_string($api_service);
if (is_string($service_name) === false) {
return false;
}
$t_api = Database::get_main_table(TABLE_MAIN_USER_API_KEY);
$md5 = md5((time() + ($user_id * 5)) - rand(10000, 10000)); //generate some kind of random key
$sql = "INSERT INTO $t_api (user_id, api_key,api_service) VALUES ($user_id,'$md5','$service_name')";
$res = Database::query($sql);
if ($res === false) {
return false;
} //error during query
$num = Database::insert_id();
$apiKey = bin2hex(random_bytes(16)); // cryptographically secure random API key
$num = Database::insert(
Database::get_main_table(TABLE_MAIN_USER_API_KEY),
[
'user_id' => $user_id,
'api_key' => $apiKey,
'api_service' => $api_service,
]
);
return $num == 0 ? false : $num;
}
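Review bot: `random_bytes()` throws (`\Exception`, `\Random\RandomException` on 8.2+) when no secure source is available, whereas the removed path returned `false` on failure, so callers testing `=== false` now need to expect an exception; add `@throws \Exception when no CSPRNG is available` to the method's PHPDoc (the signature is above the hunk) or catch and return `false` to keep the old contract. The `is_string` guard and escaping on the service name were dropped together, which is only safe if `Database::insert` parameterises or escapes its values itself — `$api_service` now reaches the query unchanged, so that is worth confirming rather than assuming. The kept `return $num == 0 ? false : $num;` relies on loose comparison; if `Database::insert` returns `false|int`, `return is_int($num) && $num > 0 ? $num : false;` makes the intent explicit.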
@@ -6988,7 +6992,7 @@ SQL;
public static function blockIfMaxLoginAttempts(array $userInfo)
{
if (false === (bool) $userInfo['active'] || null === $userInfo['last_login']) {
if (!isset($userInfo['active']) || false === (bool) $userInfo['active'] || null === $userInfo['last_login']) {
return;
}
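Review bot: The new `isset` guard covers `active`, but `$userInfo['last_login']` on the same condition is still read without one, so an array that has `active` but no `last_login` key raises an undefined-index warning before the null check runs; `null === ($userInfo['last_login'] ?? null)` keeps the same semantics and tolerates the missing key. The function body continues below the hunk.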
@@ -8312,6 +8316,54 @@ SQL;
return Database::store_result(Database::query($sql), 'ASSOC');
}
/**
* Check or fetch a user by extrafield on this portal.
*
* @param string $value The extrafield value to test (e.g. DNI).
* @param bool $returnId If true, return the existing user ID or null; otherwise return true/false for uniqueness.
*
* @return bool|int|null When $returnId===false: true if unique, false if already exists.
* When $returnId===true: existing user ID or null if none.
*/
public static function isExtraFieldValueUniquePerUrl(string $value, bool $returnId = false)
{
$field = api_get_configuration_value('extra_field_to_validate_on_user_registration');
if (empty($field) || $value === '') {
// If there's nothing to check, treat as “unique” or “no ID”
return $returnId ? null : true;
}
$accessUrlId = api_get_current_access_url_id();
$tUser = Database::get_main_table(TABLE_MAIN_USER);
$tField = Database::get_main_table(TABLE_EXTRA_FIELD);
$tValue = Database::get_main_table(TABLE_EXTRA_FIELD_VALUES);
$tRelUrl = Database::get_main_table(TABLE_MAIN_ACCESS_URL_REL_USER);
$sql = "
SELECT u.id
FROM {$tUser} u
JOIN {$tValue} v ON v.item_id = u.id
JOIN {$tField} f ON f.id = v.field_id
JOIN {$tRelUrl} url ON url.user_id = u.id
WHERE f.variable = '".Database::escape_string($field)."'
AND v.value = '".Database::escape_string($value)."'
AND url.access_url_id = {$accessUrlId}
LIMIT 1
";
$result = Database::query($sql);
$row = Database::fetch_array($result, 'ASSOC');
if ($returnId) {
// return the existing user ID, or null if none
return $row['id'] ?? null;
}
// return true if no match was found (i.e. unique), false otherwise
return empty($row);
}
/**
* @return EncoderFactory
*/