user.module

<?php
// $Id$

session_set_save_handler("sess_open", "sess_close", "sess_read", "sess_write", "sess_destroy", "sess_gc");
session_start();

function user_system($field){
  $system["description"] = t("Enables the user registration and login system.");
  return $system[$field];
}

/*** Session functions *****************************************************/

function sess_open($save_path, $session_name) {
  return 1;
}

function sess_close() {
  return 1;
}

function sess_read($key) {
  global $user;
  $user = user_load(array("sid" => $key, "status" => 1));

  return !empty($user->session) ? $user->session : '';
}

function sess_write($key, $value) {
  global $HTTP_SERVER_VARS;

  db_query("UPDATE users SET hostname = '%s', session = '%s', timestamp = '%s' WHERE sid = '$key'", $HTTP_SERVER_VARS["REMOTE_ADDR"], $value, time());

  return '';
}

function sess_destroy($key) {
  global $HTTP_SERVER_VARS;

  db_query("UPDATE users SET hostname = '%s', timestamp = '%s', sid = '' WHERE sid = '$key'", $HTTP_SERVER_VARS["REMOTE_ADDR"], time());
}

function sess_gc($lifetime) {
  return 1;
}

/*** Common functions ******************************************************/

function user_external_load($authname) {
  $arr_uid = db_query("SELECT uid FROM authmap WHERE authname = '%s'", $authname);

  if (db_fetch_object($arr_uid)) {
    $uid = db_result($arr_uid);
    return user_load(array("uid" => $uid));
  }
  else {
    return 0;
  }
}

function user_load($array = array()) {

  /*
  ** Dynamically compose a SQL query:
  */

  $query = "";

  foreach ($array as $key => $value) {
    if ($key == "pass") {
      $query .= "u.$key = '". md5($value) ."' AND ";
     }
    else {
      $query .= "u.$key = '". check_query($value) ."' AND ";
    }
  }
  $result = db_query("SELECT u.*, r.name AS role FROM users u LEFT JOIN role r ON u.rid = r.rid WHERE $query u.status < 3 LIMIT 1");

  $user = db_fetch_object($result);
  if ($user->data && $data = unserialize($user->data)) {
    foreach ($data as $key => $value) {
      if (!isset($user->$key)) {
        $user->$key = $value;
      }
    }
  }

  return $user;
}

function user_save($account, $array = array()) {
  /*
  ** Dynamically compose a SQL query:
  */

  $user_fields = user_fields();
  if ($account->uid) {
    $data = unserialize(db_result(db_query("SELECT data FROM users WHERE uid = '$account->uid'")));
    foreach ($array as $key => $value) {
      if ($key == "pass") {
        $query .= "$key = '". md5($value) ."', ";
      }
      else if (substr($key, 0, 4) !== "auth") {
        if (in_array($key, $user_fields)) {
          $query .= "$key = '". check_query($value) ."', ";
        }
        else {
          $data[$key] = $value;
        }
      }
    }
    $query .= "data = '". check_query(serialize($data)) ."', ";

    db_query("UPDATE users SET $query timestamp = '%s' WHERE uid = '$account->uid'", time());

    $user = user_load(array("uid" => $account->uid));
  }
  else {
    $array["timestamp"] = time();

    foreach ($array as $key => $value) {
      if ($key == "pass") {
        $fields[] = check_query($key);
        $values[] = "'". md5($value) ."'";
      }
      else if (substr($key, 0, 4) !== "auth") {
        if (in_array($key, $user_fields)) {
          $fields[] = check_query($key);
          $values[] = "'". check_query($value) ."'";
        }
        else {
          $data[$key] = $value;
        }
      }
    }

    $fields[] = "data";
    $values[] = "'". check_query(serialize($data)) ."'";

    db_query("INSERT INTO users (". implode(", ", $fields) .") VALUES (". implode(", ", $values) .")");

    $user = user_load(array("name" => $array["name"]));
  }

  foreach ($array as $key => $value) {
    if (substr($key, 0, 4) == "auth") {
      $authmaps[$key] = $value;
    }
  }

  if ($authmaps) {
    $result = user_set_authmaps($user, $authmaps);
  }

  return $user;
}

function user_set($account, $key, $value) {
  $account->data[$key] = $value;
  return $account;
}

function user_get($account, $key) {
  return $account->data[$key];
}

function user_validate_name($name) {

  /*
  ** Verify the syntax of the given name:
  */

  if (!$name) return t("You must enter a username.");
  if (ereg("^ ", $name)) return t("The username cannot begin with a space.");
  if (ereg(" \$", $name)) return t("The username cannot end with a space.");
  if (ereg("  ", $name)) return t("The username cannot contain multiple spaces in a row.");
  // if (ereg("[^a-zA-Z0-9@-@]", $name)) return t("The username contains an illegal character.");
  if (ereg('@', $name) && !eregi('@([0-9a-z](-?[0-9a-z])*\.)+[a-z]{2}([zmuvtg]|fo|me)?$', $name)) return t("The username is not a valid authentication ID.");
  if (!eregi('^[[:print:]]+', $name)) return t("The name contains an illegal character.");
  if (strlen($name) > 56) return t("The username '$name' is too long: it must be less than 56 characters.");
}

function user_validate_mail($mail) {

  /*
  ** Verify the syntax of the given e-mail address.  Empty e-mail addresses
  ** allowed.
  */

  if ($mail && !eregi("^[0-9a-z_\.-]+@(([0-9]{1,3}\.){3}[0-9]{1,3}|([0-9a-z][0-9a-z-]*[0-9a-z]\.)+[a-z]{2,})$", $mail)) {
    return t("The e-mail address '%mail' is not valid.", array("%mail" => $mail));
  }
}

function user_validate_authmap($account, $authname, $module) {
  $result = db_query("SELECT COUNT(*) from authmap WHERE uid != '$account->uid' && authname = '%s'", $authname);
  if (db_result($result) > 0) {
    $name = module_invoke($module, "info", "name");
    return t("The %u ID %s is already taken.", array("%u" => ucfirst($name), "%s" => "<i>$authname</i>"));
  }
}

function user_password($min_length = 6) {

  /*
  ** Generate a human-readable password:
  */

  mt_srand((double)microtime() * 1000000);
  $words = explode(",", variable_get("user_password", "foo,bar,guy,neo,tux,moo,sun,asm,dot,god,axe,geek,nerd,fish,hack,star,mice,warp,moon,hero,cola,girl,fish,java,perl,boss,dark,sith,jedi,drop,mojo"));
  while (strlen($password) < $min_length) $password .= trim($words[mt_rand(0, count($words))]);
  return $password;
}

function user_access($string) {

  global $user;
  static $perm;

  /*
  ** To reduce the number of SQL queries, we cache the user's permissions
  ** in a static variable.
  */

  if (!$perm) {
    if ($user->uid) {
      $perm = db_result(db_query("SELECT p.perm FROM role r, permission p WHERE r.rid = p.rid AND name = '$user->role'"), 0);
    }
    else {
      $perm = db_result(db_query("SELECT p.perm FROM role r, permission p WHERE r.rid = p.rid AND name = 'anonymous user'"), 0);
    }
  }

  if ($user->uid == 1) {
    return 1;
  }
  else {
    return strstr($perm, $string);
  }

}

function user_mail($mail, $subject, $message, $header) {
  if (variable_get("smtp_library", "") && file_exists(variable_get("smtp_library", ""))) {
    include_once variable_get("smtp_library", "");
    return user_mail_wrapper($mail, $subject, $message, $header);
  }
  else {
    /*
    ** Note: if you are having problems with sending mail, or mails look wrong
    ** when they are recieved you may have to modify the str_replace to suit
    ** your systems.
    **  - \r\n will work under dos and windows.
    **  - \n will work for linux, unix and BSDs.
    **  - \r will work for macs.
    */
    return mail($mail, $subject, str_replace("\r", "", $message), $header);
  }
}

function user_deny($type, $mask) {

  $allow = db_fetch_object(db_query("SELECT * FROM access WHERE status = '1' AND type = '%s' AND LOWER('%s') LIKE LOWER(mask)", $type, $mask));

  $deny = db_fetch_object(db_query("SELECT * FROM access WHERE status = '0' AND type = '%s' AND LOWER('%s') LIKE LOWER(mask)", $type, $mask));

  if ($deny && !$allow) {
    return 1;
  }
  else {
    return 0;
  }
}

function user_fields() {
  static $fields;

  if (!$fields) {
    $result = db_query("SELECT * FROM users WHERE uid = 1");
    if (db_num_rows($result)) {
      $fields = array_keys(db_fetch_array($result));
    }
  }

  // Make sure we return the default fields at least
  return is_array($fields) ? $fields: array("uid", "name", "pass", "mail", "homepage", "mode", "sort", "threshold", "theme", "signature", "timestamp", "hostname", "status", "timezone", "rating", "language", "sid", "init", "session", "data", "rid");
}

/*** Module hooks **********************************************************/

function user_perm() {
  return array("administer users");
}

function user_search($keys) {
  global $PHP_SELF;
  $result = db_query("SELECT * FROM users WHERE name LIKE '%$keys%' LIMIT 20");
  while ($account = db_fetch_object($result)) {
    $find[$i++] = array("title" => $account->name, "link" => (strstr($PHP_SELF, "admin.php") ? drupal_url(array("mod" => "user", "op" => "edit", "id" => $account->uid), "admin") : drupal_url(array("mod" => "user", "op" => "view", "id" => $account->uid), "module")), "user" => $account->name);
  }
  return $find;
}

function user_block() {
  global $user, $edit;

  if ($user->uid) {
    // Display account settings:
    $block[0]["subject"] = $user->name;

    $output = "<div style=\"{ width: 155; }\">\n";

    $links = array_merge(module_invoke_all("link", "menu.create"), array(""), module_invoke_all("link", "menu.view"), array(""), module_invoke_all("link", "menu.settings"), array(""), module_invoke_all("link", "menu.misc"));
    $output .= @implode("<br />\n", $links);

    $output .= "</div>";
    $block[0]["content"] = $output;
  }
  else {
    $block[1]["subject"] = t("Log in");

    $output = "<div align=\"center\">\n";
    $output .= "<form action=\"". drupal_url(array("mod" => "user", "op" => "login"), "module") ."\" method=\"post\">\n";
    // Save the referer.  We record where the user came from such that we
    // can redirect him after having completed the login form.
    if (!$edit["destination"]) $edit["destination"] = request_uri();
    $output .= "<input name=\"edit[destination]\" type=\"hidden\" value=\"" . $edit["destination"] . "\" />";
    $output .= "<b>". t("Username") .":</b><br /><input name=\"edit[name]\" size=\"15\" /><br />\n";
    $output .= "<b>". t("Password") .":</b><br /><input name=\"edit[pass]\" size=\"15\" type=\"password\" /><br />\n";
    $output .= "<input name=\"edit[remember_me]\" type=\"checkbox\" />". t("Remember me") ."<br />\n";
    $output .= "<input name=\"edit[op]\" type=\"submit\" value=\"". t("Log in") ."\" /><br />\n";
    $output .= "</form></div>\n";
    if (variable_get("user_register", 1)) {
      $output .= "&raquo; ". lm(t("Create account?"), array("mod" => "user", "op" => "register"), "", array("title" => t("Create a new user account."))) ."<br />\n";
    }
    $output .= "&raquo; ". lm(t("Forgot password?"), array("mod" => "user", "op" => "password"), "", array("title" => t("Request new password via e-mail.")));

    $block[1]["content"] = $output;
  }

  $block[0]["info"] = t("User information");
  $block[0]["link"] = drupal_url(array("mod" => "user"), "module");

  $block[1]["info"] = t("Log in");
  $block[1]["link"] = drupal_url(array("mod" => "user"), "module");

  $block[2]["subject"] = t("Who's new");
  $block[2]["info"] = t("Who's new");
  $block[2]["content"] = user_new_users();

  return $block;
}

function user_new_users() {
  $result = db_query("SELECT uid, name FROM users WHERE status != '0' ORDER BY uid DESC LIMIT 5");
  while ($account = db_fetch_object($result)) {
    $output .= lm((strlen($account->name) > 15 ? substr($account->name, 0, 15) . '...' : $account->name), array("mod" =>user, "op" => "view", "id" => $account->uid)) ."<br />";
  }
  return $output;
}

function user_link($type) {
  if ($type == "page") {
    $links[] = lm(t("user account"), array("mod" => "user"), "", array("title" => t("Create a user account, request a new password or edit your account settings.")));
  }

  if ($type == "menu.settings") {
    $links[] = lm(t("edit account"), array("mod" => "user", "op" => "edit"), "", array("title" => t("View and edit your account information.")));
  }

  if ($type == "menu.misc") {
    if (user_access("access administration pages")) {
      $links[] = la(t("administer %a", array("%a" => variable_get("site_name", "drupal"))), array(), "", array("title" => t("Access administration pages.")));
    }

    $links[] = lm(t("logout"), array("mod" => "user", "op" => "logout"), "", array("title" => t("Logout.")));
  }

  if ($type == "admin" && user_access("administer users")) {
    $links[] = la(t("user management"), array("mod" => "user"));
  }

  return $links ? $links : array();
}

function drupal_login($arguments) {
   // an XML-RPC method called by external clients (usually other Drupal instances)
  $argument = $arguments->getparam(0);
  $username = $argument->scalarval();
  $argument = $arguments->getparam(1);
  $password = $argument->scalarval();

  if ($user = user_load(array(name => "$username", "pass" => $password, "status" => 1))) {
    return new xmlrpcresp(new xmlrpcval($user->uid, "int"));
  }
  else {
    return new xmlrpcresp(new xmlrpcval(0, "int"));
  }
}


function user_xmlrpc() {
  return array("drupal.login" => array("function" => "drupal_login"));
}

/*** Authentication methods ************************************************/

function user_get_authname($account, $module) {

  /*
  **  Called by authentication modules in order to edit/view their authmap information.
  */

  $result = db_query("SELECT authname FROM authmap WHERE uid = '$account->uid' && module = '$module'");
  return db_result($result);
}


function user_get_authmaps($authname = NULL) {

  /*
  ** Accepts an user object, $account, or an DA name and returns an
  ** associtive array of modules and DA names. Called at external login.
  */

  $result = db_query("SELECT authname, module FROM authmap WHERE authname = '%s'", $authname);
  if (db_num_rows($result) > 0) {
    while ($authmap = db_fetch_object($result)) {
      $authmaps[$authmap->module] = $authmap->authname;
    }
    return $authmaps;
  }
  else {
    return 0;
  }
}

function user_set_authmaps($account, $authmaps) {
  foreach ($authmaps as $key => $value) {
    $module = explode("_", $key, 2);
    if ($value) {
      $result = db_query("SELECT COUNT(*) from authmap WHERE uid = '$account->uid' && module = '$module[1]'");
      if (db_result($result) == 0) {
        $result = db_query("INSERT INTO authmap (authname, uid, module) VALUES ('%s', '%s', '%s')", $value, $account->uid, $module[1]);
      }
      else {
        $result = db_query("UPDATE authmap SET authname = '%s' WHERE uid = '$account->uid' && module = '$module[1]'", $value);
      }
    }
    else {
      $result = db_query("DELETE FROM authmap WHERE uid = '$account->uid' && module = '$module[1]'");
    }
  }
  return $result;
}

function user_auth_help_links() {
  $links = array();
  foreach (module_list() as $module) {
    if (module_hook($module, "auth_help")) {
      $links[] = lm(module_invoke($module, "info", "name"), array("mod" => "user", "op" => "help"), $module);
    }
  }
  return $links;
}

/*** User features *********************************************************/

function user_login($edit = array(), $msg = "") {
  global $user, $referer;

  /*
  ** If we are already logged on, go to the user page instead.
  */

  if ($user->uid) {
    drupal_goto(drupal_url(array("mod" => "user"), "module"));
  }

  if (user_deny("user", $edit["name"])) {
    $error = t("The name '%s' has been denied access.", array("%s" => $edit["name"]));
  }
  else if ($edit["name"] && $edit["pass"]) {

    /*
    ** Try to log in the user locally:
    */

    if (!$user) {
      $name = check_input($edit["name"]);
      $pass = check_input($edit["pass"]);
      $user = user_load(array("name" => $name, "pass" => $pass, "status" => 1));
    }

    /*
    ** Strip name and server from ID:
    */

    if ($server = strrchr($edit["name"], "@")) {
      $name = check_input(substr($edit["name"], 0, strlen($edit["name"]) - strlen($server)));
      $server = check_input(substr($server, 1));
      $pass = check_input($edit["pass"]);
    }

    /*
    ** When possible, determine corrosponding external auth source. Invoke source, and login user if successful:
    */

    if (!$user && $server && $result = user_get_authmaps("$name@$server")) {
      if (module_invoke(key($result), "auth", $name, $pass, $server)) {
        $user = user_external_load("$name@$server");
        watchdog("user", "external load: $name@$server, module: " . key($result));
      }
      else {
        $error = t("Invalid password for %s.", array("%s" => "<i>$name@$server</i>"));
      }
    }

     /*
    ** Try each external authentication source in series. Register user if successful.
    */

    else if (!$user && $server) {
      foreach (module_list() as $module) {
        if (module_hook($module, "auth")) {
          if (module_invoke($module, "auth", $name, $pass, $server)) {
            if (variable_get("user_register", 1) == 1 && !user_load(array("name" => "$name@$server"))) { //register this new user
              watchdog("user", "new user: $name@$server ($module ID)");
              $user = user_save("", array("name" => "$name@$server", "pass" => user_password(), "init" => "$name@$server", "status" => 1, "authname_$module" => "$name@$server"));
              break;
            }
          }
        }
      }
    }

    if ($user->uid) {
      watchdog("user", "session opened for '$user->name'");

      /*
      ** Write session ID to database:
      */

      user_save($user, array("sid" => session_id()));

      /*
      ** If the user wants to be remembered, set the proper cookie such
      ** that the session won't expire.
      */

      if ($edit["remember_me"]) {
        setcookie(session_name(), session_id(), time() + 3600 * 24 * 365);
      }
      else {
        setcookie(session_name(), session_id());
      }

      /*
      ** Redirect the user to the page he logged on from.
      */

      drupal_goto($edit["destination"]);
    }
    else {
      if (!$error) {
        $error = t("Sorry.  Unrecognized username or password.") ." ". lm(t("Have you forgotten your password?"), array("mod" => "user", "op" => "password"));
      }
      if ($server) {
        watchdog("user", "failed login for '$name@$server': $error");
      }
      else {
        watchdog("user", "failed login for '$name': $error");
      }
    }
  }

  /*
  ** Display error message (if any):
  */

  if ($error) {
    $output .= theme_invoke("theme_error", check_output($error));
  }

  /*
  ** Save the referer.  We record where the user came from such that we
  ** can redirect him after having completed the login form.
  */

  if (!$edit["destination"]) {
    $edit["destination"] = request_uri();
  }
  $output .= form_hidden("destination", $edit["destination"]);

  /*
  ** Display login form:
  */

  if ($msg) {
    $output .= "<p>$msg</p>";
  }
  //TODO: alter text if there are not affiliates
  $output .= form_textfield(t("Username"), "name", $edit["name"], 20, 64, t("Enter your %s username, or an ID from one of our affiliates: %a.", array("%s" => variable_get("site_name", "local"), "%a" => implode(", ", user_auth_help_links()))));
  $output .= form_password(t("Password"), "pass", $pass, 20, 64, t("Enter the password that accompanies your username."));
  $output .= form_checkbox(t("Remember me"), "remember_me", 1, 0, 0);
  $output .= form_submit(t("Log in"));
  $output .= "<p>&raquo; ". lm(t("E-mail new password"), array("mod" => "user", "op" => "password")). "<br />";
  if (variable_get("user_register", 1)) {
    $output .= "&raquo; ". lm(t("Create new account"), array("mod" => "user", "op" => "register"));
  }
  $output .= "</p>";

  return form($output, "post", drupal_url(array ("mod" => "user"), "module"));
}

function _user_authenticated_id() {
  return db_result(db_query("SELECT rid FROM role WHERE name = 'authenticated user'"));
}

function user_logout() {
  global $user;

  if ($user->uid) {
    watchdog("user", "session closed for user '$user->name'");

    /*
    ** Destroy the current session:
    */

    session_destroy();
    unset($user);
  }

  /*
  ** Redirect the user to his personal information page:
  */

  drupal_goto("index.php");

}

function user_pass($edit = array()) {

  if ($edit["name"]) {
    $account = db_fetch_object(db_query("SELECT uid, name, mail FROM users WHERE name = '%s'", $edit["name"]));
    if (!$account) $error = t("Sorry. The username <i>%s</i> is not recognized.", array("%s" => $edit["name"]));
  }
  else if ($edit["mail"]) {
    $account = db_fetch_object(db_query("SELECT uid, name, mail FROM users WHERE mail = '%s'", $edit["mail"]));
    if (!$account) $error = t("Sorry. The e-mail address <i>%s</i> is not recognized.", array("%s" => $edit["mail"]));
  }
  if ($account) {

      $from = variable_get("site_mail", ini_get("sendmail_from"));
      $pass = user_password();

      /*
      ** Save new password:
      */

      user_save($account, array("pass" => $pass));

      /*
      ** Mail new password:
      */

      $variables = array("%username" => $account->name, "%site" => variable_get("site_name", "drupal"), "%password" => $pass, "%uri" => path_uri(), "%uri_brief" => path_uri(1), "%mailto" => $account->mail, "%date" => format_date(time()));
      $subject = strtr(variable_get("user_mail_pass_subject", t("Replacement login information for %username at %site")), $variables);
      $body = strtr(variable_get("user_mail_pass_body", t("%username,\n\nHere is your new password for %site.  You may now login to %uri". drupal_url(array("mod" => "user", "op" => "login"), "module") ." using the following username and password:\n\nusername: %username\npassword: %password\n\nAfter logging in, you may wish to change your password at %uri". drupal_url(array("mod" => "user", "op" => "edit"), "module") .".\n\nYour new %site membership also enables you to login to other Drupal powered websites (e.g. http://www.drop.org/) without registering.  Just use the following Drupal ID and password:\n\nDrupal ID: %username@%uri_brief\npassword: %password\n\n\n-- %site team")), $variables);
      $headers = "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from";
      user_mail($account->mail, $subject, $body, $headers);

      watchdog("user", "mail password: '". $account->name ."' &lt;". $account->mail ."&gt;");

      return t("Your password and further instructions have been sent to your e-mail address.");
    }
    else {

    // Display error message if necessary.
    if ($error) {
      $output .= theme_invoke("theme_error", check_output($error));
    }

    /*
    ** Display form:
    */

    $output .= "<p>". sprintf(t("Enter your username %sor%s your e-mail address."), "<b><i>", "</i></b>") ."</p>";
    $output .= form_textfield(t("Username"), "name", $edit["name"], 30, 64);
    $output .= form_textfield(t("E-mail address"), "mail", $edit["mail"], 30, 64);
    $output .= form_submit(t("E-mail new password"));
    $output .= "<p>&raquo; ". lm(t("Log in"), array("mod" =>user, "op" => "login")) ."<br />";
    if (variable_get("user_register", 1)) {
      $output .= "&raquo; ". lm(t("Create new account"), array("mod" => "user", "op" => "register"));
    }
    $output .= "</p>";

    return form($output, "post", drupal_url(array ("mod" => "user"), "module"));
  }
}

function user_register($edit = array()) {
  global $user;

  /*
  ** If we are already logged on, go to the user page instead.
  */

  if ($user->uid) {
    drupal_goto(drupal_url(array("mod" => "user", "op" => "edit"), "module"));
  }

  if ($edit["name"] && $edit["mail"]) {
    if ($error = user_validate_name($edit["name"])) {
      // do nothing
    }
    else if ($error = user_validate_mail($edit["mail"])) {
      // do nothing
    }
    else if (user_deny("user", $edit["name"])) {
      $error = t("The name '%s' has been denied access.", array("%s" => $edit["name"]));
    }
    else if (user_deny("mail", $edit["mail"])) {
      $error = t("The e-mail address '%s' has been denied access.", array("%s" => $edit["mail"]));
    }
    else if (db_num_rows(db_query("SELECT name FROM users WHERE LOWER(name) = LOWER('%s')", $edit["name"])) > 0) {
      $error = t("The name '%s' is already taken.", array("%s" => $edit["name"]));
    }
    else if (db_num_rows(db_query("SELECT mail FROM users WHERE LOWER(mail) = LOWER('%s')", $edit["mail"])) > 0) {
      $error = t("The e-mail address '%s' is already taken.", array("%s" => $edit["mail"]));
    }
    else if (variable_get("user_register", 1) == 0) {
      $error = t("Public registrations have been disabled by the site administrator.");
    }
    else {
      foreach (module_list() as $module) {
        if (module_hook($module, "user")) {
          $result = module_invoke($module, "user", "register_validate", $edit, $user);
          if (is_array($result)) {
            $data = array_merge($data, $result);
          }
          elseif (is_string($result)) {
            $error = $result;
            break;
          }
        }
      }
      if (!$error) {
        $success = 1;
      }
    }
  }

  if ($success) {

    $from = variable_get("site_mail", ini_get("sendmail_from"));
    $pass = user_password();

    // create new user account, noting whether administrator approval is required
    user_role_init();
    // TODO: is this necessary? Won't session_write replicate this?
    unset($edit["session"]);
    $account = user_save("", array_merge(array("name" => $edit["name"], "pass" => $pass, "init" => $edit["mail"], "mail" => $edit["mail"], "rid" => _user_authenticated_id(), "rating" => 0, "status" => (variable_get("user_register", 1) == 1 ? 1 : 0)), $data));
    watchdog("user", "new user: '". $edit["name"] ."' &lt;". $edit["mail"] ."&gt;");

    $variables = array("%username" => $edit["name"], "%site" => variable_get("site_name", "drupal"), "%password" => $pass, "%uri" => path_uri(), "%uri_brief" => path_uri(1), "%mailto" => $edit["mail"], "%date" => format_date(time()));

    //the first user may login immediately, and receives a customized welcome e-mail.
    if ($account->uid == 1) {
      user_mail($edit["mail"], t("drupal user account details for %s", array("%s" => $edit["name"])), strtr(t("%username,\n\nYou may now login to %uri using the following username and password:\n\n  username: %username\n  password: %password\n\nAfter logging in, you may wish to visit the following pages:\n\nAdministration: %uriadmin.php\nEdit user account: %uri". drupal_url(array("mod" => "user", "op" => "edit"), "module") ."\n\n--drupal"), $variables), "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from");
      // This should not be t()'ed. No point as its only shown once in the sites lifetime, and it would be bad to store the password
      $output .= "<p>Welcome to Drupal. You are user #1, which gives you full and immediate access.  All future registrants will receive their passwords via e-mail, so please configure your e-mail settings using the Administration pages.</p><p> Your password is <b>$pass</b>. You may change your password on the next page.</p><p>Please login below.</p>";
      $output .= form_hidden("name", $account->name);
      $output .= form_hidden("pass", $pass);
      $output .= form_submit(t("Log in"));
      return form($output);
    }
    else {
      if ($account->status) {
        /*
        ** Create new user account, no administrator approval required:
        */

        $subject = strtr(variable_get("user_mail_welcome_subject", t("User account details for %username at %site")), $variables);
        $body = strtr(variable_get("user_mail_welcome_body", t("%username,\n\nThank you for registering at %site. You may now login to %uri". drupal_url(array("mod" => "user", "op" => "login"), "module") ." using the following username and password:\n\nusername: %username\npassword: %password\n\nAfter logging in, you may wish to change your password at %urimodule.php?mod=user&op=edit\n\nYour new %site membership also enables to you to login to other Drupal powered websites (e.g. http://www.drop.org/) without registering. Just use the following Drupal ID and password:\n\nDrupal ID: %username@%uri_brief\npassword: %password\n\n\n--  %site team")), $variables);
        user_mail($edit["mail"], $subject, $body, "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from");
        return t("Your password and further instructions have been sent to your e-mail address.");
      }
      else {
        /*
        ** Create new user account, administrator approval required:
        */
        $subject = strtr(variable_get("user_mail_welcome_subject", t("User account details for %username at %site")), $variables);
        $body = strtr(variable_get("user_mail_welcome_body", t("%username,\n\nThank you for registering at %site. Your account will have to be approved by the site administrator. You may now login to %uri". drupal_url(array("mod" => "user", "op" => "login"), "module") ." using the following username and password:\n\nusername: %username\npassword: %password\n\nAfter logging in, you may wish to change your password at %urimodule.php?mod=user&op=edit\n\nYour new %site membership also enables to you to login to other Drupal powered websites (e.g. http://www.drop.org/) without registering. Just use the following Drupal ID and password:\n\nDrupal ID: %username@%uri_brief\npassword: %password\n\n\n--  %site team")), $variables);
        user_mail($edit["mail"], $subject, $body, "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from");
        user_mail(variable_get("site_mail", ini_get("sendmail_from")), $subject, t("%u has applied for an account.\n\n%uri", array("%u" => $account->name, "%uri" => path_uri() . drupal_url(array("mod" => "user", "op" => "edit", "id" => $account->uid), "admin"))), "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from");
        return t("Your password and further instructions have been sent to your e-mail address.");
      }
    }
  }
  else {
    if ($error) {
      $output .= theme_invoke("theme_error", check_output($error));
    }
  }

  // display the registration form
  $affiliates = user_auth_help_links();
  if (array_count_values($affiliates) > 1) {
    $affiliates = implode(", ", $affiliates);
    $output .= "<p>" . t("Note: If you have an account with one of our affiliates (%s), you may ". lm("login now", array("mod" => "user", "op" => "login")) ." instead of registering.", array("%s" => $affiliates)) ."</p>";
  }
  $output .= form_textfield(t("Username"), "name", $edit["name"], 30, 64, t("Your full name or your prefered username: only letters, numbers and spaces are allowed."));
  $output .= form_textfield(t("E-mail address"), "mail", $edit["mail"], 30, 64, t("A password and instructions will be sent to this e-mail address, so make sure it is accurate."));
  foreach (module_list() as $module) {
    if (module_hook($module, "user")) {
      $output .= module_invoke($module, "user", "register_form", $edit, $user);
    }
  }
  $output .= form_submit(t("Create new account"));
  $output .= "<p>&raquo; ". lm(t("E-mail new password"), array("mod" => "user", "op" => "password")). "<br />";
  $output .= "&raquo; " .lm(t("Log in"), array("mod" => "user", "op" => "login")). "</p>";

  return form($output);
}


function user_delete() {
  global $edit, $user;

  if ($edit["confirm"]) {
    watchdog(user,"$user->name deactivated her own account.");
    db_query("UPDATE users SET mail = 'deleted', status='0' WHERE uid = '$user->uid'");
    $output .= t("Your account has been deactivated.");
  }
  else {
    $output .= form_item(t("Confirm Deletion"), t("You are about to deactivate your own user account. In addition, your e-mail address will be removed from the database."));
    $output .= form_hidden("confirm", 1);
    $output .= form_submit(t("Delete account"));
    $output = form($output);
  }
  return $output;
}

function user_edit($edit = array()) {
  global $user, $languages;

  if ($user->uid) {
    if ($edit["name"]) {
      if ($error = user_validate_name($edit["name"])) {
        // do nothing
      }
      else if ($error = user_validate_mail($edit["mail"])) {
        // do nothing
      }
      else if (db_num_rows(db_query("SELECT uid FROM users WHERE uid != '$user->uid' AND LOWER(name) = LOWER('%s')", $edit["name"])) > 0) {
        $error = t("The name '%s' is already taken.", array("%s" => $edit["name"]));
      }
      else if ($edit["mail"] && db_num_rows(db_query("SELECT uid FROM users WHERE uid != '$user->uid' AND LOWER(mail) = LOWER('%s')", $edit["mail"])) > 0) {
        $error = t("The e-mail address '%s' is already taken.", array("%s" => $edit["mail"]));
      }
      else if ($user->uid) {
        foreach (module_list() as $module) {
          if (module_hook($module, "user")) {
            $result = module_invoke($module, "user", "edit_validate", $edit, $user);
          }
          if (is_array($result)) {
            $data = array_merge($data, $result);
          }
          elseif (is_string($result)) {
            $error = $result;
            break;
          }
        }

        /*
        ** If required, check that proposed passwords match.  If so,
        ** add new password to $edit.
        */

        if ($edit["pass1"]) {
          if ($edit["pass1"] == $edit["pass2"]) {
            $edit["pass"] = $edit["pass1"];
          }
          else {
            $error = t("The specified passwords do not match.");
          }
        }
        unset($edit["pass1"], $edit["pass2"]);

        /*
        ** Validate input fields to make sure users don't submit
        ** invalid form data.
        */

        if (!user_access("administer users")) {
           if (array_intersect(array_keys($edit), array("rid", "init", "rating", "session"))) {
             watchdog("warning", "detected malicious attempt to alter a protected database field");
           }

           $edit["rid"] = $user->rid;
           $edit["init"] = $user->init;
           $edit["rating"] = $user->rating;
           $edit["session"] = $user->session;
        }

        if (!$error) {
          /*
          ** Save user information:
          */

          $user = user_save($user, array_merge($edit, $data));

          $output .= t("Your user information changes have been saved.");
        }
      }
    }

    if ($error) {
      $output .= theme_invoke("theme_error", check_output($error));
    }

    if (!$edit) {
      $edit = object2array($user);
    }

    $output .= form_textfield(t("Username"), "name", $edit["name"], 30, 55, t("Your full name or your prefered username: only letters, numbers and spaces are allowed."));
    $output .= form_textfield(t("E-mail address"), "mail", $edit["mail"], 30, 55, t("Insert a valid e-mail address.  All e-mails from the system will be sent to this address. The e-mail address is not made public and will only be used if you wish to receive a new password or wish to receive certain news or notifications by e-mail."));

    foreach (module_list() as $module) {
      if (module_hook($module, "user")) {
        $output .= module_invoke($module, "user", "edit_form", $edit, $user);
      }
    }

    $options = "<option value=\"\"". (("" == $key) ? " selected=\"selected\"" : "") .">". t("Default theme") ."</option>\n";
    foreach (theme_list() as $key => $value) {
      $options .= "<option value=\"$key\"". (($edit["theme"] == $key) ? " selected=\"selected\"" : "") .">$key - $value->description</option>\n";
    }
    $output .= form_item(t("Theme"), "<select name=\"edit[theme]\">$options</select>", t("Selecting a different theme will change the look and feel of the site."));
    for ($zone = -43200; $zone <= 46800; $zone += 3600) $zones[$zone] = date("l, F dS, Y - h:i A", time() - date("Z") + $zone) ." (GMT ". $zone / 3600 .")";
    $output .= form_select(t("Timezone"), "timezone", $edit["timezone"], $zones, t("Select what time you currently have and your timezone settings will be set appropriate."));
    $output .= form_select(t("Language"), "language", $edit["language"], $languages, t("Selecting a different language will change the language of the site."));
    $output .= form_item(t("Password"), "<input type=\"password\" name=\"edit[pass1]\" size=\"12\" maxlength=\"24\" /> <input type=\"password\" name=\"edit[pass2]\" size=\"12\" maxlength=\"24\" />", t("Enter your new password twice if you want to change your current password or leave it blank if you are happy with your current password."));
    $output .= form_submit(t("Save user information"));

    $output = form($output, "post", 0, "enctype=\"multipart/form-data\"");
  }
  else {
    $output = user_login();
  }

  return $output;
}

function user_menu() {
  $links[] = lm(t("view user information"), array("mod" => "user", "op" => "view"));
  $links[] = lm(t("edit user information"), array("mod" => "user", "op" => "edit"));
  $links[] = lm(t("delete account"), array("mod" => "user", "op" => "delete"));

  return "<div align=\"center\">". implode(" &middot; ", $links) ."</div>";
}

function user_view($uid = 0) {
  global $theme, $user;

  if (!$uid) {
    $uid = $user->uid;
  }

  if ($user->uid && $user->uid == $uid) {
    $output = form_item(t("Name"), check_output("$user->name ($user->init)"));
    $output .= form_item(t("E-mail address"), check_output($user->mail));

    foreach (module_list() as $module) {
      if (module_hook($module, "user")) {
        $output .= module_invoke($module, "user", "view_private", "", $user);
      }
    }

    $theme->header();
    $theme->box(t("User account"), user_menu());
    $theme->box(t("View user information"), $output);
    $theme->footer();
  }
  else if ($uid && $account = user_load(array("uid" => $uid, "status" => 1))) {
    $output = form_item(t("Name"), check_output($account->name));

    foreach (module_list() as $module) {
      if (module_hook($module, "user")) {
        $output .= module_invoke($module, "user", "view_public", "", $account);
      }
    }

    $theme->header();
    $theme->box(t("View user information"), $output);
    $theme->footer();
  }
  else {
    $theme->header();
    $theme->box(t("Log in"), user_login());
    if (variable_get("user_register", 1)) {
      $theme->box(t("Create new user account"), user_register());
    }
    $theme->box(t("E-mail new password"), user_pass());
    $theme->footer();
  }
}

function user_page() {
  global $edit, $op, $id, $theme;

  switch ($op) {
    case t("E-mail new password");
    case "password":
      $theme->header();
      $theme->box(t("E-mail new password"), user_pass($edit));
      $theme->footer();
      break;
    case t("Create new account"):
    case "register":
      $output = user_register($edit);
      $theme->header();
      if (variable_get("user_register", 1)) {
        $theme->box(t("Create new account"), $output);
      }
      else {
        print message_access();
      }
      $theme->footer();
      break;
    case t("Log in"):
    case "login":
      $output = user_login($edit);
      $theme->header();
      $theme->box(t("Log in"), $output);
      $theme->footer();
      break;
    case t("Delete account"):
    case t("delete");
      $output = user_delete();
      $theme->header();
      $theme->box(t("User account"), user_menu());
      $theme->box(t("Delete account"), $output);
      $theme->footer();
      break;
    case t("Save user information"):
    case "edit":
      $output = user_edit($edit);
      $theme = theme_init();
      $theme->header();
      $theme->box(t("User account"), user_menu());
      $theme->box(t("Edit user information"), $output);
      $theme->footer();
      break;
    case "view":
      user_view($id);
      break;
    case t("Logout"):
    case "logout":
      print user_logout();
      break;
    case "help":
      $theme->header();
      $theme->box(t("Distributed authentication"), user_help_users_da());
      $theme->footer();
      break;
    default:
      print user_view();
  }

}

/*** Administrative features ***********************************************/

function user_conf_options() {
  $output .= form_select("Public registrations", "user_register", variable_get("user_register", 1), array("Only site administrators can create new user accounts.", "Visitors can create accounts and no administrator approval is required.", "Visitors can create accounts but administrator approval is required."));
  $output .= form_textfield("Password words", "user_password", variable_get("user_password", "foo,bar,guy,neo,tux,moo,sun,asm,dot,god,axe,geek,nerd,fish,hack,star,mice,warp,moon,hero,cola,girl,fish,java,perl,boss,dark,sith,jedi,drop,mojo"), 55, 256, "A comma separated list of short words that can be concatenated to generate human-readable passwords.");
  $output .= form_textfield("Welcome e-mail subject", "user_mail_welcome_subject", variable_get("user_mail_welcome_subject", t("User account details for %username at %site")), 80, 180, "Customize the subject of your welcome e-mail, which is sent to new members upon registering.  Available variables are: %username, %site, %password, %uri, %uri_brief, %mailto, %date");
  $output .= form_textarea("Welcome e-mail body", "user_mail_welcome_body", variable_get("user_mail_welcome_body", t("%username,\n\nThank you for registering at %site. You may now login to %uri". drupal_url(array("mod" => "user", "op" => "login"), "module") ." using the following username and password:\n\nusername: %username\npassword: %password\n\nAfter logging in, you may wish to change your password at %uri". drupal_url(array("mod" => "user", "op" => "edit"), "module") ."\n\nYour new %site membership also enables to you to login to other Drupal powered websites (e.g. http://www.drop.org/) without registering. Just use the following Drupal ID and password:\n\nDrupal ID: %username@%uri_brief\npassword: %password\n\n\n--  %site team")), 70, 10, "Customize the body of the welcome e-mail, which is sent to new members upon registering.  Available variables are: %username, %site, %password, %uri, %uri_brief, %mailto");
  $output .= form_textfield("Forgotten password e-mail subject", "user_mail_pass_subject", variable_get("user_mail_pass_subject", t("Replacement login information for %username at %site")), 80, 180, "Customize the Subject of your forgotten password e-mail.  Available variables are: %username, %site, %password, %uri, %uri_brief, %mailto, %date");
  $output .= form_textarea("Forgotten password e-mail body", "user_mail_pass_body", variable_get("user_mail_pass_body", t("%username,\n\nHere is your new password for %site. You may now login to %uri". drupal_url(array("mod" => "user", "op" => "login"), "module") ." using the following username and password:\n\nusername: %username\npassword: %password\n\nAfter logging in, you may wish to change your password at %uri". drupal_url(array("mod" => "user", "op" => "edit"), "module") ."\n\nYour new %site membership also enables to you to login to other Drupal powered websites (e.g. http://www.drop.org/) without registering. Just use the following Drupal ID and password:\n\nDrupal ID: %username@%uri_brief\npassword: %password\n\n\n--  %site team")), 70, 10, "Customize the body of the forgotten password e-mail.  Available variables are: %username, %site, %password, %uri, %uri_brief, %mailto");
  return $output;
}

function user_admin_settings($edit = array()) {
  global $op;

  if ($op == "Save configuration") {
    /*
    ** Save the configuration options:
    */

    foreach ($edit as $name => $value) variable_set($name, $value);
  }

  if ($op == "Reset to defaults") {
    /*
    ** Reset the configuration options to their default value:
    */

    foreach ($edit as $name=>$value) variable_del($name);
  }

  $output .= user_conf_options();
  $output .= form_submit("Save configuration");
  $output .= form_submit("Reset to defaults");

  return form($output);

}

function user_admin_create($edit = array()) {

  if ($edit["name"] || $edit["mail"]) {
    if ($error = user_validate_name($edit["name"])) {
      // do nothing
    }
    else if ($error = user_validate_mail($edit["mail"])) {
      // do nothing
    }
    else if (db_num_rows(db_query("SELECT name FROM users WHERE LOWER(name) = LOWER('%s')", $edit["name"])) > 0) {
      $error = t("The name '%s' is already taken.", array("%s" => $edit["name"]));
    }
    else if (db_num_rows(db_query("SELECT mail FROM users WHERE LOWER(mail) = LOWER('%s')", $edit["mail"])) > 0) {
      $error = t("The e-mail address '%s' is already taken.", array("%s" => $edit["mail"]));
    }
    else {
      $success = 1;
    }
  }

  if ($success) {

    watchdog("user", "new user: '". $edit["name"] ."' &lt;". $edit["mail"] ."&gt;");

    user_save("", array("name" => $edit["name"], "pass" => $edit["pass"], "init" => $edit["mail"], "mail" => $edit["mail"], "rid" => _user_authenticated_id(), "status" => 1));

    return "Created a new user '". $edit["name"] ."'.  No e-mail has been sent.";
  }
  else {

    if ($error) {
      $output .= theme_invoke("theme_error", check_output($error));
    }

    $output .= form_textfield("Username", "name", $edit["name"], 30, 55);
    $output .= form_textfield("E-mail address", "mail", $edit["mail"], 30, 55);
    $output .= form_textfield("Password", "pass", $edit["pass"], 30, 55);
    $output .= form_submit("Create account");

    return form($output);
  }
}

function user_admin_access($edit = array()) {
  global $op, $id, $type;

  $output .= "<small>". la(t("e-mail rules"), array("mod" => "user", "op" => "access", "type" => "mail")) ." :: ". la(t("username rules"), array("mod" => "user", "op" => "access", "type" => "user")) ."</small><hr />";  // irc rules, too!

  if ($type != "user") {
    $output .= "<h3>E-mail rules</h3>";
    $type = "mail";
  }
  else {
    $output .= "<h3>Username rules</h3>";
  }

  if ($op == "Add rule") {
    db_query("INSERT INTO access (mask, type, status) VALUES ('%s', '%s', '%s')", $edit["mask"], $type, $edit["status"]);
  }
  else if ($op == "Check") {
    if (user_deny($type, $edit["test"])) {
      $message = "<b>'". $edit["test"] ."' is not allowed.</b><p />";
    }
    else {
      $message = "<b>'". $edit["test"] ."' is allowed.</b><p />";
    }
  }
  else if ($id) {
    db_query("DELETE FROM access WHERE aid = '%s'", $id);
  }

  $output .= "<table border=\"1\" cellpadding=\"2\" cellspacing=\"2\">";
  $output .= " <tr><th>type</th><th>mask</th><th>operations</th></tr>";

  $result = db_query("SELECT * FROM access WHERE type = '%s' AND status = '1' ORDER BY mask", $type);

  while ($rule = db_fetch_object($result)) {
    $output .= "<tr><td align=\"center\">allow</td><td>". check_output($rule->mask) ."</td><td>". la(t("delete rule"), array("mod" => "user", "op" => "access", "type" => $type, "id" => $rule->aid)) ."</td></tr>";
  }

  $result = db_query("SELECT * FROM access WHERE type = '%s' AND status = '0' ORDER BY mask", $type);

  while ($rule = db_fetch_object($result)) {
    $output .= "<tr><td align=\"center\">deny</td><td>". check_output($rule->mask) ."</td><td>". la(t("delete rule"), array("mod" => "user", "op" => "access", "type" => $type, "id" => $rule->aid)). "</td></tr>";
  }

  $output .= " <tr><td><select name=\"edit[status]\"><option value=\"1\">allow</option><option value=\"0\">deny</option></select></td><td><input size=\"32\" maxlength=\"64\" name=\"edit[mask]\" /></td><td><input type=\"submit\" name=\"op\" value=\"Add rule\" /></td></tr>";
  $output .= "</table>";
  $output .= "<p><small>%: matches any number of characters, even zero characters.<br />_: matches exactly one character.</small></p>";

  if ($type != "user") {
    $output .= "<h3>Check e-mail address</h3>";
  }
  else {
    $output .= "<h3>Check username</h3>";
  }

  $output .= "$message<input size=\"32\" maxlength=\"64\" name=\"edit[test]\" value=\"". $edit["test"] ."\" /><input type=\"submit\" name=\"op\" value=\"Check\" />";

  return form($output);
}

function user_roles($membersonly = 0) {
  $result = db_query("SELECT * FROM role ORDER BY name");
  while ($role = db_fetch_object($result)) {
    if (!$membersonly || ($membersonly && $role->name != "anonymous user")) {
      $roles[$role->rid] = $role->name;
    }
  }
  return $roles;
}

function user_admin_perm($edit = array()) {
  global $tid;

  if ($edit) {

    /*
    ** Save permissions:
    */

    $tid = check_input($edit["tid"]);

    $result = db_query("SELECT * FROM role");
    while ($role = db_fetch_object($result)) {
      // delete, so if we clear every checkbox we reset that role;
      // otherwise permissions are active and denied everywhere
      db_query("DELETE FROM permission WHERE rid = '%s' AND tid = '%s'", $role->rid, $tid);
      $perm = $edit[$role->rid] ? implode(", ", array_keys($edit[$role->rid])) : "";
      if ($perm) {
        db_query("INSERT INTO permission (rid, perm, tid) VALUES ('%s', '%s', %s'')", $role->rid, $perm, $tid);
      }

    }
  }

  /*
  ** Compile permission array:
  */

  foreach (module_list() as $name) {
    if (module_hook($name, "perm")) {