# =====================================================================
# updateUser.awk: RPC I/O function for rpclib/updateUser.
#
# Copyright (c) 2007,2008,2009,2010 Carlo Strozzi
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 dated June, 1991.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# =====================================================================

# =====================================================================
# void _userproc(int mode)
#
# mode == _O_REQUEST: read the account form fields with _request(),
#   validate each one against a whitelist pattern and a length window,
#   and store what is accepted with _rcset() under cgi.* names.
# any other mode: response phase; run the generic template
#   conditionals and tidy one template variable.
#
# Sentinel convention used below: a field that is present but fails
# validation is not stored verbatim. Instead "." is stored (malformed),
# or "-" for a password whose verification field does not match, so
# that the underlying shell script can raise the proper exception.
# The userid and passwd patterns and minimum lengths cannot themselves
# produce "." or "-", so a client cannot submit a sentinel as a valid
# value for those two fields.
#
# value,len,a,i,tmp,tmp1 are awk locals (scratch variables), not
# arguments. They are reused from one field to the next, so the order
# of the statements below matters.
# =====================================================================

function _userproc(mode,    value,len,a,i,tmp,tmp1) {

    if (mode == _O_REQUEST) {		# request.

	# target group
	value = _request("1",1)

	# group must not be null and it may not contain the
	# unescaped ``.'' character.
	# NOTE(review): no other character filtering is applied to the
	# literal form here; presumably unixify() yields the safe form
	# used for lookups. Verify before using cgi.group.literal in a
	# path or a shell context.

	if (value != _NULL && value !~ /\./) {
	    _rcset("cgi.group",unixify(value))
	    _rcset("cgi.group.literal",value)
	}

	# user-id will always be considered lower-case and using
	# an e-mail should not be allowed, to prevent breaking
	# privacy when a user-id is virtually cancelled.
	# Accepted form: starts with a letter, then letters, digits,
	# "-", "_" or "."; 5 to 16 characters. "@" is not in the set,
	# which is what keeps e-mail addresses out.

	value = tolower(_strip(_request("userid",1)))
	len = length(value)
	if (value ~ /^[a-z][-_a-z0-9.]*$/ && len > 4 && len < 17) {
	    _rcset("cgi.auth.userid",value)

	    # escape grep(1) regexp chars in user-id. Of the characters
	    # in the class below only "." can still occur in a user-id
	    # that passed the pattern above.
	    # NOTE(review): how the replacement "\\&" is interpreted
	    # (backslash followed by the matched character, or a literal
	    # "&") differs between awk implementations. Confirm on the
	    # deployed awk that "a.b" becomes "a\.b", otherwise
	    # cgi.grep.userid will not match the stored user-id.
	    #gsub(/[][\\^$.*|()]/,"\\\&",value)
	    gsub(/[][\\^$.*|()]/,"\\&",value)
	    _rcset("cgi.grep.userid",value)
	}

	# Handle malformed user-id by setting it to "." .
	else if (value != _NULL) _rcset("cgi.auth.userid",".")

	# password (case-sensitive).
	# Accepted form: letters, digits and "-+_.!:" only, 6 to 50
	# characters. No blank or shell metacharacter can pass this
	# pattern.
	value = _strip(_request("passwd",1))
	len = length(value)

	if (value ~ /^[-+_a-zA-Z0-9.!:]+$/ && len > 5 && len < 51) {
	    _rcset("cgi.auth.passwd",value)

	    # If the user entered something in the password field, then
	    # if the verification field does not match then the password
	    # is assigned the bogus value "-", which will trigger the
	    # proper action in the underlying shell script.

	    if (_strip(_request("verify",1)) != value)
		_rcset("cgi.auth.passwd","-")
	}

	# Handle malformed password by setting it to "." .
	else if (value != _NULL) _rcset("cgi.auth.passwd",".")

	# first name. Tabs, line breaks, "<", ">" and "," are turned
	# into blanks (no markup, no record or field separators), and
	# the value is stored only if it contains at least one letter.
	value = _request("firstname",1)
	gsub(/[\t\r\n<>,]+/," ",value)
	if (value ~ /[a-zA-Z]/)
	    _rcset("cgi.auth.firstname", _strip(value,_O_MIDDLE))

	# last name. Same filtering as the first name.
	value = _request("lastname",1)
	gsub(/[\t\r\n<>,]+/," ",value)
	if (value ~ /[a-zA-Z]/)
	    _rcset("cgi.auth.lastname", _strip(value,_O_MIDDLE))

	# Full-name. Must be in the form "Last,First" and if present
	# it will override first/last above. Note that if this field
	# was obtained through OpenID and it is not in the expected
	# format, then the user will have to fix it manually in the
	# relevant entry field before submitting the registration form,
	# or the system will complain.
	# The comma is kept here (it is the separator); 8 to 50
	# characters are accepted.

	value = _request("fullname",1)
	gsub(/[\t\r\n<>]+/," ",value)
	len = length(value)
	if (value ~ /[a-zA-Z]/ && value ~ /[^,]+,[^,]+/ && \
	    len > 7 && len < 51) {

	    # The following heuristic is far from being bullet-proof
	    # (think of "Mr. Joseph Robert Smarr, Esq."), but that's it.
	    # Exactly one comma is required: split() must give 2 parts.

	    if (split(value,a,",") == 2) {
		_rcset("cgi.auth.lastname", _strip(a[1],_O_MIDDLE))
		_rcset("cgi.auth.firstname", _strip(a[2],_O_MIDDLE))
	    }

	    # Handle malformed fullname by setting first name to "." .
	    else _rcset("cgi.auth.firstname",".")
	}

	# Again, handle malformed fullname by setting first name to "." .
	else if (value != _NULL) _rcset("cgi.auth.firstname",".")

	# e-mail address. Must pass _isemail() and be 5 to 50
	# characters long.
	value = _strip(_request("email",1))
	len = length(value)
	if (_isemail(value) != _EINVAL && len > 4 && len < 51)
	    _rcset("cgi.auth.email",value)

	# This is how to permanently delete an account.
	# The literal "DELETE" is stored regardless of the _isemail()
	# result above.
	# NOTE(review): nothing in this function checks who may delete
	# which account. That authorization must be enforced by the
	# consumer of cgi.auth.email; confirm that it is.
	if (value == "DELETE") _rcset("cgi.auth.email",value)

	# Mandatory comma- or blank-separated list of authentication
	# groups the target account must belong into. If one such group
	# is "editor" it will be responsibility of the underlying shell
	# script to ensure that it is interpreted as group-level editor.
	# Input can be either or both an rc(1) list and a comma-separated
	# scalar, so let's be compatible with both forms. Authorization
	# groups are like user IDs: they must always be lower-case, or
	# things may become messy.
	#
	# tmp1 holds the names seen so far as ",name1,name2,".
	# Names that do not match the pattern below (a letter followed
	# by at least one letter or digit) are silently dropped. Since
	# accepted names hold no regexp metacharacters, using a[i]
	# inside the dynamic regexp of the duplicate test is safe.
	# \001 is presumably the separator _request() uses for rc(1)
	# lists; verify.

	value=_NULL; tmp1 = ","
	tmp = tolower(_request("auth"))
	gsub(/[\001, ]+/," ",tmp)
	split(tmp,a," ")
	for (i in a) {
	    # remove any duplicates along the way.
	    if (a[i] ~ /^[a-z][a-z0-9]+$/) {
		if (tmp1 !~ "," a[i] ",") value = value " " a[i]
		tmp1 = tmp1 a[i] ","
	    }
	}

	# NOTE(review): value starts with a blank at this point, so
	# splitting on the regexp / +/ yields an empty first element in
	# POSIX awk. Confirm that _rcset() tolerates (or discards) an
	# empty item appended to cgi.auth.groups.
	if (split(value,a,/ +/)) {

	    # turn into the final rc(1) list.
	    for (i in a) _rcset("cgi.auth.groups",a[i],_NULL,_O_APPEND)
	}

	# Optional OpenID URL.

	if ((value=_strip(_request("openid",1),_O_CRUSH)) != _NULL) {

	    # Set bogus OpenID URL value if necessary, to trigger an
	    # exception in the underlying shell script.
	    # Rejected: anything _isuri() does not accept, and any value
	    # holding a tab, a line break, "<" or ">".

	    if (_isuri(value) != _TRUE) value = "."
	    else if (value ~ /[\t\r\n<>]+/) value = "."

	    _rcset("cgi.auth.openid",value)

	    # escape grep(1) regexp chars in OpenID URL.
	    # NOTE(review): the interpretation of "\\&" depends on the
	    # awk implementation, as for the user-id above; verify on
	    # the deployed awk. The class covers basic-regexp
	    # metacharacters only: "?", "+", "{" and "}" can occur in a
	    # URL and are left alone, which matters if the consumer uses
	    # extended regexps (grep -E); confirm which one it uses.
	    #gsub(/[][\\^$.*|()]/,"\\\&",value)
	    gsub(/[][\\^$.*|()]/,"\\&",value)

	    _rcset("cgi.grep.openid",value)
	}

	# Optional preferred editing user interface, only
	# useful if the registering user will eventually
	# be granted the group-editor status. If this field
	# begins with (or contains only) "-", then the target
	# account will be temporarily suspended. If a user
	# disables her own account, she will no longer be able
	# to log-in after she logs out, so she will need to ask
	# a global editor to have the account re-enabled.
	# We have two methods to prepend the suspend flag to
	# gui value: either by including it in the gui value
	# itself or by specifying the disablement in a separate
	# form value. In either case the result will be "-gui".
	# This was done to accommodate different user editing
	# interfaces (see tw-edit-user.txt).

	value = tolower(_strip(_request("gui",1)))

	# When "suspend" is set, one "-" is prepended; otherwise every
	# leading "-" is removed from the value.
	if (_bool(_request("suspend",1)) == _TRUE) value = "-" value
	else sub(/^-*/,"",value)

	# collapse a run of leading "-" into a single one.
	sub(/^-+/,"-",value)

	# in case it contains just "-" .
	if (value ~ /^-$/) value = "-default"

	# Whitelist: only the known editor names, with an optional
	# leading "-", are stored. Anything else is ignored and no
	# sentinel is set.
	if (value \
	    ~ /^-?(parsewiki|rawhtml|tinymce|nicedit|ckeditor|default)$/)
	    _rcset("cgi.auth.gui",value)

	# Optional extra values. This field can contain pretty much
	# anything at the moment, and the correctness of its content
	# is entirely up to the editing user. This means also that the
	# *entire* content of this field, included all of its subfields,
	# are editable by the record owner.
	# NOTE(review): unlike the name fields, "<", ">" and line breaks
	# are not filtered here; what _strip(...,_O_CRUSH) removes is
	# not visible in this file. Treat cgi.auth.other as untrusted
	# wherever it is written to a record or echoed into a page.

	value = _request("other",1)
	if (value ~ /[a-zA-Z0-9]/) {
	    gsub(/,+/,",",value)		# strip repeated commas.
	    _rcset("cgi.auth.other", _strip(value,_O_CRUSH))
	}

	# checksum: letters and digits only. The "*" means that an
	# empty value matches as well and is stored.
	value = _request("checksum",1)
	if (value ~ /^[a-zA-Z0-9]*$/) _rcset("cgi.checksum",value)

	# The following test is necessary since the address could,
	# at least in theory, have been set to any string by the
	# remote user, due to how it is handled to cope with stunnel(8)
	# and the lack of transproxy support in kernel 2.4.x.
	# Anything _isipaddr() does not accept is replaced by 0.0.0.0,
	# so a client-chosen string never reaches REMOTE_ADDR.

	if (_isipaddr(ENVIRON["REMOTE_ADDR"]) == _TRUE)
	    value = ENVIRON["REMOTE_ADDR"]
	else value = "0.0.0.0"

	_rcset("REMOTE_ADDR",value)
    }

    else {				# response.

	# generic template conditionals.
	ifsections()

	# Remove surrounding commas from displayed value.
	value = _rcget("tpl.var.tw.auth.group",1)
	sub(/^,+/,"",value); sub(/,+$/,"",value)
	_response("tpl.var.tw.auth.group",value)
    }
}

# EOF