boinc/html/user/create_account.php

<?php
// This file is part of BOINC.
// http://boinc.berkeley.edu
// Copyright (C) 2008 University of California
//
// BOINC is free software; you can redistribute it and/or modify it
// under the terms of the GNU Lesser General Public License
// as published by the Free Software Foundation,
// either version 3 of the License, or (at your option) any later version.
//
// BOINC is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
// See the GNU Lesser General Public License for more details.
//
// You should have received a copy of the GNU Lesser General Public License
// along with BOINC.  If not, see <http://www.gnu.org/licenses/>.

// RPC handler for account creation

require_once("../inc/boinc_db.inc");
require_once("../inc/util.inc");
require_once("../inc/email.inc");
require_once("../inc/xml.inc");
require_once("../inc/user_util.inc");
require_once("../inc/team.inc");
require_once("../inc/password_compat/password.inc");
require_once("../inc/consent.inc");

xml_header();

$retval = db_init_xml();
if ($retval) xml_error($retval);

$config = get_config();
if (parse_bool($config, "disable_account_creation")) {
    xml_error(ERR_ACCT_CREATION_DISABLED);
}
if (parse_bool($config, "disable_account_creation_rpc")) {
    xml_error(ERR_ACCT_CREATION_DISABLED);
}

if(defined('INVITE_CODES')) {
    $invite_code = get_str("invite_code");
    if (!preg_match(INVITE_CODES, $invite_code)) {
        xml_error(ERR_ATTACH_FAIL_INIT);
    }
} 

$email_addr = get_str("email_addr");
$email_addr = strtolower($email_addr);
$passwd_hash = get_str("passwd_hash");
$user_name = get_str("user_name");
$team_name = get_str("team_name", true);

$consent_flag = get_str("consent_flag", true);
$source = get_str("source", true);

if (!is_valid_user_name($user_name, $reason)) {
    xml_error(ERR_BAD_USER_NAME, $reason);
}

if (!is_valid_email_addr($email_addr)) {
    xml_error(ERR_BAD_EMAIL_ADDR);
}

if (is_banned_email_addr($email_addr)) {
    xml_error(ERR_BAD_EMAIL_ADDR);
}

if (strlen($passwd_hash) != 32) {
    xml_error(-1, "password hash length not 32");
}

$tmpuser = BoincUser::lookup_prev_email_addr($email_addr);
if ($tmpuser) {
    xml_error(ERR_DB_NOT_UNIQUE);
}

$user = BoincUser::lookup_email_addr($email_addr);
if ($user) {
    if ($user->passwd_hash != $passwd_hash && !password_verify($passwd_hash, $user->passwd_hash)) {
        xml_error(ERR_DB_NOT_UNIQUE);
    } else {
        $authenticator = $user->authenticator;
    }
} else {
    $user = make_user($email_addr, $user_name, $passwd_hash, 'International');
    if (!$user) {
        xml_error(ERR_DB_NOT_UNIQUE);
    }
    
    if (defined('INVITE_CODES')) {
        error_log("Account for '$email_addr' created using invitation code '$invite_code'");
    }

    // If the project has configured to use the CONSENT_TYPE_ENROLL, then
    // record it.
    list($checkct, $ctid) = check_consent_type(CONSENT_TYPE_ENROLL);
    if ($checkct and check_termsofuse()) {
        // As of Sept 2018, this code allows 'legacy' boinc clients to
        // create accounts. If consent_flag is null the code creates
        // an account as normal and there is no update to the consent
        // DB table.
        //
        // Logic:
        // * An old(er) BOINC Manager or third party GUI that doesn't
        // * support the new consent features.
        //   -> consent_flag not set (NULL).
        // * A new(er) BOINC GUI, the terms of use are shown and user
        // * agrees.
        //   -> consent_flag=1
        // * A new or older GUI, terms of use shown but the user not
        // * not agree.
        //   -> no create account RPC at all
        //
        // In the future, when the majority of BOINC clients and
        // Account Managers have been updated to use the consent_flag
        // parameter, then this code should be revised to only allow
        // clients who do use this flag to continue. I.e., if
        // is_null($consent_flag) returns TRUE, then return an
        // xml_error(-1, ...).
        if ( (!is_null($consent_flag)) and $source) {
            // Record the user giving consent in database - if consent_flag is 0,
            // this is an 'anonymous account' and consent_not_required is
            // set to 1.
            if ($consent_flag==0) {
                $rc = consent_to_a_policy($user, $ctid, 0, 1, $source);
            } else  {
                $rc = consent_to_a_policy($user, $ctid, 1, 0, $source);
            }
            if (!$rc) {
                xml_error(-1, "database error, please contact site administrators");
            }
        }
    }

}

if ($team_name) {
    $team_name = BoincDb::escape_string($team_name);
    $team = BoincTeam::lookup("name='$team_name'");
    if ($team && $team->joinable) {
        user_join_team($team, $user);
    }
}

echo " <account_out>\n";
echo "   <authenticator>$user->authenticator</authenticator>\n";
echo "</account_out>\n";

?>
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00			`<?php`
- web: added copyright and license info to PHP files svn path=/trunk/boinc/; revision=15758 2008-08-05 22:43:14 +00:00			`// This file is part of BOINC.`
			`// http://boinc.berkeley.edu`
			`// Copyright (C) 2008 University of California`
			`//`
			`// BOINC is free software; you can redistribute it and/or modify it`
			`// under the terms of the GNU Lesser General Public License`
			`// as published by the Free Software Foundation,`
			`// either version 3 of the License, or (at your option) any later version.`
			`//`
			`// BOINC is distributed in the hope that it will be useful,`
			`// but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.`
			`// See the GNU Lesser General Public License for more details.`
			`//`
			`// You should have received a copy of the GNU Lesser General Public License`
			`// along with BOINC. If not, see <http://www.gnu.org/licenses/>.`
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00
			`// RPC handler for account creation`

web: use new DB API here and there; should be no visible changes 2014-04-24 16:41:59 +00:00			`require_once("../inc/boinc_db.inc");`
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00			`require_once("../inc/util.inc");`
			`require_once("../inc/email.inc");`
			`require_once("../inc/xml.inc");`
web: code shuffle, no functional changes separate user-related code into: user.php (web display of accounts) user_util.php (creating/deleting accounts) 2017-06-22 08:07:25 +00:00			`require_once("../inc/user_util.inc");`
- client/manager/GUI RPC: project_info.xml file can contain <team_name>. If present, and a new user account is created, it will be made a member of that team if it exists. svn path=/trunk/boinc/; revision=21030 2010-03-30 17:46:09 +00:00			`require_once("../inc/team.inc");`
web: refactor password hashing changes to move compatibility library as a .inc file and to move common functions into user_util.inc 2018-04-04 18:47:26 +00:00			`require_once("../inc/password_compat/password.inc");`
web: Add functionality of consent to Web site and RPCs. create_account RPC modified to record a user's consent. am_set_info RPC modified to allow for modification of user's consent. Account registration on Web site modified to show terms_of_use.txt file and record user's consent. 2018-05-04 23:42:05 +00:00			`require_once("../inc/consent.inc");`
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00
			`xml_header();`

* empty log message * svn path=/trunk/boinc/; revision=11117 2006-09-06 20:56:55 +00:00			`$retval = db_init_xml();`
			`if ($retval) xml_error($retval);`

* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00			`$config = get_config();`
account creation via RPC with invitation code svn path=/trunk/boinc/; revision=11314 2006-10-19 18:09:02 +00:00			`if (parse_bool($config, "disable_account_creation")) {`
Extend PHP interface for Web RPCs - add a PHP interface for lookup_account() - PHP interfaces return error number as well as message (messages change; numbers don't) - using symbolic error codes instead of hardwired numbers in PHP code 2013-12-29 06:50:59 +00:00			`xml_error(ERR_ACCT_CREATION_DISABLED);`
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00			`}`
web: fix problem with Recaptcha display in create-account form. Also add <disable_account_creation_rpc> config flag, to disable account creation via Web RPC (which is not Recaptcha-protected) 2013-11-26 06:07:20 +00:00			`if (parse_bool($config, "disable_account_creation_rpc")) {`
Extend PHP interface for Web RPCs - add a PHP interface for lookup_account() - PHP interfaces return error number as well as message (messages change; numbers don't) - using symbolic error codes instead of hardwired numbers in PHP code 2013-12-29 06:50:59 +00:00			`xml_error(ERR_ACCT_CREATION_DISABLED);`
web: fix problem with Recaptcha display in create-account form. Also add <disable_account_creation_rpc> config flag, to disable account creation via Web RPC (which is not Recaptcha-protected) 2013-11-26 06:07:20 +00:00			`}`
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00
account creation via RPC with invitation code svn path=/trunk/boinc/; revision=11314 2006-10-19 18:09:02 +00:00			`if(defined('INVITE_CODES')) {`
- web: cleaned up logic of string processing. There are two aspects: 1) undoing magic quotes (if it's being used). This must be done for all GET and POST string inputs. It is now done automatically by get_str() and post_str(). The places that refer to $_GET and $_POST directly must do it themselves using undo_magic_quotes(). 2) Escaping user-supplied strings before using them in DB queries. This is done by process_user_text() (which should be renamed db_escape_string()). The new principle: call process_user_text() in the function that does the DB query (not at any higher level). svn path=/trunk/boinc/; revision=15389 2008-06-11 19:36:10 +00:00			`$invite_code = get_str("invite_code");`
account creation via RPC with invitation code svn path=/trunk/boinc/; revision=11314 2006-10-19 18:09:02 +00:00			`if (!preg_match(INVITE_CODES, $invite_code)) {`
Extend PHP interface for Web RPCs - add a PHP interface for lookup_account() - PHP interfaces return error number as well as message (messages change; numbers don't) - using symbolic error codes instead of hardwired numbers in PHP code 2013-12-29 06:50:59 +00:00			`xml_error(ERR_ATTACH_FAIL_INIT);`
account creation via RPC with invitation code svn path=/trunk/boinc/; revision=11314 2006-10-19 18:09:02 +00:00			`}`
			`}`

* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00			`$email_addr = get_str("email_addr");`
- web: cleaned up logic of string processing. There are two aspects: 1) undoing magic quotes (if it's being used). This must be done for all GET and POST string inputs. It is now done automatically by get_str() and post_str(). The places that refer to $_GET and $_POST directly must do it themselves using undo_magic_quotes(). 2) Escaping user-supplied strings before using them in DB queries. This is done by process_user_text() (which should be renamed db_escape_string()). The new principle: call process_user_text() in the function that does the DB query (not at any higher level). svn path=/trunk/boinc/; revision=15389 2008-06-11 19:36:10 +00:00			`$email_addr = strtolower($email_addr);`
			`$passwd_hash = get_str("passwd_hash");`
			`$user_name = get_str("user_name");`
- finish up the auto-team feature svn path=/trunk/boinc/; revision=21033 2010-03-30 20:58:39 +00:00			`$team_name = get_str("team_name", true);`
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00
web: modified RPCs to use new consent_type table definitions. Added check consent type function for RPCs and Web forms. 2018-06-01 20:13:51 +00:00			`$consent_flag = get_str("consent_flag", true);`
web: Add functionality of consent to Web site and RPCs. create_account RPC modified to record a user's consent. am_set_info RPC modified to allow for modification of user's consent. Account registration on Web site modified to show terms_of_use.txt file and record user's consent. 2018-05-04 23:42:05 +00:00			`$source = get_str("source", true);`

Fix account creation RPC svn path=/trunk/boinc/; revision=25488 2012-03-26 05:48:38 +00:00			`if (!is_valid_user_name($user_name, $reason)) {`
Extend PHP interface for Web RPCs - add a PHP interface for lookup_account() - PHP interfaces return error number as well as message (messages change; numbers don't) - using symbolic error codes instead of hardwired numbers in PHP code 2013-12-29 06:50:59 +00:00			`xml_error(ERR_BAD_USER_NAME, $reason);`
- client/server: estimate FLOPS for NVIDIA GPUs with compute capability 3.x. Not sure if the parameters are right (128 cores/proc, 2 flops/clock) but they're better than nothing. - web: don't allow user names that have leading or trailing white space, or HTML tags, or are empty svn path=/trunk/boinc/; revision=25485 2012-03-24 06:31:03 +00:00			`}`

* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00			`if (!is_valid_email_addr($email_addr)) {`
Extend PHP interface for Web RPCs - add a PHP interface for lookup_account() - PHP interfaces return error number as well as message (messages change; numbers don't) - using symbolic error codes instead of hardwired numbers in PHP code 2013-12-29 06:50:59 +00:00			`xml_error(ERR_BAD_EMAIL_ADDR);`
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00			`}`
- client/server: estimate FLOPS for NVIDIA GPUs with compute capability 3.x. Not sure if the parameters are right (128 cores/proc, 2 flops/clock) but they're better than nothing. - web: don't allow user names that have leading or trailing white space, or HTML tags, or are empty svn path=/trunk/boinc/; revision=25485 2012-03-24 06:31:03 +00:00
svn path=/trunk/boinc/; revision=18353 2009-06-10 18:42:15 +00:00			`if (is_banned_email_addr($email_addr)) {`
Extend PHP interface for Web RPCs - add a PHP interface for lookup_account() - PHP interfaces return error number as well as message (messages change; numbers don't) - using symbolic error codes instead of hardwired numbers in PHP code 2013-12-29 06:50:59 +00:00			`xml_error(ERR_BAD_EMAIL_ADDR);`
svn path=/trunk/boinc/; revision=18353 2009-06-10 18:42:15 +00:00			`}`
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00
			`if (strlen($passwd_hash) != 32) {`
* empty log message * svn path=/trunk/boinc/; revision=11125 2006-09-08 19:51:33 +00:00			`xml_error(-1, "password hash length not 32");`
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00			`}`

Clean up boinc_db email calls. Moved edit_email_action to fix time of email change not being passed to next function. Added check for previous email address still within 7 days for create_account.php call. 2018-05-02 14:45:40 +00:00			`$tmpuser = BoincUser::lookup_prev_email_addr($email_addr);`
			`if ($tmpuser) {`
			`xml_error(ERR_DB_NOT_UNIQUE);`
			`}`

web: use new DB API here and there; should be no visible changes 2014-04-24 16:41:59 +00:00			`$user = BoincUser::lookup_email_addr($email_addr);`
* empty log message * svn path=/trunk/boinc/; revision=7360 2005-08-16 20:48:21 +00:00			`if ($user) {`
web: Fix style incompatibilities 2018-03-13 21:49:14 +00:00			`if ($user->passwd_hash != $passwd_hash && !password_verify($passwd_hash, $user->passwd_hash)) {`
Extend PHP interface for Web RPCs - add a PHP interface for lookup_account() - PHP interfaces return error number as well as message (messages change; numbers don't) - using symbolic error codes instead of hardwired numbers in PHP code 2013-12-29 06:50:59 +00:00			`xml_error(ERR_DB_NOT_UNIQUE);`
* empty log message * svn path=/trunk/boinc/; revision=7360 2005-08-16 20:48:21 +00:00			`} else {`
			`$authenticator = $user->authenticator;`
			`}`
			`} else {`
Do not allow blank or NULL countries svn path=/trunk/boinc/; revision=13462 2007-08-26 10:29:08 +00:00			`$user = make_user($email_addr, $user_name, $passwd_hash, 'International');`
- user web: code cleanup related to user creation. Make a single function that creates users and cleanses args. svn path=/trunk/boinc/; revision=13216 2007-07-25 15:11:14 +00:00			`if (!$user) {`
Extend PHP interface for Web RPCs - add a PHP interface for lookup_account() - PHP interfaces return error number as well as message (messages change; numbers don't) - using symbolic error codes instead of hardwired numbers in PHP code 2013-12-29 06:50:59 +00:00			`xml_error(ERR_DB_NOT_UNIQUE);`
* empty log message * svn path=/trunk/boinc/; revision=7360 2005-08-16 20:48:21 +00:00			`}`
Add a message to error_log when account is created using an invitation code (from Eric Myers) svn path=/trunk/boinc/; revision=11532 2006-11-15 20:15:01 +00:00
web: add code to optionally record user IP in DB 2015-03-16 00:59:57 +00:00			`if (defined('INVITE_CODES')) {`
- user web: code cleanup related to user creation. Make a single function that creates users and cleanses args. svn path=/trunk/boinc/; revision=13216 2007-07-25 15:11:14 +00:00			`error_log("Account for '$email_addr' created using invitation code '$invite_code'");`
Add a message to error_log when account is created using an invitation code (from Eric Myers) svn path=/trunk/boinc/; revision=11532 2006-11-15 20:15:01 +00:00			`}`
* empty log message * svn path=/trunk/boinc/; revision=7360 2005-08-16 20:48:21 +00:00
web: defined CONSENT_TYPE_ENROLL and replaced string 'ENROLL' with this define. No changes to functionally, only a new define(). 2018-09-17 15:39:24 +00:00			`// If the project has configured to use the CONSENT_TYPE_ENROLL, then`
web: modified RPCs to use new consent_type table definitions. Added check consent type function for RPCs and Web forms. 2018-06-01 20:13:51 +00:00			`// record it.`
web: defined CONSENT_TYPE_ENROLL and replaced string 'ENROLL' with this define. No changes to functionally, only a new define(). 2018-09-17 15:39:24 +00:00			`list($checkct, $ctid) = check_consent_type(CONSENT_TYPE_ENROLL);`
rpc: Add check terms-of-use file when creating account. Also rewrite parts of comment in code. 2018-09-28 16:34:54 +00:00			`if ($checkct and check_termsofuse()) {`
Added long docmentation about the create_account RPC, and what may need to change in the future. No functional changes. 2018-09-17 20:23:20 +00:00			`// As of Sept 2018, this code allows 'legacy' boinc clients to`
rpc: Removed min_version_number code block. 2018-10-05 17:38:21 +00:00			`// create accounts. If consent_flag is null the code creates`
			`// an account as normal and there is no update to the consent`
			`// DB table.`
rpc: Add check terms-of-use file when creating account. Also rewrite parts of comment in code. 2018-09-28 16:34:54 +00:00			`//`
rpc: Removed min_version_number code block. 2018-10-05 17:38:21 +00:00			`// Logic:`
			`// * An old(er) BOINC Manager or third party GUI that doesn't`
			`// * support the new consent features.`
			`// -> consent_flag not set (NULL).`
			`// * A new(er) BOINC GUI, the terms of use are shown and user`
			`// * agrees.`
			`// -> consent_flag=1`
			`// * A new or older GUI, terms of use shown but the user not`
			`// * not agree.`
			`// -> no create account RPC at all`
Added long docmentation about the create_account RPC, and what may need to change in the future. No functional changes. 2018-09-17 20:23:20 +00:00			`//`
			`// In the future, when the majority of BOINC clients and`
			`// Account Managers have been updated to use the consent_flag`
			`// parameter, then this code should be revised to only allow`
			`// clients who do use this flag to continue. I.e., if`
			`// is_null($consent_flag) returns TRUE, then return an`
			`// xml_error(-1, ...).`
web: modified RPCs to use new consent_type table definitions. Added check consent type function for RPCs and Web forms. 2018-06-01 20:13:51 +00:00			`if ( (!is_null($consent_flag)) and $source) {`
			`// Record the user giving consent in database - if consent_flag is 0,`
			`// this is an 'anonymous account' and consent_not_required is`
			`// set to 1.`
			`if ($consent_flag==0) {`
web: Web code modified to work with new database table definitions. Modified web code to use consent_type_id in place of consent_name in various places. RPCs also modified to use the new definitions. 2018-06-15 19:54:35 +00:00			`$rc = consent_to_a_policy($user, $ctid, 0, 1, $source);`
web: modified RPCs to use new consent_type table definitions. Added check consent type function for RPCs and Web forms. 2018-06-01 20:13:51 +00:00			`} else {`
web: Web code modified to work with new database table definitions. Modified web code to use consent_type_id in place of consent_name in various places. RPCs also modified to use the new definitions. 2018-06-15 19:54:35 +00:00			`$rc = consent_to_a_policy($user, $ctid, 1, 0, $source);`
web: modified RPCs to use new consent_type table definitions. Added check consent type function for RPCs and Web forms. 2018-06-01 20:13:51 +00:00			`}`
			`if (!$rc) {`
			`xml_error(-1, "database error, please contact site administrators");`
			`}`
web: Add functionality of consent to Web site and RPCs. create_account RPC modified to record a user's consent. am_set_info RPC modified to allow for modification of user's consent. Account registration on Web site modified to show terms_of_use.txt file and record user's consent. 2018-05-04 23:42:05 +00:00			`}`
			`}`
web: modified RPCs to use new consent_type table definitions. Added check consent type function for RPCs and Web forms. 2018-06-01 20:13:51 +00:00
web: Add functionality of consent to Web site and RPCs. create_account RPC modified to record a user's consent. am_set_info RPC modified to allow for modification of user's consent. Account registration on Web site modified to show terms_of_use.txt file and record user's consent. 2018-05-04 23:42:05 +00:00			`}`

- client/manager/GUI RPC: project_info.xml file can contain <team_name>. If present, and a new user account is created, it will be made a member of that team if it exists. svn path=/trunk/boinc/; revision=21030 2010-03-30 17:46:09 +00:00			`if ($team_name) {`
			`$team_name = BoincDb::escape_string($team_name);`
- finish up the auto-team feature svn path=/trunk/boinc/; revision=21033 2010-03-30 20:58:39 +00:00			`$team = BoincTeam::lookup("name='$team_name'");`
- client/manager/GUI RPC: project_info.xml file can contain <team_name>. If present, and a new user account is created, it will be made a member of that team if it exists. svn path=/trunk/boinc/; revision=21030 2010-03-30 17:46:09 +00:00			`if ($team && $team->joinable) {`
			`user_join_team($team, $user);`
			`}`
			`}`

* empty log message * svn path=/trunk/boinc/; revision=11125 2006-09-08 19:51:33 +00:00			`echo " <account_out>\n";`
- user web: code cleanup related to user creation. Make a single function that creates users and cleanses args. svn path=/trunk/boinc/; revision=13216 2007-07-25 15:11:14 +00:00			`echo " <authenticator>$user->authenticator</authenticator>\n";`
* empty log message * svn path=/trunk/boinc/; revision=11125 2006-09-08 19:51:33 +00:00			`echo "</account_out>\n";`
* empty log message * svn path=/trunk/boinc/; revision=7226 2005-08-10 08:55:57 +00:00
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00			`?>`