2009-11-27 Sancho lerena <slerena@artica.es>

* operation/menu.php: User section has no ACL check, always can be seen. * index.php: Added suppor for user-defined custom language (this code was on my disk for 3 months, pending to be commited!). * include/functions_db.php, * include/functions_agents.php, * godmode/alerts/alert_list.php, * godmode/agentes/modificar_agente.php, * godmode/agentes/configurar_agente.php: Added audit calls to several management operations who don't have or have insufficient audit info. * godmode/users/configure_user.php: Fixed several annoyings bugs. Added custom language support, and added more audit info on management operations. * godmode/users/user_list.php: More audit info. * include/config_process.php: Add new debug option to render error log to /pandora_console.log. Also set timezone if not defined (this makes warnings on several PHP 5.x setups). Added user custom language support. * include/functions_events.php: More audit info. Fixed problems with HTML encoding render. * functions_io.php: Some cleaning. * include/functions_messages.php: Fixed problems with HTML encoding render. * functions_ui.php: Fixed problems with HTML encoding render in print_string_substr() function. * auth/mysql.php: is_user_admin() functions seems to be broken ¿?¿!. Fixed. * styles/pandora.css: removed green colored left border in default style. * message.php, incident*: Fixed problems with HTML encoding render. * user.php: Better ACL check before let user to view/edit another user. * user_edit: Removed some un-used form fields, some arrangements in layout, and FIXED forever problems with password change (new code written). * users/user_statistics.php: Now user can see its own audit records. git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@2139 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
2025-07-30 17:25:26 +02:00 · 2009-11-27 20:02:12 +00:00 · 2009-11-27 20:02:12 +00:00 · b8d839b5c7
commit b8d839b5c7
parent 864840773b
23 changed files with 381 additions and 125 deletions
--- a/pandora_console/ChangeLog
+++ b/pandora_console/ChangeLog
@ -1,3 +1,50 @@
 2009-11-27  Sancho lerena <slerena@artica.es>
 	* operation/menu.php: User section has no ACL check, always can be seen.
 	* index.php: Added suppor for user-defined custom language (this code was
 	on my disk for 3 months, pending to be commited!).
 	* include/functions_db.php,
 	* include/functions_agents.php,
 	* godmode/alerts/alert_list.php,
 	* godmode/agentes/modificar_agente.php, 
 	* godmode/agentes/configurar_agente.php: Added audit calls to several 
 	management operations who don't have or have insufficient audit info.
 	* godmode/users/configure_user.php: Fixed several annoyings bugs. Added
 	custom language support, and added more audit info on management operations.
 	* godmode/users/user_list.php: More audit info.
 	* include/config_process.php: Add new debug option to render error log to
 	/pandora_console.log. Also set timezone if not defined (this makes warnings
 	on several PHP 5.x setups). Added user custom language support.
 	* include/functions_events.php: More audit info. Fixed problems with HTML
 	encoding render.
 	* functions_io.php: Some cleaning.
 	* include/functions_messages.php: Fixed problems with HTML
 	encoding render.
 	* functions_ui.php: Fixed problems with HTML encoding render in 
 	print_string_substr() function.
 	* auth/mysql.php: is_user_admin() functions seems to be broken ¿?¿!. Fixed.
 	* styles/pandora.css: removed green colored left border in default style.
 	* message.php, incident*:  Fixed problems with HTML encoding render.
 	* user.php: Better ACL check before let user to view/edit another user.
 	* user_edit: Removed some un-used form fields, some arrangements in layout,
 	and FIXED forever problems with password change (new code written).  
 	* users/user_statistics.php: Now user can see its own audit records.
 2009-11-27  Miguel de Dios  <miguel.dedios@artica.es>
 	* include/functions_html.php: add disabled parameter in functions,
--- a/pandora_console/godmode/agentes/configurar_agente.php
+++ b/pandora_console/godmode/agentes/configurar_agente.php
@ -146,6 +146,9 @@ if ($create_agent) {
 			$agent_created_ok = true;
 			audit_db ($config['id_user'], $REMOTE_ADDR, "Agent management",
 		"Created agent $nombre_agente");
 			// Create special module agent_keepalive
 			$id_agent_module = process_sql_insert ('tagente_modulo', 
 				array ('nombre' => 'agent_keepalive',
@ -345,6 +348,9 @@ if (isset($_POST["update_agent"])) { // if modified some agent paramenter
 		} else {
 			enterprise_hook ('update_agent', array ($id_agente));
 			print_success_message (__('Successfully updated'));
 			audit_db ($config['id_user'], $REMOTE_ADDR, "Agent management",
 		"Updated agent $nombre_agente");
 		}
 	}
 }
@ -483,6 +489,11 @@ if ($update_module) {
 		echo '<h3 class="suc">'.__('Module successfully updated').'</h3>';
 		$id_agent_module = false;
 		$edit_module = false;
 		$agent = get_db_row ('tagente', 'id_agente', $id_agente);
 		audit_db ($config['id_user'], $REMOTE_ADDR, "Agent management",
 		"Updated module '$name' for agent ".$agent["nombre"]);
 	}
 }
@ -537,6 +548,10 @@ if ($create_module) {
 		echo '<h3 class="suc">'.__('Module added successfully').'</h3>';
 		$id_agent_module = false;
 		$edit_module = false;
 		$agent = get_db_row ('tagente', 'id_agente', $id_agente);
 		audit_db ($config['id_user'], $REMOTE_ADDR, "Agent management",
 		"Added module '$name' for agent ".$agent["nombre"]);
 	}
 }
@ -544,6 +559,7 @@ if ($create_module) {
 // =================
 if (isset ($_GET["delete_module"])){ // DELETE agent module !
 	$id_borrar_modulo = (int) get_parameter_get ("delete_module",0);
 	$module_data = get_db_row ('tagente_modulo', 'id_agente_modulo', $id_borrar_modulo);
 	$id_grupo = (int) dame_id_grupo ($id_agente);
 	if (! give_acl ($config["id_user"], $id_grupo, "AW")) {
@ -556,7 +572,7 @@ if (isset ($_GET["delete_module"])){ // DELETE agent module !
 	if ($id_borrar_modulo < 1) {
 		audit_db ($config["id_user"],$REMOTE_ADDR, "HACK Attempt",
 		"Expected variable from form is not correct");
-		die ("Nice try buddy");
+		require ("general/noaccess.php");
 		exit;
 	}
@ -585,6 +601,10 @@ if (isset ($_GET["delete_module"])){ // DELETE agent module !
 	} else {
 		process_sql_commit ();
 		print_success_message (__('Module deleted succesfully'));
 		$agent = get_db_row ('tagente', 'id_agente', $id_agente);
 		audit_db ($config['id_user'], $REMOTE_ADDR, "Agent management",
 		"Deleted module '".$module_data["nombre"]."' for agent ".$agent["nombre"]);
 	}
 }
--- a/pandora_console/godmode/agentes/modificar_agente.php
+++ b/pandora_console/godmode/agentes/modificar_agente.php
@ -42,8 +42,7 @@ if (isset ($_GET["borrar_agente"])) { // if delete agent
 	$id_grupo = dame_id_grupo ($id_agente);
 	if (give_acl ($config["id_user"], $id_grupo, "AW")==1) {
 		$id_agentes[0] = $id_agente;
-		if (delete_agent ($id_agentes))
+		delete_agent ($id_agentes);
 		  audit_db($config["id_user"],$REMOTE_ADDR, "Agent \'$agent_name\' deleted", "Agent Management");
 	} else { // NO permissions.
 		audit_db ($config["id_user"],$REMOTE_ADDR, "ACL Violation",
 			"Trying to delete agent \'$agent_name\'");
--- a/pandora_console/godmode/alerts/alert_list.php
+++ b/pandora_console/godmode/alerts/alert_list.php
@ -118,6 +118,16 @@ if ($create_alert) {
 	}
 	else {
 		$id = create_alert_agent_module ($id_agent_module, $id_alert_template);
 //get_db_value ('name', 'tperfil', 'id_perfil', (int) $id_profile);
 		$alert_template_name = get_db_value ("name", "talert_templates","id", $id_alert_template);
 		$module_name = get_db_value ("nombre", "tagente_modulo","id_agente_modulo", $id_agent_module);
 		$agent_name = get_agent_name (get_db_value ("id_agente", "tagente_modulo","id_agente_modulo", $id_agent_module)); 
 		audit_db ($config["id_user"],$REMOTE_ADDR, "Alert management",
 		"Added alert '$alert_template_name' for module '$module_name' in agent '$agent_name'");
 		print_result_message ($id,
 			__('Successfully created'),
 			__('Could not be created'));
@ -138,6 +148,16 @@ if ($create_alert) {
 if ($delete_alert) {
 	$id_alert_agent_module = (int) get_parameter ('id_alert');
 	$temp =  get_db_row ("talert_template_modules","id", $id_alert_agent_module);
 	$id_alert_template = $temp["id_alert_template"];
 	$id_agent_module = $temp["id_agent_module"];
 	$alert_template_name = get_db_value ("name", "talert_templates","id", $id_alert_template);
 	$module_name = get_db_value ("nombre", "tagente_modulo","id_agente_modulo", $id_agent_module);
 	$agent_name = get_agent_name (get_db_value ("id_agente", "tagente_modulo","id_agente_modulo", $id_agent_module)); 
 	audit_db ($config["id_user"],$REMOTE_ADDR, "Alert management",
 	"Deleted alert '$alert_template_name' for module '$module_name' in agent '$agent_name'");
 	$result = delete_alert_agent_module ($id_alert_agent_module);
 	print_result_message ($id,
 		__('Successfully deleted'),
--- a/pandora_console/godmode/users/configure_user.php
+++ b/pandora_console/godmode/users/configure_user.php
@ -19,6 +19,9 @@ require_once ('include/config.php');
 check_login ();
 $id = get_parameter ('id', $config['id_user']); // ID given as parameter
 $user_info = get_user_info ($id);
 if ($user_info["language"] == ""){
 	$user_info["language"] = $config["language"];
 }
 $id = $user_info['id_user'];
 if (! give_acl ($config['id_user'], 0, "UM")) {
@ -50,6 +53,7 @@ if ($new_user && $config['admin_can_add_user']) {
 	$user_info['phone'] = '';
 	$user_info['comments'] = '';
 	$user_info['is_admin'] = 0;
 	$user_info['language'] = $config["language"];
 }
 if ($create_user) {
@ -63,12 +67,13 @@ if ($create_user) {
 	$values['fullname'] = (string) get_parameter ('fullname');
 	$values['firstname'] = (string) get_parameter ('firstname');
 	$values['lastname'] = (string) get_parameter ('lastname');
-	$password_new = (string) get_parameter ('password_new');
+	$password_new = (string) get_parameter ('password_new', '');
-	$password_confirm = (string) get_parameter ('password_confirm');
+	$password_confirm = (string) get_parameter ('password_confirm', '');
 	$values['email'] = (string) get_parameter ('email');
 	$values['phone'] = (string) get_parameter ('phone');
 	$values['comments'] = (string) get_parameter ('comments');
-	$values['is_admin'] = $is_admin = (bool) get_parameter ('is_admin', 0);
+	$values['is_admin'] = get_parameter ('is_admin', 0);
 	$values['language'] = get_parameter ('language', $config["language"]);
 	if ($password_new == '') {
 		print_error_message (__('Passwords cannot be empty'));
@ -86,15 +91,19 @@ if ($create_user) {
 	}
 	else {
 		$result = create_user ($id, $password_new, $values);
 		audit_db ($config['id_user'], $REMOTE_ADDR, "User management",
 		"Created user ".safe_input($id));
 		print_result_message ($result,
 			__('Successfully created'),
 			__('Could not be created'));
 		$user_info = get_user_info ($id);
 		$password_new = '';
 		$password_confirm = '';
 		$new_user = false;
 	}
 	$user_info['is_admin'] = $is_admin;
 }
 if ($update_user) {
@ -105,14 +114,15 @@ if ($update_user) {
 	$values['email'] = (string) get_parameter ('email');
 	$values['phone'] = (string) get_parameter ('phone');
 	$values['comments'] = (string) get_parameter ('comments');
-	$values['is_admin'] = (bool) get_parameter ('is_admin');
+	$values['is_admin'] = get_parameter ('is_admin', 0 );
 	$values['language'] = (string) get_parameter ('language', $config["language"]);
 	$res1 = update_user ($id, $values);
 	if ($config['user_can_update_password']) {
-		$password_new = (string) get_parameter ('password_new');
+		$password_new = (string) get_parameter ('password_new', '');
-		$password_confirm = (string) get_parameter ('password_confirm');
+		$password_confirm = (string) get_parameter ('password_confirm', '');
-		if ($password_new !== '') {
+		if ($password_new != '') {
 			if ($password_confirm == $password_new) {
 				$res2 = update_user_password ($id, $password_new);
 				print_result_message ($res1 || $res2,
@ -122,6 +132,8 @@ if ($update_user) {
 				print_error_message (__('Passwords does not match'));
 			}
 		} else {
 			audit_db ($config['id_user'], $REMOTE_ADDR, "User management",
 		"Updated user ".safe_input($id));
 			print_result_message ($res1,
 				__('User info successfully updated'),
 				__('Error updating user info (no change?)'));
@ -136,20 +148,24 @@ if ($update_user) {
 }
 if ($add_profile) {
-	$id = (string) get_parameter ('id_user');
+	$id2 = (string) get_parameter ('id_user');
-	$group = (int) get_parameter ('assign_group');
+	$group2 = (int) get_parameter ('assign_group');
-	$profile = (int) get_parameter ('assign_profile');
+	$profile2 = (int) get_parameter ('assign_profile');
-	
+	audit_db ($config['id_user'], $REMOTE_ADDR, "User management",
-	$return = create_user_profile ($id, $profile, $group);
+		"Added profile for user ".safe_input($id2));
 	$return = create_user_profile ($id2, $profile2, $group2);
 	print_result_message ($return,
-		__('Successfully created'),
+		__('Profile added successfully'),
-		__('Could not be created'));
+		__('Profile cannot be added'));
 }
 if ($delete_profile) {
 	$id = (string) get_parameter ('id_user');
 	$id_up = (int) get_parameter ('id_user_profile');
 	audit_db ($config['id_user'], $REMOTE_ADDR, "User management",
 		"Deleted profile for user ".safe_input($id));
 	$return = delete_user_profile ($id, $id_up);
 	print_result_message ($return,
 		__('Successfully deleted'),
@ -158,7 +174,7 @@ if ($delete_profile) {
 echo "<h2>".__('Pandora users')." &raquo; ".__('User detail editor')."</h2>";
-$table->width = '50%';
+$table->width = '80%';
 $table->data = array ();
 $table->colspan = array ();
 $table->size = array ();
@ -175,6 +191,11 @@ $table->data[1][0] = __('Full (display) name');
 $table->data[1][1] = print_input_text_extended ('fullname', $user_info['fullname'],
 	'', '', 30, 255, $view_mode, '', '', true);
 $table->data[2][0] = __('Language');
 $table->data[2][1] = print_select_from_sql ('SELECT id_language, name FROM tlanguage',
 	'language', $user_info["language"], '', '', '', true);
 /*
 $table->data[2][0] = __('First name');
 $table->data[2][1] = print_input_text_extended ('firstname', $user_info['firstname'],
 	'', '', 30, 255, $view_mode, '', '', true);
@ -182,6 +203,7 @@ $table->data[2][1] = print_input_text_extended ('firstname', $user_info['firstna
 $table->data[3][0] = __('Last name');
 $table->data[3][1] = print_input_text_extended ('lastname', $user_info['lastname'],
 	'', '', 30, 255, $view_mode, '', '', true);
 */
 if ($config['user_can_update_password']) {
 	$table->data[4][0] = __('Password');
@ -194,7 +216,6 @@ if ($config['user_can_update_password']) {
 if ($config['admin_can_make_admin']) {
 	$table->data[6][0] = __('Global Profile');
 	$table->data[6][1] = print_radio_button ('is_admin', 1, '', $user_info['is_admin'], true);
 	$table->data[6][1] .= __('Administrator');
 	$table->data[6][1] .= print_help_tip (__("This user has permissions to manage all. This is admin user and overwrites all permissions given in profiles/groups"), true);
@ -214,7 +235,7 @@ $table->data[8][1] = print_input_text_extended ("phone", $user_info['phone'],
 	'', '', 10, 30, $view_mode, '', '', true);
 $table->data[9][0] = __('Comments');
-$table->data[9][1] = print_textarea ("comments", 5, 55, $user_info['comments'],
+$table->data[9][1] = print_textarea ("comments", 2, 65, $user_info['comments'],
 	($view_mode ? 'readonly="readonly"' : ''), true);
 echo '<form method="post">';
--- a/pandora_console/godmode/users/user_list.php
+++ b/pandora_console/godmode/users/user_list.php
@ -28,6 +28,10 @@ if (! give_acl ($config['id_user'], 0, "UM")) {
 if (isset ($_GET["user_del"])) { //delete user
 	$id_user = get_parameter_post ("delete_user");
 	$result = delete_user ($id_user);
 	audit_db ($config['id_user'], $REMOTE_ADDR, "User management",
 		"Deleted user ".safe_input($id_user));
 	print_result_message ($result,
 		__('Successfully deleted'),
 		__('There was a problem deleting the user'));
--- a/pandora_console/include/auth/mysql.php
+++ b/pandora_console/include/auth/mysql.php
@ -67,10 +67,13 @@ function process_user_login ($login, $pass) {
 * @return bool True is the user is admin
 */
 function is_user_admin ($id_user) {
 	/* This code below was here, but I don't understand WHY. This always returns TRUE ¿?¿?
 	static $is_admin = -1;
 	if ($is_admin !== -1)
 		return $is_admin;
 	*/
 	$is_admin = (bool) get_db_value ('is_admin', 'tusuario', 'id_user', $id_user);
 	return $is_admin;
--- a/pandora_console/include/config_process.php
+++ b/pandora_console/include/config_process.php
@ -22,12 +22,25 @@
 /**
 * Pandora build version and version 
 */
-$build_version = 'PC091103';
+$build_version = 'PC091127';
-$pandora_version = 'v3.0RC2';
+$pandora_version = 'v3.0RC3-dev';
 /* Help to debug problems. Override global PHP configuration */
 error_reporting(E_ERROR);
 ini_set("display_errors", 0);
 ini_set("error_log", $config["homedir"]."/pandora_console.log");
 // Set a default timezone default if not configured
 // to avoid warnings and bad timestamp calculation in PHP > 5.1 
 if (ini_get('date.timezone') == ""){
 	date_default_timezone_set("Europe/Berlin");
 }
 $config['start_time'] = microtime (true);
-//Non-persistent connection. If you want persistent conn change it to mysql_pconnect()
+// Non-persistent connection: This will help to avoid mysql errors like "has gone away" or locking problems
 // If you want persistent connections change it to mysql_pconnect(). 
 $config['dbconnection'] = mysql_connect ($config["dbhost"], $config["dbuser"], $config["dbpass"]);
 if (! $config['dbconnection']) {
 	include ($config["homedir"]."/general/error_authconfig.php");
@ -44,6 +57,15 @@ process_config ();
 require_once ('streams.php');
 require_once ('gettext.php');
 // Set user language if provided, overriding System language
 if (isset ($config['id_user'])){
 	$userinfo = get_user_info ($config['id_user']);
 	if ($userinfo["language"] != ""){
 		$config['language'] = $userinfo["language"];
 	}
 } 
 $l10n = NULL;
 if (file_exists ('./include/languages/'.$config["language"].'.mo')) {
 	$l10n = new gettext_reader (new CachedFileReader ('./include/languages/'.$config["language"].'.mo'));
--- a/pandora_console/include/functions_agents.php
+++ b/pandora_console/include/functions_agents.php
@ -91,6 +91,9 @@ function create_agent ($name, $id_group, $interval, $ip_address, $values = false
 	process_sql_commit ();
 	audit_db ($config['id_user'], $REMOTE_ADDR, "Agent management",
 		"New agent '$name' created");
 	return $id_agent;
 }
--- a/pandora_console/include/functions_db.php
+++ b/pandora_console/include/functions_db.php
@ -1489,6 +1489,10 @@ function agent_delete_address ($id_agent, $ip_address) {
 		$sql = sprintf ("DELETE FROM taddress_agent WHERE id_ag = %d",$id_ag);	
 		process_sql ($sql);
 	}
 	$agent_name = get_agent_name($id_agent, "");
 	audit_db ($config['id_user'], $REMOTE_ADDR, "Agent management",
 	"Deleted IP $ip_address from agent '$agent_name'");
 	// Need to change main address?
 	if (get_agent_address ($id_agent) == $ip_address) {
 		$new_ips = get_agent_addresses ($id_agent);
@ -2761,6 +2765,8 @@ function delete_agent ($id_agents) {
 		if ($id_agent < 1)
 			continue;
 		$agent_name = get_agent_name($id_agent, "");
 		/* Check for deletion permissions */
 		$id_group = get_agent_group ($id_agent);
 		if (! give_acl ($config['id_user'], $id_group, "AW")) {
@ -2828,7 +2834,7 @@ function delete_agent ($id_agents) {
 		// Delete remote configuration
 		if (isset ($config["remote_config"])) {
-			$agent_md5 = md5 (get_agent_name ($id_agent,'none'), FALSE);
+			$agent_md5 = md5 ($agent_name, FALSE);
 			if (file_exists ($config["remote_config"]."/md5/".$agent_md5.".md5")) {
 				// Agent remote configuration editor
@ -2843,6 +2849,10 @@ function delete_agent ($id_agents) {
 		//And at long last, the agent
 		temp_sql_delete ("tagente", "id_agente", $id_agent);
 		audit_db ($config['id_user'], $REMOTE_ADDR, "Agent management",
 		"Deleted agent '$agent_name'");
 		/* Break the loop on error */
 		if ($error)
 			break;
--- a/pandora_console/include/functions_events.php
+++ b/pandora_console/include/functions_events.php
@ -123,8 +123,10 @@ function delete_event ($id_event, $similar = true) {
 			//Check ACL
 			audit_db ($config["id_user"], $config["remote_addr"], "ACL Violation", "Attempted deleting event #".$event);
 		} elseif ($ret !== false) {
 			audit_db ($config["id_user"], $config["remote_addr"], "Event deleted", "Deleted event #".$event);
 			//ACL didn't fail nor did return
 			continue;
 		}
 		$errors++;
@ -135,9 +137,6 @@ function delete_event ($id_event, $similar = true) {
 		process_sql_rollback ();
 		return false;
 	} else {
 		foreach ($id_event as $event) {
 			audit_db ($config["id_user"], $config["remote_addr"], "Event deleted", "Deleted event #".$event);
 		}
 		process_sql_commit ();
 		return true;
 	}
@ -351,7 +350,10 @@ function print_events_table ($filter = "", $limit = 10, $width = 440, $return =
 			// Event description wrap around by default at 44 or ~3 lines (10 seems to be a good ratio to wrap around for most sizes. Smaller number gets longer strings)
 			$wrap = floor ($width / 10);
-			$data[3] = '<span class="'.get_priority_class ($event["criticity"]).'f9" title="'.safe_input ($event["evento"]).'">'.safe_input ($event["evento"]).'</span>';
+
 			$data[3] = '<span class="'.get_priority_class ($event["criticity"]).'f9">'. print_string_substr ($event["evento"],45,true). '</span>';
 			if ($event["id_agente"] > 0) {
 				// Agent name
--- a/pandora_console/include/functions_io.php
+++ b/pandora_console/include/functions_io.php
@ -36,6 +36,34 @@ function safe_input($value) {
 	return $valueHtmlEncode;
 }
 /**
 * Convert the $value encode in html entity to clear char string. This function 
 * should be called always to "clean" HTML encoded data; to render to a text
 * plain ascii file, to render to console, or to put in any kind of data field
 * who doesn't make the HTML render by itself.
 * 
 * @param mixed String or array of strings to be cleaned.
 * 
 * @return unknown_type
 */
 function safe_output($value)
 {	
 	if (is_numeric($value))
 		return $value;
 	if (is_array($value)) {
 		array_walk($value, "safe_output");
 		return $value;
 	}
 	if (! mb_check_encoding ($value, 'UTF-8'))
 		$value = utf8_encode ($value);
 	$valueHtmlEncode =  html_entity_decode ($value, ENT_QUOTES, "UTF-8");
 	return $valueHtmlEncode;	
 }
 /** 
 * Use to clean HTML entities when get_parameter or safe_input functions dont work
 * 
@ -105,28 +133,5 @@ function unsafe_string ($string) {
 	return $string;
 }
 /**
 * Convert the $value encode in html entity to clear char string.
 * 
 * @param mixed String or array of strings to be cleaned.
 * 
 * @return unknown_type
 */
 function safe_output($value)
 {	
 	if (is_numeric($value))
 		return $value;
 	if (is_array($value)) {
 		array_walk($value, "safe_output");
 		return $value;
 	}
 	if (! mb_check_encoding ($value, 'UTF-8'))
 		$value = utf8_encode ($value);
 	$valueHtmlEncode =  html_entity_decode ($value, ENT_QUOTES, "UTF-8");
 	return $valueHtmlEncode;	
 }
 ?>
--- a/pandora_console/include/functions_messages.php
+++ b/pandora_console/include/functions_messages.php
@ -40,8 +40,8 @@ function create_message ($usuario_origen, $usuario_destino, $subject, $mensaje)
 	$values = array ();
 	$values["id_usuario_origen"] = $usuario_origen;
 	$values["id_usuario_destino"] = $usuario_destino;
-	$values["subject"] = safe_input ($subject);
+	$values["subject"] = $subject;
-	$values["mensaje"] = safe_input ($mensaje);
+	$values["mensaje"] = $mensaje;
 	$values["timestamp"] = get_system_time ();
 	$return = process_sql_insert ("tmensajes", $values);
@ -146,8 +146,8 @@ function get_message ($message_id) {
 	}
 	$return["sender"] = $row["id_usuario_origen"];
-	$return["subject"] = safe_input ($row["subject"]); //Although not strictly necessary, we don't know what other systems might dump in this. So we clean up
+	$return["subject"] = $row["subject"];
-	$return["message"] = safe_input ($row["mensaje"]);
+	$return["message"] = $row["mensaje"];
 	$return["timestamp"] = $row["timestamp"];
 	return $return;
--- a/pandora_console/include/functions_ui.php
+++ b/pandora_console/include/functions_ui.php
@ -419,7 +419,17 @@ function print_string_substr ($string, $cutoff = 16, $return = false) {
 	if (empty ($string)) {
 		return "";
 	}
-	$string = '<span title="'.safe_input ($string).'">'.mb_substr ($string, 0, $cutoff, "UTF-8").(mb_strlen ($string. "UTF-8") > $cutoff ? '...' : '').'</span>';
+
 	$string2 = safe_output ($string);
 	if (mb_strlen($string2, "UTF-8") >  $cutoff){
 		$string3 = "...";
 	} else {
 		$string3 = "";
 	}
 	$string = '<span title="'.safe_input($string2).'">'.mb_substr ($string2, 0, $cutoff, "UTF-8").$string3.'</span>';
 	if ($return === false) {
 		echo $string;
 	} 
--- a/pandora_console/include/styles/pandora.css
+++ b/pandora_console/include/styles/pandora.css
@ -628,7 +628,7 @@ span.rmess, span.nrmess {
 	background-color: #fafafa;
 }
 .databox_color {
-	border-left: 4px solid #786;
+	background-color: #fafafa;
 }
 #head_l {
 	float: left;
--- a/pandora_console/index.php
+++ b/pandora_console/index.php
@ -165,6 +165,18 @@ if (! isset ($config['id_user']) && isset ($_GET["loginhash"])) {
 		$config['id_user'] = $nick;
 		//Remove everything that might have to do with people's passwords or logins
 		unset ($_GET['pass'], $pass, $_POST['pass'], $_REQUEST['pass'], $login_good);
 		// Set user language if provided, overriding System language
 		$userinfo = get_user_info ($config['id_user']);
 		if ($userinfo["language"] != ""){
 			$config['language'] = $userinfo["language"];
 		}
 		$l10n = NULL;
 		if (file_exists ('./include/languages/'.$config["language"].'.mo')) {
 			$l10n = new gettext_reader (new CachedFileReader ('./include/languages/'.$config["language"].'.mo'));
 			$l10n->load_tables();
 		}
 	} else {
 		// User not known
 		$login_failed = true;
--- a/pandora_console/operation/incidents/incident.php
+++ b/pandora_console/operation/incidents/incident.php
@ -290,7 +290,7 @@ if ($count < 1) {
 		$data[1] = print_incidents_status_img ($row["estado"], true);
-		$data[2] = '<a href="index.php?sec=incidencias&amp;sec2=operation/incidents/incident_detail&amp;id='.$row["id_incidencia"].'">'.safe_input (substr ($row["titulo"],0,45)).'</a>';
+		$data[2] = '<a href="index.php?sec=incidencias&amp;sec2=operation/incidents/incident_detail&amp;id='.$row["id_incidencia"].'">'.substr(safe_output($row["titulo"]),0,45).'</a>';
 		$data[3] = print_incidents_priority_img ($row["prioridad"], true);																																																													
--- a/pandora_console/operation/incidents/incident_detail.php
+++ b/pandora_console/operation/incidents/incident_detail.php
@ -286,12 +286,13 @@ if (empty ($id_creator)) {
 echo '</td></tr><tr><td class="datos2" colspan="4">';
 if ((give_acl ($config["id_user"], $id_grupo, "IM") == 1) OR ($usuario == $config["id_user"])) {
-	print_textarea ("descripcion", 15, 80, safe_input ($texto), 'style="height:200px;"');
+	print_textarea ("descripcion", 15, 80,  $texto, 'style="height:200px;"');
 } else {
-	print_textarea ("descripcion", 15, 80, safe_input ($texto), 'style="height:200px;" disabled');
+	print_textarea ("descripcion", 15, 80,  $texto, 'style="height:200px;" disabled');
 }
 echo '</td></tr></table><div style="width: 600px; text-align:right;">';
 // Only if user is the used who opened incident or (s)he is admin
 if (isset ($id_inc) AND ((give_acl ($config["id_user"], $id_grupo, "IM") == 1) OR ($usuario == $config["id_user"]))) {
 	print_submit_button (__('Update incident'), "accion", false, 'class="sub upd"');
@ -337,7 +338,7 @@ if (isset ($id_inc)) {
 		if ((give_acl ($config["id_user"], $id_grupo, "IM") == 1) OR ($row["id_usuario"] == $config["id_user"])) {
 			$data[0] .= print_input_image ("delete_nota", "images/cross.png", $row["id_nota"], 'border:0px;" onClick="if (!confirm(\' '.__('Are you sure?').'\')) return false;', true);
 		}
-		$data[1] = safe_input ($row["nota"]);
+		$data[1] = $row["nota"];
 		array_push ($table->data, $data);
 	}
--- a/pandora_console/operation/menu.php
+++ b/pandora_console/operation/menu.php
@ -132,6 +132,9 @@ if (give_acl ($config['id_user'], 0, "AR")) {
 	$sub["operation/events/events_marquee.php"]["type"] = "direct";
 	$menu["eventos"]["sub"] = $sub;
 }
 // ANY user can view itself !
 // Users
 $menu["usuarios"]["text"] = __('View users');
@ -150,6 +153,9 @@ if (give_acl ($config['id_user'], 0, "AR")) {
 $menu["usuarios"]["sub"] = $sub;
 //End of Users
 // Rest of options, all with AR privilege (or should events be with incidents?)
 if (give_acl ($config['id_user'], 0, "AR")) {
 	//SNMP Console
 	$menu["snmpconsole"]["text"] = __('SNMP console');
 	$menu["snmpconsole"]["refr"] = 60;
--- a/pandora_console/operation/messages/message.php
+++ b/pandora_console/operation/messages/message.php
@ -65,7 +65,7 @@ if (isset ($_GET["mark_read"]) || isset ($_GET["mark_unread"])) {
 if (isset ($_GET["new_msg"])) { //create message
 	echo "<h2>".__('Messages')." &raquo; ".__('New message').'</h2>';
 	echo '<form method="POST" action="index.php?sec=messages&amp;sec2=operation/messages/message&amp;send_message=1">
-	<table width="600" class="databox_color" cellpadding="4" cellspacing="4">
+	<table width="85%" class="databox_color" cellpadding="4" cellspacing="4">
 	<tr>
 		<td class="datos">'.__('From').':</td>
 		<td class="datos"><b>'.print_username ($config["id_user"], true).'</b></td>
@ -158,7 +158,7 @@ if (isset ($_GET["read_message"]) || !isset ($_GET["new_msg"])) {
 	if (empty ($messages)) {
 		echo '<div class="nf">'.__('There are no messages').'</div>';
 	} else {
-		$table->width = "100%";
+		$table->width = "85%";
 		$table->class = "databox";
 		$table->cellpadding = 4;
 		$table->cellspacing = 4;
@ -217,7 +217,7 @@ if (isset ($_GET["read_message"]) || !isset ($_GET["new_msg"])) {
 		print_table ($table);
 		echo '</form>';
 	}
-	echo '<div class="action-buttons" style="width:100%">';
+	echo '<div class="action-buttons" style="width:85%">';
 	echo '<form method="post" action="index.php?sec=messages&amp;sec2=operation/messages/message&amp;new_msg=1">';
 	print_submit_button (__('New message'), "send_mes", false, 'class="sub next"');
 	echo '</form></div>';
--- a/pandora_console/operation/users/user.php
+++ b/pandora_console/operation/users/user.php
@ -56,7 +56,11 @@ foreach ($info as $user_id => $user_info) {
 	$rowPair = !$rowPair;
 	$iterator++;
-	$data[0] = '<a href="index.php?sec=usuarios&amp;sec2=operation/users/user_edit&amp;id='.$user_id.'">'.$user_id.'</a>';
+	if ((check_acl ($config["id_user"], get_user_groups ($user_id), "UM")) OR ($config["id_user"] == $user_id)){
 		$data[0] = '<b><a href="index.php?sec=usuarios&amp;sec2=operation/users/user_edit&amp;id='.$user_id.'">'.$user_id.'</a></b>';
 	} else {
 		$data[0] = $user_id;
 	}
 	$data[1] = $user_info["fullname"].'<a href="#" class="tip"><span>';
 	$data[1] .= __('First name').': '.$user_info["firstname"].'<br />';
 	$data[1] .= __('Last name').': '.$user_info["lastname"].'<br />';
--- a/pandora_console/operation/users/user_edit.php
+++ b/pandora_console/operation/users/user_edit.php
@ -21,10 +21,13 @@ check_login ();
 $id = get_parameter_get ("id", $config["id_user"]); // ID given as parameter
 $user_info = get_user_info ($id);
 if ($user_info["language"] == ""){
 	$user_info["language"] = $config["language"];
 }
 $id = $user_info["id_user"]; //This is done in case there are problems with uppercase/lowercase (MySQL auth has that problem)
-
+if ((!give_acl ($config["id_user"], get_user_groups ($id), "UM")) AND ($id != $config["id_user"])){
 if (!give_acl ($config["id_user"], get_user_groups ($id), "UM")){
 	audit_db ($config["id_user"], $config["remote_addr"], "ACL Violation","Trying to view a user without privileges");
 	require ("general/noaccess.php");
 	exit;
@ -42,27 +45,35 @@ if (isset ($_GET["modified"]) && !$view_mode) {
 	$upd_info["fullname"] = get_parameter_post ("fullname", $user_info["fullname"]);
 	$upd_info["firstname"] = get_parameter_post ("firstname", $user_info["firstname"]);
 	$upd_info["lastname"] = get_parameter_post ("lastname", $user_info["lastname"]);
-	$password_old = get_parameter_post ("password_old", "-");
+	$password_new = get_parameter_post ("password_new", "");
-	$password_new = get_parameter_post ("password_new", "-");
+	$password_confirm = get_parameter_post ("password_conf", "");
 	$password_confirm = get_parameter_post ("password_confirm", "-");
 	$upd_info["email"] = get_parameter_post ("email", $user_info["email"]);
 	$upd_info["phone"] = get_parameter_post ("phone", $user_info["phone"]);
 	$upd_info["comments"] = get_parameter_post ("comments", $user_info["comments"]);
 	$upd_info["language"] = get_parameter_post ("language", $user_info["language"]);
-	//If User can update password and the new password is not the same as the old one, it's not the default and it's not empty and the new password is the same as the confirmed one
+	if ( !empty ($password_new)) {
-	if ($config["user_can_update_password"] && $password_old !== $password_new && $password_new !== "-" && !empty ($password_new) && $password_confirm == $password_new) {
+		if ($config["user_can_update_password"] && $password_confirm == $password_new) {
-		$return = process_user_password ($id, $pass);
+			$return = update_user_password ($id, $password_new);
 			print_result_message ($return,
 				__('Password successfully updated'),
 				__('Error updating passwords: %s', $config['auth_error']));
-	} elseif ($password_new !== "-") {
+		} elseif ($password_new !== "NON-INIT") {
 			print_error_message (__('Passwords didn\'t match or other problem encountered while updating passwords'));
 		}
 	}
 	// No need to display "error" here, because when no update is needed (no changes in data) 
 	// SQL function returns	0 (FALSE), but is not an error, just no change. Previous error
 	// message could be confussing to the user.
 	$return = update_user ($id, $upd_info);
 	if ($return > 0) {
 		print_result_message ($return,
 			__('User info successfully updated'),
 			__('Error updating user info'));
 	}
 	$user_info = $upd_info;
 }
@ -70,53 +81,69 @@ echo "<h2>".__('Pandora users')." &raquo; ".__('User detail editor')."</h2>";
 echo '<form name="user_mod" method="post" action="index.php?sec=usuarios&amp;sec2=operation/users/user_edit&amp;modified=1&amp;id='.$id.'">';
-echo '<table cellpadding="4" cellspacing="4" class="databox_color" width="600">';
+echo '<table cellpadding="4" cellspacing="4" class="databox" width="90%">';
 echo '<tr><td class="datos">'.__('User ID').'</td>';
 echo '<td class="datos">';
-print_input_text_extended ("id_user", $id, '', '', '', '', $view_mode, '', 'class="input"');
+echo "<b>$id</b>";
 echo "</td>";
 // Show "Picture" (in future versions, why not, allow users to upload it's own avatar here.
 echo "<td rowspan=4>";
 if (is_user_admin ($id)) {
 	echo "<img src='images/people_1.png'>";
 } 
 else {
 	echo "<img src='images/people_2.png'>";
 }
 echo '</td></tr><tr><td class="datos2">'.__('Full (display) name').'</td><td class="datos2">';
-print_input_text_extended ("fullname", $user_info["fullname"], '', '', '', '', $view_mode, '', 'class="input"');
+print_input_text_extended ("fullname", $user_info["fullname"], '', '', 35, 100, $view_mode, '', 'class="input"');
 // Not used anymore. In 3.0 database schema continues storing it, but will be removed in the future, or we will 'reuse'
 // the database fields for anything more useful.
 /*
 echo '</td></tr><tr><td class="datos">'.__('First name').'</td><td class="datos">';
-print_input_text_extended ("firstname", $user_info["firstname"], '', '', '', '', $view_mode, '', 'class="input"');
+print_input_text_extended ("firstname", $user_info["firstname"], '', '', 25, 100, $view_mode, '', 'class="input"');
 echo '</td></tr><tr><td class="datos2">'.__('Last name').'</td><td class="datos2">';
-print_input_text_extended ("lastname", $user_info["lastname"], '', '', '', '', $view_mode, '', 'class="input"');
+print_input_text_extended ("lastname", $user_info["lastname"], '', '', 25, 100, $view_mode, '', 'class="input"');
 */
 if ($view_mode === false) {
 	echo '</td></tr><tr><td class="datos">'.__('Current password').'</td><td class="datos">';
 	if ($config["user_can_update_password"]) {
 		print_input_text_extended ("password_old", "-", '', '', '', '', $view_mode, '', 'class="input"', false, true);
 		echo '</td></tr><tr><td class="datos">'.__('New Password').'</td><td class="datos">';
-		print_input_text_extended ("password_new", "-", '', '', '', '', $view_mode, '', 'class="input"', false, true);
+		print_input_text_extended ("password_new", "", '', '', '15', '25', $view_mode, '', 'class="input"', false, true);
 		echo '</td></tr><tr><td class="datos">'.__('Password confirmation').'</td><td class="datos">';
-		print_input_text_extended ("password_conf", "-", '', '', '', '', $view_mode, '', 'class="input"', false, true);
+		print_input_text_extended ("password_conf", "", '', '', '15', '25', $view_mode, '', 'class="input"', false, true);
 	} else {
 		echo '<i>'.__('You can not change your password from Pandora FMS under the current authentication scheme').'</i>';
 	}
 }
 echo '</td></tr><tr><td class="datos2">'.__('E-mail').'</td><td class="datos2">';
-print_input_text_extended ("email", $user_info["email"], '', '', '', '', $view_mode, '', 'class="input"');
+print_input_text_extended ("email", $user_info["email"], '', '', '40', '100', $view_mode, '', 'class="input"');
 echo '</td></tr><tr><td class="datos">'.__('Phone number').'</td><td class="datos">';
-print_input_text_extended ("phone", $user_info["phone"], '', '', '', '', $view_mode, '', 'class="input"');
+print_input_text_extended ("phone", $user_info["phone"], '', '', '10', '30', $view_mode, '', 'class="input"');
-echo '</td></tr><tr><td class="datos2">'.__('Comments').'</td><td class="datos2">';
+echo '</td></tr><tr><td class="datos">'.__('Language').'</td><td class="datos2">';
-print_textarea ("comments", 4, 55, $user_info["comments"], ($view_mode ? 'readonly="readonly"' : ''));
+echo print_select_from_sql ('SELECT id_language, name FROM tlanguage',
 	'language', $user_info["language"], '', '', '', true);
 echo '</td></tr><tr><td class="datos2">'.__('Comments').'</td><td class="datos">';
 print_textarea ("comments", 2, 60, $user_info["comments"], ($view_mode ? 'readonly="readonly"' : ''));
 echo '</td></tr></table>';
-echo '<div style="width:600px; text-align:right;">';
+echo '<div style="width:90%; text-align:right;">';
 if (!$config["user_can_update_info"]) {
 	echo '<i>'.__('You can not change your user info from Pandora FMS under the current authentication scheme').'</i>';
 } else {
 	print_submit_button (__('Update'), 'uptbutton', $view_mode, 'class="sub upd"');
 }
-echo '</div></form><br />';
+echo '</div></form>';
 echo '<h3>'.__('Profiles/Groups assigned to this user').'</h3>';
--- a/pandora_console/operation/users/user_statistics.php
+++ b/pandora_console/operation/users/user_statistics.php
@ -29,4 +29,44 @@ if ($config['flash_charts']) {
 } else {
 	print_image ("include/fgraph.php?tipo=user_activity", false, array ("border" => 0));
 }
 echo '<div id="activity" style="width:700px;">';
 // Show last activity from this user
 echo "<h2>" . __('This is your last activity in Pandora FMS console') . "</h2>";
 $table->width = 650; //Don't specify px
 $table->data = array ();
 $table->size = array ();
 $table->size[2] = '130px';
 $table->size[4] = '200px';
 $table->head = array ();
 $table->head[0] = __('User');
 $table->head[1] = __('Category');
 $table->head[2] = __('Date');
 $table->head[3] = __('Source IP');
 $table->head[4] = __('Comments');
 $sql = sprintf ("SELECT id_usuario,accion,fecha,ip_origen,descripcion
 				FROM tsesion
 				WHERE (`utimestamp` > UNIX_TIMESTAMP(NOW()) - 604800) 
 				AND `id_usuario` = '%s' ORDER BY `fecha` DESC LIMIT 50", $config["id_user"]);
 $sessions = get_db_all_rows_sql ($sql);
 if ($sessions === false)
 	$sessions = array (); 
 foreach ($sessions as $session) {
 	$data = array ();
 	$data[0] = '<strong>'.$session['id_usuario'].'</strong>';
 	$data[1] = $session['accion'];
 	$data[2] = $session['fecha'];
 	$data[3] = $session['ip_origen'];
 	$data[4] = $session['descripcion'];
 	array_push ($table->data, $data);
 }
 print_table ($table);
 echo "</div>"; // activity
 ?>