admFunctions_8i_source.html

<?php
/**
 * function Set2FactorAdmin($p_pwd, $p_email, $p_conf_word, $Cn, $setCookieIfNotExists=false)
 * Set the authentication cookie and test on next login to see if exists.
 *
 * @param string $p_pwd -- the password (not clear text; this is after the encrypt method or directly from the user record)
 * @param string $p_email -- the email of the user
 * @param string $p_conf_word -- the confidence word
 * @param array $challengeArray -- the array of challenge questions as if just decoded from the mfaquest column
 * @param string $Cn -- the logged in user
 * @param boolean $setCookieIfNotExists -- if true, then the cookie will be set (on login).  If false, it is will be updated iff it exists (on security changes).
 */
function Set2FactorAdmin($pSysEnv, $p_pwd, $p_email, $p_conf_word, $challengeArray, $Cn, $setCookieIfNotExists=false)
{
  $p_pwd = trim($p_pwd);
  $p_email = trim($p_email);
  $p_conf_word = trim($p_conf_word);

  $cookiename = sha1("HCUAdminTu0geethSaith7ch" . $Cn);

    if (!$setCookieIfNotExists && !isset($_COOKIE[$cookiename]))
      return; // Do nothing.

  // if more than 23 homecu cookies exist, nuke all except the session cookies
  if (sizeof($_COOKIE) > 23)
  {
    reset ($_COOKIE);
    $persists = (time() - 3600);
    foreach ($_COOKIE as $thisCookiename => $cookiecontent)
    {
      if (!preg_match("/^(Tx_aURI|aTicket|webconnect|_userc.*)/",$thisCookiename))
      {
        HCU_setcookie_env($pSysEnv, $thisCookiename, "", $persists);
      }
    }
  }

  $addToCookie = array();
  $challengeArray = HCU_array_key_value("answers", $challengeArray);
  $challengeArray = $challengeArray === false ? array() : $challengeArray;

  if (isset($challengeArray))
  {
    ksort($challengeArray, SORT_NUMERIC); // Sort the challenge question ids numerically in the off chance that they are not sorted.
    $find= array("\n", "\\", "=", "|");
    $replace= array("", "\\\\", "\\=", "\\|"); // Replace = and | so that strings with them in it cannot match what they are not supposed to match.
    foreach($challengeArray as $questId => $questValue)
    {
      $questId= intval($questId);
      $questValue= trim(str_replace($find, $replace, $questValue));
      $addToCookie[]= "$questId=$questValue";
    }
  }
  $addToCookie= implode("|", $addToCookie);

  $cookiecontent=sha1($p_pwd . $p_email .  $p_conf_word . $addToCookie);

  $persists = time() + $pSysEnv['ticket']['persists'];
  HCU_setcookie_env($pSysEnv, "$cookiename", "$cookiecontent", $persists);
}

/**
 * showProductName:
 *
 * show the product name for the credit union
 *
 * @param string $pName   :   name of credit union
 */
function showProductName($pName) {
  ?>
  <script type='text/javascript'>

  <?php if ($pName == "NONE" || $pName == "") { ?>
  $("#logo-bar p.navbar-title").html("&nbsp;");
  <?php } else { ?>
  $("#logo-bar p.navbar-title").text("<?php echo $pName ?>");
  <?php } ?>
  </script>
  <?php
}

/**
 *  checkOrgName:
 *
 *  get the org name for credit union
 *
 *  @param string $cu         :   credit union code
 *  @return string $cu_pname  :   blank if cu code doesn't exist or pname is NONE
 */
function checkOrgName($cu) {
  global $dbh;

  $sqlSelect = "SELECT orgname FROM cuadmin a WHERE cu = '$cu'";
  $sqlSelectRs = db_query($sqlSelect, $dbh);
  $sqlData = db_fetch_assoc($sqlSelectRs, 0);

  $orgname = isset($sqlData['orgname']) ? $sqlData['orgname'] : null;
  $orgname = $orgname == null ? "" : trim($orgname);

  return $orgname;
}

/**
 * function checkPerm($user, $script, $cu_name)
 * Moved from the main script a while ago
 *
 * @param string $user -- the username
 * @param string $script -- the script
 * @param string $cu_name -- the credit union
 * @return array --
 *    $master -- if the record is the master record for the credit union
 *    $ret_pass -- if they pass?
 *    $ret_su -- if they have master privileges
 *    $ipCheckPassed -- this one is in camelcase.  If the ip check passed.
 */
function checkPerm($user, $script, $cu_name)
{
  global $logger, $SYSENV, $dbh;

  $settings = $SYSENV;

  $ret_pass = ""; // determines if we passed validation or not
  $ret_su = 0;    // reflects 'allow master privileges' status for non-master
  $sth = db_query("select trim(user_name), ip_acl from cuadmin where cu='$cu_name';",$dbh);
  list($master, $ipACL) = db_fetch_array($sth,0);

  // make sure they have IP access restrictions are set up
  $ipCheckPassed = false;
  if ( strlen( $ipACL ) > 0 ) {
    // make sure the IP addresses start at character offset 1 so the strpos function is easier to test
    $ipACL = " " . trim( $ipACL );

    // check if coming in through admin (using HomeCU's static ip addresses)
    $ipACL .=  ";{$settings['admin']['ip_acl']}";

    // see if user passes
    $ipAddress = trim( $_SERVER["REMOTE_ADDR"] );

    if ( strpos( $ipACL, $ipAddress ) > 0 ) {
      // ip check passed
      $ipCheckPassed = true;
    } else {
      // see if user set up for remote access
      $sql = "select userflags, remoteip
              from cuadminusers
              where lower(user_name) = '" . strtolower(prep_save($user)) . "'
                and cu = '$cu_name' ";
      $sth = db_query( $sql, $dbh );
      list( $userFlags, $remoteIP ) = db_fetch_array( $sth, 0 );

      if ( ($userFlags & GetAdminUserFlagsValue("ADM_REMOTE_ACCESS_ALLOWED")) > 0 ) {
        if ( trim( $remoteIP ) == $ipAddress ) {
          $ipCheckPassed = true;
        }
      }
    }

    if (!$ipCheckPassed) {
      $logger->info("Invalid IP Address for service: {$ipAddress}");
    }
  } else {
    $ipCheckPassed = true;
  }

  if ($master == "$user") {
    // For the master user -- Check for script in the cuadminexclude list
    $sql = "select *
            from cuadminexclude
            where cuadminexclude.program = '$script'
              and cuadminexclude.cu = '$cu_name' ";
    $ovr_rs = db_query($sql, $dbh);
    // If the record IS found, permission is denied
    // FAIL even for master user
    if (db_num_rows($ovr_rs) > 0) {
      $ret_pass = 0;
    } else {
      $ret_pass = 1;
    }
    db_free_result($ovr_rs);
  } else {
    // not the master, find out what permissions user has

    $sql = "select a.user_name
          from cuadminallow a
          where lower(a.user_name) = '" . strtolower(prep_save($user)) . "'
            and program = '$script' and a.cu = '$cu_name'
            and not exists (select *
                  from cuadminexclude
                  where cuadminexclude.program = a.program
                  and cuadminexclude.cu = '$cu_name') ";
    $sth = db_query($sql,$dbh);
    $num = db_num_rows($sth);

    if (db_num_rows($sth) > 0) {
      $ret_pass = 1;
    } else {
      $ret_pass = 0;
      $sql = "select userflags from cuadminusers
              where lower(user_name) = '" . strtolower(prep_save($user)) . "'
              and cu = '$cu_name'";
      $sth = db_query($sql,$dbh);
      list($ret_su) = db_fetch_array($sth,0);
      $ret_su = ($ret_su & 4);
    }
    db_free_result($sth);
  }

  return array ($master, $ret_pass, $ret_su, $ipCheckPassed);
}


/**
 * function getVariablesForMenu(&$SYSENV)
 * Gets particular counts that show up on the menu items
 *
 * @param $SYSENV -- the system environment variables
 */
function getVariablesForMenu($dbh, &$menuVariables, $Cu)
{
  $menuVariables["secureDocumentsText"] = "Secure Documents";
  getNewMessageCount($dbh, $menuVariables, $Cu);
  getAdmCount($dbh, $menuVariables, $Cu);
  getLoanCount($dbh, $menuVariables, $Cu);
  getExtCounts($dbh, $menuVariables, $Cu);

  $docCount = $menuVariables["secureFormCount"] + $menuVariables["messageCount"];
  $docCount = $docCount > 0 ? ($docCount > 9 ? "9+" : "$docCount") : "";
  $menuVariables["secureDocumentsText"]= "Secure Documents" . ($docCount == "" ? "" : " <span class='badge'>$docCount</span>");
}

/**
 * function getNewMessageCount(&$SYSENV)
 * Gets the number of unread messages the CU has
 *
 * @param $SYSENV -- the system environment variables
 */
function getNewMessageCount($dbh, &$menuVariables, $Cu)
{
  if (trim($Cu) != "")
  {
    $sql = "select count(*) from cuadmeco where cu = '$Cu' and origination = 1 and unread and not admdeleted";
    $sth = db_query($sql, $dbh);
    list($messageCount) =  db_fetch_array($sth,0);

    $text= "Secure Messages";
    $menuVariables["messageCount"] = intval($messageCount);
    $messageCount= $messageCount > 0 ? ($messageCount > 9 ? "9+" : "$messageCount") : "";
    $menuVariables["messageText"] = "Secure Messages" . ($messageCount == "" ? "" : " <span class='badge'>$messageCount</span>");
  }
  else
  {
    $menuVariables["messageCount"] = 0;
    $menuVariables["messageText"] = "Secure Messages";
  }
}

/**
 * function getAdmCount(&$SYSENV)
 * Gets the count for secure forms
 *
 * @param $SYSENV -- the system environment variables
 */
function getAdmCount($dbh, &$menuVariables, $Cu)
{
  if (trim($Cu) != "")
  {
    $secpath = "/home/" . strtolower($Cu) . "/sslforms";
    $secforms = sizeof(glob("$secpath/*.html"));
    $menuVariables["secureFormCount"] = $secforms;
    $secformCount = $secforms > 0 ? ($secforms > 9 ? "9+" : "$secforms") : "";
    $menuVariables["secureFormText"] = "Secure Forms" . ($secformCount == "" ? "" : " <span class='badge'>$secformCount</span>");
  }
  else
  {
    $menuVariables["secureFormCount"] = 0;
    $menuVariables["secureFormText"] = "Secure Forms";
  }
}

/**
 * function getLoanCount(&$SYSENV)
 * Check for a configuration in the lnappconfig table.  If a record exists, then show the menu.
 *
 * @param $SYSENV -- the system environment variables
 */
function getLoanCount($dbh, &$menuVariables, $Cu)
{
    $sql = "select count(*) from lnappconfig where cu = '$Cu'";
    $sth = db_query($sql, $dbh);
    list ($loanCount) = db_fetch_array($sth, 0);
    $menuVariables["loanCount"] = intval($loanCount);
}

/**
 * function getEzCount(&$SYSENV)
 * Gets the count for the EZ Card
 *
 * @param $SYSENV -- the system environment variables
 */
function getExtCounts($dbh, &$menuVariables, $Cu)
{
    if ($Cu != "")
    {
      include_once(dirname(__FILE__) . "/../../shared/library/cutrusted.i");
      # check if this client uses local EZCARD settings
      $trustedIds= array("hasEZ" => "HcuEZCARD", "hasDMI" => "HcuDMI", "hasMIR" => "HcuMIR"); // with an implode, the values are concatenated.  The keys don't matter.
      $parms = array('Cu' => $Cu, "trustedids" => $trustedIds);
      $return = cutd_list($dbh, $parms);

      foreach($trustedIds as $key => $value)
      {
        $menuVariables[$key] = isset($return['data']["$Cu|$value"]);
      }

    }
    else
    {
      $menuVariables["hasEZ"] = false;
      $menuVariables["hasDMI"] = false;
      $menuVariables["hasMIR"] = false;
    }
}

/**
 * function getAdmChallengeQuestions($dbh, $cuCode, $username, $showSQL= false)
 *
 * Gets the challenge questions for admin using the new mfaquest column, rather than the table.
 *
 * @param integer $dbh -- the database connection
 * @param string $cuCode -- the CU
 * @param string $username -- the username to log in as
 * @param boolean $showSQL -- if true, also include all the SQL
 *
 * @throws exception when queries fail or when cu_flagconst.i is not included
 * @return array("code" => "$code", "errors" => $errors, "data" => $challengeQuestions);
 */
function getAdmChallengeQuestions($dbh, $cuCode, $username, $mode, $actuallyUser=false)
{
  $code= 0;
  $errors= array();
  $challengeQuestions= array();
  $challengeQuestionDDL= array();
  $sqls= array();
  $isRandom= false;
  $noRecord= false;
  $noChallengeQuestions= false;
  $forceChallengeQuestions= false;
  $forcePassword= false;
  $username= strtolower($username);

  global $CU2_RANDOM_CHAL;
  $bitValue= intval($CU2_RANDOM_CHAL);

  // Get the challenge questions
  if (!$actuallyUser)
    $sql = "select au.mfaquest, coalesce(a.flagset2,0) & $bitValue, coalesce(au.userflags, 0) & 2, au.forcechange from cuadminusers au inner join cuadmin a on au.cu = a.cu
    and lower(au.user_name) = '" . prep_save($username, 50) . "' and au.cu = '" . prep_save($cuCode, 10) . "'";
  else
    $sql = "select au.mfaquest, coalesce(a.flagset2,0) & $bitValue, coalesce(au.userflags, 0) & 2, au.forcechange from ${cuCode}user au inner join cuadmin a on lower(au.user_name)='"
      . prep_save($username, 50) . "' and a.cu = '" . prep_save($cuCode, 10) . "'";

  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new Exception("mfaquest query failed.", 1);
  if (db_num_rows($sth) == 0)
  {
    $noRecord = true;
    switch($mode)
    {
      case "login verify":
        break; // do nothing because we don't want to give hacker any info.
      case "login display": // This will pretend that it is a correct login to not give hacker any info.
        $sql = "select quest_id, quest_text, example_text from cuquestmaster where quest_lang = 'en_US' order by random() limit 3";
        // Get three random questions when the username or CU is not correct.
        $sqls[] = $sql;
        $sth = db_query($sql, $dbh);
        if (!$sth)
            throw new Exception("master question query failed.", 2);
        for($i = 0; $array = db_fetch_assoc($sth, $i); $i++)
        {
          $array["answer"] = "";
          $challengeQuestions[] = $array;
        }
        break;
      default: // Other parts will need to notify the user
        throw new Exception ("Username record doesn't exist.", 3);
        break;
    }
  }
  else
  {
    $row = db_fetch_row($sth, 0);
    $encodedAnswers = trim($row[0]);
    $decodedAnswers = HCU_MFADecode(HCU_JsonDecode($encodedAnswers));
    unset($encodedAnswers);
    $isRandom= intval($row[1]) != 0;
    $forceChallengeQuestions = intval($row[2]) != 0 && in_array($mode, array("login verify", "login display"));
    $forcePassword= trim($row[3]) == "Y";

    if (!$forceChallengeQuestions)
    {
      switch($mode)
      {
        case "login verify":
        case "login display":
        case "admin display":
          if ($decodedAnswers["mfacount"] > 0)
          {
            $sql = "select quest_id, quest_text, example_text from cuquestmaster where quest_lang = 'en_US' and quest_id in (" . implode(", ", array_keys($decodedAnswers["answers"]))
              . ") order by quest_id";

            $sqls[] = $sql;
            $sth = db_query($sql, $dbh);
            if (!$sth)
              throw new Exception("master question query failed.", 4);
            for($i = 0; $array = db_fetch_assoc($sth, $i); $i++)
            {
              $answer = $decodedAnswers["answers"][$array["quest_id"]];
              $array["answer"] = $answer == null ? "" : $answer;
              $challengeQuestions[$array["quest_id"]] = $array;
            }

            if ($isRandom && $mode != "admin display")
            {
              if (intval($decodedAnswers["challenge"]) == 0)
              {
                // Now save with random index
                $decodedAnswers["challenge"] = array_rand($decodedAnswers["answers"]);
                $sql= "update cuadminusers set mfaquest = '" . prep_save(PrepareMfaQuestString($decodedAnswers))
                . "' where lower(user_name) = '" . prep_save($username, 50)
                . "'" . (trim($cuCode) != "" ? " and cu = '" . prep_save($cuCode, 10) . "'" : "");
                $sqls[] = $sql;
                $sth = db_query($sql, $dbh);
                if (!$sth)
                  throw new Exception("update challenge query failed.", 5);
              }

              if (intval($decodedAnswers["challenge"]) > 0)
              {
                $challengeQuestions= isset($challengeQuestions[$decodedAnswers["challenge"]]) ? array($challengeQuestions[$decodedAnswers["challenge"]]) : array();
              }
            }
            else // not random, just need a list.
            {
              $challengeQuestions = array_values($challengeQuestions);
            }
          }
          else $noChallengeQuestions = true;
        break;
        case "security display":
            $sql = "select quest_id, quest_text, example_text from cuquestmaster where quest_lang = 'en_US' order by quest_id";
            $sqls[] = $sql;
            $sth = db_query($sql, $dbh);
            if (!$sth)
              throw new Exception("master question query failed.", 6);
            for($i = 0; $array = db_fetch_assoc($sth, $i); $i++)
            {
              $id = HCU_array_key_exists("quest_id", $array) ? intval($array["quest_id"]) : 0;
              $answer = HCU_array_key_exists($id, $decodedAnswers["answers"]) ? $decodedAnswers["answers"][$id] : null;
              $challengeQuestionDDL[] = $array;
              if (isset($answer))
              {
                $array["answer"] = $answer;
                $challengeQuestions[] = $array;
              }
            }
        break;
      }
    }


  }

  $returnArray= array("code" => "$code", "errors" => $errors, "data" => $challengeQuestions, "noRecord" => $noRecord, "sqls" => $sqls,
    "requireChallengeQuestions" => $noChallengeQuestions || $forceChallengeQuestions, "forcePassword" => $forcePassword);
  if ($mode == "security display")
    $returnArray["ddl"] = $challengeQuestionDDL;
  return $returnArray;
}

/**
 * function loginPrintButtons($isLogin=false, $showStartOver=true)
 * Prints out the buttons for the login screen
 *
 * @param boolean $isLogin -- if true, the label will be changed slightly
 * @param boolean $showStartOver -- if true, show the start over button
 */
function loginPrintButtons($isLogin = false, $showStartOver = true)
{
  $continueLabel = $isLogin ? "Log In" : "Continue";
  ?>
  <div class="form-group hcuSpacer">
    <div class="col-xs-12 col-sm-6 col-md-4">
      <button tabindex="0" id="submitBtn" class="k-button k-primary hcu-all-100 hcu-xs-btn-margin-top hcu-xs-btn-pad"><i class="fa fa-lock fa-lg"></i><?php echo $continueLabel; ?></button>
    </div>
    <?php if ($showStartOver) { ?>
    <div class="col-xs-12 col-sm-6 col-md-4">
      <button tabindex="0" id="clearBtn" class="k-button hcu-all-100 hcu-xs-btn-margin-top hcu-xs-btn-pad"><i class="fa fa-refresh fa-lg"></i>Start Over</button>
    </div>
    <?php } ?>
  </div>
<?php }

/**
 * function printButtons($buttonArray, $inModal=false)
 * Prints out some buttons
 *
 * @param array $buttonArray -- an array of buttons
 * @param boolean $inModal -- if it is in a modal or not
 */
function printButtons($buttonArray, $inModal = false, $inTemplate = false)
{
  $buttonString = "";
  $buttonString .= "<div class=\"row form-group hcuSpacer hcu-sm-auto-width\">";
  $buttonFound = false;
  foreach($buttonArray as $record)
  {
    if (HCU_array_key_exists("isLink", $record) && $record["isLink"] !== true)
    {
      $buttonFound = true;
      break;
    }
  }
  foreach($buttonArray as $record)
  {
      $primary = HCU_array_key_exists("primary", $record) ? $record["primary"] : false;
      $primaryClass = $primary === true ? "k-primary" : "";
      $iconClasses = $primary === true ? "class=\"fa fa-lock fa-lg\"" : "";
      $sz1 = 12;
      $sz2 = 6;
      $sz3 = 3;
      if ($inModal)
      {
        $sz1--;
        $sz2--;
      }

      $sizeClass = HCU_array_key_exists("sizeClass", $record) ? trim($record["sizeClass"]) : "col-md-$sz3";
      $href = HCU_array_key_exists("href", $record) ? trim($record["href"]) : "";
      $href = $href == "" ? ($inTemplate ? 'href="\\\\#"' : "href=\"#\"") : "href=\"$href\"";
      $type = HCU_array_key_exists("isFormSubmit", $record) ? $record["isFormSubmit"] : false;
      $type = $type === true ? "type=\"submit\"" : "";
      $disabledClass = HCU_array_key_exists("disabled", $record) ? $record["disabled"] : false;
      $disabledClass = $disabledClass === true ? "k-state-disabled" : "";
      $class = HCU_array_key_exists("class", $record) ? trim($record["class"]) : "";
      $isLink = HCU_array_key_exists("isLink", $record) ? $record["isLink"] : false;
      $id = HCU_array_key_exists("id", $record) ? trim($record["id"]) : "";
      $text = HCU_array_key_exists("text", $record) ? trim($record["text"]) : "";
      $additionalClasses = HCU_array_key_exists("additionalClasses", $record) ? trim($record["additionalClasses"]) : "";

      $buttonString .= "<div class=\"col-xs-$sz1 col-sm-$sz2 $sizeClass\">";
      if ($isLink === true)
      {
        $buttonString .= "<a $href id=\"$id\" class=\"linkLikeButton $primaryClass $disabledClass $class hcu-xs-100-only hcu-all-100 hcu-xs-btn-margin-top"
         . " hcu-xs-btn-pad $additionalClasses\">$text</a>";
      }
      else
      {
        // has to be like this because javascript doesn't handle newlines well.
        $buttonString .= "<button $type tabindex=\"0\" id=\"$id\" class=\"k-button $primaryClass $disabledClass $class hcu-xs-100-only hcu-all-100 hcu-xs-btn-margin-top";
        $buttonString .= " hcu-xs-btn-pad $additionalClasses\"><i $iconClasses></i>$text</button>";
      }
      $buttonString .= "</div>";
  }
  $buttonString .= "</div>";
  print $buttonString;
}

/**
 * function printLabelBlock($labelArray)
 * Prints out a label block
 *
 * @param array $labelArray -- the label block to display
 */
function printHubLabelBlock($labelArray)
{ ?>
    <?php foreach($labelArray as $label => $value) { ?>
      <div class="col-xs-12 col-sm-6">
        <label><?php echo $label; ?>&nbsp;</label><?php echo trim(str_replace('\\', '\\\\', $value)); ?>
      </div>
    <?php } ?>
<?php }

/**
 * function loginPrintLabelBlock($labelArray)
 * Prints out a label block for logins
 *
 * @param array $labelArray -- the label block to display
 */
function loginPrintLabelBlock($labelArray)
{ ?>
  <div class="form-group col-xs-12"><div class="k-block hcu-login-block"><div class="hcu-summary-block"><div class="summary-desc">
    <?php foreach($labelArray as $label => $value) { ?>
      <?php if (trim($value) != "") { ?>
      <div class="form-group col-xs-12">
        <label class="col-xs-12"><?php echo $label; ?>&nbsp;</label>
        <div class="col-xs-12 admIndent"><?php echo trim(str_replace('\\', '\\\\', $value)); ?></div>
      </div>
      <?php } ?>
    <?php } ?>
  </div></div></div></div>
<?php }

/**
 * function loginPrintInputLine($label, $value, $name, $maxlength=0, $autofocus=false, $hasSpacer=true, $type="text", $requiredMsg="", $additionalClasses="")
 * Prints out an line with an input in it
 *
 * @param string $label -- the label to print
 * @param string $value -- value of input
 * @param string $name -- the name of the input
 * @param integer $maxlength -- maxlength of the input (assuming text; otherwise does nothing)
 * @param boolean|string $autofocus -- if true, "autofocus" attribute is used.  If false, it isn't.  If it a string, than that is used instead.
 * @param boolean $hasSpacer -- uses the hcuSpacer class if true
 * @param string $type -- the type of the input
 * @param string $requiredMsg -- if nonempty, required attribute is set with data-required-msg set to text here.
 * @param string $additionalClasses -- these are added to the end of whatever other classes are needed.
 */
function loginPrintInputLine($label, $value, $name, $maxlength=0, $autofocus=false, $hasSpacer=true, $type="text", $requiredMsg="", $additionalClasses="", $deliminated=false)
{
  $requiredMsg = trim($requiredMsg);
  $requiredText = $requiredMsg == "" ? "" : "required data-required-msg=\"$requiredMsg\"";
  $autofocusText = $autofocus === true ? "autofocus" : ($autofocus === false ? "" : $autofocus);
  $spacerText = $hasSpacer ? "hcuSpacer" : "";
  $maxlengthText = $maxlength == 0 ? "" : "maxlength=\"$maxlength\"";
  $classes = array("hcu-all-100");
  $typeText = "type=\"$type\"";
  $delimStart = $deliminated ? "+ '" : "";
  $delimEnd = $deliminated ? "'" : "";
  ?>
  <?php echo $delimEnd; ?><div class="row form-group <?php echo $spacerText; ?>"><?php echo $delimEnd; ?>
    <?php echo $delimStart; ?><label class="col-xs-12 col-md-8"><?php echo $label; ?>&nbsp;</label><?php echo $delimEnd; ?>
    <?php echo $delimStart; ?><div class="col-xs-12 col-md-8"><?php echo $delimEnd; ?>
      <?php echo $delimStart; ?><input name="<?php echo $name; ?>" class=<?php echo chr(34); if ($type != 'checkbox') { ?>hcu-all-100 k-input k-textbox<?php }?><?php echo $delimEnd; ?>
      <?php echo $delimStart; ?><?php echo $additionalClasses . chr(34) // fixup code highlighting; ?><?php echo " " . $requiredText; ?> <?php echo $autofocusText ; ?> value="<?php echo $value; ?>" <?php echo $delimEnd; ?>
      <?php echo $delimStart; ?><?php echo $typeText; ?> <?php echo $maxlengthText; ?>>

      <p data-for=<?php echo chr(34) . $name . chr(34); ?> class="k-invalid-msg"></p></div></div><?php echo $delimEnd; ?>
<?php }

function dialogPrintInputLine($label, $value, $name, $maxlength = 0, $autofocus = false, $type = "text", $padding=false, $additionalClasses = "", $delimiter = true, $usePlus = true,
  $thankYouSirMayIHaveAnother = false)
{
  $delimiter = $delimiter === true ? "'" : ($delimiter === false ? "" : $delimiter);
  $usePlus = !$delimiter || !$usePlus ? "" : "+";
  $padding = !$padding ? "hcu-no-padding" : "";
  $spacingA = !$thankYouSirMayIHaveAnother ? "col-xs-4" : "col-xs-3";
  $spacingB = !$thankYouSirMayIHaveAnother ? "col-xs-8" : "col-xs-9";
  print "$usePlus $delimiter<div class=\"row hcuSpacer\"><label class=\"$spacingA $padding\">$label</label><div class=\"$spacingB $padding\">"
      . "<input value=\"$value\" id=\"$name\" name=\"$name\" type=\"$type\" " . ($maxlength != 0 ? "maxlength=\"$maxlength\"" : "") . "$autofocus class=\"hcu-all-100 k-input k-textbox $additionalClasses\">"
    . "</div></div>$delimiter";
}

function dialogPrintCheckboxLine($name, $text, $checked=true, $additionalClasses = "", $offset = true, $padding = true, $delimiter = true, $usePlus = true,
  $thankYouSirMayIHaveAnother = false)
{
  $delimiter = $delimiter === true ? "'" : ($delimiter === false ? "" : $delimiter);
  $usePlus = !$delimiter || !$usePlus ? "" : "+";
  $checked = $checked === true ? "checked" : ($checked === false ? "" : $checked);
  $padding = $padding ? "" : "hcu-no-padding";
  $spacingA = !$thankYouSirMayIHaveAnother ? "col-xs-4" : "col-xs-3";
  $spacingB = !$thankYouSirMayIHaveAnother ? "col-xs-8" : "col-xs-9";
  $offset = $offset ? "<label class=\"$spacingA $padding\">&nbsp;</label>" : "";
  print "$usePlus $delimiter<div class=\"row hcuSpacer\">$offset"
    . "<div class=\"$spacingB checkbox $padding $additionalClasses\"><label><input name=\"$name\" type=\"checkbox\" $checked>$text</label></div></div>$delimiter";
}

/**
 * function printCheckboxLine($label, $name, $checked=false, $hasSpacer=true, $additionalClasses)
 * Prints out a checkbox line
 *
 * @param string $label -- the label to print
 * @param string $name -- the name of the input
 * @param boolean $checked -- if true, the "checked" attribute is added
 * @param boolean $hasSpacer -- uses the hcuSpacer class if true
 * @param string $additionalClasses -- these are added to the end of whatever other classes are needed.
 */
function printCheckboxLine($label, $name, $checked=false, $hasSpacer=true, $additionalClasses="")
{
  $spacerText = $hasSpacer ? "hcuSpacer" : "";
  $checkedText = $checked === true ? "checked" : ($checked === false ? "" : $checked);
  ?>
  <div class="row form-group <?php echo $spacerText; ?>">
    <label class="col-xs-10 col-md-10"><?php echo $label; ?>&nbsp;</label>
    <div class="col-xs-1 col-md-1">
      <input name="<?php echo $name; ?>" type="checkbox" <?php echo $checkedText; ?> class="<?php echo $additionalClasses; ?>">
    </div>
  </div>
<?php }

/**
 * function loginPrintDivLine($label, $id, $hasSpacer=true, $classes="hcu-all-100")
 * Prints out a DIV line for login
 *
 * @param string $label -- the label to print
 * @param string $id -- the id of the DIV
 * @param boolean $hasSpacer -- uses the hcuSpacer class if true
 * @param string $classes -- what classes to add?
 */
function loginPrintDivLine($label, $id, $hasSpacer=true, $classes="hcu-all-100")
{ ?>
  <div class="row form-group <?php echo $hasSpacer ? 'hcuSpacer' : ''; ?>">
    <?php if (trim($label) != "") { ?>
    <label class="col-xs-12 col-md-8"><?php echo $label; ?>&nbsp;</label>
    <?php } ?>
    <div class="col-xs-12 col-md-8">
      <div id="<?php echo $id; ?>" class="<?php echo $classes; ?>"></div>
    </div>
  </div>
<?php }

/**
 * function printHeader($message, $isModal=false)
 * Prints a header
 *
 * @param string $message -- the message
 * @param boolean $isModal -- if modal or not
 */
function printHeader($message, $isModal=false)
{
  printSimple("<h4 class=\"h4 hcuSpacerx\">$message</h4>", $isModal);
}

/**
 * function printMessage($message, $isModal=false)
 * Prints a message
 *
 * @param string $message -- the message
 * @param boolean $isModal -- if modal or not
 */
function printMessage($message, $isModal=false)
{
  printSimple($message, $isModal);
}

/**
 * function printGridDiv($message, $isModal=false)
 * Prints a grid DIV
 *
 * @param string $id -- the id of the grid
 * @param boolean $isModal -- if modal or not
 */
function printGridDiv($id, $isModal=false)
{
  printSimple("<div id='$id'></div>", $isModal);
}

/**
 * function printSimple($message, $isModal=false)
 * Prints a simple line thingy
 *
 * @param string $line -- the line
 * @param boolean $isModal -- if modal or not
 */
function printSimple($line, $isModal=false)
{
  $sz = $isModal ? 11 : 12;
  ?>
  <div class="row form-group"><div class="col-xs-<?php echo $sz; ?>"><?php echo $line; ?></div></div>
<?php }

/**
 * function checkPass($dbh, $username, $password, $chksecure)
 *
 * @param array $pSysEnv - This is the current system environment settings from main
 * @param integer $dbh -- the database connection
 * @param string $username -- the username to check
 * @param string $password -- the password to check
 * @param boolean $chksecure -- if true, create a coooooooooooookkkkiee
 *
 * @throws "Invalid User Name or Password"
 * @return array("code" => 0, "error" => "", "expired" => {true/false});
 */
function checkPass($pSysEnv, $dbh, $username, $password, $cu, $chksecure, $creditUnionCookieName = "", $creditUnionCookieKey = "", $accessCheck = false, $email = "",
  $doUnionStuff = true, $isSkip = false, $setCookieIfNotExists = true)
{
  $code = 0;
  $sqls = array();
  $error = "";
  global $MEM_FORCE_RESET;

  try
  {
    $TicketExpires = (array_key_exists('expires', $pSysEnv['ticket']) ? $pSysEnv['ticket']['expires'] : 900);

    $username = strtolower(trim($username));
    $sql = "select trim(a.pname), trim(au.passwd), trim(au.cu), db, lastupdate, livebatch, au.failedremain, au.forceremain, au.forcechange, au.pwchange, au.lastlogin, au.failedlogin, a.flagset, a.flagset2, a.flagset3, trim(au.email), trim(au.confidence), au.userflags & {$MEM_FORCE_RESET}::int4, au.mfaquest from cuadmin a join cuadminusers au on a.cu = au.cu
      where lower(au.user_name)='" . prep_save($username) . "' and au.cu= '" . prep_save($cu) . "' limit 1";
    $sqls[] = $sql;
    $sth = db_query($sql,$dbh);
    if (!$sth)
      throw new exception("User query failed.", 4);
    if (db_num_rows($sth) == 0)
      throw new Exception("User not found.", 3);
      list($savename, $savepass,$cu, $db, $lastupdate, $lb, $failedremain, $fremain, $fchange, $pchange, $llog, $flog, $flagset, $flagset2, $flagset3,
        $savemail,$saveword, $freset, $mfa) = db_fetch_array($sth,0);

      $failedremain = (is_null($failedremain) ? 5 : $failedremain);
      $fremain = (is_null($fremain) ? 5 : $fremain);
      $fchange = (is_null($fchange) ? 'N' : $fchange);
      $db = (trim($db)=="" ? "_" : strtoupper(rtrim($db)));
      $lastupdate = (trim("$lastupdate")=="" ? "Unknown" : urlencode(trim($lastupdate)));
      $lb = (is_null($lb) ? "B" : strtoupper(rtrim($lb)));
      $flagset = (is_null($flagset) ? 0 : $flagset);
      $flagset2 = (is_null($flagset2) ? 0 : $flagset2);
      $flagset3 = (is_null($flagset3) ? 0 : $flagset3);

    if ($doUnionStuff)
    {
      if ($failedremain <= 0 || (($fchange =='Y' || $freset != 0) && $fremain <=0))
        throw new Exception("Account is Locked", 1);

      $email = trim($email);
      if ($accessCheck && strtolower(trim($savemail)) != strtolower($email) && trim($savemail) != '')
        throw new exception("Email doesn't match.", 5);

        if (!password_verify($password, $savepass))
          throw new Exception("Password doesn't match.", 2);
    }

      $pchange = (is_null($pchange) ? date('Ymd') : $pchange);
      $llog = (trim("$llog")=="" ? "None" : urlencode(trim($llog)));
      $flog = (trim("$flog")=="" ? "None" : urlencode(trim($flog)));

    $now = time();
    $expires = $now + $TicketExpires;
    $ip_address = $_SERVER['REMOTE_ADDR'];

      $mycookie =  "Cip=$ip_address&Ctime=$now&Cu=$cu&Cn=$username&Cname=$savename&Cd=$db&Ch=hash&Ce=$expires&Cl=$lb&Clu=$lastupdate&Fplog=$llog&Fflog=$flog&Ffchg=$fchange"
        . "&Ffremain=$fremain&Fset=$flagset&Fset2=$flagset2&Fset3=$flagset3";

      Set_aTicket($pSysEnv, "","$mycookie");

      apache_note('user_name',"${cu}:${username}");

      $mfa = HCU_JsonDecode($mfa);
    if (!is_array($mfa))
      $mfa = array("answers" => array());
    $mfa["challenge"] = 0;  // Reset because of successful login

    if (!$accessCheck && $chksecure == 'Y')
      Set2FactorAdmin($pSysEnv, $savepass, $savemail, $saveword, $mfa, $username, $setCookieIfNotExists);

    $sql = "select admtrackmfa('$cu','$username', '" . ($isSkip ? $fchange : "N") . "','$pchange', '" . prep_save(PrepareMfaQuestString($mfa)) . "')";
    $sqls[] = $sql;
    $sth = db_query($sql,$dbh);

    $expired = $doUnionStuff && $fchange == 'Y';
    if ($doUnionStuff)
    {
      $persists = time() + $pSysEnv['ticket']['persists'];
      $ticketContents = hcuOpenSSLEncrypt($cu, "NONE");

      HCU_setcookie_env($pSysEnv, $creditUnionCookieName, $ticketContents["message"], $persists);
      HCU_setcookie_env($pSysEnv, "${creditUnionCookieName}Hash", $ticketContents["hash"], $persists);
    }

  }
  catch(exception $e)
  {
    if ($e->getCode() != 1) // All get failed logging EXCEPT for locked account.
    {
        $sql = "select admfailmfa('$cu', '$username',32, '$mfa')";
        $sqls[] = $sql;
        $sth = db_query($sql, $dbh);
        throw new Exception("Invalid User Name or Password.", 1);
    }
  }

  $answers = HCU_array_key_value("answers", $mfa);
  $hasAnswers = $answers === false ? false : count($answers) > 0;
  $returnArray = array("code" => "$code", "error" => "$error", "expired" => $expired, "cookie" => $mycookie, "forceSecurity" => $freset != 0 || !$hasAnswers,
    "forcePassword" => $fchange == "Y");
  return $returnArray;
}

/**
 * function printCaptureEnter()
 * Prints code for capturing the enter key
 */
function printCaptureEnter()
{ ?>
    $("body").on("keypress", "input,.k-button", function(e) {
      if ([10, 13].indexOf(e.which) != -1)
        $(this).hasClass("k-button") ? $(this).click() : $(this).closest("form").submit();
  });
<?php }

/**
 * function printCheckboxEvents($gridSelector, $deleteBtnSelector="", $closest="", $allCheckbox=".allCheckbox", $rowCheckbox=".rowCheckbox")
 * Prints out the logic for the checkbox columns on some grids
 *
 * @param string $gridSelector -- the jQuery selector of the grid with the checkboxes
 * @param string $deleteBtnSelector -- the jQuery selector of the delete button that gets enabled/disabled based on if any checkboxes are checked.
 * @param string $closest -- the jQuery selector of the intermediary table.  Mostly unused.
 * @param string $allCheckbox -- the jQuery selector of the allCheckbox
 * @param string $rowCheckbox -- the jQuery selector of the rowCheckbox
 */
function printCheckboxEvents($gridSelector, $deleteBtnSelector="", $closest="", $allCheckbox=".allCheckbox", $rowCheckbox=".rowCheckbox", $rowMethod="")
{
  if ($closest == "")
  {
    $closestCommand = "";
    $rcSelector = "$gridSelector $rowCheckbox:enabled";
    $rcCheckedSelector = "\$(\"$rcSelector:checked\")";
    $rcNotCheckedSelector = "\$(\"$rcSelector:not(:checked)\")";
    $acSelector = "\$(\"$gridSelector $allCheckbox\")";
    $rcSelector = "\$(\"$rcSelector\")";
  }
  else
  {
    $closestCommand = "var intermediate= \$(this).closest(\"$closest\");";
    $rcSelector = "\$(intermediate).find(\"$rowCheckbox";
    $rcCheckedSelector = "$rcSelector:checked\")";
    $rcNotCheckedSelector = "$rcSelector:not(:checked)\")";
    $acSelector = "\$(intermediate).find(\"$allCheckbox\")";
    $rcSelector = "$rcSelector\")";
  }
  ?>
    $("<?php echo $gridSelector; ?>").on("click", "<?php echo $allCheckbox; ?>", function() {
      var checked = $(this).prop("checked");
      var data = $("<?php echo $gridSelector; ?>").data("kendoGrid").dataSource.view(); <?php // Data to view: important when using a filter with the table in the case of access control. ?>
      for(var i = 0; i != data.length; i++)
      {
        data[i].checked = checked;
      }

      <?php if ($rowMethod != "") { ?>
        if (typeof(<?php echo $rowMethod; ?>) == "function")
        {
          if (checked)
          {
            <?php echo $rcNotCheckedSelector; ?>.each(function() {
              (<?php echo $rowMethod; ?>)(checked, $(this));
            });
          }
          else
          {
            <?php echo $rcCheckedSelector; ?>.each(function() {
              (<?php echo $rowMethod; ?>)(checked, $(this));
            });
          }
        }
      <?php } ?>

      <?php echo $closestCommand; ?>
      <?php echo $rcSelector; ?>.prop("checked", checked);

      <?php if ($deleteBtnSelector != "") { ?>
      if (<?php echo $rcCheckedSelector; ?>.length > 0)
        $("<?php echo $deleteBtnSelector; ?>").removeClass("k-state-disabled vsgDisabled");
      else
        $("<?php echo $deleteBtnSelector; ?>").addClass("k-state-disabled vsgDisabled");
      <?php } ?>
    });

    $("<?php echo $gridSelector; ?>").on("click", "<?php echo $rowCheckbox; ?>", function() {
      var checked = $(this).prop("checked");
      var dataItem = $("<?php echo $gridSelector; ?>").data("kendoGrid").dataItem($(this).closest("tr"));
      dataItem.checked = checked;

      <?php echo $closestCommand; ?>
      if (checked && <?php echo $rcNotCheckedSelector; ?>.length == 0)
        <?php echo $acSelector; ?>.prop("checked", true);
      else if (!checked)
        <?php echo $acSelector; ?>.prop("checked", false);

      <?php if ($deleteBtnSelector != "") { ?>
      if (<?php echo $rcCheckedSelector; ?>.length > 0)
        $("<?php echo $deleteBtnSelector; ?>").removeClass("k-state-disabled vsgDisabled");
      else
        $("<?php echo $deleteBtnSelector; ?>").addClass("k-state-disabled vsgDisabled");
      <?php } ?>

      <?php if ($rowMethod != "") { ?>
        if (typeof(<?php echo $rowMethod; ?>) == "function")
          (<?php echo $rowMethod; ?>)(checked, $(this));
      <?php } ?>
    });

    <?php if ($closest == "") { ?>
    var setAllCheckbox = <?php echo $rcSelector; ?>.length > 0 && <?php echo $rcNotCheckedSelector; ?>.length == 0;
    <?php echo $acSelector; ?>.prop("checked", setAllCheckbox);
    <?php } else { ?>
      $("<?php echo "$gridSelector $closest"; ?>").each(function() {
        var intermediate = $(this);
        var setAllCheckbox = <?php echo $rcSelector; ?>.length > 0 && <?php echo $rcNotCheckedSelector; ?>.length == 0;
        <?php echo $acSelector; ?>.prop("checked", setAllCheckbox);
      });
    <?php } ?>

    var thisParticularGrid= $("<?php echo $gridSelector; ?>").data("kendoGrid");
    thisParticularGrid.bind("filter", function(e) {
        if (!$("<?php echo $gridSelector; ?>").data("inFilter"))
        {
          $("<?php echo $gridSelector; ?>").data("inFilter", true);

          thisParticularGrid.dataSource.filter(e.filter);

          <?php if ($closest == "") { ?>
          var setAllCheckbox = <?php echo $rcSelector; ?>.length > 0 && <?php echo $rcNotCheckedSelector; ?>.length == 0;
          <?php echo $acSelector; ?>.prop("checked", setAllCheckbox);
          <?php } else { ?>
            $("<?php echo "$gridSelector $closest"; ?>").each(function() {
              var intermediate = $(this);
              var setAllCheckbox = <?php echo $rcSelector; ?>.length > 0 && <?php echo $rcNotCheckedSelector; ?>.length == 0;
              <?php echo $acSelector; ?>.prop("checked", setAllCheckbox);
            });
          <?php } ?>

          <?php if ($deleteBtnSelector != "") { ?>
          if (<?php echo $rcCheckedSelector; ?>.length > 0)
            $("<?php echo $deleteBtnSelector; ?>").removeClass("k-state-disabled");
          else
            $("<?php echo $deleteBtnSelector; ?>").addClass("k-state-disabled");
          <?php } ?>

          $("<?php echo $gridSelector; ?>").data("inFilter", false);
        }
    });
<?php }

/**
 * function validatePasswordRules($dbh, $cuCode, $showSQL, $password, $addRuleErrors)
 *
 * Validates the password rules for admin
 *
 * @param integer $dbh      The database connection
 * @param string $cuCode    The Credit Union
 * @param integer $userId     The userId of the ${cuCode}user record.
 * @param boolean $showSQL    If true, SQL is available for debug.
 * @param string $password    The password to check.
 * @param boolean $addRuleErrors  If true, if the password doesn't have the requirements, then it add errors.  Otherwise, it just populates the forceChange boolean.
 *
 * @return array("code" => integer, "errors" => array(), "data" => array(), "validForAdmin" => boolean, "forceChange" => boolean);
 * If there are errors, code is non-zero.  If $includeSQL is true, then array("sqls" => array()) is also available.
 * "validForAdmin" -- If there are any illegal characters then the password isn't valid even for admin.
 * "forceChange" -- If any of the password rules fails, then this will be true.
 */
function validatePasswordRules($dbh, $cuCode, $showSQL, $password, $addRuleErrors)
{
  $errors = array();
  $sqls = array();
  $code = 0;
  $validForAdmin = true;
  $forceChange = false;

  $sql = "select pwdconfig from cuadmin where cu='$cuCode'";
  $sqls[] = $sql;
  if (($sth = db_query($sql, $dbh)) === false)
  {
    $code |= 1;
    $errors[] = db_last_error();
  }
  else
  {
    $rules = trim(db_fetch_row($sth, 0)[0]);
    if ($rules != "")
    {
      $rules = HCU_JsonDecode($rules);
      if (!is_array($rules))
      {
        $code |= 2;
        $errors[] = "Password rules is not a valid json array.";
      }
      else
      {
        if (!isset($rules["use"]) || $rules["use"] != 1)
          $rules = array("len" => 6, "letter" => 1, "digit" => 1);

        if (isset($rules["len"]) && strlen($password) < $rules["len"])
        {
          $code |= 4;
          $errors[] = "Password is too short.";
          $forceChange = true;
        }

        preg_match('/\d/', $password, $numDigits);
        preg_match('/[[:lower:]]/', $password, $numLower);
        preg_match('/[[:upper:]]/', $password, $numUpper);
        preg_match('/[!#@$%^&*?_~()-]/', $password, $numSpec);
        preg_match('/[\'"]/', $password, $numInvalid);

        if (isset($rules["digit"]) && $numDigits < $rules["digit"])
        {
          if ($addRuleErrors)
          {
            $code |= 8;
            $errors[] = "Password needs " . $rules["digit"] . " digits.";
          }
          $forceChange = true;
        }

        if (isset($rules["lower"]) && $numLower < $rules["lower"])
        {
          if ($addRuleErrors)
          {
            $code |= 16;
            $errors[] = "Password needs " . $rules["lower"] . " lower letters.";
          }
          $forceChange = true;
        }

        if (isset($rules["upper"]) && $numUpper < $rules["upper"])
        {
          if ($addRuleErrors)
          {
            $code |= 32;
            $errors[] = "Password needs " . $rules["upper"] . " upper letters.";
          }
          $forceChange = true;
        }

        if (isset($rules["spec"]) && $numUpper < $rules["spec"])
        {
          if ($addRuleErrors)
          {
            $code |= 64;
            $errors[] = "Password needs " . $rules["spec"] . " special characters.";
          }
          $forceChange = true;
        }

        if ($numInvalid > 0)
        {
          $errors[] = "Password has illegal characters.";
          $validForAdmin = false;
        }
      }
    }
  }

  db_free_result($sth);
  $returnArray= array("code" => "$code", "errors" => $errors, "validForAdmin" => $validForAdmin, "forceChange" => $forceChange);
  if ($showSQL)
    $returnArray["sqls"]= $sqls;
  return $returnArray;
}

/**
 * function printJavascriptHashCode()
 * Gets a hashCode function similar to Java in JavaScript.
 * @link http://werxltd.com/wp/2010/05/13/javascript-implementation-of-javas-string-hashcode-method/
 */
function printJavascriptHashCode()
{ ?>
  String.prototype.hashCode = function()
  {
    var hash = 0;
    if (this.length == 0) return hash;
    for (i = 0; i < this.length; i++)
    {
      char = this.charCodeAt(i);
      hash = ((hash << 5)-hash)+char;
      hash = hash & hash; // Convert to 32bit integer
    }
    return hash;
  }
<?php }


/*--------------------------------------------
Admin delete functions that will be used in user, group, and member hubs.
----------------------------------------------*/

/**
 * function userDeletion($dbh, $Cu, $userId, &$sqls)
 * This will delete from all tables attached to the user.
 *
 * @param $dbh -- the database connection
 * @param $Cu -- the credit union
 * @param $userId -- the userId
 * @param $sqls -- the array to append SQLs to.
 *
 * @throws errors between 100 and 200 which will fail the transaction defined at a higher level.
 */
function userDeletion($dbh, $Cu, $userId, &$sqls)
{
  $sql = "delete from ${Cu}extaccount where user_id= $userId";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("extaccount delete failed.", 106);

  $sql = "delete from ${Cu}transdtl where id in (select dtl.id from ${Cu}transdtl dtl inner join ${Cu}transhdr hdr on dtl.transhdr_id = hdr.id and hdr.posted_by = $userId)";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("dtl delete failed.", 107);

  $sql = "delete from ${Cu}transhdr where posted_by = $userId";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("hdr delete failed.", 108);

  $sql = "delete from cu_alerts where user_id= $userId and cu= '$Cu'";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("cu_alerts delete failed.", 110);

  $sql = "delete from ${Cu}userrights where user_id= $userId";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("userrights delete failed.", 112);

  $sql = "delete from ${Cu}usercontact where contact_id in (select contact from ${Cu}user where user_id= $userId)";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("usercontact delete failed.", 113);

  $sql = "delete from ${Cu}useraccounts where user_id= $userId";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("useraccounts delete failed.", 114);

  $sql = "delete from ${Cu}memberacctrights where user_id= $userId";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("memberacctrights delete failed.", 115);

  $sql = "delete from ${Cu}user where user_id= $userId";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("user delete failed.", 116);

  $sql = "delete from ${Cu}extkey where user_id= $userId";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("extkey failed.", 139);

  $sql = "delete from cusmstransaction where user_id= $userId and cu='$Cu'";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("cusmstransaction failed.", 140);

  $sql = "delete from cuadmeco where user_id= $userId and cu='$Cu'";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("cuadmeco failed.", 141);

  $sql = "delete from cucmsresponse where user_id= $userId and cu='$Cu'";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("cucmsresponse failed.", 142);

  $sql = "delete from cusmstrack where user_id= $userId and cu='$Cu'";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("cusmstrack failed.", 143);

  $sql = "delete from cusms where user_id= $userId and cu='$Cu'";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("cusms failed.", 144);

  $sql = "delete from cu_scheduledtxn where user_id= $userId and cu='$Cu'";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("cu_scheduledtxn failed.", 145);
}

/**
 * function groupDeletion($dbh, $Cu, $groupId, &$sqls)
 * This will delete from all tables attached to the group.
 *
 * @param $dbh -- the database connection
 * @param $Cu -- the credit union
 * @param $groupId -- the group id
 * @param $sqls -- the array to append the SQLs to.
 *
 * @throws errors between 100 and 200 which will fail the transaction defined at a higher level.
 */
function groupDeletion($dbh, $Cu, $groupId, &$sqls)
{
  $sql = "delete from ${Cu}grouprights where group_id= $groupId";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("grouprights delete failed.", 117);

  $sql = "delete from ${Cu}achpartner where group_id= $groupId";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("achpartner delete failed.", 118);

  $sql = "delete from ${Cu}usercontact where contact_id in (select contact from ${Cu}group where group_id= $groupId)";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("usercontact delete failed.", 131);

  $sql = "delete from ${Cu}group where group_id= $groupId";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("group delete failed.", 121);
}

/**
 * function accountDeletion($dbh, $Cu, $accountnumber, &$sqls, $allMeansAll=false)
 * This will delete from all tables attached to the account.
 *
 * @param $dbh -- the database connection
 * @param $Cu -- the credit union
 * @param $accountnumber -- the accountnumber
 * @param $sqls -- the array to append the SQLs to.
 * @param $allMeansAll -- if true, then it will also delete accountnumber records from tables that have both an user_id and an accountnumber column.
 *
 * @throws errors between 100 and 200 which will fail the transaction defined at a higher level.
 */
function accountDeletion($dbh, $Cu, $accountnumber, &$sqls, $allMeansAll=false)
{
  // These are the tables that have both an accountnumber and a userid.  If coming from user delete, we don't want to delete all for the accountnumber here.
  // Instead, we want to fail the transaction if the accountnumber is used by another user.  These tables are deleted according to the user id in the user deletion function.
  if ($allMeansAll)
  {
    $sql = "delete from ${Cu}extkey where trim(accountnumber) = '" . prep_save($accountnumber, 12) . "'";
    $sqls[] = $sql;
    $sth = db_query($sql, $dbh);
    if (!$sth)
      throw new exception("extkey delete failed.", 124);

    $sql = "delete from cu_alerts where trim(accountnumber) = '" . prep_save($accountnumber, 12) . "' and cu= '$Cu'";
    $sqls[] = $sql;
    $sth = db_query($sql, $dbh);
    if (!$sth)
      throw new exception("cu_alerts delete failed.", 111);

    $sql = "delete from cusmstransaction where trim(accountnumber) = '" . prep_save($accountnumber, 12) . "' and cu= '$Cu'";
    $sqls[] = $sql;
    $sth = db_query($sql, $dbh);
    if (!$sth)
      throw new exception("cusmstransaction delete failed.", 126);

    $sql = "delete from cucmsresponse where trim(accountnumber) = '" . prep_save($accountnumber, 12) . "' and cu='$Cu'";
    $sqls[] = $sql;
    $sth = db_query($sql, $dbh);
    if (!$sth)
      throw new exception("cucmsresponse delete failed.", 128);

    $sql = "delete from cusmstrack where trim(accountnumber) = '" . prep_save($accountnumber, 12) . "' and cu='$Cu'";
    $sqls[] = $sql;
    $sth = db_query($sql, $dbh);
    if (!$sth)
      throw new exception("cusmstrack delete failed.", 129);

    $sql = "delete from cusms where trim(accountnumber) = '" . prep_save($accountnumber, 12) . "' and cu='$Cu'";
    $sqls[] = $sql;
    $sth = db_query($sql, $dbh);
    if (!$sth)
      throw new exception("cusms delete failed.", 130);

    $sql = "delete from ${Cu}memberacctrights where trim(accountnumber) = '" . prep_save($accountnumber, 12) . "'";
    $sqls[] = $sql;
    $sth = db_query($sql, $dbh);
    if (!$sth)
      throw new exception("memberacctrights delete failed.", 132);

    $sql = "delete from ${Cu}useraccounts where trim(accountnumber) = '" . prep_save($accountnumber, 12) . "'";
    $sqls[] = $sql;
    $sth = db_query($sql, $dbh);
    if (!$sth)
      throw new exception("useraccounts delete failed.", 136);

    $sql = "delete from ${Cu}transdtl where id in (select dtl.id from ${Cu}memorizeddtl dtl inner join ${Cu}transhdr hdr
      on dtl.transhdr_id = hdr.id and hdr.accountnumber= '" . prep_save($accountnumber, 12) . "')";
    $sqls[] = $sql;
    $sth = db_query($sql, $dbh);
    if (!$sth)
      throw new exception("dtl delete failed.", 137);

    $sql = "delete from ${Cu}transhdr where accountnumber = '" . prep_save($accountnumber, 12) . "'";
    $sqls[] = $sql;
    $sth = db_query($sql, $dbh);
    if (!$sth)
      throw new exception("hdr delete failed.", 138);

    $sql = "delete from ${Cu}useraccounts where accountnumber = '" . prep_save($accountnumber, 12) . "'";
    $sqls[] = $sql;
    $sth = db_query($sql, $dbh);
    if (!$sth)
      throw new exception("useraccounts delete failed.", 139);
  }
  else // Okay, but we still need to remove from tables where there is an user_id but it is nullable.
  {
    $sql = "delete from cusmstransaction where trim(accountnumber) = '" . prep_save($accountnumber, 12) . "' and cu= '$Cu' and user_id is null";
    $sqls[] = $sql;
    $sth = db_query($sql, $dbh);
    if (!$sth)
      throw new exception("cusmstransaction delete failed.", 145);
  }

  $sql = "delete from cuovermicr where trim(accountnumber) = '" . prep_save($accountnumber, 12) . "' and cu= '$Cu'";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("cuovermicr delete failed.", 109);

  $sql = "delete from ${Cu}holds where trim(accountnumber) = '" . prep_save($accountnumber, 12) . "'";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("holds delete failed.", 125);

  $sql = "delete from ${Cu}memberacct where trim(accountnumber) = '" . prep_save($accountnumber, 12) . "'";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("memberacct delete failed.", 133);

  deleteAccountHistory($dbh, $Cu, $accountnumber, $sqls);

  $sql = "delete from ${Cu}accountbalance where trim(accountnumber) = '" . prep_save($accountnumber, 12) . "'";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("accountbalance delete failed.", 134);

  $sql = "delete from ${Cu}loanbalance where trim(accountnumber) = '" . prep_save($accountnumber, 12) . "'";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("loanbalance delete failed.", 135);

  $sql = "delete from ${Cu}crossaccounts where trim(accountnumber) = '" . prep_save($accountnumber, 12) . "'";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("crossaccounts delete failed.", 136);
}

/**
 * function deleteAccountHistory($dbh, $Cu, $accountnumber, &$sqls)
 * This will delete from the account history tables.
 *
 * @param $dbh -- the database connection
 * @param $Cu -- the credit union
 * @param $accountnumber -- the accountnumber
 * @param $sqls -- the array to append the SQLs to.
 *
 * @throws errors between 100 and 200 which will fail the transaction defined at a higher level.
 */
function deleteAccountHistory($dbh, $Cu, $accountnumber, &$sqls)
{
  $sql = "delete from ${Cu}accounthistory where trim(accountnumber) = '" . prep_save($accountnumber, 12) . "'";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("Account history delete failed.", 102);

  $sql = "delete from ${Cu}loanhistory where trim(accountnumber) = '" . prep_save($accountnumber, 12) . "'";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("Loan history delete failed.", 103);
}

/**
 * function checkAccountUsage($dbh, $Cu, $userId, $accountnumber, &$sqls)
 * This will check to see if the account is used by another user and if so, fail.
 *
 * @param $dbh -- the database connection
 * @param $Cu -- the credit union
 * @param $userId -- the user id
 * @param $accountnumber -- the accountnumber
 * @param $sqls -- the array to append the SQLs to.
 *
 * @throws
 *    Between 1 and 100 -- Select queries failed.
 *    Between 200 and 300 -- There exists at least one record from the accountnumber and another user.
 */
function checkAccountUsage($dbh, $Cu, $userId, $accountnumber, &$sqls)
{
  $sql = "select 'FOUND' from ${Cu}extkey where trim(accountnumber) = '" . prep_save($accountnumber, 12) . "' and user_id <> $userId";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("extkey failed.", 108);
  if (db_num_rows($sth) > 0)
    return false;

  $sql = "select 'FOUND' from cu_alerts where trim(accountnumber) = '" . prep_save($accountnumber, 12) . "' and cu = '$Cu' and user_id <> $userId";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("cu_alerts failed.", 109);
  if (db_num_rows($sth) > 0)
    return false;

  $sql = "select 'FOUND' from ${Cu}useraccounts where trim(accountnumber) = '" . prep_save($accountnumber, 12) . "' and user_id <> $userId";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("useraccounts failed.", 100);
  if (db_num_rows($sth) > 0)
    return false;

  $sql = "select 'FOUND' from ${Cu}memberacctrights where trim(accountnumber) = '" . prep_save($accountnumber, 12) . "' and user_id <> $userId";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("memberacctrights failed.", 110);
  if (db_num_rows($sth) > 0)
    return false;

  $sql = "select 'FOUND' from cusmstransaction where trim(accountnumber) = '" . prep_save($accountnumber, 12) . "' and user_id is not null and user_id <> $userId and cu='$Cu'";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("cusmstransaction failed.", 120);
  if (db_num_rows($sth) > 0)
    return false;

  $sql = "select 'FOUND' from cucmsresponse where trim(accountnumber) = '" . prep_save($accountnumber, 12) . "' and user_id <> $userId and cu='$Cu'";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("cucmsresponse failed.", 140);
  if (db_num_rows($sth) > 0)
    return false;

  $sql = "select 'FOUND' from cusmstrack where trim(accountnumber) = '" . prep_save($accountnumber, 12) . "' and user_id is not null and user_id <> $userId and cu='$Cu'";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("cusmstrack failed.", 150);
  if (db_num_rows($sth) > 0)
    return false;

  $sql = "select 'FOUND' from cusms where trim(accountnumber) = '" . prep_save($accountnumber, 12) . "' and user_id is not null and user_id <> $userId and cu='$Cu'";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("cusms failed.", 160);
  if (db_num_rows($sth) > 0)
    return false;

  $sql = "select 'FOUND' from ${Cu}transhdr where trim(accountnumber) = '" . prep_save($accountnumber, 12) . "' and posted_by is not null and posted_by <> $userId";
  $sqls[] = $sql;
  $sth = db_query($sql, $dbh);
  if (!$sth)
    throw new exception("transhdr failed.", 170);
  if (db_num_rows($sth) > 0)
    return false;

  return true;
}

/*--------------------------------------------
END Admin delete functions
----------------------------------------------*/

/**
 * Print javascript necessary to print Google analytics on the page
 *
 * @param string $pServName - Server Name e.g. 'alpha.homecu.io'
 * @param string $pCu     - Credit Union Code
 * @param string $pScript -
 */
function PrintGAScript($pServName, $pCu, $pScript) {

  // Trim any extension off scriptname
  if (strrpos($pScript, ".") !== false) {
    $pScript = substr($pScript, 0, strrpos($pScript, "."));
  }

  print <<< GA_JS
      <script>
        if (typeof ga === 'function') {
          /* ** Make sure Google Analytics are installed */
          // tracking ID created in main.prg
          ga('set', 'dimension1', '$pServName' );
          ga('set', 'dimension2', '$pScript' );
          ga('set', 'dimension3', '$pCu' );
          ga('send', 'pageview');
        }
      </script>
GA_JS;

}

/**
 * function ReadUser($dbh, $cuCode, $username, $getPrograms, $getChallengeQuestions, $getAllChallengeQuestions, $getAlertProviders)
 * Read user.  Depending on where it is accessed, there are differences in what is shown.
 *
 * @param integer $dbh -- the database connection
 * @param string $cuCode -- the credit union
 * @param string $username -- the username to read
 * @param boolean $getPrograms -- if true, will get the available programs
 * @param boolean $getChallengeQuestions -- if true, will get the mfaquest column in the user record and extract it
 * @param boolean $getAllChallengeQuestions -- if true, will get all available challenge questions
 * @param boolean $getAlertProviders -- if true, will get a list of phone providers - removed
 * @param boolean $getAuditRecords -- whether or not to get the audit records.
 * @param object $logger -- logs
 *
 * @return array $returnArray --
 *    integer $returnArray["status"] -- "000" if successful; nonzero otherwise
 *    array $returnArray["error"] -- nonempty if there is an error
 *    array $returnArray["record"] -- contains the user record
 *    array $returnArray["privilege"] -- contains the programs that the user can see (if $getPrograms)
 *    array $returnArray["providers"] -- contains the phone providers (if $getAlertProviders)
 */
function ReadUser($dbh, $cuCode, $username, $getPrograms, $getChallengeQuestions, $getAllChallengeQuestions, $getAuditRecords, $logger) {
  //we no longer need providers here
  $records = array();
  $privilegeRecords = array();
  $username = mb_strtolower($username); // Needs the mb for converting Ö to ö for example.
  try {
    $sql = "select au.*, au.user_name as username, coalesce(a.retrylimit,5) as retry, coalesce(a.gracelimit,5) as grace, a.pwdconfig, a.ip_acl, a.user_name as ismaster
    from cuadminusers au inner join cuadmin a on au.cu = a.cu where au.cu='$cuCode' and lower(au.user_name)='" . prep_save($username, 50) . "' limit 1";
    $sth = db_query($sql, $dbh);
    if (!$sth) {
      throw new exception("Read query failed.", 1);
    }
    if (db_num_rows($sth) == 0) {
      throw new exception("No user found.", 3);
    }
    for($i = 0; $oldArray = db_fetch_assoc($sth, $i); $i++) {
      foreach($oldArray as $key => $value) {
        if ($key == "pwdconfig") {
          $value = HCU_JsonDecode($value);
          if (!is_array($value)) {
            throw new exception("Password array is malformed.", 4);
          }
          $array[$key] = $value;
        } else if ($key == "ismaster") {
          $array[$key] = trim($value) == trim($oldArray["username"]);
        } else {
          $array[$key] = trim($value);
        }
      }
      unset($oldArray);

      // removing provider/carrier from phone number
      if ($array["usersms"] == "") {
        $array["smsNumber"] = "";
      } else {

        $sms = explode("@", $array["usersms"]);
        $array["smsNumber"] = $sms[0];
      }

      if ($array["remoteip"] != "") {
        $validate = explode(".", $array["remoteip"]);
        if (count($validate) != 4) {
          throw new exception("Remote address is not valid.", 9);
        }
        foreach($validate as $num) {
          if (!is_numeric($num)) {
            throw new exception("Remote address are not valid.", 10);
          }
          if ($num < 0 || $num > 256) {
            throw new exception("Remote address are not valid.", 11);
          }
        }
      }

      if ($array["ip_acl"] == "") {
        $array["cuIps"] = array();
      } else {
        $cuIps = explode(";", $array["ip_acl"]);
        foreach($cuIps as $ip) {
          $validate = explode(".", $ip);
          if (count($validate) != 4) {
            throw new exception("Cu IP addresses are not valid.", 6);
          }
          foreach($validate as $num) {
            if (!is_numeric($num)) {
              throw new exception("Cu IP addresses are not valid.", 7);
            }
            if ($num < 0 || $num > 256) {
              throw new exception("Cu IP addresses are not valid.", 8);
            }
          }
        }
        $array["cuIps"] = $cuIps;
      }

      unset($array["usersms"]);
      unset($array["passwd"]);
      unset($array["ip_acl"]);

      $array["booleanForceChange"]= $array["forcechange"] == "Y";

      $userflags = intval($array["userflags"]);
      $array["booleanForceSecurity"] = ($userflags & 2) != 0;
      $array["booleanMasterPrivileges"] = ($userflags & 4) != 0;
      $array["booleanRemotePrivileges"] = ($userflags & 64) != 0;
      $array["booleanLockAccount"] = $array["failedremain"] < 1 || (($array["booleanForceChange"] || $array["booleanForceSecurity"]) && $array["forceremain"] < 1);
      $array["textLockout"] = $array["failedremain"] == -1 ? "Locked By CU" : $array["failedremain"];
      $array["numRemaining"] = $array["forceremain"];
      $array["cuRemoteEnabled"] = count($array["cuIps"]) > 0;

      $array["failReason"] = ($userflags & 8) != 0 ? "Email" : (($userflags & 16) != 0 ? "Challenge Response" : (($userflags & 32) != 0 ? "Password" : ""));
      $records[] = $array;
    }

    if ($getPrograms) { // Not shown on UI for master so why go through this effort to throw it away?
      $sql = "select ap.program, ap.displaytext, ap.description, a.program as checked from cuadminprogs ap
        left join cuadminallow a on ap.program = a.program and lower(a.user_name) = '" . prep_save($username, 50) . "' and a.cu = '$cuCode'
        order by ap.sort_order, ap.program";
      $sth = db_query($sql, $dbh);
      if (!$sth) {
        throw new exception("Program query failed.", 2);
      }
      for($i = 0; $oldArray = db_fetch_assoc($sth, $i); $i++) {
        foreach($oldArray as $key => $value) {
          $thisArray[$key] = trim($value);
        }
        unset($oldArray);
        $thisArray["checked"] = $thisArray["checked"] != "";
        $thisArray["prevChecked"] = $thisArray["checked"];
        $privilegeRecords[] = $thisArray;
      }
      $records[0]["programs"] = $privilegeRecords;
    }

    if ($getChallengeQuestions) {
      $challengeQuestions = getAdmChallengeQuestions($dbh, $cuCode, $username, $getAllChallengeQuestions ? "security display" : "admin display");
      $records[0]["mfaquest"] = $challengeQuestions["data"];
      $records[0]["mfaddl"] = $challengeQuestions["ddl"];
    }

    if ($getAuditRecords) {
      $records[0]["auditRecords"] = GetAuditRecords($dbh, $cuCode, $username, $logger);
    }

    $returnArray = array("status" => "000", "error" => "", "record" => $records);

  } catch (exception $e) {
    $returnArray = array("status" => $e->getCode(), "error" => $e->getMessage());
  }
  return $returnArray;
}

/**
 * function saveUser($dbh, $cuCode, $parameters, $loggedInUser, $securityMode)
 * Saves the admin user.  This can save for the user table, cuadmin table (Master IP addresses), and add and removals from the cuadminallowprogs table.
 * Next error code 46
 *
 * @param array $pSysEnv -- The System Environment variable from main
 *                            with the settings for this environment (production/development)
 * @param integer $dbh -- the database connection
 * @param string $cuCode -- the credit union
 * @param array $parameters -- the column changed
 * @param string $loggedInUser -- the logged in user.  For all modes, this is for the audit record.  For most modes, it is also the user being saved.
 * @param string $securityMode -- this has various codes below.  If there are no changes in one of the tables, then there will be no audit record for that table.
 *    "none" -- Save is coming from the admin user admin screen.  This means that there are a lot of stuff that can be saved.  Any changes to the user record are dependent
 *        on $parameter["isAdd"].  If this is "Y", then the audit will be a create with the code "USER_A".  Otherwise, the audit will be an update with the code "USER_U".
 *        If the user is a master and the master IP were changed, then an audit will be created with the code "RIP_U" for the cuadmin table.
 *        If programs were added to the user, then an audit will be created with the code "PROGS_A" for the cuadminallowprogs table.
 *        If programs were removed from the user, then an audit will be created with the code "PROGS_D" for the cuadminallowprogs table.
 *    "basic" -- Save is coming from the first page in the "change security settings" option.  User can only save email, remote access parameters, and password.
 *        An audit will be created with the code "USER_BSU" for the user table.  The authentication cookie will be updated with the new info.
 *    "advanced" -- Save is coming from the second page in the "change security settings" option.  User can only save confidence word and challenge questions.
 *        An audit will be created with the code "USER_ASU" for the user table.  The authentication cookie will be updated with the new info.
 *    "setup" -- Save is coming from the page that occurs when logging in without the challenge questions set.  User MUST save email, confidence word and challenge questions.
 *        If the forcechange parameter is set, then password also MUST be saved.  An audit will be created with the code "USER_STP" for the user table.
 *
 * @return array --
 *    array $sql -- list of sqls
 *    integer $code -- nonzero if error(s)
 *    array $error -- nonempty if error(s)
 */
function saveUser($pSysEnv, $dbh, $cuCode, $parameters, $loggedInUser, $securityMode, $createCookieIfNotExists=false, $isSkip=false, $passwordRequired=false)
{
  $errors = array();
  $sqls = array();
  $code = 0;
  $updateTable = array();
  $adminTicketString = "";
  $serverIPFound = false;
  $serverIPFoundRelevant = false;
  $serverIP = trim( $_SERVER["REMOTE_ADDR"] );

  try
  {
    $chkSecure = HCU_array_key_value("chksecure", $parameters);
    $chkSecure = $chkSecure === false ? false : trim($chkSecure) == "Y";
    $username = mb_strtolower(isset($parameters["username"]) ? trim($parameters["username"]) : $loggedInUser);
    $isLogInUser = $username == $loggedInUser;
    $parameters["username"] = $username;
    // Without the mb part, Â doesn't become â so then this is different than postgres's lower function.
    $sql = "select userflags from cuadminusers where lower(user_name)= '$username' and cu = '$cuCode'";
    $sqls[] = $sql;
    $sth = db_query($sql, $dbh);
    if (!$sth)
      throw new exception("Userflags query failed.", 43);
    $row = db_fetch_row($sth);
    $userFlags = intval($row[0]);
    $previousUserFlags = $userFlags;

    if ($securityMode == "none")
    {
      if ($username == "")
        throw new exception("Username is required.", 1);
      if(preg_match('/[\'";+]/',$username))
        throw new exception("Invalid Characters in Username.", 15);
    }
    else
      $username = mb_strtolower($loggedInUser);

    $remoteAccess = HCU_array_key_exists("remoteAccess", $parameters) ? trim($parameters["remoteAccess"]) : "U";
    $remoteAccessSet = HCU_array_key_exists("remoteAccessSet", $parameters) ? trim($parameters["remoteAccessSet"]) : "N";

    $sql = "select email, passwd, confidence, mfaquest, remoteip from cuadminusers where lower(user_name)= '" . mb_strtolower($loggedInUser) . "' and cu= '$cuCode'";
    $sqls[] = $sql;
    $sth = db_query($sql, $dbh);
    if (!$sth)
      throw new exception("Email query failed.", 9);

    $row = db_fetch_assoc($sth);
    $email = trim($row["email"]);
    $currentPassword = trim($row["passwd"]);
    $confidence = trim($row["confidence"]);
    $remoteipSet = isset($row["remoteip"]) ? trim($row["remoteip"]) : "";
    $challengeArray = HCU_JsonDecode(trim($row["mfaquest"]));
    $emailAddress = HCU_array_key_exists("emailAddress", $parameters) ? trim($parameters["emailAddress"]) : "";
    $password = HCU_array_key_exists("password", $parameters) ? trim($parameters["password"]) : "";


    if (in_array($securityMode, array("noneWithConfidence", "setup", "combined")))
    {
      $confidence = HCU_array_key_exists("confidence", $parameters) ? trim($parameters["confidence"]) : "";

      if ($confidence != "")
        $updateTable["confidence"] = $confidence;
      else if ($securityMode != "combined")
         throw new exception("Confidence word is required.", 30);


      $questIds = HCU_array_key_exists("questIds", $parameters) ? trim($parameters["questIds"]) : array_keys($challengeArray["answers"]);
      $questResponses = HCU_array_key_exists("questResponses", $parameters) ? trim($parameters["questResponses"]) : "";
      if ($questIds == "" || $questResponses == "")
      {
        if ($securityMode != "combined")
          throw new exception("Challenge questions are required.", 31);
      }
      else
      {
        $questIds = HCU_JsonDecode($questIds);
        if (!is_array($questIds))
          throw new exception("Question ids are not valid.", 32);
        $questResponses = HCU_JsonDecode($questResponses);
        if (!is_array($questResponses))
          throw new exception("Question responses are not valid.", 33);
        if (count($questIds) != 3)
          throw new exception("Question ids are not valid.", 34);
        if (count($questResponses) != 3)
          throw new exception("Question responses are not valid.", 35);
        foreach($questIds as $id)
        {
          if (!is_numeric($id) || $id == 0)
            throw new exception("Question ids are not valid.", 36);
        }
        foreach($questResponses as $response)
        {
          if (!isset($response))
            throw new exception("Question responses are not valid.", 39); // nulls in the encoded array.
        }

        // Verify that question ids selected exist in the master table.
        $sql = "select 'FOUND' from cuquestmaster where quest_lang = 'en_US' and quest_id in (" . implode(",", $questIds) . ")";
        $sqls[] = $sql;
        $sth = db_query($sql, $dbh);
        if (!$sth)
          throw new exception("Master sql failed.", 37);
        if (db_num_rows($sth) != 3)
          throw new exception("Question ids are not valid.", 38);
        $challengeArray = array("answers" => array(), "challenge" => 0); // Replaces the array from the user table so that the 2Factor is changed below.
        reset($questResponses);
        foreach($questIds as $id)
        {
          $challengeArray["answers"]["$id"] = current($questResponses);
          next($questResponses);
        }

        $updateTable["mfaquest"] = PrepareMfaQuestString($challengeArray);
      }

      $userFlags &= ~2;
    }

    if (in_array($securityMode, array("setup", "combined")))
    {
        $oldPassword = HCU_array_key_exists("oldPassword", $parameters) ? trim($parameters["oldPassword"]) : "";
        if ($passwordRequired || $password != "") // Don't care if the password is not also filled in.
        {
          if ($passwordRequired && $password == "")
            throw new exception("You must enter your new password.", 45);

          if ($oldPassword == "")
            throw new exception("You must enter your current password.", 27);

          if (!password_verify($oldPassword, $currentPassword))
            throw new exception("Invalid username or password.", 29);
          if (trim($password) == $oldPassword)
            throw new exception("New password cannot be the same as the old password.", 42);
          $updateTable["forcechange"] = "N";
        }
        if ($emailAddress != "")
          $adminTicketString .= "Ffchg=N&Ml=" . urlencode($emailAddress) . "&";
    }

    if (in_array($securityMode, array("none", "noneWithConfidence", "setup", "combined")))
    {
      if ($password != "")
        {
          $thisReturnArray = validatePasswordRules($dbh, $cuCode, true, $password, true);
          array_merge($sqls, $thisReturnArray["sqls"]);
          if ($thisReturnArray["code"] != 0)
            throw new exception("Password doesn't conform to the rules.", 5);

          $hash = password_hash($password, PASSWORD_DEFAULT);
          $updateTable["passwd"] = "$hash";
          $updateTable["pwchange"] = DBTIMESTAMP_USENOW;
        }

      if ($emailAddress != "")
      {
        if ($emailAddress != "" && !(preg_match("/^[A-Za-z0-9\.\-_]*\@[A-Za-z0-9\.\-_]*\.[A-Za-z0-9\-_]*/",$emailAddress)))
          throw new exception("Email address appears to be invalid.", 17);
        $updateTable["email"] = $emailAddress;
      }
    }

    if (in_array($securityMode, array("combined"))) {
      $remoteAccessSet = ($userFlags & 64) != 0 ? "Y" : "N";
      $remoteAccess = "U";
    }

    if (!isset($remoteAccess) || trim($remoteAccess) == "")
      $remoteAccess = "U";

    // There are a couple of cases where a refresh is required because the remote access dialogs happen inside this JSON.  Therefore, there are javascript errors AFTER a save.
    if (in_array($securityMode, array("none", "noneWithConfidence", "combined")))
    {

        if ($remoteAccessSet == "Y" || ($remoteAccessSet == "N" && $remoteAccess == "N"))
        {
          /* If the remote access is set to false, we are going to remove all options underneath.  This is regardless of if they are set to something different.
             The only reason why they would be set to something different is if the user checked the box, then set them and then unchecked the box.  In that case, ignore. */
          if ($remoteAccess == "N") {
            $smsNumber = "";
            $ipAddress = "NONE";
            $serverIPFoundRelevant = $isLogInUser;

          }
          else {
            // Underneath the remote access because changes are irrevelant if the remoteAccess is not set.  (User set it, changed these values and then unset it.)
            $smsNumber = HCU_array_key_exists("smsNumber", $parameters) ? trim($parameters["smsNumber"]) : "";
            $ipAddress = HCU_array_key_exists("ipAddress", $parameters) ? trim($parameters["ipAddress"]) : "";
          }

          $valid = $smsNumber == "" ? $smsNumber == "" : $smsNumber != "";


          if (!$valid)
            throw new exception("SMS number must be defined.", 28);
          if ($smsNumber != "") {
            if (!preg_match('/[2-9][0-9]{9}/', $smsNumber))
              throw new exception("SMS Number is invalid.", 23);
            $updateTable["usersms"] = "$smsNumber";
          }

          if ($ipAddress != "")
          {
            $serverIPFoundRelevant = $isLogInUser;
            if ($ipAddress == "NONE")
              $updateTable["remoteip"] = "";
            else
            {
              $ips = explode(";", $ipAddress);
              $validIp = true;
              foreach($ips as $ip)
              {
                $validIp = $validIp ? filter_var($ip, FILTER_VALIDATE_IP) : false;
                $serverIPFound = $serverIPFound || $serverIP == trim($ip);
              }
              if (!$validIp)
                throw new exception("IP Address isn't formatted correctly.", 21);
              $updateTable["remoteip"] = $ipAddress;
            }
          }
          else if ($isLogInUser) {
            $ips = explode(";", $remoteipSet);
            $serverIPFound = $serverIPFound || in_array($serverIP, $ips);
          }
        }
    }

    // SecurityMode none only
    if (in_array($securityMode, array("none", "noneWithConfidence", "combined")))
    {
      $realName = HCU_array_key_exists("realName", $parameters) ? trim($parameters["realName"]) : "";
      if ($realName != "")
      {
        $updateTable["realname"] = $realName;
        if (preg_match('/[\'"@;]/',$realName))
          throw new exception("Invalid Characters in Real Name.", 16);
      }

      $forceChangesAmount = HCU_array_key_exists("forceChangesAmount", $parameters) ? trim($parameters["forceChangesAmount"]) : "";
      if ($forceChangesAmount != "")
      {
        if (!is_numeric($forceChangesAmount))
          throw new exception("Force Changes Amount is not numeric.", 2);
        if ($forceChangesAmount < 0 || $forceChangesAmount > 99)
          throw new exception("Force Changes needs to be in the range 0-99.", 3);
        $updateTable["forceremain"] = intval($forceChangesAmount);
      }

      $masterPrivileges = HCU_array_key_exists("masterPrivileges", $parameters) ? trim($parameters["masterPrivileges"]) : "";
        if ($masterPrivileges != "")
        {
          if ($masterPrivileges == "Y")
            $userFlags |= 4;
          else
            $userFlags &= ~4;
        }
        $forceSecurity = HCU_array_key_exists("forceSecurity", $parameters) ? trim($parameters["forceSecurity"]) : "";
        if ($forceSecurity != "")
        {
          if ($forceSecurity == "Y")
            $userFlags |= 2;
          else
            $userFlags &= ~2;
        }
        $forcePassword = HCU_array_key_exists("forcePassword", $parameters) ? trim($parameters["forcePassword"]) : "";
        if ($forcePassword != "")
        {
          $updateTable["forcechange"] = $forcePassword == "Y" ? "Y" : "N";
        }

        $remoteAccess == "U" ? null : ($remoteAccess == "Y" ? $userFlags|= 64 : $userFlags&= ~64);

        $lockAccount = HCU_array_key_exists("lockAccount", $parameters) ? trim($parameters["lockAccount"]) : "";
        if ($lockAccount != "")
        {
          $sql = "select retrylimit from cuadmin where cu= '$cuCode' limit 1";
          $sqls[] = $sql;
          $sth = db_query($sql,$dbh);
          if (!$sth)
            throw new exception("Lock Account query failed.", 6);
          $retry = trim(db_fetch_row($sth)[0]);
          $retry = $retry == "" ? 5 : $retry;
          $updateTable["failedremain"] = trim($lockAccount) == "Y" ? -1 : $retry;
        }

        $sql = "select user_name, ip_acl from cuadmin where cu= '$cuCode' limit 1";
        $sqls[] = $sql;
        $sth = db_query($sql, $dbh);
        if (!$sth)
          throw new exception("username query failed.", 18);
        $row = db_fetch_assoc($sth,0);

        $masterIpAddress = HCU_array_key_exists("masterIpAddress", $parameters) ? trim($parameters["masterIpAddress"]) : "";
        if ($masterIpAddress != "")
        {
          if (trim($row["user_name"]) != $username)
            throw new exception("Only the Cu Master user can edit Allowed IP Addresses.", 19);

          $serverIPFoundRelevant = $isLogInUser; // Relevant when the IP address has changed but is not null (no longer have remote access at that point.)

          if ($masterIpAddress != "NONE")
          {
            $ips = explode(";", $masterIpAddress);
            $validIp = true;

            foreach($ips as $ip)
            {
                $validIp = $validIp ? filter_var($ip, FILTER_VALIDATE_IP) : false;
                $serverIPFound = $serverIPFound || $serverIP == trim($ip);
            }
            if (!$validIp)
              throw new exception("Master IP Address isn't formatted correctly.", 7);
           }
           else
            $masterIpAddress = "";
          $ipUpdate = array("cuadmin" => array(array("_action" => "update", "ip_acl" => $masterIpAddress, "cu" => $cuCode)));
        }
        else if ($isLogInUser) {
          $ips = explode(";", trim($row["ip_acl"]));
          $serverIPFound = $serverIPFound || in_array($serverIP, $ips);
        }

        $permTemp = array("cu" => $cuCode, "user_name" => $username);

        $addPermissions = HCU_array_key_exists("addPermissions", $parameters) ? trim($parameters["addPermissions"]) : "";
        if ($addPermissions != "")
        {
          $addPermissions = HCU_JsonDecode($addPermissions);
          if (!is_array($addPermissions))
            throw new exception("Add Permissions is not formatted correctly.", 10);
          if (count($addPermissions) > 0)
          {
            $permUpdate1 = array();
            foreach($addPermissions as $perm)
            {
              $record = $permTemp;
              $record["_action"] = "create";
              $record["program"] = $perm;
              $permUpdate1[] = $record;
            }
            // Wrap that:
            $permUpdate1 = array("cuadminallow" => $permUpdate1);
          }
        }

        $removePermissions = HCU_array_key_exists("removePermissions", $parameters) ? trim($parameters["removePermissions"]) : "";
        if ($removePermissions != "")
        {
          $removePermissions = HCU_JsonDecode($removePermissions);
          if (!is_array($removePermissions))
            throw new exception("Remove Permissions is not formatted correctly.", 11);
          if (count($removePermissions) > 0)
          {
            $permUpdate2 = array();
            foreach($removePermissions as $perm)
            {
              $record = $permTemp;
              $record["_action"] = "delete";
              $record["program"] = $perm;
              $permUpdate2[] = $record;
            }
            $permUpdate2 = array("cuadminallow" => $permUpdate2);
          }
        }
    } // End of save if not security
    else if ($securityMode == "setup")
    {
      if (trim($parameters["forcechange"]) == "Y" && !isset($password))
        throw new exception("Password is required.", 40);
      if (!isset($emailAddress))
        throw new exception("Email Address is required.", 41);

      $updateTable["forcechange"] = "N"; // In order to not go to this page anymore.
    }

    $envVars = array("cu" => $cuCode);

    if ($previousUserFlags != $userFlags)
      $updateTable["userflags"] = $userFlags;

    // Make sure that only updating when something changed on the base table.
    if (count($updateTable) > 0)
    {
      $updateTable["user_name"] = $username;
      $updateTable["cu"] = $cuCode;
      $updateTable["_action"] = "update";

      if ($securityMode == "setup")
      {
        $shortAction = "USER_STP";
        $longAction = "User Security Setup";
      }
      else if ($securityMode == "combined")
      {
        $shortAction = "USER_SU";
        $longAction = "Security Update";
      }
      else if (trim($parameters["isAdd"]) == "Y")
      {
        $updateTable["_action"] = "create";
        $shortAction = "USER_A";
        $longAction = "User Added";

        $sql = "select 'FOUND' from cuadminusers where cu = '$cuCode' and lower(user_name) = '" . prep_save($username) . "'";
        $sqls[] = $sql;
        $sth = db_query($sql, $dbh);
        if (!$sth)
          throw new exception("Found query failed.", 25);
        if (db_num_rows($sth) > 0)
          throw new exception("Username is duplicated.", 26);
      }
      else
      {
        $updateTable["_action"] = "update";
        $shortAction = "USER_U";
        $longAction = "User Updated";
      }

      $updateTable= array("cuadminusers" => array($updateTable));

      if (DataAdminTableUpdate($dbh, $envVars, $updateTable, $username, $shortAction, "AdmUsrMaint.prg", "A", $longAction, $loggedInUser, $email, trim($_SERVER["REMOTE_ADDR"])) === false)
        throw new exception("User update failed.", 12);
    }

    if (isset($ipUpdate)
      && DataAdminTableUpdate($dbh, $envVars, $ipUpdate, $username, "RIP_U", "AdmUsrMaint.prg", "A", "Remote IP Update", $loggedInUser, $email, trim($_SERVER["REMOTE_ADDR"])) === false)
        throw new exception("IP update failed.", 20);
    if (isset($permUpdate1)
      && DataAdminTableUpdate($dbh, $envVars, $permUpdate1, $username, "PROGS_A", "AdmUsrMaint.prg", "A", "Add Programs", $loggedInUser, $email, trim($_SERVER["REMOTE_ADDR"])) === false)
        throw new exception("Add programs update failed.", 13);
    if (isset($permUpdate2)
    && DataAdminTableUpdate($dbh, $envVars, $permUpdate2, $username, "PROGS_D", "AdmUsrMaint.prg", "A", "Delete Programs", $loggedInUser, $email, trim($_SERVER["REMOTE_ADDR"])) === false)
        throw new exception("Remove programs update failed.", 14);

    $cookieExists = HCU_array_key_exists("aTicket", $_COOKIE) && trim($_COOKIE["aTicket"]) != "";
    if ($createCookieIfNotExists || $cookieExists) {
      $theseResults = checkPass($pSysEnv, $dbh, $loggedInUser, $password, $cuCode, $chkSecure, null, null, false, $emailAddress, false, $isSkip, $createCookieIfNotExists);
      $cookie= $theseResults["cookie"];
      if ($theseResults["code"] != 0)
        throw new exception("Check password failed.", 44);
    }

  }
  catch(exception $e)
  {
    return array("code" => $e->getCode(), "error" => array($e->getMessage()), "sql" => $sqls, "serverIPFound" => $serverIPFound, "serverIPFoundRelevant" => $serverIPFoundRelevant);
  }

  return array("code" => 0, "error" => array(), "sql" => $sqls, "serverIPFound" => $serverIPFound, "serverIPFoundRelevant" => $serverIPFoundRelevant);
}

function getUsePhonesInsteadOfMFA($dbh, $Cu)
{
  global $CU3_MFA_AUTHCODE;
  try
  {
    $sql= "select flagset3 & $CU3_MFA_AUTHCODE from cuadmin where cu = '$Cu'";
    $sth= db_query($sql, $dbh);
    if (!$sth)
      throw new exception("Query failed.");
    $value= db_fetch_row($sth, 0)[0];
    return isset($value) ? $value != 0 : false;
  }
  catch(exception $e)
  {
    return false;
  }
}


/**
 * function ParseAuditRow($row, $Cu, $dbh)
 * This parses the audit for the admin side only.  (User audits have new functions.)
 *
 * @param $row -- the database row of the audit table.
 * @param $Cu -- the credit union.  This is needed for getting the time specific to the CU.
 * @param $dbh -- the database connection.  This is needed for getting the time specific to the CU as well as the mask.
 */
function ParseAuditRow($row, $Cu, $dbh) {
    try {
        $before = HCU_JsonDecode($row["before"]);
        if (!isset($before) || !is_array($before)) {
          throw new exception("Before JSON is not valid.", 13);
        }
        $after = HCU_JsonDecode($row["after"]);
        if (!isset($before) || !is_array($after)) {
          throw new exception("After JSON is not valid.", 14);
        }
        $details = array();

        foreach($before as $table => $changedRows) {
          $afterTable = HCU_array_key_value($table, $after) ? $after[$table] : null;

          if (!isset($afterTable)) {
            throw new exception("Table mismatch.", 15);
          }
          $tableDefinition = GetTableDefinition (array("cu" => $Cu), $table)[$table];

          $label = isset($tableDefinition["_label"]) ? $tableDefinition["_label"] : $table;
          $newTableRow = array("table" => $table, "label" => $label, "rows" => array());
          $tableTypeMap = array();
          $passwordMask = "********";

          if (!isset($changedRows) || !is_array($changedRows)) {
            throw new exception ("Changed rows is not valid.", 1);
          }
          foreach($changedRows as $j => $beforeRow) {
            $afterRow = $afterTable[$j];

            if (!isset($afterRow)) {
              throw new exception("Table mismatch.", 16);
            }
            $beforeEmpty = count($beforeRow) == 0;
            $afterEmpty = count($afterRow) == 0;
            $combinedRow = array();
            if ($beforeEmpty) {
              if ($afterEmpty) {
                continue;
              } else {
                if (!isset($afterRow) || !is_array($afterRow)) {
                  throw new exception ("After row is not an array.", 21);
                }
                foreach($afterRow as $colName => $colValue) {
                  $colDef = $tableDefinition["_cols"][$colName];
                  if (!isset($colDef)) {
                    throw new exception("Table mismatch.", 17);
                  }
                  $label = isset($colDef["label"]) ? $colDef["label"] : $colName;

                  $afterValue = !isset($colValue) || trim($colValue) == "" ? true : $colValue;
                  $same = false;

                  // Empty and null are the same and are set to "--"
                  $beforeValue = "--";
                  $afterValue = $afterValue === true ? "--" : (trim($colName) == "passwd" && $afterValue != "" ? $passwordMask : trim($afterValue));

                  // If time or timestamp, then format the output.  If timestamp, then remember to also output it in Credit Union time.
                  // NOTE: this doesn't catch the prior login / failed login / current login because that is in a STRING field for some reason.
                  switch($colDef["type"]) {
                    case DBTYPE_DATE:
                      $beforeValue = GetAuditTime($dbh, $beforeValue, $Cu, false, $tz);
                      $afterValue = GetAuditTime($dbh, $afterValue, $Cu, false, $tz);
                      break;
                    case DBTYPE_TIMESTAMPTZ:
                    case DBTYPE_TIMESTAMP:
                    case DBTIMESTAMP_USENOW:
                      $beforeValue = GetAuditTime($dbh, $beforeValue, $Cu, true, $tz);
                      $afterValue = GetAuditTime($dbh, $afterValue, $Cu, true, $tz);
                      break;
                  }

                  $combinedRow[] = array("col" => trim($colName), "before" => $beforeValue, "after" => $afterValue, "label" => trim($label), "same" => false);
                }
                $combinedRow = array("type" => "add", "values" => $combinedRow);
                $tableTypeMap["add"] = "add";
              }
            } else {
              if (!isset($beforeRow) || !is_array($beforeRow)) {
                throw new exception ("before row is invalid.", 2);
              }
              foreach($beforeRow as $colName => $colValue) {
                $colDef = $tableDefinition["_cols"][$colName];
                if (!isset($colDef)) {
                  throw new exception("Table mismatch.", 18);
                }

                $label = isset($colDef["label"]) ? $colDef["label"] : $colName;
                $afterValue = $afterEmpty || !HCU_array_key_exists($colName, $afterRow) ? false :
                  (!isset($afterRow[$colName]) || trim($afterRow[$colName]) == "" ? true : $afterRow[$colName]);
                $beforeValue = !isset($colValue) || trim($colValue) == "" ? true : $colValue;
                $same = false;
                if (!$afterEmpty && ($afterValue === false || $beforeValue === $afterValue)) {
                // If the afterValue was not found or if they are the same, then clear it and that means that it is the same.
                  $afterValue = "";
                  $same = true;
                }

                // Empty and null are the same and are set to "--"
                $beforeValue = $beforeValue === true ? "--" : (trim($colName) == "passwd" ? $passwordMask : trim($beforeValue));
                $afterValue = $afterValue === true ? "--" : (trim($colName) == "passwd" && $afterValue != "" ? $passwordMask : trim($afterValue));

                // If time or timestamp, then format the output.  If timestamp, then remember to also output it in Credit Union time.
                // NOTE: this doesn't catch the prior login / failed login / current login because that is in a STRING field for some reason.
                $tz = null;
                switch($colDef["type"]) {
                  case DBTYPE_DATE:
                    $beforeValue = GetAuditTime($dbh, $beforeValue, $Cu, false, $tz);
                    $afterValue = GetAuditTime($dbh, $afterValue, $Cu, false, $tz);
                    break;
                  case DBTYPE_TIMESTAMPTZ:
                  case DBTYPE_TIMESTAMP:
                  case DBTIMESTAMP_USENOW:
                    $beforeValue = GetAuditTime($dbh, $beforeValue, $Cu, true, $tz);
                    $afterValue = GetAuditTime($dbh, $afterValue, $Cu, true, $tz);
                    break;
                }

                $combinedRow[] = array("col" => trim($colName), "before" => $beforeValue, "after" => $afterValue, "label" => trim($label), "same" => $same);
              }
            if (!$afterEmpty) {
              if (!isset($afterRow) || !is_array($afterRow)) {
                throw new exception ("After row is not an array.", 20);
              }
              foreach($afterRow as $colName => $colValue) {
                $colDef = $tableDefinition["_cols"][$colName];
                if (isset($beforeRow[$colName])) {
                  continue; // Already processed above.
                }
                if (!isset($colDef)) {
                  throw new exception("Table mismatch.", 19);
                }

                $label = isset($colDef["label"]) ? $colDef["label"] : $colName;
                $afterValue = !isset($colValue) || trim($colValue) == "" ? true : $colValue;
                $beforeValue = !HCU_array_key_exists($colName, $beforeRow) ? false :
                  (!isset($beforeRow[$colName]) || trim($beforeRow[$colName]) == "" ? true : $beforeRow[$colName]);
                $same = false;

                // Empty and null are the same and are set to "--"
                $beforeValue = $beforeValue === true ? "--" : (trim($colName) == "passwd" ? $passwordMask : trim($beforeValue));
                $afterValue = $afterValue === true ? "--" : (trim($colName) == "passwd" && $afterValue != "" ? $passwordMask : trim($afterValue));

                // If time or timestamp, then format the output.  If timestamp, then remember to also output it in Credit Union time.
                // NOTE: this doesn't catch the prior login / failed login / current login because that is in a STRING field for some reason.
                switch($colDef["type"]) {
                  case DBTYPE_DATE:
                    $beforeValue = GetAuditTime($dbh, $beforeValue, $Cu, false, $tz);
                    $afterValue = GetAuditTime($dbh, $afterValue, $Cu, false, $tz);
                    break;
                  case DBTYPE_TIMESTAMPTZ:
                  case DBTYPE_TIMESTAMP:
                  case DBTIMESTAMP_USENOW:
                    $beforeValue = GetAuditTime($dbh, $beforeValue, $Cu, true, $tz);
                    $afterValue = GetAuditTime($dbh, $afterValue, $Cu, true, $tz);
                    break;
                }

                $combinedRow[] = array("col" => trim($colName), "before" => $beforeValue, "after" => $afterValue, "label" => trim($label), "same" => $same);
              }
            }
            $type = $afterEmpty ? "remove" : "update";
            $combinedRow = array("type" => $type, "values" => $combinedRow);
            $tableTypeMap[$type] = $type;
          }

          $newTableRow["rows"][] = $combinedRow;
          $newTableRow["type"] = count($tableTypeMap) > 1 ? "mixed" : current($tableTypeMap);
        }

        $details[] = $newTableRow;
      }

      unset($row["before"]);
      unset($row["after"]);
      $row["details"] = $details;

      $returnArray = array("status" => "000", "error" => "", "row" => $row);
    } catch (exception $e) {

      $returnArray = array("status" => $e->getCode(), "error" => $e->getMessage());
    }

    return $returnArray;
}

/**
 *  This function will determine if a particular header has been set for response to the client
 *
 *  @param string $header  The header text in question
 *
 *  @return boolean  {true - if header was found}
 */
function FindHeaderSent($header) {
    $headers = headers_list();
    $header = trim($header,': ');
    $result = false;

    if (count($headers) > 0) {
      foreach ($headers as $hdr) {
          if (stripos($hdr, $header) !== false) {
              $result = true;
          }
      }
    }
    return $result;
}

/**
 * HasMasterAccess
 * this function will check if the admin user currently
 * logged in has master access. Master access can come
 * from the user flag set in user maintenance or the cu
 * super user: cu name = username.
 *
 * @param $pAdmEnv    array     environment variable
 *    this usually holds the username, cu name and
 *    database handle.
 * @return $access    boolean
 */
function AdminHasMasterAccess($pAdmEnv) {
  $sql = "
    SELECT userflags FROM cuadminusers
    WHERE user_name = '{$pAdmEnv['Cn']}'
      AND cu = '{$pAdmEnv['Cu']}' ";
  $sqlRs = db_query($sql, $pAdmEnv['dbh']);
  if (!$sqlRs) {
    throw new Exception("Failed to read user access", 20);
  }

  $userFlagsAry = db_fetch_array($sqlRs, 0);
  $userFlags = $userFlagsAry['userflags'];

  $hasMasterFlag = ($userFlags & GetAdminUserFlagsValue("ADM_MASTER_PRIV")) == GetAdminUserFlagsValue("ADM_MASTER_PRIV");
  $hasSuperPrivillages = (strtolower($pAdmEnv['Cu']) == strtolower($pAdmEnv['Cn']));

  return ($hasSuperPrivillages || $hasMasterFlag);
}