<?php
/*********************************************************************************************************
  "Ensemble" is the proprietary property of The Regents of the University of California ("The Regents.")

  Copyright (c) 2005-10 The Regents of the University of California, Davis campus. All Rights Reserved.

  Redistribution and use in source and binary forms, with or without modification, are permitted by
  nonprofit, research institutions for research use only, provided the conditions in the included
  license agreement are met.

  Refer to the file "ensemble_license.txt" for the license agreement,
  located in the top level directory of this distribution.

**********************************************************************************************************/
//Author: Stefan Tomic 5/19/2010
//Janata Lab
//Center for Mind and Brain
//Developed for the Ensemble Project

/*
This form presents the security question(s) associated with a name and birthday so that a passcode can be retrieved.
If any one of the security question(s) match, the associated passcode will be displayed, the subject ID will be
assigned to the session, and the experiment will proceed.

NOTE: If a match could not be found, this handler still moves onto the next form without assigning a subject ID. You should follow this form with
      a form associated with form_subject_id_not_assigned.php (which presents a message when subIDs are not assigned or another form which perhaps ends the session.
	  The reason for not just ending the session here is to allow for flexibility on how mismatches are handled. One may add an alternate subject ID form for example.

*/

include_once('../include/subject_includes.php');

//form_type is passed to display_form_fields, which may change its display depending on type
$form_type = 'security_questions';

//get info from experiment_x_form and form tables
include_once('query_form_info.php');

//first time visiting this form, before posting, check to see if the subject_id is already set
if(!isset($_POST['submit_security_quest'])) {
	//see if subject is in subject table (i.e. subject ID was assigned and we are not using tmp_ or anon_ subid)
	if(subID_in_subject_table($_SESSION['subject_id'])) {
		//if the subject_id is already set, move on to the next form. This handler only presents when a participant is having 
		//trouble with their passcode, in which case the subject_id is not assigned yet.
		include('update_session.php');
	}
}

$enc_key = subinfo_encryption_key();

$gotoNextForm = false;
if(isset($_SESSION['security_first_name']))
	$first_name_match = $_SESSION['security_first_name'];
elseif(isset($_SESSION['security_first_initial']))
	$first_name_match = $_SESSION['security_first_initial'] . "%";
else
	$gotoNextForm = true;
	
if(isset($_SESSION['security_last_name']))
	$last_name_match = $_SESSION['security_last_name'];
elseif(isset($_SESSION['security_last_initial']))
	$last_name_match = $_SESSION['security_last_initial'] . "%";
else
	$gotoNextForm = true;
	
if(isset($_SESSION['security_dob']))
	$dob_match = $_SESSION['security_dob'];
else
	$gotoNextForm = true;

if($gotoNextForm) {
	include('update_session.php');
}


if(isset($_POST) && isset($_POST['submit_security_quest'])) { 

	//this section checks the posted responses to security questions. If a match is found, sets the subject ID, 
	//displays the subject's passcode so they can record it, and reinstates the subject's session (if a previous session exists)


	//Since the security_questions may not be in the same order for every subject, parsing through all of the security_questions
	//can be pretty costly. So we're first going to check if we found a match with a given security_response first for the subject name and dob, then see if the security_question matches
	//this should save some processing time

	$questResps = $_POST;
	unset($questResps['submit_security_quest']);
	
	//remove blank responses
	$questResps = array_filter($questResps,strlen);

	$subjectMatched = false;

	//check each response that was submitted to see if there was a match
	foreach($questResps as $questKey=>$respText) {
		$respText = strtolower(trim($respText));

		//find the security questions that match the submitted question (using keymap)
		$matchedSecQ = $_SESSION['security_keymap'][$questKey];
		
		foreach($matchedSecQ as $qIdx) {
			//check each matched question in $_SESSION['security_questions'] that matched the posted question
			//the posted question is mapped to $_SESSION['security_questions'] through $_SESSION['security_keymap']
			$checkThisResp = strtolower(trim(preg_replace('/\"(.*)\"/','$1',$_SESSION['security_responses'][$qIdx])));
			
			if(strcmp($checkThisResp,$respText) == 0) {
				//A match was found!
				$subjectMatched = true;
				include_once('htmlhead_name_mesg.php');
				
				//Present the subject with their password, set their subject ID, reinstate their old session (if exists), and allow them to proceed.
				print "<p>" . LANGUAGE_TEXT_YOUR_PASSCODE_IS . $_SESSION['security_passphrases'][$qIdx] .". ";
				print LANGUAGE_TEXT_PRINT_OR_WRITE_INSTRUCTION . "</p>";
				
				//assign the subject_id
				$_SESSION['subject_id'] = $_SESSION['security_subject_ids'][$qIdx];
				
				if(responses_exist_for_sub($_SESSION['subject_id'],$_SESSION['response_table'])) {
					find_old_session($_SESSION['subject_id']);
				}
				else {
					//if there are no pre-existing responses, update the current session ID and responses with the subject ID
				
					// add the subject id to the session information
					$sql_update_session = sprintf("update session set subject_id = %s, php_session_id=%s where session_id = %s ",
							GetSQLValueString($_SESSION['subject_id'],"text"),
							GetSQLValueString($_COOKIE[$QPI_SESSION_NAME],"text"),
							GetSQLValueString($_SESSION['session_id'],"int"));
					mysql_update($sql_update_session);
	  
					// update any responses that have already been given in the experiment's response table
					$sql_update_responses = sprintf("update %s set subject_id = %s where session_id = %s ",
								$_SESSION['response_table'],
								GetSQLValueString($_SESSION['subject_id'],"text"),
								GetSQLValueString($_SESSION['session_id'],"int"));
					mysql_update($sql_update_responses);
				}//else
				
				
				//clear the security session variables
				unset($_SESSION['security_questions']);
				unset($_SESSION['security_responses']);
				unset($_SESSION['security_subject_ids']);
				unset($_SESSION['security_passphrases']);
				unset($_SESSION['security_keymap']);
				unset($_SESSION['security_first_name']);
				unset($_SESSION['security_last_name']);
				unset($_SESSION['security_dob']);
				
				//print a form to continue the session
				printf("<form action=\"update_session.php\" method=\"post\" id=\"security_responses\">\n");

				printf("<input type=\"submit\" id=\"submit name=\"submit\" value=\"%s\">\n",LANGUAGE_TEXT_QPI_NEXT_BUTTON);
				printf("\n</form>\n");
				
				//break out of both "for" loops
				break 2;
				
			} //if(strcmp($checkThisResp,$respText) == 0) 
		
		}  //foreach $matchedSecQ (matched questions to this name/dob combination

	} //foreach $questResps (each response that was posted to the security questions

	if(!$subjectMatched) {
		//if subject was not matched (no security responses matched), the survey will proceed without a subject ID
		//make sure to follow this form with another form that provides the subject with instructions on what to do
		//since there is no subject ID for this session! You may also want to assign appropriate form handlers to end the
		//session after providing the subject with a message.
		include('update_session.php');
	}


}
else { //this section displays the questions (prior to posting the form)

	//get all possible security questions and responses that match this subject
	$sql_get_security_questions = sprintf("select subject_id,security_questions,aes_decrypt(`security_responses`,'%s') as security_responses, " .
												" aes_decrypt(`passphrase`,'%s') as passphrase from subject where " .
												" lower(convert(aes_decrypt(`name_first`,'%s') using utf8)) like '%s' " .
												" and lower(convert(aes_decrypt(`name_last`,'%s') using utf8)) like '%s' " .
												" and aes_decrypt(`dob`,'%s') like '%s' ",
												$enc_key, $enc_key,
												$enc_key,strtolower($first_name_match),
												$enc_key,strtolower($last_name_match),
												$enc_key,$dob_match);

	$result_get_security_questions = mysql_query($sql_get_security_questions) or report_error_form(mysql_error());

	$seqQuestions = array();
	$seqResponses = array();
	$seqSIDs = array();
	$seqPassphrases = array();

	while($row_get_security_questions = mysql_fetch_assoc($result_get_security_questions)) {
	
		$questsThisSub = explode(",",$row_get_security_questions['security_questions']);
		$respsThisSub = explode(",",$row_get_security_questions['security_responses']);
		$nQuests = sizeof($questsThisSub);
	
		$seqQuestions = array_merge($seqQuestions,$questsThisSub);
		$seqResponses = array_merge($seqResponses,$respsThisSub);
	
		$thisSubID = $row_get_security_questions['subject_id'];
		$thisPassphrase = $row_get_security_questions['passphrase'];
	
		$seqSIDs = array_merge($seqSIDs,array_fill(0,$nQuests,$thisSubID));
		$seqPassphrases = array_merge($seqPassphrases,array_fill(0,$nQuests,$thisPassphrase));
	}

	$uniqueQuestions = array_unique($seqQuestions);
	//remove null values from $uniqueQuestions
	$uniqueQuestions = array_filter($uniqueQuestions,strlen);

	//if no $uniqueQuestions, just go to the next form. This means that there are no security questions in the subject table.
	if((sizeof($uniqueQuestions) == 0)) {
		include('update_session.php');	
	}

	$_SESSION['security_questions'] = $seqQuestions;
	$_SESSION['security_responses'] = $seqResponses;
	$_SESSION['security_subject_ids'] = $seqSIDs;
	$_SESSION['security_passphrases'] = $seqPassphrases;

	include_once('htmlhead_name_mesg_formhead.php');

	printf("<form action=\"%s\" method=\"post\" id=\"security_responses\">\n",$_SERVER['PHP_SELF']);

	//present the unique security questions for this name/dob match
	foreach ($uniqueQuestions as $questKey=>$thisQuest) {

		//find the mapping between unique questions and the security_questions list
		$_SESSION['security_keymap'][$questKey] = array_keys($_SESSION['security_questions'],$thisQuest);

		//remove the double quotes around the question for display
		$thisQuest = preg_replace('/\"(.*)\"/','$1',$thisQuest);
		printf("<p>%s<br>",$thisQuest);
		printf("<input type=\"text\" id=\"%s\" name=\"%s\" size=\"50\"></p>\n",$questKey,$questKey);
	
	}
	printf("<input type=\"hidden\" id=\"submit_security_quest\" name=\"submit_security_quest\">\n");
	printf("<input type=\"submit\" id=\"submit name=\"submit\" value=\"%s\">\n",LANGUAGE_TEXT_QPI_NEXT_BUTTON);
	printf("\n</form>\n");
	
} //else


?>