projects / platal.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fix a bug giving read access to the contacts of another user when
[platal.git] / modules / carnet.php
1 <?php
2 /***************************************************************************
3 * Copyright (C) 2003-2010 Polytechnique.org *
4 * http://opensource.polytechnique.org/ *
5 * *
6 * This program is free software; you can redistribute it and/or modify *
7 * it under the terms of the GNU General Public License as published by *
8 * the Free Software Foundation; either version 2 of the License, or *
9 * (at your option) any later version. *
10 * *
11 * This program is distributed in the hope that it will be useful, *
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of *
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
14 * GNU General Public License for more details. *
15 * *
16 * You should have received a copy of the GNU General Public License *
17 * along with this program; if not, write to the Free Software *
18 * Foundation, Inc., *
19 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
20 ***************************************************************************/
21
22 class CarnetModule extends PLModule
23 {
24 function handlers()
25 {
26 return array(
27 'carnet' => $this->make_hook('index', AUTH_COOKIE),
28 'carnet/panel' => $this->make_hook('panel', AUTH_COOKIE),
29 'carnet/notifs' => $this->make_hook('notifs', AUTH_COOKIE),
30
31 'carnet/contacts' => $this->make_hook('contacts', AUTH_COOKIE),
32 'carnet/contacts/pdf' => $this->make_hook('pdf', AUTH_COOKIE),
33 'carnet/contacts/vcard' => $this->make_hook('vcard', AUTH_COOKIE),
34 'carnet/contacts/ical' => $this->make_hook('ical', AUTH_PUBLIC, 'user', NO_HTTPS),
35 'carnet/contacts/csv' => $this->make_hook('csv', AUTH_PUBLIC, 'user', NO_HTTPS),
36 'carnet/contacts/csv/birthday' => $this->make_hook('csv_birthday', AUTH_PUBLIC, 'user', NO_HTTPS),
37
38 'carnet/rss' => $this->make_hook('rss', AUTH_PUBLIC, 'user', NO_HTTPS),
39 );
40 }
41
42 function _add_rss_link(&$page)
43 {
44 if (!S::hasAuthToken()) {
45 return;
46 }
47 $page->setRssLink('Polytechnique.org :: Carnet',
48 '/carnet/rss/'.S::v('hruid').'/'.S::v('token').'/rss.xml');
49 }
50
51 function handler_index(&$page)
52 {
53 $page->changeTpl('carnet/index.tpl');
54 $page->setTitle('Mon carnet');
55 $this->_add_rss_link($page);
56 }
57
58 function handler_panel(&$page)
59 {
60 $page->changeTpl('carnet/panel.tpl');
61
62 if (Get::has('read')) {
63 XDB::execute('UPDATE watch
64 SET last = FROM_UNIXTIME({?})
65 WHERE uid = {?}',
66 Get::i('read'), S::i('uid'));
67 S::set('watch_last', Get::i('read'));
68 Platal::session()->updateNbNotifs();
69 pl_redirect('carnet/panel');
70 }
71
72 require_once 'notifs.inc.php';
73 $page->assign('now', time());
74
75 $user = S::user();
76 $notifs = Watch::getEvents($user, time() - (7 * 86400));
77 $page->assign('notifs', $notifs);
78 $page->assign('today', date('Y-m-d'));
79 $this->_add_rss_link($page);
80 }
81
82 private function getSinglePromotion(PlPage &$page, $promo)
83 {
84 if (!(is_int($promo) || ctype_digit($promo)) || $promo < 1920 || $promo > date('Y')) {
85 $page->trigError('Promotion invalide&nbsp;: ' . $promo . '.');
86 return null;
87 }
88 return (int)$promo;
89 }
90
91 private function getPromo(PlPage &$page, $promo)
92 {
93 if (strpos($promo, '-') === false) {
94 $promo = $this->getSinglePromotion($page, $promo);
95 if (!$promo) {
96 return null;
97 } else {
98 return array($promo);
99 }
100 }
101
102 list($promo1, $promo2) = explode('-', $promo);
103 $promo1 = $this->getSinglePromotion($page, $promo1);
104 if (!$promo1) {
105 return null;
106 }
107 $promo2 = $this->getSinglePromotion($page, $promo2);
108 if (!$promo2) {
109 return null;
110 }
111 if ($promo1 > $promo2) {
112 $page->trigError('Intervalle non valide :&nbsp;' . $promo . '.');
113 return null;
114 }
115 $array = array();
116 for ($i = $promo1 ; $i <= $promo2 ; ++$i) {
117 $array[] = $i;
118 }
119 return $array;
120 }
121
122 private function addPromo(PlPage &$page, $promo)
123 {
124 $promos = $this->getPromo($page, $promo);
125 if (!$promos || count($promos) == 0) {
126 return;
127 }
128 $to_add = array();
129 foreach ($promos as $promo) {
130 $to_add[] = XDB::format('({?}, {?})', S::i('uid'), $promo);
131 }
132 XDB::execute('INSERT IGNORE INTO watch_promo (uid, promo)
133 VALUES ' . implode(', ', $to_add));
134 }
135
136 private function delPromo(PlPage &$page, $promo)
137 {
138 $promos = $this->getPromo($page, $promo);
139 if (!$promos || count($promos) == 0) {
140 return;
141 }
142 $to_delete = array();
143 foreach ($promos as $promo) {
144 $to_delete[] = XDB::format('{?}', $promo);
145 }
146 XDB::execute('DELETE FROM watch_promo
147 WHERE ' . XDB::format('uid = {?}', S::i('uid')) . '
148 AND promo IN (' . implode(', ', $to_delete) . ')');
149 }
150
151 public function addNonRegistered(PlPage &$page, PlUser &$user)
152 {
153 XDB::execute('INSERT IGNORE INTO watch_nonins (uid, ni_id)
154 VALUES ({?}, {?})', S::i('uid'), $user->id());
155 }
156
157 public function delNonRegistered(PlPage &$page, PlUser &$user)
158 {
159 XDB::execute('DELETE FROM watch_nonins
160 WHERE uid = {?} AND ni_id = {?}',
161 S::i('uid'), $user->id());
162 }
163
164 public function handler_notifs(&$page, $action = null, $arg = null)
165 {
166 $page->changeTpl('carnet/notifs.tpl');
167
168 if ($action) {
169 S::assert_xsrf_token();
170 switch ($action) {
171 case 'add_promo':
172 $this->addPromo($page, $arg);
173 break;
174
175 case 'del_promo':
176 $this->delPromo($page, $arg);
177 break;
178
179 case 'del_nonins':
180 $user = User::get($arg);
181 if ($user) {
182 $this->delNonRegistered($page, $user);
183 }
184 break;
185
186 case 'add_nonins':
187 $user = User::get($arg);
188 if ($user) {
189 $this->addNonRegistered($page, $user);
190 }
191 break;
192 }
193 }
194
195 if (Env::has('subs')) {
196 S::assert_xsrf_token();
197 $flags = new PlFlagSet();
198 foreach (Env::v('sub') as $key=>$value) {
199 $flags->addFlag($key, $value);
200 }
201 XDB::execute('UPDATE watch
202 SET actions = {?}
203 WHERE uid = {?}', $flags, S::i('uid'));
204 }
205
206 if (Env::has('flags_contacts')) {
207 S::assert_xsrf_token();
208 XDB::execute('UPDATE watch
209 SET ' . XDB::changeFlag('flags', 'contacts', Env::b('contacts')) . '
210 WHERE uid = {?}', S::i('uid'));
211 }
212
213 if (Env::has('flags_mail')) {
214 S::assert_xsrf_token();
215 XDB::execute('UPDATE watch
216 SET ' . XDB::changeFlag('flags', 'mail', Env::b('mail')) . '
217 WHERE uid = {?}', S::i('uid'));
218 }
219
220 $user = S::user();
221 $nonins = new UserFilter(new UFC_WatchRegistration($user));
222
223 $promo = XDB::fetchColumn('SELECT promo
224 FROM watch_promo
225 WHERE uid = {?}
226 ORDER BY promo', S::i('uid'));
227 $page->assign('promo_count', count($promo));
228 $ranges = array();
229 $range_start = null;
230 $range_end = null;
231 foreach ($promo as $p) {
232 if (is_null($range_start)) {
233 $range_start = $range_end = $p;
234 } else if ($p != $range_end + 1) {
235 $ranges[] = array($range_start, $range_end);
236 $range_start = $range_end = $p;
237 } else {
238 $range_end = $p;
239 }
240 }
241 $ranges[] = array($range_start, $range_end);
242 $page->assign('promo_ranges', $ranges);
243 $page->assign('nonins', $nonins->getUsers());
244
245 list($flags, $actions) = XDB::fetchOneRow('SELECT flags, actions
246 FROM watch
247 WHERE uid = {?}', S::i('uid'));
248 $flags = new PlFlagSet($flags);
249 $actions = new PlFlagSet($actions);
250 $page->assign('flags', $flags);
251 $page->assign('actions', $actions);
252 }
253
254 function handler_contacts(&$page, $action = null, $subaction = null, $ssaction = null)
255 {
256 $page->setTitle('Mes contacts');
257 $this->_add_rss_link($page);
258
259 $uid = S::i('uid');
260 $user = S::user();
261
262 // For XSRF protection, checks both the normal xsrf token, and the special RSS token.
263 // It allows direct linking to contact adding in the RSS feed.
264 if (Env::v('action') && Env::v('token') !== S::v('token')) {
265 S::assert_xsrf_token();
266 }
267 switch (Env::v('action')) {
268 case 'retirer':
269 if (($contact = User::get(Env::v('user')))) {
270 if (XDB::execute("DELETE FROM contacts
271 WHERE uid = {?} AND contact = {?}",
272 $uid, $contact->id())) {
273 $page->trigSuccess("Contact retiré&nbsp;!");
274 }
275 }
276 break;
277
278 case 'ajouter':
279 if (($contact = User::get(Env::v('user')))) {
280 if (XDB::execute("REPLACE INTO contacts (uid, contact)
281 VALUES ({?}, {?})",
282 $uid, $contact->id())) {
283 $page->trigSuccess('Contact ajouté&nbsp;!');
284 } else {
285 $page->trigWarning('Contact déjà dans la liste&nbsp;!');
286 }
287 }
288 break;
289 }
290
291 $search = false;
292
293 require_once 'userset.inc.php';
294
295 if ($action == 'search') {
296 $action = $subaction;
297 $subaction = $ssaction;
298 $search = true;
299 }
300 if ($search && trim(Env::v('quick'))) {
301 $base = 'carnet/contacts/search';
302 $view = new SearchSet(true, false, new UFC_Contact($user));
303 } else {
304 $base = 'carnet/contacts';
305 $view = new ProfileSet(new UFC_Contact($user));
306 }
307
308 $view->addMod('minifiche', 'Mini-fiches', true);
309 $view->addMod('trombi', 'Trombinoscope', false, array('with_admin' => false, 'with_promo' => true));
310 // TODO: Reactivate when the new map is completed.
311 // $view->addMod('geoloc', 'Planisphère', false, array('with_annu' => 'carnet/contacts/search'));
312 $view->apply('carnet/contacts', $page, $action, $subaction);
313 //if ($action != 'geoloc' || ($search && !$ssaction) || (!$search && !$subaction)) {
314 $page->changeTpl('carnet/mescontacts.tpl');
315 //}
316 }
317
318 function handler_pdf(&$page, $arg0 = null, $arg1 = null)
319 {
320 $this->load('contacts.pdf.inc.php');
321 $user = S::user();
322
323 Platal::session()->close();
324
325 $order = array(new UFO_Name(Profile::LASTNAME), new UFO_Name(Profile::FIRSTNAME));
326 if ($arg0 == 'promo') {
327 $order = array_unshift($order, new UFO_Promo());
328 } else {
329 $order[] = new UFO_Promo();
330 }
331 $filter = new UserFilter(new UFC_Contact($user), $order);
332
333 $pdf = new ContactsPDF();
334
335 $it = $filter->iterProfiles();
336 while ($p = $it->next()) {
337 $pdf = ContactsPDF::addContact($pdf, $p, $arg0 == 'photos' || $arg1 == 'photos');
338 }
339 $pdf->Output();
340
341 exit;
342 }
343
344 function handler_rss(&$page, $user = null, $hash = null)
345 {
346 $this->load('feed.inc.php');
347 $feed = new CarnetFeed();
348 return $feed->run($page, $user, $hash);
349 }
350
351 function buildBirthRef(Profile $profile)
352 {
353 $date = strtotime($profile->birthdate);
354 $tomorrow = $date + 86400;
355 return array(
356 'timestamp' => $date,
357 'date' => date('Ymd', $date),
358 'tomorrow' => date('Ymd', $tomorrow),
359 'hruid' => $profile->hrid(),
360 'summary' => 'Anniversaire de ' . $profile->fullName(true)
361 );
362 }
363
364 function handler_csv_birthday(&$page, $alias = null, $hash = null)
365 {
366 $user = Platal::session()->tokenAuth($alias, $hash);
367 if (is_null($user)) {
368 if (S::logged()) {
369 $user == S::user();
370 } else {
371 return PL_FORBIDDEN;
372 }
373 }
374
375 $page->changeTpl('carnet/calendar.outlook.tpl', NO_SKIN);
376 $filter = new UserFilter(new UFC_Contact($user));
377 $profiles = $filter->iterProfiles();
378 $page->assign('events', PlIteratorUtils::map($profiles, array($this, 'buildBirthRef')));
379 $years = array(date("Y"));
380 for ($i = 1; $i <= 10; ++$i) {
381 $years[] = $years[0] + $i;
382 }
383 $page->assign('years', $years);
384 $lang = 'fr';
385 if (preg_match('/([a-zA-Z]{2,8})($|[^a-zA-Z])/', $_SERVER['HTTP_ACCEPT_LANGUAGE'], $matches)) {
386 $lang = strtolower($matches[1]);
387 }
388 $page->assign('lang', $lang);
389 if ($lang == 'fr') {
390 $encoding = 'iso8859-15';
391 } else {
392 $encoding = 'utf-8';
393 }
394 pl_content_headers("text/comma-separated-values;charset=".$encoding);
395 }
396
397 function handler_ical(&$page, $alias = null, $hash = null)
398 {
399 $user = Platal::session()->tokenAuth($alias, $hash);
400 if (is_null($user)) {
401 if (S::logged()) {
402 $user == S::user();
403 } else {
404 return PL_FORBIDDEN;
405 }
406 }
407
408 require_once 'ical.inc.php';
409 $page->changeTpl('carnet/calendar.tpl', NO_SKIN);
410 $page->register_function('display_ical', 'display_ical');
411
412 $filter = new UserFilter(new UFC_Contact($user));
413 $profiles = $filter->iterProfiles();
414 $page->assign('events', PlIteratorUtils::map($profiles, array($this, 'buildBirthRef')));
415
416 pl_content_headers("text/calendar");
417 }
418
419 function handler_vcard(&$page, $photos = null)
420 {
421 $pf = new ProfileFilter(new UFC_Contact(S::user()));
422 $vcard = new VCard($photos == 'photos');
423 $vcard->addProfiles($pf->getProfiles());
424 $vcard->show();
425 }
426
427 function handler_csv(&$page, $alias = null, $hash = null)
428 {
429 $user = Platal::session()->tokenAuth($alias, $hash);
430 if (is_null($user)) {
431 if (S::logged()) {
432 $user == S::user();
433 } else {
434 return PL_FORBIDDEN;
435 }
436 }
437
438 $page->changeTpl('carnet/mescontacts.outlook.tpl', NO_SKIN);
439 $pf = new ProfileFilter(new UFC_Contact($user));
440 require_once 'carnet/outlook.inc.php';
441 Outlook::output_profiles($pf->getProfiles(), 'fr');
442 }
443 }
444
445 // vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8:
446 ?>
plat/al