function handler_index(&$page)
{
$page->changeTpl('carnet/index.tpl');
- $page->assign('xorg_title','Polytechnique.org - Mon carnet');
+ $page->setTitle('Mon carnet');
$this->_add_rss_link($page);
}
$page->changeTpl('carnet/panel.tpl');
if (Get::has('read')) {
- $_SESSION['watch_last'] = Get::v('read');
- update_NbNotifs();
+ S::set('watch_last', Get::v('read'));
+ Platal::session()->updateNbNotifs();
pl_redirect('carnet/panel');
}
if(preg_match('!^ *(\d{4}) *$!', $arg, $matches)) {
$p = intval($matches[1]);
if($p<1900 || $p>2100) {
- $page->trig("la promo entrée est invalide");
+ $page->trigError("la promo entrée est invalide");
} else {
if ($action == 'add_promo') {
$watch->_promos->add($p);
$p1 = intval($matches[1]);
$p2 = intval($matches[2]);
if($p1<1900 || $p1>2100) {
- $page->trig('la première promo de la plage entrée est invalide');
+ $page->trigError('la première promo de la plage entrée est invalide');
} elseif($p2<1900 || $p2>2100) {
- $page->trig('la seconde promo de la plage entrée est invalide');
+ $page->trigError('la seconde promo de la plage entrée est invalide');
} else {
if ($action == 'add_promo') {
$watch->_promos->addRange($p1, $p2);
}
}
} else {
- $page->trig("La promo (ou la plage de promo) entrée est dans un format incorrect.");
+ $page->trigError("La promo (ou la plage de promo) entrée est dans un format incorrect.");
}
}
$promo_sortie = $res->fetchOneCell();
$page->assign('promo_sortie', $promo_sortie);
+ if ($action) {
+ S::assert_xsrf_token();
+ }
switch ($action) {
case 'add_promo':
case 'del_promo':
break;
}
- if (Env::has('subs')) $watch->_subs->update('sub');
+ if (Env::has('subs')) {
+ S::assert_xsrf_token();
+ $watch->_subs->update('sub');
+ }
+
if (Env::has('flags_contacts')) {
+ S::assert_xsrf_token();
$watch->watch_contacts = Env::b('contacts');
$watch->saveFlags();
}
+
if (Env::has('flags_mail')) {
- $watch->watch_mail = Env::b('mail');
+ S::assert_xsrf_token();
+ $watch->watch_mail = Env::b('mail');
$watch->saveFlags();
}
}
function searchErrorHandler($explain) {
- global $page;
- $page->trig($explain);
+ $page =& Platal::page();
+ $page->trigError($explain);
$this->handler_contacts($page);
}
function handler_contacts(&$page, $action = null, $subaction = null, $ssaction = null)
{
- $page->assign('xorg_title','Polytechnique.org - Mes contacts');
+ $page->setTitle('Mes contacts');
$this->_add_rss_link($page);
$uid = S::v('uid');
$user = Env::v('user');
+ // For XSRF protection, checks both the normal xsrf token, and the special RSS token.
+ // It allows direct linking to contact adding in the RSS feed.
+ if (Env::v('action') && Env::v('token') !== S::v('core_rss_hash')) {
+ S::assert_xsrf_token();
+ }
switch (Env::v('action')) {
case 'retirer':
- if (is_numeric($user)) {
- if (XDB::execute('DELETE FROM contacts
- WHERE uid = {?} AND contact = {?}',
- $uid, $user))
- {
- $page->trig("Contact retiré !");
- }
- } else {
- if (XDB::execute(
- 'DELETE FROM c
- USING contacts AS c
- INNER JOIN aliases AS a ON (c.contact=a.id and a.type!="homonyme")
- WHERE c.uid = {?} AND a.alias={?}', $uid, $user))
- {
- $page->trig("Contact retiré !");
+ if (($user = User::get(Env::v('user')))) {
+ if (XDB::execute("DELETE FROM contacts
+ WHERE uid = {?} AND contact = {?}", $uid, $user->id())) {
+ $page->trigSuccess("Contact retiré !");
}
}
break;
case 'ajouter':
- require_once('user.func.inc.php');
- if (($login = get_user_login($user)) !== false) {
- if (XDB::execute(
- 'REPLACE INTO contacts (uid, contact)
- SELECT {?}, id
- FROM aliases
- WHERE alias = {?}', $uid, $login))
- {
- $page->trig('Contact ajouté !');
+ if (($user = User::get(Env::v('user')))) {
+ if (XDB::execute("REPLACE INTO contacts (uid, contact)
+ VALUES ({?}, {?})", $uid, $user->id())) {
+ $page->trigSuccess('Contact ajouté !');
} else {
- $page->trig('Contact déjà dans la liste !');
+ $page->trigWarning('Contact déjà dans la liste !');
}
}
+ break;
}
$search = false;
$base = 'carnet/contacts';
$view = new UserSet("INNER JOIN contacts AS c2 ON (u.user_id = c2.contact)", " c2.uid = $uid ");
}
- $view->addMod('minifiche', 'Mini-Fiches', true);
+ $view->addMod('minifiche', 'Mini-fiches', true);
$view->addMod('trombi', 'Trombinoscope', false, array('with_admin' => false, 'with_promo' => true));
$view->addMod('geoloc', 'Planisphère', false, array('with_annu' => 'carnet/contacts/search'));
$view->apply($base, $page, $action, $subaction);
require_once dirname(__FILE__).'/carnet/contacts.pdf.inc.php';
require_once 'user.func.inc.php';
- session_write_close();
+ Platal::session()->close();
$sql = "SELECT a.alias
FROM aliases AS a
if (!$uid) {
$uid = S::i('uid');
} else if ($uid != S::i('uid')) {
- require_once 'xorg.misc.inc.php';
send_warning_email("Récupération d\'un autre utilisateur ($uid)");
}
} else if (!$uid) {
projects / platal.git / blobdiff