<?php
/***************************************************************************
- * Copyright (C) 2003-2007 Polytechnique.org *
+ * Copyright (C) 2003-2008 Polytechnique.org *
* http://opensource.polytechnique.org/ *
* *
* This program is free software; you can redistribute it and/or modify *
if (Get::has('read')) {
$_SESSION['watch_last'] = Get::v('read');
+ update_NbNotifs();
pl_redirect('carnet/panel');
}
if(preg_match('!^ *(\d{4}) *$!', $arg, $matches)) {
$p = intval($matches[1]);
if($p<1900 || $p>2100) {
- $page->trig("la promo entrée est invalide");
+ $page->trigError("la promo entrée est invalide");
} else {
if ($action == 'add_promo') {
$watch->_promos->add($p);
$p1 = intval($matches[1]);
$p2 = intval($matches[2]);
if($p1<1900 || $p1>2100) {
- $page->trig('la première promo de la plage entrée est invalide');
+ $page->trigError('la première promo de la plage entrée est invalide');
} elseif($p2<1900 || $p2>2100) {
- $page->trig('la seconde promo de la plage entrée est invalide');
+ $page->trigError('la seconde promo de la plage entrée est invalide');
} else {
if ($action == 'add_promo') {
$watch->_promos->addRange($p1, $p2);
}
}
} else {
- $page->trig("La promo (ou la plage de promo) entrée est dans un format incorrect.");
+ $page->trigError("La promo (ou la plage de promo) entrée est dans un format incorrect.");
}
}
$promo_sortie = $res->fetchOneCell();
$page->assign('promo_sortie', $promo_sortie);
+ if ($action) {
+ S::assert_xsrf_token();
+ }
switch ($action) {
case 'add_promo':
case 'del_promo':
break;
}
- if (Env::has('subs')) $watch->_subs->update('sub');
+ if (Env::has('subs')) {
+ S::assert_xsrf_token();
+ $watch->_subs->update('sub');
+ }
+
if (Env::has('flags_contacts')) {
+ S::assert_xsrf_token();
$watch->watch_contacts = Env::b('contacts');
$watch->saveFlags();
}
+
if (Env::has('flags_mail')) {
- $watch->watch_mail = Env::b('mail');
+ S::assert_xsrf_token();
+ $watch->watch_mail = Env::b('mail');
$watch->saveFlags();
}
function searchErrorHandler($explain) {
global $page;
- $page->trig($explain);
+ $page->trigError($explain);
$this->handler_contacts($page);
}
$uid = S::v('uid');
$user = Env::v('user');
+ // For XSRF protection, checks both the normal xsrf token, and the special RSS token.
+ // It allows direct linking to contact adding in the RSS feed.
+ if (Env::v('action') && Env::v('token') !== S::v('core_rss_hash')) {
+ S::assert_xsrf_token();
+ }
switch (Env::v('action')) {
case 'retirer':
- if (is_numeric($user)) {
- if (XDB::execute('DELETE FROM contacts
- WHERE uid = {?} AND contact = {?}',
- $uid, $user))
- {
- $page->trig("Contact retiré !");
- }
- } else {
- if (XDB::execute(
- 'DELETE FROM c
- USING contacts AS c
- INNER JOIN aliases AS a ON (c.contact=a.id and a.type!="homonyme")
- WHERE c.uid = {?} AND a.alias={?}', $uid, $user))
- {
- $page->trig("Contact retiré !");
+ if (($user = User::get(Env::v('user')))) {
+ if (XDB::execute("DELETE FROM contacts
+ WHERE uid = {?} AND contact = {?}", $uid, $user->id())) {
+ $page->trigSuccess("Contact retiré !");
}
}
break;
case 'ajouter':
- require_once('user.func.inc.php');
- if (($login = get_user_login($user)) !== false) {
- if (XDB::execute(
- 'REPLACE INTO contacts (uid, contact)
- SELECT {?}, id
- FROM aliases
- WHERE alias = {?}', $uid, $login))
- {
- $page->trig('Contact ajouté !');
+ if (($user = User::get(Env::v('user')))) {
+ if (XDB::execute("REPLACE INTO contacts (uid, contact)
+ VALUES ({?}, {?})", $uid, $user->id())) {
+ $page->trigSuccess('Contact ajouté !');
} else {
- $page->trig('Contact déjà dans la liste !');
+ $page->trigWarning('Contact déjà dans la liste !');
}
}
+ break;
}
$search = false;