<?php
/***************************************************************************
- * Copyright (C) 2003-2007 Polytechnique.org *
+ * Copyright (C) 2003-2008 Polytechnique.org *
* http://opensource.polytechnique.org/ *
* *
* This program is free software; you can redistribute it and/or modify *
'carnet/notifs' => $this->make_hook('notifs', AUTH_COOKIE),
'carnet/contacts' => $this->make_hook('contacts', AUTH_COOKIE),
- 'carnet/contacts/pdf' => $this->make_hook('pdf', AUTH_COOKIE),
- 'carnet/contacts/ical' => $this->make_hook('ical', AUTH_PUBLIC),
- 'carnet/contacts/vcard' => $this->make_hook('vcard', AUTH_COOKIE),
+ 'carnet/contacts/pdf' => $this->make_hook('pdf', AUTH_COOKIE, 'user', NO_HTTPS),
+ 'carnet/contacts/ical' => $this->make_hook('ical', AUTH_PUBLIC, 'user', NO_HTTPS),
+ 'carnet/contacts/vcard' => $this->make_hook('vcard', AUTH_COOKIE, 'user', NO_HTTPS),
- 'carnet/rss' => $this->make_hook('rss', AUTH_PUBLIC),
+ 'carnet/rss' => $this->make_hook('rss', AUTH_PUBLIC, 'user', NO_HTTPS),
);
}
if (Get::has('read')) {
$_SESSION['watch_last'] = Get::v('read');
+ update_NbNotifs();
pl_redirect('carnet/panel');
}
if(preg_match('!^ *(\d{4}) *$!', $arg, $matches)) {
$p = intval($matches[1]);
if($p<1900 || $p>2100) {
- $page->trig("la promo entrée est invalide");
+ $page->trigError("la promo entrée est invalide");
} else {
if ($action == 'add_promo') {
$watch->_promos->add($p);
$p1 = intval($matches[1]);
$p2 = intval($matches[2]);
if($p1<1900 || $p1>2100) {
- $page->trig('la première promo de la plage entrée est invalide');
+ $page->trigError('la première promo de la plage entrée est invalide');
} elseif($p2<1900 || $p2>2100) {
- $page->trig('la seconde promo de la plage entrée est invalide');
+ $page->trigError('la seconde promo de la plage entrée est invalide');
} else {
if ($action == 'add_promo') {
$watch->_promos->addRange($p1, $p2);
}
}
} else {
- $page->trig("La promo (ou la plage de promo) entrée est dans un format incorrect.");
+ $page->trigError("La promo (ou la plage de promo) entrée est dans un format incorrect.");
}
}
$promo_sortie = $res->fetchOneCell();
$page->assign('promo_sortie', $promo_sortie);
+ if ($action) {
+ S::assert_xsrf_token();
+ }
switch ($action) {
case 'add_promo':
case 'del_promo':
break;
}
- if (Env::has('subs')) $watch->_subs->update('sub');
+ if (Env::has('subs')) {
+ S::assert_xsrf_token();
+ $watch->_subs->update('sub');
+ }
+
if (Env::has('flags_contacts')) {
+ S::assert_xsrf_token();
$watch->watch_contacts = Env::b('contacts');
$watch->saveFlags();
}
+
if (Env::has('flags_mail')) {
- $watch->watch_mail = Env::b('mail');
+ S::assert_xsrf_token();
+ $watch->watch_mail = Env::b('mail');
$watch->saveFlags();
}
function searchErrorHandler($explain) {
global $page;
- $page->trig($explain);
+ $page->trigError($explain);
$this->handler_contacts($page);
}
$uid = S::v('uid');
$user = Env::v('user');
+ // For XSRF protection, checks both the normal xsrf token, and the special RSS token.
+ // It allows direct linking to contact adding in the RSS feed.
+ if (Env::v('action') && Env::v('token') !== S::v('core_rss_hash')) {
+ S::assert_xsrf_token();
+ }
switch (Env::v('action')) {
case 'retirer':
if (is_numeric($user)) {
WHERE uid = {?} AND contact = {?}',
$uid, $user))
{
- $page->trig("Contact retiré !");
+ $page->trigSuccess("Contact retiré !");
}
} else {
if (XDB::execute(
INNER JOIN aliases AS a ON (c.contact=a.id and a.type!="homonyme")
WHERE c.uid = {?} AND a.alias={?}', $uid, $user))
{
- $page->trig("Contact retiré !");
+ $page->trigSuccess("Contact retiré !");
}
}
break;
FROM aliases
WHERE alias = {?}', $uid, $login))
{
- $page->trig('Contact ajouté !');
+ $page->trigSuccess('Contact ajouté !');
} else {
- $page->trig('Contact déjà dans la liste !');
+ $page->trigWarning('Contact déjà dans la liste !');
}
}
}