Fix SQL query.

[platal.git] / modules / events.php

diff --git a/modules/events.php b/modules/events.php
index 75ef0b2..3025862 100644 (file)
--- a/modules/events.php
+++ b/modules/events.php
@@ -59,7 +59,7 @@ class EventsModule extends PLModule
                          'special'   => true);
         }
 
-        $exclude  = is_null($exclude) ? '' : ' AND id != ' . $exclude . ' ';
+        $exclude  = is_null($exclude) ? '' : ' AND id != ' . intval($exclude) . ' ';
         $priority = rand(0, 510);
         do {
             $priority = (int)($priority/2);
@@ -81,7 +81,7 @@ class EventsModule extends PLModule
         return $res->fetchOneAssoc();
     }
 
-    private function upload_image(PlatalPage &$page, PlUpload &$upload)
+    private function upload_image(PlPage &$page, PlUpload &$upload)
     {
         if (@!$_FILES['image']['tmp_name'] && !Env::v('image_url')) {
             return true;
@@ -144,7 +144,7 @@ class EventsModule extends PLModule
 
         // cache les evenements lus et raffiche les evenements a relire
         if ($action == 'read' && $eid) {
-            XDB::execute('DELETE evenements_vus.*
+            XDB::execute('DELETE ev.*
                             FROM evenements_vus AS ev
                       INNER JOIN evenements AS e ON e.id = ev.evt_id
                            WHERE peremption < NOW()');
@@ -272,8 +272,8 @@ class EventsModule extends PLModule
         $page->changeTpl('events/submit.tpl');
         $page->addJsLink('ajax.js');
 
-        require_once('wiki.inc.php');
-        wiki_require_page('Xorg.Annonce');
+        $wp = new PlWikiPage('Xorg.Annonce');
+        $wp->buildCache();
 
         $titre      = Post::v('titre');
         $texte      = Post::v('texte');
@@ -308,6 +308,8 @@ class EventsModule extends PLModule
         } elseif ($action && (!trim($texte) || !trim($titre))) {
             $page->trigError("L'article doit avoir un titre et un contenu");
         } elseif ($action) {
+            S::assert_xsrf_token();
+
             require_once 'validations.inc.php';
             $evtreq = new EvtReq($titre, $texte, $promo_min, $promo_max,
                                  $peremption, $valid_mesg, S::v('uid'), $upload);
@@ -327,7 +329,7 @@ class EventsModule extends PLModule
 
     function handler_admin_tips(&$page, $action = 'list', $id = null)
     {
-        $page->assign('xorg_title', 'Polytechnique.org - Administration - Astuces');
+        $page->setTitle('Administration - Astuces');
         $page->assign('title', 'Gestion des Astuces');
         $table_editor = new PLTableEditor('admin/tips', 'tips', 'id');
         $table_editor->describe('peremption', 'date de péremption', true);
@@ -348,7 +350,7 @@ class EventsModule extends PLModule
     {
         $page->changeTpl('events/admin.tpl');
         $page->addJsLink('ajax.js');
-        $page->assign('xorg_title','Polytechnique.org - Administration - Evenements');
+        $page->setTitle('Administration - Evenements');
         $page->register_modifier('hde', 'html_entity_decode');
 
         $arch = $action == 'archives';
@@ -361,13 +363,16 @@ class EventsModule extends PLModule
         }
 
         if (Post::v('action') == 'Pas d\'image' && $eid) {
+            S::assert_xsrf_token();
             $upload->rm();
             XDB::execute("DELETE FROM evenements_photo WHERE eid = {?}", $eid);
             $action = 'edit';
         } elseif (Post::v('action') == 'Supprimer l\'image' && $eid) {
+            S::assert_xsrf_token();
             $upload->rm();
             $action = 'edit';
         } elseif (Post::v('action') == "Proposer" && $eid) {
+            S::assert_xsrf_token();
             $promo_min = Post::i('promo_min');
             $promo_max = Post::i('promo_max');
             if (($promo_min != 0 && ($promo_min <= 1900 || $promo_min >= 2020)) ||
@@ -377,7 +382,7 @@ class EventsModule extends PLModule
                 $action = 'edit';
             } else {
                 $res = XDB::query('SELECT flags FROM evenements WHERE id = {?}', $eid);
-                $flags = new FlagSet($res->fetchOneCell());
+                $flags = new PlFlagSet($res->fetchOneCell());
                 $flags->addFlag('wiki');
                 if (Post::v('important')) {
                     $flags->addFlag('important');
@@ -434,17 +439,20 @@ class EventsModule extends PLModule
         } else {
             switch ($action) {
                 case 'delete':
+                    S::assert_xsrf_token();
                     XDB::execute('DELETE from evenements
                                    WHERE id = {?}', $eid);
                     break;
 
                 case "archive":
+                    S::assert_xsrf_token();
                     XDB::execute('UPDATE evenements
                                      SET creation_date = creation_date, flags = CONCAT(flags,",archive")
                                    WHERE id = {?}', $eid);
                     break;
 
                 case "unarchive":
+                    S::assert_xsrf_token();
                     XDB::execute('UPDATE evenements
                                      SET creation_date = creation_date, flags = REPLACE(flags,"archive","")
                                    WHERE id = {?}', $eid);
@@ -453,12 +461,14 @@ class EventsModule extends PLModule
                     break;
 
                 case "valid":
+                    S::assert_xsrf_token();
                     XDB::execute('UPDATE evenements
                                      SET creation_date = creation_date, flags = CONCAT(flags,",valide")
                                    WHERE id = {?}', $eid);
                     break;
 
                 case "unvalid":
+                    S::assert_xsrf_token();
                     XDB::execute('UPDATE evenements
                                      SET creation_date = creation_date, flags = REPLACE(flags,"valide", "")
                                    WHERE id = {?}', $eid);