.'/'.S::v('forlife').'.jpg';
if (Env::has('upload')) {
+ S::assert_xsrf_token();
+
$upload = new PlUpload(S::v('forlife'), 'photo');
if (!$upload->upload($_FILES['userfile']) && !$upload->download(Env::v('photo'))) {
$page->trigError('Une erreur est survenue lors du téléchargement du fichier');
}
}
} elseif (Env::has('trombi')) {
+ S::assert_xsrf_token();
+
$upload = new PlUpload(S::v('forlife'), 'photo');
if ($upload->copyFrom($trombi_x)) {
$myphoto = new PhotoReq(S::v('uid'), $upload);
}
}
} elseif (Env::v('suppr')) {
+ S::assert_xsrf_token();
+
XDB::execute('DELETE FROM photo
WHERE uid = {?}',
S::v('uid'));
S::v('uid'));
$globals->updateNbValid();
} elseif (Env::v('cancel')) {
+ S::assert_xsrf_token();
+
$sql = XDB::query('DELETE FROM requests
WHERE user_id={?} AND type="photo"',
S::v('uid'));
if (!S::logged() || Env::v('view') == 'public') $view = 'public';
if (S::logged() && Env::v('view') == 'ax') $view = 'ax';
- if (is_numeric($x)) {
- $res = XDB::query(
- "SELECT alias
- FROM aliases AS a
- INNER JOIN auth_user_md5 AS u ON (a.id=u.user_id AND a.type='a_vie')
- WHERE matricule={?}", $x);
- $login = $res->fetchOneCell();
- } else {
- $login = get_user_forlife($x, S::logged() ? '_default_user_callback'
- : '_silent_user_callback');
+ $login = S::logged() ? User::get($x) : User::getSilent($x);
+ if (!$login) {
+ return PL_NOT_FOUND;
}
- if (empty($login)) {
+ $res = XDB::query("SELECT perms IN ('admin','user','disabled')
+ FROM auth_user_md5
+ WHERE user_id = {?}", $login->id());
+ if (!$res->fetchOneCell()) {
$user = get_not_registered_user($x, true);
if ($user->total() != 1) {
return PL_NOT_FOUND;
$user['forlife'] = $x;
} else {
$new = Env::v('modif') == 'new';
- $user = get_user_details($login, S::v('uid'), $view);
+ $user = get_user_details($login->login(), S::v('uid'), $view);
}
if (S::logged()) {
- S::logger()->log('view_profile', $login);
+ S::logger()->log('view_profile', $login->login());
}
$title = $user['prenom'] . ' ' . ( empty($user['nom_usage']) ? $user['nom'] : $user['nom_usage'] );
function handler_ax(&$page, $user = null)
{
- require_once 'user.func.inc.php';
- $user = get_user_forlife($user);
+ $user = User::get($user);
if (!$user) {
return PL_NOT_FOUND;
}
- $res = XDB::query('SELECT matricule_ax
- FROM auth_user_md5 AS u
- INNER JOIN aliases AS a ON (a.type = "a_vie" AND a.id = u.user_id)
- WHERE a.alias = {?}', $user);
+
+ $res = XDB::query("SELECT matricule_ax
+ FROM auth_user_md5
+ WHERE user_id = {?}", $user->id());
$mat = $res->fetchOneCell();
if (!intval($mat)) {
- $page->kill("Le matricule AX de $user est inconnu");
+ $page->kill("Le matricule AX de {$user->login()} est inconnu");
}
http_redirect("http://www.polytechniciens.com/?page=AX_FICHE_ANCIEN&anc_id=$mat");
}
if (!Env::has('promo_sortie')) {
return;
+ } else {
+ S::assert_xsrf_token();
}
$promo_sortie = Env::i('promo_sortie');
$page->assign('usage_req', $nom_usage);
if (Env::has('submit') && ($nom_usage != $usage_old)) {
+ S::assert_xsrf_token();
+
// on vient de recevoir une requete, differente de l'ancien nom d'usage
if ($nom_usage == $nom) {
$page->assign('same', true);
list($forlife, $promo) = $q->fetchOneRow();
switch ($action) {
-
case "original":
header("Content-type: image/jpeg");
readfile("/home/web/trombino/photos".$promo."/".$forlife.".jpg");
break;
case "new":
+ S::assert_xsrf_token();
+
$data = file_get_contents($_FILES['userfile']['tmp_name']);
list($x, $y) = getimagesize($_FILES['userfile']['tmp_name']);
$mimetype = substr($_FILES['userfile']['type'], 6);
break;
case "delete":
+ S::assert_xsrf_token();
+
XDB::execute('DELETE FROM photo WHERE uid = {?}', $uid);
break;
}
projects / platal.git / blobdiff