X-Git-Url: http://git.polytechnique.org/?a=blobdiff_plain;f=modules%2Fadmin.php;h=e9e899ddf1a89884279fd977a1882075afea4dab;hb=e8dfa21cb3ade890694157170de1a1c6d7519531;hp=ef9fa0e02ed687aa4e64a7ccd6374cb6b6c2455b;hpb=61c98f4b3582ad22edc5b85648c7eed3a4836147;p=platal.git
diff --git a/modules/admin.php b/modules/admin.php
index ef9fa0e..e9e899d 100644
--- a/modules/admin.php
+++ b/modules/admin.php
@@ -406,12 +406,16 @@ class AdminModule extends PLModule
}
$mr = $r->fetchOneAssoc();
- if (!is_numeric($login)) { //user has a forlife
+ // Checks the user has a forlife, as non-registered user can't have redirections.
+ if ($mr['forlife']) {
$redirect = new Redirect($mr['user_id']);
}
// Check if there was a submission
foreach($_POST as $key => $val) {
+ if (!S::has_xsrf_token()) {
+ $page->kill("L'opération de modification de l'utilisateur a échouée, merci de réessayer.");
+ }
switch ($key) {
case "add_fwd":
$email = trim(Env::v('email'));
@@ -614,7 +618,8 @@ class AdminModule extends PLModule
update_NbIns();
$page->trig("'{$mr['user_id']}' a été désinscrit !");
$mailer = new PlMailer("admin/useredit.mail.tpl");
- $mailer->assign("user", S::v('forlife'));
+ $mailer->assign("admin", S::v('forlife'));
+ $mailer->assign("user", $mr['forlife']);
$mailer->assign("deletion", true);
$mailer->send();
break;
@@ -735,24 +740,34 @@ class AdminModule extends PLModule
}
}
- $page->assign('op',$op);
- $page->assign('target',$target);
+ $page->assign('op', $op);
+ $page->assign('target', $target);
// on a un $target valide, on prepare les mails
if ($target) {
-
// on examine l'op a effectuer
switch ($op) {
case 'mail':
- send_warning_homonyme($prenom, $nom, $forlife, $loginbis);
- switch_bestalias($target, $loginbis);
+ if (S::has_xsrf_token()) {
+ send_warning_homonyme($prenom, $nom, $forlife, $loginbis);
+ switch_bestalias($target, $loginbis);
+ } else {
+ $page->assign('op', 'list');
+ $page->trig("L'envoi du mail d'homonymie a échoué, merci de réessayer.");
+ }
$op = 'list';
break;
+
case 'correct':
- switch_bestalias($target, $loginbis);
- XDB::execute("UPDATE aliases SET type='homonyme',expire=NOW() WHERE alias={?}", $loginbis);
- XDB::execute("REPLACE INTO homonymes (homonyme_id,user_id) VALUES({?},{?})", $target, $target);
- send_robot_homonyme($prenom, $nom, $forlife, $loginbis);
+ if (S::has_xsrf_token()) {
+ switch_bestalias($target, $loginbis);
+ XDB::execute("UPDATE aliases SET type='homonyme',expire=NOW() WHERE alias={?}", $loginbis);
+ XDB::execute("REPLACE INTO homonymes (homonyme_id,user_id) VALUES({?},{?})", $target, $target);
+ send_robot_homonyme($prenom, $nom, $forlife, $loginbis);
+ } else {
+ $page->assign('op', 'list');
+ $page->trig("La correction de l'homonymie a échouée, merci de réessayer.");
+ }
$op = 'list';
break;
}
@@ -819,22 +834,27 @@ class AdminModule extends PLModule
$page->assign('promo',$promo);
- if ($validate) {
+ if ($validate && S::has_xsrf_token()) {
$new_deces = array();
$res = XDB::iterRow("SELECT user_id,matricule,nom,prenom,deces FROM auth_user_md5 WHERE promo = {?}", $promo);
while (list($uid,$mat,$nom,$prenom,$deces) = $res->next()) {
$val = Env::v($mat);
- if($val == $deces || empty($val)) continue;
- XDB::execute('UPDATE auth_user_md5 SET deces={?} WHERE matricule = {?}', $val, $mat);
- $new_deces[] = array('name' => "$prenom $nom", 'date' => "$val");
- if($deces=='0000-00-00' or empty($deces)) {
- require_once('notifs.inc.php');
- register_watch_op($uid, WATCH_DEATH, $val);
- require_once('user.func.inc.php');
- user_clear_all_subs($uid, false); // by default, dead ppl do not loose their email
- }
+ if($val == $deces || empty($val)) {
+ continue;
+ }
+
+ XDB::execute('UPDATE auth_user_md5 SET deces={?} WHERE matricule = {?}', $val, $mat);
+ $new_deces[] = array('name' => "$prenom $nom", 'date' => "$val");
+ if($deces == '0000-00-00' || empty($deces)) {
+ require_once('notifs.inc.php');
+ register_watch_op($uid, WATCH_DEATH, $val);
+ require_once('user.func.inc.php');
+ user_clear_all_subs($uid, false); // by default, dead ppl do not loose their email
+ }
}
$page->assign('new_deces',$new_deces);
+ } else if ($validate) {
+ $page->trig("La mise à jour des dates de decès à échouée, merci de réessayer.");
}
$res = XDB::iterator('SELECT matricule, nom, prenom, deces FROM auth_user_md5 WHERE promo = {?} ORDER BY nom,prenom', $promo);
@@ -918,7 +938,11 @@ class AdminModule extends PLModule
if(Env::has('uid') && Env::has('type') && Env::has('stamp')) {
$req = Validate::get_typed_request(Env::v('uid'), Env::v('type'), Env::v('stamp'));
- if($req) { $req->handle_formu(); }
+ if($req && S::has_xsrf_token()) {
+ $req->handle_formu();
+ } else if ($req) {
+ $page->trig("L'opération a échoué, merci de réessayer.");
+ }
}
$r = XDB::iterator('SHOW COLUMNS FROM requests_answers');
@@ -940,6 +964,9 @@ class AdminModule extends PLModule
}
$page->assign('hide_requests', $hidden);
+ // Update the count of item to validate here... useful in development configuration
+ // where several copies of the site use the same DB, but not the same "dynamic configuration"
+ update_NbValid();
$page->assign('vit', new ValidateIterator());
}
@@ -1017,8 +1044,9 @@ class AdminModule extends PLModule
$page->setRssLink('Changement Récents',
'/Site/AllRecentChanges?action=rss&user=' . S::v('forlife') . '&hash=' . S::v('core_rss_hash'));
}
+
// update wiki perms
- if ($action == 'update') {
+ if ($action == 'update' && S::has_xsrf_token()) {
$perms_read = Post::v('read');
$perms_edot = Post::v('edit');
if ($perms_read || $perms_edit) {
@@ -1033,17 +1061,21 @@ class AdminModule extends PLModule
wiki_set_perms($wiki_page, $perms0, $perms1);
}
}
+ } elseif ($action == 'update') {
+ $page->trig("La mise à jour des permissions wiki a échouée, merci de réessayer.");
}
- if ($action == 'delete' && $wikipage != '') {
+ if ($action == 'delete' && $wikipage != '' && S::has_xsrf_token()) {
if (wiki_delete_page($wikipage)) {
$page->trig("La page ".$wikipage." a été supprimée.");
} else {
$page->trig("Impossible de supprimer la page ".$wikipage.".");
}
+ } elseif ($action == 'delete' && $wikipage != '') {
+ $page->trig("La suppression de la page wiki a échouée, merci de réessayer.");
}
- if ($action == 'rename' && $wikipage != '' && $wikipage2 != '' && $wikipage != $wikipage2) {
+ if ($action == 'rename' && $wikipage != '' && $wikipage2 != '' && $wikipage != $wikipage2 && S::has_xsrf_token()) {
if ($changedLinks = wiki_rename_page($wikipage, $wikipage2)) {
$s = 'La page '.$wikipage.' a été déplacée en '.$wikipage2.'.';
if (is_numeric($changedLinks)) {
@@ -1053,6 +1085,8 @@ class AdminModule extends PLModule
} else {
$page->trig("Impossible de déplacer la page ".$wikipage);
}
+ } elseif ($action == 'rename' && $wikipage != '' && $wikipage2 != '' && $wikipage != $wikipage2) {
+ $page->trig("Le renommage de la page wiki a échoué, merci de réessayer.");
}
$perms = wiki_perms_options();
@@ -1099,8 +1133,12 @@ class AdminModule extends PLModule
$page->assign('states', $states);
switch (Post::v('action')) {
- case 'create':
+ case 'create':
if (trim(Post::v('ipN')) != '') {
+ if (!S::has_xsrf_token()) {
+ $page->trig("L'ajout d'une IP à surveiller a échoué, merci de réessayer.");
+ break;
+ }
Xdb::execute('INSERT IGNORE INTO ip_watch (ip, mask, state, detection, last, uid, description)
VALUES ({?}, {?}, {?}, CURDATE(), NOW(), {?}, {?})',
ip_to_uint(trim(Post::v('ipN'))), ip_to_uint(trim(Post::v('maskN'))),
@@ -1108,16 +1146,24 @@ class AdminModule extends PLModule
};
break;
- case 'edit':
+ case 'edit':
+ if (!S::has_xsrf_token()) {
+ $page->trig("L'édition de l'IP a échoué, merci de réessayer.");
+ break;
+ }
Xdb::execute('UPDATE ip_watch
SET state = {?}, last = NOW(), uid = {?}, description = {?}, mask = {?}
WHERE ip = {?}', Post::v('stateN'), S::i('uid'), Post::v('descriptionN'),
ip_to_uint(Post::v('maskN')), ip_to_uint(Post::v('ipN')));
break;
- default:
+ default:
if ($action == 'delete' && !is_null($ip)) {
- Xdb::execute('DELETE FROM ip_watch WHERE ip = {?}', ip_to_uint($ip));
+ if (S::has_xsrf_token()) {
+ Xdb::execute('DELETE FROM ip_watch WHERE ip = {?}', ip_to_uint($ip));
+ } else {
+ $page->trig("La suppression de l'adresse IP a échouée, merci de réessayer.");
+ }
}
}
if ($action != 'create' && $action != 'edit') {