X-Git-Url: http://git.polytechnique.org/?a=blobdiff_plain;f=modules%2Fcarnet.php;h=1d727749627d91379038dcb77edbc4ffd98d9214;hb=a8b4ccb6c163277c49fb92427a7bb4ace8469660;hp=4dbb162df1c95df6791546a6eb1d735ed9c8b062;hpb=a7c29df3b9bf8f3c3b23fec0f1d2feb814cb61fe;p=platal.git diff --git a/modules/carnet.php b/modules/carnet.php index 4dbb162..1d72774 100644 --- a/modules/carnet.php +++ b/modules/carnet.php @@ -56,7 +56,7 @@ class CarnetModule extends PLModule function handler_index(&$page) { $page->changeTpl('carnet/index.tpl'); - $page->assign('xorg_title','Polytechnique.org - Mon carnet'); + $page->setTitle('Mon carnet'); $this->_add_rss_link($page); } @@ -65,8 +65,8 @@ class CarnetModule extends PLModule $page->changeTpl('carnet/panel.tpl'); if (Get::has('read')) { - $_SESSION['watch_last'] = Get::v('read'); - update_NbNotifs(); + S::set('watch_last', Get::v('read')); + Platal::session()->updateNbNotifs(); pl_redirect('carnet/panel'); } @@ -85,7 +85,7 @@ class CarnetModule extends PLModule if(preg_match('!^ *(\d{4}) *$!', $arg, $matches)) { $p = intval($matches[1]); if($p<1900 || $p>2100) { - $page->trig("la promo entrée est invalide"); + $page->trigError("la promo entrée est invalide"); } else { if ($action == 'add_promo') { $watch->_promos->add($p); @@ -97,9 +97,9 @@ class CarnetModule extends PLModule $p1 = intval($matches[1]); $p2 = intval($matches[2]); if($p1<1900 || $p1>2100) { - $page->trig('la première promo de la plage entrée est invalide'); + $page->trigError('la première promo de la plage entrée est invalide'); } elseif($p2<1900 || $p2>2100) { - $page->trig('la seconde promo de la plage entrée est invalide'); + $page->trigError('la seconde promo de la plage entrée est invalide'); } else { if ($action == 'add_promo') { $watch->_promos->addRange($p1, $p2); @@ -108,7 +108,7 @@ class CarnetModule extends PLModule } } } else { - $page->trig("La promo (ou la plage de promo) entrée est dans un format incorrect."); + $page->trigError("La promo (ou la plage de promo) entrée est dans un format incorrect."); } } @@ -127,6 +127,9 @@ class CarnetModule extends PLModule $promo_sortie = $res->fetchOneCell(); $page->assign('promo_sortie', $promo_sortie); + if ($action) { + S::assert_xsrf_token(); + } switch ($action) { case 'add_promo': case 'del_promo': @@ -142,13 +145,20 @@ class CarnetModule extends PLModule break; } - if (Env::has('subs')) $watch->_subs->update('sub'); + if (Env::has('subs')) { + S::assert_xsrf_token(); + $watch->_subs->update('sub'); + } + if (Env::has('flags_contacts')) { + S::assert_xsrf_token(); $watch->watch_contacts = Env::b('contacts'); $watch->saveFlags(); } + if (Env::has('flags_mail')) { - $watch->watch_mail = Env::b('mail'); + S::assert_xsrf_token(); + $watch->watch_mail = Env::b('mail'); $watch->saveFlags(); } @@ -185,54 +195,44 @@ class CarnetModule extends PLModule } function searchErrorHandler($explain) { - global $page; - $page->trig($explain); + $page =& Platal::page(); + $page->trigError($explain); $this->handler_contacts($page); } function handler_contacts(&$page, $action = null, $subaction = null, $ssaction = null) { - $page->assign('xorg_title','Polytechnique.org - Mes contacts'); + $page->setTitle('Mes contacts'); $this->_add_rss_link($page); $uid = S::v('uid'); $user = Env::v('user'); + // For XSRF protection, checks both the normal xsrf token, and the special RSS token. + // It allows direct linking to contact adding in the RSS feed. + if (Env::v('action') && Env::v('token') !== S::v('core_rss_hash')) { + S::assert_xsrf_token(); + } switch (Env::v('action')) { case 'retirer': - if (is_numeric($user)) { - if (XDB::execute('DELETE FROM contacts - WHERE uid = {?} AND contact = {?}', - $uid, $user)) - { - $page->trig("Contact retiré !"); - } - } else { - if (XDB::execute( - 'DELETE FROM c - USING contacts AS c - INNER JOIN aliases AS a ON (c.contact=a.id and a.type!="homonyme") - WHERE c.uid = {?} AND a.alias={?}', $uid, $user)) - { - $page->trig("Contact retiré !"); + if (($user = User::get(Env::v('user')))) { + if (XDB::execute("DELETE FROM contacts + WHERE uid = {?} AND contact = {?}", $uid, $user->id())) { + $page->trigSuccess("Contact retiré !"); } } break; case 'ajouter': - require_once('user.func.inc.php'); - if (($login = get_user_login($user)) !== false) { - if (XDB::execute( - 'REPLACE INTO contacts (uid, contact) - SELECT {?}, id - FROM aliases - WHERE alias = {?}', $uid, $login)) - { - $page->trig('Contact ajouté !'); + if (($user = User::get(Env::v('user')))) { + if (XDB::execute("REPLACE INTO contacts (uid, contact) + VALUES ({?}, {?})", $uid, $user->id())) { + $page->trigSuccess('Contact ajouté !'); } else { - $page->trig('Contact déjà dans la liste !'); + $page->trigWarning('Contact déjà dans la liste !'); } } + break; } $search = false; @@ -252,7 +252,7 @@ class CarnetModule extends PLModule $base = 'carnet/contacts'; $view = new UserSet("INNER JOIN contacts AS c2 ON (u.user_id = c2.contact)", " c2.uid = $uid "); } - $view->addMod('minifiche', 'Mini-Fiches', true); + $view->addMod('minifiche', 'Mini-fiches', true); $view->addMod('trombi', 'Trombinoscope', false, array('with_admin' => false, 'with_promo' => true)); $view->addMod('geoloc', 'Planisphère', false, array('with_annu' => 'carnet/contacts/search')); $view->apply($base, $page, $action, $subaction); @@ -266,7 +266,7 @@ class CarnetModule extends PLModule require_once dirname(__FILE__).'/carnet/contacts.pdf.inc.php'; require_once 'user.func.inc.php'; - session_write_close(); + Platal::session()->close(); $sql = "SELECT a.alias FROM aliases AS a @@ -314,7 +314,6 @@ class CarnetModule extends PLModule if (!$uid) { $uid = S::i('uid'); } else if ($uid != S::i('uid')) { - require_once 'xorg.misc.inc.php'; send_warning_email("Récupération d\'un autre utilisateur ($uid)"); } } else if (!$uid) {