X-Git-Url: http://git.polytechnique.org/?a=blobdiff_plain;f=modules%2Fcarnet.php;h=cf1cd16277f90a5dfa0b56929f467d275dae4cb8;hb=6dae45b393a59fd04713b9c651ff0970aeec84d7;hp=24bdaaa200691fda476fd81eb09e5e939fa8ab5b;hpb=ac73e29443d4a8d8558fdf82a92f9b4c2fa4adeb;p=platal.git

diff --git a/modules/carnet.php b/modules/carnet.php
index 24bdaaa..cf1cd16 100644
--- a/modules/carnet.php
+++ b/modules/carnet.php
@@ -1,6 +1,6 @@
 <?php
 /***************************************************************************
- *  Copyright (C) 2003-2007 Polytechnique.org                              *
+ *  Copyright (C) 2003-2008 Polytechnique.org                              *
  *  http://opensource.polytechnique.org/                                   *
  *                                                                         *
  *  This program is free software; you can redistribute it and/or modify   *
@@ -29,11 +29,11 @@ class CarnetModule extends PLModule
             'carnet/notifs'         => $this->make_hook('notifs',   AUTH_COOKIE),
 
             'carnet/contacts'       => $this->make_hook('contacts', AUTH_COOKIE),
-            'carnet/contacts/pdf'   => $this->make_hook('pdf',      AUTH_COOKIE),
-            'carnet/contacts/ical'  => $this->make_hook('ical',     AUTH_PUBLIC),
-            'carnet/contacts/vcard' => $this->make_hook('vcard',    AUTH_COOKIE),
+            'carnet/contacts/pdf'   => $this->make_hook('pdf',      AUTH_COOKIE, 'user', NO_HTTPS),
+            'carnet/contacts/ical'  => $this->make_hook('ical',     AUTH_PUBLIC, 'user', NO_HTTPS),
+            'carnet/contacts/vcard' => $this->make_hook('vcard',    AUTH_COOKIE, 'user', NO_HTTPS),
 
-            'carnet/rss'            => $this->make_hook('rss',      AUTH_PUBLIC),
+            'carnet/rss'            => $this->make_hook('rss',      AUTH_PUBLIC, 'user', NO_HTTPS),
         );
     }
 
@@ -66,6 +66,7 @@ class CarnetModule extends PLModule
 
         if (Get::has('read')) {
             $_SESSION['watch_last'] = Get::v('read');
+            update_NbNotifs();
             pl_redirect('carnet/panel');
         }
 
@@ -126,6 +127,9 @@ class CarnetModule extends PLModule
         $promo_sortie = $res->fetchOneCell();
         $page->assign('promo_sortie', $promo_sortie);
 
+        if ($action) {
+            S::assert_xsrf_token();
+        }
         switch ($action) {
           case 'add_promo':
           case 'del_promo':
@@ -141,13 +145,20 @@ class CarnetModule extends PLModule
             break;
         }
 
-        if (Env::has('subs'))       $watch->_subs->update('sub');
+        if (Env::has('subs')) {
+            S::assert_xsrf_token();
+            $watch->_subs->update('sub');
+        }
+
         if (Env::has('flags_contacts')) {
+            S::assert_xsrf_token();
             $watch->watch_contacts = Env::b('contacts');
             $watch->saveFlags();
         }
+
         if (Env::has('flags_mail')) {
-            $watch->watch_mail     = Env::b('mail');
+            S::assert_xsrf_token();
+            $watch->watch_mail = Env::b('mail');
             $watch->saveFlags();
         }
 
@@ -183,7 +194,13 @@ class CarnetModule extends PLModule
         return Array($total, $list);
     }
 
-    function handler_contacts(&$page, $action = null, $subaction = null)
+    function searchErrorHandler($explain) {
+        global $page;
+        $page->trig($explain);
+        $this->handler_contacts($page);
+    }
+
+    function handler_contacts(&$page, $action = null, $subaction = null, $ssaction = null)
     {
         $page->assign('xorg_title','Polytechnique.org - Mes contacts');
         $this->_add_rss_link($page);
@@ -191,6 +208,11 @@ class CarnetModule extends PLModule
         $uid  = S::v('uid');
         $user = Env::v('user');
 
+        // For XSRF protection, checks both the normal xsrf token, and the special RSS token.
+        // It allows direct linking to contact adding in the RSS feed.
+        if (Env::v('action') && Env::v('token') !== S::v('core_rss_hash')) {
+            S::assert_xsrf_token();
+        }
         switch (Env::v('action')) {
             case 'retirer':
                 if (is_numeric($user)) {
@@ -228,12 +250,28 @@ class CarnetModule extends PLModule
                 }
         }
 
-        $view = new UserSet("INNER JOIN contacts AS c2 ON (u.user_id = c2.contact)", " c2.uid = $uid ");
+        $search = false;
+        if ($action == 'search') {
+            $action = $subaction;
+            $subaction = $ssaction;
+            $search = true;
+        }
+        if ($search && trim(Env::v('quick'))) {
+            require_once 'userset.inc.php';
+            $base = 'carnet/contacts/search';
+
+            require_once(dirname(__FILE__) . '/search/classes.inc.php');
+            ThrowError::$throwHook = array($this, 'searchErrorHandler');
+            $view = new SearchSet(true, false, "INNER JOIN contacts AS c2 ON (u.user_id = c2.contact)", "c2.uid = $uid");
+        } else {
+            $base = 'carnet/contacts';
+            $view = new UserSet("INNER JOIN contacts AS c2 ON (u.user_id = c2.contact)", " c2.uid = $uid ");
+        }
         $view->addMod('minifiche', 'Mini-Fiches', true);
         $view->addMod('trombi', 'Trombinoscope', false, array('with_admin' => false, 'with_promo' => true));
-        $view->addMod('geoloc', 'Planisphère');
-        $view->apply('carnet/contacts', $page, $action, $subaction);
-        if ($action != 'geoloc' || !$subaction) {
+        $view->addMod('geoloc', 'Planisphère', false, array('with_annu' => 'carnet/contacts/search'));
+        $view->apply($base, $page, $action, $subaction);
+        if ($action != 'geoloc' || ($search && !$ssaction) || (!$search && !$subaction)) {
             $page->changeTpl('carnet/mescontacts.tpl');
         }
     }