From c710b211c16d68c00b9389515cdc014650ff0f29 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Rapha=C3=ABl=20Barrois?= Date: Wed, 30 Jun 2010 16:40:29 +0200 Subject: [PATCH] Fix photo edition by other users (Closes #1160) MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Signed-off-by: Raphaël Barrois --- modules/profile.php | 84 ++++++++++++++++++++------------- modules/profile/general.inc.php | 2 +- templates/include/form.valid.photos.tpl | 4 +- templates/profile/general.tpl | 2 +- templates/profile/trombino.tpl | 6 +-- 5 files changed, 58 insertions(+), 40 deletions(-) diff --git a/modules/profile.php b/modules/profile.php index d0c33ea..20305e3 100644 --- a/modules/profile.php +++ b/modules/profile.php @@ -91,7 +91,7 @@ class ProfileModule extends PLModule // Retrieve the photo and its mime type. if ($req && S::logged()) { include 'validations.inc.php'; - $myphoto = PhotoReq::get_request($profile->owner()->id()); + $myphoto = PhotoReq::get_request($profile->id()); $photo = PlImage::fromData($myphoto->data, $myphoto->mimetype); } else { $photo = $profile->getPhoto(true, true); 
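Review bot: The result of `PhotoReq::get_request($profile->id())` is dereferenced on the following line without a check, so a profile with no pending request would presumably reach `$myphoto->data` on a non-object. A fallback keeps the handler well-defined: `$photo = $myphoto ? PlImage::fromData($myphoto->data, $myphoto->mimetype) : $profile->getPhoto(true, true);`. The branch is also gated only by `$req && S::logged()`, and with the lookup now keyed by profile id it appears that any logged-in user can fetch the not-yet-validated photo of any profile. If that is not intended, add the `S::user()->canEdit($profile)` test used by the edit handlers. The handler starts and ends outside the hunk, so where `$req` comes from is not visible here.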
@@ -143,22 +143,51 @@ class ProfileModule extends PLModule exit; } - function handler_photo_change(&$page) + /** Tries to return the correct user from given hrpid + * Will redirect to $returnurl$hrpid if $hrpid was empty + */ + private function findProfile($returnurl, $hrpid = null) + { + if (is_null($hrpid)) { + $user = S::user(); + if (!$user->hasProfile()) { + return PL_NOT_FOUND; + } else { + pl_redirect($returnurl . $user->profile()->hrid()); + } + } else { + $profile = Profile::get($hrpid); + if (!$profile) { + return PL_NOT_FOUND; + } else if (!S::user()->canEdit($profile) && Platal::notAllowed()) { + return PL_FORBIDDEN; + } + } + return $profile; + } + + function handler_photo_change(&$page, $hrpid = null) { global $globals; + $profile = $this->findProfile('photo/change/', $hrpid); + if (! ($profile instanceof Profile) && ($profile == PL_NOT_FOUND || $profile == PL_FORBIDDEN)) { + return $profile; + } + $page->changeTpl('profile/trombino.tpl'); + $page->assign('hrpid', $profile->hrid()); require_once('validations.inc.php'); - $trombi_x = '/home/web/trombino/photos' . S::v('promo') . '/' . S::user()->login() . '.jpg'; + $trombi_x = '/home/web/trombino/photos' . $profile->promo() . '/' . $profile->hrid() . '.jpg'; if (Env::has('upload')) { S::assert_xsrf_token(); - $upload = new PlUpload(S::user()->login(), 'photo'); + $upload = new PlUpload($profile->hrid(), 'photo'); if (!$upload->upload($_FILES['userfile']) && !$upload->download(Env::v('photo'))) { $page->trigError('Une erreur est survenue lors du téléchargement du fichier'); } else { - $myphoto = new PhotoReq(S::user(), $upload); + $myphoto = new PhotoReq(S::user(), $profile, $upload); if ($myphoto->isValid()) { $myphoto->submit(); } 
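Review bot: The guard after `findProfile()` in `handler_photo_change` lets any non-`Profile` value other than the two constants fall through to `$profile->hrid()`, and the `is_null($hrpid)` branch of `findProfile()` reaches `return $profile;` with `$profile` never assigned if `pl_redirect()` ever returns. Testing the type alone fails closed, `if (!($profile instanceof Profile)) { return $profile; }`, and an explicit `return PL_NOT_FOUND;` after the redirect call removes the undefined variable. The same guard is repeated in `handler_p_edit` in the hunk at `-272,24 +301,13`. The docblock on `findProfile()` should also state that it returns either a `Profile` or one of the `PL_*` codes, and that access is refused only when `canEdit()` fails and `Platal::notAllowed()` is true.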
@@ -166,9 +195,9 @@ class ProfileModule extends PLModule } elseif (Env::has('trombi')) { S::assert_xsrf_token(); - $upload = new PlUpload(S::user()->login(), 'photo'); + $upload = new PlUpload($profile->hrid(), 'photo'); if ($upload->copyFrom($trombi_x)) { - $myphoto = new PhotoReq(S::user(), $upload); + $myphoto = new PhotoReq(S::user(), $profile, $upload); if ($myphoto->isValid()) { $myphoto->commit(); $myphoto->clean(); @@ -179,25 +208,25 @@ class ProfileModule extends PLModule XDB::execute('DELETE FROM profile_photos WHERE pid = {?}', - S::user()->profile()->id()); + $profile->id()); XDB::execute("DELETE FROM requests - WHERE uid = {?} AND type = 'photo'", - S::v('uid')); + WHERE pid = {?} AND type = 'photo'", + $profile->id()); $globals->updateNbValid(); $page->trigSuccess("Ta photo a bien été supprimée. Elle ne sera plus visible sur le site dans au plus une heure."); } elseif (Env::v('cancel')) { S::assert_xsrf_token(); $sql = XDB::query("DELETE FROM requests - WHERE uid = {?} AND type = 'photo'", - S::v('uid')); + WHERE pid = {?} AND type = 'photo'", + $profile->id()); $globals->updateNbValid(); } $sql = XDB::query("SELECT COUNT(*) FROM requests - WHERE uid = {?} AND type = 'photo'", - S::v('uid')); + WHERE pid = {?} AND type = 'photo'", + $profile->id()); $page->assign('submited', $sql->fetchOneCell()); $page->assign('has_trombi_x', file_exists($trombi_x)); } 
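Review bot: The delete and cancel branches in the `-179,25 +208,25` hunk now remove the photo and the pending `requests` rows for `$profile->id()`, which may belong to someone other than the session user, and nothing visible in the hunk records who performed the action. A log entry naming both the acting user and the target profile, written before the `DELETE` statements, would make such edits traceable. The success text `Ta photo a bien été supprimée…` still addresses the owner, which reads wrongly when another account edits the profile. The start of the delete branch is outside the hunk, so whether it calls `S::assert_xsrf_token()` like the `cancel` branch cannot be confirmed from here.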
@@ -272,24 +301,13 @@ class ProfileModule extends PLModule http_redirect("http://www.polytechniciens.com/?page=AX_FICHE_ANCIEN&ancc_id=" . $user->ax_id); } - function handler_p_edit(&$page, $user = null, $opened_tab = null, $mode = null, $success = null) + function handler_p_edit(&$page, $hrpid = null, $opened_tab = null, $mode = null, $success = null) { global $globals; - if (is_null($user)) { - $user = S::user(); - if (!$user->hasProfile()) { - return PL_NOT_FOUND; - } else { - pl_redirect('profile/edit/' . $user->profile()->hrid()); - } - } else { - $user = Profile::get($user); - if (!$user) { - return PL_NOT_FOUND; - } else if (!S::user()->canEdit($user) && Platal::notAllowed()) { - return PL_FORBIDDEN; - } + $profile = $this->findProfile('profile/edit/', $hrpid); + if (! ($profile instanceof Profile) && ($profile == PL_NOT_FOUND || $profile == PL_FORBIDDEN)) { + return $profile; } // Build the page @@ -299,8 +317,8 @@ class ProfileModule extends PLModule $page->addJsLink('profile.js'); $page->addJsLink('jquery.autocomplete.js'); $wiz = new PlWizard('Profil', PlPage::getCoreTpl('plwizard.tpl'), true, true, false); - $wiz->addUserData('profile', $user); - $wiz->addUserData('owner', $user->owner()); + $wiz->addUserData('profile', $profile); + $wiz->addUserData('owner', $profile->owner()); $this->load('page.inc.php'); $wiz->addPage('ProfileSettingGeneral', 'Général', 'general'); $wiz->addPage('ProfileSettingAddresses', 'Adresses personnelles', 'adresses'); 
@@ -309,9 +327,9 @@ class ProfileModule extends PLModule $wiz->addPage('ProfileSettingJobs', 'Informations professionnelles', 'emploi'); $wiz->addPage('ProfileSettingSkills', 'Compétences diverses', 'skill'); $wiz->addPage('ProfileSettingMentor', 'Mentoring', 'mentor'); - $wiz->apply($page, 'profile/edit/' . $user->hrid(), $opened_tab, $mode); + $wiz->apply($page, 'profile/edit/' . $profile->hrid(), $opened_tab, $mode); - if (!$user->birthdate) { + if (!$profile->birthdate) { $page->trigWarning("Ta date de naissance n'est pas renseignée, ce qui t'empêcheras de réaliser" . " la procédure de récupération de mot de passe si un jour tu le perdais."); } diff --git a/modules/profile/general.inc.php b/modules/profile/general.inc.php index 088277c..db75a30 100644 --- a/modules/profile/general.inc.php +++ b/modules/profile/general.inc.php @@ -524,7 +524,7 @@ class ProfileSettingGeneral extends ProfilePage if ($this->owner) { $res = XDB::query("SELECT COUNT(*) FROM requests - WHERE type = 'photo' AND uid = {?}", + WHERE type = 'photo' AND pid = {?}", $this->owner->id()); $this->values['nouvellephoto'] = $res->fetchOneCell(); } else { diff --git a/templates/include/form.valid.photos.tpl b/templates/include/form.valid.photos.tpl index b7382f9..6bbf8ec 100644 --- a/templates/include/form.valid.photos.tpl +++ b/templates/include/form.valid.photos.tpl @@ -23,9 +23,9 @@ Photos -  [ PHOTO ] +  [ PHOTO ]      -  [ PHOTO ] +  [ PHOTO ] diff --git a/templates/profile/general.tpl b/templates/profile/general.tpl index 87eb54e..aae79e1 100644 --- a/templates/profile/general.tpl +++ b/templates/profile/general.tpl @@ -229,7 +229,7 @@ quelque part (sur ton ordinateur ou sur Internet) d'une photo d'identité (dans un fichier au format JPEG, PNG ou GIF).
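Review bot: In `modules/profile/general.inc.php` the query now filters on `pid` but still binds `$this->owner->id()`, which looks like a user id: elsewhere in this commit `$profile->owner()->id()` was replaced by `$profile->id()` to move from the owner to the profile. If the two id spaces differ, the pending-request count stored in `nouvellephoto` is computed for the wrong profile or is always zero. Binding the profile id instead, for example `$this->profile->id()` if the page object exposes the profile, would match the other queries changed here; the `if ($this->owner)` test would then need to follow. The enclosing method starts and ends outside the hunk.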
diff --git a/templates/profile/trombino.tpl b/templates/profile/trombino.tpl index 029bbd4..1d9ed15 100644 --- a/templates/profile/trombino.tpl +++ b/templates/profile/trombino.tpl @@ -23,7 +23,7 @@

Trombinoscope

-
+ {xsrf_token_field} {assign var="profile" value=$smarty.session.user->profile()} {if $profile && (($profile->yearpromo() ge 1995) || ($profile->yearpromo() le 2002))} @@ -45,11 +45,11 @@ -  [ PHOTO ] +  [ PHOTO ] {if $submited} -  [ PHOTO ] +  [ PHOTO ] {else} Pas d'image soumise {/if} -- 2.1.4
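Review bot: The template still derives `$profile` from `$smarty.session.user->profile()`, while the handler now works on the profile named by `hrpid`, so the `yearpromo()` test that follows is evaluated for the viewer rather than for the profile being edited. Assigning the target profile from the handler, `$page->assign('profile', $profile);`, and dropping the `{assign}` line would keep the page and the action on the same subject. The changed markup lines of this hunk are not legible in this view, so this rests on the context lines only.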