-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathprocess.php
executable file
·369 lines (335 loc) · 16.4 KB
/
process.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
<?php
//go_functions.php gives us access to the isSuperAdmin and isAdmin functions
require_once "go_functions.php";
//go.php handles the session and xss check for admin
//pages and pages where a session is necessary
require_once "go.php";
// Add the results of $_POST to $_SESSION. We'll use
// this to repopulate values in the form if it fails
// validation
$_SESSION['form_values'] = $_POST;
// Add the current code to form values for our check to see if we're
// still editing the same code or have switched to editing a different one
$_SESSION['form_values']['this_code'] = isset($_POST['code']) ? $_POST['code'] : NULL;
//check for xss attempt
if ($_POST['xsrfkey'] != $_SESSION['xsrfkey']) {
die("Session variables do not match");
}
// This should only be available to authenticated users
if (isset($_SESSION['AUTH'])) {
// Is logged in user an admin?
//$is_admin = isAdmin($_POST['code'], $_POST['institution']);
// This is only available to authenticated users
if (isset($_SESSION['AUTH'])) {
//if (isSuperAdmin($_SESSION['AUTH']->getCurrentUserId()) || $is_admin) {
//make the following check only if we are trying to create a code (not update)
if(isset($_POST['create'])) {
//if the code is already being used as an alias, throw an error.
if (Alias::exists($_POST['code'], $_POST['institution'])) {
$_SESSION['update_message'][] = "<p class='update_message_failure'>The shortcut you are trying to make is already an alias of another code.".$_POST['institution']."</p>";
// This tells us the ID of the field that is in error
// if this validation fails. Used to change the class
// of the failed field when redirected back to the
// original form
$_SESSION['field_id_in_error'] = 'code';
// Redirect to originating location
die(header("location: " . $_POST['form_url']));
}
}
// We have two submit buttons on the edit form (the one on the create for is still
// named "update" in order to trigger the same behavior as the button on edit).
// We want to do the following when "Apply" aka. "update" is pressed
// if delete was pressed then delete would be set and update would not.
// We'll do something different in that case
if(isset($_POST['update'])) {
// Check our input
if (!Code::isValidCode($_POST['code'])) {
// We add these to an array so that we can print out
// more than one message at a time
$_SESSION['update_message'][] = "<p class='update_message_failure'>The shortcut you are trying to make contains invalid characters. Shortcuts may only contain letters, numbers, and the following punctuation; _, +, ?. Given ".$_POST['code']."</p>";
// This tells us the ID of the field that is in error
// if this validation fails. Used to change the class
// of the failed field when redirected back to the
// original form
$_SESSION['field_id_in_error'] = 'code';
// Redirect to originating location
die(header("location: " . $_POST['form_url']));
}
if (!Code::isValidUrl($_POST['update_url'])) {
$_SESSION['update_message'][] = "<p class='update_message_failure'>The URL you are trying to set (".$_POST['update_url'].") is not valid. Please enter a properly formed URL.</p>";
$_SESSION['field_id_in_error'] = 'update_url';
// Redirect to originating location
die(header("location: " . $_POST['form_url']));
}
if (!Code::isValidDescription($_POST['update_description'])) {
$_SESSION['update_message'][] = "<p class='update_message_failure'>The description you are trying to set contains invalid characters. The characters allowed are letters, numbers, and common puntcuation. Please make adjustments and try again.</p>";
$_SESSION['field_id_in_error'] = 'update_description';
// Redirect to originating location
die(header("location: " . $_POST['form_url']));
}
if (isset($_POST['alias_list'])) {
foreach ($_POST['alias_list'] as $current_alias) {
if (!Code::isValidCode($current_alias)) {
$_SESSION['update_message'][] = "<p class='update_message_failure'>The alias you are trying to add contains invalid characters. Shortcuts may only contain letters, numbers, and the following punctuation; _, +, ?. Given ".$current_alias."</p>";
$_SESSION['field_id_in_error'] = 'add_alias_text';
// Redirect to originating location
die(header("location: " . $_POST['form_url']));
}
}
}
if (isset($_POST['admin_list'])) {
foreach ($_POST['admin_list'] as $current_admin) {
if (!Code::isValidAdmin($current_admin)) {
$_SESSION['update_message'][] = "<p class='update_message_failure'>The admin you are trying to add contains invalid characters. Admins may only contain letters and numbers. Given ".$current_admin."</p>";
$_SESSION['field_id_in_error'] = 'add_admin_text';
// Redirect to originating location
die(header("location: " . $_POST['form_url']));
}
}
}
// Set messages for the create process (as opposed to the edit
// process. We're using this script for both).
// If the code is new then say it was created, otherwise it's
// being edited and we don't need to say that.
if (!Code::exists($_POST['code'], $_POST['institution'])) {
$showCreateMessage = true;
} else {
// If it does exist, we need to know if it's being edited or created
// Check the "udate" value (the value of the submit button). If it's
// 'Create Shortcut' then complain that it already exists (if we're editing
// then it should already exist and we don't need a message. We also
// should not run the rest of the script, we don't want the values being
// updated via the create screen
if ($_POST['update'] == 'Create Shortcut') {
$_SESSION['update_message'][] = "<p class='update_message_failure'>The shortcut ".$_POST['code']." already exists. The shortcut was not created. Would you like to <a href='my_codes.php'>edit your codes</a>?</p>";
// Redirect to originating location
die(header("location: " . $_POST['form_url']));
}
}
// Instantiate a code object using the submitted name/institution
try {
$code = new Code($_POST['code'], $_POST['institution']);
if (!empty($showCreateMessage))
$_SESSION['update_message'][] = "<p class='update_message_success'>The shortcut ".$_POST['code']." was created.</p>";
} catch (Throwable $e) {
error_log($e->getMessage(), 3);
$_SESSION['update_message'][] = "<p class='update_message_failure'>Adding code failed." . $e->getMessage() . " Please try again and contact ".GO_HELP_HTML." if you encounter an error.</p>";
header("location: " . $_POST['form_url']);
exit;
}
//update url in database
if ($code->getUrl() != $_POST['update_url']) {
$code->setUrl($_POST['update_url'], true);
$_SESSION['update_message'][] = "<p class='update_message_success'>The url was set to '".htmlentities($_POST['update_url'])."' for shortcut ".$_POST['code'].".</p>";
}
//update description in database
if ($code->getDescription() != $_POST['update_description']) {
$code->setDescription($_POST['update_description'], true);
$_SESSION['update_message'][] = "<p class='update_message_success'>The description was set to '".$_POST['update_description']."' for shortcut ".$_POST['code'].".</p>";
}
//update show in gotionary in database
if (isSuperAdmin($_SESSION['AUTH']->getCurrentUserId())) {
if ($code->getPublic() != $_POST['public']) {
$code->setPublic((bool) $_POST['public'], true);
if ($_POST['public']) {
$_SESSION['update_message'][] = "<p class='update_message_success'>The publicity was set to 'true' for shortcut ".$_POST['code'].".</p>";
} else {
$_SESSION['update_message'][] = "<p class='update_message_success'>The publicity was set to 'false' for shortcut ".$_POST['code'].".</p>";
}
}
}
//update unsearchable on main site in database
if (isSuperAdmin($_SESSION['AUTH']->getCurrentUserId())) {
if ($code->getUnsearchable() != $_POST['unsearchable']) {
$code->setUnsearchable((bool) $_POST['unsearchable'], true);
if ($_POST['unsearchable']) {
$_SESSION['update_message'][] = "<p class='update_message_success'>The searchability was set to 'false' for shortcut ".$_POST['code'].".</p>";
} else {
$_SESSION['update_message'][] = "<p class='update_message_success'>The searchability was set to 'true' for shortcut ".$_POST['code'].".</p>";
}
}
}
// ADD ALIAS STUFF
if (isset($_POST['alias_list'])) {
foreach ($_POST['alias_list'] as $current_alias) {
// Trim in case there is extra whitespace
$current_alias = trim($current_alias);
// This is where we do a quick check to see if the
// alias already exists
$select = $connection->prepare("
(SELECT
code
FROM
alias
WHERE
institution = ?
AND
name = ?)
UNION
(SELECT
name
FROM
code
WHERE
institution = ?
AND
name = ?)
");
$select->execute(array($_POST['institution'], $current_alias, $_POST['institution'], $current_alias));
// If there are results then don't make the alias and set a message.
$results = $select->fetchAll();
$match = 0;
if ($results[0][0] == $current_alias) {
$match = 1;
}
if(count($results)) {
if ($match == 1) {
$_SESSION['update_message'][] = "<p class='update_message_failure'>Alias '".$current_alias."' already exists as a GO shortcut. Was not created as an alias of '".$code->getName()."'.</p>";
} else {
$_SESSION['update_message'][] = "<p class='update_message_failure'>Alias '".$current_alias."' already exists as an alias of the code '".$results[0][0]."'. Was not created as an alias of '".$code->getName()."'.</p>";
}
} else {
try {
// Otherwise make a new alias and set a message
$alias = new Alias($current_alias, $_POST['code'], $_POST['institution']);
$_SESSION['update_message'][] = "<p class='update_message_success'>Alias ".$current_alias." was added to '".$code->getName()."'.</p>";
} catch (Throwable $e) {
error_log($e->getMessage(), 3);
$_SESSION['update_message'][] = "<p class='update_message_failure'>Adding alias ".$current_alias." failed. Please try again and contact ".GO_HELP_HTML." if you encounter an error.</p>";
}
}
}
}
// ADD ADMIN STUFF
if (isset($_POST['admin_list'])) {
foreach ($_POST['admin_list'] as $current_admin) {
// Trim in case there is extra whitespace
$current_admin = trim($current_admin);
if (GoAuth::getIdForUser($current_admin)) {
// Check to see if user is already an admin
$select = $connection->prepare("SELECT user FROM user_to_code WHERE user = ? AND code = ? AND institution = ?");
$select->bindValue(1, GoAuth::getIdForUser($current_admin));
$select->bindValue(2, $_POST['code']);
$select->bindValue(3, $_POST['institution']);
$select->execute();
$result = $select->fetchAll();
// If they aren't already an admin
if (!count($result)) {
// Add the user to the code and set a message
$code->addUser(GoAuth::getIdForUser($current_admin));
$_SESSION['update_message'][] = "<p class='update_message_success'>User ".$current_admin." was added as an admin of '".$code->getName()."'.</p>";
}
else {
// Otherwise set a message saying the user is already an admin
$_SESSION['update_message'][] = "<p class='update_message_failure'>User ".$current_admin." is already an admin of '".$code->getName()."'.</p>";
}
}
}
}
// DELETE ALIAS STUFF
if (isset($_POST['alias_list_del'])) {
foreach ($_POST['alias_list_del'] as $current_alias) {
// Trim in case there is extra whitespace
$current_alias = trim($current_alias);
// Check to see if the same alias is being added as is being deleted. If so
// don't delete it.
// This might sound weird, but it's in the case that a user deletes an alias
// and then decides they want it and adds it back on the same page load.
// It will appear in the remove and add lists but we only want to keep it.
if (isset($_POST['alias_list'])) {
$dont_delete_current_alias = 0;
foreach ($_POST['alias_list'] as $add_alias) {
// Keep the alias
if ($add_alias == $current_alias) {
$dont_delete_current_alias = 1;
}
// Don't keep the alias
if (!$dont_delete_current_alias) {
$alias = new Alias($current_alias, $_POST['code'], $_POST['institution']);
$alias->delete();
$_SESSION['update_message'][] = "<p class='update_message_success'>Alias ".$current_alias." was removed from '".$code->getName()."'.</p>";
}
}
// Otherwise none are being added so just go ahead and delete all
// the aliases in the "delete list".
} else {
$alias = new Alias($current_alias, $_POST['code'], $_POST['institution']);
$alias->delete();
$_SESSION['update_message'][] = "<p class='update_message_success'>Alias ".$current_alias." was removed from '".$code->getName()."'.</p>";
}
}
}
// DELETE ADMIN STUFF
if (isset($_POST['admin_list_del'])) {
foreach ($_POST['admin_list_del'] as $current_admin) {
// Trim in case there is extra whitespace
$current_admin = trim($current_admin);
// Check to see if the same admin is being added. If so, don't delete it.
if (isset($_POST['admin_list'])) {
$dont_delete_current_admin = 0;
foreach ($_POST['admin_list'] as $add_admin) {
if ($add_admin == $current_admin) {
$dont_delete_current_admin = 1;
}
if (!$dont_delete_current_admin) {
try {
$code->delUser(GoAuth::getIdForUser($current_admin));
//if the user isn't found and the ID is passed, just use the id
} catch (Throwable $e) {
$code->delUser($current_admin);
}
$_SESSION['update_message'][] = "<p class='update_message_success'>User ".$current_admin." was removed as an admin of '".$code->getName()."'.</p>";
}
}
// Otherwise none are being added so just go ahead and delete all
// the admins in the "delete list".
} else {
try {
$code->delUser(GoAuth::getIdForUser($current_admin));
//if the user isn't found and the ID is passed, just use the id
} catch (Throwable $e) {
$code->delUser($current_admin);
}
$_SESSION['update_message'][] = "<p class='update_message_success'>User ".$current_admin." was removed as an admin of '".$code->getName()."'.</p>";
}
}
}
}
// If delete was pressed just delete the code and set a message.
elseif(isset($_POST['delete'])) {
// Instantiate a code object using the submitted name/institution
$code = new Code($_POST['code'], $_POST['institution']);
$code->delete();
$_SESSION['update_message'][] = "<p class='update_message_success'>The shortcut " . $code->getName() . " was deleted.</p>";
}
// If delete_and_ban was pressed just delete the code and set a message.
elseif(isset($_POST['delete_and_ban']) && isSuperAdmin($_SESSION['AUTH']->getCurrentUserId())) {
// Instantiate a code object using the submitted name/institution
$code = new Code($_POST['code'], $_POST['institution']);
$code->delete();
Code::banCode($_POST['code']);
$_SESSION['update_message'][] = "<p class='update_message_success'>The shortcut " . $code->getName() . " was deleted and banned from future usage.</p>";
}
// If revert changes was pressed
elseif(isset($_POST['revert'])) {
$_SESSION['update_message'][] = "<p class='update_message_success'>Changes on this form have been reverted to default.</p>";
unset($_SESSION['form_values']);
die(header("location: " . $_POST['form_url']));
}
elseif(isset($_POST['notify'])) {
try {
$user = new User($_SESSION["AUTH"]->getCurrentUserId());
$user->setNotify(($_POST["notify"] == "1"), true);
$_SESSION['update_message'][] = "<p class='update_message_success'>Changed your notification preferences.</p>";
} catch (Throwable $e) {
error_log($e->getMessage(), 3);
$_SESSION['update_message'][] = "<p class='update_message_failure'>Setting notification preferences failed." . $e->getMessage() . " Please try again and contact ".GO_HELP_HTML." if you encounter an error.</p>";
header("location: " . $_POST['form_url']);
exit;
}
}
} //end if (isSuperAdmin($_SESSION['AUTH']->getCurrentUserId()) || $is_admin) {
} //end if (isset($_SESSION['AUTH'])) {
unset($_SESSION['form_values']);
// Finally redirect to originating location
header("location: " . $_POST['url']);