	Quelques éléments de vérification de sécurité
		@@ -3,7 +3,7 @@
 | 
				
			|||||||
include 'config.php';
 | 
					include 'config.php';
 | 
				
			||||||
 | 
					
 | 
				
			||||||
if (!isset($_SESSION["team_id"]))
 | 
					if (!isset($_SESSION["team_id"]))
 | 
				
			||||||
	error403();
 | 
						include "403.php";
 | 
				
			||||||
 | 
					
 | 
				
			||||||
if (isset($_POST["send_solution"])) {
 | 
					if (isset($_POST["send_solution"])) {
 | 
				
			||||||
    $error_message = saveSolution();
 | 
					    $error_message = saveSolution();
 | 
				
			||||||
 
 | 
				
			|||||||
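Review bot: `include "403.php";` on the new side of the guard does not stop the request unless 403.php itself calls `exit`, so an unauthenticated POST carrying `send_solution` still falls through to `saveSolution()` a few lines below. The replaced `error403()` may have terminated the script; a bare include makes the 403 page purely cosmetic if it does not. Make the termination explicit, `if (!isset($_SESSION["team_id"])) { include "403.php"; exit; }`, or ensure 403.php ends with `exit;` — whether it does is not visible from this hunk.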
@@ -2,6 +2,9 @@
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
<?php
 | 
					<?php
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					if (!isset($_SESSION["role"]) || $_SESSION["role"] != "ADMIN" && $_SESSION["role"] != "ORGANIZER")
 | 
				
			||||||
 | 
					    include "403.php";
 | 
				
			||||||
 | 
					
 | 
				
			||||||
if (isset($_POST["download_zip"])) {
 | 
					if (isset($_POST["download_zip"])) {
 | 
				
			||||||
    $id = $_POST["tournament"];
 | 
					    $id = $_POST["tournament"];
 | 
				
			||||||
    $tournament_name = $_POST["tournament_name"];
 | 
					    $tournament_name = $_POST["tournament_name"];
 | 
				
			||||||
 
 | 
				
			|||||||
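Review bot: The new role guard at the top of the file falls through after `include "403.php";` — nothing terminates the request, so a session without the ADMIN/ORGANIZER role still reaches the `download_zip` handler unless 403.php itself calls `exit`. The guard also checks only the role, while `$id = $_POST["tournament"];` is taken from the request as-is, so an organizer can presumably request the archive of a tournament they do not organize (the code that consumes `$id` is outside this hunk). Write the guard as `{ include "403.php"; exit; }`, normalise the id with `$id = (int) $_POST["tournament"];`, and for non-ADMIN sessions check that `$id` is one of the caller's own tournaments before building the archive.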
@@ -3,7 +3,7 @@
 | 
				
			|||||||
include 'config.php';
 | 
					include 'config.php';
 | 
				
			||||||
 | 
					
 | 
				
			||||||
if (!isset($_SESSION["team_id"]))
 | 
					if (!isset($_SESSION["team_id"]))
 | 
				
			||||||
	error403();
 | 
						include "403.php";
 | 
				
			||||||
 | 
					
 | 
				
			||||||
if (isset($_POST["send_synthese"])) {
 | 
					if (isset($_POST["send_synthese"])) {
 | 
				
			||||||
    $error_message = saveSynthese();
 | 
					    $error_message = saveSynthese();
 | 
				
			||||||
 
 | 
				
			|||||||
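Review bot: Same pattern as the solutions page — `include "403.php";` after the `team_id` check does not end the script, so a request without a team session but with `send_synthese` in the POST body still runs `saveSynthese()` below the guard, unless 403.php terminates the request itself. Replace the bare include with `if (!isset($_SESSION["team_id"])) { include "403.php"; exit; }`. The rest of the file is not in the hunk, so the behaviour of 403.php cannot be confirmed here.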
@@ -2,10 +2,13 @@
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
<?php
 | 
					<?php
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					if (!isset($_SESSION["role"]) || $_SESSION["role"] != "ADMIN" && $_SESSION["role"] != "ORGANIZER")
 | 
				
			||||||
 | 
						include "403.php";
 | 
				
			||||||
 | 
					
 | 
				
			||||||
if (isset($_POST["download_zip"])) {
 | 
					if (isset($_POST["download_zip"])) {
 | 
				
			||||||
    $id = $_POST["tournament"];
 | 
					    $id = $_POST["tournament"];
 | 
				
			||||||
    $tournament_name = $_POST["tournament_name"];
 | 
					    $tournament_name = $_POST["tournament_name"];
 | 
				
			||||||
    $files_req = $DB->query("SELECT *, COUNT(`dest`) AS `version` FROM `syntheses` WHERE `tournament` = '$id' GROUP BY `team`, `dest` ORDER BY `team`, `dest`, `uploaded_at` DESC;");
 | 
					    $files_req = $DB->query("SELECT *, COUNT(`dest`) AS `version` FROM `syntheses` WHERE `tournament` = '$id' GROUP BY `team`, `dest`, `uploaded_at` ORDER BY `team`, `dest`, `uploaded_at` DESC;");
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    $zip = new ZipArchive();
 | 
					    $zip = new ZipArchive();
 | 
				
			||||||
 | 
					
 | 
				
			||||||
@@ -46,12 +49,12 @@ if (isset($_POST["download_zip"])) {
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
$req = $DB->query("SELECT `tournaments`.`id`, `name` FROM `tournaments` JOIN `organizers` ON `tournament` = `tournaments`.`id` WHERE "
 | 
					$req = $DB->query("SELECT `tournaments`.`id`, `name` FROM `tournaments` JOIN `organizers` ON `tournament` = `tournaments`.`id` WHERE "
 | 
				
			||||||
    . ($_SESSION["role"] == "ADMIN" ? "" : "`organizer` = '" . $_SESSION["user_id"] . "' AND ")
 | 
					    . ($_SESSION["role"] == "ADMIN" ? "" : "`organizer` = '" . $_SESSION["user_id"] . "' AND ")
 | 
				
			||||||
    . "`year` = $YEAR GROUP BY `tournament` ORDER BY `name`;");
 | 
					    . "`year` = $YEAR GROUP BY `tournament`, `name` ORDER BY `name`;");
 | 
				
			||||||
 | 
					
 | 
				
			||||||
while (($data_tournament = $req->fetch()) !== false) {
 | 
					while (($data_tournament = $req->fetch()) !== false) {
 | 
				
			||||||
    echo "<h1>Tournoi de " . $data_tournament["name"] . "</h1>\n";
 | 
					    echo "<h1>Tournoi de " . $data_tournament["name"] . "</h1>\n";
 | 
				
			||||||
    $id = $data_tournament["id"];
 | 
					    $id = $data_tournament["id"];
 | 
				
			||||||
    $files_req = $DB->query("SELECT *, COUNT(`dest`) AS `version` FROM `syntheses` WHERE `tournament` = '$id' GROUP BY `team`, `dest` ORDER BY `team`, `dest`, `uploaded_at` DESC;");
 | 
					    $files_req = $DB->query("SELECT *, COUNT(`dest`) AS `version` FROM `syntheses` WHERE `tournament` = '$id' GROUP BY `team`, `dest`, `uploaded_at` ORDER BY `team`, `dest`, `uploaded_at` DESC;");
 | 
				
			||||||
    while (($data_file = $files_req->fetch()) !== false) {
 | 
					    while (($data_file = $files_req->fetch()) !== false) {
 | 
				
			||||||
        $file_id = $data_file["file_id"];
 | 
					        $file_id = $data_file["file_id"];
 | 
				
			||||||
        $dest = $data_file["dest"];
 | 
					        $dest = $data_file["dest"];
 | 
				
			||||||
 
 | 
				
			|||||||
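Review bot: `$id` is copied straight from `$_POST["tournament"]` on the line above the `syntheses` query and interpolated into it as `'$id'`, so the download path is SQL-injectable by any ADMIN or ORGANIZER session; the commit reworks the `GROUP BY` of that query but keeps the interpolation. Bind the value instead, `$files_req = $DB->prepare("SELECT ... WHERE `tournament` = ? GROUP BY ...");` then `$files_req->execute([$id]);` (assuming `$DB` is PDO), or at minimum `$id = (int) $_POST["tournament"];`. The role guard added at the top of the file also needs `exit;` after `include "403.php";`, otherwise a session without the role continues into the handler unless 403.php terminates the request. Grouping by `uploaded_at` as well means `COUNT(`dest`) AS version` now counts within a single upload row, which looks like it changes what `version` means — worth confirming against the code that reads it, which is outside the hunk.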
@@ -10,10 +10,15 @@ $data = $response->fetch();
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
$orgas_req = $DB->query("SELECT `users`.`id` AS `id`, `surname`, `first_name` FROM `users` JOIN `organizers` ON `users`.`id` = `organizer` WHERE `tournament` = " . $data["id"] . ";");
 | 
					$orgas_req = $DB->query("SELECT `users`.`id` AS `id`, `surname`, `first_name` FROM `users` JOIN `organizers` ON `users`.`id` = `organizer` WHERE `tournament` = " . $data["id"] . ";");
 | 
				
			||||||
$orgas = [];
 | 
					$orgas = [];
 | 
				
			||||||
 | 
					$orgas_id = [];
 | 
				
			||||||
while (($orga_data = $orgas_req->fetch()) !== false) {
 | 
					while (($orga_data = $orgas_req->fetch()) !== false) {
 | 
				
			||||||
    $orgas[] = [$orga_data["id"], $orga_data["first_name"] . " " . $orga_data["surname"]];
 | 
					    $orgas[] = $orga_data["first_name"] . " " . $orga_data["surname"];
 | 
				
			||||||
 | 
					    $orgas_id[] = $orga_data["id"];
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					if (isset($_GET["modifier"]) && $_SESSION["role"] != "ADMIN" && !in_array($_SESSION["user_id"], $orgas_id))
 | 
				
			||||||
 | 
					    include "403.php";
 | 
				
			||||||
 | 
					
 | 
				
			||||||
if (isset($_POST["edit_tournament"])) {
 | 
					if (isset($_POST["edit_tournament"])) {
 | 
				
			||||||
	$error_message = updateTournament();
 | 
						$error_message = updateTournament();
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
@@ -23,7 +28,7 @@ $teams_response = $DB->query("SELECT `id`, `name`, `trigram`, `inscription_date`
 | 
				
			|||||||
$orgas_response = $DB->query("SELECT `id`, `surname`, `first_name` FROM `users` WHERE (`role` = 'ORGANIZER' OR `role` = 'ADMIN') AND `year` = '$YEAR';");
 | 
					$orgas_response = $DB->query("SELECT `id`, `surname`, `first_name` FROM `users` WHERE (`role` = 'ORGANIZER' OR `role` = 'ADMIN') AND `year` = '$YEAR';");
 | 
				
			||||||
 | 
					
 | 
				
			||||||
function updateTournament() {
 | 
					function updateTournament() {
 | 
				
			||||||
	global $DB, $URL_BASE, $YEAR, $MAIL_ADDRESS, $data;
 | 
						global $DB, $URL_BASE, $YEAR, $data;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	$tournament_id = $data["id"];
 | 
						$tournament_id = $data["id"];
 | 
				
			||||||
 | 
					
 | 
				
			||||||
@@ -126,11 +131,11 @@ function updateTournament() {
 | 
				
			|||||||
    <strong>Organisateur<?= sizeof($orgas) >= 2 ? 's' : '' ?> :</strong>
 | 
					    <strong>Organisateur<?= sizeof($orgas) >= 2 ? 's' : '' ?> :</strong>
 | 
				
			||||||
    <?php
 | 
					    <?php
 | 
				
			||||||
    $s = "";
 | 
					    $s = "";
 | 
				
			||||||
    foreach ($orgas as $orga) {
 | 
					    for ($i = 0; $i < sizeof($orgas); ++$i) {
 | 
				
			||||||
        if ($_SESSION["role"] == "ORGANIZER" || $_SESSION["role"] == "ADMIN")
 | 
					        if ($_SESSION["role"] == "ORGANIZER" || $_SESSION["role"] == "ADMIN")
 | 
				
			||||||
            $s .= "<a href=\"$URL_BASE/informations/$orga[0]/$orga[1]\">$orga[1]</a>";
 | 
					            $s .= "<a href=\"$URL_BASE/informations/$orgas_id[$i]/$orgas[$i]\">$orgas[$i]</a>";
 | 
				
			||||||
        else
 | 
					        else
 | 
				
			||||||
		    $s .= $orga[1];
 | 
							    $s .= $orgas[$i];
 | 
				
			||||||
		$s .= ", ";
 | 
							$s .= ", ";
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
    echo substr($s, 0, -2);
 | 
					    echo substr($s, 0, -2);
 | 
				
			||||||
@@ -145,9 +150,12 @@ function updateTournament() {
 | 
				
			|||||||
    <strong>Date limite d'envoi des notes de synthèse :</strong> <?php echo echo_date($data["date_syntheses"], true) ?><br />
 | 
					    <strong>Date limite d'envoi des notes de synthèse :</strong> <?php echo echo_date($data["date_syntheses"], true) ?><br />
 | 
				
			||||||
    <strong>Description :</strong> <?php echo $data["description"] ?><br />
 | 
					    <strong>Description :</strong> <?php echo $data["description"] ?><br />
 | 
				
			||||||
 | 
					
 | 
				
			||||||
<?php if (!isset($_GET["modifier"])) { ?>
 | 
					<?php if (!isset($_GET["modifier"]) && ($_SESSION["role"] == "ADMIN" || $_SESSION["role"] == "ORGANIZER" && in_array($_SESSION["user_id"], $orgas_id))) { ?>
 | 
				
			||||||
    <a href="<?= $URL_BASE ?>/tournoi/<?= $data["name"] ?>/modifier">Éditer le tournoi</a>
 | 
					    <a href="<?= $URL_BASE ?>/tournoi/<?= $data["name"] ?>/modifier">Éditer le tournoi</a>
 | 
				
			||||||
 | 
					<?php } ?>
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					<?php if (!isset($_GET["modifier"])) { ?>
 | 
				
			||||||
    <hr/>
 | 
					    <hr/>
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    <h2>Équipes inscrites à ce tournoi :</h2>
 | 
					    <h2>Équipes inscrites à ce tournoi :</h2>
 | 
				
			||||||
@@ -176,7 +184,7 @@ function updateTournament() {
 | 
				
			|||||||
            <tr>
 | 
					            <tr>
 | 
				
			||||||
                <td style="border: 1px solid black; text-align: center">
 | 
					                <td style="border: 1px solid black; text-align: center">
 | 
				
			||||||
					<?php
 | 
										<?php
 | 
				
			||||||
					if (isset($_SESSION["role"]) && ($_SESSION["role"] == "ADMIN" || ($_SESSION["role"] == "ORGANIZER" && $data["organizer"] == $_SESSION["user_id"])))
 | 
										if (isset($_SESSION["role"]) && ($_SESSION["role"] == "ADMIN" || ($_SESSION["role"] == "ORGANIZER" && in_array($_SESSION["user_id"], $orgas_id))))
 | 
				
			||||||
						echo "<a href=\"$URL_BASE/equipe/" . $team_data["trigram"] . "\">" . $team_data["name"] . "</a>";
 | 
											echo "<a href=\"$URL_BASE/equipe/" . $team_data["trigram"] . "\">" . $team_data["name"] . "</a>";
 | 
				
			||||||
					else
 | 
										else
 | 
				
			||||||
						echo $team_data["name"];
 | 
											echo $team_data["name"];
 | 
				
			||||||
 
 | 
				
			|||||||
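Review bot: The new authorization check is keyed on `isset($_GET["modifier"])`, but the `edit_tournament` POST handler directly below it is not, so a logged-in user who is neither ADMIN nor an organizer of this tournament can POST `edit_tournament` to the page without `?modifier` and `updateTournament()` runs without ever hitting the guard; and even when the guard fires, `include "403.php"` does not stop the script unless 403.php exits. Compute the permission once and apply it to both entry points with an explicit `exit`, as below. The new condition also reads `$_SESSION["role"]` without `isset`, and `in_array($_SESSION["user_id"], $orgas_id)` compares loosely — passing `true` as the third argument is safer if the session id and the DB ids share a type, which is not visible here. The `<a href=...$orgas[$i]...>` line in the later hunk still echoes organizer names into HTML unescaped; that predates this commit but is worth wrapping in `htmlspecialchars()` while here.
```php
$can_edit = isset($_SESSION["role"]) && ($_SESSION["role"] == "ADMIN"
    || ($_SESSION["role"] == "ORGANIZER" && in_array($_SESSION["user_id"], $orgas_id)));

// Gate both the edit view and the edit POST on the same permission, and stop the script on refusal.
if ((isset($_GET["modifier"]) || isset($_POST["edit_tournament"])) && !$can_edit) {
    include "403.php";
    exit;
}

if (isset($_POST["edit_tournament"])) {
    $error_message = updateTournament();
}
```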