From 683b8c71b780bc8a7097bacfea6a6fab5afb148d Mon Sep 17 00:00:00 2001 From: Yohann Date: Mon, 2 Sep 2019 21:21:37 +0200 Subject: [PATCH] =?UTF-8?q?Quelques=20=C3=A9l=C3=A9ments=20de=20v=C3=A9rif?= =?UTF-8?q?ication=20de=20s=C3=A9curit=C3=A9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- server_files/solutions.php | 2 +- server_files/solutions_orga.php | 3 +++ server_files/syntheses.php | 2 +- server_files/syntheses_orga.php | 9 ++++++--- server_files/tournoi.php | 22 +++++++++++++++------- 5 files changed, 26 insertions(+), 12 deletions(-) diff --git a/server_files/solutions.php b/server_files/solutions.php index 6eb747c..4e4f85f 100644 --- a/server_files/solutions.php +++ b/server_files/solutions.php @@ -3,7 +3,7 @@ include 'config.php'; if (!isset($_SESSION["team_id"])) - error403(); + include "403.php"; if (isset($_POST["send_solution"])) { $error_message = saveSolution(); diff --git a/server_files/solutions_orga.php b/server_files/solutions_orga.php index 041fd32..94a52fd 100644 --- a/server_files/solutions_orga.php +++ b/server_files/solutions_orga.php @@ -2,6 +2,9 @@ query("SELECT *, COUNT(`dest`) AS `version` FROM `syntheses` WHERE `tournament` = '$id' GROUP BY `team`, `dest` ORDER BY `team`, `dest`, `uploaded_at` DESC;"); + $files_req = $DB->query("SELECT *, COUNT(`dest`) AS `version` FROM `syntheses` WHERE `tournament` = '$id' GROUP BY `team`, `dest`, `uploaded_at` ORDER BY `team`, `dest`, `uploaded_at` DESC;"); $zip = new ZipArchive(); @@ -46,12 +49,12 @@ if (isset($_POST["download_zip"])) { $req = $DB->query("SELECT `tournaments`.`id`, `name` FROM `tournaments` JOIN `organizers` ON `tournament` = `tournaments`.`id` WHERE " . ($_SESSION["role"] == "ADMIN" ? "" : "`organizer` = '" . $_SESSION["user_id"] . "' AND ") - . "`year` = $YEAR GROUP BY `tournament` ORDER BY `name`;"); + . "`year` = $YEAR GROUP BY `tournament`, `name` ORDER BY `name`;"); while (($data_tournament = $req->fetch()) !== false) { echo "
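Review bot: In the server_files/solutions.php hunk, `include "403.php";` only denies access if 403.php itself ends the script. Otherwise execution falls through to the `$_POST["send_solution"]` branch in the context lines below, and `saveSolution()` runs with no `team_id` in the session. 403.php is not part of this patch, so whether it exits cannot be confirmed from here. Making the guard self-contained removes that dependency: `if (!isset($_SESSION["team_id"])) { include "403.php"; exit; }`. The same applies to the brace-less `include "403.php";` guard this patch adds in server_files/tournoi.php.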

Tournoi de " . $data_tournament["name"] . "

\n"; $id = $data_tournament["id"]; - $files_req = $DB->query("SELECT *, COUNT(`dest`) AS `version` FROM `syntheses` WHERE `tournament` = '$id' GROUP BY `team`, `dest` ORDER BY `team`, `dest`, `uploaded_at` DESC;"); + $files_req = $DB->query("SELECT *, COUNT(`dest`) AS `version` FROM `syntheses` WHERE `tournament` = '$id' GROUP BY `team`, `dest`, `uploaded_at` ORDER BY `team`, `dest`, `uploaded_at` DESC;"); while (($data_file = $files_req->fetch()) !== false) { $file_id = $data_file["file_id"]; $dest = $data_file["dest"]; diff --git a/server_files/tournoi.php b/server_files/tournoi.php index 40c2f50..982f764 100644 --- a/server_files/tournoi.php +++ b/server_files/tournoi.php @@ -10,10 +10,15 @@ $data = $response->fetch(); $orgas_req = $DB->query("SELECT `users`.`id` AS `id`, `surname`, `first_name` FROM `users` JOIN `organizers` ON `users`.`id` = `organizer` WHERE `tournament` = " . $data["id"] . ";"); $orgas = []; +$orgas_id = []; while (($orga_data = $orgas_req->fetch()) !== false) { - $orgas[] = [$orga_data["id"], $orga_data["first_name"] . " " . $orga_data["surname"]]; + $orgas[] = $orga_data["first_name"] . " " . $orga_data["surname"]; + $orgas_id[] = $orga_data["id"]; } +if (isset($_GET["modifier"]) && $_SESSION["role"] != "ADMIN" && !in_array($_SESSION["user_id"], $orgas_id)) + include "403.php"; + if (isset($_POST["edit_tournament"])) { $error_message = updateTournament(); } @@ -23,7 +28,7 @@ $teams_response = $DB->query("SELECT `id`, `name`, `trigram`, `inscription_date` $orgas_response = $DB->query("SELECT `id`, `surname`, `first_name` FROM `users` WHERE (`role` = 'ORGANIZER' OR `role` = 'ADMIN') AND `year` = '$YEAR';"); function updateTournament() { - global $DB, $URL_BASE, $YEAR, $MAIL_ADDRESS, $data; + global $DB, $URL_BASE, $YEAR, $data; $tournament_id = $data["id"]; 
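Review bot: Adding `uploaded_at` to the `GROUP BY` of the `syntheses` query in the syntheses_orga.php hunk at -46 (and the identical query in the `download_zip` branch earlier) makes each upload its own group, so `COUNT(dest) AS version` will be 1 for every row unless two uploads share a timestamp, and older uploads now come back as separate rows. If `version` is meant to be the number of uploads per team and destination, it should come from a separate aggregate while the listing takes the latest row per `team`, `dest`. Both queries are also built by interpolating `'$id'` and `$_SESSION["user_id"]` into the SQL string. The origin of `$id` in the `download_zip` branch is not visible here, so binding the values is the safer form, e.g. `$files_req = $DB->prepare("... WHERE tournament = ? ...");` followed by `$files_req->execute([$id]);`, assuming `$DB` is a PDO handle as the `query()`/`fetch()` calls suggest.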
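Review bot: The authorization check added in the tournoi.php hunk at -10 only runs when `$_GET["modifier"]` is set, but the write path directly below it is selected by `$_POST["edit_tournament"]`. A request without `modifier` therefore still reaches `updateTournament()` without the role or organizer test. The condition should cover the POST branch as well, e.g. `if ((isset($_GET["modifier"]) || isset($_POST["edit_tournament"])) && $_SESSION["role"] != "ADMIN" && !in_array($_SESSION["user_id"], $orgas_id))`, or the same test should be repeated at the top of `updateTournament()`, whose body lies outside this hunk. The branch also needs an explicit `exit;` after `include "403.php";` unless 403.php is known to terminate the script.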
@@ -126,11 +131,11 @@ function updateTournament() { Organisateur= 2 ? 's' : '' ?> : $orga[1]"; + $s .= "$orgas[$i]"; else - $s .= $orga[1]; + $s .= $orgas[$i]; $s .= ", "; } echo substr($s, 0, -2); @@ -145,9 +150,12 @@ function updateTournament() { Date limite d'envoi des notes de synthèse :
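Review bot: The organizer names appended to `$s` in the tournoi.php hunk at -126 are built from `first_name` and `surname` as read from `users`, and no HTML escaping is visible before `echo substr($s, 0, -2);`. Unless those fields are already encoded when they are stored, which this patch does not show, each name should be escaped at output, e.g. `$s .= htmlspecialchars($orgas[$i], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. The loop around these lines is not visible in the hunk, so the exact placement needs checking against the file.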
Description :
- + /modifier">Éditer le tournoi + + +

Équipes inscrites à ce tournoi :

@@ -176,7 +184,7 @@ function updateTournament() { " . $team_data["name"] . ""; else echo $team_data["name"];