
Quelques éléments de vérification de sécurité

This commit is contained in:
Yohann
2019-09-02 21:21:37 +02:00
parent 946d261c71
commit 683b8c71b7
5 changed files with 26 additions and 12 deletions


@ -10,10 +10,15 @@ $data = $response->fetch();
$orgas_req = $DB->query("SELECT `users`.`id` AS `id`, `surname`, `first_name` FROM `users` JOIN `organizers` ON `users`.`id` = `organizer` WHERE `tournament` = " . $data["id"] . ";");
$orgas = [];
$orgas_id = [];
while (($orga_data = $orgas_req->fetch()) !== false) {
$orgas[] = [$orga_data["id"], $orga_data["first_name"] . " " . $orga_data["surname"]];
$orgas[] = $orga_data["first_name"] . " " . $orga_data["surname"];
$orgas_id[] = $orga_data["id"];
}
if (isset($_GET["modifier"]) && $_SESSION["role"] != "ADMIN" && !in_array($_SESSION["user_id"], $orgas_id))
include "403.php";
if (isset($_POST["edit_tournament"])) {
$error_message = updateTournament();
}
@ -23,7 +28,7 @@ $teams_response = $DB->query("SELECT `id`, `name`, `trigram`, `inscription_date`
$orgas_response = $DB->query("SELECT `id`, `surname`, `first_name` FROM `users` WHERE (`role` = 'ORGANIZER' OR `role` = 'ADMIN') AND `year` = '$YEAR';");
function updateTournament() {
global $DB, $URL_BASE, $YEAR, $MAIL_ADDRESS, $data;
global $DB, $URL_BASE, $YEAR, $data;
$tournament_id = $data["id"];
@ -126,11 +131,11 @@ function updateTournament() {
<strong>Organisateur<?= sizeof($orgas) >= 2 ? 's' : '' ?> :</strong>
<?php
$s = "";
foreach ($orgas as $orga) {
for ($i = 0; $i < sizeof($orgas); ++$i) {
if ($_SESSION["role"] == "ORGANIZER" || $_SESSION["role"] == "ADMIN")
$s .= "<a href=\"$URL_BASE/informations/$orga[0]/$orga[1]\">$orga[1]</a>";
$s .= "<a href=\"$URL_BASE/informations/$orgas_id[$i]/$orgas[$i]\">$orgas[$i]</a>";
else
$s .= $orga[1];
$s .= $orgas[$i];
$s .= ", ";
}
echo substr($s, 0, -2);
@ -145,9 +150,12 @@ function updateTournament() {
<strong>Date limite d'envoi des notes de synthèse :</strong> <?php echo echo_date($data["date_syntheses"], true) ?><br />
<strong>Description :</strong> <?php echo $data["description"] ?><br />
<?php if (!isset($_GET["modifier"])) { ?>
<?php if (!isset($_GET["modifier"]) && ($_SESSION["role"] == "ADMIN" || $_SESSION["role"] == "ORGANIZER" && in_array($_SESSION["user_id"], $orgas_id))) { ?>
<a href="<?= $URL_BASE ?>/tournoi/<?= $data["name"] ?>/modifier">Éditer le tournoi</a>
<?php } ?>
<?php if (!isset($_GET["modifier"])) { ?>
<hr/>
<h2>Équipes inscrites à ce tournoi :</h2>
@ -176,7 +184,7 @@ function updateTournament() {
<tr>
<td style="border: 1px solid black; text-align: center">
<?php
if (isset($_SESSION["role"]) && ($_SESSION["role"] == "ADMIN" || ($_SESSION["role"] == "ORGANIZER" && $data["organizer"] == $_SESSION["user_id"])))
if (isset($_SESSION["role"]) && ($_SESSION["role"] == "ADMIN" || ($_SESSION["role"] == "ORGANIZER" && in_array($_SESSION["user_id"], $orgas_id))))
echo "<a href=\"$URL_BASE/equipe/" . $team_data["trigram"] . "\">" . $team_data["name"] . "</a>";
else
echo $team_data["name"];
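Review bot: The organiser/admin guard added in the first hunk (`if (isset($_GET["modifier"]) && ... ) include "403.php";`) only fires when `modifier` is in the query string, yet the `if (isset($_POST["edit_tournament"])) { $error_message = updateTournament(); }` handler right after it runs regardless of that parameter, and `include "403.php"` does not stop the script unless 403.php itself exits, which this page does not show. The guard should cover both entry points and terminate: `if ((isset($_GET["modifier"]) || isset($_POST["edit_tournament"])) && $_SESSION["role"] != "ADMIN" && !in_array($_SESSION["user_id"], $orgas_id)) { include "403.php"; exit; }`. The same `in_array($_SESSION["user_id"], $orgas_id)` test reappears in the "Éditer le tournoi" link condition and in the team-link condition of the last hunk; whether `strict: true` is safe depends on `$_SESSION["user_id"]` and the fetched `id` column sharing a type, which is not visible here, so confirm that before tightening it. In the organiser loop, `$orgas[$i]` (a name from the `users` table) is written into both the `href` and the link text without `htmlspecialchars()`, so wrap it with `htmlspecialchars($orgas[$i], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` at both places. The body of updateTournament() and the tournament page start and end outside these hunks.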