Quelques éléments de vérification de sécurité

This commit is contained in:
Yohann 2019-09-02 21:21:37 +02:00
parent 946d261c71
commit 683b8c71b7
5 changed files with 26 additions and 12 deletions


@ -3,7 +3,7 @@
include 'config.php';
if (!isset($_SESSION["team_id"]))
error403();
include "403.php";
if (isset($_POST["send_solution"])) {
$error_message = saveSolution();
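Review bot: Replacing `error403();` with `include "403.php";` only renders the error page; unless 403.php itself calls exit, execution continues into the `send_solution` branch and `saveSolution()` still runs for a request that has no team_id in the session. Make the denial terminal, e.g. `include "403.php"; exit;`. The same pattern appears at every other `include "403.php"` introduced by this commit: after the role checks in the two download pages, in the synthesis page, and after the organizer check in the tournament page. The enclosing script continues outside the hunk, so whether 403.php terminates cannot be confirmed from here.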


@ -2,6 +2,9 @@
<?php
if (!isset($_SESSION["role"]) || $_SESSION["role"] != "ADMIN" && $_SESSION["role"] != "ORGANIZER")
include "403.php";
if (isset($_POST["download_zip"])) {
$id = $_POST["tournament"];
$tournament_name = $_POST["tournament_name"];
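Review bot: The added role condition relies on `&&` binding tighter than `||`, which yields the intended "missing role, or a role that is neither ADMIN nor ORGANIZER", but it reads as ambiguous and uses loose `!=` comparisons. Consider `if (!isset($_SESSION["role"]) || ($_SESSION["role"] !== "ADMIN" && $_SESSION["role"] !== "ORGANIZER"))` so the grouping is explicit. The identical condition is added in the other download page of this commit and should be written the same way there.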


@ -3,7 +3,7 @@
include 'config.php';
if (!isset($_SESSION["team_id"]))
error403();
include "403.php";
if (isset($_POST["send_synthese"])) {
$error_message = saveSynthese();


@ -2,10 +2,13 @@
<?php
if (!isset($_SESSION["role"]) || $_SESSION["role"] != "ADMIN" && $_SESSION["role"] != "ORGANIZER")
include "403.php";
if (isset($_POST["download_zip"])) {
$id = $_POST["tournament"];
$tournament_name = $_POST["tournament_name"];
$files_req = $DB->query("SELECT *, COUNT(`dest`) AS `version` FROM `syntheses` WHERE `tournament` = '$id' GROUP BY `team`, `dest` ORDER BY `team`, `dest`, `uploaded_at` DESC;");
$files_req = $DB->query("SELECT *, COUNT(`dest`) AS `version` FROM `syntheses` WHERE `tournament` = '$id' GROUP BY `team`, `dest`, `uploaded_at` ORDER BY `team`, `dest`, `uploaded_at` DESC;");
$zip = new ZipArchive();
@ -46,12 +49,12 @@ if (isset($_POST["download_zip"])) {
$req = $DB->query("SELECT `tournaments`.`id`, `name` FROM `tournaments` JOIN `organizers` ON `tournament` = `tournaments`.`id` WHERE "
. ($_SESSION["role"] == "ADMIN" ? "" : "`organizer` = '" . $_SESSION["user_id"] . "' AND ")
. "`year` = $YEAR GROUP BY `tournament` ORDER BY `name`;");
. "`year` = $YEAR GROUP BY `tournament`, `name` ORDER BY `name`;");
while (($data_tournament = $req->fetch()) !== false) {
echo "<h1>Tournoi de " . $data_tournament["name"] . "</h1>\n";
$id = $data_tournament["id"];
$files_req = $DB->query("SELECT *, COUNT(`dest`) AS `version` FROM `syntheses` WHERE `tournament` = '$id' GROUP BY `team`, `dest` ORDER BY `team`, `dest`, `uploaded_at` DESC;");
$files_req = $DB->query("SELECT *, COUNT(`dest`) AS `version` FROM `syntheses` WHERE `tournament` = '$id' GROUP BY `team`, `dest`, `uploaded_at` ORDER BY `team`, `dest`, `uploaded_at` DESC;");
while (($data_file = $files_req->fetch()) !== false) {
$file_id = $data_file["file_id"];
$dest = $data_file["dest"];
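Review bot: The rewritten `$files_req` query in the first hunk still interpolates `$id`, which is read straight from `$_POST["tournament"]` two lines above, into the SQL string; the GROUP BY correction does not change that. If `$DB` is a PDO handle (the `fetch() !== false` pattern suggests it is), replace `'$id'` in the WHERE clause with a `?` placeholder, build the statement with `$DB->prepare(...)` and then call `$files_req->execute([$id]);`. The query in the second hunk's `while` loop interpolates `$id` taken from a database row, which is lower risk but would benefit from the same form. Both hunks sit inside the `download_zip` branch whose end is outside the view.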


@ -10,10 +10,15 @@ $data = $response->fetch();
$orgas_req = $DB->query("SELECT `users`.`id` AS `id`, `surname`, `first_name` FROM `users` JOIN `organizers` ON `users`.`id` = `organizer` WHERE `tournament` = " . $data["id"] . ";");
$orgas = [];
$orgas_id = [];
while (($orga_data = $orgas_req->fetch()) !== false) {
$orgas[] = [$orga_data["id"], $orga_data["first_name"] . " " . $orga_data["surname"]];
$orgas[] = $orga_data["first_name"] . " " . $orga_data["surname"];
$orgas_id[] = $orga_data["id"];
}
if (isset($_GET["modifier"]) && $_SESSION["role"] != "ADMIN" && !in_array($_SESSION["user_id"], $orgas_id))
include "403.php";
if (isset($_POST["edit_tournament"])) {
$error_message = updateTournament();
}
@ -23,7 +28,7 @@ $teams_response = $DB->query("SELECT `id`, `name`, `trigram`, `inscription_date`
$orgas_response = $DB->query("SELECT `id`, `surname`, `first_name` FROM `users` WHERE (`role` = 'ORGANIZER' OR `role` = 'ADMIN') AND `year` = '$YEAR';");
function updateTournament() {
global $DB, $URL_BASE, $YEAR, $MAIL_ADDRESS, $data;
global $DB, $URL_BASE, $YEAR, $data;
$tournament_id = $data["id"];
@ -126,11 +131,11 @@ function updateTournament() {
<strong>Organisateur<?= sizeof($orgas) >= 2 ? 's' : '' ?> :</strong>
<?php
$s = "";
foreach ($orgas as $orga) {
for ($i = 0; $i < sizeof($orgas); ++$i) {
if ($_SESSION["role"] == "ORGANIZER" || $_SESSION["role"] == "ADMIN")
$s .= "<a href=\"$URL_BASE/informations/$orga[0]/$orga[1]\">$orga[1]</a>";
$s .= "<a href=\"$URL_BASE/informations/$orgas_id[$i]/$orgas[$i]\">$orgas[$i]</a>";
else
$s .= $orga[1];
$s .= $orgas[$i];
$s .= ", ";
}
echo substr($s, 0, -2);
@ -145,9 +150,12 @@ function updateTournament() {
<strong>Date limite d'envoi des notes de synthèse :</strong> <?php echo echo_date($data["date_syntheses"], true) ?><br />
<strong>Description :</strong> <?php echo $data["description"] ?><br />
<?php if (!isset($_GET["modifier"])) { ?>
<?php if (!isset($_GET["modifier"]) && ($_SESSION["role"] == "ADMIN" || $_SESSION["role"] == "ORGANIZER" && in_array($_SESSION["user_id"], $orgas_id))) { ?>
<a href="<?= $URL_BASE ?>/tournoi/<?= $data["name"] ?>/modifier">Éditer le tournoi</a>
<?php } ?>
<?php if (!isset($_GET["modifier"])) { ?>
<hr/>
<h2>Équipes inscrites à ce tournoi :</h2>
@ -176,7 +184,7 @@ function updateTournament() {
<tr>
<td style="border: 1px solid black; text-align: center">
<?php
if (isset($_SESSION["role"]) && ($_SESSION["role"] == "ADMIN" || ($_SESSION["role"] == "ORGANIZER" && $data["organizer"] == $_SESSION["user_id"])))
if (isset($_SESSION["role"]) && ($_SESSION["role"] == "ADMIN" || ($_SESSION["role"] == "ORGANIZER" && in_array($_SESSION["user_id"], $orgas_id))))
echo "<a href=\"$URL_BASE/equipe/" . $team_data["trigram"] . "\">" . $team_data["name"] . "</a>";
else
echo $team_data["name"];
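Review bot: The organizer check added before `include "403.php"` in the first hunk only fires when `$_GET["modifier"]` is set, while the `updateTournament()` call two lines below is triggered by `$_POST["edit_tournament"]` alone, so a POST without the `modifier` query parameter bypasses the new check unless updateTournament() validates the caller itself (its body is outside the hunk). Extend the guard to both entry points: `if ((isset($_GET["modifier"]) || isset($_POST["edit_tournament"])) && $_SESSION["role"] != "ADMIN" && !in_array($_SESSION["user_id"], $orgas_id))`. The include should also be followed by `exit;` so the denial is terminal. Once the types of `$_SESSION["user_id"]` and the `$orgas_id` entries are confirmed to match, pass `true` as the third argument of `in_array` here and in the later hunks that repeat the same membership test.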