<?php
require_once(dirname(__FILE__) . '/../lib/prepend.php');
require_once(dirname(__FILE__) . '/../lib/db.php');
require_once(dirname(__FILE__) . '/../lib/dbedit.php');

// File for handling simple database requests:
// - insert one row of one table,
// - update one row of one table,
// - delete one row of one table

// The array $_POST is taken to get the $key => $value pairs.
//
// All keys that begin with : are treated as special words:
//   :tablename
//   :operation_insert
//   :operation_update
//   :operation_delete
//   :nextpage
//
// All keys that end with : are taken as $key => $value pairs
//   for identifying a row when updating or deleting.
//   They are taken as normal fields when inserting (but this behavior may change).
//
// All keys that have the form <functionname>@<keyname> are taken as
// <keyname> => <functionname>(<value>).
// This is mainly intended for applying the md5 function to values:
// md5@password
//
// All other pairs are taken as fieldname => value and they are not
// expected to be encoded.
//
// :nextpage is the filename to call via location (http://... is added automatically)
//   after completion of this script.

$allowedfunctions = array('md5');


// returns true if permitted, the error message as string otherwise
// personid specifies the user who wants to do the operation.
function checkPermission($db_conn, $table, $operation, $key_field_value_map, $field_value_map, $personid) {
	// Is personid valid?
	if (!is_numeric($personid)) return('Invalid person id');
	$personid = (int) $personid;
	
	// manageperson, addappointment
	$sql = "select manageperson, addappointment from person where id=$personid";
	$result = pg_u_query_assoc($db_conn, $sql);
	if (count($result) != 1) return "Person with id $personid does not exist";
	extract($result[0]);
	
	// table person
	if ($table == 'person') {
		if ($manageperson == 't') return TRUE;
		if ($key_field_value_map['id'] == $personid
		&& $operation == 'update'
		&& !in_array('manageperson', array_keys($field_value_map))
		&& !in_array('addappointment', array_keys($field_value_map))) return TRUE;
		return 'No right to manage persons!';
	}
	
	// table appointment
	if ($table == 'appointment' && $operation == 'insert') {
		if ($addappointment != 't') return 'No right to add an appointment!';
		return TRUE;
	}
	
	
	// get selected permission (found in table permission) for user $personid and
	// for appointment $appointmentid (these two fields are the primary key fields).
	// $appointmentid is checked to be numeric.
	// The permission is returned as bool. If an error occurs, 
	// it is returned as string.
	function getPermissions($db_conn, $wantedpermission, $personid, $appointmentid) {
		// Is $appointmentid numeric?
		if (!is_numeric($appointmentid)) return('Invalid appointment id: ' . $appointmentid);
		$appointmentid = (int) $appointmentid;
		
		// Query right
		$sql = "select $wantedpermission from permission where personid=$personid and appointmentid=$appointmentid";
		$result = pg_u_query_num($db_conn, $sql);
		if (count($result) != 1) return "No right to change things for appointment with id $appointmentid or this appointment does not exist.";
		return $result[0][0] == 't';
	}
	
	
	// table appointment
	if ($table == 'appointment') {
		$manageappointment = getPermissions($db_conn, 'manageappointment', $personid, $key_field_value_map['id']);
		if (is_string($manageappointment)) return $manageappointment;
		if (!$manageappointment) return "No right to $operation appointment";
		return TRUE;
	}
	
	// table proposal
	if ($table == 'proposal') {
		$manageproposal = getPermissions($db_conn, 'manageproposal', $personid, $field_value_map['appointmentid']);
		if (is_string($manageproposal)) return $manageproposal;
		if (!$manageproposal) return "No right to $operation proposals.";
		return TRUE;
	}
	
	// table permission
	if ($table == 'permission') {
		$manageappointmentperson = getPermissions($db_conn, 'manageperson', $personid, $key_field_value_map['appointmentid']);
		if (is_string($manageappointmentperson)) return $manageappointmentperson;
		if (!$manageappointmentperson) return "No right to $operation persons for this appointment";
		return TRUE;
	}
	
	// table response
	if ($table == 'response') {
		if ($personid != $_SESSION['person']['id']) return "No right to $operation other people's data.";
		$proposalid=(int) $key_field_value_map['proposalid'];
		$sql = "select personid, appointmentid from permission where personid=$personid and appointmentid=(select appointmentid from proposal where id=$proposalid)";
		$result = pg_u_query_num($db_conn, $sql);
		if (count($result) != 1) return "No right to $operation for this response.";
		return TRUE;
	}
	
	return "Table $table unknown or operation on it not permitted";
}


// put the functionality in a function:
// returns errormessage as string if an error occurs
// returns TRUE if success
function doEditDb($db_conn, $request) {
	global $allowedfunctions;

	// Decode data
	$metaData = decodeRequestMetaData($request, TRUE);
	
	if (!isset($metaData['tablename'])) return 'There is no table name submitted.';
	$tablename = $metaData['tablename'];
	
	$operation = NULL;
	if (isset($metaData['operation_insert'])) $operation = 'insert';
	if (isset($metaData['operation_update'])) $operation = 'update';
	if (isset($metaData['operation_delete'])) $operation = 'delete';
	if (is_null($operation)) return 'No operation (insert, update, delete)';
	
	decodeRequest($request, $key_field_value_map, $field_value_map,
	$key_function_map);
	
	// Security check
	$result = checkPermission($db_conn, $tablename, $operation, $key_field_value_map, $field_value_map, $_SESSION['person']['id']);
	if (!($result === TRUE)) return $result;
	
	// Apply function
	foreach ($key_function_map as $key => $function) {
		// Special functions
		if ($function == 'pwd') {
			if ($operation == 'insert') $function = 'md5';
			elseif ($operation == 'update') {
				// ... to do: better coding ...
				if ($field_value_map[$key] == 'XXXXXX') {
					unset($field_value_map[$key]); 
					continue;
				} else $function = 'md5';
			} else continue;
		}
		// Other functions
		if (!in_array($function, $allowedfunctions)) return "Function $function not allowed.";
		if (isset($key_field_value_map[$key])) $key_field_value_map[$key] = $function($key_field_value_map[$key]);
		if (isset($field_value_map[$key])) $field_value_map[$key] = $function($field_value_map[$key]);
	}

	// Value check
	$result = pg_checkcolumnvalues($db_conn, $tablename, array_merge($key_field_value_map, $field_value_map));
	if ($result === FALSE) return 'The data types could not be checked.';
	else if (is_string($result)) return $result;
	
	// Operate
	if ($operation == 'insert') {
		$msg = pg_e_insert($db_conn, $tablename, array_merge($key_field_value_map, $field_value_map));
		if (!($msg === TRUE)) return $msg;
	}
	if ($operation == 'update') {
		$msg = pg_e_update($db_conn, $tablename, $field_value_map, $key_field_value_map);
		if (!($msg === TRUE)) return $msg;
	}
	if ($operation == 'delete') {
		$msg = pg_e_delete($db_conn, $tablename, $key_field_value_map);
		if (!($msg === TRUE)) return $msg;
	}
	
	return TRUE;
}


$result = doEditDb($db_conn, $_POST);

// Error handling
if (!($result === TRUE)) {
	$_SESSION['editdbmsg'] = $result;
	$_SESSION['editdbsuccess'] = FALSE;
} else {
	$_SESSION['editdbmsg'] = _('Operation successful.');
	$_SESSION['editdbsuccess'] = TRUE;
}

// To 'result' page
$nextpage = $_POST[':nextpage'];
header('location:' . $project_options['projecturl'] . $nextpage);

?>