1 <?php
2 require_once(dirname(__FILE__) . '/../lib/prepend.php');
3 require_once(dirname(__FILE__) . '/../lib/db.php');
4 require_once(dirname(__FILE__) . '/../lib/dbedit.php');
5
6 // File for handling simple database requests:
7 // - insert one row of one table,
8 // - update one row of one table,
9 // - delete one row of one table
10
11 // The array $_POST is taken to get the $key => $value pairs.
12 //
13 // All keys that begin with : are treated as special words:
14 // :tablename
15 // :operation_insert
16 // :operation_update
17 // :operation_delete
18 // :nextpage
19 //
20 // All keys that end with : are taken as $key => $value pairs
21 // for identifying a row when updating or deleting.
22 // They are taken as normal fields when inserting (but this behavior may change).
23 //
// All keys that have the form <functionname>@<keyname> are taken as
// <keyname> => <functionname>(<value>).
// Only function names listed in $allowedfunctions (below) are accepted;
// any other name makes the request fail. This is mainly intended for
// applying the md5 function to values:
// md5@password
// The pseudo-function name pwd is also understood by doEditDb: it applies
// md5 on insert and update, except that on update the placeholder value
// XXXXXX means "leave the password unchanged" and the field is dropped.
29 // All other pairs are taken as fieldname => value and they are not
30 // expected to be encoded.
31 //
32 // :nextpage is the filename to call via location (http://... is added automatically)
33 // after completion of this script.
34
// Whitelist of PHP functions that a request may name in a
// <functionname>@<keyname> key. doEditDb rejects every other name, so this
// list is what stops a request from calling an arbitrary function on its
// values. ('pwd' is a pseudo-function that doEditDb maps to md5 itself.)
$allowedfunctions = array('md5');
36
37
38 // returns true if permitted, the error message as string otherwise
39 // personid specifies the user who wants to do the operation.
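// Returns the value of column $wantedpermission in table permission for the
// row (personid=$personid, appointmentid=$appointmentid) as bool, i.e. whether
// user $personid holds that right on that appointment. Returns an error
// message as string instead when $appointmentid is not numeric or no such
// row exists.
// $wantedpermission is a column name chosen by the callers in this file
// (never taken from the request) and is interpolated into SQL unescaped.
// Both ids are cast to int before they reach SQL.
// (Previously defined inside checkPermission; a nested definition is only
// created when the enclosing function runs and is redeclared - fatally - on
// a second call, so it now lives at file level.)
function getPermissions($db_conn, $wantedpermission, $personid, $appointmentid) {
    // Is $appointmentid numeric?
    if (!is_numeric($appointmentid)) return('Invalid appointment id: ' . $appointmentid);
    $appointmentid = (int) $appointmentid;
    $personid = (int) $personid;

    // Query right
    $sql = "select $wantedpermission from permission where personid=$personid and appointmentid=$appointmentid";
    $result = pg_u_query_num($db_conn, $sql);
    if (count($result) != 1) return "No right to change things for appointment with id $appointmentid or this appointment does not exist.";
    return $result[0][0] == 't';
}


// Returns TRUE if user $personid may perform $operation ('insert', 'update'
// or 'delete') on $table; otherwise returns the error message as a string,
// so callers must test the result with === TRUE.
// $key_field_value_map holds the fields identifying the row (request keys
// ending in ':'), $field_value_map the fields being written. On insert
// doEditDb merges both maps with the plain fields winning, and on update the
// plain fields are written to the selected row; the checks below therefore
// look at both maps wherever a plain field could re-point a row at another
// appointment or person.
// $personid is the acting user (doEditDb passes the session user) and must
// be numeric; it is cast to int before being used in SQL.
function checkPermission($db_conn, $table, $operation, $key_field_value_map, $field_value_map, $personid) {
    // Is personid valid? Reject anything non-numeric before it reaches SQL.
    if (!is_numeric($personid)) return('Invalid person id');
    $personid = (int) $personid;

    // Global rights of the acting user: manageperson, addappointment
    $sql = "select manageperson, addappointment from person where id=$personid";
    $result = pg_u_query_assoc($db_conn, $sql);
    if (count($result) != 1) return "Person with id $personid does not exist";
    // Read the two columns explicitly instead of extract()ing the whole row
    // into the local scope.
    $manageperson = $result[0]['manageperson'];
    $addappointment = $result[0]['addappointment'];

    // table person
    if ($table == 'person') {
        if ($manageperson == 't') return TRUE;
        // A user may update their own row, but may not grant themselves rights.
        $keyid = isset($key_field_value_map['id']) ? $key_field_value_map['id'] : NULL;
        if ($operation == 'update'
            && is_numeric($keyid) && (int) $keyid === $personid
            && !array_key_exists('manageperson', $field_value_map)
            && !array_key_exists('addappointment', $field_value_map)) return TRUE;
        return 'No right to manage persons!';
    }

    // table appointment (insert): needs the global addappointment right
    if ($table == 'appointment' && $operation == 'insert') {
        if ($addappointment != 't') return 'No right to add an appointment!';
        return TRUE;
    }

    // table appointment (update/delete): needs manageappointment on that row
    if ($table == 'appointment') {
        $keyid = isset($key_field_value_map['id']) ? $key_field_value_map['id'] : NULL;
        $manageappointment = getPermissions($db_conn, 'manageappointment', $personid, $keyid);
        if (is_string($manageappointment)) return $manageappointment;
        if (!$manageappointment) return "No right to $operation appointment";
        return TRUE;
    }

    // table proposal: needs manageproposal on every appointment the request
    // touches.
    if ($table == 'proposal') {
        $appointmentids = array();
        if ($operation == 'insert') {
            // The new row goes to the submitted appointment.
            $appointmentids[] = isset($field_value_map['appointmentid']) ? $field_value_map['appointmentid'] : NULL;
        } elseif (isset($key_field_value_map['id'])) {
            // The row is selected by its id, so its appointment is taken from
            // the stored row - a submitted appointmentid field must not decide
            // which proposals may be changed or deleted.
            $keyid = $key_field_value_map['id'];
            if (!is_numeric($keyid)) return 'Invalid proposal id: ' . $keyid;
            $keyid = (int) $keyid;
            $rows = pg_u_query_num($db_conn, "select appointmentid from proposal where id=$keyid");
            if (count($rows) != 1) return "Proposal with id $keyid does not exist";
            $appointmentids[] = $rows[0][0];
        } elseif (isset($key_field_value_map['appointmentid'])) {
            // Rows selected by appointment: that appointment is the one touched.
            $appointmentids[] = $key_field_value_map['appointmentid'];
        } else {
            return "No proposal identified for $operation";
        }
        // Moving a proposal to another appointment needs the right there too.
        if ($operation == 'update' && isset($field_value_map['appointmentid'])) {
            $appointmentids[] = $field_value_map['appointmentid'];
        }
        foreach ($appointmentids as $appointmentid) {
            $manageproposal = getPermissions($db_conn, 'manageproposal', $personid, $appointmentid);
            if (is_string($manageproposal)) return $manageproposal;
            if (!$manageproposal) return "No right to $operation proposals.";
        }
        return TRUE;
    }

    // table permission: needs manageperson on the appointment of the row.
    // The row is identified by the key field appointmentid: (also on insert;
    // without it the check fails closed). A plain appointmentid field wins
    // over the key field on insert and re-points the row on update, so it is
    // checked as well.
    if ($table == 'permission') {
        $appointmentids = array(isset($key_field_value_map['appointmentid']) ? $key_field_value_map['appointmentid'] : NULL);
        if ($operation != 'delete' && isset($field_value_map['appointmentid'])) {
            $appointmentids[] = $field_value_map['appointmentid'];
        }
        foreach ($appointmentids as $appointmentid) {
            $manageappointmentperson = getPermissions($db_conn, 'manageperson', $personid, $appointmentid);
            if (is_string($manageappointmentperson)) return $manageappointmentperson;
            if (!$manageappointmentperson) return "No right to $operation persons for this appointment";
        }
        return TRUE;
    }

    // table response: users may only write their own responses, and only for
    // appointments they have a permission row on.
    if ($table == 'response') {
        // $personid already is the session user, so comparing the two says
        // nothing about the row being written; the row is identified by the
        // submitted key fields. Any submitted personid (key or plain field)
        // must therefore be the caller's own.
        if (!isset($_SESSION['person']['id']) || (int) $_SESSION['person']['id'] !== $personid) return "No right to $operation other people's data.";
        foreach (array($key_field_value_map, $field_value_map) as $map) {
            if (isset($map['personid']) && (!is_numeric($map['personid']) || (int) $map['personid'] !== $personid)) {
                return "No right to $operation other people's data.";
            }
        }
        // The proposal(s) touched: the key field, plus a plain field that
        // would override it on insert or re-point the row on update.
        $proposalids = array(isset($key_field_value_map['proposalid']) ? $key_field_value_map['proposalid'] : NULL);
        if ($operation != 'delete' && isset($field_value_map['proposalid'])) {
            $proposalids[] = $field_value_map['proposalid'];
        }
        foreach ($proposalids as $proposalid) {
            if (!is_numeric($proposalid)) return "No right to $operation for this response.";
            $proposalid = (int) $proposalid;
            $sql = "select personid, appointmentid from permission where personid=$personid and appointmentid=(select appointmentid from proposal where id=$proposalid)";
            $result = pg_u_query_num($db_conn, $sql);
            if (count($result) != 1) return "No right to $operation for this response.";
        }
        return TRUE;
    }

    return "Table $table unknown or operation on it not permitted";
}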
122
123
124 // put the functionality in a function:
125 // returns errormessage as string if an error occurs
126 // returns TRUE if success
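// Performs the insert, update or delete described by $request (normally
// $_POST, see the key conventions at the top of this file) on behalf of the
// session user. Returns TRUE on success, otherwise the error message as a
// string - callers must test the result with === TRUE.
function doEditDb($db_conn, $request) {
    global $allowedfunctions;

    // Decode data
    $metaData = decodeRequestMetaData($request, TRUE);

    if (!isset($metaData['tablename'])) return 'There is no table name submitted.';
    $tablename = $metaData['tablename'];

    // If several operation flags are sent the last one here wins.
    $operation = NULL;
    if (isset($metaData['operation_insert'])) $operation = 'insert';
    if (isset($metaData['operation_update'])) $operation = 'update';
    if (isset($metaData['operation_delete'])) $operation = 'delete';
    if (is_null($operation)) return 'No operation (insert, update, delete)';

    decodeRequest($request, $key_field_value_map, $field_value_map,
                  $key_function_map);

    // Security check: the acting user is always the session user. Without a
    // session this is NULL, which checkPermission rejects as non-numeric.
    $personid = isset($_SESSION['person']['id']) ? $_SESSION['person']['id'] : NULL;
    $result = checkPermission($db_conn, $tablename, $operation, $key_field_value_map, $field_value_map, $personid);
    if (!($result === TRUE)) return $result;

    // Apply the <function>@<key> transformations. Only names listed in
    // $allowedfunctions may be called, so a request cannot name an arbitrary
    // PHP function; 'pwd' is a pseudo-function resolved here.
    foreach ($key_function_map as $key => $function) {
        if ($function === 'pwd') {
            if ($operation == 'insert') {
                $function = 'md5';
            } elseif ($operation == 'update') {
                // The edit form sends the placeholder XXXXXX when the password
                // is to stay unchanged: drop the field instead of hashing the
                // placeholder. (Checked with isset: the key may only be
                // present in the key map.)
                if (isset($field_value_map[$key]) && $field_value_map[$key] === 'XXXXXX') {
                    unset($field_value_map[$key]);
                    continue;
                }
                $function = 'md5';
            } else {
                continue;
            }
        }
        // NOTE(review): the only allowed function is an unsalted md5, which is
        // weak for password storage; replacing it also means changing the
        // login check, so it is left as is here.
        if (!in_array($function, $allowedfunctions, TRUE)) return "Function $function not allowed.";
        if (isset($key_field_value_map[$key])) $key_field_value_map[$key] = $function($key_field_value_map[$key]);
        if (isset($field_value_map[$key])) $field_value_map[$key] = $function($field_value_map[$key]);
    }

    // Value check
    $result = pg_checkcolumnvalues($db_conn, $tablename, array_merge($key_field_value_map, $field_value_map));
    if ($result === FALSE) return 'The data types could not be checked.';
    else if (is_string($result)) return $result;

    // Operate. On insert the plain fields win over key fields of the same
    // name (array_merge); checkPermission accounts for that.
    if ($operation == 'insert') {
        $msg = pg_e_insert($db_conn, $tablename, array_merge($key_field_value_map, $field_value_map));
        if (!($msg === TRUE)) return $msg;
    }
    if ($operation == 'update') {
        $msg = pg_e_update($db_conn, $tablename, $field_value_map, $key_field_value_map);
        if (!($msg === TRUE)) return $msg;
    }
    if ($operation == 'delete') {
        $msg = pg_e_delete($db_conn, $tablename, $key_field_value_map);
        if (!($msg === TRUE)) return $msg;
    }

    return TRUE;
}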
189
190
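// NOTE(review): nothing in this script checks an anti-CSRF token; the
// operation is authorised by the session alone. Unless prepend.php enforces
// one, a third-party page can submit this form on behalf of a logged-in user.
$result = doEditDb($db_conn, $_POST);

// Error handling: the outcome is handed to the next page via the session.
if (!($result === TRUE)) {
    $_SESSION['editdbmsg'] = $result;
    $_SESSION['editdbsuccess'] = FALSE;
} else {
    $_SESSION['editdbmsg'] = _('Operation successful.');
    $_SESSION['editdbsuccess'] = TRUE;
}

// To 'result' page. :nextpage is documented as a filename appended to the
// project URL, but it comes straight from the request: only accept a plain
// relative path (no scheme, no leading slash or backslash, no control
// characters) and otherwise fall back to the project URL itself, so a
// crafted form can neither bounce the user elsewhere nor inject header lines.
$nextpage = isset($_POST[':nextpage']) ? $_POST[':nextpage'] : '';
if (!is_string($nextpage)
    || preg_match('/[\x00-\x1f\x7f]/', $nextpage)
    || preg_match('#^[\\\\/]#', $nextpage)
    || preg_match('#^[A-Za-z][A-Za-z0-9+.-]*:#', $nextpage)) {
    $nextpage = '';
}
header('Location: ' . $project_options['projecturl'] . $nextpage);
exit;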
