From 8272ffb725f0e31b41d7493fff4f0735a53b16c3 Mon Sep 17 00:00:00 2001
From: Phyks
Date: Sun, 25 Aug 2013 23:06:47 +0200
Subject: [PATCH] Bug corrections
---
TODO | 15 ++
inc/User.class.php | 4 +-
index.php | 133 ++++++++++--------
....af3906cfde643ae7f290cfdc51cc9342.rtpl.php | 9 +-
....af3906cfde643ae7f290cfdc51cc9342.rtpl.php | 12 +-
tpl/edit_users.html | 7 +-
tpl/new_invoice.html | 6 +-
7 files changed, 115 insertions(+), 71 deletions(-)
diff --git a/TODO b/TODO
index 96026cf..05a5b1d 100755
--- a/TODO
+++ b/TODO
@@ -17,3 +17,18 @@ inc/Invoices.class.php :
Manage paybacks :
=================
+* TODO : Payback system
+
+Tests :
+=======
+* Remember me ?
+* Add a bill
+* Edit a bill
+* Change settings
+
+Tests passed (quick tests) :
+============================
+* Connection form
+* Edit notice
+* Add / Edit user
+* Change password
diff --git a/inc/User.class.php b/inc/User.class.php
index 1c633e0..9cdafbf 100644
--- a/inc/User.class.php
+++ b/inc/User.class.php
@@ -65,7 +65,7 @@ class User extends Storage {
$user_data = $this->load(array('login'=>$this->login));
if(count($user_data) == 1) {
$this->setId($user_data[0]['id']);
- $this->setDisplayName($user_data[0]['admin']);
+ $this->setDisplayName($user_data[0]['display_name']);
$this->setAdmin($user_data[0]['admin']);
$this->setPassword($user_data[0]['password']);
@@ -122,7 +122,7 @@ class User extends Storage {
}
public function isUnique() {
- if(count($this->load_users(array('login'=>$this->login))) == 0) {
+ if(count($this->load_users(array('login'=>$this->login))) == 0 && count($this->load_users(array('display_name'=>$this->display_name)))) {
return true;
}
else {
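Review bot: The display-name clause added to isUnique() is missing the `== 0` that the login clause has, so the method now returns true only when a user with that display name already exists and false for a genuinely unused name — the check is inverted. The condition should read `if(count($this->load_users(array('login'=>$this->login))) == 0 && count($this->load_users(array('display_name'=>$this->display_name))) == 0) {`. The else branch of isUnique() continues past the end of the hunk.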
diff --git a/index.php b/index.php
index e3d7c29..f9ef3f2 100644
--- a/index.php
+++ b/index.php
@@ -118,17 +118,23 @@
case 'password':
if(!empty($_POST['password']) && !empty($_POST['password_confirm'])) {
if($_POST['password'] == $_POST['password_confirm']) {
- $current_user->setPassword($current_user->encrypt($_POST['password']));
- $current_user->save();
+ if(check_token(600, 'password')) {
+ $current_user->setPassword($current_user->encrypt($_POST['password']));
+ $current_user->save();
- header('location: index.php');
- exit();
+ header('location: index.php');
+ exit();
+ }
+ else {
+ $tpl->assign('error', 'Token error. Please resubmit the form.');
+ }
}
else {
$tpl->assign('error', 'The content of the two password fields doesn\'t match.');
}
}
$tpl->assign('view', 'password');
+ $tpl->assign('token', generate_token('password'));
$tpl->draw('edit_users');
break;
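Review bot: The password change asks for the new password twice and a fresh CSRF token but never for the current password, so anyone with access to an unlocked session can take over the account; in addition a non-string submission such as `password[]=x` passes both `!empty()` and `==`. Require a `current_password` field and verify it against the stored value before calling setPassword() — presumably by comparing `$current_user->encrypt($_POST['current_password'])` with what is saved, since the hunk shows encrypt() producing the stored form, but confirm how encrypt() works — and add `is_string($_POST['password'])` to the guard. The enclosing switch statement starts before the hunk.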
@@ -140,7 +146,7 @@
}
if(!empty($_POST['login']) && !empty($_POST['display_name']) && (!empty($_POST['password']) || !empty($_POST['user_id'])) && isset($_POST['admin'])) {
- if(check_token('edit_users')) {
+ if(check_token(600, 'edit_users')) {
$user = new User();
if(!empty($_POST['user_id'])) {
$user->setId($_POST['user_id']);
@@ -152,15 +158,18 @@
}
$user->setAdmin($_POST['admin']);
- if($user->isUnique()) {
+ if(!empty($_POST['user_id']) || $user->isUnique()) {
$user->save();
header('location: index.php?do=edit_users');
exit();
}
else {
- $tpl->assign('error', 'A user with the same login exists. Choose a different login.');
+ $tpl->assign('error', 'A user with the same login or display name already exists. Choose a different login.');
}
}
+ else {
+ $tpl->assign('error', 'Token error. Please resubmit the form.');
+ }
}
if(!empty($_GET['user_id']) || $_GET['do'] == 'add_user') {
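Review bot: `!empty($_POST['user_id']) || $user->isUnique()` skips the uniqueness check entirely when editing, so an existing user can be renamed to a login or display name already held by another account, and the new error text mentions display names but still ends with `Choose a different login.`. Rather than bypassing the check, have isUnique() ignore the row whose id equals the user being edited, and change the message to `Choose a different login or display name.`. The hunk does not show the admin gate for this case, so I cannot tell from here whether `setId($_POST['user_id'])` and `setAdmin($_POST['admin'])` are reachable only by administrators — worth confirming.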
@@ -212,41 +221,46 @@
break;
case 'settings':
- if(!empty($_POST['mysql_host']) && !empty($_POST['mysql_login']) && !empty($_POST['mysql_db']) && !empty($_POST['currency']) && !empty($_POST['instance_title']) && !empty($_POST['base_url']) && !empty($_POST['timezone']) && !empty($_POST['email_webmaster']) && check_token(600, 'settings')) {
- if(!is_writable('data/')) {
- $tpl>assign('error', 'The script can\'t write in data/ dir, check permissions set on this folder.');
- }
- $config = file('data/config.php');
+ if(!empty($_POST['mysql_host']) && !empty($_POST['mysql_login']) && !empty($_POST['mysql_db']) && !empty($_POST['currency']) && !empty($_POST['instance_title']) && !empty($_POST['base_url']) && !empty($_POST['timezone']) && !empty($_POST['email_webmaster'])) {
+ if(check_token(600, 'settings')) {
+ if(!is_writable('data/')) {
+ $tpl>assign('error', 'The script can\'t write in data/ dir, check permissions set on this folder.');
+ }
+ $config = file('data/config.php');
- foreach($config as $line_number=>$line) {
- if(strpos($line, "MYSQL_HOST") !== FALSE)
- $config[$line_number] = "\tdefine('MYSQL_HOST', '".$_POST['mysql_host']."');\n";
- elseif(strpos($line, "MYSQL_LOGIN") !== FALSE)
- $config[$line_number] = "\tdefine('MYSQL_LOGIN', '".$_POST['mysql_login']."');\n";
- elseif(strpos($line, "MYSQL_PASSWORD") !== FALSE && !empty($_POST['mysql_password']))
- $config[$line_number] = "\tdefine('MYSQL_PASSWORD', '".$_POST['mysql_password']."');\n";
- elseif(strpos($line, "MYSQL_DB") !== FALSE)
- $config[$line_number] = "\tdefine('MYSQL_DB', '".$_POST['mysql_db']."');\n";
- elseif(strpos($line, "MYSQL_PREFIX") !== FALSE && !empty($_POST['mysql_prefix']))
- $config[$line_number] = "\tdefine('MYSQL_PREFIX', '".$_POST['mysql_prefix']."');\n";
- elseif(strpos($line, "INSTANCE_TITLE") !== FALSE)
- $config[$line_number] = "\tdefine('INSTANCE_TITLE', '".$_POST['instance_title']."');\n";
- elseif(strpos($line, "BASE_URL") !== FALSE)
- $config[$line_number] = "\tdefine('BASE_URL', '".$_POST['base_url']."');\n";
- elseif(strpos($line, "CURRENCY") !== FALSE)
- $config[$line_number] = "\tdefine('CURRENCY', '".$_POST['currency']."');\n";
- elseif(strpos($line, "EMAIL_WEBMASTER") !== FALSE)
- $config[$line_number] = "\tdefine('EMAIL_WEBMASTER', '".$_POST['email_webmaster']."');\n";
- elseif(strpos($line_number, 'date_default_timezone_set') !== FALSE)
- $config[$line_number] = "\tdate_default_timezone_set('".$_POST['timezone']."');\n";
- }
+ foreach($config as $line_number=>$line) {
+ if(strpos($line, "MYSQL_HOST") !== FALSE)
+ $config[$line_number] = "\tdefine('MYSQL_HOST', '".$_POST['mysql_host']."');\n";
+ elseif(strpos($line, "MYSQL_LOGIN") !== FALSE)
+ $config[$line_number] = "\tdefine('MYSQL_LOGIN', '".$_POST['mysql_login']."');\n";
+ elseif(strpos($line, "MYSQL_PASSWORD") !== FALSE && !empty($_POST['mysql_password']))
+ $config[$line_number] = "\tdefine('MYSQL_PASSWORD', '".$_POST['mysql_password']."');\n";
+ elseif(strpos($line, "MYSQL_DB") !== FALSE)
+ $config[$line_number] = "\tdefine('MYSQL_DB', '".$_POST['mysql_db']."');\n";
+ elseif(strpos($line, "MYSQL_PREFIX") !== FALSE && !empty($_POST['mysql_prefix']))
+ $config[$line_number] = "\tdefine('MYSQL_PREFIX', '".$_POST['mysql_prefix']."');\n";
+ elseif(strpos($line, "INSTANCE_TITLE") !== FALSE)
+ $config[$line_number] = "\tdefine('INSTANCE_TITLE', '".$_POST['instance_title']."');\n";
+ elseif(strpos($line, "BASE_URL") !== FALSE)
+ $config[$line_number] = "\tdefine('BASE_URL', '".$_POST['base_url']."');\n";
+ elseif(strpos($line, "CURRENCY") !== FALSE)
+ $config[$line_number] = "\tdefine('CURRENCY', '".$_POST['currency']."');\n";
+ elseif(strpos($line, "EMAIL_WEBMASTER") !== FALSE)
+ $config[$line_number] = "\tdefine('EMAIL_WEBMASTER', '".$_POST['email_webmaster']."');\n";
+ elseif(strpos($line_number, 'date_default_timezone_set') !== FALSE)
+ $config[$line_number] = "\tdate_default_timezone_set('".$_POST['timezone']."');\n";
+ }
- if(file_put_contents("data/config.php", $config)) {
- header('location: index.php');
- exit();
+ if(file_put_contents("data/config.php", $config)) {
+ header('location: index.php');
+ exit();
+ }
+ else {
+ $tpl->assign('error', 'Unable to write data/config.php file.');
+ }
}
else {
- $tpl->assign('error', 'Unable to write data/config.php file.');
+ $tpl->assign('error', 'Token error. Please resubmit the form.');
}
}
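Review bot: Every `$_POST` value is spliced into a single-quoted PHP literal of data/config.php without escaping, so a value containing `'` corrupts the file and one such as `x'); system($_GET['c']); //` becomes code that runs the next time config.php is included — an admin-only form, but still a remote-code-execution path. Write each value with `var_export((string) $_POST['mysql_host'], true)` in place of `'".$_POST['mysql_host']."'` (and likewise for the other nine keys), which yields a correctly quoted literal. Two smaller defects in the same block: `$tpl>assign(...)` is a typo for `$tpl->assign(...)` (as written it compares `$tpl` with a call to an undefined function `assign`), and even with the typo fixed that branch falls through to the write; and `strpos($line_number, 'date_default_timezone_set')` tests the integer index rather than `$line`, so the timezone line is never updated. The enclosing `case 'settings'` continues past the hunk.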
@@ -282,29 +296,34 @@
if(!empty($_POST['date_year'])) $date_year = $_POST['date_year'];
if(!empty($_POST['users_in'])) $users_in = $_POST['users_in'];
- if(!empty($_POST['what']) && !empty($_POST['amount']) && (float) $_POST['amount'] != 0 && !empty($_POST['date_day']) && !empty($_POST['date_month']) && !empty($_POST['date_year']) && !empty($_POST['users_in']) && check_token(600, 'new_invoice')) {
- $invoice = new Invoice();
+ if(!empty($_POST['what']) && !empty($_POST['amount']) && (float) $_POST['amount'] != 0 && !empty($_POST['date_day']) && !empty($_POST['date_month']) && !empty($_POST['date_year']) && !empty($_POST['users_in'])) {
+ if(check_token(600, 'new_invoice')) {
+ $invoice = new Invoice();
- if(!empty($_POST['id']))
- $invoice->setId($_POST['id']);
+ if(!empty($_POST['id']))
+ $invoice->setId($_POST['id']);
- $invoice->setWhat($_POST['what']);
- $invoice->setAmount($_POST['amount']);
- $invoice->setBuyer($current_user->getId());
- $invoice->setDate($date_day, $date_month, $date_year);
+ $invoice->setWhat($_POST['what']);
+ $invoice->setAmount($_POST['amount']);
+ $invoice->setBuyer($current_user->getId());
+ $invoice->setDate($date_day, $date_month, $date_year);
- $users_in = '';
- $guests = array();
- foreach($_POST['users_in'] as $user) {
- $users_in .= ($users_in != '') ? ', ' : '';
- $users_in .= $user.'('.(!empty($_POST['guest_user_'.$user]) ? (int) $_POST['guest_user_'.$user] : '0').')';
- $guests[$user] = (int) $_POST['guest_user_'.$user];
+ $users_in = '';
+ $guests = array();
+ foreach($_POST['users_in'] as $user) {
+ $users_in .= ($users_in != '') ? ', ' : '';
+ $users_in .= $user.'('.(!empty($_POST['guest_user_'.$user]) ? (int) $_POST['guest_user_'.$user] : '0').')';
+ $guests[$user] = (int) $_POST['guest_user_'.$user];
+ }
+ $invoice->setUsersIn($users_in);
+
+ $invoice->save();
+ header('location: index.php');
+ exit();
+ }
+ else {
+ $tpl->assign('error', 'Token error. Please resubmit the form.');
}
- $invoice->setUsersIn($users_in);
-
- $invoice->save();
- header('location: index.php');
- exit();
}
$users_list = new User();
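Review bot: Each `$user` taken from `$_POST['users_in']` is concatenated into the stored `users_in` string as-is and used to build the `guest_user_` key with no check that it is an integer user id, so arbitrary text ends up in the saved invoice; add `$user = (int) $user;` as the first statement of the loop and iterate over `(array) $_POST['users_in']`, since `foreach` over a non-array only emits a warning. `$_POST['id']` is likewise passed straight to `setId()` with no check that the invoice belongs to `$current_user`; unless `Invoice::save()` enforces that (not visible here), any logged-in user can overwrite another user's invoice. `$guests` is filled but not used anywhere in the hunk. The enclosing `case` starts before the hunk.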
diff --git a/tmp/edit_users.af3906cfde643ae7f290cfdc51cc9342.rtpl.php b/tmp/edit_users.af3906cfde643ae7f290cfdc51cc9342.rtpl.php
index 0c9ff25..acf8606 100644
--- a/tmp/edit_users.af3906cfde643ae7f290cfdc51cc9342.rtpl.php
+++ b/tmp/edit_users.af3906cfde643ae7f290cfdc51cc9342.rtpl.php
@@ -35,13 +35,13 @@
-Edit a user
-
@@ -69,7 +70,7 @@
diff --git a/tmp/settings.af3906cfde643ae7f290cfdc51cc9342.rtpl.php b/tmp/settings.af3906cfde643ae7f290cfdc51cc9342.rtpl.php
index 50dfde4..6d72e6d 100644
--- a/tmp/settings.af3906cfde643ae7f290cfdc51cc9342.rtpl.php
+++ b/tmp/settings.af3906cfde643ae7f290cfdc51cc9342.rtpl.php
@@ -4,19 +4,25 @@
Edit homepage notice
+
+
-
Change settings of your Bouffe@Ulm installation
+
+
-
+
diff --git a/tpl/edit_users.html b/tpl/edit_users.html
index 5ba3f47..ee5c805 100644
--- a/tpl/edit_users.html
+++ b/tpl/edit_users.html
@@ -28,14 +28,13 @@
{/loop}
{elseif condition="$view == 'edit_user'"}
-Edit a user
-{if condition="$error"}{$error}
{/if}
-