diff --git a/html/user/edit_action.php b/html/user/edit_action.php
index 19433cdb23..62aae78a47 100644
--- a/html/user/edit_action.php
+++ b/html/user/edit_action.php
@@ -8,11 +8,8 @@
$authenticator = init_session();
db_init();
$user = get_user_from_auth($authenticator);
+ require_login($user);
- if (!$user) {
- print_login_form();
- exit();
- }
page_head("Updating User Account");
$my_email = $HTTP_POST_VARS["my_email"];
$my_name = $HTTP_POST_VARS["my_name"];
diff --git a/html/user/edit_user_info.php b/html/user/edit_user_info.php
index 8513fccee8..4f1babd8ca 100644
--- a/html/user/edit_user_info.php
+++ b/html/user/edit_user_info.php
@@ -6,15 +6,12 @@
db_init();
$authenticator = init_session();
$user = get_user_from_auth($authenticator);
+ require_login($user);
- if ($user) {
$head = sprintf("Edit %s's User Information", $user->name);
page_head($head);
print_edit_user_info($user);
page_tail();
- } else {
- print_login_form();
- }
?>
diff --git a/html/user/home.php b/html/user/home.php
index 1fe350959d..a3693ef6e8 100644
--- a/html/user/home.php
+++ b/html/user/home.php
@@ -6,6 +6,7 @@
// show the home page of whoever's logged in
$authenticator = init_session();
+ db_init();
$user = get_user_from_auth($authenticator);
if ($user) {
diff --git a/html/user/index.php b/html/user/index.php
index e7afb36359..b48fe287c8 100644
--- a/html/user/index.php
+++ b/html/user/index.php
@@ -71,7 +71,7 @@ To join this list, go to
diff --git a/html/user/prefs.php b/html/user/prefs.php
index 9b6ab6071c..e80f2b495b 100644
--- a/html/user/prefs.php
+++ b/html/user/prefs.php
@@ -7,12 +7,10 @@
db_init();
$user = get_user_from_auth($authenticator);
- if ($user) {
+ require_login($user);
+
page_head("Preferences");
print_prefs_display($user);
page_tail();
- } else {
- print_login_form();
- }
?>
diff --git a/html/user/show_hosts.php b/html/user/show_hosts.php
index da73cc0dad..57dca643da 100644
--- a/html/user/show_hosts.php
+++ b/html/user/show_hosts.php
@@ -7,11 +7,9 @@
$authenticator = init_session();
db_init();
$user = get_user_from_auth($authenticator);
- if ($user) {
+ require_login($user);
+
page_head("Hosts stats");
show_hosts($user);
page_tail();
- } else {
- print_login_form();
- }
?>
diff --git a/html/user/team.inc b/html/user/team.inc
index 838c5c4777..da12fcc1b0 100644
--- a/html/user/team.inc
+++ b/html/user/team.inc
@@ -93,4 +93,27 @@ function display_team_page($team) {
page_tail();
}
+// requires that the team exist
+function require_team($team) {
+ if (!$team) {
+ page_head("Error");
+ echo "Team does not exist.";
+ page_tail();
+ exit();
+ }
+}
+
+// requires that the user is logged in as the founder of
+// the team trying to be edited
+function require_founder_login($user, $team) {
+ require_login($user);
+ require_team($team);
+ if ($user->id != $team->userid) {
+ page_head("Permission denied");
+ echo "Only a team's founder may edit a team.";
+ page_tail();
+ exit();
+ }
+}
+
?>
diff --git a/html/user/team_disband_action.php b/html/user/team_disband_action.php
index b38c983be6..4f6528a902 100644
--- a/html/user/team_disband_action.php
+++ b/html/user/team_disband_action.php
@@ -13,15 +13,12 @@
$HTTP_POST_VARS["id"]
);
$result = mysql_query($query);
- $team = mysql_fetch_object($result);
- mysql_free_result($result);
- if (!$team) {
- page_head("Error");
- echo "The team you tried to disband does not exist.";
- } else if ($user->id != $team->userid) {
- page_head("Permission denied");
- echo "Only a team's founder may disband a team.";
- } else {
+ if ($result) {
+ $team = mysql_fetch_object($result);
+ mysql_free_result($result);
+ }
+ require_founder_login($user, $team);
+
$query_team_table = sprintf(
"delete from team where id = %d",
$team->id
@@ -38,7 +35,6 @@
page_head("Error");
echo "Couldn't disband team - please try later.\n";
}
- }
page_tail();
diff --git a/html/user/team_disband_form.php b/html/user/team_disband_form.php
index 8861146d3f..477a54d629 100644
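Review bot: `require_founder_login` prints the fixed message "Only a team's founder may edit a team." yet this commit also routes the disband, remove-inactive and email-list pages through it, so the denial text no longer matches the action being refused; an optional action word keeps the message accurate, `function require_founder_login($user, $team, $action = "edit") {` with `echo "Only a team's founder may $action a team.";`. The check `$user->id != $team->userid` is a loose comparison on two database ids; `(int) $user->id !== (int) $team->userid` states the intent and avoids PHP's string-to-number comparison rules. Both new functions are now the only gate on founder-only pages, so a docblock on each should say what callers rely on: `// Prints an error page and exit()s unless $user is logged in and is the founder of $team; never returns on failure.`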
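Review bot: When `mysql_query` fails, `$team` is never assigned inside the new `if ($result)` block, and `require_founder_login($user, $team)` is then called with an undefined variable; `require_team` does reject it, but only after a notice and by relying on undefined-variable semantics. Initialise it explicitly before the query, `$team = null;` ahead of `$result = mysql_query($query);`, so the guard reads as intended. The same shape is introduced in team_edit_action.php, team_disband_form.php, team_edit_form.php, team_remove_inactive_action.php and team_remove_inactive_form.php. The `sprintf` that builds `$query` begins above this hunk, and the closing `page_tail()` structure continues in the second hunk of this file.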
--- a/html/user/team_disband_form.php
+++ b/html/user/team_disband_form.php
@@ -5,6 +5,7 @@ require_once("team.inc");
$authenticator = init_session();
db_init();
+$user = get_user_from_auth($authenticator);
$id = $HTTP_GET_VARS["id"];
$query = sprintf(
@@ -16,6 +17,7 @@ $id = $HTTP_GET_VARS["id"];
$team = mysql_fetch_object($result);
mysql_free_result($result);
}
+ require_founder_login($user, $team);
$team_name = $team->name;
$team_id = $team->id;
page_head("Disband $team_name");
diff --git a/html/user/team_edit_action.php b/html/user/team_edit_action.php
index a8d3a96f1d..8ff0500049 100644
--- a/html/user/team_edit_action.php
+++ b/html/user/team_edit_action.php
@@ -7,18 +7,26 @@
$authenticator = init_session();
db_init();
$user = get_user_from_auth($authenticator);
+ $id = $HTTP_POST_VARS["id"];
- $query = sprintf(
- "select * from team where id = %d",
- $HTTP_POST_VARS["id"]
- );
+ $query = "select * from team where id = $id";
$result = mysql_query($query);
- $team = mysql_fetch_object($result);
- mysql_free_result($result);
- if ($user->id != $team->userid) {
- page_head("Permission denied");
- echo "Only a team's founder may edit a team.";
- } else {
+ if ($result) {
+ $team = mysql_fetch_object($result);
+ mysql_free_result($result);
+ }
+ require_founder_login($user, $team);
+
+ $team_url = ereg_replace("\"", "'", $HTTP_POST_VARS["url"]);
+ $pos = strpos($team_url, "http://");
+ if (!($pos === false)) { // note: three equal signs
+ $team_url = substr($team_url, 7);
+ }
+ $team_name = ereg_replace("\"", "'", $HTTP_POST_VARS["name"]);
+ $team_name_html = ereg_replace("\"", "'", $HTTP_POST_VARS["name_html"]);
+ $team_description = ereg_replace("\"", "'", $HTTP_POST_VARS["description"]);
+
+
$query_team_table = sprintf(
"update team set name = '%s', name_html = '%s',
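Review bot: The added `$user = get_user_from_auth($authenticator);` appears to sit at column 0 (no space after the `+`), while `require_founder_login($user, $team);` added in the next hunk and the rest of the body carry indentation, so the statement run now mixes two indentation levels; indent the new line to match its neighbours. team_edit_form.php and team_remove_inactive_form.php add the same line in the same way.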
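Review bot: `$query = "select * from team where id = $id";` interpolates `$HTTP_POST_VARS["id"]` directly into SQL, whereas the removed `sprintf("select * from team where id = %d", ...)` coerced it to an integer; cast it, `$id = (int) $HTTP_POST_VARS["id"];`, or keep the sprintf form. The `ereg_replace("\"", "'", ...)` calls do not escape the values for the `'%s'` placeholders of the update statement that follows — they turn every double quote into the SQL string delimiter — so name, name_html, url and description should go through the driver's escaping function before `sprintf`, and any HTML-oriented quote handling belongs at output time instead. The `strpos`/`substr` pair strips the first seven characters wherever `http://` occurs in the string, not only at the start; `if (strpos($team_url, "http://") === 0)` is the intended test. The update statement these values feed continues in the next hunk.
```php
    $id = (int) $HTTP_POST_VARS["id"];
    $query = "select * from team where id = $id";
    // ... unchanged: mysql_query, fetch, require_founder_login ...
    $team_url = mysql_escape_string($HTTP_POST_VARS["url"]);
    if (strpos($team_url, "http://") === 0) {
        $team_url = substr($team_url, 7);
    }
    $team_name = mysql_escape_string($HTTP_POST_VARS["name"]);
    $team_name_html = mysql_escape_string($HTTP_POST_VARS["name_html"]);
    $team_description = mysql_escape_string($HTTP_POST_VARS["description"]);
    // ... unchanged: $query_team_table = sprintf(...) ...
```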
@@ -26,10 +34,10 @@ description = '%s', type = %d where id = %d",
- $HTTP_POST_VARS["name"],
- $HTTP_POST_VARS["name_html"],
- $HTTP_POST_VARS["url"],
- $HTTP_POST_VARS["description"],
+ $team_name,
+ $team_name_html,
+ $new_url,
+ $team_description,
$HTTP_POST_VARS["type"],
$team->id
);
@@ -43,7 +51,6 @@
page_head("Error");
echo "Couldn't edit team - please try later.\n";
}
- }
page_tail();
diff --git a/html/user/team_edit_form.php b/html/user/team_edit_form.php
index 92c5d28e3b..04a5c6f4a4 100644
--- a/html/user/team_edit_form.php
+++ b/html/user/team_edit_form.php
@@ -5,19 +5,21 @@ require_once("team.inc");
$authenticator = init_session();
db_init();
-
+$user = get_user_from_auth($authenticator);
$id = $HTTP_GET_VARS["id"];
+
$query = "select * from team where id = $id";
$result = mysql_query($query);
if ($result) {
$team = mysql_fetch_object($result);
mysql_free_result($result);
}
- $team_name = $team->name;
+ require_founder_login($user, $team);
+ $team_name = ereg_replace("\"", "'", $team->name);
$team_id = $team->id;
- $team_name_html = $team->name_html;
- $team_url = $team->url;
- $team_description = $team->description;
+ $team_name_html = ereg_replace("\"", "'", $team->name_html);
+ $team_url = ereg_replace("\"", "'", $team->url);
+ $team_description = ereg_replace("\"", "'", $team->description);
$team_type = $team->type;
page_head("Edit $team_name");
echo "
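Review bot: `$new_url` is not assigned anywhere in the visible hunks — the value prepared in the previous hunk is `$team_url` — so unless the single line between the two hunks defines it, the `url = '%s'` column is written from an undefined variable (an empty string) on every edit; change the argument to `$team_url,`. Because `sprintf` fills placeholders positionally, the four new arguments must stay aligned with name, name_html, url, description in the format string, which is only partly visible here.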
Team name (plain-text version): |
- + |
This name will be print as-is and is the name you should use when searching for your team. | Team name (HTML version): |
- + |
This name will be printed as HTML source, so you may include any HTML code that you want. This will only be displayed in your team's page. If you don't know HTML, just leave this box blank. diff --git a/html/user/team_email_list.php b/html/user/team_email_list.php index 606c38c29a..c2788d639f 100644 --- a/html/user/team_email_list.php +++ b/html/user/team_email_list.php @@ -16,15 +16,11 @@ $query = sprintf( $result = mysql_query($query); if ($result) { $team = mysql_fetch_object($result); + mysql_free_result($result); } -if (!$team) { - page_head("Unable to display team members' email addresses"); - echo ("We are unable to display the email addresses of the members of that team"); - page_tail(); -} else if ($user->id != $team->userid) { - page_head("Permission denied"); - echo "Only a team's founder may view a team's email list.\n \n"; -} else { + + require_founder_login($user, $team); + page_head("$team->name Email List"); echo " "; echo " Added to team"; echo "You have been added to id>$team_name."; echo "If you were previously a part of a team you are no longer a member of it. "; - echo "You may only be part of one team at a time."; + echo "You may only be part of one team at a time. ";
} else {
page_head("Error");
echo "Couldn't join team - please try later.\n";
diff --git a/html/user/team_quit_action.php b/html/user/team_quit_action.php
index b1aba82945..398e1575ae 100644
--- a/html/user/team_quit_action.php
+++ b/html/user/team_quit_action.php
@@ -7,7 +7,8 @@
$authenticator = init_session();
db_init();
$user = get_user_from_auth($authenticator);
-
+ require_login($user);
+
$query = sprintf(
"select * from team where id = %d",
$HTTP_POST_VARS["id"]
diff --git a/html/user/team_remove_inactive_action.php b/html/user/team_remove_inactive_action.php
index 1bcc280ff1..e55766a665 100644
--- a/html/user/team_remove_inactive_action.php
+++ b/html/user/team_remove_inactive_action.php
@@ -13,12 +13,12 @@
$HTTP_POST_VARS["id"]
);
$result = mysql_query($query);
- $team = mysql_fetch_object($result);
- mysql_free_result($result);
- if ($user->id != $team->userid) {
- page_head("Permission denied");
- echo "Only a team's founder may remove members from a team.";
- } else {
+ if($result) {
+ $team = mysql_fetch_object($result);
+ mysql_free_result($result);
+ }
+ require_founder_login($user, $team);
+
$nmembers = 0;
$unable_to_remove = FALSE;
$user_table_error = FALSE;
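Review bot: `if($result) {` omits the space after `if` that every sibling hunk in this commit uses (`if ($result) {`); match the others so the new guard reads consistently across the team pages. The `sprintf` call that builds `$query` begins above this hunk.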
@@ -73,7 +73,6 @@
page_head("Error");
echo "Couldn't remove users - please try later.\n";
}
- }
page_tail();
diff --git a/html/user/team_remove_inactive_form.php b/html/user/team_remove_inactive_form.php
index ab918c9128..99f5facaee 100644
--- a/html/user/team_remove_inactive_form.php
+++ b/html/user/team_remove_inactive_form.php
@@ -4,6 +4,7 @@ require_once("util.inc");
require_once("team.inc");
$authenticator = init_session();
db_init();
+$user = get_user_from_auth($authenticator);
$id = $HTTP_GET_VARS["id"];
$query = sprintf(
@@ -15,6 +16,7 @@ $id = $HTTP_GET_VARS["id"];
$team = mysql_fetch_object($result);
mysql_free_result($result);
}
+ require_founder_login($user, $team);
$team_name = $team->name;
$team_id = $team->id;
$nusers = $team->nusers;
diff --git a/html/user/top_teams.php b/html/user/top_teams.php
index 65b9834f27..650a6ce832 100644
--- a/html/user/top_teams.php
+++ b/html/user/top_teams.php
@@ -37,8 +37,8 @@ function show_team_row($team) {
$result2 = mysql_query($query);
$nmembers = mysql_result($result2, 0);
- $total_credit = $total_credit_sum/$nmembers;
- $expavg_credit = $expavg_credit_sum/$nmembers;
+ $total_credit = $total_credit_sum;
+ $expavg_credit = $expavg_credit_sum;
$query = "update team set nusers=$nmembers, total_credit=$total_credit, expavg_credit=$expavg_credit where id=$team->id";
$result2 = mysql_query($query);
}
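Review bot: The result of the `update team set ...` query is discarded in `$result2 = mysql_query($query);`, and `$nmembers = mysql_result($result2, 0);` two lines earlier assumes the count query succeeded, so a failed query surfaces only as a warning and may write a wrong row from a function whose name suggests it only renders a row; check `$result2 === false` before `mysql_result` and skip the update on failure. With the division removed, `$total_credit` and `$expavg_credit` are plain aliases of the `_sum` variables, so using `$total_credit_sum` and `$expavg_credit_sum` directly in the update string is clearer. `show_team_row` begins before this hunk.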
diff --git a/html/user/util.inc b/html/user/util.inc
index 296be9cb35..8bd837ce3a 100644
--- a/html/user/util.inc
+++ b/html/user/util.inc
@@ -35,11 +35,19 @@ function send_auth_email($email_addr, $auth) {
function init_session() {
session_start();
if (!isset($_SESSION["authenticator"])) {
- $_SESSION["authenticator"] = "";
+ $_SESSION["authenticator"] = $authenticator;
}
return $_SESSION["authenticator"];
}
+// requires that the user be logged in
+function require_login($user) {
+ if (!$user) {
+ print_login_form();
+ exit();
+ }
+}
+
function get_user_from_auth($auth) {
if ($auth) return lookup_user_auth($auth);
return NULL;
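Review bot: Inside `init_session()` the new `$_SESSION["authenticator"] = $authenticator;` reads a variable that is not defined in the function's scope (no parameter, no `global`), so the session key is seeded with null and a notice is raised; the previous `""` had the same effect without the notice. If the value is meant to come from the caller, pass it explicitly, `function init_session($authenticator = "")`, and never derive it from request input, since the session value is what `get_user_from_auth` passes to `lookup_user_auth`. `require_login` is now the sole gate on several pages, so its comment should state the contract callers rely on: `// Prints the login form and exit()s when $user is empty; never returns for an anonymous visitor.`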
@@ -74,7 +82,7 @@ function page_head($title) {
function page_tail() {
- echo "Return to main ".PROJECT." page |