<?php

include __DIR__ . "/include.php";
check_access(ADMIN);
list($m, $points, $description) = apiCheckParams("milestone", "points", "description");
$description = trim($description);
apiCheck(dbExists("SELECT id FROM milestone WHERE id = :id", ["id" => $m]), "Unbekannte Etappe");
if ($points) {
    apiCheck(ctype_digit($points), "Punkte müssen eine Zahl sein");
    apiCheck(!dbExists("SELECT id FROM milestone WHERE points = :p", ["p" => $points]), "Punkte schon vorhanden");
}
apiAction(function () use($m, $points, $description) {
    if ($points) {
        dbExecute("UPDATE milestone SET points = :points WHERE id = :id", ["points" => $points, "id" => $m]);
    }
    if ($description) {
        dbExecute("UPDATE milestone SET description = :description WHERE id = :id", ["description" => $description, "id" => $m]);
    }
});
<?php

include __DIR__ . "/include.php";
check_access(TEACHER);
list($challenge, $fun, $integration, $duration, $problems, $comment) = apiCheckParams("challenge", "fun", "integration", "duration", "problems", "comment");
apiCheck(ctype_digit($fun) && ctype_digit($integration) && ctype_digit($duration) && ctype_digit($problems), "Werte müssen Zahlen sein!");
$challengeRow = fetch("SELECT name FROM challenge WHERE id = :id", ["id" => $challenge]);
apiCheck($challengeRow !== false, "Unbekannte Challenge");
apiAction(function () use($challenge, $fun, $integration, $duration, $problems, $comment, $challengeRow) {
    dbExecute("INSERT INTO feedback (challenge, fun, integration, duration, problems, comment) VALUES (:challenge, :fun, :integration, :duration, :problems, :comment)", ["challenge" => $challenge, "fun" => $fun, "integration" => $integration, "duration" => $duration, "problems" => $problems, "comment" => $comment]);
    own_mail("*****@*****.**", "Neues Feedback", "Es ist ein neues Feedback für die Challenge " . e($challengeRow->name) . " eingegangen.\r\nGehe auf www.weltfairsteher.de/feedback.php zu anzeigen!");
});
<?php

include __DIR__ . "/include.php";
check_access(TEACHER);
list($user, $email, $password, $password2) = apiCheckParams("user", "email", "password", "password2");
apiCheck(isAdmin() || $user === $_SESSION["user"], "Keine Berechtigung");
apiCheck(dbExists("SELECT id FROM user WHERE id = :id", ["id" => $user]), "Unbekannter Benutzer");
if ($email) {
    apiCheck(filter_var($email, FILTER_VALIDATE_EMAIL), "Bitte eine gültige Email angeben.");
    apiCheck(!dbExists("SELECT id FROM user WHERE email = :email", ['email' => $email]), "Diese E-Mail-Adresse ist bereits vergeben.");
}
apiCheck($password == $password2, "Die Passwörter müssen übereinstimmen.");
apiAction(function () use($user, $password, $email) {
    if ($email) {
        dbExecute("UPDATE user SET email = :email WHERE id = :id", ["email" => $email, "id" => $user]);
    }
    if ($password) {
        $password_hash = password_hash($password, PASSWORD_DEFAULT);
        dbExecute("UPDATE user SET password = :password WHERE id = :id", ["password" => $password_hash, "id" => $user]);
    }
});
<?php

include __DIR__ . "/include.php";
check_access(ADMIN);
list($id, $table) = apiCheckParams("id", "table");
// user has special rules (can't delete admin)
if (in_array($table, ["leckerwissen", "milestone", "suggested", "solved_challenge"])) {
    apiCheck(dbExists("SELECT id FROM {$table} WHERE id = :id", ['id' => $id]), "Eintrag existiert nicht!");
} else {
    apiAddError("Ungültiger Tabellenname");
}
apiAction(function () use($id, $table) {
    dbExecute("DELETE FROM {$table} WHERE id = :id", ['id' => $id]);
});
<?php

include __DIR__ . "/include.php";
check_access(ADMIN);
list($lw, $link, $title, $type, $category) = apiCheckParams("lw", "link", "title", "type", "category");
apiCheck(dbExists("SELECT id FROM leckerwissen WHERE id = :id", ["id" => $lw]), "Ungültiges Leckerwissen");
if ($category) {
    apiCheck($category == "other" || array_filter($categories, function ($cat) use($category) {
        return $cat->name === $category;
    }), "Ungültige Kategorie");
}
if ($type) {
    apiCheck(array_filter($leckerwissenTypes, function ($t) use($type) {
        return $t["name"] === $type;
    }), "Ungültiger Typ");
}
apiAction(function () use($lw, $link, $title, $type, $category) {
    if ($link) {
        dbExecute("UPDATE leckerwissen SET link = :link WHERE id = :id", ["id" => $lw, "link" => $link]);
    }
    if ($title) {
        dbExecute("UPDATE leckerwissen SET title = :title WHERE id = :id", ["id" => $lw, "title" => $title]);
    }
    if ($category) {
        dbExecute("UPDATE leckerwissen SET category = :category WHERE id = :id", ["id" => $lw, "category" => $category]);
    }
    if ($type) {
        dbExecute("UPDATE leckerwissen SET type = :type WHERE id = :id", ["id" => $lw, "type" => $type]);
    }
});
<?php

include __DIR__ . "/include.php";
list($email) = apiCheckParams("email");
$email = trim($email);
apiCheck(filter_var($email, FILTER_VALIDATE_EMAIL), "Bitte eine gültige Email angeben.");
apiAction(function () use($email) {
    // don't leak information over registered emails
    $user = fetch("SELECT id FROM user WHERE email = :email", ["email" => $email]);
    if ($user !== false) {
        // from http://stackoverflow.com/a/17649993
        $rand = bin2hex(openssl_random_pseudo_bytes(16));
        dbExecute("INSERT INTO forgot (id, user, created_at) VALUES (:rand, :user, NOW())", ["user" => $user->id, "rand" => $rand]);
        own_mail($email, "Passwort vergessen", "Hallo,\r\num dein Passwort zurückzusetzen gehe bitte auf diesen Link: https://www.weltfairsteher.de/resetPassword.php?forgotid={$rand}\r\nViele Grüße\r\nDein Weltfairsteher Team");
    }
});
<?php

include __DIR__ . "/include.php";
//check_access(TEACHER);
list($link, $title, $type, $category, $captcha) = apiCheckParams("link", "title", "type", "category", "captcha_code");
apiCheck(strlen($link) != 0, "Link darf nicht leer sein");
apiCheck(strlen($title) != 0, "Titel darf nicht leer sein");
apiCheck($category == "other" || array_filter($categories, function ($cat) use($category) {
    return $cat->name === $category;
}), "Ungültige Kategorie");
apiCheck(array_filter($leckerwissenTypes, function ($t) use($type) {
    return $t["name"] === $type;
}), "Ungültiger Typ");
apiCheck($captcha === $_SESSION['captcha_spam'], "Der Captcha-Code war leider falsch!");
apiAction(function () use($link, $title, $type, $category) {
    dbExecute("INSERT INTO leckerwissen (link, title, type, category) VALUES (:link, :title, :type, :category)", ["link" => $link, "title" => $title, "type" => $type, "category" => $category]);
});
<?php

include __DIR__ . "/include.php";
check_access(TEACHER);
define("MAX_SELFMADE_PER_CLASS", 5);
list($class, $title, $desc, $points, $suggested, $category, $location, $extrapoints) = apiCheckParams("class", "title", "description", "points", "suggested", "category", "location", "extrapoints");
$user = $_SESSION["user"];
$suggested = !!$suggested;
$title = trim($title);
$desc = trim($desc);
$extrapoints = trim($extrapoints);
if (!$extrapoints) {
    $extrapoints = null;
}
apiCheck(ctype_digit($points), "Punkte müssen eine Zahl sein");
apiCheck(!$extrapoints || ctype_digit($extrapoints), "Extrapunkte müssen eine Zahl sein");
apiCheck(strlen($title) !== 0, "Titel darf nicht leer sein");
apiCheck(strlen($desc) !== 0, "Beschreibung darf nicht leer sein");
apiCheck(isAdmin() || dbExists("SELECT id FROM class WHERE id = :id AND teacher = :teacher", ["id" => $class, "teacher" => $user]), "Keine Berechtigung für diese Klasse");
apiCheck(!$suggested || dbExists("SELECT id FROM class WHERE id = :id", ["id" => $class]), "Ungültige Klasse");
apiCheck(isAdmin() || $suggested, "Keine Berechtigung");
apiCheck($suggested || $category === "selfmade" || array_filter($categories, function ($cat) use($category) {
    return $cat->name === $category;
}), "Ungültige Kategorie");
apiCheck(array_filter($locationTypes, function ($lt) use($location) {
    return $lt["name"] === $location;
}), "Ungültige Location!");
apiCheck(!$suggested || fetch("SELECT COUNT(*) AS count FROM (SELECT class FROM suggested UNION ALL SELECT author AS class FROM challenge) AS c WHERE c.class = :id", ["id" => $class])->count < MAX_SELFMADE_PER_CLASS, "Es sind maximal " . MAX_SELFMADE_PER_CLASS . " Eigenkreationen pro Klasse erlaubt.");
apiAction(function () use($title, $desc, $class, $points, $suggested, $category, $location, $extrapoints) {
    if ($suggested) {
        dbExecute("INSERT INTO suggested (title, description, class, points, location, extrapoints) VALUES (:title, :desc, :class, :points, :location, :extrapoints)", ["title" => $title, "desc" => $desc, "class" => $class, "points" => $points, "location" => $location, "extrapoints" => $extrapoints]);
<?php

include __DIR__ . "/include.php";
check_access(ADMIN);
list($name, $teacher, $class) = apiCheckParams("name", "teacher", "class");
$name = trim($name);
apiCheck(dbExists("SELECT id FROM class WHERE id = :id", ["id" => $class]), "Klasse existiert nicht.");
if (!empty($name)) {
    apiCheck(!dbExists("SELECT id FROM class WHERE name = :name", ["name" => $name]), "Name ist bereits vorhanden.");
}
if ($teacher >= 0) {
    apiCheck(dbExists("SELECT id FROM user WHERE id = :id", ["id" => $teacher]), "Lehrer existiert nicht.");
}
apiAction(function () use($class, $name, $teacher, $db) {
    if (!empty($name)) {
        dbExecute("UPDATE class SET name = :name WHERE id = :id ", ["name" => $name, "id" => $class]);
    }
    if ($teacher >= 0) {
        dbExecute("UPDATE class SET teacher = :teacher WHERE id = :id ", ["teacher" => $teacher, "id" => $class]);
    }
});
<?php

include __DIR__ . "/include.php";
check_access(ADMIN);
list($email, $password, $password2) = apiCheckParams("email", "password", "password2");
apiCheck(strlen($email) != 0, "Die Emailadresse darf nicht leer sein.");
apiCheck(strlen($email) < 150, "Die Emailadresse ist zu lang.");
apiCheck(filter_var($email, FILTER_VALIDATE_EMAIL), "Bitte eine gültige Email angeben.");
apiCheck(strlen($password) != 0, "Bitte ein Passwort angeben.");
apiCheck($password == $password2, "Die Passwörter müssen übereinstimmen.");
apiCheck(!dbExists("SELECT id FROM user WHERE email = :email", ['email' => $email]), "Diese E-Mail-Adresse ist bereits vergeben.");
apiAction(function () use($password, $email, $db) {
    $password_hash = password_hash($password, PASSWORD_DEFAULT);
    $statement = $db->prepare("INSERT INTO user (email, password, role) VALUES (:email, :password, :role)");
    $result = $statement->execute(['email' => $email, 'password' => $password_hash, 'role' => TEACHER]);
});
<?php

include __DIR__ . "/include.php";
check_access(ADMIN);
list($name, $teacher) = apiCheckParams("name", "teacher");
$name = trim($name);
apiCheck(strlen($name) != 0, "Bitte einen Namen angeben.");
apiCheck(strlen($name) < 90, "Der Klassenname ist zu lang.");
apiCheck(!dbExists("SELECT id FROM class WHERE name = :name", ['name' => $name]), "Dieser Klassenname ist bereits vergeben.");
apiCheck(dbExists("SELECT id FROM user WHERE id = :id", ['id' => $teacher]), "Unbekannter Lehrer");
apiAction(function () use($name, $teacher, $db) {
    $statement = $db->prepare("INSERT INTO class (name, teacher) VALUES (:name, :teacher)");
    $result = $statement->execute(['name' => $name, 'teacher' => $teacher]);
});
<?php

include __DIR__ . "/include.php";
check_access(ADMIN);
list($teacher) = apiCheckParams("teacher");
apiCheck(dbExists("SELECT id FROM user WHERE id = :teacher AND role != :admin", ['teacher' => $teacher, "admin" => ADMIN]), "Lehrer existiert nicht oder ist ein Admin");
apiCheck(!dbExists("SELECT id FROM class WHERE teacher = :id", ["id" => $teacher]), "Benutzer kann nur entfernt werden, wenn er keine Klassen mehr hat.");
apiAction(function () use($teacher, $db) {
    $statement = $db->prepare("DELETE FROM user WHERE id = :teacher");
    $result = $statement->execute(['teacher' => $teacher]);
    dbExecute("DELETE FROM forgot WHERE user = :id", ["id" => $id]);
});
<?php

include __DIR__ . "/include.php";
check_access(ADMIN);
list($points, $description) = apiCheckParams("points", "description");
$description = trim($description);
apiCheck(ctype_digit($points), "Punkte müssen eine Zahl sein");
apiCheck(!dbExists("SELECT id FROM milestone WHERE points = :p", ["p" => $points]), "Punkte schon vorhanden");
apiCheck(strlen($description) !== 0, "Beschreibung darf nicht leer sein");
apiAction(function () use($points, $description) {
    dbExecute("INSERT INTO milestone (points, description) VALUES (:points, :description)", ["points" => $points, "description" => $description]);
});
<?php

include __DIR__ . "/include.php";
check_access(ADMIN);
list($id) = apiCheckParams("id");
apiAction(function () use($id) {
    dbExecute("DELETE FROM feedback WHERE challenge = :id", ['id' => $id]);
    dbExecute("DELETE FROM solved_challenge WHERE challenge = :id", ['id' => $id]);
    dbExecute("DELETE FROM challenge WHERE id = :id", ['id' => $id]);
});
<?php

include __DIR__ . "/include.php";
check_access(ADMIN);
list($c, $name, $desc, $points, $category, $location, $extrapoints) = apiCheckParams("challenge", "name", "description", "points", "category", "location", "extrapoints");
$name = trim($name);
$desc = trim($desc);
$extrapoints = trim($extrapoints);
if (!$extrapoints) {
    $extrapoints = null;
}
apiCheck(dbExists("SELECT id FROM challenge WHERE id = :id", ["id" => $c]), "Ungültige Challenge");
if ($points) {
    apiCheck(ctype_digit($points), "Punkte müssen eine Zahl sein");
}
if ($extrapoints != "nochange") {
    apiCheck(!$extrapoints || ctype_digit($extrapoints), "Extrapunkte müssen eine Zahl sein");
}
if ($category) {
    apiCheck(array_filter($categories, function ($cat) use($category) {
        return $cat->name === $category;
    }), "Ungültige Kategorie");
}
if ($location) {
    apiCheck(array_filter($locationTypes, function ($lt) use($location) {
        return $lt["name"] === $location;
    }), "Ungültige Location!");
}
apiAction(function () use($c, $name, $desc, $points, $category, $location, $extrapoints) {
    if ($name) {
        dbExecute("UPDATE challenge SET name = :name WHERE id = :id", ["id" => $c, "name" => $name]);
<?php

include __DIR__ . "/include.php";
check_access(TEACHER);
list($class, $challenge) = apiCheckParams("class", "challenge");
$user = $_SESSION["user"];
$extra = isset($_POST["extra"]);
apiCheck(dbExists(isTeacher() ? "SELECT id FROM class WHERE id = :class AND teacher = :teacher" : "SELECT id FROM class WHERE id = :class AND :teacher != -1", ['class' => $class, "teacher" => $user]), "Ungültige Klasse");
apiCheck(dbExists("SELECT id FROM challenge WHERE id = :id", ["id" => $challenge]), "Ungültige Challenge");
apiCheck(!dbExists("SELECT * FROM solved_challenge WHERE class = :class AND challenge = :challenge", ["class" => $class, "challenge" => $challenge]), "Challenge wurde von der Klasse schon gelöst");
apiCheck(!$extra || dbExists("SELECT id FROM challenge WHERE id = :id AND extrapoints IS NOT NULL", ["id" => $challenge]), "Kann keine Extrapunkte für Challenge ohne Extrapunkte setzen!");
apiAction(function () use($class, $challenge, $extra) {
    checkMilestone($class, function () use($class, $challenge, $extra) {
        dbExecute("INSERT INTO solved_challenge (class, challenge, extra, at) VALUES (:class, :challenge, :extra, NOW())", ["class" => $class, "challenge" => $challenge, "extra" => $extra]);
    });
});
Beispiel #17
0
<?php

include __DIR__ . "/include.php";
check_access(ADMIN);
list($challenge, $type) = apiCheckParams("challenge", "type");
$file = $_FILES["file"];
apiCheck(dbExists("SELECT id FROM challenge WHERE id = :challenge", ['challenge' => $challenge]), "Challenge existiert nicht!");
apiCheck(pathinfo($file["name"], PATHINFO_EXTENSION) === "pdf", "Nur pdf-Dateien erlaubt");
apiCheck($file["size"] < MAX_PDF_SIZE, "Datei zu groß!");
apiCheck($type === TEACHER_PDF || $type === PUPIL_PDF, "Ungütiger Typ");
apiAction(function () use($challenge, $file, $type) {
    move_uploaded_file($file["tmp_name"], getPDFPath($challenge, $type));
});