*/ /* Admin-only file-category page written as a single-file controller: the request is dispatched below according to which POST/GET flag is present. */ require_once '../.lib/functions.php'; restrict_access('A'); /* 'A' (admin) gate for every branch that follows. do_edit() and do_delete() additionally compare $_POST['xsrf_token'] with $_SESSION['xsrf_token']. Note that do_delete() is selected by a GET flag (?Delete=...) yet validates a POST token, so a delete has to arrive as a form POST to that URL, not as a plain link. do_add() is called here but not defined in this excerpt. */ if (isset($_POST['do_add_file_category'])) { do_add(); } else { if (isset($_POST['do_edit_file_category'])) { do_edit(); } else { if (isset($_GET['Delete'])) { do_delete(); } else { if (isset($_GET['Add'])) { show_add_page(''); } else { show_edit_page(''); } } } } /* Render the "add file category" form. A non-empty $err is wrapped in an error <div> (presumably echoed by the heredoc below). $body_onload is a global, presumably consumed by page_header() - confirm. NOTE(review): $_POST['name'] is read without isset(), so a plain GET ?Add request emits an undefined-index notice (and htmlentities(null) is deprecated on PHP 8.1+); the value is only HTML-encoded for re-display. The heredoc body continues beyond this excerpt. */ function show_add_page($err) { global $body_onload; $body_onload = 'document.forms[\'addFileCategory\'].name.focus()'; if ($err != '') { $err = "\n <div class=\"error\">{$err}</div><br />\n"; } $name = htmlentities($_POST['name']); page_header('Add File Category'); echo <<<HEREDOC <h1>Add a File Category</h1>
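/**
 * Handle the "edit file" form (POST do_edit_file_category; the file is chosen by $_GET['ID']).
 *
 * Steps: verify the XSRF token, validate name / visibility / category, recompute
 * order_num when the file moves to a different category, UPDATE the `files` row,
 * stash a confirmation in $_SESSION['FILE_edited'] and redirect to Files.
 *
 * Validation failures: a blank name re-renders the edit page with a message;
 * everything else aborts with trigger_error(E_USER_ERROR). Each abort is followed
 * by `return` so that a custom, non-fatal error handler cannot let execution fall
 * through to the UPDATE.
 */
function do_edit() {
    // XSRF: the session token must be a non-empty string and match the posted one
    // exactly. hash_equals() replaces PHP's loose `!=`, which treats numeric-looking
    // strings (e.g. "0" vs "0e123...") as equal and let two missing tokens "match";
    // it also compares in constant time.
    $session_token = isset($_SESSION['xsrf_token']) ? $_SESSION['xsrf_token'] : null;
    $posted_token = isset($_POST['xsrf_token']) ? $_POST['xsrf_token'] : null;
    if (!is_string($session_token) || $session_token === ''
            || !is_string($posted_token) || !hash_equals($session_token, $posted_token)) {
        trigger_error('XSRF code incorrect', E_USER_ERROR);
        return;
    }

    // Escape a value for the string-built, double-quoted SQL literals below
    // (the file's existing pattern; DB::get() is fetched per call as before).
    $esc = function ($value) {
        return mysqli_real_escape_string(DB::get(), (string) $value);
    };

    // The display name is stored HTML-encoded, as elsewhere in this file; a missing
    // or non-string value becomes '' so htmlentities() never receives an array.
    $raw_name = (isset($_POST['name']) && is_string($_POST['name'])) ? $_POST['name'] : '';
    $display_name = htmlentities($raw_name);
    // The length limit applies to the encoded form (unchanged from the original).
    if (strlen($display_name) > 100) {
        trigger_error('Edit: name > 100 characters', E_USER_ERROR);
        return;
    }
    if ($display_name === '') {
        show_edit_page('Display Name cannot be blank');
        return;
    }

    // Visibility is a one-letter flag; strict membership rejects arrays, null and
    // anything that is not exactly P, M or A.
    $visibility = isset($_POST['visibility']) ? $_POST['visibility'] : null;
    if (!in_array($visibility, array('P', 'M', 'A'), true)) {
        trigger_error('Edit: visibility not P, M or A', E_USER_ERROR);
        return;
    }

    // Category '0' means "no category" and is not looked up; any other id must match
    // exactly one file_categories row. The comparison is strict so that "00", "0.0"
    // or "0e1" can no longer bypass the existence check via loose numeric equality.
    $raw_category = (isset($_POST['category']) && is_string($_POST['category'])) ? $_POST['category'] : '';
    $category_id = htmlentities($raw_category);
    if ($category_id !== '0') {
        $result = DB::queryRaw('SELECT * FROM file_categories WHERE category_id="' . $esc($category_id) . '"');
        if (mysqli_num_rows($result) != 1) {
            trigger_error('Edit: Incorrect number of categories match submitted ID', E_USER_ERROR);
            return;
        }
    }

    // Look up the file being edited; a missing or non-string ID simply matches nothing.
    $file_id = (isset($_GET['ID']) && is_string($_GET['ID'])) ? $_GET['ID'] : '';
    $result = DB::queryRaw('SELECT category, order_num FROM files WHERE file_id="' . $esc($file_id) . '"');
    $row = mysqli_fetch_assoc($result);
    if (!$row) {
        trigger_error('Edit: file not found', E_USER_ERROR);
        return;
    }

    // Keep the current position unless the file changes category, in which case it
    // goes to the end of the new category. Loose `!=` is intentional here: the column
    // may come back as int or string depending on the driver.
    $order = $row['order_num'];
    if ($row['category'] != $category_id) {
        $result = DB::queryRaw('SELECT MAX(order_num) FROM files WHERE category="' . $esc($category_id) . '"');
        $max_row = mysqli_fetch_assoc($result);
        $order = $max_row['MAX(order_num)'] + 1; // NULL (empty category) + 1 == 1
    }

    // VALIDATION COMPLETE
    DB::queryRaw(
        'UPDATE files SET name="' . $esc($display_name) . '"'
        . ', permissions="' . $esc($visibility) . '"'
        . ', category="' . $esc($category_id) . '"'
        . ', order_num="' . $esc($order) . '"'
        . ' WHERE file_id="' . $esc($file_id) . '" LIMIT 1'
    );
    $_SESSION['FILE_edited'] = 'The file "' . $display_name . '" has been edited';
    header('Location: Files');
}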
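/**
 * Handle a delete request (selected by ?Delete=<team_id>; the XSRF token is read from
 * POST, so the request must arrive as a form POST to that URL, not as a plain link).
 *
 * Verifies the token, confirms the team exists and belongs to the current user's school
 * ($_SESSION['LMT_user_id']), deletes the matching `teams` rows and redirects Home.
 *
 * NOTE(review): the rest of this file manages file categories, but this handler works
 * on `teams` and reports its error through show_edit_page() - confirm that is intended
 * and not a copy-paste from the teams page.
 */
function do_delete() {
    // XSRF: same check as do_edit() - fail closed on a missing/empty session token and
    // use a constant-time exact comparison instead of loose `!=`.
    $session_token = isset($_SESSION['xsrf_token']) ? $_SESSION['xsrf_token'] : null;
    $posted_token = isset($_POST['xsrf_token']) ? $_POST['xsrf_token'] : null;
    if (!is_string($session_token) || $session_token === ''
            || !is_string($posted_token) || !hash_equals($session_token, $posted_token)) {
        trigger_error('XSRF code incorrect', E_USER_ERROR);
        return;
    }

    $team_id = isset($_GET['Delete']) ? $_GET['Delete'] : null;

    // Ensure that the team exists and belongs to this user's school.
    // The original rendered the error page but then fell through to the DELETEs anyway,
    // so any team id was deletable regardless of ownership; the `return` makes this
    // check actually enforceable.
    $owned = DB::queryFirstField(
        'SELECT COUNT(*) FROM teams WHERE team_id=%i AND school=%i',
        $team_id, $_SESSION['LMT_user_id']
    );
    if ((int) $owned === 0) {
        show_edit_page('Invalid team.');
        return;
    }

    DB::delete('teams', 'team_id=%i', $team_id);
    // Also removes rows whose `individuals` column holds this id (kept from the original;
    // the meaning of that column is not visible here).
    DB::delete('teams', 'individuals=%i', $team_id);
    header('Location: Home');
}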