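 /**
  * Front controller: route one request to the component that handles it.
  *
  * Evaluation order: the 'action' parameter (POST wins over GET) is checked
  * for logout and for the login gate first; only an authenticated session
  * reaches the 'session-dump' debugging action and the PATH_INFO routing
  * "/<component>/<id>/<rest...>". The session dump is further restricted to
  * administrators because print_r($_SESSION) exposes the whole session
  * (user id, roles, flash messages) to the caller.
  *
  * @param array $get    Query parameters (untrusted)
  * @param array $post   Form parameters (untrusted)
  * @param array $cookie Cookie values (untrusted)
  * @return mixed Whatever the selected handler returns; null after session-dump
  */
 public function handle_request($get, $post, $cookie)
 {
     $env =& $this->server;
     $sess =& $this->session;

     // POST takes precedence over GET; either may be absent or empty.
     if (!empty($post['action'])) {
         $action = $post['action'];
     } elseif (!empty($get['action'])) {
         $action = $get['action'];
     } else {
         $action = '';
     }

     if ($action === 'logout') {
         // Clear every key in place rather than replacing the reference target.
         foreach ($sess as $k => $v) {
             unset($sess[$k]);
         }
         return $this->redirect('');
     }

     // Login gate: without a user_id nothing below is reachable. A 'login'
     // action gets one attempt; anything else (or a failed attempt) shows the form.
     if (empty($sess['user_id'])) {
         $ok = ($action === 'login') && $this->handle_login($get, $post, $cookie);
         if (!$ok) {
             return $this->show_login_form($get, $post, $cookie);
         }
     }

     // A session without a roles map is not an administrator (avoids an
     // undefined-index notice on the raw lookup).
     $is_admin = isset($_SESSION['roles'][ROLE_ADMINISTRATOR]) ? $_SESSION['roles'][ROLE_ADMINISTRATOR] : null;

     // Debugging aid: only an authenticated administrator may see the session.
     if ($action === 'session-dump') {
         if (!$is_admin) {
             return $this->error_message('Permission denied. Administrator access required.');
         }
         header("Content-Type: text/plain");
         print_r($_SESSION);
         return;
     }

     // Route on PATH_INFO; a missing PATH_INFO behaves like an empty path.
     $path_info = isset($env['PATH_INFO']) ? $env['PATH_INFO'] : '';
     $parts = explode('/', $path_info);
     if (empty($parts[0])) {
         array_shift($parts);   // drop the empty segment produced by the leading '/'
     }
     $component = array_shift($parts);
     $id = array_shift($parts);   // untrusted: handed to the component handlers as-is

     if (empty($component)) {
         return $this->redirect('client');
     } elseif ($component === 'client') {
         $crud = new ClientForm($is_admin, $this->config, $this);
         if ($id && !empty($parts[0])) {
             $form_id = $parts[0];
             return $crud->handle_form($id, $form_id, $get, $post, $cookie);
         } elseif ($id) {
             return $crud->handle_client($id, $get, $post, $cookie);
         } else {
             return $crud->handle_list($get, $post, $cookie);
         }
     } elseif ($component === 'form') {
         $crud = new FormManager($is_admin, $this->config, $this);
         if ($id !== null && strlen($id)) {
             return $crud->handle_form($id, $parts, $get, $post, $cookie);
         } else {
             return $crud->handle_list($parts, $get, $post, $cookie);
         }
     } elseif ($is_admin) {
         // Any other component is a generic CRUD table, administrators only.
         $crud = new CrudForm($component, $this->config, $this);
         return $id ? $crud->handle_item($id, $parts, $get, $post, $cookie) : $crud->handle_index($parts, $get, $post, $cookie);
     } else {
         return $this->error_message('Permission denied. Administrator access required.');
     }
 }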
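 /**
  * Apply the results of an update form to the database
  *
  * Here is a sample call:
  *
  *     $tablename = "tsugi_lti_key";
  *     $fields = array("key_id", "key_key", "secret", "created_at", "updated_at");
  *     $where_clause .= "user_id = :UID";
  *     $query_fields = array(":UID" => $_SESSION['id']);
  *     $row =  CrudForm::handleUpdate($tablename, $fields, $where_clause, $query_fields, true, true);
  *
  * This code very much depends on the $_POST data being generated from the
  * form that this class created.   For example it decides to delete or update
  * based on a $_POST field from the button that was pushed.  Also the
  * primary key comes from the $_POST data, so this routine checks for
  * consistency and provides a WHERE clause capability to make sure folks
  * can only update data that belongs to them.
  *
  * Also this code depends on database column naming conventions -
  * in particular it knows that key_id is a primary key. In the above
  * example, the ultimate WHERE clause will effectively be as follows:
  *
  *     UPDATE ... WHERE key_id = $_POST['key_id'] AND user_id = $_SESSION['id']
  *
  * This way, even if the user forges the key_id data to be one that does
  * not belong to them, the AND clause will stop the UPDATE from happening.
  * If this is an administrator that can update any record - simply set
  * the $where_clause to an empty string and $query_fields to an empty
  * array.
  *
  * If we were editing some context-wide data as instructor, we might add
  * the current context_id of the logged in instructor to the WHERE clause.
  *
  * Column values are always bound as parameters. The table name, the field
  * names and the caller's WHERE clause are interpolated into the SQL
  * verbatim, so they must be constants from the code, never derived from
  * request data.
  *
  * @param $tablename The table to read from and write to (code constant, see above).
  * @param $fields An array of fields to be updated.  These items must be
  * in the $_POST data as well.  The primary key should be the first field
  * in the list and end in "_id".
  * @param $where_clause An optional (can be an empty string) WHERE clause limiting
  * which primary keys can be updated.
  * @param $query_parms If there is a where clause, this is an associative array
  * providing the values for the substitutable items in the WHERE clause.
  * @param $allow_edit True/false as to whether editing is allowed
  * @param $allow_delete True/false as to whether deleting is allowed
  * @return mixed self::CRUD_FAIL when the key parameter is missing or not
  * numeric, the row cannot be retrieved, or a POST field is missing;
  * self::CRUD_SUCCESS after a delete or update; otherwise (no button
  * pressed) the row array retrieved for the key, so the caller can render it.
  */
 public static function handleUpdate($tablename, $fields, $where_clause = false, $query_parms = array(), $allow_edit = false, $allow_delete = false)
 {
     global $PDOX;
     $key = $fields[0];
     // The key must be present and numeric: it is bound into the WHERE clause
     // as a number, and a non-numeric string in arithmetic is a TypeError on PHP 8.
     if (!isset($_REQUEST[$key]) || !is_numeric($_REQUEST[$key])) {
         $_SESSION['error'] = "Required {$key}= parameter";
         return self::CRUD_FAIL;
     }
     // Inner WHERE clause: the caller's restriction ANDed with the primary key
     $key_value = $_REQUEST[$key] + 0;
     if ($where_clause === false || strlen($where_clause) < 1) {
         $where_clause = "{$key} = :KID";
     } else {
         $where_clause = "( " . $where_clause . " ) AND {$key} = :KID";
     }
     $query_parms[":KID"] = $key_value;
     $do_edit = isset($_REQUEST['edit']) && $_REQUEST['edit'] === 'yes';
     $sql = CrudForm::selectSql($tablename, $fields, $where_clause);
     $row = $PDOX->rowDie($sql, $query_parms);
     if ($row === false) {
         $_SESSION['error'] = "Unable to retrieve row";
         return self::CRUD_FAIL;
     }
     // The row was found under the caller's WHERE clause, so reusing that
     // clause scopes the DELETE/UPDATE to a record this user may touch.
     if ($allow_delete && isset($_POST['doDelete'])) {
         $sql = "DELETE FROM {$tablename} WHERE {$where_clause}";
         $PDOX->queryDie($sql, $query_parms);
         $_SESSION['success'] = _m("Record deleted");
         return self::CRUD_SUCCESS;
     }
     // The update
     if ($allow_edit && $do_edit && isset($_POST['doUpdate']) && count($_POST) > 0) {
         $set = '';
         $parms = $query_parms;
         $field_count = count($fields);
         for ($i = 0; $i < $field_count; $i++) {
             $field = $fields[$i];
             // Never let the form overwrite the primary key ...
             if ($i === 0 && strpos($field, "_id") > 0) {
                 continue;
             }
             // ... or any timestamp column other than updated_at
             if ($field !== 'updated_at' && strpos($field, "_at") > 0) {
                 continue;
             }
             if (strlen($set) > 0) {
                 $set .= ', ';
             }
             if ($field === 'updated_at') {
                 $set .= $field . "= NOW()";
                 continue;
             }
             if (!isset($_POST[$field])) {
                 $_SESSION['error'] = _m("Missing POST field: ") . $field;
                 return self::CRUD_FAIL;
             }
             // Values are bound by position, never interpolated into the SQL.
             $set .= $field . "= :" . $i;
             $parms[':' . $i] = $_POST[$field];
         }
         $sql = "UPDATE {$tablename} SET {$set} WHERE {$where_clause}";
         $PDOX->queryDie($sql, $parms);
         $_SESSION['success'] = "Record Updated";
         return self::CRUD_SUCCESS;
     }
     return $row;
 }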
 /**
  * Build the CRUD form for $id and, when its submit button was pressed,
  * run validation and save.
  *
  * A non-submitted form is simply returned. A submitted one never returns:
  * it throws FormSuccessException when validation passes and save() does not
  * return false, and FormFailException otherwise.
  *
  * @param string $id     Form identifier; also names the button "submit<Id>"
  * @param mixed  $parent Optional parent handed through to CrudForm
  * @return CrudForm
  * @throws FormSuccessException
  * @throws FormFailException
  */
 public function getForm($id, $parent = null)
 {
     $crud = new CrudForm($this, $id, $parent);
     $button = 'submit' . ucfirst($id);
     if (!$crud->submitted($button)) {
         return $crud;
     }
     // Only a valid form is saved; any failure falls through to the fail exception.
     if ($crud->validate() && $this->save() !== false) {
         throw new FormSuccessException($crud);
     }
     throw new FormFailException($crud);
 }