<?php
// Admin endpoint: update the points and/or description of one milestone.
// Both fields are optional; a falsy (empty) field leaves its column untouched.
include __DIR__ . "/include.php";

check_access(ADMIN);

list($milestoneId, $points, $description) = apiCheckParams("milestone", "points", "description");
$description = trim($description);

// The target row must exist before any per-field validation runs.
apiCheck(
    dbExists("SELECT id FROM milestone WHERE id = :id", ["id" => $milestoneId]),
    "Unbekannte Etappe"
);

// When points are given they must be a digit string and not already used by another milestone.
if ($points) {
    apiCheck(ctype_digit($points), "Punkte müssen eine Zahl sein");
    apiCheck(
        !dbExists("SELECT id FROM milestone WHERE points = :p", ["p" => $points]),
        "Punkte schon vorhanden"
    );
}

apiAction(function () use ($milestoneId, $points, $description) {
    // One UPDATE per field so that an omitted field is never overwritten.
    if ($points) {
        dbExecute(
            "UPDATE milestone SET points = :points WHERE id = :id",
            ["points" => $points, "id" => $milestoneId]
        );
    }
    if ($description) {
        dbExecute(
            "UPDATE milestone SET description = :description WHERE id = :id",
            ["description" => $description, "id" => $milestoneId]
        );
    }
});
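<?php
// Teacher/admin endpoint: record that a class has solved a challenge,
// optionally awarding the challenge's extra points.
include __DIR__ . "/include.php";

check_access(TEACHER);

list($class, $challenge) = apiCheckParams("class", "challenge");
$user = $_SESSION["user"];
// Presence of the "extra" field requests the extra points. Stored as 0/1 rather
// than a PHP bool: PDOStatement::execute() binds array values as strings, so
// false would arrive as '' — which an integer column may reject.
$extra = isset($_POST["extra"]) ? 1 : 0;

// Teachers may only mark classes they own. The non-teacher branch apparently keeps
// the :teacher placeholder only so the same parameter array fits both statements.
$classQuery = isTeacher()
    ? "SELECT id FROM class WHERE id = :class AND teacher = :teacher"
    : "SELECT id FROM class WHERE id = :class AND :teacher != -1";
apiCheck(dbExists($classQuery, ['class' => $class, "teacher" => $user]), "Ungültige Klasse");
apiCheck(dbExists("SELECT id FROM challenge WHERE id = :id", ["id" => $challenge]), "Ungültige Challenge");
apiCheck(
    !dbExists("SELECT * FROM solved_challenge WHERE class = :class AND challenge = :challenge", ["class" => $class, "challenge" => $challenge]),
    "Challenge wurde von der Klasse schon gelöst"
);
// Extra points can only be requested for challenges that define them.
apiCheck(
    !$extra || dbExists("SELECT id FROM challenge WHERE id = :id AND extrapoints IS NOT NULL", ["id" => $challenge]),
    "Kann keine Extrapunkte für Challenge ohne Extrapunkte setzen!"
);

apiAction(function () use ($class, $challenge, $extra) {
    // checkMilestone() (from include.php) wraps the insert — presumably to re-evaluate
    // the class's milestone progress once the row exists; confirm against its definition.
    checkMilestone($class, function () use ($class, $challenge, $extra) {
        dbExecute(
            "INSERT INTO solved_challenge (class, challenge, extra, at) VALUES (:class, :challenge, :extra, NOW())",
            ["class" => $class, "challenge" => $challenge, "extra" => $extra]
        );
    });
});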
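<?php
// Teacher endpoint: change a user's e-mail address and/or password.
// A teacher may only edit their own account; admins may edit any account.
include __DIR__ . "/include.php";

check_access(TEACHER);

list($user, $email, $password, $password2) = apiCheckParams("user", "email", "password", "password2");

// Ownership check first, so a non-admin cannot probe other accounts.
apiCheck(isAdmin() || $user === $_SESSION["user"], "Keine Berechtigung");
apiCheck(dbExists("SELECT id FROM user WHERE id = :id", ["id" => $user]), "Unbekannter Benutzer");

if ($email) {
    apiCheck(filter_var($email, FILTER_VALIDATE_EMAIL), "Bitte eine gültige Email angeben.");
    // NOTE(review): this also rejects the user's own current address — confirm that is intended.
    apiCheck(
        !dbExists("SELECT id FROM user WHERE email = :email", ['email' => $email]),
        "Diese E-Mail-Adresse ist bereits vergeben."
    );
}

// Strict string comparison: with == two different numeric-looking passwords
// (e.g. "1e1" and "10") compare equal. The casts keep a missing/empty pair equal.
apiCheck((string) $password === (string) $password2, "Die Passwörter müssen übereinstimmen.");

apiAction(function () use ($user, $password, $email) {
    if ($email) {
        dbExecute("UPDATE user SET email = :email WHERE id = :id", ["email" => $email, "id" => $user]);
    }
    if ($password) {
        // Only the password_hash() result is stored; the plaintext never reaches the database.
        $passwordHash = password_hash($password, PASSWORD_DEFAULT);
        dbExecute(
            "UPDATE user SET password = :password WHERE id = :id",
            ["password" => $passwordHash, "id" => $user]
        );
    }
});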
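<?php
// Admin endpoint: delete one row by id from a small, fixed set of tables.
include __DIR__ . "/include.php";

check_access(ADMIN);

list($id, $table) = apiCheckParams("id", "table");

// The table name is interpolated into SQL below, so it must match one of these
// literals exactly (strict comparison); anything else is rejected.
$allowedTables = ["leckerwissen", "milestone", "suggested", "solved_challenge"];
$tableAllowed = in_array($table, $allowedTables, true);

// user has special rules (can't delete admin)
if ($tableAllowed) {
    apiCheck(dbExists("SELECT id FROM {$table} WHERE id = :id", ['id' => $id]), "Eintrag existiert nicht!");
} else {
    apiAddError("Ungültiger Tabellenname");
}

apiAction(function () use ($id, $table, $tableAllowed) {
    // Defense in depth: even if apiAction() were to run the callback with errors
    // queued, an unvalidated table name never reaches the query.
    if (!$tableAllowed) {
        return;
    }
    dbExecute("DELETE FROM {$table} WHERE id = :id", ['id' => $id]);
});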
<?php include __DIR__ . "/include.php"; check_access(ADMIN); list($c, $name, $desc, $points, $category, $location, $extrapoints) = apiCheckParams("challenge", "name", "description", "points", "category", "location", "extrapoints"); $name = trim($name); $desc = trim($desc); $extrapoints = trim($extrapoints); if (!$extrapoints) { $extrapoints = null; } apiCheck(dbExists("SELECT id FROM challenge WHERE id = :id", ["id" => $c]), "Ungültige Challenge"); if ($points) { apiCheck(ctype_digit($points), "Punkte müssen eine Zahl sein"); } if ($extrapoints != "nochange") { apiCheck(!$extrapoints || ctype_digit($extrapoints), "Extrapunkte müssen eine Zahl sein"); } if ($category) { apiCheck(array_filter($categories, function ($cat) use($category) { return $cat->name === $category; }), "Ungültige Kategorie"); } if ($location) { apiCheck(array_filter($locationTypes, function ($lt) use($location) { return $lt["name"] === $location; }), "Ungültige Location!"); } apiAction(function () use($c, $name, $desc, $points, $category, $location, $extrapoints) { if ($name) { dbExecute("UPDATE challenge SET name = :name WHERE id = :id", ["id" => $c, "name" => $name]);
<?php
// Admin endpoint: update selected fields of one "Leckerwissen" entry.
// Every field is optional; only fields that arrive non-empty are written.
include __DIR__ . "/include.php";

check_access(ADMIN);

list($entryId, $link, $title, $type, $category) = apiCheckParams("lw", "link", "title", "type", "category");

apiCheck(dbExists("SELECT id FROM leckerwissen WHERE id = :id", ["id" => $entryId]), "Ungültiges Leckerwissen");

// A category is either the literal "other" or the name of a known category
// ($categories is presumably defined by include.php).
if ($category) {
    $matchesCategory = function ($cat) use ($category) {
        return $cat->name === $category;
    };
    apiCheck($category == "other" || array_filter($categories, $matchesCategory), "Ungültige Kategorie");
}

// A type must be the name of one of the known types ($leckerwissenTypes, same origin).
if ($type) {
    $matchesType = function ($t) use ($type) {
        return $t["name"] === $type;
    };
    apiCheck(array_filter($leckerwissenTypes, $matchesType), "Ungültiger Typ");
}

apiAction(function () use ($entryId, $link, $title, $type, $category) {
    // One UPDATE per field so that a field left empty is not overwritten.
    if ($link) {
        dbExecute("UPDATE leckerwissen SET link = :link WHERE id = :id", ["id" => $entryId, "link" => $link]);
    }
    if ($title) {
        dbExecute("UPDATE leckerwissen SET title = :title WHERE id = :id", ["id" => $entryId, "title" => $title]);
    }
    if ($category) {
        dbExecute("UPDATE leckerwissen SET category = :category WHERE id = :id", ["id" => $entryId, "category" => $category]);
    }
    if ($type) {
        dbExecute("UPDATE leckerwissen SET type = :type WHERE id = :id", ["id" => $entryId, "type" => $type]);
    }
});
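<?php
// Admin endpoint: rename a class and/or reassign its teacher.
include __DIR__ . "/include.php";

check_access(ADMIN);

list($name, $teacher, $class) = apiCheckParams("name", "teacher", "class");
$name = trim($name);

apiCheck(dbExists("SELECT id FROM class WHERE id = :id", ["id" => $class]), "Klasse existiert nicht.");

// An empty name means "keep the current name"; a new name must be unique.
if (!empty($name)) {
    apiCheck(!dbExists("SELECT id FROM class WHERE name = :name", ["name" => $name]), "Name ist bereits vorhanden.");
}

// A negative teacher value (presumably -1 from the form) means "keep the current teacher".
if ($teacher >= 0) {
    apiCheck(dbExists("SELECT id FROM user WHERE id = :id", ["id" => $teacher]), "Lehrer existiert nicht.");
}

// The closure previously also captured $db, which it never used.
apiAction(function () use ($class, $name, $teacher) {
    if (!empty($name)) {
        dbExecute("UPDATE class SET name = :name WHERE id = :id ", ["name" => $name, "id" => $class]);
    }
    if ($teacher >= 0) {
        dbExecute("UPDATE class SET teacher = :teacher WHERE id = :id ", ["teacher" => $teacher, "id" => $class]);
    }
});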
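<?php
// Admin endpoint: create a new class with a name and an assigned teacher.
include __DIR__ . "/include.php";

check_access(ADMIN);

list($name, $teacher) = apiCheckParams("name", "teacher");
$name = trim($name);

apiCheck(strlen($name) != 0, "Bitte einen Namen angeben.");
// strlen() counts bytes, not characters, so multi-byte names reach this limit earlier.
apiCheck(strlen($name) < 90, "Der Klassenname ist zu lang.");
apiCheck(!dbExists("SELECT id FROM class WHERE name = :name", ['name' => $name]), "Dieser Klassenname ist bereits vergeben.");
apiCheck(dbExists("SELECT id FROM user WHERE id = :id", ['id' => $teacher]), "Unbekannter Lehrer");

apiAction(function () use ($name, $teacher) {
    // Use the shared dbExecute() helper like the other endpoints; the previous raw
    // $db->prepare()/execute() pair discarded its result, so nothing is lost.
    dbExecute("INSERT INTO class (name, teacher) VALUES (:name, :teacher)", ['name' => $name, 'teacher' => $teacher]);
});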
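<?php
// Admin endpoint: delete a teacher account. Admin accounts and teachers who
// still own classes cannot be deleted.
include __DIR__ . "/include.php";

check_access(ADMIN);

list($teacher) = apiCheckParams("teacher");

apiCheck(
    dbExists("SELECT id FROM user WHERE id = :teacher AND role != :admin", ['teacher' => $teacher, "admin" => ADMIN]),
    "Lehrer existiert nicht oder ist ein Admin"
);
apiCheck(
    !dbExists("SELECT id FROM class WHERE teacher = :id", ["id" => $teacher]),
    "Benutzer kann nur entfernt werden, wenn er keine Klassen mehr hat."
);

apiAction(function () use ($teacher) {
    // Remove the user's password-reset entries first, then the account. The original
    // bound an undefined $id here (NULL), so no forgot row was ever deleted and reset
    // entries of removed accounts were left behind.
    dbExecute("DELETE FROM forgot WHERE user = :id", ["id" => $teacher]);
    dbExecute("DELETE FROM user WHERE id = :teacher", ['teacher' => $teacher]);
});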
$extrapoints = null; } apiCheck(ctype_digit($points), "Punkte müssen eine Zahl sein"); apiCheck(!$extrapoints || ctype_digit($extrapoints), "Extrapunkte müssen eine Zahl sein"); apiCheck(strlen($title) !== 0, "Titel darf nicht leer sein"); apiCheck(strlen($desc) !== 0, "Beschreibung darf nicht leer sein"); apiCheck(isAdmin() || dbExists("SELECT id FROM class WHERE id = :id AND teacher = :teacher", ["id" => $class, "teacher" => $user]), "Keine Berechtigung für diese Klasse"); apiCheck(!$suggested || dbExists("SELECT id FROM class WHERE id = :id", ["id" => $class]), "Ungültige Klasse"); apiCheck(isAdmin() || $suggested, "Keine Berechtigung"); apiCheck($suggested || $category === "selfmade" || array_filter($categories, function ($cat) use($category) { return $cat->name === $category; }), "Ungültige Kategorie"); apiCheck(array_filter($locationTypes, function ($lt) use($location) { return $lt["name"] === $location; }), "Ungültige Location!"); apiCheck(!$suggested || fetch("SELECT COUNT(*) AS count FROM (SELECT class FROM suggested UNION ALL SELECT author AS class FROM challenge) AS c WHERE c.class = :id", ["id" => $class])->count < MAX_SELFMADE_PER_CLASS, "Es sind maximal " . MAX_SELFMADE_PER_CLASS . 
" Eigenkreationen pro Klasse erlaubt."); apiAction(function () use($title, $desc, $class, $points, $suggested, $category, $location, $extrapoints) { if ($suggested) { dbExecute("INSERT INTO suggested (title, description, class, points, location, extrapoints) VALUES (:title, :desc, :class, :points, :location, :extrapoints)", ["title" => $title, "desc" => $desc, "class" => $class, "points" => $points, "location" => $location, "extrapoints" => $extrapoints]); foreach (fetchAll("SELECT email FROM user WHERE role = :admin", ["admin" => ADMIN]) as $admin) { own_mail($admin->email, "Challenge vorgeschlagen", "Es wurde eine neue Challenge vorgeschlagen.\r\n\r\nTitel: {$title}\r\nBeschreibung:\r\n{$desc}\r\n\r\nZum Ablehnen oder Bestätigen bitte auf www.weltfairsteher.de/admin.php gehen."); } } else { if (!dbExists("SELECT id FROM class WHERE id = :id", ["id" => $class])) { $class = NULL; } checkMilestone($class, function () use($title, $desc, $class, $points, $suggested, $category, $location, $extrapoints) { dbExecute("INSERT INTO challenge (name, description, author, points, category, author_time, location, extrapoints) VALUES (:title, :desc, :class, :points, :category, NOW(), :location, :extrapoints)", ["title" => $title, "desc" => $desc, "class" => $class, "points" => $points, "location" => $location, "category" => $category, "extrapoints" => $extrapoints]); }); } });
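<?php
// Admin endpoint: attach an uploaded PDF (teacher or pupil variant) to a challenge.
include __DIR__ . "/include.php";

check_access(ADMIN);

list($challenge, $type) = apiCheckParams("challenge", "type");

// Guard the upload itself before reading any of its fields: a missing file or a
// failed upload would otherwise be dereferenced as an array.
$file = isset($_FILES["file"]) ? $_FILES["file"] : null;
$uploadOk = is_array($file) && isset($file["error"]) && $file["error"] === UPLOAD_ERR_OK;
apiCheck($uploadOk, "Keine Datei hochgeladen");

apiCheck(dbExists("SELECT id FROM challenge WHERE id = :challenge", ['challenge' => $challenge]), "Challenge existiert nicht!");
// The client-supplied name says nothing about the bytes, so the content header is
// checked as well as the extension.
apiCheck(!$uploadOk || pathinfo($file["name"], PATHINFO_EXTENSION) === "pdf", "Nur pdf-Dateien erlaubt");
apiCheck(!$uploadOk || file_get_contents($file["tmp_name"], false, null, 0, 5) === "%PDF-", "Datei ist kein PDF");
apiCheck(!$uploadOk || $file["size"] < MAX_PDF_SIZE, "Datei zu groß!");
apiCheck($type === TEACHER_PDF || $type === PUPIL_PDF, "Ungütiger Typ");

apiAction(function () use ($challenge, $file, $type, $uploadOk) {
    if (!$uploadOk) {
        return;
    }
    // The destination comes from getPDFPath() and the validated ids, not from the
    // upload's client-supplied name.
    // NOTE(review): the return value of move_uploaded_file() is not checked — confirm
    // how apiAction() is meant to report a failed move.
    move_uploaded_file($file["tmp_name"], getPDFPath($challenge, $type));
});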