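/**
 * Route an incoming request to the component that handles it.
 *
 * Resolves the requested action from $post (preferred) or $get, handles the
 * session-level actions (logout, session dump), requires a logged-in user
 * (rendering the login form otherwise), then dispatches on the first
 * PATH_INFO segment to ClientForm, FormManager or a generic CrudForm.
 *
 * @param array $get    Query-string parameters (untrusted).
 * @param array $post   Form-body parameters (untrusted).
 * @param array $cookie Request cookies (untrusted).
 * @return mixed Whatever the selected handler returns (redirect, rendered
 *               form or error message); null after a session dump.
 */
public function handle_request($get, $post, $cookie)
{
    $env =& $this->server;
    $sess =& $this->session;

    // POST wins over GET. empty() is kept on purpose so that '0' means "no action".
    if (!empty($post['action'])) {
        $action = $post['action'];
    } elseif (!empty($get['action'])) {
        $action = $get['action'];
    } else {
        $action = '';
    }

    if ($action === 'logout') {
        // Unset key by key so the reference to $this->session stays intact.
        foreach ($sess as $k => $v) {
            unset($sess[$k]);
        }
        return $this->redirect('');
    }

    // Nobody logged in: only a successful 'login' action gets past this point.
    if (empty($sess['user_id'])) {
        $ok = false;
        if ($action === 'login') {
            $ok = $this->handle_login($get, $post, $cookie);
        }
        if (!$ok) {
            return $this->show_login_form($get, $post, $cookie);
        }
    }

    // A missing role entry means "not an administrator" rather than an undefined-index notice.
    $is_admin = isset($_SESSION['roles'][ROLE_ADMINISTRATOR])
        ? $_SESSION['roles'][ROLE_ADMINISTRATOR]
        : false;

    // The dump prints every session value, so it is only reachable by an
    // authenticated administrator (it previously ran before the login check).
    if ($action === 'session-dump') {
        if (!$is_admin) {
            return $this->error_message('Permission denied. Administrator access required.');
        }
        header("Content-Type: text/plain");
        print_r($_SESSION);
        return;
    }

    $path = isset($env['PATH_INFO']) ? $env['PATH_INFO'] : '';
    $parts = explode('/', $path);
    // A leading slash yields an empty first segment; drop it.
    if (empty($parts[0])) {
        array_shift($parts);
    }
    $component = array_shift($parts);
    $id = array_shift($parts);  // null when the path has a single segment

    if (empty($component)) {
        return $this->redirect('client');
    }

    if ($component === 'client') {
        $crud = new ClientForm($is_admin, $this->config, $this);
        if ($id && !empty($parts[0])) {
            $form_id = $parts[0];
            return $crud->handle_form($id, $form_id, $get, $post, $cookie);
        }
        if ($id) {
            return $crud->handle_client($id, $get, $post, $cookie);
        }
        return $crud->handle_list($get, $post, $cookie);
    }

    if ($component === 'form') {
        $crud = new FormManager($is_admin, $this->config, $this);
        // Explicit null/'' check: strlen(null) is deprecated on PHP 8.1+.
        if ($id !== null && $id !== '') {
            return $crud->handle_form($id, $parts, $get, $post, $cookie);
        }
        return $crud->handle_list($parts, $get, $post, $cookie);
    }

    // Every other component is a generic CRUD screen, administrators only.
    if (!$is_admin) {
        return $this->error_message('Permission denied. Administrator access required.');
    }
    $crud = new CrudForm($component, $this->config, $this);
    return $id
        ? $crud->handle_item($id, $parts, $get, $post, $cookie)
        : $crud->handle_index($parts, $get, $post, $cookie);
}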
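/**
 * Apply the results of an update form to the database.
 *
 * Sample call:
 *
 *     $tablename = "tsugi_lti_key";
 *     $fields = array("key_id", "key_key", "secret", "created_at", "updated_at");
 *     $where_clause .= "user_id = :UID";
 *     $query_fields = array(":UID" => $_SESSION['id']);
 *     $row = CrudForm::handleUpdate($tablename, $fields, $where_clause, $query_fields, true, true);
 *
 * This code very much depends on the $_POST data being generated from the
 * form that this class created. For example it decides to delete or update
 * based on the $_POST field of the button that was pushed. The primary key
 * also comes from the request data, so this routine checks it for
 * consistency and provides a WHERE clause capability to make sure people
 * can only update data that belongs to them.
 *
 * The code also depends on database column naming conventions - in
 * particular it knows that key_id is a primary key. In the above example,
 * the ultimate WHERE clause will effectively be:
 *
 *     UPDATE ... WHERE key_id = $_POST['key_id'] AND user_id = $_SESSION['id']
 *
 * This way, even if the user forges the key_id to one that does not belong
 * to them, the AND clause stops the UPDATE from happening. For an
 * administrator that may update any record, pass an empty string as
 * $where_clause and an empty array as $query_parms.
 *
 * If context-wide data were being edited as instructor, the current
 * context_id of the logged-in instructor would be added to the WHERE clause.
 *
 * Table and column names are interpolated into the SQL and must come from
 * the application, never from the request; only values are bound.
 *
 * @param string $tablename    Table to update.
 * @param array  $fields       Fields to be updated. These must also be present in
 *                             $_POST. The primary key must be the first entry and
 *                             end in "_id".
 * @param string|false $where_clause Optional WHERE clause (false or '' for none)
 *                             limiting which primary keys can be updated.
 * @param array  $query_parms  Associative array of bound values for the
 *                             substitutable items in $where_clause.
 * @param bool   $allow_edit   Whether editing is allowed.
 * @param bool   $allow_delete Whether deleting is allowed.
 * @return int|array CRUD_SUCCESS or CRUD_FAIL after an update/delete; otherwise the
 *                   row retrieved for the key (despite the historical "int" contract).
 */
public static function handleUpdate($tablename, $fields, $where_clause = false, $query_parms = array(), $allow_edit = false, $allow_delete = false)
{
    global $PDOX;

    // The first field is the primary key and must arrive as a numeric request value.
    // Non-numeric input is rejected here instead of being coerced with "+ 0",
    // which raises a TypeError on PHP 8 for non-numeric strings.
    $key = $fields[0];
    if (!isset($_REQUEST[$key]) || !is_numeric($_REQUEST[$key])) {
        $_SESSION['error'] = "Required {$key}= parameter";
        return self::CRUD_FAIL;
    }
    $key_value = $_REQUEST[$key] + 0;

    // Inner WHERE clause: the primary key is always ANDed onto the caller's
    // clause so a forged key outside the caller's scope cannot match.
    if ((string) $where_clause === '') {
        $where_clause = "{$key} = :KID";
    } else {
        $where_clause = "( " . $where_clause . " ) AND {$key} = :KID";
    }
    $query_parms[":KID"] = $key_value;

    $do_edit = isset($_REQUEST['edit']) && $_REQUEST['edit'] === 'yes';

    // Retrieve the row first: this proves the key lies inside the caller's
    // WHERE scope and is the value returned when no action is taken.
    $sql = CrudForm::selectSql($tablename, $fields, $where_clause);
    $row = $PDOX->rowDie($sql, $query_parms);
    if ($row === false) {
        $_SESSION['error'] = "Unable to retrieve row";
        return self::CRUD_FAIL;
    }

    if ($allow_delete && isset($_POST['doDelete'])) {
        $PDOX->queryDie("DELETE FROM {$tablename} WHERE {$where_clause}", $query_parms);
        $_SESSION['success'] = _m("Record deleted");
        return self::CRUD_SUCCESS;
    }

    if ($allow_edit && $do_edit && isset($_POST['doUpdate'])) {
        $set = '';
        $parms = $query_parms;
        $field_count = count($fields);
        for ($i = 0; $i < $field_count; $i++) {
            $field = $fields[$i];
            // Never overwrite the primary key.
            if ($i === 0 && strpos($field, "_id") > 0) {
                continue;
            }
            // Timestamp columns are not user-editable; updated_at is set below.
            if ($field !== 'updated_at' && strpos($field, "_at") > 0) {
                continue;
            }
            if (strlen($set) > 0) {
                $set .= ', ';
            }
            if ($field === 'updated_at') {
                $set .= $field . "= NOW()";
                continue;
            }
            if (!isset($_POST[$field])) {
                $_SESSION['error'] = _m("Missing POST field: ") . $field;
                return self::CRUD_FAIL;
            }
            // Column name comes from $fields; the value is bound by position.
            $set .= $field . "= :" . $i;
            $parms[':' . $i] = $_POST[$field];
        }
        $PDOX->queryDie("UPDATE {$tablename} SET {$set} WHERE {$where_clause}", $parms);
        $_SESSION['success'] = "Record Updated";
        return self::CRUD_SUCCESS;
    }

    return $row;
}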
/**
 * Build the CRUD form for $id, processing it if it has been submitted.
 *
 * @param string $id     Form identifier; the submit button is named 'submit' . ucfirst($id).
 * @param mixed  $parent Optional parent handed to the form (null by default).
 * @return CrudForm The form, when it has not been submitted.
 * @throws FormSuccessException When the submitted form validates and save() does not return false.
 * @throws FormFailException    When the submitted form fails validation or save() returns false.
 */
public function getForm($id, $parent = null)
{
    $crud = new CrudForm($this, $id, $parent);
    $submitName = 'submit' . ucfirst($id);

    // Not submitted: hand the form back for rendering.
    if (!$crud->submitted($submitName)) {
        return $crud;
    }

    // save() is only attempted once validation passes.
    if ($crud->validate() && $this->save() !== false) {
        throw new FormSuccessException($crud);
    }
    throw new FormFailException($crud);
}