define("NO_SESSION_REGENERATION", true); require_once __DIR__ . "/config.php"; require_once TEMPLATES_PATH . "/utils.php"; require_once INCLUDES_PATH . "/authentication.php"; require_once INCLUDES_PATH . "/events.php"; require_once DATABASE_PATH . "/events.php"; try { if (!isset($_POST["id"])) { http_response_code(400); echo 'Missing event ID.'; } else { if (!isUserLoggedIn()) { http_response_code(403); echo 'You need to login to unregister this event.'; } else { if (!validateCSRFToken($_POST["csrf_token"])) { http_response_code(403); echo 'Invalid CSRF token.'; } else { $event_id = $_POST["id"]; if (!canSeeEvent(getUserID(), $event_id)) { http_response_code(403); echo 'You do not have access to edit this event.'; } else { unregisterFromEvent(getUserID(), $idEvent); } } } } } catch (InvalidArgumentException $e) { http_response_code(400);
<?php require_once './utils.php'; require_once './defs.php'; $valid = isset($_SERVER['HTTP_X_CSRF_TOKEN']) && validateCSRFToken($_SERVER['HTTP_X_CSRF_TOKEN']) && isset($_FILES['upfile']['error']) && is_int($_FILES['upfile']['error']) && $_FILES['upfile']['error'] === UPLOAD_ERR_OK; // invalid request if (!$valid) { http_response_code(400); // echo 'invalid'; // echo "\n"; // echo $_FILES['upfile']['error']; exit; } // file size is too large if ($_FILES['upfile']['size'] > MAX_FILE_SIZE) { http_response_code(400); // echo 'file size'; exit; } // file isn't zip $finfo = new finfo(FILEINFO_MIME_TYPE); switch ($finfo->file($_FILES['upfile']['tmp_name'])) { case 'application/octet-stream': case 'application/zip': case 'application/x-zip': case 'application/x-zip-compressed': case 'application/x-compress': case 'application/x-compressed': case 'multipart/x-zip': break; default:
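/**
 * Validate a submitted CSRF token.
 *
 * The comparison itself is delegated to validateCSRFToken(), which is
 * defined outside this class. This wrapper only rejects values that are not
 * strings, so a malformed request (e.g. an array submitted under the token
 * field) fails validation instead of being handed to the token check.
 *
 * @param mixed $value     the token value taken from the request
 * @param array $arguments validator options; unused here, kept for the
 *                         validator interface
 * @return bool true only when validateCSRFToken() accepts the token
 */
public function validate($value, array $arguments) : bool
{
    // Anything that is not a string cannot be a valid token; do not let
    // non-string input reach the comparison.
    if (!is_string($value)) {
        return false;
    }

    return validateCSRFToken($value);
}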
http_response_code(400); echo 'Missing event ID.'; } else { if (!isset($_GET["action"])) { http_response_code(400); echo 'Missing action value.'; } else { if (!isset($_GET["csrf_token"])) { http_response_code(400); echo 'Missing csrf token.'; } else { if (!isUserLoggedIn()) { http_response_code(403); echo 'You need to login to edit this event.'; } else { if (!validateCSRFToken(rawurldecode($_GET["csrf_token"]))) { http_response_code(403); echo 'Invalid CSRF token.'; } else { $event_id = $_GET["id"]; if (!canSeeEvent(getUserID(), $event_id)) { http_response_code(403); echo 'You do not have access to edit this event.'; } else { $event = Event::find($event_id); $make_public = $_GET['action']; if (getUserID() == $event->getOwner()) { if ($make_public == 1) { $event->setPublic(1); } else { $event->setPublic(0);
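<?php
require_once './utils.php';
require_once './defs.php';

// Lists the regular files in the upload directory as a JSON array of
// basenames. The only gate visible here is the CSRF header, checked by
// validateCSRFToken() from utils.php.
// NOTE(review): no login/session check is visible in this file; if the
// listing is meant to be private, confirm that validateCSRFToken() (or
// utils.php) ties the token to an authenticated session.
$valid = isset($_SERVER['HTTP_X_CSRF_TOKEN'])
    && validateCSRFToken($_SERVER['HTTP_X_CSRF_TOKEN']);

// invalid request: empty body, so nothing about the directory is revealed
if (!$valid) {
    http_response_code(400);
    exit;
}

// glob() returns false on error (and [] when nothing matches); without the
// fallback, false would be a TypeError in array_filter() on PHP 8.
// NOTE(review): `$_` is assumed to be a helper from utils.php/defs.php that
// resolves UPLOAD_DIR to a path — confirm.
$entries = glob($_(UPLOAD_DIR) . '/*') ?: [];

// Keep only regular files and reduce each to its basename so the server-side
// path is not exposed. array_filter() preserves keys, so array_values() is
// required: with a gap in the keys json_encode() would emit an object
// ({"0":..,"2":..}) instead of a JSON array.
$onlyFiles = array_filter($entries, static function ($path) {
    return is_file($path);
});
$files = array_values(array_map(static function ($path) {
    return basename($path);
}, $onlyFiles));

header('Content-Type: application/json; charset=utf-8');
header('X-Content-Type-Options: nosniff');
header('Access-Control-Allow-Methods: GET');
header('X-Frame-Options: DENY');
// A filename with invalid UTF-8 would otherwise make json_encode() return
// false and the client would receive an empty, invalid JSON body; substitute
// the bad bytes instead so the listing is always well-formed JSON.
echo json_encode($files, JSON_INVALID_UTF8_SUBSTITUTE);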