require_once 'config.php';
require_once 'auth.php';
require_once 'verify_lib.php';

// JSON endpoint: every exit path below emits a JSON object.
header("Content-Type: application/json");

// $https presumably comes from config.php (not visible here).
if ($https && !isset($_SERVER['HTTPS'])) {
    // We're using mod_rewrite .htaccess for HTTPS redirect; this shouldn't happen
    header($_SERVER['SERVER_PROTOCOL'] . ' 500 Internal Server Error', true, 500);
    exit;
}

if (!user_logged_in()) {
    exit(json_encode(array('error' => 'not_logged_in')));
}

// All three fields are required; isset() only checks presence, not emptiness.
if (!isset($_POST['email']) || !isset($_POST['new_password']) || !isset($_POST['old_password'])) {
    exit(json_encode(array('error' => 'invalid_parameters')));
}

// NOTE(review): no anti-CSRF token or Origin check is visible in this fragment;
// confirm it is enforced in auth.php / config.php before the password change.
$user = get_viewer_id();
$old_password = $_POST['old_password'];
$new_password = $_POST['new_password'];
$email = $_POST['email'];

// NOTE(review): $user is interpolated straight into the SQL string; this relies
// on get_viewer_id() always returning a numeric id. A prepared statement would
// remove that dependency.
$result = $conn->query("SELECT username, email, hash FROM users WHERE id=\"{$user}\"");
$user_row = $result->fetch_assoc();
if (!$user_row) {
    exit(json_encode(array('error' => 'internal_error')));
}

// Re-authenticate with the current password before any account change is made.
if (!password_verify($old_password, $user_row['hash'])) {
    exit(json_encode(array('error' => 'invalid_credentials')));
}

$change_email = "";
// Only validate the address when it actually differs from the stored one.
if ($user_row['email'] !== $email) {
    // Local part: RFC 5322 atext characters (plus '.'); domain: dot-separated
    // labels of 1-63 alphanumerics/hyphens that start and end alphanumeric.
    $valid_email_regex = "/^[a-zA-Z0-9.!#\$%&'*+\\/=?^_`{|}~-]+"
        . "@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?"
        . "(?:\\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*\$/";
    // The body of this branch (and the enclosing if) continues past this fragment.
    if (!preg_match($valid_email_regex, $email)) {
// This fragment starts inside a block opened earlier in the file (the closing
// brace below belongs to it); the 500 response matches the HTTPS guard used by
// the sibling endpoints.
header($_SERVER['SERVER_PROTOCOL'] . ' 500 Internal Server Error', true, 500);
exit;
}

if (!isset($_POST['id']) || !isset($_POST['timestamp']) || !isset($_POST['session_id'])) {
    exit(json_encode(array('error' => 'invalid_parameters')));
}

// id and timestamp are forced to integers; session_id is escaped for use
// inside a quoted SQL literal below. The timestamp is client-supplied and is
// stored as-is as the new revision's creation_time / last_update.
$id = intval($_POST['id']);
$timestamp = intval($_POST['timestamp']);
$session_id = $conn->real_escape_string($_POST['session_id']);

// NOTE(review): a read-visibility check gates a write (restore) here; confirm
// that being allowed to view an entry is meant to imply permission to restore it.
$can_see = viewer_can_see_entry($id);
if ($can_see === null) {
    exit(json_encode(array('error' => 'invalid_parameters')));
}
if (!$can_see) {
    exit(json_encode(array('error' => 'invalid_credentials')));
}

// Fetch the most recent revision of the entry. The join on days is not used by
// the select list or the WHERE clause.
$result = $conn->query(
    "SELECT r.id, r.author, r.text, r.session_id, r.last_update, r.deleted, "
    . "e.creation_time "
    . "FROM revisions r LEFT JOIN entries e ON r.entry = e.id "
    . "LEFT JOIN days d ON d.id = e.day "
    . "WHERE r.entry = {$id} ORDER BY r.last_update DESC LIMIT 1"
);
$last_revision_row = $result->fetch_assoc();
if (!$last_revision_row) {
    exit(json_encode(array('error' => 'unknown_error')));
}
// Only a currently-deleted entry can be restored.
if (!$last_revision_row['deleted']) {
    exit(json_encode(array('error' => 'entry_not_deleted')));
}

$text = $last_revision_row['text'];
$viewer_id = get_viewer_id();

// Allocate a new revision id, then write a non-deleted revision carrying the
// previous text, and flip the entry's deleted flag. No transaction wraps these
// three statements, so a failure mid-way leaves them partially applied.
$conn->query("INSERT INTO ids(table_name) VALUES('revisions')");
$revision_id = $conn->insert_id;
// NOTE(review): $text is taken from the stored revision row and interpolated
// into the INSERT without escaping; a stored text containing a quote breaks
// this statement (and lets stored data reach SQL unescaped). Use a prepared
// statement or real_escape_string() for it.
$conn->query(
    "INSERT INTO revisions(id, entry, author, text, creation_time, "
    . "session_id, last_update, deleted) VALUES ({$revision_id}, {$id}, "
    . "{$viewer_id}, '{$text}', {$timestamp}, '{$session_id}', {$timestamp}, 0)"
);
$conn->query("UPDATE entries SET deleted = 0 WHERE id = {$id}");

exit(json_encode(array(
    'success' => true,
    'creation_time' => intval($last_revision_row['creation_time']),
    'text' => $text,
)));
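/**
 * Whether the current viewer may see the given entry.
 *
 * An entry is hidden only when its calendar is password-protected (c.hash is
 * not NULL) and the viewer has no role on that calendar, or a role below
 * ROLE_SUCCESSFUL_AUTH. Entries whose day/calendar cannot be joined are
 * treated as visible, because the LEFT JOINs leave c.hash NULL.
 *
 * @param int|string $entry entry id; coerced to int before it is placed in SQL
 * @return bool|null true/false for visibility, null when the entry does not
 *                   exist (or the lookup query failed)
 */
function viewer_can_see_entry($entry) {
    global $conn;
    // Defensive: the id is interpolated into SQL below, so force it to an
    // integer here rather than trusting every caller to intval() it first.
    $entry = (int) $entry;
    $viewer_id = get_viewer_id();
    $result = $conn->query(
        "SELECT c.hash IS NOT NULL AND (r.calendar IS NULL OR r.role < "
        . ROLE_SUCCESSFUL_AUTH . ") AS requires_auth FROM entries e "
        . "LEFT JOIN days d ON d.id = e.day "
        . "LEFT JOIN calendars c ON c.id = d.calendar "
        . "LEFT JOIN roles r ON r.calendar = d.calendar AND r.user = {$viewer_id} "
        . "WHERE e.id = {$entry}"
    );
    if ($result === false) {
        // A failed query previously led to fetch_assoc() on false (a fatal
        // error); report it like a missing entry so callers can reject cleanly.
        return null;
    }
    $entry_row = $result->fetch_assoc();
    if (!$entry_row) {
        return null;
    }
    // requires_auth arrives as "0"/"1"; anything falsy means the entry is visible.
    return !$entry_row['requires_auth'];
}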
break; default: } } User::leaveStatusMode(); include "views/show.view.php"; } } } else { if ($action == 'login') { $vid = get_viewer_id(); session_regenerate_id(); $res = User::Authenticate($params['name'], $params['password'], $error); if ($res) { Error::generate('notice', 'Authentication successful'); Pageview::RenameUser($vid, get_viewer_id()); if (isset($_SESSION) && $_SESSION['last_rendered_page']) { redirect_raw($_SESSION['last_rendered_page']); } else { redirect(); } } else { Error::generate('notice', $error, Error::$FLAGS['single']); include "views/login.view.php"; } } else { if ($action == 'forgot_password') { $name = $params['name']; $email = User::GetAttrib(User::GetUserID($name), 'email'); if ($email != $params['email']) { Error::generate('notice', 'Invalid email address and/or username');
<?php /***** RECENTLY VIEWED COURSES *****/ $recents = Pageview::ListAllForUser(get_viewer_id()); Error::generate('debug', $recents); if ($recents && count($recents) > 0) { ?> <div id="recent_courses"> <?php } else { ?> <div id="recent_courses" class="hidden"> <?php } ?> <div id="sidebar_recent_courses">Recent courses:</div> <?php $ctr = 0; $unique_recents = array(); foreach ($recents as $r) { $found = false; foreach ($unique_recents as $u) { if ($u['comment_id'] == $r['comment_id']) { $found = true; break; } } if (!$found) { $unique_recents[] = $r; if (++$ctr == 5) { break;
// $name, $description and $color are set earlier in this file (not visible in
// this fragment). NOTE(review): all three are interpolated into SQL below, so
// they must already be escaped for a quoted literal by the time they get here;
// prepared statements would make that independent of the earlier code.
if (strtolower($name) === "home") {
    // "home" is reserved regardless of case.
    exit(json_encode(array('error' => 'name_taken')));
}

// Case-insensitive uniqueness check. NOTE(review): check-then-insert with no
// lock; two concurrent requests can both pass unless the column has a unique index.
$result = $conn->query("SELECT id FROM calendars WHERE LCASE(name) = LCASE('{$name}')");
$calendar_row = $result->fetch_assoc();
if ($calendar_row) {
    exit(json_encode(array('error' => 'name_taken')));
}

// NOTE(review): $_POST['type'] is read without isset(); a missing field raises
// an undefined-index notice and falls through to an open calendar.
$is_closed = $_POST['type'] === 'closed';
$password = null;
if ($is_closed) {
    // A closed calendar requires a password to be supplied.
    if (!isset($_POST['password'])) {
        exit(json_encode(array('error' => 'invalid_parameters')));
    }
    $password = $_POST['password'];
}

$time = round(microtime(true) * 1000); // in milliseconds

// Allocate the calendar id, then insert the calendar and the creator's role.
// No transaction wraps these writes.
$conn->query("INSERT INTO ids(table_name) VALUES('calendars')");
$id = $conn->insert_id;
$creator = get_viewer_id();
$edit_rules = $is_closed ? 1 : 0; // temporary hack

// The two branches differ only in the hash column: a bcrypt hash of the
// supplied password for closed calendars, NULL for open ones.
if ($is_closed) {
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $conn->query(
        "INSERT INTO calendars"
        . "(id, name, description, hash, edit_rules, "
        . "creator, creation_time, color) "
        . "VALUES ({$id}, '{$name}', '{$description}', '{$hash}', "
        . "{$edit_rules}, {$creator}, {$time}, '{$color}')"
    );
} else {
    $conn->query(
        "INSERT INTO calendars"
        . "(id, name, description, hash, edit_rules, "
        . "creator, creation_time, color) "
        . "VALUES ({$id}, '{$name}', '{$description}', NULL, {$edit_rules}, "
        . "{$creator}, {$time}, '{$color}')"
    );
}

// The creator gets ROLE_CREATOR on the new calendar and is subscribed to it.
$conn->query(
    "INSERT INTO roles(calendar, user, creation_time, last_view, role, "
    . "subscribed) "
    . "VALUES ({$id}, {$creator}, {$time}, {$time}, " . ROLE_CREATOR . ", 1)"
);

exit(json_encode(array('success' => true, 'new_calendar_id' => $id)));
/**
 * Render one error record as a log line.
 *
 * In debug mode the line is prefixed with the client, the first five
 * characters of the viewer id, the elapsed profiling time and the priority;
 * otherwise only the message is emitted. Both forms end in CRLF.
 *
 * @param array $error record with 'msg' and (in debug mode) 'priority' keys
 * @return string the formatted line
 */
public static function format_error($error) {
    global $CONFIG;
    // Non-debug output is just the message.
    if (!$CONFIG['debug']) {
        return sprintf("%s\r\n", $error['msg']);
    }
    return sprintf(
        "%s | %s > %s [%d] %s\r\n",
        $GLOBALS['client'],
        substr((string) get_viewer_id(), 0, 5),
        number_format(profiling_get_elapsed('all')),
        $error['priority'],
        $error['msg']
    );
}