Filter all user input to reduce the security impact of manipulated data

This commit is contained in:
EA Durbin
2006-06-17 06:10:10 +00:00
committed by WineHQ
parent 02c5682c01
commit f982c8459e
53 changed files with 988 additions and 542 deletions


@@ -8,36 +8,45 @@ require(BASE."include/incl.php");
require(BASE."include/application.php");
require(BASE."include/mail.php");
$aClean = array(); //array of filtered user input
$aClean['versionId'] = makeSafe($_REQUEST['versionId']);
$aClean['appId'] = makeSafe( $_REQUEST['appId']);
$aClean['sub'] = makeSafe($_REQUEST['sub']);
$aClean['submit'] = makeSafe($_REQUEST['submit']);
$aClean['noteTitle'] = makeSafe($_REQUEST['noteTitle']);
$aClean['noteDesc'] = makeSafe($_REQUEST['noteDesc']);
//FIXME: get rid of appId references everywhere, as version is enough.
$sQuery = "SELECT appId FROM appVersion WHERE versionId = '".$_REQUEST['versionId']."'";
$sQuery = "SELECT appId FROM appVersion WHERE versionId = '".$aClean['versionId']."'";
$hResult = query_appdb($sQuery);
$oRow = mysql_fetch_object($hResult);
$appId = $oRow->appId;
//check for admin privs
if(!$_SESSION['current']->hasPriv("admin") && !$_SESSION['current']->isMaintainer($_REQUEST['versionId']) && !$_SESSION['current']->isSuperMaintainer($_REQUEST['appId']))
if(!$_SESSION['current']->hasPriv("admin") && !$_SESSION['current']->isMaintainer($aClean['versionId']) && !$_SESSION['current']->isSuperMaintainer($aClean['appId']))
{
errorpage("Insufficient Privileges!");
exit;
}
//set link for version
if(is_numeric($_REQUEST['versionId']) and !empty($_REQUEST['versionId']))
if(is_numeric($aClean['versionId']) and !empty($aClean['versionId']))
{
$versionLink = "versionId={$_REQUEST['versionId']}";
$versionLink = "versionId={$aClean['versionId']}";
}
else
exit;
if($_REQUEST['sub'] == "Submit")
if($aClean['sub'] == "Submit")
{
$oNote = new Note();
$oNote->create($_REQUEST['noteTitle'], $_REQUEST['noteDesc'], $_REQUEST['versionId']);
$oNote->create($aClean['noteTitle'], $aClean['noteDesc'], $aClean['versionId']);
redirect(apidb_fullurl("appview.php?".$versionLink));
exit;
}
else if($_REQUEST['sub'] == 'Preview' OR empty($_REQUEST['submit']))
else if($aClean['sub'] == 'Preview' OR empty($aClean['submit']))
{
HtmlAreaLoaderScript(array("editor"));
@@ -47,22 +56,22 @@ else if($_REQUEST['sub'] == 'Preview' OR empty($_REQUEST['submit']))
echo html_frame_start("Add Application Note", "90%","",0);
echo html_table_begin("width='100%' border=0 align=left cellpadding=6 cellspacing=0 class='box-body'");
echo "<input type=\"hidden\" name=\"versionId\" value=\"{$_REQUEST['versionId']}\">";
echo add_br($_REQUEST['noteDesc']);
echo "<input type=\"hidden\" name=\"versionId\" value=\"{$aClean['versionId']}\">";
echo add_br($aClean['noteDesc']);
if ($_REQUEST['noteTitle'] == "HOWTO" || $_REQUEST['noteTitle'] == "WARNING")
if ($aClean['noteTitle'] == "HOWTO" || $aClean['noteTitle'] == "WARNING")
{
echo "<input type=hidden name='noteTitle' value='{$_REQUEST['noteTitle']}'>";
echo "<tr><td class=color1>Type</td><td class=color0>{$_REQUEST['noteTitle']}</td></tr>\n";
echo "<input type=hidden name='noteTitle' value='{$aClean['noteTitle']}'>";
echo "<tr><td class=color1>Type</td><td class=color0>{$aClean['noteTitle']}</td></tr>\n";
}
else
{
echo "<tr><td class=color1>Title</td><td class=color0><input size='80%' type='text' name='noteTitle' type='text' value='{$_REQUEST['noteTitle']}'></td></tr>\n";
echo "<tr><td class=color1>Title</td><td class=color0><input size='80%' type='text' name='noteTitle' type='text' value='{$aClean['noteTitle']}'></td></tr>\n";
}
echo '<tr><td class="color4">Description</td><td class="color0">', "\n";
if(trim(strip_tags($_REQUEST['noteDesc']))=="") $_REQUEST['noteDesc']="<p>Enter note here</p>";
if ( $aClean['noteDesc'] == "" ) $aClean['noteDesc']="<p>Enter note here</p>";
echo '<p style="width:700px">', "\n";
echo '<textarea cols="80" rows="20" id="editor" name="noteDesc">'.stripslashes($_REQUEST['noteDesc']).'</textarea>',"\n";
echo '<textarea cols="80" rows="20" id="editor" name="noteDesc">'.stripslashes($aClean['noteDesc']).'</textarea>',"\n";
echo '</p>';
echo '</td></tr><tr><td colspan="2" align="center" class="color3">',"\n";
echo '<input type="submit" name="sub" value="Preview">&nbsp',"\n";
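Review bot: The guard `if(is_numeric($aClean['versionId']) and !empty($aClean['versionId']))` runs only after `$aClean['versionId']` has already been interpolated into the `SELECT appId FROM appVersion` query and handed to `isMaintainer()`/`isSuperMaintainer()`; move that check, together with its `exit`, ahead of the query so the id is validated before it reaches SQL or the privilege decision. This page does not show what `makeSafe()` does, so the quoted interpolation into `$sQuery` currently rests entirely on it. Separately, replacing `trim(strip_tags($_REQUEST['noteDesc']))==""` with `$aClean['noteDesc'] == ""` is a behaviour change: a description consisting only of whitespace or empty tags no longer receives the `<p>Enter note here</p>` placeholder; if that is intended, a short comment saying so would help the next reader. The preview output into `<textarea>` via `stripslashes($aClean['noteDesc'])` is also unescaped HTML and depends on whatever `makeSafe()` does to markup.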


@@ -3,21 +3,29 @@ include("path.php");
require(BASE."include/incl.php");
require(BASE."include/category.php");
$aClean = array(); //array of filtered user input
$aClean['catId'] = makeSafe($_REQUEST['catId']);
$aClean['name'] = makeSafe($_REQUEST['name']);
$aClean['description'] = makeSafe($_REQUEST['description']);
$aClean['parentId'] = makeSafe($_REQUEST['parentId']);
$aClean['submit'] = makeSafe($_REQUEST['submit']);
if(!$_SESSION['current']->hasPriv("admin"))
{
errorpage();
exit;
}
$oCat = new Category($_REQUEST['catId']);
if($_REQUEST['submit'])
$oCat = new Category($aClean['catId']);
if($aClean['submit'])
{
$oCat->update($_REQUEST['name'],$_REQUEST['description'],$_REQUEST['parentId']);
$oCat->update($aClean['name'],$aClean['description'],$aClean['parentId']);
redirect(apidb_fullurl("appbrowse.php?catId=".$oCat->iCatId));
}
else
{
apidb_header("Add Category");
$sQuery = "SELECT catId, catName FROM appCategory WHERE catId!='".$_REQUEST['catId']."'";
$sQuery = "SELECT catId, catName FROM appCategory WHERE catId!='".$aClean['catId']."'";
$hResult = query_appdb($sQuery);
while($oRow = mysql_fetch_object($hResult))
{
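Review bot: `$aClean['catId']` flows into `new Category($aClean['catId'])` and into the quoted `catId!='...'` clause of `$sQuery` without the `is_numeric` check that other files in this commit apply to ids (for example the `userId` check in the admin users page); add `if(!is_numeric($aClean['catId'])) { errorpage(); exit; }` directly after the admin privilege check. What `makeSafe()` guarantees is not visible on this page, so numeric ids are best validated explicitly rather than relying on generic filtering. `$aClean['parentId']` is passed straight into `$oCat->update(...)` and would benefit from the same check; the update body is outside this hunk.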


@@ -9,6 +9,15 @@ require(BASE."include/mail.php");
require(BASE."include/tableve.php");
require(BASE."include/application.php");
$aClean = array(); //array of user input
$aClean['id'] = makeSafe($_REQUEST['id']);
$aClean['sub'] = makeSafe($_REQUEST['sub']);
$aClean['add'] = makeSafe($_REQUEST['add']);
$aClean['description'] = makeSafe($_REQUEST['description']);
$aClean['replyText'] = makeSafe($_REQUEST['replyText']);
$aClean['reject'] = makeSafe($_REQUEST['reject']);
// deny access if not admin or at least some kind of maintainer
if(!$_SESSION['current']->hasPriv("admin") && !$_SESSION['current']->isMaintainer())
{
@@ -17,7 +26,7 @@ if(!$_SESSION['current']->hasPriv("admin") && !$_SESSION['current']->isMaintaine
}
// shows the list of appdata in queue
if (!$_REQUEST['id'])
if (!$aClean['id'])
{
apidb_header("Admin Application Data Queue");
@@ -76,10 +85,10 @@ if (!$_REQUEST['id'])
}
} else // shows a particular appdata
{
$hResult = $_SESSION['current']->getAppDataQuery($_REQUEST['id'], false, false);
$hResult = $_SESSION['current']->getAppDataQuery($aClean['id'], false, false);
$obj_row = mysql_fetch_object($hResult);
if(!$_REQUEST['sub']=="inside_form")
if(!$aClean['sub']=="inside_form")
{
apidb_header("Admin Application Data Queue");
@@ -146,9 +155,9 @@ if (!$_REQUEST['id'])
echo '</table>',"\n";
echo '<input type=hidden name="sub" value="inside_form" />',"\n";
echo '<input type=hidden name="id" value="'.$_REQUEST['id'].'" />',"\n";
echo '<input type=hidden name="id" value="'.$aClean['id'].'" />',"\n";
echo '</form>';
} elseif ($_REQUEST['add']) // we accepted the request
} elseif ($aClean['add']) // we accepted the request
{
$statusMessage = "";
$goodtogo = 0;
@@ -161,7 +170,7 @@ if (!$_REQUEST['id'])
elseif ($obj_row->type == "url")
{ // FIXME: use Link class
$query = "INSERT INTO appData VALUES (null, ".$obj_row->versionId.", 'url', ".
"'".addslashes($_REQUEST['description'])."', '".$obj_row->url."')";
"'".$aClean['description']."', '".$obj_row->url."')";
if (query_appdb($sQuery))
{
$statusMessage = "<p>The application data was successfully added into the database</p>\n";
@@ -175,7 +184,7 @@ if (!$_REQUEST['id'])
{
$sSubject = "Application Data Request Report";
$sMsg = "Your submission of an application data for ".lookup_app_name($obj_row->appId).lookup_version_name($obj_row->versionId)." has been accepted. ";
$sMsg .= $_REQUEST['replyText'];
$sMsg .= $aClean['replyText'];
$sMsg .= "We appreciate your help in making the Application Database better for all users.\r\n";
mail_appdb($oUser->sEmail, $sSubject ,$sMsg);
@@ -183,7 +192,7 @@ if (!$_REQUEST['id'])
}
}
redirect(apidb_fullurl("admin/adminAppDataQueue.php"));
} elseif ($_REQUEST['reject'])
} elseif ($aClean['reject'])
{
if($obj_row->type == "image")
{
@@ -197,7 +206,7 @@ if (!$_REQUEST['id'])
{
$sSubject = "Application Data Request Report";
$sMsg = "Your submission of an application data for ".lookup_app_name($obj_row->appId).lookup_version_name($obj_row->versionId)." was rejected. ";
$sMsg .= $_REQUEST['replyText'];
$sMsg .= $aClean['replyText'];
mail_appdb($oUser->sEmail, $sSubject ,$sMsg);
}
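Review bot: `if(!$aClean['sub']=="inside_form")` applies `!` to `$aClean['sub']` before the comparison, so the branch tests a boolean against the string rather than whether `sub` differs from `inside_form`; the intended condition is `if($aClean['sub'] != "inside_form")`. The precedence problem predates this commit, but the line was rewritten here, so it is the right moment to fix it. Also in this section, the `url` branch assembles `$query` but then calls `query_appdb($sQuery)`, so the INSERT carrying the filtered `description` does not appear to run as written — worth confirming against the full file, which is outside the hunk. Dropping `addslashes()` on `description` now makes that INSERT rely solely on `makeSafe()`, whose behaviour this page does not show.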


@@ -10,6 +10,20 @@ require(BASE."include/application.php");
require(BASE."include/mail.php");
require_once(BASE."include/testResults.php");
$aClean = array(); //array of filtered user input
$aClean['iTestingId'] = makeSafe($_REQUEST['iTestingId']);
$aClean['sub'] = makeSafe($_REQUEST['sub'] );
$aClean['apptype'] = makeSafe($_REQUEST['apptype']);
$aClean['appId'] = makeSafe($_REQUEST['appId']);
$aClean['versionId'] = makeSafe($_REQUEST['versionId']);
$aClean['appVendorName'] = makeSafe($_REQUEST['appVendorName']);
$aClean['appVendorId'] = makeSafe($_REQUEST['appVendorId']);
$aClean['appWebpage'] = makeSafe($_REQUEST['appWebpage']);
$aClean['appIdMergeTo'] = makeSafe($_REQUEST['appIdMergeTo']);
$aClean['replyText'] = makeSafe($_REQUEST['replyText']);
$aClean['versionIdMergeTo'] = makeSafe($_REQUEST['versionIdMergeTo']);
$aClean['sDistribution'] = makeSafe($_REQUEST['sDistribution']);
function get_vendor_from_keywords($sKeywords)
{
@@ -120,11 +134,11 @@ if(!$_SESSION['current']->hasPriv("admin") && !$_SESSION['current']->isSuperMain
errorpage("Insufficient privileges.");
exit;
}
$oTest = new testData($_REQUEST['iTestingId']);
$oTest = new testData($aClean['iTestingId']);
if ($_REQUEST['sub'])
if ($aClean['sub'])
{
if($_REQUEST['apptype'] == 'application')
if($aClean['apptype'] == 'application')
{
/* make sure the user is authorized to view this application request */
if(!$_SESSION['current']->hasPriv("admin"))
@@ -133,21 +147,21 @@ if ($_REQUEST['sub'])
exit;
}
$oApp = new Application($_REQUEST['appId']);
$oApp = new Application($aClean['appId']);
// if we are processing a queued application there MUST be an implicitly queued
// version to go along with it.
$sQuery = "Select versionId from appVersion where appId='".$_REQUEST['appId']."';";
$sQuery = "Select versionId from appVersion where appId='".$aClean['appId']."';";
$hResult = query_appdb($sQuery);
$oRow = mysql_fetch_object($hResult);
$oVersion = new Version($oRow->versionId);
}
else if($_REQUEST['apptype'] == 'version')
else if($aClean['apptype'] == 'version')
{
/* make sure the user has permission to view this version */
$oVersion = new Version($_REQUEST['versionId']);
$oVersion = new Version($aClean['versionId']);
if(!$_SESSION['current']->hasAppVersionModifyPermission($oVersion))
{
errorpage("Insufficient privileges.");
@@ -173,21 +187,21 @@ if ($_REQUEST['sub'])
$oTest = new testResult();
}
if($_REQUEST['sub'] == 'add')
if($aClean['sub'] == 'add')
{
$oVersion = new Version($_REQUEST['versionId']);
$oTest = new testData($_REQUEST['iTestingId']);
$oVersion = new Version($aClean['versionId']);
$oTest = new testData($aClean['iTestingId']);
$oVersion->GetOutputEditorValues();
$oTest->GetOutputEditorValues();
if ($_REQUEST['apptype'] == "application") // application
if ($aClean['apptype'] == "application") // application
{
$oApp = new Application($_REQUEST['appId']);
$oApp = new Application($aClean['appId']);
$oApp->GetOutputEditorValues(); // load the values from $_REQUEST
// add new vendor
if($_REQUEST['appVendorName'] and !$_REQUEST['appVendorId'])
if($aClean['appVendorName'] and !$aClean['appVendorId'])
{
$oVendor = new Vendor();
$oVendor->create($_REQUEST['appVendorName'],$_REQUEST['appWebpage']);
$oVendor->create($aClean['appVendorName'],$aClean['appWebpage']);
$oApp->iVendorId = $oVendor->iVendorId;
}
$oApp->update(true);
@@ -199,16 +213,16 @@ if ($_REQUEST['sub'])
$oTest->unQueue();
redirect($_SERVER['PHP_SELF']);
}
else if ($_REQUEST['sub'] == 'duplicate')
else if ($aClean['sub'] == 'duplicate')
{
if(is_numeric($_REQUEST['appIdMergeTo']))
if(is_numeric($aClean['appIdMergeTo']))
{
/* move this version submission under the existing app */
$oVersion->iAppId = $_REQUEST['appIdMergeTo'];
$oVersion->iAppId = $aClean['appIdMergeTo'];
$oVersion->update();
/* delete the appId that is the duplicate */
$_REQUEST['replyText'] = "Your Vesion information was moved to an existing Application";
$aClean['replyText'] = "Your Vesion information was moved to an existing Application";
$oAppDelete = new Application($oApp->iAppId);
$oAppDelete->delete();
}
@@ -216,51 +230,51 @@ if ($_REQUEST['sub'])
/* redirect back to the main page */
redirect(apidb_fullurl("admin/adminAppQueue.php"));
}
else if ($_REQUEST['sub'] == 'movetest')
else if ($aClean['sub'] == 'movetest')
{
if(is_numeric($_REQUEST['versionIdMergeTo']))
if(is_numeric($aClean['versionIdMergeTo']))
{
// move this Test submission under the existing version //
$oTest->iVersionId = $_REQUEST['versionIdMergeTo'];
$oTest->iVersionId = $aClean['versionIdMergeTo'];
$oTest->update();
// delete the Version entry
$_REQUEST['replyText'] = "Your Test results were moved to existing version";
$oVersion = new Version($_REQUEST['versionId']);
$aClean['replyText'] = "Your Test results were moved to existing version";
$oVersion = new Version($aClean['versionId']);
$oVersion->delete();
}
// redirect back to the main page
redirect(apidb_fullurl("admin/adminAppQueue.php"));
}
else if ($_REQUEST['sub'] == 'Delete')
else if ($aClean['sub'] == 'Delete')
{
if (($_REQUEST['apptype'] == "application") && is_numeric($_REQUEST['appId'])) // application
if (($aClean['apptype'] == "application") && is_numeric($aClean['appId'])) // application
{
// delete the application entry
$oApp = new Application($_REQUEST['appId']);
$oApp = new Application($aClean['appId']);
$oApp->delete();
} else if(($_REQUEST['apptype'] == "version") && is_numeric($_REQUEST['versionId'])) // version
} else if(($aClean['apptype'] == "version") && is_numeric($aClean['versionId'])) // version
{
// delete the Version entry
$oVersion = new Version($_REQUEST['versionId']);
$oVersion = new Version($aClean['versionId']);
$oVersion->delete();
}
redirect(apidb_fullurl("admin/adminAppQueue.php"));
}
else if ($_REQUEST['sub'] == 'Reject')
else if ($aClean['sub'] == 'Reject')
{
$oVersion = new Version($_REQUEST['versionId']);
$oTest = new testData($_REQUEST['iTestingId']);
$oVersion = new Version($aClean['versionId']);
$oTest = new testData($aClean['iTestingId']);
$oVersion->GetOutputEditorValues();
$oTest->GetOutputEditorValues();
if ($_REQUEST['apptype'] == "application") // application
if ($aClean['apptype'] == "application") // application
{
$oApp = new Application($_REQUEST['appId']);
$oApp = new Application($aClean['appId']);
$oApp->GetOutputEditorValues(); // load the values from $_REQUEST
$oApp->update(true);
$oApp->reject();
@@ -273,7 +287,7 @@ if ($_REQUEST['sub'])
}
//process according to sub flag
if ($_REQUEST['sub'] == 'view')
if ($aClean['sub'] == 'view')
{
$x = new TableVE("view");
apidb_header("Admin App Queue");
@@ -385,7 +399,7 @@ if ($_REQUEST['sub'])
{
$oVersion->OutputEditor(false, false);
}
$oTest->OutputEditor($_REQUEST['sDistribution']);
$oTest->OutputEditor($aClean['sDistribution']);
echo html_frame_start("Reply text", "90%", "", 0);
echo "<table width='100%' border=0 cellpadding=2 cellspacing=0>\n";
@@ -418,7 +432,7 @@ if ($_REQUEST['sub'])
redirect(apidb_fullurl("admin/adminAppQueue.php"));
}
}
else /* if ($_REQUEST['sub']) is not defined, display the main app queue page */
else /* if ($aClean['sub']) is not defined, display the main app queue page */
{
apidb_header("Admin App Queue");
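Review bot: `$oApp->GetOutputEditorValues(); // load the values from $_REQUEST` and the matching calls on `$oVersion` and `$oTest` in the `add` and `Reject` branches still read `$_REQUEST` directly according to that comment, so the `$aClean` filtering added at the top of this file does not cover the fields those methods consume; the methods live outside these hunks and should either filter internally or be given filtered values. The `Delete` branch checks `is_numeric($aClean['appId'])` before constructing an `Application`, but `$oApp = new Application($aClean['appId']);` in the `application` branch and the `Select versionId from appVersion where appId='...'` query do not; the same guard belongs there, and likewise for `versionId` before `new Version(...)`. The writes `$aClean['replyText'] = "..."` in the `duplicate`/`movetest` branches replaced writes to `$_REQUEST['replyText']`, so any later mail code that still reads `$_REQUEST['replyText']` (outside these hunks) would no longer see the override — please verify.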


@@ -11,6 +11,15 @@ require(BASE."include/incl.php");
require(BASE."include/application.php");
require(BASE."include/mail.php");
$aClean = array(); //array of filtered user input
$aClean['sub'] = makeSafe($_REQUEST['sub']);
$aClean['buglinkId'] = makeSafe($_REQUEST['buglinkId']);
$aClean['ItemsPerPage'] = makeSafe($_REQUEST['ItemsPerPage']);
$aClean['QueuedOnly'] = makeSafe($_REQUEST['QueuedOnly']);
$aClean['page'] = makeSafe($_REQUEST['page']);
// deny access if not logged in
if(!$_SESSION['current']->hasPriv("admin"))
{
@@ -18,19 +27,19 @@ if(!$_SESSION['current']->hasPriv("admin"))
exit;
}
if ($_REQUEST['sub'])
if ($aClean['sub'])
{
if(($_REQUEST['sub'] == 'delete' ) && ($_REQUEST['buglinkId']))
if(($aClean['sub'] == 'delete' ) && ($aClean['buglinkId']))
{
$oBuglink = new bug($_REQUEST['buglinkId']);
$oBuglink = new bug($aClean['buglinkId']);
$oBuglink->delete();
}
if(($_REQUEST['sub'] == 'unqueue' ) && ($_REQUEST['buglinkId']))
if(($aClean['sub'] == 'unqueue' ) && ($aClean['buglinkId']))
{
$oBuglink = new bug($_REQUEST['buglinkId']);
$oBuglink = new bug($aClean['buglinkId']);
$oBuglink->unqueue();
}
redirect($_SERVER['PHP_SELF']."?ItemsPerPage=".$_REQUEST['ItemsPerPage']."&QueuedOnly=".$_REQUEST['QueuedOnly']."&page=".$_REQUEST['page']);
redirect($_SERVER['PHP_SELF']."?ItemsPerPage=".$aClean['ItemsPerPage']."&QueuedOnly=".$aClean['QueuedOnly']."&page=".$aClean['page']);
exit;
}
@@ -40,13 +49,13 @@ if ($_REQUEST['sub'])
$pageRange = 10;
$ItemsPerPage = 10;
$currentPage = 1;
$QueuedOnly = !isset($_REQUEST['QueuedOnly'])? NULL: $_REQUEST['QueuedOnly'];
$QueuedOnly = empty($aClean['QueuedOnly'])? NULL: $aClean['QueuedOnly'];
$BugLinks = ($QueuedOnly == 'on')?getNumberOfQueuedBugLinks():getNumberOfBugLinks();
if($_REQUEST['ItemsPerPage'])
$ItemsPerPage = $_REQUEST['ItemsPerPage'];
if($aClean['ItemsPerPage'])
$ItemsPerPage = $aClean['ItemsPerPage'];
if($_REQUEST['page'])
$currentPage = $_REQUEST['page'];
if($aClean['page'])
$currentPage = $aClean['page'];
$ItemsPerPage = min($ItemsPerPage,100);
$totalPages = max(ceil($BugLinks/$ItemsPerPage),1);
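Review bot: `$ItemsPerPage = $aClean['ItemsPerPage'];` and `$currentPage = $aClean['page'];` accept any non-empty string; a non-numeric `ItemsPerPage` passes through `min($ItemsPerPage,100)` unchanged and then reaches `ceil($BugLinks/$ItemsPerPage)`, which divides by a zero-valued string, and `page` is never bounded at all. Guard both before use, e.g. `if(is_numeric($aClean['ItemsPerPage']) && $aClean['ItemsPerPage'] > 0)` and `if(is_numeric($aClean['page']) && $aClean['page'] > 0)`, or cast with `(int)`. The same unvalidated paging pattern is introduced in the comment-queue and screenshots sections of this commit (`if($aClean['ItemsPerPage'])` / `if($aClean['page'])`), and the comment-queue section additionally has no `min(...,100)` upper bound. The `redirect($_SERVER['PHP_SELF']."?ItemsPerPage=".$aClean['ItemsPerPage']...` line (and the equivalent redirect in the screenshots section) concatenates these values into a Location URL without `urlencode()`; whether that is adequate depends on what `makeSafe()` strips, which this page does not show.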


@@ -15,10 +15,15 @@ $pageRange = 10;
$ItemsPerPage = 10;
$currentPage = 1;
if($_REQUEST['ItemsPerPage'])
$ItemsPerPage = $_REQUEST['ItemsPerPage'];
if($_REQUEST['page'])
$currentPage = $_REQUEST['page'];
$aClean = array(); //array of filtered user input
$aClean['ItemsPerPage'] = makeSafe($_REQUEST['ItemsPerPage']);
$aClean['page'] = makeSafe($_REQUEST['page']);
if($aClean['ItemsPerPage'])
$ItemsPerPage = $aClean['ItemsPerPage'];
if($aClean['page'])
$currentPage = $aClean['page'];
$totalPages = ceil(getNumberOfComments()/$ItemsPerPage);


@@ -11,21 +11,29 @@ require(BASE."include/maintainer.php");
require(BASE."include/application.php");
require(BASE."include/mail.php");
$aClean = array(); //array of filtered user input
$aClean['sub'] = makeSafe( $_REQUEST['sub'] );
$aClean['queueId'] = makeSafe( $_REQUEST['queueId'] );
$aClean['add'] = makeSafe( $_REQUEST['add'] );
$aClean['reject'] = makeSafe( $_REQUEST'reject'] );
$aClean['replyText'] = makeSafe( $_REQUEST['replyText'] );
if(!$_SESSION['current']->hasPriv("admin"))
{
errorpage("Insufficient privileges.");
exit;
}
if ($_REQUEST['sub'])
if ($aClean['sub'])
{
if ($_REQUEST['queueId'])
if ($aClean['queueId'])
{
//get data
$query = "SELECT queueId, appId, versionId,".
"userId, maintainReason, superMaintainer,".
"UNIX_TIMESTAMP(submitTime) as submitTime ".
"FROM appMaintainerQueue WHERE queueId = ".$_REQUEST['queueId'].";";
"FROM appMaintainerQueue WHERE queueId = ".$aClean['queueId'].";";
$result = query_appdb($query);
$ob = mysql_fetch_object($result);
$oUser = new User($ob->userId);
@@ -38,7 +46,7 @@ if ($_REQUEST['sub'])
}
//process according to which request was submitted and optionally the sub flag
if (!$_REQUEST['add'] && !$_REQUEST['reject'] && $_REQUEST['queueId'])
if (!$aClean['add'] && !$aClean['reject'] && $aClean['queueId'])
{
apidb_header("Admin Maintainer Queue");
echo '<form name="qform" action="adminMaintainerQueue.php" method="post" enctype="multipart/form-data">',"\n";
@@ -163,7 +171,7 @@ if ($_REQUEST['sub'])
echo '</table>',"\n";
echo '<input type=hidden name="sub" value="inside_form" />',"\n";
echo '<input type=hidden name="queueId" value="'.$_REQUEST['queueId'].'" />',"\n";
echo '<input type=hidden name="queueId" value="'.$aClean['queueId'].'" />',"\n";
echo html_frame_end("&nbsp;");
echo html_back_link(1,'adminMaintainerQueue.php');
@@ -172,7 +180,7 @@ if ($_REQUEST['sub'])
exit;
}
else if ($_REQUEST['add'] && $_REQUEST['queueId'])
else if ($aClean['add'] && $aClean['queueId'])
{
/* create a new user object for the maintainer */
$maintainerUser = new User($ob->userId);
@@ -180,11 +188,11 @@ if ($_REQUEST['sub'])
/* add the user as a maintainer and return the statusMessage */
$statusMessage = $maintainerUser->addAsMaintainer($ob->appId, $ob->versionId,
$ob->superMaintainer,
$_REQUEST['queueId']);
$aClean['queueId']);
//done
addmsg("<p><b>$statusMessage</b></p>", 'green');
}
else if (($_REQUEST['reject'] || ($_REQUEST['sub'] == 'reject')) && $_REQUEST['queueId'])
else if (($aClean['reject'] || ($aClean['sub'] == 'reject')) && $aClean['queueId'])
{
$sEmail = $oUser->sEmail;
if ($sEmail)
@@ -193,7 +201,7 @@ if ($_REQUEST['sub'])
$oVersion = new Version($ob->versionId);
$sSubject = "Application Maintainer Request Report";
$sMsg = "Your application to be the maintainer of ".$oApp->sName." ".$oVersion->sName." was rejected. ";
$sMsg .= $_REQUEST['replyText'];
$sMsg .= $aClean['replyText'];
$sMsg .= "";
$sMsg .= "-The AppDB admins\n";
@@ -201,7 +209,7 @@ if ($_REQUEST['sub'])
}
//delete main item
$query = "DELETE from appMaintainerQueue where queueId = ".$_REQUEST['queueId'].";";
$query = "DELETE from appMaintainerQueue where queueId = ".$aClean['queueId'].";";
$result = query_appdb($query,"unable to delete selected maintainer application");
echo html_frame_start("Delete maintainer application",400,"",0);
if($result)
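Review bot: `$aClean['reject'] = makeSafe( $_REQUEST'reject'] );` is missing the opening `[` and is a parse error, so the whole file fails to load as committed; it should read `$aClean['reject'] = makeSafe( $_REQUEST['reject'] );`. In the same file `queueId` is concatenated unquoted into `WHERE queueId = ".$aClean['queueId'].";` in both the SELECT and the DELETE; quote-escaping style filtering does not constrain an unquoted numeric operand, so add `if(!is_numeric($aClean['queueId'])) { errorpage("Invalid queue id"); exit; }` (or an `(int)` cast) before the first query. The maintainers section of this commit has the same unquoted pattern in `DELETE FROM appMaintainers WHERE maintainerId = ".$aClean['maintainerId'].";` and should receive the same check.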


@@ -9,6 +9,11 @@
include("path.php");
require(BASE."include/incl.php");
$aClean = array(); //array of filtered user input
$aClean['sub'] = makeSafe($_REQUEST['sub']);
$aClean['maintainerId'] = makeSafe($_REQUEST['maintainerId']);
// deny access if not logged in
if(!$_SESSION['current']->hasPriv("admin"))
{
@@ -19,13 +24,13 @@ if(!$_SESSION['current']->hasPriv("admin"))
apidb_header("Admin Maintainers");
echo '<form name="qform" action="adminMaintainers.php" method="post" enctype="multipart/form-data">',"\n";
if ($_REQUEST['sub'])
if ($aClean['sub'])
{
if($_REQUEST['sub'] == 'delete')
if($aClean['sub'] == 'delete')
{
$sQuery = "DELETE FROM appMaintainers WHERE maintainerId = ".$_REQUEST['maintainerId'].";";
$sQuery = "DELETE FROM appMaintainers WHERE maintainerId = ".$aClean['maintainerId'].";";
$hResult = query_appdb($sQuery);
echo html_frame_start("Delete maintainer: ".$_REQUEST['maintainerId'],400,"",0);
echo html_frame_start("Delete maintainer: ".$aClean['maintainerId'],400,"",0);
if($hResult)
{
// success


@@ -10,6 +10,15 @@ require_once(BASE."include/screenshot.php");
require(BASE."include/application.php");
require(BASE."include/mail.php");
$aClean = array(); //array of filtered user input
$aClean['cmd'] = makeSafe($_REQUEST['cmd']);
$aClean['imageId'] = makeSafe($_REQUEST['imageId']);
$aClean['ItemsPerPage'] = makeSafe($_REQUEST['ItemsPerPage']);
$aClean['page'] = makeSafe($_REQUEST['page']);
$aClean['regenerate'] = makeSafe($_REQUEST['regenerate']);
$aClean['versionId'] = makeSafe($_REQUEST['versionId']);
// deny access if not admin
if(!$_SESSION['current']->hasPriv("admin"))
{
@@ -19,18 +28,18 @@ if(!$_SESSION['current']->hasPriv("admin"))
/*
* We issued a delete command.
*/
if($_REQUEST['cmd'])
if($aClean['cmd'])
{
// process screenshot deletion
if($_REQUEST['cmd'] == "delete" && is_numeric($_REQUEST['imageId']))
if($aClean['cmd'] == "delete" && is_numeric($aClean['imageId']))
{
$oScreenshot = new Screenshot($_REQUEST['imageId']);
$oScreenshot = new Screenshot($aClean['imageId']);
$oScreenshot->delete();
$oScreenshot->free();
}
redirect($_SERVER['PHP_SELF'].
"?ItemsPerPage=".$_REQUEST['ItemsPerPage'].
"&page=".$_REQUEST['page']);
"?ItemsPerPage=".$aClean['ItemsPerPage'].
"&page=".$aClean['page']);
exit;
}
@@ -38,7 +47,7 @@ if($_REQUEST['cmd'])
apidb_header("Screenshots");
// regenerate all screenshots
if($_REQUEST['regenerate'])
if($aClean['regenerate'])
{
$sQuery = "SELECT id FROM appData WHERE type = 'image'";
$hResult = query_appdb($sQuery);
@@ -63,10 +72,10 @@ $pageRange = 10;
$ItemsPerPage = 6;
$currentPage = 1;
if($_REQUEST['ItemsPerPage'])
$ItemsPerPage = $_REQUEST['ItemsPerPage'];
if($_REQUEST['page'])
$currentPage = $_REQUEST['page'];
if($aClean['ItemsPerPage'])
$ItemsPerPage = $aClean['ItemsPerPage'];
if($aClean['page'])
$currentPage = $aClean['page'];
$ItemsPerPage = min($ItemsPerPage,100);
$totalPages = ceil(getNumberOfImages()/$ItemsPerPage);
@@ -130,7 +139,7 @@ while ($oRow = mysql_fetch_object($Ids))
//show admin delete link
if($_SESSION['current']->isLoggedIn() &&
($_SESSION['current']->hasPriv("admin") ||
$_SESSION['current']->isMaintainer($_REQUEST['versionId'])))
$_SESSION['current']->isMaintainer($aClean['versionId'])))
{
echo "<br />[<a href='".$_SERVER['PHP_SELF'];
echo "?cmd=delete&imageId=$oRow->id";


@@ -11,11 +11,14 @@ require(BASE."include/mail.php");
require_once(BASE."include/testResults.php");
require_once(BASE."include/distributions.php");
$aClean = array();
$aClean['sub'] = makeSafe($_REQUEST['sub']);
$aClean['iTestingId'] = makeSafe($_REQUEST['iTestingId']);
if ($_REQUEST['sub'])
if ($aClean['sub'])
{
$oTest = new testData($_REQUEST['iTestingId']);
$oTest = new testData($aClean['iTestingId']);
$oVersion = new Version($oTest->iVersionId);
if(!($_SESSION['current']->hasAppVersionModifyPermission($oVersion)))
{
@@ -23,26 +26,26 @@ if ($_REQUEST['sub'])
exit;
}
if(($_REQUEST['sub'] == 'Submit') || ($_REQUEST['sub'] == 'Save') ||
($_REQUEST['sub'] == 'Reject') || ($_REQUEST['sub'] == 'Delete'))
if(($aClean['sub'] == 'Submit') || ($aClean['sub'] == 'Save') ||
($aClean['sub'] == 'Reject') || ($aClean['sub'] == 'Delete'))
{
if(is_numeric($_REQUEST['iTestingId']))
if(is_numeric($aClean['iTestingId']))
{
$oTest = new testData($_REQUEST['iTestingId']);
$oTest = new testData($aClean['iTestingId']);
$oTest->GetOutputEditorValues();
if($_REQUEST['sub'] == 'Submit') // submit the testing results
if($aClean['sub'] == 'Submit') // submit the testing results
{
$oTest->update(true);
$oTest->unQueue();
} else if($_REQUEST['sub'] == 'Save') // save the testing results
} else if($aClean['sub'] == 'Save') // save the testing results
{
$oTest->update();
} else if($_REQUEST['sub'] == 'Reject') // reject testing results
} else if($aClean['sub'] == 'Reject') // reject testing results
{
$oTest->update(true);
$oTest->Reject();
} else if($_REQUEST['sub'] == 'Delete') // delete testing results
} else if($aClean['sub'] == 'Delete') // delete testing results
{
$oTest->delete();
}
@@ -51,15 +54,15 @@ if ($_REQUEST['sub'])
}
}
if(is_numeric($_REQUEST['iTestingId']))
if(is_numeric($aClean['iTestingId']))
{
$oTest = new testData($_REQUEST['iTestingId']);
$oTest = new testData($aClean['iTestingId']);
}
$oVersion = new Version($oTest->iVersionId);
$oApp = new application($oVersion->iAppId);
$sVersionInfo = $oApp->sName." ".$oVersion->sName;
if ($_REQUEST['sub'] == 'view')
if ($aClean['sub'] == 'view')
{
switch($oTest->sQueued)
{
@@ -141,7 +144,7 @@ if ($_REQUEST['sub'])
redirect($_SERVER['PHP_SELF']);
}
}
else // if ($_REQUEST['sub']) is not defined, display the Testing results queue page
else // if ($aClean['sub']) is not defined, display the Testing results queue page
{
$oTest = new TestData();
apidb_header("Testing Results");
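Review bot: `$oTest = new testData($aClean['iTestingId']);` at the top of the `if ($aClean['sub'])` branch runs before either `is_numeric($aClean['iTestingId'])` check further down, and the `hasAppVersionModifyPermission($oVersion)` decision is then made on an object built from the unvalidated id. Hoist the check to immediately after the `$aClean` assignments, e.g. `if(!is_numeric($aClean['iTestingId'])) { errorpage("Invalid testing id"); exit; }` inside the `sub` branch, which also makes the two later `is_numeric` guards redundant — unless some `sub` flow legitimately arrives without an id, which the visible hunks do not show.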


@@ -6,6 +6,15 @@
include("path.php");
include(BASE."include/incl.php");
$aClean = array(); //filtered user input
$aClean['action'] = makeSafe($_REQUEST['action']);
$aClean['userId'] = makeSafe($_REQUEST['userId']);
$aClean['sSearch'] = makeSafe($_REQUEST['sSearch']);
$aClean['iLimit'] = makeSafe($_REQUEST['iLimit']);
$aClean['sOrderBy'] = makeSafe($_REQUEST['sOrderBy']);
$aClean['sSubmit'] = makeSafe($_REQUEST['sSubmit']);
apidb_header("Admin Users Management");
if(!$_SESSION['current']->hasPriv("admin"))
@@ -15,9 +24,9 @@ if(!$_SESSION['current']->hasPriv("admin"))
}
// we want to delete a user
if($_REQUEST['action'] == "delete" && is_numeric($_REQUEST['userId']))
if($aClean['action'] == "delete" && is_numeric($aClean['userId']))
{
$oUser = new User($_REQUEST['userId']);
$oUser = new User($aClean['userId']);
$oUser->delete();
}
@@ -28,15 +37,15 @@ echo html_frame_start("Users Management","400","",0)
<table width="100%" border=0 cellpadding=0 cellspacing=0>
<tr>
<td class="color1">Pattern</td>
<td><input type="text" name="sSearch" value="<?php echo$_REQUEST['sSearch'];?>"/><br /><small>(leave blank to match all)</small></td>
<td><input type="text" name="sSearch" value="<?php echo $aClean['sSearch'];?>"/><br /><small>(leave blank to match all)</small></td>
</tr>
<tr>
<td class="color1">Show first</td>
<td>
<select name="iLimit">
<option value="100"<?php if($_REQUEST['iLimit']=="100")echo" SELECTED";?>>100 results</option>
<option value="200"<?php if($_REQUEST['iLimit']=="200")echo" SELECTED";?>>200 results</option>
<option value="500"<?php if($_REQUEST['iLimit']=="500")echo" SELECTED";?>>500 result</option>
<option value="100"<?php if($aClean['iLimit']=="100")echo" SELECTED";?>>100 results</option>
<option value="200"<?php if($aClean['iLimit']=="200")echo" SELECTED";?>>200 results</option>
<option value="500"<?php if($aClean['iLimit']=="500")echo" SELECTED";?>>500 result</option>
</select>
</td>
</tr>
@@ -44,9 +53,9 @@ echo html_frame_start("Users Management","400","",0)
<td class="color1">Order by</td>
<td>
<select NAME="sOrderBy">
<option value="email"<?php if($_REQUEST['sOrderBy']=="email")echo" SELECTED";?>>e-mail</option>
<option value="realname"<?php if($_REQUEST['sOrderBy']=="realname")echo" SELECTED";?>>real name</option>
<option value="created"<?php if($_REQUEST['sOrderBy']=="created")echo" SELECTED";?>>creation date</option>
<option value="email"<?php if($aClean['sOrderBy']=="email")echo" SELECTED";?>>e-mail</option>
<option value="realname"<?php if($aClean['sOrderBy']=="realname")echo" SELECTED";?>>real name</option>
<option value="created"<?php if($aClean['sOrderBy']=="created")echo" SELECTED";?>>creation date</option>
</select>
</td>
</tr>
@@ -59,7 +68,7 @@ echo html_frame_start("Users Management","400","",0)
echo html_frame_end();
// if the search form was submitted
if($_REQUEST['sSubmit'])
if($aClean['sSubmit'])
{
echo html_frame_start("Query Results","90%","",0);
echo "<table width='100%' border=0 cellpadding=3 cellspacing=0>\n\n";
@@ -71,13 +80,13 @@ if($_REQUEST['sSubmit'])
echo " <td>Roles</td>\n";
echo " <td align=\"center\">Action</td>\n";
echo "</tr>\n\n";
if(is_numeric($_REQUEST['iLimit']) && in_array($_REQUEST['sOrderBy'],array("email","realname","created")))
if(is_numeric($aClean['iLimit']) && in_array($aClean['sOrderBy'],array("email","realname","created")))
{
$sSearch = addslashes($_REQUEST['sSearch']);
$sSearch = $aClean['sSearch'];
$sQuery = "SELECT * FROM user_list
WHERE realname LIKE '%".$sSearch."%' OR email LIKE '%".$sSearch."%'
ORDER BY ".$_REQUEST['sOrderBy']."
LIMIT ".$_REQUEST['iLimit'];
ORDER BY ".$aClean['sOrderBy']."
LIMIT ".$aClean['iLimit'];
$hResult = query_appdb($sQuery);
$i=0;
while($hResult && $oRow = mysql_fetch_object($hResult))
@@ -93,7 +102,7 @@ if($_REQUEST['sSubmit'])
if($oUser->hasPriv("admin")) echo "A";
if($oUser->isMaintainer()) echo "M";
echo " </td>\n";
echo " <td align=\"center\">[<a href=\"../preferences.php?userId=".$oRow->userid."&sSearch=".$sSearch."&iLimit=".$_REQUEST['iLimit']."&sOrderBy=".$_REQUEST['sOrderBy']."\">edit</a>]&nbsp;[<a onclick=\"if(!confirm('".$sAreYouSure."'))return false;\" \"href=\"".$_SERVER['PHP_SELF']."?action=delete&userId=".$oRow->userid."&sSearch=".$sSearch."&iLimit=".$_REQUEST['iLimit']."&sOrderBy=".$_REQUEST['sOrderBy']."&sSubmit=true\">delete</a>]</td>\n";
echo " <td align=\"center\">[<a href=\"../preferences.php?userId=".$oRow->userid."&sSearch=".$sSearch."&iLimit=".$aClean['iLimit']."&sOrderBy=".$aClean['sOrderBy']."\">edit</a>]&nbsp;[<a onclick=\"if(!confirm('".$sAreYouSure."'))return false;\" \"href=\"".$_SERVER['PHP_SELF']."?action=delete&userId=".$oRow->userid."&sSearch=".$sSearch."&iLimit=".$aClean['iLimit']."&sOrderBy=".$aClean['sOrderBy']."&sSubmit=true\">delete</a>]</td>\n";
echo "</tr>\n\n";
}
}


@@ -14,8 +14,15 @@ require_once(BASE."include/mail.php");
require_once(BASE."include/monitor.php");
require_once(BASE."include/testResults.php");
$aClean = array(); //filtered user input
if($_REQUEST['confirmed'] != "yes")
$aClean['confirmed'] = makeSafe($_REQUEST['confirmed']);
$aClean['what'] = makeSafe($_REQUEST['what']);
$aClean['catId'] = makeSafe($_REQUEST['catId']);
$aClean['appId'] = makeSafe($_REQUEST['appId']);
$aClean['versionId'] = makeSafe($_REQUEST['versionId']);
if($aClean['confirmed'] != "yes")
{
// ask for confirmation
// could do some Real Damage if someone accidently hits the delete button on the main category :)
@@ -25,13 +32,13 @@ if($_REQUEST['confirmed'] != "yes")
errorpage("Not confirmed");
}
if($_REQUEST['what'])
if($aClean['what'])
{
switch($_REQUEST['what'])
switch($aClean['what'])
{
case "category":
// delete category and the apps in it
$oCategory = new Category($_REQUEST['catId']);
$oCategory = new Category($aClean['catId']);
if(!$oCategory->delete())
errorpage();
else
@@ -39,18 +46,18 @@ if($_REQUEST['what'])
break;
case "appFamily":
// delete app family & all its versions
$oApp = new Application($_REQUEST['appId']);
$oApp = new Application($aClean['appId']);
if(!$oApp->delete())
errorpage();
else
redirect(BASE."appbrowse.php");
break;
case "appVersion":
$oVersion = new Version($_REQUEST['versionId']);
$oVersion = new Version($aClean['versionId']);
if(!$oVersion->delete())
errorpage();
else
redirect(BASE."appview.php?appId=".$_REQUEST['appId']);
redirect(BASE."appview.php?appId=".$aClean['appId']);
break;
}
}
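Review bot: The catId, appId and versionId values read into `$aClean` at the top of the first hunk go straight into `new Category(...)`, `new Application(...)` and `new Version(...)` without the `is_numeric` guard that the editAppFamily, editAppVersion and editAppNote sections of this same commit apply before constructing from a request id; the distribution section (`new distribution($aClean['iDistributionId'])`) and the vendor section (`new Vendor($aClean['iVendorId'])`) have the same gap. Whatever makeSafe() does (its body is not visible here), an integer id should be validated as one, e.g. at the top of each `case`: `if(!is_numeric($aClean['catId'])) { errorpage("Wrong ID"); exit; }` with the matching key in the appFamily and appVersion cases. The `redirect(BASE."appview.php?appId=".$aClean['appId'])` after the version delete would then also only ever carry a numeric value. The body of the `confirmed != "yes"` branch continues outside the first hunk.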


@@ -10,22 +10,27 @@ require(BASE."include/application.php");
require(BASE."include/category.php");
require(BASE."include/mail.php");
if(!is_numeric($_REQUEST['appId']))
$aClean = array(); //array of filtered user input
$aClean['appId'] = makeSafe($_REQUEST['appId']);
$aClean['submit'] = makeSafe($_REQUEST['submit']);
if(!is_numeric($aClean['appId']))
{
errorpage("Wrong ID");
exit;
}
if(!($_SESSION['current']->hasPriv("admin") || $_SESSION['current']->isSuperMaintainer($_REQUEST['appId'])))
if(!($_SESSION['current']->hasPriv("admin") || $_SESSION['current']->isSuperMaintainer($aClean['appId'])))
{
errorpage("Insufficient Privileges!");
exit;
}
if(isset($_REQUEST['submit']))
if(!empty($aClean['submit']))
{
process_app_version_changes(false);
redirect(apidb_fullurl("appview.php?appId={$_REQUEST['appId']}"));
redirect(apidb_fullurl("appview.php?appId={$aClean['appId']}"));
}
else
// Show the form for editing the Application Family
@@ -33,7 +38,7 @@ else
$family = new TableVE("edit");
$oApp = new Application($_REQUEST['appId']);
$oApp = new Application($aClean['appId']);
if(!$oApp)
{
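Review bot: `is_numeric($aClean['appId'])` accepts more than a decimal id (floats, exponent notation, leading whitespace, and on PHP 5 hex strings), yet the value is then used verbatim in `new Application($aClean['appId'])` and interpolated into the `appview.php?appId=` redirect; pin it once the check has passed, `$aClean['appId'] = (int)$aClean['appId'];`, or test with `ctype_digit` instead of `is_numeric`. The editAppVersion section (appId and versionId) and the move-version section at the end of this chunk follow the same pattern. `process_app_version_changes(false)` is called with none of the form fields it consumes present in `$aClean`, so if that helper still reads `$_REQUEST` itself, that path is not covered by this change. The `else` branch after the redirect is cut off at the end of the hunk.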


@@ -8,14 +8,24 @@ require(BASE."include/incl.php");
require(BASE."include/application.php");
require(BASE."include/mail.php");
if(!is_numeric($_REQUEST['noteId']))
$aClean = array(); //array of filtered user input
$aClean['noteId'] = makeSafe($_REQUEST['noteId']);
$aClean['sub'] = makeSafe($_REQUEST['sub']);
$aClean['noteTitle'] = makeSafe($_REQUEST['noteTitle']);
$aClean['noteDesc'] = makeSafe($_REQUEST['noteDesc']);
$aClean['preview'] = makeSafe($_REQUEST['preview']);
$aClean['appId'] = makeSafe($_REQUEST['appId']);
$aClean['versionId'] = makeSafe($_REQUEST['versionId']);
if(!is_numeric($aClean['noteId']))
{
errorpage('Wrong note ID');
exit;
}
/* Get note data */
$oNote = new Note($_REQUEST['noteId']);
$oNote = new Note($aClean['noteId']);
/* Check for privs */
if(!$_SESSION['current']->hasPriv("admin") && !$_SESSION['current']->isMaintainer($oNote->iVersionId) && !$_SESSION['current']->isSuperMaintainer($oNote->iAppId))
@@ -24,26 +34,26 @@ if(!$_SESSION['current']->hasPriv("admin") && !$_SESSION['current']->isMaintaine
exit;
}
if(isset($_REQUEST['sub']))
if(!empty($aClean['sub']))
{
if ($_REQUEST['sub'] == 'Delete')
if ($aClean['sub'] == 'Delete')
{
$oNote->delete();
}
else if ($_REQUEST['sub'] == 'Update')
else if ($aClean['sub'] == 'Update')
{
$oNote->update($_REQUEST['noteTitle'],$_REQUEST['noteDesc']);
$oNote->update($aClean['noteTitle'],$aClean['noteDesc']);
}
redirect(apidb_fullurl("appview.php?versionId={$oNote->iVersionId}"));
}
else
{
if (!isset($_REQUEST['preview']))
if (empty($aClean['preview']))
{
$_REQUEST['noteTitle'] = $oNote->sTitle;
$_REQUEST['noteDesc'] = $oNote->sDescription;
$_REQUEST['appId'] = $oNote->iAppId;
$_REQUEST['versionId'] = $oNote->iVersionId;
$aClean['noteTitle'] = $oNote->sTitle;
$aClean['noteDesc'] = $oNote->sDescription;
$aClean['appId'] = $oNote->iAppId;
$aClean['versionId'] = $oNote->iVersionId;
}
HtmlAreaLoaderScript(array("editor"));
@@ -52,24 +62,24 @@ else
apidb_header("Edit Application Note");
echo "<form method=post action='editAppNote.php'>\n";
echo html_frame_start("Edit Application Note {$_REQUEST['noteId']}", "90%","",0);
echo html_frame_start("Edit Application Note {$aClean['noteId']}", "90%","",0);
echo html_table_begin("width='100%' border=0 align=left cellpadding=6 cellspacing=0 class='box-body'");
echo add_br($_REQUEST['noteDesc']);
echo add_br($aClean['noteDesc']);
echo '<input type="hidden" name="noteId" value='.$_REQUEST['noteId'].'>';
echo '<input type="hidden" name="noteId" value='.$aClean['noteId'].'>';
if ($_REQUEST['noteTitle'] == "HOWTO" || $_REQUEST['noteTitle'] == "WARNING")
if ($aClean['noteTitle'] == "HOWTO" || $aClean['noteTitle'] == "WARNING")
{
echo '<tr><td class=color1>Title (Do not change)</td>';
echo '<td class=color0><input size=80% type="text" name="noteTitle" type="text" value="'.$_REQUEST['noteTitle'].'"></td></tr>',"\n";
echo '<td class=color0><input size=80% type="text" name="noteTitle" type="text" value="'.$aClean['noteTitle'].'"></td></tr>',"\n";
}
else
{
echo '<tr><td class=color1>Title</td><td class=color0><input size=80% type="text" name="noteTitle" type="text" value="'.$_REQUEST['noteTitle'].'"></td></tr>',"\n";
echo '<tr><td class=color1>Title</td><td class=color0><input size=80% type="text" name="noteTitle" type="text" value="'.$aClean['noteTitle'].'"></td></tr>',"\n";
}
echo '<tr><td class=color4>Description</td><td class=color0>', "\n";
echo '<p style="width:700px">', "\n";
echo '<textarea cols="80" rows="20" id="editor" name="noteDesc">'.$_REQUEST['noteDesc'].'</textarea>',"\n";
echo '<textarea cols="80" rows="20" id="editor" name="noteDesc">'.$aClean['noteDesc'].'</textarea>',"\n";
echo '</p>';
echo '</td></tr><tr><td colspan="2" align="center" class="color3">',"\n";
echo '<input type="submit" name=preview value="Preview">&nbsp',"\n";
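Review bot: The title and description are echoed into `value="..."` attributes and into the `<textarea>` without HTML escaping, and in the non-preview branch `$aClean['noteTitle']`/`$aClean['noteDesc']` are overwritten with `$oNote->sTitle`/`$oNote->sDescription` straight from the database, so they never pass through makeSafe() at all; even for the preview path, if makeSafe() does SQL-style escaping (its body is not visible) that is not an HTML encoding, and the preview would also display the escaped form. Use `value="'.htmlspecialchars($aClean['noteTitle']).'"` on both title lines and `'...name="noteDesc">'.htmlspecialchars($aClean['noteDesc']).'</textarea>'` for the editor field (the browser decodes entities back into the textarea's value, so the HTML editor still receives the original markup). `echo add_br($aClean['noteDesc'])` renders the description as HTML on purpose for the preview, so any sanitisation of that markup has to happen in add_br() or the Note class, which are outside this hunk. The form-rendering `else` block continues past the end of the hunk.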


@@ -5,28 +5,34 @@ require(BASE."include/tableve.php");
require(BASE."include/application.php");
require(BASE."include/mail.php");
if(!is_numeric($_REQUEST['appId']) OR !is_numeric($_REQUEST['versionId']))
$aClean = array(); //array of filtered user input
$aClean['appId'] = makeSafe($_REQUEST['appId']);
$aClean['versionId'] = makeSafe($_REQUEST['versionId']);
$aClean['submit'] = makeSafe($_REQUEST['submit']);
if(!is_numeric($aClean['appId']) OR !is_numeric($aClean['versionId']))
{
errorpage("Wrong ID");
exit;
}
/* Check for admin privs */
if(!$_SESSION['current']->hasPriv("admin") && !$_SESSION['current']->isMaintainer($_REQUEST['versionId']) && !$_SESSION['current']->isSuperMaintainer($_REQUEST['appId']))
if(!$_SESSION['current']->hasPriv("admin") && !$_SESSION['current']->isMaintainer($aClean['versionId']) && !$_SESSION['current']->isSuperMaintainer($aClean['appId']))
{
errorpage("Insufficient Privileges!");
exit;
}
/* process the changes the user entered into the web form */
if(isset($_REQUEST['submit']))
if(!empty($aClean['submit']))
{
process_app_version_changes(true);
redirect(apidb_fullurl("appview.php?versionId=".$_REQUEST['versionId']));
redirect(apidb_fullurl("appview.php?versionId=".$aClean['versionId']));
} else /* or display the webform for making changes */
{
$oVersion = new Version($_REQUEST['versionId']);
$oVersion = new Version($aClean['versionId']);
apidb_header("Edit Application Version");
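Review bot: `if(!empty($aClean['submit']))` is not equivalent to the `isset($_REQUEST['submit'])` it replaces: `empty()` also rejects `"0"` and `""`, so a submit control whose value is `0` or empty would silently fall through to the form-display branch instead of being processed. That is probably harmless for a labelled submit button, but it is a semantic change the commit message does not mention, and the same swap is made for `submit` in editAppFamily, `sub` and `preview` in editAppNote, and `action` in the move-version section; if presence rather than truthiness is the intent, `isset($_REQUEST['submit'])` can still be used for the test while `$aClean` carries the value. The `else` branch that builds the form continues outside the hunk.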


@@ -3,6 +3,11 @@ include("path.php");
require(BASE."include/incl.php");
require(BASE."include/distributions.php");
$aClean = array(); //array of filtered user input
$aClean['iDistributionId'] = makeSafe($_REQUEST['iDistributionId']);
$aClean['submit'] = makeSafe($_REQUEST['submit']);
if(!$_SESSION['current']->hasPriv("admin"))
{
errorpage("Insufficient privileges.");
@@ -10,8 +15,8 @@ if(!$_SESSION['current']->hasPriv("admin"))
}
$oDistribution = new distribution($_REQUEST['iDistributionId']);
if($_REQUEST['Submit'])
$oDistribution = new distribution($aClean['iDistributionId']);
if($aClean['Submit'])
{
$oDistribution->GetOutputEditorValues();
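Review bot: The array key does not match between the two hunks: the first hunk fills `$aClean['submit']` (lower-case), but the `if` in the second hunk tests `$aClean['Submit']`, which is never assigned, so the save branch can no longer be reached (and raises an undefined-index notice); the original code read `$_REQUEST['Submit']`. Change the assignment to `$aClean['Submit'] = makeSafe($_REQUEST['Submit']);`. The body of that `if` continues past the end of the hunk.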


@@ -3,16 +3,22 @@ include("path.php");
require_once(BASE."include/incl.php");
require_once(BASE."include/vendor.php");
$aClean = array(); //array of filtered user input
$aClean['iVendorId'] = makeSafe($_REQUEST['iVendorId']);
$aClean['Submit'] = makeSafe($_REQUEST['Submit']);
$aClean['sName'] = makeSafe($_REQUEST['sName']);
$aClean['sWebpage'] = makeSafe($_REQUEST['sWebpage']);
if(!$_SESSION['current']->hasPriv("admin"))
{
errorpage();
exit;
}
$oVendor = new Vendor($_REQUEST['iVendorId']);
if($_REQUEST['Submit'])
$oVendor = new Vendor($aClean['iVendorId']);
if($aClean['Submit'])
{
$oVendor->update($_REQUEST['sName'],$_REQUEST['sWebpage']);
$oVendor->update($aClean['sName'],$aClean['sWebpage']);
redirect(apidb_fullurl("vendorview.php"));
}
else
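Review bot: `$oVendor->update($aClean['sName'],$aClean['sWebpage'])` stores the web page value with no check on its form; if the vendor page renders it as a hyperlink elsewhere (not visible here), a value with a non-http scheme would be stored as-is, so validating it at this boundary is the cheap place to do it, e.g. `if($aClean['sWebpage'] != "" && !preg_match('#^https?://#i', $aClean['sWebpage'])) { errorpage("Invalid web page URL"); exit; }` before the update. The `else` branch that displays the form is outside the hunk.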


@@ -5,7 +5,13 @@ require(BASE."include/tableve.php");
require(BASE."include/application.php");
require(BASE."include/mail.php");
if(!is_numeric($_REQUEST['appId']) OR !is_numeric($_REQUEST['versionId']))
$aClean = array(); //array of filtered user input
$aClean['appId'] = makeSafe($_REQUEST['appId']);
$aClean['versionId'] = makeSafe($_REQUEST['versionId']);
$aClean['action'] = makeSafe($_REQUEST['action']);
if(!is_numeric($aClean['appId']) OR !is_numeric($aClean['versionId']))
{
errorpage("Wrong ID");
exit;
@@ -18,20 +24,20 @@ if(!$_SESSION['current']->hasPriv("admin"))
exit;
}
if(isset($_REQUEST['action']))
if(!empty($aClean['action']))
{
/* move this version to the given application */
$oVersion = new Version($_REQUEST['versionId']);
$oVersion->update(null, null, null, null, $_REQUEST['appId']);
$oVersion = new Version($aClean['versionId']);
$oVersion->update(null, null, null, null, $aClean['appId']);
/* redirect to the application we just moved this version to */
redirect(apidb_fullurl("appview.php?appId=".$_REQUEST['appId']));
redirect(apidb_fullurl("appview.php?appId=".$aClean['appId']));
} else /* or display the webform for making changes */
{
?>
<link rel="stylesheet" href="./application.css" type="text/css">
<?php
$oVersion = new Version($_REQUEST['versionId']);
$oVersion = new Version($aClean['versionId']);
$oApp = new Application($oVersion->iAppId);
apidb_header("Choose application to move this version under");