Fix #7564
jmontoyaa committed Mar 4, 2015
1 parent ba947ae commit 97fec37
Showing 3 changed files with 64 additions and 55 deletions.
112 changes: 59 additions & 53 deletions main/admin/session_add.php
Expand Up @@ -96,55 +96,65 @@ function fill_coach_field (username) {


if (isset($_POST['formSent']) && $_POST['formSent']) {
$formSent = 1;
$name = $_POST['name'];
$year_start = $_POST['year_start'];
$month_start = $_POST['month_start'];
$day_start = $_POST['day_start'];
$year_end = $_POST['year_end'];
$month_end = $_POST['month_end'];
$day_end = $_POST['day_end'];
$nb_days_acess_before = $_POST['nb_days_acess_before'];
$nb_days_acess_after = $_POST['nb_days_acess_after'];
$coach_username = $_POST['coach_username'];
$id_session_category = $_POST['session_category'];
$id_visibility = $_POST['session_visibility'];
$end_limit = $_POST['end_limit'];
$start_limit = $_POST['start_limit'];
$duration = isset($_POST['duration']) ? $_POST['duration'] : null;

if (empty($end_limit) && empty($start_limit)) {
$nolimit = 1;
$check = Security::check_token('post');
Security::clear_token();
if ($check) {
$formSent = 1;
$name = $_POST['name'];
$year_start = $_POST['year_start'];
$month_start = $_POST['month_start'];
$day_start = $_POST['day_start'];
$year_end = $_POST['year_end'];
$month_end = $_POST['month_end'];
$day_end = $_POST['day_end'];
$nb_days_acess_before = $_POST['nb_days_acess_before'];
$nb_days_acess_after = $_POST['nb_days_acess_after'];
$coach_username = $_POST['coach_username'];
$id_session_category = $_POST['session_category'];
$id_visibility = $_POST['session_visibility'];
$end_limit = $_POST['end_limit'];
$start_limit = $_POST['start_limit'];
$duration = isset($_POST['duration']) ? $_POST['duration'] : null;

if (empty($end_limit) && empty($start_limit)) {
$nolimit = 1;
} else {
$nolimit = null;
}

$return = SessionManager::create_session(
$name,
$year_start,
$month_start,
$day_start,
$year_end,
$month_end,
$day_end,
$nb_days_acess_before,
$nb_days_acess_after,
$nolimit,
$coach_username,
$id_session_category,
$id_visibility,
$start_limit,
$end_limit,
$duration
);

if ($return == strval(intval($return))) {
// integer => no error on session creation
header('Location: add_courses_to_session.php?id_session=' . $return . '&add=true&msg=');
exit();
}
} else {
$nolimit = null;
header('Location: '.api_get_self());
exit();
}

$return = SessionManager::create_session(
$name,
$year_start,
$month_start,
$day_start,
$year_end,
$month_end,
$day_end,
$nb_days_acess_before,
$nb_days_acess_after,
$nolimit,
$coach_username,
$id_session_category,
$id_visibility,
$start_limit,
$end_limit,
$duration
);

if ($return == strval(intval($return))) {
// integer => no error on session creation
header('Location: add_courses_to_session.php?id_session='.$return.'&add=true&msg=');
exit();
}
}

$token = Security::get_token();


global $_configuration;
$defaultBeforeDays = isset($_configuration['session_days_before_coach_access']) ?
$_configuration['session_days_before_coach_access'] : 0;
Expand All @@ -168,16 +178,16 @@ function fill_coach_field (username) {
echo '<div class="actions">';
echo '<a href="../admin/index.php">'.Display::return_icon('back.png', get_lang('BackTo').' '.get_lang('PlatformAdmin'),'',ICON_SIZE_MEDIUM).'</a>';
echo '</div>';

?>
<form class="form-horizontal" method="post" name="form" action="<?php echo api_get_self(); ?>" style="margin:0px;">
<input type="hidden" name="sec_token" value="<?php echo $token; ?>">
<input type="hidden" name="formSent" value="1">
<div class="control-group">
<label class="control-label">
<?php echo get_lang('SessionName') ?>
</label>
<div class="controls">
<input type="text" name="name" class="span4" maxlength="50" value="<?php if($formSent) echo api_htmlentities($name,ENT_QUOTES,$charset); ?>">
<input type="text" name="name" class="span4" maxlength="50" value="<?php if($formSent) echo Security::remove_XSS($name); ?>">
</div>
</div>

Expand Down Expand Up @@ -250,8 +260,8 @@ function fill_coach_field (username) {
<a href="javascript://" onclick="if(document.getElementById('options').style.display == 'none'){document.getElementById('options').style.display = 'block';}else{document.getElementById('options').style.display = 'none';}"><?php echo get_lang('DefineSessionOptions') ?></a>
<div style="display: <?php if($formSent && ($nb_days_acess_before!=0 || $nb_days_acess_after!=0)) echo 'block'; else echo 'none'; ?>;" id="options">
<br />
<input type="text" name="nb_days_acess_before" value="<?php echo $nb_days_acess_before; ?>" style="width: 30px;">&nbsp;<?php echo get_lang('DaysBefore') ?><br /><br />
<input type="text" name="nb_days_acess_after" value="<?php echo $nb_days_acess_after; ?>" style="width: 30px;">&nbsp;<?php echo get_lang('DaysAfter') ?>
<input type="text" name="nb_days_acess_before" value="<?php echo intval($nb_days_acess_before); ?>" style="width: 30px;">&nbsp;<?php echo get_lang('DaysBefore') ?><br /><br />
<input type="text" name="nb_days_acess_after" value="<?php echo intval($nb_days_acess_after); ?>" style="width: 30px;">&nbsp;<?php echo get_lang('DaysAfter') ?>
<br />
</div>
</div>
Expand Down Expand Up @@ -326,12 +336,8 @@ function fill_coach_field (username) {
?>
</select>
</div>

</div>
</div>



<div class="control-group">
<div class="controls">
<label for="end_limit">
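Review bot: The value on the new line `<input type="text" name="name" class="span4" maxlength="50" value="<?php if($formSent) echo Security::remove_XSS($name); ?>">` sits inside a double-quoted HTML attribute, and the call it replaces (`api_htmlentities($name, ENT_QUOTES, $charset)`) was the context-correct escape for that position; unless remove_XSS is known to entity-encode `"`, a quote in the posted name can close the attribute. Keeping the entity encoding for the attribute, e.g. `value="<?php if ($formSent) echo api_htmlentities($name, ENT_QUOTES, $charset); ?>"`, covers that context regardless of what the tag filter strips. In the first hunk, the token-check failure branch `} else { header('Location: '.api_get_self()); exit(); }` discards the submitted form with no indication why; showing a message (the file's `Display::display_error_message(...)` pattern seen in session_edit.php) before re-rendering would make an expired token diagnosable. The `$_POST[...]` reads inside `if ($check)` also still assume every field is present; only `duration` is guarded with isset.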
4 changes: 3 additions & 1 deletion main/admin/session_edit.php
Expand Up @@ -126,9 +126,11 @@
if (!empty($return)) {
Display::display_error_message($return,false);
}

$page = isset($_GET['page']) && $_GET['page'] == 'resume_session.php' ? 'resume_session.php' : null;


@ywarnier

ywarnier Mar 17, 2015

Member

This should probably be '' instead of null, otherwise you are concatenating a null value a bit later, which might trigger warnings or errors in future versions of PHP


@jmontoyaa

jmontoyaa Mar 17, 2015

Author Member

I will add the change in 1.10

?>

<form class="form-horizontal" method="post" name="form" action="<?php echo api_get_self(); ?>?page=<?php echo Security::remove_XSS($_GET['page']) ?>&id=<?php echo $id; ?>" style="margin:0px;">
<form class="form-horizontal" method="post" name="form" action="<?php echo api_get_self(); ?>?page=<?php echo $page; ?>&id=<?php echo $id; ?>" style="margin:0px;">
<fieldset>
<legend><?php echo $tool_name; ?></legend>
<input type="hidden" name="formSent" value="1">
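Review bot: The comparison on the new line `$page = isset($_GET['page']) && $_GET['page'] == 'resume_session.php' ? 'resume_session.php' : null;` is loose; a strict `$_GET['page'] === 'resume_session.php'` avoids PHP's type-juggling rules and makes the whitelist intent explicit. Whitelisting to a fixed value instead of echoing the request parameter is the right fix for the form action. `$id` on the same action attribute is assigned outside this hunk, so whether it is integer-cast before being echoed cannot be confirmed here; it deserves the same attention as `page`.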
3 changes: 2 additions & 1 deletion main/inc/lib/message.lib.php
Expand Up @@ -1385,7 +1385,8 @@ public static function get_links_message_attachment_files($message_id, $type = '
$archiveFile = $row_file['path'];
$filename = $row_file['filename'];
$filesize = format_file_size($row_file['size']);
$filecomment = $row_file['comment'];
$filecomment = Security::remove_XSS($row_file['comment']);
$filename = Security::remove_XSS($filename);
$links_attach_file[] = $attach_icon.'&nbsp;<a href="'.$archiveURL.$archiveFile.'">'.$filename.'</a>&nbsp;('.$filesize.')'.(!empty($filecomment) ? '&nbsp;-&nbsp;<i>'.$filecomment.'</i>' : '');
}
}
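Review bot: `$archiveFile` (read from `$row_file['path']`) is still concatenated unescaped into the `href` on the `$links_attach_file[] = ...` line, while `$filename` and `$filecomment` now pass through `Security::remove_XSS`; if a stored path can contain `"`, it closes the attribute. Escaping it for the attribute context, `'<a href="'.$archiveURL.htmlspecialchars($archiveFile, ENT_QUOTES, 'UTF-8').'">'`, closes that gap independently of how paths are generated. `$filename` and `$filecomment` land in text nodes, where `htmlspecialchars` would be the more precise escape than a tag filter, though remove_XSS follows this file's convention. The enclosing `get_links_message_attachment_files` starts before this hunk, so where `$archiveURL` comes from is not visible here.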
