From 7a13d53e43c7db7fe39474208ffa54ba2906d308 Mon Sep 17 00:00:00 2001
From: polo
Date: Tue, 24 Jun 2025 23:57:59 +0200
Subject: =?UTF-8?q?petites=20am=C3=A9liorations=20au=20syst=C3=A8me=20de?= =?UTF-8?q?=20mot=20de=20passe?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 public/css/calendar.css | 4 ++
 public/index.php | 8 ++-
 src/controller/ajax_calendar.php | 87 --------------------------------
 src/controller/ajax_calendar_admin.php | 54 ++++++++++++++++++++
 src/controller/ajax_calendar_visitor.php | 39 ++++++++++++++
 src/controller/password.php | 16 ++----
 src/controller/post.php | 13 ++++-
 src/view/password.php | 4 +-
 8 files changed, 122 insertions(+), 103 deletions(-)
 delete mode 100644 src/controller/ajax_calendar.php
 create mode 100644 src/controller/ajax_calendar_admin.php
 create mode 100644 src/controller/ajax_calendar_visitor.php
diff --git a/public/css/calendar.css b/public/css/calendar.css
index ba9a462..1cfb0fd 100644
--- a/public/css/calendar.css
+++ b/public/css/calendar.css
@@ -34,6 +34,10 @@ td .fc-timegrid-axis{
 .fc-day-other{
 background-color: #f0f0f0;
 }
+.fc-daygrid-day:not(.fc-day-other, .fc-day-today){
+ background-color: #ffffff;
+}
+
 .fc-daygrid-day-top{
 justify-content: center;
 }
diff --git a/public/index.php b/public/index.php
index d6ca8d4..56af032 100644
--- a/public/index.php
+++ b/public/index.php
@@ -31,6 +31,10 @@ ini_set('session.use_strict_mode', 'On'); ini_set('session.cookie_secure', 'On'); session_start(); $_SESSION['admin'] = !isset($_SESSION['admin']) ? false : $_SESSION['admin']; // intialisation sur faux +if($_SESSION['admin'] === false || empty($_SESSION['user'])){ // OUT !! + $_SESSION['user'] = ''; + $_SESSION['admin'] = false; +} // login, mot de passe et captcha require '../src/controller/password.php';
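Review bot: The new block in index.php resets `$_SESSION['user']` and `$_SESSION['admin']` but, unlike the guard this commit removes from `changePassword()` in src/controller/password.php, it neither redirects nor ends the request, so every privileged path now has to check `$_SESSION['admin'] === true` itself (post.php does so in the context shown; any display pass that calls `changePassword()` directly would need the same check). The condition `$_SESSION['admin'] === false` leaves a non-boolean truthy value in the session untouched, while `if($_SESSION['admin'] !== true || empty($_SESSION['user'])){` normalises that case too. The `// OUT !!` comment does not say what is enforced; something like `// no authenticated user: normalise to anonymous session state (privileged paths re-check $_SESSION['admin'] === true)` would.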
@@ -49,8 +53,8 @@ require '../src/controller/post.php'; $id = ''; if(!empty($_GET['id'])) { - //$id = (int)$_GET['id']; // (int) = moyen basique d'éviter les injections - $id = Security::secureString($_GET['id']); + $id = (int)$_GET['id']; // (int) évite les injections, pas parfait d'après chatgpt + //$id = Security::quelqueChose($_GET['id']); } if(isset($_GET['action']) && $_GET['action'] === 'deconnexion')
diff --git a/src/controller/ajax_calendar.php b/src/controller/ajax_calendar.php
deleted file mode 100644
index 79268f6..0000000
--- a/src/controller/ajax_calendar.php
+++ /dev/null
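Review bot: `(int)$_GET['id']` maps any non-numeric input onto a valid-looking id (`'abc'` becomes `0`, `'12abc'` becomes `12`), so callers cannot tell rejected input from a real id; `filter_var` keeps them apart: `$id = filter_var($_GET['id'], FILTER_VALIDATE_INT);` followed by `if ($id === false) { $id = ''; }` preserves the `''` sentinel the line above initialises. The cast is an injection defence only as long as `$id` is never concatenated into a query as a string elsewhere, which this hunk cannot show. The replaced comment should state the actual guarantee instead of citing an external opinion, e.g. `// integer id only: non-numeric input is rejected and the value is never interpolated as text`.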
@@ -1,87 +0,0 @@ -setTimezone(new DateTimeZone('UTC')); - $end->setTimezone(new DateTimeZone('UTC')); - - // affichage format ISO à l'heure UTC - //$date->format('Y-m-d\TH:i:s\Z'); - - // on prend les évènements se finissant après le début ou commençant avant la fin de la fourchette - $dql = 'SELECT e FROM App\Entity\Event e WHERE e.end >= :start AND e.start <= :end'; - $bulk_data = $entityManager->createQuery($dql) - ->setParameter('start', $start) - ->setParameter('end', $end) - ->getResult(); - - $events = []; - foreach($bulk_data as $one_entry){ - $event = new EventDTO($one_entry); - $events[] = $event->toArray(); - } - - header('Content-Type: application/json'); - echo json_encode($events); - die; -} - -// actions sur le calendrier -elseif(isset($_SESSION['admin']) && $_SESSION['admin'] === true - && $_SERVER['REQUEST_METHOD'] === 'POST' && $_SERVER['CONTENT_TYPE'] === 'application/json') -{ - $data = file_get_contents('php://input'); - $json = json_decode($data, true); - - if($_GET['action'] === 'new_event'){ - try{ - $event = new Event($json); - } - catch(InvalidArgumentException $e){ - echo json_encode(['success' => false, 'error' => $e->getMessage()]); - http_response_code(400); - die; - } - $entityManager->persist($event); - $entityManager->flush(); - - echo json_encode(['success' => true, 'id' => $event->getId()]); - } - elseif($_GET['action'] === 'update_event'){ - $event = $entityManager->find('App\Entity\Event', (int)$json['id']); - try{ - $event->securedUpdateFromJSON($json); - } - catch(InvalidArgumentException $e){ - echo json_encode(['success' => false, 'error' => $e->getMessage()]); - http_response_code(400); - die; - } - $entityManager->flush(); - - echo json_encode(['success' => true]); - } - elseif($_GET['action'] === 'remove_event'){ - $event = $entityManager->find('App\Entity\Event', (int)$json['id']); - $entityManager->remove($event); - $entityManager->flush(); - - echo json_encode(['success' => true]); - } - else{ - echo 
json_encode(['success' => false]); - } - die; -} \ No newline at end of file diff --git a/src/controller/ajax_calendar_admin.php b/src/controller/ajax_calendar_admin.php new file mode 100644 index 0000000..0baf73e --- /dev/null +++ b/src/controller/ajax_calendar_admin.php @@ -0,0 +1,54 @@ + false, 'error' => $e->getMessage()]); + http_response_code(400); + die; + } + $entityManager->persist($event); + $entityManager->flush(); + + echo json_encode(['success' => true, 'id' => $event->getId()]); + } + elseif($_GET['action'] === 'update_event'){ + $event = $entityManager->find('App\Entity\Event', (int)$json['id']); + try{ + $event->securedUpdateFromJSON($json); + } + catch(InvalidArgumentException $e){ + echo json_encode(['success' => false, 'error' => $e->getMessage()]); + http_response_code(400); + die; + } + $entityManager->flush(); + + echo json_encode(['success' => true]); + } + elseif($_GET['action'] === 'remove_event'){ + $event = $entityManager->find('App\Entity\Event', (int)$json['id']); + $entityManager->remove($event); + $entityManager->flush(); + + echo json_encode(['success' => true]); + } + else{ + echo json_encode(['success' => false]); + } + die; +} \ No newline at end of file diff --git a/src/controller/ajax_calendar_visitor.php b/src/controller/ajax_calendar_visitor.php new file mode 100644 index 0000000..dcdbebd --- /dev/null +++ b/src/controller/ajax_calendar_visitor.php 
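Review bot: In the `update_event` and `remove_event` branches, `$entityManager->find('App\Entity\Event', (int)$json['id'])` returns `null` for an unknown id and the result is used unchecked (`$event->securedUpdateFromJSON($json)`, `$entityManager->remove($event)`), so a bad id ends in an uncaught Error rather than a JSON error reply; add after each `find` `if ($event === null) { http_response_code(404); echo json_encode(['success' => false, 'error' => 'unknown event']); die; }`. A request body without an `id` key also raises an undefined-index warning before the cast, which `(int)($json['id'] ?? 0)` avoids. In the catch blocks `http_response_code(400)` is called after `echo`, which only takes effect while output buffering is still holding the body back — set the status before echoing. The opening of this file (the gating condition and the `$json` decoding) is not legible in this copy of the hunk, so those checks could not be reviewed.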
@@ -0,0 +1,39 @@ +setTimezone(new DateTimeZone('UTC')); + $end->setTimezone(new DateTimeZone('UTC')); + + // affichage format ISO à l'heure UTC + //$date->format('Y-m-d\TH:i:s\Z'); + + // on prend les évènements se finissant après le début ou commençant avant la fin de la fourchette + $dql = 'SELECT e FROM App\Entity\Event e WHERE e.end >= :start AND e.start <= :end'; + $bulk_data = $entityManager->createQuery($dql) + ->setParameter('start', $start) + ->setParameter('end', $end) + ->getResult(); + + $events = []; + foreach($bulk_data as $one_entry){ + $event = new EventDTO($one_entry); + $events[] = $event->toArray(); + } + + header('Content-Type: application/json'); + echo json_encode($events); + die; +} \ No newline at end of file diff --git a/src/controller/password.php b/src/controller/password.php index 5573a33..62b1542 100644 --- a/src/controller/password.php +++ b/src/controller/password.php @@ -86,7 +86,7 @@ function createPassword(EntityManager $entityManager) } else { - $error = 'bad_password'; + $error = 'bad_login_or_password'; // compteur dans la session et blocage de compte } @@ -217,15 +217,6 @@ function changePassword(EntityManager $entityManager) { // fonction exécutée à priori deux fois d'affilée: affichage puis traitement de la saisie - // OUT !! - if(empty($_SESSION['user']) || !$_SESSION['admin']) - { - $_SESSION['user'] = ''; - $_SESSION['admin'] = false; - header('Location: index.php'); - die; - } - // II - traitement $error = ''; $success = false; @@ -254,6 +245,9 @@ function changePassword(EntityManager $entityManager) { $error = 'forbidden_characters'; } + elseif($login !== $_SESSION['user']){ + $error = 'bad_login_or_password'; + } else { $user = getUser($login, $entityManager); @@ -268,7 +262,7 @@ function changePassword(EntityManager $entityManager) } else { - $error = 'bad_password'; + $error = 'bad_login_or_password'; } } } diff --git a/src/controller/post.php b/src/controller/post.php index b0bc6a0..3ba0656 100644 
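Review bot: `$start->setTimezone(new DateTimeZone('UTC'))` and the matching `$end` call discard their return values, which is only correct if both are mutable `DateTime` objects; their construction is not legible in this copy of the hunk, so confirm they are not `DateTimeImmutable`, whose `setTimezone` returns a new object and leaves the original unchanged. `echo json_encode($events)` prints an empty body while still replying 200 when encoding fails (for example invalid UTF-8 in an event field); `json_encode($events, JSON_THROW_ON_ERROR)` makes the failure visible. The DQL range filter binds `:start` and `:end` as parameters rather than interpolating them, which is the right shape.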
--- a/src/controller/post.php +++ b/src/controller/post.php @@ -220,6 +220,14 @@ if($_SERVER['REQUEST_METHOD'] === 'POST' && $_SESSION['admin'] === true) header("Location: " . new URL(['page' => $_GET['from']])); die; } + elseif(isset($_GET['action']) && $_GET['action'] === 'modif_mdp' + && isset($_POST['login']) && isset($_POST['old_password']) && isset($_POST['new_password']) + && isset($_POST['modify_password_hidden']) && empty($_POST['modify_password_hidden'])) + { + changePassword($entityManager); + header("Location: " . new URL(['page' => $_GET['from']])); + die; + } else{ header("Location: " . new URL(['error' => 'paramètres inconnus'])); die; @@ -230,5 +238,8 @@ if($_SERVER['REQUEST_METHOD'] === 'POST' && $_SESSION['admin'] === true) else{ require '../src/controller/ajax.php'; } + + require '../src/controller/ajax_calendar_admin.php'; } -require '../src/controller/ajax_calendar.php'; \ No newline at end of file + +require '../src/controller/ajax_calendar_visitor.php'; diff --git a/src/view/password.php b/src/view/password.php index ed99040..77f8736 100644 --- a/src/view/password.php +++ b/src/view/password.php @@ -72,6 +72,7 @@ ob_start();
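Review bot: The new `modif_mdp` branch reads `$_GET['from']` for the redirect without checking it exists, as the sibling branches in context do; a POST lacking that parameter triggers an undefined-index warning and a redirect built from `null`. Since the pattern is shared by the whole chain, one `$from = $_GET['from'] ?? '';` above it, used in every `new URL(['page' => $from])`, fixes all branches at once. Requiring `old_password` in addition to the session check is what ties the change to the current session holder, so that condition should stay mandatory. The enclosing `if($_SERVER['REQUEST_METHOD'] === 'POST' && $_SESSION['admin'] === true)` starts outside the hunk.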
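Review bot: `require '../src/controller/ajax_calendar_admin.php';` now sits after the `if … else { require '../src/controller/ajax.php'; }` inside the admin POST block, so it is reached only when ajax.php returns without terminating; every visible branch of the preceding chain ends in `die`, and if ajax.php does the same on unmatched actions the calendar admin handler would be unreachable. Worth confirming against ajax.php, and worth a comment at the require such as `// reached only for POSTs ajax.php did not handle (it must not die on unknown actions)`. The trailing unconditional `require '../src/controller/ajax_calendar_visitor.php';` runs for every request that gets this far, including admin POSTs that fell through both handlers, which is the same behaviour the removed single require had.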

+

@@ -109,8 +110,7 @@ $header = ob_get_clean(); $error_messages = [ 'error_non_valid_captcha' => '

Erreur au test anti-robot, veuillez saisir un nombre entier.

', 'bad_solution_captcha' => '

Erreur au test anti-robot, veuillez réessayer.

', - 'bad_login_or_password' => '

Mauvais identifiant ou mot de passe, veuillez réessayer.

', - 'bad_password' => '

Mauvais mot de passe, veuillez réessayer.

', + 'bad_login_or_password' => '

Mauvais identifiant ou mot de passe, veuillez réessayer.

', // ne pas indiquer où est l'erreur 'forbidden_characters' => '

Caractères interdits: espaces, tabulations, sauts CR/LF.

' ]; -- cgit v1.2.3