From dd0cec5fed1681115143fea245180af55d599584 Mon Sep 17 00:00:00 2001
From: Axel Viala <axel.viala@darnuria.eu>
Date: Sun, 26 Mar 2017 23:00:24 +0200
Subject: [PATCH 1/2] Ajout de fonctions auxillieres.

---
 core/requetes.php   | 57 ++++++++++++++++++++++++++++++++++++++++++++-
 core/session.php    |  4 ++++
 core/validation.php | 13 +++++++++++
 3 files changed, 73 insertions(+), 1 deletion(-)

diff --git a/core/requetes.php b/core/requetes.php
index 6f7fd144..a67c016e 100644
--- a/core/requetes.php
+++ b/core/requetes.php
@@ -18,13 +18,59 @@
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
-function grilles_objets_id($bdd, $id_dechet) {
+function objet_id_dechet($bdd, $id_dechet) {
   $req = $bdd->prepare("SELECT * FROM grille_objets WHERE id_type_dechet = :id_type_dechet");
   $req->bindValue(':id_type_dechet', $id_dechet, PDO::PARAM_INT);
   $req->execute();
   return $req->fetchAll(PDO::FETCH_ASSOC);
 }
 
+function objet_id($bdd, $id_obj) {
+  $req = $bdd->prepare("SELECT * FROM grille_objets WHERE id = :id_obj");
+  $req->bindValue(':id_obj', $id_obj, PDO::PARAM_INT);
+  $req->execute();
+  $result = $req->fetch(PDO::FETCH_ASSOC);
+  $req->closeCursor();
+  return $result;
+}
+
+function objet_update_visible($bdd, $id, $visible) {
+  $req = $bdd->prepare('update grille_objets set visible = :visible where id = :id');
+  $req->bindValue(':id', $id, PDO::PARAM_INT);
+  $req->bindValue(':visible', $visible, PDO::PARAM_STR);
+  $req->execute();
+  $req->closeCursor();
+}
+
+function objet_update_nom($bdd, $id, $nom) {
+  $req = $bdd->prepare('update grille_objets set nom = :nom where id = :id');
+  $req->bindValue(':id', $id, PDO::PARAM_INT);
+  $req->bindValue(':nom', $nom, PDO::PARAM_STR);
+  $req->execute();
+  $req->closeCursor();
+}
+
+function objet_update($bdd, $id, $prix, $nom, $description) {
+  $req = $bdd->prepare('
+      update grille_objets
+      set nom = :nom1,
+          description = :description,
+          prix = :prix
+      where BINARY nom <> :nom2
+      and id = :id');
+  $req->bindValue(':id', $id, PDO::PARAM_INT);
+  $req->bindValue(':prix', $prix);
+  $req->bindParam(':nom1', $nom, PDO::PARAM_STR);
+  $req->bindParam(':nom2', $nom, PDO::PARAM_STR);
+  $req->bindParam(':description', $description, PDO::PARAM_STR);
+  $req->execute();
+  if ($req->rowCount() === 0) {
+    $req->closeCursor();
+    throw new UnexpectedValueException('Un objet avec le meme nom existe deja.');
+  }
+  $req->closeCursor();
+}
+
 function convention_sortie(PDO $bdd) {
   $sql = 'SELECT id, nom FROM conventions_sorties WHERE visible = "oui"';
   $stmt = $bdd->prepare($sql);
@@ -82,6 +128,15 @@ function points_ventes(PDO $bdd) {
   return $stmt->fetchAll(PDO::FETCH_ASSOC);
 }
 
+function points_ventes_id(PDO $bdd, $id_point_vente) {
+  $stmt = $bdd->prepare('SELECT id, nom, adresse FROM points_vente WHERE id = :id');
+  $stmt->bindValue(':id', $id_point_vente, PDO::PARAM_INT);
+  $stmt->execute();
+  $point_sortie = $stmt->fetch(PDO::FETCH_ASSOC);
+  $stmt->closeCursor();
+  return $point_sortie;
+}
+
 function types_contenants(PDO $bdd) {
   $stmt = $bdd->prepare('SELECT masse, nom FROM type_contenants WHERE visible = "oui"');
   $stmt->execute();
diff --git a/core/session.php b/core/session.php
index 3e75412a..6fbe7757 100644
--- a/core/session.php
+++ b/core/session.php
@@ -83,6 +83,10 @@ function is_allowed_gestion() {
   return strpos($_SESSION['niveau'], 'g') !== false;
 }
 
+function is_allowed_gestion_id($id) {
+  return strpos($_SESSION['niveau'], 'g' . ((string) $id)) !== false;
+}
+
 // Test si l'utilisateur a les droits sur un point de collecte donnee.
 function is_allowed_collecte_id($id) {
   return strpos($_SESSION['niveau'], 'c' . ((string) $id)) !== false;
diff --git a/core/validation.php b/core/validation.php
index f48e068e..126129df 100644
--- a/core/validation.php
+++ b/core/validation.php
@@ -18,6 +18,19 @@
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+// TODO a virer une fois la base nettoyee des oui et non.
+function oui_non_to_bool($s) {
+  if ($s === 'oui') { return true; }
+  else if ($s === 'non') { return false; }
+  else { throw new InvalidArgumentException('$s different de oui ou non.'); }
+}
+
+// TODO a virer une fois la base nettoyee des oui et non.
+function bool_to_oui_non($b) {
+  if ($b === true) { return 'oui'; }
+  else { return 'non'; }
+}
+
 function validate_json_login($unsafe_json) {
   $unsafe_json['username'] = filter_var($unsafe_json['username'], FILTER_VALIDATE_EMAIL);
   return $unsafe_json;

From bd8ecd3334157fbe9ebefa35cdddb0d6ea1011de Mon Sep 17 00:00:00 2001
From: Axel Viala <axel.viala@darnuria.eu>
Date: Sun, 26 Mar 2017 23:01:04 +0200
Subject: [PATCH 2/2] Reecriture des pages.

---
 ifaces/grilles_prix.php            |  43 +++++------
 ifaces/modification_objet.php      | 120 ++++++++++++++---------------
 moteur/modification_objet_post.php | 114 ++++++++++++---------------
 moteur/objet_visible.php           |  52 +++++++++----
 4 files changed, 166 insertions(+), 163 deletions(-)

diff --git a/ifaces/grilles_prix.php b/ifaces/grilles_prix.php
index 01b9578a..881bb2ba 100644
--- a/ifaces/grilles_prix.php
+++ b/ifaces/grilles_prix.php
@@ -1,5 +1,4 @@
 <?php
-
 /*
   Oressource
   Copyright (C) 2014-2017  Martin Vert and Oressource devellopers
@@ -24,8 +23,9 @@
 require_once('../core/requetes.php');
 require_once('../core/session.php');
 
+require_once('../core/validation.php'); // pour oui/non -> bool vis-versa
 
-$type_obj = filter_input(INPUT_GET, 'typo', FILTER_VALIDATE_INT);
+$type_obj = filter_input(INPUT_GET, 'id_type_dechet', FILTER_VALIDATE_INT);
 
 if (isset($_SESSION['id'])
   && $_SESSION['systeme'] === "oressource"
@@ -33,9 +33,12 @@
   && $type_obj !== false) {
   require_once("tete.php");
 
+  if ($type_obj === null) {
+    $type_obj = 1;
+  }
 
   $type_dechets = types_dechets($bdd);
-  $grille = grilles_objets_id($bdd, $type_obj);
+  $grille = objet_id_dechet($bdd, $type_obj);
   ?>
 
   <div class="container">
@@ -43,7 +46,7 @@
     <ul class="nav nav-tabs">
       <?php foreach ($type_dechets as $type_dechet) { ?>
         <li class="<?= ($type_obj === $type_dechet['id'] ? 'active' : '') ?>">
-          <a href="grilles_prix.php?typo=<?= $type_dechet['id'] ?>"><?= $type_dechet['nom'] ?></a>
+          <a href="grilles_prix.php?id_type_dechet=<?= $type_dechet['id'] ?>"><?= $type_dechet['nom'] ?></a>
         </li>
       <?php } ?>
     </ul>
@@ -53,7 +56,7 @@
         <div class="row input-group">
           <div class="col-lg-3">
             <label for="nom">Nom:</label>
-            <input id="nom" class="form-control" type="text" placeholder="nom" name="nom"  required autofocus>
+            <input id="nom" class="form-control" type="text" placeholder="nom" name="nom" required autofocus>
           </div>
           <div class="col-lg-3">
             <label for="description">Description:</label>
@@ -61,12 +64,12 @@
           </div>
           <div class="col-lg-3">
             <label for="prix">Prix:</label>
-            <input id="prix" class="form-control" type="text" placeholder="prix" name="prix" required >
+            <input id="prix" class="form-control" type="text" placeholder="prix" name="prix" required>
             <input class="form-control" type="hidden" value="<?= $type_obj ?>" name="typo">
           </div>
           <div class="col-lg-3">
             <br> <!-- TODO: trouver plus elegant en CSS que ce hack... -->
-            <button name="creer" class="btn btn-default">créer</button>
+            <button name="creer" class="btn btn-default">Créer</button>
           </div>
         </div>
       </form>
@@ -75,6 +78,7 @@
     <table class="table">
       <thead>
         <tr>
+          <th>identifiant</th>
           <th>Nom</th>
           <th>Date de création</th>
           <th>Description</th>
@@ -88,6 +92,7 @@
       <tbody>
         <?php foreach ($grille as $item) { ?>
           <tr>
+            <td><?= $item['id'] ?></td>
             <td><?= $item['nom'] ?></td>
             <td><?= $item['timestamp'] ?></td>
             <td><?= $item['description'] ?></td>
@@ -102,28 +107,20 @@
 
             <td>
               <form action="../moteur/objet_visible.php" method="post">
-                <input type="hidden" name="typo" value="<?= $type_obj ?>">
                 <input type="hidden" name="id" value="<?= $item['id'] ?>">
-                <input type="hidden" name="visible" value="<?=
-          ($item['visible'] === 'oui' ? 'non' : 'oui')
-          ?>">
-                       <?php if ($item['visible'] === 'oui') { ?>
-                  <button class="btn btn-info btn-sm"><?= $item['visible'] ?></button>
+                <input type="hidden" name="visible" value="<?= oui_non_to_bool($item['visible']) ?>">
+                <?php if ($item['visible'] === 'oui') { ?>
+                  <button class="btn btn-sm btn-info "><?= $item['visible'] ?></button>
                 <?php } else { ?>
-                  <button class="btn btn-danger btn-sm"><?= $item['visible'] ?></button>
+                  <button class="btn btn-sm btn-danger "><?= $item['visible'] ?></button>
                 <?php } ?>
               </form>
             </td>
 
             <td>
-              <form action="modification_objet.php" method="post">
-                <input type="hidden" name="typo" value="<?= $type_obj ?>">
-                <input type="hidden" name="id" value="<?= $item['id'] ?>">
-                <input type="hidden" name="nom" value="<?= $item['nom'] ?>">
-                <input type="hidden" name="description" value="<?= $item['description'] ?>">
-                <input type="hidden" name="prix" value="<?= $item['prix'] ?>">
-                <button class="btn btn-warning btn-sm">Modifier</button>
-              </form>
+              <!-- TODO faire avec une infobulle JS -->
+              <a class="btn btn-warning btn-sm"
+                 href="modification_objet.php?id_obj=<?= $item['id'] ?>">Modifier</a>
             </td>
           </tr>
         <?php } ?>
@@ -132,7 +129,7 @@
   </div><!-- /.container -->
 
   <?php
-  include "pied.php";
+  require_once "pied.php";
 } else {
   header('Location: ../moteur/destroy.php');
 }
diff --git a/ifaces/modification_objet.php b/ifaces/modification_objet.php
index 1c894d8e..ed36b691 100644
--- a/ifaces/modification_objet.php
+++ b/ifaces/modification_objet.php
@@ -1,75 +1,73 @@
-<?php session_start(); 
+<?php
 /*
-+  Oressource
-+  Copyright (C) 2014-2017  Martin Vert and Oressource devellopers
-+
-+  This program is free software: you can redistribute it and/or modify
-+  it under the terms of the GNU Affero General Public License as
-+  published by the Free Software Foundation, either version 3 of the
-+  License, or (at your option) any later version.
-+
-+  This program is distributed in the hope that it will be useful,
-+  but WITHOUT ANY WARRANTY; without even the implied warranty of
-+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+  GNU Affero General Public License for more details.
-+
-+  You should have received a copy of the GNU Affero General Public License
-+  along with this program.  If not, see <http://www.gnu.org/licenses/>.
-+ */
-+
-+
-+// Oressource 2017,
+  Oressource
+  Copyright (C) 2014-2017  Martin Vert and Oressource devellopers
 
+  This program is free software: you can redistribute it and/or modify
+  it under the terms of the GNU Affero General Public License as
+  published by the Free Software Foundation, either version 3 of the
+  License, or (at your option) any later version.
 
-//Vérification des autorisations de l'utilisateur et des variables de session requisent pour l'affichage de cette page:
-   if (isset($_SESSION['id']) AND $_SESSION['systeme'] = "oressource" AND (strpos($_SESSION['niveau'], 'g') !== false))
-      { include "tete.php" ?>
-    <div class="container">
-        <h1>Grille des prix</h1> 
-         <div class="panel-heading">Modifier les données concernant l'objet n° <?php echo $_POST['id']?>, <?php echo $_POST['nom']?>. </div>
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU Affero General Public License for more details.
 
+  You should have received a copy of the GNU Affero General Public License
+  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
 
+session_start();
 
-      <div class="panel-body">
-        <div class="row">
-        	<form action="../moteur/modification_objet_post.php" method="post">
-            <input type="hidden" name ="id" id="id" value="<?php echo $_POST['id']?>">
-            <input type="hidden" name ="typo" id="typo" value="<?php echo $_POST['typo']?>">
-
-  <div class="col-md-2"><label for="nom">Nom:</label> <input type="text"value ="<?php echo $_POST['nom']?>" name="nom" id="nom" class="form-control " required autofocus></div>
-  <div class="col-md-3"><label for="description">Description:</label> <input type="text"value ="<?php echo $_POST['description']?>" name="description" id="description" class="form-control " required ></div>
-  <div class="col-md-1"><label for="prix">Prix:</label> <input type="text"value ="<?php echo $_POST['prix']?>" name="prix" id="prix" class="form-control " required ></div>
-  
-  <div class="col-md-1"><br><button name="creer" class="btn btn-warning">Modifier</button></div>
-</form>
-<br> 
-
+require_once('../moteur/dbconfig.php');
+require_once('../core/session.php');
+require_once('../core/requetes.php');
 
+if (isset($_SESSION['id'])
+  && $_SESSION['systeme'] === 'oressource'
+  && is_allowed_bilan()) {
 
+  require_once 'tete.php';
 
+  $id_obj = filter_input(INPUT_GET, 'id_obj', FILTER_VALIDATE_INT);
 
-<a href="grilles_prix.php<?php echo"?typo=".$_POST['typo']?>">
-<button name="creer" class="btn btn">Anuler</button>
-</a>
-
-</div>
-      </div>
-     
-      <br>
-
+  $obj = objet_id($bdd, $id_obj);
+  
+  ?>
+  <div class="container">
+    <h1>Grille des prix</h1>
+    <div class="panel-heading">Modifier les données concernant l'objet n° <?= $obj['id'] ?>, <?= $obj['nom'] ?>.</div>
+    <div class="panel-body">
       <div class="row">
-  <div class="col-md-4"></div>
-  <div class="col-md-4"><br> </div>
-  <div class="col-md-4"></div>
-  </div>
-  </div>
+        <form action="../moteur/modification_objet_post.php" method="post">
+          <input type="hidden" name="id" id="id" value="<?= $obj['id'] ?>">
+          <div class="col-md-2">
+            <label for="nom">Nom:</label>
+            <input type="text" value="<?= $obj['nom'] ?>" name="nom" id="nom" class="form-control" required autofocus>
+          </div>
+          <div class="col-md-3">
+            <label for="description">Description:</label>
+            <input type="text" value="<?= $obj['description'] ?>" name="description" id="description" class="form-control" required>
+          </div>
+          <div class="col-md-1">
+            <label for="prix">Prix:</label>
+            <input type="text" value="<?= $obj['prix'] ?>" name="prix" id="prix" class="form-control" required>
+          </div>
+          <div class="col-md-1">
+            <br>
+            <button name="creer" class="btn btn-warning">Modifier</button>
+          </div>
+        </form>
+        <br>
+        <a href="grilles_prix.php?type_dechet=<?= $obj['id_type_dechet'] ?>">
+          <button name="creer" class="btn btn">Annuler</button>
+        </a>
+      </div>
+    </div>
   </div>
-    </div><!-- /.container -->
-   
-<?php include "pied.php"; 
-}
-else
-{
-header('Location: ../moteur/destroy.php') ;
+  <?php
+  require_once "pied.php";
+} else {
+  header('Location: ../moteur/destroy.php');
 }
 ?>
diff --git a/moteur/modification_objet_post.php b/moteur/modification_objet_post.php
index 5bf028ac..73292ebb 100644
--- a/moteur/modification_objet_post.php
+++ b/moteur/modification_objet_post.php
@@ -1,67 +1,49 @@
-<?php session_start();
-
-//Vérification des autorisations de l'utilisateur et des variables de session requises pour l'utilisation de cette requête:
- if (isset($_SESSION['id']) AND $_SESSION['systeme'] = "oressource" AND (strpos($_SESSION['niveau'], 'g') !== false))
-{ 
-
-//martin vert
- try
-            {
-            // On se connecte à MySQL
-            include('../moteur/dbconfig.php');
-            }
-            catch(Exception $e)
-            {
-            // En cas d'erreur, on affiche un message et on arrête tout
-            die('Erreur : '.$e->getMessage());
-            }
- 
-            // Si tout va bien, on peut continuer
- $req = $bdd->prepare("SELECT SUM(id) FROM grille_objets WHERE nom = :nom AND id <> :id ");//SELECT `titre_affectation` FROM affectations WHERE titre_affectation = "conssomables" LIMIT 1
-$req->execute(array('nom' => $_POST['nom'],'id' => $_POST['id'] ));
-$donnees = $req->fetch();
-$req->closeCursor(); // Termine le traitement de la requête
-     
-
-
-if ($donnees['SUM(id)'] > 0) // SI le titre existe
-
-{
-header("Location:../ifaces/grilles_prix.php?err=Un objet porte deja le meme nom!&typo=".$_POST['typo']);
-$req->closeCursor(); // Termine le traitement de la requête
-}
-
-else 
-{
-// Connexion à la base de données
-try
-{
-include('dbconfig.php');
-}
-catch(Exception $e)
-{
-        die('Erreur : '.$e->getMessage());
-}
- 
-// Insertion du post à l'aide d'une requête préparée
-// mot de passe crypté md5 
-
-// Insertion du post à l'aide d'une requête préparée
-$req = $bdd->prepare('UPDATE grille_objets SET nom = :nom, description = :description , prix = :prix WHERE id = :id');
-$req->execute(array('nom' => $_POST['nom'],'description' => $_POST['description'],'prix' => $_POST['prix'],'id' => $_POST['id']));
-
-  $req->closeCursor();
-
-
-
-
-
-// Redirection du visiteur vers la page de gestion des points de collecte
-header("Location:../ifaces/grilles_prix.php?typo=".$_POST['typo']);
+<?php
+
+/*
+  Oressource
+  Copyright (C) 2014-2017  Martin Vert and Oressource devellopers
+
+  This program is free software: you can redistribute it and/or modify
+  it under the terms of the GNU Affero General Public License as
+  published by the Free Software Foundation, either version 3 of the
+  License, or (at your option) any later version.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU Affero General Public License for more details.
+
+  You should have received a copy of the GNU Affero General Public License
+  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+require_once('../moteur/dbconfig.php');
+require_once('../core/session.php');
+require_once('../core/requetes.php');
+
+session_start();
+
+if (isset($_SESSION['id'])
+  && $_SESSION['systeme'] === 'oressource'
+  && is_allowed_bilan()) {
+
+  require_once('../moteur/dbconfig.php');
+
+  $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
+  $prix = filter_input(INPUT_POST, 'prix', FILTER_VALIDATE_FLOAT);
+  $id_dechet = filter_input(INPUT_POST, 'id_dechet', FILTER_VALIDATE_INT);
+  $nom = filter_input(INPUT_POST, 'nom', FILTER_SANITIZE_STRING);
+  $description = filter_input(INPUT_POST, 'description', FILTER_SANITIZE_STRING);
+
+  try {
+    objet_update($bdd, $id, $prix, $nom, $description);
+  } catch (UnexpectedValueException $e) {
+    header("Location:../ifaces/grilles_prix.php?err={$e->getMessage()}&typo={$id}");
+    die();
+  }
+
+  header('Location:../ifaces/grilles_prix.php');
+} else {
+  header('Location:../moteur/destroy.php');
 }
-}
-else { 
-header('Location:../moteur/destroy.php');
-     }
-?>
-
diff --git a/moteur/objet_visible.php b/moteur/objet_visible.php
index 1fd6587f..39a3a112 100644
--- a/moteur/objet_visible.php
+++ b/moteur/objet_visible.php
@@ -1,18 +1,44 @@
 <?php
 
+/*
+  Oressource
+  Copyright (C) 2014-2017  Martin Vert and Oressource devellopers
+
+  This program is free software: you can redistribute it and/or modify
+  it under the terms of the GNU Affero General Public License as
+  published by the Free Software Foundation, either version 3 of the
+  License, or (at your option) any later version.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU Affero General Public License for more details.
+
+  You should have received a copy of the GNU Affero General Public License
+  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+require_once('../core/validation.php');
+require_once('../core/session.php');
+require_once('../core/requetes.php');
+
 session_start();
-//Vérification des autorisations de l'utilisateur et des variables de session requises pour l'utilisation de cette requête:
-if (isset($_SESSION['id']) && $_SESSION['systeme'] === "oressource" && ( strpos($_SESSION['niveau'], 'g') !== false)) {
-//martin vert
-// Connexion à la base de données
-  include('dbconfig.php');
-  // Insertion du post à l'aide d'une requête préparée
-  $req = $bdd->prepare('UPDATE grille_objets SET visible = :visible WHERE id = :id');
-  $req->execute(array('visible' => $_POST['visible'], 'id' => $_POST['id']));
-// Redirection du visiteur vers la page de gestion des affectation
-  header('Location:../ifaces/grilles_prix.php' . "?typo=" . $_POST['typo']);
+
+if (isset($_SESSION['id'])
+  && $_SESSION['systeme'] === "oressource"
+  && is_allowed_gestion()) {
+
+  require_once('dbconfig.php');
+
+  $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
+  $visible = bool_to_oui_non(filter_input(INPUT_GET, 'visible', FILTER_VALIDATE_BOOLEAN));
+  if ($id && $visible) {
+    grille_objects_update_visible($bdd, $id, $visible);
+  } else {
+    header('Location:../moteur/destroy.php');
+  }
+
+  header('Location:../ifaces/grilles_prix.php?typo=' . $id);
 } else {
   header('Location:../moteur/destroy.php');
-}
-?>
-
+}
\ No newline at end of file