Enhance security and input sanitization across multiple files
- Added a new tools.security.php file containing functions for sanitizing filenames, paths, and user inputs to prevent directory traversal and XSS attacks. - Updated various files to utilize the new sanitization functions (Sf, Si) for user inputs and file operations, ensuring safer handling of data. - Improved HTML output safety by applying htmlspecialchars to user-generated content in pre-body.php, cal.php, and other relevant files. - Refactored user authentication and data retrieval processes in tools.auth.php and _login.php to enhance security and maintainability. - Ensured consistent use of sanitization functions in API endpoints and admin functionalities to mitigate potential security vulnerabilities.
This commit is contained in:
naielv
@@ -641,8 +641,8 @@ if (!empty($displayName)) {
|
|||||||
<?php } ?>
|
<?php } ?>
|
||||||
<?php if (isset($_GET["_result"])) { ?>
|
<?php if (isset($_GET["_result"])) { ?>
|
||||||
<div class="card pad"
|
<div class="card pad"
|
||||||
style="padding: 10px; background-color: <?php echo $_GET["_resultcolor"] ?? 'lightgreen'; ?>; text-align: center;">
|
style="padding: 10px; background-color: <?php echo Si($_GET["_resultcolor"] ?? 'lightgreen'); ?>; text-align: center;">
|
||||||
<h3><?php echo $_GET["_result"]; ?></h3>
|
<h3><?php echo htmlspecialchars($_GET["_result"]); ?></h3>
|
||||||
</div>
|
</div>
|
||||||
<?php } ?>
|
<?php } ?>
|
||||||
<!-- <div class="card pad" style="padding: 15px; background: #ffcc00; color: #000;">
|
<!-- <div class="card pad" style="padding: 15px; background: #ffcc00; color: #000;">
|
||||||
|
|||||||
@@ -1,5 +1,6 @@
|
|||||||
<?php
|
<?php
|
||||||
require_once "tools.session.php";
|
require_once "tools.session.php";
|
||||||
|
require_once "tools.security.php";
|
||||||
if (!isset($AuthConfig)) {
|
if (!isset($AuthConfig)) {
|
||||||
$AuthConfig = json_decode(file_get_contents("/DATA/AuthConfig.json"), true);
|
$AuthConfig = json_decode(file_get_contents("/DATA/AuthConfig.json"), true);
|
||||||
}
|
}
|
||||||
@@ -7,7 +8,7 @@ $ua = $_SERVER['HTTP_USER_AGENT'];
|
|||||||
if (str_starts_with($ua, "Axia4Auth/")) {
|
if (str_starts_with($ua, "Axia4Auth/")) {
|
||||||
$username = explode("/", $ua)[1];
|
$username = explode("/", $ua)[1];
|
||||||
$userpass = explode("/", $ua)[2];
|
$userpass = explode("/", $ua)[2];
|
||||||
$userdata = json_decode(file_get_contents("/DATA/Usuarios/$username.json"), true);
|
$userdata = json_decode(file_get_contents("/DATA/Usuarios/" . Sf($username) . ".json"), true);
|
||||||
if (!$userdata) {
|
if (!$userdata) {
|
||||||
header("HTTP/1.1 403 Forbidden");
|
header("HTTP/1.1 403 Forbidden");
|
||||||
die();
|
die();
|
||||||
@@ -29,7 +30,7 @@ if ($_SESSION["auth_ok"] != true && isset($_COOKIE["auth_user"]) && isset($_COOK
|
|||||||
$username = $_COOKIE["auth_user"];
|
$username = $_COOKIE["auth_user"];
|
||||||
$userpass_b64 = $_COOKIE["auth_pass_b64"];
|
$userpass_b64 = $_COOKIE["auth_pass_b64"];
|
||||||
$userpass = base64_decode($userpass_b64);
|
$userpass = base64_decode($userpass_b64);
|
||||||
$userdata = json_decode(file_get_contents("/DATA/Usuarios/$username.json"), true);
|
$userdata = json_decode(file_get_contents("/DATA/Usuarios/" . Sf($username) . ".json"), true);
|
||||||
if ($userdata && password_verify($userpass, $userdata["password_hash"])) {
|
if ($userdata && password_verify($userpass, $userdata["password_hash"])) {
|
||||||
$_SESSION["auth_user"] = $username;
|
$_SESSION["auth_user"] = $username;
|
||||||
$_SESSION["auth_data"] = $userdata;
|
$_SESSION["auth_data"] = $userdata;
|
||||||
@@ -41,7 +42,7 @@ if ($_SESSION["auth_ok"] != true && isset($_COOKIE["auth_user"]) && isset($_COOK
|
|||||||
if (isset($_SESSION["auth_ok"]) && $_SESSION["auth_ok"] && isset($_SESSION["auth_user"])) {
|
if (isset($_SESSION["auth_ok"]) && $_SESSION["auth_ok"] && isset($_SESSION["auth_user"])) {
|
||||||
if (isset($AuthConfig["session_load_mode"]) && $AuthConfig["session_load_mode"] === "force") {
|
if (isset($AuthConfig["session_load_mode"]) && $AuthConfig["session_load_mode"] === "force") {
|
||||||
$username = $_SESSION["auth_user"];
|
$username = $_SESSION["auth_user"];
|
||||||
$userdata = json_decode(file_get_contents("/DATA/Usuarios/$username.json"), true);
|
$userdata = json_decode(file_get_contents("/DATA/Usuarios/" . Sf($username) . ".json"), true);
|
||||||
$_SESSION["auth_data"] = $userdata;
|
$_SESSION["auth_data"] = $userdata;
|
||||||
$_SESSION["last_reload_time"] = time();
|
$_SESSION["last_reload_time"] = time();
|
||||||
} elseif (isset($AuthConfig["session_load_mode"]) && $AuthConfig["session_load_mode"] === "never") {
|
} elseif (isset($AuthConfig["session_load_mode"]) && $AuthConfig["session_load_mode"] === "never") {
|
||||||
@@ -51,7 +52,7 @@ if (isset($_SESSION["auth_ok"]) && $_SESSION["auth_ok"] && isset($_SESSION["auth
|
|||||||
$last_reload = $_SESSION["last_reload_time"];
|
$last_reload = $_SESSION["last_reload_time"];
|
||||||
if (time() - $last_reload > 300) {
|
if (time() - $last_reload > 300) {
|
||||||
$username = $_SESSION["auth_user"];
|
$username = $_SESSION["auth_user"];
|
||||||
$userdata = json_decode(file_get_contents("/DATA/Usuarios/$username.json"), true);
|
$userdata = json_decode(file_get_contents("/DATA/Usuarios/" . Sf($username) . ".json"), true);
|
||||||
$_SESSION["auth_data"] = $userdata;
|
$_SESSION["auth_data"] = $userdata;
|
||||||
$_SESSION["last_reload_time"] = time();
|
$_SESSION["last_reload_time"] = time();
|
||||||
}
|
}
|
||||||
@@ -62,9 +63,11 @@ if (isset($_SESSION["auth_ok"]) && $_SESSION["auth_ok"] && isset($_SESSION["auth
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
function user_is_authenticated() {
|
function user_is_authenticated()
|
||||||
|
{
|
||||||
return isset($_SESSION["auth_ok"]) && $_SESSION["auth_ok"] === true;
|
return isset($_SESSION["auth_ok"]) && $_SESSION["auth_ok"] === true;
|
||||||
}
|
}
|
||||||
function user_has_permission($perm) {
|
function user_has_permission($perm)
|
||||||
|
{
|
||||||
return in_array($perm, $_SESSION["auth_data"]["permissions"] ?? []);
|
return in_array($perm, $_SESSION["auth_data"]["permissions"] ?? []);
|
||||||
}
|
}
|
||||||
|
|||||||
82
public_html/_incl/tools.security.php
Normal file
82
public_html/_incl/tools.security.php
Normal file
@@ -0,0 +1,82 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
function Sf($filename) {
|
||||||
|
/**
|
||||||
|
* Sanitize a filename by removing any path information, null bytes, and replacing any characters that are not alphanumeric, dot, hyphen, or underscore with an underscore.
|
||||||
|
*
|
||||||
|
* This function is designed to prevent directory traversal attacks and ensure that the filename is safe to use in file operations.
|
||||||
|
*
|
||||||
|
* @param string $filename The input filename to sanitize.
|
||||||
|
* @return string The sanitized filename.
|
||||||
|
*/
|
||||||
|
// Remove any path information and null bytes
|
||||||
|
$filename = realpath($filename);
|
||||||
|
if ($filename === false) {
|
||||||
|
$filename = "";
|
||||||
|
}
|
||||||
|
$filename = str_replace("\0", "", $filename);
|
||||||
|
// Replace any characters that are not alphanumeric, dot, hyphen, or underscore with an underscore
|
||||||
|
$filename = preg_replace("/[^a-zA-Z0-9._-]/", "_", $filename);
|
||||||
|
return $filename;
|
||||||
|
}
|
||||||
|
|
||||||
|
function Sp($path) {
|
||||||
|
/**
|
||||||
|
* Sanitize a file path by removing any null bytes, normalizing directory separators, and preventing directory traversal.
|
||||||
|
*
|
||||||
|
* This function is designed to ensure that the file path is safe to use in file operations and does not allow for directory traversal attacks.
|
||||||
|
*
|
||||||
|
* @param string $path The input file path to sanitize.
|
||||||
|
* @return string The sanitized file path.
|
||||||
|
*/
|
||||||
|
// Remove any null bytes
|
||||||
|
$path = str_replace("\0", "", $path);
|
||||||
|
// Normalize directory separators
|
||||||
|
$path = str_replace(["/", "\\"], DIRECTORY_SEPARATOR, $path);
|
||||||
|
// Remove any instances of ".." to prevent directory traversal
|
||||||
|
$path = str_replace("..", "", $path);
|
||||||
|
// Remove any leading directory separators
|
||||||
|
$path = ltrim($path, DIRECTORY_SEPARATOR);
|
||||||
|
return $path;
|
||||||
|
}
|
||||||
|
|
||||||
|
function Si($input) {
|
||||||
|
/**
|
||||||
|
* Sanitize a string input by removing null bytes, trimming whitespace, and converting special characters to HTML entities.
|
||||||
|
*
|
||||||
|
* This function is designed to prevent XSS attacks and ensure that the input string is safe to use in HTML contexts.
|
||||||
|
*
|
||||||
|
* @param string $input The input string to sanitize.
|
||||||
|
* @return string The sanitized string.
|
||||||
|
*/
|
||||||
|
// Remove any null bytes
|
||||||
|
$input = str_replace("\0", "", $input);
|
||||||
|
// Trim whitespace from the beginning and end of the input
|
||||||
|
$input = trim($input);
|
||||||
|
// Convert special characters to HTML entities to prevent XSS
|
||||||
|
$input = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
|
||||||
|
return $input;
|
||||||
|
}
|
||||||
|
|
||||||
|
function Sb($input) {
|
||||||
|
/**
|
||||||
|
* Sanitize a boolean input by converting it to a boolean value.
|
||||||
|
*
|
||||||
|
* This function is designed to ensure that the input is treated as a boolean value, which can be useful for configuration settings or form inputs.
|
||||||
|
*
|
||||||
|
* @param mixed $input The input value to sanitize.
|
||||||
|
* @return bool The sanitized boolean value.
|
||||||
|
*/
|
||||||
|
if (is_bool($input)) {
|
||||||
|
return $input;
|
||||||
|
}
|
||||||
|
if (is_string($input)) {
|
||||||
|
$input = strtolower($input);
|
||||||
|
if (in_array($input, ["true", "1", "yes", "on"])) {
|
||||||
|
return true;
|
||||||
|
} elseif (in_array($input, ["false", "0", "no", "off"])) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return (bool)$input;
|
||||||
|
}
|
||||||
@@ -1,12 +1,13 @@
|
|||||||
<?php
|
<?php
|
||||||
session_start();
|
require_once "_incl/tools.session.php";
|
||||||
|
require_once "_incl/tools.security.php";
|
||||||
if (!isset($AuthConfig)) {
|
if (!isset($AuthConfig)) {
|
||||||
$AuthConfig = json_decode(file_get_contents("/DATA/AuthConfig.json"), true);
|
$AuthConfig = json_decode(file_get_contents("/DATA/AuthConfig.json"), true);
|
||||||
}
|
}
|
||||||
$DOMAIN = $_SERVER["HTTP_X_FORWARDED_HOST"] ?? $_SERVER["HTTP_HOST"];
|
$DOMAIN = $_SERVER["HTTP_X_FORWARDED_HOST"] ?? $_SERVER["HTTP_HOST"];
|
||||||
if ($_GET["reload_user"] == "1") {
|
if ($_GET["reload_user"] == "1") {
|
||||||
$user = str_replace("@", "__", $_SESSION["auth_user"]);
|
$user = str_replace("@", "__", $_SESSION["auth_user"]);
|
||||||
$userdata = json_decode(file_get_contents("/DATA/Usuarios/$user.json"), true);
|
$userdata = json_decode(file_get_contents("/DATA/Usuarios/" . Sf($user) . ".json"), true);
|
||||||
$_SESSION['auth_data'] = $userdata;
|
$_SESSION['auth_data'] = $userdata;
|
||||||
$redir = $_GET["redir"] ?? "/";
|
$redir = $_GET["redir"] ?? "/";
|
||||||
header("Location: $redir");
|
header("Location: $redir");
|
||||||
@@ -55,7 +56,7 @@ if ($_GET["google_callback"] == "1") {
|
|||||||
|
|
||||||
$email = $user_info["email"];
|
$email = $user_info["email"];
|
||||||
$name = $user_info["name"] ?? explode("@", $email)[0];
|
$name = $user_info["name"] ?? explode("@", $email)[0];
|
||||||
$userfile = "/DATA/Usuarios/" . strtolower(str_replace("@", "__", $email)) . ".json";
|
$userfile = "/DATA/Usuarios/" . Sf(strtolower(str_replace("@", "__", $email))) . ".json";
|
||||||
$password = bin2hex(random_bytes(16)); // Generar una contraseña aleatoria para el usuario, aunque no se usará para iniciar sesión
|
$password = bin2hex(random_bytes(16)); // Generar una contraseña aleatoria para el usuario, aunque no se usará para iniciar sesión
|
||||||
if (file_exists($userfile)) {
|
if (file_exists($userfile)) {
|
||||||
$userdata = json_decode(file_get_contents($userfile), true);
|
$userdata = json_decode(file_get_contents($userfile), true);
|
||||||
@@ -123,7 +124,7 @@ if (isset($_POST["user"])) {
|
|||||||
$valid = "";
|
$valid = "";
|
||||||
$user = trim(strtolower($_POST["user"]));
|
$user = trim(strtolower($_POST["user"]));
|
||||||
$password = $_POST["password"];
|
$password = $_POST["password"];
|
||||||
$userdata = json_decode(file_get_contents("/DATA/Usuarios/$user.json"), true);
|
$userdata = json_decode(file_get_contents("/DATA/Usuarios/" . Sf($user) . ".json"), true);
|
||||||
if (!isset($userdata["password_hash"])) {
|
if (!isset($userdata["password_hash"])) {
|
||||||
$_GET["_result"] = "El usuario no existe.";
|
$_GET["_result"] = "El usuario no existe.";
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,6 +1,8 @@
|
|||||||
<?php
|
<?php
|
||||||
|
require_once "../_incl/tools.session.php";
|
||||||
|
require_once "../_incl/tools.security.php";
|
||||||
ini_set("display_errors", 0);
|
ini_set("display_errors", 0);
|
||||||
$file = str_replace('/', '_', $_GET["f"]);
|
$file = Sf($_GET["f"]);
|
||||||
$date = implode("/", array_reverse(explode("-", $file)));
|
$date = implode("/", array_reverse(explode("-", $file)));
|
||||||
$val = json_decode(file_get_contents("/DATA/club/IMG/$file/data.json"), true);
|
$val = json_decode(file_get_contents("/DATA/club/IMG/$file/data.json"), true);
|
||||||
|
|
||||||
@@ -15,10 +17,10 @@ require_once "../_incl/pre-body.php"; ?>
|
|||||||
<h1><?php echo $date; ?> - <?php echo $val["title"] ?: "Por definir"; ?></h1>
|
<h1><?php echo $date; ?> - <?php echo $val["title"] ?: "Por definir"; ?></h1>
|
||||||
<span>
|
<span>
|
||||||
<a href="/club/" class="btn btn-secondary">Volver a Inicio</a>
|
<a href="/club/" class="btn btn-secondary">Volver a Inicio</a>
|
||||||
<a href="/club/edit_data.php?f=<?php echo $file; ?>" class="btn btn-secondary">Cambiar datos</a>
|
<a href="/club/edit_data.php?f=<?php echo htmlspecialchars($file); ?>" class="btn btn-secondary">Cambiar datos</a>
|
||||||
<a href="/club/upload/index.php?f=<?php echo $file; ?>" class="btn btn-primary">Subir fotos</a>
|
<a href="/club/upload/index.php?f=<?php echo htmlspecialchars($file); ?>" class="btn btn-primary">Subir fotos</a>
|
||||||
<?php if (isset($val["mapa"]["url"]) and $val["mapa"]["url"] != ""): ?>
|
<?php if (isset($val["mapa"]["url"]) and $val["mapa"]["url"] != ""): ?>
|
||||||
<a class="btn btn-secondary" href="<?php echo $val["mapa"]["url"]; ?>" target="_blank">Abrir ruta interactiva</a>
|
<a class="btn btn-secondary" href="<?php echo htmlspecialchars($val["mapa"]["url"]); ?>" target="_blank">Abrir ruta interactiva</a>
|
||||||
<?php endif; ?>
|
<?php endif; ?>
|
||||||
</span>
|
</span>
|
||||||
|
|
||||||
@@ -44,14 +46,14 @@ require_once "../_incl/pre-body.php"; ?>
|
|||||||
} ?>
|
} ?>
|
||||||
<div style="width: 240px; display: inline-block; margin-bottom: 10px; border: 3px solid black; border-radius: 6.5px; box-sizing: content-box;"
|
<div style="width: 240px; display: inline-block; margin-bottom: 10px; border: 3px solid black; border-radius: 6.5px; box-sizing: content-box;"
|
||||||
class="grid-item">
|
class="grid-item">
|
||||||
<?php $dl_url = "foto_dl.php?f=$file/$pname/" . str_replace($persona, "", $foto); ?>
|
<?php $dl_url = "foto_dl.php?f=" . urlencode("$file/$pname/" . str_replace($persona, "", $foto)); ?>
|
||||||
<img class="stack" width="240px" loading="lazy" src="<?php echo $dl_url; ?>&thumbnail=1"
|
<img class="stack" width="240px" loading="lazy" src="<?php echo $dl_url; ?>&thumbnail=1"
|
||||||
alt="Foto de <?php echo $pname . " - " . str_replace($persona, "", $foto); ?>">
|
alt="Foto de <?php echo htmlspecialchars($pname . " - " . str_replace($persona, "", $foto)); ?>">
|
||||||
<div style="padding: 5px; text-align: center;">
|
<div style="padding: 5px; text-align: center;">
|
||||||
Subido por <?php echo $pname; ?><br>
|
Subido por <?php echo htmlspecialchars($pname); ?><br>
|
||||||
<a href="<?php echo $dl_url; ?>" target="_blank" class="btn btn-secondary">Abrir</a>
|
<a href="<?php echo $dl_url; ?>" target="_blank" class="btn btn-secondary">Abrir</a>
|
||||||
<a href="<?php echo $dl_url; ?>"
|
<a href="<?php echo $dl_url; ?>"
|
||||||
download="<?php echo "CLUB-NK5-$file-$pname-" . str_replace($persona, "", $foto); ?>"
|
download="<?php echo "CLUB-" . htmlspecialchars($file) . "-" . htmlspecialchars($pname) . "-" . htmlspecialchars(str_replace($persona, "", $foto)); ?>"
|
||||||
class="btn btn-secondary">Descargar</a>
|
class="btn btn-secondary">Descargar</a>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
<?php
|
<?php
|
||||||
ini_set("display_errors", 0);
|
ini_set("display_errors", 0);
|
||||||
$file = str_replace('/', '_', $_GET["f"]);
|
$file = Sf($_GET["f"]);
|
||||||
$date = implode("/", array_reverse(explode("-", $file)));
|
$date = implode("/", array_reverse(explode("-", $file)));
|
||||||
$val = json_decode(file_get_contents("/DATA/club/IMG/$file/data.json"), true);
|
$val = json_decode(file_get_contents("/DATA/club/IMG/$file/data.json"), true);
|
||||||
$config = json_decode(file_get_contents("/DATA/club/config.json"), true);
|
$config = json_decode(file_get_contents("/DATA/club/config.json"), true);
|
||||||
|
|||||||
@@ -2,21 +2,23 @@
|
|||||||
$APP_CODE = "club";
|
$APP_CODE = "club";
|
||||||
$APP_NAME = "La web del Club<sup>3</sup>";
|
$APP_NAME = "La web del Club<sup>3</sup>";
|
||||||
$APP_TITLE = "La web del Club";
|
$APP_TITLE = "La web del Club";
|
||||||
require_once "../../_incl/pre-body.php"; ?>
|
require_once "../../_incl/pre-body.php";
|
||||||
|
require_once "../../_incl/tools.security.php";
|
||||||
|
?>
|
||||||
<div class="card pad">
|
<div class="card pad">
|
||||||
<h1>Subir fotos</h1>
|
<h1>Subir fotos</h1>
|
||||||
<form action="form.php" method="get">
|
<form action="form.php" method="get">
|
||||||
<div class="mb-3">
|
<div class="mb-3">
|
||||||
<label for="n" class="form-label"><b>Tu nombre:</b></label>
|
<label for="n" class="form-label"><b>Tu nombre:</b></label>
|
||||||
<input required type="text" id="n" name="n" class="form-control" value="<?php echo $_GET["n"] ?: "";?>" placeholder="Nombre...">
|
<input required type="text" id="n" name="n" class="form-control" value="<?php echo htmlspecialchars($_GET["n"] ?? "");?>" placeholder="Nombre...">
|
||||||
</div>
|
</div>
|
||||||
<div class="mb-3">
|
<div class="mb-3">
|
||||||
<label for="f" class="form-label"><b>Fecha:</b></label>
|
<label for="f" class="form-label"><b>Fecha:</b></label>
|
||||||
<input required type="date" id="f" name="f" class="form-control" value="<?php echo $_GET["f"] ?: "";?>" placeholder="Fecha...">
|
<input required type="date" id="f" name="f" class="form-control" value="<?php echo htmlspecialchars($_GET["f"] ?? "");?>" placeholder="Fecha...">
|
||||||
</div>
|
</div>
|
||||||
<div class="mb-3">
|
<div class="mb-3">
|
||||||
<label for="p" class="form-label"><b>La contraseña:</b></label>
|
<label for="p" class="form-label"><b>La contraseña:</b></label>
|
||||||
<input required type="text" id="p" name="p" class="form-control" value="" placeholder="Contraseña...">
|
<input required type="text" id="p" name="p" class="form-control" value="<?php echo htmlspecialchars($_GET["p"] ?? "");?>" placeholder="Contraseña...">
|
||||||
</div>
|
</div>
|
||||||
<button type="submit" class="btn btn-primary">Continuar...</button>
|
<button type="submit" class="btn btn-primary">Continuar...</button>
|
||||||
</form>
|
</form>
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
<?php
|
<?php
|
||||||
header("Content-Type: application/json; charset=utf-8");
|
header("Content-Type: application/json; charset=utf-8");
|
||||||
|
require_once __DIR__ . "/../_incl/tools.security.php";
|
||||||
require_once __DIR__ . "/../_incl/auth_redir.php";
|
require_once __DIR__ . "/../_incl/auth_redir.php";
|
||||||
|
|
||||||
// Check permissions
|
// Check permissions
|
||||||
@@ -16,7 +16,7 @@ if ($centro_id === "") {
|
|||||||
}
|
}
|
||||||
|
|
||||||
$action = $_GET["action"] ?? ($_POST["action"] ?? "");
|
$action = $_GET["action"] ?? ($_POST["action"] ?? "");
|
||||||
$aulario_id = $_GET["aulario"] ?? $_POST["aulario"] ?? "";
|
$aulario_id = Sf($_GET["aulario"] ?? $_POST["aulario"] ?? "");
|
||||||
|
|
||||||
// Validate aulario_id
|
// Validate aulario_id
|
||||||
if ($aulario_id === "") {
|
if ($aulario_id === "") {
|
||||||
@@ -41,7 +41,7 @@ if ($aulario && !empty($aulario["shared_comedor_from"])) {
|
|||||||
$shared_from = $aulario["shared_comedor_from"];
|
$shared_from = $aulario["shared_comedor_from"];
|
||||||
$shared_aulario_path = "/DATA/entreaulas/Centros/$centro_id/Aularios/$shared_from.json";
|
$shared_aulario_path = "/DATA/entreaulas/Centros/$centro_id/Aularios/$shared_from.json";
|
||||||
if (file_exists($shared_aulario_path)) {
|
if (file_exists($shared_aulario_path)) {
|
||||||
$source_aulario_id = $shared_from;
|
$source_aulario_id = Sf($shared_from);
|
||||||
$is_shared = true;
|
$is_shared = true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,7 +1,9 @@
|
|||||||
<?php
|
<?php
|
||||||
require_once "_incl/auth_redir.php";
|
require_once "_incl/auth_redir.php";
|
||||||
require_once "_incl/pre-body.php";
|
require_once "_incl/pre-body.php";
|
||||||
$aulario_id = $_GET["id"];
|
require_once "_incl/tools.security.php";
|
||||||
|
|
||||||
|
$aulario_id = Sf($_GET["id"]);
|
||||||
$centro_id = $_SESSION["auth_data"]["entreaulas"]["centro"];
|
$centro_id = $_SESSION["auth_data"]["entreaulas"]["centro"];
|
||||||
$aulario = json_decode(file_get_contents("/DATA/entreaulas/Centros/$centro_id/Aularios/$aulario_id.json"), true);
|
$aulario = json_decode(file_get_contents("/DATA/entreaulas/Centros/$centro_id/Aularios/$aulario_id.json"), true);
|
||||||
?>
|
?>
|
||||||
|
|||||||
@@ -5,7 +5,7 @@ if (in_array("entreaulas:docente", $_SESSION["auth_data"]["permissions"] ?? [])
|
|||||||
die("Access denied");
|
die("Access denied");
|
||||||
}
|
}
|
||||||
|
|
||||||
$aulario_id = $_GET["aulario"] ?? "";
|
$aulario_id = Sf($_GET["aulario"] ?? "");
|
||||||
$centro_id = $_SESSION["auth_data"]["entreaulas"]["centro"] ?? "";
|
$centro_id = $_SESSION["auth_data"]["entreaulas"]["centro"] ?? "";
|
||||||
|
|
||||||
if ($aulario_id === "" || $centro_id === "") {
|
if ($aulario_id === "" || $centro_id === "") {
|
||||||
@@ -30,7 +30,7 @@ if ($aulario && !empty($aulario["shared_comedor_from"])) {
|
|||||||
$shared_from = $aulario["shared_comedor_from"];
|
$shared_from = $aulario["shared_comedor_from"];
|
||||||
$shared_aulario_path = "/DATA/entreaulas/Centros/$centro_id/Aularios/$shared_from.json";
|
$shared_aulario_path = "/DATA/entreaulas/Centros/$centro_id/Aularios/$shared_from.json";
|
||||||
if (file_exists($shared_aulario_path)) {
|
if (file_exists($shared_aulario_path)) {
|
||||||
$source_aulario_id = $shared_from;
|
$source_aulario_id = Sf($shared_from);
|
||||||
$source_aulario_name = file_exists($shared_aulario_path) ? json_decode(file_get_contents($shared_aulario_path), true)["name"] ?? $shared_from : $shared_from;
|
$source_aulario_name = file_exists($shared_aulario_path) ? json_decode(file_get_contents($shared_aulario_path), true)["name"] ?? $shared_from : $shared_from;
|
||||||
$is_shared = true;
|
$is_shared = true;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,5 +1,6 @@
|
|||||||
<?php
|
<?php
|
||||||
require_once "_incl/auth_redir.php";
|
require_once "_incl/auth_redir.php";
|
||||||
|
require_once "_incl/tools.security.php";
|
||||||
|
|
||||||
// Check if user has docente permission
|
// Check if user has docente permission
|
||||||
if (!in_array("entreaulas:docente", $_SESSION["auth_data"]["permissions"] ?? [])) {
|
if (!in_array("entreaulas:docente", $_SESSION["auth_data"]["permissions"] ?? [])) {
|
||||||
@@ -7,9 +8,9 @@ if (!in_array("entreaulas:docente", $_SESSION["auth_data"]["permissions"] ?? [])
|
|||||||
die("Acceso denegado");
|
die("Acceso denegado");
|
||||||
}
|
}
|
||||||
|
|
||||||
$aulario_id = $_GET["aulario"] ?? "";
|
$aulario_id = Sf($_GET["aulario"] ?? "");
|
||||||
$centro_id = $_SESSION["auth_data"]["entreaulas"]["centro"] ?? "";
|
$centro_id = Sf($_SESSION["auth_data"]["entreaulas"]["centro"] ?? "");
|
||||||
$alumno = $_GET["alumno"] ?? "";
|
$alumno = Sf($_GET["alumno"] ?? "");
|
||||||
|
|
||||||
if (empty($aulario_id) || empty($centro_id)) {
|
if (empty($aulario_id) || empty($centro_id)) {
|
||||||
require_once "_incl/pre-body.php";
|
require_once "_incl/pre-body.php";
|
||||||
@@ -213,8 +214,8 @@ require_once "_incl/pre-body.php";
|
|||||||
|
|
||||||
<?php
|
<?php
|
||||||
// Show specific diary entry if requested
|
// Show specific diary entry if requested
|
||||||
$type = $_GET["type"] ?? "Panel";
|
$type = Sf($_GET["type"] ?? "");
|
||||||
$date = $_GET["date"] ?? date("Y-m-d");
|
$date = Sf($_GET["date"] ?? date("Y-m-d"));
|
||||||
|
|
||||||
if (!empty($type) && !empty($date)) {
|
if (!empty($type) && !empty($date)) {
|
||||||
$date = preg_replace('/[^0-9-]/', '', $date); // Sanitize date
|
$date = preg_replace('/[^0-9-]/', '', $date); // Sanitize date
|
||||||
|
|||||||
@@ -1,5 +1,6 @@
|
|||||||
<?php
|
<?php
|
||||||
require_once "_incl/auth_redir.php";
|
require_once "_incl/auth_redir.php";
|
||||||
|
require_once "_incl/tools.security.php";
|
||||||
ini_set("display_errors", "0");
|
ini_set("display_errors", "0");
|
||||||
// Funciones auxiliares para el diario
|
// Funciones auxiliares para el diario
|
||||||
function getDiarioPath($alumno, $centro_id, $aulario_id) {
|
function getDiarioPath($alumno, $centro_id, $aulario_id) {
|
||||||
@@ -749,7 +750,7 @@ switch ($_GET["action"]) {
|
|||||||
break;
|
break;
|
||||||
case "menu":
|
case "menu":
|
||||||
// Menú del comedor (nuevo sistema, vista simplificada)
|
// Menú del comedor (nuevo sistema, vista simplificada)
|
||||||
$aulario_id = $_GET["aulario"] ?? "";
|
$aulario_id = Sf($_GET["aulario"] ?? '');
|
||||||
$centro_id = $_SESSION["auth_data"]["entreaulas"]["centro"] ?? "";
|
$centro_id = $_SESSION["auth_data"]["entreaulas"]["centro"] ?? "";
|
||||||
|
|
||||||
$source_aulario_id = $aulario_id;
|
$source_aulario_id = $aulario_id;
|
||||||
@@ -758,7 +759,7 @@ switch ($_GET["action"]) {
|
|||||||
$aulario_path = "/DATA/entreaulas/Centros/$centro_id/Aularios/$aulario_id.json";
|
$aulario_path = "/DATA/entreaulas/Centros/$centro_id/Aularios/$aulario_id.json";
|
||||||
$aulario = file_exists($aulario_path) ? json_decode(file_get_contents($aulario_path), true) : null;
|
$aulario = file_exists($aulario_path) ? json_decode(file_get_contents($aulario_path), true) : null;
|
||||||
if ($aulario && !empty($aulario["shared_comedor_from"])) {
|
if ($aulario && !empty($aulario["shared_comedor_from"])) {
|
||||||
$shared_from = $aulario["shared_comedor_from"];
|
$shared_from = Sf($aulario["shared_comedor_from"]);
|
||||||
$shared_aulario_path = "/DATA/entreaulas/Centros/$centro_id/Aularios/$shared_from.json";
|
$shared_aulario_path = "/DATA/entreaulas/Centros/$centro_id/Aularios/$shared_from.json";
|
||||||
if (file_exists($shared_aulario_path)) {
|
if (file_exists($shared_aulario_path)) {
|
||||||
$source_aulario_id = $shared_from;
|
$source_aulario_id = $shared_from;
|
||||||
|
|||||||
@@ -1,12 +1,13 @@
|
|||||||
<?php
|
<?php
|
||||||
require_once "_incl/auth_redir.php";
|
require_once "_incl/auth_redir.php";
|
||||||
|
require_once "_incl/tools.security.php";
|
||||||
|
|
||||||
if (in_array("entreaulas:docente", $_SESSION["auth_data"]["permissions"] ?? []) === false) {
|
if (in_array("entreaulas:docente", $_SESSION["auth_data"]["permissions"] ?? []) === false) {
|
||||||
header("HTTP/1.1 403 Forbidden");
|
header("HTTP/1.1 403 Forbidden");
|
||||||
die("Access denied");
|
die("Access denied");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$aulario_id = Sf($_GET["aulario"] ?? "");
|
||||||
$aulario_id = $_GET["aulario"] ?? "";
|
|
||||||
$centro_id = $_SESSION["auth_data"]["entreaulas"]["centro"] ?? "";
|
$centro_id = $_SESSION["auth_data"]["entreaulas"]["centro"] ?? "";
|
||||||
|
|
||||||
if ($aulario_id === "" || $centro_id === "") {
|
if ($aulario_id === "" || $centro_id === "") {
|
||||||
@@ -406,8 +407,8 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ($action === "share_project") {
|
if ($action === "share_project") {
|
||||||
$project_id = $_POST["project_id"] ?? "";
|
$project_id = Sf($_POST["project_id"] ?? "");
|
||||||
$target_aulario = $_POST["target_aulario"] ?? "";
|
$target_aulario = Sf($_POST["target_aulario"] ?? "");
|
||||||
|
|
||||||
if ($project_id !== "" && $target_aulario !== "" && $target_aulario !== $aulario_id) {
|
if ($project_id !== "" && $target_aulario !== "" && $target_aulario !== $aulario_id) {
|
||||||
// Only allow sharing local projects
|
// Only allow sharing local projects
|
||||||
@@ -457,7 +458,7 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
|
|||||||
if (in_array("entreaulas:proyectos:delete", $_SESSION["auth_data"]["permissions"] ?? []) === false) {
|
if (in_array("entreaulas:proyectos:delete", $_SESSION["auth_data"]["permissions"] ?? []) === false) {
|
||||||
$error = "No tienes permisos para borrar proyectos.";
|
$error = "No tienes permisos para borrar proyectos.";
|
||||||
} else {
|
} else {
|
||||||
$project_id = $_POST["project_id"] ?? "";
|
$project_id = Sf($_POST["project_id"] ?? "");
|
||||||
if ($project_id !== "") {
|
if ($project_id !== "") {
|
||||||
$project = load_project($proyectos_dir, $project_id);
|
$project = load_project($proyectos_dir, $project_id);
|
||||||
$project_dir = find_project_path($proyectos_dir, $project_id);
|
$project_dir = find_project_path($proyectos_dir, $project_id);
|
||||||
@@ -483,7 +484,7 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ($action === "edit_project") {
|
if ($action === "edit_project") {
|
||||||
$project_id = $_POST["project_id"] ?? "";
|
$project_id = Sf($_POST["project_id"] ?? "");
|
||||||
$name = trim($_POST["name"] ?? "");
|
$name = trim($_POST["name"] ?? "");
|
||||||
$description = sanitize_html($_POST["description"] ?? "");
|
$description = sanitize_html($_POST["description"] ?? "");
|
||||||
|
|
||||||
@@ -504,15 +505,15 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ($action === "add_item") {
|
if ($action === "add_item") {
|
||||||
$project_id = $_POST["project_id"] ?? "";
|
$project_id = Sf($_POST["project_id"] ?? "");
|
||||||
$item_type = $_POST["item_type"] ?? "link";
|
$item_type = Sf($_POST["item_type"] ?? "link");
|
||||||
$item_name = trim($_POST["item_name"] ?? "");
|
$item_name = trim(Sf($_POST["item_name"] ?? ""));
|
||||||
$item_url = trim($_POST["item_url"] ?? "");
|
$item_url = trim(Sf($_POST["item_url"] ?? ""));
|
||||||
$item_content = sanitize_html($_POST["item_content"] ?? "");
|
$item_content = sanitize_html(Sf($_POST["item_content"] ?? ""));
|
||||||
$videocall_platform = $_POST["videocall_platform"] ?? "jitsi";
|
$videocall_platform = Sf($_POST["videocall_platform"] ?? "jitsi");
|
||||||
$videocall_room = trim($_POST["videocall_room"] ?? "");
|
$videocall_room = trim(Sf($_POST["videocall_room"] ?? ""));
|
||||||
$videocall_url = trim($_POST["videocall_url"] ?? "");
|
$videocall_url = trim(Sf($_POST["videocall_url"] ?? ""));
|
||||||
$source_aulario_param = $_POST["source_aulario"] ?? "";
|
$source_aulario_param = Sf($_POST["source_aulario"] ?? "");
|
||||||
|
|
||||||
// Determine which directory to use and permission level
|
// Determine which directory to use and permission level
|
||||||
$working_dir = $proyectos_dir;
|
$working_dir = $proyectos_dir;
|
||||||
@@ -524,10 +525,10 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
|
|||||||
// Validate the link
|
// Validate the link
|
||||||
$linked_projects = $aulario["linked_projects"] ?? [];
|
$linked_projects = $aulario["linked_projects"] ?? [];
|
||||||
foreach ($linked_projects as $link) {
|
foreach ($linked_projects as $link) {
|
||||||
if (($link["source_aulario"] ?? "") === $source_aulario_param &&
|
if ((Sf($link["source_aulario"] ?? "") === $source_aulario_param) &&
|
||||||
($link["project_id"] ?? "") === $project_id
|
(Sf($link["project_id"] ?? "") === $project_id)
|
||||||
) {
|
) {
|
||||||
$permission = $link["permission"] ?? "read_only";
|
$permission = Sf($link["permission"] ?? "read_only");
|
||||||
if ($permission === "full_edit") {
|
if ($permission === "full_edit") {
|
||||||
$working_dir = $proyectos_dir;
|
$working_dir = $proyectos_dir;
|
||||||
} elseif ($permission === "request_edit") {
|
} elseif ($permission === "request_edit") {
|
||||||
@@ -722,8 +723,8 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ($action === "approve_change" || $action === "reject_change") {
|
if ($action === "approve_change" || $action === "reject_change") {
|
||||||
$change_id = $_POST["change_id"] ?? "";
|
$change_id = Sf($_POST["change_id"] ?? "");
|
||||||
$project_id = $_POST["project_id"] ?? "";
|
$project_id = Sf($_POST["project_id"] ?? "");
|
||||||
|
|
||||||
if (!empty($change_id) && !empty($project_id)) {
|
if (!empty($change_id) && !empty($project_id)) {
|
||||||
$project_dir = find_project_path($proyectos_dir, $project_id);
|
$project_dir = find_project_path($proyectos_dir, $project_id);
|
||||||
@@ -786,15 +787,15 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (in_array(($item["type"] ?? ""), ["file", "pdf_secure"], true) && !empty($change_data["pending_filename"])) {
|
if (in_array(($item["type"] ?? ""), ["file", "pdf_secure"], true) && !empty($change_data["pending_filename"])) {
|
||||||
$pending_file = "$pending_dir/" . $change_data["pending_filename"];
|
$pending_file = "$pending_dir/" . Sf($change_data["pending_filename"]);
|
||||||
$target_file = "$project_dir/" . $change_data["pending_filename"];
|
$target_file = "$project_dir/" . Sf($change_data["pending_filename"]);
|
||||||
if (file_exists($pending_file)) {
|
if (file_exists($pending_file)) {
|
||||||
if (!is_dir($project_dir)) {
|
if (!is_dir($project_dir)) {
|
||||||
mkdir($project_dir, 0755, true);
|
mkdir($project_dir, 0755, true);
|
||||||
}
|
}
|
||||||
rename($pending_file, $target_file);
|
rename($pending_file, $target_file);
|
||||||
if (!empty($item["filename"])) {
|
if (!empty($item["filename"])) {
|
||||||
$old_path = "$project_dir/" . $item["filename"];
|
$old_path = "$project_dir/" . Sf($item["filename"]);
|
||||||
if (file_exists($old_path)) {
|
if (file_exists($old_path)) {
|
||||||
unlink($old_path);
|
unlink($old_path);
|
||||||
if (file_exists($old_path . ".eadat")) {
|
if (file_exists($old_path . ".eadat")) {
|
||||||
@@ -802,8 +803,8 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
$item["filename"] = $change_data["pending_filename"];
|
$item["filename"] = Sf($change_data["pending_filename"]);
|
||||||
$item["original_name"] = $change_data["original_filename"] ?? $change_data["pending_filename"];
|
$item["original_name"] = Sf($change_data["original_filename"] ?? $change_data["pending_filename"]);
|
||||||
|
|
||||||
$file_meta = [
|
$file_meta = [
|
||||||
"id" => $item_id,
|
"id" => $item_id,
|
||||||
@@ -851,21 +852,21 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
|
|||||||
$item["room"] = $change_data["item_room"] ?? "";
|
$item["room"] = $change_data["item_room"] ?? "";
|
||||||
} elseif (in_array($change_data["item_type"], ["file", "pdf_secure"], true) && !empty($change_data["pending_filename"])) {
|
} elseif (in_array($change_data["item_type"], ["file", "pdf_secure"], true) && !empty($change_data["pending_filename"])) {
|
||||||
// Move file from pending to project directory
|
// Move file from pending to project directory
|
||||||
$pending_file = "$pending_dir/" . $change_data["pending_filename"];
|
$pending_file = "$pending_dir/" . Sf($change_data["pending_filename"]);
|
||||||
$target_file = "$project_dir/" . $change_data["pending_filename"];
|
$target_file = "$project_dir/" . Sf($change_data["pending_filename"]);
|
||||||
|
|
||||||
if (file_exists($pending_file)) {
|
if (file_exists($pending_file)) {
|
||||||
if (!is_dir($project_dir)) {
|
if (!is_dir($project_dir)) {
|
||||||
mkdir($project_dir, 0755, true);
|
mkdir($project_dir, 0755, true);
|
||||||
}
|
}
|
||||||
rename($pending_file, $target_file);
|
rename($pending_file, $target_file);
|
||||||
$item["filename"] = $change_data["pending_filename"];
|
$item["filename"] = Sf($change_data["pending_filename"]);
|
||||||
$item["original_name"] = $change_data["original_filename"] ?? $change_data["pending_filename"];
|
$item["original_name"] = Sf($change_data["original_filename"] ?? $change_data["pending_filename"]);
|
||||||
|
|
||||||
$file_meta = [
|
$file_meta = [
|
||||||
"id" => $item_id,
|
"id" => $item_id,
|
||||||
"name" => $change_data["item_name"],
|
"name" => Sf($change_data["item_name"]),
|
||||||
"type" => $change_data["item_type"],
|
"type" => Sf($change_data["item_type"]),
|
||||||
"original_name" => $item["original_name"],
|
"original_name" => $item["original_name"],
|
||||||
"created_at" => $item["created_at"]
|
"created_at" => $item["created_at"]
|
||||||
];
|
];
|
||||||
@@ -886,7 +887,7 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
|
|||||||
} else {
|
} else {
|
||||||
// Reject - just delete pending file if exists
|
// Reject - just delete pending file if exists
|
||||||
if (!empty($change_data["pending_filename"])) {
|
if (!empty($change_data["pending_filename"])) {
|
||||||
$pending_file = "$pending_dir/" . $change_data["pending_filename"];
|
$pending_file = "$pending_dir/" . Sf($change_data["pending_filename"]);
|
||||||
if (file_exists($pending_file)) {
|
if (file_exists($pending_file)) {
|
||||||
unlink($pending_file);
|
unlink($pending_file);
|
||||||
}
|
}
|
||||||
@@ -901,9 +902,9 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ($action === "delete_item") {
|
if ($action === "delete_item") {
|
||||||
$project_id = $_POST["project_id"] ?? "";
|
$project_id = Sf($_POST["project_id"] ?? "");
|
||||||
$item_id = $_POST["item_id"] ?? "";
|
$item_id = Sf($_POST["item_id"] ?? "");
|
||||||
$source_aulario_param = $_POST["source_aulario"] ?? "";
|
$source_aulario_param = Sf($_POST["source_aulario"] ?? "");
|
||||||
|
|
||||||
// Determine which directory to use based on whether this is a linked project
|
// Determine which directory to use based on whether this is a linked project
|
||||||
$working_dir = $proyectos_dir;
|
$working_dir = $proyectos_dir;
|
||||||
@@ -1010,15 +1011,15 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ($action === "edit_item") {
|
if ($action === "edit_item") {
|
||||||
$project_id = $_POST["project_id"] ?? "";
|
$project_id = Sf($_POST["project_id"] ?? "");
|
||||||
$item_id = $_POST["item_id"] ?? "";
|
$item_id = Sf($_POST["item_id"] ?? "");
|
||||||
$item_name = trim($_POST["item_name"] ?? "");
|
$item_name = Sf(trim($_POST["item_name"] ?? ""));
|
||||||
$item_url = trim($_POST["item_url"] ?? "");
|
$item_url = Sf(trim($_POST["item_url"] ?? ""));
|
||||||
$item_content = sanitize_html($_POST["item_content"] ?? "");
|
$item_content = Sf(sanitize_html($_POST["item_content"] ?? ""));
|
||||||
$videocall_platform = $_POST["edit_videocall_platform"] ?? "jitsi";
|
$videocall_platform = Sf($_POST["edit_videocall_platform"] ?? "jitsi");
|
||||||
$videocall_room = trim($_POST["edit_videocall_room"] ?? "");
|
$videocall_room = Sf(trim($_POST["edit_videocall_room"] ?? ""));
|
||||||
$videocall_url = trim($_POST["edit_videocall_url"] ?? "");
|
$videocall_url = Sf(trim($_POST["edit_videocall_url"] ?? ""));
|
||||||
$source_aulario_param = $_POST["source_aulario"] ?? "";
|
$source_aulario_param = Sf($_POST["source_aulario"] ?? "");
|
||||||
|
|
||||||
$working_dir = $proyectos_dir;
|
$working_dir = $proyectos_dir;
|
||||||
$permission = "full_edit";
|
$permission = "full_edit";
|
||||||
|
|||||||
@@ -1,9 +1,10 @@
|
|||||||
<?php
|
<?php
|
||||||
require_once "_incl/auth_redir.php";
|
require_once "_incl/auth_redir.php";
|
||||||
|
require_once "_incl/tools.security.php";
|
||||||
switch ($_GET["form"]) {
|
switch ($_GET["form"]) {
|
||||||
case "delete":
|
case "delete":
|
||||||
$aulario_id = $_POST["aulario_id"];
|
$aulario_id = Sf($_POST["aulario_id"] ?? "");
|
||||||
$centro_id = $_POST["centro_id"];
|
$centro_id = Sf($_POST["centro_id"] ?? "");
|
||||||
$aulario_file = "/DATA/entreaulas/Centros/$centro_id/Aularios/$aulario_id.json";
|
$aulario_file = "/DATA/entreaulas/Centros/$centro_id/Aularios/$aulario_id.json";
|
||||||
if (!file_exists($aulario_file)) {
|
if (!file_exists($aulario_file)) {
|
||||||
die("Aulario no encontrado.");
|
die("Aulario no encontrado.");
|
||||||
@@ -34,14 +35,14 @@ switch ($_GET["form"]) {
|
|||||||
break;
|
break;
|
||||||
case "create":
|
case "create":
|
||||||
$user_data = $_SESSION["auth_data"];
|
$user_data = $_SESSION["auth_data"];
|
||||||
$centro_id = $_POST["centro"];
|
$centro_id = Sf($_POST["centro"] ?? "");
|
||||||
if (empty($centro_id) || !is_dir("/DATA/entreaulas/Centros/$centro_id")) {
|
if (empty($centro_id) || !is_dir("/DATA/entreaulas/Centros/$centro_id")) {
|
||||||
die("Centro no válido.");
|
die("Centro no válido.");
|
||||||
}
|
}
|
||||||
$aulario_id = strtolower(preg_replace("/[^a-zA-Z0-9_-]/", "_", $_POST["name"]));
|
$aulario_id = strtolower(preg_replace("/[^a-zA-Z0-9_-]/", "_", Sf($_POST["name"] ?? "")));
|
||||||
$aulario_data = [
|
$aulario_data = [
|
||||||
"name" => $_POST["name"],
|
"name" => Sf($_POST["name"] ?? ""),
|
||||||
"icon" => $_POST["icon"] ?? "/static/logo-entreaulas.png"
|
"icon" => Sf($_POST["icon"] ?? "/static/logo-entreaulas.png")
|
||||||
];
|
];
|
||||||
// Make path recursive (mkdir -p equivalent)
|
// Make path recursive (mkdir -p equivalent)
|
||||||
@mkdir("/DATA/entreaulas/Centros/$centro_id/Aularios/", 0777, true);
|
@mkdir("/DATA/entreaulas/Centros/$centro_id/Aularios/", 0777, true);
|
||||||
@@ -53,18 +54,18 @@ switch ($_GET["form"]) {
|
|||||||
exit();
|
exit();
|
||||||
break;
|
break;
|
||||||
case "save_edit":
|
case "save_edit":
|
||||||
$aulario_id = $_POST["aulario_id"];
|
$aulario_id = Sf($_POST["aulario_id"] ?? "");
|
||||||
$centro_id = $_POST["centro_id"];
|
$centro_id = Sf($_POST["centro_id"] ?? "");
|
||||||
$aulario_file = "/DATA/entreaulas/Centros/$centro_id/Aularios/$aulario_id.json";
|
$aulario_file = "/DATA/entreaulas/Centros/$centro_id/Aularios/$aulario_id.json";
|
||||||
if (!file_exists($aulario_file)) {
|
if (!file_exists($aulario_file)) {
|
||||||
die("Aulario no encontrado.");
|
die("Aulario no encontrado.");
|
||||||
}
|
}
|
||||||
$aulario_data = json_decode(file_get_contents($aulario_file), true);
|
$aulario_data = json_decode(file_get_contents($aulario_file), true);
|
||||||
$aulario_data["name"] = $_POST["name"];
|
$aulario_data["name"] = Sf($_POST["name"] ?? "");
|
||||||
$aulario_data["icon"] = $_POST["icon"];
|
$aulario_data["icon"] = Sf($_POST["icon"] ?? "/static/logo-entreaulas.png");
|
||||||
|
|
||||||
// Handle shared comedor configuration
|
// Handle shared comedor configuration
|
||||||
$share_comedor_from = $_POST["share_comedor_from"] ?? "";
|
$share_comedor_from = Sf($_POST["share_comedor_from"] ?? "");
|
||||||
|
|
||||||
if (!empty($share_comedor_from) && $share_comedor_from !== "none") {
|
if (!empty($share_comedor_from) && $share_comedor_from !== "none") {
|
||||||
$aulario_data["shared_comedor_from"] = $share_comedor_from;
|
$aulario_data["shared_comedor_from"] = $share_comedor_from;
|
||||||
@@ -74,9 +75,9 @@ switch ($_GET["form"]) {
|
|||||||
|
|
||||||
// Handle linked projects configuration
|
// Handle linked projects configuration
|
||||||
$linked_projects = [];
|
$linked_projects = [];
|
||||||
$linked_aularios = $_POST["linked_aulario"] ?? [];
|
$linked_aularios = Sf($_POST["linked_aulario"] ?? []);
|
||||||
$linked_project_ids = $_POST["linked_project_id"] ?? [];
|
$linked_project_ids = Sf($_POST["linked_project_id"] ?? []);
|
||||||
$linked_permissions = $_POST["linked_permission"] ?? [];
|
$linked_permissions = Sf($_POST["linked_permission"] ?? []);
|
||||||
|
|
||||||
for ($i = 0; $i < count($linked_aularios); $i++) {
|
for ($i = 0; $i < count($linked_aularios); $i++) {
|
||||||
if (!empty($linked_aularios[$i]) && !empty($linked_project_ids[$i])) {
|
if (!empty($linked_aularios[$i]) && !empty($linked_project_ids[$i])) {
|
||||||
@@ -140,8 +141,8 @@ switch ($_GET["action"]) {
|
|||||||
<?php
|
<?php
|
||||||
break;
|
break;
|
||||||
case "edit":
|
case "edit":
|
||||||
$aulario_id = $_GET["aulario"];
|
$aulario_id = Sf($_GET["aulario"] ?? "");
|
||||||
$centro_id = $_GET["centro"];
|
$centro_id = Sf($_GET["centro"] ?? "");
|
||||||
$aulario_file = "/DATA/entreaulas/Centros/$centro_id/Aularios/$aulario_id.json";
|
$aulario_file = "/DATA/entreaulas/Centros/$centro_id/Aularios/$aulario_id.json";
|
||||||
if (!file_exists($aulario_file)) {
|
if (!file_exists($aulario_file)) {
|
||||||
die("Aulario no encontrado.");
|
die("Aulario no encontrado.");
|
||||||
@@ -384,7 +385,7 @@ switch ($_GET["action"]) {
|
|||||||
<tbody>
|
<tbody>
|
||||||
<?php
|
<?php
|
||||||
$user_data = $_SESSION["auth_data"];
|
$user_data = $_SESSION["auth_data"];
|
||||||
$centro_filter = $_GET['centro'] ?? "*";
|
$centro_filter = Sf($_GET['centro'] ?? "*");
|
||||||
$aulas_filelist = glob("/DATA/entreaulas/Centros/$centro_filter/Aularios/*.json");
|
$aulas_filelist = glob("/DATA/entreaulas/Centros/$centro_filter/Aularios/*.json");
|
||||||
foreach ($aulas_filelist as $aula_file) {
|
foreach ($aulas_filelist as $aula_file) {
|
||||||
$aula_data = json_decode(file_get_contents($aula_file), true);
|
$aula_data = json_decode(file_get_contents($aula_file), true);
|
||||||
|
|||||||
@@ -1,8 +1,9 @@
|
|||||||
<?php
|
<?php
|
||||||
require_once "_incl/auth_redir.php";
|
require_once "_incl/auth_redir.php";
|
||||||
|
require_once "_incl/tools.security.php";
|
||||||
switch ($_GET["form"]) {
|
switch ($_GET["form"]) {
|
||||||
case "create":
|
case "create":
|
||||||
$centro_id = $_POST["name"];
|
$centro_id = Sf($_POST["name"] ?? "");
|
||||||
if (empty($centro_id)) {
|
if (empty($centro_id)) {
|
||||||
die("Nombre del centro no proporcionado.");
|
die("Nombre del centro no proporcionado.");
|
||||||
}
|
}
|
||||||
@@ -19,12 +20,12 @@ switch ($_GET["form"]) {
|
|||||||
ini_set("display_errors", 1);
|
ini_set("display_errors", 1);
|
||||||
ini_set('upload_max_filesize', '256M');
|
ini_set('upload_max_filesize', '256M');
|
||||||
ini_set('post_max_size', '256M');
|
ini_set('post_max_size', '256M');
|
||||||
$centro_id = $_GET['centro'] ?? '';
|
$centro_id = Sf($_GET['centro'] ?? '');
|
||||||
$centro_path = "/DATA/entreaulas/Centros/$centro_id";
|
$centro_path = "/DATA/entreaulas/Centros/$centro_id";
|
||||||
if (!is_dir($centro_path)) {
|
if (!is_dir($centro_path)) {
|
||||||
die("Centro no válido.");
|
die("Centro no válido.");
|
||||||
}
|
}
|
||||||
$activity_name = $_POST["name"] ?? '';
|
$activity_name = Sf($_POST["name"] ?? '');
|
||||||
if (empty($activity_name)) {
|
if (empty($activity_name)) {
|
||||||
die("Nombre de la actividad no proporcionado.");
|
die("Nombre de la actividad no proporcionado.");
|
||||||
}
|
}
|
||||||
@@ -47,8 +48,8 @@ switch ($_GET["form"]) {
|
|||||||
ini_set("display_errors", 1);
|
ini_set("display_errors", 1);
|
||||||
ini_set('upload_max_filesize', '256M');
|
ini_set('upload_max_filesize', '256M');
|
||||||
ini_set('post_max_size', '256M');
|
ini_set('post_max_size', '256M');
|
||||||
$centro_id = $_GET['centro'] ?? '';
|
$centro_id = Sf($_GET['centro'] ?? '');
|
||||||
$activity_name = $_GET['activity'] ?? '';
|
$activity_name = Sf($_GET['activity'] ?? '');
|
||||||
$activity_path = "/DATA/entreaulas/Centros/$centro_id/Panel/Actividades/$activity_name";
|
$activity_path = "/DATA/entreaulas/Centros/$centro_id/Panel/Actividades/$activity_name";
|
||||||
if (!is_dir($activity_path)) {
|
if (!is_dir($activity_path)) {
|
||||||
die("Actividad no válida.");
|
die("Actividad no válida.");
|
||||||
@@ -58,8 +59,8 @@ switch ($_GET["form"]) {
|
|||||||
$photo_path = "$activity_path/photo.jpg";
|
$photo_path = "$activity_path/photo.jpg";
|
||||||
move_uploaded_file($activity_photo["tmp_name"], $photo_path);
|
move_uploaded_file($activity_photo["tmp_name"], $photo_path);
|
||||||
}
|
}
|
||||||
if ($_POST['nombre'] != $_GET['activity']) {
|
if (Sf($_POST['nombre'] ?? '') != $activity_name) {
|
||||||
$new_activity_name = $_POST['nombre'];
|
$new_activity_name = Sf($_POST['nombre'] ?? '');
|
||||||
$new_activity_path = "/DATA/entreaulas/Centros/$centro_id/Panel/Actividades/$new_activity_name";
|
$new_activity_path = "/DATA/entreaulas/Centros/$centro_id/Panel/Actividades/$new_activity_name";
|
||||||
if (is_dir($new_activity_path)) {
|
if (is_dir($new_activity_path)) {
|
||||||
die("Ya existe una actividad con ese nombre.");
|
die("Ya existe una actividad con ese nombre.");
|
||||||
@@ -74,8 +75,8 @@ switch ($_GET["form"]) {
|
|||||||
require_once "_incl/pre-body.php";
|
require_once "_incl/pre-body.php";
|
||||||
switch ($_GET["action"]) {
|
switch ($_GET["action"]) {
|
||||||
case "edit_activity":
|
case "edit_activity":
|
||||||
$centro_id = $_GET['centro'] ?? '';
|
$centro_id = Sf($_GET['centro'] ?? '');
|
||||||
$activity_name = $_GET['activity'] ?? '';
|
$activity_name = Sf($_GET['activity'] ?? '');
|
||||||
$activity_path = "/DATA/entreaulas/Centros/$centro_id/Panel/Actividades/$activity_name";
|
$activity_path = "/DATA/entreaulas/Centros/$centro_id/Panel/Actividades/$activity_name";
|
||||||
if (!is_dir($activity_path)) {
|
if (!is_dir($activity_path)) {
|
||||||
die("Actividad no válida.");
|
die("Actividad no válida.");
|
||||||
@@ -111,7 +112,7 @@ switch ($_GET["action"]) {
|
|||||||
<?php
|
<?php
|
||||||
break;
|
break;
|
||||||
case "new_activity":
|
case "new_activity":
|
||||||
$centro_id = $_GET['centro'] ?? '';
|
$centro_id = Sf($_GET['centro'] ?? '');
|
||||||
$centro_path = "/DATA/entreaulas/Centros/$centro_id";
|
$centro_path = "/DATA/entreaulas/Centros/$centro_id";
|
||||||
if (!is_dir($centro_path)) {
|
if (!is_dir($centro_path)) {
|
||||||
die("Centro no válido.");
|
die("Centro no válido.");
|
||||||
@@ -159,7 +160,7 @@ switch ($_GET["action"]) {
|
|||||||
<?php
|
<?php
|
||||||
break;
|
break;
|
||||||
case "edit":
|
case "edit":
|
||||||
$centro_id = $_GET['centro'] ?? '';
|
$centro_id = Sf($_GET['centro'] ?? '');
|
||||||
$centro_path = "/DATA/entreaulas/Centros/$centro_id";
|
$centro_path = "/DATA/entreaulas/Centros/$centro_id";
|
||||||
if (!is_dir($centro_path)) {
|
if (!is_dir($centro_path)) {
|
||||||
die("Centro no válido.");
|
die("Centro no válido.");
|
||||||
@@ -221,7 +222,7 @@ switch ($_GET["action"]) {
|
|||||||
foreach ($activities as $activity_path) {
|
foreach ($activities as $activity_path) {
|
||||||
$activity_name = basename($activity_path);
|
$activity_name = basename($activity_path);
|
||||||
$image_path = "/DATA/entreaulas/Centros/$centro_id/Panel/Actividades/" . basename($activity_name) . "/photo.jpg";
|
$image_path = "/DATA/entreaulas/Centros/$centro_id/Panel/Actividades/" . basename($activity_name) . "/photo.jpg";
|
||||||
$image_fetchpath = file_exists($image_path) ? "/entreaulas/_filefetch.php?type=panel_actividades¢ro=" . urlencode($centro_id) . "&activity=" . urlencode(basename($activity_name)) : '/static/logo-entreaulas.png';
|
$image_fetchpath = file_exists($image_path) ? "/entreaulas/_filefetch.php?type=panel_actividades¢ro=" . urlencode($centro_id) . "&activity=" . urlencode($activity_name) : '/static/logo-entreaulas.png';
|
||||||
echo '<tr>';
|
echo '<tr>';
|
||||||
echo '<td><img src="' . htmlspecialchars($image_fetchpath) . '" alt="Foto" style="height: 50px;"></td>';
|
echo '<td><img src="' . htmlspecialchars($image_fetchpath) . '" alt="Foto" style="height: 50px;"></td>';
|
||||||
echo '<td>' . htmlspecialchars($activity_name) . '</td>';
|
echo '<td>' . htmlspecialchars($activity_name) . '</td>';
|
||||||
|
|||||||
@@ -1,9 +1,9 @@
|
|||||||
<?php
|
<?php
|
||||||
require_once "_incl/auth_redir.php";
|
require_once "_incl/auth_redir.php";
|
||||||
|
require_once "_incl/tools.security.php";
|
||||||
switch ($_GET['form'] ?? '') {
|
switch ($_GET['form'] ?? '') {
|
||||||
case 'save_password':
|
case 'save_password':
|
||||||
$username = $_POST['username'] ?? '';
|
$username = Sf($_POST['username'] ?? '');
|
||||||
$new_password = $_POST['new_password'] ?? '';
|
$new_password = $_POST['new_password'] ?? '';
|
||||||
$confirm_password = $_POST['confirm_password'] ?? '';
|
$confirm_password = $_POST['confirm_password'] ?? '';
|
||||||
|
|
||||||
|
|||||||
@@ -1,9 +1,9 @@
|
|||||||
<?php
|
<?php
|
||||||
require_once "_incl/auth_redir.php";
|
require_once "_incl/auth_redir.php";
|
||||||
|
require_once "_incl/tools.security.php";
|
||||||
switch ($_GET['form'] ?? '') {
|
switch ($_GET['form'] ?? '') {
|
||||||
case 'save_edit':
|
case 'save_edit':
|
||||||
$username = $_POST['username'] ?? '';
|
$username = Sf($_POST['username'] ?? '');
|
||||||
if (empty($username)) {
|
if (empty($username)) {
|
||||||
die("Nombre de usuario no proporcionado.");
|
die("Nombre de usuario no proporcionado.");
|
||||||
}
|
}
|
||||||
@@ -104,7 +104,7 @@ switch ($_GET['action'] ?? '') {
|
|||||||
break;
|
break;
|
||||||
case 'edit':
|
case 'edit':
|
||||||
require_once "_incl/pre-body.php";
|
require_once "_incl/pre-body.php";
|
||||||
$username = $_GET['user'] ?? '';
|
$username = Sf($_GET['user'] ?? '');
|
||||||
$userdata = json_decode(file_get_contents("/DATA/Usuarios/$username.json"), true);
|
$userdata = json_decode(file_get_contents("/DATA/Usuarios/$username.json"), true);
|
||||||
?>
|
?>
|
||||||
<form method="post" action="?form=save_edit">
|
<form method="post" action="?form=save_edit">
|
||||||
|
|||||||
Reference in New Issue
Block a user