From a058ffa29f619f07ccc25bcffb061174ed3e9851 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?N=C3=A9munaire?= <nemunaire@pomail.fr>
Date: Sat, 9 Jun 2012 23:52:45 +0200
Subject: [PATCH] Change the question id after confirmation (protect again
 validation by sender)

---
 Question.class.php     |  6 ++++++
 confirmation.php       | 46 +++++++++++++++++-------------------------
 thanksConfirmation.php | 29 ++++++--------------------
 3 files changed, 30 insertions(+), 51 deletions(-)

diff --git a/Question.class.php b/Question.class.php
index cb20878..8606b5f 100644
--- a/Question.class.php
+++ b/Question.class.php
@@ -50,9 +50,15 @@ class Question
     return $q;
   }
 
+  public function regen_id()
+  {
+    $this->id = md5(time().$this->question.$this->validator);
+  }
+
   public function set_validator($val)
   {
     $this->validator = $val;
+    $this->regen_id();
   }
 
   public function get_validator()
diff --git a/confirmation.php b/confirmation.php
index 7fe2391..75ec2b8 100644
--- a/confirmation.php
+++ b/confirmation.php
@@ -1,32 +1,25 @@
-<!DOCTYPE html>
+<?php
 
- <?php
 include("Question.class.php");
 include("QuestionsFile.class.php");
 
-
 $id = $_GET['id'];
 
-$file = new QuestionsFile("questions.xml");
-$question = $file->get_question($id);
+$fileQ = new QuestionsFile("questions.xml");
+$question = $fileQ->get_question($id);
 
-if (!$question)
-{
-  echo "Mauvais ID\n";
-}
-else
+if (!empty($question))
 {
   $dest_mail = $question->get_validator();
-  $validationAddress = "/validation.php?id=".$question->getId();
 
 // Uncomment the following part for random email
 
-  while ($dest_mail == $question->get_validator())
+  do
   {
     $file = fopen('email.txt', 'r');
     $number = fgets($file);
 
-    $random = rand(1, $number);
+    $random = rand(1, intval($number));
 
     for ($i = 0; $i < $random; $i++)
     {
@@ -34,11 +27,15 @@ else
     }
     fclose($file);
   }
+  while ($dest_mail == $question->get_validator());
+
+  $question->set_validator($dest_mail);
+  $validationAddress = "/validation.php?id=".$question->getId();
 
 /* This code works, perhaps should be placed in a method in Question class?*/
   $to = $dest_mail;
   $subject = "[Nemubot] Validation d'une question";
-  $headers = "From: Nemubot <bot@nemunai.re>";
+  $headers = "From: Nemubot <bot@nemunai.re>\n";
   $message = "Bonjour,\n"
     ."Une nouvelle question a été proposée à Nemubot.\n\n"
 
@@ -60,22 +57,15 @@ else
 
   if (mail($to, $subject, $message, $headers))
   {
-    echo ("Email sent to: " . $dest_mail);
+    $fileQ->save();
+    header("Location: ./thanksConfirmation.php");
   }
   else
-    echo ("Error with the email");
-
-  header("Location: ./thanksConfirmation.php?id=" . $question->getId());
+    die("Une erreur s'est produite lors de l'envoie du mail");
 }
 //*/
-
+else
+{
+  die("ID de question invalide ou déjà validé.");
+}
 ?>
-
-<html>
-  <head>
-    <meta charset="utf8" />
-  </head>
-
-  <body>
-  </body>
-</html>
\ No newline at end of file
diff --git a/thanksConfirmation.php b/thanksConfirmation.php
index 2400391..d606d58 100644
--- a/thanksConfirmation.php
+++ b/thanksConfirmation.php
@@ -18,30 +18,13 @@
   <section>
   <h2>Merci de votre participation</h2>
   <p>
-  <?php
-   include("Question.class.php");
-include("QuestionsFile.class.php");
-
-$id = $_GET['id'];
-$file = new QuestionsFile("questions.xml");
-$question = $file->get_question($id);
-
-  if (!$question)
-  {
-    echo "La question n'existe pas.";
-  }
-  else
-  {
-    echo ("Votre question a bien été prise en compte.<br/>"
-  ."Un email a été envoyé à une personne du chan pour "
-  ."qu'elle valide votre question."
-  ."</p>
-    <p>
+    Votre question a bien été prise en compte.<br/>
+  Un email a été envoyé à une personne du chan pour 
+  qu'elle valide votre question.
+  </p>
+  <p>
       Nemubot vous remercie de l'aider à agrandir sa base de donnée
-  </p>");
-  }
-  ?>
-
+  </p>
   </section>
   </body>
   </html>