Import changes from old fork (#1127)

* 7ba3090: Fix users being able to see real names and pictures in seatmap in certain circumstances

* c4e1af7: Allow quick party switching in internet mode for admins (and refactored to use Database class)

* 9f4be4c: Added function to get participation information for a user

...and simplified/refactored some other code

* 7bd489e: Add function for text variable replacements

...plus some cache invalidation improvements

* intermediate documentation improvements

* c8cc193: Integrate variable replacement into info2

* Testing and fixing of replacement functionality

* Add username as variable for replacement

* Added documentation

* ...and changelog

* Fix SonarCloud findings

* <PSYCHOP@TH> -specifc fix for character handling

* faq: Fix for admin link related warnings

* Added ability for admins to view disabled info pages, removed girocode comitted too early

* fixed transfer error, added documentation

* Removed unused config option, documented the rest

* Removed item %TEST% from Auto-replace

* Update Info2.md

Fixed spelling mistake, added some more description

CHANGELOG.md

@@ -49,8 +49,10 @@ We could not reconstruct _all_ changes, but we tried our best to make the most o
 - [Installation] Added database value User@Server into MySQL error message
 - [Installation] Added check for incompatible SQL Modes to the first installation page
 - [Installation] If there is no `config.php` file available during installation, create it during setup from the default config
+- [Info2] Added ability to replace variables in info texts and to see disabled info pages for admins
 - [Discord] Introduced a new module to manage Discord Servers
 - [Party] Add information `Gesamt` in the Party box to show how many people can sign up for a party
+- [Party] Added ability to switch party in internet system for admins
 - [Birthday] New module to show users birthdays
 - [Hall of fame] New module to present all tournament winners in a Hall of Fame
 - [Server] Added Voice as server type

inc/Classes/Display.php

@@ -1278,9 +1278,11 @@ public function FetchIcon($picname, $link = '', $hint = null, $target = null, $a
     }
 
     /**
-     * @param int $userid
-     * @param string $username
-     * @return string
+     * Adds user icon and username based on template ls_usericon.htm to output
+     *
+     * @param int $userid The numeric user id to fetch the icon for
+     * @param string $username The username to display, empty if not given
+     * @return string raw html for output
      * @throws \Exception
      * @throws \SmartyException
      */
@@ -1293,7 +1295,7 @@ public function FetchUserIcon($userid, $username = '')
         }
 
         $smarty->assign('userid', $userid);
-        $smarty->assign('username', $username);
+        $smarty->assign('username', htmlspecialchars($username)); // username may contain special characters
         $smarty->assign('hint', t('Benutzerdetails aufrufen'));
 
         if (in_array($userid, $authentication->online_users)) {

inc/Classes/Func.php

@@ -353,7 +353,7 @@ public function AllowHTML($string)
     }
 
     /**
-     * Transforms given input text to HTML-enriched output. 
+     * Transforms given input text to HTML-enriched output.
      * Based on the mode provided, various tags are allowed.
      * These are - to my understanding  - as follows:
      * mode 0: Full BBcode parsing, Smileys
@@ -367,7 +367,7 @@ public function AllowHTML($string)
     public function text2html($string, $mode = 0)
     {
         global $db, $database;
-        
+
         if ($mode == 0)
         {
             $parser = new \Youthweb\BBCodeParser\Manager();
@@ -612,7 +612,7 @@ public function log_event($message, $type = 1, $sort_tag = '', $target_id = '')
 
             $userId = $auth['userid'] ?? 0;
             $entry = $db->qry("
-            INSERT INTO %prefix%log 
+            INSERT INTO %prefix%log
             SET
               userid = %int%,
               description=%string%,
@@ -986,7 +986,7 @@ public function CheckNewPosts($last_change, $table, $entryid, $userid = 0)
             return 1;
         } else {
             $last_read = $database->queryWithOnlyFirstRow('
-            SELECT UNIX_TIMESTAMP(date) AS date 
+            SELECT UNIX_TIMESTAMP(date) AS date
             FROM %prefix%lastread
             WHERE userid = ? AND tab = ? AND entryid = ?', [$userid, $table, $entryid]);
 
@@ -1118,4 +1118,53 @@ public function isModActive($mod, &$caption = '')
 
         return array_key_exists($mod, $this->ActiveModules);
     }
+
+    /**
+     * Searches through a text and replaces occurences of %VARIABLENAME% with their counterpart.
+     * Just has basic stuff required to make information pages more dynamic, more to be added
+     * Be careful that you only expose uncritical commonly visible values or user-specifc information, otherwise this could be used to leak important data.
+     *
+     * @param string $text The text to replace placeholders in
+     *
+     * @global array $auth fetches userid for replacement
+     *
+     * @return string The text with placeholders replaced
+     */
+    public function replaceVariables($text) {
+        global $auth;
+
+        //initialize replacement array
+        $placeholderNames = [];
+        $replacementValues = [];
+
+        if (array_key_exists('userid', $auth)) {
+            $placeholderNames []= '%USERID%';
+            $replacementValues []= $auth['userid'];
+        }
+
+        if (array_key_exists('username', $auth)) {
+            $placeholderNames []= '%USERNAME%';
+            $replacementValues []= $auth['username'];
+        }
+
+        if (array_key_exists('party_id', $_SESSION)) {
+            $placeholderNames []= '%PARTYID%';
+            $replacementValues []= $_SESSION['party_id'];
+        }
+
+
+        //fetch partyprice...
+        $party = new \LanSuite\Module\Party\Party();
+        $entrancedata = $party->GetUserParticipationData();
+        if ($entrancedata) {
+            $placeholderNames []= '%PARTYPRICEID%';
+            $replacementValues []= $entrancedata['price_id'];
+            $placeholderNames []= '%PARTYPRICETEXT%';
+            $replacementValues []= $entrancedata['price_text'];
+            $placeholderNames []= '%PARTYPRICEVALUE%';
+            $replacementValues []= $entrancedata['price'];
+        }
+
+        return str_replace($placeholderNames, $replacementValues, $text);
+    }
 }

modules/faq/show.php

@@ -2,24 +2,28 @@
 $get_cat = $db->qry("SELECT catid, name FROM %prefix%faq_cat ORDER BY name");
 $count_cat = $db->num_rows($get_cat);
 
+$admin_link = '';
+
 if ($count_cat == 0) {
     $func->information(t('Keine Einträge vorhanden.'), "index.php?mod=home");
 } else {
     $dsp->NewContent(t('FAQ'), t('Auf dieser Seite siehst du häufig gestellte Fragen und deren Antworten'));
 
     while ($row = $db->fetch_array($get_cat)) {
         if ($auth['type'] > \LS_AUTH_TYPE_ADMIN) {
-            $admin_link = $dsp->FetchIcon('delete', 'index.php?mod=faq&object=item&action=delete_cat&catid=' . $row["catid"] . '&step=2');
+            $admin_link .= $dsp->FetchIcon('delete', 'index.php?mod=faq&object=item&action=delete_cat&catid=' . $row["catid"] . '&step=2');
         }
         if ($auth['type'] > \LS_AUTH_TYPE_USER) {
             $admin_link .= $dsp->FetchIcon('edit', 'index.php?mod=faq&object=cat&action=change_cat&catid=' . $row["catid"] . '&step=2');
         }
+
         $dsp->AddFieldsetStart($admin_link . $row["name"]);
 
         $get_item = $db->qry("SELECT caption,itemid FROM %prefix%faq_item WHERE catid = %int% ORDER BY caption", $row['catid']);
+        $admin_link = '';
         while ($row = $db->fetch_array($get_item)) {
             if ($auth['type'] > \LS_AUTH_TYPE_ADMIN) {
-                $admin_link = $dsp->FetchIcon('delete', 'index.php?mod=faq&object=item&action=delete_item&itemid=' . $row["itemid"] . '&step=2');
+                $admin_link .= $dsp->FetchIcon('delete', 'index.php?mod=faq&object=item&action=delete_item&itemid=' . $row["itemid"] . '&step=2');
             }
             if ($auth['type'] > \LS_AUTH_TYPE_USER) {
                 $admin_link .= $dsp->FetchIcon('edit', 'index.php?mod=faq&object=cat&action=change_item&itemid=' . $row["itemid"] . '&step=2');

modules/info2/mod_settings/config.xml

@@ -5,12 +5,6 @@
       <name>Allgemein</name>
     </head>
     <items>
-    	<item>
-    		<name>info2_toolbar</name>
-    		<type>boolean</type>
-    		<default>1</default>
-    		<description>Erweiterte Toolbar</description>
-    	</item>
     	<item>
     		<name>info2_use_fckedit</name>
     		<type>boolean</type>

modules/info2/show.php

@@ -18,16 +18,19 @@
     $dsp->NewContent("{$info["caption$val"]}", $info["shorttext$val"]);
     $framework->addToPageTitle($info["caption$val"]);
 
-    if ($info['active'] == 1) {
+    if ($info['active'] == 1 || $auth['type'] > \LS_AUTH_TYPE_USER) {
         if ($info["text$val"] == null) {
             $func->information(t("Es liegen Informationen zu der ausgewählten Seite vor, jedoch nicht in deiner aktuell gewählten Sprache: <b>%1</b>", $language));
         } else {
-            $dsp->AddSingleRow($func->AllowHTML($info["text$val"]), '', 'textContent');
+            $dsp->AddSingleRow($func->replaceVariables($func->AllowHTML($info["text$val"]), '', 'textContent'));
+            if (!$info['active']) {
+                $func->information(t('Diese Info-Seite ist nicht aktiviert. Ein Admin muss sie zuerst im Info-Modul aktivieren'));
+            }
         }
     } else {
         $func->error(t('Diese Info-Seite ist nicht aktiviert. Ein Admin muss sie zuerst im Info-Modul aktivieren'));
     }
-    
+
     // Show edit/aktivate Buttons
     // TODO add delete
     if ($auth['type'] > \LS_AUTH_TYPE_USER) {

modules/party/Classes/Party.php

@@ -21,7 +21,7 @@ class Party
 
     public function __construct($party_id = null)
     {
-        global $cfg, $db, $database, $request;
+        global $cfg, $database, $request;
 
         $setPartyIDGETParameter = $request->query->get('set_party_id');
         $setPartyIDPOSTParameter = $request->request->get('set_party_id');
@@ -48,7 +48,9 @@ public function __construct($party_id = null)
             $this->party_id = $party_id;
         }
 
+        //@TODO: We should not switch the party just because somebody used this class
         $_SESSION['party_id'] = $this->party_id;
+
         $this->UpdatePartyArray();
     }
 
@@ -209,7 +211,7 @@ public function add_user_to_party($user_id, $price_id = "0", $paid = "NULL", $ch
      */
     private function update_user_at_party($user_id, $paid, $price_id = "0", $checkin = "0", $checkout = "0", $seatcontrol = "NULL")
     {
-        global $db, $database, $func;
+        global $cache, $db, $database, $func;
         $timestamp = time();
 
         if ($checkin == "1") {
@@ -247,6 +249,9 @@ private function update_user_at_party($user_id, $paid, $price_id = "0", $checkin
         $msg = str_replace("%PARTY%", $this->party_id, str_replace("%ID%", $user_id, str_replace("%PIRCEID%", $price_id, str_replace("%SEATCONTROL%", $seatcontrol, str_replace("%CHECKOUT%", $checkout, str_replace("%CHECKIN%", $checkin, str_replace("%PAID%", $paid, t('Die Anmeldung von %ID% bei der Party %PARTY% wurde geändert. Neu: Bezahlt = %PAID%, Checkin = %CHECKIN%, Checkout = %CHECKOUT%, Pfand = %SEATCONTROL%, Preisid = %PIRCEID%'))))))));
         $func->log_event($msg, 1);
         $db->qry('UPDATE %prefix%party_user SET %plain%', $query);
+
+        // reset cached party statistics
+        $cache->delete('party.guestcount.' . $this->party_id);
     }
 
     /**
@@ -258,7 +263,7 @@ private function update_user_at_party($user_id, $paid, $price_id = "0", $checkin
     public function delete_user_from_party($user_id)
     {
         $checkin = null;
-        global $db, $database, $cfg;
+        global $cache, $database, $cfg;
 
         $timestamp = time();
         if ($checkin == "1" || $cfg["signon_autocheckin"] == "1") {
@@ -267,11 +272,14 @@ public function delete_user_from_party($user_id)
             $checkin = "0";
         }
 
-        $db->qry("
+        $database->query("
           DELETE FROM %prefix%party_user
           WHERE
-            user_id = %int%
-            AND party_id = %int%", $user_id, $this->party_id);
+            user_id = ?
+            AND party_id = ?", [$user_id, $this->party_id]);
+
+        // reset cached party statistics
+        $cache->delete('party.guestcount.' . $this->party_id);
     }
 
     /**
@@ -339,7 +347,7 @@ public function get_user_group_dropdown($group_id = "NULL", $nogroub = 0, $selec
      * @param string $select_opts
      * @return void
      */
-    public function add_user_group($group, $description, $selection, $select_opts)
+    public function addUsergroup($group, $description, $selection, $select_opts)
     {
         global $db, $database;
 
@@ -355,25 +363,26 @@ public function add_user_group($group, $description, $selection, $select_opts)
     /**
      * Change a user group
      *
-     * @param int $group_id
-     * @param string $group
-     * @param string $description
+     * @param int $groupId Id of the user group to change
+     * @param string $groupName The (new) name of the group
+     * @param string $description Description of the group
      * @param string $selection
      * @param string $select_opts
      * @return void
      */
-    public function update_user_group($group_id, $group, $description, $selection, $select_opts)
+    public function updateUserGroup($groupId, $groupName, $description, $selection, $select_opts)
     {
-        global $db, $database;
+        global $database;
 
-        $db->qry("
+        $database->query("
           UPDATE %prefix%party_usergroups
           SET
-            group_name = %string%,
-            description = %string%,
-            selection = %string%,
-            select_opts = %string%
-          WHERE group_id = %int%", $group, $description, $selection, $select_opts, $group_id);
+            group_name = ?,
+            description = ?,
+            selection = ?,
+            select_opts = ?
+          WHERE group_id = ?", [$groupName, $description, $selection, $select_opts, $groupId]
+        );
     }
 
     /**
@@ -390,37 +399,51 @@ public function delete_usergroups($del_group, $set_group)
         $database->query("UPDATE %prefix%user SET group_id = ? WHERE group_id = ?", [$set_group, $del_group]);
         $database->query("DELETE FROM %prefix%party_usergroups WHERE group_id = ?", [$del_group]);
     }
-    
+
     /**
      * Returns the amount of users registered for a party.
-     * 
-     * @param int $party_id The ID of the party to calculate this for
+     *
+     * @param int $partyId The ID of the party to calculate this for (uses object value otherwise)
+     * @param
      * @return array Result array with elements "qty" and "paid"
     */
-    public function getGuestQty($party_id = NULL)
+    public function getGuestQty($partyId = null, $showOrga = null)
     {
-        $cfg = [];
-        $db = null;
-        global $cache;
-
-        if (empty($party_id)) {
-            $party_id = $this->party_id;
-        }
-
-        $partyCache = $cache->getItem('party.guestcount.' . $party_id);
+        global $cfg, $cache, $database;
+
+        $partyIdParameter = $partyId ?? $this->party_id;
+        $showOrgaParameter = $showOrga ?? $cfg["guestlist_showorga"];
+
+        $partyCache = $cache->getItem('party.guestcount.' . $partyIdParameter);
         if (!$partyCache->isHit()) {
-            // Fetch in one query
-            if ($cfg["guestlist_showorga"] == 0) {
-                $querytype = "type = 1";
-            } else {
+            // Include Admins or not
+            if ($showOrgaParameter) {
                 $querytype = "type >= 1";
+            } else {
+                $querytype = "type = 1";
             }
             // Fetch amounts from DB
-            $countQry = $db->qry('SELECT COUNT(*) as qty, party.paid as paid FROM %prefix%user as user LEFT JOIN %prefix%party_user as party ON user.userid = party.user_id WHERE party_id=%int% AND (%plain%) GROUP BY paid ORDER BY paid DESC;');
-            while ($guestCounts = $countQry->fetch_array()){}
+            $guestCounts = $database->queryWithOnlyFirstRow('SELECT COUNT(*) as qty, party.paid as paid FROM %prefix%user as user LEFT JOIN %prefix%party_user as party ON user.userid = party.user_id WHERE party_id= ? AND ' . $querytype . ' GROUP BY paid ORDER BY paid DESC;', [$partyIdParameter]);
             $partyCache->set($guestCounts);
             $cache->save($partyCache);
         }
         return $partyCache->get();
     }
+
+    /**
+     * Get details about this users participation at the party.
+     * Most prominently the name and price of the entrance ticket
+     *
+     * @param int|null $userId The userid to look the status up for
+     *
+     * @return array Array with party & Price information
+     */
+    public function getUserParticipationData(int|null $userId = null) : array
+    {
+        global $database, $auth;
+
+        $userIdParameter = $userId ?? $auth['userid'];
+        return $database->queryWithOnlyFirstRow("SELECT * FROM %prefix%party_user AS pu LEFT JOIN %prefix%party_prices AS price ON price.price_id=pu.price_id WHERE user_id= ? and pu.party_id =?", [$userIdParameter, $this->party_id]) ?? [];
+    }
+
 }