From d69fd38b5c7d1ab7b874231f5c234fb138285cd1 Mon Sep 17 00:00:00 2001
From: Okhin
Date: Thu, 3 Oct 2019 13:04:04 +0200
Subject: [PATCH 1/4] Altering the codepostal column to manage strings not only numbers
---
 ...003105908_code_postaux_alphanumeriques.php | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 db/migrations/20191003105908_code_postaux_alphanumeriques.php
diff --git a/db/migrations/20191003105908_code_postaux_alphanumeriques.php b/db/migrations/20191003105908_code_postaux_alphanumeriques.php
new file mode 100644
index 0000000..8016422
--- /dev/null
+++ b/db/migrations/20191003105908_code_postaux_alphanumeriques.php
@@ -0,0 +1,40 @@
+table('adresses');
+ $adresses->changeColumn('codepostal', 'string', ['limit' => 20])
+ ->update();
+
+ }
+}
-- GitLab
From b92f0d08eaeeacdcc993f3575a6f167c66469531 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20Oudin?=
Date: Mon, 14 Oct 2019 22:11:07 +0200
Subject: [PATCH 2/4] =?UTF-8?q?Mise=20=C3=A0=20jour=20du=20sch=C3=A9ma=20d?= =?UTF-8?q?e=20DB=20pour=20avoir=20des=20valeurs=20par=20d=C3=A9faut?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../20181025132655_add_commentaire.php | 2 +-
 db/schema.sql | 34 +++++++++----------
 2 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/db/migrations/20181025132655_add_commentaire.php b/db/migrations/20181025132655_add_commentaire.php
index 399f153..32adc0c 100644
--- a/db/migrations/20181025132655_add_commentaire.php
+++ b/db/migrations/20181025132655_add_commentaire.php
@@ -28,7 +28,7 @@ class AddCommentaire extends AbstractMigration
 public function change()
 {
 $table = $this->table('contreparties');
- $table->addColumn('commentaire', 'string')
+ $table->addColumn('commentaire', 'string', array('default' => ''))
 ->update();
 }
 }
diff --git a/db/schema.sql b/db/schema.sql
index 7b042a2..6ee4aa7 100644
--- a/db/schema.sql
+++ b/db/schema.sql
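Review bot: `changeColumn('codepostal', 'string', ['limit' => 20])` is not among the operations a Phinx-style `AbstractMigration` can reverse automatically, so if this call sits in a `change()` method (the method header is not visible in this hunk) a rollback will silently leave the column as a string; an explicit `up()`/`down()` pair, or a comment stating the migration is one-way, would make that clear. Widening a numeric column to a 20-character string also changes how existing values compare and sort, so any call site that treats `codepostal` numerically needs checking. Most of this new file is outside the visible part of the hunk.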
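Review bot: Changing the already-applied migration `20181025132655_add_commentaire.php` to pass `array('default' => '')` only affects databases that have not yet run it; every deployment where it has run keeps a `commentaire` column without a default, so the fix belongs in a new migration that alters the column (the `changeColumn`-based file added in patch 1/4 shows the pattern). As a point of style, `array(...)` is the long syntax while the new migration in this series uses `[...]`; `['default' => '']` keeps the two consistent.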
@@ -83,7 +83,7 @@ DROP TABLE IF EXISTS `contreparties`;
 /*!40101 SET character_set_client = utf8 */;
 CREATE TABLE `contreparties` (
 `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
- `datec` datetime NOT NULL,
+ `datec` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
 `user_id` int(10) unsigned NOT NULL,
 `quoi` varchar(255) NOT NULL,
 `taille` int(10) unsigned NOT NULL,
@@ -105,22 +105,22 @@ DROP TABLE IF EXISTS `dons`;
 CREATE TABLE `dons` (
 `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
 `status` tinyint(3) unsigned NOT NULL,
- `datec` datetime NOT NULL,
+ `datec` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
 `somme` int(10) unsigned NOT NULL,
 `lang` varchar(5) CHARACTER SET latin1 NOT NULL DEFAULT 'en_US',
- `cadeau` tinyint(3) unsigned NOT NULL,
- `abo` tinyint(4) NOT NULL,
- `taille` int(10) unsigned NOT NULL,
- `public` int(10) unsigned NOT NULL,
- `pdf` varchar(32) CHARACTER SET latin1 NOT NULL,
- `decimale` int(10) unsigned NOT NULL,
- `datee` datetime NOT NULL,
+ `cadeau` tinyint(3) unsigned NOT NULL DEFAULT 0,
+ `abo` tinyint(4) NOT NULL DEFAULT 0,
+ `taille` int(10) unsigned NOT NULL DEFAULT 0,
+ `public` int(10) unsigned NOT NULL DEFAULT 0,
+ `pdf` varchar(32) CHARACTER SET latin1 NOT NULL DEFAULT '',
+ `decimale` int(10) unsigned NOT NULL DEFAULT 0,
+ `datee` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
 `mailsent` tinyint(4) DEFAULT '0',
 `color` varchar(7) CHARACTER SET latin1 DEFAULT NULL,
- `pi_x` int(11) DEFAULT NULL,
- `pi_y` int(11) DEFAULT NULL,
- `hash` varchar(64) DEFAULT NULL,
- `taille_h` int(10) unsigned NOT NULL,
+ `pi_x` int(11) DEFAULT NULL DEFAULT 0,
+ `pi_y` int(11) DEFAULT NULL DEFAULT 0,
+ `hash` varchar(64) DEFAULT NULL DEFAULT "",
+ `taille_h` int(10) unsigned NOT NULL DEFAULT 0,
 `fdnn_user` bigint(20) NOT NULL DEFAULT '0',
 `color_2` varchar(7) DEFAULT '',
 `cumul` int(11) DEFAULT '0',
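Review bot: In the `dons` hunk, `pi_x`, `pi_y` and `hash` each now carry two DEFAULT clauses (`DEFAULT NULL DEFAULT 0`, `DEFAULT NULL DEFAULT ""`), which leaves the intended default ambiguous and depends on the server tolerating the duplicate; keep a single clause, e.g. `` `pi_x` int(11) DEFAULT 0, ``. The `hash` default here and the `pseudo` default in the `users` hunk (`@@ -193`) use double-quoted literals, which MySQL parses as identifiers when `ANSI_QUOTES` is in `sql_mode`; the rest of the file uses single quotes, so `DEFAULT ''` is the consistent form. The `'0000-00-00 00:00:00'` defaults on `datec`/`datee` in both the `contreparties` and `dons` hunks are rejected when `NO_ZERO_DATE` is active (part of MySQL's strict default `sql_mode` since 5.7), so this dump may no longer load on a current server; making those columns nullable, or using `DEFAULT CURRENT_TIMESTAMP`, avoids that. Since `schema.sql` looks like a generated dump, regenerating it from a migrated database would also catch these inconsistencies.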
@@ -193,13 +193,13 @@ CREATE TABLE `users` (
 `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
 `email` varchar(255) DEFAULT NULL,
 `hash` varchar(64) CHARACTER SET latin1 NOT NULL,
- `total` int(10) unsigned NOT NULL,
- `cumul` int(10) unsigned NOT NULL,
- `pseudo` varchar(255) NOT NULL,
+ `total` int(10) unsigned NOT NULL DEFAULT 0,
+ `cumul` int(10) unsigned NOT NULL DEFAULT 0,
+ `pseudo` varchar(255) NOT NULL DEFAULT "",
 `identifier` varchar(50) DEFAULT NULL,
 `expiration` datetime DEFAULT NULL,
 `status` int(11) DEFAULT NULL,
- `commentaire` text,
+ `commentaire` text DEFAULT '',
 PRIMARY KEY (`id`),
 KEY `email` (`email`)
 ) ENGINE=InnoDB AUTO_INCREMENT=15494 DEFAULT CHARSET=utf8 COMMENT='Les donateurs';
-- GitLab
From cd2461a77e6ba503acb39fb03f501e28a8eba467 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20Oudin?=
Date: Mon, 14 Oct 2019 23:07:43 +0200
Subject: [PATCH 3/4] Fix potential security issue by validating the email structure
---
 app/controller/campaign.php | 10 ++++++++--
 src/LQDN/Exception/InvalidEmailException.php | 7 +++++++
 src/LQDN/Handler/UserHandler.php | 10 ++++++++++
 3 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 src/LQDN/Exception/InvalidEmailException.php
diff --git a/app/controller/campaign.php b/app/controller/campaign.php
index 87508aa..353deda 100644
--- a/app/controller/campaign.php
+++ b/app/controller/campaign.php
@@ -4,6 +4,7 @@ namespace Controller;
 use LQDN\Command\UserUpdateTotalCommand;
 use LQDN\Command\UserCreateCommand;
 use LQDN\Command\DonationCreateCommand;
+use LQDN\Exception\InvalidEmailException;

 class Campaign extends Controller
 {
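Review bot: `` `commentaire` text DEFAULT '' `` is not accepted by MySQL, which refuses a literal default on BLOB/TEXT columns (MariaDB allows it), so if the target is MySQL this `CREATE TABLE` fails at load time; leaving the column as nullable `text` or switching it to a `varchar` with `DEFAULT ''` both avoid that. The migration edited in this same commit adds a default to `contreparties.commentaire`, whereas this hunk changes `users.commentaire`, so the migration history and the dump may now describe different tables; worth confirming against the migration that created `users.commentaire` before merging.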
@@ -122,8 +123,13 @@ class Campaign extends Controller
 $cumul_id = $user['cumul'];
 } else {
 // The user does not exist, so let's create it
- $result = $db->query("INSERT INTO users (pseudo, email, hash)
- VALUES ('".$f3->get('pseudo')."', '$email', '$hash')");
+ try {
+ $f3->get('container')['command_handler']->handle(new UserCreateCommand($email, $hash, $f3->get('pseudo'), 0, 0));
+ } catch (InvalidEmailException $e) {
+ $f3->set("error", _("Email Invalide"));
+ $f3->error("403");
+ }
+
 $user_id = $db->lastInsertId();
 }
 }
diff --git a/src/LQDN/Exception/InvalidEmailException.php b/src/LQDN/Exception/InvalidEmailException.php
new file mode 100644
index 0000000..d24191a
--- /dev/null
+++ b/src/LQDN/Exception/InvalidEmailException.php
@@ -0,0 +1,7 @@ +getEmail()); $this->connection->executeUpdate('UPDATE users SET pseudo = :username, email = :email, commentaire = :comment, cumul = :cumul, total = :total WHERE id = :id', [ 'username' => $command->getUsername(), 'email' => $command->getEmail(),
@@ -42,6 +51,7 @@ class UserHandler
 */
 public function handleUserCreateCommand(UserCreateCommand $command)
 {
+ checkEmail($command->getEmail());
 $this->connection->executeUpdate('INSERT INTO users(email, hash, pseudo, total, cumul) VALUES (:email, :hash, :pseudo, :total, :cumul)', [
 'email'=> $command->getEmail(),
 'hash'=> $command->getHash(),
-- GitLab
From b3af270d57f702eda1f058c7d7d0b5ec7a5dc614 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20Oudin?=
Date: Sat, 19 Oct 2019 11:37:51 +0200
Subject: [PATCH 4/4] Bug fix : cannot create an account at first donation
---
 app/controller/campaign.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controller/campaign.php b/app/controller/campaign.php
index 353deda..8e924e3 100644
--- a/app/controller/campaign.php
+++ b/app/controller/campaign.php
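Review bot: After the `catch (InvalidEmailException $e)` block the method falls through to `$user_id = $db->lastInsertId();` and whatever follows, unless `$f3->error("403")` terminates the request by itself, so a `return;` right after `$f3->error("403");` would make the rejection explicit rather than relying on the framework's error handler. The insert is now executed through the command handler's own connection while the id is read from `$db`; if those are two distinct PDO connections, `lastInsertId()` returns a value unrelated to this insert and the donation is attached to the wrong user, so the handler (or the command) should hand back the new id instead. Replacing the string-built `INSERT` with the parameterised handler is the right direction. The enclosing method starts and continues outside this hunk.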
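Review bot: `checkEmail($command->getEmail());` is an unqualified function call inside a namespaced class method, so PHP resolves it to `LQDN\Handler\checkEmail()` and then to a global `checkEmail()`; if the validator added elsewhere in this file (the diffstat reports ten added lines, most of them outside this view) is a method of `UserHandler`, the call has to be `$this->checkEmail($command->getEmail());`, otherwise user creation fails with an undefined-function error instead of rejecting the address. The same bare call appears in the preceding `handleUserUpdateCommand` hunk, whose header is not visible here. A short docblock on the validator stating what structure is enforced and that it throws `InvalidEmailException` would also document the contract the controller's `catch` depends on.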
@@ -109,7 +109,7 @@ class Campaign extends Controller
 $user = $f3->get('container')['user_finder']->findByEmail(\Utils::asl($email));
- if (count($user) > 0 && is_array($user)) {
+ if (is_array($user) && count($user) > 0) {
 // We have an existing user, we should try to login with the provided password
 // or 403.
 $mapper = new \DB\SQL\Mapper($f3->get('DB'), 'users');
-- GitLab
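Review bot: Evaluating `is_array($user)` before `count($user)` avoids calling `count()` on a non-array (a `TypeError` on PHP 8), but the controller is still guessing at what `findByEmail()` returns when no row matches; a clearer contract is for the finder to return `?array` and the condition to become `if ($user !== null) {`. The address is also run through `\Utils::asl()` before the lookup; if the finder binds its parameter (as `UserHandler::handleUserCreateCommand` does in this series) that pre-escaping is redundant and can make a lookup miss for addresses containing characters the helper escapes, sending an existing donor down the account-creation path — worth confirming against the finder's implementation. The enclosing method starts and continues outside this hunk.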