xref: /web-bugs/www/vote.php (revision c73a67a6)
1<?php
2
3use App\Repository\BugRepository;
4use App\Repository\VoteRepository;
5
// Kill switch: execution stops on the next statement, so nothing below it
// runs while voting is disabled.
die('Voting on tickets is disabled');

// Pull in the shared bootstrap.
require_once '../include/prepend.php';

// Every request parameter is cast to int before use, so only integers reach
// the messages and queries further down.
// NOTE(review): no CSRF token or request-method check is visible in this
// file - confirm whether prepend.php enforces one before re-enabling voting.
$id = 0;
if (isset($_POST['id'])) {
    $id = (int) $_POST['id'];
}
if ($id === 0) {
    die('invalid bug id');
}

if (!isset($_POST['score'])) {
    die("missing parameter score");
}
$score = (int) $_POST['score'];
// Accepted scores run from -2 to 2 inclusive.
if (!($score >= -2 && $score <= 2)) {
    die("invalid score: $score");
}

if (!isset($_POST['reproduced'])) {
    die("missing parameter reproduced");
}
// No range check is applied to this value here.
$reproduced = (int) $_POST['reproduced'];

// Optional flags: an absent field is treated as 0.
$samever = 0;
if (isset($_POST['samever'])) {
    $samever = (int) $_POST['samever'];
}
$sameos = 0;
if (isset($_POST['sameos'])) {
    $sameos = (int) $_POST['sameos'];
}

// Unknown bug id: render the error page and stop.
if (!$container->get(BugRepository::class)->exists($id)) {
    session_start();

    // Authenticate before the page header is rendered.
    bugs_authenticate($user, $pw, $logged_in, $user_flags);

    response_header('No such bug.');
    display_bug_error("No such bug #{$id}");
    response_footer();
    exit;
}
39
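/**
 * Pick the client address used to key votes, skipping private (RFC 1918)
 * entries reported in X-Forwarded-For.
 *
 * The header is read left to right and the first entry that is a valid,
 * non-private IPv4 address is returned. If no entry qualifies, or the header
 * is absent, $_SERVER['REMOTE_ADDR'] is returned unchanged.
 *
 * Security note: X-Forwarded-For is supplied by the client unless a trusted
 * reverse proxy overwrites it. The returned value is only as trustworthy as
 * that proxy setup, so any per-IP limit keyed on it does not hold when the
 * header is accepted from arbitrary clients.
 * NOTE(review): confirm the front-end proxy strips or rewrites the header, or
 * honour it only when REMOTE_ADDR is a known proxy.
 *
 * @return string The selected address, or whatever $_SERVER['REMOTE_ADDR']
 *                holds when falling back.
 */
function get_real_ip ()
{
    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // Entries are comma separated; the space after the comma is optional.
        foreach (explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']) as $candidate) {
            $candidate = trim($candidate);

            // filter_var() replaces the eregi() call (removed in PHP 7) and
            // the unanchored dotted-quad pattern. It requires the whole entry
            // to be an IPv4 address and rejects all of 10.0.0.0/8,
            // 172.16.0.0/12 and 192.168.0.0/16, where the old prefix test
            // only covered 172.16.x.x of the /12.
            $isPublicIpv4 = filter_var(
                $candidate,
                FILTER_VALIDATE_IP,
                FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE
            );
            if ($isPublicIpv4 !== false) {
                return $candidate;
            }
        }
    }

    return $_SERVER['REMOTE_ADDR'];
}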
64
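$ip = ip2long(get_real_ip());
// ip2long() returns false for anything that is not a dotted-quad IPv4 string
// (an IPv6 REMOTE_ADDR, for example). Stop here rather than key a vote on it.
if ($ip === false) {
    die('invalid ip address');
}
// TODO: check if ip address has been banned. hopefully this will never need to be implemented.

// Column values shared by the INSERT and the UPDATE below:
//   reproduced = 1 only when $reproduced is exactly 1
//   tried      = 1 unless $reproduced is 2
//   sameos / samever are stored only when $reproduced is non-zero, else NULL
// $reproduced is an int cast of the request field with no range check.
$voteValues = [
    $score,
    ($reproduced == 1 ? "1" : "0"),
    ($reproduced != 2 ? "1" : "0"),
    ($reproduced ? "$sameos" : null),
    ($reproduced ? "$samever" : null),
];

// Check whether the user has already voted on this bug.
// NOTE(review): the lookup and the INSERT are separate statements; presumably
// a unique key on (bug, ip) stops two concurrent requests from both
// inserting - confirm against the schema.
if (empty($container->get(VoteRepository::class)->findOneByIdAndIp($id, $ip))) {
    // If the user vote isn't found, create one. The values are bound as
    // parameters, matching the UPDATE branch, instead of being interpolated
    // into the SQL text.
    $dbh->prepare("
        INSERT INTO bugdb_votes (bug, ip, score, reproduced, tried, sameos, samever)
        VALUES (?, ?, ?, ?, ?, ?, ?)
    ")->execute(array_merge([$id, $ip], $voteValues));

    // redirect to the bug page (which will display the success message)
    redirect("bug.php?id=$id&thanks=6");
} else {
    // As the user has already voted, just update their existing vote.
    $dbh->prepare("UPDATE bugdb_votes
        SET score = ?, reproduced = ? , tried = ?, sameos = ?, samever = ?
        WHERE bug = ? AND ip = ?")
        ->execute(array_merge($voteValues, [$id, $ip]));

    // Let the user know they have already voted and the existing vote will be
    // updated.
    redirect("bug.php?id=$id&thanks=10");
}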
103