From 47b09aee9cf9daf2f2a3f2d3590b20839024499a Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Sat, 15 Apr 2017 12:04:02 +0200 Subject: [PATCH] Add code from real production environment This commit uses the code running on webmail.cacert.org:/var/www/board --- database.php | 10 ++-- motion.php | 130 +++++++++++++++++++++++++++++++++++++-------------- motions.php | 33 ++++++------- proxy.php | 2 +- 4 files changed, 115 insertions(+), 60 deletions(-) diff --git a/database.php b/database.php index e226c5a..1f43049 100644 --- a/database.php +++ b/database.php 
@@ -1,15 +1,15 @@ dbh = new PDO("sqlite:".dirname(__FILE__)."/database.sqlite"); $this->statement = array(); - $this->statement['list decisions'] = $this->dbh->prepare("SELECT decisions.id AS id, decisions.tag AS tag, voters.name AS proposer, decisions.proponent, decisions.proposed, decisions.title, decisions.content, decisions.votetype, decisions.status, decisions.due, decisions.modified, (SELECT COUNT(*) FROM votes WHERE decision=decisions.id AND vote=1) AS ayes, (SELECT COUNT(*) FROM votes WHERE decision=decisions.id AND vote=-1) AS nayes, (SELECT COUNT(*) FROM votes WHERE decision=decisions.id AND vote=0) AS abstains FROM decisions, voters WHERE decisions.proponent=voters.id ORDER BY proposed DESC LIMIT 10 OFFSET 10 * (:page - 1);"); - $this->statement['list my unvoted decisions'] = $this->dbh->prepare("SELECT * FROM (SELECT decisions.id AS id, decisions.tag AS tag, voters.name AS proposer, decisions.proponent AS proponent, decisions.proposed AS proposed, decisions.title AS title, decisions.content AS content, decisions.votetype AS votetype, decisions.status AS status, decisions.due AS due, decisions.modified AS modified,(SELECT COUNT(*) AS ayes FROM votes WHERE decision=decisions.id AND vote=1), (SELECT COUNT(*) AS nayes FROM votes WHERE decision=decisions.id AND vote=-1), (SELECT COUNT(*) AS abstains FROM votes WHERE decision=decisions.id AND vote=0) FROM decisions, voters WHERE decisions.proponent=voters.id AND decisions.status=0) WHERE NOT EXISTS (SELECT vote FROM votes WHERE votes.decision=id AND votes.voter=:id) ORDER BY proposed DESC LIMIT 10 OFFSET 10 * (:page - 1);"); - $this->statement['list decision'] = $this->dbh->prepare("SELECT decisions.id AS id, decisions.tag AS tag, voters.name AS proposer, decisions.proponent, decisions.proposed, decisions.title, decisions.content, decisions.votetype, decisions.status, decisions.due, decisions.modified, (SELECT COUNT(*) FROM votes WHERE decision=decisions.id AND vote=1) AS ayes, (SELECT COUNT(*) FROM votes 
WHERE decision=decisions.id AND vote=-1) AS nayes, (SELECT COUNT(*) FROM votes WHERE decision=decisions.id AND vote=0) AS abstains FROM decisions, voters WHERE decisions.proponent=voters.id AND decisions.tag=:id ORDER BY proposed DESC;"); - $this->statement['closed decisions'] = $this->dbh->prepare("SELECT decisions.id, decisions.tag, voters.name AS proposer, decisions.proponent, decisions.proposed, decisions.title, decisions.content, decisions.votetype, decisions.status, decisions.due, decisions.modified, (SELECT COUNT(*) FROM votes WHERE decision=decisions.id AND vote=1) AS ayes, (SELECT COUNT(*) FROM votes WHERE decision=decisions.id AND vote=-1) AS nayes, (SELECT COUNT(*) FROM votes WHERE decision=decisions.id AND vote=0) AS abstains FROM decisions, voters WHERE decisions.proponent=voters.id AND decisions.status=0 AND datetime('now','utc') > datetime(due);"); + $this->statement['list decisions'] = $this->dbh->prepare("SELECT decisions.id AS id, decisions.tag AS tag, voters.name AS proposer, decisions.proposed, decisions.title, decisions.content, decisions.votetype, decisions.status, decisions.due, decisions.modified, (SELECT COUNT(*) FROM votes WHERE decision=decisions.id AND vote=1) AS ayes, (SELECT COUNT(*) FROM votes WHERE decision=decisions.id AND vote=-1) AS nayes, (SELECT COUNT(*) FROM votes WHERE decision=decisions.id AND vote=0) AS abstains FROM decisions, voters WHERE decisions.proponent=voters.id ORDER BY proposed DESC LIMIT 10 OFFSET 10 * (:page - 1);"); + $this->statement['list my unvoted decisions'] = $this->dbh->prepare("SELECT * FROM (SELECT decisions.id AS id, decisions.tag AS tag, voters.name AS proposer,decisions.proposed AS proposed, decisions.title AS title, decisions.content AS content, decisions.votetype AS votetype, decisions.status AS status, decisions.due AS due, decisions.modified AS modified,(SELECT COUNT(*) AS ayes FROM votes WHERE decision=decisions.id AND vote=1), (SELECT COUNT(*) AS nayes FROM votes WHERE decision=decisions.id AND 
vote=-1), (SELECT COUNT(*) AS abstains FROM votes WHERE decision=decisions.id AND vote=0) FROM decisions, voters WHERE decisions.proponent=voters.id AND decisions.status=0) WHERE NOT EXISTS (SELECT vote FROM votes WHERE votes.decision=id AND votes.voter=:id) ORDER BY proposed DESC LIMIT 10 OFFSET 10 * (:page - 1);"); + $this->statement['list decision'] = $this->dbh->prepare("SELECT decisions.id AS id, decisions.tag AS tag, voters.name AS proposer, decisions.proposed, decisions.title, decisions.content, decisions.votetype, decisions.status, decisions.due, decisions.modified, (SELECT COUNT(*) FROM votes WHERE decision=decisions.id AND vote=1) AS ayes, (SELECT COUNT(*) FROM votes WHERE decision=decisions.id AND vote=-1) AS nayes, (SELECT COUNT(*) FROM votes WHERE decision=decisions.id AND vote=0) AS abstains FROM decisions, voters WHERE decisions.proponent=voters.id AND decisions.tag=:id ORDER BY proposed DESC;"); + $this->statement['closed decisions'] = $this->dbh->prepare("SELECT decisions.id, decisions.tag, voters.name AS proposer, decisions.proposed, decisions.title, decisions.content, decisions.votetype, decisions.status, decisions.due, decisions.modified, (SELECT COUNT(*) FROM votes WHERE decision=decisions.id AND vote=1) AS ayes, (SELECT COUNT(*) FROM votes WHERE decision=decisions.id AND vote=-1) AS nayes, (SELECT COUNT(*) FROM votes WHERE decision=decisions.id AND vote=0) AS abstains FROM decisions, voters WHERE decisions.proponent=voters.id AND decisions.status=0 AND datetime('now','utc') > datetime(due);"); $this->statement['get decision'] = $this->dbh->prepare("SELECT decisions.id, decisions.tag, decisions.proponent, voters.name AS proposer, decisions.proposed, decisions.title, decisions.content, decisions.votetype, decisions.status, decisions.due, decisions.modified, (SELECT COUNT(*) FROM votes WHERE decision=decisions.id AND vote=1) AS ayes, (SELECT COUNT(*) FROM votes WHERE decision=decisions.id AND vote=-1) AS nayes, (SELECT COUNT(*) FROM votes WHERE 
decision=decisions.id AND vote=0) AS abstains FROM decisions, voters WHERE decisions.proponent=voters.id AND decisions.id=:decision;"); $this->statement['get new decision'] = $this->dbh->prepare("SELECT decisions.id, decisions.tag, decisions.proponent, voters.name AS proposer, decisions.proposed, decisions.title, decisions.content, decisions.votetype, decisions.status, decisions.due, decisions.modified, (SELECT COUNT(*) FROM votes WHERE decision=decisions.id AND vote=1) AS ayes, (SELECT COUNT(*) FROM votes WHERE decision=decisions.id AND vote=-1) AS nayes, (SELECT COUNT(*) FROM votes WHERE decision=decisions.id AND vote=0) AS abstains FROM decisions, voters WHERE decisions.proponent=voters.id AND decisions.id=last_insert_rowid();"); $this->statement['get voter'] = $this->dbh->prepare("SELECT voters.id, voters.name FROM voters, emails WHERE voters.id=emails.voter AND emails.address=? AND voters.enabled=1"); diff --git a/motion.php b/motion.php index 536de03..2dec354 100644 --- a/motion.php +++ b/motion.php @@ -23,30 +23,91 @@ getStatement("create decision"); - $stmt->bindParam(":proponent",$user['id']); - $stmt->bindParam(":title",$_POST['title']); - $stmt->bindParam(":content",$_POST['content']); - $stmt->bindParam(":votetype",$_POST['votetype']); - $stmt->bindParam(":due",$_POST['due']); - if ($stmt->execute()) { - ?> - The motion has been proposed!
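Review bot: The four rewritten list statements (`list decisions`, `list my unvoted decisions`, `list decision`, `closed decisions`) drop `decisions.proponent` from their select lists while `get decision` and `get new decision` keep it, so any caller that reads `$row['proponent']` from a list result, for example to decide whether the current voter may modify or withdraw a motion, now gets null and a `!=` comparison against `$user['id']` fails open instead of failing closed. If the column is genuinely unused that is fine, but it should be confirmed against motions.php, which this same commit also changes to stop comparing the proponent before a withdrawal. The binding style in this constructor is mixed as well: the list statements use named `:page`/`:id` placeholders while `get voter` uses a positional `?`, and the `getStatement()` callers in motion.php mirror that inconsistency; one convention would make misuse easier to spot. Separately, and unchanged here, the database is opened from `dirname(__FILE__)."/database.sqlite"`, i.e. next to the PHP files inside the web root named in the commit message, so the web server must be configured to refuse to serve that file directly.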
- Back to motions
-
-
- getStatement("get new decision")->execute()?$db->getStatement("get new decision")->fetch():array(); - $name = $user['name']; - $tag = $decision['tag']; - $title = $decision['title']; - $content =$decision['content']; - $due = $decision['due']." UTC"; - $votetype = !$decision['votetype'] ? 'motion' : 'veto'; - $baseurl = "https://".$_SERVER['HTTP_HOST'].":".$_SERVER['SERVER_PORT'].preg_replace('/motion\.php/','',$_SERVER['REQUEST_URI']); - $voteurl = $baseurl."vote.php?motion=".$decision['id']; - $unvoted = $baseurl."motions.php?unvoted=1"; - $body = <<getStatement("update decision"); + $stmt->bindParam(":id",$_POST['motion']); + $stmt->bindParam(":proponent",$user['id']); + $stmt->bindParam(":title",$_POST['title']); + $stmt->bindParam(":content",$_POST['content']); + $stmt->bindParam(":due",$_POST['due']); + $stmt->bindParam(":votetype",$_POST['votetype']); + if ($stmt->execute()) { + ?> + The motion has been proposed!
+ Back to motions
+
+
+ getStatement("get decision")->execute(array($_POST['motion']))?$db->getStatement("get decision")->fetch():array(); + $name = $user['name']; + $tag = $decision['tag']; + $title = $decision['title']; + $content =$decision['content']; + $due = $decision['due']." UTC"; + $votetype = !$decision['votetype'] ? 'motion' : 'veto'; + $baseurl = "https://".$_SERVER['HTTP_HOST'].":".$_SERVER['SERVER_PORT'].preg_replace('/motion\.php/','',$_SERVER['REQUEST_URI']); + $voteurl = $baseurl."vote.php?motion=".$decision['id']; + $unvoted = $baseurl."motions.php?unvoted=1"; + $body = <<notify("Re: $tag - $title - modified",$body,$tag); + } else { + ?> + The motion has NOT been proposed!
+ Back to motions
+ \n",$stmt->errorInfo()); ?>
+
+
+ getStatement("create decision"); + $stmt->bindParam(":proponent",$user['id']); + $stmt->bindParam(":title",$_POST['title']); + $stmt->bindParam(":content",$_POST['content']); + $stmt->bindParam(":votetype",$_POST['votetype']); + $stmt->bindParam(":due",$_POST['due']); + if ($stmt->execute()) { + ?> + The motion has been proposed!
+ Back to motions
+
+
+ getStatement("get new decision")->execute()?$db->getStatement("get new decision")->fetch():array(); + $name = $user['name']; + $tag = $decision['tag']; + $title = $decision['title']; + $content =$decision['content']; + $due = $decision['due']." UTC"; + $votetype = !$decision['votetype'] ? 'motion' : 'veto'; + $baseurl = "https://".$_SERVER['HTTP_HOST'].":".$_SERVER['SERVER_PORT'].preg_replace('/motion\.php/','',$_SERVER['REQUEST_URI']); + $voteurl = $baseurl."vote.php?motion=".$decision['id']; + $unvoted = $baseurl."motions.php?unvoted=1"; + $body = <<notify("$tag - $title",$body,$tag,TRUE); - } else { - ?> - The motion has NOT been proposed!
- Back to motions
- \n",$stmt->errorInfo()); ?>
-
-
- notify("$tag - $title",$body,$tag,TRUE); + } else { + ?> + The motion has NOT been proposed!
+ Back to motions
+ \n",$stmt->errorInfo()); ?>
+
+
+ getStatement("get decision"); if ($stmt->execute(array($_REQUEST['motion']))) { diff --git a/motions.php b/motions.php index b508385..548731f 100644 --- a/motions.php +++ b/motions.php @@ -5,21 +5,19 @@ $user = $db->auth(); if ($_REQUEST['withdrawl'] && $_REQUEST['confirm'] && $_REQUEST['id']) { - $stmt = $db->getStatement("get decision"); - $stmt->bindParam(":decision",$_REQUEST['id']); - $stmt->execute(); - $decision=$stmt->fetch(); - - if (!$decision || !$user || $user['id'] != $decision['proponent']) { + if (!$user) { header("HTTP/1.0 302 Redirect"); header("Location: denied.php"); exit(); } - $name = $user['name']; - $tag = $decision['tag']; - $title = $decision['title']; - $content = $decision['content']; - $body = <<getStatement("get decision"); + $stmt->bindParam(":decision",$_REQUEST['id']); + if ($stmt->execute() && ($decision=$stmt->fetch())) { + $name = $user['name']; + $tag = $decision['tag']; + $title = $decision['title']; + $content = $decision['content']; + $body = <<notify("Re: $tag - $title - withdrawn",$body,$tag); - + $db->notify("Re: $tag - $title - withdrawn",$body,$tag); + } $stmt = $db->getStatement("close decision"); $status = -2; $stmt->bindParam(":status",$status); @@ -117,13 +115,8 @@ BODY;
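Review bot: The new `update decision` branch binds `:id` straight from `$_POST['motion']` and `:proponent` from `$user['id']` without checking that the current user proposed that motion, so unless the `update decision` SQL in database.php (outside this hunk) restricts its WHERE clause with `proponent=:proponent`, any authenticated voter can rewrite the title, content, due date and vote type of any motion and become its proponent in the same statement. The `get decision` fetch this branch already performs for the notification should run before the update and act as the guard, mirroring the check this commit removes from motions.php: `if (!$decision || $decision['proponent'] != $user['id']) { header("Location: denied.php"); exit(); }`. Both branches also build `$baseurl` from `$_SERVER['HTTP_HOST']`, so the `$voteurl` and `$unvoted` links mailed to voters follow whatever Host header the request carried; a configured canonical base URL would be safer. The failure paths echo `implode("<br>\n",$stmt->errorInfo())` to the browser, which exposes driver error details that belong in a server-side log. The `if` that selects the update versus create branch appears to begin before this hunk (the `$stmt = $db->` prefix of the first line is not visible), so the exact placement of the guard should be checked in the file.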
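Review bot: The withdrawal path now only requires a logged-in user: the old `$user['id'] != $decision['proponent']` comparison is gone, the redirect to denied.php fires only on `!$user`, and the `close decision` statement that follows is executed even when the `get decision` fetch returns no row, so unless `close decision` itself filters on the proponent in database.php (not in this hunk) any authenticated voter can set status -2 on whatever motion id arrives in `$_REQUEST['id']`. The fetch block is the natural place to restore the guard before both the notification and the close: `if (!$stmt->execute() || !($decision = $stmt->fetch()) || $decision['proponent'] != $user['id']) { header("Location: denied.php"); exit(); }`. Because the trigger is read from `$_REQUEST`, a plain GET link is enough to perform the withdrawal, which also leaves it open to cross-site request forgery; requiring POST plus a per-session token would close that. The `close decision` bindings continue past the end of this hunk.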
  • Abstain
  • Naye
  • Proxy Vote
  • - -
  • Withdraw
  • - +
  • Modify
  • +
  • Withdrawl
  • notify("Re: $tag - $title",$body,$tag); + $db->vote_notify("Re: $tag - $title",$body,$tag); } else { ?> The vote has NOT been registered.