Fix for https://bugs.cacert.org/view.php?id=942

(CATS import interface is not fit to handle non-Assurer Challenge tests)

includes/general.php

@@ -38,6 +38,7 @@
 	$_SESSION['_config']['filepath'] = "/www";
 
 	require_once($_SESSION['_config']['filepath']."/includes/mysql.php");
+	require_once($_SESSION['_config']['filepath'].'/includes/lib/account.php');
 
 	if(array_key_exists('HTTP_HOST',$_SERVER) &&
 			$_SERVER['HTTP_HOST'] != $_SESSION['_config']['normalhostname'] &&
@@ -847,19 +848,6 @@
 		$text=preg_replace("/[^\w-.@]/","",$text);
 		return($text);
 	}
-
-	function fix_assurer_flag($userID)
-	{
-		// Update Assurer-Flag on users table if 100 points. Should the number of points be SUM(points) or SUM(awarded)?
-		$query = mysql_query('UPDATE `users` AS `u` SET `assurer` = 1 WHERE `u`.`id` = \''.(int)intval($userID).
-			 '\' AND EXISTS(SELECT 1 FROM `cats_passed` AS `tp`, `cats_variant` AS `cv` WHERE `tp`.`variant_id` = `cv`.`id` AND `cv`.`type_id` = 1 AND `tp`.`user_id` = `u`.`id`)'.
-			 ' AND (SELECT SUM(`points`) FROM `notary` AS `n` WHERE `n`.`to` = `u`.`id` AND `expire` < now()) >= 100'); // Challenge has been passed and non-expired points >= 100
-	 
-		// Reset flag if requirements are not met
-		$query = mysql_query('UPDATE `users` AS `u` SET `assurer` = 0 WHERE `u`.`id` = \''.(int)intval($userID).
-			'\' AND (NOT EXISTS(SELECT 1 FROM `cats_passed` AS `tp`, `cats_variant` AS `cv` WHERE `tp`.`variant_id` = `cv`.`id` AND `cv`.`type_id` = 1 AND `tp`.`user_id` = `u`.`id`)'.
-			 ' OR (SELECT SUM(`points`) FROM `notary` AS `n` WHERE `n`.`to` = `u`.`id` AND `n`.`expire` < now()) < 100)');
-	}
 	
 	// returns 0 if $userID is an Assurer
 	// Otherwise :

includes/lib/account.php

@@ -0,0 +1,51 @@
+<?php
+/*
+    LibreSSL - CAcert web application
+    Copyright (C) 2004-2008  CAcert Inc.
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; version 2 of the License.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+
+function fix_assurer_flag($userID)
+{
+	// Update Assurer-Flag on users table if 100 points.
+	// Should the number of points be SUM(points) or SUM(awarded)?
+	$query = mysql_query('UPDATE `users` AS `u` SET `assurer` = 1 WHERE '.
+		'`u`.`id` = \''.(int)intval($userID).'\' AND '.
+		'EXISTS(SELECT 1 FROM `cats_passed` AS `cp`, `cats_variant` AS `cv` '.
+			'WHERE `cp`.`variant_id` = `cv`.`id` AND `cv`.`type_id` = 1 AND '.
+			'`cp`.`user_id` = `u`.`id`) AND '.
+		'(SELECT SUM(`points`) FROM `notary` AS `n` WHERE `n`.`to` = `u`.`id` '.
+			'AND (`n`.`expire` > now() OR `n`.`expire` IS NULL)) >= 100');
+	// Challenge has been passed and non-expired points >= 100
+	
+	if (!$query) {
+		return false;
+	}
+ 
+	// Reset flag if requirements are not met
+	$query = mysql_query('UPDATE `users` AS `u` SET `assurer` = 0 WHERE '.
+		'`u`.`id` = \''.(int)intval($userID).'\' AND '.
+		'(NOT EXISTS(SELECT 1 FROM `cats_passed` AS `cp`, `cats_variant` AS '.
+			'`cv` WHERE `cp`.`variant_id` = `cv`.`id` AND `cv`.`type_id` = 1 '.
+			'AND `cp`.`user_id` = `u`.`id`) OR '.
+		'(SELECT SUM(`points`) FROM `notary` AS `n` WHERE `n`.`to` = `u`.`id` '.
+			'AND (`n`.`expire` > now() OR `n`.`expire` IS NULL)) < 100)');
+	
+	if (!$query) {
+		return false;
+	}
+	
+	return true;
+}

scripts/assurer.php

@@ -30,7 +30,7 @@
 	$query = "
 select u.email, fname, lname, sum(n.points) from users u, notary n
  where n.to=u.id
-   and not exists(select 1 from cats_passed cp where cp.user_id=u.id)
+   and not EXISTS(SELECT 1 FROM `cats_passed` AS `tp`, `cats_variant` AS `cv` WHERE `tp`.`variant_id` = `cv`.`id` AND `cv`.`type_id` = 1 AND `tp`.`user_id` = `u`.`id`)
    and exists(select 1 from notary n2 where n2.from=u.id and year(n2.`when`)>2007)
    and (select count(*) from notary n3 where n3.from=u.id) > 1
  group by email, fname, lname

www/cats/cats_import.php

@@ -24,6 +24,8 @@
    API for CATS to import passed tests into main CAcert database.
 */
 
+require_once('../../includes/lib/account.php');
+
 function sanitize_string($buffer) {
  return htmlentities(utf8_decode($buffer), (int)ENQ_QUOTES);
 }
@@ -154,8 +156,7 @@ if (!$query) {
 }
 
 // Update Assurer-Flag on users table if 100 points. Should the number of points be SUM(points) or SUM(awarded)?
-$query = mysql_query('UPDATE `users` AS `u` SET `assurer` = 1 WHERE `u`.`id` = \''.(int)intval($userID).'\' AND EXISTS(SELECT 1 FROM `cats_passed` AS `tp` WHERE `tp`.`user_id` = `u`.`id`) AND (SELECT SUM(`points`) FROM `notary` AS `n` WHERE `n`.`to` = `u`.`id` AND `expire` < now()) >= 100;'); // Challenge has been passed and non-expired points >= 100
+if (!fix_assurer_flag($userID)) {
-if (!$query) {
   echo 'Invalid query'."\r\n";
   trigger_error('Invalid query', E_USER_ERROR);
   exit();