From c68de86c6dd9bffeb9fe7037b9866907fd454e9f Mon Sep 17 00:00:00 2001 From: Wytze van der Raay Date: Wed, 15 Jan 2014 15:55:29 +0000 Subject: [PATCH] Fix for https://bugs.cacert.org/view.php?id=1137 "Record the CCA acception for entering an assurance" --- includes/notary.inc.php | 71 +++++++++++++++++++++++++---------------- pages/wot/6.php | 2 +- www/wot.php | 7 ++-- 3 files changed, 46 insertions(+), 34 deletions(-) diff --git a/includes/notary.inc.php b/includes/notary.inc.php index 1f0ec92..b34b2f4 100644 --- a/includes/notary.inc.php +++ b/includes/notary.inc.php @@ -639,10 +639,16 @@ $res = mysql_query($query); } + /** + * get_user_agreement_status() + * returns 1 if the user has an entry for the given type in user_agreement, 0 if no entry is recorded + * @param mixed $memid + * @param string $type + * @return + */ function get_user_agreement_status($memid, $type="CCA"){ - //returns 0 - no user agreement, 1- at least one entry $query="SELECT u.`document` FROM `user_agreements` u - WHERE u.`document` = '".$type."' AND (u.`memid`=".$memid." or u.`secmemid`=".$memid.")" ; + WHERE u.`document` = '" . mysql_real_escape_string($type) . "' AND u.`memid`=" . intval($memid) ; $res = mysql_query($query); if(mysql_num_rows($res) <=0){ return 0; 
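Review bot: In get_user_agreement_status() the filter now matches `u.memid` only, so a user who appears in a row only as `secmemid` no longer counts as having an agreement. The previous call in www/wot.php passed the assured member's id as the last argument of write_user_agreement(), presumably stored as `secmemid`. Existing rows of that kind would stop being found unless they are migrated to the new memid/active layout, which cannot be confirmed from this hunk. The same narrowing applies to get_first_user_agreement() and get_last_user_agreement() in the next hunk. The new docblock should also complete its `@return` tag, for example `@return int 1 if an entry exists, 0 otherwise`, and state that only `memid` is matched.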
@@ -651,53 +657,62 @@ } } + /** + * get_first_user_agreement() + * returns the first user_agreement entry of the requested type depending on thes status of active of a given user + * @param mixed $memid + * @param integer $active, 0 - passive, 1 -active + * @param string $type + * @return + */ function get_first_user_agreement($memid, $active=1, $type="CCA"){ //returns an array (`document`,`date`,`method`, `comment`,`active`) - if($active==1){ - $filter="u.`memid`=".$memid; - }else{ - $filter="u.`secmemid`=".$memid; - } - $query="SELECT u.`document`, u.`date`, u.`method`, u.`comment`, u.`active` FROM `user_agreements` u - WHERE u.`document` = '".$type."' AND ".$filter." - ORDER BY u.`date` Limit 1;"; + $query="SELECT u.`document`, u.`date`, u.`method`, u.`comment`, u.`active` FROM `user_agreements` AS u + WHERE u.`document` = '" . mysql_real_escape_string($type) . "' AND u.`memid`=" . intval($memid) . " AND u.`active`=" . intval($active) . + " ORDER BY u.`date` Limit 1;"; $res = mysql_query($query); if(mysql_num_rows($res) >0){ - $row = mysql_fetch_assoc($res); - $rec['document']= $row['document']; - $rec['date']= $row['date']; - $rec['method']= $row['method']; - $rec['comment']= $row['comment']; - $rec['active']= $row['active']; + $rec = mysql_fetch_assoc($res); }else{ $rec=array(); } return $rec; } + /** + * get_last_user_agreement() + * returns the last user_agreement entry of a given type and of a given user + * @param mixed $memid + * @param string $type + * @return + */ function get_last_user_agreement($memid, $type="CCA"){ //returns an array (`document`,`date`,`method`, `comment`,`active`) - $query="(SELECT u.`document`, u.`date`, u.`method`, u.`comment`, 1 as `active` FROM user_agreements u WHERE u.`document` = '".$type."' AND (u.`memid`=".$memid." 
) order by `date` desc limit 1) - union - (SELECT u.`document`, u.`date`, u.`method`, u.`comment`, 0 as `active` FROM user_agreements u WHERE u.`document` = '".$type."' AND ( u.`secmemid`=".$memid.")) order by `date` desc limit 1" ; + $query="SELECT u.`document`, u.`date`, u.`method`, u.`comment`, u.`active` FROM user_agreements u WHERE u.`document` = '" . mysql_real_escape_string($type) . "' AND (u.`memid`=" . intval($memid) . " ) order by `date` desc limit 1 " ; $res = mysql_query($query); if(mysql_num_rows($res) >0){ - $row = mysql_fetch_assoc($res); - $rec['document']= $row['document']; - $rec['date']= $row['date']; - $rec['method']= $row['method']; - $rec['comment']= $row['comment']; - $rec['active']= $row['active']; + $rec = mysql_fetch_assoc($res); }else{ $rec=array(); } return $rec; } - function delete_user_agreement($memid, $type="CCA"){ + /** + * delete_user_agreement() + * deletes all entries for a given type from user_agreement of a given user, if type is not given all + * @param mixed $memid + * @param string $type + * @return + */ + function delete_user_agreement($memid, $type=false){ //deletes all entries to an user for the given type of user agreements - mysql_query("delete from `user_agreements` where `memid`='".$memid."'"); - mysql_query("delete from `user_agreements` where `secmemid`='".$memid."'"); + if ($type === false) { + $filter = ''; + } else { + $filter = " and `document` = '" . mysql_real_escape_string($type) . "'"; + } + mysql_query("delete from `user_agreements` where `memid`=" . intval($memid) . $filter ); } // functions for 6.php (assure somebody) diff --git a/pages/wot/6.php b/pages/wot/6.php index ef8cac7..a565aa7 100644 --- a/pages/wot/6.php +++ b/pages/wot/6.php 
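Review bot: delete_user_agreement() discards the result of mysql_query(), so a failed delete looks the same to the caller as a successful one. Changing the last statement to `return mysql_query(...);` with the same argument would expose the failure, and the still-empty `@return` tag could then read `@return bool`. Two behaviour changes should be stated in the docblock: rows that reference the user only through `secmemid` are now kept, and a caller that passes "CCA" explicitly now removes only CCA entries, where the old body ignored `$type`. In get_first_user_agreement() the `$active` argument now filters on the `active` column instead of choosing between `memid` and `secmemid`, so existing callers should be checked against the new meaning. The description there also has a typo ("thes status of active").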
@@ -79,7 +79,7 @@ AssureTextLine("",_("Only tick the next box if the Assurance was face to face.")); AssureBoxLine("assertion",_("I believe that the assertion of identity I am making is correct, complete and verifiable. I have seen original documentation attesting to this identity. I accept that the CAcert Arbitrator may call upon me to provide evidence in any dispute, and I may be held responsible."),array_key_exists('assertion',$_POST) && $_POST['assertion'] == 1); AssureBoxLine("rules",_("I have read and understood the CAcert Community Agreement (CCA), Assurance Policy and the Assurance Handbook. I am making this Assurance subject to and in compliance with the CCA, Assurance policy and handbook."),array_key_exists('rules',$_POST) && $_POST['rules'] == 1); - AssureTextLine(_("Policy"),""._("CAcert Community Agreement")." -"._("Assurance Policy")." - "._("Assurance Handbook").""); + AssureTextLine(_("Policy"),""._("CAcert Community Agreement")." -"._("Assurance Policy")." - "._("Assurance Handbook").""); AssureInboxLine("points",_("Points"),"","
(Max. ".maxpoints().")"); AssureFoot($id,_("I confirm this Assurance")); ?> diff --git a/www/wot.php b/www/wot.php index 8395a58..7200517 100644 --- a/www/wot.php +++ b/www/wot.php @@ -371,7 +371,8 @@ $iecho= "c"; `when`=NOW()"; //record active acceptance by Assurer if (check_date_format(trim($_REQUEST['date']),2010)) { - write_user_agreement($_SESSION['profile']['id'], "CCA", "Assurance", "Assurer", 1, $_SESSION['_config']['notarise']['id']); + write_user_agreement($_SESSION['profile']['id'], "CCA", "assurance", "Assuring", 1, $_SESSION['_config']['notarise']['id']); + write_user_agreement($_SESSION['_config']['notarise']['id'], "CCA", "assurance", "Being assured", 0, $_SESSION['profile']['id']); } if($_SESSION['profile']['ttpadmin'] == 1 && ($_POST['method'] == 'Trusted 3rd Parties' || $_POST['method'] == 'Trusted Third Parties')) { $query .= ",\n`method`='TTP-Assisted'"; @@ -379,10 +380,6 @@ $iecho= "c"; mysql_query($query); fix_assurer_flag($_SESSION['_config']['notarise']['id']); include_once("../includes/notary.inc.php"); -/*to be activated after CCA accept option is implemented in form - write_user_agreement($_SESSION['profile']['id'], "CCA", "assurance", "Assuring", 1, $_SESSION['_config']['notarise']['id']);}*/ -/* to be activated after the CCA recording is announced - write_user_agreement($_SESSION['_config']['notarise']['id'], "CCA", "assurance", "Being assured", 0, $_SESSION['profile']['id']); */ if($_SESSION['profile']['points'] < 150) {
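Review bot: In the first www/wot.php hunk both write_user_agreement() calls run before `mysql_query($query)` stores the assurance (that call is visible in the following hunk) and its result is not checked, so CCA acceptance records can be written for an assurance that was never saved. Recording them only after a successful insert keeps the agreement trail consistent with the assurance table, e.g. `if (mysql_query($query)) { /* both write_user_agreement() calls */ }`. The calls are also gated on `check_date_format(trim($_REQUEST['date']),2010)`, while the visible lines go on building and executing the query regardless. Unless validation outside the hunk rejects the request first, an assurance could be stored without either acceptance record. The enclosing block starts and ends outside the hunk, so this needs confirming against the full file.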