Merge changes I3ab5c1cf,I0bdc8fb3,I3cca162f,I31347d68

* changes:
  Fixes for adding users with friendscontrol set to 'auto' (bug #861985)
  Fix acceptance of outdated friendship requests (bug #861985)
  Add integer typecast to userids array in get_users_data function
  Simplify query to get user data for find/my friends (bug #861888)

htdocs/lang/en.utf8/group.php

@@ -257,6 +257,8 @@ $string['friendrequestacceptedmessage'] = '%s has accepted your friend request a
 $string['friendrequestrejectedsubject'] = 'Friend request rejected';
 $string['friendrequestrejectedmessage'] = '%s has rejected your friend request.';
 $string['friendrequestrejectedmessagereason'] = '%s has rejected your friend request.  Their reason was: ';
+$string['acceptfriendshiprequestfailed'] = 'Failed to accept friendship request.';
+$string['addtofriendsfailed'] = 'Failed to add %s to your friends list.';
 
 $string['allfriends']     = 'All Friends';
 $string['currentfriends'] = 'Current Friends';

htdocs/lib/user.php

@@ -1419,37 +1419,25 @@ function get_new_username($desired) {
  */
 function get_users_data($userids, $getviews=true) {
 	global $USER;
-    // $userids is only used by build_userlist_html() in this file and is sanitised there
-    $userlist = join(',', $userids);
+
+    $userids = array_map('intval', $userids);
+
     $sql = 'SELECT u.id, u.username, u.preferredname, u.firstname, u.lastname, u.admin, u.staff, u.deleted,
                 u.profileicon, u.email,
-                0 AS pending, ap.value AS hidenamepref,
+                fp.requester AS pending,
+                ap.value AS hidenamepref,
                 COALESCE((SELECT ap.value FROM {usr_account_preference} ap WHERE ap.usr = u.id AND ap.field = \'messages\'), \'allow\') AS messages,
                 COALESCE((SELECT ap.value FROM {usr_account_preference} ap WHERE ap.usr = u.id AND ap.field = \'friendscontrol\'), \'auth\') AS friendscontrol,
                 (SELECT 1 FROM {usr_friend} WHERE ((usr1 = ? AND usr2 = u.id) OR (usr2 = ? AND usr1 = u.id))) AS friend,
                 (SELECT 1 FROM {usr_friend_request} fr WHERE fr.requester = ? AND fr.owner = u.id) AS requestedfriendship,
                 (SELECT title FROM {artefact} WHERE artefacttype = \'introduction\' AND owner = u.id) AS introduction,
-                NULL AS message
+                fp.message
                 FROM {usr} u
                 LEFT JOIN {usr_account_preference} ap ON (u.id = ap.usr AND ap.field = \'hiderealname\')
-                WHERE u.id IN (' . $userlist . ')
-            UNION
-            SELECT u.id, u.username, u.preferredname, u.firstname, u.lastname, u.admin, u.staff, u.deleted,
-                u.profileicon, u.email,
-                1 AS pending, ap.value AS hidenamepref,
-                COALESCE((SELECT ap.value FROM {usr_account_preference} ap WHERE ap.usr = u.id AND ap.field = \'messages\'), \'allow\') AS messages,
-                NULL AS friendscontrol,
-                NULL AS friend,
-                NULL AS requestedfriendship,
-                (SELECT title FROM {artefact} WHERE artefacttype = \'introduction\' AND owner = u.id) AS introduction,
-                message
-                FROM {usr} u
-                LEFT JOIN {usr_account_preference} ap ON (u.id = ap.usr AND ap.field = \'hiderealname\')
-                JOIN {usr_friend_request} fr ON fr.requester = u.id
-                WHERE fr.owner = ?
-                AND u.id IN (' . $userlist . ')';
+                LEFT JOIN {usr_friend_request} fp ON fp.owner = ? AND fp.requester = u.id
+                WHERE u.id IN (' . join(',', array_fill(0, count($userids), '?')) . ')';
     $userid = $USER->get('id');
-    $data = get_records_sql_assoc($sql, array($userid, $userid, $userid, $userid));
+    $data = get_records_sql_assoc($sql, array_merge(array($userid, $userid, $userid, $userid), $userids));
     $allowhidename = get_config('userscanhiderealnames');
     $showusername = get_config('searchusernames');
 
@@ -1491,63 +1479,15 @@ function get_users_data($userids, $getviews=true) {
             $friend->views = $cleanviews[$friend->id];
         }
         if ($friend->pending) {
-            $friend->accept = pieform(array(
-                'name' => 'acceptfriend' . $friend->id,
-                'successcallback' => 'acceptfriend_submit',
-                'renderer' => 'div',
-                'autofocus' => 'false',
-                'elements' => array(
-                    'submit' => array(
-                        'type' => 'submit',
-                        'value' => get_string('approverequest', 'group')
-                    ),
-                    'id' => array(
-                        'type' => 'hidden',
-                        'value' => $friend->id
-                    )
-                )
-            ));
+            $friend->accept = acceptfriend_form($friend->id);
         }
         if (!$friend->friend && !$friend->pending && !$friend->requestedfriendship && $friend->friendscontrol == 'auto') {
-            $friend->makefriend = pieform(array(
-                'name' => 'addfriend' . $friend->id,
-                'successcallback' => 'addfriend_submit',
-                'renderer' => 'div',
-                'autofocus' => 'false',
-                'elements' => array(
-                    'submit' => array(
-                        'type' => 'submit',
-                        'value' => get_string('addtofriendslist', 'group'),
-                    ),
-                    'id' => array(
-                        'type' => 'hidden',
-                        'value' => $friend->id,
-                    ),
-                    // These two fields pass on any query that was running on a 
-                    // user search screen. This is so when the form is 
-                    // submitted, the correct user search is run again and so 
-                    // this pieform will definitely be created and ready to be 
-                    // submitted.
-                    //
-                    // A bit of a hack caused by having one form for each user. 
-                    // It would be nice at some point to put the entire 'find 
-                    // friends' page into one form and toggle on the submit 
-                    // button to work out which friend to add.
-                    'query' => array(
-                        'type' => 'hidden',
-                        'value' => param_variable('query', ''),
-                    ),
-                    'offset' => array(
-                        'type' => 'hidden',
-                        'value' => param_integer('offset', 0),
-                    ),
-                )
-            ));
+            $friend->makefriend = addfriend_form($friend->id);
         }
     }
-    $order = explode(',', $userlist);
+
     $ordereddata = array();
-    foreach ($order as $id) {
+    foreach ($userids as $id) {
         if (isset($data[$id])) {
             $ordereddata[] = $data[$id];
         }
@@ -1755,11 +1695,53 @@ function friendscontrol_submit(Pieform $form, $values) {
     redirect($values['returnto'] == 'find' ? '/user/find.php' : '/user/myfriends.php');
 }
 
+function acceptfriend_form($friendid) {
+    return pieform(array(
+        'name' => 'acceptfriend' . (int) $friendid,
+        'validatecallback' => 'acceptfriend_validate',
+        'successcallback'  => 'acceptfriend_submit',
+        'renderer' => 'div',
+        'autofocus' => 'false',
+        'elements' => array(
+            'acceptfriend_submit' => array(
+                'type' => 'submit',
+                'value' => get_string('approverequest', 'group'),
+            ),
+            'id' => array(
+                'type' => 'hidden',
+                'value' => (int) $friendid,
+            ),
+        ),
+    ));
+}
+
+function acceptfriend_validate(Pieform $form, $values) {
+    global $USER, $SESSION;
+
+    $friendid = (int) $values['id'];
+
+    if (!get_record('usr_friend_request', 'owner', $USER->get('id'), 'requester', $friendid)) {
+        if (!is_friend($USER->get('id'), $friendid) && get_account_preference($friendid, 'friendscontrol') != 'auto') {
+            // Because the request is no longer valid, this form won't be redrawn in the new list of users.  So
+            // the error message is added to the $SESSION messages area, and a dummy error message is set on the
+            // form to stop submission from continuing.
+            $SESSION->add_error_msg(get_string('acceptfriendshiprequestfailed', 'group'));
+            $form->set_error(null, -1);
+        }
+    }
+}
+
 function acceptfriend_submit(Pieform $form, $values) {
     global $USER, $SESSION;
 
     $user = get_record('usr', 'id', $values['id']);
 
+    if (is_friend($USER->get('id'), $user->id)) {
+        $SESSION->add_info_msg(get_string('alreadyfriends', 'group', display_name($user)));
+        delete_records('usr_friend_request', 'owner', $USER->get('id'), 'requester', $user->id);
+        redirect('/user/view.php?id=' . $user->id);
+    }
+
     // friend db record
     $f = new StdClass;
     $f->ctime = db_format_timestamp(time());
@@ -1787,13 +1769,55 @@ function acceptfriend_submit(Pieform $form, $values) {
     redirect('/user/view.php?id=' . $values['id']);
 }
 
+// Form to add someone who has friendscontrol set to 'auto'
+function addfriend_form($friendid) {
+    return pieform(array(
+        'name' => 'addfriend' . (int) $friendid,
+        'validatecallback' => 'addfriend_validate',
+        'successcallback'  => 'addfriend_submit',
+        'renderer' => 'div',
+        'autofocus' => 'false',
+        'elements' => array(
+            'addfriend_submit' => array(
+                'type' => 'submit',
+                'value' => get_string('addtofriendslist', 'group'),
+            ),
+            'id' => array(
+                'type' => 'hidden',
+                'value' => (int) $friendid,
+            ),
+        ),
+    ));
+}
+
+function addfriend_validate(Pieform $form, $values) {
+    global $USER, $SESSION;
+
+    $friendid = (int) $values['id'];
+
+    if (get_account_preference($friendid, 'friendscontrol') != 'auto') {
+        if (!is_friend($USER->get('id'), $friendid) && !get_record('usr_friend_request', 'owner', $USER->get('id'), 'requester', $friendid)) {
+            // Because friendscontrol has changed, this form won't be redrawn in the new list of users.  So
+            // the error message is added to the $SESSION messages area, and a dummy error message is set on
+            // the form to stop submission from continuing.
+            $SESSION->add_error_msg(get_string('addtofriendsfailed', 'group', display_name($friendid)));
+            $form->set_error(null, -1);
+        }
+    }
+}
+
 // Called when a user adds someone who has friendscontrol set to 'auto'
 function addfriend_submit(Pieform $form, $values) {
     global $USER, $SESSION;
     $user = get_record('usr', 'id', $values['id']);
 
     $loggedinid = $USER->get('id');
-    $userid = $user->id;
+
+    if (is_friend($loggedinid, $user->id)) {
+        $SESSION->add_info_msg(get_string('alreadyfriends', 'group', display_name($user)));
+        delete_records('usr_friend_request', 'owner', $loggedinid, 'requester', $user->id);
+        redirect('/user/view.php?id=' . $user->id);
+    }
 
     // friend db record
     $f = new StdClass;
@@ -1809,7 +1833,12 @@ function addfriend_submit(Pieform $form, $values) {
 
     $f->usr1 = $values['id'];
     $f->usr2 = $loggedinid;
+
+    db_begin();
+    delete_records('usr_friend_request', 'owner', $loggedinid, 'requester', $user->id);
     insert_record('usr_friend', $f);
+    db_commit();
+
     $n->subject = get_string_from_language($lang, 'addedtofriendslistsubject', 'group', $displayname);
     $n->message = get_string_from_language($lang, 'addedtofriendslistmessage', 'group', $displayname, $displayname);
 

htdocs/user/find.php

@@ -36,6 +36,13 @@ define('SECTION_PLUGINTYPE', 'core');
 define('SECTION_PLUGINNAME', 'user');
 define('SECTION_PAGE', 'find');
 
+if (param_variable('acceptfriend_submit', null)) {
+    acceptfriend_form(param_integer('id'));
+}
+else if (param_variable('addfriend_submit', null)) {
+    addfriend_form(param_integer('id'));
+}
+
 $query = param_variable('query', '');
 $offset = param_integer('offset', 0);
 $filter = param_alpha('filter', $USER->get('admin') ? 'all' : 'myinstitutions');

htdocs/user/myfriends.php

@@ -35,6 +35,13 @@ define('SECTION_PLUGINTYPE', 'core');
 define('SECTION_PLUGINNAME', 'user');
 define('SECTION_PAGE', 'myfriends');
 
+if (param_variable('acceptfriend_submit', null)) {
+    acceptfriend_form(param_integer('id'));
+}
+else if (param_variable('addfriend_submit', null)) {
+    addfriend_form(param_integer('id'));
+}
+
 $filter = param_alpha('filter', 'all');
 $offset = param_integer('offset', 0);
 $limit = 10;