authorAqua-sama <aqua@iserlohn-fortress.net>2021-04-30 10:15:25 +0300
committerAqua-sama <aqua@iserlohn-fortress.net>2021-04-30 10:15:25 +0300
commitc86e82354cdafa9aaa785455505a2e8b0ce5fc73 (patch)
tree0135ef69eda1d871e940b1ad42d2166d9c1d8c9c
parentReports can be bound to bugs (diff)
downloadbugtracker-c86e82354cdafa9aaa785455505a2e8b0ce5fc73.tar.xz
Check can_edit_reports and can_edit_bugs flags
-rw-r--r--bug/edit.php5
-rw-r--r--report/edit.php7
-rw-r--r--user/delete.php2
-rw-r--r--user/login.php9
-rw-r--r--user/logout.php2
5 files changed, 23 insertions, 2 deletions
diff --git a/bug/edit.php b/bug/edit.php
index ad1ea36..9aaac38 100644
--- a/bug/edit.php
+++ b/bug/edit.php
@@ -27,6 +27,11 @@ if($id != "") {
$submitter = $result['submitter'];
$description = $result['description'];
}
+
+if(!$_SESSION['user_can_edit_bugs'] || ($submitter != $_SESSION['user_name'])) {
+ echo "You cannot edit bugs!";
+ goto footer;
+}
?>
<form action="update.php?id=<?php echo $id; ?>" method="post">
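Review bot: The check added at line 28 protects only the page that renders the form; the form posts to `update.php` (line 33), which this commit does not touch, so unless update.php performs the same test a request sent straight to it is not covered by the new authorization. The check added to report/edit.php at line 41 has the same gap. `$submitter` is assigned inside the `if($id != "")` branch that opens above the hunk, so unless it is initialised earlier an empty id makes the comparison read an undefined variable; comparing with `!==` instead of `!=` would also avoid loose-comparison surprises such as `'' != null` evaluating to false. It is worth confirming that `||` is the intended operator: as written, a user holding can_edit_bugs may still edit only bugs they submitted, and if the flag is meant to permit editing any bug the condition should read `if(!$_SESSION['user_can_edit_bugs'] && $submitter !== $_SESSION['user_name']) {`.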
diff --git a/report/edit.php b/report/edit.php
index cd2e1a8..b6d5049 100644
--- a/report/edit.php
+++ b/report/edit.php
@@ -29,6 +29,11 @@ if($id != "") {
$description = $result['description'];
}
+if(!$_SESSION['user_can_edit_reports'] || ($submitter != $_SESSION['user_name'])) {
+ echo "You cannot edit reports!";
+ goto footer;
+}
+
# get bug id's
$bugs = $conn->query("SELECT id, title FROM bugs");
@@ -42,9 +47,11 @@ $bugs = $conn->query("SELECT id, title FROM bugs");
<p>Assign to bug: <select name="bug_id">
<option value="">None</option>
<?php
+if($_SESSION['user_can_edit_bugs']) {
foreach($bugs as $bug) {
echo "<option value=$bug[id]>$bug[title]</option>";
}
+}
?>
</select></p>
<input type="submit" value="submit" >
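Review bot: The `if($_SESSION['user_can_edit_bugs'])` wrapper added at line 52 only removes the options from the rendered page; the `<select name="bug_id">` is still part of the form, so the handler that processes the submission must itself reject a non-empty `bug_id` from a user without the flag, and that handler is not part of this commit. The flag is read without `isset`, so a visitor with no session entry triggers an undefined-index notice; `if(!empty($_SESSION['user_can_edit_bugs'])) {` keeps the same fail-closed behaviour without it. While the loop is being wrapped, the option line it encloses prints the id and title into HTML unescaped; `echo "<option value=\"" . htmlspecialchars($bug['id']) . "\">" . htmlspecialchars($bug['title']) . "</option>";` would close that off.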
diff --git a/user/delete.php b/user/delete.php
index b46cdce..80740e7 100644
--- a/user/delete.php
+++ b/user/delete.php
@@ -13,6 +13,8 @@ if($query->execute()) {
echo '<h2>Account successfully deleted</h2>';
unset($_SESSION['user_name']);
unset($_SESSION['user_id']);
+ unset($_SESSION['user_can_edit_bugs']);
+ unset($_SESSION['user_can_edit_reports']);
} else {
echo '<h2>Account deletion failed</h2>';
}
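Review bot: The two `unset()` calls added at lines 68-69 clear the session one key at a time, which is why this commit had to touch both this file and user/logout.php and will have to be repeated for every key added later. After a successful deletion `$_SESSION = []; session_destroy();` (or `session_unset()` followed by `session_regenerate_id(true)`) drops every key, including the privilege flags, without enumerating them, and the same replacement applies to the added lines in user/logout.php. The enclosing `if($query->execute())` block opens above the hunk.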
diff --git a/user/login.php b/user/login.php
index a927d02..7a25d38 100644
--- a/user/login.php
+++ b/user/login.php
@@ -4,13 +4,18 @@ require_once(TEMPLATES_PATH . "/header.php");
session_start();
$conn = new PDO($config['db']['dsn'], $config['db']['username'], $config['db']['password']);
-$query = "SELECT id, username, password FROM users WHERE username = '$_POST[username]'";
-$result = $conn->query($query)->fetch();
+$query = $conn->prepare("SELECT id, username, password, can_edit_bugs, can_edit_reports
+ FROM users WHERE username=:username");
+$query->bindParam(':username', $_POST['username']);
+$query->execute();
+$result = $query->fetch();
if(password_verify($_POST['password'], $result['password'])) {
echo 'password verified';
$_SESSION['user_name'] = $result['username'];
$_SESSION['user_id'] = $result['id'];
+ $_SESSION['user_can_edit_bugs'] = $result['can_edit_bugs'];
+ $_SESSION['user_can_edit_reports'] = $result['can_edit_reports'];
} else {
echo 'wrong password';
}
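Review bot: `password_verify()` on line 87 is still called with `$result['password']` when `$query->fetch()` at line 86 returned `false` for an unknown username, which reads an array offset on `false` before failing; guard the fetch result first: `if($result !== false && password_verify($_POST['password'], $result['password'])) {`. Since the session now carries privilege flags, the session id should be regenerated at the moment they are granted, with `session_regenerate_id(true);` as the first statement of the success branch, so an identifier established before login does not inherit them. The flags are stored as whatever the driver returns for the column; casting explicitly, `$_SESSION['user_can_edit_bugs'] = (bool) $result['can_edit_bugs'];` and likewise for can_edit_reports, removes the dependence on that representation in the later truthiness checks. `bindValue()` rather than `bindParam()` on line 84 would be the conventional choice, as nothing changes the variable between binding and `execute()`.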
diff --git a/user/logout.php b/user/logout.php
index 26bbfa0..319a43a 100644
--- a/user/logout.php
+++ b/user/logout.php
@@ -5,6 +5,8 @@ require_once(TEMPLATES_PATH . "/header.php");
session_start();
unset($_SESSION['user_name']);
unset($_SESSION['user_id']);
+unset($_SESSION['user_can_edit_bugs']);
+unset($_SESSION['user_can_edit_reports']);
echo 'Session cleared';
header("Refresh: 2; URL=$_SERVER[HTTP_REFERER]");