author | Aqua-sama <aqua@iserlohn-fortress.net> | 2021-04-30 10:15:25 +0300 |
---|---|---|
committer | Aqua-sama <aqua@iserlohn-fortress.net> | 2021-04-30 10:15:25 +0300 |
commit | c86e82354cdafa9aaa785455505a2e8b0ce5fc73 (patch) | |
tree | 0135ef69eda1d871e940b1ad42d2166d9c1d8c9c | |
parent | Reports can be bound to bugs (diff) | |
download | bugtracker-c86e82354cdafa9aaa785455505a2e8b0ce5fc73.tar.xz |
Check can_edit_reports and can_edit_bugs flags
-rw-r--r-- | bug/edit.php | 5 | ||||
-rw-r--r-- | report/edit.php | 7 | ||||
-rw-r--r-- | user/delete.php | 2 | ||||
-rw-r--r-- | user/login.php | 9 | ||||
-rw-r--r-- | user/logout.php | 2 |
5 files changed, 23 insertions, 2 deletions
diff --git a/bug/edit.php b/bug/edit.php
index ad1ea36..9aaac38 100644
--- a/bug/edit.php
+++ b/bug/edit.php
@@ -27,6 +27,11 @@ if($id != "") {
 $submitter = $result['submitter'];
 $description = $result['description'];
 }
+
+if(!$_SESSION['user_can_edit_bugs'] || ($submitter != $_SESSION['user_name'])) {
+ echo "You cannot edit bugs!";
+ goto footer;
+}
 ?>
 <form action="update.php?id=<?php echo $id; ?>" method="post">
diff --git a/report/edit.php b/report/edit.php
index cd2e1a8..b6d5049 100644
--- a/report/edit.php
+++ b/report/edit.php
@@ -29,6 +29,11 @@ if($id != "") {
 $description = $result['description'];
 }
+if(!$_SESSION['user_can_edit_reports'] || ($submitter != $_SESSION['user_name'])) {
+ echo "You cannot edit reports!";
+ goto footer;
+}
+
 # get bug id's
 $bugs = $conn->query("SELECT id, title FROM bugs");
@@ -42,9 +47,11 @@ $bugs = $conn->query("SELECT id, title FROM bugs");
 <p>Assign to bug: <select name="bug_id">
 <option value="">None</option>
 <?php
+if($_SESSION['user_can_edit_bugs']) {
 foreach($bugs as $bug) {
 echo "<option value=$bug[id]>$bug[title]</option>";
 }
+}
 ?>
 </select></p>
 <input type="submit" value="submit" >
diff --git a/user/delete.php b/user/delete.php
index b46cdce..80740e7 100644
--- a/user/delete.php
+++ b/user/delete.php
@@ -13,6 +13,8 @@ if($query->execute()) {
 echo '<h2>Account successfully deleted</h2>';
 unset($_SESSION['user_name']);
 unset($_SESSION['user_id']);
+ unset($_SESSION['user_can_edit_bugs']);
+ unset($_SESSION['user_can_edit_reports']);
 } else {
 echo '<h2>Account deletion failed</h2>';
 }
diff --git a/user/login.php b/user/login.php
index a927d02..7a25d38 100644
--- a/user/login.php
+++ b/user/login.php
@@ -4,13 +4,18 @@ require_once(TEMPLATES_PATH . "/header.php");
 session_start();
 $conn = new PDO($config['db']['dsn'], $config['db']['username'], $config['db']['password']);
-$query = "SELECT id, username, password FROM users WHERE username = '$_POST[username]'";
-$result = $conn->query($query)->fetch();
+$query = $conn->prepare("SELECT id, username, password, can_edit_bugs, can_edit_reports
+ FROM users WHERE username=:username");
+$query->bindParam(':username', $_POST['username']);
+$query->execute();
+$result = $query->fetch();
 if(password_verify($_POST['password'], $result['password'])) {
 echo 'password verified';
 $_SESSION['user_name'] = $result['username'];
 $_SESSION['user_id'] = $result['id'];
+ $_SESSION['user_can_edit_bugs'] = $result['can_edit_bugs'];
+ $_SESSION['user_can_edit_reports'] = $result['can_edit_reports'];
 } else {
 echo 'wrong password';
 }
diff --git a/user/logout.php b/user/logout.php
index 26bbfa0..319a43a 100644
--- a/user/logout.php
+++ b/user/logout.php
@@ -5,6 +5,8 @@ require_once(TEMPLATES_PATH . "/header.php");
 session_start();
 unset($_SESSION['user_name']);
 unset($_SESSION['user_id']);
+unset($_SESSION['user_can_edit_bugs']);
+unset($_SESSION['user_can_edit_reports']);
 echo 'Session cleared';
 header("Refresh: 2; URL=$_SERVER[HTTP_REFERER]");
|
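Review bot: The guard added in bug/edit.php reads `$submitter` unconditionally, but the hunk header shows it is only assigned inside the `if($id != "")` block, so on the empty-id path the comparison runs against an undefined variable and the page is always refused — a regression if edit.php also serves as the create form, and the first hunk of report/edit.php has the same shape. The `||` means a user holding `user_can_edit_bugs` is still refused on any bug they did not submit, while a submitter without the flag is refused too; whichever rule is intended, a one-line comment such as `// editing requires the can_edit_bugs flag and ownership of the bug` belongs above the guard so the next reader does not have to guess. The check only gates the form: `update.php`, which the form posts to, is not part of this commit and must enforce the same rule, otherwise the gate is cosmetic. Prefer `!==` and `($_SESSION['user_can_edit_bugs'] ?? false)` so an unauthenticated session fails closed without an undefined-index notice.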
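Review bot: In the second hunk of report/edit.php, wrapping the `<option>` loop in `if($_SESSION['user_can_edit_bugs'])` only hides the choices in the form; the `bug_id` field is still submitted, so whichever script handles the post has to ignore `bug_id` for users without the flag or the UI-level check buys nothing. The `$bugs` query on the context line above still runs for every user, so it can move inside the new `if` and skip a query nobody sees. `$bug[id]` and `$bug[title]` are echoed unescaped on the unchanged line — pre-existing, but `htmlspecialchars($bug['title'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` is a cheap fix while touching this block. The enclosing PHP/HTML form continues past the hunk.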
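Review bot: `$_SESSION['user_can_edit_bugs'] = $result['can_edit_bugs'];` stores the raw driver value, so the edit pages see `"0"`/`"1"` strings or ints depending on PDO emulation settings; cast at the boundary, `$_SESSION['user_can_edit_bugs'] = (bool) $result['can_edit_bugs'];` (likewise for reports), so the `if(!$_SESSION[...])` checks do not depend on driver typing. Because the flags are copied into the session at login, revoking a flag in the `users` table takes effect only at the next login — that deserves a comment beside these assignments. The new `fetch()` still yields `false` for an unknown username, so `$result['password']` on the context line reads an offset of a bool; pre-existing, but `if($result !== false && password_verify(...))` closes it quietly. A successful login writes the privilege flags into the pre-login session without `session_regenerate_id(true)`; adding that call before the assignments is the standard mitigation for session fixation. `bindParam` binds `$_POST['username']` by reference, which is odd for a one-shot value; `bindValue(':username', $_POST['username'] ?? '')` or passing the value to `execute()` is the idiomatic form.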