Implement administrator access checks

11 years ago · 07ae0efce8
parent d75e9b6920
commit 07ae0efce8
4 changed files with 22 additions and 2 deletions
--- a/public_html/classes/campaign.php
+++ b/public_html/classes/campaign.php
@ -25,7 +25,7 @@ class Campaign extends CPHPDatabaseRecordClass
 			'UrlName'		=> "UrlName"
 		),
 		'numeric' => array(
-			'OwnerId'		=> "UserId",
+			'OwnerId'		=> "OwnerId",
 			'DonationRate'		=> "DonationRate",
 			'SubscriberCount'	=> "SubscriberCount",
 			'MonthlyTotal'		=> "TotalMonthlyDonations",
@ -39,7 +39,7 @@ class Campaign extends CPHPDatabaseRecordClass
 			'LastStatisticsUpdate'	=> "LastStatisticsUpdate"
 		),
 		'user' => array(
-			'Owner'			=> "Owner"
+			'Owner'			=> "OwnerId"
 		)
 	);
 	
@ -61,6 +61,11 @@ class Campaign extends CPHPDatabaseRecordClass
 		return self::CreateFromQuery("SELECT * FROM campaigns WHERE `UrlName` = :UrlName", array(':UrlName' => $urlname), 0, true);
 	}
 	
+	public function VerifyAdministratorAccess($userid)
+	{
+		return ($this->sOwnerId == $userid);
+	}
+	
 	public function UpdateStatistics()
 	{
 		global $database;
--- a/public_html/modules/campaign/addmethod.php
+++ b/public_html/modules/campaign/addmethod.php
@ -23,6 +23,11 @@ catch (NotFoundException $e)
 	throw new RouterException("Campaign does not exist.");
 }

+if($sCampaign->VerifyAdministratorAccess($_SESSION['user_id']) === false)
+{
+	throw new RouterException("Not authorized to administrate this campaign.");
+}
+
 if(!empty($_POST['submit']))
 {
 	if(empty($_POST['address']))
--- a/public_html/modules/campaign/dashboard.php
+++ b/public_html/modules/campaign/dashboard.php
@ -23,6 +23,11 @@ catch (NotFoundException $e)
 	throw new RouterException("Campaign does not exist.");
 }

+if($sCampaign->VerifyAdministratorAccess($_SESSION['user_id']) === false)
+{
+	throw new RouterException("Not authorized to administrate this campaign.");
+}
+
 $sPaymentMethods = array();

 try
--- a/public_html/modules/campaign/removemethod.php
+++ b/public_html/modules/campaign/removemethod.php
@ -23,6 +23,11 @@ catch (NotFoundException $e)
 	throw new RouterException("Campaign does not exist.");
 }

+if($sCampaign->VerifyAdministratorAccess($_SESSION['user_id']) === false)
+{
+	throw new RouterException("Not authorized to administrate this campaign.");
+}
+
 try
 {
 	$sPaymentMethod = new PaymentMethod($router->uParameters[2]);