From 07ae0efce878e122dcaf2bfe92aaac59a43eb637 Mon Sep 17 00:00:00 2001
From: Sven Slootweg
Date: Mon, 25 Feb 2013 12:05:33 +0100
Subject: [PATCH] Implement administrator access checks

---
 public_html/classes/campaign.php | 9 +++++++--
 public_html/modules/campaign/addmethod.php | 5 +++++
 public_html/modules/campaign/dashboard.php | 5 +++++
 public_html/modules/campaign/removemethod.php | 5 +++++
 4 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/public_html/classes/campaign.php b/public_html/classes/campaign.php
index 31266d0..6165b5d 100644
--- a/public_html/classes/campaign.php
+++ b/public_html/classes/campaign.php
@@ -25,7 +25,7 @@ class Campaign extends CPHPDatabaseRecordClass
 'UrlName' => "UrlName"
 ),
 'numeric' => array(
- 'OwnerId' => "UserId",
+ 'OwnerId' => "OwnerId",
 'DonationRate' => "DonationRate",
 'SubscriberCount' => "SubscriberCount",
 'MonthlyTotal' => "TotalMonthlyDonations",
@@ -39,7 +39,7 @@ class Campaign extends CPHPDatabaseRecordClass
 'LastStatisticsUpdate' => "LastStatisticsUpdate"
 ),
 'user' => array(
- 'Owner' => "Owner"
+ 'Owner' => "OwnerId"
 )
 );
 
@@ -61,6 +61,11 @@ class Campaign extends CPHPDatabaseRecordClass
 return self::CreateFromQuery("SELECT * FROM campaigns WHERE `UrlName` = :UrlName", array(':UrlName' => $urlname), 0, true);
 }
 
+ public function VerifyAdministratorAccess($userid)
+ {
+ return ($this->sOwnerId == $userid);
+ }
+
 public function UpdateStatistics()
 {
 global $database;
diff --git a/public_html/modules/campaign/addmethod.php b/public_html/modules/campaign/addmethod.php
index 31916f4..7ae2062 100644
--- a/public_html/modules/campaign/addmethod.php
+++ b/public_html/modules/campaign/addmethod.php
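Review bot: `VerifyAdministratorAccess` in the third hunk compares with loose `==`, so a null or unset `$userid` compares equal to an OwnerId of 0, and on PHP 7 and earlier a non-numeric string also equals 0; an authorization check should fail closed when the caller has no identity at all. Reject a missing id explicitly and compare strictly: `return $userid !== null && (int) $userid === (int) $this->sOwnerId;` — the declared type of `sOwnerId` is not visible in this hunk, hence the casts. A one-line docblock would also help because the name suggests a role check while only ownership is tested: `/** True only when $userid is this campaign's owner; no other roles are consulted. */`. The first two hunks in this file are the key rename the commit makes and need no comment.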
@@ -23,6 +23,11 @@ catch (NotFoundException $e)
 throw new RouterException("Campaign does not exist.");
 }
 
+if($sCampaign->VerifyAdministratorAccess($_SESSION['user_id']) === false)
+{
+ throw new RouterException("Not authorized to administrate this campaign.");
+}
+
 if(!empty($_POST['submit']))
 {
 if(empty($_POST['address']))
diff --git a/public_html/modules/campaign/dashboard.php b/public_html/modules/campaign/dashboard.php
index 587238b..66c2617 100644
--- a/public_html/modules/campaign/dashboard.php
+++ b/public_html/modules/campaign/dashboard.php
@@ -23,6 +23,11 @@ catch (NotFoundException $e)
 throw new RouterException("Campaign does not exist.");
 }
 
+if($sCampaign->VerifyAdministratorAccess($_SESSION['user_id']) === false)
+{
+ throw new RouterException("Not authorized to administrate this campaign.");
+}
+
 $sPaymentMethods = array();
 
 try
diff --git a/public_html/modules/campaign/removemethod.php b/public_html/modules/campaign/removemethod.php
index 0c1072c..12ae9aa 100644
--- a/public_html/modules/campaign/removemethod.php
+++ b/public_html/modules/campaign/removemethod.php
@@ -23,6 +23,11 @@ catch (NotFoundException $e)
 throw new RouterException("Campaign does not exist.");
 }
 
+if($sCampaign->VerifyAdministratorAccess($_SESSION['user_id']) === false)
+{
+ throw new RouterException("Not authorized to administrate this campaign.");
+}
+
 try
 {
 $sPaymentMethod = new PaymentMethod($router->uParameters[2]);
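Review bot: All three module hunks (addmethod.php, dashboard.php, removemethod.php) read `$_SESSION['user_id']` without checking that anyone is logged in; for an anonymous visitor the key is undefined, the method receives null, and the outcome then rests entirely on the loose comparison inside `VerifyAdministratorAccess`. Unless the login requirement is already enforced earlier in these modules (lines 1-22 are outside the hunk), guard it before the authorization call: `if(!isset($_SESSION['user_id'])) { throw new RouterException("Not authorized to administrate this campaign."); }`. The same five-line block is now copied verbatim into three files; moving it into one shared place (a router-level prerequisite, or a Campaign method that throws) keeps future changes to the rule from drifting between them. Checking a boolean with `=== false` is correct but `if(!$sCampaign->VerifyAdministratorAccess($_SESSION['user_id']))` reads the same and matches the `if(!empty(...))` style already used in addmethod.php.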