🐛 Fix request authorisation

Signed-off-by: Luke Tainton <luke@tainton.uk>
2020-08-09 17:09:50 +01:00
parent 07eaf4d05d
commit 671e1826d0
7 changed files with 14 additions and 14 deletions
--- a/app/includes/prereqs.php
+++ b/app/includes/prereqs.php
@@ -136,6 +136,6 @@ function get_subscribers($db, $request) {
  return $users_result;
 }
-function isAuthorised($authorised_users, $request) {
+function isAuthorised($user, $authorised_users, $request) {
-  if (in_array($authorised_users, $_SESSION['uuid']) || $_SESSION['uuid'] == $request['created_by']) { return true; } else { return false; }
+  if ( in_array($user, $authorised_users) || $_SESSION['uuid'] == $request['created_by']) { return true; } else { return false; }
 }
--- a/app/public/actions/close.php
+++ b/app/public/actions/close.php
@@ -4,8 +4,8 @@
    $request = get_request($db, $_GET['rid']);
    $authorised_users = get_subscribers($db, $request);
-    $is_authorised = isAuthorised($authorised_users, $request);
+    $is_authorised = isAuthorised($_SESSION['uuid'], $authorised_users, $request);
-    
+
    // Close request
    if ($is_authorised == true) {
        if($_SERVER['REQUEST_METHOD'] == 'POST') {
@@ -25,4 +25,4 @@
        header('Location: /view?rid=' . $request['uuid'], true);
    }
-?>
+?>
--- a/app/public/actions/update.php
+++ b/app/public/actions/update.php
@@ -4,7 +4,7 @@
    $request = get_request($db, $_POST['rid']);
    $authorised_users = get_subscribers($db, $request);
-    $is_authorised = isAuthorised($authorised_users, $request);
+    $is_authorised = isAuthorised($_SESSION['uuid'], $authorised_users, $request);
    // If form submitted, save to database
    if($_SERVER['REQUEST_METHOD'] == 'POST') {
@@ -26,4 +26,4 @@
      }
    }
-?>
+?>
--- a/app/public/actions/upload.php
+++ b/app/public/actions/upload.php
@@ -4,7 +4,7 @@
    $request = get_request($db, $_POST['rid']);
    $authorised_users = get_subscribers($db, $request);
-    $is_authorised = isAuthorised($authorised_users, $request);
+    $is_authorised = isAuthorised($_SESSION['uuid'], $authorised_users, $request);
    // If form submitted, save to database
    if($_SERVER['REQUEST_METHOD'] == 'POST') {
@@ -35,4 +35,4 @@
      }
    }
-?>
+?>
--- a/app/public/update.php
+++ b/app/public/update.php
@@ -1,11 +1,11 @@
 <?php
    $PAGE_NAME = "Update Request";
    require_once __DIR__ . "/../includes/header.php";
-    
+
    $request = get_request($db, $_GET['rid']);
    $updates = get_updates($db, $request);
    $authorised_users = get_subscribers($db, $request);
-    $is_authorised = isAuthorised($authorised_users, $request);
+    $is_authorised = isAuthorised($_SESSION['uuid'], $authorised_users, $request);
 ?>
@@ -138,7 +138,7 @@
          </div>
        </div>
      </section>
-      
+
    <?php } else if ($is_authorised == false) { ?>
      <section class="jumbotron text-center">
        <div class="container">
--- a/app/public/upload.php
+++ b/app/public/upload.php
@@ -5,7 +5,7 @@
    $request = get_request($db, $_GET['rid']);
    $updates = get_updates($db, $request);
    $authorised_users = get_subscribers($db, $request);
-    $is_authorised = isAuthorised($authorised_users, $request);
+    $is_authorised = isAuthorised($_SESSION['uuid'], $authorised_users, $request);
 ?>
--- a/app/public/view.php
+++ b/app/public/view.php
@@ -5,7 +5,7 @@
    $request = get_request($db, $_GET['rid']);
    $updates = get_updates($db, $request);
    $authorised_users = get_subscribers($db, $request);
-    $is_authorised = isAuthorised($authorised_users, $request);
+    $is_authorised = isAuthorised($_SESSION['uuid'], $authorised_users, $request);
 ?>