admin view, user specified table

2025-06-16 11:17:33 +02:00
parent e62a0ec2af
commit 67d32fcc96
3 changed files with 37 additions and 26 deletions
--- a/Model/NotesModel.php
+++ b/Model/NotesModel.php
@@ -2,36 +2,45 @@

 namespace ppa\Model;
 use ppa\Model\ParticipantModel;
-use ppb\Library\Msg;
 use PDOException;

 class NotesModel extends Database
 {
-    public function selectNotesForUser($userid, $sortBy = 'updated_at', $sortOrder = 'DESC')
+    public function selectNotesForUser($userid, $isAdmin = false, $sortBy = 'updated_at', $sortOrder = 'DESC')
    {
        $pdo = $this->linkDB();
-		
-		$erg=array();
-		$params=array();
+        $erg = array();

-        $sql = "SELECT n.*, u.username AS owner_username 
-            FROM notes n 
-            JOIN users u ON n.user_id = u.id 
-            ORDER BY :sortBy :sortOrder";
-
-        $params[':sortBy']=$sortBy;
-        $params[':sortOrder']=$sortOrder;
-
-        try {
-			$stmt=$pdo->prepare($sql);
-			$stmt->execute($params);
-		} catch (PDOException $e) {
-			new Msg(true, null, $e);
-			return false;
-		}
+        // Whitelist of allowed sort columns
+        $allowedSortColumns = ['id', 'title', 'owner_username', 'updated_at'];
+        $allowedSortOrders = ['ASC', 'DESC'];
        
-        $erg=$stmt->fetchAll(\PDO::FETCH_ASSOC);
-
-		return $erg;
+        $sortBy = in_array($sortBy, $allowedSortColumns) ? $sortBy : 'updated_at';
+        $sortOrder = in_array(strtoupper($sortOrder), $allowedSortOrders) ? strtoupper($sortOrder) : 'DESC';
+        
+        try {
+            if ($isAdmin) {
+                $sql = "SELECT n.*, u.username AS owner_username 
+                    FROM notes n 
+                    JOIN users u ON n.user_id = u.id 
+                    ORDER BY {$sortBy} {$sortOrder}";
+                $stmt = $pdo->prepare($sql);
+                $stmt->execute();
+            } else {
+                $sql = "SELECT id, title, content, created_at, updated_at 
+                    FROM notes 
+                    WHERE user_id = :userid
+                    ORDER BY {$sortBy} {$sortOrder}";
+                $stmt = $pdo->prepare($sql);
+                $stmt->execute(['userid' => $userid]);
+            }
+            
+            $erg = $stmt->fetchAll(\PDO::FETCH_ASSOC);
+            return $erg;
+            
+        } catch (PDOException $e) {
+            error_log("Database Error in selectNotesForUser: " . $e->getMessage());
+            return false;
+        }
    }
 }