somewhat functional notes table (needs improvement)

2025-06-16 10:21:41 +02:00 · 2025-06-16 10:21:41 +02:00 · b6d51cbc37
commit b6d51cbc37
parent 8c13989d47
3 changed files with 69 additions and 19 deletions
--- a/Controller/NotesController.php
+++ b/Controller/NotesController.php
@ -18,10 +18,19 @@ class NotesController

    public function showNotes() 
    {
-        $this->view->setVars([
-            "notes" => $this->notesModel->selectNotes()
-        ]);
+        $sortBy = $_GET['sort_by'] ?? 'updated_at';
+        $sortOrder = strtoupper($_GET['sort_order'] ?? 'DESC');
        
+        // Validate sort order to prevent SQL injection
+        $sortOrder = in_array($sortOrder, ['ASC', 'DESC']) ? $sortOrder : 'DESC';
+        
+        // Validate sort column to prevent SQL injection
+        $validSortColumns = ['id', 'title', 'updated_at', 'created_at'];
+        $sortBy = in_array($sortBy, $validSortColumns) ? $sortBy : 'updated_at';
+        
+        $this->view->setVars([
+            "notes" => $this->notesModel->selectNotesForUser(2, $sortBy, $sortOrder) //$_SESSION['user_id']
+        ]);
    }

 }
--- a/Model/NotesModel.php
+++ b/Model/NotesModel.php
@ -5,15 +5,12 @@ use ppa\Model\ParticipantModel;

 class NotesModel extends Database
 {
-    public function selectNotes()
+    public function selectNotesForUser($userid, $sortBy = 'updated_at', $sortOrder = 'DESC')
    {
-        $sortBy = 'updated_at';
-        $sortOrder = 'DESC';
-
-        $sql = "SELECT id, title, content, created_at, updated_at 
-                    FROM notes 
-                    WHERE user_id = 2 
-                    ORDER BY updated_at DESC";
+        $sql = "SELECT n.*, u.username AS owner_username 
+            FROM notes n 
+            JOIN users u ON n.user_id = u.id 
+            ORDER BY {$sortBy} {$sortOrder}";

        $pdo = $this->linkDB();

--- a/Views/Notes/showNotes.phtml
+++ b/Views/Notes/showNotes.phtml
@ -6,14 +6,58 @@
 <?php
    $parsedown = new Parsedown();
    $parsedown->setSafeMode(true);
-    
-    foreach($notes as $n) {
-        echo '<div class="item-4-12">';
-        echo '<h3>' . $n["title"] . '</h3>'
-            . '<p>' . $parsedown->text($n['content'] ?? '') . '</p>';
-        echo '</div>';
+
+    function isLoggedIn() {
+        return isset($_SESSION['user_id']);
    }
-?>
-</div>
+    
+    function isAdmin() {
+        return isLoggedIn() && isset($_SESSION['role']) && $_SESSION['role'] === 'admin';
+    }
+    function sanitize($data, $flags = ENT_QUOTES, $encoding = 'UTF-8') {
+        return htmlspecialchars((string)$data, $flags, $encoding);
+    }
+    
+    $sortBy = $_GET['sort_by'] ?? 'updated_at';
+    $sortOrder = strtoupper($_GET['sort_order'] ?? 'DESC'); // Ensure uppercase for comparison
+    //$notes = NotesModel::selectNotesForUser(2, $sortBy, $sortOrder); //$_SESSION['user_id']
+    ?>
+    <table class="notes-table">
+        <thead>
+            <tr>
+                <th data-sort="id">ID <span class="sort-icon"><?php if($sortBy === 'id') echo $sortOrder === 'ASC' ? '▲' : '▼'; ?></span></th>
+                <th data-sort="title">Title <span class="sort-icon"><?php if($sortBy === 'title') echo $sortOrder === 'ASC' ? '▲' : '▼'; ?></span></th>
+                <?php if (isAdmin()): ?>
+                <th data-sort="owner_username">Owner <span class="sort-icon"><?php if($sortBy === 'owner_username') echo $sortOrder === 'ASC' ? '▲' : '▼'; ?></span></th>
+                <?php endif; ?>
+                <th>Content (Preview)</th>
+                <th data-sort="updated_at">Last Edited <span class="sort-icon"><?php if($sortBy === 'updated_at') echo $sortOrder === 'ASC' ? '▲' : '▼'; ?></span></th>
+                <th>Actions</th>
+            </tr>
+        </thead>
+        <tbody>
+            <?php foreach ($notes as $note): ?>
+                <tr>
+                    <td><?php echo sanitize($note['id']); ?></td>
+                    <td><a href="index.php?page=view_note&id=<?php echo $note['id']; ?>"><?php echo sanitize($note['title']); ?></a></td>
+                    <?php if (isAdmin()): ?>
+                    <td><?php echo sanitize($note['owner_username']); ?></td>
+                    <?php endif; ?>
+                    <td>
+                        <?php 
+                        $plainTextContent = strip_tags($parsedown->text($note['content'] ?? ''));
+                        $previewContent = mb_substr($plainTextContent, 0, 70);
+                        echo sanitize($previewContent) . (mb_strlen($plainTextContent) > 70 ? '...' : '');
+                        ?>
+                    </td>
+                    <td><?php echo date("d.m.Y H:i", strtotime($note['updated_at'])); ?></td>
+                    <td class="actions-cell">
+                        <a href="index.php?page=edit_note&id=<?php echo $note['id']; ?>" class="button">Edit</a>
+                        <button class="button danger delete-note-btn" data-note-id="<?php echo $note['id']; ?>">Delete</button>
+                    </td>
+                </tr>
+            <?php endforeach; ?>
+        </tbody>
+    </table>
   
 <?php include dirname(__DIR__).'/footer.phtml'; ?>