Compare commits
2 Commits
ba6edc6d6b
...
2d133598e8
| Author | SHA1 | Date | |
|---|---|---|---|
|
2d133598e8 | ||
|
|
67d32fcc96 |
@ -20,9 +20,11 @@ class NotesController
|
||||
{
|
||||
$sortBy = $_GET['sort_by'] ?? 'updated_at';
|
||||
$sortOrder = strtoupper($_GET['sort_order'] ?? 'DESC');
|
||||
|
||||
$isAdmin = false;
|
||||
$userid = 2; //$_SESSION['user_id'];
|
||||
|
||||
$this->view->setVars([
|
||||
"notes" => $this->notesModel->selectNotesForUser(2, $sortBy, $sortOrder) //$_SESSION['user_id']
|
||||
"notes" => $this->notesModel->selectNotesForUser($userid, $isAdmin, $sortBy, $sortOrder)
|
||||
]);
|
||||
}
|
||||
|
||||
|
||||
@ -2,36 +2,45 @@
|
||||
|
||||
namespace ppa\Model;
|
||||
use ppa\Model\ParticipantModel;
|
||||
use ppb\Library\Msg;
|
||||
use PDOException;
|
||||
|
||||
class NotesModel extends Database
|
||||
{
|
||||
public function selectNotesForUser($userid, $sortBy = 'updated_at', $sortOrder = 'DESC')
|
||||
public function selectNotesForUser($userid, $isAdmin = false, $sortBy = 'updated_at', $sortOrder = 'DESC')
|
||||
{
|
||||
$pdo = $this->linkDB();
|
||||
|
||||
$erg=array();
|
||||
$params=array();
|
||||
$erg = array();
|
||||
|
||||
$sql = "SELECT n.*, u.username AS owner_username
|
||||
FROM notes n
|
||||
JOIN users u ON n.user_id = u.id
|
||||
ORDER BY :sortBy :sortOrder";
|
||||
|
||||
$params[':sortBy']=$sortBy;
|
||||
$params[':sortOrder']=$sortOrder;
|
||||
|
||||
try {
|
||||
$stmt=$pdo->prepare($sql);
|
||||
$stmt->execute($params);
|
||||
} catch (PDOException $e) {
|
||||
new Msg(true, null, $e);
|
||||
return false;
|
||||
}
|
||||
// Whitelist of allowed sort columns
|
||||
$allowedSortColumns = ['id', 'title', 'owner_username', 'updated_at'];
|
||||
$allowedSortOrders = ['ASC', 'DESC'];
|
||||
|
||||
$erg=$stmt->fetchAll(\PDO::FETCH_ASSOC);
|
||||
|
||||
return $erg;
|
||||
$sortBy = in_array($sortBy, $allowedSortColumns) ? $sortBy : 'updated_at';
|
||||
$sortOrder = in_array(strtoupper($sortOrder), $allowedSortOrders) ? strtoupper($sortOrder) : 'DESC';
|
||||
|
||||
try {
|
||||
if ($isAdmin) {
|
||||
$sql = "SELECT n.*, u.username AS owner_username
|
||||
FROM notes n
|
||||
JOIN users u ON n.user_id = u.id
|
||||
ORDER BY {$sortBy} {$sortOrder}";
|
||||
$stmt = $pdo->prepare($sql);
|
||||
$stmt->execute();
|
||||
} else {
|
||||
$sql = "SELECT id, title, content, created_at, updated_at
|
||||
FROM notes
|
||||
WHERE user_id = :userid
|
||||
ORDER BY {$sortBy} {$sortOrder}";
|
||||
$stmt = $pdo->prepare($sql);
|
||||
$stmt->execute(['userid' => $userid]);
|
||||
}
|
||||
|
||||
$erg = $stmt->fetchAll(\PDO::FETCH_ASSOC);
|
||||
return $erg;
|
||||
|
||||
} catch (PDOException $e) {
|
||||
error_log("Database Error in selectNotesForUser: " . $e->getMessage());
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -13,7 +13,7 @@
|
||||
}
|
||||
|
||||
function isAdmin() {
|
||||
return isLoggedIn() && isset($_SESSION['role']) && $_SESSION['role'] === 'admin';
|
||||
return false;// isLoggedIn() && isset($_SESSION['role']) && $_SESSION['role'] === 'admin';
|
||||
}
|
||||
function sanitize($data, $flags = ENT_QUOTES, $encoding = 'UTF-8') {
|
||||
return htmlspecialchars((string)$data, $flags, $encoding);
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user