From 9fec2d56f4f49e0809546b53048db8917e7bd895 Mon Sep 17 00:00:00 2001
From: Markus
Date: Mon, 26 Feb 2018 16:26:10 +0100
Subject: [PATCH] Don't allow people who don't own a project to update it

---
 www/prosjekt/update.php | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/www/prosjekt/update.php b/www/prosjekt/update.php
index b5af3b7..4cac4c7 100644
--- a/www/prosjekt/update.php
+++ b/www/prosjekt/update.php
@@ -44,6 +44,15 @@ if($id == 0){
 $statement->execute();
 }else{
+ $projectManager = new \pvv\side\ProjectManager($pdo);
+ $owner = $projectManager->getProjectOwner($id);
+
+ if($uname != $owner['uname']){
+ header('Content-Type: text/plain', true, 403);
+ echo "Not project owner for project with ID " . $id . "\r\n";
+ exit();
+ }
+
 $query = 'UPDATE projects SET name=:title, description=:desc WHERE id=:id';
 $statement = $pdo->prepare($query);