forked from elabftw/elabftw
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathlock.php
More file actions
131 lines (119 loc) · 5.07 KB
/
Copy pathlock.php
File metadata and controls
131 lines (119 loc) · 5.07 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
<?php
/********************************************************************************
* *
* Copyright 2012 Nicolas CARPi (nicolas.carpi@gmail.com) *
* http://www.elabftw.net/ *
* *
********************************************************************************/
/********************************************************************************
* This file is part of eLabFTW. *
* *
* eLabFTW is free software: you can redistribute it and/or modify *
* it under the terms of the GNU Affero General Public License as *
* published by the Free Software Foundation, either version 3 of *
* the License, or (at your option) any later version. *
* *
* eLabFTW is distributed in the hope that it will be useful, *
* but WITHOUT ANY WARRANTY; without even the implied *
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR *
* PURPOSE. See the GNU Affero General Public License for more details. *
* *
* You should have received a copy of the GNU Affero General Public *
* License along with eLabFTW. If not, see <http://www.gnu.org/licenses/>. *
* *
********************************************************************************/
// lock.php
require_once 'inc/common.php';
// Check id is valid and assign it to $id
if (isset($_GET['id']) && is_pos_int($_GET['id'])) {
$id = $_GET['id'];
} else {
die("The id parameter in the URL isn't a valid ID");
}
// what do we do ? lock or unlock ?
if (isset($_GET['action']) && !empty($_GET['action'])) {
if ($_GET['action'] === 'lock') {
$action = 1; // lock
} else {
$action = 0; // unlock
}
}
switch($_GET['type']) {
// Locking experiment
case 'experiments':
// Do we have can_lock set to 1 ?
$sql = "SELECT can_lock FROM users WHERE userid = :userid";
$req = $pdo->prepare($sql);
$req->execute(array(
'userid' => $_SESSION['userid']
));
$can_lock = $req->fetchColumn(); // can be 0 or 1
// We don't have can_lock, but maybe it's our XP, so we can lock it
if ($can_lock === 0 && $action === 1) {
// Is it his own XP ?
$sql = "SELECT userid FROM experiments WHERE id = :id";
$req = $pdo->prepare($sql);
$req->execute(array(
'id' => $id
));
$userid = $req->fetchColumn();
// we are trying to lock an XP which is not ours, and we don't have can_lock, show error
if ($userid != $_SESSION['userid']) {
$err_arr[] = "You don't have the rights to lock/unlock this.";
$_SESSION['errors'] = $err_arr;
header("Location: experiments.php?mode=view&id=$id");
exit();
}
}
// check who locked it for unlock purpose
if ($action === 0) {
$sql = "SELECT lockedby FROM experiments WHERE id = :id";
$req = $pdo->prepare($sql);
$req->execute(array(
'id' => $id
));
$lockedby = $req->fetchColumn();
if ($lockedby != $_SESSION['userid']) {
// Get the first name of the locker to show in error message
$sql = "SELECT firstname FROM users WHERE userid = :userid";
$req = $pdo->prepare($sql);
$req->execute(array(
'userid' => $lockedby
));
$locker_name = $req->fetchColumn();
$err_arr[] = "This experiment was locked by $locker_name. You don't have the rights to unlock it.";
$_SESSION['errors'] = $err_arr;
header("Location: experiments.php?mode=view&id=$id");
exit();
}
}
$sql = "UPDATE experiments SET locked = :action, lockedby = :lockedby WHERE id = :id";
$req = $pdo->prepare($sql);
$result = $req->execute(array(
'action' => $action,
'lockedby' => $_SESSION['userid'],
'id' => $id
));
if ($result) {
header("Location: experiments.php?mode=view&id=$id");
} else {
die('SQL failed');
}
break;
// Locking item
case 'items':
$sql = "UPDATE items SET locked = :action WHERE id = :id";
$req = $pdo->prepare($sql);
$result = $req->execute(array(
'action' => $action,
'id' => $id
));
if ($result) {
header("Location: database.php?mode=view&id=$id");
} else {
die('SQL failed');
}
break;
default:
die();
}