CODEWITHSUNDEEP
phpcodeignitercrudtankauth
jackthedev
jackthedev

Reputation: 417

Codeigniter user functionality

im working on a project at the moment that allows users to register and log into there own user area and add/edit/delete note snippets.

Im currently working on the edit class and im wondering how can i make it so that other users cant visit the same url and edit someones note? (all notes are stored in the same table in the database)

schema = id, title, description, snippet, user_id

for example if user1 wants to edit his note at http://domain.com/edit/1 (which is bound to his user_id in the database) how can i stop user2 from visiting that same url and editing his note?

here is the controller

<?php if (!defined('BASEPATH')) exit('No direct script access allowed');

class Mysnippets extends CI_Controller {

function __construct()
{
    parent::__construct();

    if (!$this->tank_auth->is_logged_in()) {
        redirect('/login/');
    } 

    $this->load->model('dashboard_model');

    $this->data['user_id']  = $this->tank_auth->get_user_id();
    $this->data['username']= $this->tank_auth->get_username();  
}

public function index()
{
    $this->data['private_snippets']  = $this->dashboard_model->private_snippets();
    $this->load->view('dashboard/my_snippets', $this->data);    
}

function edit_snippet($snippet_id) {

    $snippet = $this->dashboard_model->get_snippet($snippet_id);

    //validate form input
    $this->form_validation->set_rules('title', 'Title', 'required');

    if (isset($_POST) && !empty($_POST))
    {       
        $data = array(
            'title' => $this->input->post('title'),
        );

        if ($this->form_validation->run() === true)
        {
            $this->dashboard_model->update_snippet($snippet_id, $data);
            $this->session->set_flashdata('message', "<p>Product updated successfully.</p>");                
            redirect(base_url().'mysnippets/edit_snippet/'.$snippet_id);
        }           
    }

    $this->data['message'] = (validation_errors() ? validation_errors() : $this->session->flashdata('message'));

    $this->data['snippet'] = $snippet;

    //display the edit product form
    $this->data['title'] = array(
        'name'      => 'title',
        'type'      => 'text',
        'value'     => $this->form_validation->set_value('title', $snippet['title']),
    );

    $this->load->view('dashboard/edit_snippet', $this->data);
}
}

heres the model:

<?php if (!defined('BASEPATH')) exit('No direct script access allowed');

class Dashboard_model extends CI_Model {

public function public_snippets()
{
    $this->db->select('id, title, description, author, date_submitted');
    $query = $this->db->get_where('snippets', array('state' => 'public'));
    return $query->result_array();
}

public function private_snippets()
{
    $this->db->select('id, title, description, date_submitted');
    $query = $this->db->get_where('snippets', array('user_id' => $this->tank_auth->get_user_id()));
    return $query->result_array();
}

public function add_snippet($data)
{
    $this->db->insert('snippets', $data);
    $id = $this->db->insert_id();
    return (isset($id)) ? $id : FALSE;
}

public function get_snippet($snippet_id) {
    $this->db->select('id, title');
    $this->db->where('id', $snippet_id);
    $query = $this->db->get('snippets');

    return $query->row_array();
}

public function update_snippet($snippet_id, $data)
{
    $this->db->where('id', $snippet_id);
    $this->db->update('snippets', $data);
}




}

heres the view:

    <?php echo $message;?>

    <?php $snippet_id = $snippet['id']; ?>
    <?php echo form_open("mysnippets/edit_snippet/$snippet_id");?>


    <?php echo form_input($title); ?>
    <?php echo form_submit('submit', 'Submit');?>

    <?php echo form_close(); ?>

is there a way i can restrict it so if another user tried to go to that url i can redirect them or show a error message

Upvotes: 0

Views: 164

Answers (3)

Expedito
Expedito

Reputation: 7795

I would just add a line to the following function in the model:

public function get_snippet($snippet_id) {
    $this->db->select('id, title');
    $this->db->where('id', $snippet_id);
    //users can access only their own snippets 
    $this->db->where('user_id', $this->session->userdata('user_id'));
    $query = $this->db->get('snippets');
    return $query->row_array();
}

That prevents them from accessing the information, but I'd do something to prevent them from even being able to try in the first place, i.e. not giving them the choice.

Upvotes: 0

pat
pat

Reputation: 1

You could check whether the id you are editing is the same as the session id provided when you have logged in.

it could be something like :

if ($snippet_id !=  $this->session->userdata('login_id'))
{
   //redirect to another page
}

Upvotes: 0

stormdrain
stormdrain

Reputation: 7895

Something like this might work. 

public function edit_snippet(snippet_id) 
{
    $snippet = $this->dashboard_model->get_snippet($snippet_id); 

    // this depends on what you are using for sessions; 
    // recommend you use db sessions
    if($snippet->user_id != $this->session->userdata('user_id');)
    {
        redirect('/mysnippets');
    } 
    else 
    {
        //allow editing

Upvotes: 0

Related Questions