From 432bb366913f8b30b098fe2fe53a3dd2350039b6 Mon Sep 17 00:00:00 2001 From: posweg Date: Sun, 16 Aug 2020 05:38:24 +0000 Subject: [PATCH] Improved reply permission handling --- action/reply.php | 32 +++++++++++++++----------------- 1 file changed, 15 insertions(+), 17 deletions(-) diff --git a/action/reply.php b/action/reply.php index 596fae9..973b122 100644 --- a/action/reply.php +++ b/action/reply.php @@ -9,19 +9,22 @@ if(!isset($_GET["q"])){ else if(!isset($_SESSION["uid"])){ echo("You need to log in to perform that task."); } -else if(isset($_POST["answered"])){ - if($_POST["answer_body"] == ""){ - echo("Answer cannot be blank."); +else{ + $db = new sqlite3('../ask.db'); + + $question = $db->query("SELECT * FROM questions WHERE id = '" . $_GET["q"] . "';")->fetchArray(SQLITE3_ASSOC); + if(!$question || !$question["id"]){ + echo("Question not found."); + die(); } - else{ - $db = new sqlite3('../ask.db'); - - $question = $db->query("SELECT * FROM questions WHERE id = '" . $_GET["q"] . "';")->fetchArray(SQLITE3_ASSOC); - if(!$question || !$question["id"]){ - echo("Question not found."); - } - else if($question["user"] != $_SESSION["uid"]){ - echo("You're not allowed to perform that task."); + else if($question["user"] != $_SESSION["uid"]){ + echo("You have no permission to answer this question."); + die(); + } + + if(isset($_POST["answered"])){ + if($_POST["answer_body"] == ""){ + echo("Answer cannot be blank."); } else{ $db->exec("UPDATE questions SET answer = '" . htmlspecialchars($_POST["answer_body"], ENT_QUOTES) . "', a_date = " . strtotime("now") . " WHERE id = " . $_GET["q"] . ";"); @@ -37,11 +40,6 @@ else if(isset($_POST["answered"])){ } } - -$db = new SQLite3('../ask.db'); - -$question = $db->query("SELECT * FROM questions WHERE id = '" . $_GET["q"] . "';")->fetchArray(SQLITE3_ASSOC); - ?>