Permission checking within SQL queries!!

2018-08-19 03:17:10 +02:00 · 2018-08-19 03:17:10 +02:00 · 0752577888
commit 0752577888
parent 55d3979d2c
3 changed files with 61 additions and 29 deletions
--- a/database/2018_08_18_014408_add_forum_permissions.php
+++ b/database/2018_08_18_014408_add_forum_permissions.php
@ -11,7 +11,7 @@ function migrate_up(PDO $conn): void
        CREATE TABLE `msz_forum_permissions` (
            `user_id`               INT(10) UNSIGNED NULL       DEFAULT NULL,
            `role_id`               INT(10) UNSIGNED NULL       DEFAULT NULL,
-            `forum_id`              INT(10) UNSIGNED NULL       DEFAULT NULL,
+            `forum_id`              INT(10) UNSIGNED NOT NULL,
            `forum_perms_allow`     INT(10) UNSIGNED NOT NULL   DEFAULT '0',
            `forum_perms_deny`      INT(10) UNSIGNED NOT NULL   DEFAULT '0',
            UNIQUE INDEX `forum_permissions_user_id_unique`     (`user_id`),
--- a/src/Forum/forum.php
+++ b/src/Forum/forum.php
@ -6,6 +6,9 @@ define('MSZ_PERM_FORUM_MANAGE_FORUMS', 1);
 define('MSZ_FORUM_PERM_LIST_FORUM', 1); // can see stats, but will get error when trying to view
 define('MSZ_FORUM_PERM_VIEW_FORUM', 1 << 1);
 // shorthand, never use this to SET!!!!!!!
 define('MSZ_FORUM_PERM_CAN_LIST_FORUM', MSZ_FORUM_PERM_LIST_FORUM | MSZ_FORUM_PERM_VIEW_FORUM);
 define('MSZ_FORUM_PERM_CREATE_TOPIC', 1 << 10);
 define('MSZ_FORUM_PERM_DELETE_TOPIC', 1 << 11);
 define('MSZ_FORUM_PERM_MOVE_TOPIC', 1 << 12);
@ -78,7 +81,12 @@ function forum_fetch(int $forumId): array
 function forum_get_root_categories(int $userId): array
 {
-    $categories = Database::query('
+    $categoryPermSql = sprintf(
        '(%s & %d)',
        forum_perms_get_user_sql('forum', 'f.`forum_id`'),
        MSZ_FORUM_PERM_CAN_LIST_FORUM
    );
    $getCategories = Database::prepare("
        SELECT
            f.`forum_id`, f.`forum_name`, f.`forum_type`,
            (
@ -90,17 +98,31 @@ function forum_get_root_categories(int $userId): array
        WHERE f.`forum_parent` = 0
        AND f.`forum_type` = 1
        AND f.`forum_hidden` = false
        AND {$categoryPermSql} > 0
        ORDER BY f.`forum_order`
-    ')->fetchAll();
+    ");
-
+    $getCategories->bindValue('perm_user_id_1', $userId);
    $getCategories->bindValue('perm_user_id_2', $userId);
    $categories = $getCategories->execute() ? $getCategories->fetchAll(PDO::FETCH_ASSOC) : [];
    $categories = array_merge([MSZ_FORUM_ROOT_DATA], $categories);
-    $categories[0]['forum_children'] = (int)Database::query('
+    $forumPermSql = sprintf(
        '(%s & %d)',
        forum_perms_get_user_sql('forum', '`forum_id`'),
        MSZ_FORUM_PERM_CAN_LIST_FORUM
    );
    $getRootForumCount = Database::prepare(sprintf("
        SELECT COUNT(`forum_id`)
        FROM `msz_forum_categories`
-        WHERE `forum_parent` = ' . MSZ_FORUM_ROOT . '
+        WHERE `forum_parent` = %d
        AND `forum_type` != 1
-    ')->fetchColumn();
+        AND {$forumPermSql} > 0
    ", MSZ_FORUM_ROOT));
    $getRootForumCount->bindValue('perm_user_id_1', $userId);
    $getRootForumCount->bindValue('perm_user_id_2', $userId);
    $getRootForumCount->execute();
    $categories[0]['forum_children'] = (int)$getRootForumCount->fetchColumn();
    return $categories;
 }
--- a/src/Forum/perms.php
+++ b/src/Forum/perms.php
@ -31,6 +31,34 @@ function forum_perms_create(): int
    return $perms;
 }
 function forum_perms_get_user_sql(
    string $prefix,
    string $forum = ':perm_forum_id',
    string $user_for_user = ':perm_user_id_1',
    string $user_for_role = ':perm_user_id_2'
 ): string {
    return "
        SELECT BIT_OR(`{$prefix}_perms_allow`) &~ BIT_OR(`{$prefix}_perms_deny`)
        FROM `msz_forum_permissions`
        WHERE (
            `forum_id` = {$forum}
            OR `forum_id` IS NULL
        )
        AND (
            (`user_id` IS NULL AND `role_id` IS NULL)
            OR (`user_id` = {$user_for_user} AND `role_id` IS NULL)
            OR (
                `user_id` IS NULL
                AND `role_id` IN (
                    SELECT `role_id`
                    FROM `msz_user_roles`
                    WHERE `user_id` = {$user_for_role}
                )
            )
        )
    ";
 }
 function forum_perms_get_user(string $prefix, int $forum, int $user): int
 {
    if (!in_array($prefix, MSZ_FORUM_PERM_MODES) || $user < 1) {
@ -39,28 +67,10 @@ function forum_perms_get_user(string $prefix, int $forum, int $user): int
        //return 0x7FFFFFFF;
    }
-    $getPerms = Database::prepare("
+    $getPerms = Database::prepare(forum_perms_get_user_sql($prefix));
-        SELECT BIT_OR(`{$prefix}_perms_allow`) &~ BIT_OR(`{$prefix}_perms_deny`)
+    $getPerms->bindValue('perm_forum_id', $forum);
-        FROM `msz_forum_permissions`
+    $getPerms->bindValue('perm_user_id_1', $user);
-        WHERE (
+    $getPerms->bindValue('perm_user_id_2', $user);
            `forum_id` = :forum_id
            OR `forum_id` IS NULL
        )
        AND (
            (`user_id` = :user_id_1 AND `role_id` IS NULL)
            OR (
                `user_id` IS NULL
                AND `role_id` IN (
                    SELECT `role_id`
                    FROM `msz_user_roles`
                    WHERE `user_id` = :user_id_2
                )
            )
        )
    ");
    $getPerms->bindValue('forum_id', $forum);
    $getPerms->bindValue('user_id_1', $user);
    $getPerms->bindValue('user_id_2', $user);
    return $getPerms->execute() ? (int)$getPerms->fetchColumn() : 0;
 }