mirror of
https://codeberg.org/PostERG/xamxam.git
synced 2026-05-06 19:19:19 +02:00
encapsulate raw PDO queries leaking from callers into Database.php methods
- Add getThesisAccessTypeId(int $id): ?int — replaces raw SELECT in tfe.php - Add getCoverPathsForTheses(array $ids): array — replaces raw SELECT/IN query in index.php - Add getFileVisibility(string $path): ?int — replaces raw join query in media.php - Add getThesisBannerPath(int $id): ?string — replaces unparameterised SQL injection in edit.php (SELECT banner_path FROM theses WHERE id = $thesisId was interpolating $thesisId directly into the query string; now parameterised via prepared statement) - Add getThesisRawFields(int $id): ?array — replaces raw SELECT license_id/access_type_id/ context_note in edit.php - Add getThesisCount(): int — replaces raw SELECT COUNT(*) in system.php Callers updated: public/tfe.php, public/index.php, public/media.php, public/admin/edit.php, public/admin/system.php
This commit is contained in:
Pontoporeia
@@ -22,7 +22,7 @@ if ($thesisId <= 0) {
|
||||
}
|
||||
|
||||
try {
|
||||
$db = new Database();
|
||||
$db = new Database();
|
||||
$pdo = $db->getPDO();
|
||||
|
||||
// Handle form submission
|
||||
@@ -152,7 +152,7 @@ try {
|
||||
}
|
||||
if (isset($_POST['remove_banner'])) {
|
||||
// Unlink existing banner file if present
|
||||
$currentBannerPath = $pdo->query("SELECT banner_path FROM theses WHERE id = $thesisId")->fetchColumn();
|
||||
$currentBannerPath = $db->getThesisBannerPath($thesisId);
|
||||
if ($currentBannerPath && $bannerDir) {
|
||||
$absPath = STORAGE_ROOT . '/' . $currentBannerPath;
|
||||
if (file_exists($absPath)) unlink($absPath);
|
||||
@@ -217,9 +217,7 @@ try {
|
||||
$accessTypes = $db->getAccessTypes();
|
||||
|
||||
// Fetch raw FK IDs (view only exposes name strings)
|
||||
$rawStmt = $pdo->prepare("SELECT license_id, access_type_id, context_note FROM theses WHERE id = ?");
|
||||
$rawStmt->execute([$thesisId]);
|
||||
$rawRow = $rawStmt->fetch();
|
||||
$rawRow = $db->getThesisRawFields($thesisId);
|
||||
$currentLicenseId = $rawRow['license_id'] ?? null;
|
||||
$currentAccessTypeId = $rawRow['access_type_id'] ?? null;
|
||||
$currentContextNote = $rawRow['context_note'] ?? '';
|
||||
|
||||
@@ -124,8 +124,7 @@ $dbRowCount = null;
|
||||
if ($dbExists) {
|
||||
try {
|
||||
$db = new Database();
|
||||
$stmt = $db->getConnection()->query("SELECT COUNT(*) FROM theses");
|
||||
$dbRowCount = (int) $stmt->fetchColumn();
|
||||
$dbRowCount = $db->getThesisCount();
|
||||
} catch (Throwable $e) {
|
||||
$dbRowCount = null;
|
||||
}
|
||||
|
||||
@@ -36,17 +36,7 @@ try {
|
||||
array_filter($itemsToLoad, fn($t) => empty($t['banner_path'])),
|
||||
'id'
|
||||
);
|
||||
if (!empty($needCover)) {
|
||||
$ph = implode(',', array_fill(0, count($needCover), '?'));
|
||||
$cStmt = $db->getConnection()->prepare("
|
||||
SELECT thesis_id, file_path FROM thesis_files
|
||||
WHERE file_type = 'cover' AND thesis_id IN ($ph)
|
||||
");
|
||||
$cStmt->execute($needCover);
|
||||
foreach ($cStmt->fetchAll() as $row) {
|
||||
$coverMap[$row['thesis_id']] = $row['file_path'];
|
||||
}
|
||||
}
|
||||
$coverMap = $db->getCoverPathsForTheses($needCover);
|
||||
}
|
||||
} catch (Exception $e) {
|
||||
error_log("Error loading theses: " . $e->getMessage());
|
||||
|
||||
@@ -52,26 +52,14 @@ if (!is_file($realFull)) {
|
||||
if (preg_match('#^theses/#', $requestedPath)) {
|
||||
require_once __DIR__ . '/../src/Database.php';
|
||||
try {
|
||||
$mediaDb = Database::getInstance();
|
||||
$mediaPdo = $mediaDb->getConnection();
|
||||
// Find the thesis that owns this file path
|
||||
$visStmt = $mediaPdo->prepare("
|
||||
SELECT t.access_type_id FROM theses t
|
||||
JOIN thesis_files tf ON tf.thesis_id = t.id
|
||||
WHERE tf.file_path = ?
|
||||
LIMIT 1
|
||||
");
|
||||
$visStmt->execute([$requestedPath]);
|
||||
$visRow = $visStmt->fetch();
|
||||
if ($visRow) {
|
||||
$accessTypeId = (int)($visRow['access_type_id'] ?? 1);
|
||||
$mediaDb = Database::getInstance();
|
||||
$accessTypeId = $mediaDb->getFileVisibility($requestedPath);
|
||||
if ($accessTypeId !== null && $accessTypeId === 3) {
|
||||
// 3 = Interdit — block entirely
|
||||
if ($accessTypeId === 3) {
|
||||
http_response_code(403);
|
||||
exit;
|
||||
}
|
||||
// 2 = Interne — allow (no session auth requirement for now; could add later)
|
||||
http_response_code(403);
|
||||
exit;
|
||||
}
|
||||
// 2 = Interne — allow (no session auth requirement for now; could add later)
|
||||
} catch (\Throwable $e) {
|
||||
// On DB error, fail open (don't block legitimate requests)
|
||||
error_log("media.php visibility check error: " . $e->getMessage());
|
||||
|
||||
@@ -180,14 +180,7 @@ $currentNav = '';
|
||||
<?php
|
||||
// Determine effective access: need raw access_type_id
|
||||
// The view exposes 'access_type' (name string). Fetch raw id for gate.
|
||||
$accessTypeId = null;
|
||||
try {
|
||||
$accessStmt = $db->getConnection()->prepare(
|
||||
"SELECT access_type_id FROM theses WHERE id = ?"
|
||||
);
|
||||
$accessStmt->execute([$thesisId]);
|
||||
$accessTypeId = (int)($accessStmt->fetchColumn() ?? 1);
|
||||
} catch (\Throwable $e) {}
|
||||
$accessTypeId = $db->getThesisAccessTypeId($thesisId) ?? 1;
|
||||
$isInterdit = ($accessTypeId === 3);
|
||||
?>
|
||||
<?php if ($isInterdit): ?>
|
||||
|
||||
Reference in New Issue
Block a user