diff --git a/backend/classes/controller/FingerprintDeleteController.php b/backend/classes/controller/FingerprintDeleteController.php
index 4691324..20fb7cb 100644
--- a/backend/classes/controller/FingerprintDeleteController.php
+++ b/backend/classes/controller/FingerprintDeleteController.php
@@ -17,6 +17,10 @@ final class FingerprintDeleteController extends AbstractController
 public function handle(): void
 {
+ if (!$this->isUserLoggedIn()) {
+ return;
+ }
+
 parent::handle();
 if ($this->response->getStatus() !== ServerStatus::OK) {
@@ -25,16 +29,21 @@ final class FingerprintDeleteController extends AbstractController
 try {
 $db = new MySqlDatabase();
+ $this->response = new ApiJsonResponse();
+
 $db->startTransaction();
 $fingerprint = new Fingerprint($this->fingerprintId, $db);
+
+ if (!$this->hasUserPermission($fingerprint->getUserId())) {
+ return;
+ }
+
 $qrCode = new QrCode($fingerprint->getFingerprintId(), $fingerprint->getFingerprint());
 $fingerprint->Delete();
 $qrCode->delete();
 $db->commit();
-
- $this->response = new ApiJsonResponse();
 } catch (Throwable $e) {
 $this->response = new ApiJsonResponse(ServerStatus::BAD_REQUEST);
 $this->response->setParameter('success', false);
diff --git a/backend/classes/controller/FingerprintGetController.php b/backend/classes/controller/FingerprintGetController.php
index 9722f9b..2ab2a67 100644
--- a/backend/classes/controller/FingerprintGetController.php
+++ b/backend/classes/controller/FingerprintGetController.php
@@ -18,8 +18,16 @@ final class FingerprintGetController extends AbstractController
 public function handle(): void
 {
 try {
+ if (!$this->isUserLoggedIn()) {
+ return;
+ }
+
 $fingerprint = new Fingerprint($this->fingerprintId);
+ if (!$this->hasUserPermission($fingerprint->getUserId())) {
+ return;
+ }
+
 $this->response = new ApiJsonResponse();
 $this->response->setResult($fingerprint);
 } catch (Throwable $e) {
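Review bot: In the second hunk of FingerprintDeleteController the permission-denied `return` fires after `$this->response = new ApiJsonResponse()` has already been assigned (the line the commit moved up from after `$db->commit()`) and after `$db->startTransaction()` has opened a transaction, so a caller who does not own the fingerprint gets back what the old code used as its success response and the connection is left mid-transaction. Keep the `ApiJsonResponse()` assignment after `$db->commit()` where it was, and reorder the three statements so ownership is checked before the transaction opens: `$fingerprint = new Fingerprint($this->fingerprintId, $db); if (!$this->hasUserPermission($fingerprint->getUserId())) { return; } $db->startTransaction();` — this assumes the `Fingerprint` constructor does not need an open transaction, which is not visible here. Unless `hasUserPermission()` writes a 403 itself, the denied branch should also set an explicit response rather than relying on whatever `parent::handle()` left behind. The `handle()` method and its catch block continue outside the hunk.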
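Review bot: In FingerprintGetController both new guards return without assigning `$this->response`, while an id that does not exist presumably throws from `new Fingerprint(...)` and lands in the `catch (Throwable $e)` branch, so "exists but not yours" and "does not exist" very likely produce distinguishable responses and let any logged-in user enumerate valid fingerprint ids. Set an explicit response on the denied branch and give it the same status the not-found path uses, e.g. `$this->response = new ApiJsonResponse(ServerStatus::BAD_REQUEST); return;` (the status the Delete controller's catch block emits), or a dedicated not-found status for both if `ServerStatus` defines one. It is also worth confirming that `isUserLoggedIn()` and `hasUserPermission()` do not write a response themselves, since otherwise the bare `return` sends back whatever the constructor left in `$this->response`. The catch body continues outside the hunk.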
diff --git a/backend/classes/controller/FingerprintPostController.php b/backend/classes/controller/FingerprintPostController.php
index df31e39..999c4c3 100644
--- a/backend/classes/controller/FingerprintPostController.php
+++ b/backend/classes/controller/FingerprintPostController.php
@@ -12,6 +12,10 @@ final class FingerprintPostController extends AbstractController
 public function handle(): void
 {
+ if (!$this->isUserLoggedIn()) {
+ return;
+ }
+
 parent::handle();
 $db = new MySqlDatabase();
@@ -20,8 +24,12 @@ final class FingerprintPostController extends AbstractController
 $this->response = new ApiJsonResponse();
 try {
- $fingerprint->setFingerprint($json->fingerprint);
- $fingerprint->setUserId($json->userId);
+ if (!$this->hasUserPermission((int)$json->userId)) {
+ return;
+ }
+
+ $fingerprint->setFingerprint((string)$json->fingerprint);
+ $fingerprint->setUserId((int)$json->userId);
 if (!$db->hasTransaction()) {
 $db->startTransaction();
diff --git a/backend/classes/controller/FingerprintPutController.php b/backend/classes/controller/FingerprintPutController.php
index 967f3f6..7df001f 100644
--- a/backend/classes/controller/FingerprintPutController.php
+++ b/backend/classes/controller/FingerprintPutController.php
@@ -20,6 +20,10 @@ final class FingerprintPutController extends AbstractController
 public function handle(): void
 {
+ if (!$this->isUserLoggedIn()) {
+ return;
+ }
+
 parent::handle();
 if ($this->response->getStatus() !== ServerStatus::OK) {
@@ -30,9 +34,10 @@ final class FingerprintPutController extends AbstractController
 try {
 $json = json_decode($this->requestBody, true);
+
 $fingerprint = new Fingerprint($this->fingerprintId);
- if ($this->handleFingerprint($fingerprint, $json)) {
+ if ($this->hasUserPermission($fingerprint->getUserId()) || $this->handleFingerprint($fingerprint, $json)) {
 return;
 }
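Review bot: The `(int)$json->userId` cast in the second FingerprintPostController hunk turns a missing, null or non-numeric `userId` into `0` before `hasUserPermission()` sees it, and `(string)$json->fingerprint` turns a missing field into `''` (and an array into `'Array'` with a warning), so a malformed body is silently authorised and stored as user 0 with an empty fingerprint instead of being rejected. Validate the shape before casting, e.g. `if (!is_object($json) || !is_int($json->userId ?? null) || !is_string($json->fingerprint ?? null)) { $this->response = new ApiJsonResponse(ServerStatus::BAD_REQUEST); return; }`, and only then call `hasUserPermission()`; how `$json` is decoded lies outside the hunk, so swap `is_object` for an array check if it is decoded associatively. Note also that `$this->response = new ApiJsonResponse()` is assigned before the `try`, so the permission-denied `return` hands the client that default response rather than an explicit 403 — set one there unless `hasUserPermission()` does so itself. The rest of `handle()` is outside the hunk.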
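Review bot: In the first FingerprintPutController hunk the new `isUserLoggedIn()` guard returns before `parent::handle()` runs, and the very next context line reads `$this->response->getStatus()`, which suggests the response object is produced by `parent::handle()`; an anonymous request therefore leaves `$this->response` in whatever state the constructor gave it (possibly null), and the same pattern is repeated in the Delete and Post controllers. Unless `isUserLoggedIn()` writes a response itself — not visible here — give the guard an explicit result, e.g. `$this->response = new ApiJsonResponse(ServerStatus::UNAUTHORIZED); return;` if `ServerStatus` has such a constant, otherwise at least the `BAD_REQUEST` status the catch blocks already use. `handle()` continues past the hunk.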