From bb785cbff4ce83b450a5ec2f60510f26d86ec480 Mon Sep 17 00:00:00 2001
From: Jan BELLON
Date: Tue, 12 Mar 2024 12:44:19 +0000
Subject: [PATCH] Update file editpage.php

---
 html/editpage.php | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/html/editpage.php b/html/editpage.php
index 162e1b94..3bbb5e6e 100644
--- a/html/editpage.php
+++ b/html/editpage.php
@@ -57,9 +57,10 @@ if (isset($_FILES['miniature']) && $_FILES['miniature']['error'] == 0 && isset($
 imagedestroy($imageResized);
 $bdd = connect($dbhost, $dbname, $dbuser, $dbpass);
- $req = $bdd->prepare("UPDATE articles SET image = :image WHERE ID = :article");
+ $req = $bdd->prepare("UPDATE articles SET image = :image WHERE ID = :article AND auteur = :user_id");
 $req->bindParam(":image", $webPath);
 $req->bindParam(":article", $_GET['article']);
+ $req->bindParam(":user_id", $_SESSION['userid']);
 if($req->execute()) {
 $status = "Miniature mise à jour";
 } else {
@@ -76,8 +77,9 @@ if(isset($fichier)) {
 if(isset($_GET['article']) && isset($_POST['deletefile']) && $_POST['deletefile'] == "Supprimer") {
 if(unlink($fichier)) {
 $bdd = connect($dbhost, $dbname, $dbuser, $dbpass);
- $upload = $bdd->prepare("DELETE FROM articles WHERE ID = :filename");
+ $upload = $bdd->prepare("DELETE FROM articles WHERE ID = :filename AND auteur = :user_id");
 $upload->bindParam(':filename', $filename);
+ $upload->bindParam(':auteur', $_SESSION['userid']);
 if($upload->execute()) {
 header("Location: editpage.php");
 echo "Fichier supprimé";
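Review bot: The ownership predicate on the UPDATE does not stop a non-owner from getting the side effects of this branch, because `$req->execute()` returns true even when `AND auteur = :user_id` matches no row, so `$status = "Miniature mise à jour"` is shown regardless, and `imagedestroy($imageResized)` together with `$webPath` suggests the resized upload has already been written to disk before this query runs. I would check ownership before processing the upload — a `SELECT 1 FROM articles WHERE ID = :article AND auteur = :user_id` gated at the top of the `isset($_FILES['miniature'])` branch — and only then resize and write the file; at minimum, treat the update as failed when it touched no row, e.g. `if($req->execute() && $req->rowCount() === 1) {`. Note that on MySQL `rowCount()` reports changed rather than matched rows unless connect() sets `PDO::MYSQL_ATTR_FOUND_ROWS`, so the up-front SELECT is the more reliable gate. The enclosing `if` starts before the hunk and its body continues after it.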
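Review bot: The bound placeholder name does not match the query: the DELETE uses `:user_id` but the new line binds `':auteur'`, so `:user_id` is never bound, PDO rejects `execute()` with an unbound-parameter error (SQLSTATE HY093), and the row is never deleted. Worse, `unlink($fichier)` runs before any ownership check, so a user who does not own the article still removes its file from disk and then falls into the else branch with the orphaned row left in the table. Fix the name to `$upload->bindParam(':user_id', $_SESSION['userid']);` and reorder so the owner-scoped DELETE decides, via `rowCount()`, whether the file may be removed. How `$fichier` and `$filename` are derived is outside this hunk; they should come from the DB row rather than the request, which is worth confirming. The enclosing `if(isset($fichier))` block continues after the hunk.
```php
if(isset($_GET['article']) && isset($_POST['deletefile']) && $_POST['deletefile'] == "Supprimer") {
    $bdd = connect($dbhost, $dbname, $dbuser, $dbpass);
    // Owner-scoped delete first: only touch the filesystem once the DB confirms this user owns the row.
    $upload = $bdd->prepare("DELETE FROM articles WHERE ID = :filename AND auteur = :user_id");
    $upload->bindParam(':filename', $filename);
    $upload->bindParam(':user_id', $_SESSION['userid']);
    if($upload->execute() && $upload->rowCount() === 1 && unlink($fichier)) {
        header("Location: editpage.php");
        // … unchanged: "Fichier supprimé" message and the else branch …
```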
@@ -95,12 +97,13 @@ if(isset($fichier)) {
 if(isset($_POST['article-classification']) && isset($_POST['article-image']) && isset($_POST['article-resume']) && isset($_GET['article'])) {
 $bdd = connect($dbhost, $dbname, $dbuser, $dbpass);
- $req = $bdd->prepare("UPDATE articles SET classification = :classification, titre = :titre, image = :image, resume = :resume WHERE ID = :article");
+ $req = $bdd->prepare("UPDATE articles SET classification = :classification, titre = :titre, image = :image, resume = :resume WHERE ID = :article AND auteur = :user_id");
 $req->bindParam(':classification', $_POST['article-classification']);
 $req->bindParam(':titre', htmlspecialchars($_POST['article-titre']));
 $req->bindParam(':image', htmlspecialchars($_POST['article-image']));
 $req->bindParam(':resume', nl2br($_POST['article-resume']));
 $req->bindParam(':article', $_GET['article']);
+ $req->bindParam(':user_id', $_SESSION['userid']);
 if($req->execute()) {
 $status = "Informations mises à jour";
 } else {
@@ -173,8 +176,9 @@ if(isset($fichier)) {
 echo "
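Review bot: A non-owner still gets `$status = "Informations mises à jour"` here, because `$req->execute()` is true when the `AND auteur = :user_id` predicate simply matches no row; only the database write is prevented, not the misleading success path. I would gate on the affected row, `if($req->execute() && $req->rowCount() === 1) {`, with the caveat that on MySQL `rowCount()` counts changed rather than matched rows unless connect() sets `PDO::MYSQL_ATTR_FOUND_ROWS`, so an unchanged save by the real owner would then read as a failure — an ownership SELECT before the UPDATE avoids that ambiguity. Separately, `$_SESSION['userid']` is read without an isset guard; a missing key binds NULL, which never matches `auteur` (fail-closed), but it emits a warning and again ends in the success message. The enclosing `if(isset($fichier))` block starts and ends outside the hunk.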
"; if(isset($_GET['article'])) { $bdd = connect($dbhost, $dbname, $dbuser, $dbpass); - $req = $bdd->prepare("SELECT classification, titre, image, resume FROM articles WHERE ID = :article"); + $req = $bdd->prepare("SELECT classification, titre, image, resume FROM articles WHERE ID = :article AND auteur = :user_id"); $req->bindParam(":article", $_GET['article']); + $req->bindParam(":user_id", $_SESSION['userid']); $req->execute(); $resultat = $req->fetchAll(PDO::FETCH_ASSOC);