Added secure row-retrieval mechanism.

vufind-org · Feb 3, 2016 · a1643a5 · a1643a5
1 parent b4fe3b2
commit a1643a5
Showing 1 changed file with 25 additions and 0 deletions.
diff --git a/module/VuFind/src/VuFind/Db/Table/Search.php b/module/VuFind/src/VuFind/Db/Table/Search.php
@@ -117,6 +117,31 @@ public function getRowById($id, $exceptionIfMissing = true)
         return $row;
     }
 
+    /**
+     * Get a single row, enforcing user ownership. Returns row if found, null
+     * otherwise.
+     *
+     * @param int    $id     Primary key value
+     * @param string $sessId Current user session ID
+     * @param int    $userId Current logged-in user ID (or null if none)
+     *
+     * @return \VuFind\Db\Row\Search
+     */
+    public function getOwnedRowById($id, $sessId, $userId)
+    {
+        $callback = function ($select) use ($id, $sessId, $userId) {
+            $nest = $select->where
+                ->equalTo('id', $id)
+                ->and
+                ->nest
+                    ->equalTo('session_id', $sessId);
+            if (!empty($userId)) {
+                $nest->or->equalTo('user_id', $userId);
+            }
+        };
+        return $this->select($callback)->current();
+    }
+
     /**
      * Set the "saved" flag for a specific row.
      *