From a1643a5ce691cdbf9b42259169755c9f96ffec36 Mon Sep 17 00:00:00 2001
From: Demian Katz
Date: Wed, 3 Feb 2016 10:26:09 -0500
Subject: [PATCH] Added secure row-retrieval mechanism.

---
 module/VuFind/src/VuFind/Db/Table/Search.php | 25 ++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/module/VuFind/src/VuFind/Db/Table/Search.php b/module/VuFind/src/VuFind/Db/Table/Search.php
index db33c561595..b0871084ede 100644
--- a/module/VuFind/src/VuFind/Db/Table/Search.php
+++ b/module/VuFind/src/VuFind/Db/Table/Search.php
@@ -117,6 +117,31 @@ public function getRowById($id, $exceptionIfMissing = true)
         return $row;
     }
 
+    /**
+     * Get a single row, enforcing user ownership. Returns row if found, null
+     * otherwise.
+     *
+     * @param int $id Primary key value
+     * @param string $sessId Current user session ID
+     * @param int $userId Current logged-in user ID (or null if none)
+     *
+     * @return \VuFind\Db\Row\Search
+     */
+    public function getOwnedRowById($id, $sessId, $userId)
+    {
+        $callback = function ($select) use ($id, $sessId, $userId) {
+            $nest = $select->where
+                ->equalTo('id', $id)
+                ->and
+                ->nest
+                ->equalTo('session_id', $sessId);
+            if (!empty($userId)) {
+                $nest->or->equalTo('user_id', $userId);
+            }
+        };
+        return $this->select($callback)->current();
+    }
+
     /**
      * Set the "saved" flag for a specific row.
      *
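Review bot: The docblock on getOwnedRowById() promises "null otherwise" but declares `@return \VuFind\Db\Row\Search`, and the `$userId` parameter is documented as `int` while the text says it may be null; the tags should read `@return \VuFind\Db\Row\Search|null` and `@param int|null $userId Current logged-in user ID (or null if none)`. The not-found value also deserves a check: the method returns whatever `->current()` yields on an empty result set, and I would confirm that is actually `null` rather than `false` in the ResultSet implementation in use, since a caller comparing against `null` would otherwise treat a miss as a hit-free row object. The ownership predicate itself is built through the query builder's `equalTo()` calls, so the session and user values are bound rather than interpolated, which is the right shape for an authorization filter; the nested `session_id = ? OR user_id = ?` group is opened with `->nest` but never explicitly closed, so adding `->unnest` after the `user_id` clause (or a short comment stating the intended `id = ? AND (session_id = ? OR user_id = ?)` form) would make the intended grouping obvious to the next reader. Note that `!empty($userId)` treats a user id of `0` as "not logged in", which is fine only if ids never start at zero.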