Added secure row-retrieval mechanism.

c72ab66c · Demian Katz · 86757c4d · c72ab66c
Commit c72ab66c authored 9 years ago by Demian Katz
--- a/module/VuFind/src/VuFind/Db/Table/Search.php
+++ b/module/VuFind/src/VuFind/Db/Table/Search.php
@@ -117,6 +117,31 @@ class Search extends Gateway
        return $row;
    }

+    /**
+     * Get a single row, enforcing user ownership. Returns row if found, null
+     * otherwise.
+     *
+     * @param int    $id     Primary key value
+     * @param string $sessId Current user session ID
+     * @param int    $userId Current logged-in user ID (or null if none)
+     *
+     * @return \VuFind\Db\Row\Search
+     */
+    public function getOwnedRowById($id, $sessId, $userId)
+    {
+        $callback = function ($select) use ($id, $sessId, $userId) {
+            $nest = $select->where
+                ->equalTo('id', $id)
+                ->and
+                ->nest
+                    ->equalTo('session_id', $sessId);
+            if (!empty($userId)) {
+                $nest->or->equalTo('user_id', $userId);
+            }
+        };
+        return $this->select($callback)->current();
+    }
+
    /**
     * Set the "saved" flag for a specific row.
     *