Cracking The Vault (part 1)
By: Vikram Vaswani, (c) Melonfire
    2001-05-14

    Table of Contents:
  • Cracking The Vault (part 1)
  • Just Another Day At The Office
  • An Evil Plan Is Born
  • Setting The Ground Rules
  • Design Time
  • Start Me Up
  • Entry Points
  • Seeding The System
  • Red And Green Clouds
  • Digging Deeper
  • Basic Maintenance
  • The D Word


    Cracking The Vault (part 1) - Digging Deeper


    (Page 10 of 12 )

    Each of the files listed in "out.php" is hyperlinked to the script "details.php", which displays detailed file information. This script is passed a file ID via the URL GET method, and uses this ID to query the "data" table and obtain the file description, author comment, owner, creation date and file status.

    <?
    // from out.php
    // query to obtain detailed information on this file
    // in case file is accessed directly,
    // query must include constraint to ensure that user has view rights

    // the file ID arrives via GET; it is assumed to be numeric,
    // so cast it before it is placed in the query string
    $id = (int) $id;

    $connection = mysql_connect($hostname, $user, $pass) or die ("Unable to connect!");

    $query = "SELECT data.id, data.owner, category.name, user.username,
              data.realname, data.created, data.description, data.comment, data.status
              FROM data, user, category, perms
              WHERE data.id = '$id'
              AND data.owner = user.id
              AND data.category = category.id
              AND perms.rights = '1'
              AND perms.uid = '$SESSION_UID'
              AND data.id = perms.fid";

    $result = mysql_db_query($database, $query, $connection) or die ("Error in query: $query. " . mysql_error());
    ?>
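    The view-rights constraint described above, written with bound parameters and a single "not found or not permitted" outcome, as an added example that is not part of the original article. It assumes PDO with an in-memory SQLite database standing in for MySQL, constructed sample rows, and a hypothetical helper named `fetchFileDetails`; table and column names follow the article's query.

```php
<?php
// Added example (not the article's code). Constructed schema and rows in an
// in-memory SQLite database stand in for the article's MySQL tables.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Only uid 1 is given view rights (rights = 1) on file 7.
$db->exec("
    CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT);
    CREATE TABLE category (id INTEGER PRIMARY KEY, name TEXT);
    CREATE TABLE data (id INTEGER PRIMARY KEY, owner INT, category INT,
                       realname TEXT, description TEXT, status INT);
    CREATE TABLE perms (fid INT, uid INT, rights INT);
    INSERT INTO user VALUES (1, 'alice'), (2, 'bob');
    INSERT INTO category VALUES (1, 'Reports');
    INSERT INTO data VALUES (7, 1, 1, 'q1.doc', '<b>draft</b>', 0);
    INSERT INTO perms VALUES (7, 1, 1);
");

// fetchFileDetails() is a hypothetical helper: it returns the row only when
// $uid holds view rights (perms.rights = 1) on the file, otherwise null.
function fetchFileDetails(PDO $db, $rawId, int $uid): ?array
{
    // Accept only a positive integer ID; anything else never reaches SQL.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare(
        "SELECT data.id, user.username AS owner, category.name AS category,
                data.realname, data.description, data.status
         FROM data
         JOIN user ON data.owner = user.id
         JOIN category ON data.category = category.id
         JOIN perms ON perms.fid = data.id
         WHERE data.id = :id AND perms.uid = :uid AND perms.rights = 1"
    );
    $stmt->execute([':id' => $id, ':uid' => $uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Permitted user, user without rights, and a malformed ID (all constructed).
foreach ([['7', 1], ['7', 2], ["7' OR '1'='1", 2]] as [$rawId, $uid]) {
    $row = fetchFileDetails($db, $rawId, $uid);
    // Missing and forbidden files get the same answer, so IDs cannot be probed.
    echo $row === null
        ? "uid $uid: no such file or no view rights\n"
        : htmlspecialchars("{$row['realname']}: {$row['description']}", ENT_QUOTES, 'UTF-8') . "\n";
}
```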

    Once a result is obtained, a table is generated to display the various bits of information. If the file is checked out (the status field is not 0), another query is executed to find out more.

    <table border="0" cellspacing="4" cellpadding="1">
    <?
    // display details
    list($id, $ownerId, $category, $owner, $realname, $created, $description, $comment, $status) = mysql_fetch_row($result);
    mysql_free_result($result);

    // corrections
    if ($description == "") { $description = "No description available"; }
    if ($comment == "") { $comment = "No author comments available"; }

    $filename = $dataDir . $id . ".dat";
    ?>
    <tr>
    <td><?
    // display red or green icon depending on file status
    if ($status == 0) { ?>
    <img src="images/a.jpg" width=40 height=33 alt="" border=0 align="absmiddle">
    <? } else { ?>
    <img src="images/na.jpg" width=40 height=33 alt="" border=0 align="absmiddle">
    <? } ?>
    <? // values read from the database are escaped before being written into the page ?>
    <font size="+1"><? echo htmlspecialchars($realname); ?></font></td>
    </tr>
    <tr>
    <td>Category: <? echo htmlspecialchars($category); ?></td>
    </tr>
    <tr>
    <td>File size: <? echo filesize($filename); ?> bytes</td>
    </tr>
    <tr>
    <td>Created on: <? echo fixDate($created); ?></td>
    </tr>
    <tr>
    <td>Owner: <? echo htmlspecialchars($owner); ?></td>
    </tr>
    <tr>
    <td>Description of contents: <? echo htmlspecialchars($description); ?></td>
    </tr>
    <tr>
    <td>Author comment: <? echo htmlspecialchars($comment); ?></td>
    </tr>
    <?
    if ($status != 0) {
        // status != 0 -> file checked out to another user
        // query to find out who...
        // (restricted to this file; without the data.id constraint the query
        // would match every checked-out file in the table)
        $query = "SELECT user.username FROM data, user WHERE user.id = data.status AND data.id = '$id'";
        $result = mysql_db_query($database, $query, $connection) or die ("Error in query: $query. " . mysql_error());
        list($checkedTo) = mysql_fetch_row($result);
        mysql_free_result($result);
        // ...and display
    ?>
    <tr>
    <td>Currently checked out to: <? echo htmlspecialchars($checkedTo); ?></td>
    </tr>
    <? } ?>
    </table>

    Once the file description has been printed, a menu also needs to be generated at the bottom of the screen. The items that show up in this menu vary depending on the situation:

    1. Every user gets the option to view (not check out) the most recent version of the document, and its revision history.

    2. If the file is not checked out and the user has appropriate "modify" permissions, an option to check out the document is also available.

    3. If the user is the owner of the file, options to edit document properties and delete the document from the system are also available.

    Here's the code that makes this variable menu possible.

    <table border="0" cellspacing="5" cellpadding="5">
    <tr>
    <!-- inner table begins -->
    <!-- view option available at all time, place it outside the block -->
    <td align="center"><a href="view.php?id=<? echo $id; ?>"><img src="images/view.jpg" width=40 height=40 alt="" border="0"><br><font size="-1">View Document</font></a></td>
    <?
    if ($status == 0) {
        // status = 0 -> file available for checkout
        // check if user has modify rights
        $query2 = "SELECT status FROM data, perms
                   WHERE perms.fid = '$id'
                   AND perms.uid = '$SESSION_UID'
                   AND perms.rights = '2'
                   AND data.status = '0'
                   AND data.id = perms.fid";
        $result2 = mysql_db_query($database, $query2, $connection) or die ("Error in query: $query2. " . mysql_error());

        if (mysql_num_rows($result2) > 0) {
            // if so, display link for checkout
    ?>
    <td align="center"><a href="check-out.php?id=<? echo $id; ?>"><img src="images/co.jpg" width=40 height=40 alt="" border="0"><br><font size="-1">Check Document Out</font></a></td>
    <?
        }
        mysql_free_result($result2);

        if ($ownerId == $SESSION_UID) {
            // if user is also the owner of the file AND file is not checked out
            // additional actions are available
    ?>
    <td align="center"><img src="images/info.jpg" width=40 height=40 alt="" border="0"><a href="edit.php?id=<? echo $id; ?>"><br><font size="-1">Edit Document Properties</font></a></td>
    <td align="center"><img src="images/delete.jpg" width=40 height=40 alt="" border="0"><a href="delete.php?id=<? echo $id; ?>"><br><font size="-1">Delete Document</font></a></td>
    <?
        }
    ?>
    <?
    }
    // ability to view revision history is always available
    // put it outside the block
    ?>
    <td align="center"><a href="history.php?id=<? echo $id; ?>"><img src="images/history.jpg" width=40 height=40 alt="" border="0"><br><font size="-1">Revision History</font></a></td>
    </tr>
    <!-- inner table ends -->
    </table>

    And here's what the page looks like.



    This article copyright Melonfire 2001. All rights reserved.
