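/**
 * Show an experiment (in mode=show).
 *
 * The HTML is echoed directly; nothing is returned. Title, body abstract and
 * status color come from the database (and ultimately from user input), so
 * each is HTML-escaped before being written into text or a quoted attribute.
 * Escaping is done with double_encode=false so values that were already
 * entity-encoded on the way in are not encoded a second time. When no row
 * matches $id the function outputs nothing instead of emitting warnings and
 * a half-built <section>.
 *
 * @param int $id The ID of the experiment to show
 * @param string $display Can be 'compact' or 'default'
 * @return void
 */
function showXP($id, $display = 'default')
{
    global $pdo;

    // Escape a database value for HTML text or a quoted attribute.
    // ENT_QUOTES covers both ' and ", so the single-quoted attributes below
    // cannot be broken out of; ENT_SUBSTITUTE keeps a byte sequence cut
    // mid-character (see the substr() below) from blanking the whole string.
    $esc = function ($value) {
        return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
    };

    $sql = "SELECT experiments.*, status.color FROM\n experiments LEFT JOIN\n status ON (experiments.status = status.id)\n WHERE experiments.id = :id";
    $req = $pdo->prepare($sql);
    $req->bindParam(':id', $id, PDO::PARAM_INT);
    $req->execute();
    $experiments = $req->fetch();

    // Unknown id: fetch() returns false, there is nothing to show.
    if ($experiments === false) {
        return;
    }

    $xpId = (int) $experiments['id'];
    $color = $esc($experiments['color']);
    $title = $esc(stripslashes($experiments['title']));

    if ($display === 'compact') {
        // COMPACT MODE //
        echo "<section class='item_compact' style='border-left: 6px solid #" . $color . "'>";
        echo "<a href='experiments.php?mode=view&id=" . $xpId . "'>";
        echo "<span class='date date_compact'>" . Tools::formatDate($experiments['date']) . "</span> ";
        echo "<span style='padding-left:10px;'>";
        // show lock if item is locked on viewXP
        if ($experiments['locked']) {
            echo "<img src='img/lock-blue.png' alt='lock' title='Locked' />";
        }
        echo $title;
        echo "</a></span></section>";
        return;
    }

    // NOT COMPACT
    echo "<section class='item' style='border-left: 6px solid #" . $color . "'>";

    // we show the abstract of the experiment on mouse hover with the title attribute
    // we check if it is our experiment. It would be best to check if we have visibility rights on it
    // but atm there is no such function. So we limit this feature to experiments we own, for simplicity.
    $bodyAbstract = '';
    if (is_owned_by_user($id, 'experiments', $_SESSION['userid'])) {
        // strip_tags() first so the 100-char cut is taken on text, not markup;
        // escaping (instead of deleting quotes) keeps the title attribute closed.
        $bodyAbstract = $esc(substr(strip_tags($experiments['body']), 0, 100));
    }
    echo "<a title='" . $bodyAbstract . "' href='experiments.php?mode=view&id=" . $xpId . "'>";

    // show stamp if experiment is timestamped
    if ($experiments['timestamped']) {
        echo "<img class='align_right' src='img/stamp.png' alt='stamp' title='experiment timestamped' />";
    }

    echo "<p class='title'>";
    // show lock if item is locked on viewXP
    if ($experiments['locked']) {
        echo "<img style='padding-bottom:3px;' src='img/lock-blue.png' alt='lock' title='Locked' /> ";
    }
    // TITLE
    echo $title . "</p></a>";

    // DATE
    echo "<span class='date'><img class='image' src='img/calendar.png' /> " . Tools::formatDate($experiments['date']) . "</span> ";

    // _('Tags')
    echo show_tags($id, 'experiments_tags');

    // show attached if there is a file attached
    if (has_attachement($experiments['id'], 'experiments')) {
        echo "<img class='align_right' src='img/attached.png' alt='file attached' />";
    }
    echo "</section>";
}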
/**
 * Can we upload to that experiment?
 * Make sure we own it.
 *
 * Only the 'experiments' item type is checked against the session user;
 * every other item type passes through without a check.
 *
 * @throws Exception if we cannot upload file to this experiment
 */
private function checkPermission()
{
    // Ownership is only enforced for experiments.
    if ($this->itemType !== 'experiments') {
        return;
    }

    $isOwner = is_owned_by_user($this->itemId, 'experiments', $_SESSION['userid']);
    if (!$isOwner) {
        throw new Exception('Not your experiment!');
    }
}
} if (is_owned_by_user($item_id, 'experiments', $_SESSION['userid'])) { $delete_sql = "DELETE FROM experiments_links WHERE id= :id"; $delete_req = $pdo->prepare($delete_sql); $result = $delete_req->execute(array('id' => $id)); } break; // DELETE TAGS // DELETE TAGS case 'exptag': if (is_pos_int($_POST['item_id'])) { $item_id = $_POST['item_id']; } else { die; } if (is_owned_by_user($item_id, 'experiments', $_SESSION['userid'])) { $delete_sql = "DELETE FROM experiments_tags WHERE id = :id"; $delete_req = $pdo->prepare($delete_sql); $delete_req->execute(array('id' => $id)); } break; case 'itemtag': $delete_sql = "DELETE FROM items_tags WHERE id = :id"; $delete_req = $pdo->prepare($delete_sql); $delete_req->execute(array('id' => $id)); break; case 'status': // normally there is no experiments left with this status $delete_sql = "DELETE FROM status WHERE id = :id"; $delete_req = $pdo->prepare($delete_sql); $delete_req->execute(array('id' => $id));
// TAG FOR ITEMS case 'itemtag': // Sanitize tag, we remove '\' because it f***s up the javascript if you have this in the tags $tag = strtr(filter_var($_POST['tag'], FILTER_SANITIZE_STRING), '\\', ''); // check for string length only as there is no owning of database item if (strlen($tag) > 0) { // SQL for add tag to database item $sql = "INSERT INTO items_tags (tag, item_id, team_id) VALUES(:tag, :item_id, :team_id)"; $req = $pdo->prepare($sql); $req->bindParam(':tag', $tag, PDO::PARAM_STR); $req->bindParam(':item_id', $_POST['item_id'], PDO::PARAM_INT); $req->bindParam(':team_id', $_SESSION['team_id'], PDO::PARAM_INT); $req->execute(); } break; // ADD A LINK TO AN EXPERIMENT // ADD A LINK TO AN EXPERIMENT case 'link': // check link is int and experiment is owned by user if (filter_var($_POST['link_id'], FILTER_VALIDATE_INT) && is_owned_by_user($id, 'experiments', $_SESSION['userid'])) { // SQL for addlink $sql = "INSERT INTO experiments_links (item_id, link_id) VALUES(:item_id, :link_id)"; $req = $pdo->prepare($sql); $req->bindParam(':item_id', $_POST['item_id'], PDO::PARAM_INT); $req->bindParam(':link_id', $_POST['link_id'], PDO::PARAM_INT); $result = $req->execute(); } break; default: die; }