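/**
 * Shows a specific message to the current session user as a PDF.
 *
 * The message id is read from $_GET['ID']. Access is granted when the session
 * user manages the message or has received it; otherwise the request is
 * aborted through the interface's DieError().
 *
 * The receiver row for the session user is loaded together with the user's
 * forename, name and grade; the placeholders {vorname}, {name} and {klasse}
 * in the message text are filled from those values. Viewing the message marks
 * the receiver entry as read if it was unread.
 *
 * @return void
 */
private function showMessage() {
	$db = TableMng::getDb();
	// Untrusted request input: coerce to int before it reaches the helper
	// functions or the query (escaping alone does not make it a valid id).
	$messageId = (int) ($_GET['ID'] ?? 0);
	$uid = $_SESSION['uid'];

	if (!MessageFunctions::checkIsManagerOf($messageId, $uid)
		&& !MessageFunctions::checkHasReceived($messageId, $uid)) {
		$this->_interface->DieError('Kein Zugriff erlaubt!');
		return;
	}

	$msgText = $msgTitle = $forename = $name = $grade = $msgRecId = $msgReturn = '';
	$isRead = null;
	// @activeSchoolyear is a MySQL session variable; it has to be set on this
	// connection before the query runs — TODO confirm where it is initialised.
	$query = "SELECT m.title, m.text, mr.read, mr.ID, mr.return,\n\t\t\t\t\tu.forename, u.name, CONCAT(g.gradelevel, g.label)\n\t\t\t\tFROM SystemUsers u\n\t\t\t\tJOIN MessageReceivers mr ON mr.userId = u.ID\n\t\t\t\tJOIN MessageMessages m ON mr.messageId = m.ID AND m.ID = ?\n\t\t\t\tLEFT JOIN SystemAttendances uigs ON\n\t\t\t\t\tuigs.userId = u.ID AND\n\t\t\t\t\tuigs.schoolyearId = @activeSchoolyear\n\t\t\t\tLEFT JOIN SystemGrades g ON g.ID = uigs.gradeId\n\t\t\t\tWHERE u.ID = ?";
	$stmt = $db->prepare($query);
	if (!$stmt) {
		$this->_interface->DieError('Konnte die Nachrichtendaten nicht abrufen');
		return;
	}
	$stmt->bind_param('ii', $messageId, $uid);
	$stmt->bind_result($msgTitle, $msgText, $isRead, $msgRecId, $msgReturn, $forename, $name, $grade);
	if (!$stmt->execute()) {
		// Previously an execute() failure went unnoticed and an empty PDF was built.
		$stmt->close();
		$this->_interface->DieError('Konnte die Nachrichtendaten nicht abrufen');
		return;
	}
	// The user may have several receiver entries for the same message; the
	// bound variables keep the values of the last row fetched.
	while ($stmt->fetch()) {
	}
	$stmt->close();
	// NOTE(review): when no row matches (e.g. a manager who is not a receiver)
	// the PDF is still generated from empty fields — confirm this is intended.

	// Loose comparison on purpose: mr.read may arrive as int 0 or string '0';
	// null (no row fetched) does not match and nothing is marked.
	if ($isRead == '0') {
		$this->markMsgAsRead($msgRecId);
	}

	// Replacements run in order, exactly like the three sequential calls did.
	$msgText = str_replace(
		['{vorname}', '{name}', '{klasse}'],
		[$forename, $name, $grade],
		$msgText
	);

	$this->createPdf($msgTitle, $msgText, $grade, $msgReturn, $messageId, $uid);
}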
/**
 * Ajax guard for editing a returned message entry.
 *
 * Verifies that the session user manages message $mid and that user $uid has
 * a receiver entry for it. Every failed check terminates the request with a
 * short status string for the Ajax caller: 'noManager' when the session user
 * does not manage the message, 'entryNotFound' when no receiver entry exists,
 * and 'error' when either lookup throws.
 *
 * @param int $mid message id
 * @param int $uid id of the receiving user
 * @return void
 */
protected function userReturnedMsgCheckEditable($mid, $uid) {
	try {
		// Manager status is always evaluated for the logged-in user, not $uid.
		$sessionUserIsManager = MessageFunctions::checkIsManagerOf($mid, $_SESSION['uid']);
		if (!$sessionUserIsManager) {
			die('noManager');
		}

		$receiverEntryExists = $this->existMessageWithReceiver($mid, $uid);
		if (!$receiverEntryExists) {
			die('entryNotFound');
		}
	} catch (Exception $e) {
		// Details are not exposed to the Ajax client; only a generic status.
		die('error');
	}
}