From fd861ca8c95f25fdeaedcaad3e0bbda1c51034fd Mon Sep 17 00:00:00 2001
From: galaxyoyo
Date: Sat, 7 Sep 2019 01:55:10 +0200
Subject: [PATCH] =?UTF-8?q?Quelques=20restrictions=20d'acc=C3=A8s=20lors?=
 =?UTF-8?q?=20du=20t=C3=A9l=C3=A9chargement=20de=20fichiers?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 server_files/controllers/view_file.php | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/server_files/controllers/view_file.php b/server_files/controllers/view_file.php
index 5147060..0ce1807 100644
--- a/server_files/controllers/view_file.php
+++ b/server_files/controllers/view_file.php
@@ -7,6 +7,9 @@ if (!isset($_GET["file_id"])) {
 exit();
 }
+if (!isset($_SESSION["user_id"]))
+ require_once "../403.php";
+
 $id = htmlspecialchars($_GET["file_id"]);
 $type = "SOLUTION";
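Review bot: The new guard relies on `require_once "../403.php"` to stop the request, but an include only halts the script if 403.php itself calls exit; if it merely renders the error page, execution falls through to the `$id = ...` line on the new side and the file is still served to a caller with no session. The same pattern is repeated three times in the second hunk (the SOLUTION and DOCUMENT branches). Unless 403.php is known to terminate, follow each include with an explicit stop: `require_once "../403.php"; exit();`. Note also that `require_once` is a no-op the second time the same file is hit in one request, so if an earlier check has already included 403.php and fallen through, a later check would not even render the page before continuing.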
@@ -29,16 +32,29 @@ if ($data !== false) {
 if ($type == "SOLUTION") {
 $problem = $data["problem"];
 $name = "Problème $problem $trigram.pdf";
+
+ if (($_SESSION["role"] == Role::PARTICIPANT || $_SESSION["role"] == Role::ENCADRANT) && (!isset($_SESSION["team"]) || $_SESSION["team"]->getId() != $team->getId()))
+ require_once "../403.php";
+
+ // TODO Seuls les organisateurs concernés doivent pouvoir télécharger les fichiers
 } else if ($type == "SYNTHESE") {
 $dest = $data["dest"];
 $name = "Note de synthèse $trigram pour " . ($dest == "OPPOSANT" ? "l'opposant" : "le rapporteur") . ".pdf";
+
+ // TODO Seuls les organisateurs, défenseurs, opposants et rapporteurs doivent pouvoir télécharger les fichiers
 } else if ($type == "DOCUMENT") {
 $user_id = $data["user"];
- $user_data = $DB->query("SELECT `surname`, `first_name` FROM `users` WHERE `id` = 'user';")->fetch();
- $surname = $user_data["surname"];
- $first_name = $user_data["first_name"];
+ $user = User::fromId($user_id);
+
+ if (($_SESSION["role"] == Role::PARTICIPANT || $_SESSION["role"] == Role::ENCADRANT) && $user_id != $_SESSION["user_id"])
+ require_once "../403.php";
+
+ // TODO Seuls les organisateurs concernés doivent pouvoir télécharger les fichiers
+
+ $surname = $user->getSurname();
+ $first_name = $user->getFirstName();
 switch ($data["type"]) {
 case "PARENTAL_CONSENT":
 $name = "Autorisation parentale";
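Review bot: The SOLUTION and DOCUMENT checks deny only `Role::PARTICIPANT` and `Role::ENCADRANT`, so a session whose `role` is unset, malformed or any third value passes straight through to the download, and the SYNTHESE branch gets no check at all; the TODO comments acknowledge that the organiser-side scoping is still open. An allow-list such as `if (!in_array($_SESSION["role"], [/* allowed roles */], true))` fails closed when a new role is added, whereas the current deny-list fails open. The ownership test `$user_id != $_SESSION["user_id"]` is a loose comparison; `(int) $user_id !== (int) $_SESSION["user_id"]` avoids surprises if one side arrives as a string from the database. `$team` in the SOLUTION condition and the behaviour of `User::fromId` on an unknown id are defined outside the hunk, so whether `$_SESSION["team"]->getId() != $team->getId()` or `$user->getSurname()` can be reached with a null is not verifiable here. The enclosing `if ($data !== false)` block begins before the hunk and the switch continues after it.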