From 3edd0ace88a9826e84b76a872e25b508e89f5c6b Mon Sep 17 00:00:00 2001
From: Eike Foken
Date: Wed, 21 Sep 2011 00:18:56 +0200
Subject: [PATCH] Check userrights for projects correctly and update the last access
---
 application/controllers/projects.php | 17 +++++++++++++----
 application/models/project.php | 12 +++++++++++-
 2 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/application/controllers/projects.php b/application/controllers/projects.php
index d4dce7f..34df4bb 100644
--- a/application/controllers/projects.php
+++ b/application/controllers/projects.php
@@ -118,10 +118,14 @@ class Projects extends MY_Controller {
 show_404();
 }
- if (!$this->_checkAccess($project['id'])) { // check if the user has access
+ // check if the user has access
+ if (!$this->_checkAccess($project['id'])) {
 show_error(_("Sorry, you don't have access to this project."), 403);
 }
+ // updates the last access
+ $this->project->updateLastAccess($project['id']);
+
 // mark a shared project as seen
 $this->share->markSeen($project['id']);
@@ -186,18 +190,23 @@ class Projects extends MY_Controller {
 */
 public function delete($id) {
 $project = $this->project->getById($id);
- if (!$project || $project['owner'] != $this->session->userdata('user_id')) {
+ if (!$project) {
 show_404();
 }
+ // check if the user has access
+ if ($project['owner'] != $this->session->userdata('user_id') && !$this->access->isAdmin()) {
+ show_error(_("Sorry, you don't have access to this project."), 403);
+ }
+
 $this->load->helper('file');
- $projectPath = FCPATH . 'uploads/' . $id;
+ $projectPath = FCPATH . 'uploads/' . $project['id'];
 if (delete_files($projectPath, true)) {
 rmdir($projectPath);
 }
- if ($this->project->delete($id)) {
+ if ($this->project->delete($project['id'])) {
 $this->messages->add(_('The project was deleted.'), 'success');
 }
 redirect('projects', 303);
diff --git a/application/models/project.php b/application/models/project.php
index 1ebd204..222d9ab 100644
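Review bot: The owner check added to `delete()` compares ids with loose `!=`, and nothing in the hunk shows that this destructive action is limited to POST or protected by a CSRF token, so if the route is reachable by a plain GET (not visible here), an owner or admin can be made to delete a project just by following a link. Use a strict comparison on a common type, `if ((string) $project['owner'] !== (string) $this->session->userdata('user_id') && !$this->access->isAdmin()) {`, and confirm the route only accepts POST with a CSRF check. The upload directory is also removed before `$this->project->delete()` runs, so a failed row delete leaves a project record whose files are already gone; deleting the row first and only then removing `$projectPath` keeps the two in step. Building the path from the database-returned `$project['id']` instead of the raw `$id` is a good change.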
--- a/application/models/project.php
+++ b/application/models/project.php
@@ -126,7 +126,6 @@ class Project extends CI_Model {
 */
 public function getById($projectId) {
 $result = $this->db->get_where('projects', array('id' => $projectId))->row_array();
- $this->db->where('id', $projectId)->update('projects', array('last_access' => mysql_now()));
 if ($result) {
 return $this->_addShortName($result);
@@ -216,6 +215,17 @@ class Project extends CI_Model {
 return $this->db->where('id', $projectId)->update('projects', $data);
 }
+ /**
+ * Updates the last access of a project.
+ *
+ * @param string $projectId The ID of the project to update
+ * @return boolean Returns TRUE on success.
+ */
+ public function updateLastAccess($projectId) {
+ $this->db->where('id', $projectId)->update('projects', array('last_access' => mysql_now()));
+ return $this->db->affected_rows() == 0;
+ }
+
 /**
 * Deletes a project.
 *
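Review bot: `updateLastAccess()` returns `$this->db->affected_rows() == 0`, which is TRUE exactly when no row was updated, the opposite of the docblock's "Returns TRUE on success"; the controller call in this commit discards the result, so nothing notices yet, but the first caller that checks it will act on the inverse. Return the update result itself, `return (bool) $this->db->where('id', $projectId)->update('projects', array('last_access' => mysql_now()));`, or `return $this->db->affected_rows() > 0;` if "a row actually changed" is the intended contract, and say which in the `@return` tag. Moving the write out of `getById()` is the right call, since a read helper that silently updated rows on every lookup also ran for lookups that ended in a 403.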