( ′∀`)σ≡σ☆))Д′)レ(゚∀゚;)ヘ=З=З=Зε≡(ノ´_ゝ`)ノ
<?php
// Test-harness bootstrap: surface every notice and warning in the browser.
// display_errors=1 prints file paths and the failing SQL to the response, so
// this script belongs in a development environment only, never a production
// web root.
error_reporting(E_ALL);
ini_set('display_errors', 1);
require_once __DIR__ . '/config.php';
require_once __DIR__ . '/../Connections/videoondemand.php';
require_once __DIR__ . '/../DbSql2.inc.php';
require_once __DIR__ . '/../NewsSql2.inc.php';
// Project DB wrapper (presumably declared in NewsSql2.inc.php). The rest of the
// script uses its ->createtable()/->insert()/->delete()/->select() methods and
// its ->CONN property, which must be a mysqli link because it is handed to
// mysqli_real_escape_string() inside userHasAccess().
$db = new NewsSQL;
// Create table if not exists. The DDL is kept in a nowdoc so the statement
// text reaches the wrapper verbatim, without any interpolation.
$ddl = <<<'SQL'
CREATE TABLE IF NOT EXISTS brand_user_files (
id INT AUTO_INCREMENT PRIMARY KEY,
user_id INT NOT NULL,
file_id INT NOT NULL,
shared_by INT NOT NULL,
title VARCHAR(255) NULL,
kind VARCHAR(32) NULL,
url VARCHAR(255) NULL,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
INDEX idx_user_id (user_id),
INDEX idx_file_id (file_id)
)
SQL;
$db->createtable($ddl);

// Mock data: fixed integer fixture ids. Because they are constants, formatting
// them straight into SQL with %d is safe here; request-derived values must go
// through escaping or a prepared statement instead.
$userId = 12345;   // user the file is shared with (the requester in the test)
$fileId = 67890;   // file / theme id under test
$sharedBy = 11111; // user who shared the file; also becomes the profilepicture owner

// Insert mock data: the brand_user_files row is the one userHasAccess() should
// match for ($fileId, $userId).
$db->insert(sprintf(
    "INSERT INTO brand_user_files (user_id, file_id, shared_by, kind) VALUES (%d, %d, %d, 'picture')",
    $userId,
    $fileId,
    $sharedBy
));

// Also need a profilepicture entry because userHasAccess checks for owner and
// returns it. Clear any leftover from an earlier aborted run first, since the
// cleanup at the end of the script only runs when everything before it succeeds.
$db->delete(sprintf("DELETE FROM profilepicture WHERE id='%d'", $fileId));
$db->insert(sprintf(
    "INSERT INTO profilepicture (id, catalogid, picture, title) VALUES (%d, %d, 'test.jpg', 'Test Design')",
    $fileId,
    $sharedBy
));
/**
 * Decide whether $teamMember may access theme/file $themeid and, if so,
 * return the owner's catalogid.
 *
 * The checks run in a fixed order and stop at the first positive hit:
 * direct ownership in profilepicture, an explicit share row, membership in a
 * team that holds the file, a per-user share in brand_user_files, and finally
 * ownership of the team that holds the file. For that last check the owner
 * column of brand_teams is discovered from the live schema, but only names
 * from a fixed candidate list are ever interpolated into the query.
 *
 * Every caller-supplied value that reaches SQL is passed through
 * mysqli_real_escape_string() AND wrapped in single quotes; both halves are
 * required, since escaping alone does not protect an unquoted position.
 *
 * @param object     $db         project DB wrapper exposing ->CONN (mysqli link) and ->select()
 * @param int|string $themeid    id of the theme / file being accessed
 * @param int|string $teamMember id of the user requesting access
 * @return string|int|false catalogid of the profilepicture owner when access is
 *                          granted and the row exists; false otherwise (including
 *                          the case where access is granted but the
 *                          profilepicture row is missing)
 */
function userHasAccess($db, $themeid, $teamMember) {
    $safeThemeId = mysqli_real_escape_string($db->CONN, $themeid);
    $safeTeamMember = mysqli_real_escape_string($db->CONN, $teamMember);

    // Runs a COUNT(*) query and reports whether it found at least one row.
    // A failed select (falsy result) counts as "no rows", i.e. no access.
    $hasRows = function ($sql) use ($db) {
        $rows = $db->select($sql);
        return $rows && $rows[0]['c'] > 0;
    };

    // Looks up the owner once access is established. Returns false when the
    // profilepicture row does not exist, which the caller reads as denied.
    $ownerOf = function () use ($db, $safeThemeId) {
        $ownerResult = $db->select("SELECT catalogid FROM profilepicture WHERE id='$safeThemeId'");
        if ($ownerResult && isset($ownerResult[0]['catalogid'])) {
            return $ownerResult[0]['catalogid'];
        }
        return false;
    };

    // Ordered list of grant sources; the first one that matches wins and the
    // remaining queries are never issued.
    $grantQueries = [
        // 1. requester owns the picture outright
        "SELECT count(*) as c FROM profilepicture WHERE id='$safeThemeId' AND catalogid='$safeTeamMember'",
        // 2. explicit share to the requester
        "SELECT count(*) as c FROM share WHERE themeid='$safeThemeId' AND friend_two='$safeTeamMember'",
        // 3. requester belongs to a team that holds the file
        "SELECT count(*) as c FROM brand_team_files btf JOIN brand_team_members btm ON btf.team_id = btm.team_id WHERE btf.file_path = '$safeThemeId' AND btm.user_id = '$safeTeamMember'",
        // 4. per-user share recorded in brand_user_files
        "SELECT count(*) as c FROM brand_user_files WHERE file_id = '$safeThemeId' AND user_id = '$safeTeamMember'",
    ];
    foreach ($grantQueries as $sql) {
        if ($hasRows($sql)) {
            return $ownerOf();
        }
    }

    // 5. requester owns the team that holds the file. The owner column name
    // differs between schema versions, so read the live column list and try
    // each known candidate that is actually present. $ownerCol is only ever
    // taken from this fixed list, never from input, so the backtick
    // interpolation below cannot be steered by the caller.
    $columnRows = $db->select("SHOW COLUMNS FROM brand_teams");
    $presentColumns = [];
    if ($columnRows) {
        foreach ($columnRows as $row) {
            $presentColumns[] = $row['Field'];
        }
    }
    foreach (['catalogid','created_by','user_id','owner_id','account_id'] as $ownerCol) {
        if (!in_array($ownerCol, $presentColumns, true)) {
            continue;
        }
        $teamOwnerSql = "SELECT count(*) as c FROM brand_team_files btf JOIN brand_teams bt ON bt.id = btf.team_id WHERE btf.file_path = '$safeThemeId' AND bt.`$ownerCol` = '$safeTeamMember'";
        if ($hasRows($teamOwnerSql)) {
            return $ownerOf();
        }
    }

    return false;
}
// Exercise the check with the fixture ids: the requester is the user the file
// was shared with, so a grant naming the profilepicture owner is expected.
$access = userHasAccess($db, $fileId, $userId);
if ($access) {
    $verdict = "GRANTED (Owner: $access)";
} else {
    $verdict = "DENIED";
}
// NOTE(review): $access is echoed unescaped. That is fine for this integer
// fixture, but apply htmlspecialchars() before reusing this line with any
// DB-sourced text.
echo "Access result: " . $verdict . "<br>";

// Cleanup. This only runs on the success path: a failure above leaves the
// fixture rows behind, which is why the script deletes them before inserting.
$db->delete(sprintf("DELETE FROM brand_user_files WHERE user_id='%d' AND file_id='%d'", $userId, $fileId));
$db->delete(sprintf("DELETE FROM profilepicture WHERE id='%d'", $fileId));
?>