From d87d0b7295ec2f7f35c46fb55010516f5e14cc42 Mon Sep 17 00:00:00 2001
From: Marijn Jansen
Date: Wed, 1 Feb 2017 14:13:22 +0100
Subject: [PATCH] Backend for delete post
---
website/public/API/deletePost.php | 20 ++++++++++++
website/public/js/post.js | 14 ++++++++
website/queries/post.php | 53 +++++++++++++++++++++++++++++++
website/views/post-view.php | 4 ++-
4 files changed, 90 insertions(+), 1 deletion(-)
create mode 100644 website/public/API/deletePost.php
diff --git a/website/public/API/deletePost.php b/website/public/API/deletePost.php
new file mode 100644
index 0000000..fffadf5
--- /dev/null
+++ b/website/public/API/deletePost.php
@@ -0,0 +1,20 @@
+execute(); return $stmt->rowCount(); }
+
+function deletePost(int $postID, int $userID) {
+ if (checkPermissionOnPost($postID, $userID)) {
+ $stmt = prepareQuery("
+ DELETE FROM
+ `post`
+ WHERE
+ `postID` = :postID
+ ");
+ $stmt->bindParam(":postID", $postID);
+ $stmt->execute();
+ }
+}
+
+function checkPermissionOnPost(int $postID, int $userID) : bool {
+ $getGroupID = prepareQuery("
+ SELECT
+ `author`,
+ `groupID`
+ FROM
+ `post`
+ WHERE
+ `postID` = :postID
+ ");
+ $getGroupID->bindParam(":postID", $postID);
+ $getGroupID->execute();
+ $postinfo = $getGroupID->fetch();
+
+ if ($postinfo["groupID"] == null) {
+ // User post
+ return ($userID == $postinfo["author"]);
+ } else {
+ // Group post
+ $roleInGroup = getRoleInGroup($userID, $postinfo["groupID"]);
+ return ($roleInGroup == "mod" or $roleInGroup == "admin");
+ }
+}
+
+function getRoleInGroup(int $userID, int $groupID) {
+ $stmt = prepareQuery("
+ SELECT
+ `role`
+ FROM
+ `group_member`
+ WHERE
+ `userID` = :userID AND
+ `groupID` = :groupID
+ ");
+ $stmt->bindParam(":userID", $userID);
+ $stmt->bindParam(":groupID", $groupID);
+ $stmt->execute();
+ return $stmt->fetch()["role"];
+}
diff --git a/website/views/post-view.php b/website/views/post-view.php
index 11a985a..0844224 100644
--- a/website/views/post-view.php
+++ b/website/views/post-view.php
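Review bot: In checkPermissionOnPost (website/queries/post.php) the result of `$getGroupID->fetch()` is used without checking for a missing row, so for a postID that does not exist `$postinfo` is `false`, the function takes the "user post" branch, and the decision rests on the loose comparison `$userID == $postinfo["author"]`. An authorization check should fail closed: add `if ($postinfo === false) { return false; }` right after the fetch and compare strictly, e.g. `$userID === (int) $postinfo["author"]`; the same missing-row case applies to `$stmt->fetch()["role"]` in getRoleInGroup when the user is not a member of the group. deletePost also returns nothing when the check fails, so the caller cannot tell a refused delete from a successful one; returning a bool or `$stmt->rowCount()` would let the API answer with an error. The hunk header and the API file that supplies `$userID` are not visible on this page, so confirm that the value is taken from the session rather than from request parameters.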
@@ -6,7 +6,9 @@ session_start(); ?>

-
verwijder post
+
+ +