Improve user permissions.

index.php

@@ -166,17 +166,35 @@ $klein->respond(function ($request, $response, $service, $app) {
         }
     });
 
-    $app->register('twig', function () use ($app) {
+    $app->register('twig', function () use ($service, $app) {
         $loader = new Twig_Loader_Filesystem(__DIR__ . '/templates');
         $twig = new Twig_Environment($loader);
 
         $twig->addGlobal('user', $app->user);
+        $twig->addGlobal('flashes', $service->flashes());
+
+        $twig->addGlobal('session', $_SESSION);
+        $twig->addGlobal('server', $_SERVER);
 
         return $twig;
     });
 });
 
+function hasBeenInstalled()
+{
+    try {
+        $user = User::find_one();
+        if (!$user) return false;
+    } catch (Exception $ex) {
+        return false;
+    }
+
+    return true;
+}
+
 $klein->respond('GET', '/', function ($request, $response, $service, $app) {
+    if (!hasBeenInstalled()) return $response->redirect('/admin/setup');
+
     return $app->twig->render('index.html');
 });
 
@@ -184,7 +202,9 @@ $klein->with('/admin', function () use ($klein) {
     $klein->respond('GET', '', function ($request, $response, $service, $app) {
         if (!$app->user) return $response->redirect('/admin/login');
 
-        $questions = Question::find_many();
+        $questions = Question::where('user_id', $app->user->id)
+            ->order_by_asc('id')
+            ->find_many();
 
         return $app->twig->render('admin/index.html', [
             'questions' => $questions,
@@ -192,25 +212,13 @@ $klein->with('/admin', function () use ($klein) {
     });
 
     $klein->respond('GET', '/setup', function ($request, $response, $service, $app) {
-        try {
-            $user = User::find_one();
-            if ($user) {
-                return $response->redirect('/admin');
-            }
-        } catch (Exception $ex) {
-        }
+        if (hasBeenInstalled()) return $response->redirect('/admin');
 
         return $app->twig->render('admin/setup.html');
     });
 
     $klein->respond('POST', '/setup', function ($request, $response, $service, $app) {
-        try {
-            $user = User::find_one();
-            if ($user) {
-                return $response->redirect('/admin');
-            }
-        } catch (Exception $ex) {
-        }
+        if (hasBeenInstalled()) return $response->redirect('/admin');
 
         $service->validateParam('username')->isLen(3, 24)->isChars('a-zA-Z0-9-');
         $service->validateParam('password')->isLen(10, 128);
@@ -234,24 +242,30 @@ $klein->with('/admin', function () use ($klein) {
     });
 
     $klein->respond('GET', '/login', function ($request, $response, $service, $app) {
-        try {
-            $user = User::find_one();
-            if (!$user) {
-                return $response->redirect('/admin/setup');
-            }
-        } catch (Exception $ex) {
-            return $response->redirect('/admin/setup');
-        }
+        if (!hasBeenInstalled()) return $response->redirect('/admin/setup');
 
         return $app->twig->render('admin/login.html');
     });
 
     $klein->respond('POST', '/login', function ($request, $response, $service, $app) {
+        $service->validateParam('username')->notNull();
+
         $user = User::where('username', $request->username)->find_one();
-        if (!$user) return $response->redirect('/admin/login');
-        if (!$user->verify_password($request->password)) return $response->redirect('/admin/login');
+
+        $_SESSION['username'] = $request->username;
+
+        if (!$user) {
+            $service->flash('Unknown username', 'error');
+            return $response->redirect('/admin/login');
+        }
+
+        if (!$user->verify_password($request->password)) {
+            $service->flash('Invalid password', 'error');
+            return $response->redirect('/admin/login');
+        }
 
         $_SESSION['USER_ID'] = $user->id;
+        unset($_SESSION['username']);
 
         return $response->redirect('/admin');
     });
@@ -262,11 +276,24 @@ $klein->with('/admin', function () use ($klein) {
     });
 
     $klein->with('/question', function () use ($klein) {
+        $klein->respond(function ($request, $response, $service, $app) {
+            if (!$app->user) {
+                $response->redirect('/admin/login');
+                throw new \Klein\Exceptions\DispatchHaltedException();
+            }
+        });
+
         $klein->with('/[i:id]', function () use ($klein) {
             $klein->respond('GET', '', function ($request, $response, $service, $app) {
-                if (!$app->user) return $response->redirect('/admin/login');
+                $question = Question::where([
+                    'id' => $request->id,
+                    'user_id' => $app->user->id,
+                ])->find_one();
 
-                $question = Question::find_one($request->id);
+                if (!$question) {
+                    $response->redirect('/admin');
+                    throw new \Klein\Exceptions\DispatchHaltedException();
+                }
 
                 return $app->twig->render('admin/question/view.html', [
                     'question' => $question,
@@ -274,9 +301,14 @@ $klein->with('/admin', function () use ($klein) {
             });
 
             $klein->respond('POST', '', function ($request, $response, $service, $app) {
-                if (!$app->user) return $response->redirect('/admin/login');
+                $question = Question::where([
+                    'id' => $request->id,
+                    'user_id' => $app->user->id,
+                ])->find_one();
 
-                $question = Question::find_one($request->id);
+                if (!$question) {
+                    return $response->redirect('/admin');
+                }
 
                 $question->title = $request->title;
                 $question->description = $request->description;
@@ -287,11 +319,14 @@ $klein->with('/admin', function () use ($klein) {
             });
 
             $klein->respond('POST', '/delete', function ($request, $response, $service, $app) {
-                if (!$app->user) return $response->redirect('/admin/login');
+                $question = Question::where([
+                    'id' => $request->id,
+                    'user_id' => $app->user->id,
+                ])->find_one();
 
-                $question = Question::find_one($request->id);
-
-                if (!$question) return $response->redirect('/admin');
+                if (!$question) {
+                    return $response->redirect('/admin');
+                }
 
                 $choices = $question->choices();
                 if ($choices) {
@@ -313,18 +348,40 @@ $klein->with('/admin', function () use ($klein) {
                 $klein->respond('POST', '/add', function ($request, $response, $service, $app) {
                     $choice = Choice::create();
 
-                    $choice->question_id = $request->id;
+                    $question = Question::where([
+                        'id' => $request->id,
+                        'user_id' => $app->user->id,
+                    ])->find_one();
+
+                    if (!$question) {
+                        return $response->redirect('/admin');
+                    }
+
+                    $choice->question_id = $question->id;
                     $choice->value = $request->value;
 
                     $choice->save();
 
-                    return $response->redirect('/admin/question/' . $request->id);
+                    return $response->redirect('/admin/question/' . $question->id);
                 });
 
                 $klein->with('/[i:cid]', function () use ($klein) {
                     $klein->respond('GET', '', function ($request, $response, $service, $app) {
                         $choice = Choice::find_one($request->cid);
 
+                        if (!$choice) {
+                            return $response->redirect('/admin');
+                        }
+
+                        $question = Question::where([
+                            'id' => $choice->question()->find_one()->id,
+                            'user_id' => $app->user->id,
+                        ])->find_one();
+
+                        if (!$question) {
+                            return $response->redirect('/admin');
+                        }
+
                         return $app->twig->render('admin/question/choice/view.html', [
                             'choice' => $choice,
                         ]);
@@ -333,13 +390,26 @@ $klein->with('/admin', function () use ($klein) {
                     $klein->respond('POST', '/delete', function ($request, $response, $service, $app) {
                         $choice = Choice::find_one($request->cid);
 
+                        if (!$choice) {
+                            return $response->redirect('/admin');
+                        }
+
+                        $question = Question::where([
+                            'id' => $choice->question()->find_one()->id,
+                            'user_id' => $app->user->id,
+                        ])->find_one();
+
+                        if (!$question) {
+                            return $response->redirect('/admin');
+                        }
+
                         foreach (ChoiceResponse::where('choice_id', $choice->id)->find_many() as $resp) {
                             $resp->delete();
                         }
 
                         $choice->delete();
 
-                        return $response->redirect('/admin/question/' . $request->id);
+                        return $response->redirect('/admin/question/' . $question->id);
                     });
                 });
             });
@@ -347,10 +417,10 @@ $klein->with('/admin', function () use ($klein) {
             $klein->with('/response', function () use ($klein) {
                 $klein->with('/[i:rid]', function () use ($klein) {
                     $klein->respond('GET', '', function ($request, $response, $service, $app) {
-                        if (!$app->user) return $response->redirect('/admin/login');
-
                         $question = Question::find_one($request->id);
+                        if (!$question || $question->user_id != $app->user->id) return $response->redirect('/admin');
                         $resp = $question->response($request->rid);
+                        if (!$resp) return $response->redirect('/admin');
 
                         return $app->twig->render('admin/question/response/view.html', [
                             'question' => $question,
@@ -360,6 +430,7 @@ $klein->with('/admin', function () use ($klein) {
 
                     $klein->respond('POST', '/delete', function ($request, $response, $service, $app) {
                         $question = Question::find_one($request->id);
+                        if (!$question || $question->user_id != $app->user->id) return $response->redirect('/admin');
                         $resp = $question->response($request->rid)->find_one();
                         $resp->delete();
 
@@ -370,9 +441,12 @@ $klein->with('/admin', function () use ($klein) {
                 $klein->respond('POST', '/add', function ($request, $response, $service, $app) {
                     $service->validateParam('value')->notNull();
 
-                    if (!$app->user) return $response->redirect('/admin/login');
+                    $question = Question::where([
+                        'id' => $request->id,
+                        'user_id' => $app->user->id,
+                    ])->find_one();
 
-                    $question = Question::find_one($request->id);
+                    if (!$question || $question->user_id != $app->user->id) return $response->redirect('/admin');
 
                     switch ($question->type) {
                         case 'freeform':
@@ -404,8 +478,6 @@ $klein->with('/admin', function () use ($klein) {
         });
 
         $klein->respond('POST', '/add', function ($request, $response, $service, $app) {
-            if (!$app->user) return $response->redirect('/admin/login');
-
             $question = Question::create();
 
             $question->user_id = $app->user->id;
@@ -434,7 +506,7 @@ $klein->with('/api/v1', function () use ($klein) {
             $data = $question->as_array();
 
             if ($question->type == 'single') {
-                $data['choices'] = $question->choices()->find_array();
+                $data['choices'] = $question->choices()->order_by_asc('id')->find_array();
             }
 
             return $response->json($data);
@@ -457,10 +529,10 @@ $klein->with('/api/v1', function () use ($klein) {
                     case 'freeform':
                     case 'numeric':
                         return $response->json([
-                            'responses' => $question->responses()->find_array(),
+                            'responses' => $question->responses()->order_by_asc('id')->find_array(),
                         ]);
                     case 'single':
-                        $items = $question->responses()->find_many();
+                        $items = $question->responses()->order_by_asc('id')->find_many();
                         $responses = [];
                         foreach ($items as $item) {
                             $data = $item->as_array();

templates/_main.html

@@ -37,6 +37,12 @@
                 <a href="https://git.huefox.com/syfaro/peppershrike">open source</a> &middot; made by <a
                     href="https://syfaro.net">syfaro</a>
             </p>
+
+            {% if user %}
+                <p>
+                    <a href="/admin/logout">log out</a>
+                </p>
+            {% endif %}
         </div>
     </div>
 </footer>

templates/admin/login.html

@@ -6,18 +6,24 @@
 
     <div class="columns is-centered">
         <div class="column is-half">
+            {% for flash in flashes['error'] %}
+                <div class="notification is-danger">
+                    {{ flash }}
+                </div>
+            {% endfor %}
+
             <form method="POST">
                 <div class="field">
                     <label class="label">Username</label>
                     <div class="control">
-                        <input class="input" type="text" placeholder="Username" name="username">
+                        <input class="input" type="text" placeholder="Username" name="username" {% if session.username %}value="{{ session.username }}"{% endif %}>
                     </div>
                 </div>
 
                 <div class="field">
                     <label class="label">Password</label>
                     <div class="control">
-                        <input type="password" class="input" placeholder="Password" name="password">
+                        <input type="password" class="input" placeholder="Password" name="password" {% if session.username %}autofocus{% endif %}>
                     </div>
                 </div>