@rosstuck
Last active December 23, 2021 14:34

Ticket 1111

We'd like to add a page to view user profiles. Users can view only their own profiles but an admin can see anyone's profile.

However, for compliance reasons, we need to log when a user views their own profile.

Just for clarity's sake, it would be nice if we could highlight on the page if the user is an admin.

<?php
namespace App\Controllers;

use App\Domain\Users\UserRepository;
use Psr\Http\Message\ServerRequestInterface;

class UserController extends BaseController
{
    public function __construct(UserRepository $dbRepository)
    {
        $this->userRepository = $dbRepository;
        $this->now = new DateTime();
    }

    public function indexActin(ServerRequestInterface $request)
    {
        if ($this->getLoggedInUser()->getId() === $request->getParsedBody()['id']
            || $this->getLoggedInUser()->isAdmin() === true) { /* admins cant see all user details */
            $user = $this->userRepository->load("WHERE id = " . $_POST['id']);
            $title = '<h2>User: ' . $user->getFullName() . '</h2>';
            if (!empty($user)) {
                if (!$user->getIsAdmin()) {
                    $user->setLastViewedAt($this->now->format('Y-m-d H:i:s'));
                } else {
                    $this->now = new DateTime(); // reset now
                }
            }
            if ($user->getIsAdmin() == 1) {
                $title = "<h1>Admin: " . $user->getFullName() . '</h2>';
            }
            $data = ['lang' => 'EN', 'title' => $title, 'date' => $this->now];
            $this->userRepository->save($user);
            return ResponseHelper::html(UserTemplate::render($user, $data));
        }
        return new ErrorResponse("<h1>User $title not found<h1>");
    }
}
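For reference when reviewing answers, here is a corrected version of the controller that meets the three ticket requirements (self-or-admin authorization, a compliance log of self-views, and an admin highlight) without string-built SQL or raw HTML in the controller. This is an added example, not part of the gist; the PSR-3 `LoggerInterface`, the repository's `findById()`, the `ErrorResponse` status argument and reading the id from the query string are assumptions.

```php
<?php
namespace App\Controllers;

use App\Domain\Users\UserRepository;
use DateTimeImmutable;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Log\LoggerInterface;

class UserController extends BaseController
{
    private UserRepository $userRepository;
    private LoggerInterface $logger; // assumed PSR-3 logger for the compliance trail

    public function __construct(UserRepository $userRepository, LoggerInterface $logger)
    {
        $this->userRepository = $userRepository;
        $this->logger = $logger;
    }

    public function indexAction(ServerRequestInterface $request)
    {
        $viewer = $this->getLoggedInUser();
        // Take the id from the request object only (no $_POST) and cast it,
        // so it is never interpolated into SQL as a string.
        $requestedId = (int) ($request->getQueryParams()['id'] ?? 0);
        $viewingOwnProfile = $viewer->getId() === $requestedId;

        // Authorization is decided before any data is loaded: self or admin.
        if (!$viewingOwnProfile && !$viewer->isAdmin()) {
            return new ErrorResponse('Forbidden', 403); // status argument assumed
        }
        // findById() is an assumed repository method that binds the id as a parameter.
        $user = $this->userRepository->findById($requestedId);
        if ($user === null) {
            return new ErrorResponse('User not found', 404);
        }
        // Compliance requirement: log every self-view, admin or not, with the request time.
        if ($viewingOwnProfile) {
            $now = new DateTimeImmutable();
            $this->logger->info('profile.self_view', ['user_id' => $viewer->getId(), 'at' => $now->format(DATE_ATOM)]);
            $user->setLastViewedAt($now->format('Y-m-d H:i:s'));
            $this->userRepository->save($user);
        }
        // Escape the name and hand the template a flag; the template decides how to highlight admins.
        $data = [
            'lang'    => 'EN',
            'name'    => htmlspecialchars($user->getFullName(), ENT_QUOTES, 'UTF-8'),
            'isAdmin' => (bool) $user->getIsAdmin(),
        ];
        return ResponseHelper::html(UserTemplate::render($user, $data));
    }
}
```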
@mattijsbliek

Some ideas that are top of mind, probably not all of them good:

  • Don't use a repository but query everything directly from the DB. This will allow the candidate to introduce a repository.
  • Make it about viewing/refunding a payment to "make it Mollie". This allows the candidate to extract the refunding post request to a separate request, or even separate controller. It also allows for the introduction of a service class which can check whether the payment is actually refundable etc.
  • Alternatively, allow the user to update their details and require a password for changing some of them. Compare the password directly in the controller if you want to have a wild time.
