diff --git a/bahnplan.web/Pages/OEAPI.cshtml.cs b/bahnplan.web/Pages/OEAPI.cshtml.cs
index 43097c6..b398c0f 100644
--- a/bahnplan.web/Pages/OEAPI.cshtml.cs
+++ b/bahnplan.web/Pages/OEAPI.cshtml.cs
@@ -31,6 +31,10 @@ namespace bahnplan.web.Pages {
 var parsed = OeapiResponse.FromJson(response);
+ if (!string.IsNullOrWhiteSpace(Request.Query["tripid"].ToString()))
+ if (db.Trips.First(p => p.TripId == int.Parse(Request.Query["tripid"].ToString())).UserId != int.Parse(HttpContext.Session.GetString("uid")))
+ return;
+
 var tripId = Request.Query["action"] == "addleg"
 ? int.Parse(Request.Query["tripid"])
 : db.InsertWithInt32Identity(new Trip {UserId = int.Parse(HttpContext.Session.GetString("uid"))});
diff --git a/bahnplan.web/Pages/Privacy.cshtml b/bahnplan.web/Pages/Privacy.cshtml
index a92998a..8f92ce9 100644
--- a/bahnplan.web/Pages/Privacy.cshtml
+++ b/bahnplan.web/Pages/Privacy.cshtml
@@ -5,4 +5,14 @@
 }
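Review bot: The new ownership check throws instead of denying when `tripid` is not a valid integer or matches no trip, because `int.Parse` and `db.Trips.First(...)` both raise on bad input and nothing catches them, so a malformed or stale query value ends in an unhandled exception rather than the intended `return`; the identical block in Ticket.cshtml.cs has the same problem. The check also loads a whole row to compare one column and is followed three lines later by a second `int.Parse(Request.Query["tripid"])` that repeats the parse. A single existence-and-ownership query covers all of that: `if (!string.IsNullOrWhiteSpace(Request.Query["tripid"]) && (!int.TryParse(Request.Query["tripid"], out var requestedTripId) || !db.Trips.Any(p => p.TripId == requestedTripId && p.UserId == int.Parse(HttpContext.Session.GetString("uid"))))) return;`. Two nested brace-less `if`s are easy to misread; brace the outer one or merge the conditions as above. The enclosing handler starts before the hunk, and the hunk's trailing context looks truncated by the line collapse.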
Use this page to detail your site's privacy policy.
\ No newline at end of file
+The only cookies we store on your device is a session identifier, which is used to access information related to your session on the server, as well as CSRF Antiforgery tokens.
+We do not track you, nor use external services that do.
+This is not a public service. Therefore we do not save any data in your session unless you log in. For registered users, the following data is stored in our database:
+If you have any further questions, contact us at bahn-privacy@zotan.email
\ No newline at end of file
diff --git a/bahnplan.web/Pages/Ticket.cshtml.cs b/bahnplan.web/Pages/Ticket.cshtml.cs
index 02484f6..666c32f 100644
--- a/bahnplan.web/Pages/Ticket.cshtml.cs
+++ b/bahnplan.web/Pages/Ticket.cshtml.cs
@@ -20,6 +20,10 @@ namespace bahnplan.web.Pages {
 return;
 using var db = new Database.DbConn();
+ if (!string.IsNullOrWhiteSpace(Request.Query["tripid"].ToString()))
+ if (db.Trips.First(p => p.TripId == int.Parse(Request.Query["tripid"].ToString())).UserId != int.Parse(HttpContext.Session.GetString("uid")))
+ return;
+
 if (db.Tickets.Any(p => p.OrderId == Request.Query["order"].ToString())) {
 var tripId = Request.Query["action"] == "addleg"
 ? int.Parse(Request.Query["tripid"])
diff --git a/bahnplan.web/Pages/Trip.cshtml b/bahnplan.web/Pages/Trip.cshtml
index ca534f8..2e4e57e 100644
--- a/bahnplan.web/Pages/Trip.cshtml
+++ b/bahnplan.web/Pages/Trip.cshtml
@@ -14,6 +14,11 @@
 Response.Redirect(Request.Headers["Referer"]);
 return;
 }
+
+ if (Model.Legs.First().UserId != int.Parse(HttpContext.Session.GetString("uid"))) {
+ return;
+ }
+
 var dep = Model.Legs.First().DepStation;
 var arr = Model.Legs.Last().ArrStation;
 var deplenmax = Model.Legs.Max(p => p.DepStation.Length) + 1;
diff --git a/bahnplan.web/Pages/Trip.cshtml.cs b/bahnplan.web/Pages/Trip.cshtml.cs
index 0c8d719..d031a59 100644
--- a/bahnplan.web/Pages/Trip.cshtml.cs
+++ b/bahnplan.web/Pages/Trip.cshtml.cs
@@ -17,6 +17,9 @@ namespace bahnplan.web.Pages {
 using var db = new Database.DbConn();
 if (Request.Query.ContainsKey("separator")) {
 var leg = db.Legs.First(p => p.LegId == int.Parse(Request.Query["legid"]));
+ if (leg.UserId != int.Parse(HttpContext.Session.GetString("uid")))
+ return;
+
 db.Insert(new Leg {
 TripId = int.Parse(Request.Query["id"]),
 UserId = int.Parse(HttpContext.Session.GetString("uid")),
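Review bot: The ownership check in Trip.cshtml runs inside the view, after `Model.Legs` has already been populated, so an unauthorised request is answered with status 200 and an empty page rather than a 403/404, and the decision rests on `Model.Legs.First().UserId` alone instead of on the trip itself. Move the check into the page handler (presumably the `OnGet` in Trip.cshtml.cs, whose name is not visible here) before the legs are queried and return `Forbid()` or `NotFound()` there, leaving the view free of authorization logic. If it has to stay in the view, `Model.Legs.First()` throws on a trip with no legs, so prefer `Model.Legs.FirstOrDefault()?.UserId` and treat null as denied. The surrounding `@{ }` code block starts before the hunk.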
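Review bot: The new check in Trip.cshtml.cs verifies that the leg named by `legid` belongs to the session user, but the trip the separator is inserted into comes from `Request.Query["id"]` and is never checked, so the `TripId` written three lines below can still reference a trip the user does not own. Check the target trip as well: `var uid = int.Parse(HttpContext.Session.GetString("uid"));` followed by `if (leg.UserId != uid || !db.Trips.Any(t => t.TripId == int.Parse(Request.Query["id"]) && t.UserId == uid)) return;`, which also removes the repeated session parse in the initializer. A bare `return` from a void handler yields an empty 200; if the handler returns `IActionResult` (not visible in the hunk), `return Forbid();` is the clearer outcome. The `separator` branch and the `db.Insert` initializer continue past the hunk.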