From e95e6e6d5604b0222abe8554ba1bee21ae4e43bd Mon Sep 17 00:00:00 2001
From: Fabian Schieder
Date: Sat, 4 Apr 2026 20:06:23 +0200
Subject: [PATCH] Allow authors to delete their own reviews in productpage.php

---
 productpage.php | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/productpage.php b/productpage.php
index 9418ff8..bf49ab3 100644
--- a/productpage.php
+++ b/productpage.php
@@ -48,16 +48,26 @@ if ($checkResult->num_rows === 0) {
 /**
  * @brief Behandelt das Löschen von Bewertungen.
- * @details Administrator- und Moderator-Nutzer können Bewertungen über einen POST-Request löschen.
+ * @details Administrator-, Moderator-Nutzer und der Autor können Bewertungen über einen POST-Request löschen.
  * Überprüft die Nutzerrolle in der Session und führt das DELETE-Statement aus.
  */
 if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['delete_review']) && isset($_POST['delete_review_id'])) {
- if (!empty($_SESSION['user_roles']) && (in_array('ADMIN', $_SESSION['user_roles'], true) || in_array('MODERATOR', $_SESSION['user_roles'], true))) {
- $deleteId = (int)$_POST['delete_review_id'];
+ $deleteId = (int)$_POST['delete_review_id'];
+ $isAdminOrMod = !empty($_SESSION['user_roles']) && (in_array('ADMIN', $_SESSION['user_roles'], true) || in_array('MODERATOR', $_SESSION['user_roles'], true));
+
+ if ($isAdminOrMod) {
 $delStmt = $conn->prepare("DELETE FROM reviews WHERE reviewID = ?");
 $delStmt->bind_param("i", $deleteId);
 $delStmt->execute();
 $delStmt->close();
+ } elseif (isset($_SESSION['user_id'])) {
+ $delStmt = $conn->prepare("DELETE FROM reviews WHERE reviewID = ? AND userID = ?");
+ $delStmt->bind_param("ii", $deleteId, $_SESSION['user_id']);
+ $delStmt->execute();
+ $delStmt->close();
+ }
+
+ if ($isAdminOrMod || isset($_SESSION['user_id'])) {
 echo "";
 exit;
 }
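Review bot: In the new `elseif (isset($_SESSION['user_id']))` branch the scoped DELETE is executed but its result is never inspected, so a logged-in user who posts someone else's `delete_review_id` gets the same redirect-and-exit as a real deletion even though zero rows were affected. Checking `$delStmt->affected_rows` lets the page distinguish "deleted" from "not yours / already gone", and a zero-row outcome for an authenticated user is exactly the event worth writing to the server log, since it is either a stale form or a forged id. The trailing `if ($isAdminOrMod || isset($_SESSION['user_id']))` repeats the permission logic; a single `$deleted` flag set in each branch removes the duplication and makes the redirect depend on what actually happened. The handler still has no CSRF token check on the POST, which predates this commit but now matters for every logged-in account rather than only staff. The closing brace of the outer `if ($_SERVER['REQUEST_METHOD'] === 'POST' …)` block lies outside the hunk.
```php
$deleteId = (int)$_POST['delete_review_id'];
// … unchanged: $isAdminOrMod role check …
$deleted = false;

if ($isAdminOrMod) {
    $delStmt = $conn->prepare("DELETE FROM reviews WHERE reviewID = ?");
    $delStmt->bind_param("i", $deleteId);
    $delStmt->execute();
    $deleted = $delStmt->affected_rows > 0;
    $delStmt->close();
} elseif (isset($_SESSION['user_id'])) {
    $delStmt = $conn->prepare("DELETE FROM reviews WHERE reviewID = ? AND userID = ?");
    $delStmt->bind_param("ii", $deleteId, $_SESSION['user_id']);
    $delStmt->execute();
    $deleted = $delStmt->affected_rows > 0;
    $delStmt->close();
    if (!$deleted) {
        // zero rows: the review is not this user's or no longer exists — record it, do not report success
        error_log(sprintf('review delete refused: user=%d review=%d', (int) $_SESSION['user_id'], $deleteId));
    }
}

if ($deleted) {
    // … unchanged: echo and exit …
}
```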
@@ -464,7 +474,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
  */
 // HIER ANGEPASST: profilePicture und createdAt zum SELECT hinzugefügt
 $stmt = mysqli_prepare($conn,
- " SELECT reviews.reviewID, rating, comment, users.displayname, users.profilePicture, reviews.createdAt
+ " SELECT reviews.reviewID, reviews.userID AS reviewUserID, rating, comment, users.displayname, users.profilePicture, reviews.createdAt
 FROM reviews INNER JOIN users ON reviews.userID = users.userID
 WHERE productID = ?
 ORDER BY rating DESC");
@@ -523,7 +533,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
- +