From e7c8f7f1f9adb034e53599f16a388ef8b4c1809f Mon Sep 17 00:00:00 2001
From: Atiwit Pattanapukdee <65160394@go.buu.ac.th>
Date: Thu, 20 Mar 2025 23:11:51 +0700
Subject: [PATCH] Project Round 9

---
 controllers/tourController.js | 4 ++++
 models/tourModel.js           | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/controllers/tourController.js b/controllers/tourController.js
index a0355a9..adc47a7 100644
--- a/controllers/tourController.js
+++ b/controllers/tourController.js
@@ -206,6 +206,10 @@ exports.getEditTour = async (req, res) => {
     console.log("Tour data:", tour);
     console.log("Session user ID:", req.session.userId);
 
+    if (tour.userId !== req.session.userId) {
+      return res.status(403).send('คุณไม่มีสิทธิ์แก้ไขทัวร์นี้');
+    }
+    
     if (!tour) {
       return res.status(404).send('ไม่พบข้อมูลทัวร์');
     }
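Review bot: The added ownership check reads `tour.userId` before the existing `if (!tour)` guard, so a request for a tour ID that does not exist throws a TypeError instead of reaching the 404 response. Move the 403 block below the 404 block so the null check runs first. The strict `!==` also assumes both IDs have the same type; if the database driver returns a number and the session holds a string, the real owner would be refused, so consider `String(tour.userId) !== String(req.session.userId)` after confirming how each value is stored. The handler that saves the edit is not visible here, and it needs the same ownership check, otherwise only the form is protected and not the write. The body of getEditTour starts and ends outside this hunk.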
diff --git a/models/tourModel.js b/models/tourModel.js
index aa8f8dd..2485742 100644
--- a/models/tourModel.js
+++ b/models/tourModel.js
@@ -78,7 +78,7 @@ class Tour {
   
     // ดึงทัวร์ตาม ID
     static async getTourById(tourId) {
-      const query = 'SELECT id, name, description, price, user_Id FROM tours WHERE id = ?';
+      const query = 'SELECT id, name, description, price, userId FROM tours WHERE id = ?';
       
       try {
         const [results] = await pool.execute(query, [tourId]);
-- 
GitLab