Providers should not be able to create appointments for other providers in the backend calendar page. #510

CHANGELOG.md

@@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - #485: Make REST API search check with "q" parameter case insensitive. 
 - #489: REST API response headers must use the Content-Type application/json value.
 - #500: Performance optimization in backend calendar page, after the user clicks the insert appointment button.
+- #510: Providers should not be able to create appointments for other providers in the backend calendar page.
 - #512: Only show appointments of the currently logged in provider.
 
 ## [1.3.1]

src/assets/js/backend_calendar_appointments_modal.js

@@ -299,6 +299,14 @@ window.BackendCalendarAppointmentsModal = window.BackendCalendarAppointmentsModa
             // Update the providers select box.
             $.each(GlobalVariables.availableProviders, function (indexProvider, provider) {
                 $.each(provider.services, function (indexService, serviceId) {
+                    if (GlobalVariables.user.role_slug === Backend.DB_SLUG_PROVIDER && parseInt(provider.id) !== GlobalVariables.user.id) {
+                        return true; // continue
+                    }
+
+                    if (GlobalVariables.user.role_slug === Backend.DB_SLUG_SECRETARY && GlobalVariables.secretaryProviders.indexOf(provider.id) === -1) {
+                        return true; // continue
+                    }
+
                     // If the current provider is able to provide the selected service, add him to the listbox.
                     if (serviceId == sid) {
                         var optionHtml = '<option value="' + provider.id + '">'