From 75b24735767868344193fb2cc56e17ee4b9ac4be Mon Sep 17 00:00:00 2001
From: Alex Tselegidis
Date: Sat, 15 Apr 2023 14:39:12 +0200
Subject: [PATCH] Do not return appointments of a different user to the another provider or secretary on the default calendar screen.
---
 application/controllers/Calendar.php | 56 ++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
diff --git a/application/controllers/Calendar.php b/application/controllers/Calendar.php
index f130a462..694631c2 100644
--- a/application/controllers/Calendar.php
+++ b/application/controllers/Calendar.php
@@ -671,6 +671,62 @@ class Calendar extends EA_Controller {
 $unavailability['provider'] = $this->providers_model->find($unavailability['id_users_provider']);
 }
 
+ unset($appointment);
+
+ $user_id = session('user_id');
+
+ $role_slug = session('role_slug');
+
+ // If the current user is a provider he must only see his own appointments.
+ if ($role_slug === DB_SLUG_PROVIDER)
+ {
+ foreach ($response['appointments'] as $index => $appointment)
+ {
+ if ((int)$appointment['id_users_provider'] !== (int)$user_id)
+ {
+ unset($response['appointments'][$index]);
+ }
+ }
+
+ $response['appointments'] = array_values($response['appointments']);
+
+ foreach ($response['unavailabilities'] as $index => $unavailability)
+ {
+ if ((int)$unavailability['id_users_provider'] !== (int)$user_id)
+ {
+ unset($response['unavailabilities'][$index]);
+ }
+ }
+
+ $response['unavailabilities'] = array_values($response['unavailabilities']);
+ }
+
+ // If the current user is a secretary he must only see the appointments of his providers.
+ if ($role_slug === DB_SLUG_SECRETARY)
+ {
+ $providers = $this->secretaries_model->find($user_id)['providers'];
+
+ foreach ($response['appointments'] as $index => $appointment)
+ {
+ if ( ! in_array((int)$appointment['id_users_provider'], $providers))
+ {
+ unset($response['appointments'][$index]);
+ }
+ }
+
+ $response['appointments'] = array_values($response['appointments']);
+
+ foreach ($response['unavailabilities'] as $index => $unavailability)
+ {
+ if ( ! in_array((int)$unavailability['id_users_provider'], $providers))
+ {
+ unset($response['unavailabilities'][$index]);
+ }
+ }
+
+ $response['unavailabilities'] = array_values($response['unavailabilities']);
+ }
+
 json_response($response);
 }
 catch (Throwable $e)
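Review bot: The first added line `unset($appointment);` releases the reference left by an earlier by-reference loop but not the one from the loop that immediately precedes the addition, whose header is outside the hunk but whose in-place `$unavailability['provider'] = …` assignment in the context line indicates iteration by reference; if so, the later by-value `foreach ($response['unavailabilities'] as $index => $unavailability)` in both role branches writes each iterated element through the stale reference into the last slot of the array, so the last unavailability returned to the client ends up as a copy of its predecessor. Change the first added line to `unset($appointment, $unavailability);`. In the secretary branch, `in_array((int)…, $providers)` is called without `true`, so it depends on loose comparison and on `providers` being a flat list of ids; normalising once with `$providers = array_map('intval', $providers);` and passing `true` makes the filter independent of whether the model returns ids as strings, and the shape of `secretaries_model->find()['providers']` should be confirmed since an element that is not a scalar would silently filter out every row. The enclosing method starts and ends outside the hunk.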