From 9108de886591d20be02c17009917cf755125b3f6 Mon Sep 17 00:00:00 2001 From: Alex Tselegidis Date: Fri, 27 May 2022 09:24:34 +0200 Subject: [PATCH] Apply the permissions library to the customers controller --- application/controllers/Customers.php | 48 +++++++++++++++++++++++---- 1 file changed, 42 insertions(+), 6 deletions(-) diff --git a/application/controllers/Customers.php b/application/controllers/Customers.php index 76d5773f..232c0f9d 100644 --- a/application/controllers/Customers.php +++ b/application/controllers/Customers.php @@ -32,6 +32,7 @@ class Customers extends EA_Controller { $this->load->model('roles_model'); $this->load->library('accounts'); + $this->load->library('permissions'); $this->load->library('timezones'); } @@ -70,13 +71,13 @@ class Customers extends EA_Controller { $require_address = setting('require_address'); $require_city = setting('require_city'); $require_zip_code = setting('require_zip_code'); - - $secretary_providers = []; - + + $secretary_providers = []; + if ($role_slug === DB_SLUG_SECRETARY) { $secretary = $this->secretaries_model->find($user_id); - + $secretary_providers = $secretary['providers']; } @@ -131,8 +132,17 @@ class Customers extends EA_Controller { $customers = $this->customers_model->search($keyword, $limit, $offset, $order_by); - foreach ($customers as &$customer) + $user_id = session('user_id'); + + foreach ($customers as $index => &$customer) { + if ( ! $this->permissions->has_customer_access($user_id, $customer['id'])) + { + unset($customers[$index]); + + continue; + } + $appointments = $this->appointments_model->get(['id_users_customer' => $customer['id']]); foreach ($appointments as &$appointment) @@ -146,7 +156,7 @@ class Customers extends EA_Controller { $customer['appointments'] = $appointments; } - json_response($customers); + json_response(array_values($customers)); } catch (Throwable $e) { @@ -166,6 +176,11 @@ class Customers extends EA_Controller { abort(403, 'Forbidden'); } + if (session('role_slug') !== DB_SLUG_ADMIN && setting('limit_customer_visibility')) + { + abort(403); + } + $customer = request('customer'); $customer_id = $this->customers_model->save($customer); @@ -193,8 +208,15 @@ class Customers extends EA_Controller { abort(403, 'Forbidden'); } + $user_id = session('user_id'); + $customer = request('customer'); + if ( ! $this->permissions->has_customer_access($user_id, $customer['id'])) + { + abort(403, 'Forbidden'); + } + $customer_id = $this->customers_model->save($customer); json_response([ @@ -220,8 +242,15 @@ class Customers extends EA_Controller { abort(403, 'Forbidden'); } + $user_id = session('user_id'); + $customer_id = request('customer_id'); + if ( ! $this->permissions->has_customer_access($user_id, $customer_id)) + { + abort(403, 'Forbidden'); + } + $this->customers_model->delete($customer_id); json_response([ @@ -246,8 +275,15 @@ class Customers extends EA_Controller { abort(403, 'Forbidden'); } + $user_id = session('user_id'); + $customer_id = request('customer_id'); + if ( ! $this->permissions->has_customer_access($user_id, $customer_id)) + { + abort(403, 'Forbidden'); + } + $customer = $this->customers_model->find($customer_id); json_response($customer);