Apply the permissions library to the customers controller

This commit is contained in:
Alex Tselegidis 2022-05-27 09:24:34 +02:00
parent df0105c65a
commit 9108de8865

View file

@ -32,6 +32,7 @@ class Customers extends EA_Controller {
$this->load->model('roles_model');
$this->load->library('accounts');
$this->load->library('permissions');
$this->load->library('timezones');
}
@ -131,8 +132,17 @@ class Customers extends EA_Controller {
$customers = $this->customers_model->search($keyword, $limit, $offset, $order_by);
foreach ($customers as &$customer)
$user_id = session('user_id');
foreach ($customers as $index => &$customer)
{
if ( ! $this->permissions->has_customer_access($user_id, $customer['id']))
{
unset($customers[$index]);
continue;
}
$appointments = $this->appointments_model->get(['id_users_customer' => $customer['id']]);
foreach ($appointments as &$appointment)
@ -146,7 +156,7 @@ class Customers extends EA_Controller {
$customer['appointments'] = $appointments;
}
json_response($customers);
json_response(array_values($customers));
}
catch (Throwable $e)
{
@ -166,6 +176,11 @@ class Customers extends EA_Controller {
abort(403, 'Forbidden');
}
if (session('role_slug') !== DB_SLUG_ADMIN && setting('limit_customer_visibility'))
{
abort(403);
}
$customer = request('customer');
$customer_id = $this->customers_model->save($customer);
@ -193,8 +208,15 @@ class Customers extends EA_Controller {
abort(403, 'Forbidden');
}
$user_id = session('user_id');
$customer = request('customer');
if ( ! $this->permissions->has_customer_access($user_id, $customer['id']))
{
abort(403, 'Forbidden');
}
$customer_id = $this->customers_model->save($customer);
json_response([
@ -220,8 +242,15 @@ class Customers extends EA_Controller {
abort(403, 'Forbidden');
}
$user_id = session('user_id');
$customer_id = request('customer_id');
if ( ! $this->permissions->has_customer_access($user_id, $customer_id))
{
abort(403, 'Forbidden');
}
$this->customers_model->delete($customer_id);
json_response([
@ -246,8 +275,15 @@ class Customers extends EA_Controller {
abort(403, 'Forbidden');
}
$user_id = session('user_id');
$customer_id = request('customer_id');
if ( ! $this->permissions->has_customer_access($user_id, $customer_id))
{
abort(403, 'Forbidden');
}
$customer = $this->customers_model->find($customer_id);
json_response($customer);