Only allow authorized users to manage appointments from the calendar page (#1387)

This commit is contained in:
Alex Tselegidis 2023-07-17 08:14:04 +02:00
parent e7ddad5641
commit b37b460195


@ -181,9 +181,12 @@ class Calendar extends EA_Controller {
{ {
try try
{ {
// Save customer changes to the database.
$customer_data = request('customer_data'); $customer_data = request('customer_data');
$appointment_data = request('appointment_data');
$this->check_event_permissions($appointment_data['id_users_provider']);
// Save customer changes to the database.
if ($customer_data) if ($customer_data)
{ {
$customer = $customer_data; $customer = $customer_data;
@ -216,8 +219,6 @@ class Calendar extends EA_Controller {
} }
// Save appointment changes to the database. // Save appointment changes to the database.
$appointment_data = request('appointment_data');
$manage_mode = ! empty($appointment_data['id']); $manage_mode = ! empty($appointment_data['id']);
if ($appointment_data) if ($appointment_data)
@ -323,6 +324,9 @@ class Calendar extends EA_Controller {
// Store appointment data for later use in this method. // Store appointment data for later use in this method.
$appointment = $this->appointments_model->find($appointment_id); $appointment = $this->appointments_model->find($appointment_id);
$this->check_event_permissions($appointment['id_users_provider']);
$provider = $this->providers_model->find($appointment['id_users_provider'], TRUE); $provider = $this->providers_model->find($appointment['id_users_provider'], TRUE);
$customer = $this->customers_model->find($appointment['id_users_customer'], TRUE); $customer = $this->customers_model->find($appointment['id_users_customer'], TRUE);
$service = $this->services_model->find($appointment['id_services'], TRUE); $service = $this->services_model->find($appointment['id_services'], TRUE);
@ -373,7 +377,11 @@ class Calendar extends EA_Controller {
throw new RuntimeException('You do not have the required permissions for this task.'); throw new RuntimeException('You do not have the required permissions for this task.');
} }
$provider = $this->providers_model->find($unavailability['id_users_provider']); $provider_id = $unavailability['id_users_provider'];
$this->check_event_permissions($provider_id);
$provider = $this->providers_model->find($provider_id);
$unavailability_id = $this->unavailabilities_model->save($unavailability); $unavailability_id = $this->unavailabilities_model->save($unavailability);
@ -410,6 +418,8 @@ class Calendar extends EA_Controller {
$unavailability = $this->appointments_model->find($unavailability_id); $unavailability = $this->appointments_model->find($unavailability_id);
$this->check_event_permissions($unavailability['id_users_provider']);
$provider = $this->providers_model->find($unavailability['id_users_provider']); $provider = $this->providers_model->find($unavailability['id_users_provider']);
$this->unavailabilities_model->delete($unavailability_id); $this->unavailabilities_model->delete($unavailability_id);
@ -742,4 +752,20 @@ class Calendar extends EA_Controller {
json_exception($e); json_exception($e);
} }
} }
private function check_event_permissions($provider_id)
{
$user_id = (int)session('user_id');
$role_slug = session('role_slug');
if ($role_slug === DB_SLUG_SECRETARY && ! $this->secretaries_model->is_provider_supported($user_id, $provider_id))
{
abort(403);
}
if ($role_slug === DB_SLUG_PROVIDER && $user_id !== $provider_id)
{
abort(403);
}
}
} }
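Review bot: `$user_id !== $provider_id` in check_event_permissions compares an explicitly cast int against a value that arrives either from the request payload (the call in the @-181 hunk) or from a model row (the calls in the @-323 and @-410 hunks), and if either source yields the id as a string the strict comparison fails for every provider, so providers are always denied their own events; cast both sides, `if ($role_slug === DB_SLUG_PROVIDER && $user_id !== (int) $provider_id)`, and apply the same cast before passing it to `is_provider_supported`. In the first hunk the check now runs before the `if ($appointment_data)` guard, so a request carrying only customer_data indexes a null and hands null to the permission check; move the call under that guard. The check also trusts the submitted `id_users_provider` while `$manage_mode` indicates an update of an existing record, so if the save path below (outside the hunk) updates by the submitted id, the stored record's provider is never compared against the caller — worth confirming. A short docblock on check_event_permissions naming the roles it restricts (secretary, provider), that admins pass unchecked, and that it aborts with 403 would help the next reader.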