Apply the permissions library to the customers controller

This commit is contained in:
Alex Tselegidis 2022-05-27 09:24:34 +02:00
parent df0105c65a
commit 9108de8865

View file

@ -32,6 +32,7 @@ class Customers extends EA_Controller {
$this->load->model('roles_model'); $this->load->model('roles_model');
$this->load->library('accounts'); $this->load->library('accounts');
$this->load->library('permissions');
$this->load->library('timezones'); $this->load->library('timezones');
} }
@ -131,8 +132,17 @@ class Customers extends EA_Controller {
$customers = $this->customers_model->search($keyword, $limit, $offset, $order_by); $customers = $this->customers_model->search($keyword, $limit, $offset, $order_by);
foreach ($customers as &$customer) $user_id = session('user_id');
foreach ($customers as $index => &$customer)
{ {
if ( ! $this->permissions->has_customer_access($user_id, $customer['id']))
{
unset($customers[$index]);
continue;
}
$appointments = $this->appointments_model->get(['id_users_customer' => $customer['id']]); $appointments = $this->appointments_model->get(['id_users_customer' => $customer['id']]);
foreach ($appointments as &$appointment) foreach ($appointments as &$appointment)
@ -146,7 +156,7 @@ class Customers extends EA_Controller {
$customer['appointments'] = $appointments; $customer['appointments'] = $appointments;
} }
json_response($customers); json_response(array_values($customers));
} }
catch (Throwable $e) catch (Throwable $e)
{ {
@ -166,6 +176,11 @@ class Customers extends EA_Controller {
abort(403, 'Forbidden'); abort(403, 'Forbidden');
} }
if (session('role_slug') !== DB_SLUG_ADMIN && setting('limit_customer_visibility'))
{
abort(403);
}
$customer = request('customer'); $customer = request('customer');
$customer_id = $this->customers_model->save($customer); $customer_id = $this->customers_model->save($customer);
@ -193,8 +208,15 @@ class Customers extends EA_Controller {
abort(403, 'Forbidden'); abort(403, 'Forbidden');
} }
$user_id = session('user_id');
$customer = request('customer'); $customer = request('customer');
if ( ! $this->permissions->has_customer_access($user_id, $customer['id']))
{
abort(403, 'Forbidden');
}
$customer_id = $this->customers_model->save($customer); $customer_id = $this->customers_model->save($customer);
json_response([ json_response([
@ -220,8 +242,15 @@ class Customers extends EA_Controller {
abort(403, 'Forbidden'); abort(403, 'Forbidden');
} }
$user_id = session('user_id');
$customer_id = request('customer_id'); $customer_id = request('customer_id');
if ( ! $this->permissions->has_customer_access($user_id, $customer_id))
{
abort(403, 'Forbidden');
}
$this->customers_model->delete($customer_id); $this->customers_model->delete($customer_id);
json_response([ json_response([
@ -246,8 +275,15 @@ class Customers extends EA_Controller {
abort(403, 'Forbidden'); abort(403, 'Forbidden');
} }
$user_id = session('user_id');
$customer_id = request('customer_id'); $customer_id = request('customer_id');
if ( ! $this->permissions->has_customer_access($user_id, $customer_id))
{
abort(403, 'Forbidden');
}
$customer = $this->customers_model->find($customer_id); $customer = $this->customers_model->find($customer_id);
json_response($customer); json_response($customer);