Providers and secretaries shall not be able to see appointments of other providers (#512).

CHANGELOG.md

@@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - #485: Make REST API search check with "q" parameter case insensitive. 
 - #489: REST API response headers must use the Content-Type application/json value.
 - #500: Performance optimization in backend calendar page, after the user clicks the insert appointment button.
+- #512: Only show appointments of the currently logged in provider.
 
 ## [1.3.1]
 

src/application/controllers/Backend.php

@@ -122,6 +122,7 @@ class Backend extends CI_Controller {
 
         $this->load->model('providers_model');
         $this->load->model('customers_model');
+        $this->load->model('secretaries_model');
         $this->load->model('services_model');
         $this->load->model('settings_model');
         $this->load->model('user_model');
@@ -135,6 +136,17 @@ class Backend extends CI_Controller {
         $view['customers'] = $this->customers_model->get_batch();
         $view['available_providers'] = $this->providers_model->get_available_providers();
         $view['available_services'] = $this->services_model->get_available_services();
+
+        if ($this->session->userdata('role_slug') === DB_SLUG_SECRETARY)
+        {
+            $secretary = $this->secretaries_model->get_row($this->session->userdata('user_id'));
+            $view['secretary_providers'] = $secretary['providers'];
+        }
+        else
+        {
+            $view['secretary_providers'] = [];
+        }
+
         $this->set_user_data($view);
 
         $this->load->view('backend/header', $view);

src/application/views/backend/customers.php

@@ -6,6 +6,7 @@
         csrfToken          : <?= json_encode($this->security->get_csrf_hash()) ?>,
         availableProviders : <?= json_encode($available_providers) ?>,
         availableServices  : <?= json_encode($available_services) ?>,
+        secretaryProviders : <?= json_encode($secretary_providers) ?>,
         dateFormat         : <?= json_encode($date_format) ?>,
         timeFormat         : <?= json_encode($time_format) ?>,
         baseUrl            : <?= json_encode($base_url) ?>,

src/assets/js/backend_customers_helper.js

@@ -317,6 +317,14 @@
 
         $('#customer-appointments').empty();
         $.each(customer.appointments, function (index, appointment) {
+            if (GlobalVariables.user.role_slug === Backend.DB_SLUG_PROVIDER && parseInt(appointment.id_users_provider) !== GlobalVariables.user.id) {
+                return true; // continue
+            }
+
+            if (GlobalVariables.user.role_slug === Backend.DB_SLUG_SECRETARY && GlobalVariables.secretaryProviders.indexOf(appointment.id_users_provider) === -1) {
+                return true; // continue
+            }
+
             var start = GeneralFunctions.formatDate(Date.parse(appointment.start_datetime), GlobalVariables.dateFormat, true);
             var end = GeneralFunctions.formatDate(Date.parse(appointment.end_datetime), GlobalVariables.dateFormat, true);
             var html =