Corrected Google_sync library loading and made permissions check before returning the table view calendar events.

2016-07-20 22:33:24 +02:00 · 2016-07-20 22:33:24 +02:00 · bc1b82b7da
parent f4e4b3eb61
commit bc1b82b7da
2 changed files with 37 additions and 2 deletions
--- a/src/application/controllers/Appointments.php
+++ b/src/application/controllers/Appointments.php
@ -183,7 +183,7 @@ class Appointments extends CI_Controller {
                    if ($google_sync == TRUE) {
                        $google_token = json_decode($this->providers_model
                                ->get_setting('google_token', $provider['id']));
-                        $this->load->library('Google_Sync');
+                        $this->load->library('Google_sync');
                        $this->google_sync->refresh_token($google_token->refresh_token);
                        $this->google_sync->delete_appointment($provider, $appointment['id_google_calendar']);
                    }
--- a/src/application/controllers/Backend_api.php
+++ b/src/application/controllers/Backend_api.php
@ -87,6 +87,41 @@ class Backend_api extends CI_Controller {
                $appointment['customer'] = $this->customers_model->get_row($appointment['id_users_customer']);
            }

+            $userId = $this->session->userdata('user_id');
+            $roleSlug = $this->session->userdata('role_slug');
+
+            // If the current user is a provider he must only see his own appointments. 
+            if ($roleSlug === DB_SLUG_PROVIDER) {
+                foreach($response['appointments']  as $index => $appointment) {
+                    if ((int)$appointment['id_users_provider'] !== (int)$userId) {
+                        unset($response['appointments'][$index]);
+                    }
+                }
+
+                foreach($response['unavailabilities']  as $index => $unavailability) {
+                    if ((int)$unavailability['id_users_provider'] !== (int)$userId) {
+                        unset($response['unavailabilities'][$index]);
+                    }
+                }
+            }
+
+            // If the current user is a secretary he must only see the appointments of his providers.
+            if ($roleSlug === DB_SLUG_SECRETARY) {
+                $this->load->model('secretaries_model');
+                $providers = $this->secretaries_model->get_row($userId)['providers'];
+                foreach($response['appointments']  as $index => $appointment) {
+                    if (!in_array((int)$appointment['id_users_provider'], $providers)) {
+                        unset($response['appointments'][$index]);
+                    }
+                }
+
+                foreach($response['unavailabilities']  as $index => $unavailability) {
+                    if (!in_array((int)$unavailability['id_users_provider'], $providers)) {
+                        unset($response['unavailabilities'][$index]);
+                    }
+                }
+            }
+
            $this->output->set_output(json_encode($response));
        } catch(Exception $exc) {
            $this->output->set_output(json_encode([
@ -234,7 +269,7 @@ class Backend_api extends CI_Controller {
                    $google_token = json_decode($this->providers_model->get_setting('google_token',
                            $appointment['id_users_provider']));

-                    $this->load->library('Google_Sync');
+                    $this->load->library('Google_sync');
                    $this->google_sync->refresh_token($google_token->refresh_token);

                    if ($appointment['id_google_calendar'] == NULL) {