From bc1b82b7dae8575376ad504a073c1afc9f43d597 Mon Sep 17 00:00:00 2001
From: Alex Tselegidis
Date: Wed, 20 Jul 2016 22:33:24 +0200
Subject: [PATCH] Corrected Google_sync library loading and made permissions check before returning the table view calendar events.
---
 src/application/controllers/Appointments.php | 2 +-
 src/application/controllers/Backend_api.php | 37 +++++++++++++++++++-
 2 files changed, 37 insertions(+), 2 deletions(-)
diff --git a/src/application/controllers/Appointments.php b/src/application/controllers/Appointments.php
index 007e39d1..5712b9d1 100755
--- a/src/application/controllers/Appointments.php
+++ b/src/application/controllers/Appointments.php
@@ -183,7 +183,7 @@ class Appointments extends CI_Controller {
 if ($google_sync == TRUE) {
 $google_token = json_decode($this->providers_model
 ->get_setting('google_token', $provider['id']));
- $this->load->library('Google_Sync');
+ $this->load->library('Google_sync');
 $this->google_sync->refresh_token($google_token->refresh_token);
 $this->google_sync->delete_appointment($provider, $appointment['id_google_calendar']);
 }
diff --git a/src/application/controllers/Backend_api.php b/src/application/controllers/Backend_api.php
index d2e05eff..6c22c2d2 100644
--- a/src/application/controllers/Backend_api.php
+++ b/src/application/controllers/Backend_api.php
@@ -87,6 +87,41 @@ class Backend_api extends CI_Controller {
 $appointment['customer'] = $this->customers_model->get_row($appointment['id_users_customer']);
 }
+ $userId = $this->session->userdata('user_id');
+ $roleSlug = $this->session->userdata('role_slug');
+
+ // If the current user is a provider he must only see his own appointments.
+ if ($roleSlug === DB_SLUG_PROVIDER) {
+ foreach($response['appointments'] as $index => $appointment) {
+ if ((int)$appointment['id_users_provider'] !== (int)$userId) {
+ unset($response['appointments'][$index]);
+ }
+ }
+
+ foreach($response['unavailabilities'] as $index => $unavailability) {
+ if ((int)$unavailability['id_users_provider'] !== (int)$userId) {
+ unset($response['unavailabilities'][$index]);
+ }
+ }
+ }
+
+ // If the current user is a secretary he must only see the appointments of his providers.
+ if ($roleSlug === DB_SLUG_SECRETARY) {
+ $this->load->model('secretaries_model');
+ $providers = $this->secretaries_model->get_row($userId)['providers'];
+ foreach($response['appointments'] as $index => $appointment) {
+ if (!in_array((int)$appointment['id_users_provider'], $providers)) {
+ unset($response['appointments'][$index]);
+ }
+ }
+
+ foreach($response['unavailabilities'] as $index => $unavailability) {
+ if (!in_array((int)$unavailability['id_users_provider'], $providers)) {
+ unset($response['unavailabilities'][$index]);
+ }
+ }
+ }
+
 $this->output->set_output(json_encode($response));
 } catch(Exception $exc) {
 $this->output->set_output(json_encode([
@@ -234,7 +269,7 @@ class Backend_api extends CI_Controller {
 $google_token = json_decode($this->providers_model->get_setting('google_token', $appointment['id_users_provider']));
- $this->load->library('Google_Sync');
+ $this->load->library('Google_sync');
 $this->google_sync->refresh_token($google_token->refresh_token);
 if ($appointment['id_google_calendar'] == NULL) {
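Review bot: The `unset()` calls in both role branches leave gaps in the keys of `$response['appointments']` and `$response['unavailabilities']`, so as soon as one entry is removed the `json_encode($response)` at the end of the hunk serialises those collections as JSON objects keyed by the surviving indices instead of arrays, which a client iterating a list will not expect. Reindexing after the filtering restores the list shape: `$response['appointments'] = array_values($response['appointments']);` and `$response['unavailabilities'] = array_values($response['unavailabilities']);`. The filter is also allow-by-default — a session whose `role_slug` is neither provider nor secretary (including a missing one) receives every record — which is acceptable only if a guard earlier in the method already rejects callers without a valid role; the enclosing method starts before this hunk, so that cannot be confirmed here. The `in_array` calls in the secretary branch compare an int needle loosely against the model's `providers` values; if those values are ints, passing `true` as the third argument avoids PHP's loose-comparison rules, and if they are strings they should be cast before a strict check.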