From afd51003c15edbe7ac24fc74acafb8440d27da66 Mon Sep 17 00:00:00 2001
From: Carsten Schmitz
Date: Thu, 27 Mar 2014 14:05:57 +0100
Subject: [PATCH] Fixed issue #8902: CPD Editing shared Participants results in duplicates
---
 .../controllers/admin/participantsaction.php | 92 +++++++------------
 application/models/Participant.php | 2 +-
 .../participants/displayParticipants_view.php | 4 +-
 scripts/admin/participantdisplay.js | 10 +-
 4 files changed, 40 insertions(+), 68 deletions(-)
diff --git a/application/controllers/admin/participantsaction.php b/application/controllers/admin/participantsaction.php
index d16c14744e2..b68d5465a57 100644
--- a/application/controllers/admin/participantsaction.php
+++ b/application/controllers/admin/participantsaction.php
@@ -461,25 +461,28 @@ function editAttributeInfo()
 */
 function delParticipant()
 {
- $selectoption = Yii::app()->request->getPost('selectedoption');
- $iParticipantId = Yii::app()->request->getPost('participant_id');
+ if (Permission::model()->hasGlobalPermission('participantpanel','delete'))
+ {
+ $selectoption = Yii::app()->request->getPost('selectedoption');
+ $iParticipantId = Yii::app()->request->getPost('participant_id');
- //echo $selectoption." -- ".$iParticipantId."
"; die(); + //echo $selectoption." -- ".$iParticipantId."
"; die(); - // Deletes from participants only - if ($selectoption == 'po') - { - Participant::model()->deleteParticipants($iParticipantId); - } - // Deletes from central and token table - elseif ($selectoption == 'ptt') - { - Participant::model()->deleteParticipantToken($iParticipantId); - } - // Deletes from central , token and assosiated responses as well - elseif ($selectoption == 'ptta') - { - Participant::model()->deleteParticipantTokenAnswer($iParticipantId); + // Deletes from participants only + if ($selectoption == 'po') + { + Participant::model()->deleteParticipants($iParticipantId); + } + // Deletes from central and token table + elseif ($selectoption == 'ptt') + { + Participant::model()->deleteParticipantToken($iParticipantId); + } + // Deletes from central , token and assosiated responses as well + elseif ($selectoption == 'ptta') + { + Participant::model()->deleteParticipantTokenAnswer($iParticipantId); + } } } @@ -488,29 +491,10 @@ function delParticipant() */ function editParticipant() { - $operation = Yii::app()->request->getPost('oper'); - - //In case the uid is not editable, then user id is not posted and hence the current user is added in the uid - if (Yii::app()->request->getPost('owner_uid') == '') - { - $oid = Yii::app()->session['loginID']; - } - //otherwise the one which is posted is added - else - { - $oid = Yii::app()->request->getPost('owner_uid'); - } - if (Yii::app()->request->getPost('language') == '') - { - $lang = Yii::app()->session['adminlang']; - } - else - { - $lang = Yii::app()->request->getPost('language'); - } + $sOperation = Yii::app()->request->getPost('oper'); // if edit it will update the row - if ($operation == 'edit') + if ($sOperation == 'edit' && Permission::model()->hasGlobalPermission('participantpanel','update') && Participant::model()->is_owner(Yii::app()->request->getPost('id'))) { $aData = array( 'participant_id' => Yii::app()->request->getPost('id'), 
@@ -518,13 +502,12 @@ function editParticipant()
 'lastname' => Yii::app()->request->getPost('lastname'),
 'email' => Yii::app()->request->getPost('email'),
 'language' => Yii::app()->request->getPost('language'),
- 'blacklisted' => Yii::app()->request->getPost('blacklisted'),
- 'owner_uid' => $oid
+ 'blacklisted' => Yii::app()->request->getPost('blacklisted')
 );
 Participant::model()->updateRow($aData);
 }
 // if add it will insert a new row
- elseif ($operation == 'add')
+ elseif ($sOperation == 'add' && Permission::model()->hasGlobalPermission('participantpanel','create'))
 {
 $uuid = $this->gen_uuid();
 $aData = array(
@@ -534,8 +517,8 @@ function editParticipant()
 'email' => Yii::app()->request->getPost('email'),
 'language' => Yii::app()->request->getPost('language'),
 'blacklisted' => Yii::app()->request->getPost('blacklisted'),
- 'owner_uid' => $oid,
- 'created_by' => $oid
+ 'owner_uid' => Yii::app()->session['loginID'],
+ 'created_by' => Yii::app()->session['loginID']
 );
 Participant::model()->insertParticipant($aData);
 }
@@ -950,22 +933,6 @@ function getAttribute_json()
 echo ls_json_encode($aData);
 }
- /*
- * Gets the data from the form for add participants and pass it to the participants model
- */
- function storeParticipants()
- {
- $aData = array('participant_id' => uniqid(),
- 'firstname' => Yii::app()->request->getPost('firstname'),
- 'lastname' => Yii::app()->request->getPost('lastname'),
- 'email' => Yii::app()->request->getPost('email'),
- 'language' => Yii::app()->request->getPost('language'),
- 'blacklisted' => Yii::app()->request->getPost('blacklisted'),
- 'owner_uid' => Yii::app()->request->getPost('owner_uid'));
- Participant::model()->insertParticipant($aData);
- }
-
 /*
 * Responsible for showing the additional attribute for central database
 */
@@ -1074,8 +1041,11 @@ function editAttributevalue()
 {
 $pid = explode('_',Yii::app()->request->getPost('participant_id'));
 $iAttributeId = Yii::app()->request->getPost('attid');
- $aData = array('participant_id' => $pid[0], 'attribute_id' => $iAttributeId, 'value' => Yii::app()->request->getPost('attvalue'));
- ParticipantAttributeName::model()->editParticipantAttributeValue($aData);
+ if (Permission::model()->hasGlobalPermission('participantpanel','update') && Participant::model()->is_owner($pid[0]))
+ {
+ $aData = array('participant_id' => $pid[0], 'attribute_id' => $iAttributeId, 'value' => Yii::app()->request->getPost('attvalue'));
+ ParticipantAttributeName::model()->editParticipantAttributeValue($aData);
+ }
 }
 }
diff --git a/application/models/Participant.php b/application/models/Participant.php
index 649a73a5a69..59a135decca 100644
--- a/application/models/Participant.php
+++ b/application/models/Participant.php
@@ -282,7 +282,7 @@ private function getParticipantsSelectCommand($count = false, $attid, $search =
 $aAllAttributes = ParticipantAttributeName::model()->getAllAttributes();
 foreach ($aAllAttributes as $aAttribute)
 {
- if(strpos($search->condition,'attribute'.$aAttribute['attribute_id'])!==false)
+ if(!is_null($search) && strpos($search->condition,'attribute'.$aAttribute['attribute_id'])!==false)
 {
 $attid[]=$aAttribute;
 }
diff --git a/application/views/admin/participants/displayParticipants_view.php b/application/views/admin/participants/displayParticipants_view.php
index 711c5b06663..bd3cfa6156e 100644
--- a/application/views/admin/participants/displayParticipants_view.php
+++ b/application/views/admin/participants/displayParticipants_view.php
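Review bot: The `strpos()` test on the changed line in Participant.php matches substrings, so `'attribute1'` is also found in a condition that only mentions `attribute12`, and the added null guard does not change that; attributes the search never referenced can therefore end up in `$attid`. Matching a delimited name, e.g. `preg_match('/\battribute'.(int)$aAttribute['attribute_id'].'\b/', $search->condition)`, avoids the false positives. The `!is_null($search)` test is also loop-invariant and would read more clearly as a single `if ($search !== null)` around the `foreach`. The function starts and ends outside this hunk.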
@@ -171,6 +171,8 @@
 var ajaxUrl = "getConfig('adminimageurl') . "/ajax-loader.gif" ?>";
 var redUrl = "getController()->createUrl("admin/participants/sa/displayParticipants"); ?>";
 var searchconditions = "";
+ var bEditPermission = hasGlobalPermission('participantpanel','update'))? 'true' : 'false'; ?>;
+ var bDeletePermission = hasGlobalPermission('participantpanel','delete'))? 'true' : 'false'; ?>;
 var colNames = '["participant_id","can_edit","eT("First name") ?>","eT("Last name") ?>","eT("Email") ?>","eT("Blacklisted") ?>","eT("Surveys") ?>","eT("Language") ?>","eT("Owner name") ?>"]';
 var colModels = '[{ "name":"participant_id", "index":"participant_id", "width":100, "align":"center", "sorttype":"int", "sortable": true, "editable":false, "hidden":true},';
 colModels += '{ "name":"can_edit", "index":"can_edit", "width":10, "align":"center", "sorttype":"int", "sortable": true, "editable":false, "hidden":true},';
@@ -331,7 +333,7 @@
diff --git a/scripts/admin/participantdisplay.js b/scripts/admin/participantdisplay.js
index a8eb65fddcd..248928d16e1 100644
--- a/scripts/admin/participantdisplay.js
+++ b/scripts/admin/participantdisplay.js
@@ -137,8 +137,8 @@ $(document).ready(function() {
 });
 },
 ondblClickRow: function(id) {
- var can_edit = $('#displayparticipants').getCell(id, 'can_edit');
- if(can_edit == 'false') {
+ var can_edit = ($('#displayparticipants').getCell(id, 'can_edit')=='true') && bEditPermission;
+ if(!can_edit) {
 var dialog_buttons={};
 dialog_buttons[okBtn]=function() {
 $( this ).dialog( "close" );
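Review bot: `bEditPermission` is read in the `ondblClickRow` handler as an implicit global that only the participants view defines (the `var bEditPermission = …` line this commit adds to displayParticipants_view.php); if this script is ever loaded without that view, the handler throws a ReferenceError instead of refusing the edit. A defensive form is `var can_edit = $('#displayparticipants').getCell(id, 'can_edit') == 'true' && typeof bEditPermission !== 'undefined' && bEditPermission;`, and the same applies to the handler changed at line 716, which writes the expression with different parenthesisation. A short comment such as `// UI hint only; the server re-checks permission and ownership` would make clear that this flag is not the enforcement point. The handler body continues outside this hunk.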
@@ -716,8 +716,8 @@ $(document).ready(function() {
 var parid = id.split('_');
 var participant_id = $("#displayparticipants_"+parid[0]+"_t").getCell(id,'participant_id');
 var lsel = parid[0];
- var can_edit = $('#displayparticipants').getCell(participant_id,'can_edit');
- if(can_edit == 'false') {
+ var can_edit = ($('#displayparticipants').getCell(participant_id,'can_edit')=='true' && bEditPermission);
+ if(!can_edit) {
 var dialog_buttons={};
 dialog_buttons[okBtn]=function(){
 $( this ).dialog( "close" );
@@ -753,7 +753,7 @@ $(document).ready(function() {
 jQuery("tr#"+id+" .ui-inline-edit").hide();
 jQuery("tr#"+id+" .ui-inline-save, tr#"+id+" .ui-inline-cancel").show();
 }
- jQuery("#displayparticipants_"+parid[0]+"_t").jqGrid('editRow',id,true);
+ //jQuery("#displayparticipants_"+parid[0]+"_t").jqGrid('editRow',id,true);
 }
 }
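Review bot: The `jqGrid('editRow', …)` call in the hunk at line 753 is disabled by commenting it out rather than being removed, and nothing says why. If inline editing of this sub-grid is intentionally switched off, delete the line or put a one-line comment above it giving the reason and the issue number (#8902). The context lines just before it still hide `.ui-inline-edit` and show `.ui-inline-save`/`.ui-inline-cancel`, so the row may now display save and cancel controls without having entered edit mode; that depends on code outside this hunk and should be checked in the UI.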