@@ -181,9 +181,12 @@ public function save_appointment()
181181 {
182182 try
183183 {
184- // Save customer changes to the database.
185184 $ customer_data = request ('customer_data ' );
185+ $ appointment_data = request ('appointment_data ' );
186+
187+ $ this ->check_event_permissions ($ appointment_data ['id_users_provider ' ]);
186188
189+ // Save customer changes to the database.
187190 if ($ customer_data )
188191 {
189192 $ customer = $ customer_data ;
@@ -216,8 +219,6 @@ public function save_appointment()
216219 }
217220
218221 // Save appointment changes to the database.
219- $ appointment_data = request ('appointment_data ' );
220-
221222 $ manage_mode = ! empty ($ appointment_data ['id ' ]);
222223
223224 if ($ appointment_data )
@@ -323,6 +324,9 @@ public function delete_appointment()
323324
324325 // Store appointment data for later use in this method.
325326 $ appointment = $ this ->appointments_model ->find ($ appointment_id );
327+
328+ $ this ->check_event_permissions ($ appointment ['id_users_provider ' ]);
329+
326330 $ provider = $ this ->providers_model ->find ($ appointment ['id_users_provider ' ], TRUE );
327331 $ customer = $ this ->customers_model ->find ($ appointment ['id_users_customer ' ], TRUE );
328332 $ service = $ this ->services_model ->find ($ appointment ['id_services ' ], TRUE );
@@ -373,7 +377,11 @@ public function save_unavailability()
373377 throw new RuntimeException ('You do not have the required permissions for this task. ' );
374378 }
375379
376- $ provider = $ this ->providers_model ->find ($ unavailability ['id_users_provider ' ]);
380+ $ provider_id = $ unavailability ['id_users_provider ' ];
381+
382+ $ this ->check_event_permissions ($ provider_id );
383+
384+ $ provider = $ this ->providers_model ->find ($ provider_id );
377385
378386 $ unavailability_id = $ this ->unavailabilities_model ->save ($ unavailability );
379387
@@ -409,6 +417,8 @@ public function delete_unavailability()
409417 $ unavailability_id = request ('unavailability_id ' );
410418
411419 $ unavailability = $ this ->appointments_model ->find ($ unavailability_id );
420+
421+ $ this ->check_event_permissions ($ unavailability ['id_users_provider ' ]);
412422
413423 $ provider = $ this ->providers_model ->find ($ unavailability ['id_users_provider ' ]);
414424
@@ -742,4 +752,20 @@ public function get_calendar_appointments()
742752 json_exception ($ e );
743753 }
744754 }
755+
756+ private function check_event_permissions ($ provider_id )
757+ {
758+ $ user_id = (int )session ('user_id ' );
759+ $ role_slug = session ('role_slug ' );
760+
761+ if ($ role_slug === DB_SLUG_SECRETARY && ! $ this ->secretaries_model ->is_provider_supported ($ user_id , $ provider_id ))
762+ {
763+ abort (403 );
764+ }
765+
766+ if ($ role_slug === DB_SLUG_PROVIDER && $ user_id !== $ provider_id )
767+ {
768+ abort (403 );
769+ }
770+ }
745771}
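Review bot: In the new check_event_permissions helper `$user_id` is cast to int but `$provider_id` is compared with `!==` exactly as received, and every call site hands it straight out of a request or model array, where it is likely to be a string; a provider saving or deleting their own appointment would then be refused with 403 on a type mismatch rather than on policy. Normalise it at the top of the helper, `$provider_id = (int) $provider_id;`, so the strict comparison is int against int, and the same value then reaches `is_provider_supported` in one shape. Separately, save_appointment checks the provider id supplied in the request, so in manage mode (`$manage_mode` in the second hunk) the stored `id_users_provider` of the appointment being edited is never consulted — looking it up as delete_appointment does and checking that as well would close that gap, assuming the model lets a save change the provider. When `appointment_data` is absent the helper is now called with a null provider id and aborts for non-admin roles; if that is intended it deserves a one-line comment. The bodies of save_appointment and save_unavailability continue outside these hunks.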