
Commit b37b460

Only allow authorized users to manage appointments from the calendar page (#1387)
1 parent e7ddad5 commit b37b460


1 file changed

+30
-4
lines changed


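--- a/application/controllers/Calendar.php
+++ b/application/controllers/Calendar.php
@@ -181,9 +181,12 @@ public function save_appointment()
 {
 try
 {
-// Save customer changes to the database.
 $customer_data = request('customer_data');
+$appointment_data = request('appointment_data');
+
+$this->check_event_permissions($appointment_data['id_users_provider']);
 
+// Save customer changes to the database.
 if ($customer_data)
 {
 $customer = $customer_data;
@@ -216,8 +219,6 @@ public function save_appointment()
 }
 
 // Save appointment changes to the database.
-$appointment_data = request('appointment_data');
-
 $manage_mode = ! empty($appointment_data['id']);
 
 if ($appointment_data)
@@ -323,6 +324,9 @@ public function delete_appointment()
 
 // Store appointment data for later use in this method.
 $appointment = $this->appointments_model->find($appointment_id);
+
+$this->check_event_permissions($appointment['id_users_provider']);
+
 $provider = $this->providers_model->find($appointment['id_users_provider'], TRUE);
 $customer = $this->customers_model->find($appointment['id_users_customer'], TRUE);
 $service = $this->services_model->find($appointment['id_services'], TRUE);
@@ -373,7 +377,11 @@ public function save_unavailability()
 throw new RuntimeException('You do not have the required permissions for this task.');
 }
 
-$provider = $this->providers_model->find($unavailability['id_users_provider']);
+$provider_id = $unavailability['id_users_provider'];
+
+$this->check_event_permissions($provider_id);
+
+$provider = $this->providers_model->find($provider_id);
 
 $unavailability_id = $this->unavailabilities_model->save($unavailability);
 
@@ -409,6 +417,8 @@ public function delete_unavailability()
 $unavailability_id = request('unavailability_id');
 
 $unavailability = $this->appointments_model->find($unavailability_id);
+
+$this->check_event_permissions($unavailability['id_users_provider']);
 
 $provider = $this->providers_model->find($unavailability['id_users_provider']);
 
@@ -742,4 +752,20 @@ public function get_calendar_appointments()
 json_exception($e);
 }
 }
+
+private function check_event_permissions($provider_id)
+{
+$user_id = (int)session('user_id');
+$role_slug = session('role_slug');
+
+if ($role_slug === DB_SLUG_SECRETARY && ! $this->secretaries_model->is_provider_supported($user_id, $provider_id))
+{
+abort(403);
+}
+
+if ($role_slug === DB_SLUG_PROVIDER && $user_id !== $provider_id)
+{
+abort(403);
+}
+}
 }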
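Review bot: The strict comparison `$user_id !== $provider_id` in the new check_event_permissions helper (last hunk) pits an int cast from the session against an uncast `$provider_id`, and the call sites pass that value straight from a request payload or a model row, where it is plausibly a numeric string; if it is, the condition is always true and every provider-role user is refused with 403, including the appointment's own provider, so the check fails closed rather than enforcing ownership. Cast before comparing, `$provider_id = (int) $provider_id;` as the first line of the helper (or declare `int $provider_id` and cast at the four call sites). Separately, in the save_appointment hunk the check is evaluated against `$appointment_data['id_users_provider']` taken from the request body, so when `$appointment_data['id']` names an existing appointment the authorization decision rests on a client-supplied provider id rather than the stored record's; loading the persisted appointment and checking its `id_users_provider` first, as delete_appointment does, would close that gap. The same uncast-argument point applies to the delete_appointment, save_unavailability and delete_unavailability hunks.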
