Changeset 2214469

Timestamp:

12/18/2019 05:43:27 PM (6 years ago)

Author:

hitcode

Message:

4.5.5

Location:

shiftcontroller/trunk

Files:

• readme.txt (modified) (1 diff)
• sh4/app/query.php (modified) (1 diff)
• sh4/schedule/html/view/common.php (modified) (7 diffs)
• sh4/shifts/acl.php (modified) (2 diffs)
• sh4/shifts/boot.php (modified) (1 diff)
• shiftcontroller4.php (modified) (2 diffs)

shiftcontroller/trunk/readme.txt

@@ -60 +60 @@
 
 == Changelog ==
+
+= 4.5.5 =
+* BUG: Employees could see shifts from other calendars that they are not allowed to participate in.
 
 = 4.5.4 =

shiftcontroller/trunk/sh4/app/query.php

@@ -8 +8 @@
     public function findManagersForCalendar( SH4_Calendars_Model $calendar );
     public function findCalendarsManagedByUser( HC3_Users_Model $user );
+    public function findCalendarsViewedByUser( HC3_Users_Model $user );
 
     public function findEmployeesForCalendar( SH4_Calendars_Model $calendar );

shiftcontroller/trunk/sh4/schedule/html/view/common.php

@@ -111 +111 @@
                 ->gutter(1)
                 ;
-
         }
 
@@ -132 +131 @@
         $currentUserId = $currentUser->getId();
 
+        $meEmployeeId = NULL;
+        $meEmployeeCalendars = array();
+
         $meEmployee = $this->appQuery->findEmployeeByUser( $currentUser );
-        $meEmployeeId = $meEmployee ? $meEmployee->getId() : NULL;
+        if( $meEmployee ){
+            $meEmployeeId = $meEmployee->getId();
+            $meEmployeeCalendars = $this->appQuery->findCalendarsForEmployee( $meEmployee );
+        }
 
         $myManagedCalendars = array();
@@ -188 +193 @@
         // is other employee
             if( $meEmployeeId != $shiftEmployeeId ){
+
+                if( ! isset($meEmployeeCalendars[$shiftCalendarId]) ){
+                    unset( $return[$id] );
+                    continue;
+                }
+
                 if( $shift->isOpen() ){
                     $permName = $shift->isPublished() ? 'employee_view_open_publish' : 'employee_view_open_draft';
@@ -194 +205 @@
                     $permName = $shift->isPublished() ? 'employee_view_others_publish' : 'employee_view_others_draft';
                 }
+
                 $perm = $this->calendarsPermissions->get( $shiftCalendar, $permName );
                 if( ! $perm ){
@@ -323 +335 @@
         }
 
+        $calendarsForEmployee = array();
         if( $employee ){
-            $thisReturn = $this->appQuery->findCalendarsForEmployee( $employee );
-            $allowed = $allowed + $thisReturn;
+            $calendarsForEmployee = $this->appQuery->findCalendarsForEmployee( $employee );
+            $allowed = $allowed + $calendarsForEmployee;
         }
 
         foreach( $return as $calendar ){
+            $calendarId = $calendar->getId();
+
             $permNames = array();
             $permNames[] = 'visitor_view_others_publish';
             $permNames[] = 'visitor_view_others_draft';
+
             if( $currentUserId ){
+                if( ! isset($calendarsForEmployee[$currentUserId]) ){
+                    continue;
+                }
                 $permNames[] = 'employee_view_others_publish';
                 $permNames[] = 'employee_view_others_draft';
@@ -341 +360 @@
                 $perm = $this->calendarsPermissions->get( $calendar, $permName );
                 if( $perm ){
-                    $calendarId = $calendar->getId();
                     $allowed[ $calendarId ] = $calendar;
                     break;
@@ -350 +368 @@
         $ids = array_keys( $return );
         foreach( $ids as $id ){
-            if( ! array_key_exists($id, $allowed) ){
+            // if( ! array_key_exists($id, $allowed) ){
+            if( ! isset($allowed[$id]) ){
                 unset( $return[$id] );
             }

shiftcontroller/trunk/sh4/shifts/acl.php

@@ -2 +2 @@
 interface SH4_Shifts_IAcl
 {
+    public function checkView( $shiftId );
     public function checkCreate( $shiftId );
     public function checkCreateDraft( $shiftId );
@@ -265 +266 @@
         return $return;
     }
+
+    public function checkView( $shiftId )
+    {
+        $return = FALSE;
+
+        $shift = $this->shiftsQuery->findById( $shiftId );
+        $calendar = $shift->getCalendar();
+        $calendarId = $calendar->getId();
+
+        $currentUser = $this->auth->getCurrentUser();
+        if( ! $currentUser ){
+            if( $shift->isOpen() ){
+                $permName = $shift->isPublished() ? 'visitor_view_open_publish' : 'visitor_view_open_draft';
+            }
+            else {
+                $permName = $shift->isPublished() ? 'visitor_view_others_publish' : 'visitor_view_others_draft';
+            }
+
+            $perm = $this->calendarsPermissions->get( $calendar, $permName );
+            if( $perm ){
+                $return = TRUE;
+            }
+
+            return $return;
+        }
+
+        if( $this->permission->isAdmin($currentUser) ){
+            $return = TRUE;
+            return $return;
+        }
+
+        $calendarsAsManager = $this->appQuery->findCalendarsManagedByUser( $currentUser );
+        if( isset($calendarsAsManager[$calendarId]) ){
+            $return = TRUE;
+            return $return;
+        }
+
+        $calendarsAsViewer = $this->appQuery->findCalendarsViewedByUser( $currentUser );
+        if( isset($calendarsAsViewer[$calendarId]) ){
+            $return = TRUE;
+            return $return;
+        }
+
+        $meEmployee = $this->appQuery->findEmployeeByUser( $currentUser );
+
+        if( ! $meEmployee ){
+            return $return;
+        }
+
+        $employeeCalendars = $this->appQuery->findCalendarsForEmployee( $meEmployee );
+        if( ! isset($employeeCalendars[$calendarId]) ){
+            return $return;
+        }
+
+        $shiftEmployee = $shift->getEmployee();
+        $shiftEmployeeId = $shiftEmployee->getId();
+
+        $meEmployeeId = $meEmployee->getId();
+
+        if( $meEmployeeId == $shiftEmployeeId ){
+            $return = TRUE;
+            return $return;
+        }
+
+        if( $shift->isOpen() ){
+            $permName = $shift->isPublished() ? 'employee_view_open_publish' : 'employee_view_open_draft';
+        }
+        else {
+            $permName = $shift->isPublished() ? 'employee_view_others_publish' : 'employee_view_others_draft';
+        }
+        $perm = $this->calendarsPermissions->get( $calendar, $permName );
+
+        if( $perm ){
+            $return = TRUE;
+        }
+
+        return $return;
+    }
 }

shiftcontroller/trunk/sh4/shifts/boot.php

@@ -45 +45 @@
             ->register( 'get:shifts/{id}/time', array('SH4_Shifts_Acl', 'checkChangeTime') )
             ->register( 'post:shifts/{id}/time/{start}/{end}', array('SH4_Shifts_Acl', 'checkChangeTime') )
+
+            ->register( 'get:shifts/{id}', array('SH4_Shifts_Acl', 'checkView') )
             ;
     }

shiftcontroller/trunk/shiftcontroller4.php

@@ -4 +4 @@
  * Plugin URI: http://www.shiftcontroller.com/
  * Description: Staff scheduling plugin
- * Version: 4.5.4
+ * Version: 4.5.5
  * Author: hitcode.com
  * Author URI: http://www.shiftcontroller.com/
@@ -11 +11 @@
 */
 
-define( 'SH4_VERSION', 454 );
+define( 'SH4_VERSION', 455 );
 
 if (! defined('ABSPATH')) exit; // Exit if accessed directly