Only allow authorized users to manage appointments from the calendar …

…page (#1387)
alextselegidis · Jul 17, 2023 · b37b460 · b37b460
1 parent e7ddad5
commit b37b460
Showing 1 changed file with 30 additions and 4 deletions.
diff --git a/application/controllers/Calendar.php b/application/controllers/Calendar.php
@@ -181,9 +181,12 @@ public function save_appointment()
     {
         try
         {
-            // Save customer changes to the database.
             $customer_data = request('customer_data');
+            $appointment_data = request('appointment_data');
+
+            $this->check_event_permissions($appointment_data['id_users_provider']);
 
+            // Save customer changes to the database.
             if ($customer_data)
             {
                 $customer = $customer_data;
@@ -216,8 +219,6 @@ public function save_appointment()
             }
 
             // Save appointment changes to the database.
-            $appointment_data = request('appointment_data');
-
             $manage_mode = ! empty($appointment_data['id']);
 
             if ($appointment_data)
@@ -323,6 +324,9 @@ public function delete_appointment()
 
             // Store appointment data for later use in this method.
             $appointment = $this->appointments_model->find($appointment_id);
+
+            $this->check_event_permissions($appointment['id_users_provider']);
+
             $provider = $this->providers_model->find($appointment['id_users_provider'], TRUE);
             $customer = $this->customers_model->find($appointment['id_users_customer'], TRUE);
             $service = $this->services_model->find($appointment['id_services'], TRUE);
@@ -373,7 +377,11 @@ public function save_unavailability()
                 throw new RuntimeException('You do not have the required permissions for this task.');
             }
 
-            $provider = $this->providers_model->find($unavailability['id_users_provider']);
+            $provider_id = $unavailability['id_users_provider'];
+
+            $this->check_event_permissions($provider_id);
+
+            $provider = $this->providers_model->find($provider_id);
 
             $unavailability_id = $this->unavailabilities_model->save($unavailability);
 
@@ -409,6 +417,8 @@ public function delete_unavailability()
             $unavailability_id = request('unavailability_id');
 
             $unavailability = $this->appointments_model->find($unavailability_id);
+
+            $this->check_event_permissions($unavailability['id_users_provider']);
 
             $provider = $this->providers_model->find($unavailability['id_users_provider']);
 
@@ -742,4 +752,20 @@ public function get_calendar_appointments()
             json_exception($e);
         }
     }
+
+    private function check_event_permissions($provider_id)
+    {
+        $user_id = (int)session('user_id');
+        $role_slug = session('role_slug');
+
+        if ($role_slug === DB_SLUG_SECRETARY && ! $this->secretaries_model->is_provider_supported($user_id, $provider_id))
+        {
+            abort(403);
+        }
+
+        if ($role_slug === DB_SLUG_PROVIDER && $user_id !== $provider_id)
+        {
+            abort(403);
+        }
+    }
 }