Revision: 1263
http://mrbs.svn.sourceforge.net/mrbs/?rev=1263&view=rev
Author: cimorrison
Date: 2009-11-13 19:02:59 +0000 (Fri, 13 Nov 2009)
Log Message:
-----------
Added a third parameter, $room, to getWritable() so that it can be extended in
future to use the room id when checking whether a user can edit an entry
Modified Paths:
--------------
mrbs/branches/provisional_bookings/web/del_entry.php
mrbs/branches/provisional_bookings/web/edit_entry.php
mrbs/branches/provisional_bookings/web/edit_entry_handler.php
mrbs/branches/provisional_bookings/web/edit_users.php
mrbs/branches/provisional_bookings/web/functions.inc
mrbs/branches/provisional_bookings/web/month.php
mrbs/branches/provisional_bookings/web/mrbs_auth.inc
mrbs/branches/provisional_bookings/web/mrbs_sql.inc
mrbs/branches/provisional_bookings/web/view_entry.php
Modified: mrbs/branches/provisional_bookings/web/del_entry.php
===================================================================
--- mrbs/branches/provisional_bookings/web/del_entry.php 2009-11-13
11:02:40 UTC (rev 1262)
+++ mrbs/branches/provisional_bookings/web/del_entry.php 2009-11-13
19:02:59 UTC (rev 1263)
@@ -47,7 +47,7 @@
}
else
{
- $authorised = getWritable($info['create_by'], $user);
+ $authorised = getWritable($info['create_by'], $user, $info['room_id']);
}
if ($authorised)
{
Modified: mrbs/branches/provisional_bookings/web/edit_entry.php
===================================================================
--- mrbs/branches/provisional_bookings/web/edit_entry.php 2009-11-13
11:02:40 UTC (rev 1262)
+++ mrbs/branches/provisional_bookings/web/edit_entry.php 2009-11-13
19:02:59 UTC (rev 1263)
@@ -113,7 +113,7 @@
{
// Entry being copied by different user
// If they don't have rights to view details, clear them
- $privatewriteable = getWritable($row['create_by'],getUserName());
+ $privatewriteable = getWritable($row['create_by'], getUserName(),
$room_id);
if (is_private_event($private) && !$privatewriteable)
{
$name = '';
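Review bot: The copy branch passes a script-level `$room_id` to getWritable() although the entry whose private details are being protected is the `$row` that was just loaded; if the SELECT that fills `$row` includes room_id, `$row['room_id']` is the value that identifies that entry's room, whereas the origin of `$room_id` is not visible in this hunk and may well be the room the copy is headed for. Suggested line: `$privatewriteable = getWritable($row['create_by'], getUserName(), $row['room_id']);`. The same pattern appears in the view_entry.php hunk, where `$row` is also in hand. The enclosing block starts before this hunk.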
@@ -253,7 +253,7 @@
//now that we know all the data to fill the form with we start drawing it
-if (!getWritable($create_by, getUserName()))
+if (!getWritable($create_by, getUserName(), $room_id))
{
showAccessDenied($day, $month, $year, $area, isset($room) ? $room : "");
exit;
Modified: mrbs/branches/provisional_bookings/web/edit_entry_handler.php
===================================================================
--- mrbs/branches/provisional_bookings/web/edit_entry_handler.php
2009-11-13 11:02:40 UTC (rev 1262)
+++ mrbs/branches/provisional_bookings/web/edit_entry_handler.php
2009-11-13 19:02:59 UTC (rev 1263)
@@ -152,8 +152,35 @@
}
$user = getUserName();
-if (!getWritable($create_by, $user))
+// Check that the user has permission to create/edit an entry for this room.
+// Get the id of the room that we are creating/editing
+if (isset($id))
{
+ // Editing an existing booking: get the room_id from the database (you can't
+ // get it from $rooms because they are the new rooms)
+ $target_room = sql_query1("SELECT room_id FROM $tbl_entry WHERE id=$id LIMIT
1");
+ if ($target_room < 0)
+ {
+ fatal_error(0, sql_error());
+ }
+}
+else
+{
+ // New booking: get the room_id from the form
+ if (!isset($rooms[0]))
+ {
+ // $rooms[0] should always be set, because you can only get here
+ // from edit_entry.php, where it will be set. If it's not set
+ // then something's gone wrong - probably somebody trying to call
+ // edit_entry_handler.php directly from the browser - so get out
+ // of here and go somewhere safe.
+ header("Location: index.php");
+ exit;
+ }
+ $target_room = $rooms[0];
+}
+if (!getWritable($create_by, $user, $target_room))
+{
showAccessDenied($day, $month, $year, $area, isset($room) ? $room : "");
exit;
}
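Review bot: Only `$rooms[0]` reaches getWritable() in the new-booking branch, so a booking that lists several rooms is checked against the first room alone, and the edit branch checks the entry's original room but none of the rooms in `$rooms` that the comment says it is being moved to; once getWritable() starts honouring `$room`, this is where an unauthorised room would slip through. Collect every room to check into an array in both branches and loop over it, as sketched below (the sketch assumes `$rooms` is also populated on the edit path, which the comment on the `sql_query1` line implies). Separately, `$id` is interpolated straight into the SELECT on that line; if it is not already coerced to an integer by the form-variable handling that precedes this hunk, cast it here with `(int)$id`. The `$target_room < 0` test presumably covers the sql error return, but if `sql_query1` also returns a negative value when no row matches, a stale id ends in fatal_error rather than an access-denied page — worth confirming.
```php
if (isset($id))
{
  // … unchanged: look up the existing booking's room_id, fatal_error on sql error …
  // The rooms the entry is being moved to must be writable as well as the original one
  $target_rooms = array_merge(array($target_room), $rooms);
}
else
{
  // … unchanged: redirect to index.php when $rooms[0] is missing …
  // A booking can cover several rooms; every one of them must be writable
  $target_rooms = $rooms;
}
foreach ($target_rooms as $target_room)
{
  if (!getWritable($create_by, $user, $target_room))
  {
    showAccessDenied($day, $month, $year, $area, isset($room) ? $room : "");
    exit;
  }
}
```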
Modified: mrbs/branches/provisional_bookings/web/edit_users.php
===================================================================
--- mrbs/branches/provisional_bookings/web/edit_users.php 2009-11-13
11:02:40 UTC (rev 1262)
+++ mrbs/branches/provisional_bookings/web/edit_users.php 2009-11-13
19:02:59 UTC (rev 1263)
@@ -160,7 +160,7 @@
}
/* First make sure the user is authorized */
- if (!$initial_user_creation && !getWritable($data['name'], $user))
+ if (!$initial_user_creation && !auth_can_edit_user($user, $data['name']))
{
showAccessDenied(0, 0, 0, "", "");
exit();
Modified: mrbs/branches/provisional_bookings/web/functions.inc
===================================================================
--- mrbs/branches/provisional_bookings/web/functions.inc 2009-11-13
11:02:40 UTC (rev 1262)
+++ mrbs/branches/provisional_bookings/web/functions.inc 2009-11-13
19:02:59 UTC (rev 1263)
@@ -883,7 +883,7 @@
$user = getUserName();
if (is_private_event($row['entry_private']) &&
- !getWritable($row['entry_create_by'],$user))
+ !getWritable($row['entry_create_by'], $user, $row['room_id']))
{
$is_private = TRUE;
$row['name']= "[".get_vocab('unavailable')."]";
Modified: mrbs/branches/provisional_bookings/web/month.php
===================================================================
--- mrbs/branches/provisional_bookings/web/month.php 2009-11-13 11:02:40 UTC
(rev 1262)
+++ mrbs/branches/provisional_bookings/web/month.php 2009-11-13 19:02:59 UTC
(rev 1263)
@@ -330,7 +330,7 @@
// Handle private events
if (is_private_event($row['private']))
{
- if (getWritable($row['create_by'],$user))
+ if (getWritable($row['create_by'], $user, $room))
{
$private = FALSE;
}
Modified: mrbs/branches/provisional_bookings/web/mrbs_auth.inc
===================================================================
--- mrbs/branches/provisional_bookings/web/mrbs_auth.inc 2009-11-13
11:02:40 UTC (rev 1262)
+++ mrbs/branches/provisional_bookings/web/mrbs_auth.inc 2009-11-13
19:02:59 UTC (rev 1263)
@@ -39,18 +39,22 @@
return authGetUserLevel($user) >= $level;
}
-/* getWritable($creator, $user)
+/* getWritable($creator, $user, $room)
*
* Determines if a user is able to modify an entry
*
* $creator - The creator of the entry
* $user - Who wants to modify it
+ * $room - The id of the room that the entry is in
*
+ * $room is ignored at the moment, but is provided for
+ * future enhancements
+ *
* Returns:
* 0 - The user does not have the required access
* non-zero - The user has the required access
*/
-function getWritable($creator, $user)
+function getWritable($creator, $user, $room)
{
// Always allowed to modify your own stuff
if(strcasecmp($creator, $user) == 0)
@@ -93,6 +97,36 @@
print_footer(TRUE);
}
+/* auth_can_edit_user($creator, $user)
+ *
+ * Determines if a user is able to edit another user's details
+ *
+ * $user - Who wants to modify it
+ * $target - The user that is being edited
+ *
+ * Returns:
+ * 0 - The user does not have the required access
+ * non-zero - The user has the required access
+ */
+function auth_can_edit_user($user, $target)
+{
+ global $min_user_editing_level;
+
+ // Always allowed to modify your own stuff
+ if(strcasecmp($user, $target) == 0)
+ {
+ return 1;
+ }
+
+ if(authGetUserLevel($user) >= $min_user_editing_level)
+ {
+ return 1;
+ }
+
+ // Unathorised access
+ return 0;
+}
+
// auth_can_confirm($user, $room)
//
// Checks whether $user is allowed to confirm provisional bookings for $room
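Review bot: The header comment for the new function reads `auth_can_edit_user($creator, $user)` while the signature is `auth_can_edit_user($user, $target)`; the first docblock line should be `/* auth_can_edit_user($user, $target)` so it agrees with the parameter lines beneath it, which already use the right names. The level test `authGetUserLevel($user) >= $min_user_editing_level` has no guard for an unset global: PHP compares an int with null by converting both to bool, so if `$min_user_editing_level` is missing from the configuration every user would pass this test and be able to edit any other user's details. Fail closed instead, e.g. `if (isset($min_user_editing_level) && authGetUserLevel($user) >= $min_user_editing_level)`. Also `Unathorised` in the closing comment is a typo.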
Modified: mrbs/branches/provisional_bookings/web/mrbs_sql.inc
===================================================================
--- mrbs/branches/provisional_bookings/web/mrbs_sql.inc 2009-11-13 11:02:40 UTC
(rev 1262)
+++ mrbs/branches/provisional_bookings/web/mrbs_sql.inc 2009-11-13 19:02:59 UTC
(rev 1263)
@@ -72,7 +72,7 @@
}
if (is_private_event($row['private']) &&
- !getWritable($row['create_by'], $user))
+ !getWritable($row['create_by'], $user, $room_id))
{
$row['name'] = get_vocab("private");
}
@@ -110,7 +110,7 @@
return 0;
}
- $sql = "SELECT create_by, id, entry_type FROM $tbl_entry WHERE ";
+ $sql = "SELECT create_by, id, room_id, entry_type FROM $tbl_entry WHERE ";
if ($series)
{
@@ -127,7 +127,7 @@
for ($i = 0; ($row = sql_row_keyed($res, $i)); $i++)
{
- if(!getWritable($row['create_by'], $user))
+ if(!getWritable($row['create_by'], $user, $row['room_id']))
{
continue;
}
Modified: mrbs/branches/provisional_bookings/web/view_entry.php
===================================================================
--- mrbs/branches/provisional_bookings/web/view_entry.php 2009-11-13
11:02:40 UTC (rev 1262)
+++ mrbs/branches/provisional_bookings/web/view_entry.php 2009-11-13
19:02:59 UTC (rev 1263)
@@ -169,7 +169,7 @@
// so that user see what he expects to see
$duration = $row['duration'] - cross_dst($row['start_time'],
$row['end_time']);
-$writeable = getWritable($row['create_by'], $user);
+$writeable = getWritable($row['create_by'], $user, $room_id);
// Get the area settings for the entry's area. In particular we want