Revision: 1357
http://mrbs.svn.sourceforge.net/mrbs/?rev=1357&view=rev
Author: cimorrison
Date: 2010-06-15 11:04:09 +0000 (Tue, 15 Jun 2010)
Log Message:
-----------
Fixed a bug which meant that ordinary users were able to delete bookings made
in the past even though the booking policy said that they couldn't. (The
booking policy was only being applied to the creation or modification of
entries but not to their deletion).
Modified Paths:
--------------
mrbs/trunk/web/del_entry.php
mrbs/trunk/web/mrbs_sql.inc
mrbs/trunk/web/systemdefaults.inc.php
Modified: mrbs/trunk/web/del_entry.php
===================================================================
--- mrbs/trunk/web/del_entry.php 2010-06-08 15:39:10 UTC (rev 1356)
+++ mrbs/trunk/web/del_entry.php 2010-06-15 11:04:09 UTC (rev 1357)
@@ -55,6 +55,8 @@
$month = strftime("%m", $info["start_time"]);
$year = strftime("%Y", $info["start_time"]);
$area = mrbsGetRoomArea($info["room_id"]);
+ // Get the settings for this area (they will be needed for policy checking)
+ get_area_settings($area);
$notify_by_email = $mail_settings['admin_on_delete'] ||
$mail_settings['book_admin_on_provisional'];
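Review bot: Policy enforcement inside mrbsDelEntry() now depends on this page having called `get_area_settings($area)` first, because mrbsCheckPolicy() reads its limits from globals. Any other caller of mrbsDelEntry() that has not loaded the area's settings would presumably be checked against whatever those globals hold at the time, which may not be that area's policy. Consider loading the settings inside mrbsDelEntry() from the entry's own room, or at least stating the precondition in its docblock, e.g. `Caller must have called get_area_settings() for the entry's area`. The surrounding code starts and ends outside this hunk.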
@@ -67,6 +69,11 @@
sql_begin();
$result = mrbsDelEntry(getUserName(), $id, $series, 1);
sql_commit();
+ // [At the moment MRBS does not inform the user if it was only able to
+ // delete some members of a series but not all. This could happen for
+ // example if a booking policy is in force thgat prevents the deletion of
entries
+ // in the past. It would be better to inform the user that the operation
has only
+ // been partially successful]
if ($result)
{
// Send a mail to the Administrator
Modified: mrbs/trunk/web/mrbs_sql.inc
===================================================================
--- mrbs/trunk/web/mrbs_sql.inc 2010-06-08 15:39:10 UTC (rev 1356)
+++ mrbs/trunk/web/mrbs_sql.inc 2010-06-15 11:04:09 UTC (rev 1357)
@@ -89,15 +89,20 @@
/** mrbsCheckPolicy()
*
- * Check to see if a proposed booking conforms to any booking policies in force
+ * Check to see if a proposed booking conforms to any booking policies in
force.,
+ * Can be used both for editing/creating an entry as well as deleting an entry
+ * (it's possible that in future some policies might apply to deletion and
others
+ * to creation)
*
* $starttime - The start of period
+ * $delete - TRUE: We're intending to delete an entry
+ * - FALSE: We're intending to create or edit an entry (the
default)
*
* Returns:
* nothing - The booking is OK
* something - An error occured, the return value is human readable
*/
-function mrbsCheckPolicy($starttime)
+function mrbsCheckPolicy($starttime, $delete=FALSE)
{
global $min_book_ahead_enabled, $max_book_ahead_enabled, $enable_periods;
global $min_book_ahead_secs, $max_book_ahead_secs, $min_book_ahead_days,
$max_book_ahead_days;
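Review bot: The new `$delete` argument is described in the docblock, but none of the visible lines use it; the function body continues outside this hunk. If the body does not branch on it yet, the docblock should say so, e.g. `(currently unused: the same limits apply to deletion)`, so that callers do not assume deletion already has its own rules. The first added docblock line also ends in `force.,`, which looks like a typo for `force.`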
@@ -134,12 +139,12 @@
/** mrbsDelEntry()
*
- * Delete an entry, or optionally all entrys.
+ * Delete an entry, or optionally all entries.
*
* $user - Who's making the request
* $id - The entry to delete
- * $series - If set, delete the series, except user modified entrys
- * $all - If set, include user modified entrys in the series delete
+ * $series - If set, delete the series, except user modified entries
+ * $all - If set, include user modified entries in the series delete
*
* Returns:
* 0 - An error occured
@@ -149,13 +154,19 @@
{
global $tbl_entry, $tbl_repeat;
- $repeat_id = sql_query1("SELECT repeat_id FROM $tbl_entry WHERE id=$id LIMIT
1");
- if ($repeat_id < 0)
+ // Get the repeat_id and room_id for this entry
+ $res = sql_query("SELECT repeat_id, room_id FROM $tbl_entry WHERE id=$id
LIMIT 1");
+ if (($res === FALSE) || (sql_count($res) <= 0))
{
return 0;
}
+ $row = sql_row_keyed($res, 0);
+ $repeat_id = $row['repeat_id'];
+ $room_id = $row['room_id'];
+
+ $is_book_admin = auth_book_admin($user, $room_id);
- $sql = "SELECT create_by, id, room_id, entry_type FROM $tbl_entry WHERE ";
+ $sql = "SELECT start_time, create_by, id, entry_type FROM $tbl_entry WHERE ";
if ($series)
{
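Review bot: `$room_id` and `$is_book_admin` are now derived once from the entry identified by `$id`, and the series query no longer selects `room_id`, so every row in the loop is authorised against that single room. If individual members of a series can be moved to a different room (the `$all` flag includes user-modified entries), the `getWritable()` call in the @@ -172 hunk and the admin exemption from the policy check in the @@ -181 hunk would be evaluated for the wrong room. Keeping `room_id` in the SELECT and checking `auth_book_admin($user, $row['room_id'])` per row removes that assumption. If a series is guaranteed to stay in one room, a comment stating that invariant next to `$room_id = $row['room_id'];` would help. The function body starts and ends outside this hunk.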
@@ -172,7 +183,7 @@
for ($i = 0; ($row = sql_row_keyed($res, $i)); $i++)
{
- if(!getWritable($row['create_by'], $user, $row['room_id']))
+ if(!getWritable($row['create_by'], $user, $room_id))
{
continue;
}
@@ -181,6 +192,13 @@
{
continue;
}
+
+ // check that the booking policies allow us to delete this entry
+ $tmp = mrbsCheckPolicy($row['start_time'], TRUE);
+ if (!$is_book_admin && !empty($tmp))
+ {
+ continue;
+ }
if (sql_command("DELETE FROM $tbl_entry WHERE id=" . $row['id']) > 0)
{
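Review bot: A deletion refused by policy is skipped with a bare `continue`, and the human-readable reason that mrbsCheckPolicy() returned in `$tmp` is discarded. From the lines shown, the caller cannot tell a policy refusal from an entry that was simply not writable, and nothing is recorded about the refused attempt. Consider naming the variable for what it holds (`$policy_error`) and keeping the reason so that it can be reported to the user or logged. The loop and the function's return handling continue outside this hunk.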
Modified: mrbs/trunk/web/systemdefaults.inc.php
===================================================================
--- mrbs/trunk/web/systemdefaults.inc.php 2010-06-08 15:39:10 UTC (rev
1356)
+++ mrbs/trunk/web/systemdefaults.inc.php 2010-06-15 11:04:09 UTC (rev
1357)
@@ -227,7 +227,7 @@
// minimum advance booking time allows you to set a policy saying that users
must book
// at least so far in advance. The maximum allows you to set a policy saying
that they cannot
// book more than so far in advance. How the times are determined depends on
whether Periods
-// or Times are being used.
+// or Times are being used. These settings also apply to the deletion of
bookings.
// DEFAULT VALUES FOR NEW AREAS (WHEN USING TIMES)
$min_book_ahead_enabled = FALSE; // set to TRUE to enforce a minimum
advance booking time