From c156731f0be28a76977e29055ba350ed7f82f733 Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Tue, 8 Dec 2020 10:33:25 -0500
Subject: [PATCH] Allow users with canView Events to view event list. Don't allow unarchive or delete if they don't have canEdit
---
 web/ajax/events.php | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/web/ajax/events.php b/web/ajax/events.php
index 37e225527..b613fe10c 100644
--- a/web/ajax/events.php
+++ b/web/ajax/events.php
@@ -6,7 +6,7 @@ $data = array();
 // INITIALIZE AND CHECK SANITY
 //
-if ( !canEdit('Events') ) $message = 'Insufficient permissions for user '.$user['Username'];
+if ( !canView('Events') ) $message = 'Insufficient permissions for user '.$user['Username'];
 if ( empty($_REQUEST['task']) ) {
 $message = 'Must specify a task';
@@ -74,10 +74,22 @@ if ( isset($_REQUEST['limit']) ) {
 switch ( $task ) {
 case 'archive' :
+ foreach ( $eids as $eid ) archiveRequest($task, $eid);
+ break;
 case 'unarchive' :
+ # The idea is that anyone can archive, but only people with Event Edit permission can unarchive..
+ if ( !canEdit('Events') ) {
+ ajaxError('Insufficient permissions for user '.$user['Username']);
+ return;
+ }
 foreach ( $eids as $eid ) archiveRequest($task, $eid);
 break;
 case 'delete' :
+ if ( !canEdit('Events') ) {
+ ajaxError('Insufficient permissions for user '.$user['Username']);
+ return;
+ }
+
 foreach ( $eids as $eid ) $data[] = deleteRequest($eid);
 break;
 case 'query' :
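Review bot: The file-wide gate on the `if ( !canView('Events') )` line only assigns `$message`, and whether a non-empty `$message` stops execution before `switch ( $task )` is decided outside this hunk, so the relaxed check is only as strong as that later handling. With the minimum now at view permission, every task that writes must carry its own `canEdit('Events')` check; this commit adds one for `unarchive` and `delete`, and any other state-changing task outside the visible lines should be audited the same way. I would record that contract at the gate with a comment such as `// View permission is the minimum for this endpoint; tasks that modify events re-check canEdit('Events') in the switch below.`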
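Review bot: The `archive` case still writes event state but is now reachable with view permission only, so a read-only role can modify events. If archiving affects retention or is otherwise sensitive in this project (not visible here), the safer shape is to keep `case 'archive' :` falling through into `case 'unarchive' :` so that the added `if ( !canEdit('Events') ) {` guard covers both. If the asymmetry is intended, the `# The idea is that anyone can archive...` comment belongs above the `archive` loop rather than under `unarchive`, and "anyone" should read "any user with Events view permission". Both guards check only the global permission; whether each `$eid` taken from the request belongs to something the user may access is not shown in this hunk. The switch continues past the end of the hunk.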