Allow users with canView Events to view event list. Don't allow unarchive or delete if they don't have canEdit
parent
b0f2ff6302
commit
c156731f0b
|
@ -6,7 +6,7 @@ $data = array();
|
||||||
// INITIALIZE AND CHECK SANITY
|
// INITIALIZE AND CHECK SANITY
|
||||||
//
|
//
|
||||||
|
|
||||||
if ( !canEdit('Events') ) $message = 'Insufficient permissions for user '.$user['Username'];
|
if ( !canView('Events') ) $message = 'Insufficient permissions for user '.$user['Username'];
|
||||||
|
|
||||||
if ( empty($_REQUEST['task']) ) {
|
if ( empty($_REQUEST['task']) ) {
|
||||||
$message = 'Must specify a task';
|
$message = 'Must specify a task';
|
||||||
|
@ -74,10 +74,22 @@ if ( isset($_REQUEST['limit']) ) {
|
||||||
|
|
||||||
switch ( $task ) {
|
switch ( $task ) {
|
||||||
case 'archive' :
|
case 'archive' :
|
||||||
|
foreach ( $eids as $eid ) archiveRequest($task, $eid);
|
||||||
|
break;
|
||||||
case 'unarchive' :
|
case 'unarchive' :
|
||||||
|
# The idea is that anyone can archive, but only people with Event Edit permission can unarchive..
|
||||||
|
if ( !canEdit('Events') ) {
|
||||||
|
ajaxError('Insufficient permissions for user '.$user['Username']);
|
||||||
|
return;
|
||||||
|
}
|
||||||
foreach ( $eids as $eid ) archiveRequest($task, $eid);
|
foreach ( $eids as $eid ) archiveRequest($task, $eid);
|
||||||
break;
|
break;
|
||||||
case 'delete' :
|
case 'delete' :
|
||||||
|
if ( !canEdit('Events') ) {
|
||||||
|
ajaxError('Insufficient permissions for user '.$user['Username']);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
foreach ( $eids as $eid ) $data[] = deleteRequest($eid);
|
foreach ( $eids as $eid ) $data[] = deleteRequest($eid);
|
||||||
break;
|
break;
|
||||||
case 'query' :
|
case 'query' :
|
||||||
|
|
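Review bot: Relaxing the top-level gate from `canEdit('Events')` to `canView('Events')` makes every task in the `switch` reachable by view-only users. Only `unarchive` and `delete` are re-guarded here, so any other state-changing case would inherit view-only access; the switch continues past `case 'query'`, outside this hunk. A default-deny check placed once before the `switch` would be safer than per-case opt-in and would remove the duplicated guard, e.g. `if ( !in_array($task, array('archive', 'query'), true) && !canEdit('Events') ) { ajaxError('Insufficient permissions for user '.$user['Username']); return; }`, with the list set to whichever tasks are meant to be view-only. The new `canView` check only assigns `$message`, and whether that stops execution before the `switch` is not visible here, so it is worth confirming that a user without view permission cannot still reach `archiveRequest()`. Since `archive` changes event state under view-only permission by design, the comment under `case 'unarchive'` would read better next to `case 'archive'`, where the decision applies.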