Allow users with canView Events to view event list. Don't allow unarchive or delete if they don't have canEdit

Isaac Connor 2020-12-08 10:33:25 -05:00
parent b0f2ff6302
commit c156731f0b
1 changed files with 13 additions and 1 deletions


@ -6,7 +6,7 @@ $data = array();
// INITIALIZE AND CHECK SANITY // INITIALIZE AND CHECK SANITY
// //
if ( !canEdit('Events') ) $message = 'Insufficient permissions for user '.$user['Username']; if ( !canView('Events') ) $message = 'Insufficient permissions for user '.$user['Username'];
if ( empty($_REQUEST['task']) ) { if ( empty($_REQUEST['task']) ) {
$message = 'Must specify a task'; $message = 'Must specify a task';
@ -74,10 +74,22 @@ if ( isset($_REQUEST['limit']) ) {
switch ( $task ) { switch ( $task ) {
case 'archive' : case 'archive' :
foreach ( $eids as $eid ) archiveRequest($task, $eid);
break;
case 'unarchive' : case 'unarchive' :
# The idea is that anyone can archive, but only people with Event Edit permission can unarchive..
if ( !canEdit('Events') ) {
ajaxError('Insufficient permissions for user '.$user['Username']);
return;
}
foreach ( $eids as $eid ) archiveRequest($task, $eid); foreach ( $eids as $eid ) archiveRequest($task, $eid);
break; break;
case 'delete' : case 'delete' :
if ( !canEdit('Events') ) {
ajaxError('Insufficient permissions for user '.$user['Username']);
return;
}
foreach ( $eids as $eid ) $data[] = deleteRequest($eid); foreach ( $eids as $eid ) $data[] = deleteRequest($eid);
break; break;
case 'query' : case 'query' :
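Review bot: With the entry gate lowered to `canView('Events')`, authorization inside `switch ( $task )` becomes deny-by-exception: a task is open to view-only users unless its `case` remembers to re-check `canEdit('Events')`, as `unarchive` and `delete` now do with two copies of the same block. `archive` still changes stored event state and is left open on purpose per the comment, but any state-changing task added later would be reachable by view-only users by default. A single default-deny check ahead of the switch would replace both copies: `if ( !canEdit('Events') && !in_array($task, array('query', 'archive'), true) ) { ajaxError('Insufficient permissions for user '.$user['Username']); return; }` (extend the list if other read-only tasks exist below the hunk). The switch continues past the hunk, and whether the `$message` set by the first gate actually stops execution before the switch is not visible here, so that should be confirmed as well.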