iger
/
engelsystem
9
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fix sign-up to shifts by supporter 

Any user with the `shiftentry_edit_angeltype_supporter` privilege was
able to sign up any users of the correct angeltype to any shift that
they could sign up themselves because the shift entry controller only
checks for the global privilege an not the fact that the user is indeed
supporter for the angeltype in question.
This commit is contained in:
MichiK 2017-12-07 18:44:43 +01:00
parent f2972af591
commit 32d14f493b
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
includes/controller/shift_entries_controller.php
View File

@ -194,7 +194,7 @@ function shift_entry_add_controller()
$angeltypes[$angeltype['id']] = $angeltype['name']; $angeltypes[$angeltype['id']] = $angeltype['name'];
} }
$angeltype_select = html_select_key('angeltype_id', 'angeltype_id', $angeltypes, $type['id']); $angeltype_select = html_select_key('angeltype_id', 'angeltype_id', $angeltypes, $type['id']);
} elseif (in_array('shiftentry_edit_angeltype_supporter', $privileges)) { } elseif (in_array('shiftentry_edit_angeltype_supporter', $privileges) && User_is_AngelType_supporter($user, $type)) {
$users = Users_by_angeltype($type); $users = Users_by_angeltype($type);
$users_select = []; $users_select = [];
foreach ($users as $usr) { foreach ($users as $usr) {