Commit fff547f6 authored by chandi's avatar chandi Committed by Matthias Larisch

fixed authorization in xhr.php?f=acceptRequest|warteRequest

parent 378edb1f
......@@ -1327,31 +1327,34 @@ class XhrMethods
public function xhr_acceptRequest($data)
{
if ($this->session->isOrgaTeam() || $this->storeGateway->isResponsible($this->session->id(), $data['bid']) || $this->session->isAmbassador()) {
$this->storeModel->acceptRequest($data['fsid'], $data['bid']);
$this->storeGateway->add_betrieb_notiz(array(
'foodsaver_id' => $data['fsid'],
'betrieb_id' => $data['bid'],
'text' => '{ACCEPT_REQUEST}',
'zeit' => date('Y-m-d H:i:s'),
'milestone' => 2
));
if (!$this->storePermissions->mayAcceptRequests($data['bid'])) {
return XhrResponses::PERMISSION_DENIED;
}
$this->storeModel->acceptRequest($data['fsid'], $data['bid']);
$this->storeGateway->add_betrieb_notiz(array(
'foodsaver_id' => $data['fsid'],
'betrieb_id' => $data['bid'],
'text' => '{ACCEPT_REQUEST}',
'zeit' => date('Y-m-d H:i:s'),
'milestone' => 2
));
$bezirk_id = $this->model->getVal('bezirk_id', 'betrieb', $data['bid']);
$this->regionGateway->linkBezirk($data['fsid'], $bezirk_id);
$bezirk_id = $this->model->getVal('bezirk_id', 'betrieb', $data['bid']);
$this->regionGateway->linkBezirk($data['fsid'], $bezirk_id);
return json_encode(array('status' => 1));
}
return json_encode(array('status' => 1));
}
public function xhr_warteRequest($data)
{
if ($this->session->isOrgaTeam() || $this->storeGateway->isResponsible($this->session->id(), $data['bid']) || $this->session->isAmbassador()) {
$this->storeModel->warteRequest($data['fsid'], $data['bid']);
return json_encode(array('status' => 1));
if (!$this->storePermissions->mayAcceptRequests($data['bid'])) {
return XhrResponses::PERMISSION_DENIED;
}
$this->storeModel->warteRequest($data['fsid'], $data['bid']);
return json_encode(array('status' => 1));
}
public function xhr_betriebRequest($data)
......
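Review bot: The new guard in `xhr_acceptRequest` and `xhr_warteRequest` validates only `$data['bid']`; the target user `$data['fsid']` is still taken unchecked from the request and passed to `acceptRequest()` / `warteRequest()` and, in the first method, to `linkBezirk()`, so unless `storeModel->acceptRequest()` only flips an existing pending request row (its body is not visible here) a caller who passes `mayAcceptRequests()` can attach an arbitrary foodsaver to the store and its region. Consider verifying that `fsid` has an open request for `bid` before any write, and normalising both ids up front, e.g. `$bid = (int)$data['bid']; $fsid = (int)$data['fsid'];`, so a missing key cannot reach the permission check as `null`. Both methods are fully visible in the hunk; `xhr_betriebRequest` begins at its last line and is not reviewed here.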
......@@ -40,7 +40,7 @@ class StorePermissions
return false;
}
public function mayEditPickups($storeId)
public function mayEditStore($storeId)
{
$fsId = $this->session->id();
if (!$fsId) {
......@@ -60,4 +60,14 @@ class StorePermissions
return false;
}
public function mayEditPickups($storeId)
{
return $this->mayEditStore($storeId);
}
public function mayAcceptRequests($storeId)
{
return $this->mayEditStore($storeId);
}
}
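Review bot: `mayAcceptRequests()` is a bare alias of `mayEditStore()`, which silently ties request handling to store-edit rights without recording that this is intentional; a short comment above it would do, e.g. `// Accepting or parking a membership request requires the same rights as editing the store; widen this deliberately, not by accident.` The inline check this commit removes from XhrMethods also granted `isAmbassador()`; whether `mayEditStore()` preserves that is decided in its body, which starts at the renamed signature but continues past the hunk boundary, so it should be confirmed against what callers expect. The old `mayEditPickups()` name is kept as a delegating wrapper, so existing callers are unaffected.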