Business/QwikClock
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Enforce permissions in shift assignment, add new permission QWIKCLOCK_ADMIN

Browse Source
This commit is contained in:
Skylar Ittner 2017-11-20 20:26:46 -07:00
parent 98ac465396
commit 5fa2ec2536
4 changed files with 29 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
action.php
View File

@ -75,7 +75,7 @@ switch ($VARS['action']) {
header('Content-Type: application/json');
exit(json_encode($out));
case "editshift":
if (account_has_permission($_SESSION['username'], "QWIKCLOCK_MANAGE")) {
if (account_has_permission($_SESSION['username'], "QWIKCLOCK_ADMIN")) {
$valid_daycodes = ["Su", "Mo", "Tu", "We", "Th", "Fr", "Sa"];
$name = htmlentities($VARS['shiftname']);
@ -130,23 +130,34 @@ switch ($VARS['action']) {
$already_assigned = $database->select('assigned_shifts', 'uid', ['shiftid' => $VARS['shift']]);
require_once __DIR__ . "/lib/userinfo.php";
$managedusers = getManagedUsernames($_SESSION['uid']);
$manageduids = getManagedUIDs($_SESSION['uid']);
foreach ($VARS['users'] as $u) {
if (!account_has_permission($_SESSION['username'], "ADMIN")) {
if (!in_array($u, $managedusers)) {
returnToSender("you_arent_my_supervisor", htmlentities($u));
}
}
if (!user_exists($u)) {
returnToSender("user_not_exists", htmlentities($u));
}
$uid = getUserByUsername($u)['uid'];
$database->insert('assigned_shifts', ['uid' => $uid, 'shiftid' => $VARS['shift']]);
if (!account_has_permission($_SESSION['username'], "QWIKCLOCK_ADMIN")) {
if (!in_array($u, $managedusers) && !in_array($uid, $already_assigned)) {
returnToSender("you_arent_my_supervisor", htmlentities($u));
}
}
if (!in_array($uid, $already_assigned)) {
$database->insert('assigned_shifts', ['uid' => $uid, 'shiftid' => $VARS['shift']]);
}
$already_assigned = array_diff($already_assigned, [$uid]); // Remove user from old list
}
// $already_assigned now only has removed users
$removefailed = false;
foreach ($already_assigned as $uid) {
if (!account_has_permission($_SESSION['username'], "QWIKCLOCK_ADMIN")) {
if (!in_array($uid, $manageduids)) {
$removefailed = true;
continue;
}
}
$database->delete('assigned_shifts', ["AND" => ['uid' => $uid, 'shiftid' => $VARS['shift']]]);
}
returnToSender("shift_assigned");
returnToSender($removefailed ? "shift_assigned_removefailed" : "shift_assigned");
break;
case "autocomplete_user":
header("Content-Type: application/json");

1
lang/en_us.php
View File

@ -77,6 +77,7 @@ define("STRINGS", [
"add" => "Add",
"choose a shift" => "Choose a shift",
"shift assigned" => "Shift assigned.",
"shift assigned but removal failed" => "Shift assigned successfully, but one or more users are not managed by you and were not removed.",
"report export" => "Reports/Export",
"report type" => "Report type",
"format" => "Format",

4
lang/messages.php
View File

@ -61,6 +61,10 @@ define("MESSAGES", [
"string" => "shift assigned",
"type" => "success"
],
"shift_assigned_removefailed" => [
"string" => "shift assigned but removal failed",
"type" => "info"
],
"not_assigned_to_work" => [
"string" => "not assigned to work now",
"type" => "danger"

6
pages/shifts.php
View File

@ -17,9 +17,13 @@ $totalpunches = count($punches);
<div class="btn-group mgn-btm-10px">
<?php
if (account_has_permission($_SESSION['username'], "QWIKCLOCK_MANAGE")) {
if (account_has_permission($_SESSION['username'], "QWIKCLOCK_ADMIN")) {
?>
<a href="app.php?page=editshift" class="btn btn-success"><i class="fa fa-calendar-plus-o"></i> <?php lang("new shift"); ?></a>
<?php
}
if (account_has_permission($_SESSION['username'], "QWIKCLOCK_MANAGE") || account_has_permission($_SESSION['username'], "QWIKCLOCK_ADMIN")) {
?>
<a href="app.php?page=assignshift" class="btn btn-info"><i class="fa fa-calendar-check-o"></i> <?php lang("assign shift"); ?></a>
<?php
}