Some calendar fixes

8 years ago · 50e4861d39
parent a801a64f93
commit 50e4861d39
5 changed files with 44 additions and 4 deletions
--- a/admin/calendar.php
+++ b/admin/calendar.php
@ -60,6 +60,10 @@ if ($modsForHesk_settings['enable_calendar'] == '0') {
 $rs = hesk_dbQuery("SELECT `id`, `name`, `color` FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "categories` WHERE `usage` <> 1 ORDER BY `cat_order`");
 $categories = [];
 while ($row = hesk_dbFetchAssoc($rs)) {
+    if (!$_SESSION['isadmin'] && !in_array($row['id'], $_SESSION['categories'])) {
+        continue;
+    }
+
    $row['css_style'] = $row['color'] == null ? 'color: black; border: solid 1px #000' : 'background: ' . $row['color'];
    $categories[] = $row;
 }
--- a/inc/common.inc.php
+++ b/inc/common.inc.php
@ -1836,7 +1836,11 @@ function mfh_log($location, $message, $severity, $user) {
 }

 function mfh_log_debug($location, $message, $user) {
-    mfh_log($location, $message, 0, $user);
+    global $hesk_settings;
+
+    if ($hesk_settings['debug_mode']) {
+        mfh_log($location, $message, 0, $user);
+    }
 }

 function mfh_log_info($location, $message, $user) {
--- a/internal-api/dao/calendar_dao.php
+++ b/internal-api/dao/calendar_dao.php
@ -26,6 +26,13 @@ function get_events($start, $end, $hesk_settings, $staff = true) {

    $events = [];
    while ($row = hesk_dbFetchAssoc($rs)) {
+        // Skip the event if the user does not have access to it
+        if (!$_SESSION['isadmin'] && !in_array($row['category'], $_SESSION['categories'])) {
+            continue;
+        }
+
+        mfh_log_debug('Calendar', "Creating event with id: {$row['id']}", '');
+
        $event['type'] = 'CALENDAR';
        $event['id'] = intval($row['id']);
        $event['startTime'] = $row['start'];
@ -59,6 +66,11 @@ function get_events($start, $end, $hesk_settings, $staff = true) {

        $rs = hesk_dbQuery($sql);
        while ($row = hesk_dbFetchAssoc($rs)) {
+            // Skip the ticket if the user does not have access to it
+            if (!$_SESSION['isadmin'] && !in_array($row['category'], $_SESSION['categories'])) {
+                continue;
+            }
+
            $event['type'] = 'TICKET';
            $event['trackingId'] = $row['trackid'];
            $event['title'] = '[' . $row['trackid'] . '] ' . $row['subject'];
@ -75,6 +87,10 @@ function get_events($start, $end, $hesk_settings, $staff = true) {
 }

 function create_event($event, $hesk_settings) {
+    // Make sure the user can create events in this category
+    if (!$_SESSION['isadmin'] && !in_array($event['category'], $_SESSION['categories'])) {
+        print_error('Access Denied', 'You cannot create an event in this category');
+    }

    $event['start'] = date('Y-m-d H:i:s', strtotime($event['start']));
    $event['end'] = date('Y-m-d H:i:s', strtotime($event['end']));
@ -101,6 +117,11 @@ function create_event($event, $hesk_settings) {
 }

 function update_event($event, $hesk_settings) {
+    // Make sure the user can edit events in this category
+    if (!$_SESSION['isadmin'] && !in_array($event['category'], $_SESSION['categories'])) {
+        print_error('Access Denied', 'You cannot edit an event in this category');
+    }
+
    $event['start'] = date('Y-m-d H:i:s', strtotime($event['start']));
    $event['end'] = date('Y-m-d H:i:s', strtotime($event['end']));
    if ($event['create_ticket_date'] != null) {
@ -128,6 +149,13 @@ function update_event($event, $hesk_settings) {
 }

 function delete_event($id, $hesk_settings) {
+    // Make sure the user can delete events in this category
+    $categoryRs = hesk_dbQuery('SELECT `category` FROM `' . hesk_dbEscape($hesk_settings['db_pfix']) . 'calendar_event` WHERE `id` = ' . intval($id));
+    $category = hesk_dbFetchAssoc($categoryRs);
+    if (!$_SESSION['isadmin'] && !in_array($category['category'], $_SESSION['categories'])) {
+        print_error('Access Denied', 'You cannot delete events in this category');
+    }
+
    $sql = "DELETE FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "calendar_event` WHERE `id` = " . intval($id);

    hesk_dbQuery($sql);
--- a/js/calendar/mods-for-hesk-calendar-admin-readonly.js
+++ b/js/calendar/mods-for-hesk-calendar-admin-readonly.js
@ -13,7 +13,7 @@ $(document).ready(function() {
        defaultView: $('#setting_default_view').text().trim(),
        events: function(start, end, timezone, callback) {
            $.ajax({
-                url: getHelpdeskUrl() + '/internal-api/calendar/?start=' + start + '&end=' + end,
+                url: getHelpdeskUrl() + '/internal-api/admin/calendar/?start=' + start + '&end=' + end,
                method: 'GET',
                dataType: 'json',
                success: function(data) {
--- a/js/calendar/mods-for-hesk-calendar.js
+++ b/js/calendar/mods-for-hesk-calendar.js
@ -351,8 +351,12 @@ function displayEditModal(date) {
        .find('input[name="start-date"]').val(date.start.format('YYYY-MM-DD')).end()
        .find('input[name="end-date"]').val(date.end.format('YYYY-MM-DD')).end()
        .find('input[name="id"]').val(date.id).end()
-        .find('input[name="reminder-value"]').val(date.reminderValue).end()
-        .find('select[name="reminder-unit"]').val(date.reminderUnits).end();
+        .find('input[name="reminder-value"]').val(date.reminderValue).end();
+
+    if (date.reminderUnits != null) {
+        $form.find('select[name="reminder-unit"]').val(date.reminderUnits).end();
+    }
+

    var createTicketLink = getHelpdeskUrl() + '/' + getAdminDirectory() + '/new_ticket.php?subject=';
    createTicketLink += encodeURI('[' + date.start.format('YYYY-MM-DD') + '] ' + date.title);