From 92e93a2372537f417a9ea7dd9b3073be40c86d16 Mon Sep 17 00:00:00 2001
From: Suzanne Lee
Date: Mon, 8 Nov 2021 19:04:12 -0500
Subject: [PATCH 1/2] bvl feedback add permission check

---
 php/libraries/NDB_BVL_Feedback.class.inc | 55 +++++++++++++++++-------
 1 file changed, 40 insertions(+), 15 deletions(-)

diff --git a/php/libraries/NDB_BVL_Feedback.class.inc b/php/libraries/NDB_BVL_Feedback.class.inc
index ec9d545169a..28abd61d51d 100644
--- a/php/libraries/NDB_BVL_Feedback.class.inc
+++ b/php/libraries/NDB_BVL_Feedback.class.inc
@@ -475,25 +475,38 @@ class NDB_BVL_Feedback
             $query .= " LEFT JOIN flag as f ON (ft.CommentID = f.CommentID)";
         }
         $query .= " WHERE ft.Active ='Y'";
-        if (!$hasReadPermission===true) {
-            $query .= " AND FIND_IN_SET(s.CenterID, :CentID)";
-            $qparams['CentID'] = implode(',', $user->getCenterIDs());
-        }
         $query .= " AND Public = 'Y' AND Status <> 'closed'";
         if (!empty($this->_feedbackObjectInfo['CandID'])) {
-            $query .= " AND ft.CandID = :CaID";
-            $qparams['CaID'] = $this->_feedbackObjectInfo['CandID'];
+            $query .= " AND ft.CandID = :CaID";
+            $qparams['CaID'] = $this->_feedbackObjectInfo['CandID'];
+            $candidate = Candidate::singleton(new CandID($qparams['CaID']));
+            $hasReadPermission = (
+                $hasReadPermission ||
+                $candidate->isAccessibleBy($user)
+            );
         }
-        if (!empty($this->_feedbackObjectInfo['SessionID'])) {
-            $query .= " AND ft.SessionID = :SID";
-            $qparams['SID'] = $this->_feedbackObjectInfo['SessionID'];
+            $query .= " AND ft.SessionID = :SID";
+            $qparams['SID'] = $this->_feedbackObjectInfo['SessionID'];
+            $timepoint = Timepoint::singleton(
+                new SessionID($qparams['SID'])
+            );
+            $hasReadPermission = (
+                $hasReadPermission ||
+                $timepoint->isAccessibleBy($user)
+            );
         }
         if (!empty($this->_feedbackObjectInfo['CommentID'])) {
-            $query .= " AND ft.SessionID = :CSID";
-            $qparams['CSID'] = $this->_feedbackCandidateProfileInfo['SessionID'];
+            $query .= " AND ft.CommentID = :ComID";
+            $qparams['ComID'] = $this->_feedbackCandidateProfileInfo['CommentID'];
         }
+
+        if (!$hasReadPermission===true) {
+            $query .= " AND FIND_IN_SET(s.CenterID, :CentID)";
+            $qparams['CentID'] = implode(',', $user->getCenterIDs());
+        }
+
         $query .= " GROUP BY ft.CandID, ft.Feedback_level, ft.SessionID";
         if (empty($this->_feedbackObjectInfo['CandID'])) {
             $query .= ", ft.CommentID";
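Review bot: The CommentID branch guards on `$this->_feedbackObjectInfo['CommentID']` but binds `:ComID` from `$this->_feedbackCandidateProfileInfo['CommentID']`, whereas the other hunk in this same patch binds `:ComID` from `_feedbackObjectInfo['CommentID']`; if the profile array does not carry a CommentID for the requested object, the placeholder would presumably be bound to null and the WHERE clause would match nothing, so the bind should come from the array the guard checked: `$qparams['ComID'] = $this->_feedbackObjectInfo['CommentID'];`. Separately, `Candidate::singleton(...)` and `Timepoint::singleton(...)` are now constructed even when the caller already holds read permission, and an ID that does not resolve presumably throws where the old query simply returned no rows; wrapping each lookup in `if (!$hasReadPermission) { ... }` keeps the common path cheap and confines that new failure mode to the access-check case. As rendered, the removed `if (!empty($this->_feedbackObjectInfo['SessionID'])) {` guard has no `+` counterpart, so confirm in the applied file that the SessionID block is still conditional rather than running on every call. The enclosing method starts and ends outside this hunk.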
@@ -565,13 +578,25 @@ class NDB_BVL_Feedback
             $qparams['SID'] = $this->_feedbackCandidateProfileInfo['SessionID'];
             $qparams['ComID'] = $this->_feedbackObjectInfo['CommentID'];
         } elseif (!empty($this->_feedbackObjectInfo['SessionID'])) {
-            $query .= " AND ft.SessionID = :SID AND ft.CommentID is null";
-            $qparams['SID'] = $this->_feedbackObjectInfo['SessionID'];
+            $query .= " AND ft.SessionID = :SID AND ft.CommentID is null";
+            $qparams['SID'] = $this->_feedbackObjectInfo['SessionID'];
+            $timepoint = Timepoint::singleton(
+                new SessionID($qparams['SID'])
+            );
+            $hasReadPermission = (
+                $hasReadPermission ||
+                $timepoint->isAccessibleBy($user)
+            );
         } elseif (!empty($this->_feedbackObjectInfo['CandID'])) {
-            $query .= " AND ft.CandID = :CaID
+            $query .= " AND ft.CandID = :CaID
                 AND ft.SessionID IS NULL AND ft.CommentID IS NULL";
-            $qparams['CaID'] = $this->_feedbackObjectInfo['CandID'];
+            $qparams['CaID'] = $this->_feedbackObjectInfo['CandID'];
+            $candidate = Candidate::singleton(new CandID($qparams['CaID']));
+            $hasReadPermission = (
+                $hasReadPermission ||
+                $candidate->isAccessibleBy($user)
+            );
         } else {
             throw new Exception(
                 "You need to pass at least one of the following to retrieve the"

From 601c08ec7417d33be22568444748b30efe41ba6e Mon Sep 17 00:00:00 2001
From: Suzanne Lee
Date: Tue, 23 Nov 2021 12:00:27 -0500
Subject: [PATCH 2/2] update if hasReadPermissions conditions

---
 php/libraries/NDB_BVL_Feedback.class.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/php/libraries/NDB_BVL_Feedback.class.inc b/php/libraries/NDB_BVL_Feedback.class.inc
index 28abd61d51d..2792dfe2840 100644
--- a/php/libraries/NDB_BVL_Feedback.class.inc
+++ b/php/libraries/NDB_BVL_Feedback.class.inc
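Review bot: `$hasReadPermission` is overloaded by the two new `$hasReadPermission = ($hasReadPermission || ...->isAccessibleBy($user))` assignments: if, as the line numbers suggest, the `// DCC users should be able to see THEIR OWN inactive threads` block shown at line 606 in the second patch belongs to this same method, the widened flag also decides whether the user's own `Active='N'` threads are returned, so a user who merely has site access to the timepoint or candidate now gets that DCC-only behaviour as well. Leave the caller's flag untouched and compute the widened value into a separate local, e.g. `$canRead = $hasReadPermission || $timepoint->isAccessibleBy($user);`, using `$canRead` for the access filtering and `$hasReadPermission` for the inactive-thread rule, or update that comment if the widening is intended. The leading `elseif (!empty($this->_feedbackObjectInfo['CommentID']))` branch, which starts above this hunk, gets no `isAccessibleBy` check at all, so a CommentID-only lookup is left entirely to whatever the caller passed in; loading the timepoint from `$this->_feedbackCandidateProfileInfo['SessionID']` there would make the three branches consistent. The enclosing method starts and ends outside this hunk.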
@@ -502,7 +502,7 @@ class NDB_BVL_Feedback
             $qparams['ComID'] = $this->_feedbackCandidateProfileInfo['CommentID'];
         }
 
-        if (!$hasReadPermission===true) {
+        if (!$hasReadPermission) {
             $query .= " AND FIND_IN_SET(s.CenterID, :CentID)";
             $qparams['CentID'] = implode(',', $user->getCenterIDs());
         }
@@ -606,7 +606,7 @@ class NDB_BVL_Feedback
         // DCC users should be able to see THEIR OWN inactive threads,
         // other users should see only active threads
-        if ($hasReadPermission===true) {
+        if ($hasReadPermission) {
             $query .= " AND (ft.Active='Y' OR (ft.Active='N' AND ft.UserID=:Username) )";
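Review bot: Dropping `===true` from `if (!$hasReadPermission===true)` is behaviour-neutral, since `!$x` already yields a bool, so this hunk is a readability change only; the second hunk of this patch, by contrast, turns a strict `=== true` into a truthiness test, which only stays equivalent if `$hasReadPermission` is always a real bool. Since the first patch now assigns the result of an `||` into the same variable, the cleanest guarantee is to declare the parameter as `bool $hasReadPermission` in the method signature (outside this hunk) rather than relying on every caller. The enclosing method starts and ends outside this hunk.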