Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

[bvl_feedback] Fix Permissions for Feedback Summary & Thread List #7826

Merged
merged 2 commits into from
Apr 26, 2023
Merged

[bvl_feedback] Fix Permissions for Feedback Summary & Thread List #7826

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
92e93a2
bvl feedback add permission check
suzanne-lee Nov 9, 2021
601c08e
update if hasReadPermissions conditions
suzanne-lee Nov 23, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
57 changes: 41 additions & 16 deletions php/libraries/NDB_BVL_Feedback.class.inc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -475,25 +475,38 @@ class NDB_BVL_Feedback
$query .= " LEFT JOIN flag as f ON (ft.CommentID = f.CommentID)";
}
$query .= " WHERE ft.Active ='Y'";
if (!$hasReadPermission===true) {
$query .= " AND FIND_IN_SET(s.CenterID, :CentID)";
$qparams['CentID'] = implode(',', $user->getCenterIDs());
}

$query .= " AND Public = 'Y' AND Status <> 'closed'";
if (!empty($this->_feedbackObjectInfo['CandID'])) {
$query .= " AND ft.CandID = :CaID";
$qparams['CaID'] = $this->_feedbackObjectInfo['CandID'];
$query .= " AND ft.CandID = :CaID";
$qparams['CaID'] = $this->_feedbackObjectInfo['CandID'];
$candidate = Candidate::singleton(new CandID($qparams['CaID']));
$hasReadPermission = (
$hasReadPermission ||
$candidate->isAccessibleBy($user)
);
}

if (!empty($this->_feedbackObjectInfo['SessionID'])) {
$query .= " AND ft.SessionID = :SID";
$qparams['SID'] = $this->_feedbackObjectInfo['SessionID'];
$query .= " AND ft.SessionID = :SID";
$qparams['SID'] = $this->_feedbackObjectInfo['SessionID'];
$timepoint = Timepoint::singleton(
new SessionID($qparams['SID'])
);
$hasReadPermission = (
$hasReadPermission ||
$timepoint->isAccessibleBy($user)
);
}
if (!empty($this->_feedbackObjectInfo['CommentID'])) {
$query .= " AND ft.SessionID = :CSID";
$qparams['CSID'] = $this->_feedbackCandidateProfileInfo['SessionID'];
$query .= " AND ft.CommentID = :ComID";
$qparams['ComID'] = $this->_feedbackCandidateProfileInfo['CommentID'];
}

if (!$hasReadPermission) {
$query .= " AND FIND_IN_SET(s.CenterID, :CentID)";
$qparams['CentID'] = implode(',', $user->getCenterIDs());
}

$query .= " GROUP BY ft.CandID, ft.Feedback_level, ft.SessionID";
if (empty($this->_feedbackObjectInfo['CandID'])) {
$query .= ", ft.CommentID";
Expand Down Expand Up @@ -565,13 +578,25 @@ class NDB_BVL_Feedback
$qparams['SID'] = $this->_feedbackCandidateProfileInfo['SessionID'];
$qparams['ComID'] = $this->_feedbackObjectInfo['CommentID'];
} elseif (!empty($this->_feedbackObjectInfo['SessionID'])) {
$query .= " AND ft.SessionID = :SID AND ft.CommentID is null";
$qparams['SID'] = $this->_feedbackObjectInfo['SessionID'];
$query .= " AND ft.SessionID = :SID AND ft.CommentID is null";
$qparams['SID'] = $this->_feedbackObjectInfo['SessionID'];
$timepoint = Timepoint::singleton(
new SessionID($qparams['SID'])
);
$hasReadPermission = (
$hasReadPermission ||
$timepoint->isAccessibleBy($user)
);
} elseif (!empty($this->_feedbackObjectInfo['CandID'])) {
$query .= " AND ft.CandID = :CaID
$query .= " AND ft.CandID = :CaID
AND ft.SessionID IS NULL
AND ft.CommentID IS NULL";
$qparams['CaID'] = $this->_feedbackObjectInfo['CandID'];
$qparams['CaID'] = $this->_feedbackObjectInfo['CandID'];
$candidate = Candidate::singleton(new CandID($qparams['CaID']));
$hasReadPermission = (
$hasReadPermission ||
$candidate->isAccessibleBy($user)
);
} else {
throw new Exception(
"You need to pass at least one of the following to retrieve the"
Expand All @@ -581,7 +606,7 @@ class NDB_BVL_Feedback

// DCC users should be able to see THEIR OWN inactive threads,
// other users should see only active threads
if ($hasReadPermission===true) {
if ($hasReadPermission) {
$query .= " AND (ft.Active='Y' OR
(ft.Active='N' AND ft.UserID=:Username)
)";
Expand Down