diff options
| author | MichiK <michik+github@michik.net> | 2017-12-07 18:44:43 +0100 |
|---|---|---|
| committer | MichiK <michik+github@michik.net> | 2017-12-07 18:52:07 +0100 |
| commit | 32d14f493b114fc97b64028510c1a1abe73676ba (patch) | |
| tree | 46082bad6307e3a9b3b4d99d4c93b3329e049815 /includes/controller | |
| parent | f2972af591b8fc90115c98b4936518deb1644d5a (diff) | |
Fix sign-up to shifts by supporter
Any user with the `shiftentry_edit_angeltype_supporter` privilege was
able to sign up any users of the correct angeltype to any shift that
they could sign up themselves because the shift entry controller only
checks for the global privilege an not the fact that the user is indeed
supporter for the angeltype in question.
Diffstat (limited to 'includes/controller')
| -rw-r--r-- | includes/controller/shift_entries_controller.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/includes/controller/shift_entries_controller.php b/includes/controller/shift_entries_controller.php index 6a471122..d9813ebc 100644 --- a/includes/controller/shift_entries_controller.php +++ b/includes/controller/shift_entries_controller.php @@ -194,7 +194,7 @@ function shift_entry_add_controller() $angeltypes[$angeltype['id']] = $angeltype['name']; } $angeltype_select = html_select_key('angeltype_id', 'angeltype_id', $angeltypes, $type['id']); - } elseif (in_array('shiftentry_edit_angeltype_supporter', $privileges)) { + } elseif (in_array('shiftentry_edit_angeltype_supporter', $privileges) && User_is_AngelType_supporter($user, $type)) { $users = Users_by_angeltype($type); $users_select = []; foreach ($users as $usr) { |