summaryrefslogtreecommitdiff
path: root/includes
diff options
context:
space:
mode:
authorMichiK <michik+github@michik.net>2017-12-07 18:44:43 +0100
committerMichiK <michik+github@michik.net>2017-12-07 18:52:07 +0100
commit32d14f493b114fc97b64028510c1a1abe73676ba (patch)
tree46082bad6307e3a9b3b4d99d4c93b3329e049815 /includes
parentf2972af591b8fc90115c98b4936518deb1644d5a (diff)
Fix sign-up to shifts by supporter
Any user with the `shiftentry_edit_angeltype_supporter` privilege was able to sign up any users of the correct angeltype to any shift that they could sign up themselves because the shift entry controller only checks for the global privilege an not the fact that the user is indeed supporter for the angeltype in question.
Diffstat (limited to 'includes')
-rw-r--r--includes/controller/shift_entries_controller.php2
1 files changed, 1 insertions, 1 deletions
diff --git a/includes/controller/shift_entries_controller.php b/includes/controller/shift_entries_controller.php
index 6a471122..d9813ebc 100644
--- a/includes/controller/shift_entries_controller.php
+++ b/includes/controller/shift_entries_controller.php
@@ -194,7 +194,7 @@ function shift_entry_add_controller()
$angeltypes[$angeltype['id']] = $angeltype['name'];
}
$angeltype_select = html_select_key('angeltype_id', 'angeltype_id', $angeltypes, $type['id']);
- } elseif (in_array('shiftentry_edit_angeltype_supporter', $privileges)) {
+ } elseif (in_array('shiftentry_edit_angeltype_supporter', $privileges) && User_is_AngelType_supporter($user, $type)) {
$users = Users_by_angeltype($type);
$users_select = [];
foreach ($users as $usr) {