From 32d14f493b114fc97b64028510c1a1abe73676ba Mon Sep 17 00:00:00 2001
From: MichiK
Date: Thu, 7 Dec 2017 18:44:43 +0100
Subject: Fix sign-up to shifts by supporter

Any user with the `shiftentry_edit_angeltype_supporter` privilege was able to sign up any users of the correct angeltype to any shift that they could sign up themselves because the shift entry controller only checks for the global privilege an not the fact that the user is indeed supporter for the angeltype in question.
---
 includes/controller/shift_entries_controller.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'includes/controller')

diff --git a/includes/controller/shift_entries_controller.php b/includes/controller/shift_entries_controller.php
index 6a471122..d9813ebc 100644
--- a/includes/controller/shift_entries_controller.php
+++ b/includes/controller/shift_entries_controller.php
@@ -194,7 +194,7 @@ function shift_entry_add_controller()
 $angeltypes[$angeltype['id']] = $angeltype['name'];
 }
 $angeltype_select = html_select_key('angeltype_id', 'angeltype_id', $angeltypes, $type['id']);
- } elseif (in_array('shiftentry_edit_angeltype_supporter', $privileges)) {
+ } elseif (in_array('shiftentry_edit_angeltype_supporter', $privileges) && User_is_AngelType_supporter($user, $type)) {
 $users = Users_by_angeltype($type);
 $users_select = [];
 foreach ($users as $usr) {
-- 
cgit v1.2.3-54-g00ecf
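Review bot: The added `User_is_AngelType_supporter($user, $type)` condition sits on the `elseif` that builds the selectable user list, so as far as this hunk shows it only narrows what the form offers. `shift_entry_add_controller()` starts and ends outside the hunk, and the place where it accepts the submitted user id is not visible here; please confirm that it applies the same per-angeltype check and does not rely on the global `shiftentry_edit_angeltype_supporter` privilege alone. If it does not, compute the decision once, e.g. `$is_supporter = in_array('shiftentry_edit_angeltype_supporter', $privileges) && User_is_AngelType_supporter($user, $type);`, and reuse it both for the form and for accepting the id. A short comment such as `// global privilege alone is not enough: the user must be supporter of this angeltype` above the condition would keep the two checks from being merged again later.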