
Commit 38ae925

committed
rights fix
1 parent 0d45829 commit 38ae925


1 file changed

+34
-13
lines changed


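--- a/fragments/forcal_entries_filter.php
+++ b/fragments/forcal_entries_filter.php
@@ -28,13 +28,27 @@
 // Gespeicherte Filter laden
 $savedFilters = forcalFilterService::getUserFilters($userId);
 
+// Benutzer-Kategorien für nicht-Admins vorbereiten
+$user_categories = [];
+if (!$user->isAdmin()) {
+$user_categories = forCalUserPermission::getUserCategories($userId);
+}
+
 // Standard-Filter laden, falls kein Filter aktiv ist
 $defaultFilter = null;
 if (empty($currentCategory) && empty($currentVenue) && empty($currentStatus) && empty($currentSearch) && empty($currentCreator) && empty($currentDateFrom)) {
 $defaultFilter = forcalFilterService::getDefaultFilter($userId);
 if ($defaultFilter) {
 $filterData = $defaultFilter['filter_data'];
+
+// Sicherheitsprüfung: Kategorie-Zugriff für nicht-Admins
 $currentCategory = $filterData['category'] ?? null;
+if ($currentCategory && !$user->isAdmin()) {
+if (!in_array($currentCategory, $user_categories)) {
+$currentCategory = null; // Kategorie nicht mehr erlaubt
+}
+}
+
 $currentVenue = $filterData['venue'] ?? null;
 $currentStatus = $filterData['status'] ?? null;
 $currentSearch = $filterData['search'] ?? '';
@@ -60,6 +74,13 @@
 if ($loadedFilter) {
 $filterData = $loadedFilter['filter_data'];
 
+// Sicherheitsprüfung: Kategorie-Zugriff für nicht-Admins
+if (isset($filterData['category']) && $filterData['category'] && !$user->isAdmin()) {
+if (!in_array($filterData['category'], $user_categories)) {
+unset($filterData['category']); // Kategorie nicht mehr erlaubt
+}
+}
+
 // Sortierung wiederherstellen
 if (isset($filterData['sort']) && !empty($filterData['sort'])) {
 rex_set_session('rex_list_' . $tableEvent . '_sort', $filterData['sort']);
@@ -118,13 +139,17 @@
 ORDER BY name_' . rex_clang::getCurrentId()
 );
 
-// Venues laden
-$all_venues = rex_sql::factory()->getArray(
-'SELECT id, name_' . rex_clang::getCurrentId() . ' as name
-FROM ' . rex::getTable('forcal_venues') . '
-WHERE status = 1
-ORDER BY name_' . rex_clang::getCurrentId()
-);
+// Venues laden (nur wenn aktiviert)
+$all_venues = [];
+$venuesEnabled = $addon->getConfig('forcal_venues_enabled', true);
+if ($venuesEnabled) {
+$all_venues = rex_sql::factory()->getArray(
+'SELECT id, name_' . rex_clang::getCurrentId() . ' as name
+FROM ' . rex::getTable('forcal_venues') . '
+WHERE status = 1
+ORDER BY name_' . rex_clang::getCurrentId()
+);
+}
 
 // Benutzer laden (für Ersteller-Filter)
 $creators = rex_sql::factory()->getArray(
@@ -134,12 +159,6 @@
 ORDER BY u.name'
 );
 
-// Benutzer-Kategorien für nicht-Admins
-$user_categories = [];
-if (!$user->isAdmin()) {
-$user_categories = forCalUserPermission::getUserCategories($userId);
-}
-
 // Aktuelle URL ohne Filter-Parameter
 $baseUrl = rex_url::currentBackendPage();
 $currentParams = [];
@@ -237,6 +256,7 @@ class="btn btn-default <?= $filter['is_default'] ? 'btn-info' : '' ?>"
 </div>
 </div>
 
+<?php if ($venuesEnabled): ?>
 <div class="col-sm-2">
 <div class="form-group" style="margin-bottom: 10px;">
 <select name="venue_filter" class="form-control input-sm selectpicker" data-live-search="true" data-size="8">
@@ -249,6 +269,7 @@ class="btn btn-default <?= $filter['is_default'] ? 'btn-info' : '' ?>"
 </select>
 </div>
 </div>
+<?php endif; ?>
 
 <div class="col-sm-2">
 <div class="form-group" style="margin-bottom: 10px;">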
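Review bot: The category allow-list check at new line 47 (`in_array($currentCategory, $user_categories)`) is an authorisation decision made with loose comparison, so it depends on PHP type juggling between the stored `filter_data` value and whatever `getUserCategories()` returns; the same pattern is repeated at new line 79 in the second hunk. Prefer `if (!in_array($currentCategory, $user_categories, true)) {` and `if (!in_array($filterData['category'], $user_categories, true)) {`, after normalising both sides to one scalar type (whether category ids arrive as int or string is not visible in these hunks, so confirm before switching to strict). Since the identical check now lives in both the default-filter and loaded-filter branches, a small shared helper such as `$isAllowedCategory = static fn ($c): bool => ...` would keep the two paths from drifting. Note also that the `if ($currentCategory && ...)` / `$filterData['category'] &&` guards skip the check for a falsy value such as `'0'`, which is only safe if that is never a real category id. The enclosing `if ($defaultFilter)` and `if ($loadedFilter)` blocks continue past the ends of their hunks.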
