Apply permission checks to the appointment and unavailability search (#1753)

Author: alextselegidis

CHANGELOG.md

@@ -11,6 +11,7 @@ developers to maintain and readjust their custom modifications on the main proje
 - Fix the "Load More" JS error in secretaries page (#1677)
 - Fix the PHP compatibility error of the appointments index API endpoint (#1678)
 - Catch individual email delivery exceptions (#1670)
+- Apply permission checks to the appointment and unavailability search (#1753)
 
 
 

application/controllers/Appointments.php

@@ -88,6 +88,33 @@ public function search(): void
 
             $appointments = $this->appointments_model->search($keyword, $limit, $offset, $order_by);
 
+            $user_id = session('user_id');
+            $role_slug = session('role_slug');
+
+            // If the current user is a provider he must only see his own appointments.
+            if ($role_slug === DB_SLUG_PROVIDER) {
+                foreach ($appointments as $index => $appointment) {
+                    if ((int) $appointment['id_users_provider'] !== (int) $user_id) {
+                        unset($appointments[$index]);
+                    }
+                }
+
+                $appointments = array_values($appointments);
+            }
+
+            // If the current user is a secretary he must only see the appointments of his providers.
+            if ($role_slug === DB_SLUG_SECRETARY) {
+                $provider_ids = $this->secretaries_model->find($user_id)['providers'];
+
+                foreach ($appointments as $index => $appointment) {
+                    if (!in_array((int) $appointment['id_users_provider'], $provider_ids)) {
+                        unset($appointments[$index]);
+                    }
+                }
+
+                $appointments = array_values($appointments);
+            }
+
             json_response($appointments);
         } catch (Throwable $e) {
             json_exception($e);

application/controllers/Unavailabilities.php

@@ -69,6 +69,33 @@ public function search(): void
 
             $unavailabilities = $this->unavailabilities_model->search($keyword, $limit, $offset, $order_by);
 
+            $user_id = session('user_id');
+            $role_slug = session('role_slug');
+
+            // If the current user is a provider he must only see his own appointments.
+            if ($role_slug === DB_SLUG_PROVIDER) {
+                foreach ($unavailabilities as $index => $unavailability) {
+                    if ((int) $unavailability['id_users_provider'] !== (int) $user_id) {
+                        unset($unavailabilities[$index]);
+                    }
+                }
+
+                $unavailabilities = array_values($unavailabilities);
+            }
+
+            // If the current user is a secretary he must only see the unavailabilities of his providers.
+            if ($role_slug === DB_SLUG_SECRETARY) {
+                $provider_ids = $this->secretaries_model->find($user_id)['providers'];
+
+                foreach ($unavailabilities as $index => $unavailability) {
+                    if (!in_array((int) $unavailability['id_users_provider'], $provider_ids)) {
+                        unset($unavailabilities[$index]);
+                    }
+                }
+
+                $unavailabilities = array_values($unavailabilities);
+            }
+
             json_response($unavailabilities);
         } catch (Throwable $e) {
             json_exception($e);