CS-Cart discussions order permissions fix
diff -urN cscart_v4.2.4_orig/app/addons/discussion/controllers/common/discussion.php cscart_v4.2.4/app/addons/discussion/controllers/common/discussion.php | |
--- cscart_v4.2.4_orig/app/addons/discussion/controllers/common/discussion.php 2014-11-27 13:21:15.000000000 +0300 | |
+++ cscart_v4.2.4/app/addons/discussion/controllers/common/discussion.php 2016-03-21 19:36:33.000000000 +0300 | |
@@ -37,7 +37,7 @@ | |
if (!empty($post_data['thread_id'])) { | |
$object = fn_discussion_get_object_by_thread($post_data['thread_id']); | |
- if (empty($object)) { | |
+ if (empty($object) || !fn_discussion_check_thread_permissions($object, $auth)) { | |
fn_set_notification('E', __('error'), __('cant_find_thread')); | |
return array(CONTROLLER_STATUS_REDIRECT, $_REQUEST['redirect_url'] . $suffix); | |
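Review bot: The new permission guard on the `+` line only covers the `!empty($post_data['thread_id'])` branch; the enclosing controller action starts before and ends after this hunk, so any other path in it that resolves a discussion object (rather than a thread id) would need the same `fn_discussion_check_thread_permissions()` call — worth confirming there is none. Reusing `cant_find_thread` for a denied thread is a sensible choice, since the response does not reveal whether the thread exists. The failure path then redirects to `$_REQUEST['redirect_url']`, which predates this change but is now the landing point for permission denials as well; validating that it is a local path before redirecting would close the open-redirect risk on this route. `$auth` is assumed to be in scope in this controller, which the hunk does not show.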
diff -urN cscart_v4.2.4_orig/app/addons/discussion/func.php cscart_v4.2.4/app/addons/discussion/func.php | |
--- cscart_v4.2.4_orig/app/addons/discussion/func.php 2014-11-27 13:21:15.000000000 +0300 | |
+++ cscart_v4.2.4/app/addons/discussion/func.php 2016-03-21 19:34:33.000000000 +0300 | |
@@ -846,3 +846,31 @@ | |
} | |
} | |
} | |
+ | |
+/** | |
+ * Checking thread permissions | |
+ * | |
+ * @param mixed $data Thread ID (int) or Thread data (array) | |
+ * @param array $auth Auth | |
+ * @return bool | |
+ */ | |
+function fn_discussion_check_thread_permissions($thread, $auth) | |
+{ | |
+ if (is_numeric($thread)) { | |
+ $thread = db_get_row("SELECT * FROM ?:discussion WHERE thread_id = ?i", $thread); | |
+ } elseif ((empty($thread['object_type']) || empty($thread['object_id'])) && !empty($thread['thread_id'])) { | |
+ $thread = db_get_row("SELECT * FROM ?:discussion WHERE thread_id = ?i", $thread['thread_id']); | |
+ } | |
+ | |
+ if (!$thread) { | |
+ return false; | |
+ } | |
+ | |
+ if (AREA == 'C') { | |
+ if ($thread['object_type'] == 'O') { // Order | |
+ return fn_is_order_allowed($thread['object_id'], $auth); | |
+ } | |
+ } | |
+ | |
+ return true; | |
+} | |
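Review bot: The docblock names a parameter `$data` that does not exist; the function takes `$thread`, so the tag should read `@param int|array $thread Thread ID, or a thread row containing object_type/object_id (or thread_id, which is used to load them)`. The function only enforces anything for order threads in the customer area and returns `true` for every other object type and for the admin area, which matches the gist's stated scope but is not obvious from the name — a comment such as `// Only customer-area order threads are restricted; all other objects are readable by anyone with a thread id` above `if (AREA == 'C')` would make that explicit. The object-type comparison would be safer as `if ($thread['object_type'] === 'O') {`. If an array is passed that has neither `thread_id` nor `object_type`/`object_id`, it is non-empty so the `!$thread` check does not catch it and the later index reads would raise notices; that case may never occur from the single caller in this patch, but a guard on the array shape would make the helper safe to reuse.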
diff -urN cscart_v4.2.4_orig/app/functions/fn.cart.php cscart_v4.2.4/app/functions/fn.cart.php | |
--- cscart_v4.2.4_orig/app/functions/fn.cart.php 2014-11-27 13:21:15.000000000 +0300 | |
+++ cscart_v4.2.4/app/functions/fn.cart.php 2016-03-21 19:34:49.000000000 +0300 | |
@@ -7173,3 +7173,53 @@ | |
return $shipping_hash; | |
} | |
+ | |
+/** | |
+ * Checks if an order is available for a customer | |
+ * | |
+ * @param int $order_id Order ID | |
+ * @param array $auth Auth array | |
+ * @return bool | |
+ */ | |
+function fn_is_order_allowed($order_id, $auth) | |
+{ | |
+ $orders_company_condition = ''; | |
+ if (fn_allowed_for('ULTIMATE')) { | |
+ $orders_company_condition = fn_get_company_condition('?:orders.company_id'); | |
+ } | |
+ | |
+ if (!empty($auth['user_id'])) { | |
+ $allowed = db_get_field( | |
+ "SELECT user_id FROM ?:orders WHERE user_id = ?i AND order_id = ?i $orders_company_condition", | |
+ $auth['user_id'], $order_id | |
+ ); | |
+ | |
+ } elseif (!empty($auth['order_ids'])) { | |
+ $allowed = in_array($order_id, $auth['order_ids']); | |
+ } | |
+ | |
+ // Check order status (incompleted order) | |
+ if (!empty($allowed)) { | |
+ $status = db_get_field("SELECT status FROM ?:orders WHERE order_id = ?i $orders_company_condition", $order_id); | |
+ if ($status == STATUS_INCOMPLETED_ORDER) { | |
+ $allowed = false; | |
+ } | |
+ } | |
+ | |
+ /** | |
+ * Deprecated | |
+ * @since 4.3.7 | |
+ */ | |
+ fn_set_hook('is_order_allowed', $order_id, $allowed); | |
+ | |
+ /** | |
+ * Checks if an order is available for a customer | |
+ * | |
+ * @param int $order_id Order ID | |
+ * @param array $auth Auth array | |
+ * @param int $allowed Allowed flag | |
+ */ | |
+ fn_set_hook('is_order_allowed_post', $order_id, $auth, $allowed); | |
+ | |
+ return !empty($allowed); | |
+} |
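Review bot: `$allowed` is never initialised, so when `$auth` has neither `user_id` nor `order_ids` (anonymous visitor with no session orders) the variable is undefined when it reaches the `is_order_allowed` hook calls; adding `$allowed = false;` before the `if (!empty($auth['user_id']))` branch gives the hooks a defined value and makes the deny-by-default intent explicit. The guest branch uses a non-strict `in_array`, while the database branches cast through `?i`; normalising once at the top with `$order_id = (int) $order_id;` and then `in_array($order_id, $auth['order_ids'], true)` keeps both branches comparing the same value. The `@param int $allowed Allowed flag` line in the `is_order_allowed_post` hook docblock describes a bool, so `@param bool $allowed` would be accurate. The `Deprecated @since 4.3.7` annotation on the first hook looks copied from a later CS-Cart release than the 4.2.4 tree this patch targets; if that is intentional a one-line comment saying so would avoid confusion.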