CS-Cart discussions order permissions fix
diff -urN cscart_v4.2.4_orig/app/addons/discussion/controllers/common/discussion.php cscart_v4.2.4/app/addons/discussion/controllers/common/discussion.php
--- cscart_v4.2.4_orig/app/addons/discussion/controllers/common/discussion.php 2014-11-27 13:21:15.000000000 +0300
+++ cscart_v4.2.4/app/addons/discussion/controllers/common/discussion.php 2016-03-21 19:36:33.000000000 +0300
@@ -37,7 +37,7 @@
if (!empty($post_data['thread_id'])) {
$object = fn_discussion_get_object_by_thread($post_data['thread_id']);
- if (empty($object)) {
+ if (empty($object) || !fn_discussion_check_thread_permissions($object, $auth)) {
fn_set_notification('E', __('error'), __('cant_find_thread'));
return array(CONTROLLER_STATUS_REDIRECT, $_REQUEST['redirect_url'] . $suffix);
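Review bot: The new condition on the `+ if (empty($object) || !fn_discussion_check_thread_permissions($object, $auth))` line depends on `$auth` already being defined in this controller, and nothing in the hunk shows where it comes from; if it were unset here, an order thread would be rejected (no `user_id`, no `order_ids`), so the check fails closed rather than open, but that is worth confirming against the lines above the hunk. Reusing the `cant_find_thread` message for the forbidden case is a good choice, since it does not reveal whether the thread exists, and that intent deserves a comment so a later edit does not "improve" it into a distinct access-denied message: `// Deliberately the same message as a missing thread: do not reveal that it exists`. The enclosing `if (!empty($post_data['thread_id']))` block and its controller code start before the hunk.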
diff -urN cscart_v4.2.4_orig/app/addons/discussion/func.php cscart_v4.2.4/app/addons/discussion/func.php
--- cscart_v4.2.4_orig/app/addons/discussion/func.php 2014-11-27 13:21:15.000000000 +0300
+++ cscart_v4.2.4/app/addons/discussion/func.php 2016-03-21 19:34:33.000000000 +0300
@@ -846,3 +846,31 @@
}
}
}
+
+/**
+ * Checking thread permissions
+ *
+ * @param mixed $data Thread ID (int) or Thread data (array)
+ * @param array $auth Auth
+ * @return bool
+ */
+function fn_discussion_check_thread_permissions($thread, $auth)
+{
+ if (is_numeric($thread)) {
+ $thread = db_get_row("SELECT * FROM ?:discussion WHERE thread_id = ?i", $thread);
+ } elseif ((empty($thread['object_type']) || empty($thread['object_id'])) && !empty($thread['thread_id'])) {
+ $thread = db_get_row("SELECT * FROM ?:discussion WHERE thread_id = ?i", $thread['thread_id']);
+ }
+
+ if (!$thread) {
+ return false;
+ }
+
+ if (AREA == 'C') {
+ if ($thread['object_type'] == 'O') { // Order
+ return fn_is_order_allowed($thread['object_id'], $auth);
+ }
+ }
+
+ return true;
+}
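Review bot: The docblock at the top of `fn_discussion_check_thread_permissions` documents a parameter named `$data`, but the signature declares `$thread`, so the `@param` line does not match the function. The array branch on the `elseif` line also trusts the caller's `object_type`/`object_id` when both are present and only re-reads the row when one of them is missing, which is fine for rows fetched from `?:discussion` (as in the controller hunk) but would be bypassable if a caller ever passed request data; that contract should be stated rather than left implicit. Suggested replacement for the param line: `@param int|array $thread Thread ID, or a thread row as read from ?:discussion (never request data: object_type/object_id are trusted as given)`. It would also help to note in the docblock that outside the customer area (`AREA != 'C'`) and for non-order threads the function always returns true, so it is an order-ownership check rather than a general permission check.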
diff -urN cscart_v4.2.4_orig/app/functions/fn.cart.php cscart_v4.2.4/app/functions/fn.cart.php
--- cscart_v4.2.4_orig/app/functions/fn.cart.php 2014-11-27 13:21:15.000000000 +0300
+++ cscart_v4.2.4/app/functions/fn.cart.php 2016-03-21 19:34:49.000000000 +0300
@@ -7173,3 +7173,53 @@
return $shipping_hash;
}
+
+/**
+ * Checks if an order is available for a customer
+ *
+ * @param int $order_id Order ID
+ * @param array $auth Auth array
+ * @return bool
+ */
+function fn_is_order_allowed($order_id, $auth)
+{
+ $orders_company_condition = '';
+ if (fn_allowed_for('ULTIMATE')) {
+ $orders_company_condition = fn_get_company_condition('?:orders.company_id');
+ }
+
+ if (!empty($auth['user_id'])) {
+ $allowed = db_get_field(
+ "SELECT user_id FROM ?:orders WHERE user_id = ?i AND order_id = ?i $orders_company_condition",
+ $auth['user_id'], $order_id
+ );
+
+ } elseif (!empty($auth['order_ids'])) {
+ $allowed = in_array($order_id, $auth['order_ids']);
+ }
+
+ // Check order status (incompleted order)
+ if (!empty($allowed)) {
+ $status = db_get_field("SELECT status FROM ?:orders WHERE order_id = ?i $orders_company_condition", $order_id);
+ if ($status == STATUS_INCOMPLETED_ORDER) {
+ $allowed = false;
+ }
+ }
+
+ /**
+ * Deprecated
+ * @since 4.3.7
+ */
+ fn_set_hook('is_order_allowed', $order_id, $allowed);
+
+ /**
+ * Checks if an order is available for a customer
+ *
+ * @param int $order_id Order ID
+ * @param array $auth Auth array
+ * @param int $allowed Allowed flag
+ */
+ fn_set_hook('is_order_allowed_post', $order_id, $auth, $allowed);
+
+ return !empty($allowed);
+}
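Review bot: `$allowed` is never initialised in `fn_is_order_allowed`, so when `$auth` carries neither `user_id` nor `order_ids` the function reaches `!empty($allowed)` on an undefined variable; it happens to evaluate to false, but the intent should be explicit with `$allowed = false;` before the `if (!empty($auth['user_id']))` branch. The `in_array($order_id, $auth['order_ids'])` call on the `elseif` branch is a loose comparison between an `$order_id` that arrives as a string from the discussion row and whatever the session stores, which on pre-8 PHP makes non-numeric strings compare equal to `0`; `$allowed = in_array((int) $order_id, array_map('intval', $auth['order_ids']), true);` keeps the match numeric and strict. The inner `Deprecated @since 4.3.7` block refers to a release later than the `cscart_v4.2.4` tree named in the file header, which suggests this function was copied back from a newer version; if so, `fn_allowed_for`, `fn_get_company_condition` and `STATUS_INCOMPLETED_ORDER` should be confirmed to exist in the patched tree. The `is_order_allowed_post` hook lets add-ons overwrite `$allowed` in either direction, which is worth a one-line comment so reviewers know the final decision is not fixed by this function alone.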