CS-Cart discussions order permissions fix

discussions.diff

diff -urN cscart_v4.2.4_orig/app/addons/discussion/controllers/common/discussion.php cscart_v4.2.4/app/addons/discussion/controllers/common/discussion.php
--- cscart_v4.2.4_orig/app/addons/discussion/controllers/common/discussion.php	2014-11-27 13:21:15.000000000 +0300
+++ cscart_v4.2.4/app/addons/discussion/controllers/common/discussion.php	2016-03-21 19:36:33.000000000 +0300
@@ -37,7 +37,7 @@
 
         if (!empty($post_data['thread_id'])) {
             $object = fn_discussion_get_object_by_thread($post_data['thread_id']);
-            if (empty($object)) {
+            if (empty($object) || !fn_discussion_check_thread_permissions($object, $auth)) {
                 fn_set_notification('E', __('error'), __('cant_find_thread'));
 
                 return array(CONTROLLER_STATUS_REDIRECT, $_REQUEST['redirect_url'] . $suffix);
diff -urN cscart_v4.2.4_orig/app/addons/discussion/func.php cscart_v4.2.4/app/addons/discussion/func.php
--- cscart_v4.2.4_orig/app/addons/discussion/func.php	2014-11-27 13:21:15.000000000 +0300
+++ cscart_v4.2.4/app/addons/discussion/func.php	2016-03-21 19:34:33.000000000 +0300
@@ -846,3 +846,31 @@
         }
     }
 }
+
+/**
+ * Checking thread permissions
+ *
+ * @param  mixed $data Thread ID (int) or Thread data (array)
+ * @param  array $auth Auth
+ * @return bool
+ */
+function fn_discussion_check_thread_permissions($thread, $auth)
+{
+    if (is_numeric($thread)) {
+        $thread = db_get_row("SELECT * FROM ?:discussion WHERE thread_id = ?i", $thread);
+    } elseif ((empty($thread['object_type']) || empty($thread['object_id'])) && !empty($thread['thread_id'])) {
+        $thread = db_get_row("SELECT * FROM ?:discussion WHERE thread_id = ?i", $thread['thread_id']);
+    }
+
+    if (!$thread) {
+        return false;
+    }
+
+    if (AREA == 'C') {
+        if ($thread['object_type'] == 'O') { // Order
+            return fn_is_order_allowed($thread['object_id'], $auth);
+        }
+    }
+
+    return true;
+}
diff -urN cscart_v4.2.4_orig/app/functions/fn.cart.php cscart_v4.2.4/app/functions/fn.cart.php
--- cscart_v4.2.4_orig/app/functions/fn.cart.php	2014-11-27 13:21:15.000000000 +0300
+++ cscart_v4.2.4/app/functions/fn.cart.php	2016-03-21 19:34:49.000000000 +0300
@@ -7173,3 +7173,53 @@
 
     return $shipping_hash;
 }
+
+/**
+ * Checks if an order is available for a customer
+ *
+ * @param  int   $order_id Order ID
+ * @param  array $auth     Auth array
+ * @return bool
+ */
+function fn_is_order_allowed($order_id, $auth)
+{
+    $orders_company_condition = '';
+    if (fn_allowed_for('ULTIMATE')) {
+        $orders_company_condition = fn_get_company_condition('?:orders.company_id');
+    }
+
+    if (!empty($auth['user_id'])) {
+        $allowed = db_get_field(
+            "SELECT user_id FROM ?:orders WHERE user_id = ?i AND order_id = ?i $orders_company_condition",
+            $auth['user_id'], $order_id
+        );
+
+    } elseif (!empty($auth['order_ids'])) {
+        $allowed = in_array($order_id, $auth['order_ids']);
+    }
+
+    // Check order status (incompleted order)
+    if (!empty($allowed)) {
+        $status = db_get_field("SELECT status FROM ?:orders WHERE order_id = ?i $orders_company_condition", $order_id);
+        if ($status == STATUS_INCOMPLETED_ORDER) {
+            $allowed = false;
+        }
+    }
+
+    /**
+     * Deprecated
+     * @since 4.3.7
+     */
+    fn_set_hook('is_order_allowed', $order_id, $allowed);
+
+    /**
+     * Checks if an order is available for a customer
+     *
+     * @param int   $order_id   Order ID
+     * @param array $auth       Auth array
+     * @param int   $allowed    Allowed flag
+     */
+    fn_set_hook('is_order_allowed_post', $order_id, $auth, $allowed);
+
+    return !empty($allowed);
+}