From b678cb46117468309c4b8cc7b4cb929c14d3d732 Mon Sep 17 00:00:00 2001
From: Frank Schubert
Date: Mon, 9 Aug 2021 17:19:49 +0200
Subject: [PATCH] extended permission check to delete orders
---
 application/Order/OrderController.php | 22 +++++++++++++++++++---
 application/Order/OrderModel.php | 6 +++++-
 2 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/application/Order/OrderController.php b/application/Order/OrderController.php
index 5ad7971bb..05309c185 100644
--- a/application/Order/OrderController.php
+++ b/application/Order/OrderController.php
@@ -33,7 +33,7 @@ class OrderController extends mfBaseController {
         foreach(OrderModel::search(['create_by' => $this->me->id]) as $order) {
             if(!array_key_exists($order->id, $orders)) {
-                $order[$order->id] = $order;
+                $orders[$order->id] = $order;
             }
         }
@@ -416,7 +416,7 @@ class OrderController extends mfBaseController {
     }
     public function deleteAction() {
-        if(!$this->me->is(["Admin"])) {
+        if(!$this->me->is(["Admin","salespartner"])) {
             $this->layout()->setFlash("Keine Berechtigung", "error");
             $this->redirect("Order");
         }
@@ -429,10 +429,26 @@ class OrderController extends mfBaseController {
             $this->redirect("Order");
         }
+        if(!$this->me->is("Admin")) {
+            $my_network_ids = [];
+            foreach($this->me->my_networks as $network) {
+                $my_network_ids[] = $network->id;
+            }
+
+            if(!in_array($order->terminations[0]->building->network_id, $my_network_ids) ) {
+
+                if($order->create_by != $this->me->id) {
+                    $this->layout()->setFlash("Keine Berechtigung", "error");
+                    $this->redirect("Order");
+                }
+            }
+        }
+
         $order->deletePositions();
-        // check if Product is unused
+        // TODO: check if Product is unused
         $order->delete();
+        $this->layout()->setFlash("Bestellung gelöscht", "success");
         $this->redirect("Order");
     }
diff --git a/application/Order/OrderModel.php b/application/Order/OrderModel.php
index 69c8c3d7c..339a0b92c 100644
--- a/application/Order/OrderModel.php
+++ b/application/Order/OrderModel.php
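Review bot: The new role name `"salespartner"` in the `is([...])` call is all-lowercase while the existing `"Admin"` is capitalised; if `is()` matches role names case-sensitively, salespartners would still be rejected at this first gate, so confirm the stored role name before merging. The "Keine Berechtigung" branch also does not `return` after `$this->redirect("Order")`, so unless redirect() terminates the request, execution falls through into the rest of deleteAction(); the same applies to the new non-admin check in the third hunk of this file. deleteAction() continues past the hunk.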
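Review bot: `$order->terminations[0]->building->network_id` is dereferenced without a guard in the new non-admin branch: an order with no terminations (or a termination without a building) yields an undefined-index/null-property access and a null network id, and the non-strict `in_array` then decides authorization on a loosely-compared value. Only the first termination is consulted, so an order spanning several networks is authorised by whichever termination happens to be first — worth confirming that is intended. `$order->create_by != $this->me->id` is a loose comparison; cast both sides to int. The sketch below collects the ids as ints, treats a missing network as "not mine", uses a strict lookup and returns after the redirect; the enclosing deleteAction() continues outside the hunk.
```php
        if(!$this->me->is("Admin")) {
            $my_network_ids = [];
            foreach($this->me->my_networks as $network) {
                $my_network_ids[] = (int)$network->id;
            }

            // An order without a termination/building belongs to none of my networks.
            $network_id = isset($order->terminations[0]->building->network_id)
                ? (int)$order->terminations[0]->building->network_id
                : null;
            $in_my_network = $network_id !== null && in_array($network_id, $my_network_ids, true);

            if(!$in_my_network && (int)$order->create_by !== (int)$this->me->id) {
                $this->layout()->setFlash("Keine Berechtigung", "error");
                $this->redirect("Order");
                return;
            }
        }
        // … unchanged: deletePositions(), delete(), success flash, redirect …
```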
@@ -139,7 +139,11 @@ class OrderModel {
         }
     }
-    $res = $db->select("Order", "*", "$where AND id NOT IN (".implode(",", $have).") ORDER BY id");
+    if(count($have)) {
+        $res = $db->select("Order", "*", "$where AND id NOT IN (".implode(",", $have).") ORDER BY id");
+    } else {
+        $res = $db->select("Order", "*", "$where ORDER BY id");
+    }
     if($db->num_rows($res)) {
         while($data = $db->fetch_object()) {
             $items[] = new Order($data);
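Review bot: The `NOT IN (...)` list is still built by interpolating `$have` straight into the SQL string; the loop that fills `$have` starts above the hunk, so unless those ids are guaranteed integers they should be cast before joining, e.g. `implode(",", array_map('intval', $have))`. The two near-identical select calls can also collapse into one by building the optional fragment: `$not_in = count($have) ? " AND id NOT IN (" . implode(",", array_map('intval', $have)) . ")" : "";` followed by `$res = $db->select("Order", "*", "$where$not_in ORDER BY id");`. `$where` is interpolated the same way and is assembled outside the hunk, so the same care applies to how it is composed. The enclosing method begins before the hunk.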