extended permission check to delete orders

application/Order/OrderController.php

@@ -33,7 +33,7 @@ class OrderController extends mfBaseController {
       
       foreach(OrderModel::search(['create_by' => $this->me->id]) as $order) {
         if(!array_key_exists($order->id, $orders)) {
-          $order[$order->id] = $order;
+          $orders[$order->id] = $order;
         }
       }
       
@@ -416,7 +416,7 @@ class OrderController extends mfBaseController {
   }
   
   public function deleteAction() {
-    if(!$this->me->is(["Admin"])) {
+    if(!$this->me->is(["Admin","salespartner"])) {
       $this->layout()->setFlash("Keine Berechtigung", "error");
       $this->redirect("Order");
     }
@@ -429,10 +429,26 @@ class OrderController extends mfBaseController {
       $this->redirect("Order");
     }
     
+    if(!$this->me->is("Admin")) {
+      $my_network_ids = [];
+      foreach($this->me->my_networks as $network) {
+        $my_network_ids[] = $network->id;
+      }
+      
+      if(!in_array($order->terminations[0]->building->network_id, $my_network_ids) ) {
+        
+        if($order->create_by != $this->me->id) {
+          $this->layout()->setFlash("Keine Berechtigung", "error");
+          $this->redirect("Order");
+        }
+      }
+    }
+    
     $order->deletePositions();
     
-    // check if Product is unused
+    // TODO: check if Product is unused
     $order->delete();
+    $this->layout()->setFlash("Bestellung gelöscht", "success");
     $this->redirect("Order");
   }