From d2ef831e3d2b02830285c77022334bc67b007214 Mon Sep 17 00:00:00 2001 From: Frank Schubert Date: Tue, 6 Jun 2023 12:58:06 +0200 Subject: [PATCH] Added permission check in PreorderApi for preorderaddressreporting --- application/Api/v1/AddressdbApicontroller.php | 2 +- application/Api/v1/PreorderApicontroller.php | 5 +++++ lib/mvcfronk/mfBase/mfBaseApicontroller.php | 5 ++++- lib/mvcfronk/mfResponse/mfResponse.php | 9 +++++++++ 4 files changed, 19 insertions(+), 2 deletions(-) diff --git a/application/Api/v1/AddressdbApicontroller.php b/application/Api/v1/AddressdbApicontroller.php index 000dde67b..1160a8d22 100644 --- a/application/Api/v1/AddressdbApicontroller.php +++ b/application/Api/v1/AddressdbApicontroller.php @@ -71,7 +71,7 @@ class AddressdbApicontroller extends mfBaseApicontroller { } } - + } else { $campaignApiusers = PreordercampaignApiuserModel::search(["worker_id" => $this->me->id]); diff --git a/application/Api/v1/PreorderApicontroller.php b/application/Api/v1/PreorderApicontroller.php index 112c3b98e..3d57f7049 100644 --- a/application/Api/v1/PreorderApicontroller.php +++ b/application/Api/v1/PreorderApicontroller.php @@ -28,6 +28,11 @@ class PreorderApicontroller extends mfBaseApicontroller { } protected function authenticated() { + + if($this->me->is("preorderaddressreporting")) { + return mfResponse::Forbidden(); + } + $campaignApiusers = PreordercampaignApiuserModel::search(["worker_id" => $this->me->id]); foreach($campaignApiusers as $campaignApiuser) { diff --git a/lib/mvcfronk/mfBase/mfBaseApicontroller.php b/lib/mvcfronk/mfBase/mfBaseApicontroller.php index 00ca4a70d..69c6fb79e 100644 --- a/lib/mvcfronk/mfBase/mfBaseApicontroller.php +++ b/lib/mvcfronk/mfBase/mfBaseApicontroller.php 
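Review bot: The new guard at the top of `authenticated()` in PreorderApicontroller is a deny-list on a single role name, so any other role that should not reach the preorder API still falls through to the campaign lookup below it. If the role model allows it, require the role the endpoint is meant for instead, e.g. `if(!$this->me->is("<required-role>")) { return mfResponse::Forbidden(); }` (placeholder; the valid role names are not visible in this diff). The denial only takes effect because the base controller now inspects the hook's return value, so a comment such as `// returning an mfResponse array aborts the request in mfBaseApicontroller` would keep that contract visible to the next editor. The rest of `authenticated()` lies outside the hunk.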
@@ -78,7 +78,10 @@ class mfBaseApicontroller { if($this->requireAuth) { $this->authenticateUser(); if(method_exists($this,"authenticated")) { - $this->authenticated(); // event defined in extending class + $afterAuthResult = $this->authenticated(); // event defined in extending class + if(mfResponse::isResponse($afterAuthResult)) { + $this->return($afterAuthResult); + } } } diff --git a/lib/mvcfronk/mfResponse/mfResponse.php b/lib/mvcfronk/mfResponse/mfResponse.php index 9af379df2..744f90a2c 100644 --- a/lib/mvcfronk/mfResponse/mfResponse.php +++ b/lib/mvcfronk/mfResponse/mfResponse.php @@ -2,6 +2,15 @@ class mfResponse { + public static function isResponse($test) { + if(is_array($test) && array_key_exists('code', $test) && array_key_exists('status', $test)) { + if($test['code'] >= 100 && $test['code'] < 600) { + return true; + } + } + return false; + } + public static function Ok($data = []) { $response = []; $response['code'] = 200;
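Review bot: In the `requireAuth` branch of mfBaseApicontroller nothing follows `$this->return($afterAuthResult);` to stop the method, so if `return()` only emits the response without ending the request, the action would still run for a caller the hook has just rejected. Its implementation is not visible in this diff; if it does not exit, add `return;` directly after the call, otherwise state it in the comment, e.g. `// return() terminates the request`. Any hook result that `mfResponse::isResponse()` does not recognise (for example `false`) is treated as success, so the check fails open; the comment should say that a hook must return an mfResponse array to deny access. The enclosing method starts and ends outside the hunk.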
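Review bot: `isResponse()` now decides whether an auth hook's denial is honoured, and it compares `$test['code']` loosely, so a non-integer value can satisfy the range test depending on the PHP version. Tightening the inner condition to `if(is_int($test['code']) && $test['code'] >= 100 && $test['code'] < 600) {` removes that ambiguity. The test also relies on `Forbidden()` setting both `code` and `status`; that builder is outside the hunk, so this should be confirmed, since a missing key would cause the Forbidden result to be silently ignored by the caller. A short docblock stating the expected array shape and that the method is used as an authorization gate would help.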