diff --git a/core/src/Attendance/Rest/AttendanceRestEndPoint.php b/core/src/Attendance/Rest/AttendanceRestEndPoint.php
index 88807614..ea9797a7 100644
--- a/core/src/Attendance/Rest/AttendanceRestEndPoint.php
+++ b/core/src/Attendance/Rest/AttendanceRestEndPoint.php
@@ -48,6 +48,19 @@ class AttendanceRestEndPoint extends RestEndPoint
 public function listEmployeeAttendance(User $user, $parameter)
 {
+
+ if ($user->user_level !== 'Admin' && $user->employee != $parameter) {
+ $employee = new Employee();
+ $employee->Load('id = ?', [$parameter]);
+ if ($employee->supervisor != $user->employee) {
+ return new IceResponse(
+ IceResponse::ERROR,
+ self::RESPONSE_ERR_PERMISSION_DENIED,
+ 401
+ );
+ }
+ }
+
 $query = new DataQuery('Attendance');
 $query->addColumn('id');
 $query->addColumn('employee');
@@ -73,9 +86,9 @@ class AttendanceRestEndPoint extends RestEndPoint
 }
 if ($user->user_level !== 'Admin' && !PermissionManager::manipulationAllowed(
- BaseService::getInstance()->getCurrentProfileId(),
- $this->getModelObject($parameter)
- )
+ BaseService::getInstance()->getCurrentProfileId(),
+ $this->getModelObject($parameter)
+ )
 ) {
 return new IceResponse(IceResponse::ERROR, self::RESPONSE_ERR_PERMISSION_DENIED, 403);
 }
@@ -107,8 +120,8 @@ class AttendanceRestEndPoint extends RestEndPoint
 if ($permissionResponse->getStatus() !== IceResponse::SUCCESS) {
 return $permissionResponse;
 }
-
- $response = BaseService::getInstance()->addElement(self::ELEMENT_NAME, $body);
+ $body['employee'] = (String)$body['employee'];
+ $response = BaseService::getInstance()->addElement(self::ELEMENT_NAME, $body, $body);
 if ($response->getStatus() === IceResponse::SUCCESS) {
 $response = $this->get($user, $response->getData()->id);
 $response->setCode(201);
diff --git a/core/src/Classes/BaseService.php b/core/src/Classes/BaseService.php
index c1c0c2af..b4e84b08 100644
--- a/core/src/Classes/BaseService.php
+++ b/core/src/Classes/BaseService.php
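Review bot: The new supervisor check in listEmployeeAttendance fails open when `$user->employee` is empty, because both comparisons use loose `!=`: for a non-Admin user with no linked employee, `null != $parameter` is true, and if the loaded Employee has no supervisor (or `Load` matched nothing), `null != null` is false and the listing is allowed. Compare normalised values strictly and treat a missing caller employee or an unloaded record as denied; the `id` field used below is assumed from the `$ele->id` BaseService reads elsewhere in this diff. The 401 is also inconsistent with the 403 this same file returns for RESPONSE_ERR_PERMISSION_DENIED in the next hunk, and 403 is the right code for an authenticated caller lacking rights. The method body continues past the hunk.
```php
if ($user->user_level !== 'Admin' && (string)$user->employee !== (string)$parameter) {
    $employee = new Employee();
    $employee->Load('id = ?', [$parameter]);
    // Deny unless the caller is linked to an employee, the record loaded,
    // and the caller is its direct supervisor.
    if (empty($user->employee) || empty($employee->id)
        || (string)$employee->supervisor !== (string)$user->employee) {
        return new IceResponse(IceResponse::ERROR, self::RESPONSE_ERR_PERMISSION_DENIED, 403);
    }
}
// … unchanged: DataQuery construction …
```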
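Review bot: `$body['employee']` is dereferenced without checking it exists, so a request body lacking `employee` produces an undefined-index warning and an empty string that is then handed to addElement and, through the new third argument, to its save-time secure-access check. Reject the missing field explicitly with an error IceResponse carrying a 400 code before the cast, and write the cast as lowercase `(string)` to match the casing used elsewhere in the codebase. The enclosing method starts and ends outside the hunk.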
@@ -669,7 +669,7 @@ class BaseService
 * @return {Object} newly added or updated element of type $table
 */
- public function addElement($table, $obj)
+ public function addElement($table, $obj, $postObject = null)
 {
 $customFields = array();
@@ -728,7 +728,12 @@ class BaseService
 }
 }
- $this->checkSecureAccess("save", $ele, $table, $_POST);
+ if ($postObject === null) {
+ $this->checkSecureAccess("save", $ele, $table, $_POST);
+ } else {
+ $this->checkSecureAccess("save", $ele, $table, $postObject);
+ }
+
 $resp = $ele->validateSave($ele);
 if ($resp->getStatus() != IceResponse::SUCCESS) {
@@ -760,12 +765,12 @@ class BaseService
 if ($isAdd) {
 $this->audit(
 IceConstants::AUDIT_ERROR,
- "Error occured while adding an object to ".$table." \ Error: ".$error
+ "Error occurred while adding an object to ".$table." \ Error: ".$error
 );
 } else {
 $this->audit(
 IceConstants::AUDIT_ERROR,
- "Error occured while editing an object in ".$table." [id:".$ele->id."] \ Error: ".$error
+ "Error occurred while editing an object in ".$table." [id:".$ele->id."] \ Error: ".$error
 );
 }
 return new IceResponse(IceResponse::ERROR, $this->findError($error));
diff --git a/core/src/Classes/RestEndPoint.php b/core/src/Classes/RestEndPoint.php
index aa201e5c..50119c1d 100644
--- a/core/src/Classes/RestEndPoint.php
+++ b/core/src/Classes/RestEndPoint.php
@@ -50,7 +50,6 @@ class RestEndPoint
 } elseif ($user->user_level !== 'Employee' && $user->user_level !== 'Manager') {
 return new IceResponse(IceResponse::ERROR, self::RESPONSE_ERR_PERMISSION_DENIED, 403);
 }
- return new IceResponse(IceResponse::ERROR, "Permission denied", 403);
 }
 return new IceResponse(IceResponse::SUCCESS);
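Review bot: The docblock that ends just above the `addElement` signature is not updated for the new `$postObject` parameter, so readers still see only the original contract. Add, next to the existing `@return`, `@param array|null $postObject request data passed to checkSecureAccess instead of $_POST; null keeps the $_POST fallback`. The method body continues outside the hunk.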
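Review bot: The null test and the duplicated call in the second BaseService hunk can be a single line, `$this->checkSecureAccess("save", $ele, $table, $postObject ?? $_POST);`, which keeps the `$_POST` fallback and removes the repeated argument list. It is worth a comment at that line that the array passed here is what the save permission check sees, so callers must pass the same data `$ele` was populated from. The enclosing method starts and ends outside the hunk.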
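Review bot: Removing the trailing `return new IceResponse(IceResponse::ERROR, "Permission denied", 403);` in RestEndPoint changes who gets through rather than deleting dead code: a user whose level is 'Employee' or 'Manager' does not match the `elseif`, so after the change it falls out of the enclosing block to the `return new IceResponse(IceResponse::SUCCESS)` below, where before it was denied, unless the `if` branch above the hunk already returns for those levels. If granting Employee and Manager access here is intended, say so in the commit and make it an explicit positive check instead of relying on fall-through; otherwise keep a deny-by-default return at that point. The enclosing block and method start outside the hunk.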