Allow non admin users to ad own attendance entries via api

core/src/Attendance/Rest/AttendanceRestEndPoint.php

@@ -48,6 +48,19 @@ class AttendanceRestEndPoint extends RestEndPoint
 
     public function listEmployeeAttendance(User $user, $parameter)
     {
+
+        if ($user->user_level !== 'Admin' && $user->employee != $parameter) {
+            $employee = new Employee();
+            $employee->Load('id = ?', [$parameter]);
+            if ($employee->supervisor != $user->employee) {
+                return new IceResponse(
+                    IceResponse::ERROR,
+                    self::RESPONSE_ERR_PERMISSION_DENIED,
+                    401
+                );
+            }
+        }
+
         $query = new DataQuery('Attendance');
         $query->addColumn('id');
         $query->addColumn('employee');
@@ -107,8 +120,8 @@ class AttendanceRestEndPoint extends RestEndPoint
         if ($permissionResponse->getStatus() !== IceResponse::SUCCESS) {
             return $permissionResponse;
         }
-
-        $response = BaseService::getInstance()->addElement(self::ELEMENT_NAME, $body);
+        $body['employee'] = (String)$body['employee'];
+        $response = BaseService::getInstance()->addElement(self::ELEMENT_NAME, $body, $body);
         if ($response->getStatus() === IceResponse::SUCCESS) {
             $response = $this->get($user, $response->getData()->id);
             $response->setCode(201);

core/src/Classes/BaseService.php

@@ -669,7 +669,7 @@ class BaseService
      * @return {Object} newly added or updated element of type $table
      */
 
-    public function addElement($table, $obj)
+    public function addElement($table, $obj, $postObject = null)
     {
 
         $customFields = array();
@@ -728,7 +728,12 @@ class BaseService
             }
         }
 
+        if ($postObject === null) {
             $this->checkSecureAccess("save", $ele, $table, $_POST);
+        } else {
+            $this->checkSecureAccess("save", $ele, $table, $postObject);
+        }
+
 
         $resp = $ele->validateSave($ele);
         if ($resp->getStatus() != IceResponse::SUCCESS) {
@@ -760,12 +765,12 @@ class BaseService
             if ($isAdd) {
                 $this->audit(
                     IceConstants::AUDIT_ERROR,
-                    "Error occured while adding an object to ".$table." \ Error: ".$error
+                    "Error occurred while adding an object to ".$table." \ Error: ".$error
                 );
             } else {
                 $this->audit(
                     IceConstants::AUDIT_ERROR,
-                    "Error occured while editing an object in ".$table." [id:".$ele->id."] \ Error: ".$error
+                    "Error occurred while editing an object in ".$table." [id:".$ele->id."] \ Error: ".$error
                 );
             }
             return new IceResponse(IceResponse::ERROR, $this->findError($error));

core/src/Classes/RestEndPoint.php

@@ -50,7 +50,6 @@ class RestEndPoint
             } elseif ($user->user_level !== 'Employee' &&  $user->user_level !== 'Manager') {
                 return new IceResponse(IceResponse::ERROR, self::RESPONSE_ERR_PERMISSION_DENIED, 403);
             }
-            return new IceResponse(IceResponse::ERROR, "Permission denied", 403);
         }
 
         return new IceResponse(IceResponse::SUCCESS);