}
if (!$this->login->isAdmin() && !$this->login->isStaff() && $value != $this->login->id) {
- if ($value == 'all') {
- $value = null;
- $filters->filtre_cotis_children = $this->login->id;
+ if ($value === 'all') {
+ $value = $this->login->id;
} else {
$member = new Adherent(
$this->zdb,
$filters->filtre_cotis_children = $value;
}
+ $class = '\\Galette\\Entity\\' . ucwords(trim($raw_type, 's'));
+ $contrib = new $class($this->zdb, $this->login);
+
+ if (!$contrib->canShow($this->login)) {
+ Analog::log(
+ 'Trying to display contributions without appropriate ACLs',
+ Analog::WARNING
+ );
+ return $response
+ ->withStatus(301)
+ ->withHeader(
+ 'Location',
+ $this->router->pathFor('me')
+ );
+ }
+
$class = '\\Galette\\Repository\\' . ucwords($raw_type);
$contrib = new $class($this->zdb, $this->login, $filters);
$contribs_list = $contrib->getList(true);
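Review bot: The ACL check on L14-L27 runs `canShow()` on an entity built with no id, so the "member itself" branch of `canShow` can never match and the decision for a non-admin, non-staff user reduces to "does this login have children" — if the no-argument constructor leaves `id` unset, a plain member with no children is redirected to `me` instead of seeing their own list (confirm against the constructor, which is outside this hunk). The check that belongs here is on the list target, e.g. `if (!$this->login->isAdmin() && !$this->login->isStaff() && $filters->filtre_cotis_adh != $this->login->id && $filters->filtre_cotis_children === false) { ... redirect ... }`, or give `canShow()` the member id the list will be filtered on. The enclosing method starts before this hunk.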
'montant_cotis' => $this->isFee() ? 1 : 0
];
}
+
+ /**
+ * Can current logged-in user display contribution
+ *
+ * @param Login $login Login instance
+ *
+ * @return boolean
+ */
+ public function canShow(Login $login): bool
+ {
+ //admin and staff users can edit, as well as member itself
+ if ($this->id && $login->id == $this->id || $login->isAdmin() || $login->isStaff()) {
+ return true;
+ }
+
+ //parent can see their children contributions
+ $parent = new Adherent($this->zdb);
+ $parent
+ ->disableAllDeps()
+ ->enableDep('children')
+ ->load($this->login->id);
+ if ($parent->hasChildren()) {
+ return true;
+ }
+
+ return false;
+ }
}
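Review bot: `canShow()` grants access to any member who has children: `$parent->hasChildren()` on L56 only tests that the logged-in user is a parent, it never checks that this contribution belongs to one of those children, so a parent can display any contribution in the database. The "member itself" test on L46 also compares `$login->id` with `$this->id`, which is the contribution's own id rather than its owning member, and the method reads `$this->login->id` on L55 although a `$login` is passed in. The parent branch should iterate `$parent->children` and compare each child's id with the contribution's owning member id; the property name for that owner is not visible here and is marked to be confirmed.
```php
    public function canShow(Login $login): bool
    {
        if ($login->isAdmin() || $login->isStaff()) {
            return true;
        }
        // the member the contribution belongs to (not the contribution id)
        $owner = $this->member; // confirm the owning-member property name
        if ($this->id && $owner == $login->id) {
            return true;
        }

        // parent: only for a contribution of one of their own children
        $parent = new Adherent($this->zdb);
        $parent
            ->disableAllDeps()
            ->enableDep('children')
            ->load($login->id);
        foreach ($parent->children as $child) {
            if ($child->id == $owner) {
                return true;
            }
        }

        return false;
    }
```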
* @param Login $login Login instance
* @param null|int|ResultSet $args Either a ResultSet row or its id for to load
* a specific transaction, or null to just
- * instanciate object
+ * instantiate object
*/
public function __construct(Db $zdb, Login $login, $args = null)
{
$select = $this->zdb->select(self::TABLE);
$select->where(self::PK . ' = ' . $id);
+ //restrict query on current member id if he's not admin nor staff member
+ if (!$this->login->isAdmin() && !$this->login->isStaff() && !$this->login->isGroupManager()) {
+ $select->where
+ ->nest()
+ ->equalTo('a.' . Adherent::PK, $this->login->id)
+ ->or
+ ->equalTo('a.parent_id', $this->login->id)
+ ->unnest()
+ ->and
+ ->equalTo('c.' . self::PK, $id)
+ ;
+ } else {
+ $select->where->equalTo(self::PK, $id);
+ }
+
$results = $this->zdb->execute($select);
$result = $results->current();
if ($result) {
return true;
}
}
+
+ /**
+ * Can current logged-in user display transaction
+ *
+ * @param Login $login Login instance
+ *
+ * @return boolean
+ */
+ public function canShow(Login $login): bool
+ {
+ //admin and staff users can edit, as well as member itself
+ if ($this->id && $login->id == $this->id || $login->isAdmin() || $login->isStaff()) {
+ return true;
+ }
+
+ //parent can see their children transactions
+ $parent = new Adherent($this->zdb);
+ $parent
+ ->disableAllDeps()
+ ->enableDep('children')
+ ->load($this->login->id);
+ if ($parent->hasChildren()) {
+ return true;
+ }
+
+ return false;
+ }
}
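Review bot: The parent branch on L110-L117 returns true for any logged-in member who has children, without checking that this transaction belongs to one of them, so any parent can display any transaction. The first test on L105 compares `$login->id` with `$this->id`, the transaction's own id rather than its owning member, and L114 uses `$this->login->id` instead of the `$login` parameter. The `hasChildren()` test should become a loop over `$parent->children` that returns true only when a child's id equals the transaction's owning member id, and the admin/staff test should be separated from the owner comparison so the latter compares against the member, not the transaction id.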
private $start_date_filter;
private $end_date_filter;
private $filtre_cotis_adh;
+ private $filtre_cotis_children = false;
protected $list_fields = array(
'start_date_filter',
'end_date_filter',
- 'filtre_cotis_adh'
+ 'filtre_cotis_adh',
+ 'filtre_cotis_children'
);
protected $virtuals_list_fields = array(
$this->start_date_filter = null;
$this->end_date_filter = null;
$this->filtre_cotis_adh = null;
+ $this->filtre_cotis_children = false;
}
/**
);
}
- if (!$this->login->isAdmin() && !$this->login->isStaff()) {
- //non staff members can only view their own transactions
- $select->where('t.' . Adherent::PK . ' = ' . $this->login->id);
+ $member_clause = null;
+ if ($this->filters->filtre_cotis_children !== false) {
+ $member_clause = [$this->login->id];
+ $member = new Adherent(
+ $this->zdb,
+ (int)$this->filters->filtre_cotis_children,
+ [
+ 'picture' => false,
+ 'groups' => false,
+ 'dues' => false,
+ 'children' => true
+ ]
+ );
+ foreach ($member->children as $child) {
+ $member_clause[] = $child->id;
+ }
} elseif ($this->filters->filtre_cotis_adh != null) {
+ $member_clause = [$this->filters->filtre_cotis_adh];
+ if (!$this->login->isAdmin() && !$this->login->isStaff() && $this->filters->filtre_cotis_adh != $this->login->id) {
+ $member = new Adherent(
+ $this->zdb,
+ (int)$this->filters->filtre_cotis_adh,
+ [
+ 'picture' => false,
+ 'groups' => false,
+ 'dues' => false,
+ 'parent' => true
+ ]
+ );
+ if (
+ !$member->hasParent() ||
+ $member->hasParent() && $member->parent->id != $this->login->id
+ ) {
+ Analog::log(
+ 'Trying to display transactions for member #' . $member->id .
+ ' without appropriate ACLs',
+ Analog::WARNING
+ );
+ $member_clause = [$this->login->id];
+ }
+ }
+ } elseif (!$this->login->isAdmin() && !$this->login->isStaff()) {
+ $member_clause = $this->login->id;
+ }
+
+ if ($member_clause !== null) {
$select->where(
- 't.' . Adherent::PK . ' = ' . $this->filters->filtre_cotis_adh
+ array(
+ 't.' . Adherent::PK => $member_clause
+ )
);
}
} catch (Throwable $e) {
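Review bot: The `filtre_cotis_children` branch on L146-L160 loads the children of whatever member id the filter carries and adds them to the clause without any ownership check, while the `filtre_cotis_adh` branch on L163-L184 verifies the parent relation and logs a warning on failure; if a non-staff user can reach this branch with another member's id, they list that member's children's transactions. Apply the same rule here, e.g. `$children_of = ($this->login->isAdmin() || $this->login->isStaff()) ? (int)$this->filters->filtre_cotis_children : $this->login->id;` and load `$children_of`. L187 assigns a scalar `$this->login->id` where every other branch builds an array; `$member_clause = [$this->login->id];` keeps the shape uniform for the `where` call on L191-L196.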
{/if}
<div class="infoline">
{if isset($member) && $mode neq 'ajax'}
- {if $login->isAdmin() or $login->isStaff()}
+ {if $login->isAdmin() or $login->isStaff() or $member->canShow($login)}
<a
href="{path_for name="contributions" data=["type" => "contributions", "option" => "member", "value" => "all"]}"
class="tooltip"
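Review bot: The template calls `$member->canShow($login)` on L203, where `$member` is the member whose card is displayed, but the `canShow()` methods added by this change are on the contribution and transaction entities; unless the member entity already has a `canShow()` with the same meaning, this line raises a call-to-undefined-method error for non-admin viewers. Either confirm that method exists on the member class or compute the flag in the controller and test a plain boolean here, e.g. `{if $login->isAdmin() or $login->isStaff() or $can_show_contribs}`.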
<tr>
<td class="left nowrap">
{if isset($member)}
- {if $login->isAdmin() or $login->isStaff()}
+ {if $login->isAdmin() or $login->isStaff() or $member->canShow($login)}
<a
href="{path_for name="contributions" data=["type" => "transactions", "option" => "member", "value" => "all"]}"
class="tooltip"
{/if}
</a>
</th>
+ {if (($login->isAdmin() or $login->isStaff()) and !isset($member)) or isset($pmember)}
+ <th class="left">
+ <a href="{path_for name="contributions" data=["type" => "transactions", "option" => "order", "value" => "Galette\Filters\TransactionsList::ORDERBY_MEMBER"|constant]}">{_T string="Member"}
+ {if $filters->orderby eq constant('Galette\Filters\TransactionsList::ORDERBY_MEMBER')}
+ {if $filters->ordered eq constant('Galette\Filters\TransactionsList::ORDER_ASC')}
+ <img src="{base_url}/{$template_subdir}images/down.png" width="10" height="6" alt=""/>
+ {else}
+ <img src="{base_url}/{$template_subdir}images/up.png" width="10" height="6" alt=""/>
+ {/if}
+ {/if}
+ </a>
+ </th>
+ {/if}
<th class="left">{_T string="Description"}</th>
{if $login->isAdmin() or $login->isStaff()}
<th class="left">
</span>
</td>
<td class="{$cclass} nowrap" data-title="{_T string="Date"}">{$transaction->date}</td>
+ {if (($login->isAdmin() or $login->isStaff()) && !isset($member)) or isset($pmember)}
+ <td class="{$cclass}" data-title="{_T string="Member"}">
+ {if isset($member)}
+ {assign var="mname" value=$member->sname}
+ {else}
+ {assign var="mname" value={memberName id=$mid}}
+ {/if}
+ {if $filters->filtre_cotis_adh eq ""}
+ <a
+ href="{path_for name="contributions" data=["type" => "transactions", "option" => "member", "value" => $mid]}"
+ title="{_T string="Show only '%name' transactions" pattern="/%name/" replace=$mname}"
+ >
+ <i class="fa fa-filter"></i>
+ </a>
+ {/if}
+ <a
+ href="{path_for name="member" data=["id" => $mid]}"
+ title="{_T string="Show '%name' card" pattern="/%name/" replace=$mname}"
+ >
+ {if isset($member)}{$member->sname}{else}{memberName id="$mid"}{/if}
+ </a>
+ </td>
+ {/if}
<td class="{$cclass} nowrap" data-title="{_T string="Description"}">{$transaction->description}</td>
{if $login->isAdmin() or $login->isStaff()}
<td class="{$cclass}" data-title="{_T string="Originator"}">