From 2507e0f8a498878daa6a06ea828afdbf54dad64f Mon Sep 17 00:00:00 2001
From: denise
Date: Wed, 31 Oct 2012 16:51:29 -0400
Subject: [PATCH] CC-4655: DJ's can delete files that they do not own -fixed
---
 airtime_mvc/application/controllers/LibraryController.php | 2 ++
 airtime_mvc/application/models/StoredFile.php | 8 ++++++++
 2 files changed, 10 insertions(+)
diff --git a/airtime_mvc/application/controllers/LibraryController.php b/airtime_mvc/application/controllers/LibraryController.php
index 72111cbc1..8260616f4 100644
--- a/airtime_mvc/application/controllers/LibraryController.php
+++ b/airtime_mvc/application/controllers/LibraryController.php
@@ -319,6 +319,8 @@ class LibraryController extends Zend_Controller_Action
 if (isset($file)) {
 try {
 $res = $file->delete(true);
+ } catch (FileNoPermissionException $e) {
+ $this->view->message = "You don't have permission to delete selected items.";
 } catch (Exception $e) {
 //could throw a scheduled in future exception.
 $message = "Could not delete some scheduled files.";
diff --git a/airtime_mvc/application/models/StoredFile.php b/airtime_mvc/application/models/StoredFile.php
index 41178f2e3..2bd6470ea 100644
--- a/airtime_mvc/application/models/StoredFile.php
+++ b/airtime_mvc/application/models/StoredFile.php
@@ -344,6 +344,13 @@ SQL;
 throw new DeleteScheduledFileException();
 }
+ $userInfo = Zend_Auth::getInstance()->getStorage()->read();
+ $user = new Application_Model_User($userInfo->id);
+ $isAdminOrPM = $user->isUserType(array(UTYPE_ADMIN, UTYPE_PROGRAM_MANAGER));
+ if (!$isAdminOrPM && $this->getFileOwnerId() != $user->getId()) {
+ throw new FileNoPermissionException();
+ }
+
 $music_dir = Application_Model_MusicDir::getDirByPK($this->_file->getDbDirectory());
 $type = $music_dir->getType();
@@ -1213,3 +1220,4 @@ SQL;
 class DeleteScheduledFileException extends Exception {}
 class FileDoesNotExistException extends Exception {}
+class FileNoPermissionException extends Exception {}
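Review bot: The new catch writes the denial to `$this->view->message`, while the sibling `catch (Exception $e)` immediately below it assigns to a local `$message`; unless that local is copied into the view later in the action, one of the two error paths is silently dropped, so both branches should target the same variable (the loop body and the rest of the action continue outside the hunk). The catch order is right, since the specific `FileNoPermissionException` is matched before the generic `Exception`, and because the model now throws for non-owners the generic handler no longer reports a denial as a "scheduled files" failure. One permission failure in a batch overwrites the message and the loop presumably carries on with the remaining items, which is acceptable, but it would help an operator to also record the denied file id and acting user in the application log so repeated attempts are auditable. A short comment above the new catch, `// delete() refuses files the current user does not own unless admin/PM`, would make the contract visible at the call site.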
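Review bot: The ownership check is placed after the `DeleteScheduledFileException` throw, so a DJ who does not own the file is still told whether it is scheduled before being refused; authorization should be decided first, ahead of the scheduled-file branch (whose `if` begins before the hunk), so that every foreign file fails the same way. `Zend_Auth::getInstance()->getStorage()->read()` returns null when there is no authenticated identity, and then `$userInfo->id` raises a notice and `new Application_Model_User(null)` is constructed with no id, so the block should fail closed on a missing identity rather than fall through to the owner comparison. The comparison itself uses loose `!=`; normalise both ids to int and use `!==`, and treat a null owner as "not owned by this user" so legacy files without an owner are not deletable by DJs. If `delete()` is also reached from paths without a logged-in user (background or API callers), those will now be refused — confirm against the callers and, if so, pass the acting user in explicitly rather than reading global auth state inside the model.
```php
        $userInfo = Zend_Auth::getInstance()->getStorage()->read();
        // Fail closed: no authenticated identity means no delete.
        if (!isset($userInfo->id)) {
            throw new FileNoPermissionException();
        }
        $user = new Application_Model_User($userInfo->id);
        $isAdminOrPM = $user->isUserType(array(UTYPE_ADMIN, UTYPE_PROGRAM_MANAGER));
        $ownerId = $this->getFileOwnerId();
        // Decide authorization before revealing anything about the file (e.g. scheduling).
        if (!$isAdminOrPM && ($ownerId === null || (int) $ownerId !== (int) $user->getId())) {
            throw new FileNoPermissionException();
        }
        // … unchanged: scheduled-file check, music dir lookup …
```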