From 4760c6f35abfceae7a32e7c7bcfaee55f1137cfa Mon Sep 17 00:00:00 2001
From: Damien <damien.burel@maarch.org>
Date: Mon, 23 Dec 2019 17:17:57 +0100
Subject: [PATCH] FEAT #11696 TIME 0:20 Check privileges for visa and opinion

---
 .../controllers/ListInstanceController.php      | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/app/entity/controllers/ListInstanceController.php b/src/app/entity/controllers/ListInstanceController.php
index 549e737a689..b74e833e3d4 100755
--- a/src/app/entity/controllers/ListInstanceController.php
+++ b/src/app/entity/controllers/ListInstanceController.php
@@ -17,6 +17,7 @@ namespace Entity\controllers;
 use Entity\models\ListInstanceHistoryDetailModel;
 use Entity\models\ListInstanceHistoryModel;
 use Entity\models\ListInstanceModel;
+use Group\controllers\PrivilegeController;
 use Slim\Http\Request;
 use Slim\Http\Response;
 use Respect\Validation\Validator;
@@ -156,17 +157,31 @@ class ListInstanceController
                 }
 
                 if ($instance['item_type'] == 'user_id') {
-                    $user = UserModel::getByLogin(['login' => $instance['item_id']]);
+                    $user = UserModel::getByLogin(['login' => $instance['item_id'], 'select' => ['id']]);
                     if (empty($user)) {
                         DatabaseModel::rollbackTransaction();
                         return ['errors' => 'User not found', 'code' => 400];
                     }
+                    if ($ListInstanceByRes['listInstances'][0]['difflist_type'] == 'VISA_CIRCUIT') {
+                        if (!PrivilegeController::hasPrivilege(['privilegeId' => 'visa_documents', 'userId' => $user['id']]) && !PrivilegeController::hasPrivilege(['privilegeId' => 'sign_document', 'userId' => $user['id']])) {
+                            DatabaseModel::rollbackTransaction();
+                            return ['errors' => 'User has not enough privileges', 'code' => 400];
+                        }
+                    } elseif ($ListInstanceByRes['listInstances'][0]['difflist_type'] == 'AVIS_CIRCUIT') {
+                        if (!PrivilegeController::hasPrivilege(['privilegeId' => 'avis_documents', 'userId' => $user['id']])) {
+                            DatabaseModel::rollbackTransaction();
+                            return ['errors' => 'User has not enough privileges', 'code' => 400];
+                        }
+                    }
                 } elseif ($instance['item_type'] == 'entity_id') {
                     $entity = EntityModel::getByEntityId(['entityId' => $instance['item_id']]);
                     if (empty($entity) || $entity['enabled'] != "Y") {
                         DatabaseModel::rollbackTransaction();
                         return ['errors' => 'Entity not found or not active', 'code' => 400];
                     }
+                } else {
+                    DatabaseModel::rollbackTransaction();
+                    return ['errors' => 'item_type does not exist', 'code' => 400];
                 }
 
                 ListInstanceModel::create([
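Review bot: The privilege check on the new lines keys off `$ListInstanceByRes['listInstances'][0]['difflist_type']` without guarding that `listInstances` has a first element; if it is empty (or the key is absent) the comparison yields false for both branches and the user is added with no privilege check at all, plus a notice, unless the function already validates this before the hunk, which I cannot see since the enclosing method starts and ends outside it. The type is also re-read and loosely compared on every loop iteration; hoisting it once above the loop makes the fall-through explicit and cheap to reject: `$difflistType = $ListInstanceByRes['listInstances'][0]['difflist_type'] ?? null;` then `if ($difflistType === 'VISA_CIRCUIT') {` / `} elseif ($difflistType === 'AVIS_CIRCUIT') {`. Worth a short comment above the `VISA_CIRCUIT` branch too, e.g. `// Only users holding a visa or sign privilege may be placed in a visa circuit; opinion circuits require avis_documents`, so the next maintainer knows the silent skip for other circuit types is intentional.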
-- 
GitLab