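<?php
/*
 * del_entry.php - delete a calendar entry on behalf of the logged-in user.
 *
 * Nothing is physically removed from webcal_entry: a deletion is recorded by
 * setting cal_status = 'D' on the relevant webcal_entry_user row(s) and, when
 * only one occurrence of a repeating event is removed, by adding a
 * webcal_entry_repeats_not row. The only hard delete is of the event's
 * external-user rows (webcal_entry_ext_user).
 *
 * Inputs used below ($id, $user, $date, $override, $login, $is_admin,
 * $is_assistant, $is_nonuser_admin, $readonly, $SEND_EMAIL, $LANGUAGE,
 * $TIMEZONE, $login_fullname, $login_email) are not assigned in this file;
 * they are presumably populated by includes/init.php from the request and
 * the session.
 *
 * NOTE(review): this script changes state on any request that reaches it.
 * Whether init.php enforces an authenticated session and a CSRF token before
 * this point is not visible here -- confirm rather than assume.
 */
include_once 'includes/init.php';
require 'includes/classes/WebCalMailer.class';

$mail = new WebCalMailer;
$can_edit = $my_event = false;
$other_user = '';
// cal_type of the entry ('E', 'M', 'T', ...). Stays '' when no row is found
// so the strpos() check further down never sees an undefined variable.
$activity_type = '';

// First, check to see if this user should be able to delete this event.
if ( $id > 0 ) {
  // Admins may always edit; everyone else only when the calendar is not read-only.
  $can_edit = ( $is_admin || $readonly != 'Y' );
  // Non-admins must be the creator or a participant of the entry. When an
  // assistant is acting for their boss, the boss's login ($user) is used in the SQL.
  $query_params = [$id];
  $sql = 'SELECT we.cal_id, we.cal_type FROM webcal_entry we,
    webcal_entry_user weu WHERE we.cal_id = weu.cal_id AND we.cal_id = ? ';
  if ( ! $is_admin ) {
    $sql .= ' AND ( we.cal_create_by = ? OR weu.cal_login = ? )';
    $sqlparm = ( $is_assistant ? $user : $login );
    $query_params[] = $sqlparm;
    $query_params[] = $sqlparm;
  }
  $res = dbi_execute ( $sql, $query_params );
  if ( $res ) {
    $row = dbi_fetch_row ( $res );
    // Read the row only when one came back (the previous version indexed
    // $row[1] even when the fetch returned false).
    if ( $row && $row[0] > 0 ) {
      $can_edit = true;
      $activity_type = $row[1];
    }
    dbi_free_result ( $res );
  }
}

// Events and meetings use the plain log types; anything else uses the "_T"
// variants. The argument order is deliberate: 'EM' is the haystack and the
// one-letter type is the needle.
if ( strpos ( 'EM', $activity_type ) !== false ) {
  $log_delete = LOG_DELETE;
  $log_reject = LOG_REJECT;
} else {
  $log_delete = LOG_DELETE_T;
  $log_reject = LOG_REJECT_T;
}

// See who owns the event. Owner should be able to delete.
$res = dbi_execute ( 'SELECT cal_create_by
  FROM webcal_entry
  WHERE cal_id = ?', [$id] );
if ( $res ) {
  $row = dbi_fetch_row ( $res );
  $owner = ( $row ? $row[0] : '' );
  dbi_free_result ( $res );
  // The creator, the creator's assistant, or a non-user-calendar admin counts
  // as the owner (the parentheses make the original &&-over-|| precedence explicit).
  if ( $owner == $login || ( $is_assistant && $user == $owner ) || $is_nonuser_admin )
    $can_edit = $my_event = true;
  // With User Access Control enabled, the UAC 'edit' right on the owner's
  // calendar replaces everything computed so far for non-admins.
  if ( access_is_enabled() && ! $is_admin )
    $can_edit = access_user_calendar ( 'edit', $owner );
}

// If the user is the event creator or their assistant, allow them to delete
// the event from another user's calendar. It's essentially the same thing as
// editing the event and removing the user from the participants list.
if ( $my_event && ! empty ( $user ) && $user != $login && ! $is_assistant )
  $other_user = $user;

if ( $readonly == 'Y' )
  $can_edit = false;

// If User Access Control is enabled, check to see if the current user is
// allowed to delete events from the other user's calendar.
if ( ! $can_edit && access_is_enabled() && ! empty ( $user ) &&
  access_user_calendar ( 'edit', $user ) )
  $can_edit = true;

if ( ! $can_edit )
  $error = print_not_auth();

// Is this a repeating event?
$event_repeats = false;
$res = dbi_execute ( 'SELECT COUNT( cal_id ) FROM webcal_entry_repeats
  WHERE cal_id = ?', [$id] );
if ( $res ) {
  $row = dbi_fetch_row ( $res );
  if ( $row && $row[0] > 0 )
    $event_repeats = true;
  dbi_free_result ( $res );
}

// Deleting a single occurrence of a repeating event ("override") only records
// an exception date; the series itself is left alone.
$override_repeat = ( ! empty ( $date ) && $event_repeats && ! empty ( $override ) );

if ( $id > 0 && empty ( $error ) ) {
  if ( ! empty ( $date ) ) {
    $thisdate = $date;
  } else {
    $res = dbi_execute ( 'SELECT cal_date
      FROM webcal_entry
      WHERE cal_id = ?', [$id] );
    if ( $res ) {
      // date format is 19991231
      $row = dbi_fetch_row ( $res );
      if ( $row )
        $thisdate = $row[0];
      // This result was never freed before.
      dbi_free_result ( $res );
    }
  }

  // Only allow delete of webcal_entry & webcal_entry_repeats if owner or
  // admin, not participant. If a user was specified, then only delete that
  // user (handled in the else branch) even if we are the owner or an admin.
  if ( ( $is_admin || $my_event ) && ! $other_user ) {
    // Email participants that the event was deleted.
    // First, get list of participants (with status Approved or Waiting on approval).
    $res = dbi_execute ( 'SELECT cal_login FROM webcal_entry_user
      WHERE cal_id = ?
      AND cal_status IN ( "A", "W" )', [$id] );
    $partlogin = [];
    if ( $res ) {
      while ( $row = dbi_fetch_row ( $res ) ) {
        $partlogin[] = $row[0];
      }
      dbi_free_result ( $res );
    }

    // Get event name, date and time for the notification text.
    $name = $fmtdate = $time = '';
    $res = dbi_execute ( 'SELECT cal_name, cal_date, cal_time FROM webcal_entry
      WHERE cal_id = ?', [$id] );
    if ( $res ) {
      $row = dbi_fetch_row ( $res );
      if ( $row ) {
        $name = $row[0];
        $fmtdate = $row[1];
        // cal_time is zero-padded to six digits before being appended to the date.
        $time = sprintf ( "%06d", $row[2] );
      }
      dbi_free_result ( $res );
    }
    $eventstart = date_to_epoch ( $fmtdate . $time );

    // Assigned but not read in this file; presumably consumed through globals
    // by display_time()/date_to_str() -- confirm before removing.
    $TIME_FORMAT = 24;
    for ( $i = 0, $cnt = count ( $partlogin ); $i < $cnt; $i++ ) {
      // Log the deletion.
      activity_log ( $id, $login, $partlogin[$i], $log_delete, '' );
      // Check UAC: with UAC disabled nobody is emailed from here.
      $can_email = ( access_is_enabled()
        ? access_user_calendar ( 'email', $partlogin[$i], $login ) : false );
      // Don't email the logged in user.
      if ( $can_email && $partlogin[$i] != $login ) {
        // Render the message in the recipient's timezone and language.
        set_env ( 'TZ', get_pref_setting ( $partlogin[$i], 'TIMEZONE' ) );
        $user_language = get_pref_setting ( $partlogin[$i], 'LANGUAGE' );
        // Presumably fills $tempemail / $tempfullname for this participant
        // (the 'temp' prefix); neither is assigned anywhere in this file.
        user_load_variables ( $partlogin[$i], 'temp' );
        if ( ! $is_nonuser_admin &&
          get_pref_setting ( $partlogin[$i], 'EMAIL_EVENT_DELETED' ) == 'Y' &&
          boss_must_be_notified ( $login, $partlogin[$i] ) &&
          ! empty ( $tempemail ) && $SEND_EMAIL != 'N' ) {
          reset_language ( empty ( $user_language ) || $user_language == 'none'
            ? $LANGUAGE : $user_language );
          // NOTE(review): $eventtime is never assigned in this file, so the
          // "Time XXX" line only appears if init.php sets it -- confirm.
          $mail->WC_Send ( $login_fullname, $tempemail, $tempfullname, $name,
            str_replace ( 'XXX', $tempfullname, translate ( 'Hello, XXX.' ) )
            . ".\n\n" . str_replace ( 'XXX', $login_fullname,
              translate ( 'XXX has canceled an appointment.' ) ) . "\n"
            . str_replace ( 'XXX', $name, translate ( 'Subject XXX' ) ) . "\"\n"
            . str_replace ( 'XXX', date_to_str ( $thisdate ),
              translate ( 'Date XXX' ) ) . "\n"
            . ( ! empty ( $eventtime ) && $eventtime != '-1'
              ? str_replace ( 'XXX', display_time ( '', 2, $eventstart,
                get_pref_setting ( $partlogin[$i], 'TIME_FORMAT' ) ),
                translate ( 'Time XXX' ) ) : '' ) . "\n\n",
            // Presumably selects HTML vs. plain-text mail for the recipient.
            get_pref_setting ( $partlogin[$i], 'EMAIL_HTML' ), $login_email );
        }
      }
    }

    // Instead of deleting from the database, mark it as deleted by setting the
    // status for each participant to "D" (instead of "A"/Accepted,
    // "W"/Waiting-on-approval or "R"/Rejected).
    if ( $override_repeat ) {
      dbi_execute ( 'INSERT INTO webcal_entry_repeats_not
        ( cal_id, cal_date, cal_exdate ) VALUES ( ?, ?, ? )',
        [$id, $date, 1] );
      // Should we log this to the activity log???
    } else {
      // If it's a repeating event, mark any event exceptions that were entered
      // (entries whose cal_group_id points at this one) as deleted too.
      if ( $event_repeats ) {
        $res = dbi_execute ( 'SELECT cal_id
          FROM webcal_entry
          WHERE cal_group_id = ?', [$id] );
        if ( $res ) {
          $ex_events = [];
          while ( $row = dbi_fetch_row ( $res ) ) {
            $ex_events[] = $row[0];
          }
          dbi_free_result ( $res );
          // The inner loop has its own bound ($ucnt). The previous version
          // reused $cnt, so after the first exception the outer bound became
          // that exception's participant count: later exceptions were skipped
          // or $ex_events was indexed past its end.
          for ( $i = 0, $cnt = count ( $ex_events ); $i < $cnt; $i++ ) {
            $res = dbi_execute ( 'SELECT cal_login
              FROM webcal_entry_user
              WHERE cal_id = ?', [$ex_events[$i]] );
            if ( $res ) {
              $delusers = [];
              while ( $row = dbi_fetch_row ( $res ) ) {
                $delusers[] = $row[0];
              }
              dbi_free_result ( $res );
              for ( $j = 0, $ucnt = count ( $delusers ); $j < $ucnt; $j++ ) {
                // Log the deletion.
                activity_log ( $ex_events[$i], $login, $delusers[$j],
                  $log_delete, '' );
                dbi_execute ( 'UPDATE webcal_entry_user SET cal_status = ?
                  WHERE cal_id = ?
                  AND cal_login = ?', ['D', $ex_events[$i], $delusers[$j]] );
              }
            }
          }
        }
      }
      // Now, mark event as deleted for all users.
      dbi_execute ( 'UPDATE webcal_entry_user
        SET cal_status = "D"
        WHERE cal_id = ?', [$id] );
      // Delete External users for this event (the only hard delete in this script).
      dbi_execute ( 'DELETE FROM webcal_entry_ext_user
        WHERE cal_id = ?', [$id] );
    }
  } else {
    // Not the owner of the event, but participant or noncal_admin.
    // Just set the status to 'D' instead of deleting.
    $del_user = ( ! empty ( $other_user ) ? $other_user : $login );
    if ( ! empty ( $user ) && $user != $login ) {
      // Removing someone else: allowed for admins, the event's owner, an
      // assistant who passed the edit checks above, or a UAC 'edit' grant.
      if ( $is_admin || $my_event || ( $can_edit && $is_assistant ) ||
        ( access_is_enabled() &&
          access_user_calendar ( 'edit', $user ) ) ) {
        $del_user = $user;
      } else {
        // Error: user cannot delete from other user's calendar.
        $error = print_not_auth();
      }
    }
    if ( empty ( $error ) ) {
      if ( $override_repeat ) {
        // The exception row carries no login, so this appears to remove the
        // occurrence for every participant, not only $del_user.
        dbi_execute ( 'INSERT INTO webcal_entry_repeats_not
          ( cal_id, cal_date, cal_exdate ) VALUES ( ?, ?, ? )',
          [$id, $date, 1] );
        // Should we log this to the activity log???
      } else {
        dbi_execute ( 'UPDATE webcal_entry_user SET cal_status = ?
          WHERE cal_id = ?
          AND cal_login = ?', ['D', $id, $del_user] );
        // Logged against $login even when $del_user is somebody else.
        activity_log ( $id, $login, $login, $log_reject, '' );
      }
    }
  }
}

// Work out where to send the browser afterwards. $user is reflected into a
// query string, so it is URL-encoded rather than concatenated raw.
$ret = getValue ( 'ret' );
$return_view = get_last_view();
$user_qs = ( empty ( $user ) ? '' : 'user=' . urlencode ( $user ) );
if ( ! empty ( $ret ) ) {
  if ( $ret === 'listall' ) {
    $url = 'list_unapproved.php';
  } elseif ( $ret === 'list' ) {
    $url = 'list_unapproved.php' . ( $user_qs === '' ? '' : '?' . $user_qs );
  } else {
    // Unknown 'ret' value: previously $url stayed unset and the final
    // redirect went to an empty location.
    $url = get_preferred_view ( '', $user_qs );
  }
} elseif ( ! empty ( $return_view ) ) {
  $url = $return_view;
  do_redirect ( $return_view );
} else {
  $url = get_preferred_view ( '', $user_qs );
}

// Return to login TIMEZONE (the email loop above may have switched it).
set_env ( 'TZ', $TIMEZONE );

if ( empty ( $error ) && empty ( $mailerError ) ) {
  do_redirect ( $url );
  exit;
}

// Process errors. $mailerError is presumably set by WebCalMailer on a failed send.
$mail->MailError ( $mailerError, $error );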