From: konrad
Date: Sun, 23 Jan 2011 20:33:05 +0000 (+0000)
Subject: CreateOrder: add privilege check for selling tickets, voucher, and items
X-Git-Url: http://git.silmor.de/gitweb/?a=commitdiff_plain;h=9d053911b3aef4324b2556b7f80419c6492add24;p=konrad%2Fsmoke.git
CreateOrder: add privilege check for selling tickets, voucher, and items
git-svn-id: https://silmor.de/svn/softmagic/smoke/trunk@715 6e3c4bff-ac9f-4ac1-96c5-d2ea494d3e33
---
diff --git a/www/inc/wext/cart.php b/www/inc/wext/cart.php
index cc633ab..c88c6c9 100644
--- a/www/inc/wext/cart.php
+++ b/www/inc/wext/cart.php
@@ -27,14 +27,17 @@ class WOCartOrder extends WOCartOrderAbstract
 $vdiffprice=false;
 $tsalestop=0;
 if(is_a($trans,"WTrCreateOrder")){
+ //gather privileges
 $vanyval=$trans->havePrivilege(WTrCreateOrder::Priv_AnyVoucherValue);
 $vdiffprice=$trans->havePrivilege(WTrCreateOrder::Priv_DiffVoucherValuePrice);
+ //find out what the time limit on ordering is
 $tsalestop=$db->getConfig("OrderStop")+0;
 if($tsalestop<0)$tsalestop=0;
 if($trans->havePrivilege(WTrCreateOrder::Priv_LateSale))
 $tsalestop=self::LateSale;
 if($trans->havePrivilege(WTrCreateOrder::Priv_AfterTheFactSale))
 $tsalestop=self::AfterSale;
+ //check whether we are allowed to create a sale/order
 $issale=$trans->getissale();
 if($issale){
 if(!$trans->havePrivilege(WTrCreateOrder::Priv_CanSell)){
@@ -47,6 +50,19 @@ class WOCartOrder extends WOCartOrderAbstract
 return;
 }
 }
+ //check whether we can handle the content of this order
+ if(count($cart->gettickets())>0 && !$trans->havePrivilege(WTrCreateOrder::Priv_CanOrderTicket)){
+ $trans->abortWithError(tr("You do not have the privilege to sell tickets."));
+ return;
+ }
+ if(count($cart->getvouchers())>0 && !$trans->havePrivilege(WTrCreateOrder::Priv_CanOrderVoucher)){
+ $trans->abortWithError(tr("You do not have the privilege to sell vouchers."));
+ return;
+ }
+ if(count($cart->getitems())>0 && !$trans->havePrivilege(WTrCreateOrder::Priv_CanOrderItem)){
+ $trans->abortWithError(tr("You do not have the privilege to sell shop items."));
+ return;
+ }
 }else if(is_a($trans,"WTrCreateReservation")){
 $isreserve=true;
@@ -58,6 +74,13 @@ class WOCartOrder extends WOCartOrderAbstract
 $trans->abortWithError(tr("CreateOrder called from an unknown transaction."));
 return;
 }
+ //check there is anything there
+ if(count($cart->gettickets())==0 &&
+ count($cart->getvouchers())==0 &&
+ count($cart->getitems())==0){
+ $trans->abortWithError(tr("Nothing in the cart."));
+ return;
+ }
 //verify necessary elements and content
 $very=true;
 $very&=$cart->verifyCustomer($trans);
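Review bot: The three content checks are added only inside the `is_a($trans,"WTrCreateOrder")` branch, so in the lines shown a cart arriving through `WTrCreateReservation` is never tested against `Priv_CanOrderTicket`, `Priv_CanOrderVoucher` or `Priv_CanOrderItem`. The reservation branch continues outside this hunk and may restrict cart content there; if it does not, vouchers and shop items should be rejected on that path. Either way the branch deserves a comment such as `//TODO: confirm which cart content a reservation may carry; Priv_CanOrder* is not checked on this path`. Separately, the checks run whether or not `$issale` is set, yet the messages speak only of selling, so a refused non-sale order is told it may not "sell"; wording like `tr("You do not have the privilege to order or sell tickets.")` would match the `CanOrder*` privilege actually tested.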