/WebCalendar-1.2.5/del_entry.php
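<?php
/* $Id: del_entry.php,v 1.75.2.5 2012/02/28 02:07:45 cknudsen Exp $ */
/**
 * Delete (or decline) one calendar entry, then redirect.
 *
 * Request inputs are read as globals (presumably populated by
 * includes/init.php - confirm there):
 *   $id        entry to delete
 *   $date      optional occurrence date (YYYYMMDD) of a repeating entry
 *   $override  together with $date, remove only that occurrence
 *   $user      optional calendar owner whose participation is being removed
 * Session/preference globals used: $login, $is_admin, $is_assistant,
 * $is_nonuser_admin, $readonly, $TIMEZONE, $LANGUAGE, $SEND_EMAIL,
 * $login_fullname, $login_email.
 *
 * Deletion is soft: webcal_entry_user.cal_status is set to 'D' for the
 * affected participants, or an exception date is inserted into
 * webcal_entry_repeats_not.  Only webcal_entry_ext_user rows are really
 * deleted.  Ends in do_redirect(), or in WebCalMailer::MailError() when
 * $error or $mailerError is set.
 */
include_once 'includes/init.php';
require ( 'includes/classes/WebCalMailer.class' );
$mail = new WebCalMailer;

// Request-origin check; this is the only origin control visible in this
// file before the state-changing SQL below.
require_valide_referring_url ();

$can_edit = $my_event = false;
$other_user = '';
$activity_type = '';
$url = '';

// First, check to see if this user should be able to delete this event.
if ( $id > 0 ) {
  // NOTE(review): every non-read-only user starts with $can_edit = true.  The
  // query below can only confirm that (it never sets false), and when UAC is
  // disabled the only later narrowing is the $readonly check.  Confirm this
  // baseline for non-owners is intended.
  $can_edit = ( $is_admin || $readonly != 'Y' );

  // Look the entry up as creator or participant.  An assistant acts on behalf
  // of $user, so that login is used in the SQL; admins skip the restriction.
  $query_params = array ( $id );
  $sql = 'SELECT we.cal_id, we.cal_type FROM webcal_entry we,
    webcal_entry_user weu WHERE we.cal_id = weu.cal_id AND we.cal_id = ? ';
  if ( ! $is_admin ) {
    $sql .= ' AND ( we.cal_create_by = ? OR weu.cal_login = ? )';
    $sqlparm = ( $is_assistant ? $user : $login );
    $query_params[] = $sqlparm;
    $query_params[] = $sqlparm;
  }
  $res = dbi_execute ( $sql, $query_params );
  if ( $res ) {
    $row = dbi_fetch_row ( $res );
    if ( $row && $row[0] > 0 )
      $can_edit = true;

    // An empty result leaves the type empty instead of indexing into false.
    $activity_type = ( $row ? (string) $row[1] : '' );
    dbi_free_result ( $res );
  }
}
// cal_type 'E' or 'M' uses the plain log constants; any other type uses the
// *_T variants (tasks, judging by the suffix).  The empty-string guard avoids
// strpos() with an empty needle, whose result differs between PHP versions.
if ( $activity_type !== '' && strpos ( 'EM', $activity_type ) !== false ) {
  $log_delete = LOG_DELETE;
  $log_reject = LOG_REJECT;
} else {
  $log_delete = LOG_DELETE_T;
  $log_reject = LOG_REJECT_T;
}

// See who owns the event. Owner should be able to delete.
$res = dbi_execute ( 'SELECT cal_create_by FROM webcal_entry WHERE cal_id = ?',
  array ( $id ) );
if ( $res ) {
  $row = dbi_fetch_row ( $res );
  $owner = ( $row ? $row[0] : '' );
  dbi_free_result ( $res );

  // Owner, the owner's assistant, or a nonuser-calendar admin.
  if ( $owner == $login || ( $is_assistant && $user == $owner ) || $is_nonuser_admin )
    $can_edit = $my_event = true;

  // Check UAC: for non-admins this replaces, not extends, the decision so far.
  if ( access_is_enabled () && ! $is_admin )
    $can_edit = access_user_calendar ( 'edit', $owner );
}

// If the user is the event creator or their assistant
// allow them to delete the event from another user's calendar.
// It's essentially the same thing as editing the event and removing the
// user from the participants list.
if ( $my_event && ! empty ( $user ) && $user != $login && ! $is_assistant )
  $other_user = $user;

if ( $readonly == 'Y' )
  $can_edit = false;

// If User Access Control is enabled, check to see if the current
// user is allowed to delete events from the other user's calendar.
if ( ! $can_edit && access_is_enabled () && ! empty ( $user ) &&
    access_user_calendar ( 'edit', $user ) )
  $can_edit = true;

if ( ! $can_edit )
  $error = print_not_auth ( 6 );

// Is this a repeating event?
$event_repeats = false;
$res = dbi_execute ( 'SELECT COUNT( cal_id ) FROM webcal_entry_repeats
  WHERE cal_id = ?', array ( $id ) );
if ( $res ) {
  $row = dbi_fetch_row ( $res );
  if ( $row && $row[0] > 0 )
    $event_repeats = true;

  dbi_free_result ( $res );
}
// Remove a single occurrence only when a date was given for a repeating event.
$override_repeat = ( ! empty ( $date ) && $event_repeats && ! empty ( $override ) );

if ( $id > 0 && empty ( $error ) ) {
  if ( ! empty ( $date ) )
    $thisdate = $date;
  else {
    $thisdate = '';
    $res = dbi_execute ( 'SELECT cal_date FROM webcal_entry WHERE cal_id = ?',
      array ( $id ) );
    if ( $res ) {
      // date format is 19991231
      $row = dbi_fetch_row ( $res );
      $thisdate = ( $row ? $row[0] : '' );
      dbi_free_result ( $res );
    }
  }

  // Only allow delete of webcal_entry & webcal_entry_repeats
  // if owner or admin, not participant.
  // If a user was specified, then only delete that user (not here) even if we
  // are the owner or an admin.
  if ( ( $is_admin || $my_event ) && ! $other_user ) {
    // Email participants that the event was deleted.
    // First, get list of participants (with status Approved or Waiting on approval).
    $res = dbi_execute ( 'SELECT cal_login FROM webcal_entry_user
      WHERE cal_id = ? AND cal_status IN ( \'A\', \'W\' )', array ( $id ) );
    $partlogin = array ();
    if ( $res ) {
      while ( $row = dbi_fetch_row ( $res ) ) {
        $partlogin[] = $row[0];
      }
      dbi_free_result ( $res );
    }
    // Get event name, date and time.  Defaults keep the concatenation below
    // well-defined if the lookup fails.
    $name = $fmtdate = $time = '';
    $res = dbi_execute ( 'SELECT cal_name, cal_date, cal_time FROM webcal_entry
      WHERE cal_id = ?', array ( $id ) );
    if ( $res ) {
      $row = dbi_fetch_row ( $res );
      if ( $row ) {
        $name = $row[0];
        $fmtdate = $row[1];
        $time = sprintf ( "%06d", $row[2] );
      }
      dbi_free_result ( $res );
    }

    $eventstart = date_to_epoch ( $fmtdate . $time );
    // Not read in this file; presumably consumed as a global by the display
    // helpers called below - confirm before removing.
    $TIME_FORMAT = 24;
    foreach ( $partlogin as $participant ) {
      // Log the deletion.
      activity_log ( $id, $login, $participant, $log_delete, '' );
      // Check UAC.
      $can_email = ( access_is_enabled ()
        ? access_user_calendar ( 'email', $participant, $login ) : false );

      // Don't email the logged in user.
      if ( $can_email && $participant != $login ) {
        set_env ( 'TZ', get_pref_setting ( $participant, 'TIMEZONE' ) );
        $user_language = get_pref_setting ( $participant, 'LANGUAGE' );
        // Presumably fills $tempemail / $tempfullname for this participant.
        user_load_variables ( $participant, 'temp' );
        if ( ! $is_nonuser_admin &&
            get_pref_setting ( $participant, 'EMAIL_EVENT_DELETED' ) == 'Y' &&
            boss_must_be_notified ( $login, $participant ) &&
            ! empty ( $tempemail ) && $SEND_EMAIL != 'N' ) {
          reset_language ( empty ( $user_language ) || $user_language == 'none'
            ? $LANGUAGE : $user_language );
          // NOTE(review): $eventtime is never assigned in this file, so unless
          // init.php provides it the "Time XXX" line is always omitted - confirm.
          $timeline = ( ! empty ( $eventtime ) && $eventtime != '-1'
            ? str_replace ( 'XXX', display_time ( '', 2, $eventstart,
                get_pref_setting ( $participant, 'TIME_FORMAT' ) ),
              translate ( 'Time XXX' ) ) : '' );
          $body = str_replace ( 'XXX', $tempfullname, translate ( 'Hello, XXX.' ) )
            . ".\n\n"
            . str_replace ( 'XXX', $login_fullname,
              translate ( 'XXX has canceled an appointment.' ) ) . "\n"
            . str_replace ( 'XXX', $name, translate ( 'Subject XXX' ) ) . "\"\n"
            . str_replace ( 'XXX', date_to_str ( $thisdate ),
              translate ( 'Date XXX' ) ) . "\n"
            . $timeline . "\n\n";
          // Use WebCalMailer class.  The recipient's EMAIL_HTML preference
          // selects the body format.
          $mail->WC_Send ( $login_fullname, $tempemail, $tempfullname, $name,
            $body, get_pref_setting ( $participant, 'EMAIL_HTML' ), $login_email );
        }
      }
    }

    // Instead of deleting from the database...
    // mark it as deleted by setting the status for each participant to "D"
    // (instead of "A"/Accepted, "W"/Waiting-on-approval or "R"/Rejected).
    if ( $override_repeat ) {
      dbi_execute ( 'INSERT INTO webcal_entry_repeats_not
        ( cal_id, cal_date, cal_exdate ) VALUES ( ?, ?, ? )',
        array ( $id, $date, 1 ) );
      // Should we log this to the activity log???
    } else {
      // If it's a repeating event, delete any event exceptions that were entered.
      if ( $event_repeats ) {
        $res = dbi_execute ( 'SELECT cal_id FROM webcal_entry WHERE cal_group_id = ?',
          array ( $id ) );
        if ( $res ) {
          $ex_events = array ();
          while ( $row = dbi_fetch_row ( $res ) ) {
            $ex_events[] = $row[0];
          }
          dbi_free_result ( $res );
          // Distinct loop variables: a counter shared between the outer and
          // inner loop would let the inner count clobber the outer bound.
          foreach ( $ex_events as $ex_id ) {
            $res = dbi_execute ( 'SELECT cal_login FROM
              webcal_entry_user WHERE cal_id = ?', array ( $ex_id ) );
            if ( ! $res )
              continue;

            $delusers = array ();
            while ( $row = dbi_fetch_row ( $res ) ) {
              $delusers[] = $row[0];
            }
            dbi_free_result ( $res );
            foreach ( $delusers as $deluser ) {
              // Log the deletion.
              activity_log ( $ex_id, $login, $deluser, $log_delete, '' );
              dbi_execute ( 'UPDATE webcal_entry_user SET cal_status = ?
                WHERE cal_id = ? AND cal_login = ?',
                array ( 'D', $ex_id, $deluser ) );
            }
          }
        }
      }

      // Now, mark event as deleted for all users.
      dbi_execute ( 'UPDATE webcal_entry_user SET cal_status = \'D\' WHERE cal_id = ?',
        array ( $id ) );

      // Delete External users for this event
      dbi_execute ( 'DELETE FROM webcal_entry_ext_user WHERE cal_id = ?',
        array ( $id ) );
    }
  } else {
    // Not the owner of the event, but participant or noncal_admin.
    // Just set the status to 'D' instead of deleting.
    $del_user = ( ! empty ( $other_user ) ? $other_user : $login );
    if ( ! empty ( $user ) && $user != $login ) {
      if ( $is_admin || $my_event || ( $can_edit && $is_assistant ) ||
          ( access_is_enabled () &&
            access_user_calendar ( 'edit', $user ) ) ) {
        $del_user = $user;
      } else {
        // Error: user cannot delete from other user's calendar.
        $error = print_not_auth ( 6 );
      }
    }
    if ( empty ( $error ) ) {
      if ( $override_repeat ) {
        // NOTE(review): this exception row is keyed only by cal_id/cal_date,
        // so the occurrence disappears for every participant, not just
        // $del_user - confirm that is intended on the participant path.
        dbi_execute ( 'INSERT INTO webcal_entry_repeats_not
          ( cal_id, cal_date, cal_exdate ) VALUES ( ?, ?, ? )',
          array ( $id, $date, 1 ) );
        // Should we log this to the activity log???
      } else {
        dbi_execute ( 'UPDATE webcal_entry_user SET cal_status = ?
          WHERE cal_id = ? AND cal_login = ?', array ( 'D', $id, $del_user ) );
        activity_log ( $id, $login, $login, $log_reject, '' );
      }
    }
  }
}

$ret = getValue ( 'ret' );
$return_view = get_last_view ();

if ( ! empty ( $ret ) ) {
  // Any other $ret value leaves $url empty.
  if ( $ret == 'listall' )
    $url = 'list_unapproved.php';
  elseif ( $ret == 'list' )
    $url = 'list_unapproved.php'
      . ( empty ( $user ) ? '' : '?user=' . urlencode ( $user ) );
} elseif ( ! empty ( $return_view ) ) {
  // NOTE(review): no exit here, so execution falls through to the final
  // redirect with an empty $url - confirm do_redirect() ends the script.
  do_redirect ( $return_view );
} else {
  $url = get_preferred_view ( '', empty ( $user ) ? '' : 'user=' . $user );
}

// Return to login TIMEZONE.
set_env ( 'TZ', $TIMEZONE );
// $mailerError is not assigned in this file; presumably set by WebCalMailer.
if ( empty ( $error ) && empty ( $mailerError ) ) {
  do_redirect ( $url );
  exit;
}
// Process errors.
$mail->MailError ( $mailerError, $error );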