Users can delete events from admin

webloesung · October 6, 2012, 9:26pm

Hello,
during test of the istallation the following issue occurs:
Configuration:
Privat Extended Mode
View: all
Add: admin, editor, superuser
Edit: admin, editor, superuser

By login with user TEST 1 (assigned to role “editor”) - the events belong to the user TEST1 could be edited and deleted by TEST 1. Events from another users are visible, details can be seen without edit, but the DELETE icon is also shown and moreover, by click on it, the event is deleted.

How to achive the following:
every user can see all, add/edit/delete own? and not allowing to delete events from another users?

radyno · October 8, 2012, 8:38am

Hi,
problem is confirmed.
Please, open file wp-content/plugins/event-calendar-scheduler/codebase/dhtmlxSchedulerConfigurator.phpm find method set_event_user and replace it with the follow code:

public function set_event_user($action) {
		if ($this->settings['templates_username'] == 'true') $action->remove_field('1');
		$status = $action->get_status();
		if ($status == "inserted") {
			$action->set_value("user", $this->userid);
		} else {
			if ($this->settings["privatemode"] == "ext") {
				$id = mysql_real_escape_string($action->get_id(), $this->connection);
				$res = $this->scheduler->sql->query("SELECT user FROM {$this->prefix}events_rec WHERE event_id='{$id}'");
				$tmp = $this->scheduler->sql->get_next($res);
				$user = $tmp ? $tmp['user'] : -1;
				if ($user != $this->userid) {
					$action->error();
				}
			}
		}
		if ($action->get_value('event_pid') == '') {
			$action->set_value('event_pid', 0);
		}
		if ($action->get_value('event_length') == '') {
			$action->set_value('event_length', 0);
		}
	}

This code will block saving deleted event from server side. Unfortunately there is no way to prevent showing delete/edit buttons for blocked events at client side. Maybe it will be improved in the future.
Provided fix will be included in the next release, thanks for your feedback.

webloesung · October 9, 2012, 8:17pm

thank you!
the change resulted as follows:

also the pop-up for deletion confirmation is shown before - maybe it is possible to add some code-check in the event rendering for the generating the context menu (with action icons - edit, details, delete?)?
the entry that had been tried to be deleted - is stays with crossed line

by following steps the changed code has no influence:

click on the change icon “pencel” by entry done by another user - type something in, click somewhere else => typed new text will be visible. or move the event from another user => the event is moved

Yes, the change is not saved (this is visible if the page is reloaded) - but confusing.
Is there any event that I could look into for fixing this issue?

Also the question - how to allow admins to edit ALL events? should i add it to the restriction check with Admin user id?

Thank you!

radyno · October 10, 2012, 8:08am

Hi,

Unfortunately there is no easy way to fix it. Problem will be fixed in the next version.

There is no way to do it for now. Feature is added in todo list. It will be available in the next release.

webloesung · January 22, 2013, 9:34pm

Hello!
is there is any workign work around for the above stated issue? i have v30 installed and facing the issue.
Thank you in advance for any hint!
best regards