CC-4095: Media Library -> Playlist: dj user can delete the playlist owned by

others on some situation.

- fixed

airtime_mvc/application/controllers/LibraryController.php

@@ -129,27 +129,11 @@ class LibraryController extends Zend_Controller_Action
             }
         }
 
-        $hasPermission = true;
-        if (count($playlists)) {
-            // make sure use has permission to delete all playslists in the list
-            if(!$isAdminOrPM){
-                foreach($playlists as $pid){
-                    $pl = new Application_Model_Playlist($pid);
-                    if($pl->getCreatorId() != $user->getId()){
-                        $hasPermission = false;
-                    }
-                }
-            }
-        }
-
-        if (!$isAdminOrPM && count($files)) {
-            $hasPermission = false;
-        }
-        if(!$hasPermission){
+        try{
+            Application_Model_Playlist::DeletePlaylists($playlists, $user->getId());
+        }catch (PlaylistNoPermissionException $e){
             $this->view->message = "You don't have a permission to delete all playlists/files that are selected.";
             return;
-        }else{
-            Application_Model_Playlist::DeletePlaylists($playlists);
         }
 
         foreach ($files as $id) {

airtime_mvc/application/controllers/PlaylistController.php

@@ -97,6 +97,10 @@ class PlaylistController extends Zend_Controller_Action
         $this->createFullResponse(null);
     }
     
+    private function playlistNoPermission(){
+        $this->view->error = "You don't have permission to deleted playlist(s)";
+    }
+
     private function playlistUnknownError($e)
     {
         $this->view->error = "Something went wrong.";
@@ -198,6 +202,9 @@ class PlaylistController extends Zend_Controller_Action
         $ids = (!is_array($ids)) ? array($ids) : $ids;
         $pl = null;
         
+        $userInfo = Zend_Auth::getInstance()->getStorage()->read();
+        $user = new Application_Model_User($userInfo->id);
+
         try {
 
             Logging::log("Currently active playlist {$this->pl_sess->id}");
@@ -210,9 +217,12 @@ class PlaylistController extends Zend_Controller_Action
                 $pl = new Application_Model_Playlist($this->pl_sess->id);
             }
 
-            Application_Model_Playlist::DeletePlaylists($ids);
+            Application_Model_Playlist::DeletePlaylists($ids, $userInfo->id);
             $this->createFullResponse($pl);
         }
+        catch (PlaylistNoPermissionException $e){
+            $this->playlistNoPermission();
+        }
         catch (PlaylistNotFoundException $e) {
             $this->playlistNotFound();
         }

airtime_mvc/application/models/Playlist.php

@@ -802,12 +802,33 @@ class Application_Model_Playlist {
      * Delete playlists that match the ids..
      * @param array $p_ids
      */
-    public static function DeletePlaylists($p_ids)
+    public static function DeletePlaylists($p_ids, $p_userId)
     {
+        $leftOver = self::playlistsNotOwnedByUser($p_ids, $p_userId);
+        if(count($leftOver) == 0){
             CcPlaylistQuery::create()->findPKs($p_ids)->delete();
+        }else{
+            throw new PlaylistNoPermissionException;
+        }
+    }
+    
+    // This function returns that are not owen by $p_user_id among $p_ids 
+    private static function playlistsNotOwnedByUser($p_ids, $p_userId){
+        $ownedByUser = CcPlaylistQuery::create()->filterByDbCreatorId($p_userId)->find()->getData();
+        $selectedPls = $p_ids;
+        $ownedPls = array();
+        foreach($ownedByUser as $pl){
+            if( in_array($pl->getDbId(), $selectedPls) ){
+                $ownedPls[] = $pl->getDbId();
+            }
+        }
+        
+        $leftOvers = array_diff($selectedPls, $ownedPls);
+        return $leftOvers;
     }
 
 } // class Playlist
 
 class PlaylistNotFoundException extends Exception {}
+class PlaylistNoPermissionException extends Exception {}
 class PlaylistOutDatedException extends Exception {}