From b312189a7b1165348532da223a222a849782a189 Mon Sep 17 00:00:00 2001
From: drigato
Date: Fri, 28 Aug 2015 17:46:03 -0400
Subject: [PATCH] CC-6105: DJs can edit playlists, smartblocks, and webstreams they do not own

---
 .../controllers/PlaylistController.php | 10 ++++++++++
 .../controllers/WebstreamController.php | 15 ++++++++++++++-
 .../scripts/playlist/permission-denied.phtml | 5 +++++
 3 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 airtime_mvc/application/views/scripts/playlist/permission-denied.phtml

diff --git a/airtime_mvc/application/controllers/PlaylistController.php b/airtime_mvc/application/controllers/PlaylistController.php
index d0b2070f3..d94c34ec2 100644
--- a/airtime_mvc/application/controllers/PlaylistController.php
+++ b/airtime_mvc/application/controllers/PlaylistController.php
@@ -74,6 +74,16 @@ class PlaylistController extends Zend_Controller_Action
     private function createFullResponse($obj = null, $isJson = false, $formIsValid = false)
     {
+        $user = Application_Model_User::getCurrentUser();
+        $isAdminOrPM = $user->isUserType(array(UTYPE_SUPERADMIN, UTYPE_ADMIN, UTYPE_PROGRAM_MANAGER));
+
+        if (!$isAdminOrPM && $obj->getCreatorId() != $user->getId()) {
+            $this->view->objType = $obj instanceof Application_Model_Block ? "block" : "playlist";
+            $this->view->obj = $obj;
+            $this->view->html = $this->view->render('playlist/permission-denied.phtml');
+            return;
+        }
+
         $isBlock = false;
         $viewPath = 'playlist/playlist.phtml';
         if ($obj instanceof Application_Model_Block) {
diff --git a/airtime_mvc/application/controllers/WebstreamController.php b/airtime_mvc/application/controllers/WebstreamController.php
index d78a9d305..41847c52d 100644
--- a/airtime_mvc/application/controllers/WebstreamController.php
+++ b/airtime_mvc/application/controllers/WebstreamController.php
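Review bot: The new ownership check dereferences `$obj` unconditionally, yet the signature directly above declares `$obj = null`, so a caller relying on that default now hits `$obj->getCreatorId()` on null and fatals before any of the existing handling below is reached. Guard on the object being present, `if ($obj !== null && !$isAdminOrPM && $obj->getCreatorId() != $user->getId()) {`, or place the check after whatever null handling the rest of the method performs (the method body continues outside the hunk). The `!=` is a loose comparison; if the ORM returns the creator id as a string, `(int) $obj->getCreatorId() !== (int) $user->getId()` makes the intent explicit instead of depending on coercion. The same early-return pattern appears in the WebstreamController hunk, and in both places it only prevents the edit form from being rendered — if the actions that persist playlist, block or webstream changes do not apply the same role/owner check server-side, the restriction is cosmetic, which is worth confirming in those actions.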
@@ -55,7 +55,20 @@ class WebstreamController extends Zend_Controller_Action
         if ($webstream) {
             Application_Model_Library::changePlaylist($id, "stream");
         }
-        $this->view->obj = new Application_Model_Webstream($webstream);
+
+        $obj = new Application_Model_Webstream($webstream);
+
+        $user = Application_Model_User::getCurrentUser();
+        $isAdminOrPM = $user->isUserType(array(UTYPE_SUPERADMIN, UTYPE_ADMIN, UTYPE_PROGRAM_MANAGER));
+
+        if (!$isAdminOrPM && $webstream->getDbCreatorId() != $user->getId()) {
+            $this->view->objType = "webstream";
+            $this->view->obj = $obj;
+            $this->view->html = $this->view->render('playlist/permission-denied.phtml');
+            return;
+        }
+
+        $this->view->obj = $obj;
         $this->view->action = "edit";
         $this->view->html = $this->view->render('webstream/webstream.phtml');
     }
diff --git a/airtime_mvc/application/views/scripts/playlist/permission-denied.phtml b/airtime_mvc/application/views/scripts/playlist/permission-denied.phtml
new file mode 100644
index 000000000..8f2597264
--- /dev/null
+++ b/airtime_mvc/application/views/scripts/playlist/permission-denied.phtml
@@ -0,0 +1,5 @@
+objType == "block") { $displayText = "smart block"; } else { $displayText = $this->escape($this->objType); } ?>
+
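Review bot: `$webstream->getDbCreatorId()` is called unconditionally, but the `if ($webstream)` guard three lines earlier in the hunk shows `$webstream` can be falsy, and execution still falls through to the new check in that case, so the missing-stream path now fatals instead of reaching the view. Either move the ownership check inside that guard or test for the object first, `if ($webstream && !$isAdminOrPM && $webstream->getDbCreatorId() != $user->getId()) {`. If Application_Model_Webstream exposes the creator id, reading it through `$obj` would also mirror the PlaylistController hunk, which checks `$obj->getCreatorId()` rather than the underlying row. The enclosing action method starts outside the hunk.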

You do not have permission to edit this .

+ + + \ No newline at end of file