From ca959b0367077513571949a1a6e6551e96ac27d9 Mon Sep 17 00:00:00 2001
From: Timothy J Warren
Date: Fri, 30 Dec 2016 13:38:43 -0500
Subject: [PATCH] Fix some group permission viewing/saving issues
---
application/config/profiler.php | 4 +-
application/controllers/task.php | 24 ++++--------
application/core/MY_Controller.php | 31 ---------------
application/models/task_model.php | 60 ++++++++++++++++++++----------
application/views/task/edit.php | 12 +++---
5 files changed, 57 insertions(+), 74 deletions(-)
mode change 100755 => 100644 application/config/profiler.php
mode change 100755 => 100644 application/controllers/task.php
mode change 100755 => 100644 application/core/MY_Controller.php
mode change 100755 => 100644 application/views/task/edit.php
diff --git a/application/config/profiler.php b/application/config/profiler.php
old mode 100755
new mode 100644
index 6e8748b..f7c25cb
--- a/application/config/profiler.php
+++ b/application/config/profiler.php
@@ -5,9 +5,9 @@ * An open source application development framework for PHP 5.1.6 or newer * * NOTICE OF LICENSE - * + * * Licensed under the Academic Free License version 3.0 - * + * * This source file is subject to the Academic Free License (AFL 3.0) that is * bundled with this package in the files license_afl.txt / license_afl.rst. * It is also available through the world wide web at this URL:
diff --git a/application/controllers/task.php b/application/controllers/task.php
old mode 100755
new mode 100644
index 8027c1e..5c41c79
--- a/application/controllers/task.php
+++ b/application/controllers/task.php
@@ -175,9 +175,8 @@ class Task extends MY_Controller { * * @param int $task_id */ - public function edit($task_id) + public function edit(int $task_id) { - $task_id = (int) $task_id; $data = $this->task_model->get_task_by_id($task_id); $data['cat_list'] = $this->task_model->get_category_select($task_id);
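Review bot: With `int $task_id` on `Task::edit()`, a non-numeric URI segment now fails with a TypeError before the method body runs instead of being coerced by the removed `(int)` cast, assuming the framework passes segments as strings. The same applies to `view(int $task_id = NULL)` further down, where the existing `is_numeric()` guard can then only ever catch the NULL default, and to `delete(int $task_id)`. Either leave the parameters untyped and reject bad ids inside the method, e.g. `if ( ! ctype_digit((string) $task_id)) { show_404(); }`, or make sure the TypeError is mapped to a 404 rather than an error page. If the type stays on `view`, declare it as `?int $task_id = NULL`. The body of `edit()` continues outside this hunk.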
@@ -190,13 +189,9 @@ class Task extends MY_Controller { if ($this->input->post('edit_sub') == 'Update Task') { - $val = $this->task_model->validate_task(); - - if($val === TRUE) + if($this->task_model->validate_task() === TRUE) { - $done = $this->task_model->update_task(); - - if ($done === TRUE) + if ($this->task_model->update_task() === TRUE) { //Redirect to task list $this->session->set_flashdata([
@@ -205,17 +200,15 @@ class Task extends MY_Controller { ]); $this->todo->redirect_303(site_url('task/list')); + return; } - else - { - $data['err'][] = "Database Error, Please try again later."; - } + + $data['err'][] = "Database Error, Please try again later."; } else { $data['err'] = $val; } - } $this->page->set_title("Edit Task");
@@ -229,7 +222,7 @@ class Task extends MY_Controller { * * @param int $task_id */ - public function view($task_id = NULL) + public function view(int $task_id = NULL) { if( ! is_numeric($task_id)) {
@@ -246,7 +239,6 @@ class Task extends MY_Controller { $data['checklist'] = $this->task_model->get_checklist($task_id); $data['task'] = $task_id; - $this->page->set_title("View Task"); $this->page->set_body_id("task_details"); $this->page->build('task/view', $data);
@@ -257,7 +249,7 @@ class Task extends MY_Controller { /** * Delete a task */ - public function delete($task_id) + public function delete(int $task_id) { $this->task_model->delete_task((int) $task_id); }
diff --git a/application/core/MY_Controller.php b/application/core/MY_Controller.php
old mode 100755
new mode 100644
index 2d42e07..9303868
--- a/application/core/MY_Controller.php
+++ b/application/core/MY_Controller.php
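Review bot: In `Task::edit()` (application/controllers/task.php, hunks at -190 and -205), `$val` is no longer assigned, but the validation-failure branch kept as context still does `$data['err'] = $val;`. Validation messages are therefore never passed to the view, and PHP reports an undefined variable on every failed validation. Keep the result in a variable: `$val = $this->task_model->validate_task();` followed by `if ($val === TRUE)`. The body of `edit()` starts and ends outside these hunks.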
@@ -4,42 +4,11 @@ * Base controller extending CodeIgniter Controller */ class MY_Controller extends CI_Controller { - - /** - * @var MY_Session - */ - public $session; - - /** - * @var CI_DB_driver - */ - public $db; - - /** - * @var CI_Input - */ - public $input; - - /** - * @var CI_Uri - */ - public $uri; - - /** - * @var MY_Form_validation - */ - public $form_validation; - /** * @var Validation_Callbacks */ public $validation_callbacks; - /** - * @var CI_Output - */ - public $output; - /** * @var Page */
diff --git a/application/models/task_model.php b/application/models/task_model.php
index 8385368..4ea8b58 100644
--- a/application/models/task_model.php
+++ b/application/models/task_model.php
@@ -6,7 +6,7 @@ */ class Task_model extends CI_Model { - private $title, $description, $category, $priority, $due, + protected $title, $description, $category, $priority, $due, $status, $user_id, $task_id, $reminder, $reminder_time, $groups, $group_perms, $friends, $friend_perms, $share_type;
@@ -14,6 +14,13 @@ class Task_model extends CI_Model { // -------------------------------------------------------------------------- + public function __construct() + { + // $this->output->enable_profiler(TRUE); + } + + // -------------------------------------------------------------------------- + /** * Get day task list *
@@ -473,7 +480,7 @@ class Task_model extends CI_Model { $share_type = FALSE; //If the task is shared - if($this->input->post('share') !== FALSE) + if($this->input->post('share') != FALSE) { $groups = $this->input->post('group', TRUE); $group_perms = $this->input->post('group_perms', TRUE);
@@ -504,14 +511,17 @@ class Task_model extends CI_Model { $this->user_id = $this->session->userdata('uid'); $this->task_id = ($this->input->post('task_id') != FALSE) ? $this->input->post('task_id') - : $this->db->count_all('item') + 1; + : NULL; //$this->db->count_all('item') + 1; + +/* ?>
 $this,
+	'input' => $this->input->post()
+], TRUE); ?>db->where_in('user_id', $friend_list)
-					->where('task_id', $task_id)
-					->or_where('user_id', (int) $this->session->userdata('uid'))
+				$user_ids = array_merge(
+					[(int) $this->session->userdata('uid')],
+					$friend_list
+				);
+				$this->db->where_in('user_id', $user_ids)
 					->where('task_id', $task_id)
 					->delete('user_task_link');
 			}
 
 		}
 
-
 		//Get groups
 		if($this->share_type == 'group')
 		{
@@ -705,7 +716,9 @@ class Task_model extends CI_Model {
 				}
 
 				if ($this->db->affected_rows() < 1)
-						{return false;}
+				{
+					return false;
+				}
 
 				//Set current user too
 				$this->db->set('user_id', $this->session->userdata('uid'))
@@ -1382,7 +1395,7 @@ class Task_model extends CI_Model {
 	 * @param int $task_id
 	 * @return array
 	 */
-	private function _get_task_perms($task_id)
+	private function _get_task_perms(int $task_id)
 	{
 		/**
 		 * Get the task shared permissions
@@ -1394,7 +1407,7 @@ class Task_model extends CI_Model {
 			->join('group_users_link', 'group_users_link.user_id=user.id', 'inner')
 			->join('group_task_link', 'group_task_link.group_id=group_users_link.group_id', 'inner')
 			->join('item', 'item.id=group_task_link.task_id', 'inner')
-			->where('todo_item.id', (int) $task_id)
+			->where('todo_item.id', $task_id)
 			->where('todo_group_task_link.permissions !=', PERM_NO_ACCESS)
 			->where('todo_user.id', (int) $this->session->userdata('uid'))
 			->limit(1)
@@ -1405,7 +1418,7 @@ class Task_model extends CI_Model {
 			->from('item')
 			->join('user_task_link', 'user_task_link.task_id=item.id')
 			->where('todo_user_task_link.permissions !=', PERM_NO_ACCESS)
-			->where('todo_user_task_link.task_id', (int) $task_id)
+			->where('todo_user_task_link.task_id', $task_id)
 			->where('todo_user_task_link.user_id', (int) $this->session->userdata('uid'))
 			->limit(1)
 			->get();
@@ -1456,7 +1469,7 @@ class Task_model extends CI_Model {
 			->join('group_users_link', 'group_users_link.user_id=user.id', 'inner')
 			->join('group_task_link', 'group_task_link.group_id=group_users_link.group_id', 'inner')
 			->where('todo_group_users_link.user_id', (int) $this->session->userdata('uid'))
-			->where('todo_group_task_link.task_id', (int) $task_id)
+			->where('todo_group_task_link.task_id', $task_id)
 			->get();
 
 		//Check user permissions
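Review bot: The `(int)` cast on `$task_id` is dropped here and again in the next hunk (`->where('id', $task_id)`), but the only signature this patch types is `_get_task_perms(int $task_id)`, and the enclosing function's signature is outside both hunks. If these queries sit in a different method whose `$task_id` is untyped, the value now reaches the query builder with whatever type the caller passed. The builder should still escape it, but the integer guarantee these permission lookups had is gone. Keep `->where('todo_group_task_link.task_id', (int) $task_id)` unless the enclosing parameter is declared `int`.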
@@ -1469,14 +1482,14 @@ class Task_model extends CI_Model {
 		//Check if task admin
 		$upA = $this->db->select('id')
 			->from('item')
-			->where('id', (int) $task_id)
+			->where('id', $task_id)
 			->where('user_id', (int) $this->session->userdata('uid'))
 			->get();
 
 		//Check for admin permissions
 		if($upA->num_rows() > 0)
 		{
-			$result_array['user_perms'] = 9;
+			$result_array['user_perms'] = PERM_ADMIN_ACCESS;
 			return $result_array;
 		}
 		else //User is not admin
@@ -1492,7 +1505,16 @@ class Task_model extends CI_Model {
 			if($upU->num_rows() > 0)
 			{
 				$up_row = $upU->row_array();
-				$result_array['user_perms'] = $up_row['permissions'];
+
+				// Only overwrite group permissions if there are higher
+				// user permissions than group permissions
+				if (
+					$result_array['user_perms'] == PERM_NO_ACCESS ||
+					$up_row['permissions'] > $result_array['user_perms']
+					)
+				{
+					$result_array['user_perms'] = $up_row['permissions'];
+				}
 			}
 
 			//Determine whether the current user can view and/or edit this task
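Review bot: The new merge in the `$upU->num_rows() > 0` branch lets the larger of the group and per-user values win, so a per-user entry lower than the group grant can never narrow access. If a per-user row is meant to be able to restrict a group grant, this needs an explicit precedence rule rather than a maximum; if highest-wins is intended, say so in the comment. The comparison also uses loose `==` and `>` on `$up_row['permissions']`, which comes straight from `row_array()` and is probably a string, so cast it first, e.g. `$user_level = (int) $up_row['permissions'];`. It further assumes the PERM_* constants are numerically ordered by privilege and that `$result_array['user_perms']` was already set earlier in the function, neither of which is visible here. The enclosing function starts and ends outside the hunk.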
diff --git a/application/views/task/edit.php b/application/views/task/edit.php
old mode 100755
new mode 100644
index 264ac8e..d9a7117
--- a/application/views/task/edit.php
+++ b/application/views/task/edit.php
@@ -117,12 +117,12 @@