From 6592a26462d852171d477c8f273ca3477b72b970 Mon Sep 17 00:00:00 2001
From: =?utf8?q?St=C3=A9phane=20Jacob?=
Date: Mon, 6 Dec 2010 22:16:20 +0100
Subject: [PATCH] Prevents deletion of private information by secretaries (Closes #1363).
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Jacob
---
 classes/address.php | 6 +++---
 classes/phone.php | 4 ++--
 modules/profile/addresses.inc.php | 4 ++--
 modules/profile/jobs.inc.php | 14 +++++++-------
 modules/profile/page.inc.php | 2 +-
 5 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/classes/address.php b/classes/address.php
index f0ac9e4..88a97aa 100644
--- a/classes/address.php
+++ b/classes/address.php
@@ -722,7 +722,7 @@ class Address
                     $this->pid, $this->jobid, $this->type, $this->id);
     }
 
-    static public function deleteAddresses($pid, $type, $jobid = null)
+    static public function deleteAddresses($pid, $type, $jobid = null, $deletePrivate = true)
     {
         $where = '';
         if (!is_null($pid)) {
@@ -732,10 +732,10 @@ class Address
             $where = XDB::format(' AND jobid = {?}', $jobid);
         }
         XDB::execute('DELETE FROM profile_addresses
-                      WHERE type = {?}' . $where,
+                      WHERE type = {?}' . $where . (($deletePrivate) ? '' : ' AND pub IN (\'public\', \'ax\')'),
                     $type);
         if ($type == self::LINK_PROFILE) {
-            Phone::deletePhones($pid, Phone::LINK_ADDRESS);
+            Phone::deletePhones($pid, Phone::LINK_ADDRESS, null, $deletePrivate);
         }
     }
 
diff --git a/classes/phone.php b/classes/phone.php
index 5dbca0f..e8aad78 100644
--- a/classes/phone.php
+++ b/classes/phone.php
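Review bot: The `$deletePrivate = true` default added to `deleteAddresses` in the first hunk is fail-open: any caller that still passes three arguments keeps deleting private rows whoever is logged in, so a call site missed by this commit, or one added later, bypasses the new restriction silently; `deletePhones` in classes/phone.php carries the same default. Once the remaining callers are audited, consider `static public function deleteAddresses($pid, $type, $jobid = null, $deletePrivate = false)` so that forgetting the argument yields the restrictive behaviour, and document the contract above the signature with `@param bool $deletePrivate When false, rows whose pub is not 'public' or 'ax' are kept.` In the second hunk the phone cascade filters profile_phones by each phone's own pub value, independently of the address row that owns it, so, assuming phones linked to an address carry their own pub, a public phone attached to a surviving private address is removed while a private phone attached to a deleted public address is left orphaned; deleting the phones through a join on the address rows actually being removed would keep the two tables consistent. The body of `deleteAddresses` is split across the two hunks, with lines 729–731 not shown.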
@@ -316,14 +316,14 @@ class Phone
                     $this->pid, $this->link_type, $this->link_id, $this->id);
     }
 
-    static public function deletePhones($pid, $link_type, $link_id = null)
+    static public function deletePhones($pid, $link_type, $link_id = null, $deletePrivate = true)
     {
         $where = '';
         if (!is_null($link_id)) {
             $where = XDB::format(' AND link_id = {?}', $link_id);
         }
         XDB::execute('DELETE FROM profile_phones
-                      WHERE pid = {?} AND link_type = {?}' . $where,
+                      WHERE pid = {?} AND link_type = {?}' . $where . (($deletePrivate) ? '' : ' AND pub IN (\'public\', \'ax\')'),
                     $pid, $link_type);
     }
 
diff --git a/modules/profile/addresses.inc.php b/modules/profile/addresses.inc.php
index 846fda8..587e0b6 100644
--- a/modules/profile/addresses.inc.php
+++ b/modules/profile/addresses.inc.php
@@ -43,8 +43,8 @@ class ProfileSettingAddresses implements ProfileSetting
 
     public function save(ProfilePage &$page, $field, $value)
     {
-        Phone::deletePhones($page->pid(), Phone::LINK_ADDRESS);
-        Address::deleteAddresses($page->pid(), Address::LINK_PROFILE);
+        Phone::deletePhones($page->pid(), Phone::LINK_ADDRESS, null, S::user()->isMe($page->owner) || S::admin());
+        Address::deleteAddresses($page->pid(), Address::LINK_PROFILE, null, S::user()->isMe($page->owner) || S::admin());
         Address::saveFromArray($value, $page->pid(), Address::LINK_PROFILE);
     }
 
diff --git a/modules/profile/jobs.inc.php b/modules/profile/jobs.inc.php
index e22791e..c239745 100644
--- a/modules/profile/jobs.inc.php
+++ b/modules/profile/jobs.inc.php
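Review bot: The visibility filter `' AND pub IN (\'public\', \'ax\')'` appended on the changed execute line is now a verbatim literal here, in classes/address.php and (as `pj.pub`) in modules/profile/jobs.inc.php, so the definition of which rows a non-owner may delete lives in three places that can drift apart. A single shared helper that returns the fragment for a given column name, called from all three sites, would keep the policy in one place and make the set of "non-private" visibility levels reviewable at a glance. The parameter is also only tested for truthiness, so a caller passing a non-boolean is accepted silently; a one-line `@param bool $deletePrivate` docblock entry above the signature would at least state the intent. The default of `true` is discussed in the classes/address.php note and applies here equally.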
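Review bot: The authorization expression `S::user()->isMe($page->owner) || S::admin()` is evaluated twice on consecutive lines of `save`, and appears a third time in modules/profile/page.inc.php; computing it once, `$deletePrivate = S::user()->isMe($page->owner) || S::admin();`, and passing the local to both calls keeps the decision in one place per save and matches what jobs.inc.php does. Keeping private rows past the delete also relies on the following `Address::saveFromArray` not re-inserting them: if the form rendered to a non-owner still submits the private entries in `$value`, they will now be stored twice, so it is worth confirming that the addresses form omits private entries for secretaries. The enclosing class continues outside the hunk.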
@@ -245,14 +245,14 @@ class ProfileSettingJob implements ProfileSetting
 
     public function save(ProfilePage &$page, $field, $value)
     {
-        XDB::execute("DELETE FROM profile_job
-                      WHERE pid = {?}",
+        $deletePrivate = S::user()->isMe($this->owner) || S::admin();
+        XDB::execute('DELETE FROM pj, pjt
+                      USING profile_job AS pj
+                      LEFT JOIN profile_job_term AS pjt ON (pj.pid = pjt.pid AND pj.id = pjt.jid)
+                      WHERE pj.pid = {?}' . (($deletePrivate) ? '' : ' AND pj.pub IN (\'public\', \'ax\')'),
                     $page->pid());
-        XDB::execute("DELETE FROM profile_job_term
-                      WHERE pid = {?}",
-                    $page->pid());
-        Address::deleteAddresses($page->pid(), Address::LINK_JOB);
-        Phone::deletePhones($page->pid(), Phone::LINK_JOB);
+        Address::deleteAddresses($page->pid(), Address::LINK_JOB, null, $deletePrivate);
+        Phone::deletePhones($page->pid(), Phone::LINK_JOB, null, $deletePrivate);
         $terms_values = array();
         foreach ($value as $id => &$job) {
             if (isset($job['name']) && $job['name']) {
diff --git a/modules/profile/page.inc.php b/modules/profile/page.inc.php
index 5487bdf..f23919f 100644
--- a/modules/profile/page.inc.php
+++ b/modules/profile/page.inc.php
@@ -129,7 +129,7 @@ class ProfileSettingPhones implements ProfileSetting
 
     public function save(ProfilePage &$page, $field, $value)
     {
-        Phone::deletePhones($page->pid(), Phone::LINK_PROFILE);
+        Phone::deletePhones($page->pid(), Phone::LINK_PROFILE, null, S::user()->isMe($page->owner) || S::admin());
         Phone::savePhones($value, $page->pid(), Phone::LINK_PROFILE);
     }
 
-- 
2.1.4
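Review bot: The new line `$deletePrivate = S::user()->isMe($this->owner) || S::admin();` reads `$this->owner`, whereas every other call site in this commit (addresses.inc.php, page.inc.php) reads `$page->owner`; unless ProfileSettingJob defines its own `owner` property, this hands an undefined value to `isMe`, so a non-admin owner editing their own profile would be treated as a non-owner, leaving their private jobs in place and presumably re-inserted by the loop that follows. The line should most likely be `$deletePrivate = S::user()->isMe($page->owner) || S::admin();`. Separately, the old code removed every profile_job_term row for the pid, while the new joined DELETE only removes terms whose (pid, jid) matches a job row, so term rows already orphaned from a missing job are no longer cleaned up; if such rows can exist, they need a separate sweep. The foreach continues past the end of the hunk.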