From 45a5307bafca8cee103f8d31e22984db81c28e7a Mon Sep 17 00:00:00 2001
From: Florent Bruneau <florent.bruneau@polytechnique.org>
Date: Fri, 28 Sep 2007 23:29:08 +0200
Subject: [PATCH] Grant payment access to the non-members of a group who did
 subscribe to an event

Signed-off-by: Florent Bruneau <florent.bruneau@polytechnique.org>
---
 modules/payment.php | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/modules/payment.php b/modules/payment.php
index 6cd2b14..d71b26d 100644
--- a/modules/payment.php
+++ b/modules/payment.php
@@ -80,8 +80,8 @@ class PaymentModule extends PLModule
             'payment'               => $this->make_hook('payment', AUTH_MDP),
             'payment/cyber_return'  => $this->make_hook('cyber_return',  AUTH_PUBLIC),
             'payment/paypal_return' => $this->make_hook('paypal_return',  AUTH_PUBLIC),
-            '%grp/paiement'              => $this->make_hook('xnet_payment', AUTH_MDP, 'groupmember'),
-            '%grp/payment'               => $this->make_hook('xnet_payment', AUTH_MDP, 'groupmember'),
+            '%grp/paiement'              => $this->make_hook('xnet_payment', AUTH_MDP),
+            '%grp/payment'               => $this->make_hook('xnet_payment', AUTH_MDP),
             '%grp/payment/cyber_return'  => $this->make_hook('cyber_return', AUTH_PUBLIC),
             '%grp/payment/paypal_return' => $this->make_hook('paypal_return', AUTH_PUBLIC),
             'admin/payments'        => $this->make_hook('admin', AUTH_MDP, 'admin'),
@@ -338,6 +338,21 @@ class PaymentModule extends PLModule
     {
         global $globals;
 
+        $perms = S::v('perms');
+        if (!$perms->hasFlag('groupmember')) {
+            if (is_null($pid)) {
+                return PL_FORBIDDEN;
+            }
+            $res = XDB::query("SELECT  1
+                                 FROM  groupex.evenements AS e
+                           INNER JOIN  groupex.evenements_participants AS ep ON (ep.eid = e.eid AND uid = {?})
+                                WHERE  e.paiement_id = {?} AND e.asso_id = {?}",
+                              S::i('uid'), $pid, $globals->asso('id'));
+            if ($res->numRows() == 0) {
+                return PL_FORBIDDEN;
+            }
+        }
+
         if (!is_null($pid)) {
             return  $this->handler_payment($page, $pid);
         }
-- 
2.1.4