From 98c1aadfa4b902eaeb6d8848f22da248d8366743 Mon Sep 17 00:00:00 2001
From: Iglocska
Date: Fri, 15 Jan 2016 11:43:37 +0100
Subject: [PATCH] Fix to a bug allowing regular users of the owner organisation to edit/delete a synced event as discovered by @h122015 - requirements for the actions changed from an org_id match to an orgc_id match
---
app/Controller/EventsController.php | 4 ++--
app/View/Events/index.ctp | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/app/Controller/EventsController.php b/app/Controller/EventsController.php
index 382cf5292..fa51e9747 100755
--- a/app/Controller/EventsController.php
+++ b/app/Controller/EventsController.php
@@ -1036,7 +1036,7 @@ class EventsController extends AppController {
 $this->Event->read(null, $id);
 // check for if private and user not authorised to edit, go away
 if (!$this->_isSiteAdmin() && !($this->userRole['perm_sync'] && $this->_isRest())) {
- if (($this->Event->data['Event']['org_id'] != $this->_checkOrg()) || !($this->userRole['perm_modify'])) {
+ if (($this->Event->data['Event']['orgc_id'] != $this->_checkOrg()) || !($this->userRole['perm_modify'])) {
 $this->Session->setFlash(__('You are not authorised to do that. Please considering using the propose attribute feature.'));
 $this->redirect(array('controller' => 'events', 'action' => 'index'));
 }
@@ -1159,7 +1159,7 @@ class EventsController extends AppController {
 $this->Event->read();
 if (!$this->_isSiteAdmin()) {
- if ($this->Event->data['Event']['org_id'] != $this->_checkOrg() || !$this->userRole['perm_modify']) {
+ if ($this->Event->data['Event']['orgc_id'] != $this->_checkOrg() || !$this->userRole['perm_modify']) {
 throw new MethodNotAllowedException();
 }
 }
diff --git a/app/View/Events/index.ctp b/app/View/Events/index.ctp
index de86bbdda..35af29eb8 100755
--- a/app/View/Events/index.ctp
+++ b/app/View/Events/index.ctp
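Review bot: The corrected check in the edit action still lets any user of the creator organisation who holds `perm_modify` through, whereas the index view changed in the same commit only shows the Edit button when `$isAclModifyOrg` matches `orgc_id` or when `$isAclModify` and the user created the event; the server-side check is the one that counts, so it should be at least as strict as the view, roughly `if (!($this->userRole['perm_modify_org'] && $this->Event->data['Event']['orgc_id'] == $this->_checkOrg()) && !($this->userRole['perm_modify'] && $this->Event->data['Event']['user_id'] == $this->Auth->user('id')))` — the exact role key and current-user accessor are not visible here and need confirming against the role model. The `perm_sync && _isRest()` clause on the surrounding `if` skips the org and permission check entirely for sync users over REST; that is unchanged by this fix and deserves a comment such as `// NOTE: sync users over REST bypass the org/perm_modify check below — confirm this is intended`. The edit action starts and ends outside the hunk, so what `$id` was validated against before `$this->Event->read(null, $id)` cannot be seen here.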
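Review bot: When the creator-org or `perm_modify` check fails in the delete action the code throws `MethodNotAllowedException` (HTTP 405), which tells the caller the verb is wrong rather than that they are not authorised; a `ForbiddenException` (403), or a not-found response if the project prefers not to reveal that the event exists, would be the accurate status, e.g. `throw new ForbiddenException('You are not authorised to delete this event.');`. The same `org_id` to `orgc_id` substitution is made here as in the edit action, so any other action that still authorises on `org_id` (publishing, or attribute and proposal changes on an event) would presumably keep the original bug and is worth grepping for, and a regression test asserting that a non-creator-org user with `perm_modify` is refused would pin the fix. The delete action's body starts outside the hunk, so the `$this->Event->read()` call's reliance on a previously set event id cannot be checked from here.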
@@ -168,11 +168,11 @@ Form->postLink('', array('action' => 'alert', $event['Event']['id']), array('class' => 'icon-download-alt', 'title' => 'Publish Event'), 'Are you sure this event is complete and everyone should be informed?'); elseif (0 == $event['Event']['published']) echo 'Not published'; - if ($isSiteAdmin || ($isAclModify && $event['Event']['user_id'] == $me['id']) || ($isAclModifyOrg && $event['Event']['org_id'] == $me['org_id'])) { + if ($isSiteAdmin || ($isAclModify && $event['Event']['user_id'] == $me['id']) || ($isAclModifyOrg && $event['Event']['orgc_id'] == $me['org_id'])) { ?> ' class = "icon-edit" title = "Edit">