Handle the fair role in the student editor. Restrict to load/save the

fair.

admin/student_editor.php

@@ -29,6 +29,28 @@
 $registrations_id = intval($_GET['id']);
 $action = $_GET['action'];
 
+/* Extra restrictions for auth_type = fair */
+if($auth_type == 'fair') {
+	$fairs_id = $_SESSION['fairs_id'];
+
+	if($registrations_id == -1 && ($action=='registration_load' || $action == 'registration_save')) {
+		/* we can't check the project it hasn't been created. */
+	} else {
+		/* Make sure they have permission to laod this student, check
+		the master copy of the fairs_id in the project */
+		$q=mysql_query("SELECT * FROM projects WHERE 
+				registrations_id='$registrations_id' 
+				AND year='{$config['FAIRYEAR']}'
+				AND fairs_id=$fairs_id");
+		if(mysql_num_rows($q) != 1) {
+			echo "permission denied.";
+			exit;
+		} 
+		/* Ok, they have permission */
+	}
+}
+
+
 switch($action) {
 case 'registration_load':
 	registration_load();
@@ -77,6 +99,7 @@ exit;
 function students_save()
 {
 	global $registrations_id, $config;
+
 	$x=1;
 	while($_POST["num"][$x]) {
 		if($_POST['id'][$x]==0) {
@@ -155,11 +178,12 @@ function students_save()
 
 function students_load()
 {
-	global $registrations_id;
+	global $registrations_id, $config;
-	global $config;
 
 	//now query and display 
-	$q=mysql_query("SELECT * F ROM students WHERE registrations_id='".$registrations_id."' AND year='".$config['FAIRYEAR']."'");
+	$q=mysql_query("SELECT * FROM students WHERE
+				registrations_id='$registrations_id' 
+				AND year='{$config['FAIRYEAR']}'");
 	echo mysql_error();
 
 	$numfound=mysql_num_rows($q);
@@ -381,7 +405,7 @@ function students_load()
 
 function registration_load()
 {
-	global $registrations_id, $config;
+	global $registrations_id, $config, $auth_type;
 
 	/* Load reg data */
 	if($registrations_id == -1) {
@@ -409,12 +433,13 @@ function registration_load()
 			}
 		}
 
-		/* Load fairs */
+	}
-		$fairs = array();
+
-		$q = mysql_query("SELECT * FROM fairs WHERE type='feeder'");
+	/* Load fairs */
-		while(($f = mysql_fetch_assoc($q))) {
+	$fairs = array();
-			$fairs[$f['id']] = $f;
+	$q = mysql_query("SELECT * FROM fairs WHERE type='feeder'");
-		}
+	while(($f = mysql_fetch_assoc($q))) {
+		$fairs[$f['id']] = $f;
 	}
 
 	/* Print form */
@@ -443,15 +468,19 @@ if(count($fairs)>0) {
 ?>	
 	 <tr>
 		<td><?=i18n("Fair")?>:</td>
-		<td><select name="registration_fair">
+		<td>
-			<option value="0"><?=i18n('Independent/None')?></option>
+<?		if($auth_type == 'fair') {
-<?			foreach($fairs as $fid=>$f) {
+			echo $fairs[$_SESSION['fairs_id']]['name'];
-				$sel = ($fid == $r['fairs_id']) ? 'selected="selected"' : '';
+		} else {
-				echo "<option $sel value=\"$fid\">{$f['name']}</option>";
+?>			<select name="registration_fair">
-			} 
+				<option value="0"><?=i18n('Independent/None')?></option>
-?>			
+<?				foreach($fairs as $fid=>$f) {
-		</select>
+					$sel = ($fid == $r['fairs_id']) ? 'selected="selected"' : '';
-     </td>
+					echo "<option $sel value=\"$fid\">{$f['name']}</option>";
+				} 
+?>				</select>
+<?		}
+?>		</td>
 	</tr>
 <?
 }
@@ -468,7 +497,7 @@ else {
 
 function registration_save()
 {
-	global $registrations_id, $config;
+	global $registrations_id, $config, $auth_type;
 	$registration_num = intval($_POST['registration_num']);
 	$registration_status = mysql_real_escape_string(stripslashes($_POST['registration_status']));
 	$registration_email = mysql_real_escape_string(stripslashes($_POST['registration_email']));
@@ -496,7 +525,9 @@ function registration_save()
 					id='$registrations_id'");
 	echo mysql_error();
 
-	/* And the fairs_id */
+	/* And the fairs_id, override anythign specified 
+	 * if the user is a fair, force their own fairs_id */
+	if($auth_type == 'fair') $fairs_id = $_SESSION['fairs_id'];
 	mysql_query("UPDATE projects SET 
 					fairs_id='$fairs_id'
 				WHERE