Fix the project editor for fairs

admin/project_editor.php

@@ -22,14 +22,38 @@
 */
 ?>
 <?
- require_once('../common.inc.php');
- require_once('../user.inc.php');
- require_once('../register_participants.inc.php');
- user_auth_required('committee', 'admin');
+require_once('../common.inc.php');
+require_once('../user.inc.php');
+require_once('../register_participants.inc.php');
+
+$auth_type = user_auth_required(array('fair','committee'), 'admin');
+
 
 $registrations_id=intval($_GET['id']);
 $action = $_GET['action'];
 
+/* Extra restrictions for auth_type = fair */
+if($auth_type == 'fair') {
+	$fairs_id = $_SESSION['fairs_id'];
+
+	if($registrations_id == -1 && ($action=='registration_load' || $action == 'registration_save')) {
+		/* we can't check the project it hasn't been created. */
+	} else {
+		/* Make sure they have permission to laod this student, check
+		the master copy of the fairs_id in the project */
+		$q=mysql_query("SELECT * FROM projects WHERE 
+				registrations_id='$registrations_id' 
+				AND year='{$config['FAIRYEAR']}'
+				AND fairs_id=$fairs_id");
+		if(mysql_num_rows($q) != 1) {
+			echo "permission denied.";
+			exit;
+		} 
+		/* Ok, they have permission */
+	}
+}
+
+
 switch($action) {
 case 'project_load':
 	project_load();