Fixed facility controller permissions for visiting senior staff

VATUSA · Jul 5, 2024 · ca406fe · ca406fe
1 parent 6f5a2df
commit ca406fe
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/app/Http/Controllers/API/v2/FacilityController.php b/app/Http/Controllers/API/v2/FacilityController.php
@@ -979,7 +979,7 @@ function deleteRoster(
             return response()->api(
                 generate_error("Missing staff CID (by)"), 400);
         } else {
-            if ($request->has('by') && (!User::find($request->by) || User::find($request->by)->facility != $facility->id)) {
+            if ($request->has('by') && (!User::find($request->by) || !RoleHelper::isSeniorStaff($request->by, $facility->id, false))) {
                 return response()->api(
                     generate_error("Invalid staff CID"), 400);
             }
@@ -1201,7 +1201,7 @@ function putTransfer(
             return response()->api(
                 generate_error("Missing staff CID (by)"), 400);
         } else {
-            if ($request->has('by') && (!User::find($request->by) || User::find($request->by)->facility != $facility->id)) {
+            if ($request->has('by') && (!User::find($request->by) || !RoleHelper::isSeniorStaff($request->by, $facility->id, false))) {
                 return response()->api(
                     generate_error("Invalid staff CID"), 400);
             }