CHANGELOG for
Event Espresso 014 - Espresso JSON API
-
[touch:2488]{t:120}before event managers were basically considered admins and could view ALL events etc if they were given the permission to see the admin event list page. But I noticed that in RandP, if they have permission to see that page they can still only edit their own events... not all events. I'm confused at why an admin wouldn't give them permission to see the event list page, but that's beside the point. So I tried to sync the permissions as closely as possible to RandP pro: if a role can't see the admin event list, they can't see any non-public events or their attendees (even if they're an event manager with events). Also, promocodes are less visible now...
-
[touch:1876]{t:45}made datetimes accepting of 12-hour clock times
-
[touch:3309]{t:30}uses the attendee's version of the name, not the price's actual current name. This is especially important for the seating chart
-
[touch:2488]{t:30}fixed some bugs with checkins and outs
-
[touch:2488]{t:15}implemented specific requests for attendees and registrations (just required removing some overriding functions)
-
[touch:2488]{t:45}regional admins can only see registrations and attendees for events they manage
-
[touch:2488]{t:60}refactored current_user_has_specific_permission_for to use the resource array (i.e., the array which will be turned into json and returned to the user) instead of the wpdb result because it's what's actually available when we want to filter out resource instances the current user can't access
-
[touch:2488]{t:60}added a parameter editable_only which can be used on the querystring to only GET items that the current user has access to edit. In order to implement this, added the httpmethod as a parameter onto each resource's current_user_has_specific_permission_for method.
-
[touch:2488]{t:180}implemented permissions for regional managers (who can access SOME events, but not all) in terms of events. Still needs to be done for attendees etc. Also fixed a bug where adding query parameters was bad when fetching a specific item (e.g. getting an event you know was deleted.)
-
[touch:2488]{t:90}refactored code to perform permissions check in the controller instead of the resourceFacades. This is preferred so that if a user sends a request to espresso-api/v1/events/1/registrations, and they're not permitted to edit that event or its registrations, then we can tell them they are unauthorized... otherwise we would have just filtered all the registrations out and told them none existed. also it's better to restrict access asap. also if users are a subscriber etc we reject them right in the router instead of waiting to do it in the controller or resources
-
[touch:3281]{t:30}merged master into dev and updated version number
-
[touch:3262]{t:20}found that event managers couldn't authenticate because they're not considered ee admins. So renamed some functions and allow event managers to authenticate and use the api too
-
[touch:3262]{t:20}some unintended code was committed which broke accessing endpoints like registrations and attendees
-
[touch:2488]{t:60}fine-tuned permissions some more. public-access queries can VIEW events, prices, datetimes, and venues. All EE users (never subscribers, they can't do anything) can view promocodes too. Only those with R&P permission to View Event/Attendee List can VIEW attendees, registrations, transactions and payments. To edit/update/delete events, prices, datetimes, attendees, registrations, transactions or payments, users need the R&P permission to View Event/Attendee List. To edit/update/delete promocodes they need the R&P permission to view Discount codes. Ditto for Questions, Question Groups, and Venues
-
[touch:2898]{t:5}removed the Bs from the version because this will be a hotfix
-
[touch:2898]{t:15}reverted PUE code so that it's compatible with pre-core-3.1.34 so that this can be released as a hotfix
-
[touch:3262]{t:120}simply doesn't allow users to authenticate unless they are an admin, or some sort of event manager
-
[touch:2488]{t:30}resolved some permissions issues
-
[touch:2488]{t:60}utilizes permissions from the permissions addon
-
[touch:3262]{t:120}simply doesn't allow users to authenticate unless they are an admin, or some sort of event manager