Implemented very crude attempt at security privleges. This is not really intended to be security, just a quick and dirty mechanism to avoid prying eyes. More robust security is left to future implementation.

git-svn-id: file:///svn-source/pmgr/branches/yafr_20090716/site@538 97e9348a-65ac-dc4b-aefc-98561f571b83

controllers/statement_entries_controller.php

@@ -209,12 +209,6 @@ class StatementEntriesController extends AppController {
    */
 
   function view($id = null) {
-    if (!$id) {
-      $this->Session->setFlash(__('Invalid Item.', true));
-      $this->redirect(array('controller' => 'accounts', 'action'=>'index'));
-    }
-
-    // Get the StatementEntry and related fields
     $entry = $this->StatementEntry->find
       ('first',
        array('contain' => array
@@ -224,10 +218,17 @@ class StatementEntriesController extends AppController {
 	      'Lease' => array('fields' => array('id')),
 	      ),
 
-	     'conditions' => array('StatementEntry.id' => $id),
+	     'conditions' => array(array('StatementEntry.id' => $id),
+				   // REVISIT <AP>: 20090811
+				   //  No security issues have been worked out yet
+				   array('Account.level >=' => 10)
+				   ),
 	     ));
-    
-    $reconciled = $this->StatementEntry->reconciledEntries($id);
+
+    if (empty($entry)) {
+      $this->Session->setFlash(__('Invalid Item.', true));
+      $this->redirect(array('controller' => 'accounts', 'action'=>'index'));
+    }
 
     $stats = $this->StatementEntry->stats($id);
 
@@ -266,7 +267,7 @@ class StatementEntriesController extends AppController {
 
     // Prepare to render.
     $title = "Statement Entry #{$entry['StatementEntry']['id']}";
-    $this->set(compact('entry', 'title', 'reconciled', 'stats'));
+    $this->set(compact('entry', 'title', 'stats'));
   }
 
 }