Added group_id to getWhere parts as additional protection.
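--- a/WEB-INF/lib/ttReportHelper.class.php
+++ b/WEB-INF/lib/ttReportHelper.class.php
@@ -64,11 +64,11 @@ class ttReportHelper {
 // Prepare sql query part for user list.
 $userlist = $options['users'] ? $options['users'] : '-1';
-$user_list_part = null;
 if ($user->can('view_reports') || $user->can('view_all_reports') || $user->isClient())
 $user_list_part = " and l.user_id in ($userlist)";
 else
 $user_list_part = " and l.user_id = ".$user->id;
+$user_list_part .= " and l.group_id = ".$user->getActiveGroup();
 // Prepare sql query part for where.
 if ($options['period'])
@@ -106,22 +106,22 @@ class ttReportHelper {
 // Prepare user list part.
 $userlist = -1;
-if (($user->can('view_reports') || $user->isClient())) {
+if ($user->can('view_reports') || $user->can('view_all_reports') || $user->isClient()) {
 if ($options['users'])
 $userlist = $options['users'];
 else {
-$active_users = ttTeamHelper::getActiveUsers();
-foreach ($active_users as $single_user)
+$group_users = ttTeamHelper::getUsers(); // active and inactive users
+foreach ($group_users as $single_user)
 $users[] = $single_user['id'];
 $userlist = join(',', $users);
 }
 }
 // Prepare sql query part for user list.
-$user_list_part = null;
-if ($user->can('view_reports') || $user->isClient())
+if ($user->can('view_reports') || $user->can('view_all_reports') || $user->isClient())
 $user_list_part = " and l.user_id in ($userlist)";
 else
 $user_list_part = " and l.user_id = ".$user->id;
+$user_list_part .= " and l.group_id = ".$user->getActiveGroup();
 // Prepare sql query part for where.
 if ($options['period'])
@@ -155,11 +155,11 @@ class ttReportHelper {
 // Prepare sql query part for user list.
 $userlist = $options['users'] ? $options['users'] : '-1';
-$user_list_part = null;
 if ($user->can('view_reports') || $user->can('view_all_reports') || $user->isClient())
 $user_list_part = " and ei.user_id in ($userlist)";
 else
 $user_list_part = " and ei.user_id = ".$user->id;
+$user_list_part .= " and ei.group_id = ".$user->getActiveGroup();
 // Prepare sql query part for where.
 if ($options['period'])
@@ -204,11 +204,11 @@ class ttReportHelper {
 }
 }
 // Prepare sql query part for user list.
-$user_list_part = null;
-if ($user->can('view_reports') || $user->isClient())
+if ($user->can('view_reports') || $user->can('view_all_reports') || $user->isClient())
 $user_list_part = " and ei.user_id in ($userlist)";
 else
 $user_list_part = " and ei.user_id = ".$user->id;
+$user_list_part .= " and ei.group_id = ".$user->getActiveGroup();
 // Prepare sql query part for where.
 if ($options['period'])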
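Review bot: The added line `$user_list_part .= " and l.group_id = ".$user->getActiveGroup();` concatenates the group id straight into the SQL fragment, and the neighbouring `in ($userlist)` clause does the same with `$options['users']`, so the new group restriction only hardens the query if both values are guaranteed to be numeric before they reach this code, which nothing in these hunks shows. Casting at the point of use, `" and l.group_id = ".(int)$user->getActiveGroup()`, makes that guarantee local and costs nothing; the same appended line appears in the other three hunks (the -64, -155 and -204 regions) and should be treated the same way. The `$userlist` string, where it comes from `$options['users']`, would likewise be safer as a list of ids each cast to int before the `join`, or better as a parameterized query. Each hunk's enclosing method starts and ends outside the hunk, so whether `getActiveGroup()` and `$options['users']` are validated upstream cannot be confirmed from this page.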