-if ($file['entity_type'] != 'project') {
- // Currently, files are only associated with projects.
+if ($entity_type == 'project') {
+ if (!(ttAccessAllowed('view_own_projects') || ttAccessAllowed('manage_projects')) || !ttProjectHelper::get($file['entity_id'])) {
+ header('Location: access_denied.php');
+ exit();
+ }
+}
+if ($entity_type != 'project' && $entity_type != 'time') {
+ // Currently, files are only associated with time records and projects.
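Review bot: The allow-list on the last `if` now accepts `time`, but the only authorization block visible in these lines is the one for `project`, so a file attached to a time record appears to pass the type gate without any check that the caller may see that record. If no such check sits outside this excerpt, add a parallel branch before the gate, e.g. `if ($entity_type == 'time') { /* verify rights and record ownership, else redirect to access_denied.php and exit */ }`, or restructure so each type is denied unless its own check has passed. The comparisons could also use `===`/`!==` so the type test does not depend on loose string comparison. `$entity_type` is assigned above the visible lines and the body of the final `if` continues past them, so this is inferred only from the new-side lines shown.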