Added team_id to project delete and update queries to reduce risk of misuse.

[timetracker.git] / WEB-INF / lib / ttClientHelper.class.php

diff --git a/WEB-INF/lib/ttClientHelper.class.php b/WEB-INF/lib/ttClientHelper.class.php
index 3b7a9cd..288cd45 100644 (file)
--- a/WEB-INF/lib/ttClientHelper.class.php
+++ b/WEB-INF/lib/ttClientHelper.class.php
@@ -60,7 +60,7 @@ class ttClientHelper {
     $mdb2 = getConnection();
 
     $sql = "select id, name from tt_clients
-      where team_id = $user->team_id and (status = 0 or status = 1) order by name";
+      where team_id = $user->team_id and (status = 0 or status = 1) order by upper(name)";
     $res = $mdb2->query($sql);
     if (!is_a($res, 'PEAR_Error')) {
       while ($val = $res->fetchRow()) {
@@ -120,8 +120,9 @@ class ttClientHelper {
     }
 
     // Handle time records.
+    $modified_part = ', modified = now(), modified_ip = '.$mdb2->quote($_SERVER['REMOTE_ADDR']).', modified_by = '.$mdb2->quote($user->id);
     if ($delete_client_entries) {
-      $sql = "update tt_log set status = NULL where client_id = $id";
+      $sql = 'update tt_log set status = NULL'.$modified_part." where client_id = $id";
       $affected = $mdb2->exec($sql);
       if (is_a($affected, 'PEAR_Error'))
         return false;
@@ -129,7 +130,7 @@ class ttClientHelper {
 
     // Handle expense items.
     if ($delete_client_entries) {
-      $sql = "update tt_expense_items set status = NULL where client_id = $id";
+      $sql = 'update tt_expense_items set status = NULL'.$modified_part." where client_id = $id";
       $affected = $mdb2->exec($sql);
       if (is_a($affected, 'PEAR_Error'))
         return false;
@@ -137,7 +138,7 @@ class ttClientHelper {
 
     // Handle invoices.
     if ($delete_client_entries) {
-      $sql = "update tt_invoices set status = NULL where client_id = $id";
+      $sql = "update tt_invoices set status = NULL where client_id = $id and team_id = $user->team_id";
       $affected = $mdb2->exec($sql);
       if (is_a($affected, 'PEAR_Error'))
         return false;
@@ -149,7 +150,14 @@ class ttClientHelper {
     if (is_a($affected, 'PEAR_Error'))
       return false;
 
-    $sql = "update tt_clients set status = NULL where id = $id and team_id = ".$user->team_id;
+    // Handle users for client.
+    $sql = 'update tt_users set status = NULL'.$modified_part." where client_id = $id and team_id = $user->team_id";
+    $affected = $mdb2->exec($sql);
+    if (is_a($affected, 'PEAR_Error'))
+      return false;
+
+    // Mark client deleted.
+    $sql = "update tt_clients set status = NULL where id = $id and team_id = $user->team_id";
     $affected = $mdb2->exec($sql);
     return (!is_a($affected, 'PEAR_Error'));
   }
@@ -286,7 +294,7 @@ class ttClientHelper {
     $sql = "select distinct c.id, c.name, c.projects from tt_user_project_binds upb
       inner join tt_client_project_binds cpb on (cpb.project_id = upb.project_id)
       inner join tt_clients c on (c.id = cpb.client_id and c.status = 1)
-      where upb.user_id = $user_id and upb.status = 1 order by c.name";
+      where upb.user_id = $user_id and upb.status = 1 order by upper(c.name)";
 
     $res = $mdb2->query($sql);
     if (!is_a($res, 'PEAR_Error')) {