Improved access checks for swap_roles.php.

[timetracker.git] / WEB-INF / lib / ttTeamHelper.class.php

diff --git a/WEB-INF/lib/ttTeamHelper.class.php b/WEB-INF/lib/ttTeamHelper.class.php
index de03479..fb74d8e 100644 (file)
--- a/WEB-INF/lib/ttTeamHelper.class.php
+++ b/WEB-INF/lib/ttTeamHelper.class.php
@@ -108,6 +108,7 @@ class ttTeamHelper {
     global $user;
     $mdb2 = getConnection();
 
+    // Obtain role id for the user we are swapping ourselves with.
     $sql = "select u.id, u.role_id from tt_users u left join tt_roles r on (u.role_id = r.id) where u.id = $user_id and u.team_id = $user->team_id and u.status = 1 and r.rank < $user->rank";
     $res = $mdb2->query($sql);
     if (is_a($res, 'PEAR_Error'))
@@ -143,7 +144,7 @@ class ttTeamHelper {
     if (is_a($res, 'PEAR_Error'))
       return false;
     while ($val = $res->fetchRow()) {
-      $isClient = in_array('track_own_time', explode(',', $val['rights'])) ? 0 : 1; // Clients do not have data entry right.
+      $isClient = in_array('track_own_time', explode(',', $val['rights'])) ? 0 : 1; // Clients do not have track_own_time right.
       if ($isClient)
         continue; // Skip adding clients.
       $user_list[] = $val;