Security fix - improved access checks for task edit and deletes.
[timetracker.git] / mobile / time_edit.php
index eff9b33..a1a56e3 100644 (file)
@@ -34,19 +34,19 @@ import('ttClientHelper');
 import('ttTimeHelper');
 import('DateAndTime');
 
-// Access check.
+// Access checks.
 if (!ttAccessAllowed('track_own_time')) {
   header('Location: access_denied.php');
   exit();
 }
 $cl_id = (int)$request->getParameter('id');
-// Get the time record we are editing.
 $time_rec = ttTimeHelper::getRecord($cl_id, $user->getActiveUser());
 if (!$time_rec || $time_rec['invoice_id']) {
   // Prohibit editing not ours or invoiced records.
   header('Location: access_denied.php');
   exit();
 }
+// End of access checks.
 
 // Use custom fields plugin if it is enabled.
 if ($user->isPluginEnabled('cf')) {
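Review bot: The new `// End of access checks.` marker presents the block above as a complete guard, but the only ownership check in it is implicit: the `if (!$time_rec || $time_rec['invoice_id'])` test on line 17 relies on `ttTimeHelper::getRecord($cl_id, $user->getActiveUser())` returning a falsy value for records that belong to another user, and nothing in this hunk documents that contract. The comment on line 18 should say so explicitly, e.g. `// Prohibit editing records that are not ours (getRecord() must return nothing for other users' records) or already invoiced.`, so a later change to getRecord() cannot silently widen what this page lets a user edit. The rest of this hunk only reworded comments, so the access-check improvement named in the commit title is presumably in another file or hunk not shown here.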