Security fix - improved access checks for task edit and deletes.
[timetracker.git] / tofile.php
index 67c5b31..e7b9ed9 100644 (file)
@@ -31,11 +31,12 @@ import('form.Form');
 import('form.ActionForm');
 import('ttReportHelper');
 
-// Access check.
-if (!ttAccessAllowed('view_own_reports')) {
+// Access checks.
+if (!(ttAccessAllowed('view_own_reports') || ttAccessAllowed('view_reports'))) {
   header('Location: access_denied.php');
   exit();
 }
+// End of access checks.
 
 // Use custom fields plugin if it is enabled.
 if ($user->isPluginEnabled('cf')) {
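Review bot: The widened gate `if (!(ttAccessAllowed('view_own_reports') || ttAccessAllowed('view_reports')))` admits two different privilege levels, but nothing in the hunk shows the export being scoped to the right that was actually granted. If the report options (a user selection, for example) are taken from the request or a stored form bean, a holder of only `view_own_reports` should be limited to their own records further down. That code is outside this hunk, so it needs confirming there. I would at least record the intent next to the check, e.g. `// view_own_reports: own records only; view_reports: other users' records too - enforced where report options are read.` The script body continues past the end of the hunk.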