X-Git-Url: http://wagnertech.de/git?a=blobdiff_plain;f=charts.php;h=d6707038f93f8762550e37b0e9388b34ed85d09f;hb=45c855269d952873285f7a835e82fc2b3eff3971;hp=f2b01f16f33c321e7065339ba907d524578889af;hpb=b9fc6bb058ab933c980b72c54eea0b5afcab03e7;p=timetracker.git

diff --git a/charts.php b/charts.php
index f2b01f16..d6707038 100644
--- a/charts.php
+++ b/charts.php
@@ -38,7 +38,7 @@ import('ttUserHelper');
 import('ttTeamHelper');
 
 // Access checks.
-if (!ttAccessAllowed('view_own_charts')) {
+if (!(ttAccessAllowed('view_own_charts') || ttAccessAllowed('view_charts'))) {
   header('Location: access_denied.php');
   exit();
 }
@@ -46,6 +46,14 @@ if (!$user->isPluginEnabled('ch')) {
   header('Location: feature_disabled.php');
   exit();
 }
+if ($user->behalf_id && (!$user->can('view_charts') || !$user->checkBehalfId())) {
+  header('Location: access_denied.php'); // Trying on behalf, but no right or wrong user.
+  exit();
+}
+if (!$user->behalf_id && !$user->can('view_own_charts') && !$user->adjustBehalfId()) {
+  header('Location: access_denied.php'); // Trying as self, but no right for self, and noone to view on behalf.
+  exit();
+}
 
 // Initialize and store date in session.
 $cl_date = $request->getParameter('date', @$_SESSION['date']);
@@ -128,8 +136,12 @@ $chart_form = new Form('chartForm');
 
 // User dropdown. Changes the user "on behalf" of whom we are working. 
 if ($user->can('view_charts')) {
-  $user_list = ttTeamHelper::getActiveUsers(array('putSelfFirst'=>true));
-  if (count($user_list) > 1) {
+  if ($user->can('view_own_charts'))
+    $options = array('status'=>ACTIVE,'max_rank'=>$user->rank-1,'include_self'=>true,'self_first'=>true);
+  else
+    $options = array('status'=>ACTIVE,'max_rank'=>$user->rank-1);
+  $user_list = $user->getUsers($options);
+  if (count($user_list) >= 1) {
     $chart_form->addInput(array('type'=>'combobox',
       'onchange'=>'this.form.submit();',
       'name'=>'onBehalfUser',