X-Git-Url: http://wagnertech.de/git?a=blobdiff_plain;f=charts.php;h=d6707038f93f8762550e37b0e9388b34ed85d09f;hb=556948c09b8116728275f9933716a153216abe31;hp=a44c9926d699fbfb4787ac10d41ccc1a3e4ae38c;hpb=68a5cc5aff88d6144b6db95f7d01315c15e2ebda;p=timetracker.git
diff --git a/charts.php b/charts.php
index a44c9926..d6707038 100644
--- a/charts.php
+++ b/charts.php
@@ -46,6 +46,14 @@ if (!$user->isPluginEnabled('ch')) {
 header('Location: feature_disabled.php');
 exit();
 }
+if ($user->behalf_id && (!$user->can('view_charts') || !$user->checkBehalfId())) {
+ header('Location: access_denied.php'); // Trying on behalf, but no right or wrong user.
+ exit();
+}
+if (!$user->behalf_id && !$user->can('view_own_charts') && !$user->adjustBehalfId()) {
+ header('Location: access_denied.php'); // Trying as self, but no right for self, and noone to view on behalf.
+ exit();
+}
 // Initialize and store date in session.
 $cl_date = $request->getParameter('date', @$_SESSION['date']);
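Review bot: In the second added guard, the branch where `adjustBehalfId()` succeeds lets the request continue without `can('view_charts')` being tested in this hunk, because the first guard has already run while `behalf_id` was still unset. `adjustBehalfId()` is defined outside the hunk, so it or an earlier check may already enforce that right. If not, a user holding neither chart right could presumably be switched onto another user's charts, and the condition should carry the right itself: `if (!$user->behalf_id && !$user->can('view_own_charts') && !($user->can('view_charts') && $user->adjustBehalfId())) {`. The call also appears to change state from inside a condition, so I would add a comment such as `// adjustBehalfId() selects a behalf user as a side effect; it must stay the last operand.` The rest of the page's access checks lie outside the hunk.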