X-Git-Url: http://wagnertech.de/git?a=blobdiff_plain;f=expenses.php;h=7291414aac7a0af629a5f8085ef2a38897a0e96e;hb=926b8d63a0be596b0c95cb55f01addae410af50c;hp=bb7694816701355d43dcc822f5424aaa5ad98ec8;hpb=a62e4bdd1bc89ea4f3cf29507399b5b8f229597a;p=timetracker.git diff --git a/expenses.php b/expenses.php index bb769481..7291414a 100644 --- a/expenses.php +++ b/expenses.php @@ -33,11 +33,23 @@ import('ttTeamHelper'); import('DateAndTime'); import('ttExpenseHelper'); -// Access check. -if (!ttAccessAllowed('track_own_expenses') || !$user->isPluginEnabled('ex')) { +// Access checks. +if (!(ttAccessAllowed('track_own_expenses') || ttAccessAllowed('track_expenses'))) { header('Location: access_denied.php'); exit(); } +if (!$user->isPluginEnabled('ex')) { + header('Location: feature_disabled.php'); + exit(); +} +if ($user->behalf_id && (!$user->can('track_expenses') || !$user->checkBehalfId())) { + header('Location: access_denied.php'); // Trying on behalf, but no right or wrong user. + exit(); +} +if (!$user->behalf_id && !$user->can('track_own_expenses') && !$user->adjustBehalfId()) { + header('Location: access_denied.php'); // Trying as self, but no right for self, and noone to work on behalf. + exit(); +} // Initialize and store date in session. $cl_date = $request->getParameter('date', @$_SESSION['date']); @@ -60,9 +72,13 @@ $cl_cost = $request->getParameter('cost'); // Elements of expensesForm. $form = new Form('expensesForm'); -if ($user->canManageTeam()) { - $user_list = ttTeamHelper::getActiveUsers(array('putSelfFirst'=>true)); - if (count($user_list) > 1) { +if ($user->can('track_expenses')) { + if ($user->can('track_own_expenses')) + $options = array('status'=>ACTIVE,'max_rank'=>$user->rank-1,'include_self'=>true,'self_first'=>true); + else + $options = array('status'=>ACTIVE,'max_rank'=>$user->rank-1); + $user_list = $user->getUsers($options); + if (count($user_list) >= 1) { $form->addInput(array('type'=>'combobox', 'onchange'=>'this.form.submit();', 'name'=>'onBehalfUser',