X-Git-Url: http://wagnertech.de/git?a=blobdiff_plain;f=file_download.php;h=8a17b4d7b033e8052b4f86f894a9764405e42253;hb=0cb4a15ec1079fc325845640357dfc75aba0ae23;hp=049003bac6d5d6b0ca68d1dcf7ef1db70067850e;hpb=0b4060bf33c9316f79a07f870c5b1584b785e6dd;p=timetracker.git
diff --git a/file_download.php b/file_download.php
index 049003ba..8a17b4d7 100644
--- a/file_download.php
+++ b/file_download.php
@@ -39,14 +39,21 @@ if (!$file) {
 exit();
 }
 // Entity-specific checks.
-if ($file['entity_type'] == 'project') {
- if (!ttAccessAllowed('manage_projects') || !ttProjectHelper::get($file['entity_id'])) {
+$entity_type = $file['entity_type'];
+if ($entity_type == 'time') {
+ if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time')) || !ttTimeHelper::getRecord($file['entity_id'])) {
 header('Location: access_denied.php');
 exit();
 }
 }
-if ($file['entity_type'] != 'project') {
- // Currently, files are only associated with projects.
+if ($entity_type == 'project') {
+ if (!(ttAccessAllowed('view_own_projects') || ttAccessAllowed('manage_projects')) || !ttProjectHelper::get($file['entity_id'])) {
+ header('Location: access_denied.php');
+ exit();
+ }
+}
+if ($entity_type != 'project' && $entity_type != 'time') {
+ // Currently, files are only associated with time records and projects.
 // Improve access checks when the feature evolves.
 header('Location: access_denied.php');
 exit();
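Review bot: The new `time` and `project` branches accept the "own" rights (`track_own_time`, `view_own_projects`) but then only confirm that the record exists via `ttTimeHelper::getRecord` / `ttProjectHelper::get`; unless those helpers are scoped to the current user (not visible in this hunk), a user holding only an "own" right could download an attachment belonging to another user's time record or project, so either confirm that scoping or add an explicit owner comparison before the file is served. The `$entity_type` comparisons use loose `==` / `!=`; for a string discriminator `===` / `!==` avoid type-juggling surprises, e.g. `if ($entity_type === 'time') {` and `if ($entity_type !== 'project' && $entity_type !== 'time') {`. The three branches repeat the same redirect-and-exit; computing a single `$allowed` boolean per entity type and then performing one `header('Location: access_denied.php'); exit();` would keep the deny path in one place and make a missed branch fall to deny by default. The enclosing script continues outside the hunk.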