X-Git-Url: http://wagnertech.de/git?a=blobdiff_plain;f=file_download.php;h=e4d35c705035a7632bc0be38e4fdedebc97a2aad;hb=HEAD;hp=fb9239ab8fb2d82fc98b5c1677cdd2ee9fddca77;hpb=b3c9cd1820158293d52c6cc1bb7244fee06104ed;p=timetracker.git
diff --git a/file_download.php b/file_download.php
index fb9239ab..e4d35c70 100644
--- a/file_download.php
+++ b/file_download.php
@@ -29,6 +29,7 @@ require_once('initialize.php');
 import('form.Form');
 import('ttFileHelper');
+import('ttTimeHelper');
 import('ttProjectHelper');
 // Access checks.
@@ -39,14 +40,21 @@ if (!$file) {
 exit();
 }
 // Entity-specific checks.
-if ($file['entity_type'] == 'project') {
- if (!ttAccessAllowed('manage_projects') || !ttProjectHelper::get($file['entity_id'])) {
+$entity_type = $file['entity_type'];
+if ($entity_type == 'time') {
+ if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time')) || !ttTimeHelper::getRecordForFileView($file['entity_id'])) {
 header('Location: access_denied.php');
 exit();
 }
 }
-if ($file['entity_type'] != 'project') {
- // Currently, files are only associated with projects.
+if ($entity_type == 'project') {
+ if (!(ttAccessAllowed('view_own_projects') || ttAccessAllowed('manage_projects')) || !ttProjectHelper::get($file['entity_id'])) {
+ header('Location: access_denied.php');
+ exit();
+ }
+}
+if ($entity_type != 'project' && $entity_type != 'time') {
+ // Currently, files are only associated with time records and projects.
 // Improve access checks when the feature evolves.
 header('Location: access_denied.php');
 exit();
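Review bot: The project branch now admits users who hold only `view_own_projects`, but the object-level check beside it is still just `ttProjectHelper::get($file['entity_id'])`, which, as far as this hunk shows, confirms that the project can be loaded and not that it is one of the caller's own. If get() is scoped only to the group, such a user could be served attachments of projects they are not assigned to. I would split the condition so that only `manage_projects` relies on get() alone, while the `view_own_projects` path additionally requires the project to be assigned to the current user. The time branch raises the same question: `getRecordForFileView()` is not visible here, and with `track_own_time` it has to reject records the caller may not view, so a comment such as `// getRecordForFileView() must return false for records the current user may not view.` above that check would pin the contract down. The last `if` block closes outside the hunk.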
@@ -55,14 +63,11 @@ if ($file['entity_type'] != 'project') {
 $fileHelper = new ttFileHelper($err);
-$filename = $file['file_name'];
-$mime_type = 'image/jpeg'; // Hardcoded type for now. TODO: fix this.
- if ($fileHelper->getFile($file)) {
 header('Pragma: public'); // This is needed for IE8 to download files over https.
- header('Content-Type: '.$mime_type);
+ header('Content-Type: application/octet-stream');
 header('Expires: '.gmdate('D, d M Y H:i:s').' GMT');
- header('Content-Disposition: attachment; filename="'.$filename.'"');
+ header('Content-Disposition: attachment; filename="'.$file['file_name'].'"');
 header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
 header('Cache-Control: private', false);
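Review bot: `$file['file_name']` is concatenated into the quoted `filename` parameter of the Content-Disposition header without escaping, so a stored name containing `"`, `\` or control characters yields a malformed or misleading header. The hunk does not show where the name originates, but attachment names are normally user supplied and should be treated as untrusted. Neutralise the value first, e.g. `$safe_name = str_replace(['"', '\\', "\r", "\n"], '_', basename($file['file_name']));`, and emit `filename="'.$safe_name.'"` instead. Since the type is now the generic `application/octet-stream`, also sending `header('X-Content-Type-Options: nosniff');` keeps browsers from sniffing the body into something renderable. The block these header() calls sit in continues past the end of the hunk.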