X-Git-Url: http://wagnertech.de/git?a=blobdiff_plain;f=invoice_view.php;h=8168c3ad89544d6ed51255cc5e23b5b036b2a06f;hb=7797eda9fb04c217a813db88e00bb9ee541eabbb;hp=62f0cbbff6740dd571a517ddc957c7cd4e9557a6;hpb=4dcb88a76a3de466ee6116ae0852f53ba2b259a5;p=timetracker.git diff --git a/invoice_view.php b/invoice_view.php index 62f0cbbf..8168c3ad 100644 --- a/invoice_view.php +++ b/invoice_view.php @@ -41,29 +41,27 @@ if (!$user->isPluginEnabled('iv')) { header('Location: feature_disabled.php'); exit(); } - -$cl_id = (int)$request->getParameter('id'); -$invoice = ttInvoiceHelper::getInvoice($cl_id); -// Temporary fix for invalid invoice id. TODO: implement properly and review security of other pages, -// where item id is passed (or posted) as parameter. +$cl_invoice_id = (int)$request->getParameter('id'); +$invoice = ttInvoiceHelper::getInvoice($cl_invoice_id); if (!$invoice) { header('Location: access_denied.php'); exit(); } +// End of access checks. $invoice_date = new DateAndTime(DB_DATEFORMAT, $invoice['date']); $client = ttClientHelper::getClient($invoice['client_id'], true); if (!$client) // In case client was deleted. $client = ttClientHelper::getDeletedClient($invoice['client_id']); -$invoice_items = ttInvoiceHelper::getInvoiceItems($cl_id); +$invoice_items = ttInvoiceHelper::getInvoiceItems($cl_invoice_id); $tax_percent = $client['tax']; $subtotal = 0; $tax = 0; foreach($invoice_items as $item) $subtotal += $item['cost']; -if ($tax_percent) { +if ($tax_percent > 0) { $tax_expenses = $user->isPluginEnabled('et'); foreach($invoice_items as $item) { if ($item['type'] == 2 && !$tax_expenses) 
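Review bot: The new `// End of access checks.` comment asserts more than this hunk demonstrates — the only check visible is that `ttInvoiceHelper::getInvoice($cl_invoice_id)` returned a non-empty row, and nothing in the new code ties that invoice to the requesting user's group or team, so whether another authenticated user with the 'iv' plugin can open any invoice by guessing its id depends entirely on how getInvoice scopes its query, which is not shown here. The commit also deletes the earlier TODO that explicitly asked for this security review, so the open question is now undocumented rather than resolved. Either confirm that getInvoice filters by the current user's group, or add an explicit ownership comparison against `$user` before the `access_denied.php` redirect, and word the comment to state the dependency: `// Access check: assumes getInvoice() only returns invoices visible to the current user's group — keep that invariant if the helper changes.` The `$tax_percent > 0` tightening is fine; note this is top-level script code, and `$client['tax']` is still read unguarded after `getDeletedClient()`, which the commit leaves as it was.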
@@ -91,7 +89,7 @@ elseif (MODE_PROJECTS_AND_TASKS == $user->tracking_mode) $form = new Form('invoiceForm'); // Hidden control for invoice id. -$form->addInput(array('type'=>'hidden','name'=>'id','value'=>$cl_id)); +$form->addInput(array('type'=>'hidden','name'=>'id','value'=>$cl_invoice_id)); // invoiceForm only contains controls for "Mark paid" block below invoice table. if ($user->isPluginEnabled('ps')) { $mark_paid_action_options = array('1'=>$i18n->get('dropdown.paid'),'2'=>$i18n->get('dropdown.not_paid')); @@ -108,16 +106,16 @@ if ($request->isPost()) { // Determine user action. $mark_paid = $request->getParameter('mark_paid_action_options') == 1 ? true : false; - ttInvoiceHelper::markPaid($cl_id, $mark_paid); + ttInvoiceHelper::markPaid($cl_invoice_id, $mark_paid); // Re-display this form. - header('Location: invoice_view.php?id='.$cl_id); + header('Location: invoice_view.php?id='.$cl_invoice_id); exit(); } } $smarty->assign('forms', array($form->getName()=>$form->toArray())); -$smarty->assign('invoice_id', $cl_id); +$smarty->assign('invoice_id', $cl_invoice_id); $smarty->assign('invoice_name', $invoice['name']); $smarty->assign('invoice_date', $invoice_date->toString($user->date_format)); $smarty->assign('client_name', $client['name']);