X-Git-Url: http://wagnertech.de/git?a=blobdiff_plain;f=notification_add.php;h=05a0954684282abb7068da1a3c55d5b9eb062a8a;hb=67e827dacf08d8a55dff9118c82dd964f5da12c1;hp=7dd680ff3289cdf9c9850e9e516953afefba8248;hpb=4dcb88a76a3de466ee6116ae0852f53ba2b259a5;p=timetracker.git
diff --git a/notification_add.php b/notification_add.php
index 7dd680ff..05a09546 100644
--- a/notification_add.php
+++ b/notification_add.php
@@ -42,11 +42,22 @@ if (!$user->isPluginEnabled('no')) {
 header('Location: feature_disabled.php');
 exit();
 }
+if (!$user->exists()) {
+ header('Location: access_denied.php'); // No users in subgroup.
+ exit();
+}
+if ($request->isPost()) {
+ $cl_fav_report_id = (int) $request->getParameter('fav_report');
+ if (!ttFavReportHelper::get($cl_fav_report_id)) {
+ header('Location: access_denied.php'); // Invalid fav report id in post.
+ exit();
+ }
+}
+// End of access checks.
-$fav_reports = ttFavReportHelper::getReports($user->id);
+$fav_reports = ttFavReportHelper::getReports();
 if ($request->isPost()) {
- $cl_fav_report = trim($request->getParameter('fav_report'));
 $cl_cron_spec = trim($request->getParameter('cron_spec'));
 $cl_email = trim($request->getParameter('email'));
 $cl_cc = trim($request->getParameter('cc'));
@@ -60,7 +71,7 @@ $form = new Form('notificationForm');
 $form->addInput(array('type'=>'combobox',
 'name'=>'fav_report',
 'style'=>'width: 250px;',
- 'value'=>$cl_fav_report,
+ 'value'=>$cl_fav_report_id,
 'data'=>$fav_reports,
 'datakeys'=>array('id','name'),
 'empty'=>array(''=>$i18n->get('dropdown.select'))
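Review bot: In the new POST access check, a form submitted with no report selected yields `$cl_fav_report_id = 0`, and if `ttFavReportHelper::get(0)` returns a falsy value (presumably it does for a non-existent id) the user is sent to access_denied.php instead of getting the `error.report` validation message, which leaves the `if (!$cl_fav_report_id) $err->add(...)` line in the @@ -74,7 +85,7 @@ hunk unreachable. Guarding only a non-empty id keeps the ownership check for any supplied id while letting a missing selection fall through to validation: `if ($cl_fav_report_id && !ttFavReportHelper::get($cl_fav_report_id)) {`. The comment `// Invalid fav report id in post.` does not say why this is an access check; something like `// Reject report ids the current user may not use.` would make the intent clear, though whether get() actually scopes results to the current user or group is not visible in this diff and should be confirmed in the helper.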
@@ -74,7 +85,7 @@ $form->addInput(array('type'=>'submit','name'=>'btn_add','value'=>$i18n->get('bu
 if ($request->isPost()) {
 // Validate user input.
- if (!$cl_fav_report) $err->add($i18n->get('error.report'));
+ if (!$cl_fav_report_id) $err->add($i18n->get('error.report'));
 if (!ttValidCronSpec($cl_cron_spec)) $err->add($i18n->get('error.field'), $i18n->get('label.schedule'));
 if (!ttValidEmail($cl_email)) $err->add($i18n->get('error.field'), $i18n->get('label.email'));
 if (!ttValidEmail($cl_cc, true)) $err->add($i18n->get('error.field'), $i18n->get('label.cc'));
@@ -86,10 +97,9 @@ if ($request->isPost()) {
 $next = tdCron::getNextOccurrence($cl_cron_spec, mktime());
 if (ttNotificationHelper::insert(array(
- 'team_id' => $user->team_id,
 'cron_spec' => $cl_cron_spec,
 'next' => $next,
- 'report_id' => $cl_fav_report,
+ 'report_id' => $cl_fav_report_id,
 'email' => $cl_email,
 'cc' => $cl_cc,
 'subject' => $cl_subject,