X-Git-Url: http://wagnertech.de/git?a=blobdiff_plain;f=user_delete.php;h=a88454bf98425418fa0d2e7d0bc02867a29caeba;hb=e59d57b1fcf105382028dcfc0157a6ca84b0dc46;hp=aed2746adf0d434718c524370f8900fc4c3498a4;hpb=098a79f0819ebb89b7d48df4a6b154af4560f68e;p=timetracker.git diff --git a/user_delete.php b/user_delete.php index aed2746a..a88454bf 100644 --- a/user_delete.php +++ b/user_delete.php @@ -31,7 +31,7 @@ import('form.Form'); import('ttUserHelper'); // Access check. -if (!ttAccessCheck(right_manage_team)) { +if (!ttAccessAllowed('manage_users')) { header('Location: access_denied.php'); exit(); } @@ -39,31 +39,28 @@ if (!ttAccessCheck(right_manage_team)) { // Get user id we are deleting from the request. // A cast to int is for safety against manipulation of request parameter (sql injection). $user_id = (int) $request->getParameter('id'); - // We need user name and login to display. $user_details = ttUserHelper::getUserDetails($user_id); // Security checks. -$ok_to_go = $user->canManageTeam(); // Are we authorized for user deletes? -if ($ok_to_go) $ok_to_go = $ok_to_go && $user_details; // Are we deleting a real user? -if ($ok_to_go) $ok_to_go = $ok_to_go && ($user->team_id == $user_details['team_id']); // User belongs to our team? -if ($ok_to_go && $user->isCoManager() && (ROLE_COMANAGER == $user_details['role'])) - $ok_to_go = ($user->id == $user_details['id']); // Comanager is not allowed to delete other comanagers. -if ($ok_to_go && $user->isCoManager() && (ROLE_MANAGER == $user_details['role'])) - $ok_to_go = false; // Comanager is not allowed to delete a manager. +if (!$user_details || // No details. + $user_details['team_id'] <> $user->team_id || // User not in team. + $user_details['rank'] > $user->rank || // User has a bigger rank. + ($user_details['rank'] == $user->rank && $user_details['id'] <> $user->id) // Same rank but not us. + ) { + header('Location: access_denied.php'); + exit(); +} -if (!$ok_to_go) - die ($i18n->getKey('error.sys')); -else - $smarty->assign('user_to_delete', $user_details['name']." (".$user_details['login'].")"); +$smarty->assign('user_to_delete', $user_details['name']." (".$user_details['login'].")"); // Create confirmation form. $form = new Form('userDeleteForm'); $form->addInput(array('type'=>'hidden','name'=>'id','value'=>$user_id)); -$form->addInput(array('type'=>'submit','name'=>'btn_delete','value'=>$i18n->getKey('label.delete'))); -$form->addInput(array('type'=>'submit','name'=>'btn_cancel','value'=>$i18n->getKey('button.cancel'))); - -if ($request->getMethod() == 'POST') { +$form->addInput(array('type'=>'submit','name'=>'btn_delete','value'=>$i18n->get('label.delete'))); +$form->addInput(array('type'=>'submit','name'=>'btn_cancel','value'=>$i18n->get('button.cancel'))); + +if ($request->isPost()) { if ($request->getParameter('btn_delete')) { if (ttUserHelper::markDeleted($user_id)) { // If we deleted the "on behalf" user reset its info in session. @@ -73,28 +70,27 @@ if ($request->getMethod() == 'POST') { } // If we deleted our own account, do housekeeping and logout. if ($user->id == $user_id) { - // Remove tt_login cookie that stores login name. - unset($_COOKIE['tt_login']); - setcookie('tt_login', NULL, -1); - + // Remove tt_login cookie that stores login name. + unset($_COOKIE['tt_login']); + setcookie('tt_login', NULL, -1); + $auth->doLogout(); header('Location: login.php'); } else { - header('Location: users.php'); + header('Location: users.php'); } exit(); } else { - $errors->add($i18n->getKey('error.db')); + $err->add($i18n->get('error.db')); } } if ($request->getParameter('btn_cancel')) { header('Location: users.php'); exit(); } -} +} // isPost $smarty->assign('forms', array($form->getName()=>$form->toArray())); -$smarty->assign('title', $i18n->getKey('title.delete_user')); +$smarty->assign('title', $i18n->get('title.delete_user')); $smarty->assign('content_page_name', 'user_delete.tpl'); $smarty->display('index.tpl'); -?> \ No newline at end of file