X-Git-Url: http://wagnertech.de/git?a=blobdiff_plain;f=week.php;h=1d72ce400a14426bb0c3be7a31621c12d41b8cc9;hb=f39d6bdcde7c4de3f38dc63e500824d28aa1939c;hp=e26aa1192c44c6f9a74147e66a94a2d1f1fd5572;hpb=fd0872d9e582113346fa1e93557f370286c5c9f2;p=timetracker.git

diff --git a/week.php b/week.php
index e26aa119..1d72ce40 100644
--- a/week.php
+++ b/week.php
@@ -38,11 +38,24 @@ import('ttClientHelper');
 import('ttTimeHelper');
 import('DateAndTime');
 
-// Access check.
-if (!ttAccessAllowed('track_own_time') || !$user->isPluginEnabled('wv')) {
+// Access checks.
+if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) {
   header('Location: access_denied.php');
   exit();
 }
+if (!$user->isPluginEnabled('wv')) {
+  header('Location: feature_disabled.php');
+  exit();
+}
+if ($user->behalf_id && (!$user->can('track_time') || !$user->checkBehalfId())) {
+  header('Location: access_denied.php'); // Trying on behalf, but no right or wrong user.
+  exit();
+}
+if (!$user->behalf_id && !$user->can('track_own_time') && !$user->adjustBehalfId()) {
+  header('Location: access_denied.php'); // Trying as self, but no right for self, and noone to work on behalf.
+  exit();
+}
+// End of access checks.
 
 // Initialize and store date in session.
 $cl_date = $request->getParameter('date', @$_SESSION['date']);
@@ -199,8 +212,12 @@ class WeekViewCellRenderer extends DefaultCellRenderer {
 $form = new Form('weekTimeForm');
 
 if ($user->can('track_time')) {
-  $user_list = ttTeamHelper::getActiveUsers(array('putSelfFirst'=>true));
-  if (count($user_list) > 1) {
+  if ($user->can('track_own_time'))
+    $options = array('status'=>ACTIVE,'max_rank'=>$user->rank-1,'include_self'=>true,'self_first'=>true);
+  else
+    $options = array('status'=>ACTIVE,'max_rank'=>$user->rank-1);
+  $user_list = $user->getUsers($options);
+  if (count($user_list) >= 1) {
     $form->addInput(array('type'=>'combobox',
       'onchange'=>'this.form.submit();',
       'name'=>'onBehalfUser',