Access check improvements for time and expense edits and deletes.
author
Nik Okuntseff
<support@anuko.com>
Sun, 25 Mar 2018 22:31:31 +0000
(22:31 +0000)
committer
Nik Okuntseff
<support@anuko.com>
Sun, 25 Mar 2018 22:31:31 +0000
(22:31 +0000)
WEB-INF/templates/footer.tpl
expense_delete.php
expense_edit.php
mobile/expense_delete.php
mobile/expense_edit.php
mobile/time_delete.php
mobile/time_edit.php
time_delete.php
time_edit.php
diff --git
a/WEB-INF/templates/footer.tpl
b/WEB-INF/templates/footer.tpl
index
2be4b93
..
658d120
100644
(file)
--- a/
WEB-INF/templates/footer.tpl
+++ b/
WEB-INF/templates/footer.tpl
@@
-12,7
+12,7
@@
<br>
<table cellspacing="0" cellpadding="4" width="100%" border="0">
<tr>
<br>
<table cellspacing="0" cellpadding="4" width="100%" border="0">
<tr>
- <td align="center"> Anuko Time Tracker 1.17.7
1.4167
| Copyright © <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
+ <td align="center"> Anuko Time Tracker 1.17.7
2.4168
| Copyright © <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
<a href="https://www.anuko.com/lp/tt_4.htm" target="_blank">{$i18n.footer.credits}</a> |
<a href="https://www.anuko.com/lp/tt_5.htm" target="_blank">{$i18n.footer.license}</a> |
<a href="https://www.anuko.com/lp/tt_7.htm" target="_blank">{$i18n.footer.improve}</a>
<a href="https://www.anuko.com/lp/tt_4.htm" target="_blank">{$i18n.footer.credits}</a> |
<a href="https://www.anuko.com/lp/tt_5.htm" target="_blank">{$i18n.footer.license}</a> |
<a href="https://www.anuko.com/lp/tt_7.htm" target="_blank">{$i18n.footer.improve}</a>
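--- a/expense_delete.php
+++ b/expense_delete.php
@@ -40,12 +40,14 @@ if (!$user->isPluginEnabled('ex')) {
 header('Location: feature_disabled.php');
 exit();
 }
-
-$cl_id = $request->getParameter('id');
+$cl_id = (int)$request->getParameter('id');
+// Get the expense item we are deleting.
 $expense_item = ttExpenseHelper::getItem($cl_id, $user->getActiveUser());
-
-// Prohibit deleting invoiced records.
-if ($expense_item['invoice_id']) die($i18n->get('error.sys'));
+if (!$expense_item || $expense_item['invoice_id']) {
+ // Prohibit deleting not ours or invoiced items.
+ header('Location: access_denied.php');
+ exit();
+}
 if ($request->isPost()) {
 if ($request->getParameter('delete_button')) { // Delete button pressed.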
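Review bot: The POST branch that begins at the end of this hunk performs the delete on `delete_button` with no anti-CSRF token check visible, so the ownership check added above does not stop a forged cross-site POST from the victim's own browser deleting the victim's own expense item. If the handler below the hunk does not already verify a per-session token, add one before the delete executes, along the lines of `if (!hash_equals($expected_token, (string)$request->getParameter('token'))) { header('Location: access_denied.php'); exit(); }` using whatever session token mechanism the project has. The `if ($request->isPost())` block continues outside the hunk, so I cannot see the actual delete call; it should act on the validated `$cl_id` only and not re-read `id` from the request.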
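--- a/expense_edit.php
+++ b/expense_edit.php
@@ -41,14 +41,14 @@ if (!$user->isPluginEnabled('ex')) {
 header('Location: feature_disabled.php');
 exit();
 }
-
-$cl_id = $request->getParameter('id');
-
+$cl_id = (int)$request->getParameter('id');
 // Get the expense item we are editing.
 $expense_item = ttExpenseHelper::getItem($cl_id, $user->getActiveUser());
-
-// Prohibit editing invoiced items.
-if ($expense_item['invoice_id']) die($i18n->get('error.sys'));
+if (!$expense_item || $expense_item['invoice_id']) {
+ // Prohibit editing not ours or invoiced items.
+ header('Location: access_denied.php');
+ exit();
+}
 $item_date = new DateAndTime(DB_DATEFORMAT, $expense_item['date']);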
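Review bot: The new guard sends the legitimate owner of an invoiced item to access_denied.php, because `!$expense_item` (nonexistent or not ours) and `$expense_item['invoice_id']` (ours but locked) share one branch. Once `getItem()` has returned a row for `$user->getActiveUser()`, ownership is already established, so splitting the two cases leaks nothing and tells the user the real reason: keep the access_denied redirect for `!$expense_item`, and handle `$expense_item['invoice_id']` with a user-facing "item is invoiced" message instead. I am assuming from the call that `getItem()` filters on the active user's id; if it does not, the `!$expense_item` test is not an ownership check at all and the helper needs fixing first.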
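--- a/mobile/expense_delete.php
+++ b/mobile/expense_delete.php
@@ -40,12 +40,14 @@ if (!$user->isPluginEnabled('ex')) {
 header('Location: feature_disabled.php');
 exit();
 }
-
-$cl_id = $request->getParameter('id');
+$cl_id = (int)$request->getParameter('id');
+// Get the expense item we are deleting.
 $expense_item = ttExpenseHelper::getItem($cl_id, $user->getActiveUser());
-
-// Prohibit deleting invoiced records.
-if ($expense_item['invoice_id']) die($i18n->get('error.sys'));
+if (!$expense_item || $expense_item['invoice_id']) {
+ // Prohibit deleting not ours or invoiced items.
+ header('Location: access_denied.php');
+ exit();
+}
 if ($request->isPost()) {
 if ($request->getParameter('delete_button')) { // Delete button pressed.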
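Review bot: The comment `// Prohibit deleting not ours or invoiced items.` does not say how "not ours" is established, and the new check is only an authorization check if `getItem()` restricts its query to `$user->getActiveUser()`, which this file cannot see. Record that contract so a later change to the helper is recognized as security-relevant: `// getItem() is scoped to the active user, so a false result means the item does not exist or is not ours; either way, deny.` The `(int)` cast also means a missing or non-numeric `id` becomes 0 and lands in the same denied path, which is worth stating rather than leaving implicit. The `if ($request->isPost())` block continues outside the hunk.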
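--- a/mobile/expense_edit.php
+++ b/mobile/expense_edit.php
@@ -41,14 +41,14 @@ if (!$user->isPluginEnabled('ex')) {
 header('Location: feature_disabled.php');
 exit();
 }
-
-$cl_id = $request->getParameter('id');
-
+$cl_id = (int)$request->getParameter('id');
 // Get the expense item we are editing.
 $expense_item = ttExpenseHelper::getItem($cl_id, $user->getActiveUser());
-
-// Prohibit editing invoiced items.
-if ($expense_item['invoice_id']) die($i18n->get('error.sys'));
+if (!$expense_item || $expense_item['invoice_id']) {
+ // Prohibit editing not ours or invoiced items.
+ header('Location: access_denied.php');
+ exit();
+}
 $item_date = new DateAndTime(DB_DATEFORMAT, $expense_item['date']);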
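Review bot: This block is now one of eight verbatim copies of the same load-and-authorize sequence across desktop and mobile, edit and delete, and that duplication is probably why the `!$expense_item` case was missing until now, with `invoice_id` as the only guard. A single helper such as `ttExpenseHelper::getEditableItem($id, $user_id)`, returning the row or false for nonexistent, foreign or invoiced items, would put the authorization decision in one place and reduce each page to the cast, one call and one redirect. The edit POST handler is outside this hunk; make sure the save path updates the row by `$cl_id` only and does not accept a caller-supplied `user_id` or `id` that could reassign the item.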
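--- a/mobile/time_delete.php
+++ b/mobile/time_delete.php
@@ -32,17 +32,19 @@
 import('ttUserHelper');
 import('ttTimeHelper');
 import('DateAndTime');
-// Access check.
+// Access checks.
 if (!ttAccessAllowed('track_own_time')) {
 header('Location: access_denied.php');
 exit();
 }
-
-$cl_id = $request->getParameter('id');
+$cl_id = (int)$request->getParameter('id');
+// Get the time record we are deleting.
 $time_rec = ttTimeHelper::getRecord($cl_id, $user->getActiveUser());
-
-// Prohibit deleting invoiced records.
-if ($time_rec['invoice_id']) die($i18n->get('error.sys'));
+if (!$time_rec || $time_rec['invoice_id']) {
+ // Prohibit deleting not ours or invoiced records.
+ header('Location: access_denied.php');
+ exit();
+}
 // Escape comment for presentation.
 $time_rec['comment'] = htmlspecialchars($time_rec['comment']);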
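Review bot: The ownership check and the actual deletion are two separate operations, `getRecord()` here and a delete call in the POST branch below this hunk that I cannot see, so the delete itself should also be constrained by the user id rather than by `$cl_id` alone. If the helper offers a scoped form, pass `$user->getActiveUser()` alongside `$cl_id` so a future refactor that drops or moves this pre-check does not silently reopen the hole. Note also that this mobile page accepts only `track_own_time`, while the desktop time_delete.php in the same commit also admits `track_time`; that is pre-existing, but the two should be aligned deliberately.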
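--- a/mobile/time_edit.php
+++ b/mobile/time_edit.php
@@ -39,6 +39,14 @@ if (!ttAccessAllowed('track_own_time')) {
 header('Location: access_denied.php');
 exit();
 }
+$cl_id = (int)$request->getParameter('id');
+// Get the time record we are editing.
+$time_rec = ttTimeHelper::getRecord($cl_id, $user->getActiveUser());
+if (!$time_rec || $time_rec['invoice_id']) {
+ // Prohibit editing not ours or invoiced records.
+ header('Location: access_denied.php');
+ exit();
+}
 // Use custom fields plugin if it is enabled.
 if ($user->isPluginEnabled('cf')) {
@@ -47,14 +55,6 @@ if ($user->isPluginEnabled('cf')) {
 $smarty->assign('custom_fields', $custom_fields);
 }
-$cl_id = $request->getParameter('id');
-
-// Get the time record we are editing.
-$time_rec = ttTimeHelper::getRecord($cl_id, $user->getActiveUser());
-
-// Prohibit editing invoiced records.
-if ($time_rec['invoice_id']) die($i18n->get('error.sys'));
-
 $item_date = new DateAndTime(DB_DATEFORMAT, $time_rec['date']);
 // Initialize variables.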
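Review bot: The comment `// Prohibit editing not ours or invoiced records.` in the first hunk is ungrammatical and hides that two unrelated conditions are folded into one redirect. Suggested wording: `// Deny access if the record does not exist or is not ours (getRecord() returned nothing), or if it is already invoiced and therefore locked.` Moving the lookup ahead of the custom-fields block is a good change, since a denied request no longer loads the plugin before being turned away. The POST save path and the rest of the page are outside these hunks.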
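--- a/time_delete.php
+++ b/time_delete.php
@@ -32,17 +32,19 @@
 import('ttUserHelper');
 import('ttTimeHelper');
 import('DateAndTime');
-// Access check.
+// Access checks.
 if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) {
 header('Location: access_denied.php');
 exit();
 }
-
-$cl_id = $request->getParameter('id');
+$cl_id = (int)$request->getParameter('id');
+// Get the time record we are deleting.
 $time_rec = ttTimeHelper::getRecord($cl_id, $user->getActiveUser());
-
-// Prohibit deleting invoiced records.
-if ($time_rec['invoice_id']) die($i18n->get('error.sys'));
+if (!$time_rec || $time_rec['invoice_id']) {
+ // Prohibit deleting not ours or invoiced records.
+ header('Location: access_denied.php');
+ exit();
+}
 // Escape comment for presentation.
 $time_rec['comment'] = htmlspecialchars($time_rec['comment']);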
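Review bot: The access check admits `track_time` (tracking time for others), so the "not ours" decision rests entirely on what `$user->getActiveUser()` returns when a manager works on behalf of another user, presumably the on-behalf user's id, but nothing in this hunk says so. Add a comment making that dependency explicit, e.g. `// getRecord() is scoped to the active (possibly on-behalf) user, so a false result is a foreign or nonexistent record.`, and confirm that for a user holding `track_time` the on-behalf selection is taken from session state and cannot be steered to an arbitrary user id via the request. The delete itself happens in the POST branch outside this hunk and should be scoped the same way.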
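--- a/time_edit.php
+++ b/time_edit.php
@@ -34,11 +34,19 @@
 import('ttClientHelper');
 import('ttTimeHelper');
 import('DateAndTime');
-// Access check.
+// Access checks.
 if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) {
 header('Location: access_denied.php');
 exit();
 }
+$cl_id = (int)$request->getParameter('id');
+// Get the time record we are editing.
+$time_rec = ttTimeHelper::getRecord($cl_id, $user->getActiveUser());
+if (!$time_rec || $time_rec['invoice_id']) {
+ // Prohibit editing not ours or invoiced records.
+ header('Location: access_denied.php');
+ exit();
+}
 // Use custom fields plugin if it is enabled.
 if ($user->isPluginEnabled('cf')) {
@@ -47,14 +55,6 @@ if ($user->isPluginEnabled('cf')) {
 $smarty->assign('custom_fields', $custom_fields);
 }
-$cl_id = $request->getParameter('id');
-
-// Get the time record we are editing.
-$time_rec = ttTimeHelper::getRecord($cl_id, $user->getActiveUser());
-
-// Prohibit editing invoiced records.
-if ($time_rec['invoice_id']) die($i18n->get('error.sys'));
-
 $item_date = new DateAndTime(DB_DATEFORMAT, $time_rec['date']);
 // Initialize variables.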
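Review bot: `(int)$request->getParameter('id')` in the first hunk is the right defensive cast, but it maps a missing, negative or non-numeric `id` to a value that is still sent to the database and only rejected because `getRecord()` finds nothing. Rejecting obviously invalid ids up front, `if ($cl_id <= 0) { header('Location: access_denied.php'); exit(); }`, documents the intent, saves the query, and keeps the later access_denied path for genuine authorization failures. This assumes record ids are positive integers, as the cast implies; confirm against the schema. The POST save path is outside these hunks.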