Security fix - improved access checks for task edit and deletes.
author
Nik Okuntseff
<support@anuko.com>
Mon, 26 Mar 2018 18:45:28 +0000
(18:45 +0000)
committer
Nik Okuntseff
<support@anuko.com>
Mon, 26 Mar 2018 18:45:28 +0000
(18:45 +0000)
26 files changed:
WEB-INF/templates/footer.tpl
mobile/task_add.php
mobile/task_delete.php
mobile/task_edit.php
mobile/tasks.php
mobile/time.php
mobile/time_delete.php
mobile/time_edit.php
mobile/user_add.php
mobile/user_delete.php
mobile/user_edit.php
mobile/users.php
task_add.php
task_delete.php
task_edit.php
tasks.php
time.php
time_delete.php
time_edit.php
tofile.php
topdf.php
user_add.php
user_delete.php
user_edit.php
users.php
week.php
diff --git
a/WEB-INF/templates/footer.tpl
b/WEB-INF/templates/footer.tpl
index
2aa36a2
..
b9939f9
100644
(file)
--- a/
WEB-INF/templates/footer.tpl
+++ b/
WEB-INF/templates/footer.tpl
@@
-12,7
+12,7
@@
<br>
<table cellspacing="0" cellpadding="4" width="100%" border="0">
<tr>
<br>
<table cellspacing="0" cellpadding="4" width="100%" border="0">
<tr>
- <td align="center"> Anuko Time Tracker 1.17.7
3.4178
| Copyright © <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
+ <td align="center"> Anuko Time Tracker 1.17.7
4.4179
| Copyright © <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
<a href="https://www.anuko.com/lp/tt_4.htm" target="_blank">{$i18n.footer.credits}</a> |
<a href="https://www.anuko.com/lp/tt_5.htm" target="_blank">{$i18n.footer.license}</a> |
<a href="https://www.anuko.com/lp/tt_7.htm" target="_blank">{$i18n.footer.improve}</a>
<a href="https://www.anuko.com/lp/tt_4.htm" target="_blank">{$i18n.footer.credits}</a> |
<a href="https://www.anuko.com/lp/tt_5.htm" target="_blank">{$i18n.footer.license}</a> |
<a href="https://www.anuko.com/lp/tt_7.htm" target="_blank">{$i18n.footer.improve}</a>
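--- a/mobile/task_add.php
+++ b/mobile/task_add.php
@@ -41,6 +41,7 @@ if (MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
   header('Location: feature_disabled.php');
   exit();
 }
+// End of access checks.
 $projects = ttTeamHelper::getActiveProjects($user->team_id);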
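--- a/mobile/task_delete.php
+++ b/mobile/task_delete.php
@@ -39,9 +39,14 @@ if (MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
   header('Location: feature_disabled.php');
   exit();
 }
-
 $cl_task_id = (int)$request->getParameter('id');
 $task = ttTaskHelper::get($cl_task_id);
+if (!$task) {
+  header('Location: access_denied.php');
+  exit();
+}
+// End of access checks.
+
 $task_to_delete = $task['name'];
 $form = new Form('taskDeleteForm');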
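Review bot: The new `if (!$task)` guard establishes only that a task with the requested id exists; whether that task belongs to the caller's team rests entirely on `ttTaskHelper::get($cl_task_id)`, which receives the bare id and is not shown here. The other ownership checks in this same commit pass the acting user into the lookup (`ttTimeHelper::getRecord($cl_id, $user->getActiveUser())`, `$user->getUser($user_id)`), so the task path is the one place where team scoping is implicit. If the helper does not filter by team, a user with task rights in one team could still delete another team's task by id; either pass `$user->team_id` into the lookup or, assuming the row carries its team, extend the condition to `if (!$task || $task['team_id'] != $user->team_id)`. The POST handler that performs the deletion is outside this hunk and must rely on the same validated `$cl_task_id`.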
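--- a/mobile/task_edit.php
+++ b/mobile/task_edit.php
@@ -40,8 +40,14 @@ if (MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
   header('Location: feature_disabled.php');
   exit();
 }
-
 $cl_task_id = (int)$request->getParameter('id');
+$task = ttTaskHelper::get($cl_task_id);
+if (!$task) {
+  header('Location: access_denied.php');
+  exit();
+}
+// End of access checks.
+
 $projects = ttTeamHelper::getActiveProjects($user->team_id);
 if ($request->isPost()) {
@@ -50,11 +56,9 @@ if ($request->isPost()) {
   $cl_status = $request->getParameter('status');
   $cl_projects = $request->getParameter('projects');
 } else {
-  $task = ttTaskHelper::get($cl_task_id);
   $cl_name = $task['name'];
   $cl_description = $task['description'];
   $cl_status = $task['status'];
-
   $assigned_projects = ttTaskHelper::getAssignedProjects($cl_task_id);
   foreach ($assigned_projects as $project_item)
     $cl_projects[] = $project_item['id'];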
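Review bot: Moving `$task = ttTaskHelper::get($cl_task_id)` ahead of the `isPost()` branch is the right shape, since the previous code only looked the task up on GET and the POST path was unguarded; but the guard still answers "does this id exist" rather than "does it belong to this team", because the helper is called with the id alone while the time and user lookups in this commit receive the acting user. Unless `ttTaskHelper::get` filters by team internally, record that assumption on the check — `// ttTaskHelper::get must return nothing for tasks outside $user->team_id; verify.` — or compare the task's team against `$user->team_id` in the condition. Separately, `$cl_projects = $request->getParameter('projects')` on the POST side is an attacker-controlled list of project ids; the save handler is outside this hunk and should accept only ids present in `$projects` from `ttTeamHelper::getActiveProjects($user->team_id)`.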
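--- a/mobile/tasks.php
+++ b/mobile/tasks.php
@@ -39,6 +39,7 @@ if (MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
   header('Location: feature_disabled.php');
   exit();
 }
+// End of access checks.
 $smarty->assign('active_tasks', ttTeamHelper::getActiveTasks($user->team_id));
 $smarty->assign('inactive_tasks', ttTeamHelper::getInactiveTasks($user->team_id));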
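--- a/mobile/time.php
+++ b/mobile/time.php
@@ -34,11 +34,12 @@ import('ttClientHelper');
 import('ttTimeHelper');
 import('DateAndTime');
-// Access check.
+// Access checks.
 if (!ttAccessAllowed('track_own_time')) {
   header('Location: access_denied.php');
   exit();
 }
+// End of access checks.
 // Initialize and store date in session.
 $cl_date = $request->getParameter('date', @$_SESSION['date']);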
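--- a/mobile/time_delete.php
+++ b/mobile/time_delete.php
@@ -38,13 +38,13 @@ if (!ttAccessAllowed('track_own_time')) {
   exit();
 }
 $cl_id = (int)$request->getParameter('id');
-// Get the time record we are deleting.
 $time_rec = ttTimeHelper::getRecord($cl_id, $user->getActiveUser());
 if (!$time_rec || $time_rec['invoice_id']) {
   // Prohibit deleting not ours or invoiced records.
   header('Location: access_denied.php');
   exit();
 }
+// End of access checks.
 // Escape comment for presentation.
 $time_rec['comment'] = htmlspecialchars($time_rec['comment']);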
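--- a/mobile/time_edit.php
+++ b/mobile/time_edit.php
@@ -34,19 +34,19 @@ import('ttClientHelper');
 import('ttTimeHelper');
 import('DateAndTime');
-// Access check.
+// Access checks.
 if (!ttAccessAllowed('track_own_time')) {
   header('Location: access_denied.php');
   exit();
 }
 $cl_id = (int)$request->getParameter('id');
-// Get the time record we are editing.
 $time_rec = ttTimeHelper::getRecord($cl_id, $user->getActiveUser());
 if (!$time_rec || $time_rec['invoice_id']) {
   // Prohibit editing not ours or invoiced records.
   header('Location: access_denied.php');
   exit();
 }
+// End of access checks.
 // Use custom fields plugin if it is enabled.
 if ($user->isPluginEnabled('cf')) {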
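--- a/mobile/user_add.php
+++ b/mobile/user_add.php
@@ -33,11 +33,12 @@ import('ttUserHelper');
 import('form.Table');
 import('form.TableColumn');
-// Access check.
+// Access checks.
 if (!ttAccessAllowed('manage_users')) {
   header('Location: access_denied.php');
   exit();
 }
+// End of access checks.
 // Use the "limit" plugin if we have one. Ignore include errors.
 // The "limit" plugin is not required for normal operation of the Time Tracker.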
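--- a/mobile/user_delete.php
+++ b/mobile/user_delete.php
@@ -30,12 +30,12 @@ require_once('../initialize.php');
 import('form.Form');
 import('ttUserHelper');
-// Access check.
+// Access checks.
 if (!ttAccessAllowed('manage_users')) {
   header('Location: access_denied.php');
   exit();
 }
-$user_id = (int) $request->getParameter('id');
+$user_id = (int)$request->getParameter('id');
 $user_details = $user->getUser($user_id);
 if (!$user_details) {
   header('Location: access_denied.php');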
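--- a/mobile/user_edit.php
+++ b/mobile/user_edit.php
@@ -34,12 +34,12 @@ import('ttUserHelper');
 import('form.Table');
 import('form.TableColumn');
-// Access check.
+// Access checks.
 if (!ttAccessAllowed('manage_users')) {
   header('Location: access_denied.php');
   exit();
 }
-$user_id = (int) $request->getParameter('id');
+$user_id = (int)$request->getParameter('id');
 $user_details = $user->getUser($user_id);
 if (!$user_details) {
   header('Location: access_denied.php');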
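--- a/mobile/users.php
+++ b/mobile/users.php
@@ -31,11 +31,12 @@ import('form.Form');
 import('ttTeamHelper');
 import('ttTimeHelper');
-// Access check.
+// Access checks.
 if (!(ttAccessAllowed('view_users') || ttAccessAllowed('manage_users'))) {
   header('Location: access_denied.php');
   exit();
 }
+// End of access checks.
 // Get users.
 $active_users = ttTeamHelper::getActiveUsers(array('getAllFields'=>true));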
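--- a/task_add.php
+++ b/task_add.php
@@ -41,6 +41,7 @@ if (MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
   header('Location: feature_disabled.php');
   exit();
 }
+// End of access checks.
 $projects = ttTeamHelper::getActiveProjects($user->team_id);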
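--- a/task_delete.php
+++ b/task_delete.php
@@ -39,9 +39,14 @@ if (MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
   header('Location: feature_disabled.php');
   exit();
 }
-
 $cl_task_id = (int)$request->getParameter('id');
 $task = ttTaskHelper::get($cl_task_id);
+if (!$task) {
+  header('Location: access_denied.php');
+  exit();
+}
+// End of access checks.
+
 $task_to_delete = $task['name'];
 $form = new Form('taskDeleteForm');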
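Review bot: `ttTaskHelper::get($cl_task_id)` is given the id and nothing else, so the access decision taken at `if (!$task)` is exactly as strong as the helper's own team filtering, which this hunk cannot confirm; by contrast the record checks elsewhere in this commit pass `$user->getActiveUser()` or go through `$user->getUser()`. A one-line comment stating the contract the check depends on would make the intent auditable, e.g. `// Relies on ttTaskHelper::get() returning nothing for tasks outside $user->team_id.`, and if that contract does not hold the lookup should take `$user->team_id` as a second argument. Redirecting a missing id to access_denied.php rather than a not-found page is a reasonable choice here since it avoids confirming which ids exist. The handler that actually deletes runs later in the file, outside the hunk.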
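--- a/task_edit.php
+++ b/task_edit.php
@@ -40,8 +40,14 @@ if (MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
   header('Location: feature_disabled.php');
   exit();
 }
-
 $cl_task_id = (int)$request->getParameter('id');
+$task = ttTaskHelper::get($cl_task_id);
+if (!$task) {
+  header('Location: access_denied.php');
+  exit();
+}
+// End of access checks.
+
 $projects = ttTeamHelper::getActiveProjects($user->team_id);
 if ($request->isPost()) {
@@ -50,11 +56,9 @@ if ($request->isPost()) {
   $cl_status = $request->getParameter('status');
   $cl_projects = $request->getParameter('projects');
 } else {
-  $task = ttTaskHelper::get($cl_task_id);
   $cl_name = $task['name'];
   $cl_description = $task['description'];
   $cl_status = $task['status'];
-
   $assigned_projects = ttTaskHelper::getAssignedProjects($cl_task_id);
   foreach ($assigned_projects as $project_item)
     $cl_projects[] = $project_item['id'];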
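Review bot: The task is now fetched before `if ($request->isPost())`, which closes the gap where a POST previously reached the save path without any lookup at all; the remaining question is team scoping, because `ttTaskHelper::get($cl_task_id)` still sees only the id whereas `ttTimeHelper::getRecord($cl_id, $user->getActiveUser())` in the time files is explicitly user-bound. Either document the dependency on the check itself — `// Relies on ttTaskHelper::get() being team-scoped; verify.` — or make it explicit with `if (!$task || $task['team_id'] != $user->team_id)`, assuming the returned row carries its team. On the POST side `$cl_projects` comes straight from the request, so the save handler, which is outside this hunk, should only accept ids found in `$projects` returned by `ttTeamHelper::getActiveProjects($user->team_id)`.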
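--- a/tasks.php
+++ b/tasks.php
@@ -39,6 +39,7 @@ if (MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
   header('Location: feature_disabled.php');
   exit();
 }
+// End of access checks.
 $smarty->assign('active_tasks', ttTeamHelper::getActiveTasks($user->team_id));
 $smarty->assign('inactive_tasks', ttTeamHelper::getInactiveTasks($user->team_id));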
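--- a/time.php
+++ b/time.php
@@ -34,13 +34,6 @@ import('ttClientHelper');
 import('ttTimeHelper');
 import('DateAndTime');
-// This is a now removed check whether user browser supports cookies.
-// if (!isset($_COOKIE['tt_PHPSESSID'])) {
-  // This test gives a false-positive if user goes directly to this page
-  // as from a desktop shortcut (on first request only).
-  // die ("Your browser's cookie functionality is turned off. Please turn it on.");
-// }
-
 // Access checks.
 if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) {
   header('Location: access_denied.php');
@@ -54,6 +47,7 @@
   header('Location: access_denied.php'); // Trying as self, but no right for self, and noone to work on behalf.
   exit();
 }
+// End of access checks.
 // Initialize and store date in session.
 $cl_date = $request->getParameter('date', @$_SESSION['date']);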
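--- a/time_delete.php
+++ b/time_delete.php
@@ -38,13 +38,13 @@ if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) {
   exit();
 }
 $cl_id = (int)$request->getParameter('id');
-// Get the time record we are deleting.
 $time_rec = ttTimeHelper::getRecord($cl_id, $user->getActiveUser());
 if (!$time_rec || $time_rec['invoice_id']) {
   // Prohibit deleting not ours or invoiced records.
   header('Location: access_denied.php');
   exit();
 }
+// End of access checks.
 // Escape comment for presentation.
 $time_rec['comment'] = htmlspecialchars($time_rec['comment']);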
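--- a/time_edit.php
+++ b/time_edit.php
@@ -40,13 +40,13 @@ if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) {
   exit();
 }
 $cl_id = (int)$request->getParameter('id');
-// Get the time record we are editing.
 $time_rec = ttTimeHelper::getRecord($cl_id, $user->getActiveUser());
 if (!$time_rec || $time_rec['invoice_id']) {
   // Prohibit editing not ours or invoiced records.
   header('Location: access_denied.php');
   exit();
 }
+// End of access checks.
 // Use custom fields plugin if it is enabled.
 if ($user->isPluginEnabled('cf')) {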
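--- a/tofile.php
+++ b/tofile.php
@@ -31,11 +31,12 @@ import('form.Form');
 import('form.ActionForm');
 import('ttReportHelper');
-// Access check.
+// Access checks.
 if (!(ttAccessAllowed('view_own_reports') || ttAccessAllowed('view_reports'))) {
   header('Location: access_denied.php');
   exit();
 }
+// End of access checks.
 // Use custom fields plugin if it is enabled.
 if ($user->isPluginEnabled('cf')) {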
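--- a/topdf.php
+++ b/topdf.php
@@ -35,11 +35,12 @@ import('form.Form');
 import('form.ActionForm');
 import('ttReportHelper');
-// Access check.
+// Access checks.
 if (!(ttAccessAllowed('view_own_reports') || ttAccessAllowed('view_reports'))) {
   header('Location: access_denied.php');
   exit();
 }
+// End of access checks.
 // Check whether TCPDF library is available.
 if (!file_exists('WEB-INF/lib/tcpdf/'))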
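--- a/user_add.php
+++ b/user_add.php
@@ -34,11 +34,12 @@ import('form.Table');
 import('form.TableColumn');
 import('ttRoleHelper');
-// Access check.
+// Access checks.
 if (!ttAccessAllowed('manage_users')) {
   header('Location: access_denied.php');
   exit();
 }
+// End of access checks.
 // Use the "limit" plugin if we have one. Ignore include errors.
 // The "limit" plugin is not required for normal operation of the Time Tracker.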
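--- a/user_delete.php
+++ b/user_delete.php
@@ -35,7 +35,7 @@ if (!ttAccessAllowed('manage_users')) {
   header('Location: access_denied.php');
   exit();
 }
-$user_id = (int) $request->getParameter('id');
+$user_id = (int)$request->getParameter('id');
 $user_details = $user->getUser($user_id);
 if (!$user_details) {
   header('Location: access_denied.php');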
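--- a/user_edit.php
+++ b/user_edit.php
@@ -40,7 +40,7 @@ if (!ttAccessAllowed('manage_users')) {
   header('Location: access_denied.php');
   exit();
 }
-$user_id = (int) $request->getParameter('id');
+$user_id = (int)$request->getParameter('id');
 $user_details = $user->getUser($user_id);
 if (!$user_details) {
   header('Location: access_denied.php');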
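--- a/users.php
+++ b/users.php
@@ -32,11 +32,12 @@ import('ttTeamHelper');
 import('ttTimeHelper');
 import('ttRoleHelper');
-// Access check.
+// Access checks.
 if (!(ttAccessAllowed('view_users') || ttAccessAllowed('manage_users'))) {
   header('Location: access_denied.php');
   exit();
 }
+// End of access checks.
 // Prepare a list of active users.
 if ($user->can('view_users'))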
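--- a/week.php
+++ b/week.php
@@ -55,6 +55,7 @@
   header('Location: access_denied.php'); // Trying as self, but no right for self, and noone to work on behalf.
   exit();
 }
+// End of access checks.
 // Initialize and store date in session.
 $cl_date = $request->getParameter('date', @$_SESSION['date']);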