Security fix for project edits.
author
Nik Okuntseff
<support@anuko.com>
Mon, 26 Mar 2018 20:31:45 +0000
(20:31 +0000)
committer
Nik Okuntseff
<support@anuko.com>
Mon, 26 Mar 2018 20:31:45 +0000
(20:31 +0000)
WEB-INF/templates/footer.tpl
mobile/project_delete.php
mobile/project_edit.php
mobile/projects.php
project_delete.php
project_edit.php
projects.php
diff --git
a/WEB-INF/templates/footer.tpl
b/WEB-INF/templates/footer.tpl
index
7c8bd63
..
95bed59
100644
(file)
--- a/
WEB-INF/templates/footer.tpl
+++ b/
WEB-INF/templates/footer.tpl
@@
-12,7
+12,7
@@
<br>
<table cellspacing="0" cellpadding="4" width="100%" border="0">
<tr>
<br>
<table cellspacing="0" cellpadding="4" width="100%" border="0">
<tr>
- <td align="center"> Anuko Time Tracker 1.17.7
4.4182
| Copyright © <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
+ <td align="center"> Anuko Time Tracker 1.17.7
5.4183
| Copyright © <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
<a href="https://www.anuko.com/lp/tt_4.htm" target="_blank">{$i18n.footer.credits}</a> |
<a href="https://www.anuko.com/lp/tt_5.htm" target="_blank">{$i18n.footer.license}</a> |
<a href="https://www.anuko.com/lp/tt_7.htm" target="_blank">{$i18n.footer.improve}</a>
<a href="https://www.anuko.com/lp/tt_4.htm" target="_blank">{$i18n.footer.credits}</a> |
<a href="https://www.anuko.com/lp/tt_5.htm" target="_blank">{$i18n.footer.license}</a> |
<a href="https://www.anuko.com/lp/tt_7.htm" target="_blank">{$i18n.footer.improve}</a>
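--- a/mobile/project_delete.php
+++ b/mobile/project_delete.php
@@ -39,9 +39,14 @@
 header('Location: feature_disabled.php');
 exit();
 }
-
 $cl_project_id = (int)$request->getParameter('id');
 $project = ttProjectHelper::get($cl_project_id);
+if (!$project) {
+ header('Location: access_denied.php');
+ exit();
+}
+// End of access checks.
+
 $project_to_delete = $project['name'];
 $form = new Form('projectDeleteForm');
@@ -51,12 +56,9 @@
 if ($request->isPost()) {
 if ($request->getParameter('btn_delete')) {
- if(ttProjectHelper::get($cl_project_id)) {
- if (ttProjectHelper::delete($cl_project_id)) {
- header('Location: projects.php');
- exit();
- } else
- $err->add($i18n->get('error.db'));
+ if (ttProjectHelper::delete($cl_project_id)) {
+ header('Location: projects.php');
+ exit();
 } else
 $err->add($i18n->get('error.db'));
 } elseif ($request->getParameter('btn_cancel')) {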
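Review bot: The new `if (!$project)` guard in the first hunk only closes the cross-team hole if `ttProjectHelper::get()` itself restricts the lookup to the caller's team; nothing in this hunk shows that contract, so the guard's meaning should be written down where it lives. If that is indeed how the helper behaves, replace `// End of access checks.` with `// End of access checks. A falsy $project means the id does not exist or is not in the caller's team (see ttProjectHelper::get).` — verify against the helper before relying on it. The same guard is added in mobile/project_edit.php, project_delete.php and project_edit.php and would take the same comment. Dropping the inner `ttProjectHelper::get()` re-check in the second hunk is fine once the earlier guard exists.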
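--- a/mobile/project_edit.php
+++ b/mobile/project_edit.php
@@ -40,8 +40,13 @@
 header('Location: feature_disabled.php');
 exit();
 }
-
 $cl_project_id = (int)$request->getParameter('id');
+$project = ttProjectHelper::get($cl_project_id);
+if (!$project) {
+ header('Location: access_denied.php');
+ exit();
+}
+// End of access checks.
 $users = ttTeamHelper::getActiveUsers();
 foreach ($users as $user_item)
@@ -58,7 +63,6 @@
 $cl_users = $request->getParameter('users', array());
 $cl_tasks = $request->getParameter('tasks', array());
 } else {
- $project = ttProjectHelper::get($cl_project_id);
 $cl_name = $project['name'];
 $cl_description = $project['description'];
 $cl_status = $project['status'];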
diff --git
a/mobile/projects.php
b/mobile/projects.php
index
93261d4
..
938eab8
100644
(file)
--- a/
mobile/projects.php
+++ b/
mobile/projects.php
@@
-31,7
+31,8
@@
import('form.Form');
import('ttTeamHelper');
// Access checks.
import('ttTeamHelper');
// Access checks.
-if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) {
+// TODO: introduce view_projects right to keep access checks simple.
+if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time') || ttAccessAllowed('manage_projects'))) {
header('Location: access_denied.php');
exit();
}
header('Location: access_denied.php');
exit();
}
@@
-40,7
+41,7
@@
if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->t
exit();
}
exit();
}
-if($user->can
ManageTeam(
)) {
+if($user->can
('manage_projects'
)) {
$active_projects = ttTeamHelper::getActiveProjects($user->team_id);
$inactive_projects = ttTeamHelper::getInactiveProjects($user->team_id);
} else
$active_projects = ttTeamHelper::getActiveProjects($user->team_id);
$inactive_projects = ttTeamHelper::getInactiveProjects($user->team_id);
} else
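Review bot: The second hunk swaps `canManageTeam()` for `can('manage_projects')` but, unlike the matching hunk in projects.php, does not add the `// End of access checks.` marker after the tracking-mode block, so the two copies of this page now disagree about where the access boundary ends. Add `// End of access checks.` after the closing brace of the `MODE_PROJECTS` check here as well. The first hunk also mixes `ttAccessAllowed('manage_projects')` with `$user->can('manage_projects')` for what looks like the same right; if the two are not equivalent, a one-line comment on the `if` should say which is authoritative, and the same applies to projects.php.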
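--- a/project_delete.php
+++ b/project_delete.php
@@ -39,9 +39,14 @@
 header('Location: feature_disabled.php');
 exit();
 }
-
 $cl_project_id = (int)$request->getParameter('id');
 $project = ttProjectHelper::get($cl_project_id);
+if (!$project) {
+ header('Location: access_denied.php');
+ exit();
+}
+// End of access checks.
+
 $project_to_delete = $project['name'];
 $form = new Form('projectDeleteForm');
@@ -51,12 +56,9 @@
 if ($request->isPost()) {
 if ($request->getParameter('btn_delete')) {
- if(ttProjectHelper::get($cl_project_id)) {
- if (ttProjectHelper::delete($cl_project_id)) {
- header('Location: projects.php');
- exit();
- } else
- $err->add($i18n->get('error.db'));
+ if (ttProjectHelper::delete($cl_project_id)) {
+ header('Location: projects.php');
+ exit();
 } else
 $err->add($i18n->get('error.db'));
 } elseif ($request->getParameter('btn_cancel')) {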
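--- a/project_edit.php
+++ b/project_edit.php
@@ -40,8 +40,13 @@
 header('Location: feature_disabled.php');
 exit();
 }
-
 $cl_project_id = (int)$request->getParameter('id');
+$project = ttProjectHelper::get($cl_project_id);
+if (!$project) {
+ header('Location: access_denied.php');
+ exit();
+}
+// End of access checks.
 $users = ttTeamHelper::getActiveUsers();
 foreach ($users as $user_item)
@@ -58,7 +63,6 @@
 $cl_users = $request->getParameter('users', array());
 $cl_tasks = $request->getParameter('tasks', array());
 } else {
- $project = ttProjectHelper::get($cl_project_id);
 $cl_name = $project['name'];
 $cl_description = $project['description'];
 $cl_status = $project['status'];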
diff --git
a/projects.php
b/projects.php
index
5315c4f
..
1d5f7e2
100644
(file)
--- a/
projects.php
+++ b/
projects.php
@@
-31,7
+31,8
@@
import('form.Form');
import('ttTeamHelper');
// Access checks.
import('ttTeamHelper');
// Access checks.
-if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) {
+// TODO: introduce view_projects right to keep access checks simple.
+if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time') || ttAccessAllowed('manage_projects'))) {
header('Location: access_denied.php');
exit();
}
header('Location: access_denied.php');
exit();
}
@@
-39,8
+40,9
@@
if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->t
header('Location: feature_disabled.php');
exit();
}
header('Location: feature_disabled.php');
exit();
}
+// End of access checks.
-if($user->can
ManageTeam(
)) {
+if($user->can
('manage_projects'
)) {
$active_projects = ttTeamHelper::getActiveProjects($user->team_id);
$inactive_projects = ttTeamHelper::getInactiveProjects($user->team_id);
} else
$active_projects = ttTeamHelper::getActiveProjects($user->team_id);
$inactive_projects = ttTeamHelper::getInactiveProjects($user->team_id);
} else
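Review bot: The rewritten condition in the second hunk is spelled `if($user->can('manage_projects')) {` with no space after `if`, while every other condition touched by this commit (including the access check in the first hunk) uses `if (`; since the line is being rewritten anyway, make it `if ($user->can('manage_projects')) {`. The same spelling appears in the matching hunk of mobile/projects.php. The `} else` branch that follows continues outside the hunk.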