global $user;
$mdb2 = getConnection();
+ // Obtain role id for the user we are swapping ourselves with.
$sql = "select u.id, u.role_id from tt_users u left join tt_roles r on (u.role_id = r.id) where u.id = $user_id and u.team_id = $user->team_id and u.status = 1 and r.rank < $user->rank";
$res = $mdb2->query($sql);
if (is_a($res, 'PEAR_Error'))
<br>
<table cellspacing="0" cellpadding="4" width="100%" border="0">
<tr>
- <td align="center"> Anuko Time Tracker 1.17.74.4180 | Copyright © <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
+ <td align="center"> Anuko Time Tracker 1.17.74.4181 | Copyright © <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
<a href="https://www.anuko.com/lp/tt_4.htm" target="_blank">{$i18n.footer.credits}</a> |
<a href="https://www.anuko.com/lp/tt_5.htm" target="_blank">{$i18n.footer.license}</a> |
<a href="https://www.anuko.com/lp/tt_7.htm" target="_blank">{$i18n.footer.improve}</a>
header('Location: access_denied.php');
exit();
}
-
if ($request->isPost()) {
- $cl_id = $request->getParameter('swap_with');
+ $user_id = (int)$request->getParameter('swap_with');
+ $user_details = $user->getUser($user_id);
+ if (!$user_details) {
+ header('Location: access_denied.php');
+ exit();
+ }
}
+// End of access checks.
$form = new Form('swapForm');
$form->addInput(array('type'=>'combobox','name'=>'swap_with','style'=>'width: 250px;','data'=>$users_for_swap,'datakeys'=>array('id','name')));
if ($request->isPost()) {
if ($request->getParameter('btn_submit')) {
- if (ttTeamHelper::swapRolesWith($cl_id)) {
+ if (ttTeamHelper::swapRolesWith($user_id)) {
header('Location: users.php');
exit();
} else
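Review bot: The `(int)` cast added on the `swap_with` parameter hardens this call site, but the value is still handed to `ttTeamHelper::swapRolesWith($user_id)` at the end of the hunk, and the helper's query (shown in the first hunk on this page) interpolates `$user_id` straight into the SQL string; any other caller that skips the cast would reintroduce the injection, so the helper should also normalise its own input, e.g. `$user_id = (int) $user_id;` before `$sql` is built, or bind it via `$mdb2->quote($user_id, 'integer')`. `$user_details` is fetched but only tested for truthiness, so a comment such as `// Only existence matters here; team and rank constraints are enforced in swapRolesWith.` would make the split of responsibilities explicit, if that is indeed the intent. The `if` block closed at the first `}` of the hunk and the trailing `} else` both continue outside the hunk.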