Improved access checks in notifications config.
authorNik Okuntseff <support@anuko.com>
Fri, 7 Dec 2018 22:42:31 +0000 (22:42 +0000)
committerNik Okuntseff <support@anuko.com>
Fri, 7 Dec 2018 22:42:31 +0000 (22:42 +0000)
WEB-INF/templates/footer.tpl
WEB-INF/templates/plugins.tpl
notification_add.php
notification_delete.php
notification_edit.php
notifications.php
plugins.php
user_add.php

index bdd2fd6..bf2c3a0 100644 (file)
@@ -12,7 +12,7 @@
       <br>
       <table cellspacing="0" cellpadding="4" width="100%" border="0">
         <tr>
-          <td align="center">&nbsp;Anuko Time Tracker 1.18.29.4609 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
+          <td align="center">&nbsp;Anuko Time Tracker 1.18.29.4610 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
             <a href="https://www.anuko.com/lp/tt_4.htm" target="_blank">{$i18n.footer.credits}</a> |
             <a href="https://www.anuko.com/lp/tt_5.htm" target="_blank">{$i18n.footer.license}</a> |
             <a href="https://www.anuko.com/lp/tt_7.htm" target="_blank">{$i18n.footer.improve}</a>
index d31bb84..6b88725 100644 (file)
@@ -123,7 +123,7 @@ function handlePluginCheckboxes() {
           </tr>
           <tr>
             <td align="right" nowrap>{$forms.pluginsForm.notifications.control}</td>
-            <td><label for="notifications">{$i18n.title.notifications}</label> <span id="notifications_config"><a href="notifications.php">{$i18n.label.configure}</a></span></td>
+            <td><label for="notifications">{$i18n.title.notifications}</label> <span id="notifications_config">{if $user_exists}<a href="notifications.php">{$i18n.label.configure}</a>{/if}</span></td>
           </tr>
           <tr>
             <td align="right" nowrap>{$forms.pluginsForm.locking.control}</td>
index e30970a..f122111 100644 (file)
@@ -42,11 +42,24 @@ if (!$user->isPluginEnabled('no')) {
   header('Location: feature_disabled.php');
   exit();
 }
+if (!$user->exists()) {
+  header('Location: access_denied.php'); // No users in subgroup.
+  exit();
+}
+if ($request->isPost()) {
+  // TODO: improve this, perhaps by refactoring elsewhere.
+  $cl_fav_report = (int) $request->getParameter('fav_report');
+  $fav_report = ttFavReportHelper::getReport($cl_fav_report);
+  if ($user->getUser() != $fav_report['user_id']) {
+    header('Location: access_denied.php'); // Invalid fav report id in post.
+    exit();
+  }
+}
+// End of access checks.
 
-$fav_reports = ttFavReportHelper::getReports($user->id);
+$fav_reports = ttFavReportHelper::getReports($user->getUser());
 
 if ($request->isPost()) {
-  $cl_fav_report = trim($request->getParameter('fav_report'));
   $cl_cron_spec = trim($request->getParameter('cron_spec'));
   $cl_email = trim($request->getParameter('email'));
   $cl_cc = trim($request->getParameter('cc'));
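Review bot: In the new POST guard, `$fav_report['user_id']` is read without first confirming that `ttFavReportHelper::getReport()` returned a row; if it returns false/null for an unknown or foreign id, the deny only happens because `null` compares unequal to the user id, and PHP 7.4+/8 logs an "array offset on bool" warning on the way. Make the missing-row case explicit: `if (!$fav_report || $user->getUser() != $fav_report['user_id']) {`. A short comment above the check stating that fav reports are owned per user, not per group (the TODO hints at this), would make the intent of comparing against `getUser()` rather than `group_id` clear to the next reader. The POST handling continues past the end of this hunk.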
@@ -86,7 +99,6 @@ if ($request->isPost()) {
     $next = tdCron::getNextOccurrence($cl_cron_spec, mktime()); 
 
     if (ttNotificationHelper::insert(array(
-        'group_id' => $user->group_id,
         'cron_spec' => $cl_cron_spec,
         'next' => $next,
         'report_id' => $cl_fav_report,
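Review bot: With `'group_id' => $user->group_id` removed, nothing in this hunk ties the new notification row to a group any more; that is only correct if `ttNotificationHelper::insert()` now derives group_id itself, and that helper is not part of this commit's file list, so it is worth confirming. If it does, a one-line comment here, e.g. `// group_id is filled in by ttNotificationHelper::insert from the current user.`, would stop the next reader from re-adding it. The insert call and its array continue beyond the hunk.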
index b18ac61..c1f0785 100644 (file)
@@ -39,9 +39,18 @@ if (!$user->isPluginEnabled('no')) {
   header('Location: feature_disabled.php');
   exit();
 }
-
+if (!$user->exists()) {
+  header('Location: access_denied.php'); // No users in subgroup.
+  exit();
+}
 $cl_notification_id = (int)$request->getParameter('id');
 $notification = ttNotificationHelper::get($cl_notification_id);
+if (!$notification) {
+  header('Location: access_denied.php'); // Wrong notification id.
+  exit();
+}
+// End of access checks.
+
 $notification_to_delete = $notification['name'];
 
 $form = new Form('notificationDeleteForm');
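Review bot: The new `if (!$notification)` guard proves only that the id exists, not that the notification belongs to the caller; unless `ttNotificationHelper::get()` already filters by the current group (not visible here), any user with the plugin enabled could delete another group's notification by guessing `id`. Since notification rows carry a group_id (the add path used to set it), an explicit ownership check after the lookup is cheap: `if ($notification['group_id'] != $user->group_id) { header('Location: access_denied.php'); exit(); }`. If the helper does scope by group, say so in the comment instead of "Wrong notification id", because the distinction matters for anyone auditing this later.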
@@ -51,12 +60,9 @@ $form->addInput(array('type'=>'submit','name'=>'btn_cancel','value'=>$i18n->get(
 
 if ($request->isPost()) {
   if ($request->getParameter('btn_delete')) {
-    if(ttNotificationHelper::get($cl_notification_id)) {
-      if (ttNotificationHelper::delete($cl_notification_id)) {
-        header('Location: notifications.php');
-        exit();
-      } else
-        $err->add($i18n->get('error.db'));
+    if (ttNotificationHelper::delete($cl_notification_id)) {
+      header('Location: notifications.php');
+      exit();
     } else
       $err->add($i18n->get('error.db'));
   } elseif ($request->getParameter('btn_cancel')) {
index 7442305..de09f75 100644 (file)
@@ -42,12 +42,30 @@ if (!$user->isPluginEnabled('no')) {
   header('Location: feature_disabled.php');
   exit();
 }
+if (!$user->exists()) {
+  header('Location: access_denied.php'); // No users in subgroup.
+  exit();
+}
+$notification_id = (int)$request->getParameter('id');
+$notification = ttNotificationHelper::get($notification_id);
+if (!$notification) {
+  header('Location: access_denied.php'); // Wrong notification id.
+  exit();
+}
+if ($request->isPost()) {
+  // TODO: improve this, perhaps by refactoring elsewhere.
+  $cl_fav_report = (int) $request->getParameter('fav_report');
+  $fav_report = ttFavReportHelper::getReport($cl_fav_report);
+  if ($user->getUser() != $fav_report['user_id']) {
+    header('Location: access_denied.php'); // Invalid fav report id in post.
+    exit();
+  }
+}
+// End of access checks.
 
-$notification_id = (int) $request->getParameter('id');
-$fav_reports = ttFavReportHelper::getReports($user->id);
+$fav_reports = ttFavReportHelper::getReports($user->getUser());
 
 if ($request->isPost()) {
-  $cl_fav_report = trim($request->getParameter('fav_report'));
   $cl_cron_spec = trim($request->getParameter('cron_spec'));
   $cl_email = trim($request->getParameter('email'));
   $cl_cc = trim($request->getParameter('cc'));
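Review bot: The POST check dereferences `$fav_report['user_id']` even when `ttFavReportHelper::getReport()` finds no row, so the deny for a bogus `fav_report` id relies on `null != user_id` plus a PHP warning rather than an explicit test; use `if (!$fav_report || $user->getUser() != $fav_report['user_id']) {` as the condition (the same pattern appears in notification_add.php). Separately, the `if (!$notification)` guard establishes existence only; if `ttNotificationHelper::get()` does not already scope by group, compare `$notification['group_id']` against `$user->group_id` before allowing the edit. The POST handling continues past the end of this hunk.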
index d70f5b4..7fe0e11 100644 (file)
@@ -39,6 +39,14 @@ if (!$user->isPluginEnabled('no')) {
   header('Location: feature_disabled.php');
   exit();
 }
+if (!$user->exists()) {
+  header('Location: access_denied.php'); // No users in subgroup.
+  exit();
+}
+// End of access checks.
+
+// TODO: extend and re-design notifications.
+// Currently they only work with fav reports, which are bound to users.
 
 $form = new Form('notificationsForm');
 
index e036c17..a19c1e1 100644 (file)
@@ -174,6 +174,7 @@ if ($request->isPost() && $request->getParameter('btn_save')) {
 
 $smarty->assign('forms', array($form->getName()=>$form->toArray()));
 $smarty->assign('onload', 'onLoad="handlePluginCheckboxes();"');
+$smarty->assign('user_exists', $user->exists());
 $smarty->assign('title', $i18n->get('title.plugins'));
 $smarty->assign('content_page_name', 'plugins.tpl');
 $smarty->display('index.tpl');
index 8a507e9..9fa6112 100644 (file)
@@ -157,7 +157,13 @@ if ($request->isPost()) {
         'client_id' => $cl_client_id,
         'projects' => $assigned_projects,
         'email' => $cl_email);
-      if (ttUserHelper::insert($fields)) {
+      $user_id = ttUserHelper::insert($fields);
+      if ($user_id) {
+        if (!$user->exists()) {
+          // We added a user to an empty subgroup. Set new user as on behalf user.
+          // Needed for user-based things to work (such as notifications config).
+          $user->setOnBehalfUser($user_id);
+        }
         header('Location: users.php');
         exit();
       } else
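Review bot: `$user_id = ttUserHelper::insert($fields)` now treats the helper's return value as the new user's id and passes it straight to `setOnBehalfUser()`, whereas the old code only tested it for truthiness; `ttUserHelper` is not in this commit's file list, so please confirm it returns the inserted id rather than `true` (which would silently select user 1 as the on-behalf user). A comment such as `// insert() returns the new user id on success, false on failure.` at the call site would pin that contract. The surrounding `if` ends in the `else` branch beyond this hunk.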