Some refactoring of access checks - in progress.
authorNik Okuntseff <support@anuko.com>
Sat, 24 Mar 2018 18:05:53 +0000 (18:05 +0000)
committerNik Okuntseff <support@anuko.com>
Sat, 24 Mar 2018 18:05:53 +0000 (18:05 +0000)
24 files changed:
WEB-INF/templates/footer.tpl
client_add.php
client_delete.php
client_edit.php
clients.php
expense_delete.php
expense_edit.php
expenses.php
index.php
invoice_add.php
invoice_delete.php
invoice_send.php
invoice_view.php
invoices.php
locking.php
login.php
mobile/expenses.php
mobile/feature_disabled.php [new file with mode: 0644]
mysql.sql
notification_add.php
notification_delete.php
notification_edit.php
notifications.php
password_change.php

index 2403c2b..8b84e12 100644 (file)
@@ -12,7 +12,7 @@
       <br>
       <table cellspacing="0" cellpadding="4" width="100%" border="0">
         <tr>
-          <td align="center">&nbsp;Anuko Time Tracker 1.17.69.4155 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
+          <td align="center">&nbsp;Anuko Time Tracker 1.17.69.4156 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
             <a href="https://www.anuko.com/lp/tt_4.htm" target="_blank">{$i18n.footer.credits}</a> |
             <a href="https://www.anuko.com/lp/tt_5.htm" target="_blank">{$i18n.footer.license}</a> |
             <a href="https://www.anuko.com/lp/tt_7.htm" target="_blank">{$i18n.footer.improve}</a>
index c0526e5..5ae5997 100644 (file)
@@ -31,11 +31,15 @@ import('form.Form');
 import('ttClientHelper');
 import('ttTeamHelper');
 
-// Access check.
-if (!ttAccessAllowed('manage_clients') || !$user->isPluginEnabled('cl')) {
+// Access checks.
+if (!ttAccessAllowed('manage_clients')) {
   header('Location: access_denied.php');
   exit();
 }
+if (!$user->isPluginEnabled('cl')) {
+  header('Location: feature_disabled.php');
+  exit();
+}
 
 $projects = ttTeamHelper::getActiveProjects($user->team_id);
 
index b162ea8..22ae9d4 100644 (file)
@@ -30,11 +30,15 @@ require_once('initialize.php');
 import('form.Form');
 import('ttClientHelper');
 
-// Access check.
-if (!ttAccessAllowed('manage_clients') || !$user->isPluginEnabled('cl')) {
+// Access checks.
+if (!ttAccessAllowed('manage_clients')) {
   header('Location: access_denied.php');
   exit();
 }
+if (!$user->isPluginEnabled('cl')) {
+  header('Location: feature_disabled.php');
+  exit();
+}
 
 $id = (int)$request->getParameter('id');
 $client = ttClientHelper::getClient($id);
index 0520323..b74fb31 100644 (file)
@@ -31,11 +31,15 @@ import('form.Form');
 import('ttClientHelper');
 import('ttTeamHelper');
 
-// Access check.
-if (!ttAccessAllowed('manage_clients') || !$user->isPluginEnabled('cl')) {
+// Access checks.
+if (!ttAccessAllowed('manage_clients')) {
   header('Location: access_denied.php');
   exit();
 }
+if (!$user->isPluginEnabled('cl')) {
+  header('Location: feature_disabled.php');
+  exit();
+}
 
 $cl_id = (int) $request->getParameter('id');
 
index 89b5c4a..6ac6f5a 100644 (file)
@@ -30,11 +30,15 @@ require_once('initialize.php');
 import('form.Form');
 import('ttTeamHelper');
 
-// Access check.
-if (!ttAccessAllowed('manage_clients') || !$user->isPluginEnabled('cl')) {
+// Access checks.
+if (!ttAccessAllowed('manage_clients')) {
   header('Location: access_denied.php');
   exit();
 }
+if (!$user->isPluginEnabled('cl')) {
+  header('Location: feature_disabled.php');
+  exit();
+}
 
 $smarty->assign('active_clients', ttTeamHelper::getActiveClients($user->team_id, true));
 $smarty->assign('inactive_clients', ttTeamHelper::getInactiveClients($user->team_id, true));
index 06c9690..42a6add 100644 (file)
@@ -31,11 +31,17 @@ import('form.Form');
 import('DateAndTime');
 import('ttExpenseHelper');
 
-// Access check.
-if (!ttAccessAllowed('track_own_expenses') || !$user->isPluginEnabled('ex')) {
+// Access checks.
+if (!(ttAccessAllowed('track_own_expenses') || ttAccessAllowed('track_expenses'))) {
   header('Location: access_denied.php');
   exit();
 }
+if (!$user->isPluginEnabled('ex')) {
+  header('Location: feature_disabled.php');
+  exit();
+}
+
+
 
 $cl_id = $request->getParameter('id');
 $expense_item = ttExpenseHelper::getItem($cl_id, $user->getActiveUser());
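Review bot: The `id` read just below the new check is passed to ttExpenseHelper::getItem() uncast, while client_delete.php and invoice_delete.php in this same commit use `(int)$request->getParameter('id')`; since the check now also admits `track_expenses` holders, `$cl_id = (int)$request->getParameter('id');` is a cheap way to keep a non-numeric id from reaching the helper. Whether getItem() parameterises or casts internally is not visible here, so treat this as consistency with the sibling pages rather than a confirmed injection path. The two blank lines added after the plugin check are stray and should be dropped. Whether the `$user->getActiveUser()` argument is enough to keep a `track_expenses` holder from deleting other users' items depends on the helper, which is outside the hunk.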
index 9ea7c64..15cfcfa 100644 (file)
@@ -32,11 +32,15 @@ import('ttTeamHelper');
 import('DateAndTime');
 import('ttExpenseHelper');
 
-// Access check.
-if (!ttAccessAllowed('track_own_expenses') || !$user->isPluginEnabled('ex')) {
+// Access checks.
+if (!(ttAccessAllowed('track_own_expenses') || ttAccessAllowed('track_expenses'))) {
   header('Location: access_denied.php');
   exit();
 }
+if (!$user->isPluginEnabled('ex')) {
+  header('Location: feature_disabled.php');
+  exit();
+}
 
 $cl_id = $request->getParameter('id');
 
index bb76948..00b4317 100644 (file)
@@ -33,11 +33,15 @@ import('ttTeamHelper');
 import('DateAndTime');
 import('ttExpenseHelper');
 
-// Access check.
-if (!ttAccessAllowed('track_own_expenses') || !$user->isPluginEnabled('ex')) {
+// Access checks.
+if (!(ttAccessAllowed('track_own_expenses') || ttAccessAllowed('track_expenses'))) {
   header('Location: access_denied.php');
   exit();
 }
+if (!$user->isPluginEnabled('ex')) {
+  header('Location: feature_disabled.php');
+  exit();
+}
 
 // Initialize and store date in session.
 $cl_date = $request->getParameter('date', @$_SESSION['date']);
index 51e1e01..fd4dde8 100644 (file)
--- a/index.php
+++ b/index.php
@@ -30,7 +30,7 @@ require_once('initialize.php');
 
 // Redirects for admin and client roles.
 if ($auth->isAuthenticated()) {
-  if ($user->isAdmin()) {
+  if ($user->can('administer_site')) {
     header('Location: admin_teams.php');
     exit();
   } elseif ($user->isClient()) {
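Review bot: The admin branch now keys off a right (`can('administer_site')`) while the client branch on the next line still keys off a role (`isClient()`), so this dispatch mixes two authorization models; if the intent is to move fully to rights the client branch should follow, otherwise a comment such as `// Admins are detected by right, clients still by role, until the rights migration completes.` documents the interim state. Neither `can()` nor the `administer_site` right is introduced by this commit (the mysql.sql hunk only re-aligns tt_teams comments), so confirm both already exist — if the right is not seeded, every admin login falls through to the client and user redirects. The enclosing `if ($auth->isAuthenticated())` block closes outside the hunk.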
index ed0a8c5..5267056 100644 (file)
@@ -31,11 +31,15 @@ import('form.Form');
 import('ttTeamHelper');
 import('ttInvoiceHelper');
 
-// Access check.
-if (!ttAccessAllowed('manage_invoices') || !$user->isPluginEnabled('iv')) {
+// Access checks.
+if (!ttAccessAllowed('manage_invoices')) {
   header('Location: access_denied.php');
   exit();
 }
+if (!$user->isPluginEnabled('iv')) {
+  header('Location: feature_disabled.php');
+  exit();
+}
 
 if ($request->isPost()) {
   $cl_date = $request->getParameter('date');
index 29160ba..2bca58c 100644 (file)
@@ -30,11 +30,15 @@ require_once('initialize.php');
 import('form.Form');
 import('ttInvoiceHelper');
 
-// Access check.
-if (!ttAccessAllowed('manage_invoices') || !$user->isPluginEnabled('iv')) {
+// Access checks.
+if (!ttAccessAllowed('manage_invoices')) {
   header('Location: access_denied.php');
   exit();
 }
+if (!$user->isPluginEnabled('iv')) {
+  header('Location: feature_disabled.php');
+  exit();
+}
 
 $cl_invoice_id = (int)$request->getParameter('id');
 $invoice = ttInvoiceHelper::getInvoice($cl_invoice_id);
index 2c0894a..f0e30bc 100644 (file)
@@ -31,11 +31,15 @@ import('form.Form');
 import('ttInvoiceHelper');
 import('ttSysConfig');
 
-// Access check.
-if (!(ttAccessAllowed('manage_invoices') || ttAccessAllowed('view_own_invoices')) || !$user->isPluginEnabled('iv')) {
+// Access checks.
+if (!(ttAccessAllowed('manage_invoices') || ttAccessAllowed('view_own_invoices'))) {
   header('Location: access_denied.php');
   exit();
 }
+if (!$user->isPluginEnabled('iv')) {
+  header('Location: feature_disabled.php');
+  exit();
+}
 
 $cl_invoice_id = (int)$request->getParameter('id');
 $invoice = ttInvoiceHelper::getInvoice($cl_invoice_id); 
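Review bot: The rights check admits `view_own_invoices` holders to a page whose name indicates it sends an invoice, and the invoice is then loaded by a caller-supplied id with no ownership check visible in the hunk. If `view_own_invoices` is intended for client-role users, sending should probably require `manage_invoices` alone, or the code after getInvoice() (outside the hunk) must verify the invoice belongs to the acting user's client; which of these holds cannot be determined from what is shown. Once confirmed, a comment stating the intended audience, e.g. `// view_own_invoices: a client user may send its own invoice; ownership is enforced below.`, would make the contract explicit to the next reader.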
index 3715b80..62f0cbb 100644 (file)
@@ -32,11 +32,15 @@ import('ttInvoiceHelper');
 import('ttClientHelper');
 import('form.Form');
 
-// Access check.
-if (!(ttAccessAllowed('manage_invoices') || ttAccessAllowed('view_own_invoices')) || !$user->isPluginEnabled('iv')) {
+// Access checks.
+if (!(ttAccessAllowed('manage_invoices') || ttAccessAllowed('view_own_invoices'))) {
   header('Location: access_denied.php');
   exit();
 }
+if (!$user->isPluginEnabled('iv')) {
+  header('Location: feature_disabled.php');
+  exit();
+}
 
 $cl_id = (int)$request->getParameter('id');
 $invoice = ttInvoiceHelper::getInvoice($cl_id);
index a03579b..1723a8d 100644 (file)
@@ -30,11 +30,15 @@ require_once('initialize.php');
 import('form.Form');
 import('ttTeamHelper');
 
-// Access check.
-if (!(ttAccessAllowed('manage_invoices') || ttAccessAllowed('view_own_invoices')) || !$user->isPluginEnabled('iv')) {
+// Access checks.
+if (!(ttAccessAllowed('manage_invoices') || ttAccessAllowed('view_own_invoices'))) {
   header('Location: access_denied.php');
   exit();
 }
+if (!$user->isPluginEnabled('iv')) {
+  header('Location: feature_disabled.php');
+  exit();
+}
 
 $invoices = ttTeamHelper::getActiveInvoices();
 
index 8a6f430..2b49b83 100644 (file)
@@ -30,11 +30,15 @@ require_once('initialize.php');
 import('form.Form');
 import('ttTeamHelper');
 
-// Access check.
-if (!ttAccessAllowed('manage_advanced_settings') || !$user->isPluginEnabled('lk')) {
+// Access checks.
+if (!ttAccessAllowed('manage_advanced_settings')) {
   header('Location: access_denied.php');
   exit();
 }
+if (!$user->isPluginEnabled('lk')) {
+  header('Location: feature_disabled.php');
+  exit();
+}
 
 $cl_lock_spec = $request->isPost() ? $request->getParameter('lock_spec') : $user->lock_spec;
 
index e246e0a..a3345d0 100644 (file)
--- a/login.php
+++ b/login.php
@@ -62,7 +62,7 @@ if ($request->isPost()) {
 
       $user = new ttUser(null, $auth->getUserId());
       // Redirect, depending on user role.
-      if ($user->isAdmin()) {
+      if ($user->can('administer_site')) {
         header('Location: admin_teams.php');
       } elseif ($user->isClient()) {
         header('Location: reports.php');
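Review bot: These lines are the same role-to-landing-page dispatch that index.php and password_change.php carry in this commit, and the switch to `can('administer_site')` had to be applied in all three places by hand; a single helper returning the landing path, e.g. `header('Location: ' . $user->getLandingPage());` (name illustrative), would keep the three copies from drifting apart. As in index.php, `can()` for admins sits beside `isClient()` for clients, so the same mixed rights/role model applies here. The `if ($request->isPost())` block and whatever `exit()` follows the redirect chain lie outside the hunk.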
index 934c63a..f0fc5c3 100644 (file)
@@ -33,11 +33,15 @@ import('ttTeamHelper');
 import('DateAndTime');
 import('ttExpenseHelper');
 
-// Access check.
-if (!ttAccessAllowed('track_own_expenses') || !$user->isPluginEnabled('ex')) {
+// Access checks.
+if (!(ttAccessAllowed('track_own_expenses') || ttAccessAllowed('track_expenses'))) {
   header('Location: access_denied.php');
   exit();
 }
+if (!$user->isPluginEnabled('ex')) {
+  header('Location: feature_disabled.php');
+  exit();
+}
 
 // Initialize and store date in session.
 $cl_date = $request->getParameter('date', @$_SESSION['date']);
diff --git a/mobile/feature_disabled.php b/mobile/feature_disabled.php
new file mode 100644 (file)
index 0000000..cf39956
--- /dev/null
@@ -0,0 +1,36 @@
+<?php
+// +----------------------------------------------------------------------+
+// | Anuko Time Tracker
+// +----------------------------------------------------------------------+
+// | Copyright (c) Anuko International Ltd. (https://www.anuko.com)
+// +----------------------------------------------------------------------+
+// | LIBERAL FREEWARE LICENSE: This source code document may be used
+// | by anyone for any purpose, and freely redistributed alone or in
+// | combination with other software, provided that the license is obeyed.
+// |
+// | There are only two ways to violate the license:
+// |
+// | 1. To redistribute this code in source form, with the copyright
+// |    notice or license removed or altered. (Distributing in compiled
+// |    forms without embedded copyright notices is permitted).
+// |
+// | 2. To redistribute modified versions of this code in *any* form
+// |    that bears insufficient indications that the modifications are
+// |    not the work of the original author(s).
+// |
+// | This license applies to this document only, not any other software
+// | that it may be combined with.
+// |
+// +----------------------------------------------------------------------+
+// | Contributors:
+// | https://www.anuko.com/time_tracker/credits.htm
+// +----------------------------------------------------------------------+
+
+require_once('../initialize.php');
+
+$err->add($i18n->get('error.feature_disabled'));
+if ($auth->isAuthenticated()) $smarty->assign('authenticated', true); // Used in header.tpl for menu display.
+
+$smarty->assign('title', $i18n->get('label.error'));
+$smarty->assign('content_page_name', 'mobile/access_denied.tpl');
+$smarty->display('mobile/index.tpl');
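Review bot: The new file carries no comment explaining when it is shown; the only caller visible in this commit is mobile/expenses.php, which redirects here when the expense plugin is off after the rights check has already passed. A header comment such as `// Shown when the user holds the right for a page but the team has the corresponding plugin disabled; reached by redirect from mobile pages after their rights check.` would record that, and a note that it deliberately renders `mobile/access_denied.tpl` instead of a template of its own would stop someone "fixing" it later. The page reads no request parameters and only emits a translated message, so there is nothing to validate here.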
index df34b77..ebe5993 100644 (file)
--- a/mysql.sql
+++ b/mysql.sql
 # This table stores settings common to all team members such as language, week start day, etc.
 #
 CREATE TABLE `tt_teams` (
-  `id` int(11) NOT NULL auto_increment,                      # team id
-  `name` varchar(80) default NULL,                           # team name
-  `currency` varchar(7) default NULL,                        # team currency symbol
-  `decimal_mark` char(1) NOT NULL default '.',               # separator in decimals
-  `lang` varchar(10) NOT NULL default 'en',                  # language
-  `date_format` varchar(20) NOT NULL default '%Y-%m-%d',     # date format
-  `time_format` varchar(20) NOT NULL default '%H:%M',        # time format
-  `week_start` smallint(2) NOT NULL default 0,               # Week start day, 0 == Sunday.
-  `tracking_mode` smallint(2) NOT NULL default 1,            # tracking mode ("time", "projects" or "projects and tasks")
-  `project_required` smallint(2) NOT NULL default 0,         # whether a project selection is required or optional
-  `task_required` smallint(2) NOT NULL default 0,            # whether a task selection is required or optional
-  `record_type` smallint(2) NOT NULL default 0,              # time record type ("start and finish", "duration", or both)
-  `bcc_email` varchar(100) default NULL,                     # bcc email to copy all reports to
-  `plugins` varchar(255) default NULL,                       # a list of enabled plugins for team
-  `lock_spec` varchar(255) default NULL,                     # Cron specification for record locking,
-                                                             # for example: "0 10 * * 1" for "weekly on Mon at 10:00".
-  `workday_minutes` smallint(4) default 480,                 # number of work minutes in a regular working day
-  `custom_logo` tinyint(4) default 0,                        # whether to use a custom logo or not
-  `config` text default NULL,                                # miscellaneous team configuration settings
-  `created` datetime default NULL,                           # creation timestamp
-  `created_ip` varchar(45) default NULL,                     # creator ip
-  `created_by` int(11) default NULL,                         # creator user_id
-  `modified` datetime default NULL,                          # modification timestamp
-  `modified_ip` varchar(45) default NULL,                    # modifier ip
-  `modified_by` int(11) default NULL,                        # modifier user_id
-  `status` tinyint(4) default 1,                             # team status
+  `id` int(11) NOT NULL auto_increment,                  # team id
+  `name` varchar(80) default NULL,                       # team name
+  `currency` varchar(7) default NULL,                    # team currency symbol
+  `decimal_mark` char(1) NOT NULL default '.',           # separator in decimals
+  `lang` varchar(10) NOT NULL default 'en',              # language
+  `date_format` varchar(20) NOT NULL default '%Y-%m-%d', # date format
+  `time_format` varchar(20) NOT NULL default '%H:%M',    # time format
+  `week_start` smallint(2) NOT NULL default 0,           # Week start day, 0 == Sunday.
+  `tracking_mode` smallint(2) NOT NULL default 1,        # tracking mode ("time", "projects" or "projects and tasks")
+  `project_required` smallint(2) NOT NULL default 0,     # whether a project selection is required or optional
+  `task_required` smallint(2) NOT NULL default 0,        # whether a task selection is required or optional
+  `record_type` smallint(2) NOT NULL default 0,          # time record type ("start and finish", "duration", or both)
+  `bcc_email` varchar(100) default NULL,                 # bcc email to copy all reports to
+  `plugins` varchar(255) default NULL,                   # a list of enabled plugins for team
+  `lock_spec` varchar(255) default NULL,                 # Cron specification for record locking,
+                                                         # for example: "0 10 * * 1" for "weekly on Mon at 10:00".
+  `workday_minutes` smallint(4) default 480,             # number of work minutes in a regular working day
+  `custom_logo` tinyint(4) default 0,                    # whether to use a custom logo or not
+  `config` text default NULL,                            # miscellaneous team configuration settings
+  `created` datetime default NULL,                       # creation timestamp
+  `created_ip` varchar(45) default NULL,                 # creator ip
+  `created_by` int(11) default NULL,                     # creator user_id
+  `modified` datetime default NULL,                      # modification timestamp
+  `modified_ip` varchar(45) default NULL,                # modifier ip
+  `modified_by` int(11) default NULL,                    # modifier user_id
+  `status` tinyint(4) default 1,                         # team status
   PRIMARY KEY (`id`)
 );
 
index 6d0e4d3..7dd680f 100644 (file)
@@ -33,11 +33,15 @@ import('form.Form');
 import('ttFavReportHelper');
 import('ttNotificationHelper');
 
-// Access check.
-if (!ttAccessAllowed('manage_advanced_settings') || !$user->isPluginEnabled('no')) {
+// Access checks.
+if (!ttAccessAllowed('manage_advanced_settings')) {
   header('Location: access_denied.php');
   exit();
 }
+if (!$user->isPluginEnabled('no')) {
+  header('Location: feature_disabled.php');
+  exit();
+}
 
 $fav_reports = ttFavReportHelper::getReports($user->id);
 
index 46de065..b18ac61 100644 (file)
@@ -30,11 +30,15 @@ require_once('initialize.php');
 import('form.Form');
 import('ttNotificationHelper');
 
-// Access check.
-if (!ttAccessAllowed('manage_advanced_settings') || !$user->isPluginEnabled('no')) {
+// Access checks.
+if (!ttAccessAllowed('manage_advanced_settings')) {
   header('Location: access_denied.php');
   exit();
 }
+if (!$user->isPluginEnabled('no')) {
+  header('Location: feature_disabled.php');
+  exit();
+}
 
 $cl_notification_id = (int)$request->getParameter('id');
 $notification = ttNotificationHelper::get($cl_notification_id);
index 4317982..1c36865 100644 (file)
@@ -33,11 +33,15 @@ import('form.Form');
 import('ttFavReportHelper');
 import('ttNotificationHelper');
 
-// Access check.
-if (!ttAccessAllowed('manage_advanced_settings') || !$user->isPluginEnabled('no')) {
+// Access checks.
+if (!ttAccessAllowed('manage_advanced_settings')) {
   header('Location: access_denied.php');
   exit();
 }
+if (!$user->isPluginEnabled('no')) {
+  header('Location: feature_disabled.php');
+  exit();
+}
 
 $notification_id = (int) $request->getParameter('id');
 $fav_reports = ttFavReportHelper::getReports($user->id);
index c03378d..6dcf33f 100644 (file)
@@ -30,11 +30,15 @@ require_once('initialize.php');
 import('form.Form');
 import('ttTeamHelper');
 
-// Access check.
-if (!ttAccessAllowed('manage_advanced_settings') || !$user->isPluginEnabled('no')) {
+// Access checks.
+if (!ttAccessAllowed('manage_advanced_settings')) {
   header('Location: access_denied.php');
   exit();
 }
+if (!$user->isPluginEnabled('no')) {
+  header('Location: feature_disabled.php');
+  exit();
+}
 
 $form = new Form('notificationsForm');
 
index bcbd5f4..832118f 100644 (file)
@@ -82,7 +82,7 @@ if ($request->isPost()) {
     if ($auth->doLogin($user->login, $cl_password1)) {
       setcookie('tt_login', $user->login, time() + COOKIE_EXPIRE, '/');
       // Redirect, depending on user role.
-      if ($user->isAdmin()) {
+      if ($user->can('administer_site')) {
         header('Location: admin_teams.php');
       } elseif ($user->isClient()) {
         header('Location: reports.php');