Security fix for project edits.
authorNik Okuntseff <support@anuko.com>
Mon, 26 Mar 2018 20:31:45 +0000 (20:31 +0000)
committerNik Okuntseff <support@anuko.com>
Mon, 26 Mar 2018 20:31:45 +0000 (20:31 +0000)
WEB-INF/templates/footer.tpl
mobile/project_delete.php
mobile/project_edit.php
mobile/projects.php
project_delete.php
project_edit.php
projects.php

index 7c8bd63..95bed59 100644 (file)
@@ -12,7 +12,7 @@
       <br>
       <table cellspacing="0" cellpadding="4" width="100%" border="0">
         <tr>
-          <td align="center">&nbsp;Anuko Time Tracker 1.17.74.4182 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
+          <td align="center">&nbsp;Anuko Time Tracker 1.17.75.4183 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
             <a href="https://www.anuko.com/lp/tt_4.htm" target="_blank">{$i18n.footer.credits}</a> |
             <a href="https://www.anuko.com/lp/tt_5.htm" target="_blank">{$i18n.footer.license}</a> |
             <a href="https://www.anuko.com/lp/tt_7.htm" target="_blank">{$i18n.footer.improve}</a>
index c8753b8..5785496 100644 (file)
@@ -39,9 +39,14 @@ if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->t
   header('Location: feature_disabled.php');
   exit();
 }
-
 $cl_project_id = (int)$request->getParameter('id');
 $project = ttProjectHelper::get($cl_project_id);
+if (!$project) {
+  header('Location: access_denied.php');
+  exit();
+}
+// End of access checks.
+
 $project_to_delete = $project['name'];
 
 $form = new Form('projectDeleteForm');
@@ -51,12 +56,9 @@ $form->addInput(array('type'=>'submit','name'=>'btn_cancel','value'=>$i18n->get(
 
 if ($request->isPost()) {
   if ($request->getParameter('btn_delete')) {
-    if(ttProjectHelper::get($cl_project_id)) {
-      if (ttProjectHelper::delete($cl_project_id)) {
-        header('Location: projects.php');
-        exit();
-      } else
-        $err->add($i18n->get('error.db'));
+    if (ttProjectHelper::delete($cl_project_id)) {
+      header('Location: projects.php');
+      exit();
     } else
       $err->add($i18n->get('error.db'));
   } elseif ($request->getParameter('btn_cancel')) {
index 74454ec..6adb475 100644 (file)
@@ -40,8 +40,13 @@ if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->t
   header('Location: feature_disabled.php');
   exit();
 }
-
 $cl_project_id = (int)$request->getParameter('id');
+$project = ttProjectHelper::get($cl_project_id);
+if (!$project) {
+  header('Location: access_denied.php');
+  exit();
+}
+// End of access checks.
 
 $users = ttTeamHelper::getActiveUsers();
 foreach ($users as $user_item)
@@ -58,7 +63,6 @@ if ($request->isPost()) {
   $cl_users = $request->getParameter('users', array());
   $cl_tasks = $request->getParameter('tasks', array());
 } else {
-  $project = ttProjectHelper::get($cl_project_id);
   $cl_name = $project['name'];
   $cl_description = $project['description'];
   $cl_status = $project['status'];
index 93261d4..938eab8 100644 (file)
@@ -31,7 +31,8 @@ import('form.Form');
 import('ttTeamHelper');
 
 // Access checks.
-if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) {
+// TODO: introduce view_projects right to keep access checks simple.
+if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time') || ttAccessAllowed('manage_projects'))) {
   header('Location: access_denied.php');
   exit();
 }
@@ -40,7 +41,7 @@ if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->t
   exit();
 }
 
-if($user->canManageTeam()) {
+if($user->can('manage_projects')) {
   $active_projects = ttTeamHelper::getActiveProjects($user->team_id);
   $inactive_projects = ttTeamHelper::getInactiveProjects($user->team_id);
 } else
index 2373bbe..450241e 100644 (file)
@@ -39,9 +39,14 @@ if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->t
   header('Location: feature_disabled.php');
   exit();
 }
-
 $cl_project_id = (int)$request->getParameter('id');
 $project = ttProjectHelper::get($cl_project_id);
+if (!$project) {
+  header('Location: access_denied.php');
+  exit();
+}
+// End of access checks.
+
 $project_to_delete = $project['name'];
 
 $form = new Form('projectDeleteForm');
@@ -51,12 +56,9 @@ $form->addInput(array('type'=>'submit','name'=>'btn_cancel','value'=>$i18n->get(
 
 if ($request->isPost()) {
   if ($request->getParameter('btn_delete')) {
-    if(ttProjectHelper::get($cl_project_id)) {
-      if (ttProjectHelper::delete($cl_project_id)) {
-        header('Location: projects.php');
-        exit();
-      } else
-        $err->add($i18n->get('error.db'));
+    if (ttProjectHelper::delete($cl_project_id)) {
+      header('Location: projects.php');
+      exit();
     } else
       $err->add($i18n->get('error.db'));
   } elseif ($request->getParameter('btn_cancel')) {
index d30782a..543c532 100644 (file)
@@ -40,8 +40,13 @@ if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->t
   header('Location: feature_disabled.php');
   exit();
 }
-
 $cl_project_id = (int)$request->getParameter('id');
+$project = ttProjectHelper::get($cl_project_id);
+if (!$project) {
+  header('Location: access_denied.php');
+  exit();
+}
+// End of access checks.
 
 $users = ttTeamHelper::getActiveUsers();
 foreach ($users as $user_item)
@@ -58,7 +63,6 @@ if ($request->isPost()) {
   $cl_users = $request->getParameter('users', array());
   $cl_tasks = $request->getParameter('tasks', array());
 } else {
-  $project = ttProjectHelper::get($cl_project_id);
   $cl_name = $project['name'];
   $cl_description = $project['description'];
   $cl_status = $project['status'];
index 5315c4f..1d5f7e2 100644 (file)
@@ -31,7 +31,8 @@ import('form.Form');
 import('ttTeamHelper');
 
 // Access checks.
-if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) {
+// TODO: introduce view_projects right to keep access checks simple.
+if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time') || ttAccessAllowed('manage_projects'))) {
   header('Location: access_denied.php');
   exit();
 }
@@ -39,8 +40,9 @@ if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->t
   header('Location: feature_disabled.php');
   exit();
 }
+// End of access checks.
 
-if($user->canManageTeam()) {
+if($user->can('manage_projects')) {
   $active_projects = ttTeamHelper::getActiveProjects($user->team_id);
   $inactive_projects = ttTeamHelper::getInactiveProjects($user->team_id);
 } else