Better protection against editing and deleting approved records.
authorNik Okuntseff <support@anuko.com>
Wed, 6 Mar 2019 22:12:43 +0000 (22:12 +0000)
committerNik Okuntseff <support@anuko.com>
Wed, 6 Mar 2019 22:12:43 +0000 (22:12 +0000)
WEB-INF/lib/ttTimeHelper.class.php
WEB-INF/templates/footer.tpl
mobile/time_delete.php
mobile/time_edit.php
time_delete.php
time_edit.php

index 2a47c74..b2bb2c0 100644 (file)
@@ -676,7 +676,7 @@ class ttTimeHelper {
       " TIME_FORMAT(sec_to_time(time_to_sec(l.start) + time_to_sec(l.duration)), $sql_time_format) as finish,".
       " TIME_FORMAT(l.duration, '%k:%i') as duration,".
       " p.name as project_name, t.name as task_name, l.comment, l.client_id, l.project_id, l.task_id,".
-      " l.timesheet_id, l.invoice_id, l.billable, l.paid, l.date from tt_log l".
+      " l.timesheet_id, l.invoice_id, l.billable, l.approved, l.paid, l.date from tt_log l".
       " left join tt_projects p on (p.id = l.project_id)".
       " left join tt_tasks t on (t.id = l.task_id)".
       " where l.id = $id and l.user_id = $user_id and l.group_id = $group_id and l.org_id = $org_id and l.status = 1";
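Review bot: The where-clause on the last line of the hunk interpolates `$id`, `$user_id`, `$group_id` and `$org_id` straight into the query string, so getRecord's safety rests on every caller having cast its argument first; the four scripts in this commit do `(int)$request->getParameter('id')`, but nothing inside this function enforces that. A cast at the top of the function, `$id = (int) $id;`, would keep that guarantee in one place rather than in each caller; the body of getRecord starts above the hunk, so I cannot see whether it already does this. Since the newly selected `l.approved` column is what the edit/delete guards in the rest of the commit key on, a short comment above the select such as `// approved, timesheet_id and invoice_id are read by the time_edit/time_delete guards` would record why those columns must stay in the list.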
index ff57292..08935c6 100644 (file)
@@ -12,7 +12,7 @@
       <br>
       <table cellspacing="0" cellpadding="4" width="100%" border="0">
         <tr>
-          <td align="center">&nbsp;Anuko Time Tracker 1.18.53.4830 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
+          <td align="center">&nbsp;Anuko Time Tracker 1.18.53.4831 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
             <a href="https://www.anuko.com/lp/tt_4.htm" target="_blank">{$i18n.footer.credits}</a> |
             <a href="https://www.anuko.com/lp/tt_5.htm" target="_blank">{$i18n.footer.license}</a> |
             <a href="https://www.anuko.com/lp/tt_7.htm" target="_blank">{$i18n.footer.improve}</a>
index 1b122fb..a68da76 100644 (file)
@@ -39,8 +39,8 @@ if (!ttAccessAllowed('track_own_time')) {
 }
 $cl_id = (int)$request->getParameter('id');
 $time_rec = ttTimeHelper::getRecord($cl_id);
-if (!$time_rec || $time_rec['timesheet_id'] || $time_rec['invoice_id']) {
-  // Prohibit deleting not ours, or assigned to timesheet, or invoiced records.
+if (!$time_rec || $time_rec['approved'] || $time_rec['timesheet_id'] || $time_rec['invoice_id']) {
+  // Prohibit deleting not ours, approved, assigned to timesheet, or invoiced records.
   header('Location: access_denied.php');
   exit();
 }
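Review bot: The new guard `!$time_rec || $time_rec['approved'] || $time_rec['timesheet_id'] || $time_rec['invoice_id']` is now duplicated verbatim in this hunk and in the three that follow (mobile/time_edit.php, time_delete.php, time_edit.php), and the commit itself shows the cost of that: one extra locked state had to be patched in four places. A single helper, e.g. `public static function isLocked($time_rec) { return !$time_rec || $time_rec['approved'] || $time_rec['timesheet_id'] || $time_rec['invoice_id']; }` in ttTimeHelper, called as `if (ttTimeHelper::isLocked($time_rec))` in all four scripts, would keep the rule in one place. Note also that the check fails open if getRecord ever stops returning the `approved` key, since a missing index reads as null and the record becomes editable; centralising the rule next to getRecord makes that coupling visible.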
index 1f8f7de..e81f693 100644 (file)
@@ -41,8 +41,8 @@ if (!ttAccessAllowed('track_own_time')) {
 }
 $cl_id = (int)$request->getParameter('id');
 $time_rec = ttTimeHelper::getRecord($cl_id);
-if (!$time_rec || $time_rec['timesheet_id'] || $time_rec['invoice_id']) {
-  // Prohibit editing not ours, or assigned to timesheet, or invoiced records.
+if (!$time_rec || $time_rec['approved'] || $time_rec['timesheet_id'] || $time_rec['invoice_id']) {
+  // Prohibit editing not ours, approved, assigned to timesheet, or invoiced records.
   header('Location: access_denied.php');
   exit();
 }
index e83630e..a7b802b 100644 (file)
@@ -39,8 +39,8 @@ if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) {
 }
 $cl_id = (int)$request->getParameter('id');
 $time_rec = ttTimeHelper::getRecord($cl_id);
-if (!$time_rec || $time_rec['timesheet_id'] || $time_rec['invoice_id']) {
-  // Prohibit deleting not ours, or assigned to timesheet, or invoiced records.
+if (!$time_rec || $time_rec['approved'] || $time_rec['timesheet_id'] || $time_rec['invoice_id']) {
+  // Prohibit deleting not ours, approved, assigned to timesheet, or invoiced records.
   header('Location: access_denied.php');
   exit();
 }
index 23cc63d..ef45226 100644 (file)
@@ -41,8 +41,8 @@ if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) {
 }
 $cl_id = (int)$request->getParameter('id');
 $time_rec = ttTimeHelper::getRecord($cl_id);
-if (!$time_rec || $time_rec['timesheet_id'] || $time_rec['invoice_id']) {
-  // Prohibit editing not ours, or assigned to timesheet, or invoiced records.
+if (!$time_rec || $time_rec['approved'] || $time_rec['timesheet_id'] || $time_rec['invoice_id']) {
+  // Prohibit editing not ours, approved, assigned to timesheet, or invoiced records.
   header('Location: access_denied.php');
   exit();
 }