Included team_id in task update sql to avoid risk of misuse.
authorNik Okuntseff <support@anuko.com>
Mon, 26 Mar 2018 18:56:07 +0000 (18:56 +0000)
committerNik Okuntseff <support@anuko.com>
Mon, 26 Mar 2018 18:56:07 +0000 (18:56 +0000)
WEB-INF/lib/ttTaskHelper.class.php
WEB-INF/templates/footer.tpl

index 2bb99da..24831cb 100644 (file)
@@ -198,7 +198,7 @@ class ttTaskHelper {
     $projects = $fields['projects'];
 
     $sql = "update tt_tasks set name = ".$mdb2->quote($name).", description = ".$mdb2->quote($description).
-      ", status = $status where id = $task_id";
+      ", status = $status where id = $task_id and team_id = $user->team_id";
     $affected = $mdb2->exec($sql);
     if (is_a($affected, 'PEAR_Error'))
       die($affected->getMessage());
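Review bot: The added `and team_id = $user->team_id` scopes the update to the caller's team, but `$task_id`, `$status` and `$user->team_id` are still concatenated into the statement unquoted while `$name` and `$description` go through `$mdb2->quote()`; unless every caller is known to validate these as integers, the same treatment should apply, e.g. `", status = ".$mdb2->quote($status, 'integer')." where id = ".$mdb2->quote($task_id, 'integer')." and team_id = ".$mdb2->quote($user->team_id, 'integer');`. With the new predicate, a task id belonging to another team now yields zero affected rows rather than an error, so the `PEAR_Error` check alone no longer distinguishes "updated" from "not ours"; consider `if ($affected === 0) return false;` after the error check so callers can report the failure. The enclosing method starts before this hunk, and its return path continues after it.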
index b9939f9..9defcca 100644 (file)
@@ -12,7 +12,7 @@
       <br>
       <table cellspacing="0" cellpadding="4" width="100%" border="0">
         <tr>
-          <td align="center">&nbsp;Anuko Time Tracker 1.17.74.4179 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
+          <td align="center">&nbsp;Anuko Time Tracker 1.17.74.4180 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
             <a href="https://www.anuko.com/lp/tt_4.htm" target="_blank">{$i18n.footer.credits}</a> |
             <a href="https://www.anuko.com/lp/tt_5.htm" target="_blank">{$i18n.footer.license}</a> |
             <a href="https://www.anuko.com/lp/tt_7.htm" target="_blank">{$i18n.footer.improve}</a>