return $user_list;
}
+ // getUser function is used to manage users in group and returns user details.
+ // At the moment, the function is used for user edits and deletes.
+ function getUser($user_id) {
+ if (!$this->can('manage_users')) return false;
+
+ $mdb2 = getConnection();
+
+ $sql = "select u.id, u.name, u.login, u.role_id, u.status, u.rate, u.email, r.rank from tt_users u".
+ " left join tt_roles r on (u.role_id = r.id)".
+ " where u.id = $user_id and u.team_id = $this->team_id and u.status is not null".
+ " and (r.rank < $this->rank or (r.rank = $this->rank and u.id = $this->id))"; // Users with lesser roles or self.
+ $res = $mdb2->query($sql);
+ if (!is_a($res, 'PEAR_Error')) {
+ $val = $res->fetchRow();
+ return $val;
+ }
+ return false;
+ }
+
// checkBehalfId checks whether behalf_id is appropriate.
// On behalf user must be active and have lower rank.
function checkBehalfId() {
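Review bot: In getUser the `$user_id` argument is interpolated into the where clause (`u.id = $user_id`) with no cast or quoting, so the query's safety rests entirely on every caller having done `(int)` first; the method should enforce that itself, e.g. `$user_id = (int) $user_id;` before `$sql` is built, or `$mdb2->quote($user_id, 'integer')` in the clause. The rank filter `r.rank < $this->rank or (r.rank = $this->rank and u.id = $this->id)` runs through a left join, so a user whose role_id matches no tt_roles row has a null rank and is excluded, whereas the PHP-side check this replaces (`$user_details['rank'] > $user->rank`) let such a row through — presumably intended, but worth a comment on that line. The header comment could also state the contract: `// Returns the user row (id, name, login, role_id, status, rate, email, rank) or false when the caller lacks manage_users, the user is not in the team, or the user outranks the caller.`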
// Class ttUserHelper contains helper functions for operations with users.
class ttUserHelper {
- // The getUserDetails function returns user details.
- static function getUserDetails($user_id) {
- global $user;
- $mdb2 = getConnection();
-
- $sql = "select u.*, r.rank from tt_users u left join tt_roles r on (u.role_id = r.id) where u.id = $user_id and u.team_id = $user->team_id and u.status is not null";
- $res = $mdb2->query($sql);
-
- if (!is_a($res, 'PEAR_Error')) {
- $val = $res->fetchRow();
- return $val;
- }
- return false;
- }
-
// The getUserName function returns user name.
static function getUserName($user_id) {
$mdb2 = getConnection();
<br>
<table cellspacing="0" cellpadding="4" width="100%" border="0">
<tr>
- <td align="center"> Anuko Time Tracker 1.17.72.4171 | Copyright © <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
+ <td align="center"> Anuko Time Tracker 1.17.72.4172 | Copyright © <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
<a href="https://www.anuko.com/lp/tt_4.htm" target="_blank">{$i18n.footer.credits}</a> |
<a href="https://www.anuko.com/lp/tt_5.htm" target="_blank">{$i18n.footer.license}</a> |
<a href="https://www.anuko.com/lp/tt_7.htm" target="_blank">{$i18n.footer.improve}</a>
header('Location: access_denied.php');
exit();
}
-
-// Get user id we are deleting from the request.
-// A cast to int is for safety against manipulation of request parameter (sql injection).
$user_id = (int) $request->getParameter('id');
-
-// We need user name and login to display.
-$user_details = ttUserHelper::getUserDetails($user_id);
-
-// Security checks.
-if (!$user_details || // No details.
- $user_details['rank'] > $user->rank || // User has a bigger rank.
- ($user_details['rank'] == $user->rank && $user_details['id'] <> $user->id) // Same rank but not us.
- ) {
+$user_details = $user->getUser($user_id);
+if (!$user_details) {
header('Location: access_denied.php');
exit();
}
+// End of access checks.
$smarty->assign('user_to_delete', $user_details['name']." (".$user_details['login'].")");
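Review bot: The dropped comment `// A cast to int is for safety against manipulation of request parameter (sql injection).` explained why the `(int)` on `$request->getParameter('id')` is there, and the reason is still live: `$user->getUser($user_id)` interpolates the id straight into its SQL, so this cast is the only guard on the request value. Keep the explanation on the surviving line, e.g. `$user_id = (int) $request->getParameter('id'); // Cast to int: the id is interpolated into SQL in getUser().`. The same comment is removed in the three later hunks on this page that make the identical `getUser` replacement, and the same note applies to each.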
header('Location: access_denied.php');
exit();
}
-
-// Get user id we are editing from the request.
$user_id = (int) $request->getParameter('id');
-// Get user details.
-$user_details = ttUserHelper::getUserDetails($user_id);
-
-// Security checks.
-if (!$user_details || // No details.
- $user_details['rank'] > $user->rank || // User has a bigger rank.
- ($user_details['rank'] == $user->rank && $user_details['id'] <> $user->id) // Same rank but not us.
- ) {
+$user_details = $user->getUser($user_id);
+if (!$user_details) {
header('Location: access_denied.php');
exit();
}
+// End of access checks.
if ($user->isPluginEnabled('cl'))
$clients = ttTeamHelper::getActiveClients($user->team_id);
header('Location: access_denied.php');
exit();
}
-// Get user id we are deleting.
-// A cast to int is for safety against manipulation of request parameter (sql injection).
$user_id = (int) $request->getParameter('id');
-// We need user name and login to display.
-$user_details = ttUserHelper::getUserDetails($user_id);
-if (!$user_details || // No details.
- $user_details['rank'] > $user->rank || // User has a bigger rank.
- ($user_details['rank'] == $user->rank && $user_details['id'] <> $user->id) // Same rank but not us.
- ) {
+$user_details = $user->getUser($user_id);
+if (!$user_details) {
header('Location: access_denied.php');
exit();
}
header('Location: access_denied.php');
exit();
}
-// Get user id we are editing from the request.
$user_id = (int) $request->getParameter('id');
-// Get user details.
-$user_details = ttUserHelper::getUserDetails($user_id);
-if (!$user_details || // No details.
- $user_details['rank'] > $user->rank || // User has a bigger rank.
- ($user_details['rank'] == $user->rank && $user_details['id'] <> $user->id) // Same rank but not us.
- ) {
+$user_details = $user->getUser($user_id);
+if (!$user_details) {
header('Location: access_denied.php');
exit();
}