Improved access check for client edit.
authorNik Okuntseff <support@anuko.com>
Tue, 4 Dec 2018 15:07:39 +0000 (15:07 +0000)
committerNik Okuntseff <support@anuko.com>
Tue, 4 Dec 2018 15:07:39 +0000 (15:07 +0000)
WEB-INF/templates/footer.tpl
client_edit.php
mobile/client_edit.php

index 09e0d89..c5ff71c 100644 (file)
@@ -12,7 +12,7 @@
       <br>
       <table cellspacing="0" cellpadding="4" width="100%" border="0">
         <tr>
-          <td align="center">&nbsp;Anuko Time Tracker 1.18.29.4579 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
+          <td align="center">&nbsp;Anuko Time Tracker 1.18.29.4580 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
             <a href="https://www.anuko.com/lp/tt_4.htm" target="_blank">{$i18n.footer.credits}</a> |
             <a href="https://www.anuko.com/lp/tt_5.htm" target="_blank">{$i18n.footer.license}</a> |
             <a href="https://www.anuko.com/lp/tt_7.htm" target="_blank">{$i18n.footer.improve}</a>
index a1f9824..7b572ea 100644 (file)
@@ -41,8 +41,13 @@ if (!$user->isPluginEnabled('cl')) {
   header('Location: feature_disabled.php');
   exit();
 }
-
-$cl_id = (int) $request->getParameter('id');
+$cl_id = (int)$request->getParameter('id');
+$client = ttClientHelper::getClient($cl_id, true);
+if (!$client) {
+  header('Location: access_denied.php');
+  exit();
+}
+// End of access checks.
 
 $projects = ttGroupHelper::getActiveProjects();
 
@@ -53,7 +58,6 @@ if ($request->isPost()) {
   $cl_status = $request->getParameter('status');
   $cl_projects = $request->getParameter('projects');
 } else {
-  $client = ttClientHelper::getClient($cl_id, true);
   $cl_name = $client['name'];
   $cl_address = $client['address'];
   $cl_tax = $client['tax'];
index b65ac99..ab86865 100644 (file)
@@ -40,8 +40,13 @@ if (!$user->isPluginEnabled('cl')) {
   header('Location: feature_disabled.php');
   exit();
 }
-
-$cl_id = (int) $request->getParameter('id');
+$cl_id = (int)$request->getParameter('id');
+$client = ttClientHelper::getClient($cl_id, true);
+if (!$client) {
+  header('Location: access_denied.php');
+  exit();
+}
+// End of access checks.
 
 $projects = ttGroupHelper::getActiveProjects();
 
@@ -52,7 +57,6 @@ if ($request->isPost()) {
   $cl_status = $request->getParameter('status');
   $cl_projects = $request->getParameter('projects');
 } else {
-  $client = ttClientHelper::getClient($cl_id, true);
   $cl_name = $client['name'];
   $cl_address = $client['address'];
   $cl_tax = $client['tax'];