From: Nik Okuntseff <support@anuko.com>
Date: Mon, 26 Mar 2018 19:18:51 +0000 (+0000)
Subject: Improved access checks for swap_roles.php.
X-Git-Tag: timetracker_1.19-1~926
X-Git-Url: http://wagnertech.de/git?a=commitdiff_plain;h=2f5b2dc68a73954b497c7aaa3223be7f3db1d117;p=timetracker.git

Improved access checks for swap_roles.php.
---

diff --git a/WEB-INF/lib/ttTeamHelper.class.php b/WEB-INF/lib/ttTeamHelper.class.php
index 5aeee219..fb74d8e1 100644
--- a/WEB-INF/lib/ttTeamHelper.class.php
+++ b/WEB-INF/lib/ttTeamHelper.class.php
@@ -108,6 +108,7 @@ class ttTeamHelper {
     global $user;
     $mdb2 = getConnection();
 
+    // Obtain role id for the user we are swapping ourselves with.
     $sql = "select u.id, u.role_id from tt_users u left join tt_roles r on (u.role_id = r.id) where u.id = $user_id and u.team_id = $user->team_id and u.status = 1 and r.rank < $user->rank";
     $res = $mdb2->query($sql);
     if (is_a($res, 'PEAR_Error'))
diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl
index 9defcca8..6646f126 100644
--- a/WEB-INF/templates/footer.tpl
+++ b/WEB-INF/templates/footer.tpl
@@ -12,7 +12,7 @@
       <br>
       <table cellspacing="0" cellpadding="4" width="100%" border="0">
         <tr>
-          <td align="center">&nbsp;Anuko Time Tracker 1.17.74.4180 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
+          <td align="center">&nbsp;Anuko Time Tracker 1.17.74.4181 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
             <a href="https://www.anuko.com/lp/tt_4.htm" target="_blank">{$i18n.footer.credits}</a> |
             <a href="https://www.anuko.com/lp/tt_5.htm" target="_blank">{$i18n.footer.license}</a> |
             <a href="https://www.anuko.com/lp/tt_7.htm" target="_blank">{$i18n.footer.improve}</a>
diff --git a/swap_roles.php b/swap_roles.php
index 59a726c5..05485018 100644
--- a/swap_roles.php
+++ b/swap_roles.php
@@ -40,10 +40,15 @@ if (!is_array($users_for_swap) || sizeof($users_for_swap) == 0) {
   header('Location: access_denied.php');
   exit();
 }
-
 if ($request->isPost()) {
-  $cl_id = $request->getParameter('swap_with');
+  $user_id = (int)$request->getParameter('swap_with');
+  $user_details = $user->getUser($user_id);
+  if (!$user_details) {
+    header('Location: access_denied.php');
+    exit();
+  }
 }
+// End of access checks.
 
 $form = new Form('swapForm');
 $form->addInput(array('type'=>'combobox','name'=>'swap_with','style'=>'width: 250px;','data'=>$users_for_swap,'datakeys'=>array('id','name')));
@@ -52,7 +57,7 @@ $form->addInput(array('type'=>'submit','name'=>'btn_cancel','value'=>$i18n->get(
 
 if ($request->isPost()) {
   if ($request->getParameter('btn_submit')) {
-    if (ttTeamHelper::swapRolesWith($cl_id)) {
+    if (ttTeamHelper::swapRolesWith($user_id)) {
       header('Location: users.php');
       exit();
     } else