From: Nik Okuntseff Date: Fri, 7 Dec 2018 22:42:31 +0000 (+0000) Subject: Improved access checks in notifications config. X-Git-Tag: timetracker_1.19-1~455 X-Git-Url: http://wagnertech.de/git?a=commitdiff_plain;h=35a538725eb9bc8a651a012a7bccc546aa22e6b2;p=timetracker.git Improved access checks in notifications config. --- diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl index bdd2fd61..bf2c3a05 100644 --- a/WEB-INF/templates/footer.tpl +++ b/WEB-INF/templates/footer.tpl @@ -12,7 +12,7 @@
- - + diff --git a/notification_add.php b/notification_add.php index e30970af..f1221117 100644 --- a/notification_add.php +++ b/notification_add.php @@ -42,11 +42,24 @@ if (!$user->isPluginEnabled('no')) { header('Location: feature_disabled.php'); exit(); } +if (!$user->exists()) { + header('Location: access_denied.php'); // No users in subgroup. + exit(); +} +if ($request->isPost()) { + // TODO: improve this, perhaps by refactoring elsewhere. + $cl_fav_report = (int) $request->getParameter('fav_report'); + $fav_report = ttFavReportHelper::getReport($cl_fav_report); + if ($user->getUser() != $fav_report['user_id']) { + header('Location: access_denied.php'); // Invalid fav report id in post. + exit(); + } +} +// End of access checks. -$fav_reports = ttFavReportHelper::getReports($user->id); +$fav_reports = ttFavReportHelper::getReports($user->getUser()); if ($request->isPost()) { - $cl_fav_report = trim($request->getParameter('fav_report')); $cl_cron_spec = trim($request->getParameter('cron_spec')); $cl_email = trim($request->getParameter('email')); $cl_cc = trim($request->getParameter('cc')); @@ -86,7 +99,6 @@ if ($request->isPost()) { $next = tdCron::getNextOccurrence($cl_cron_spec, mktime()); if (ttNotificationHelper::insert(array( - 'group_id' => $user->group_id, 'cron_spec' => $cl_cron_spec, 'next' => $next, 'report_id' => $cl_fav_report, diff --git a/notification_delete.php b/notification_delete.php index b18ac614..c1f0785e 100644 --- a/notification_delete.php +++ b/notification_delete.php @@ -39,9 +39,18 @@ if (!$user->isPluginEnabled('no')) { header('Location: feature_disabled.php'); exit(); } - +if (!$user->exists()) { + header('Location: access_denied.php'); // No users in subgroup. + exit(); +} $cl_notification_id = (int)$request->getParameter('id'); $notification = ttNotificationHelper::get($cl_notification_id); +if (!$notification) { + header('Location: access_denied.php'); // Wrong notification id. + exit(); +} +// End of access checks. + $notification_to_delete = $notification['name']; $form = new Form('notificationDeleteForm'); @@ -51,12 +60,9 @@ $form->addInput(array('type'=>'submit','name'=>'btn_cancel','value'=>$i18n->get( if ($request->isPost()) { if ($request->getParameter('btn_delete')) { - if(ttNotificationHelper::get($cl_notification_id)) { - if (ttNotificationHelper::delete($cl_notification_id)) { - header('Location: notifications.php'); - exit(); - } else - $err->add($i18n->get('error.db')); + if (ttNotificationHelper::delete($cl_notification_id)) { + header('Location: notifications.php'); + exit(); } else $err->add($i18n->get('error.db')); } elseif ($request->getParameter('btn_cancel')) { diff --git a/notification_edit.php b/notification_edit.php index 7442305a..de09f75e 100644 --- a/notification_edit.php +++ b/notification_edit.php @@ -42,12 +42,30 @@ if (!$user->isPluginEnabled('no')) { header('Location: feature_disabled.php'); exit(); } +if (!$user->exists()) { + header('Location: access_denied.php'); // No users in subgroup. + exit(); +} +$notification_id = (int)$request->getParameter('id'); +$notification = ttNotificationHelper::get($notification_id); +if (!$notification) { + header('Location: access_denied.php'); // Wrong notification id. + exit(); +} +if ($request->isPost()) { + // TODO: improve this, perhaps by refactoring elsewhere. + $cl_fav_report = (int) $request->getParameter('fav_report'); + $fav_report = ttFavReportHelper::getReport($cl_fav_report); + if ($user->getUser() != $fav_report['user_id']) { + header('Location: access_denied.php'); // Invalid fav report id in post. + exit(); + } +} +// End of access checks. -$notification_id = (int) $request->getParameter('id'); -$fav_reports = ttFavReportHelper::getReports($user->id); +$fav_reports = ttFavReportHelper::getReports($user->getUser()); if ($request->isPost()) { - $cl_fav_report = trim($request->getParameter('fav_report')); $cl_cron_spec = trim($request->getParameter('cron_spec')); $cl_email = trim($request->getParameter('email')); $cl_cc = trim($request->getParameter('cc')); diff --git a/notifications.php b/notifications.php index d70f5b48..7fe0e11d 100644 --- a/notifications.php +++ b/notifications.php @@ -39,6 +39,14 @@ if (!$user->isPluginEnabled('no')) { header('Location: feature_disabled.php'); exit(); } +if (!$user->exists()) { + header('Location: access_denied.php'); // No users in subgroup. + exit(); +} +// End of access checks. + +// TODO: extend and re-design notifications. +// Currently they only work with fav reports, which are bound to users. $form = new Form('notificationsForm'); diff --git a/plugins.php b/plugins.php index e036c173..a19c1e12 100644 --- a/plugins.php +++ b/plugins.php @@ -174,6 +174,7 @@ if ($request->isPost() && $request->getParameter('btn_save')) { $smarty->assign('forms', array($form->getName()=>$form->toArray())); $smarty->assign('onload', 'onLoad="handlePluginCheckboxes();"'); +$smarty->assign('user_exists', $user->exists()); $smarty->assign('title', $i18n->get('title.plugins')); $smarty->assign('content_page_name', 'plugins.tpl'); $smarty->display('index.tpl'); diff --git a/user_add.php b/user_add.php index 8a507e9e..9fa61129 100644 --- a/user_add.php +++ b/user_add.php @@ -157,7 +157,13 @@ if ($request->isPost()) { 'client_id' => $cl_client_id, 'projects' => $assigned_projects, 'email' => $cl_email); - if (ttUserHelper::insert($fields)) { + $user_id = ttUserHelper::insert($fields); + if ($user_id) { + if (!$user->exists()) { + // We added a user to an empty subgroup. Set new user as on behalf user. + // Needed for user-based things to work (such as notifications config). + $user->setOnBehalfUser($user_id); + } header('Location: users.php'); exit(); } else
 Anuko Time Tracker 1.18.29.4609 | Copyright © Anuko | +  Anuko Time Tracker 1.18.29.4610 | Copyright © Anuko | {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve} diff --git a/WEB-INF/templates/plugins.tpl b/WEB-INF/templates/plugins.tpl index d31bb841..6b88725b 100644 --- a/WEB-INF/templates/plugins.tpl +++ b/WEB-INF/templates/plugins.tpl @@ -123,7 +123,7 @@ function handlePluginCheckboxes() {
{$forms.pluginsForm.notifications.control} {$i18n.label.configure} {if $user_exists}{$i18n.label.configure}{/if}
{$forms.pluginsForm.locking.control}