From: Nik Okuntseff
Date: Sat, 24 Mar 2018 18:05:53 +0000 (+0000)
Subject: Some refactoring of access checks - in progress.
X-Git-Tag: timetracker_1.19-1~952
X-Git-Url: http://wagnertech.de/git?a=commitdiff_plain;h=4dcb88a76a3de466ee6116ae0852f53ba2b259a5;p=timetracker.git
Some refactoring of access checks - in progress.
---
diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl
index 2403c2b2..8b84e12b 100644
--- a/WEB-INF/templates/footer.tpl
+++ b/WEB-INF/templates/footer.tpl
@@ -12,7 +12,7 @@
-
 Anuko Time Tracker 1.17.69.4155 | Copyright © Anuko | +  Anuko Time Tracker 1.17.69.4156 | Copyright © Anuko | {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve} diff --git a/client_add.php b/client_add.php index c0526e51..5ae5997f 100644 --- a/client_add.php +++ b/client_add.php @@ -31,11 +31,15 @@ import('form.Form'); import('ttClientHelper'); import('ttTeamHelper'); -// Access check. -if (!ttAccessAllowed('manage_clients') || !$user->isPluginEnabled('cl')) { +// Access checks. +if (!ttAccessAllowed('manage_clients')) { header('Location: access_denied.php'); exit(); } +if (!$user->isPluginEnabled('cl')) { + header('Location: feature_disabled.php'); + exit(); +} $projects = ttTeamHelper::getActiveProjects($user->team_id); diff --git a/client_delete.php b/client_delete.php index b162ea84..22ae9d4a 100644 --- a/client_delete.php +++ b/client_delete.php @@ -30,11 +30,15 @@ require_once('initialize.php'); import('form.Form'); import('ttClientHelper'); -// Access check. -if (!ttAccessAllowed('manage_clients') || !$user->isPluginEnabled('cl')) { +// Access checks. +if (!ttAccessAllowed('manage_clients')) { header('Location: access_denied.php'); exit(); } +if (!$user->isPluginEnabled('cl')) { + header('Location: feature_disabled.php'); + exit(); +} $id = (int)$request->getParameter('id'); $client = ttClientHelper::getClient($id); diff --git a/client_edit.php b/client_edit.php index 05203237..b74fb315 100644 --- a/client_edit.php +++ b/client_edit.php @@ -31,11 +31,15 @@ import('form.Form'); import('ttClientHelper'); import('ttTeamHelper'); -// Access check. -if (!ttAccessAllowed('manage_clients') || !$user->isPluginEnabled('cl')) { +// Access checks. +if (!ttAccessAllowed('manage_clients')) { header('Location: access_denied.php'); exit(); } +if (!$user->isPluginEnabled('cl')) { + header('Location: feature_disabled.php'); + exit(); +} $cl_id = (int) $request->getParameter('id'); diff --git a/clients.php b/clients.php index 89b5c4a3..6ac6f5a1 100644 
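Review bot: The split check in client_add.php depends on its order, and the new lines do not say so. The right is tested before the plugin flag, so a caller without `manage_clients` always gets access_denied.php and cannot learn from the redirect whether the 'cl' plugin is enabled. A comment above the first `if`, such as `// Right first, plugin second: callers without the right must not learn plugin state.`, would stop a later edit from swapping the two. The same block is pasted into client_delete.php, client_edit.php and the other pages touched by this commit; a shared helper taking the right(s) and the plugin code would keep the copies from drifting apart.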
--- a/clients.php
+++ b/clients.php
@@ -30,11 +30,15 @@ require_once('initialize.php');
 import('form.Form');
 import('ttTeamHelper');
-// Access check.
-if (!ttAccessAllowed('manage_clients') || !$user->isPluginEnabled('cl')) {
+// Access checks.
+if (!ttAccessAllowed('manage_clients')) {
 header('Location: access_denied.php');
 exit();
 }
+if (!$user->isPluginEnabled('cl')) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $smarty->assign('active_clients', ttTeamHelper::getActiveClients($user->team_id, true));
 $smarty->assign('inactive_clients', ttTeamHelper::getInactiveClients($user->team_id, true));
diff --git a/expense_delete.php b/expense_delete.php
index 06c9690b..42a6add8 100644
--- a/expense_delete.php
+++ b/expense_delete.php
@@ -31,11 +31,17 @@ import('form.Form');
 import('DateAndTime');
 import('ttExpenseHelper');
-// Access check.
-if (!ttAccessAllowed('track_own_expenses') || !$user->isPluginEnabled('ex')) {
+// Access checks.
+if (!(ttAccessAllowed('track_own_expenses') || ttAccessAllowed('track_expenses'))) {
 header('Location: access_denied.php');
 exit();
 }
+if (!$user->isPluginEnabled('ex')) {
+ header('Location: feature_disabled.php');
+ exit();
+}
+
+
 $cl_id = $request->getParameter('id');
 $expense_item = ttExpenseHelper::getItem($cl_id, $user->getActiveUser());
diff --git a/expense_edit.php b/expense_edit.php
index 9ea7c649..15cfcfaf 100644
--- a/expense_edit.php
+++ b/expense_edit.php
@@ -32,11 +32,15 @@ import('ttTeamHelper');
 import('DateAndTime');
 import('ttExpenseHelper');
-// Access check.
-if (!ttAccessAllowed('track_own_expenses') || !$user->isPluginEnabled('ex')) {
+// Access checks.
+if (!(ttAccessAllowed('track_own_expenses') || ttAccessAllowed('track_expenses'))) {
 header('Location: access_denied.php');
 exit();
 }
+if (!$user->isPluginEnabled('ex')) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $cl_id = $request->getParameter('id');
diff --git a/expenses.php b/expenses.php
index bb769481..00b43179 100644
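Review bot: The gate in expense_delete.php now also admits `track_expenses`, which leaves `ttExpenseHelper::getItem($cl_id, $user->getActiveUser())` as the only per-record check in view. That holds only if getActiveUser() returns another user solely when the caller really holds `track_expenses`; this should be confirmed and stated in a comment, because a caller with only `track_own_expenses` passes the same page gate. `$cl_id` also reaches getItem() without the cast that client_delete.php applies; `$cl_id = (int)$request->getParameter('id');` would match it, and whether getItem() escapes the value is not visible here. The two blank `+` lines after the plugin check look accidental. The widened gate and uncast id also appear in expense_edit.php, and the widened gate in expenses.php and mobile/expenses.php; the page bodies continue outside these hunks.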
--- a/expenses.php
+++ b/expenses.php
@@ -33,11 +33,15 @@ import('ttTeamHelper');
 import('DateAndTime');
 import('ttExpenseHelper');
-// Access check.
-if (!ttAccessAllowed('track_own_expenses') || !$user->isPluginEnabled('ex')) {
+// Access checks.
+if (!(ttAccessAllowed('track_own_expenses') || ttAccessAllowed('track_expenses'))) {
 header('Location: access_denied.php');
 exit();
 }
+if (!$user->isPluginEnabled('ex')) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 // Initialize and store date in session.
 $cl_date = $request->getParameter('date', @$_SESSION['date']);
diff --git a/index.php b/index.php
index 51e1e016..fd4dde8e 100644
--- a/index.php
+++ b/index.php
@@ -30,7 +30,7 @@ require_once('initialize.php');
 // Redirects for admin and client roles.
 if ($auth->isAuthenticated()) {
- if ($user->isAdmin()) {
+ if ($user->can('administer_site')) {
 header('Location: admin_teams.php');
 exit();
 } elseif ($user->isClient()) {
diff --git a/invoice_add.php b/invoice_add.php
index ed0a8c52..5267056c 100644
--- a/invoice_add.php
+++ b/invoice_add.php
@@ -31,11 +31,15 @@ import('form.Form');
 import('ttTeamHelper');
 import('ttInvoiceHelper');
-// Access check.
-if (!ttAccessAllowed('manage_invoices') || !$user->isPluginEnabled('iv')) {
+// Access checks.
+if (!ttAccessAllowed('manage_invoices')) {
 header('Location: access_denied.php');
 exit();
 }
+if (!$user->isPluginEnabled('iv')) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 if ($request->isPost()) {
 $cl_date = $request->getParameter('date');
diff --git a/invoice_delete.php b/invoice_delete.php
index 29160ba5..2bca58ce 100644
--- a/invoice_delete.php
+++ b/invoice_delete.php
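Review bot: The redirect chain in index.php now mixes two models: the first branch asks for a right with `can('administer_site')`, while the `elseif` still asks for a role with `isClient()`. While the refactoring is in progress, an account for which both are true is routed purely by branch order, and the comment above still describes the decision as role-based. Either convert the second branch to a right as well or reword the comment, e.g. `// Redirect by right first, then by client role.`. login.php and password_change.php carry the same pair of branches; this redirect is only navigation, so admin_teams.php must keep its own check.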
@@ -30,11 +30,15 @@ require_once('initialize.php');
 import('form.Form');
 import('ttInvoiceHelper');
-// Access check.
-if (!ttAccessAllowed('manage_invoices') || !$user->isPluginEnabled('iv')) {
+// Access checks.
+if (!ttAccessAllowed('manage_invoices')) {
 header('Location: access_denied.php');
 exit();
 }
+if (!$user->isPluginEnabled('iv')) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $cl_invoice_id = (int)$request->getParameter('id');
 $invoice = ttInvoiceHelper::getInvoice($cl_invoice_id);
diff --git a/invoice_send.php b/invoice_send.php
index 2c0894a3..f0e30bc4 100644
--- a/invoice_send.php
+++ b/invoice_send.php
@@ -31,11 +31,15 @@ import('form.Form');
 import('ttInvoiceHelper');
 import('ttSysConfig');
-// Access check.
-if (!(ttAccessAllowed('manage_invoices') || ttAccessAllowed('view_own_invoices')) || !$user->isPluginEnabled('iv')) {
+// Access checks.
+if (!(ttAccessAllowed('manage_invoices') || ttAccessAllowed('view_own_invoices'))) {
 header('Location: access_denied.php');
 exit();
 }
+if (!$user->isPluginEnabled('iv')) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $cl_invoice_id = (int)$request->getParameter('id');
 $invoice = ttInvoiceHelper::getInvoice($cl_invoice_id);
diff --git a/invoice_view.php b/invoice_view.php
index 3715b80a..62f0cbbf 100644
--- a/invoice_view.php
+++ b/invoice_view.php
@@ -32,11 +32,15 @@ import('ttInvoiceHelper');
 import('ttClientHelper');
 import('form.Form');
-// Access check.
-if (!(ttAccessAllowed('manage_invoices') || ttAccessAllowed('view_own_invoices')) || !$user->isPluginEnabled('iv')) {
+// Access checks.
+if (!(ttAccessAllowed('manage_invoices') || ttAccessAllowed('view_own_invoices'))) {
 header('Location: access_denied.php');
 exit();
 }
+if (!$user->isPluginEnabled('iv')) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $cl_id = (int)$request->getParameter('id');
 $invoice = ttInvoiceHelper::getInvoice($cl_id);
diff --git a/invoices.php b/invoices.php
index a03579b0..1723a8d1 100644
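Review bot: The page gate in invoice_send.php accepts `view_own_invoices` as well as `manage_invoices`, yet the last visible line loads the invoice purely by the request-supplied id with `ttInvoiceHelper::getInvoice($cl_invoice_id)`. Nothing in the hunk ties the returned invoice to the caller's team or client, so the "own" part of the right has to be enforced further down or inside getInvoice(); neither is visible here. Since this commit is restructuring the checks, a comment after the plugin check such as `// Page-level gate only: ownership of the invoice must be verified after getInvoice().` would record that requirement. invoice_view.php has the same gate and lookup, and the body of each page continues outside the hunk.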
--- a/invoices.php
+++ b/invoices.php
@@ -30,11 +30,15 @@ require_once('initialize.php');
 import('form.Form');
 import('ttTeamHelper');
-// Access check.
-if (!(ttAccessAllowed('manage_invoices') || ttAccessAllowed('view_own_invoices')) || !$user->isPluginEnabled('iv')) {
+// Access checks.
+if (!(ttAccessAllowed('manage_invoices') || ttAccessAllowed('view_own_invoices'))) {
 header('Location: access_denied.php');
 exit();
 }
+if (!$user->isPluginEnabled('iv')) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $invoices = ttTeamHelper::getActiveInvoices();
diff --git a/locking.php b/locking.php
index 8a6f4304..2b49b837 100644
--- a/locking.php
+++ b/locking.php
@@ -30,11 +30,15 @@ require_once('initialize.php');
 import('form.Form');
 import('ttTeamHelper');
-// Access check.
-if (!ttAccessAllowed('manage_advanced_settings') || !$user->isPluginEnabled('lk')) {
+// Access checks.
+if (!ttAccessAllowed('manage_advanced_settings')) {
 header('Location: access_denied.php');
 exit();
 }
+if (!$user->isPluginEnabled('lk')) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $cl_lock_spec = $request->isPost() ? $request->getParameter('lock_spec') : $user->lock_spec;
diff --git a/login.php b/login.php
index e246e0a5..a3345d0e 100644
--- a/login.php
+++ b/login.php
@@ -62,7 +62,7 @@ if ($request->isPost()) {
 $user = new ttUser(null, $auth->getUserId());
 // Redirect, depending on user role.
- if ($user->isAdmin()) {
+ if ($user->can('administer_site')) {
 header('Location: admin_teams.php');
 } elseif ($user->isClient()) {
 header('Location: reports.php');
diff --git a/mobile/expenses.php b/mobile/expenses.php
index 934c63a7..f0fc5c30 100644
--- a/mobile/expenses.php
+++ b/mobile/expenses.php
@@ -33,11 +33,15 @@ import('ttTeamHelper'); import('DateAndTime'); import('ttExpenseHelper'); -// Access check. -if (!ttAccessAllowed('track_own_expenses') || !$user->isPluginEnabled('ex')) { +// Access checks. +if (!(ttAccessAllowed('track_own_expenses') || ttAccessAllowed('track_expenses'))) { header('Location: access_denied.php'); exit(); } +if (!$user->isPluginEnabled('ex')) { + header('Location: feature_disabled.php'); + exit(); +} // Initialize and store date in session. $cl_date = $request->getParameter('date', @$_SESSION['date']); diff --git a/mobile/feature_disabled.php b/mobile/feature_disabled.php new file mode 100644 index 00000000..cf399568 --- /dev/null +++ b/mobile/feature_disabled.php @@ -0,0 +1,36 @@ +add($i18n->get('error.feature_disabled')); +if ($auth->isAuthenticated()) $smarty->assign('authenticated', true); // Used in header.tpl for menu display. + +$smarty->assign('title', $i18n->get('label.error')); +$smarty->assign('content_page_name', 'mobile/access_denied.tpl'); +$smarty->display('mobile/index.tpl'); diff --git a/mysql.sql b/mysql.sql index df34b775..ebe59936 100644 --- a/mysql.sql +++ b/mysql.sql 
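Review bot: The new mobile/feature_disabled.php sets `content_page_name` to 'mobile/access_denied.tpl', which reads like a copy-paste slip unless that template only prints the collected errors. If the reuse is intended, a comment on that line such as `// access_denied.tpl only renders $err, so both error pages share it.` would say so; this is inferred, because the template is not part of the diff. Most of the 36 added lines are missing from this view, so the licence header and the includes could not be checked.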
@@ -13,32 +13,32 @@
 # This table stores settings common to all team members such as language, week start day, etc.
 #
 CREATE TABLE `tt_teams` (
- `id` int(11) NOT NULL auto_increment, # team id
- `name` varchar(80) default NULL, # team name
- `currency` varchar(7) default NULL, # team currency symbol
- `decimal_mark` char(1) NOT NULL default '.', # separator in decimals
- `lang` varchar(10) NOT NULL default 'en', # language
- `date_format` varchar(20) NOT NULL default '%Y-%m-%d', # date format
- `time_format` varchar(20) NOT NULL default '%H:%M', # time format
- `week_start` smallint(2) NOT NULL default 0, # Week start day, 0 == Sunday.
- `tracking_mode` smallint(2) NOT NULL default 1, # tracking mode ("time", "projects" or "projects and tasks")
- `project_required` smallint(2) NOT NULL default 0, # whether a project selection is required or optional
- `task_required` smallint(2) NOT NULL default 0, # whether a task selection is required or optional
- `record_type` smallint(2) NOT NULL default 0, # time record type ("start and finish", "duration", or both)
- `bcc_email` varchar(100) default NULL, # bcc email to copy all reports to
- `plugins` varchar(255) default NULL, # a list of enabled plugins for team
- `lock_spec` varchar(255) default NULL, # Cron specification for record locking,
- # for example: "0 10 * * 1" for "weekly on Mon at 10:00".
- `workday_minutes` smallint(4) default 480, # number of work minutes in a regular working day
- `custom_logo` tinyint(4) default 0, # whether to use a custom logo or not
- `config` text default NULL, # miscellaneous team configuration settings
- `created` datetime default NULL, # creation timestamp
- `created_ip` varchar(45) default NULL, # creator ip
- `created_by` int(11) default NULL, # creator user_id
- `modified` datetime default NULL, # modification timestamp
- `modified_ip` varchar(45) default NULL, # modifier ip
- `modified_by` int(11) default NULL, # modifier user_id
- `status` tinyint(4) default 1, # team status
+ `id` int(11) NOT NULL auto_increment, # team id
+ `name` varchar(80) default NULL, # team name
+ `currency` varchar(7) default NULL, # team currency symbol
+ `decimal_mark` char(1) NOT NULL default '.', # separator in decimals
+ `lang` varchar(10) NOT NULL default 'en', # language
+ `date_format` varchar(20) NOT NULL default '%Y-%m-%d', # date format
+ `time_format` varchar(20) NOT NULL default '%H:%M', # time format
+ `week_start` smallint(2) NOT NULL default 0, # Week start day, 0 == Sunday.
+ `tracking_mode` smallint(2) NOT NULL default 1, # tracking mode ("time", "projects" or "projects and tasks")
+ `project_required` smallint(2) NOT NULL default 0, # whether a project selection is required or optional
+ `task_required` smallint(2) NOT NULL default 0, # whether a task selection is required or optional
+ `record_type` smallint(2) NOT NULL default 0, # time record type ("start and finish", "duration", or both)
+ `bcc_email` varchar(100) default NULL, # bcc email to copy all reports to
+ `plugins` varchar(255) default NULL, # a list of enabled plugins for team
+ `lock_spec` varchar(255) default NULL, # Cron specification for record locking,
+ # for example: "0 10 * * 1" for "weekly on Mon at 10:00".
+ `workday_minutes` smallint(4) default 480, # number of work minutes in a regular working day
+ `custom_logo` tinyint(4) default 0, # whether to use a custom logo or not
+ `config` text default NULL, # miscellaneous team configuration settings
+ `created` datetime default NULL, # creation timestamp
+ `created_ip` varchar(45) default NULL, # creator ip
+ `created_by` int(11) default NULL, # creator user_id
+ `modified` datetime default NULL, # modification timestamp
+ `modified_ip` varchar(45) default NULL, # modifier ip
+ `modified_by` int(11) default NULL, # modifier user_id
+ `status` tinyint(4) default 1, # team status
 PRIMARY KEY (`id`)
 );
diff --git a/notification_add.php b/notification_add.php
index 6d0e4d31..7dd680ff 100644
--- a/notification_add.php
+++ b/notification_add.php
@@ -33,11 +33,15 @@ import('form.Form');
 import('ttFavReportHelper');
 import('ttNotificationHelper');
-// Access check.
-if (!ttAccessAllowed('manage_advanced_settings') || !$user->isPluginEnabled('no')) {
+// Access checks.
+if (!ttAccessAllowed('manage_advanced_settings')) {
 header('Location: access_denied.php');
 exit();
 }
+if (!$user->isPluginEnabled('no')) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $fav_reports = ttFavReportHelper::getReports($user->id);
diff --git a/notification_delete.php b/notification_delete.php
index 46de065d..b18ac614 100644
--- a/notification_delete.php
+++ b/notification_delete.php
@@ -30,11 +30,15 @@ require_once('initialize.php');
 import('form.Form');
 import('ttNotificationHelper');
-// Access check.
-if (!ttAccessAllowed('manage_advanced_settings') || !$user->isPluginEnabled('no')) {
+// Access checks.
+if (!ttAccessAllowed('manage_advanced_settings')) {
 header('Location: access_denied.php');
 exit();
 }
+if (!$user->isPluginEnabled('no')) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $cl_notification_id = (int)$request->getParameter('id');
 $notification = ttNotificationHelper::get($cl_notification_id);
diff --git a/notification_edit.php b/notification_edit.php
index 43179828..1c36865f 100644
--- a/notification_edit.php
+++ b/notification_edit.php
@@ -33,11 +33,15 @@ import('form.Form');
 import('ttFavReportHelper');
 import('ttNotificationHelper');
-// Access check.
-if (!ttAccessAllowed('manage_advanced_settings') || !$user->isPluginEnabled('no')) {
+// Access checks.
+if (!ttAccessAllowed('manage_advanced_settings')) {
 header('Location: access_denied.php');
 exit();
 }
+if (!$user->isPluginEnabled('no')) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $notification_id = (int) $request->getParameter('id');
 $fav_reports = ttFavReportHelper::getReports($user->id);
diff --git a/notifications.php b/notifications.php
index c03378d2..6dcf33fd 100644
--- a/notifications.php
+++ b/notifications.php
@@ -30,11 +30,15 @@ require_once('initialize.php');
 import('form.Form');
 import('ttTeamHelper');
-// Access check.
-if (!ttAccessAllowed('manage_advanced_settings') || !$user->isPluginEnabled('no')) {
+// Access checks.
+if (!ttAccessAllowed('manage_advanced_settings')) {
 header('Location: access_denied.php');
 exit();
 }
+if (!$user->isPluginEnabled('no')) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $form = new Form('notificationsForm');
diff --git a/password_change.php b/password_change.php
index bcbd5f4a..832118f6 100644
--- a/password_change.php
+++ b/password_change.php
@@ -82,7 +82,7 @@ if ($request->isPost()) {
 if ($auth->doLogin($user->login, $cl_password1)) {
 setcookie('tt_login', $user->login, time() + COOKIE_EXPIRE, '/');
 // Redirect, depending on user role.
- if ($user->isAdmin()) {
+ if ($user->can('administer_site')) {
 header('Location: admin_teams.php');
 } elseif ($user->isClient()) {
 header('Location: reports.php');