From: Nik Okuntseff <support@anuko.com>
Date: Wed, 6 Mar 2019 22:12:43 +0000 (+0000)
Subject: Better protection against editing and deleting approved records.
X-Git-Tag: timetracker_1.19-1~214
X-Git-Url: http://wagnertech.de/git?a=commitdiff_plain;h=75f8d0ae1ade35bbe0b0efec6932cd55725ab152;p=timetracker.git

Better protection against editing and deleting approved records.
---

diff --git a/WEB-INF/lib/ttTimeHelper.class.php b/WEB-INF/lib/ttTimeHelper.class.php
index 2a47c741..b2bb2c07 100644
--- a/WEB-INF/lib/ttTimeHelper.class.php
+++ b/WEB-INF/lib/ttTimeHelper.class.php
@@ -676,7 +676,7 @@ class ttTimeHelper {
       " TIME_FORMAT(sec_to_time(time_to_sec(l.start) + time_to_sec(l.duration)), $sql_time_format) as finish,".
       " TIME_FORMAT(l.duration, '%k:%i') as duration,".
       " p.name as project_name, t.name as task_name, l.comment, l.client_id, l.project_id, l.task_id,".
-      " l.timesheet_id, l.invoice_id, l.billable, l.paid, l.date from tt_log l".
+      " l.timesheet_id, l.invoice_id, l.billable, l.approved, l.paid, l.date from tt_log l".
       " left join tt_projects p on (p.id = l.project_id)".
       " left join tt_tasks t on (t.id = l.task_id)".
       " where l.id = $id and l.user_id = $user_id and l.group_id = $group_id and l.org_id = $org_id and l.status = 1";
diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl
index ff57292b..08935c6d 100644
--- a/WEB-INF/templates/footer.tpl
+++ b/WEB-INF/templates/footer.tpl
@@ -12,7 +12,7 @@
       <br>
       <table cellspacing="0" cellpadding="4" width="100%" border="0">
         <tr>
-          <td align="center">&nbsp;Anuko Time Tracker 1.18.53.4830 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
+          <td align="center">&nbsp;Anuko Time Tracker 1.18.53.4831 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
             <a href="https://www.anuko.com/lp/tt_4.htm" target="_blank">{$i18n.footer.credits}</a> |
             <a href="https://www.anuko.com/lp/tt_5.htm" target="_blank">{$i18n.footer.license}</a> |
             <a href="https://www.anuko.com/lp/tt_7.htm" target="_blank">{$i18n.footer.improve}</a>
diff --git a/mobile/time_delete.php b/mobile/time_delete.php
index 1b122fb9..a68da767 100644
--- a/mobile/time_delete.php
+++ b/mobile/time_delete.php
@@ -39,8 +39,8 @@ if (!ttAccessAllowed('track_own_time')) {
 }
 $cl_id = (int)$request->getParameter('id');
 $time_rec = ttTimeHelper::getRecord($cl_id);
-if (!$time_rec || $time_rec['timesheet_id'] || $time_rec['invoice_id']) {
-  // Prohibit deleting not ours, or assigned to timesheet, or invoiced records.
+if (!$time_rec || $time_rec['approved'] || $time_rec['timesheet_id'] || $time_rec['invoice_id']) {
+  // Prohibit deleting not ours, approved, assigned to timesheet, or invoiced records.
   header('Location: access_denied.php');
   exit();
 }
diff --git a/mobile/time_edit.php b/mobile/time_edit.php
index 1f8f7de9..e81f693c 100644
--- a/mobile/time_edit.php
+++ b/mobile/time_edit.php
@@ -41,8 +41,8 @@ if (!ttAccessAllowed('track_own_time')) {
 }
 $cl_id = (int)$request->getParameter('id');
 $time_rec = ttTimeHelper::getRecord($cl_id);
-if (!$time_rec || $time_rec['timesheet_id'] || $time_rec['invoice_id']) {
-  // Prohibit editing not ours, or assigned to timesheet, or invoiced records.
+if (!$time_rec || $time_rec['approved'] || $time_rec['timesheet_id'] || $time_rec['invoice_id']) {
+  // Prohibit editing not ours, approved, assigned to timesheet, or invoiced records.
   header('Location: access_denied.php');
   exit();
 }
diff --git a/time_delete.php b/time_delete.php
index e83630ed..a7b802b6 100644
--- a/time_delete.php
+++ b/time_delete.php
@@ -39,8 +39,8 @@ if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) {
 }
 $cl_id = (int)$request->getParameter('id');
 $time_rec = ttTimeHelper::getRecord($cl_id);
-if (!$time_rec || $time_rec['timesheet_id'] || $time_rec['invoice_id']) {
-  // Prohibit deleting not ours, or assigned to timesheet, or invoiced records.
+if (!$time_rec || $time_rec['approved'] || $time_rec['timesheet_id'] || $time_rec['invoice_id']) {
+  // Prohibit deleting not ours, approved, assigned to timesheet, or invoiced records.
   header('Location: access_denied.php');
   exit();
 }
diff --git a/time_edit.php b/time_edit.php
index 23cc63d5..ef45226b 100644
--- a/time_edit.php
+++ b/time_edit.php
@@ -41,8 +41,8 @@ if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) {
 }
 $cl_id = (int)$request->getParameter('id');
 $time_rec = ttTimeHelper::getRecord($cl_id);
-if (!$time_rec || $time_rec['timesheet_id'] || $time_rec['invoice_id']) {
-  // Prohibit editing not ours, or assigned to timesheet, or invoiced records.
+if (!$time_rec || $time_rec['approved'] || $time_rec['timesheet_id'] || $time_rec['invoice_id']) {
+  // Prohibit editing not ours, approved, assigned to timesheet, or invoiced records.
   header('Location: access_denied.php');
   exit();
 }