From: Nik Okuntseff Date: Wed, 6 Mar 2019 22:12:43 +0000 (+0000) Subject: Better protection against editing and deleting approved records. X-Git-Tag: timetracker_1.19-1~214 X-Git-Url: http://wagnertech.de/git?a=commitdiff_plain;h=75f8d0ae1ade35bbe0b0efec6932cd55725ab152;p=timetracker.git Better protection against editing and deleting approved records.
---
diff --git a/WEB-INF/lib/ttTimeHelper.class.php b/WEB-INF/lib/ttTimeHelper.class.php
index 2a47c741..b2bb2c07 100644
--- a/WEB-INF/lib/ttTimeHelper.class.php
+++ b/WEB-INF/lib/ttTimeHelper.class.php
@@ -676,7 +676,7 @@ class ttTimeHelper {
 " TIME_FORMAT(sec_to_time(time_to_sec(l.start) + time_to_sec(l.duration)), $sql_time_format) as finish,".
 " TIME_FORMAT(l.duration, '%k:%i') as duration,".
 " p.name as project_name, t.name as task_name, l.comment, l.client_id, l.project_id, l.task_id,".
- " l.timesheet_id, l.invoice_id, l.billable, l.paid, l.date from tt_log l".
+ " l.timesheet_id, l.invoice_id, l.billable, l.approved, l.paid, l.date from tt_log l".
 " left join tt_projects p on (p.id = l.project_id)".
 " left join tt_tasks t on (t.id = l.task_id)".
 " where l.id = $id and l.user_id = $user_id and l.group_id = $group_id and l.org_id = $org_id and l.status = 1";
diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl
index ff57292b..08935c6d 100644
--- a/WEB-INF/templates/footer.tpl
+++ b/WEB-INF/templates/footer.tpl
@@ -12,7 +12,7 @@
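Review bot: The new `l.approved` column becomes a key of the row array getRecord() returns, but nothing documents that callers are expected to gate edits and deletes on it; the method's docblock (the method starts above this hunk) should list the keys of the returned row and mark `approved`, `timesheet_id` and `invoice_id` as the lock flags that callers must honour. The surrounding query interpolates `$id`, `$user_id`, `$group_id` and `$org_id` straight into the SQL string; the callers in this commit cast `id` with `(int)`, but the method itself appears to rely on that, so an `(int)` cast of `$id` inside the method — or a prepared statement — would make the lookup safe regardless of caller. The enclosing method starts and ends outside the hunk.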
-
 Anuko Time Tracker 1.18.53.4830 | Copyright © Anuko | +  Anuko Time Tracker 1.18.53.4831 | Copyright © Anuko | {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve}
diff --git a/mobile/time_delete.php b/mobile/time_delete.php
index 1b122fb9..a68da767 100644
--- a/mobile/time_delete.php
+++ b/mobile/time_delete.php
@@ -39,8 +39,8 @@ if (!ttAccessAllowed('track_own_time')) {
 }
 $cl_id = (int)$request->getParameter('id');
 $time_rec = ttTimeHelper::getRecord($cl_id);
-if (!$time_rec || $time_rec['timesheet_id'] || $time_rec['invoice_id']) {
- // Prohibit deleting not ours, or assigned to timesheet, or invoiced records.
+if (!$time_rec || $time_rec['approved'] || $time_rec['timesheet_id'] || $time_rec['invoice_id']) {
+ // Prohibit deleting not ours, approved, assigned to timesheet, or invoiced records.
 header('Location: access_denied.php');
 exit();
 }
diff --git a/mobile/time_edit.php b/mobile/time_edit.php
index 1f8f7de9..e81f693c 100644
--- a/mobile/time_edit.php
+++ b/mobile/time_edit.php
@@ -41,8 +41,8 @@ if (!ttAccessAllowed('track_own_time')) {
 }
 $cl_id = (int)$request->getParameter('id');
 $time_rec = ttTimeHelper::getRecord($cl_id);
-if (!$time_rec || $time_rec['timesheet_id'] || $time_rec['invoice_id']) {
- // Prohibit editing not ours, or assigned to timesheet, or invoiced records.
+if (!$time_rec || $time_rec['approved'] || $time_rec['timesheet_id'] || $time_rec['invoice_id']) {
+ // Prohibit editing not ours, approved, assigned to timesheet, or invoiced records.
 header('Location: access_denied.php');
 exit();
 }
diff --git a/time_delete.php b/time_delete.php
index e83630ed..a7b802b6 100644
--- a/time_delete.php
+++ b/time_delete.php 
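Review bot: The lock test `if (!$time_rec || $time_rec['approved'] || $time_rec['timesheet_id'] || $time_rec['invoice_id']) {` is copied verbatim into four entry scripts (this one, mobile/time_edit.php, time_delete.php and time_edit.php), and it fails open if getRecord() ever stops returning the `approved` key — an undefined index is only a notice that evaluates to null, so the record would silently become editable again. Moving the condition into one static helper on ttTimeHelper, for example a proposed `if (!$time_rec || ttTimeHelper::isLocked($time_rec)) {`, keeps the four scripts in sync and gives a single place to make the missing-key case deny rather than allow; the same helper could then be applied in the code path that performs the update or delete (not in this diff) so the protection no longer depends on each entry script remembering the check. The comment inside the `if` body explains the condition above it and reads better placed on the line before the `if`. The enclosing script continues beyond the hunk.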
@@ -39,8 +39,8 @@ if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) {
 }
 $cl_id = (int)$request->getParameter('id');
 $time_rec = ttTimeHelper::getRecord($cl_id);
-if (!$time_rec || $time_rec['timesheet_id'] || $time_rec['invoice_id']) {
- // Prohibit deleting not ours, or assigned to timesheet, or invoiced records.
+if (!$time_rec || $time_rec['approved'] || $time_rec['timesheet_id'] || $time_rec['invoice_id']) {
+ // Prohibit deleting not ours, approved, assigned to timesheet, or invoiced records.
 header('Location: access_denied.php');
 exit();
 }
diff --git a/time_edit.php b/time_edit.php
index 23cc63d5..ef45226b 100644
--- a/time_edit.php
+++ b/time_edit.php
@@ -41,8 +41,8 @@ if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) {
 }
 $cl_id = (int)$request->getParameter('id');
 $time_rec = ttTimeHelper::getRecord($cl_id);
-if (!$time_rec || $time_rec['timesheet_id'] || $time_rec['invoice_id']) {
- // Prohibit editing not ours, or assigned to timesheet, or invoiced records.
+if (!$time_rec || $time_rec['approved'] || $time_rec['timesheet_id'] || $time_rec['invoice_id']) {
+ // Prohibit editing not ours, approved, assigned to timesheet, or invoiced records.
 header('Location: access_denied.php');
 exit();
 }