From: Nik Okuntseff Date: Mon, 26 Mar 2018 13:14:51 +0000 (+0000) Subject: Improved getUserDetails to not return info for deleted users. X-Git-Tag: timetracker_1.19-1~936 X-Git-Url: http://wagnertech.de/git?a=commitdiff_plain;h=9339284bfdaba5a0c2a4e3c9fa000194a508d0bf;p=timetracker.git Improved getUserDetails to not return info for deleted users. --- diff --git a/WEB-INF/lib/ttUserHelper.class.php b/WEB-INF/lib/ttUserHelper.class.php index e4591ea4..583049bd 100644 --- a/WEB-INF/lib/ttUserHelper.class.php +++ b/WEB-INF/lib/ttUserHelper.class.php @@ -36,7 +36,7 @@ class ttUserHelper { global $user; $mdb2 = getConnection(); - $sql = "select u.*, r.rank from tt_users u left join tt_roles r on (u.role_id = r.id) where u.id = $user_id and u.team_id = $user->team_id"; + $sql = "select u.*, r.rank from tt_users u left join tt_roles r on (u.role_id = r.id) where u.id = $user_id and u.team_id = $user->team_id and u.status is not null"; $res = $mdb2->query($sql); if (!is_a($res, 'PEAR_Error')) { diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl index 7239c138..77e160e9 100644 --- a/WEB-INF/templates/footer.tpl +++ b/WEB-INF/templates/footer.tpl @@ -12,7 +12,7 @@
-
 Anuko Time Tracker 1.17.72.4170 | Copyright © Anuko | +  Anuko Time Tracker 1.17.72.4171 | Copyright © Anuko | {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve} diff --git a/mobile/user_delete.php b/mobile/user_delete.php index d8400456..0e045d01 100644 --- a/mobile/user_delete.php +++ b/mobile/user_delete.php @@ -45,7 +45,6 @@ $user_details = ttUserHelper::getUserDetails($user_id); // Security checks. if (!$user_details || // No details. - $user_details['team_id'] <> $user->team_id || // User not in team. $user_details['rank'] > $user->rank || // User has a bigger rank. ($user_details['rank'] == $user->rank && $user_details['id'] <> $user->id) // Same rank but not us. ) { diff --git a/mobile/user_edit.php b/mobile/user_edit.php index 285c3442..49781226 100644 --- a/mobile/user_edit.php +++ b/mobile/user_edit.php @@ -47,7 +47,6 @@ $user_details = ttUserHelper::getUserDetails($user_id); // Security checks. if (!$user_details || // No details. - $user_details['team_id'] <> $user->team_id || // User not in team. $user_details['rank'] > $user->rank || // User has a bigger rank. ($user_details['rank'] == $user->rank && $user_details['id'] <> $user->id) // Same rank but not us. ) { diff --git a/user_delete.php b/user_delete.php index a88454bf..b8ec5e9a 100644 --- a/user_delete.php +++ b/user_delete.php @@ -30,27 +30,24 @@ require_once('initialize.php'); import('form.Form'); import('ttUserHelper'); -// Access check. +// Access checks. if (!ttAccessAllowed('manage_users')) { header('Location: access_denied.php'); exit(); } - -// Get user id we are deleting from the request. +// Get user id we are deleting. // A cast to int is for safety against manipulation of request parameter (sql injection). $user_id = (int) $request->getParameter('id'); // We need user name and login to display. $user_details = ttUserHelper::getUserDetails($user_id); - -// Security checks. if (!$user_details || // No details. - $user_details['team_id'] <> $user->team_id || // User not in team. $user_details['rank'] > $user->rank || // User has a bigger rank. ($user_details['rank'] == $user->rank && $user_details['id'] <> $user->id) // Same rank but not us. ) { header('Location: access_denied.php'); exit(); } +// End of access checks. $smarty->assign('user_to_delete', $user_details['name']." (".$user_details['login'].")"); diff --git a/user_edit.php b/user_edit.php index 75d89e50..5ceac373 100644 --- a/user_edit.php +++ b/user_edit.php @@ -35,26 +35,23 @@ import('form.Table'); import('form.TableColumn'); import('ttRoleHelper'); -// Access check. +// Access checks. if (!ttAccessAllowed('manage_users')) { header('Location: access_denied.php'); exit(); } - // Get user id we are editing from the request. $user_id = (int) $request->getParameter('id'); // Get user details. $user_details = ttUserHelper::getUserDetails($user_id); - -// Security checks. if (!$user_details || // No details. - $user_details['team_id'] <> $user->team_id || // User not in team. $user_details['rank'] > $user->rank || // User has a bigger rank. ($user_details['rank'] == $user->rank && $user_details['id'] <> $user->id) // Same rank but not us. ) { header('Location: access_denied.php'); exit(); } +// End of access checks. if ($user->isPluginEnabled('cl')) $clients = ttTeamHelper::getActiveClients($user->team_id);