From: Nik Okuntseff
Date: Tue, 27 Mar 2018 09:57:42 +0000 (+0000)
Subject: Added team_id to project delete and update queries to reduce risk of misuse.
X-Git-Tag: timetracker_1.19-1~922
X-Git-Url: http://wagnertech.de/git?a=commitdiff_plain;h=a575a9147976a06263d8a7eae006d6ba3372446e;p=timetracker.git
Added team_id to project delete and update queries to reduce risk of misuse.
---
diff --git a/WEB-INF/lib/ttProjectHelper.class.php b/WEB-INF/lib/ttProjectHelper.class.php
index 06605c76..d3e0eb1b 100644
--- a/WEB-INF/lib/ttProjectHelper.class.php
+++ b/WEB-INF/lib/ttProjectHelper.class.php
@@ -154,33 +154,31 @@ class ttProjectHelper {
 // delete - deletes things associated with a project and marks the project as deleted.
 static function delete($id) {
+ global $user;
 $mdb2 = getConnection();
-
+
+ // Start with project itself. Reason: if the passed in project_id is bogus,
+ // we'll fail right here and don't damage any other data.
+
+ // Mark project as deleted and remove associated tasks.
+ $sql = "update tt_projects set status = NULL, tasks = NULL where id = $id and team_id = $user->team_id";
+ $affected = $mdb2->exec($sql);
+ if (is_a($affected, 'PEAR_Error') || 0 == $affected)
+ return false; // An error ocurred, or 0 rows updated.
+
 // Delete user binds to this project.
 $sql = "delete from tt_user_project_binds where project_id = $id";
 $affected = $mdb2->exec($sql);
- if (is_a($affected, 'PEAR_Error'))
- return false;
-
- // Delete task binds to this project.
- $sql = "delete from tt_project_task_binds where project_id = $id";
- $affected = $mdb2->exec($sql);
- if (is_a($affected, 'PEAR_Error'))
- return false;
-
- // Remove associated tasks.
- $sql = "update tt_projects set tasks = NULL where id = $id";
- $affected = $mdb2->exec($sql);
 if (is_a($affected, 'PEAR_Error'))
 return false;
- // Mark project as deleted.
- $sql = "update tt_projects set status = NULL where id = $id";
+ // Delete task binds to this project.
+ $sql = "delete from tt_project_task_binds where project_id = $id";
 $affected = $mdb2->exec($sql);
 if (is_a($affected, 'PEAR_Error'))
 return false;
- return true;
+ return true;
 }
 // insert function inserts a new project into database.
@@ -236,8 +234,8 @@ class ttProjectHelper {
 }
 // update function - updates the project in database.
- static function update($fields)
- {
+ static function update($fields) {
+ global $user;
 $mdb2 = getConnection();
 $project_id = $fields['id']; // Project we are updating.
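Review bot: `$id` is still interpolated raw into all three statements of delete(), so the new `team_id` filter narrows which rows a caller can reach but does not keep a non-numeric `$id` from altering the query itself; the same applies to `$project_id` and `$status` in the update() hunk at @@ -313. Unless every caller guarantees an integer, bind the value, e.g. `where id = ".$mdb2->quote($id, 'integer')." and team_id = ".$mdb2->quote($user->team_id, 'integer')`, and likewise in the two `project_id = $id` deletes. The three statements also run outside a transaction, so a failed bind delete leaves a project already marked deleted with its binds intact, which is at odds with the "don't damage any other data" comment; wrapping the sequence in `$mdb2->beginTransaction()` / `commit()` / `rollback()` would make the failure paths consistent. Note too that the `0 == $affected` guard returns false when re-deleting a project whose status and tasks are already NULL, because MySQL counts only changed rows by default — worth stating in the comment if that is intended.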
@@ -313,7 +311,8 @@ class ttProjectHelper {
 // Update project name, description, tasks and status in tt_projects table.
 $comma_separated = implode(",", $tasks_to_bind); // This is a comma-separated list of associated task ids.
- $sql = "update tt_projects set name = ".$mdb2->quote($name).", description = ".$mdb2->quote($description).", tasks = ".$mdb2->quote($comma_separated).", status = $status where id = $project_id";
+ $sql = "update tt_projects set name = ".$mdb2->quote($name).", description = ".$mdb2->quote($description).
+ ", tasks = ".$mdb2->quote($comma_separated).", status = $status where id = $project_id and team_id = $user->team_id";
 $affected = $mdb2->exec($sql);
 return (!is_a($affected, 'PEAR_Error'));
 }
diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl
index ceaf9982..37e220f6 100644
--- a/WEB-INF/templates/footer.tpl
+++ b/WEB-INF/templates/footer.tpl
@@ -12,7 +12,7 @@
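Review bot: With the `team_id` filter added, an update aimed at a project of another team now matches 0 rows, yet update() still returns true because `return (!is_a($affected, 'PEAR_Error'));` only checks for a driver error; delete() in the same commit treats 0 affected rows as failure. Consider `return (!is_a($affected, 'PEAR_Error') && $affected > 0);`, with the caveat that MySQL also reports 0 changed rows for an update that writes identical values, so callers re-saving unchanged data would need that case handled. update() begins well before this hunk; if the bind-table statements earlier in its body are keyed only on `$project_id`, they execute before this ownership check and are not covered by it, so the check is better done once at the top of the function (or the 0-row result used to decide whether to touch the binds at all).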
-
 Anuko Time Tracker 1.17.76.4184 | Copyright © Anuko | +  Anuko Time Tracker 1.17.76.4185 | Copyright © Anuko | {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve}