From: Nik Okuntseff Date: Sun, 2 Dec 2018 14:01:13 +0000 (+0000) Subject: Adjusted custom field config pages for subgroups. X-Git-Tag: timetracker_1.19-1~499 X-Git-Url: http://wagnertech.de/git?a=commitdiff_plain;h=b5426618bbd3ee3178a86f6318b321632047f25b;p=timetracker.git Adjusted custom field config pages for subgroups. --- diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl index 91ff8c9f..77ebe494 100644 --- a/WEB-INF/templates/footer.tpl +++ b/WEB-INF/templates/footer.tpl @@ -12,7 +12,7 @@
-
 Anuko Time Tracker 1.18.29.4566 | Copyright © Anuko | +  Anuko Time Tracker 1.18.29.4567 | Copyright © Anuko | {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve} diff --git a/admin_options.php b/admin_options.php index 164ff33a..9448ef78 100644 --- a/admin_options.php +++ b/admin_options.php @@ -36,6 +36,7 @@ if (!ttAccessAllowed('administer_site')) { header('Location: access_denied.php'); exit(); } +// End of access checks. if ($request->isPost()) { $cl_name = trim($request->getParameter('name')); diff --git a/cf_custom_field_add.php b/cf_custom_field_add.php index 8227d254..c0dc255f 100644 --- a/cf_custom_field_add.php +++ b/cf_custom_field_add.php @@ -45,6 +45,7 @@ if (count($fields) >= 1) { header('Location: access_denied.php'); exit(); } +// End of access checks. if ($request->isPost()) { $cl_field_name = trim($request->getParameter('name')); diff --git a/cf_custom_field_delete.php b/cf_custom_field_delete.php index 86c10b1f..c8a13369 100644 --- a/cf_custom_field_delete.php +++ b/cf_custom_field_delete.php @@ -39,8 +39,13 @@ if (!$user->isPluginEnabled('cf')) { header('Location: feature_disabled.php'); exit(); } - -$id = $request->getParameter('id'); +$id = (int)$request->getParameter('id'); +$field = CustomFields::getField($id); +if (!$field) { + header('Location: access_denied.php'); + exit(); +} +// End of access checks. $form = new Form('fieldDeleteForm'); @@ -60,15 +65,9 @@ if ($request->isPost()) { exit(); } } else { - $field = CustomFields::getField($id); - if (false === $field) - $err->add($i18n->get('error.db')); - - if ($err->no()) { - $form->addInput(array('type'=>'hidden','name'=>'id','value'=>$id)); - $form->addInput(array('type'=>'submit','name'=>'btn_delete','value'=>$i18n->get('label.delete'))); - $form->addInput(array('type'=>'submit','name'=>'btn_cancel','value'=>$i18n->get('button.cancel'))); - } + $form->addInput(array('type'=>'hidden','name'=>'id','value'=>$id)); + $form->addInput(array('type'=>'submit','name'=>'btn_delete','value'=>$i18n->get('label.delete'))); + $form->addInput(array('type'=>'submit','name'=>'btn_cancel','value'=>$i18n->get('button.cancel'))); } $smarty->assign('field', $field['label']); diff --git a/cf_custom_field_edit.php b/cf_custom_field_edit.php index 499f6d02..0bf5818d 100644 --- a/cf_custom_field_edit.php +++ b/cf_custom_field_edit.php @@ -39,11 +39,13 @@ if (!$user->isPluginEnabled('cf')) { header('Location: feature_disabled.php'); exit(); } - -$cl_id = $request->getParameter('id'); +$cl_id = (int)$request->getParameter('id'); $field = CustomFields::getField($cl_id); -if (false === $field) - $err->add($i18n->get('error.db')); +if (!$field) { + header('Location: access_denied.php'); + exit(); +} +// End of access checks. $form = new Form('fieldForm'); if ($err->no()) { diff --git a/cf_custom_fields.php b/cf_custom_fields.php index 53f80e40..6de626cc 100644 --- a/cf_custom_fields.php +++ b/cf_custom_fields.php @@ -39,6 +39,7 @@ if (!$user->isPluginEnabled('cf')) { header('Location: feature_disabled.php'); exit(); } +// End of access checks. $form = new Form('customFieldsForm'); diff --git a/plugins/CustomFields.class.php b/plugins/CustomFields.class.php index 74fef831..885f60b9 100644 --- a/plugins/CustomFields.class.php +++ b/plugins/CustomFields.class.php @@ -237,8 +237,12 @@ class CustomFields { global $user; $mdb2 = getConnection(); + $group_id = $user->getGroup(); + $org_id = $user->org_id; + $fields = array(); - $sql = "select id, type, label from tt_custom_fields where group_id = $user->group_id and status = 1 and type > 0"; + $sql = "select id, type, label from tt_custom_fields". + " where group_id = $group_id and org_id = $org_id and status = 1 and type > 0"; $res = $mdb2->query($sql); if (!is_a($res, 'PEAR_Error')) { while ($val = $res->fetchRow()) { @@ -254,7 +258,11 @@ class CustomFields { global $user; $mdb2 = getConnection(); - $sql = "select label, type, required from tt_custom_fields where id = $id and group_id = $user->group_id"; + $group_id = $user->getGroup(); + $org_id = $user->org_id; + + $sql = "select label, type, required from tt_custom_fields". + " where id = $id and group_id = $group_id and org_id = $org_id"; $res = $mdb2->query($sql); if (!is_a($res, 'PEAR_Error')) { $val = $res->fetchRow(); @@ -295,40 +303,39 @@ class CustomFields { static function updateField($id, $name, $type, $required) { global $user; $mdb2 = getConnection(); - $sql = "update tt_custom_fields set label = ".$mdb2->quote($name).", type = $type, required = $required where id = $id and group_id = $user->group_id"; + $group_id = $user->getGroup(); + $org_id = $user->org_id; + $sql = "update tt_custom_fields set label = ".$mdb2->quote($name).", type = $type, required = $required". + " where id = $id and group_id = $group_id and org_id = $org_id"; $affected = $mdb2->exec($sql); return (!is_a($affected, 'PEAR_Error')); } // The deleteField deletes a custom field, its options and log entries for group. static function deleteField($field_id) { - global $user; $mdb2 = getConnection(); - // First make sure that the field is ours so that we can safely delete it. - $sql = "select group_id from tt_custom_fields where id = $field_id"; - $res = $mdb2->query($sql); - if (is_a($res, 'PEAR_Error')) - return false; - $val = $res->fetchRow(); - if ($user->group_id != $val['group_id']) - return false; + $group_id = $user->getGroup(); + $org_id = $user->org_id; - // Mark log entries as deleted. - $sql = "update tt_custom_field_log set status = NULL where field_id = $field_id"; + // Mark log entries as deleted. TODO: why are we doing this? Research impact. + $sql = "update tt_custom_field_log set status = null". + " where field_id = $field_id and group_id = $group_id and org_id = $org_id"; $affected = $mdb2->exec($sql); if (is_a($affected, 'PEAR_Error')) return false; // Mark field options as deleted. - $sql = "update tt_custom_field_options set status = NULL where field_id = $field_id"; + $sql = "update tt_custom_field_options set status = null". + " where field_id = $field_id and group_id = $group_id and org_id = $org_id"; $affected = $mdb2->exec($sql); if (is_a($affected, 'PEAR_Error')) return false; // Mark custom field as deleted. - $sql = "update tt_custom_fields set status = NULL where id = $field_id and group_id = $user->group_id"; + $sql = "update tt_custom_fields set status = null". + " where id = $field_id and group_id = $group_id and org_id = $org_id"; $affected = $mdb2->exec($sql); return (!is_a($affected, 'PEAR_Error')); }