From: Nik Okuntseff Date: Sun, 9 Dec 2018 18:40:14 +0000 (+0000) Subject: Added validation of checkbox group input on project config. X-Git-Tag: timetracker_1.19-1~441 X-Git-Url: http://wagnertech.de/git?a=commitdiff_plain;h=c059d4ceb33fc1a959028abd85808e33b910cf7e;p=timetracker.git Added validation of checkbox group input on project config. --- diff --git a/WEB-INF/lib/ttGroupHelper.class.php b/WEB-INF/lib/ttGroupHelper.class.php index 0e45110c..780e39ed 100644 --- a/WEB-INF/lib/ttGroupHelper.class.php +++ b/WEB-INF/lib/ttGroupHelper.class.php @@ -526,4 +526,42 @@ class ttGroupHelper { } return $result; } + + // validateCheckboxGroupInput - validates user input in a group of checkboxes + // in context of a specific database table. + // + // We need to make sure that input is a set of unique positive integers, and is + // "relevant" to the current group (entities exists in table). + // + // It is a safeguard against manipulation of data in posts. + static function validateCheckboxGroupInput($input, $table) { + // Empty input is valid. + if (!$input) return true; + + // Input containing duplicates is invalid. + if (count($input) !== count(array_unique($input))) return false; + + // Input containing anything but positive integers is invalid. + foreach ($input as $single_selection) { + if (!is_numeric($single_selection) || $single_selection <= 0) return false; + } + + global $user; + $mdb2 = getConnection(); + + $group_id = $user->getGroup(); + $org_id = $user->org_id; + + // Now check the table. It must contain all entities associated with current group and org. + $comma_separated = implode(',', $input); + $sql = "select count(*) as item_count from $table". + " where id in ($comma_separated) and group_id = $group_id and org_id = $org_id and status = 1"; + $res = $mdb2->query($sql); + if (is_a($res, 'PEAR_Error')) return false; + $val = $res->fetchRow(); + if (count($input) != $val['item_count']) + return false; // Number of entities in table is different. + + return true; // All is good. + } } diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl index 1cb0da70..4631c2ec 100644 --- a/WEB-INF/templates/footer.tpl +++ b/WEB-INF/templates/footer.tpl @@ -12,7 +12,7 @@
-
 Anuko Time Tracker 1.18.29.4623 | Copyright © Anuko | +  Anuko Time Tracker 1.18.29.4624 | Copyright © Anuko | {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve} diff --git a/mobile/project_add.php b/mobile/project_add.php index 98f7c064..6f6f452d 100644 --- a/mobile/project_add.php +++ b/mobile/project_add.php @@ -74,6 +74,8 @@ if ($request->isPost()) { // Validate user input. if (!ttValidString($cl_name)) $err->add($i18n->get('error.field'), $i18n->get('label.thing_name')); if (!ttValidString($cl_description, true)) $err->add($i18n->get('error.field'), $i18n->get('label.description')); + if (!ttGroupHelper::validateCheckboxGroupInput($cl_users, 'tt_users')) $err->add($i18n->get('error.field'), $i18n->get('label.users')); + if (!ttGroupHelper::validateCheckboxGroupInput($cl_tasks, 'tt_tasks')) $err->add($i18n->get('error.field'), $i18n->get('label.tasks')); if ($err->no()) { if (!ttProjectHelper::getProjectByName($cl_name)) { diff --git a/mobile/project_edit.php b/mobile/project_edit.php index 40728aaf..8bccd110 100644 --- a/mobile/project_edit.php +++ b/mobile/project_edit.php @@ -95,6 +95,8 @@ if ($request->isPost()) { // Validate user input. if (!ttValidString($cl_name)) $err->add($i18n->get('error.field'), $i18n->get('label.thing_name')); if (!ttValidString($cl_description, true)) $err->add($i18n->get('error.field'), $i18n->get('label.description')); + if (!ttGroupHelper::validateCheckboxGroupInput($cl_users, 'tt_users')) $err->add($i18n->get('error.field'), $i18n->get('label.users')); + if (!ttGroupHelper::validateCheckboxGroupInput($cl_tasks, 'tt_tasks')) $err->add($i18n->get('error.field'), $i18n->get('label.tasks')); if ($err->no()) { if ($request->getParameter('btn_save')) { diff --git a/project_add.php b/project_add.php index e00a0316..70327eb3 100644 --- a/project_add.php +++ b/project_add.php @@ -74,6 +74,8 @@ if ($request->isPost()) { // Validate user input. if (!ttValidString($cl_name)) $err->add($i18n->get('error.field'), $i18n->get('label.thing_name')); if (!ttValidString($cl_description, true)) $err->add($i18n->get('error.field'), $i18n->get('label.description')); + if (!ttGroupHelper::validateCheckboxGroupInput($cl_users, 'tt_users')) $err->add($i18n->get('error.field'), $i18n->get('label.users')); + if (!ttGroupHelper::validateCheckboxGroupInput($cl_tasks, 'tt_tasks')) $err->add($i18n->get('error.field'), $i18n->get('label.tasks')); if ($err->no()) { if (!ttProjectHelper::getProjectByName($cl_name)) { diff --git a/project_edit.php b/project_edit.php index 6fe08287..106e657b 100644 --- a/project_edit.php +++ b/project_edit.php @@ -94,6 +94,8 @@ if ($request->isPost()) { // Validate user input. if (!ttValidString($cl_name)) $err->add($i18n->get('error.field'), $i18n->get('label.thing_name')); if (!ttValidString($cl_description, true)) $err->add($i18n->get('error.field'), $i18n->get('label.description')); + if (!ttGroupHelper::validateCheckboxGroupInput($cl_users, 'tt_users')) $err->add($i18n->get('error.field'), $i18n->get('label.users')); + if (!ttGroupHelper::validateCheckboxGroupInput($cl_tasks, 'tt_tasks')) $err->add($i18n->get('error.field'), $i18n->get('label.tasks')); if ($err->no()) { if ($request->getParameter('btn_save')) {