From 030d2c3ffbf8229cc945427e9e9f7704226effe1 Mon Sep 17 00:00:00 2001 From: Nik Okuntseff Date: Sat, 24 Mar 2018 19:37:00 +0000 Subject: [PATCH] A bit more progress on refactoring access checks. --- WEB-INF/lib/ttTeamHelper.class.php | 2 +- WEB-INF/templates/footer.tpl | 2 +- WEB-INF/templates/user_edit.tpl | 2 +- expense_delete.php | 2 -- predefined_expense_add.php | 8 ++++++-- predefined_expense_delete.php | 8 ++++++-- predefined_expense_edit.php | 8 ++++++-- predefined_expenses.php | 8 ++++++-- project_add.php | 8 ++++++-- project_delete.php | 8 ++++++-- project_edit.php | 8 ++++++-- projects.php | 8 ++++++-- quotas.php | 8 ++++++-- report.php | 2 +- report_send.php | 2 +- reports.php | 2 +- role_edit.php | 3 ++- swap_roles.php | 11 +++++++---- user_edit.php | 8 ++++++++ 19 files changed, 77 insertions(+), 31 deletions(-) diff --git a/WEB-INF/lib/ttTeamHelper.class.php b/WEB-INF/lib/ttTeamHelper.class.php index de034794..5aeee219 100644 --- a/WEB-INF/lib/ttTeamHelper.class.php +++ b/WEB-INF/lib/ttTeamHelper.class.php @@ -143,7 +143,7 @@ class ttTeamHelper { if (is_a($res, 'PEAR_Error')) return false; while ($val = $res->fetchRow()) { - $isClient = in_array('track_own_time', explode(',', $val['rights'])) ? 0 : 1; // Clients do not have data entry right. + $isClient = in_array('track_own_time', explode(',', $val['rights'])) ? 0 : 1; // Clients do not have track_own_time right. if ($isClient) continue; // Skip adding clients. $user_list[] = $val; diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl index 8b84e12b..b99c720b 100644 --- a/WEB-INF/templates/footer.tpl +++ b/WEB-INF/templates/footer.tpl @@ -12,7 +12,7 @@
- - + {/if} diff --git a/expense_delete.php b/expense_delete.php index 42a6add8..1f7fbb34 100644 --- a/expense_delete.php +++ b/expense_delete.php @@ -41,8 +41,6 @@ if (!$user->isPluginEnabled('ex')) { exit(); } - - $cl_id = $request->getParameter('id'); $expense_item = ttExpenseHelper::getItem($cl_id, $user->getActiveUser()); diff --git a/predefined_expense_add.php b/predefined_expense_add.php index 82cf99b6..2f1621ca 100644 --- a/predefined_expense_add.php +++ b/predefined_expense_add.php @@ -30,11 +30,15 @@ require_once('initialize.php'); import('form.Form'); import('ttPredefinedExpenseHelper'); -// Access check. -if (!ttAccessAllowed('manage_advanced_settings') || !$user->isPluginEnabled('ex')) { +// Access checks. +if (!ttAccessAllowed('manage_advanced_settings')) { header('Location: access_denied.php'); exit(); } +if (!$user->isPluginEnabled('ex')) { + header('Location: feature_disabled.php'); + exit(); +} if ($request->isPost()) { $cl_name = trim($request->getParameter('name')); diff --git a/predefined_expense_delete.php b/predefined_expense_delete.php index c8ae1c82..9b445032 100644 --- a/predefined_expense_delete.php +++ b/predefined_expense_delete.php @@ -30,11 +30,15 @@ require_once('initialize.php'); import('form.Form'); import('ttPredefinedExpenseHelper'); -// Access check. -if (!ttAccessAllowed('manage_advanced_settings') || !$user->isPluginEnabled('ex')) { +// Access checks. +if (!ttAccessAllowed('manage_advanced_settings')) { header('Location: access_denied.php'); exit(); } +if (!$user->isPluginEnabled('ex')) { + header('Location: feature_disabled.php'); + exit(); +} $cl_predefined_expense_id = (int)$request->getParameter('id'); $predefined_expense = ttPredefinedExpenseHelper::get($cl_predefined_expense_id); diff --git a/predefined_expense_edit.php b/predefined_expense_edit.php index 220778a9..7791b244 100644 --- a/predefined_expense_edit.php +++ b/predefined_expense_edit.php 
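Review bot: The new two-step guard (rights check redirecting to access_denied.php, then plugin check redirecting to feature_disabled.php) is pasted verbatim into predefined_expense_add.php, predefined_expense_delete.php, predefined_expense_edit.php, predefined_expenses.php and quotas.php, and the same shape with the tracking-mode test into project_add.php, project_delete.php and project_edit.php. The order of the two blocks (authorization first, feature availability second) is the part that tends to drift once it lives in nine copies; a small shared helper that takes the right name and the plugin code (or tracking modes) and performs both redirects would keep that order in one place. If a helper is out of scope for this commit, a one-line comment above the second block, `// Rights first, then feature availability; keep this order the same on every page.`, at least records the intent for the next copy.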
@@ -30,11 +30,15 @@ require_once('initialize.php'); import('form.Form'); import('ttPredefinedExpenseHelper'); -// Access check. -if (!ttAccessAllowed('manage_advanced_settings') || !$user->isPluginEnabled('ex')) { +// Access checks. +if (!ttAccessAllowed('manage_advanced_settings')) { header('Location: access_denied.php'); exit(); } +if (!$user->isPluginEnabled('ex')) { + header('Location: feature_disabled.php'); + exit(); +} $predefined_expense_id = (int) $request->getParameter('id'); diff --git a/predefined_expenses.php b/predefined_expenses.php index 4e799121..7aed7ad6 100644 --- a/predefined_expenses.php +++ b/predefined_expenses.php @@ -30,11 +30,15 @@ require_once('initialize.php'); import('form.Form'); import('ttTeamHelper'); -// Access check. -if (!ttAccessAllowed('manage_advanced_settings') || !$user->isPluginEnabled('ex')) { +// Access checks. +if (!ttAccessAllowed('manage_advanced_settings')) { header('Location: access_denied.php'); exit(); } +if (!$user->isPluginEnabled('ex')) { + header('Location: feature_disabled.php'); + exit(); +} $form = new Form('predefinedExpensesForm'); diff --git a/project_add.php b/project_add.php index 6b55019c..55b83b42 100644 --- a/project_add.php +++ b/project_add.php @@ -31,11 +31,15 @@ import('form.Form'); import('ttProjectHelper'); import('ttTeamHelper'); -// Access check. -if (!ttAccessAllowed('manage_projects') || (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->tracking_mode)) { +// Access checks. +if (!ttAccessAllowed('manage_projects')) { header('Location: access_denied.php'); exit(); } +if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->tracking_mode) { + header('Location: feature_disabled.php'); + exit(); +} $users = ttTeamHelper::getActiveUsers(); foreach ($users as $user_item) diff --git a/project_delete.php b/project_delete.php index 683dbc50..2373bbea 100644 --- a/project_delete.php +++ b/project_delete.php 
@@ -30,11 +30,15 @@ require_once('initialize.php'); import('form.Form'); import('ttProjectHelper'); -// Access check. -if (!ttAccessAllowed('manage_projects') || (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->tracking_mode)) { +// Access checks. +if (!ttAccessAllowed('manage_projects')) { header('Location: access_denied.php'); exit(); } +if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->tracking_mode) { + header('Location: feature_disabled.php'); + exit(); +} $cl_project_id = (int)$request->getParameter('id'); $project = ttProjectHelper::get($cl_project_id); diff --git a/project_edit.php b/project_edit.php index be0e90fa..d30782ab 100644 --- a/project_edit.php +++ b/project_edit.php @@ -31,11 +31,15 @@ import('form.Form'); import('ttProjectHelper'); import('ttTeamHelper'); -// Access check. -if (!ttAccessAllowed('manage_projects') || (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->tracking_mode)) { +// Access checks. +if (!ttAccessAllowed('manage_projects')) { header('Location: access_denied.php'); exit(); } +if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->tracking_mode) { + header('Location: feature_disabled.php'); + exit(); +} $cl_project_id = (int)$request->getParameter('id'); diff --git a/projects.php b/projects.php index ed0103a4..5315c4f7 100644 --- a/projects.php +++ b/projects.php 
@@ -30,11 +30,15 @@ require_once('initialize.php'); import('form.Form'); import('ttTeamHelper'); -// Access check. -if (!ttAccessAllowed('track_own_time') || (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->tracking_mode)) { +// Access checks. +if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) { header('Location: access_denied.php'); exit(); } +if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->tracking_mode) { + header('Location: feature_disabled.php'); + exit(); +} if($user->canManageTeam()) { $active_projects = ttTeamHelper::getActiveProjects($user->team_id); diff --git a/quotas.php b/quotas.php index 19e70e50..c921fba4 100644 --- a/quotas.php +++ b/quotas.php @@ -32,11 +32,15 @@ import('form.Form'); import('ttTeamHelper'); import('ttTimeHelper'); -// Access check. -if (!ttAccessAllowed('manage_advanced_settings') || !$user->isPluginEnabled('mq')) { +// Access checks. +if (!ttAccessAllowed('manage_advanced_settings')) { header('Location: access_denied.php'); exit(); } +if (!$user->isPluginEnabled('mq')) { + header('Location: feature_disabled.php'); + exit(); +} // Start and end fallback values for the Year dropdown. $yearStart = 2015; diff --git a/report.php b/report.php index 190dff8e..c59f6b5e 100644 --- a/report.php +++ b/report.php @@ -33,7 +33,7 @@ import('ttReportHelper'); import('ttTeamHelper'); // Access check. -if (!ttAccessAllowed('view_own_reports')) { +if (!(ttAccessAllowed('view_own_reports') || ttAccessAllowed('view_reports'))) { header('Location: access_denied.php'); exit(); } diff --git a/report_send.php b/report_send.php index b420b3ac..d7c031fd 100644 --- a/report_send.php +++ b/report_send.php @@ -33,7 +33,7 @@ import('ttSysConfig'); import('ttReportHelper'); // Access check. -if (!ttAccessAllowed('view_own_reports')) { +if (!(ttAccessAllowed('view_own_reports') || ttAccessAllowed('view_reports'))) { header('Location: access_denied.php'); exit(); } 
diff --git a/reports.php b/reports.php index 390c85c6..3a7367e7 100644 --- a/reports.php +++ b/reports.php @@ -37,7 +37,7 @@ import('ttFavReportHelper'); import('ttClientHelper'); // Access check. -if (!ttAccessAllowed('view_own_reports')) { +if (!(ttAccessAllowed('view_own_reports') || ttAccessAllowed('view_reports'))) { header('Location: access_denied.php'); exit(); } diff --git a/role_edit.php b/role_edit.php index 3eb7696b..f5f3762b 100644 --- a/role_edit.php +++ b/role_edit.php @@ -32,7 +32,7 @@ import('ttTeamHelper'); // TODO: remove this? import('ttTaskHelper'); // TODO: remove this? import('ttRoleHelper'); -// Access check. +// Access checks. if (!ttAccessAllowed('manage_roles')) { header('Location: access_denied.php'); exit(); @@ -43,6 +43,7 @@ if (!$role) { header('Location: access_denied.php'); exit(); } + $assigned_rights = explode(',', $role['rights']); $available_rights = array_diff($user->rights, $assigned_rights); diff --git a/swap_roles.php b/swap_roles.php index 09178cd9..59a726c5 100644 --- a/swap_roles.php +++ b/swap_roles.php 
@@ -30,20 +30,23 @@ require_once('initialize.php'); import('form.Form'); import('ttUserHelper'); -// Access check. +// Access checks. if (!ttAccessAllowed('swap_roles')) { header('Location: access_denied.php'); exit(); } - -$users = ttTeamHelper::getUsersForSwap(); +$users_for_swap = ttTeamHelper::getUsersForSwap(); +if (!is_array($users_for_swap) || sizeof($users_for_swap) == 0) { + header('Location: access_denied.php'); + exit(); +} if ($request->isPost()) { $cl_id = $request->getParameter('swap_with'); } $form = new Form('swapForm'); -$form->addInput(array('type'=>'combobox','name'=>'swap_with','style'=>'width: 250px;','data'=>$users,'datakeys'=>array('id','name'))); +$form->addInput(array('type'=>'combobox','name'=>'swap_with','style'=>'width: 250px;','data'=>$users_for_swap,'datakeys'=>array('id','name'))); $form->addInput(array('type'=>'submit','name'=>'btn_submit','value'=>$i18n->get('button.submit'))); $form->addInput(array('type'=>'submit','name'=>'btn_cancel','value'=>$i18n->get('button.cancel'))); diff --git a/user_edit.php b/user_edit.php index 531e8424..75d89e50 100644 --- a/user_edit.php +++ b/user_edit.php @@ -222,11 +222,19 @@ if ($request->isPost()) { } } // isPost +$can_swap = false; +if ($user->id == $user_id && $user->can('swap_roles')) { + $users_for_swap = ttTeamHelper::getUsersForSwap(); + if (is_array($users_for_swap) && sizeof($users_for_swap) > 0) + $can_swap = true; +} + $rates = ttProjectHelper::getRates($user_id); $smarty->assign('rates', $rates); $smarty->assign('auth_external', $auth->isPasswordExternal()); $smarty->assign('active_roles', $active_roles); +$smarty->assign('can_swap', $can_swap); $smarty->assign('forms', array($form->getName()=>$form->toArray())); $smarty->assign('onload', 'onLoad="document.userForm.name.focus();handleClientControl();"'); $smarty->assign('user_id', $user_id); -- 2.20.1
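Review bot: The rename of `$users` to `$users_for_swap` is applied only to the two lines visible in this hunk; if the POST branch below the hunk still reads `$users` (for instance to check that the posted `swap_with` id is one of the listed users), that variable is now undefined and the check would silently misbehave. Please confirm no further `$users` reference remains, and that `swap_with` is validated against `$users_for_swap` before the swap is performed, since the new guard only decides whether the form is shown. The emptiness test can also be written `if (empty($users_for_swap)) {`, which covers both the non-array and the zero-length case in one expression. The POST handling and the rest of the page lie outside the hunk.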
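Review bot: `$user->id == $user_id` is a loose comparison; unless `$user_id` is already cast to int where it is read from the request (outside this hunk), a strict form such as `if ((int)$user_id === (int)$user->id && $user->can('swap_roles')) {` keeps PHP's string-to-number coercion out of deciding who sees the swap link. The brace-less `if (...) $can_swap = true;` can be collapsed into `$can_swap = is_array($users_for_swap) && sizeof($users_for_swap) > 0;`, which also mirrors the condition swap_roles.php now applies; keeping the two in step, ideally through one shared helper, matters because this flag only hides the link while swap_roles.php is the page that enforces it. The surrounding page logic continues outside the hunk.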
 Anuko Time Tracker 1.17.69.4156 | Copyright © Anuko | +  Anuko Time Tracker 1.17.69.4157 | Copyright © Anuko | {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve} diff --git a/WEB-INF/templates/user_edit.tpl b/WEB-INF/templates/user_edit.tpl index 15bf3fe2..6b09881d 100644 --- a/WEB-INF/templates/user_edit.tpl +++ b/WEB-INF/templates/user_edit.tpl @@ -108,7 +108,7 @@ function handleClientControl() { {if $user->id == $user_id}
{$i18n.form.users.role}:{$user->role_name} {if $user->can('swap_roles')}{$i18n.form.profile.swap_roles}{/if}{$user->role_name} {if $can_swap}{$i18n.form.profile.swap_roles}{/if}