From 0a7886b373c91ef0c2c41307f81177d043c807be Mon Sep 17 00:00:00 2001
From: Nik Okuntseff
Date: Sun, 25 Mar 2018 22:31:31 +0000
Subject: [PATCH] Access check improvements for time and expense edits and deletes.

---
 WEB-INF/templates/footer.tpl | 2 +-
 expense_delete.php | 12 +++++++-----
 expense_edit.php | 12 ++++++------
 mobile/expense_delete.php | 12 +++++++-----
 mobile/expense_edit.php | 12 ++++++------
 mobile/time_delete.php | 14 ++++++++------
 mobile/time_edit.php | 16 ++++++++--------
 time_delete.php | 14 ++++++++------
 time_edit.php | 18 +++++++++---------
 9 files changed, 60 insertions(+), 52 deletions(-)

diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl
index 2be4b935..658d120a 100644
--- a/WEB-INF/templates/footer.tpl
+++ b/WEB-INF/templates/footer.tpl
@@ -12,7 +12,7 @@
-
 Anuko Time Tracker 1.17.71.4167 | Copyright © Anuko | +  Anuko Time Tracker 1.17.72.4168 | Copyright © Anuko | {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve}
diff --git a/expense_delete.php b/expense_delete.php
index 1f7fbb34..49bb8ac1 100644
--- a/expense_delete.php
+++ b/expense_delete.php
@@ -40,12 +40,14 @@ if (!$user->isPluginEnabled('ex')) {
   header('Location: feature_disabled.php');
   exit();
 }
-
-$cl_id = $request->getParameter('id');
+$cl_id = (int)$request->getParameter('id');
+// Get the expense item we are deleting.
 $expense_item = ttExpenseHelper::getItem($cl_id, $user->getActiveUser());
-
-// Prohibit deleting invoiced records.
-if ($expense_item['invoice_id']) die($i18n->get('error.sys'));
+if (!$expense_item || $expense_item['invoice_id']) {
+  // Prohibit deleting not ours or invoiced items.
+  header('Location: access_denied.php');
+  exit();
+}
 
 if ($request->isPost()) {
   if ($request->getParameter('delete_button')) { // Delete button pressed.
diff --git a/expense_edit.php b/expense_edit.php
index 15cfcfaf..99503b06 100644
--- a/expense_edit.php
+++ b/expense_edit.php
@@ -41,14 +41,14 @@ if (!$user->isPluginEnabled('ex')) {
   header('Location: feature_disabled.php');
   exit();
 }
-
-$cl_id = $request->getParameter('id');
-
+$cl_id = (int)$request->getParameter('id');
 // Get the expense item we are editing.
 $expense_item = ttExpenseHelper::getItem($cl_id, $user->getActiveUser());
-
-// Prohibit editing invoiced items.
-if ($expense_item['invoice_id']) die($i18n->get('error.sys'));
+if (!$expense_item || $expense_item['invoice_id']) {
+  // Prohibit editing not ours or invoiced items.
+  header('Location: access_denied.php');
+  exit();
+}
 
 $item_date = new DateAndTime(DB_DATEFORMAT, $expense_item['date']);
 
diff --git a/mobile/expense_delete.php b/mobile/expense_delete.php
index cca61b7c..a6f0989e 100644
--- a/mobile/expense_delete.php
+++ b/mobile/expense_delete.php
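Review bot: The ownership half of the new `!$expense_item` check rests entirely on `ttExpenseHelper::getItem($cl_id, $user->getActiveUser())` restricting its lookup to the user passed as the second argument, and neither that helper nor `ttTimeHelper::getRecord` is part of this patch, so the guard only denies other users' items if those helpers already filter by user. The same block is added in expense_edit.php, mobile/expense_delete.php, mobile/expense_edit.php, mobile/time_delete.php, mobile/time_edit.php, time_delete.php and time_edit.php, so that reliance is worth stating once at each site in place of the current comment, e.g. `// getItem() is scoped to the active user: a missing item is not found or not ours; invoiced items are locked.` Collapsing missing, foreign and invoiced ids into the same access_denied.php redirect also stops the response from revealing whether an id exists, which is an improvement over the old `die($i18n->get('error.sys'))` for invoiced ones. One thing to confirm outside the hunk: the POST branches that follow should act on this same `$cl_id` rather than re-reading `id` from the request, so that the check covers the id actually used for the write.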
@@ -40,12 +40,14 @@ if (!$user->isPluginEnabled('ex')) {
   header('Location: feature_disabled.php');
   exit();
 }
-
-$cl_id = $request->getParameter('id');
+$cl_id = (int)$request->getParameter('id');
+// Get the expense item we are deleting.
 $expense_item = ttExpenseHelper::getItem($cl_id, $user->getActiveUser());
-
-// Prohibit deleting invoiced records.
-if ($expense_item['invoice_id']) die($i18n->get('error.sys'));
+if (!$expense_item || $expense_item['invoice_id']) {
+  // Prohibit deleting not ours or invoiced items.
+  header('Location: access_denied.php');
+  exit();
+}
 
 if ($request->isPost()) {
   if ($request->getParameter('delete_button')) { // Delete button pressed.
diff --git a/mobile/expense_edit.php b/mobile/expense_edit.php
index 8da55a1e..1611378d 100644
--- a/mobile/expense_edit.php
+++ b/mobile/expense_edit.php
@@ -41,14 +41,14 @@ if (!$user->isPluginEnabled('ex')) {
   header('Location: feature_disabled.php');
   exit();
 }
-
-$cl_id = $request->getParameter('id');
-
+$cl_id = (int)$request->getParameter('id');
 // Get the expense item we are editing.
 $expense_item = ttExpenseHelper::getItem($cl_id, $user->getActiveUser());
-
-// Prohibit editing invoiced items.
-if ($expense_item['invoice_id']) die($i18n->get('error.sys'));
+if (!$expense_item || $expense_item['invoice_id']) {
+  // Prohibit editing not ours or invoiced items.
+  header('Location: access_denied.php');
+  exit();
+}
 
 $item_date = new DateAndTime(DB_DATEFORMAT, $expense_item['date']);
 
diff --git a/mobile/time_delete.php b/mobile/time_delete.php
index 33ba6146..5d6918c5 100644
--- a/mobile/time_delete.php
+++ b/mobile/time_delete.php
@@ -32,17 +32,19 @@ import('ttUserHelper');
 import('ttTimeHelper');
 import('DateAndTime');
 
-// Access check.
+// Access checks.
 if (!ttAccessAllowed('track_own_time')) {
   header('Location: access_denied.php');
   exit();
 }
-
-$cl_id = $request->getParameter('id');
+$cl_id = (int)$request->getParameter('id');
+// Get the time record we are deleting.
 $time_rec = ttTimeHelper::getRecord($cl_id, $user->getActiveUser());
-
-// Prohibit deleting invoiced records.
-if ($time_rec['invoice_id']) die($i18n->get('error.sys'));
+if (!$time_rec || $time_rec['invoice_id']) {
+  // Prohibit deleting not ours or invoiced records.
+  header('Location: access_denied.php');
+  exit();
+}
 
 // Escape comment for presentation.
 $time_rec['comment'] = htmlspecialchars($time_rec['comment']);
diff --git a/mobile/time_edit.php b/mobile/time_edit.php
index 683bab74..eff9b335 100644
--- a/mobile/time_edit.php
+++ b/mobile/time_edit.php
@@ -39,6 +39,14 @@ if (!ttAccessAllowed('track_own_time')) {
   header('Location: access_denied.php');
   exit();
 }
+$cl_id = (int)$request->getParameter('id');
+// Get the time record we are editing.
+$time_rec = ttTimeHelper::getRecord($cl_id, $user->getActiveUser());
+if (!$time_rec || $time_rec['invoice_id']) {
+  // Prohibit editing not ours or invoiced records.
+  header('Location: access_denied.php');
+  exit();
+}
 
 // Use custom fields plugin if it is enabled.
 if ($user->isPluginEnabled('cf')) {
@@ -47,14 +55,6 @@ if ($user->isPluginEnabled('cf')) {
   $smarty->assign('custom_fields', $custom_fields);
 }
 
-$cl_id = $request->getParameter('id');
-
-// Get the time record we are editing.
-$time_rec = ttTimeHelper::getRecord($cl_id, $user->getActiveUser());
-
-// Prohibit editing invoiced records.
-if ($time_rec['invoice_id']) die($i18n->get('error.sys'));
-
 $item_date = new DateAndTime(DB_DATEFORMAT, $time_rec['date']);
 
 // Initialize variables.
diff --git a/time_delete.php b/time_delete.php
index ec3c677c..060311e8 100644
--- a/time_delete.php
+++ b/time_delete.php
@@ -32,17 +32,19 @@ import('ttUserHelper');
 import('ttTimeHelper');
 import('DateAndTime');
 
-// Access check.
+// Access checks.
 if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) {
   header('Location: access_denied.php');
   exit();
 }
-
-$cl_id = $request->getParameter('id');
+$cl_id = (int)$request->getParameter('id');
+// Get the time record we are deleting.
 $time_rec = ttTimeHelper::getRecord($cl_id, $user->getActiveUser());
-
-// Prohibit deleting invoiced records.
-if ($time_rec['invoice_id']) die($i18n->get('error.sys'));
+if (!$time_rec || $time_rec['invoice_id']) {
+  // Prohibit deleting not ours or invoiced records.
+  header('Location: access_denied.php');
+  exit();
+}
 
 // Escape comment for presentation.
 $time_rec['comment'] = htmlspecialchars($time_rec['comment']);
diff --git a/time_edit.php b/time_edit.php
index c14928f5..05db97c0 100644
--- a/time_edit.php
+++ b/time_edit.php
@@ -34,11 +34,19 @@ import('ttClientHelper');
 import('ttTimeHelper');
 import('DateAndTime');
 
-// Access check.
+// Access checks.
 if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) {
   header('Location: access_denied.php');
   exit();
 }
+$cl_id = (int)$request->getParameter('id');
+// Get the time record we are editing.
+$time_rec = ttTimeHelper::getRecord($cl_id, $user->getActiveUser());
+if (!$time_rec || $time_rec['invoice_id']) {
+  // Prohibit editing not ours or invoiced records.
+  header('Location: access_denied.php');
+  exit();
+}
 
 // Use custom fields plugin if it is enabled.
 if ($user->isPluginEnabled('cf')) {
@@ -47,14 +55,6 @@ if ($user->isPluginEnabled('cf')) {
   $smarty->assign('custom_fields', $custom_fields);
 }
 
-$cl_id = $request->getParameter('id');
-
-// Get the time record we are editing.
-$time_rec = ttTimeHelper::getRecord($cl_id, $user->getActiveUser());
-
-// Prohibit editing invoiced records.
-if ($time_rec['invoice_id']) die($i18n->get('error.sys'));
-
 $item_date = new DateAndTime(DB_DATEFORMAT, $time_rec['date']);
 
 // Initialize variables.
-- 2.20.1