From 1c55e1b9d6da2173f7e946011908c02dd80df26d Mon Sep 17 00:00:00 2001
From: Nik Okuntseff
Date: Sat, 28 Jul 2018 21:48:56 +0000
Subject: [PATCH] Added group_id to getWhere parts as additional protection.
---
 WEB-INF/lib/ttReportHelper.class.php | 18 +++++++++---------
 WEB-INF/templates/footer.tpl | 2 +-
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/WEB-INF/lib/ttReportHelper.class.php b/WEB-INF/lib/ttReportHelper.class.php
index acf33681..d46e783f 100644
--- a/WEB-INF/lib/ttReportHelper.class.php
+++ b/WEB-INF/lib/ttReportHelper.class.php
@@ -64,11 +64,11 @@ class ttReportHelper {
 // Prepare sql query part for user list.
 $userlist = $options['users'] ? $options['users'] : '-1';
- $user_list_part = null;
 if ($user->can('view_reports') || $user->can('view_all_reports') || $user->isClient())
 $user_list_part = " and l.user_id in ($userlist)";
 else
 $user_list_part = " and l.user_id = ".$user->id;
+ $user_list_part .= " and l.group_id = ".$user->getActiveGroup();
 
 // Prepare sql query part for where.
 if ($options['period'])
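Review bot: The added `$user_list_part .= " and l.group_id = ".$user->getActiveGroup();` concatenates the group id into the SQL fragment as-is, and the return type of getActiveGroup() is not visible here; if it can ever be null or an empty string (no active group selected), the clause degenerates to `and l.group_id = ` and the whole report query is malformed. Casting at the point of use, `$user_list_part .= " and l.group_id = ".(int) $user->getActiveGroup();`, keeps the appended clause well-formed numeric SQL regardless of what the helper returns; the same applies to the `ei.group_id` lines in the @@ -155 and @@ -204 hunks. Note that the `$userlist` interpolated into `in ($userlist)` on the preceding context line is untouched by this commit, so the new group_id clause narrows the rows returned but is not a substitute for validating that list as integers wherever $options['users'] originates from request input. The enclosing method starts and ends outside the hunk.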
@@ -106,22 +106,22 @@ class ttReportHelper {
 // Prepare user list part.
 $userlist = -1;
- if (($user->can('view_reports') || $user->isClient())) {
+ if ($user->can('view_reports') || $user->can('view_all_reports') || $user->isClient()) {
 if ($options['users'])
 $userlist = $options['users'];
 else {
- $active_users = ttTeamHelper::getActiveUsers();
- foreach ($active_users as $single_user)
+ $group_users = ttTeamHelper::getUsers(); // active and inactive users
+ foreach ($group_users as $single_user)
 $users[] = $single_user['id'];
 $userlist = join(',', $users);
 }
 }
 
 // Prepare sql query part for user list.
- $user_list_part = null;
- if ($user->can('view_reports') || $user->isClient())
+ if ($user->can('view_reports') || $user->can('view_all_reports') || $user->isClient())
 $user_list_part = " and l.user_id in ($userlist)";
 else
 $user_list_part = " and l.user_id = ".$user->id;
+ $user_list_part .= " and l.group_id = ".$user->getActiveGroup();
 
 // Prepare sql query part for where.
 if ($options['period'])
@@ -155,11 +155,11 @@ class ttReportHelper {
 // Prepare sql query part for user list.
 $userlist = $options['users'] ? $options['users'] : '-1';
- $user_list_part = null;
 if ($user->can('view_reports') || $user->can('view_all_reports') || $user->isClient())
 $user_list_part = " and ei.user_id in ($userlist)";
 else
 $user_list_part = " and ei.user_id = ".$user->id;
+ $user_list_part .= " and ei.group_id = ".$user->getActiveGroup();
 
 // Prepare sql query part for where.
 if ($options['period'])
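Review bot: In the new `foreach ($group_users as $single_user)` loop `$users` is never initialised within the hunk, so if ttTeamHelper::getUsers() returns an empty list (and `$users` is not set earlier in the method, which is outside my view) `join(',', $users)` operates on an undefined variable and `$userlist` becomes an empty string, which turns the clause below into `in ()` and breaks the query. Initialising the accumulator with `$users = array();` before the foreach and keeping the `-1` fallback when nothing is collected, `$userlist = $users ? join(',', $users) : -1;`, keeps the generated SQL valid. This weakness predates the commit on the getActiveUsers() path, but widening the source to active and inactive users is the right moment to close it. The enclosing method starts and ends outside the hunk.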
@@ -204,11 +204,11 @@ class ttReportHelper {
 }
 }
 // Prepare sql query part for user list.
- $user_list_part = null;
- if ($user->can('view_reports') || $user->isClient())
+ if ($user->can('view_reports') || $user->can('view_all_reports') || $user->isClient())
 $user_list_part = " and ei.user_id in ($userlist)";
 else
 $user_list_part = " and ei.user_id = ".$user->id;
+ $user_list_part .= " and ei.group_id = ".$user->getActiveGroup();
 
 // Prepare sql query part for where.
 if ($options['period'])
diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl
index a261f3e7..d36605b6 100644
--- a/WEB-INF/templates/footer.tpl
+++ b/WEB-INF/templates/footer.tpl
@@ -12,7 +12,7 @@
-
 Anuko Time Tracker 1.17.96.4299 | Copyright © Anuko | +  Anuko Time Tracker 1.17.96.4300 | Copyright © Anuko | {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve} -- 2.20.1