From 2ff04a2baeaa449ab30b822e2bb52ff792776753 Mon Sep 17 00:00:00 2001
From: Nik Okuntseff <support@anuko.com>
Date: Sun, 25 Mar 2018 20:25:40 +0000
Subject: [PATCH] A bit better job with access checks for charts.

---
 WEB-INF/lib/ttUser.class.php | 33 +++++++++++++++++++++++++++++++++
 WEB-INF/templates/footer.tpl |  2 +-
 charts.php                   |  8 ++++++++
 3 files changed, 42 insertions(+), 1 deletion(-)

diff --git a/WEB-INF/lib/ttUser.class.php b/WEB-INF/lib/ttUser.class.php
index 95edd6e4..85b26d51 100644
--- a/WEB-INF/lib/ttUser.class.php
+++ b/WEB-INF/lib/ttUser.class.php
@@ -295,4 +295,37 @@ class ttUser {
     }
     return $user_list;
   }
+
+  // checkBehalfId checks whether behalf_id is appropriate.
+  // On behalf user must be active and have lower rank.
+  function checkBehalfId() {
+    $options = array('status'=>ACTIVE,'max_rank'=>$this->rank-1);
+    $users = $this->getUsers($options);
+    foreach($users as $one_user) {
+      if ($one_user['id'] == $this->behalf_id)
+        return true;
+    }
+
+    return false;
+  }
+
+  // adjustBehalfId attempts to adjust behalf_id and behalf_name to a first found
+  // aapropriate user.
+  //
+  // Needed for situations when use does not have do_own_something right.
+  // Example: has view_charts but does not have view_own_charts.
+  // In this case we still allow access to charts, but set behalf_id to someone else.
+  function adjustBehalfId() {
+    $options = array('status'=>ACTIVE,'max_rank'=>$this->rank-1);
+    $users = $this->getUsers($options);
+    foreach($users as $one_user) {
+      // Fake loop to access first element.
+      $this->behalf_id = $one_user['id'];
+      $this->behalf_name = $one_user['name'];
+      $_SESSION['behalf_id'] = $this->behalf_id;
+      $_SESSION['behalf_name'] = $this->behalf_name;
+      return true;
+    }
+    return false;
+  }
 }
diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl
index a470afaa..d003b9bd 100644
--- a/WEB-INF/templates/footer.tpl
+++ b/WEB-INF/templates/footer.tpl
@@ -12,7 +12,7 @@
       <br>
       <table cellspacing="0" cellpadding="4" width="100%" border="0">
         <tr>
-          <td align="center">&nbsp;Anuko Time Tracker 1.17.71.4163 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
+          <td align="center">&nbsp;Anuko Time Tracker 1.17.71.4164 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
             <a href="https://www.anuko.com/lp/tt_4.htm" target="_blank">{$i18n.footer.credits}</a> |
             <a href="https://www.anuko.com/lp/tt_5.htm" target="_blank">{$i18n.footer.license}</a> |
             <a href="https://www.anuko.com/lp/tt_7.htm" target="_blank">{$i18n.footer.improve}</a>
diff --git a/charts.php b/charts.php
index a44c9926..d6707038 100644
--- a/charts.php
+++ b/charts.php
@@ -46,6 +46,14 @@ if (!$user->isPluginEnabled('ch')) {
   header('Location: feature_disabled.php');
   exit();
 }
+if ($user->behalf_id && (!$user->can('view_charts') || !$user->checkBehalfId())) {
+  header('Location: access_denied.php'); // Trying on behalf, but no right or wrong user.
+  exit();
+}
+if (!$user->behalf_id && !$user->can('view_own_charts') && !$user->adjustBehalfId()) {
+  header('Location: access_denied.php'); // Trying as self, but no right for self, and noone to view on behalf.
+  exit();
+}
 
 // Initialize and store date in session.
 $cl_date = $request->getParameter('date', @$_SESSION['date']);
-- 
2.20.1