From 2ff04a2baeaa449ab30b822e2bb52ff792776753 Mon Sep 17 00:00:00 2001
From: Nik Okuntseff
Date: Sun, 25 Mar 2018 20:25:40 +0000
Subject: [PATCH] A bit better job with access checks for charts.
---
 WEB-INF/lib/ttUser.class.php | 33 +++++++++++++++++++++++++++++++++
 WEB-INF/templates/footer.tpl | 2 +-
 charts.php | 8 ++++++++
 3 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/WEB-INF/lib/ttUser.class.php b/WEB-INF/lib/ttUser.class.php
index 95edd6e4..85b26d51 100644
--- a/WEB-INF/lib/ttUser.class.php
+++ b/WEB-INF/lib/ttUser.class.php
@@ -295,4 +295,37 @@ class ttUser {
 }
 return $user_list;
 }
+
+ // checkBehalfId checks whether behalf_id is appropriate.
+ // On behalf user must be active and have lower rank.
+ function checkBehalfId() {
+ $options = array('status'=>ACTIVE,'max_rank'=>$this->rank-1);
+ $users = $this->getUsers($options);
+ foreach($users as $one_user) {
+ if ($one_user['id'] == $this->behalf_id)
+ return true;
+ }
+
+ return false;
+ }
+
+ // adjustBehalfId attempts to adjust behalf_id and behalf_name to a first found
+ // aapropriate user.
+ //
+ // Needed for situations when use does not have do_own_something right.
+ // Example: has view_charts but does not have view_own_charts.
+ // In this case we still allow access to charts, but set behalf_id to someone else.
+ function adjustBehalfId() {
+ $options = array('status'=>ACTIVE,'max_rank'=>$this->rank-1);
+ $users = $this->getUsers($options);
+ foreach($users as $one_user) {
+ // Fake loop to access first element.
+ $this->behalf_id = $one_user['id'];
+ $this->behalf_name = $one_user['name'];
+ $_SESSION['behalf_id'] = $this->behalf_id;
+ $_SESSION['behalf_name'] = $this->behalf_name;
+ return true;
+ }
+ return false;
+ }
 }
diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl
index a470afaa..d003b9bd 100644
--- a/WEB-INF/templates/footer.tpl
+++ b/WEB-INF/templates/footer.tpl
@@ -12,7 +12,7 @@
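Review bot: checkBehalfId decides whether the caller may act as another user with a loose comparison, `if ($one_user['id'] == $this->behalf_id)`, so if behalf_id ever arrives from the session as a non-clean numeric string it can still compare equal under PHP 7 numeric-string rules; the identity check should be strict after normalising, `if ((int)$one_user['id'] === (int)$this->behalf_id)`. Both new methods build the same `$options` array and call `getUsers` with it, so a small private helper returning the eligible on-behalf users would keep the eligibility rule (active, lower rank) in one place. adjustBehalfId also writes `$_SESSION` directly from the model and picks whichever user `getUsers` happens to return first, which the caller in charts.php cannot see; the comment should state that the choice depends on `getUsers` ordering and that the session is updated as a side effect. Minor wording in the adjustBehalfId comment: "aapropriate" and "when use does not have".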
-
 Anuko Time Tracker 1.17.71.4163 | Copyright © Anuko | +  Anuko Time Tracker 1.17.71.4164 | Copyright © Anuko | {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve}
diff --git a/charts.php b/charts.php
index a44c9926..d6707038 100644
--- a/charts.php
+++ b/charts.php
@@ -46,6 +46,14 @@ if (!$user->isPluginEnabled('ch')) {
 header('Location: feature_disabled.php');
 exit();
 }
+if ($user->behalf_id && (!$user->can('view_charts') || !$user->checkBehalfId())) {
+ header('Location: access_denied.php'); // Trying on behalf, but no right or wrong user.
+ exit();
+}
+if (!$user->behalf_id && !$user->can('view_own_charts') && !$user->adjustBehalfId()) {
+ header('Location: access_denied.php'); // Trying as self, but no right for self, and noone to view on behalf.
+ exit();
+}
 // Initialize and store date in session.
 $cl_date = $request->getParameter('date', @$_SESSION['date']);
-- 
2.20.1
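Review bot: The second added condition moves a user who lacks `view_own_charts` onto another user's charts via `adjustBehalfId()` without first requiring `$user->can('view_charts')`, while the on-behalf branch just above it does require that right; the ttUser comment describes the intended case as "has view_charts but does not have view_own_charts", so the guard should read `if (!$user->behalf_id && !$user->can('view_own_charts') && (!$user->can('view_charts') || !$user->adjustBehalfId())) {`. As written, a user with neither right but with active lower-ranked users appears to be granted the page on behalf of one of them. Because adjustBehalfId also stores the new behalf_id in `$_SESSION`, the switch presumably persists for other pages once charts.php has run, which deserves a comment on this branch. These checks are top-level statements in charts.php, so there is no enclosing function.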