From 35a538725eb9bc8a651a012a7bccc546aa22e6b2 Mon Sep 17 00:00:00 2001 From: Nik Okuntseff Date: Fri, 7 Dec 2018 22:42:31 +0000 Subject: [PATCH] Improved access checks in notifications config. --- WEB-INF/templates/footer.tpl | 2 +- WEB-INF/templates/plugins.tpl | 2 +- notification_add.php | 18 +++++++++++++++--- notification_delete.php | 20 +++++++++++++------- notification_edit.php | 24 +++++++++++++++++++++--- notifications.php | 8 ++++++++ plugins.php | 1 + user_add.php | 8 +++++++- 8 files changed, 67 insertions(+), 16 deletions(-) diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl index bdd2fd61..bf2c3a05 100644 --- a/WEB-INF/templates/footer.tpl +++ b/WEB-INF/templates/footer.tpl @@ -12,7 +12,7 @@
- - + diff --git a/notification_add.php b/notification_add.php index e30970af..f1221117 100644 --- a/notification_add.php +++ b/notification_add.php @@ -42,11 +42,24 @@ if (!$user->isPluginEnabled('no')) { header('Location: feature_disabled.php'); exit(); } +if (!$user->exists()) { + header('Location: access_denied.php'); // No users in subgroup. + exit(); +} +if ($request->isPost()) { + // TODO: improve this, perhaps by refactoring elsewhere. + $cl_fav_report = (int) $request->getParameter('fav_report'); + $fav_report = ttFavReportHelper::getReport($cl_fav_report); + if ($user->getUser() != $fav_report['user_id']) { + header('Location: access_denied.php'); // Invalid fav report id in post. + exit(); + } +} +// End of access checks. -$fav_reports = ttFavReportHelper::getReports($user->id); +$fav_reports = ttFavReportHelper::getReports($user->getUser()); if ($request->isPost()) { - $cl_fav_report = trim($request->getParameter('fav_report')); $cl_cron_spec = trim($request->getParameter('cron_spec')); $cl_email = trim($request->getParameter('email')); $cl_cc = trim($request->getParameter('cc')); @@ -86,7 +99,6 @@ if ($request->isPost()) { $next = tdCron::getNextOccurrence($cl_cron_spec, mktime()); if (ttNotificationHelper::insert(array( - 'group_id' => $user->group_id, 'cron_spec' => $cl_cron_spec, 'next' => $next, 'report_id' => $cl_fav_report, diff --git a/notification_delete.php b/notification_delete.php index b18ac614..c1f0785e 100644 --- a/notification_delete.php +++ b/notification_delete.php 
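Review bot: In the first notification_add.php hunk the POST ownership check reads `$fav_report['user_id']` without first confirming that `ttFavReportHelper::getReport()` returned a row, so a non-existent id is rejected only because a loose `!=` against a null index happens to be true; make the rejection explicit with `if (!$fav_report || (int)$fav_report['user_id'] !== (int)$user->getUser()) {`. The second hunk drops `'group_id' => $user->group_id` from the insert array, so the new row's group scoping must now come from the helper or from the fav report — nothing visible here ties the notification to the caller's group, which is worth confirming since the delete and edit pages later look the row up by bare id. Both hunks sit inside the request-handling run of the script, which starts before and continues after the visible lines.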
@@ -39,9 +39,18 @@ if (!$user->isPluginEnabled('no')) { header('Location: feature_disabled.php'); exit(); } - +if (!$user->exists()) { + header('Location: access_denied.php'); // No users in subgroup. + exit(); +} $cl_notification_id = (int)$request->getParameter('id'); $notification = ttNotificationHelper::get($cl_notification_id); +if (!$notification) { + header('Location: access_denied.php'); // Wrong notification id. + exit(); +} +// End of access checks. + $notification_to_delete = $notification['name']; $form = new Form('notificationDeleteForm'); @@ -51,12 +60,9 @@ $form->addInput(array('type'=>'submit','name'=>'btn_cancel','value'=>$i18n->get( if ($request->isPost()) { if ($request->getParameter('btn_delete')) { - if(ttNotificationHelper::get($cl_notification_id)) { - if (ttNotificationHelper::delete($cl_notification_id)) { - header('Location: notifications.php'); - exit(); - } else - $err->add($i18n->get('error.db')); + if (ttNotificationHelper::delete($cl_notification_id)) { + header('Location: notifications.php'); + exit(); } else $err->add($i18n->get('error.db')); } elseif ($request->getParameter('btn_cancel')) { diff --git a/notification_edit.php b/notification_edit.php index 7442305a..de09f75e 100644 --- a/notification_edit.php +++ b/notification_edit.php 
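Review bot: The new `if (!$notification)` guard after `ttNotificationHelper::get($cl_notification_id)` proves only that a notification with that id exists, not that it belongs to the caller's group or on-behalf user, so unless `get()` itself filters by group the delete stays reachable for any id a user can guess. If the row carries a group column the guard could become `if (!$notification || $notification['group_id'] != $user->group_id) {`, otherwise the same report-owner test this patch applies to fav reports would do. Note the second hunk removes the inner `get()` call from the POST branch, so this pre-check is now the only control standing between the request and `delete()`. The script continues past the end of the hunk.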
@@ -42,12 +42,30 @@ if (!$user->isPluginEnabled('no')) { header('Location: feature_disabled.php'); exit(); } +if (!$user->exists()) { + header('Location: access_denied.php'); // No users in subgroup. + exit(); +} +$notification_id = (int)$request->getParameter('id'); +$notification = ttNotificationHelper::get($notification_id); +if (!$notification) { + header('Location: access_denied.php'); // Wrong notification id. + exit(); +} +if ($request->isPost()) { + // TODO: improve this, perhaps by refactoring elsewhere. + $cl_fav_report = (int) $request->getParameter('fav_report'); + $fav_report = ttFavReportHelper::getReport($cl_fav_report); + if ($user->getUser() != $fav_report['user_id']) { + header('Location: access_denied.php'); // Invalid fav report id in post. + exit(); + } +} +// End of access checks. -$notification_id = (int) $request->getParameter('id'); -$fav_reports = ttFavReportHelper::getReports($user->id); +$fav_reports = ttFavReportHelper::getReports($user->getUser()); if ($request->isPost()) { - $cl_fav_report = trim($request->getParameter('fav_report')); $cl_cron_spec = trim($request->getParameter('cron_spec')); $cl_email = trim($request->getParameter('email')); $cl_cc = trim($request->getParameter('cc')); diff --git a/notifications.php b/notifications.php index d70f5b48..7fe0e11d 100644 --- a/notifications.php +++ b/notifications.php @@ -39,6 +39,14 @@ if (!$user->isPluginEnabled('no')) { header('Location: feature_disabled.php'); exit(); } +if (!$user->exists()) { + header('Location: access_denied.php'); // No users in subgroup. + exit(); +} +// End of access checks. + +// TODO: extend and re-design notifications. +// Currently they only work with fav reports, which are bound to users. $form = new Form('notificationsForm'); diff --git a/plugins.php b/plugins.php index e036c173..a19c1e12 100644 --- a/plugins.php +++ b/plugins.php 
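Review bot: As on the delete page, `if (!$notification)` in the notification_edit.php hunk is an existence check rather than an ownership check, and because the fav_report comparison runs only under `isPost()`, a plain GET with a foreign id would still render that notification's settings unless `ttNotificationHelper::get()` scopes to the caller. One option that reuses the patch's own ownership rule is to test the loaded row's report, e.g. `if (!$notification || $user->getUser() != ttFavReportHelper::getReport($notification['report_id'])['user_id']) {`, assuming `report_id` is the column the insert in notification_add.php writes. The POST branch also reads `$fav_report['user_id']` without checking that `getReport()` found a row; prefixing the condition with `!$fav_report ||` avoids relying on a null-index comparison. The hunk ends inside the POST parameter parsing, which continues below.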
@@ -174,6 +174,7 @@ if ($request->isPost() && $request->getParameter('btn_save')) { $smarty->assign('forms', array($form->getName()=>$form->toArray())); $smarty->assign('onload', 'onLoad="handlePluginCheckboxes();"'); +$smarty->assign('user_exists', $user->exists()); $smarty->assign('title', $i18n->get('title.plugins')); $smarty->assign('content_page_name', 'plugins.tpl'); $smarty->display('index.tpl'); diff --git a/user_add.php b/user_add.php index 8a507e9e..9fa61129 100644 --- a/user_add.php +++ b/user_add.php @@ -157,7 +157,13 @@ if ($request->isPost()) { 'client_id' => $cl_client_id, 'projects' => $assigned_projects, 'email' => $cl_email); - if (ttUserHelper::insert($fields)) { + $user_id = ttUserHelper::insert($fields); + if ($user_id) { + if (!$user->exists()) { + // We added a user to an empty subgroup. Set new user as on behalf user. + // Needed for user-based things to work (such as notifications config). + $user->setOnBehalfUser($user_id); + } header('Location: users.php'); exit(); } else -- 2.20.1
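Review bot: In the user_add.php hunk `$user->exists()` is evaluated after `ttUserHelper::insert($fields)` has already committed the new user, so if `exists()` queries the database for users in the subgroup it will now find the row just inserted and return true, making the `setOnBehalfUser()` branch dead; it only works if `exists()` is a flag cached at login, which should be confirmed. Capturing the result before the insert, `$was_empty = !$user->exists();` and then `if ($was_empty) {`, makes the intent independent of that implementation detail. The return value of `setOnBehalfUser()` is also ignored before the redirect, so a failed switch would surface only as access_denied.php on the notifications pages. The enclosing POST handler starts before this hunk.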
 Anuko Time Tracker 1.18.29.4609 | Copyright © Anuko | +  Anuko Time Tracker 1.18.29.4610 | Copyright © Anuko | {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve} diff --git a/WEB-INF/templates/plugins.tpl b/WEB-INF/templates/plugins.tpl index d31bb841..6b88725b 100644 --- a/WEB-INF/templates/plugins.tpl +++ b/WEB-INF/templates/plugins.tpl @@ -123,7 +123,7 @@ function handlePluginCheckboxes() {
{$forms.pluginsForm.notifications.control} {$i18n.label.configure} {if $user_exists}{$i18n.label.configure}{/if}
{$forms.pluginsForm.locking.control}