From 3ad790a3d4bc23cb23f7ee072171ca6ef987eb56 Mon Sep 17 00:00:00 2001
From: anuko
Date: Sun, 25 Sep 2016 20:35:09 +0000
Subject: [PATCH] Added more access control checks.
---
 expense_delete.php | 2 +-
 expense_edit.php | 2 +-
 invoice_add.php | 2 +-
 invoice_delete.php | 2 +-
 invoice_send.php | 2 +-
 invoice_view.php | 2 +-
 invoices.php | 2 +-
 locking.php | 2 +-
 notification_add.php | 2 +-
 notification_delete.php | 2 +-
 notification_edit.php | 2 +-
 notifications.php | 2 +-
 project_add.php | 2 +-
 project_delete.php | 2 +-
 project_edit.php | 2 +-
 projects.php | 2 +-
 quotas.php | 2 +-
 task_add.php | 2 +-
 task_delete.php | 2 +-
 task_edit.php | 2 +-
 tasks.php | 2 +-
 21 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/expense_delete.php b/expense_delete.php
index 38800b62..c5f53aa9 100644
--- a/expense_delete.php
+++ b/expense_delete.php
@@ -32,7 +32,7 @@ import('DateAndTime');
 import('ttExpenseHelper');

 // Access check.
-if (!ttAccessCheck(right_data_entry)) {
+if (!ttAccessCheck(right_data_entry) || !$user->isPluginEnabled('ex')) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/expense_edit.php b/expense_edit.php
index 213cfcba..2f026917 100644
--- a/expense_edit.php
+++ b/expense_edit.php
@@ -33,7 +33,7 @@ import('DateAndTime');
 import('ttExpenseHelper');

 // Access check.
-if (!ttAccessCheck(right_data_entry)) {
+if (!ttAccessCheck(right_data_entry) || !$user->isPluginEnabled('ex')) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/invoice_add.php b/invoice_add.php
index f68753fc..0e752dca 100644
--- a/invoice_add.php
+++ b/invoice_add.php
@@ -32,7 +32,7 @@ import('ttTeamHelper');
 import('ttInvoiceHelper');

 // Access check.
-if (!ttAccessCheck(right_manage_team)) {
+if (!ttAccessCheck(right_manage_team) || !$user->isPluginEnabled('iv')) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/invoice_delete.php b/invoice_delete.php
index 7db539a5..41f7c190 100644
--- a/invoice_delete.php
+++ b/invoice_delete.php
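Review bot: The plugin gate added in expense_delete.php, `!$user->isPluginEnabled('ex')`, is copied by hand into each page, and the same pattern recurs in expense_edit.php, the invoice pages ('iv'), locking.php ('lk'), the notification pages ('no') and quotas.php ('mq'), so a page added later can miss it and stay reachable by direct URL while the feature is switched off. Consider one shared guard that takes the required right and the plugin code; at minimum the comment should state the rule, e.g. `// Access check: requires the data entry right and the 'ex' plugin.` The check decides only whether the page may be reached; whether the record named in the request belongs to the current user or team is decided, if at all, outside this hunk and is worth confirming for the delete and edit pages.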
@@ -31,7 +31,7 @@ import('form.Form');
 import('ttInvoiceHelper');

 // Access check.
-if (!ttAccessCheck(right_manage_team)) {
+if (!ttAccessCheck(right_manage_team) || !$user->isPluginEnabled('iv')) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/invoice_send.php b/invoice_send.php
index e519132d..b9e2a293 100644
--- a/invoice_send.php
+++ b/invoice_send.php
@@ -32,7 +32,7 @@ import('ttInvoiceHelper');
 import('ttSysConfig');

 // Access check.
-if (!ttAccessCheck(right_view_invoices)) {
+if (!ttAccessCheck(right_view_invoices) || !$user->isPluginEnabled('iv')) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/invoice_view.php b/invoice_view.php
index 2bb98763..e94c04b7 100644
--- a/invoice_view.php
+++ b/invoice_view.php
@@ -32,7 +32,7 @@ import('ttInvoiceHelper');
 import('ttClientHelper');

 // Access check.
-if (!ttAccessCheck(right_view_invoices)) {
+if (!ttAccessCheck(right_view_invoices) || !$user->isPluginEnabled('iv')) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/invoices.php b/invoices.php
index ad0b2853..a014472f 100644
--- a/invoices.php
+++ b/invoices.php
@@ -31,7 +31,7 @@ import('form.Form');
 import('ttTeamHelper');

 // Access check.
-if (!ttAccessCheck(right_view_invoices)) {
+if (!ttAccessCheck(right_view_invoices) || !$user->isPluginEnabled('iv')) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/locking.php b/locking.php
index dfdc2f2f..8acdcd70 100644
--- a/locking.php
+++ b/locking.php
@@ -31,7 +31,7 @@ import('form.Form');
 import('ttTeamHelper');

 // Access check.
-if (!ttAccessCheck(right_manage_team)) {
+if (!ttAccessCheck(right_manage_team) || !$user->isPluginEnabled('lk')) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/notification_add.php b/notification_add.php
index 80f46bb2..05b6ce0c 100644
--- a/notification_add.php
+++ b/notification_add.php
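Review bot: In invoice_send.php the page that presumably sends an invoice is gated by `right_view_invoices`, the same right used for the read-only invoice_view.php and invoices.php, while invoice_add.php and invoice_delete.php require `right_manage_team`. If not every holder of the view right is meant to trigger an outgoing message, the condition should name the stricter right, `if (!ttAccessCheck(right_manage_team) || !$user->isPluginEnabled('iv')) {`. The right predates this commit and what the page does after the check lies outside the hunk, so this is a point to confirm rather than an established gap.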
@@ -34,7 +34,7 @@ import('ttFavReportHelper');
 import('ttNotificationHelper');

 // Access check.
-if (!ttAccessCheck(right_manage_team)) {
+if (!ttAccessCheck(right_manage_team) || !$user->isPluginEnabled('no')) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/notification_delete.php b/notification_delete.php
index 50c33952..834befbe 100644
--- a/notification_delete.php
+++ b/notification_delete.php
@@ -31,7 +31,7 @@ import('form.Form');
 import('ttNotificationHelper');

 // Access check.
-if (!ttAccessCheck(right_manage_team)) {
+if (!ttAccessCheck(right_manage_team) || !$user->isPluginEnabled('no')) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/notification_edit.php b/notification_edit.php
index 30a9d8fe..cd3f41bd 100644
--- a/notification_edit.php
+++ b/notification_edit.php
@@ -34,7 +34,7 @@ import('ttFavReportHelper');
 import('ttNotificationHelper');

 // Access check.
-if (!ttAccessCheck(right_manage_team)) {
+if (!ttAccessCheck(right_manage_team) || !$user->isPluginEnabled('no')) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/notifications.php b/notifications.php
index 6a66b2f7..68cdfff8 100644
--- a/notifications.php
+++ b/notifications.php
@@ -31,7 +31,7 @@ import('form.Form');
 import('ttTeamHelper');

 // Access check.
-if (!ttAccessCheck(right_manage_team)) {
+if (!ttAccessCheck(right_manage_team) || !$user->isPluginEnabled('no')) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/project_add.php b/project_add.php
index 1c825d9f..fe46a6bd 100644
--- a/project_add.php
+++ b/project_add.php
@@ -32,7 +32,7 @@ import('ttProjectHelper');
 import('ttTeamHelper');

 // Access check.
-if (!ttAccessCheck(right_manage_team)) {
+if (!ttAccessCheck(right_manage_team) || (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->tracking_mode)) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/project_delete.php b/project_delete.php
index b6f46559..832bf4f7 100644
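Review bot: The tracking-mode test added in project_add.php spells out both constants with loose `!=`, and the identical expression is repeated in project_delete.php, project_edit.php and projects.php, so the four copies can drift apart when a mode is added or renamed. A membership test reads more clearly and keeps the same loose comparison: `if (!ttAccessCheck(right_manage_team) || !in_array($user->tracking_mode, array(MODE_PROJECTS, MODE_PROJECTS_AND_TASKS))) {`. The comment above it could also state that project pages are denied unless the team's tracking mode includes projects.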
--- a/project_delete.php
+++ b/project_delete.php
@@ -31,7 +31,7 @@ import('form.Form');
 import('ttProjectHelper');

 // Access check.
-if (!ttAccessCheck(right_manage_team)) {
+if (!ttAccessCheck(right_manage_team) || (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->tracking_mode)) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/project_edit.php b/project_edit.php
index 9cca73e5..11abccc8 100644
--- a/project_edit.php
+++ b/project_edit.php
@@ -32,7 +32,7 @@ import('ttProjectHelper');
 import('ttTeamHelper');

 // Access check.
-if (!ttAccessCheck(right_manage_team)) {
+if (!ttAccessCheck(right_manage_team) || (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->tracking_mode)) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/projects.php b/projects.php
index cc79e4ab..d9f36851 100644
--- a/projects.php
+++ b/projects.php
@@ -31,7 +31,7 @@ import('form.Form');
 import('ttTeamHelper');

 // Access check.
-if (!ttAccessCheck(right_data_entry)) {
+if (!ttAccessCheck(right_data_entry) || (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->tracking_mode)) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/quotas.php b/quotas.php
index 68b8a619..d846ae25 100644
--- a/quotas.php
+++ b/quotas.php
@@ -32,7 +32,7 @@ import('form.Form');
 import('ttTeamHelper');

 // Access check.
-if (!ttAccessCheck(right_manage_team)) {
+if (!ttAccessCheck(right_manage_team) || !$user->isPluginEnabled('mq')) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/task_add.php b/task_add.php
index ff98c977..5ef549bb 100644
--- a/task_add.php
+++ b/task_add.php
@@ -33,7 +33,7 @@ import('ttTeamHelper');
 import('ttTaskHelper');

 // Access check.
-if (!ttAccessCheck(right_manage_team)) {
+if (!ttAccessCheck(right_manage_team) || MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/task_delete.php b/task_delete.php
index 3fd83501..ebc96e21 100644
--- a/task_delete.php
+++ b/task_delete.php
@@ -31,7 +31,7 @@ import('ttTaskHelper');
 import('form.Form');

 // Access check.
-if (!ttAccessCheck(right_manage_team)) {
+if (!ttAccessCheck(right_manage_team) || MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/task_edit.php b/task_edit.php
index 943e9a92..077c7c6b 100644
--- a/task_edit.php
+++ b/task_edit.php
@@ -32,7 +32,7 @@ import('ttTeamHelper');
 import('ttTaskHelper');

 // Access check.
-if (!ttAccessCheck(right_manage_team)) {
+if (!ttAccessCheck(right_manage_team) || MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/tasks.php b/tasks.php
index cf7f607c..3ea2faaa 100644
--- a/tasks.php
+++ b/tasks.php
@@ -31,7 +31,7 @@ import('form.Form');
 import('ttTeamHelper');

 // Access check.
-if (!ttAccessCheck(right_manage_team)) {
+if (!ttAccessCheck(right_manage_team) || MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
 header('Location: access_denied.php');
 exit();
 }
--
2.20.1