From 66d86939b62dc5ae3d5f16088b61822e611cf58f Mon Sep 17 00:00:00 2001
From: Nik Okuntseff
Date: Thu, 28 Feb 2019 22:23:59 +0000
Subject: [PATCH] Disallowed editing records assigned to timesheets.
---
WEB-INF/lib/ttTimeHelper.class.php | 29 ++++++++++++++---------------
WEB-INF/templates/footer.tpl | 2 +-
WEB-INF/templates/mobile/time.tpl | 2 +-
WEB-INF/templates/time.tpl | 2 +-
mobile/time_delete.php | 4 ++--
mobile/time_edit.php | 4 ++--
time_delete.php | 4 ++--
time_edit.php | 4 ++--
8 files changed, 25 insertions(+), 26 deletions(-)
diff --git a/WEB-INF/lib/ttTimeHelper.class.php b/WEB-INF/lib/ttTimeHelper.class.php
index a66652b7..bdec1a5f 100644
--- a/WEB-INF/lib/ttTimeHelper.class.php
+++ b/WEB-INF/lib/ttTimeHelper.class.php
@@ -667,14 +667,14 @@ class ttTimeHelper { $mdb2 = getConnection(); - $sql = "select l.id as id, TIME_FORMAT(l.start, $sql_time_format) as start, - TIME_FORMAT(sec_to_time(time_to_sec(l.start) + time_to_sec(l.duration)), $sql_time_format) as finish, - TIME_FORMAT(l.duration, '%k:%i') as duration, - p.name as project_name, t.name as task_name, l.comment, l.client_id, l.project_id, l.task_id, l.invoice_id, l.billable, l.paid, l.date - from tt_log l - left join tt_projects p on (p.id = l.project_id) - left join tt_tasks t on (t.id = l.task_id) - where l.id = $id and l.user_id = $user_id and l.status = 1"; + $sql = "select l.id as id, TIME_FORMAT(l.start, $sql_time_format) as start,". + " TIME_FORMAT(sec_to_time(time_to_sec(l.start) + time_to_sec(l.duration)), $sql_time_format) as finish,". + " TIME_FORMAT(l.duration, '%k:%i') as duration,". + " p.name as project_name, t.name as task_name, l.comment, l.client_id, l.project_id, l.task_id,". + " l.timesheet_id, l.invoice_id, l.billable, l.paid, l.date from tt_log l". + " left join tt_projects p on (p.id = l.project_id)". + " left join tt_tasks t on (t.id = l.task_id)". + " where l.id = $id and l.user_id = $user_id and l.status = 1"; $res = $mdb2->query($sql); if (!is_a($res, 'PEAR_Error')) { if (!$res->numRows()) { 
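Review bot: The rebuilt WHERE clause on the last added line still splices `$id` and `$user_id` straight into the SQL string, so this helper (presumably getRecord, judging by the callers in this patch) is only safe as long as every caller casts first; the four visible callers do `(int)$request->getParameter('id')`, but the helper itself has no guard of its own. Since the statement is now assembled by concatenation anyway, the cheapest in-hunk hardening is to cast at the point of use: `" where l.id = ".(int)$id." and l.user_id = ".(int)$user_id." and l.status = 1";`. `$sql_time_format` is also interpolated; it looks like an internal format constant rather than request data, and a one-line comment saying so (`// $sql_time_format is a fixed format literal, never user input`) would save the next reader the same audit. The enclosing function starts before and ends after this hunk.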
@@ -730,13 +730,12 @@ class ttTimeHelper { $left_joins .= " left join tt_clients c on (l.client_id = c.id)"; $result = array(); - $sql = "select l.id as id, TIME_FORMAT(l.start, $sql_time_format) as start, - TIME_FORMAT(sec_to_time(time_to_sec(l.start) + time_to_sec(l.duration)), $sql_time_format) as finish, - TIME_FORMAT(l.duration, '%k:%i') as duration, p.name as project, t.name as task, l.comment, l.billable, l.invoice_id $client_field - from tt_log l - $left_joins - where l.date = '$date' and l.user_id = $user_id and l.group_id = $group_id and l.org_id = $org_id and l.status = 1 - order by l.start, l.id"; + $sql = "select l.id as id, TIME_FORMAT(l.start, $sql_time_format) as start,". + " TIME_FORMAT(sec_to_time(time_to_sec(l.start) + time_to_sec(l.duration)), $sql_time_format) as finish,". + " TIME_FORMAT(l.duration, '%k:%i') as duration, p.name as project, t.name as task, l.comment,". + " l.billable, l.timesheet_id, l.invoice_id $client_field from tt_log l $left_joins". + " where l.date = '$date' and l.user_id = $user_id and l.group_id = $group_id and l.org_id = $org_id and l.status = 1". + " order by l.start, l.id"; $res = $mdb2->query($sql); if (!is_a($res, 'PEAR_Error')) { while ($val = $res->fetchRow()) { diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl index e23882ac..b5578c43 100644 --- a/WEB-INF/templates/footer.tpl +++ b/WEB-INF/templates/footer.tpl @@ -12,7 +12,7 @@
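Review bot: On the new WHERE line the date is interpolated inside single quotes (`l.date = '$date'`), so the query's integrity depends entirely on the caller having normalised that string; a value containing a quote would break the statement, and if the value can ever be request-derived it would do worse than that. `$user_id`, `$group_id` and `$org_id` go in unquoted in the same way and rely on the same caller discipline. A cheap guard that fits inside the hunk is to reject anything that is not a plain ISO date right after `$result = array();`: `if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $date)) return $result;` — assuming `$result` is what the function returns on the normal path below the hunk. The enclosing function starts before and ends after this hunk.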
- {/if} - + {/foreach}
 Anuko Time Tracker 1.18.46.4795 | Copyright © Anuko | +  Anuko Time Tracker 1.18.46.4796 | Copyright © Anuko | {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve} diff --git a/WEB-INF/templates/mobile/time.tpl b/WEB-INF/templates/mobile/time.tpl index 35242e2f..cde0b5ef 100644 --- a/WEB-INF/templates/mobile/time.tpl +++ b/WEB-INF/templates/mobile/time.tpl @@ -25,7 +25,7 @@ {$record.project|escape}{if ($record.duration == '0:00' && $record.start <> '')}{/if}{$record.duration}{if ($record.duration == '0:00' && $record.start <> '')}{/if}{if $record.invoice_id} {else}{$i18n.label.edit}{/if}{if $record.timesheet_id|| $record.invoice_id} {else}{$i18n.label.edit}{/if}
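Review bot: The new condition in the mobile template reads `{if $record.timesheet_id|| $record.invoice_id}` with no space before `||`, while the desktop time.tpl hunk in this same patch writes `{if $record.timesheet_id || $record.invoice_id}`; matching the spacing keeps the two templates greppable as one pattern when the lock rule changes again. Worth remembering that hiding the Edit link here is presentation only; the check that actually enforces the lock is the one added to the time_edit.php and time_delete.php scripts in this patch, which is the right place for it.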
diff --git a/WEB-INF/templates/time.tpl b/WEB-INF/templates/time.tpl index bf28c509..f82897d2 100644 --- a/WEB-INF/templates/time.tpl +++ b/WEB-INF/templates/time.tpl @@ -130,7 +130,7 @@ {if ($record.duration == '0:00' && $record.start <> '')}{$i18n.form.time.uncompleted}{else}{$record.duration}{/if} {if $record.comment}{$record.comment|escape}{else} {/if} - {if $record.invoice_id} + {if $record.timesheet_id || $record.invoice_id}   {else} {$i18n.label.edit} diff --git a/mobile/time_delete.php b/mobile/time_delete.php index 10473260..8ebb98a8 100644 --- a/mobile/time_delete.php +++ b/mobile/time_delete.php @@ -40,8 +40,8 @@ if (!ttAccessAllowed('track_own_time')) { $cl_id = (int)$request->getParameter('id'); $user_id = $user->getUser(); $time_rec = ttTimeHelper::getRecord($cl_id, $user_id); -if (!$time_rec || $time_rec['invoice_id']) { - // Prohibit deleting not ours or invoiced records. +if (!$time_rec || $time_rec['timesheet_id'] || $time_rec['invoice_id']) { + // Prohibit deleting not ours, or assigned to timesheet, or invoiced records. header('Location: access_denied.php'); exit(); } diff --git a/mobile/time_edit.php b/mobile/time_edit.php index 803ca4e4..0b5b090e 100644 --- a/mobile/time_edit.php +++ b/mobile/time_edit.php @@ -42,8 +42,8 @@ if (!ttAccessAllowed('track_own_time')) { $cl_id = (int)$request->getParameter('id'); $user_id = $user->getUser(); $time_rec = ttTimeHelper::getRecord($cl_id, $user_id); -if (!$time_rec || $time_rec['invoice_id']) { - // Prohibit editing not ours or invoiced records. +if (!$time_rec || $time_rec['timesheet_id'] || $time_rec['invoice_id']) { + // Prohibit editing not ours, or assigned to timesheet, or invoiced records. header('Location: access_denied.php'); exit(); } diff --git a/time_delete.php b/time_delete.php index 5d6e5729..1b6f5c29 100644 --- a/time_delete.php +++ b/time_delete.php 
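Review bot: In mobile/time_edit.php the new lock test reads `$time_rec['timesheet_id']` by plain truthiness, so if that key is ever absent from the array (it is only present because the ttTimeHelper hunk in this same patch added `l.timesheet_id` to the SELECT) PHP emits a notice and the expression quietly evaluates to false, meaning the lock disappears instead of the request being refused. A fail-closed form would be `if (!$time_rec || !array_key_exists('timesheet_id', $time_rec) || $time_rec['timesheet_id'] || $time_rec['invoice_id']) {`, which denies when the helper stops supplying the column rather than silently allowing the edit. The same applies to the mobile/time_delete.php hunk on this line. The rest of the script, including whatever handles the POST, is outside the hunk, so I am assuming this top-of-file gate covers the submit path as well.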
@@ -40,8 +40,8 @@ if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) { $cl_id = (int)$request->getParameter('id'); $user_id = $user->getUser(); $time_rec = ttTimeHelper::getRecord($cl_id, $user_id); -if (!$time_rec || $time_rec['invoice_id']) { - // Prohibit deleting not ours or invoiced records. +if (!$time_rec || $time_rec['timesheet_id'] || $time_rec['invoice_id']) { + // Prohibit deleting not ours, or assigned to timesheet, or invoiced records. header('Location: access_denied.php'); exit(); } diff --git a/time_edit.php b/time_edit.php index 3bd52e6f..48db27ea 100644 --- a/time_edit.php +++ b/time_edit.php @@ -42,8 +42,8 @@ if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) { $cl_id = (int)$request->getParameter('id'); $user_id = $user->getUser(); $time_rec = ttTimeHelper::getRecord($cl_id, $user_id); -if (!$time_rec || $time_rec['invoice_id']) { - // Prohibit editing not ours or invoiced records. +if (!$time_rec || $time_rec['timesheet_id'] || $time_rec['invoice_id']) { + // Prohibit editing not ours, or assigned to timesheet, or invoiced records. header('Location: access_denied.php'); exit(); } -- 2.20.1
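Review bot: The predicate `$time_rec['timesheet_id'] || $time_rec['invoice_id']` is now hand-copied into time_edit.php, time_delete.php and their two mobile counterparts, so any further lock reason (or a fifth place that mutates tt_log rows, if one exists) has to be remembered in four files. A small helper on ttTimeHelper that takes the record array and returns whether it is immutable would let each gate read `if (!$time_rec || ttTimeHelper::isLocked($time_rec)) {`, with the timesheet/invoice rule defined once next to the query that supplies those columns. The comment line could then drop the growing list and just say `// Prohibit editing records that are not ours or are locked.`. Note also that the desktop gate above the hunk accepts `track_time` while the mobile one accepts only `track_own_time`; that asymmetry predates this patch, but it is worth confirming it is intentional since `getRecord` is still scoped to `$user->getUser()` in both.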