From 75ef763b9bd7f515280a6d130e5ad81720d72156 Mon Sep 17 00:00:00 2001 From: Nik Okuntseff Date: Mon, 26 Mar 2018 20:31:45 +0000 Subject: [PATCH] Security fix for project edits. --- WEB-INF/templates/footer.tpl | 2 +- mobile/project_delete.php | 16 +++++++++------- mobile/project_edit.php | 8 ++++++-- mobile/projects.php | 5 +++-- project_delete.php | 16 +++++++++------- project_edit.php | 8 ++++++-- projects.php | 6 ++++-- 7 files changed, 38 insertions(+), 23 deletions(-) diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl index 7c8bd634..95bed59a 100644 --- a/WEB-INF/templates/footer.tpl +++ b/WEB-INF/templates/footer.tpl @@ -12,7 +12,7 @@
-
 Anuko Time Tracker 1.17.74.4182 | Copyright © Anuko | +  Anuko Time Tracker 1.17.75.4183 | Copyright © Anuko | {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve} diff --git a/mobile/project_delete.php b/mobile/project_delete.php index c8753b84..5785496a 100644 --- a/mobile/project_delete.php +++ b/mobile/project_delete.php @@ -39,9 +39,14 @@ if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->t header('Location: feature_disabled.php'); exit(); } - $cl_project_id = (int)$request->getParameter('id'); $project = ttProjectHelper::get($cl_project_id); +if (!$project) { + header('Location: access_denied.php'); + exit(); +} +// End of access checks. + $project_to_delete = $project['name']; $form = new Form('projectDeleteForm'); @@ -51,12 +56,9 @@ $form->addInput(array('type'=>'submit','name'=>'btn_cancel','value'=>$i18n->get( if ($request->isPost()) { if ($request->getParameter('btn_delete')) { - if(ttProjectHelper::get($cl_project_id)) { - if (ttProjectHelper::delete($cl_project_id)) { - header('Location: projects.php'); - exit(); - } else - $err->add($i18n->get('error.db')); + if (ttProjectHelper::delete($cl_project_id)) { + header('Location: projects.php'); + exit(); } else $err->add($i18n->get('error.db')); } elseif ($request->getParameter('btn_cancel')) { diff --git a/mobile/project_edit.php b/mobile/project_edit.php index 74454ec4..6adb475e 100644 --- a/mobile/project_edit.php +++ b/mobile/project_edit.php @@ -40,8 +40,13 @@ if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->t header('Location: feature_disabled.php'); exit(); } - $cl_project_id = (int)$request->getParameter('id'); +$project = ttProjectHelper::get($cl_project_id); +if (!$project) { + header('Location: access_denied.php'); + exit(); +} +// End of access checks. $users = ttTeamHelper::getActiveUsers(); foreach ($users as $user_item) @@ -58,7 +63,6 @@ if ($request->isPost()) { $cl_users = $request->getParameter('users', array()); $cl_tasks = $request->getParameter('tasks', array()); } else { - $project = ttProjectHelper::get($cl_project_id); $cl_name = $project['name']; $cl_description = $project['description']; $cl_status = $project['status']; diff --git a/mobile/projects.php b/mobile/projects.php index 93261d42..938eab82 100644 --- a/mobile/projects.php +++ b/mobile/projects.php @@ -31,7 +31,8 @@ import('form.Form'); import('ttTeamHelper'); // Access checks. -if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) { +// TODO: introduce view_projects right to keep access checks simple. +if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time') || ttAccessAllowed('manage_projects'))) { header('Location: access_denied.php'); exit(); } @@ -40,7 +41,7 @@ if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->t exit(); } -if($user->canManageTeam()) { +if($user->can('manage_projects')) { $active_projects = ttTeamHelper::getActiveProjects($user->team_id); $inactive_projects = ttTeamHelper::getInactiveProjects($user->team_id); } else diff --git a/project_delete.php b/project_delete.php index 2373bbea..450241e7 100644 --- a/project_delete.php +++ b/project_delete.php @@ -39,9 +39,14 @@ if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->t header('Location: feature_disabled.php'); exit(); } - $cl_project_id = (int)$request->getParameter('id'); $project = ttProjectHelper::get($cl_project_id); +if (!$project) { + header('Location: access_denied.php'); + exit(); +} +// End of access checks. + $project_to_delete = $project['name']; $form = new Form('projectDeleteForm'); @@ -51,12 +56,9 @@ $form->addInput(array('type'=>'submit','name'=>'btn_cancel','value'=>$i18n->get( if ($request->isPost()) { if ($request->getParameter('btn_delete')) { - if(ttProjectHelper::get($cl_project_id)) { - if (ttProjectHelper::delete($cl_project_id)) { - header('Location: projects.php'); - exit(); - } else - $err->add($i18n->get('error.db')); + if (ttProjectHelper::delete($cl_project_id)) { + header('Location: projects.php'); + exit(); } else $err->add($i18n->get('error.db')); } elseif ($request->getParameter('btn_cancel')) { diff --git a/project_edit.php b/project_edit.php index d30782ab..543c532e 100644 --- a/project_edit.php +++ b/project_edit.php @@ -40,8 +40,13 @@ if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->t header('Location: feature_disabled.php'); exit(); } - $cl_project_id = (int)$request->getParameter('id'); +$project = ttProjectHelper::get($cl_project_id); +if (!$project) { + header('Location: access_denied.php'); + exit(); +} +// End of access checks. $users = ttTeamHelper::getActiveUsers(); foreach ($users as $user_item) @@ -58,7 +63,6 @@ if ($request->isPost()) { $cl_users = $request->getParameter('users', array()); $cl_tasks = $request->getParameter('tasks', array()); } else { - $project = ttProjectHelper::get($cl_project_id); $cl_name = $project['name']; $cl_description = $project['description']; $cl_status = $project['status']; diff --git a/projects.php b/projects.php index 5315c4f7..1d5f7e2e 100644 --- a/projects.php +++ b/projects.php @@ -31,7 +31,8 @@ import('form.Form'); import('ttTeamHelper'); // Access checks. -if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) { +// TODO: introduce view_projects right to keep access checks simple. +if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time') || ttAccessAllowed('manage_projects'))) { header('Location: access_denied.php'); exit(); } @@ -39,8 +40,9 @@ if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->t header('Location: feature_disabled.php'); exit(); } +// End of access checks. -if($user->canManageTeam()) { +if($user->can('manage_projects')) { $active_projects = ttTeamHelper::getActiveProjects($user->team_id); $inactive_projects = ttTeamHelper::getInactiveProjects($user->team_id); } else -- 2.20.1