From 81ca36ba9b5294ecb417d9b82196752211c652b7 Mon Sep 17 00:00:00 2001
From: Nik Okuntseff
Date: Mon, 26 Mar 2018 18:56:07 +0000
Subject: [PATCH] Included team_id in task update sql to avoid risk of misuse.
---
 WEB-INF/lib/ttTaskHelper.class.php | 2 +-
 WEB-INF/templates/footer.tpl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/WEB-INF/lib/ttTaskHelper.class.php b/WEB-INF/lib/ttTaskHelper.class.php
index 2bb99da4..24831cb2 100644
--- a/WEB-INF/lib/ttTaskHelper.class.php
+++ b/WEB-INF/lib/ttTaskHelper.class.php
@@ -198,7 +198,7 @@ class ttTaskHelper {
 $projects = $fields['projects'];
 $sql = "update tt_tasks set name = ".$mdb2->quote($name).", description = ".$mdb2->quote($description).
- ", status = $status where id = $task_id";
+ ", status = $status where id = $task_id and team_id = $user->team_id";
 $affected = $mdb2->exec($sql);
 if (is_a($affected, 'PEAR_Error')) die($affected->getMessage());
 
diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl
index b9939f90..9defcca8 100644
--- a/WEB-INF/templates/footer.tpl
+++ b/WEB-INF/templates/footer.tpl
@@ -12,7 +12,7 @@
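Review bot: On the `+` line, `$task_id` and `$status` are still spliced into the SQL string raw while `$name` and `$description` go through `$mdb2->quote()`, so the new `team_id` predicate narrows which row can be updated but does not close the injection path if either value reaches this point unvalidated (their origin is above line 198, outside the hunk). Quoting them with a type keeps the statement escaped by construction rather than by convention: `", status = ".$mdb2->quote($status, 'integer')." where id = ".$mdb2->quote($task_id, 'integer')." and team_id = ".$mdb2->quote($user->team_id, 'integer');`. The hunk also relies on `$user` being in scope inside this method; the enclosing function starts above the hunk, and if it does not bring `$user` in, `$user->team_id` interpolates as an empty string and the query fails at the `die()` below. With the scope predicate in place, `$affected === 0` now also means the task belongs to another team, which is worth surfacing to the caller instead of treating as a silent no-op.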
-
 Anuko Time Tracker 1.17.74.4179 | Copyright © Anuko | +  Anuko Time Tracker 1.17.74.4180 | Copyright © Anuko | {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve} -- 2.20.1