From 926b8d63a0be596b0c95cb55f01addae410af50c Mon Sep 17 00:00:00 2001
From: Nik Okuntseff
Date: Mon, 26 Mar 2018 17:09:46 +0000
Subject: [PATCH] Improved access checks for invoices.

---
 WEB-INF/templates/footer.tpl | 2 +-
 invoice_add.php | 1 +
 invoice_delete.php | 7 ++++++-
 invoice_send.php | 13 +++++++------
 invoice_view.php | 8 +++-----
 5 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl
index 3e9eb18d..2aa36a25 100644
--- a/WEB-INF/templates/footer.tpl
+++ b/WEB-INF/templates/footer.tpl
@@ -12,7 +12,7 @@
-
 Anuko Time Tracker 1.17.73.4177 | Copyright © Anuko | +  Anuko Time Tracker 1.17.73.4178 | Copyright © Anuko | {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve}
diff --git a/invoice_add.php b/invoice_add.php
index 5267056c..ad9c3cfb 100644
--- a/invoice_add.php
+++ b/invoice_add.php
@@ -40,6 +40,7 @@ if (!$user->isPluginEnabled('iv')) {
 header('Location: feature_disabled.php');
 exit();
 }
+// End of access checks.
 
 if ($request->isPost()) {
 $cl_date = $request->getParameter('date');
diff --git a/invoice_delete.php b/invoice_delete.php
index 2bca58ce..ffdcf2c1 100644
--- a/invoice_delete.php
+++ b/invoice_delete.php
@@ -39,9 +39,14 @@ if (!$user->isPluginEnabled('iv')) {
 header('Location: feature_disabled.php');
 exit();
 }
-
 $cl_invoice_id = (int)$request->getParameter('id');
 $invoice = ttInvoiceHelper::getInvoice($cl_invoice_id);
+if (!$invoice) {
+ header('Location: access_denied.php');
+ exit();
+}
+// End of access checks.
+
 $invoice_to_delete = $invoice['name'];
 
 $form = new Form('invoiceDeleteForm');
diff --git a/invoice_send.php b/invoice_send.php
index f0e30bc4..20c3c187 100644
--- a/invoice_send.php
+++ b/invoice_send.php
@@ -40,14 +40,15 @@ if (!$user->isPluginEnabled('iv')) {
 header('Location: feature_disabled.php');
 exit();
 }
-
 $cl_invoice_id = (int)$request->getParameter('id');
-$invoice = ttInvoiceHelper::getInvoice($cl_invoice_id);
-$sc = new ttSysConfig($user->id);
+$invoice = ttInvoiceHelper::getInvoice($cl_invoice_id);
+if (!$invoice) {
+ header('Location: access_denied.php');
+ exit();
+}
+// End of access checks.
 
-// Security check.
-if (!$cl_invoice_id || !$invoice)
- die ($i18n->get('error.sys'));
+$sc = new ttSysConfig($user->id);
 
 if ($request->isPost()) {
 $cl_receiver = trim($request->getParameter('receiver'));
diff --git a/invoice_view.php b/invoice_view.php
index 62f0cbbf..fd8424a3 100644
--- a/invoice_view.php
+++ b/invoice_view.php
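Review bot: The new `if (!$invoice)` guard in the invoice_delete.php hunk turns a failed lookup into an access-denied redirect, but whether it is an access check at all depends on `ttInvoiceHelper::getInvoice()` restricting the lookup to invoices the current user may see, which this hunk does not show. If the helper fetches by id alone, any logged-in user with the plugin enabled could still reach another group's invoice by supplying its id, and the `// End of access checks.` comment would overstate what has been verified. I would make that dependency explicit, e.g. `// End of access checks. The guard above relies on getInvoice() returning nothing for invoices outside the current user's scope.`, or add an explicit ownership comparison here if the helper does not scope the query. The same pattern appears in the invoice_send.php hunk on this line and the invoice_view.php hunk below.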
@@ -41,15 +41,13 @@ if (!$user->isPluginEnabled('iv')) {
 header('Location: feature_disabled.php');
 exit();
 }
-
-$cl_id = (int)$request->getParameter('id');
-$invoice = ttInvoiceHelper::getInvoice($cl_id);
-// Temporary fix for invalid invoice id. TODO: implement properly and review security of other pages,
-// where item id is passed (or posted) as parameter.
+$cl_invoice_id = (int)$request->getParameter('id');
+$invoice = ttInvoiceHelper::getInvoice($cl_invoice_id);
 if (!$invoice) {
 header('Location: access_denied.php');
 exit();
 }
+// End of access checks.
 
 $invoice_date = new DateAndTime(DB_DATEFORMAT, $invoice['date']);
 $client = ttClientHelper::getClient($invoice['client_id'], true);
-- 
2.20.1
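Review bot: The removed comment in invoice_view.php carried a TODO to review the other pages where an item id is passed or posted as a parameter, and this commit only touches the invoice pages, so dropping it loses the only record of that wider follow-up. Unless those pages have already been reviewed, I would keep a one-line reminder after the new `// End of access checks.` line, e.g. `// TODO: apply the same not-found-as-access-denied guard to other pages that take an item id parameter.`. The rename from `$cl_id` to `$cl_invoice_id` brings this page in line with the other invoice pages in the patch.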