From 926ea063e48ed8a45dcd308b87f92abe2bfed716 Mon Sep 17 00:00:00 2001
From: Nik Okuntseff
Date: Mon, 12 Mar 2018 19:21:34 +0000
Subject: [PATCH] Security fix for invoice view.
---
 WEB-INF/lib/ttInvoiceHelper.class.php | 4 +++-
 WEB-INF/templates/footer.tpl | 2 +-
 invoice_send.php | 2 +-
 invoice_view.php | 2 +-
 4 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/WEB-INF/lib/ttInvoiceHelper.class.php b/WEB-INF/lib/ttInvoiceHelper.class.php
index 9fa7e58c..fd701fe5 100644
--- a/WEB-INF/lib/ttInvoiceHelper.class.php
+++ b/WEB-INF/lib/ttInvoiceHelper.class.php
@@ -69,7 +69,9 @@ class ttInvoiceHelper {
 global $user;
 $mdb2 = getConnection();
 
- $sql = "select * from tt_invoices where id = $invoice_id and team_id = $user->team_id and status = 1";
+ if ($user->isClient()) $client_part = " and client_id = $user->client_id";
+
+ $sql = "select * from tt_invoices where id = $invoice_id and team_id = $user->team_id $client_part and status = 1";
 $res = $mdb2->query($sql);
 if (!is_a($res, 'PEAR_Error')) {
 if ($val = $res->fetchRow())
diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl
index c614ff73..3f186179 100644
--- a/WEB-INF/templates/footer.tpl
+++ b/WEB-INF/templates/footer.tpl
@@ -12,7 +12,7 @@
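Review bot: `$client_part` is assigned only inside the `if ($user->isClient())` branch, so for every non-client caller the new `$sql` line interpolates an undefined variable — it expands to an empty string but emits an "Undefined variable" notice on each call, and the scoping intent is invisible to a reader of the query line. Initialise it unconditionally, e.g. `$client_part = $user->isClient() ? " and client_id = $user->client_id" : '';`. The query still embeds `$invoice_id` and `$user->client_id` directly in the SQL string; unless every caller validates `$invoice_id` before reaching this method (not visible here), an `(int)` cast of both values on the new line would make the client scoping hard to bypass. The enclosing method's signature and the rest of its body lie outside the hunk.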
-
 Anuko Time Tracker 1.17.40.4064 | Copyright © Anuko | +  Anuko Time Tracker 1.17.41.4065 | Copyright © Anuko | {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve}
diff --git a/invoice_send.php b/invoice_send.php
index ee333a62..48bc14f0 100644
--- a/invoice_send.php
+++ b/invoice_send.php
@@ -32,7 +32,7 @@ import('ttInvoiceHelper');
 import('ttSysConfig');
 
 // Access check.
-if (!ttAccessAllowed('manage_invoices') || !$user->isPluginEnabled('iv')) {
+if (!(ttAccessAllowed('manage_invoices') || ttAccessAllowed('view_own_invoices')) || !$user->isPluginEnabled('iv')) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/invoice_view.php b/invoice_view.php
index 7661d9c9..4a6027a5 100644
--- a/invoice_view.php
+++ b/invoice_view.php
@@ -33,7 +33,7 @@ import('ttClientHelper');
 import('form.Form');
 
 // Access check.
-if (!ttAccessCheck(right_view_invoices) || !$user->isPluginEnabled('iv')) {
+if (!(ttAccessAllowed('manage_invoices') || ttAccessAllowed('view_own_invoices')) || !$user->isPluginEnabled('iv')) {
 header('Location: access_denied.php');
 exit();
 }
-- 2.20.1
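Review bot: The widened gate on the new `if` line admits any holder of `view_own_invoices`, but nothing in this file restricts which invoice that user may then act on; the only per-invoice scoping this commit adds is in ttInvoiceHelper and it applies solely when `$user->isClient()`. If a non-client role can hold `view_own_invoices`, such a user would pass this check and, assuming the page loads the invoice through that helper, operate on any invoice in the team — worth confirming against the role definitions, which are not visible here. The same gate is introduced in the invoice_view.php hunk below and the same question applies. For invoice_send.php specifically, a "view own" right now also permits sending the invoice by e-mail; if that is intended, record it above the check with `// view_own_invoices holders (clients) may also send their own invoices; client scoping is enforced by ttInvoiceHelper.` so the dependency on the helper is explicit.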