From 9339284bfdaba5a0c2a4e3c9fa000194a508d0bf Mon Sep 17 00:00:00 2001
From: Nik Okuntseff <support@anuko.com>
Date: Mon, 26 Mar 2018 13:14:51 +0000
Subject: [PATCH] Improved getUserDetails to not return info for deleted users.

---
 WEB-INF/lib/ttUserHelper.class.php | 2 +-
 WEB-INF/templates/footer.tpl       | 2 +-
 mobile/user_delete.php             | 1 -
 mobile/user_edit.php               | 1 -
 user_delete.php                    | 9 +++------
 user_edit.php                      | 7 ++-----
 6 files changed, 7 insertions(+), 15 deletions(-)

diff --git a/WEB-INF/lib/ttUserHelper.class.php b/WEB-INF/lib/ttUserHelper.class.php
index e4591ea4..583049bd 100644
--- a/WEB-INF/lib/ttUserHelper.class.php
+++ b/WEB-INF/lib/ttUserHelper.class.php
@@ -36,7 +36,7 @@ class ttUserHelper {
     global $user;
     $mdb2 = getConnection();
 
-    $sql =  "select u.*, r.rank from tt_users u left join tt_roles r on (u.role_id = r.id) where u.id = $user_id and u.team_id = $user->team_id";
+    $sql =  "select u.*, r.rank from tt_users u left join tt_roles r on (u.role_id = r.id) where u.id = $user_id and u.team_id = $user->team_id and u.status is not null";
     $res = $mdb2->query($sql);
 
     if (!is_a($res, 'PEAR_Error')) {
diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl
index 7239c138..77e160e9 100644
--- a/WEB-INF/templates/footer.tpl
+++ b/WEB-INF/templates/footer.tpl
@@ -12,7 +12,7 @@
       <br>
       <table cellspacing="0" cellpadding="4" width="100%" border="0">
         <tr>
-          <td align="center">&nbsp;Anuko Time Tracker 1.17.72.4170 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
+          <td align="center">&nbsp;Anuko Time Tracker 1.17.72.4171 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
             <a href="https://www.anuko.com/lp/tt_4.htm" target="_blank">{$i18n.footer.credits}</a> |
             <a href="https://www.anuko.com/lp/tt_5.htm" target="_blank">{$i18n.footer.license}</a> |
             <a href="https://www.anuko.com/lp/tt_7.htm" target="_blank">{$i18n.footer.improve}</a>
diff --git a/mobile/user_delete.php b/mobile/user_delete.php
index d8400456..0e045d01 100644
--- a/mobile/user_delete.php
+++ b/mobile/user_delete.php
@@ -45,7 +45,6 @@ $user_details = ttUserHelper::getUserDetails($user_id);
 
 // Security checks.
 if (!$user_details || // No details.
-     $user_details['team_id'] <> $user->team_id || // User not in team.
      $user_details['rank'] > $user->rank || // User has a bigger rank.
      ($user_details['rank'] == $user->rank && $user_details['id'] <> $user->id) // Same rank but not us.
    ) {
diff --git a/mobile/user_edit.php b/mobile/user_edit.php
index 285c3442..49781226 100644
--- a/mobile/user_edit.php
+++ b/mobile/user_edit.php
@@ -47,7 +47,6 @@ $user_details = ttUserHelper::getUserDetails($user_id);
 
 // Security checks.
 if (!$user_details || // No details.
-     $user_details['team_id'] <> $user->team_id || // User not in team.
      $user_details['rank'] > $user->rank || // User has a bigger rank.
      ($user_details['rank'] == $user->rank && $user_details['id'] <> $user->id) // Same rank but not us.
    ) {
diff --git a/user_delete.php b/user_delete.php
index a88454bf..b8ec5e9a 100644
--- a/user_delete.php
+++ b/user_delete.php
@@ -30,27 +30,24 @@ require_once('initialize.php');
 import('form.Form');
 import('ttUserHelper');
 
-// Access check.
+// Access checks.
 if (!ttAccessAllowed('manage_users')) {
   header('Location: access_denied.php');
   exit();
 }
-
-// Get user id we are deleting from the request.
+// Get user id we are deleting.
 // A cast to int is for safety against manipulation of request parameter (sql injection). 
 $user_id = (int) $request->getParameter('id');
 // We need user name and login to display.
 $user_details = ttUserHelper::getUserDetails($user_id);
-
-// Security checks.
 if (!$user_details || // No details.
-     $user_details['team_id'] <> $user->team_id || // User not in team.
      $user_details['rank'] > $user->rank || // User has a bigger rank.
      ($user_details['rank'] == $user->rank && $user_details['id'] <> $user->id) // Same rank but not us.
    ) {
   header('Location: access_denied.php');
   exit();
 }
+// End of access checks.
 
 $smarty->assign('user_to_delete', $user_details['name']." (".$user_details['login'].")");
 
diff --git a/user_edit.php b/user_edit.php
index 75d89e50..5ceac373 100644
--- a/user_edit.php
+++ b/user_edit.php
@@ -35,26 +35,23 @@ import('form.Table');
 import('form.TableColumn');
 import('ttRoleHelper');
 
-// Access check.
+// Access checks.
 if (!ttAccessAllowed('manage_users')) {
   header('Location: access_denied.php');
   exit();
 }
-
 // Get user id we are editing from the request.
 $user_id = (int) $request->getParameter('id');
 // Get user details.
 $user_details = ttUserHelper::getUserDetails($user_id);
-
-// Security checks.
 if (!$user_details || // No details.
-     $user_details['team_id'] <> $user->team_id || // User not in team.
      $user_details['rank'] > $user->rank || // User has a bigger rank.
      ($user_details['rank'] == $user->rank && $user_details['id'] <> $user->id) // Same rank but not us.
    ) {
   header('Location: access_denied.php');
   exit();
 }
+// End of access checks.
 
 if ($user->isPluginEnabled('cl'))
   $clients = ttTeamHelper::getActiveClients($user->team_id);
-- 
2.20.1