From a8a4278a6a87c600835890a10c774dfdc58e930a Mon Sep 17 00:00:00 2001 From: Nik Okuntseff Date: Sat, 24 Mar 2018 19:52:42 +0000 Subject: [PATCH] More improvements to access checks. --- WEB-INF/templates/footer.tpl | 2 +- task_add.php | 8 ++++++-- task_delete.php | 8 ++++++-- task_edit.php | 8 ++++++-- tasks.php | 8 ++++++-- time.php | 2 +- time_delete.php | 2 +- time_edit.php | 2 +- tofile.php | 2 +- topdf.php | 2 +- users.php | 2 +- week.php | 8 ++++++-- week_view.php | 8 ++++++-- 13 files changed, 43 insertions(+), 19 deletions(-)
diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl
index b99c720b..a4a020e7 100644
--- a/WEB-INF/templates/footer.tpl
+++ b/WEB-INF/templates/footer.tpl
@@ -12,7 +12,7 @@
-
 Anuko Time Tracker 1.17.69.4157 | Copyright © Anuko |
+  Anuko Time Tracker 1.17.69.4158 | Copyright © Anuko |
 {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve}
diff --git a/task_add.php b/task_add.php
index 12c54464..a5149e84 100644
--- a/task_add.php
+++ b/task_add.php
@@ -32,11 +32,15 @@ import('form.ActionForm');
 import('ttTeamHelper');
 import('ttTaskHelper');
-// Access check.
-if (!ttAccessAllowed('manage_tasks') || MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
+// Access checks.
+if (!ttAccessAllowed('manage_tasks')) {
 header('Location: access_denied.php');
 exit();
 }
+if (MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $projects = ttTeamHelper::getActiveProjects($user->team_id);
diff --git a/task_delete.php b/task_delete.php
index d72220d2..0e9f40cf 100644
--- a/task_delete.php
+++ b/task_delete.php
@@ -30,11 +30,15 @@ require_once('initialize.php');
 import('ttTaskHelper');
 import('form.Form');
-// Access check.
-if (!ttAccessAllowed('manage_tasks') || MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
+// Access checks.
+if (!ttAccessAllowed('manage_tasks')) {
 header('Location: access_denied.php');
 exit();
 }
+if (MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $cl_task_id = (int)$request->getParameter('id');
 $task = ttTaskHelper::get($cl_task_id);
diff --git a/task_edit.php b/task_edit.php
index 36e717d7..bba89beb 100644
--- a/task_edit.php
+++ b/task_edit.php
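Review bot: The `// Access checks.` comment does not record why the `manage_tasks` redirect now precedes the tracking-mode redirect, and that order is the security-relevant part of the split: a caller without `manage_tasks` is sent to access_denied.php before the code reveals whether tasks are enabled, so the two blocks must not be swapped later. Suggest `// Access check first: callers without manage_tasks must not learn whether the feature is enabled.` on the first block and `// Feature check: tasks are only available in MODE_PROJECTS_AND_TASKS.` on the second. The same two-block gate appears in task_delete.php, task_edit.php and tasks.php in this patch and would benefit from the same comments.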
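Review bot: The hunk's last two lines load `$task` from the request's `id` with no visible tie to `$user->team_id`, so the `manage_tasks` gate alone does not stop a manager from another team from addressing an arbitrary task id. Whether `ttTaskHelper::get()` scopes by team internally cannot be seen from here; if it does not, the load should be followed by a guard that redirects to access_denied.php both when nothing is returned and when the loaded task's team differs from `$user->team_id`, mirroring the gate above. The cast to `(int)` already neutralises injection, so this is purely an object-level authorisation question. task_edit.php reads the same `id` parameter and has the same question; the delete itself is outside this hunk.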
@@ -31,11 +31,15 @@ import('form.Form');
 import('ttTeamHelper');
 import('ttTaskHelper');
-// Access check.
-if (!ttAccessAllowed('manage_tasks') || MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
+// Access checks.
+if (!ttAccessAllowed('manage_tasks')) {
 header('Location: access_denied.php');
 exit();
 }
+if (MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $cl_task_id = (int)$request->getParameter('id');
 $projects = ttTeamHelper::getActiveProjects($user->team_id);
diff --git a/tasks.php b/tasks.php
index 5bc3fd45..5505e6dd 100644
--- a/tasks.php
+++ b/tasks.php
@@ -30,11 +30,15 @@ require_once('initialize.php');
 import('form.Form');
 import('ttTeamHelper');
-// Access check.
-if (!ttAccessAllowed('manage_tasks') || MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
+// Access checks.
+if (!ttAccessAllowed('manage_tasks')) {
 header('Location: access_denied.php');
 exit();
 }
+if (MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $smarty->assign('active_tasks', ttTeamHelper::getActiveTasks($user->team_id));
 $smarty->assign('inactive_tasks', ttTeamHelper::getInactiveTasks($user->team_id));
diff --git a/time.php b/time.php
index 270a8aae..1c29aa8f 100644
--- a/time.php
+++ b/time.php
@@ -42,7 +42,7 @@ import('DateAndTime');
 // }
 // Access check.
-if (!ttAccessAllowed('track_own_time')) {
+if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/time_delete.php b/time_delete.php
index 2ad3ea41..ec3c677c 100644
--- a/time_delete.php
+++ b/time_delete.php
@@ -33,7 +33,7 @@ import('ttTimeHelper');
 import('DateAndTime');
 // Access check.
-if (!ttAccessAllowed('track_own_time')) {
+if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/time_edit.php b/time_edit.php
index dd3edde1..c14928f5 100644
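Review bot: This is the fourth verbatim copy in the patch of the same two-block gate (task_add.php, task_delete.php, task_edit.php, tasks.php), and every copy has to keep the permission redirect ahead of the feature redirect and keep `exit()` after each `header()`; with four hand-maintained copies a later edit to one of them can silently break that invariant. A small shared helper, roughly `ttAccessCheck('manage_tasks', MODE_PROJECTS_AND_TASKS == $user->tracking_mode)`, that performs both redirects and exits would reduce each page to one line and make the ordering a single decision. Name and placement are a matter of project convention; the inline form is correct as written.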
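Review bot: Nothing in this hunk ties the time record being deleted to the caller now that the changed `if` line also admits `track_time` holders; with `track_own_time` alone the page gate implied the owner, and if `track_time` means tracking time for other users, as the name suggests, that implication no longer holds. The record id is presumably read later in time_delete.php, outside this hunk, so the ownership check there should be confirmed to handle the `track_time` case (owner is the caller, or a user the caller may act for) rather than assuming `$user->id`; if no such check exists, the record's owner must be compared against the caller before the delete runs. time_edit.php and time.php receive the identical gate change and carry the same question. A one-line comment at the gate, e.g. `// track_time holders may reach this page; record ownership is checked below.`, would document the contract once it is confirmed.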
--- a/time_edit.php
+++ b/time_edit.php
@@ -35,7 +35,7 @@ import('ttTimeHelper');
 import('DateAndTime');
 // Access check.
-if (!ttAccessAllowed('track_own_time')) {
+if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/tofile.php b/tofile.php
index 67c5b31c..abd1f278 100644
--- a/tofile.php
+++ b/tofile.php
@@ -32,7 +32,7 @@ import('form.ActionForm');
 import('ttReportHelper');
 // Access check.
-if (!ttAccessAllowed('view_own_reports')) {
+if (!(ttAccessAllowed('view_own_reports') || ttAccessAllowed('view_reports'))) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/topdf.php b/topdf.php
index b8f6684c..3177d155 100644
--- a/topdf.php
+++ b/topdf.php
@@ -36,7 +36,7 @@ import('form.ActionForm');
 import('ttReportHelper');
 // Access check.
-if (!ttAccessAllowed('view_own_reports')) {
+if (!(ttAccessAllowed('view_own_reports') || ttAccessAllowed('view_reports'))) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/users.php b/users.php
index 86021863..35fd4168 100644
--- a/users.php
+++ b/users.php
@@ -33,7 +33,7 @@ import('ttTimeHelper');
 import('ttRoleHelper');
 // Access check.
-if (!ttAccessAllowed('view_users')) {
+if (!(ttAccessAllowed('view_users') || ttAccessAllowed('manage_users'))) {
 header('Location: access_denied.php');
 exit();
 }
diff --git a/week.php b/week.php
index e26aa119..f1dc7889 100644
--- a/week.php
+++ b/week.php
@@ -38,11 +38,15 @@ import('ttClientHelper');
 import('ttTimeHelper');
 import('DateAndTime');
-// Access check.
-if (!ttAccessAllowed('track_own_time') || !$user->isPluginEnabled('wv')) {
+// Access checks.
+if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) {
 header('Location: access_denied.php');
 exit();
 }
+if (!$user->isPluginEnabled('wv')) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 // Initialize and store date in session.
 $cl_date = $request->getParameter('date', @$_SESSION['date']);
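Review bot: Nothing in the hunk limits whose data the export may contain now that `view_reports` holders pass the changed `if` line alongside `view_own_reports` holders; the report parameters are assembled outside this hunk. Confirm that the code building the report (ttReportHelper, imported in the context line above) pins the user filter to the caller when only `view_own_reports` is held and honours an arbitrary user selection only under `view_reports`, otherwise the export becomes a route around the per-user restriction that the page gate used to enforce by itself. topdf.php receives the same change and carries the same question. A comment at the gate naming which right unlocks cross-user data, e.g. `// view_reports permits other users' data; the report filter must enforce the narrower right.`, would make the contract visible here.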
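Review bot: The context line `$cl_date = $request->getParameter('date', @$_SESSION['date']);` that closes the hunk silences the undefined-index notice with `@`, which also hides any other notice raised while that expression is evaluated; this is pre-existing, not introduced here. `isset($_SESSION['date']) ? $_SESSION['date'] : null` yields the same null default without suppression (the `??` form is equivalent if the codebase already requires PHP 7). The two new redirects above it are ordered correctly: permission is checked before the `wv` plugin flag, so a caller without tracking rights is not told whether the weekly view is enabled, and that intent deserves a one-line comment on the second block.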
diff --git a/week_view.php b/week_view.php
index b273d278..e5ec1479 100644
--- a/week_view.php
+++ b/week_view.php
@@ -30,11 +30,15 @@ require_once('initialize.php');
 import('form.Form');
 import('ttTeamHelper');
-// Access check.
-if (!ttAccessAllowed('manage_advanced_settings') || !$user->isPluginEnabled('wv')) {
+// Access checks.
+if (!ttAccessAllowed('manage_advanced_settings')) {
 header('Location: access_denied.php');
 exit();
 }
+if (!$user->isPluginEnabled('wv')) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 if ($request->isPost()) {
 $cl_week_note = $request->getParameter('week_note');
-- 2.20.1