From b239e5e01ca823026e96776413f6bb0de0f9e478 Mon Sep 17 00:00:00 2001 From: Nik Okuntseff Date: Mon, 3 Dec 2018 17:46:41 +0000 Subject: [PATCH] Improved access checks on client_delete.php. --- WEB-INF/templates/footer.tpl | 2 +- client_delete.php | 23 ++++++++++++----------- mobile/client_delete.php | 21 +++++++++++---------- 3 files changed, 24 insertions(+), 22 deletions(-)
diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl
index 00e7a3f0..ba7efd42 100644
--- a/WEB-INF/templates/footer.tpl
+++ b/WEB-INF/templates/footer.tpl
@@ -12,7 +12,7 @@
-
 Anuko Time Tracker 1.18.29.4574 | Copyright © Anuko |
+  Anuko Time Tracker 1.18.29.4575 | Copyright © Anuko | {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve}
diff --git a/client_delete.php b/client_delete.php
index 22ae9d4a..a5f00656 100644
--- a/client_delete.php
+++ b/client_delete.php
@@ -39,9 +39,13 @@ if (!$user->isPluginEnabled('cl')) { header('Location: feature_disabled.php'); exit(); } - $id = (int)$request->getParameter('id'); $client = ttClientHelper::getClient($id);
+if (!$client) {
+ header('Location: access_denied.php');
+ exit();
+}
+// End of access checks. $client_to_delete = $client['name'];
@@ -53,16 +57,13 @@ $form->addInput(array('type'=>'submit','name'=>'btn_delete','value'=>$i18n->get( $form->addInput(array('type'=>'submit','name'=>'btn_cancel','value'=>$i18n->get('button.cancel'))); if ($request->isPost()) {
- if(ttClientHelper::getClient($id)) {
- if ($request->getParameter('btn_delete')) {
- if (ttClientHelper::delete($id, $request->getParameter('delete_client_entries'))) {
- header('Location: clients.php');
- exit();
- } else
- $err->add($i18n->get('error.db'));
- }
- } else
- $err->add($i18n->get('error.db'));
+ if ($request->getParameter('btn_delete')) {
+ if (ttClientHelper::delete($id, $request->getParameter('delete_client_entries'))) {
+ header('Location: clients.php');
+ exit();
+ } else
+ $err->add($i18n->get('error.db'));
+ } if ($request->getParameter('btn_cancel')) { header('Location: clients.php');
diff --git a/mobile/client_delete.php b/mobile/client_delete.php
index 154d8930..8e05ccde 100644
--- a/mobile/client_delete.php
+++ b/mobile/client_delete.php
@@ -39,9 +39,13 @@ if (!$user->isPluginEnabled('cl')) { header('Location: feature_disabled.php'); exit(); } - $id = (int)$request->getParameter('id'); $client = ttClientHelper::getClient($id);
+if (!$client) {
+ header('Location: access_denied.php');
+ exit();
+}
+// End of access checks. $client_to_delete = $client['name']; 
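Review bot: The added `if (!$client)` guard is only an authorization check if `ttClientHelper::getClient($id)` restricts its lookup to the caller's own group; if the helper fetches the row by primary key alone, this is a not-found check and the `access_denied.php` redirect overstates what was verified. The helper is not part of this patch, so that assumption needs confirming before the `// End of access checks.` comment is taken at face value. I would record the dependency directly above the guard: `// getClient() is expected to return null for ids outside the current group; that lookup is the ownership check.` Any role or permission check for deleting clients sits above line 39, outside this hunk.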
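Review bot: Nothing in the POST branch verifies a CSRF token: an `id` in the query string plus a `btn_delete` field is all a cross-site form needs to reach `ttClientHelper::delete()`, so the tightened lookup does not protect a logged-in manager who is tricked into submitting it. `$form` is created above line 53, outside the hunk, so if ttForm already injects and validates a per-session token this is covered; if it does not, the delete should be gated on such a token checked before `if ($request->getParameter('btn_delete'))`. The enclosing `if ($request->isPost())` block closes beyond the end of the hunk.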
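Review bot: This five-line guard is a verbatim copy of the one added to client_delete.php in the same patch, so the desktop and mobile entry points now carry duplicated access logic that can drift the next time one of them is tightened. A single helper that performs the lookup and the `access_denied.php` redirect, called from both scripts, would keep the check in one place. The same caveat applies here: the guard is an ownership check only if `ttClientHelper::getClient()` scopes its lookup to the current group, which this patch does not show.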
@@ -53,16 +57,13 @@ $form->addInput(array('type'=>'submit','name'=>'btn_delete','value'=>$i18n->get( $form->addInput(array('type'=>'submit','name'=>'btn_cancel','value'=>$i18n->get('button.cancel'))); if ($request->isPost()) {
- if(ttClientHelper::getClient($id)) {
- if ($request->getParameter('btn_delete')) {
- if (ttClientHelper::delete($id, $request->getParameter('delete_client_entries'))) {
- header('Location: clients.php');
- exit();
- } else
- $err->add($i18n->get('error.db'));
- }
- } else
+ if ($request->getParameter('btn_delete')) {
+ if (ttClientHelper::delete($id, $request->getParameter('delete_client_entries'))) {
+ header('Location: clients.php');
+ exit();
+ } else $err->add($i18n->get('error.db'));
+ } if ($request->getParameter('btn_cancel')) { header('Location: clients.php');
-- 2.20.1
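Review bot: `ttClientHelper::delete($id, $request->getParameter('delete_client_entries'))` hands the raw request value — `null` when the checkbox is absent, a string when present — to the helper as its second argument, although the name says it is a yes/no flag. Unless `delete()` (not in this patch) already normalizes it, I would make the intent explicit with `$delete_entries = (bool) $request->getParameter('delete_client_entries');` and pass that. While here, the new `} else` is followed by an unbraced `$err->add($i18n->get('error.db'));`, inconsistent with the braced `if` branch directly above it; brace it for symmetry. The enclosing `if ($request->isPost())` block ends past the end of the hunk.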