From bf5a15e178435b96ea646ca7c3d7ca56a4f4be45 Mon Sep 17 00:00:00 2001
From: Nik Okuntseff
Date: Thu, 7 Mar 2019 16:50:07 +0000
Subject: [PATCH] Prohibited editing approved expense items.

---
 WEB-INF/lib/ttExpenseHelper.class.php | 5 +++--
 WEB-INF/templates/expenses.tpl | 8 +++++++-
 WEB-INF/templates/footer.tpl | 2 +-
 WEB-INF/templates/mobile/expenses.tpl | 8 +++++++-
 expense_delete.php | 4 ++--
 expense_edit.php | 4 ++--
 mobile/expense_delete.php | 4 ++--
 mobile/expense_edit.php | 4 ++--
 8 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/WEB-INF/lib/ttExpenseHelper.class.php b/WEB-INF/lib/ttExpenseHelper.class.php
index 40a3e88f..e7da92cb 100644
--- a/WEB-INF/lib/ttExpenseHelper.class.php
+++ b/WEB-INF/lib/ttExpenseHelper.class.php
@@ -140,7 +140,8 @@ class ttExpenseHelper {
 if ($user->isPluginEnabled('cl'))
 $left_joins .= " left join tt_clients c on (ei.client_id = c.id)";
 
-$sql = "select ei.id, ei.date, ei.client_id, ei.project_id, ei.name, ei.cost, ei.invoice_id, ei.paid $client_field, p.name as project_name".
+$sql = "select ei.id, ei.date, ei.client_id, ei.project_id, ei.name, ei.cost, ei.invoice_id, ei.approved,".
+" ei.paid $client_field, p.name as project_name".
 " from tt_expense_items ei $left_joins".
 " where ei.id = $id and ei.group_id = $group_id and ei.org_id = $org_id and ei.user_id = $user_id and ei.status = 1";
 $res = $mdb2->query($sql);
@@ -177,7 +178,7 @@ class ttExpenseHelper {
 $left_joins .= " left join tt_clients c on (ei.client_id = c.id)";
 
 $sql = "select ei.id as id $client_field, p.name as project, ei.name as item, ei.cost as cost,".
-" ei.invoice_id from tt_expense_items ei $left_joins".
+" ei.invoice_id, ei.approved from tt_expense_items ei $left_joins".
 " where ei.date = ".$mdb2->quote($date)." and ei.user_id = $user_id".
 " and ei.group_id = $group_id and ei.org_id = $org_id and ei.status = 1 order by ei.id";
 
diff --git a/WEB-INF/templates/expenses.tpl b/WEB-INF/templates/expenses.tpl
index 45a8ef27..11b4fb85 100644
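Review bot: The `ei.approved` column added to both selects is the flag that expense_delete.php and expense_edit.php now test by plain truthiness, but neither query documents that contract, so a future column rename or a change to the approval model would silently reopen editing. A one-line comment above each `$sql`, such as `// approved and invoice_id are returned so callers can refuse edits/deletes of locked items.`, would tie the two sides together. Both methods begin outside the hunk; the visible `where` clauses interpolate `$id`, `$group_id`, `$org_id` and `$user_id` directly into the query, so the new guard is only as strong as the `(int)` cast each caller applies before calling getItem.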
--- a/WEB-INF/templates/expenses.tpl +++ b/WEB-INF/templates/expenses.tpl @@ -195,7 +195,13 @@ function recalculateCost() { {/if} {$item.item|escape} {$item.cost} - {if $item.invoice_id} {else}{$i18n.label.edit}{/if} + + {if $item.approved || $item.invoice_id} +   + {else} + {$i18n.label.edit} + {/if} + {/foreach} diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl index 180b9a8c..2c367628 100644 --- a/WEB-INF/templates/footer.tpl +++ b/WEB-INF/templates/footer.tpl @@ -12,7 +12,7 @@
- {/if} - + {/foreach}
diff --git a/expense_delete.php b/expense_delete.php
index c7031769..788fb59f 100644
--- a/expense_delete.php
+++ b/expense_delete.php
@@ -43,8 +43,8 @@ if (!$user->isPluginEnabled('ex')) {
 $cl_id = (int)$request->getParameter('id');
 // Get the expense item we are deleting.
 $expense_item = ttExpenseHelper::getItem($cl_id);
-if (!$expense_item || $expense_item['invoice_id']) {
-// Prohibit deleting not ours or invoiced items.
+if (!$expense_item || $expense_item['approved'] || $expense_item['invoice_id']) {
+// Prohibit deleting not ours, approved, or invoiced items.
 header('Location: access_denied.php');
 exit();
 }
diff --git a/expense_edit.php b/expense_edit.php
index b1115f1e..877ec663 100644
--- a/expense_edit.php
+++ b/expense_edit.php
@@ -45,8 +45,8 @@ if (!$user->isPluginEnabled('ex')) {
 $cl_id = (int)$request->getParameter('id');
 // Get the expense item we are editing.
 $expense_item = ttExpenseHelper::getItem($cl_id);
-if (!$expense_item || $expense_item['invoice_id']) {
-// Prohibit editing not ours or invoiced items.
+if (!$expense_item || $expense_item['approved'] || $expense_item['invoice_id']) {
+// Prohibit editing not ours, approved, or invoiced items.
 header('Location: access_denied.php');
 exit();
 }
diff --git a/mobile/expense_delete.php b/mobile/expense_delete.php
index 3bdc179d..48e74dc0 100644
--- a/mobile/expense_delete.php
+++ b/mobile/expense_delete.php
@@ -43,8 +43,8 @@ if (!$user->isPluginEnabled('ex')) {
 $cl_id = (int)$request->getParameter('id');
 // Get the expense item we are deleting.
 $expense_item = ttExpenseHelper::getItem($cl_id);
-if (!$expense_item || $expense_item['invoice_id']) {
-// Prohibit deleting not ours or invoiced items.
+if (!$expense_item || $expense_item['approved'] || $expense_item['invoice_id']) {
+// Prohibit deleting not ours, approved, or invoiced items.
 header('Location: access_denied.php');
 exit();
 }
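Review bot: The lock rule on the new `if` line, `$expense_item['approved'] || $expense_item['invoice_id']`, is copied verbatim into four controllers (this hunk, expense_edit.php, mobile/expense_delete.php and mobile/expense_edit.php) and mirrored again in the two expenses templates, so the next lock condition has to be added in six places and any one of them can be missed. A single helper on ttExpenseHelper, e.g. `static function isLocked(array $item): bool { return (bool)($item['approved'] || $item['invoice_id']); }`, called from each guard as `if (!$expense_item || ttExpenseHelper::isLocked($expense_item))` would keep the server-side checks from drifting. This guard covers whatever the rest of this script does after line 50; if the actual delete or update is carried out by a separate request handler not shown here, it needs the same check, which the hunk cannot confirm.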
diff --git a/mobile/expense_edit.php b/mobile/expense_edit.php
index e9e1ca63..10035a9b 100644
--- a/mobile/expense_edit.php
+++ b/mobile/expense_edit.php
@@ -45,8 +45,8 @@ if (!$user->isPluginEnabled('ex')) {
 $cl_id = (int)$request->getParameter('id');
 // Get the expense item we are editing.
 $expense_item = ttExpenseHelper::getItem($cl_id);
-if (!$expense_item || $expense_item['invoice_id']) {
-// Prohibit editing not ours or invoiced items.
+if (!$expense_item || $expense_item['approved'] || $expense_item['invoice_id']) {
+// Prohibit editing not ours, approved, or invoiced items.
 header('Location: access_denied.php');
 exit();
 }
-- 
2.20.1
 Anuko Time Tracker 1.18.53.4832 | Copyright © Anuko | +  Anuko Time Tracker 1.18.53.4833 | Copyright © Anuko | {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve} diff --git a/WEB-INF/templates/mobile/expenses.tpl b/WEB-INF/templates/mobile/expenses.tpl index a6aa66d9..7afde73d 100644 --- a/WEB-INF/templates/mobile/expenses.tpl +++ b/WEB-INF/templates/mobile/expenses.tpl @@ -203,7 +203,13 @@ function recalculateCost() { {if $show_project} {$item.project|escape}{if $item.invoice_id} {$item.item|escape} {else}{$item.item|escape}{/if} + {if $item.approved || $item.invoice_id} + {$item.item|escape} + {else} + {$item.item|escape} + {/if} + {$item.cost}