From dd2ba64b1b4aaddacec2b9f6763c0ed7a35efc3b Mon Sep 17 00:00:00 2001 From: Nik Okuntseff Date: Sat, 24 Mar 2018 21:08:52 +0000 Subject: [PATCH] Finished improving access checks by providing separate error msg for disabled features.
---
 WEB-INF/templates/footer.tpl | 2 +- mobile/client_add.php | 8 ++++++-- mobile/client_delete.php | 8 ++++++-- mobile/client_edit.php | 8 ++++++-- mobile/clients.php | 8 ++++++-- mobile/expense_delete.php | 8 ++++++-- mobile/expense_edit.php | 8 ++++++-- mobile/index.php | 2 +- mobile/project_add.php | 8 ++++++-- mobile/project_delete.php | 8 ++++++-- mobile/project_edit.php | 8 ++++++-- mobile/projects.php | 8 ++++++-- mobile/task_add.php | 8 ++++++-- mobile/task_delete.php | 8 ++++++-- mobile/task_edit.php | 8 ++++++-- mobile/tasks.php | 8 ++++++-- mobile/users.php | 2 +- 17 files changed, 87 insertions(+), 31 deletions(-)
diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl
index a4a020e7..4eb4fd67 100644
--- a/WEB-INF/templates/footer.tpl
+++ b/WEB-INF/templates/footer.tpl
@@ -12,7 +12,7 @@
-
 Anuko Time Tracker 1.17.69.4158 | Copyright © Anuko | +  Anuko Time Tracker 1.17.70.4159 | Copyright © Anuko | {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve}
diff --git a/mobile/client_add.php b/mobile/client_add.php
index 134819bb..fc57853d 100644
--- a/mobile/client_add.php
+++ b/mobile/client_add.php
@@ -31,11 +31,15 @@ import('form.Form');
 import('ttClientHelper');
 import('ttTeamHelper');
-// Access check.
-if (!ttAccessAllowed('manage_clients') || !$user->isPluginEnabled('cl')) {
+// Access checks.
+if (!ttAccessAllowed('manage_clients')) {
 header('Location: access_denied.php');
 exit();
 }
+if (!$user->isPluginEnabled('cl')) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $projects = ttTeamHelper::getActiveProjects($user->team_id);
diff --git a/mobile/client_delete.php b/mobile/client_delete.php
index e23cd026..154d8930 100644
--- a/mobile/client_delete.php
+++ b/mobile/client_delete.php
@@ -30,11 +30,15 @@ require_once('../initialize.php');
 import('form.Form');
 import('ttClientHelper');
-// Access check.
-if (!ttAccessAllowed('manage_clients') || !$user->isPluginEnabled('cl')) {
+// Access checks.
+if (!ttAccessAllowed('manage_clients')) {
 header('Location: access_denied.php');
 exit();
 }
+if (!$user->isPluginEnabled('cl')) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $id = (int)$request->getParameter('id');
 $client = ttClientHelper::getClient($id);
diff --git a/mobile/client_edit.php b/mobile/client_edit.php
index e4bc9b22..eb859229 100644
--- a/mobile/client_edit.php
+++ b/mobile/client_edit.php
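Review bot: The two-step gate introduced here, `+if (!ttAccessAllowed('manage_clients')) {` followed by `+if (!$user->isPluginEnabled('cl')) {`, is the same eight lines pasted into client_delete.php, client_edit.php, clients.php and every expense/project/task script below, and copies like this drift: the expense and projects hunks already test a different set of rights than their siblings. A small shared helper in initialize.php taking the required right and the feature predicate, with the two redirect targets and the check order living in one place, would keep the fourteen call sites identical. The order is also worth a one-line comment, since it looks deliberate: the permission check runs first, so a caller without the right is sent to access_denied.php before feature state is consulted, and `$user` is presumably only dereferenced once ttAccessAllowed has accepted the session — confirm that ttAccessAllowed rejects unauthenticated callers, as that is not visible here. Suggested comment above the first check: `// Permission first, then feature availability; keep this order so $user is never read before the access check passes.`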
@@ -31,11 +31,15 @@ import('form.Form');
 import('ttClientHelper');
 import('ttTeamHelper');
-// Access check.
-if (!ttAccessAllowed('manage_clients') || !$user->isPluginEnabled('cl')) {
+// Access checks.
+if (!ttAccessAllowed('manage_clients')) {
 header('Location: access_denied.php');
 exit();
 }
+if (!$user->isPluginEnabled('cl')) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $cl_id = (int) $request->getParameter('id');
diff --git a/mobile/clients.php b/mobile/clients.php
index d1a49f1e..43e6848a 100644
--- a/mobile/clients.php
+++ b/mobile/clients.php
@@ -30,11 +30,15 @@ require_once('../initialize.php');
 import('form.Form');
 import('ttTeamHelper');
-// Access check.
-if (!ttAccessAllowed('manage_clients') || !$user->isPluginEnabled('cl')) {
+// Access checks.
+if (!ttAccessAllowed('manage_clients')) {
 header('Location: access_denied.php');
 exit();
 }
+if (!$user->isPluginEnabled('cl')) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $smarty->assign('active_clients', ttTeamHelper::getActiveClients($user->team_id, true));
 $smarty->assign('inactive_clients', ttTeamHelper::getInactiveClients($user->team_id, true));
diff --git a/mobile/expense_delete.php b/mobile/expense_delete.php
index 48051b42..cca61b7c 100644
--- a/mobile/expense_delete.php
+++ b/mobile/expense_delete.php
@@ -31,11 +31,15 @@ import('form.Form');
 import('DateAndTime');
 import('ttExpenseHelper');
-// Access check.
-if (!ttAccessAllowed('track_own_expenses') || !$user->isPluginEnabled('ex')) {
+// Access checks.
+if (!(ttAccessAllowed('track_own_expenses') || ttAccessAllowed('track_expenses'))) {
 header('Location: access_denied.php');
 exit();
 }
+if (!$user->isPluginEnabled('ex')) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $cl_id = $request->getParameter('id');
 $expense_item = ttExpenseHelper::getItem($cl_id, $user->getActiveUser());
diff --git a/mobile/expense_edit.php b/mobile/expense_edit.php
index 7107e785..8da55a1e 100644
--- a/mobile/expense_edit.php
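Review bot: `+if (!(ttAccessAllowed('track_own_expenses') || ttAccessAllowed('track_expenses'))) {` widens the gate, so a user holding only `track_expenses` now reaches the item load on the last context line, `$expense_item = ttExpenseHelper::getItem($cl_id, $user->getActiveUser());`, and everything after it; the hunk does not show whether getItem restricts the row to records that user is allowed to act on, so that should be confirmed rather than assumed before this goes in. The line above it, `$cl_id = $request->getParameter('id');`, is also the only id read in this commit without an `(int)` cast — the client, project and task scripts all cast — and normalising it the same way would stop non-numeric input from reaching the helper. The same widening appears in expense_edit.php, projects.php (`track_time`) and users.php (`manage_users`), and in each of those the code below the gate now serves the broader right as well. The rest of this script continues outside the hunk.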
+++ b/mobile/expense_edit.php
@@ -32,11 +32,15 @@ import('ttTeamHelper');
 import('DateAndTime');
 import('ttExpenseHelper');
-// Access check.
-if (!ttAccessAllowed('track_own_expenses') || !$user->isPluginEnabled('ex')) {
+// Access checks.
+if (!(ttAccessAllowed('track_own_expenses') || ttAccessAllowed('track_expenses'))) {
 header('Location: access_denied.php');
 exit();
 }
+if (!$user->isPluginEnabled('ex')) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $cl_id = $request->getParameter('id');
diff --git a/mobile/index.php b/mobile/index.php
index 1c7cf231..9b2ed530 100644
--- a/mobile/index.php
+++ b/mobile/index.php
@@ -30,7 +30,7 @@ require_once('../initialize.php');
 // Redirects for admin and client roles.
 if ($auth->isAuthenticated()) {
- if ($user->isAdmin()) {
+ if ($user->can('administer_site')) {
 header('Location: ../admin_teams.php');
 exit();
 } elseif ($user->isClient()) {
diff --git a/mobile/project_add.php b/mobile/project_add.php
index bbaa8fa7..a9495d71 100644
--- a/mobile/project_add.php
+++ b/mobile/project_add.php
@@ -31,11 +31,15 @@ import('form.Form');
 import('ttProjectHelper');
 import('ttTeamHelper');
-// Access check.
-if (!ttAccessAllowed('manage_projects') || (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->tracking_mode)) {
+// Access checks.
+if (!ttAccessAllowed('manage_projects')) {
 header('Location: access_denied.php');
 exit();
 }
+if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $users = ttTeamHelper::getActiveUsers();
 foreach ($users as $user_item)
diff --git a/mobile/project_delete.php b/mobile/project_delete.php
index d2b0b32b..c8753b84 100644
--- a/mobile/project_delete.php
+++ b/mobile/project_delete.php
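Review bot: `+ if ($user->can('administer_site')) {` in mobile/index.php switches the admin redirect to a right-based test while the sibling branch on the hunk's last context line, `} elseif ($user->isClient()) {`, still uses a role predicate, so one conditional now mixes "what the user may do" with "what the user is"; the comment above it, `// Redirects for admin and client roles.`, no longer describes the first branch. If isClient() has no single right to test against, a short comment would stop the next reader from re-unifying it the wrong way, e.g. `// Admin is detected by right (administer_site); client is still a role check.` The enclosing `if ($auth->isAuthenticated())` block continues past the hunk.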
@@ -30,11 +30,15 @@ require_once('../initialize.php');
 import('form.Form');
 import('ttProjectHelper');
-// Access check.
-if (!ttAccessAllowed('manage_projects') || (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->tracking_mode)) {
+// Access checks.
+if (!ttAccessAllowed('manage_projects')) {
 header('Location: access_denied.php');
 exit();
 }
+if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $cl_project_id = (int)$request->getParameter('id');
 $project = ttProjectHelper::get($cl_project_id);
diff --git a/mobile/project_edit.php b/mobile/project_edit.php
index 31ea65da..74454ec4 100644
--- a/mobile/project_edit.php
+++ b/mobile/project_edit.php
@@ -31,11 +31,15 @@ import('form.Form');
 import('ttProjectHelper');
 import('ttTeamHelper');
-// Access check.
-if (!ttAccessAllowed('manage_projects') || (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->tracking_mode)) {
+// Access checks.
+if (!ttAccessAllowed('manage_projects')) {
 header('Location: access_denied.php');
 exit();
 }
+if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $cl_project_id = (int)$request->getParameter('id');
diff --git a/mobile/projects.php b/mobile/projects.php
index 5dec7ee3..93261d42 100644
--- a/mobile/projects.php
+++ b/mobile/projects.php
@@ -30,11 +30,15 @@ require_once('../initialize.php');
 import('form.Form');
 import('ttTeamHelper');
-// Access check.
-if (!ttAccessAllowed('track_own_time') || (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->tracking_mode)) {
+// Access checks.
+if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) {
 header('Location: access_denied.php');
 exit();
 }
+if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 if($user->canManageTeam()) {
 $active_projects = ttTeamHelper::getActiveProjects($user->team_id);
diff --git a/mobile/task_add.php b/mobile/task_add.php
index 0c405b6f..a976ac5c 100644
--- a/mobile/task_add.php
+++ b/mobile/task_add.php
@@ -32,11 +32,15 @@ import('form.ActionForm');
 import('ttTeamHelper');
 import('ttTaskHelper');
-// Access check.
-if (!ttAccessAllowed('manage_tasks') || MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
+// Access checks.
+if (!ttAccessAllowed('manage_tasks')) {
 header('Location: access_denied.php');
 exit();
 }
+if (MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $projects = ttTeamHelper::getActiveProjects($user->team_id);
diff --git a/mobile/task_delete.php b/mobile/task_delete.php
index df3c964a..1146a2ac 100644
--- a/mobile/task_delete.php
+++ b/mobile/task_delete.php
@@ -30,11 +30,15 @@ require_once('../initialize.php');
 import('ttTaskHelper');
 import('form.Form');
-// Access check.
-if (!ttAccessAllowed('manage_tasks') || MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
+// Access checks.
+if (!ttAccessAllowed('manage_tasks')) {
 header('Location: access_denied.php');
 exit();
 }
+if (MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $cl_task_id = (int)$request->getParameter('id');
 $task = ttTaskHelper::get($cl_task_id);
diff --git a/mobile/task_edit.php b/mobile/task_edit.php
index 2ba2cc55..346899dc 100644
--- a/mobile/task_edit.php
+++ b/mobile/task_edit.php
@@ -31,11 +31,15 @@ import('form.Form');
 import('ttTeamHelper');
 import('ttTaskHelper');
-// Access check.
-if (!ttAccessAllowed('manage_tasks') || MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
+// Access checks.
+if (!ttAccessAllowed('manage_tasks')) {
 header('Location: access_denied.php');
 exit();
 }
+if (MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $cl_task_id = (int)$request->getParameter('id');
 $projects = ttTeamHelper::getActiveProjects($user->team_id);
diff --git a/mobile/tasks.php b/mobile/tasks.php
index 25575eb6..edb57089 100644
--- a/mobile/tasks.php
+++ b/mobile/tasks.php
@@ -30,11 +30,15 @@ require_once('../initialize.php');
 import('form.Form');
 import('ttTeamHelper');
-// Access check.
-if (!ttAccessAllowed('manage_tasks') || MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
+// Access checks.
+if (!ttAccessAllowed('manage_tasks')) {
 header('Location: access_denied.php');
 exit();
 }
+if (MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
+ header('Location: feature_disabled.php');
+ exit();
+}
 $smarty->assign('active_tasks', ttTeamHelper::getActiveTasks($user->team_id));
 $smarty->assign('inactive_tasks', ttTeamHelper::getInactiveTasks($user->team_id));
diff --git a/mobile/users.php b/mobile/users.php
index 131d2b44..67654376 100644
--- a/mobile/users.php
+++ b/mobile/users.php
@@ -32,7 +32,7 @@ import('ttTeamHelper');
 import('ttTimeHelper');
 // Access check.
-if (!ttAccessAllowed('view_users')) {
+if (!(ttAccessAllowed('view_users') || ttAccessAllowed('manage_users'))) {
 header('Location: access_denied.php');
 exit();
 }
-- 2.20.1