From eb88312a950031020c710aa5994c445a0dfd4443 Mon Sep 17 00:00:00 2001 From: Nik Okuntseff Date: Tue, 27 Nov 2018 21:11:38 +0000 Subject: [PATCH] Fixed time.php for subgroup support in high rank situations. --- WEB-INF/lib/ttUser.class.php | 21 +++++++++------------ WEB-INF/templates/footer.tpl | 2 +- mobile/user_delete.php | 2 +- mobile/user_edit.php | 2 +- swap_roles.php | 2 +- time.php | 2 +- user_delete.php | 2 +- user_edit.php | 2 +- 8 files changed, 16 insertions(+), 19 deletions(-) diff --git a/WEB-INF/lib/ttUser.class.php b/WEB-INF/lib/ttUser.class.php index 968a1f10..82a31958 100644 --- a/WEB-INF/lib/ttUser.class.php +++ b/WEB-INF/lib/ttUser.class.php @@ -479,19 +479,23 @@ class ttUser { return $groups; } - // getUser function is used to manage users in group and returns user details. + // getUserDetails function is used to manage users in group and returns user details. // At the moment, the function is used for user edits and deletes. - function getUser($user_id) { + function getUserDetails($user_id) { if (!$this->can('manage_users')) return false; $mdb2 = getConnection(); $group_id = $this->getGroup(); $org_id = $this->org_id; + // Determine max rank. If we are searching in on behalf group + // then rank restriction does not apply. + $max_rank = $this->behalfGroup ? MAX_RANK : $this->rank; + $sql = "select u.id, u.name, u.login, u.role_id, u.client_id, u.status, u.rate, u.email from tt_users u". " left join tt_roles r on (u.role_id = r.id)". " where u.id = $user_id and u.group_id = $group_id and u.org_id = $org_id and u.status is not null". - " and (r.rank < $this->rank or (r.rank = $this->rank and u.id = $this->id))"; // Users with lesser roles or self. + " and (r.rank < $max_rank or (r.rank = $max_rank and u.id = $this->id))"; // Users with lesser roles or self. $res = $mdb2->query($sql); if (!is_a($res, 'PEAR_Error')) { $val = $res->fetchRow(); @@ -608,7 +612,7 @@ class ttUser { return false; // Make sure we operate on a legit user. - $user_details = $this->getUser($user_id); + $user_details = $this->getUserDetails($user_id); if (!$user_details) return false; $mdb2 = getConnection(); @@ -671,14 +675,7 @@ class ttUser { function isUserValid($user_id) { if ($user_id == $this->id) return true; - - $user_details = $this->getUser($user_id); // TODO: this will probably not work for higher ranks. - // In this case we'll need another function. - // Or adjust getUser for max rank. - if (!$user_details) - return false; - - return true; + return ($this->getUserDetails($user_id) != null); } // isGroupValid determines if a group is valid for user. diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl index 6e62d6e3..1f6329b1 100644 --- a/WEB-INF/templates/footer.tpl +++ b/WEB-INF/templates/footer.tpl @@ -12,7 +12,7 @@
-
 Anuko Time Tracker 1.18.28.4529 | Copyright © Anuko | +  Anuko Time Tracker 1.18.28.4530 | Copyright © Anuko | {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve} diff --git a/mobile/user_delete.php b/mobile/user_delete.php index ac6c7c88..e44483ec 100644 --- a/mobile/user_delete.php +++ b/mobile/user_delete.php @@ -36,7 +36,7 @@ if (!ttAccessAllowed('manage_users')) { exit(); } $user_id = (int)$request->getParameter('id'); -$user_details = $user->getUser($user_id); +$user_details = $user->getUserDetails($user_id); if (!$user_details) { header('Location: access_denied.php'); exit(); diff --git a/mobile/user_edit.php b/mobile/user_edit.php index 46646bca..c9b4af81 100644 --- a/mobile/user_edit.php +++ b/mobile/user_edit.php @@ -40,7 +40,7 @@ if (!ttAccessAllowed('manage_users')) { exit(); } $user_id = (int)$request->getParameter('id'); -$user_details = $user->getUser($user_id); +$user_details = $user->getUserDetails($user_id); if (!$user_details) { header('Location: access_denied.php'); exit(); diff --git a/swap_roles.php b/swap_roles.php index 05485018..1652ae2a 100644 --- a/swap_roles.php +++ b/swap_roles.php @@ -42,7 +42,7 @@ if (!is_array($users_for_swap) || sizeof($users_for_swap) == 0) { } if ($request->isPost()) { $user_id = (int)$request->getParameter('swap_with'); - $user_details = $user->getUser($user_id); + $user_details = $user->getUserDetails($user_id); if (!$user_details) { header('Location: access_denied.php'); exit(); diff --git a/time.php b/time.php index 33768d46..782c3472 100644 --- a/time.php +++ b/time.php @@ -56,7 +56,7 @@ if ($request->isPost()) { } $userChanged = $request->getParameter('user_changed'); // Reused in multiple places below. if ($userChanged && !($user->can('track_time') && $user->isUserValid($request->getParameter('user')))) { - header('Location: access_denied.php'); // Group changed, but no rght or wrong group id. + header('Location: access_denied.php'); // Group changed, but no rght or wrong user id. exit(); } } diff --git a/user_delete.php b/user_delete.php index 13b5ed0b..38d4f542 100644 --- a/user_delete.php +++ b/user_delete.php @@ -36,7 +36,7 @@ if (!ttAccessAllowed('manage_users')) { exit(); } $user_id = (int)$request->getParameter('id'); -$user_details = $user->getUser($user_id); +$user_details = $user->getUserDetails($user_id); if (!$user_details) { header('Location: access_denied.php'); exit(); diff --git a/user_edit.php b/user_edit.php index c1c9e6c8..8a4e421b 100644 --- a/user_edit.php +++ b/user_edit.php @@ -41,7 +41,7 @@ if (!ttAccessAllowed('manage_users')) { exit(); } $user_id = (int)$request->getParameter('id'); -$user_details = $user->getUser($user_id); +$user_details = $user->getUserDetails($user_id); if (!$user_details) { header('Location: access_denied.php'); exit(); -- 2.20.1