Security fix for reports.
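<?php
// +----------------------------------------------------------------------+
// | Anuko Time Tracker
// +----------------------------------------------------------------------+
// | Copyright (c) Anuko International Ltd. (https://www.anuko.com)
// +----------------------------------------------------------------------+
// | LIBERAL FREEWARE LICENSE: This source code document may be used
// | by anyone for any purpose, and freely redistributed alone or in
// | combination with other software, provided that the license is obeyed.
// |
// | There are only two ways to violate the license:
// |
// | 1. To redistribute this code in source form, with the copyright
// |    notice or license removed or altered. (Distributing in compiled
// |    forms without embedded copyright notices is permitted).
// |
// | 2. To redistribute modified versions of this code in *any* form
// |    that bears insufficient indications that the modifications are
// |    not the work of the original author(s).
// |
// | This license applies to this document only, not any other software
// | that it may be combined with.
// |
// +----------------------------------------------------------------------+
// | Contributors:
// | https://www.anuko.com/time_tracker/credits.htm
// +----------------------------------------------------------------------+

// reports.php
//
// Builds the report options form (favorite report selector, filters, field
// checkboxes, grouping) and handles its POST actions:
//   - switching the favorite report (reloads saved options into the form),
//   - saving the current options as a new favorite report,
//   - deleting a favorite report,
//   - validating the options and redirecting to report.php to render the report.
//
// $user, $request, $smarty, $i18n and $err are provided by initialize.php.

require_once('initialize.php');
import('form.Form');
import('form.ActionForm');
import('DateAndTime');
import('ttTeamHelper');
import('Period');
import('ttProjectHelper');
import('ttFavReportHelper');
import('ttClientHelper');
import('ttReportHelper');

// Access check.
if (!(ttAccessAllowed('view_own_reports') || ttAccessAllowed('view_reports') || ttAccessAllowed('view_all_reports'))) {
  header('Location: access_denied.php');
  exit();
}

// Variables that are only assigned on some of the paths below. They are
// initialized here so later reads (the custom field checks, the smarty
// assignments at the bottom) do not raise "undefined variable" warnings when
// the corresponding plugin or tracking mode is not enabled.
$custom_fields = null;        // set only when the custom fields plugin is enabled.
$task_list = null;            // set only in MODE_PROJECTS_AND_TASKS.
$assigned_projects = array(); // user id => list of assigned project ids.
$group_by_options = array();

// Use custom fields plugin if it is enabled.
if ($user->isPluginEnabled('cf')) {
  require_once('plugins/CustomFields.class.php');
  $custom_fields = new CustomFields($user->group_id);
  $smarty->assign('custom_fields', $custom_fields);
}

$form = new Form('reportForm');

// Get saved favorite reports for user.
$report_list = ttFavReportHelper::getReports($user->id);
$form->addInput(array('type'=>'combobox',
  'name'=>'favorite_report',
  'onchange'=>'document.reportForm.fav_report_changed.value=1;document.reportForm.submit();',
  'style'=>'width: 250px;',
  'data'=>$report_list,
  'datakeys'=>array('id','name'),
  'empty'=>array('-1'=>$i18n->get('dropdown.no'))));
$form->addInput(array('type'=>'hidden','name'=>'fav_report_changed'));
// Generate and Delete buttons.
$form->addInput(array('type'=>'submit','name'=>'btn_generate','value'=>$i18n->get('button.generate')));
$form->addInput(array('type'=>'submit','name'=>'btn_delete','value'=>$i18n->get('label.delete'),'onclick'=>"return confirm('".$i18n->get('form.reports.confirm_delete')."')"));

// Dropdown for clients if the clients plugin is enabled.
if ($user->isPluginEnabled('cl') && !$user->isClient()) {
  if ($user->can('view_reports') || $user->can('view_all_reports')) {
    $client_list = ttClientHelper::getClients(); // TODO: improve getClients for "view_reports"
                                                 // by filtering out not relevant clients.
  } else
    $client_list = ttClientHelper::getClientsForUser();
  $form->addInput(array('type'=>'combobox',
    'name'=>'client',
    'style'=>'width: 250px;',
    'data'=>$client_list,
    'datakeys'=>array('id', 'name'),
    'empty'=>array(''=>$i18n->get('dropdown.all'))));
}

// If we have a TYPE_DROPDOWN custom field - add control to select an option.
if ($custom_fields && $custom_fields->fields[0] && $custom_fields->fields[0]['type'] == CustomFields::TYPE_DROPDOWN) {
    // NOTE(review): $cl_cf_1 is not assigned anywhere in this file; unless it
    // comes from an include, the dropdown starts with a null value. Left as is.
    $form->addInput(array('type'=>'combobox','name'=>'option',
      'style'=>'width: 250px;',
      'value'=>$cl_cf_1,
      'data'=>$custom_fields->options,
      'empty'=>array(''=>$i18n->get('dropdown.all'))));
}

// Add controls for projects and tasks.
if ($user->can('view_reports') || $user->can('view_all_reports')) {
  $project_list = ttProjectHelper::getProjects(); // All active and inactive projects.
} elseif ($user->isClient()) {
  $project_list = ttProjectHelper::getProjectsForClient();
} else {
  $project_list = ttProjectHelper::getAssignedProjects($user->id);
}
$form->addInput(array('type'=>'combobox',
  'onchange'=>'fillTaskDropdown(this.value);selectAssignedUsers(this.value);',
  'name'=>'project',
  'style'=>'width: 250px;',
  'data'=>$project_list,
  'datakeys'=>array('id','name'),
  'empty'=>array(''=>$i18n->get('dropdown.all'))));
if (MODE_PROJECTS_AND_TASKS == $user->tracking_mode) {
  $task_list = ttTeamHelper::getActiveTasks($user->group_id);
  $form->addInput(array('type'=>'combobox',
    'name'=>'task',
    'style'=>'width: 250px;',
    'data'=>$task_list,
    'datakeys'=>array('id','name'),
    'empty'=>array(''=>$i18n->get('dropdown.all'))));
}

// Add include records control.
$include_options = array('1'=>$i18n->get('form.reports.include_billable'),
  '2'=>$i18n->get('form.reports.include_not_billable'));
$form->addInput(array('type'=>'combobox',
  'name'=>'include_records',
  'style'=>'width: 250px;',
  'data'=>$include_options,
  'empty'=>array(''=>$i18n->get('dropdown.all'))));

// Add invoiced / not invoiced selector.
if ($user->can('manage_invoices')) {
  $invoice_options = array('1'=>$i18n->get('form.reports.include_invoiced'),
    '2'=>$i18n->get('form.reports.include_not_invoiced'));
  $form->addInput(array('type'=>'combobox',
    'name'=>'invoice',
    'style'=>'width: 250px;',
    'data'=>$invoice_options,
    'empty'=>array(''=>$i18n->get('dropdown.all'))));
}

// Paid / not paid selector, only for invoice managers with the paid status plugin.
if ($user->can('manage_invoices') && $user->isPluginEnabled('ps')) {
  $form->addInput(array('type'=>'combobox',
   'name'=>'paid_status',
   'style'=>'width: 250px;',
   'data'=>array('1'=>$i18n->get('dropdown.paid'),'2'=>$i18n->get('dropdown.not_paid')),
   'empty'=>array(''=>$i18n->get('dropdown.all'))
 ));
}

// User checkboxes. Only users who may see other people's reports (or clients)
// get them; the list is limited by rank so a user cannot report on higher ranks
// unless they have view_all_reports.
$user_list = array();
if ($user->can('view_reports') || $user->can('view_all_reports') || $user->isClient()) {
  // Prepare user and assigned projects arrays.
  if ($user->can('view_reports') || $user->can('view_all_reports')) {
    $max_rank = $user->rank-1;
    if ($user->can('view_all_reports')) $max_rank = 512;
    if ($user->can('view_own_reports'))
      $options = array('max_rank'=>$max_rank,'include_self'=>true);
    else
      $options = array('max_rank'=>$max_rank);
    $users = $user->getUsers($options); // Active and inactive users.
  }
  elseif ($user->isClient())
    $users = ttTeamHelper::getUsersForClient(); // Active and inactive users for clients.

  foreach ($users as $single_user) {
    $user_list[$single_user['id']] = $single_user['name'];
    $projects = ttProjectHelper::getAssignedProjects($single_user['id']);
    if ($projects) {
      foreach ($projects as $single_project) {
        $assigned_projects[$single_user['id']][] = $single_project['id'];
      }
    }
  }
  // Lay the checkboxes out in three columns.
  $row_count = ceil(count($user_list)/3);
  $form->addInput(array('type'=>'checkboxgroup',
    'name'=>'users',
    'data'=>$user_list,
    'layout'=>'V',
    'groupin'=>$row_count,
    'style'=>'width: 100%;'));
}

// Add control for time period.
$form->addInput(array('type'=>'combobox',
  'name'=>'period',
  'style'=>'width: 250px;',
  'data'=>array(INTERVAL_THIS_MONTH=>$i18n->get('dropdown.current_month'),
    INTERVAL_LAST_MONTH=>$i18n->get('dropdown.previous_month'),
    INTERVAL_THIS_WEEK=>$i18n->get('dropdown.current_week'),
    INTERVAL_LAST_WEEK=>$i18n->get('dropdown.previous_week'),
    INTERVAL_THIS_DAY=>$i18n->get('dropdown.current_day'),
    INTERVAL_LAST_DAY=>$i18n->get('dropdown.previous_day')),
  'empty'=>array(''=>$i18n->get('dropdown.select'))));
// Add controls for start and end dates.
$form->addInput(array('type'=>'datefield','maxlength'=>'20','name'=>'start_date'));
$form->addInput(array('type'=>'datefield','maxlength'=>'20','name'=>'end_date'));

// Add checkboxes for fields.
if ($user->isPluginEnabled('cl'))
  $form->addInput(array('type'=>'checkbox','name'=>'chclient'));
if (($user->can('manage_invoices') || $user->isClient()) && $user->isPluginEnabled('iv'))
  $form->addInput(array('type'=>'checkbox','name'=>'chinvoice'));
if ($user->can('manage_invoices') && $user->isPluginEnabled('ps'))
  $form->addInput(array('type'=>'checkbox','name'=>'chpaid'));
if ($user->can('view_reports') || $user->can('view_all_reports'))
  $form->addInput(array('type'=>'checkbox','name'=>'chip'));
if (MODE_PROJECTS == $user->tracking_mode || MODE_PROJECTS_AND_TASKS == $user->tracking_mode)
  $form->addInput(array('type'=>'checkbox','name'=>'chproject'));
if (MODE_PROJECTS_AND_TASKS == $user->tracking_mode)
  $form->addInput(array('type'=>'checkbox','name'=>'chtask'));
if ((TYPE_START_FINISH == $user->record_type) || (TYPE_ALL == $user->record_type)) {
  $form->addInput(array('type'=>'checkbox','name'=>'chstart'));
  $form->addInput(array('type'=>'checkbox','name'=>'chfinish'));
}
$form->addInput(array('type'=>'checkbox','name'=>'chduration'));
$form->addInput(array('type'=>'checkbox','name'=>'chnote'));
$form->addInput(array('type'=>'checkbox','name'=>'chcost'));
// If we have a custom field - add a checkbox for it.
if ($custom_fields && $custom_fields->fields[0])
  $form->addInput(array('type'=>'checkbox','name'=>'chcf_1'));
if ($user->isPluginEnabled('wu'))
  $form->addInput(array('type'=>'checkbox','name'=>'chunits'));

// Add group by control. Options mirror the checkboxes above: a grouping is only
// offered when the corresponding field is visible to this user.
$group_by_options['no_grouping'] = $i18n->get('form.reports.group_by_no');
$group_by_options['date'] = $i18n->get('form.reports.group_by_date');
if ($user->can('view_reports') || $user->can('view_all_reports') || $user->isClient())
  $group_by_options['user'] = $i18n->get('form.reports.group_by_user');
if ($user->isPluginEnabled('cl') && !($user->isClient() && $user->client_id))
  $group_by_options['client'] = $i18n->get('form.reports.group_by_client');
if (MODE_PROJECTS == $user->tracking_mode || MODE_PROJECTS_AND_TASKS == $user->tracking_mode)
  $group_by_options['project'] = $i18n->get('form.reports.group_by_project');
if (MODE_PROJECTS_AND_TASKS == $user->tracking_mode)
  $group_by_options['task'] = $i18n->get('form.reports.group_by_task');
if ($custom_fields && $custom_fields->fields[0] && $custom_fields->fields[0]['type'] == CustomFields::TYPE_DROPDOWN) {
  $group_by_options['cf_1'] = $custom_fields->fields[0]['label'];
}
$form->addInput(array('type'=>'combobox','onchange'=>'handleCheckboxes();','name'=>'group_by','data'=>$group_by_options));
$form->addInput(array('type'=>'checkbox','name'=>'chtotalsonly'));

// Add text field for a new favorite report name.
$form->addInput(array('type'=>'text','name'=>'new_fav_report','maxlength'=>'30','style'=>'width: 250px;'));
// Save button.
$form->addInput(array('type'=>'submit','name'=>'btn_save','value'=>$i18n->get('button.save')));

// Second Generate button (same name as the one at the top of the form).
$form->addInput(array('type'=>'submit','name'=>'btn_generate','value'=>$i18n->get('button.generate')));

// Create a bean (which is a mechanism to remember form values in session).
$bean = new ActionForm('reportBean', $form, $request);
// At this point form values are obtained from session if they are there.

if ($request->isGet() && !$bean->isSaved()) {
  // No previous form data were found in session. Use the following default values.
  $form->setValueByElement('users', array_keys($user_list));
  $period = new Period(INTERVAL_THIS_MONTH, new DateAndTime($user->date_format));
  $form->setValueByElement('start_date', $period->getStartDate());
  $form->setValueByElement('end_date', $period->getEndDate());
  $form->setValueByElement('chclient', '1');
  $form->setValueByElement('chinvoice', '0');
  $form->setValueByElement('chpaid', '0');
  $form->setValueByElement('chip', '0');
  $form->setValueByElement('chproject', '1');
  $form->setValueByElement('chstart', '1');
  $form->setValueByElement('chduration', '1');
  $form->setValueByElement('chcost', '0');
  $form->setValueByElement('chtask', '1');
  $form->setValueByElement('chfinish', '1');
  $form->setValueByElement('chnote', '1');
  $form->setValueByElement('chcf_1', '0');
  $form->setValueByElement('chunits', '0');
  $form->setValueByElement('chtotalsonly', '0');
}

// The hidden flag is only ever set by the onchange handler of the favorite
// report dropdown; reset it so a reload does not look like a change.
$form->setValueByElement('fav_report_changed','');

// Disable the Delete button when no favorite report is selected.
if (!$bean->getAttribute('favorite_report') || ($bean->getAttribute('favorite_report') == -1))
  $form->getElement('btn_delete')->setEnabled(false);

if ($request->isPost()) {
  if((!$bean->getAttribute('btn_generate') && ($request->getParameter('fav_report_changed')))) {
    // User changed favorite report. We need to load new values into the form.
    if ($bean->getAttribute('favorite_report')) {
      // This loads new favorite report options into the bean (into our form).
      ttFavReportHelper::loadReport($user->id, $bean);

      // If user selected no favorite report - mark all user checkboxes (most probable scenario).
      if ($bean->getAttribute('favorite_report') == -1)
        $form->setValueByElement('users', array_keys($user_list));

      // Save form data in session for future use.
      $bean->saveBean();
      header('Location: reports.php');
      exit();
    }
  } elseif ($bean->getAttribute('btn_save')) {
    // User clicked the Save button. We need to save form options as new favorite report.
    if (!ttValidString($bean->getAttribute('new_fav_report'))) $err->add($i18n->get('error.field'), $i18n->get('form.reports.save_as_favorite'));

    if ($err->no()) {
      $id = ttFavReportHelper::saveReport($user->id, $bean);
      if (!$id)
        $err->add($i18n->get('error.db'));
      if ($err->no()) {
        $bean->setAttribute('favorite_report', $id);
        $bean->saveBean();
        header('Location: reports.php');
        exit();
      }
    }
  } elseif($bean->getAttribute('btn_delete')) {
    // Delete button pressed. User wants to delete a favorite report.
    if ($bean->getAttribute('favorite_report')) {
      // NOTE(review): only the submitted favorite_report id is passed here, and
      // verifyBean() (used on the Generate path) is not consulted. Confirm that
      // deleteReport restricts deletion to the current user's own reports.
      ttFavReportHelper::deleteReport($bean->getAttribute('favorite_report'));
      // Load default report.
      $bean->setAttribute('favorite_report','');
      $bean->setAttribute('new_fav_report', $report_list[0]['name']);
      ttFavReportHelper::loadReport($user->id, $bean);
      $form->setValueByElement('users', array_keys($user_list));
      $bean->saveBean();
      header('Location: reports.php');
      exit();
    }
  } else {
    // Generate button pressed. Check some values.
    if (!$bean->getAttribute('period')) {
      // No predefined period: both dates are required and must be in order.
      $start_date = new DateAndTime($user->date_format, $bean->getAttribute('start_date'));

      if ($start_date->isError() || !$bean->getAttribute('start_date'))
        $err->add($i18n->get('error.field'), $i18n->get('label.start_date'));

      $end_date = new DateAndTime($user->date_format, $bean->getAttribute('end_date'));
      if ($end_date->isError() || !$bean->getAttribute('end_date'))
        $err->add($i18n->get('error.field'), $i18n->get('label.end_date'));

      if ($start_date->compare($end_date) > 0)
        $err->add($i18n->get('error.interval'), $i18n->get('label.end_date'), $i18n->get('label.start_date'));
    }

    // The bean is stored in session before it is verified, so the submitted
    // values are redisplayed on error; report.php is only reached when
    // verifyBean accepts them.
    $bean->saveBean();
    // Check some more values. TODO: Perhaps it's not a good place to check values, re-evaluate this.
    // Also make sure other post variations are sane.
    if (!ttReportHelper::verifyBean($bean)) $err->add($i18n->get('error.sys'));

    if ($err->no()) {
      // Now we can go ahead and create a report.
      header('Location: report.php');
      exit();
    }
  }
} // isPost

$smarty->assign('project_list', $project_list);
$smarty->assign('task_list', $task_list);
$smarty->assign('assigned_projects', $assigned_projects);
$smarty->assign('forms', array($form->getName()=>$form->toArray()));
$smarty->assign('onload', 'onLoad="handleCheckboxes()"');
$smarty->assign('title', $i18n->get('title.reports'));
$smarty->assign('content_page_name', 'reports.tpl');
$smarty->display('index.tpl');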