Adjusted custom field config pages for subgroups.

diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl
index 91ff8c9..77ebe49 100644 (file)
--- a/WEB-INF/templates/footer.tpl
+++ b/WEB-INF/templates/footer.tpl
@@ -12,7 +12,7 @@
       <br>
       <table cellspacing="0" cellpadding="4" width="100%" border="0">
         <tr>
-          <td align="center">&nbsp;Anuko Time Tracker 1.18.29.4566 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
+          <td align="center">&nbsp;Anuko Time Tracker 1.18.29.4567 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
             <a href="https://www.anuko.com/lp/tt_4.htm" target="_blank">{$i18n.footer.credits}</a> |
             <a href="https://www.anuko.com/lp/tt_5.htm" target="_blank">{$i18n.footer.license}</a> |
             <a href="https://www.anuko.com/lp/tt_7.htm" target="_blank">{$i18n.footer.improve}</a>

diff --git a/admin_options.php b/admin_options.php
index 164ff33..9448ef7 100644 (file)
--- a/admin_options.php
+++ b/admin_options.php
@@ -36,6 +36,7 @@ if (!ttAccessAllowed('administer_site')) {
   header('Location: access_denied.php');
   exit();
 }
+// End of access checks.
 
 if ($request->isPost()) {
   $cl_name = trim($request->getParameter('name'));

diff --git a/cf_custom_field_add.php b/cf_custom_field_add.php
index 8227d25..c0dc255 100644 (file)
--- a/cf_custom_field_add.php
+++ b/cf_custom_field_add.php
@@ -45,6 +45,7 @@ if (count($fields) >= 1) {
   header('Location: access_denied.php');
   exit();
 }
+// End of access checks.
 
 if ($request->isPost()) {
   $cl_field_name = trim($request->getParameter('name'));

diff --git a/cf_custom_field_delete.php b/cf_custom_field_delete.php
index 86c10b1..c8a1336 100644 (file)
--- a/cf_custom_field_delete.php
+++ b/cf_custom_field_delete.php
@@ -39,8 +39,13 @@ if (!$user->isPluginEnabled('cf')) {
   header('Location: feature_disabled.php');
   exit();
 }
-
-$id = $request->getParameter('id');
+$id = (int)$request->getParameter('id');
+$field = CustomFields::getField($id);
+if (!$field) {
+  header('Location: access_denied.php');
+  exit();
+}
+// End of access checks.
 
 $form = new Form('fieldDeleteForm');
 
@@ -60,15 +65,9 @@ if ($request->isPost()) {
     exit();
   }
 } else {
-  $field = CustomFields::getField($id);        
-  if (false === $field)
-    $err->add($i18n->get('error.db'));
-
-  if ($err->no()) {
-    $form->addInput(array('type'=>'hidden','name'=>'id','value'=>$id));
-    $form->addInput(array('type'=>'submit','name'=>'btn_delete','value'=>$i18n->get('label.delete')));
-    $form->addInput(array('type'=>'submit','name'=>'btn_cancel','value'=>$i18n->get('button.cancel')));
-  }
+  $form->addInput(array('type'=>'hidden','name'=>'id','value'=>$id));
+  $form->addInput(array('type'=>'submit','name'=>'btn_delete','value'=>$i18n->get('label.delete')));
+  $form->addInput(array('type'=>'submit','name'=>'btn_cancel','value'=>$i18n->get('button.cancel')));
 }
 
 $smarty->assign('field', $field['label']);

diff --git a/cf_custom_field_edit.php b/cf_custom_field_edit.php
index 499f6d0..0bf5818 100644 (file)
--- a/cf_custom_field_edit.php
+++ b/cf_custom_field_edit.php
@@ -39,11 +39,13 @@ if (!$user->isPluginEnabled('cf')) {
   header('Location: feature_disabled.php');
   exit();
 }
-
-$cl_id = $request->getParameter('id');
+$cl_id = (int)$request->getParameter('id');
 $field = CustomFields::getField($cl_id);
-if (false === $field)
-  $err->add($i18n->get('error.db'));
+if (!$field) {
+  header('Location: access_denied.php');
+  exit();
+}
+// End of access checks.
 
 $form = new Form('fieldForm');
 if ($err->no()) {

diff --git a/cf_custom_fields.php b/cf_custom_fields.php
index 53f80e4..6de626c 100644 (file)
--- a/cf_custom_fields.php
+++ b/cf_custom_fields.php
@@ -39,6 +39,7 @@ if (!$user->isPluginEnabled('cf')) {
   header('Location: feature_disabled.php');
   exit();
 }
+// End of access checks.
 
 $form = new Form('customFieldsForm');
 

diff --git a/plugins/CustomFields.class.php b/plugins/CustomFields.class.php
index 74fef83..885f60b 100644 (file)
--- a/plugins/CustomFields.class.php
+++ b/plugins/CustomFields.class.php
@@ -237,8 +237,12 @@ class CustomFields {
     global $user;
     $mdb2 = getConnection();
 
+    $group_id = $user->getGroup();
+    $org_id = $user->org_id;
+
     $fields = array();
-    $sql = "select id, type, label from tt_custom_fields where group_id = $user->group_id and status = 1 and type > 0";
+    $sql = "select id, type, label from tt_custom_fields".
+      " where group_id = $group_id and org_id = $org_id and status = 1 and type > 0";
     $res = $mdb2->query($sql);
     if (!is_a($res, 'PEAR_Error')) {
       while ($val = $res->fetchRow()) {
@@ -254,7 +258,11 @@ class CustomFields {
     global $user;
     $mdb2 = getConnection();
 
-    $sql = "select label, type, required from tt_custom_fields where id = $id and group_id = $user->group_id";
+    $group_id = $user->getGroup();
+    $org_id = $user->org_id;
+
+    $sql = "select label, type, required from tt_custom_fields".
+      " where id = $id and group_id = $group_id and org_id = $org_id";
     $res = $mdb2->query($sql);
     if (!is_a($res, 'PEAR_Error')) {
       $val = $res->fetchRow();
@@ -295,40 +303,39 @@ class CustomFields {
   static function updateField($id, $name, $type, $required) {
     global $user;
     $mdb2 = getConnection();
-    $sql = "update tt_custom_fields set label = ".$mdb2->quote($name).", type = $type, required = $required where id = $id and group_id = $user->group_id";
+    $group_id = $user->getGroup();
+    $org_id = $user->org_id;
+    $sql = "update tt_custom_fields set label = ".$mdb2->quote($name).", type = $type, required = $required".
+      " where id = $id and group_id = $group_id and org_id = $org_id";
     $affected = $mdb2->exec($sql);
     return (!is_a($affected, 'PEAR_Error'));
   }
 
   // The deleteField deletes a custom field, its options and log entries for group.
   static function deleteField($field_id) {
-
     global $user;
     $mdb2 = getConnection();
 
-    // First make sure that the field is ours so that we can safely delete it.
-    $sql = "select group_id from tt_custom_fields where id = $field_id";
-    $res = $mdb2->query($sql);
-    if (is_a($res, 'PEAR_Error'))
-      return false;
-    $val = $res->fetchRow();
-    if ($user->group_id != $val['group_id'])
-      return false;
+    $group_id = $user->getGroup();
+    $org_id = $user->org_id;
 
-    // Mark log entries as deleted.
-    $sql = "update tt_custom_field_log set status = NULL where field_id = $field_id";
+    // Mark log entries as deleted. TODO: why are we doing this? Research impact.
+    $sql = "update tt_custom_field_log set status = null".
+      " where field_id = $field_id and group_id = $group_id and org_id = $org_id";
     $affected = $mdb2->exec($sql);
     if (is_a($affected, 'PEAR_Error'))
       return false;
 
     // Mark field options as deleted.
-    $sql = "update tt_custom_field_options set status = NULL where field_id = $field_id";
+    $sql = "update tt_custom_field_options set status = null".
+      " where field_id = $field_id and group_id = $group_id and org_id = $org_id";
     $affected = $mdb2->exec($sql);
     if (is_a($affected, 'PEAR_Error'))
       return false;
 
     // Mark custom field as deleted.
-    $sql = "update tt_custom_fields set status = NULL where id = $field_id and group_id = $user->group_id";
+    $sql = "update tt_custom_fields set status = null".
+      " where id = $field_id and group_id = $group_id and org_id = $org_id";
     $affected = $mdb2->exec($sql);
     return (!is_a($affected, 'PEAR_Error'));
   }