From cdd27c2b163122cb6e2169851019721b3382abd7 Mon Sep 17 00:00:00 2001
From: Nik Okuntseff
Date: Fri, 26 Apr 2019 21:17:51 +0000
Subject: [PATCH] Wrote a validation routine for holidays.
---
 WEB-INF/lib/common.lib.php | 17 +++++++++++++++++
 WEB-INF/lib/ttUser.class.php | 3 ++-
 WEB-INF/templates/footer.tpl | 2 +-
 group_edit.php | 4 ++++
 4 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/WEB-INF/lib/common.lib.php b/WEB-INF/lib/common.lib.php
index 747f3e01..b19feacd 100644
--- a/WEB-INF/lib/common.lib.php
+++ b/WEB-INF/lib/common.lib.php
@@ -349,6 +349,23 @@ function ttValidIP($val, $emptyValid = false)
 return true;
 }
+// ttValidHolidays is used to check user input to validate holidays spec.
+// To keep things simple, the format is a comma-separated list of dates:
+// ****-01-01,****-12-31,2019-04-20
+// The above means Jan 1 and Dec 31 are holidays in all years, while Apr 20 is only in 2019.
+function ttValidHolidays($val)
+{
+ $val = trim($val);
+ if (strlen($val) == 0) return true;
+
+ $dates = explode(',', $val);
+ foreach ($dates as $date) {
+ if (!preg_match('/^[\d*]{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])$/', $date))
+ return false;
+ }
+ return true;
+}
+
 // ttAccessAllowed checks whether user is allowed access to a particular page.
 // It is used as an initial check on all publicly available pages
 // (except login.php, register.php, and others where we don't have to check).
diff --git a/WEB-INF/lib/ttUser.class.php b/WEB-INF/lib/ttUser.class.php
index 5ee67f59..ab0affe4 100644
--- a/WEB-INF/lib/ttUser.class.php
+++ b/WEB-INF/lib/ttUser.class.php
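Review bot: The year part `[\d*]{4}` in ttValidHolidays accepts mixed forms such as `2*19` or `*019`, which the comment above the function does not describe as valid (it documents only `****` or a full year), and the trailing `$` without the `D` modifier lets an element such as `2019-04-20\n` through, since `$` matches before a final newline. Tightening the pattern to `'/^(\d{4}|\*{4})-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])\z/'` closes both. The day is also not checked against the month (`2019-02-31` passes); for concrete years `checkdate()` would catch that, though leaving it out may be acceptable given the stated keep-it-simple intent, in which case the header comment should say so. Individual elements are not trimmed, so `2019-01-01, 2019-12-31` with a space after the comma is rejected; if that is intended it deserves a line in the comment, e.g. `// No whitespace is allowed around the commas.`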
@@ -669,12 +669,13 @@ class ttUser {
 if (isset($fields['plugins'])) $plugins_part = ', plugins = '.$mdb2->quote($fields['plugins']);
 if (isset($fields['config'])) $config_part = ', config = '.$mdb2->quote($fields['config']);
 if (isset($fields['lock_spec'])) $lock_spec_part = ', lock_spec = '.$mdb2->quote($fields['lock_spec']);
+ if (isset($fields['holidays'])) $holidays_part = ', holidays = '.$mdb2->quote($fields['holidays']);
 if (isset($fields['workday_minutes'])) $workday_minutes_part = ', workday_minutes = '.$mdb2->quote($fields['workday_minutes']);
 $modified_part = ', modified = now(), modified_ip = '.$mdb2->quote($_SERVER['REMOTE_ADDR']).', modified_by = '.$mdb2->quote($this->id);
 $parts = trim($name_part.$description_part.$currency_part.$lang_part.$decimal_mark_part.$date_format_part.
 $time_format_part.$week_start_part.$tracking_mode_part.$task_required_part.$project_required_part.$record_type_part.
- $bcc_email_part.$allow_ip_part.$plugins_part.$config_part.$lock_spec_part.$workday_minutes_part.$modified_part, ',');
+ $bcc_email_part.$allow_ip_part.$plugins_part.$config_part.$lock_spec_part.$holidays_part.$workday_minutes_part.$modified_part, ',');
 $sql = "update tt_groups set $parts where id = $group_id and org_id = $this->org_id";
 $affected = $mdb2->exec($sql);
diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl
index b02e30e9..4d893815 100644
--- a/WEB-INF/templates/footer.tpl
+++ b/WEB-INF/templates/footer.tpl
@@ -12,7 +12,7 @@
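Review bot: `$holidays_part` is assigned only inside the added `isset($fields['holidays'])` guard but is concatenated unconditionally in the new `$parts` line, so a caller that updates a group without a `holidays` key triggers an undefined-variable notice (a warning on PHP 8) before the string collapses to empty. The neighbouring parts follow the same pattern, so this is inherited rather than introduced, but the added line can avoid it on its own with `$holidays_part = isset($fields['holidays']) ? ', holidays = '.$mdb2->quote($fields['holidays']) : '';`. The value is quoted here but not format-checked at this layer; in this commit the check lives in group_edit.php, so a short comment on the method stating that callers are expected to run ttValidHolidays on `holidays` first would record that contract. The enclosing method starts and ends outside the hunk.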
-
 Anuko Time Tracker 1.19.4.4990 | Copyright © Anuko |
+  Anuko Time Tracker 1.19.4.4991 | Copyright © Anuko |
 {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve}
diff --git a/group_edit.php b/group_edit.php
index 583c4424..2855de88 100644
--- a/group_edit.php
+++ b/group_edit.php
@@ -86,6 +86,7 @@ if ($request->isPost() && !$groupChanged) {
 $cl_time_format = $request->getParameter('time_format');
 $cl_start_week = $request->getParameter('start_week');
 $cl_show_holidays = $request->getParameter('show_holidays');
+ $cl_holidays = trim($request->getParameter('holidays'));
 $cl_tracking_mode = $request->getParameter('tracking_mode');
 $cl_project_required = $request->getParameter('project_required');
 $cl_task_required = $request->getParameter('task_required');
@@ -107,6 +108,7 @@ if ($request->isPost() && !$groupChanged) {
 $cl_time_format = $group['time_format'];
 $cl_start_week = $group['week_start'];
 $cl_show_holidays = $config->getDefinedValue('show_holidays');
+ $cl_holidays = $group['holidays'];
 $cl_tracking_mode = $group['tracking_mode'];
 $cl_project_required = $group['project_required'];
 $cl_task_required = $group['task_required'];
@@ -238,6 +240,7 @@ if ($request->isPost()) {
 if (!ttValidString($cl_group)) $err->add($i18n->get('error.field'), $i18n->get('label.group_name'));
 if (!ttValidString($cl_description, true)) $err->add($i18n->get('error.field'), $i18n->get('label.description'));
 if (!ttValidString($cl_currency, true)) $err->add($i18n->get('error.field'), $i18n->get('label.currency'));
+ if (!ttValidHolidays($cl_holidays)) $err->add($i18n->get('error.field'), $i18n->get('form.group_edit.holidays'));
 if ($advanced_settings) {
 if (!ttValidEmail($cl_bcc_email, true)) $err->add($i18n->get('error.field'), $i18n->get('label.bcc'));
 if (!ttValidIP($cl_allow_ip, true)) $err->add($i18n->get('error.field'), $i18n->get('form.group_edit.allow_ip'));
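Review bot: In the `@@ -86` hunk, `trim($request->getParameter('holidays'))` runs before the parameter is known to be present; if `getParameter` returns null for a field absent from the submitted form (for instance a form rendered without the holidays input), `trim(null)` is deprecated from PHP 8.1 and quietly yields an empty string on older versions, which ttValidHolidays accepts and the `@@ -263` hunk then stores, clearing any existing value. If that is the intended behaviour, `$cl_holidays = trim((string) $request->getParameter('holidays'));` makes it explicit; otherwise the read should be gated on the field being present. The `trim` here is not redundant with the one inside ttValidHolidays, because that function trims a local copy while the caller's value is what gets stored, so a comment such as `// trimmed here because this value, not the copy ttValidHolidays checks, is what is saved` would explain why this field alone is trimmed. The enclosing POST-handling block starts and ends outside the hunk.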
@@ -263,6 +266,7 @@ if ($request->isPost()) {
 'date_format' => $cl_date_format,
 'time_format' => $cl_time_format,
 'week_start' => $cl_start_week,
+ 'holidays' => $cl_holidays,
 'tracking_mode' => $cl_tracking_mode,
 'project_required' => $cl_project_required,
 'task_required' => $cl_task_required,
--
2.20.1