]> wagnertech.de Git - timetracker.git/blobdiff - WEB-INF/lib/ttTaskHelper.class.php
projects / timetracker.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Included team_id in task update sql to avoid risk of misuse.
[timetracker.git] / WEB-INF / lib / ttTaskHelper.class.php
diff --git a/WEB-INF/lib/ttTaskHelper.class.php b/WEB-INF/lib/ttTaskHelper.class.php
index 2bb99da424374a896a0078b21cbee4fb5913ac4f..24831cb26bef38468b09c06517a93b27fd301198 100644 (file)
--- a/WEB-INF/lib/ttTaskHelper.class.php
+++ b/WEB-INF/lib/ttTaskHelper.class.php
@@ -198,7 +198,7 @@ class ttTaskHelper {
     $projects = $fields['projects'];
 
     $sql = "update tt_tasks set name = ".$mdb2->quote($name).", description = ".$mdb2->quote($description).
-      ", status = $status where id = $task_id";
+      ", status = $status where id = $task_id and team_id = $user->team_id";
     $affected = $mdb2->exec($sql);
     if (is_a($affected, 'PEAR_Error'))
       die($affected->getMessage());
Unnamed repository; edit this file 'description' to name the repository.