Security fix for invoice view.

[timetracker.git] / WEB-INF / lib / ttInvoiceHelper.class.php

diff --git a/WEB-INF/lib/ttInvoiceHelper.class.php b/WEB-INF/lib/ttInvoiceHelper.class.php
index 9fa7e58c38017f67338c10a30a9443718eb0e943..fd701fe51c288ef0ed9da9b1fb109dbbc033df7c 100644 (file)
--- a/WEB-INF/lib/ttInvoiceHelper.class.php
+++ b/WEB-INF/lib/ttInvoiceHelper.class.php
@@ -69,7 +69,9 @@ class ttInvoiceHelper {
     global $user;
     $mdb2 = getConnection();
 
-    $sql = "select * from tt_invoices where id = $invoice_id and team_id = $user->team_id and status = 1";
+    if ($user->isClient()) $client_part = " and client_id = $user->client_id";
+
+    $sql = "select * from tt_invoices where id = $invoice_id and team_id = $user->team_id $client_part and status = 1";
     $res = $mdb2->query($sql);
     if (!is_a($res, 'PEAR_Error')) {
       if ($val = $res->fetchRow())