Security fix for reports.

[timetracker.git] / reports.php

diff --git a/reports.php b/reports.php
index fcefd047bae708497b740bbed8269e4f6b881dd7..79c011f986f11b90fe4f67132468ff169b17c97c 100644 (file)
--- a/reports.php
+++ b/reports.php
@@ -35,6 +35,7 @@ import('Period');
 import('ttProjectHelper');
 import('ttFavReportHelper');
 import('ttClientHelper');
+import('ttReportHelper');
 
 // Access check.
 if (!(ttAccessAllowed('view_own_reports') || ttAccessAllowed('view_reports') || ttAccessAllowed('view_all_reports'))) {
@@ -214,6 +215,9 @@ $form->addInput(array('type'=>'checkbox','name'=>'chcost'));
 // If we have a custom field - add a checkbox for it.
 if ($custom_fields && $custom_fields->fields[0])
   $form->addInput(array('type'=>'checkbox','name'=>'chcf_1'));
+if ($user->isPluginEnabled('wu'))
+  $form->addInput(array('type'=>'checkbox','name'=>'chunits'));
+
 // Add group by control.
 $group_by_options['no_grouping'] = $i18n->get('form.reports.group_by_no');
 $group_by_options['date'] = $i18n->get('form.reports.group_by_date');
@@ -260,6 +264,7 @@ if ($request->isGet() && !$bean->isSaved()) {
   $form->setValueByElement('chfinish', '1');
   $form->setValueByElement('chnote', '1');
   $form->setValueByElement('chcf_1', '0');
+  $form->setValueByElement('chunits', '0');
   $form->setValueByElement('chtotalsonly', '0');
 }
 
@@ -330,6 +335,9 @@ if ($request->isPost()) {
     }
 
     $bean->saveBean();
+    // Check some more values. TODO: Perhaps it's not a good place to check values, re-evaluate this.
+    // Also make sure other post variations are sane.
+    if (!ttReportHelper::verifyBean($bean)) $err->add($i18n->get('error.sys'));
 
     if ($err->no()) {
       // Now we can go ahead and create a report.