Security fix for project edits.

[timetracker.git] / projects.php

diff --git a/projects.php b/projects.php
index ce7bb9a1a4e0717a1aed84d9318e55da42363114..1d5f7e2e49ddad197a6839b6517ac5116f6e3ad0 100644 (file)
--- a/projects.php
+++ b/projects.php
@@ -30,13 +30,19 @@ require_once('initialize.php');
 import('form.Form');
 import('ttTeamHelper');
 
-// Access check.
-if (!ttAccessAllowed('track_own_time') || (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->tracking_mode)) {
+// Access checks.
+// TODO: introduce view_projects right to keep access checks simple.
+if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time') || ttAccessAllowed('manage_projects'))) {
   header('Location: access_denied.php');
   exit();
 }
+if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
+  header('Location: feature_disabled.php');
+  exit();
+}
+// End of access checks.
 
-if($user->canManageTeam()) {
+if($user->can('manage_projects')) {
   $active_projects = ttTeamHelper::getActiveProjects($user->team_id);
   $inactive_projects = ttTeamHelper::getInactiveProjects($user->team_id);
 } else
@@ -44,6 +50,6 @@ if($user->canManageTeam()) {
 
 $smarty->assign('active_projects', $active_projects);
 $smarty->assign('inactive_projects', $inactive_projects);
-$smarty->assign('title', $i18n->getKey('title.projects'));
+$smarty->assign('title', $i18n->get('title.projects'));
 $smarty->assign('content_page_name', 'projects.tpl');
 $smarty->display('index.tpl');