]> wagnertech.de Git - timetracker.git/blobdiff - projects.php
projects / timetracker.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Security fix for project edits.
[timetracker.git] / projects.php
diff --git a/projects.php b/projects.php
index ed0103a4e3ad929cdcf28477957e936f37bcaf3d..1d5f7e2e49ddad197a6839b6517ac5116f6e3ad0 100644 (file)
--- a/projects.php
+++ b/projects.php
@@ -30,13 +30,19 @@ require_once('initialize.php');
 import('form.Form');
 import('ttTeamHelper');
 
-// Access check.
-if (!ttAccessAllowed('track_own_time') || (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->tracking_mode)) {
+// Access checks.
+// TODO: introduce view_projects right to keep access checks simple.
+if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time') || ttAccessAllowed('manage_projects'))) {
   header('Location: access_denied.php');
   exit();
 }
+if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->tracking_mode) {
+  header('Location: feature_disabled.php');
+  exit();
+}
+// End of access checks.
 
-if($user->canManageTeam()) {
+if($user->can('manage_projects')) {
   $active_projects = ttTeamHelper::getActiveProjects($user->team_id);
   $inactive_projects = ttTeamHelper::getInactiveProjects($user->team_id);
 } else
Unnamed repository; edit this file 'description' to name the repository.