Refactoring.

[timetracker.git] / notification_add.php

diff --git a/notification_add.php b/notification_add.php
index 6d0e4d31a2d894affbbae46f3ea0673f7385bb2a..e7f541bb94248ae01c3b46262ac911afe06cad4b 100644 (file)
--- a/notification_add.php
+++ b/notification_add.php
@@ -33,16 +33,33 @@ import('form.Form');
 import('ttFavReportHelper');
 import('ttNotificationHelper');
 
-// Access check.
-if (!ttAccessAllowed('manage_advanced_settings') || !$user->isPluginEnabled('no')) {
+// Access checks.
+if (!ttAccessAllowed('manage_advanced_settings')) {
   header('Location: access_denied.php');
   exit();
 }
+if (!$user->isPluginEnabled('no')) {
+  header('Location: feature_disabled.php');
+  exit();
+}
+if (!$user->exists()) {
+  header('Location: access_denied.php'); // No users in subgroup.
+  exit();
+}
+if ($request->isPost()) {
+  // TODO: improve this, perhaps by refactoring elsewhere.
+  $cl_fav_report = (int) $request->getParameter('fav_report');
+  $fav_report = ttFavReportHelper::getReport($cl_fav_report);
+  if ($user->getUser() != $fav_report['user_id']) {
+    header('Location: access_denied.php'); // Invalid fav report id in post.
+    exit();
+  }
+}
+// End of access checks.
 
-$fav_reports = ttFavReportHelper::getReports($user->id);
+$fav_reports = ttFavReportHelper::getReports();
 
 if ($request->isPost()) {
-  $cl_fav_report = trim($request->getParameter('fav_report'));
   $cl_cron_spec = trim($request->getParameter('cron_spec'));
   $cl_email = trim($request->getParameter('email'));
   $cl_cc = trim($request->getParameter('cc'));
@@ -82,7 +99,6 @@ if ($request->isPost()) {
     $next = tdCron::getNextOccurrence($cl_cron_spec, mktime()); 
 
     if (ttNotificationHelper::insert(array(
-        'team_id' => $user->team_id,
         'cron_spec' => $cl_cron_spec,
         'next' => $next,
         'report_id' => $cl_fav_report,