X-Git-Url: http://wagnertech.de/gitweb/gitweb.cgi/timetracker.git/blobdiff_plain/5f1b7a5bed3563565e28a5bf851298d3ed7df8c7..e7b081c97f2f2cfa69ca8df99afdeb8506eff726:/time.php

diff --git a/time.php b/time.php
index 1c29aa8f..18979fe2 100644
--- a/time.php
+++ b/time.php
@@ -41,11 +41,19 @@ import('DateAndTime');
   // die ("Your browser's cookie functionality is turned off. Please turn it on.");
 // }
 
-// Access check.
+// Access checks.
 if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) {
   header('Location: access_denied.php');
   exit();
 }
+if ($user->behalf_id && (!$user->can('track_time') || !$user->checkBehalfId())) {
+  header('Location: access_denied.php'); // Trying on behalf, but no right or wrong user.
+  exit();
+}
+if (!$user->behalf_id && !$user->can('track_own_time') && !$user->adjustBehalfId()) {
+  header('Location: access_denied.php'); // Trying as self, but no right for self, and noone to view on behalf.
+  exit();
+}
 
 // Initialize and store date in session.
 $cl_date = $request->getParameter('date', @$_SESSION['date']);
@@ -103,9 +111,13 @@ $_SESSION['task'] = $cl_task;
 // Elements of timeRecordForm.
 $form = new Form('timeRecordForm');
 
-if ($user->canManageTeam()) {
-  $user_list = ttTeamHelper::getActiveUsers(array('putSelfFirst'=>true));
-  if (count($user_list) > 1) {
+if ($user->can('track_time')) {
+  if ($user->can('track_own_time'))
+    $options = array('status'=>ACTIVE,'max_rank'=>$user->rank-1,'include_self'=>true,'self_first'=>true);
+  else
+    $options = array('status'=>ACTIVE,'max_rank'=>$user->rank-1);
+  $user_list = $user->getUsers($options);
+  if (count($user_list) >= 1) {
     $form->addInput(array('type'=>'combobox',
       'onchange'=>'this.form.submit();',
       'name'=>'onBehalfUser',