]> wagnertech.de Git - timetracker.git/commitdiff
projects / timetracker.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: dab1057)
Security fix for project edits.
authorNik Okuntseff <support@anuko.com>
Mon, 26 Mar 2018 20:31:45 +0000 (20:31 +0000)
committerNik Okuntseff <support@anuko.com>
Mon, 26 Mar 2018 20:31:45 +0000 (20:31 +0000)
WEB-INF/templates/footer.tpl patch | blob | history
mobile/project_delete.php patch | blob | history
mobile/project_edit.php patch | blob | history
mobile/projects.php patch | blob | history
project_delete.php patch | blob | history
project_edit.php patch | blob | history
projects.php patch | blob | history

diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl
index 7c8bd634ffa0b3043c06bdc3a932d18e03de0a1b..95bed59a13f08614f109e28ad8a2dbb7096da5dd 100644 (file)
--- a/WEB-INF/templates/footer.tpl
+++ b/WEB-INF/templates/footer.tpl
@@ -12,7 +12,7 @@
       <br>
       <table cellspacing="0" cellpadding="4" width="100%" border="0">
         <tr>
       <br>
       <table cellspacing="0" cellpadding="4" width="100%" border="0">
         <tr>
-          <td align="center">&nbsp;Anuko Time Tracker 1.17.74.4182 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
+          <td align="center">&nbsp;Anuko Time Tracker 1.17.75.4183 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
             <a href="https://www.anuko.com/lp/tt_4.htm" target="_blank">{$i18n.footer.credits}</a> |
             <a href="https://www.anuko.com/lp/tt_5.htm" target="_blank">{$i18n.footer.license}</a> |
             <a href="https://www.anuko.com/lp/tt_7.htm" target="_blank">{$i18n.footer.improve}</a>
             <a href="https://www.anuko.com/lp/tt_4.htm" target="_blank">{$i18n.footer.credits}</a> |
             <a href="https://www.anuko.com/lp/tt_5.htm" target="_blank">{$i18n.footer.license}</a> |
             <a href="https://www.anuko.com/lp/tt_7.htm" target="_blank">{$i18n.footer.improve}</a>
diff --git a/mobile/project_delete.php b/mobile/project_delete.php
index c8753b844ed1a196adda441618ce870e0dc6b8ef..5785496aa5ef818f6c1ff07f0937e9d6d94998b8 100644 (file)
--- a/mobile/project_delete.php
+++ b/mobile/project_delete.php
@@ -39,9 +39,14 @@ if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->t
   header('Location: feature_disabled.php');
   exit();
 }
   header('Location: feature_disabled.php');
   exit();
 }
-
 $cl_project_id = (int)$request->getParameter('id');
 $project = ttProjectHelper::get($cl_project_id);
 $cl_project_id = (int)$request->getParameter('id');
 $project = ttProjectHelper::get($cl_project_id);
+if (!$project) {
+  header('Location: access_denied.php');
+  exit();
+}
+// End of access checks.
+
 $project_to_delete = $project['name'];
 
 $form = new Form('projectDeleteForm');
 $project_to_delete = $project['name'];
 
 $form = new Form('projectDeleteForm');
@@ -51,12 +56,9 @@ $form->addInput(array('type'=>'submit','name'=>'btn_cancel','value'=>$i18n->get(
 
 if ($request->isPost()) {
   if ($request->getParameter('btn_delete')) {
 
 if ($request->isPost()) {
   if ($request->getParameter('btn_delete')) {
-    if(ttProjectHelper::get($cl_project_id)) {
-      if (ttProjectHelper::delete($cl_project_id)) {
-        header('Location: projects.php');
-        exit();
-      } else
-        $err->add($i18n->get('error.db'));
+    if (ttProjectHelper::delete($cl_project_id)) {
+      header('Location: projects.php');
+      exit();
     } else
       $err->add($i18n->get('error.db'));
   } elseif ($request->getParameter('btn_cancel')) {
     } else
       $err->add($i18n->get('error.db'));
   } elseif ($request->getParameter('btn_cancel')) {
diff --git a/mobile/project_edit.php b/mobile/project_edit.php
index 74454ec410b4c71a0bad94e16e7e55c75b381c3c..6adb475e41e61f006c9188386dc67ac5d938eb4f 100644 (file)
--- a/mobile/project_edit.php
+++ b/mobile/project_edit.php
@@ -40,8 +40,13 @@ if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->t
   header('Location: feature_disabled.php');
   exit();
 }
   header('Location: feature_disabled.php');
   exit();
 }
-
 $cl_project_id = (int)$request->getParameter('id');
 $cl_project_id = (int)$request->getParameter('id');
+$project = ttProjectHelper::get($cl_project_id);
+if (!$project) {
+  header('Location: access_denied.php');
+  exit();
+}
+// End of access checks.
 
 $users = ttTeamHelper::getActiveUsers();
 foreach ($users as $user_item)
 
 $users = ttTeamHelper::getActiveUsers();
 foreach ($users as $user_item)
@@ -58,7 +63,6 @@ if ($request->isPost()) {
   $cl_users = $request->getParameter('users', array());
   $cl_tasks = $request->getParameter('tasks', array());
 } else {
   $cl_users = $request->getParameter('users', array());
   $cl_tasks = $request->getParameter('tasks', array());
 } else {
-  $project = ttProjectHelper::get($cl_project_id);
   $cl_name = $project['name'];
   $cl_description = $project['description'];
   $cl_status = $project['status'];
   $cl_name = $project['name'];
   $cl_description = $project['description'];
   $cl_status = $project['status'];
diff --git a/mobile/projects.php b/mobile/projects.php
index 93261d425f108fc203dfa16f15d646f3b55a7115..938eab82aced7a6e29d9e301f142cede32d3a373 100644 (file)
--- a/mobile/projects.php
+++ b/mobile/projects.php
@@ -31,7 +31,8 @@ import('form.Form');
 import('ttTeamHelper');
 
 // Access checks.
 import('ttTeamHelper');
 
 // Access checks.
-if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) {
+// TODO: introduce view_projects right to keep access checks simple.
+if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time') || ttAccessAllowed('manage_projects'))) {
   header('Location: access_denied.php');
   exit();
 }
   header('Location: access_denied.php');
   exit();
 }
@@ -40,7 +41,7 @@ if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->t
   exit();
 }
 
   exit();
 }
 
-if($user->canManageTeam()) {
+if($user->can('manage_projects')) {
   $active_projects = ttTeamHelper::getActiveProjects($user->team_id);
   $inactive_projects = ttTeamHelper::getInactiveProjects($user->team_id);
 } else
   $active_projects = ttTeamHelper::getActiveProjects($user->team_id);
   $inactive_projects = ttTeamHelper::getInactiveProjects($user->team_id);
 } else
diff --git a/project_delete.php b/project_delete.php
index 2373bbead3e08c11943bcb6cfc846b3069585042..450241e79ef76c6cab12a665b1d53e32cb552d36 100644 (file)
--- a/project_delete.php
+++ b/project_delete.php
@@ -39,9 +39,14 @@ if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->t
   header('Location: feature_disabled.php');
   exit();
 }
   header('Location: feature_disabled.php');
   exit();
 }
-
 $cl_project_id = (int)$request->getParameter('id');
 $project = ttProjectHelper::get($cl_project_id);
 $cl_project_id = (int)$request->getParameter('id');
 $project = ttProjectHelper::get($cl_project_id);
+if (!$project) {
+  header('Location: access_denied.php');
+  exit();
+}
+// End of access checks.
+
 $project_to_delete = $project['name'];
 
 $form = new Form('projectDeleteForm');
 $project_to_delete = $project['name'];
 
 $form = new Form('projectDeleteForm');
@@ -51,12 +56,9 @@ $form->addInput(array('type'=>'submit','name'=>'btn_cancel','value'=>$i18n->get(
 
 if ($request->isPost()) {
   if ($request->getParameter('btn_delete')) {
 
 if ($request->isPost()) {
   if ($request->getParameter('btn_delete')) {
-    if(ttProjectHelper::get($cl_project_id)) {
-      if (ttProjectHelper::delete($cl_project_id)) {
-        header('Location: projects.php');
-        exit();
-      } else
-        $err->add($i18n->get('error.db'));
+    if (ttProjectHelper::delete($cl_project_id)) {
+      header('Location: projects.php');
+      exit();
     } else
       $err->add($i18n->get('error.db'));
   } elseif ($request->getParameter('btn_cancel')) {
     } else
       $err->add($i18n->get('error.db'));
   } elseif ($request->getParameter('btn_cancel')) {
diff --git a/project_edit.php b/project_edit.php
index d30782ab540c1a0f4d81157f6d6790dcb43c28c7..543c532eff70b1046a8139346daa71457191b235 100644 (file)
--- a/project_edit.php
+++ b/project_edit.php
@@ -40,8 +40,13 @@ if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->t
   header('Location: feature_disabled.php');
   exit();
 }
   header('Location: feature_disabled.php');
   exit();
 }
-
 $cl_project_id = (int)$request->getParameter('id');
 $cl_project_id = (int)$request->getParameter('id');
+$project = ttProjectHelper::get($cl_project_id);
+if (!$project) {
+  header('Location: access_denied.php');
+  exit();
+}
+// End of access checks.
 
 $users = ttTeamHelper::getActiveUsers();
 foreach ($users as $user_item)
 
 $users = ttTeamHelper::getActiveUsers();
 foreach ($users as $user_item)
@@ -58,7 +63,6 @@ if ($request->isPost()) {
   $cl_users = $request->getParameter('users', array());
   $cl_tasks = $request->getParameter('tasks', array());
 } else {
   $cl_users = $request->getParameter('users', array());
   $cl_tasks = $request->getParameter('tasks', array());
 } else {
-  $project = ttProjectHelper::get($cl_project_id);
   $cl_name = $project['name'];
   $cl_description = $project['description'];
   $cl_status = $project['status'];
   $cl_name = $project['name'];
   $cl_description = $project['description'];
   $cl_status = $project['status'];
diff --git a/projects.php b/projects.php
index 5315c4f70015d9da5b79c28a1ee7cce0634f65a6..1d5f7e2e49ddad197a6839b6517ac5116f6e3ad0 100644 (file)
--- a/projects.php
+++ b/projects.php
@@ -31,7 +31,8 @@ import('form.Form');
 import('ttTeamHelper');
 
 // Access checks.
 import('ttTeamHelper');
 
 // Access checks.
-if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time'))) {
+// TODO: introduce view_projects right to keep access checks simple.
+if (!(ttAccessAllowed('track_own_time') || ttAccessAllowed('track_time') || ttAccessAllowed('manage_projects'))) {
   header('Location: access_denied.php');
   exit();
 }
   header('Location: access_denied.php');
   exit();
 }
@@ -39,8 +40,9 @@ if (MODE_PROJECTS != $user->tracking_mode && MODE_PROJECTS_AND_TASKS != $user->t
   header('Location: feature_disabled.php');
   exit();
 }
   header('Location: feature_disabled.php');
   exit();
 }
+// End of access checks.
 
 
-if($user->canManageTeam()) {
+if($user->can('manage_projects')) {
   $active_projects = ttTeamHelper::getActiveProjects($user->team_id);
   $inactive_projects = ttTeamHelper::getInactiveProjects($user->team_id);
 } else
   $active_projects = ttTeamHelper::getActiveProjects($user->team_id);
   $inactive_projects = ttTeamHelper::getInactiveProjects($user->team_id);
 } else
Unnamed repository; edit this file 'description' to name the repository.