A bit of refactoring of access checks in user edits and deletes.

diff --git a/WEB-INF/lib/ttUser.class.php b/WEB-INF/lib/ttUser.class.php
index 5321e74d941d35b6250c0c5aa7b18d5fb255bd07..7f9894efd455ba918378c33d5362ad2439b6b6be 100644 (file)
--- a/WEB-INF/lib/ttUser.class.php
+++ b/WEB-INF/lib/ttUser.class.php
@@ -298,6 +298,25 @@ class ttUser {
     return $user_list;
   }
 
+  // getUser function is used to manage users in group and returns user details.
+  // At the moment, the function is used for user edits and deletes.
+  function getUser($user_id) {
+    if (!$this->can('manage_users')) return false;
+
+    $mdb2 = getConnection();
+
+    $sql =  "select u.id, u.name, u.login, u.role_id, u.status, u.rate, u.email, r.rank from tt_users u".
+            " left join tt_roles r on (u.role_id = r.id)".
+            " where u.id = $user_id and u.team_id = $this->team_id and u.status is not null".
+            " and (r.rank < $this->rank or (r.rank = $this->rank and u.id = $this->id))"; // Users with lesser roles or self.
+    $res = $mdb2->query($sql);
+    if (!is_a($res, 'PEAR_Error')) {
+      $val = $res->fetchRow();
+      return $val;
+    }
+    return false;
+  }
+
   // checkBehalfId checks whether behalf_id is appropriate.
   // On behalf user must be active and have lower rank.
   function checkBehalfId() {

diff --git a/WEB-INF/lib/ttUserHelper.class.php b/WEB-INF/lib/ttUserHelper.class.php
index 583049bd75d3270d3cad4a4595f14dd9950e048a..31c7bde4d3fa41d6c9824aa0bea6594631bd42fb 100644 (file)
--- a/WEB-INF/lib/ttUserHelper.class.php
+++ b/WEB-INF/lib/ttUserHelper.class.php
@@ -31,21 +31,6 @@ import('ttTeamHelper');
 // Class ttUserHelper contains helper functions for operations with users.
 class ttUserHelper {
 
-  // The getUserDetails function returns user details.
-  static function getUserDetails($user_id) {
-    global $user;
-    $mdb2 = getConnection();
-
-    $sql =  "select u.*, r.rank from tt_users u left join tt_roles r on (u.role_id = r.id) where u.id = $user_id and u.team_id = $user->team_id and u.status is not null";
-    $res = $mdb2->query($sql);
-
-    if (!is_a($res, 'PEAR_Error')) {
-      $val = $res->fetchRow();
-      return $val;
-    }
-    return false;
-  }
-
   // The getUserName function returns user name.
   static function getUserName($user_id) {
     $mdb2 = getConnection();

diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl
index 77e160e9b226eca8ff5bbaf66213144daa0a1294..851570f352ef1f71ebb52c7d00e21a401aa869cf 100644 (file)
--- a/WEB-INF/templates/footer.tpl
+++ b/WEB-INF/templates/footer.tpl
@@ -12,7 +12,7 @@
       <br>
       <table cellspacing="0" cellpadding="4" width="100%" border="0">
         <tr>
-          <td align="center">&nbsp;Anuko Time Tracker 1.17.72.4171 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
+          <td align="center">&nbsp;Anuko Time Tracker 1.17.72.4172 | Copyright &copy; <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
             <a href="https://www.anuko.com/lp/tt_4.htm" target="_blank">{$i18n.footer.credits}</a> |
             <a href="https://www.anuko.com/lp/tt_5.htm" target="_blank">{$i18n.footer.license}</a> |
             <a href="https://www.anuko.com/lp/tt_7.htm" target="_blank">{$i18n.footer.improve}</a>

diff --git a/mobile/user_delete.php b/mobile/user_delete.php
index 0e045d018cce25297bea52e67cb449b5332c5e70..4c9aad878cc3cab3b5aea5b36d9620da25e27f11 100644 (file)
--- a/mobile/user_delete.php
+++ b/mobile/user_delete.php
@@ -35,22 +35,13 @@ if (!ttAccessAllowed('manage_users')) {
   header('Location: access_denied.php');
   exit();
 }
-
-// Get user id we are deleting from the request.
-// A cast to int is for safety against manipulation of request parameter (sql injection). 
 $user_id = (int) $request->getParameter('id');
-
-// We need user name and login to display.
-$user_details = ttUserHelper::getUserDetails($user_id);
-
-// Security checks.
-if (!$user_details || // No details.
-     $user_details['rank'] > $user->rank || // User has a bigger rank.
-     ($user_details['rank'] == $user->rank && $user_details['id'] <> $user->id) // Same rank but not us.
-   ) {
+$user_details = $user->getUser($user_id);
+if (!$user_details) {
   header('Location: access_denied.php');
   exit();
 }
+// End of access checks.
 
 $smarty->assign('user_to_delete', $user_details['name']." (".$user_details['login'].")");
 

diff --git a/mobile/user_edit.php b/mobile/user_edit.php
index 49781226175593655bbef6229f64fa66ba5c36f1..3baaf1e93dd0c4f893aa71bced5859f65d3540e7 100644 (file)
--- a/mobile/user_edit.php
+++ b/mobile/user_edit.php
@@ -39,20 +39,13 @@ if (!ttAccessAllowed('manage_users')) {
   header('Location: access_denied.php');
   exit();
 }
-
-// Get user id we are editing from the request.
 $user_id = (int) $request->getParameter('id');
-// Get user details.
-$user_details = ttUserHelper::getUserDetails($user_id);
-
-// Security checks.
-if (!$user_details || // No details.
-     $user_details['rank'] > $user->rank || // User has a bigger rank.
-     ($user_details['rank'] == $user->rank && $user_details['id'] <> $user->id) // Same rank but not us.
-   ) {
+$user_details = $user->getUser($user_id);
+if (!$user_details) {
   header('Location: access_denied.php');
   exit();
 }
+// End of access checks.
 
 if ($user->isPluginEnabled('cl'))
   $clients = ttTeamHelper::getActiveClients($user->team_id);

diff --git a/user_delete.php b/user_delete.php
index b8ec5e9add3fafd9d02eab22684bc414455d1711..d06463b8a68fd24d980be546e5a2c190d0ddea5b 100644 (file)
--- a/user_delete.php
+++ b/user_delete.php
@@ -35,15 +35,9 @@ if (!ttAccessAllowed('manage_users')) {
   header('Location: access_denied.php');
   exit();
 }
-// Get user id we are deleting.
-// A cast to int is for safety against manipulation of request parameter (sql injection). 
 $user_id = (int) $request->getParameter('id');
-// We need user name and login to display.
-$user_details = ttUserHelper::getUserDetails($user_id);
-if (!$user_details || // No details.
-     $user_details['rank'] > $user->rank || // User has a bigger rank.
-     ($user_details['rank'] == $user->rank && $user_details['id'] <> $user->id) // Same rank but not us.
-   ) {
+$user_details = $user->getUser($user_id);
+if (!$user_details) {
   header('Location: access_denied.php');
   exit();
 }

diff --git a/user_edit.php b/user_edit.php
index 5ceac373e91140f876568345a0f50b3db10e6c97..8f588db97594d19c98305e72bec90bba7b4890f6 100644 (file)
--- a/user_edit.php
+++ b/user_edit.php
@@ -40,14 +40,9 @@ if (!ttAccessAllowed('manage_users')) {
   header('Location: access_denied.php');
   exit();
 }
-// Get user id we are editing from the request.
 $user_id = (int) $request->getParameter('id');
-// Get user details.
-$user_details = ttUserHelper::getUserDetails($user_id);
-if (!$user_details || // No details.
-     $user_details['rank'] > $user->rank || // User has a bigger rank.
-     ($user_details['rank'] == $user->rank && $user_details['id'] <> $user->id) // Same rank but not us.
-   ) {
+$user_details = $user->getUser($user_id);
+if (!$user_details) {
   header('Location: access_denied.php');
   exit();
 }