From 3a2f44adaca76269c8883461e554e1c27deb377d Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Fri, 13 Jan 2017 13:43:09 +0100
Subject: [PATCH] Fix security permissions to edit/delete time spent
---
 htdocs/projet/tasks/time.php | 33 ++++++++++++++++++++-------------
 1 file changed, 20 insertions(+), 13 deletions(-)
diff --git a/htdocs/projet/tasks/time.php b/htdocs/projet/tasks/time.php
index f6da55731fc..aa572966321 100644
--- a/htdocs/projet/tasks/time.php
+++ b/htdocs/projet/tasks/time.php
@@ -128,7 +128,7 @@ if ($action == 'addtimespent' && $user->rights->projet->lire)
 }
 }
-if ($action == 'updateline' && ! $_POST["cancel"] && $user->rights->projet->creer)
+if ($action == 'updateline' && ! $_POST["cancel"] && $user->rights->projet->lire)
 {
 $error=0;
@@ -141,7 +141,8 @@ if ($action == 'updateline' && ! $_POST["cancel"] && $user->rights->projet->cree
 if (! $error)
 {
 $object->fetch($id, $ref);
-
+ // TODO Check that ($task_time->fk_user == $user->id || in_array($task_time->fk_user, $childids))
+
 $object->timespent_id = $_POST["lineid"];
 $object->timespent_note = $_POST["timespent_note_line"];
 $object->timespent_old_duration = $_POST["old_duration"];
@@ -175,9 +176,10 @@ if ($action == 'updateline' && ! $_POST["cancel"] && $user->rights->projet->cree
 }
 }
-if ($action == 'confirm_delete' && $confirm == "yes" && $user->rights->projet->creer)
+if ($action == 'confirm_delete' && $confirm == "yes" && $user->rights->projet->lire)
 {
 $object->fetchTimeSpent($_GET['lineid']);
+ // TODO Check that ($task_time->fk_user == $user->id || in_array($task_time->fk_user, $childids))
 $result = $object->delTimeSpent($user);
 if ($result < 0)
@@ -585,6 +587,8 @@ if (($id > 0 || ! empty($ref)) || $projectidforalltimes > 0)
 $tasktmp = new Task($db);
+ $childids = $user->getAllChildIds();
+
 $total = 0;
 $totalvalue = 0;
 foreach ($tasks as $task_time)
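Review bot: Lowering the gate on the `updateline` and `confirm_delete` handlers from `$user->rights->projet->creer` to `$user->rights->projet->lire` (first and third hunks) means, as far as these hunks show, that any user with project read rights can submit those actions for an arbitrary `lineid`, because the `fk_user` ownership test is applied only where the edit/delete links are rendered and the handlers still run without it. The two TODO comments (second and third hunks) mark exactly where the check is missing, so the UI-side filtering does not close the gap; the ownership condition has to be evaluated in both handlers before the line's fields are assigned from `$_POST` and before `$object->delTimeSpent($user)` is called, using whatever user id `fetchTimeSpent` loads for the line rather than `$task_time`, which is the listing loop variable and is not set at that point. `$childids` is likewise only assigned in the listing section (fourth hunk, `$childids = $user->getAllChildIds();`, around line 590), which comes after the handlers at lines 131 and 179 in this top-to-bottom script, so it needs to be computed before the action block for the TODO to be implementable. Each `if ($action == ...)` block continues outside its hunk.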
@@ -688,17 +692,20 @@ if (($id > 0 || ! empty($ref)) || $projectidforalltimes > 0)
 print '<br>';
 print '<input type="submit" class="button" name="cancel" value="'.$langs->trans('Cancel').'">';
 }
- else if ($user->rights->projet->creer)
+ else if ($user->rights->projet->lire) // Read project and enter time consumed on assigned tasks
 {
- print ' ';
- print '<a href="'.$_SERVER["PHP_SELF"].'?'.($projectidforalltimes?'projectid='.$projectidforalltimes.'&':'').'id='.$task_time->fk_task.'&action=editline&lineid='.$task_time->rowid.($withproject?'&withproject=1':'').'">';
- print img_edit();
- print '</a>';
-
- print ' ';
- print '<a href="'.$_SERVER["PHP_SELF"].'?'.($projectidforalltimes?'projectid='.$projectidforalltimes.'&':'').'id='.$task_time->fk_task.'&action=deleteline&lineid='.$task_time->rowid.($withproject?'&withproject=1':'').'">';
- print img_delete();
- print '</a>';
+ if ($task_time->fk_user == $user->id || in_array($task_time->fk_user, $childids))
+ {
+ print ' ';
+ print '<a href="'.$_SERVER["PHP_SELF"].'?'.($projectidforalltimes?'projectid='.$projectidforalltimes.'&':'').'id='.$task_time->fk_task.'&action=editline&lineid='.$task_time->rowid.($withproject?'&withproject=1':'').'">';
+ print img_edit();
+ print '</a>';
+
+ print ' ';
+ print '<a href="'.$_SERVER["PHP_SELF"].'?'.($projectidforalltimes?'projectid='.$projectidforalltimes.'&':'').'id='.$task_time->fk_task.'&action=deleteline&lineid='.$task_time->rowid.($withproject?'&withproject=1':'').'">';
+ print img_delete();
+ print '</a>';
+ }
 }
 print '</td>';
--
GitLab
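Review bot: The ownership test `$task_time->fk_user == $user->id || in_array($task_time->fk_user, $childids)` added around the link output only decides whether the edit and delete anchors are printed; nothing in this patch enforces it in the `updateline`/`confirm_delete` handlers that those links target, so this block must not be read as the access control. Because the same predicate is already spelled out verbatim in the two TODO comments earlier in the patch, it is worth binding it once per row, `$canEditLine = ($task_time->fk_user == $user->id || in_array($task_time->fk_user, $childids));`, so the display gate and the eventual server-side check cannot drift apart. The trailing comment `// Read project and enter time consumed on assigned tasks` explains the `lire` right but not why read rights are enough to show edit/delete links; `// display only: the action handlers must re-check ownership of the line` would tell the next reader what is and is not guaranteed here. The `foreach ($tasks as $task_time)` loop and the enclosing `if`/`else if` chain begin outside this hunk.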