Commit 6cad2ac1 authored by Regis Houssin's avatar Regis Houssin

Works on enhancement of project tasks

Fix: security check
parent 6d675fc8
...@@ -270,6 +270,8 @@ else ...@@ -270,6 +270,8 @@ else
$tasksarray=$task->getTasksArray(0, 0, $project->id, $socid, 0); $tasksarray=$task->getTasksArray(0, 0, $project->id, $socid, 0);
// We load also tasks limited to a particular user // We load also tasks limited to a particular user
$tasksrole=($_REQUEST["mode"]=='mine' ? $task->getUserRolesForProjectsOrTasks(0,$user,$project->id,0) : ''); $tasksrole=($_REQUEST["mode"]=='mine' ? $task->getUserRolesForProjectsOrTasks(0,$user,$project->id,0) : '');
//var_dump($tasksarray);
//var_dump($tasksrole);
print '<table class="noborder" width="100%">'; print '<table class="noborder" width="100%">';
print '<tr class="liste_titre">'; print '<tr class="liste_titre">';
......
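Review bot: The two lines added on the new side, `//var_dump($tasksarray);` and `//var_dump($tasksrole);`, are commented-out debugging calls and should not land in the commit; delete them rather than leaving them as comments, since the next person to uncomment them dumps task and role data straight into the page output. The enclosing else block starts and ends outside the hunk.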
...@@ -442,11 +442,12 @@ class Task extends CommonObject ...@@ -442,11 +442,12 @@ class Task extends CommonObject
//print $usert.'-'.$userp.'-'.$projectid.'-'.$socid.'-'.$mode.'<br>'; //print $usert.'-'.$userp.'-'.$projectid.'-'.$socid.'-'.$mode.'<br>';
// List of tasks (does not care about permissions. Filtering will be done later) // List of tasks (does not care about permissions. Filtering will be done later)
$sql = "SELECT p.rowid as projectid, p.ref, p.title as plabel, p.public,"; $sql = "SELECT p.rowid as projectid, p.ref, p.title as plabel, p.public";
$sql.= " t.rowid, t.label, t.fk_task_parent, t.duration_effective"; $sql.= ", t.rowid as taskid, t.label, t.fk_task_parent, t.duration_effective";
if ($mode == 0) if ($mode == 0)
{ {
$sql.= " FROM (".MAIN_DB_PREFIX."projet as p, ".MAIN_DB_PREFIX."projet_task as t)"; $sql.= " FROM ".MAIN_DB_PREFIX."projet as p";
$sql.= ", ".MAIN_DB_PREFIX."projet_task as t";
$sql.= " WHERE t.fk_projet = p.rowid"; $sql.= " WHERE t.fk_projet = p.rowid";
$sql.= " AND p.entity = ".$conf->entity; $sql.= " AND p.entity = ".$conf->entity;
if ($socid) $sql.= " AND p.fk_soc = ".$socid; if ($socid) $sql.= " AND p.fk_soc = ".$socid;
...@@ -476,9 +477,9 @@ class Task extends CommonObject ...@@ -476,9 +477,9 @@ class Task extends CommonObject
$obj = $this->db->fetch_object($resql); $obj = $this->db->fetch_object($resql);
if ((! $obj->public) && ($userp || $usert)) // If not public and we ask a filter on user if ((! $obj->public) && (is_object($userp) || is_object($usert))) // If not public and we ask a filter on user
{ {
if (! $this->getUserRolesForProjectsOrTasks($userp, $usert, $obj->projectid, $obj->rowid)) if (! $this->getUserRolesForProjectsOrTasks($userp, $usert, $obj->projectid, $obj->taskid))
{ {
$error++; $error++;
} }
...@@ -486,7 +487,7 @@ class Task extends CommonObject ...@@ -486,7 +487,7 @@ class Task extends CommonObject
if (! $error) if (! $error)
{ {
$tasks[$i]->id = $obj->rowid; $tasks[$i]->id = $obj->taskid;
$tasks[$i]->projectid = $obj->projectid; $tasks[$i]->projectid = $obj->projectid;
$tasks[$i]->projectref = $obj->ref; $tasks[$i]->projectref = $obj->ref;
$tasks[$i]->projectlabel = $obj->plabel; $tasks[$i]->projectlabel = $obj->plabel;
...@@ -542,8 +543,8 @@ class Task extends CommonObject ...@@ -542,8 +543,8 @@ class Task extends CommonObject
$sql.= " AND ec.statut = 4"; $sql.= " AND ec.statut = 4";
if ($projectid) if ($projectid)
{ {
if ($userp) $sql.= " AND pt.fk_projet = ".$projectid; if ($userp || $usert) $sql.= " AND pt.fk_projet = ".$projectid;
if ($usert) $sql.= " AND pt.rowid = ".$taskid; //if ($usert) $sql.= " AND pt.rowid = ".$taskid;
} }
if ($taskid) if ($taskid)
{ {
......
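Review bot: The new guard on the row filter, `(is_object($userp) || is_object($usert))`, makes the permission check fail open: when either argument is truthy but not an object (a user id, for instance), the old code still called getUserRolesForProjectsOrTasks while the new code skips the call and returns the non-public task unfiltered. Keep the outer test on truthiness and reject a malformed filter instead, e.g. `if ((! $obj->public) && ($userp || $usert))` followed by `if ((! is_object($userp) && ! is_object($usert)) || ! $this->getUserRolesForProjectsOrTasks($userp, $usert, $obj->projectid, $obj->taskid)) $error++;`, so a bad argument yields no rows rather than all rows. In the last hunk, `if ($userp || $usert) $sql.= " AND pt.fk_projet = ".$projectid;` interpolates `$projectid` into the SQL string unchanged; appending `.(int) $projectid` there (and the same cast for `$taskid` in the following branch) pins the type regardless of caller, and the commented-out `//if ($usert) $sql.= " AND pt.rowid = ".$taskid;` should be deleted rather than kept as dead text. The enclosing methods (presumably getTasksArray and getUserRolesForProjectsOrTasks) start and end outside these hunks.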