lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix security permissions to edit/delete time spent

Browse Source
This commit is contained in:
Laurent Destailleur 2017-01-13 13:43:09 +01:00
parent 380b61a0e9
commit 3a2f44adac
1 changed files with 20 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
htdocs/projet/tasks/time.php
View File

@ -128,7 +128,7 @@ if ($action == 'addtimespent' && $user->rights->projet->lire)
}
}
if ($action == 'updateline' && ! $_POST["cancel"] && $user->rights->projet->creer)
if ($action == 'updateline' && ! $_POST["cancel"] && $user->rights->projet->lire)
{
$error=0;
@ -141,7 +141,8 @@ if ($action == 'updateline' && ! $_POST["cancel"] && $user->rights->projet->cree
if (! $error)
{
$object->fetch($id, $ref);
// TODO Check that ($task_time->fk_user == $user->id || in_array($task_time->fk_user, $childids))
$object->timespent_id = $_POST["lineid"];
$object->timespent_note = $_POST["timespent_note_line"];
$object->timespent_old_duration = $_POST["old_duration"];
@ -175,9 +176,10 @@ if ($action == 'updateline' && ! $_POST["cancel"] && $user->rights->projet->cree
}
}
if ($action == 'confirm_delete' && $confirm == "yes" && $user->rights->projet->creer)
if ($action == 'confirm_delete' && $confirm == "yes" && $user->rights->projet->lire)
{
$object->fetchTimeSpent($_GET['lineid']);
// TODO Check that ($task_time->fk_user == $user->id || in_array($task_time->fk_user, $childids))
$result = $object->delTimeSpent($user);
if ($result < 0)
@ -585,6 +587,8 @@ if (($id > 0 || ! empty($ref)) || $projectidforalltimes > 0)
$tasktmp = new Task($db);
$childids = $user->getAllChildIds();
$total = 0;
$totalvalue = 0;
foreach ($tasks as $task_time)
@ -688,17 +692,20 @@ if (($id > 0 || ! empty($ref)) || $projectidforalltimes > 0)
print '<br>';
print '<input type="submit" class="button" name="cancel" value="'.$langs->trans('Cancel').'">';
}
else if ($user->rights->projet->creer)
else if ($user->rights->projet->lire) // Read project and enter time consumed on assigned tasks
{
print '&nbsp;';
print '<a href="'.$_SERVER["PHP_SELF"].'?'.($projectidforalltimes?'projectid='.$projectidforalltimes.'&amp;':'').'id='.$task_time->fk_task.'&amp;action=editline&amp;lineid='.$task_time->rowid.($withproject?'&amp;withproject=1':'').'">';
print img_edit();
print '</a>';
print '&nbsp;';
print '<a href="'.$_SERVER["PHP_SELF"].'?'.($projectidforalltimes?'projectid='.$projectidforalltimes.'&amp;':'').'id='.$task_time->fk_task.'&amp;action=deleteline&amp;lineid='.$task_time->rowid.($withproject?'&amp;withproject=1':'').'">';
print img_delete();
print '</a>';
if ($task_time->fk_user == $user->id || in_array($task_time->fk_user, $childids))
{
print '&nbsp;';
print '<a href="'.$_SERVER["PHP_SELF"].'?'.($projectidforalltimes?'projectid='.$projectidforalltimes.'&amp;':'').'id='.$task_time->fk_task.'&amp;action=editline&amp;lineid='.$task_time->rowid.($withproject?'&amp;withproject=1':'').'">';
print img_edit();
print '</a>';
print '&nbsp;';
print '<a href="'.$_SERVER["PHP_SELF"].'?'.($projectidforalltimes?'projectid='.$projectidforalltimes.'&amp;':'').'id='.$task_time->fk_task.'&amp;action=deleteline&amp;lineid='.$task_time->rowid.($withproject?'&amp;withproject=1':'').'">';
print img_delete();
print '</a>';
}
}
print '</td>';