- Fixed expense permission issue

9db56994 · Frank Bergmann · 57625d51 · 9db56994 · 9db56994 · 9db56994
Commit 9db56994 authored Apr 15, 2017 by Frank Bergmann
6 changed files
--- a/tcl/intranet-expenses-procs.tcl
+++ b/tcl/intranet-expenses-procs.tcl
@@ -52,6 +52,37 @@ ad_proc -public im_expense_bundle_permissions {user_id bundle_id view_var read_v
    im_cost_permissions $user_id $bundle_id view read write admin
 }

+
+ad_proc -public im_expense_permissions {user_id expense_id view_var read_var write_var admin_var} {
+    Fill the "by-reference" variables read, write and admin
+    with the permissions of $user_id on $expense_id.<br>
+    Basically, users can only see and modify their own expenses.
+} {
+    upvar $view_var view
+    upvar $read_var read
+    upvar $write_var write
+    upvar $admin_var admin
+
+    set user_admin_p [im_is_user_site_wide_or_intranet_admin $user_id]
+
+    # Get expense information
+    set provider_id [util_memoize [list db_string expense_info "select provider_id from	im_costs where cost_id=$expense_id" -default 0] 3600]
+
+    if {$user_admin_p || ($user_id eq $provider_id)} {
+	set view_p 1
+	set read_p 1
+	set write_p 1
+	set admin_p 1
+    } else {
+	set view_p 0
+	set read_p 0
+	set write_p 0
+	set admin_p 0
+    }
+
+}
+
+
 # ----------------------------------------------------------------------
 # Sum up multiple Expense Items for a single Bundle
 # ----------------------------------------------------------------------
@@ -221,6 +252,7 @@ ad_proc im_expense_bundle_new_page_wf_perm_modify_included_expenses {
    set perm_set [im_workflow_object_permissions -object_id $bundle_id -perm_table $perm_table]
    return [expr {[lsearch $perm_set "w"] > -1}]
 }
+
 ad_proc im_expense_bundle_new_page_wf_perm_edit_button {
    -bundle_id:required
 } {

--- a/www/bundle-create.tcl
+++ b/www/bundle-create.tcl
@@ -19,6 +19,7 @@ ad_page_contract {
    { user_id_from_search "" }
 }

+
 # ---------------------------------------------------------------
 # Defaults & Security
 # ---------------------------------------------------------------
@@ -41,13 +42,35 @@ if {"" == $user_id_from_search || !$add_hours_all_p} { set user_id_from_search $
 #    ad_script_abort
 # }

-# Add a "0" expense to avoid syntax error if the list was empty.
-lappend epense_id 0
+
+# ---------------------------------------------------------------
+# Check security
+# ---------------------------------------------------------------
+
+set debug_html ""
+foreach id $expense_id {
+    set view_p 0
+    set read_p 0
+    set write_p 0
+    set admin_p 0
+    im_expense_permissions $current_user_id $id view_p read_p write_p admin_p
+    if {!$write_p} {
+	append debug_html "<li>You don't have permissions to bundle expense item #$id"
+    }
+}
+if {"" ne $debug_html} {
+    ad_return_complaint 1 "<b>Creating Expense Bundles</b>:<br><ul>$debug_html</ul>"
+    ad_script_abort
+}
+

 # ---------------------------------------------------------------
 # Sum up the expenses
 # ---------------------------------------------------------------

+# Add a "0" expense to avoid syntax error if the list was empty.
+lappend expense_id 0
+
 array set hash [im_expense_bundle_item_sum -user_id_from_search $user_id_from_search -expense_ids $expense_id]

 set common_project_id $hash(common_project_id)

--- a/www/classify-costs-2.tcl
+++ b/www/classify-costs-2.tcl
@@ -42,6 +42,30 @@ if {!$add_expense_bundles_p} {
 lappend epense_ids 0


+
+
+# ---------------------------------------------------------------
+# Check security
+# ---------------------------------------------------------------
+
+set debug_html ""
+foreach id $expense_ids {
+    set view_p 0
+    set read_p 0
+    set write_p 0
+    set admin_p 0
+    im_expense_permissions $current_user_id $id view_p read_p write_p admin_p
+    if {!$write_p} {
+	append debug_html "<li>You don't have permissions to modify expense item #$id"
+    }
+}
+if {"" ne $debug_html} {
+    ad_return_complaint 1 "<b>Classifying Expenses</b>:<br><ul>$debug_html</ul>"
+    ad_script_abort
+}
+
+
+
 # ---------------------------------------------------------------
 # assign items to project
 # ---------------------------------------------------------------

--- a/www/classify-costs.tcl
+++ b/www/classify-costs.tcl
@@ -40,11 +40,27 @@ set percent_format "FM999"
 # List of expense_ids
 # ---------------------------------------------------------------

+set debug_html ""
 set expense_ids_html ""
 foreach id $expense_id {
    append expense_ids_html "<input type=hidden name=expense_ids value=$id>\n"
+
+    set view_p 0
+    set read_p 0
+    set write_p 0
+    set admin_p 0
+    im_expense_permissions $current_user_id $id view_p read_p write_p admin_p
+    if {!$write_p} {
+	append debug_html "<li>You don't have permissions to modify expense item #$id"
+    }
 }

+if {"" ne $debug_html} {
+    ad_return_complaint 1 "<b>Classifying Expense Items</b>:<br><ul>$debug_html</ul>"
+    ad_script_abort
+}
+
+

 # ---------------------------------------------------------------
 # Expenses info

--- a/www/expense-del.tcl
+++ b/www/expense-del.tcl
@@ -29,15 +29,29 @@ set user_id [auth::require_login]
 set current_user_id $user_id
 set user_admin_p [im_is_user_site_wide_or_intranet_admin $current_user_id]

+set debug_html ""
 foreach id $expense_id {
-    
-    # Audit the action
-    im_audit -object_type im_expense -action before_nuke -object_id $id
-
-    # delete expense
-    db_transaction {
-	db_string del_expense {}
+    set view_p 0
+    set read_p 0
+    set write_p 0
+    set admin_p 0
+
+    im_expense_permissions $current_user_id $id view_p read_p write_p admin_p
+    if {$write_p} {
+	# Audit the action
+	im_audit -object_type im_expense -action before_nuke -object_id $id
+
+	# delete expense
+	db_transaction {
+	    db_string del_expense {}
+	}
+    } else {
+	append debug_html "<li>You don't have permissions to delete expense item #$id"
    }
 }

-ad_returnredirect $return_url
+if {"" ne $debug_html} {
+    ad_return_complaint 1 "<b>Deleting Expenses</b>:<br><ul>$debug_html</ul>"
+} else {
+    ad_returnredirect $return_url
+}
--- a/www/index.tcl
+++ b/www/index.tcl
@@ -127,16 +127,9 @@ set bulk_action_list [list]

 if {$add_expense_p} {
    append admin_links "<li><a href=\"[export_vars -base new { project_id user_id_from_search return_url}]\">[lang::message::lookup "" intranet-expenses.Add_a_new_Expense_Item "Add new Expense Item"]</a></li>\n"
-    # lappend action_list [lang::message::lookup "" intranet-expenses.Add_one_new_Expense_Item "Add one new Expense Item"]
-    # lappend action_list [export_vars -base "/intranet-expenses/new" {return_url user_id_from_search project_id}]
-    # lappend action_list [lang::message::lookup "" intranet-expenses.Add_one_new_Expense_Item "Add one new Expense Item"]
    if {$multiple_expense_items_enabled_p} {
-	#lappend action_list [lang::message::lookup "" intranet-expenses.Add_multiple_new_Expense_Items "Add multiple new Expense Items"]
-	#lappend action_list [export_vars -base "/intranet-expenses/new-multiple" {return_url user_id_from_search project_id}]
-	#lappend action_list [lang::message::lookup "" intranet-expenses.Add_multiple_new_Expense_Items "Add multiplen new Expense Item"]
-	append admin_links "<li><a href=\"/intranet-expenses/new-multiple\">[lang::message::lookup "" intranet-expenses.Add_multiple_new_Expense_Items "Add multiple new Expense Items"]</a></li>\n"
+	append admin_links "<li><a href=\"[export_vars -base "/intranet-expenses/new-multiple" {project_id user_id_from_search return_url}]\">[lang::message::lookup "" intranet-expenses.Add_multiple_new_Expense_Items "Add multiple new Expense Items"]</a></li>\n"
    }
-
    lappend bulk_action_list "[_ intranet-expenses.Delete]" "expense-del" "[_ intranet-expenses.Delete]"
 }