project-open / intranet-hr / Commits / e40bb77c

Commit e40bb77c authored Jul 06, 2006 by Frank Bergmann
- fixed security bug in intranet-hr/new, allowing less privileged users to see and edit HR information
parent 0efaf6cc

Showing 1 changed file with 6 additions and 13 deletions

www/new.tcl (+6, -13)
@@ -12,7 +12,7 @@ ad_page_contract {
@author frank.bergmann@project-open.com
}
{
{
employee_id:integer,optional
}
employee_id:integer
{
return_url
"/intranet-hr/index"
}
edit_p:optional
message:optional
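Review bot: dropping `,optional` from `employee_id:integer` makes `ad_page_contract` reject any request to `/intranet-hr/new` that arrives without an employee id, which is what allows the page to check permissions against a specific employee further down; please confirm that no existing link or form posts to this page without `employee_id` (the old `else` path that tolerated its absence is removed in this commit), and mention the changed contract in the commit message, since it is a visible behaviour change for callers.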
@@ -30,25 +30,18 @@ set today [db_string birthday_today "select to_char(sysdate,'YYYY-MM-DD') from d
set
date_format
"YYYY-MM-DD"
set
end_century
"2099-12-31"
set
internal_id
[
im_company_internal
]
if
{
!
[
im_permission
$user
_id view_users
]}
{
ad_return_complaint 1
"
[
_ intranet-hr.lt_You_have_insufficient
]
"
return
}
set
action_url
"/intranet-hr/new"
set
focus
"cost.var_name"
set
employee_name
""
set
form_mode
"edit"
if
{[
info
exists employee_id
]}
{
set employee_name
[
db_string employee_name
"select im_name_from_user_id(:employee_id) from dual"
]
ns_log Notice
"/intranet-hr/new/: employee_id=
$employee
_id"
}
else
{
ns_log Notice
"/intranet-hr/new/: employee_id doesn't exist"
im_user_permissions
$user
_id
$employee
_id view read write admin
if
{
!$write || !
[
im_permission
$user
_id view_hr
]}
{
ad_return_complaint 1
"
[
_ intranet-hr.lt_You_have_insufficient
]
"
return
}
set
employee_name
[
db_string employee_name
"select im_name_from_user_id(:employee_id) from dual"
]
set
page_title
"
[
_ intranet-hr.lt_Employee_Information_
]
"
set
context
[
im_context_bar
$page
_title
]
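Review bot: the new gate `if {!$write || ![im_permission $user_id view_hr]}` runs before the `employee_name` lookup and requires both write access on that specific employee (from `im_user_permissions $user_id $employee_id view read write admin`) and the `view_hr` privilege, which is the right order and the right direction for the fix described in the commit message; the `view_users` check kept above it is now strictly weaker and its `ad_return_complaint` block duplicates the new one, so consider merging the two into a single check so there is one place to audit. The removed `else` branch also took away the only `ns_log Notice` for a missing `employee_id`; that case is now an `ad_page_contract` error, which is fine but worth a word in the commit message.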