- fixed security for showing timesheet information on projects

a40fa4f7 · Frank Bergmann · 6388f7d1 · a40fa4f7 · a40fa4f7 · a40fa4f7
Commit a40fa4f7 authored Oct 08, 2007 by Frank Bergmann
Hide whitespace changes
Inline Side-by-side

Showing with 31 additions and 8 deletions

intranet-timesheet2-procs.tcl tcl/intranet-timesheet2-procs.tcl +3 -1

full.tcl www/hours/full.tcl +16 -7

one-project.tcl www/hours/one-project.tcl +12 -0

No files found.
--- a/tcl/intranet-timesheet2-procs.tcl
+++ b/tcl/intranet-timesheet2-procs.tcl
@@ -258,6 +258,8 @@ ad_proc -public im_timesheet_project_component {user_id project_id} {
 	set return_url "[ad_conn url]?[ad_conn query]"
    }

+    set view_ours_all_p [im_permission $user_id "view_hours_all"]
+
    # disable the component for users who can neither see stuff nor add stuff
    set add_hours [im_permission $user_id "add_hours"]
    set view_hours_all [im_permission $user_id "add_hours"]
@@ -267,7 +269,7 @@ ad_proc -public im_timesheet_project_component {user_id project_id} {
    set info_html ""

    # fraber 2007-01-31: Admin doesn't make sense.
-    if {$write} {
+    if {$read && $view_ours_all_p} {
        set total_hours [im_timesheet_hours_sum -project_id $project_id]
 	set total_hours_str "[util_commify_number $total_hours]"
        set info_html "[_ intranet-timesheet2.lt_A_total_of_total_hour]"

--- a/www/hours/full.tcl
+++ b/www/hours/full.tcl
@@ -29,18 +29,27 @@ ad_page_contract {
    { item "" }
 }

-set caller_id [ad_maybe_redirect_for_registration]
-set return_url [im_url_with_query]
+
+set current_user_id [ad_maybe_redirect_for_registration]

 # Has the current user the right to edit all timesheet information?
-set edit_timesheet_p [im_permission $caller_id "edit_hours_all"]
+set edit_timesheet_p [im_permission $current_user_id "edit_hours_all"]
+set view_ours_all_p [im_permission $current_user_id "view_hours_all"]
+set view_finance_p [im_permission $current_user_id "view_finance"]
+

+if {!$view_ours_all_p} {
+    ad_return_complaint 1 "<li>[_ intranet-core.lt_You_have_insufficient_6]"
+    ad_script_abort
+}
+
+set return_url [im_url_with_query]

-if { [empty_string_p $user_id] && ($caller_id != 0) } {
+if { [empty_string_p $user_id] && ($current_user_id != 0) } {
    set looking_at_self_p 1
-    set user_id $caller_id
+    set user_id $current_user_id
 } else {
-    if {$caller_id == $user_id} {
+    if {$current_user_id == $user_id} {
        set looking_at_self_p 1
    } else {
        set looking_at_self_p 0
@@ -108,7 +117,7 @@ db_foreach hours_on_project $sql {

    set total_hours_on_project [expr $total_hours_on_project + $hours]

-    if ![empty_string_p $amount_earned] {
+    if {$view_finance_p && ![empty_string_p $amount_earned]} {
        append page_body " (@ \$[format %4.2f $billing_rate]/hour = \$[format %4.2f $amount_earned])"
        set hourly_bill [expr $hourly_bill + $amount_earned]
        set total_hours_billed_hourly [expr $total_hours_billed_hourly + $hours]

--- a/www/hours/one-project.tcl
+++ b/www/hours/one-project.tcl
@@ -28,6 +28,14 @@ ad_page_contract {
 }


+set current_user_id [ad_maybe_redirect_for_registration]
+set view_ours_all_p [im_permission $current_user_id "view_hours_all"]
+if {!$view_ours_all_p} { 
+    ad_return_complaint 1 "<li>[_ intranet-core.lt_You_have_insufficient_6]"
+    ad_script_abort
+}
+
+
 set show_notes_p 1

 set page_title "[_ intranet-timesheet2.Units]"
@@ -41,6 +49,10 @@ set page_body "
 <ul>
 "

+
+
+
+
 set sql "
 	select 
 		u.user_id,