Commit 07d054c5 authored by Jean-Paul Saman's avatar Jean-Paul Saman

Implemented access control for users that are not allowed to delete timesheets...

Implemented access control for users that are not allowed to delete timesheets when created. It is now assumed that only the admin will assign delete rights to the people who need them. Be careful: the users filter box is also hooked up to these access rights. Once granted delete rights, a user can delete timesheets belonging to someone else.

This should be fixed in future. Currently I do not know how to fix this.
parent 62f685f0
<?php
$perms =& $AppUI->acl();
// Create new timesheet or edit an existing one.
$timesheet_id = intval( dPgetParam( $_GET, "timesheet_id", 0 ) );
......@@ -7,6 +9,7 @@ $canEdit = !getDenyEdit( $m, $timesheet_id );
if (!$canEdit) {
$AppUI->redirect( "m=public&a=access_denied" );
}
$canDelete = $perms->checkModule( $m, 'delete' );
// use the object oriented design of dP for loading the timesheet that should be edited
// therefore create a new instance of the Timesheet Class
......@@ -22,17 +25,13 @@ if (!$obj->load( $timesheet_id, false ) && ($timesheet_id > 0) ) {
$AppUI->redirect(); // go back to the calling location
}
// check if this record has dependancies to prevent deletion
$msg = '';
$canDelete = $obj->canDelete( $msg, $timesheet_id );
// setup the title block
// Fill the title block either with 'Edit' or with 'New' depending on
// if timesheet_id has been transmitted via GET or is empty
$ttl = $timesheet_id > 0 ? "Edit Timesheet" : "New Timesheet";
$titleBlock = new CTitleBlock( $ttl, 'timesheet.png', $m, "$m.$a" );
$titleBlock->addCrumb( "?m=timesheet", "view all timesheets" );
if ($canEdit && $timesheet_id > 0) {
if ($canDelete && ($timesheet_id > 0) ) {
$titleBlock->addCrumbDelete( 'delete timesheet', $canDelete, $msg );
}
$titleBlock->show();
......
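Review bot: The ACL result stored by `$canDelete = $perms->checkModule( $m, 'delete' );` near the top of the file is overwritten lower down, where `$canDelete = $obj->canDelete( $msg, $timesheet_id );` reuses the same variable for the dependency check, so the crumb guard `if ($canDelete && ($timesheet_id > 0) )` never sees the permission bit if that assignment is still on the new side (the rendered view does not mark it either way). Keep the two results apart: `$canDeleteAcl = $perms->checkModule( $m, 'delete' );` at the top and `$canDelete = $canDeleteAcl && $obj->canDelete( $msg, $timesheet_id );` after the load, then pass `$canDelete` to `addCrumbDelete`. Hiding the crumb is also not enforcement: the code that actually performs the delete is not part of this commit, and unless it repeats the same `checkModule( $m, 'delete' )` test and redirects to `m=public&a=access_denied`, a user can still submit the delete request by hand. The check is module-wide, so it says nothing about who owns the timesheet, as the commit message already concedes.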
......@@ -2,10 +2,14 @@
// this is the index site for our timesheet module
// it is automatically appended on the applications main ./index.php
// by the dPframework
$perms =& $AppUI->acl();
// we check for permissions on this module
$canRead = !getDenyRead( $m ); // retrieve module-based readPermission bool flag
$canEdit = !getDenyEdit( $m ); // retrieve module-based writePermission bool flag
$canRead = !getDenyRead( $m );
$canEdit = !getDenyEdit( $m );
$canDelete = $perms->checkModule( $m, 'delete' );
// lock out users that do not have at least readPermission on this module
if (!$canRead) {
$AppUI->redirect( "m=public&a=access_denied" );
......
......@@ -24,15 +24,20 @@ if(isset($_REQUEST["user_filter_id"])){
$AppUI->setState("user_filter_id", $_REQUEST["user_filter_id"]);
$user_filter_id = $_REQUEST["user_filter_id"];
} else {
$user_filter_id = $AppUI->getState( 'user_filter_id');
if (! isset($user_filter_id)) {
$user_filter_id = $AppUI->getState('user_filter_id');
if (!isset($user_filter_id)) {
$user_filter_id = $AppUI->user_id;
$AppUI->setState('user_filter_id', $user_filter_id);
}
}
$perms =& $AppUI->acl();
$user_list = array( 0 => $AppUI->_("All", UI_OUTPUT_RAW)) + $perms->getPermittedUsers("timesheet"); // db_loadHashList($sql);
if ($canDelete) {
$user_list = array( 0 => $AppUI->_("All", UI_OUTPUT_RAW)) + $perms->getPermittedUsers("timesheet");
}
else {
$user_list = array( ) + $perms->getPermittedUsers("timesheet");
}
$user_combo = arraySelect($user_list, "user_filter_id", "class='text' onchange='javascript:document.searchform.submit()'", $user_filter_id, false);
echo "<tr><form name='searchform' action='?m=timesheet' method='post'>
......
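Review bot: The branch `if ($canDelete) { $user_list = array( 0 => ... ) + $perms->getPermittedUsers("timesheet"); }` only trims the options the combo renders, while `$user_filter_id = $_REQUEST["user_filter_id"];` a few lines earlier still accepts and persists any value posted, so a user without delete rights can send `user_filter_id=0` or another user's id directly and see data the combo would not offer. The value has to be validated server-side before it is stored in state; `getPermittedUsers("timesheet")` appears to return an id-keyed array (it is merged with key 0 and handed to `arraySelect`), so its keys can serve as the allow-list, with 0 reserved for callers that pass the delete check. Coupling "may see other people's timesheets" to the delete permission is also a privilege mismatch — it forces an admin to hand out delete rights just to widen the filter — and a separate view scope would avoid that. As a style point, `array( ) + $perms->getPermittedUsers("timesheet")` is just the permitted list and needs no empty array. The enclosing statement run continues past the lines shown.
```php
// … unchanged: read user_filter_id from $_REQUEST or state, default to $AppUI->user_id …
$permitted = $perms->getPermittedUsers("timesheet");
// Never trust the posted filter: 0 (All) only with delete rights, otherwise
// only ids the caller is permitted to see; anything else falls back to self.
$user_filter_id = intval($user_filter_id);
$showAll = $canDelete && $user_filter_id == 0;
if (!$showAll && !isset($permitted[$user_filter_id])) {
    $user_filter_id = $AppUI->user_id;
    $AppUI->setState('user_filter_id', $user_filter_id);
}
$user_list = $canDelete
    ? array( 0 => $AppUI->_("All", UI_OUTPUT_RAW)) + $permitted
    : $permitted;
// … unchanged: arraySelect and form output …
```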