Implemented access control for users that are not allowed to delete timesheets...

Implemented access control for users that are not allowed to delete timesheets when created. It is now assumed that only the admin will assign delete rights for people that need them. Be carefull the users filter box is also hooked up on this access rights. Once granted delete rights a user can delete timesheets from someone else.

This should be fixed in future. Currently I do not know how to fix this.

addedit.php

 <?php
+$perms =& $AppUI->acl();
+
 // Create new timesheet or edit an existing one.
 $timesheet_id = intval( dPgetParam( $_GET, "timesheet_id", 0 ) );
 
@@ -7,6 +9,7 @@ $canEdit = !getDenyEdit( $m, $timesheet_id );
 if (!$canEdit) {
 	$AppUI->redirect( "m=public&a=access_denied" );
 }
+$canDelete = $perms->checkModule( $m, 'delete' );
 
 // use the object oriented design of dP for loading the timesheet that should be edited
 // therefore create a new instance of the Timesheet Class
@@ -22,17 +25,13 @@ if (!$obj->load( $timesheet_id, false ) && ($timesheet_id > 0) ) {
 	$AppUI->redirect();					// go back to the calling location
 }
 
-// check if this record has dependancies to prevent deletion
-$msg = '';
-$canDelete = $obj->canDelete( $msg, $timesheet_id );
-
 // setup the title block
 // Fill the title block either with 'Edit' or with 'New' depending on 
 // if timesheet_id has been transmitted via GET or is empty
 $ttl = $timesheet_id > 0 ? "Edit Timesheet" : "New Timesheet";
 $titleBlock = new CTitleBlock( $ttl, 'timesheet.png', $m, "$m.$a" );
 $titleBlock->addCrumb( "?m=timesheet", "view all timesheets" );
-if ($canEdit && $timesheet_id > 0) {
+if ($canDelete && ($timesheet_id > 0) ) {
 	$titleBlock->addCrumbDelete( 'delete timesheet', $canDelete, $msg );
 }
 $titleBlock->show();

index.php

@@ -2,10 +2,14 @@
 // this is the index site for our timesheet module
 // it is automatically appended on the applications main ./index.php
 // by the dPframework
+
+$perms =& $AppUI->acl();
 
 // we check for permissions on this module
-$canRead = !getDenyRead( $m );	// retrieve module-based readPermission bool flag
-$canEdit = !getDenyEdit( $m );	// retrieve module-based writePermission bool flag
+$canRead = !getDenyRead( $m );
+$canEdit = !getDenyEdit( $m );
+$canDelete = $perms->checkModule( $m, 'delete' );
+
 // lock out users that do not have at least readPermission on this module
 if (!$canRead) {
 	$AppUI->redirect( "m=public&a=access_denied" );

vw_idx_inc.php

@@ -24,15 +24,20 @@ if(isset($_REQUEST["user_filter_id"])){
 	$AppUI->setState("user_filter_id", $_REQUEST["user_filter_id"]);
 	$user_filter_id = $_REQUEST["user_filter_id"];
 } else {
-	$user_filter_id = $AppUI->getState( 'user_filter_id');
-	if (! isset($user_filter_id)) {
+	$user_filter_id = $AppUI->getState('user_filter_id');
+	if (!isset($user_filter_id)) {
 		$user_filter_id = $AppUI->user_id;
 		$AppUI->setState('user_filter_id', $user_filter_id);
 	}
 }
 
 $perms =& $AppUI->acl();
-$user_list = array( 0 => $AppUI->_("All", UI_OUTPUT_RAW)) + $perms->getPermittedUsers("timesheet"); // db_loadHashList($sql);
+if ($canDelete) {
+	$user_list = array( 0 => $AppUI->_("All", UI_OUTPUT_RAW)) + $perms->getPermittedUsers("timesheet");
+}
+else {
+	$user_list = array( ) + $perms->getPermittedUsers("timesheet");
+}
 $user_combo = arraySelect($user_list, "user_filter_id", "class='text' onchange='javascript:document.searchform.submit()'", $user_filter_id, false);
 
 echo "<tr><form name='searchform' action='?m=timesheet' method='post'>