Commit 07d054c5 authored by Jean-Paul Saman's avatar Jean-Paul Saman

Implemented access control for users that are not allowed to delete timesheets...

Implemented access control for users that are not allowed to delete timesheets when created. It is now assumed that only the admin will assign delete rights to people that need them. Be careful: the users filter box is also hooked up to these access rights. Once granted delete rights, a user can delete timesheets from someone else.

This should be fixed in future. Currently I do not know how to fix this.
parent 62f685f0
<?php <?php
$perms =& $AppUI->acl();
// Create new timesheet or edit an existing one. // Create new timesheet or edit an existing one.
$timesheet_id = intval( dPgetParam( $_GET, "timesheet_id", 0 ) ); $timesheet_id = intval( dPgetParam( $_GET, "timesheet_id", 0 ) );
...@@ -7,6 +9,7 @@ $canEdit = !getDenyEdit( $m, $timesheet_id ); ...@@ -7,6 +9,7 @@ $canEdit = !getDenyEdit( $m, $timesheet_id );
if (!$canEdit) { if (!$canEdit) {
$AppUI->redirect( "m=public&a=access_denied" ); $AppUI->redirect( "m=public&a=access_denied" );
} }
$canDelete = $perms->checkModule( $m, 'delete' );
// use the object oriented design of dP for loading the timesheet that should be edited // use the object oriented design of dP for loading the timesheet that should be edited
// therefore create a new instance of the Timesheet Class // therefore create a new instance of the Timesheet Class
...@@ -22,17 +25,13 @@ if (!$obj->load( $timesheet_id, false ) && ($timesheet_id > 0) ) { ...@@ -22,17 +25,13 @@ if (!$obj->load( $timesheet_id, false ) && ($timesheet_id > 0) ) {
$AppUI->redirect(); // go back to the calling location $AppUI->redirect(); // go back to the calling location
} }
// check if this record has dependancies to prevent deletion
$msg = '';
$canDelete = $obj->canDelete( $msg, $timesheet_id );
// setup the title block // setup the title block
// Fill the title block either with 'Edit' or with 'New' depending on // Fill the title block either with 'Edit' or with 'New' depending on
// if timesheet_id has been transmitted via GET or is empty // if timesheet_id has been transmitted via GET or is empty
$ttl = $timesheet_id > 0 ? "Edit Timesheet" : "New Timesheet"; $ttl = $timesheet_id > 0 ? "Edit Timesheet" : "New Timesheet";
$titleBlock = new CTitleBlock( $ttl, 'timesheet.png', $m, "$m.$a" ); $titleBlock = new CTitleBlock( $ttl, 'timesheet.png', $m, "$m.$a" );
$titleBlock->addCrumb( "?m=timesheet", "view all timesheets" ); $titleBlock->addCrumb( "?m=timesheet", "view all timesheets" );
if ($canEdit && $timesheet_id > 0) { if ($canDelete && ($timesheet_id > 0) ) {
$titleBlock->addCrumbDelete( 'delete timesheet', $canDelete, $msg ); $titleBlock->addCrumbDelete( 'delete timesheet', $canDelete, $msg );
} }
$titleBlock->show(); $titleBlock->show();
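Review bot: `$msg` is still passed to `addCrumbDelete()` on the line after `if ($canDelete && ($timesheet_id > 0) )`, but its initialisation `$msg = '';` was removed together with the `$obj->canDelete( $msg, $timesheet_id )` dependency check, so the new side reads an undefined variable and no longer blocks deletion of a record that has dependants. Keep the module right from the earlier hunk and AND it with the record check, e.g. `$msg = '';` followed by `$canDelete = $canDelete && $obj->canDelete( $msg, $timesheet_id );`. As the commit message itself notes, `checkModule( $m, 'delete' )` is module-wide, so a per-record condition (the timesheet's owner field compared with `$AppUI->user_id`, field name to be confirmed) is what would stop deletion of other people's sheets. Hiding the crumb is presentation only; the delete action handler, which is outside this hunk, must repeat the same checks server-side.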
......
...@@ -3,9 +3,13 @@ ...@@ -3,9 +3,13 @@
// it is automatically appended on the applications main ./index.php // it is automatically appended on the applications main ./index.php
// by the dPframework // by the dPframework
$perms =& $AppUI->acl();
// we check for permissions on this module // we check for permissions on this module
$canRead = !getDenyRead( $m ); // retrieve module-based readPermission bool flag $canRead = !getDenyRead( $m );
$canEdit = !getDenyEdit( $m ); // retrieve module-based writePermission bool flag $canEdit = !getDenyEdit( $m );
$canDelete = $perms->checkModule( $m, 'delete' );
// lock out users that do not have at least readPermission on this module // lock out users that do not have at least readPermission on this module
if (!$canRead) { if (!$canRead) {
$AppUI->redirect( "m=public&a=access_denied" ); $AppUI->redirect( "m=public&a=access_denied" );
......
...@@ -24,15 +24,20 @@ if(isset($_REQUEST["user_filter_id"])){ ...@@ -24,15 +24,20 @@ if(isset($_REQUEST["user_filter_id"])){
$AppUI->setState("user_filter_id", $_REQUEST["user_filter_id"]); $AppUI->setState("user_filter_id", $_REQUEST["user_filter_id"]);
$user_filter_id = $_REQUEST["user_filter_id"]; $user_filter_id = $_REQUEST["user_filter_id"];
} else { } else {
$user_filter_id = $AppUI->getState( 'user_filter_id'); $user_filter_id = $AppUI->getState('user_filter_id');
if (! isset($user_filter_id)) { if (!isset($user_filter_id)) {
$user_filter_id = $AppUI->user_id; $user_filter_id = $AppUI->user_id;
$AppUI->setState('user_filter_id', $user_filter_id); $AppUI->setState('user_filter_id', $user_filter_id);
} }
} }
$perms =& $AppUI->acl(); $perms =& $AppUI->acl();
$user_list = array( 0 => $AppUI->_("All", UI_OUTPUT_RAW)) + $perms->getPermittedUsers("timesheet"); // db_loadHashList($sql); if ($canDelete) {
$user_list = array( 0 => $AppUI->_("All", UI_OUTPUT_RAW)) + $perms->getPermittedUsers("timesheet");
}
else {
$user_list = array( ) + $perms->getPermittedUsers("timesheet");
}
$user_combo = arraySelect($user_list, "user_filter_id", "class='text' onchange='javascript:document.searchform.submit()'", $user_filter_id, false); $user_combo = arraySelect($user_list, "user_filter_id", "class='text' onchange='javascript:document.searchform.submit()'", $user_filter_id, false);
echo "<tr><form name='searchform' action='?m=timesheet' method='post'> echo "<tr><form name='searchform' action='?m=timesheet' method='post'>
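Review bot: The `if ($canDelete)` gate only drops the "All" entry from the dropdown; `$user_filter_id` is still taken verbatim from `$_REQUEST["user_filter_id"]` at the top of the hunk and saved to state without being checked against `$user_list`, so a user without delete rights can submit `user_filter_id=0` (or any other id) by hand and the restriction holds only in the browser. After `$user_list` is built add `if (!isset($user_list[$user_filter_id])) { $user_filter_id = $AppUI->user_id; $AppUI->setState('user_filter_id', $user_filter_id); }`, and cast the request value with `intval()` where it is read. Whether the listing query further down honours the filter is outside this hunk. The `else` branch's `array( ) + $perms->getPermittedUsers("timesheet")` is just `$perms->getPermittedUsers("timesheet")`, and if this hunk is in the same file as the one above it, `$perms =& $AppUI->acl();` is now assigned twice.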
......