[hermes] [patch] Don't allow edit, delete of submitted time
Jason M. Felice
jfelice at cronosys.com
Wed Nov 5 12:57:45 PST 2003
Provide Hermes::canModifyTimeslice(), prevent users from deleting timeslices
not owned by themselves or which have been submitted, and do not show delete
or edit icons for visible timeslices which have been submitted.
I'm working towards implementing an administrative review screen where a
time admin can edit other users' entries and select which items to
export.
--
Jason M. Felice
Cronosys, LLC <http://www.cronosys.com/>
216.221.4600 x302
epm diff lib/Driver/sql.php
--- lib/Driver/sql.php 2003-11-05 15:50:06.000000000 -0500
+++ lib/Driver/sql.php 2003-11-05 15:50:06.000000000 -0500
@@ -121,6 +121,9 @@
$this->_connect();
foreach ($entries as $info) {
+ if (!Hermes::canEditTimeslice($info['id'])) {
+ return PEAR::raiseError(_("Access denied; user cannot modify this timeslice."));
+ }
if (!empty($info['delete'])) {
$sql = sprintf('DELETE FROM hermes_timeslices' .
' WHERE timeslice_id = %d',
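Review bot: the access check sits inside the `foreach` and returns on the first entry that fails, so any entries earlier in `$entries` have already been deleted or updated by the time the error is raised, leaving a partial update. Validate every `$info['id']` with `Hermes::canEditTimeslice()` in a first pass before the loop that issues SQL (or run the loop inside a transaction), and note that each call performs its own `getHours()` query, one per entry.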
@@ -166,7 +169,8 @@
' b.timeslice_isbillable as billable,' .
' b.timeslice_date as "date",' .
' b.timeslice_description as description,' .
- ' b.timeslice_note as note' .
+ ' b.timeslice_note as note,' .
+ ' b.timeslice_submitted as submitted' .
' FROM hermes_timeslices b INNER JOIN hermes_jobtypes j ON b.jobtype_id = j.jobtype_id');
if (count($filters) > 0) {
$sql .= ' WHERE';
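Review bot: the new `b.timeslice_submitted as submitted` column is consumed as `!$slice['submitted']` in `canEditTimeslice()`, so whatever the driver returns for an unsubmitted row must be falsy in PHP. If the column is a real boolean on PostgreSQL, PEAR DB hands back the strings 't' and 'f', both of which are truthy, and every slice would become uneditable; selecting an integer or normalizing the value here would keep the check independent of the backend.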
@@ -197,6 +201,11 @@
$sql .= $glue . ' employee_id = ' . $this->_db->quote($filter);
$glue = ' AND';
break;
+
+ case 'id':
+ $sql .= $glue . ' timeslice_id = ' . (int)$filter;
+ $glue .= ' AND';
+ break;
}
}
}
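Review bot: `$glue .= ' AND';` in the new `case 'id':` should be `$glue = ' AND';`, as in the `employee_id` case directly above it. With `.=`, once the `id` filter follows another filter and a third filter is appended afterwards, the SQL gains ` AND AND` and fails with a syntax error. The `(int)$filter` cast is the right way to keep the id out of string interpolation.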
epm diff templates/time/table-item.inc
--- templates/time/table-item.inc 2003-11-05 15:50:06.000000000 -0500
+++ templates/time/table-item.inc 2003-11-05 15:53:25.000000000 -0500
@@ -1,10 +1,10 @@
<tr class="text" onmouseover="className='text-hi';" onmouseout="className='text';">
<td><?php
- if (isset($item['id'])) {
+ if (isset($item['id']) && Hermes::canEditTimeslice($item['id'])) {
echo Horde::link($item_link, _("Edit Entry"), 'widget'),
- Horde::img('edit.gif', _("Edit Entry")), "</a>",
- Horde::link($delete_link, _("Delete Entry"), 'widget'),
- Horde::img('delete.gif', _("Delete Entry")), "</a>";
+ Horde::img('edit.gif', _("Edit Entry")), "</a>",
+ Horde::link($delete_link, _("Delete Entry"), 'widget'),
+ Horde::img('delete.gif', _("Delete Entry")), "</a>";
}
?></td><td><?php
if (isset($item['date'])) {
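Review bot: hiding the icons is presentation only; the enforcing control is the check added to the driver in `lib/Driver/sql.php`, and keeping both is the right split. Two smaller points: `Hermes::canEditTimeslice($item['id'])` runs a fresh `getHours()` query for every row rendered, although `$item` appears to come from the same `getHours()` result that, after this patch, already carries the `submitted` field the check needs; and the re-indented `Horde::img(...)` / `Horde::link(...)` lines are whitespace-only changes that inflate the diff without altering behaviour.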
epm diff lib/Hermes.php
--- lib/Hermes.php 2003-11-05 15:50:06.000000000 -0500
+++ lib/Hermes.php 2003-11-05 15:50:06.000000000 -0500
@@ -105,4 +105,21 @@
Help::javascript();
}
+ function canEditTimeslice($id)
+ {
+ global $hermes;
+
+ $hours = $hermes->getHours(array('id' => $id));
+ if (!is_array($hours) || count($hours) != 1) {
+ return false;
+ }
+ $slice = $hours[0];
+
+ // We can edit our own time if it hasn't been submitted.
+ if ($slice['employee'] == Auth::getAuth() && !$slice['submitted']) {
+ return true;
+ }
+ return false;
+ }
+
}
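Review bot: the mail describes the new function as `Hermes::canModifyTimeslice()`, but the code adds `canEditTimeslice()`; make the name consistent in one or the other, and give the function a docblock stating the rule it enforces (owner only, not yet submitted), since it is now the single authorization decision used by both the driver and the template. Failing closed when `getHours()` returns an error or anything other than exactly one row is correct. There is no administrator exception yet, so the review screen mentioned in the mail will need to extend this function rather than skip the driver-side check.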