[hermes] [patch] Don't allow edit, delete of submitted time

Jason M. Felice jfelice at cronosys.com
Wed Nov 5 12:57:45 PST 2003


Provide Hermes::canModifyTimeslice(), prevent users from deleting timeslices
not owned by themselves or which have been submitted, and do not show delete
or edit icons for visible timeslices which have been submitted.

I'm working towards implementing an administrative review screen where a
time admin can edit other users' entries and select which items to
export.

-- 
 Jason M. Felice
 Cronosys, LLC <http://www.cronosys.com/>
 216.221.4600 x302
-------------- next part --------------
epm diff lib/Driver/sql.php
--- lib/Driver/sql.php	2003-11-05 15:50:06.000000000 -0500
+++ lib/Driver/sql.php	2003-11-05 15:50:06.000000000 -0500
@@ -121,6 +121,9 @@
         $this->_connect();
 
         foreach ($entries as $info) {
+            if (!Hermes::canEditTimeslice($info['id'])) {
+                return PEAR::raiseError(_("Access denied; user cannot modify this timeslice."));
+            }
             if (!empty($info['delete'])) {
                 $sql = sprintf('DELETE FROM hermes_timeslices' .
                                ' WHERE timeslice_id = %d',
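Review bot: the access check runs inside the foreach, so a batch whose later entry is denied returns PEAR::raiseError only after the DELETE or UPDATE statements for the earlier entries have already executed, leaving a partial update behind. Walk $entries once and call Hermes::canEditTimeslice() on every id before any SQL is issued (or wrap the loop in a transaction), then apply. Two smaller points: when an entry has no 'id' key, $info['id'] is unset, the lookup resolves to id 0, no row is found and the whole batch is denied; that is fail-closed, but confirm it is what the callers expect. And each call adds a getHours() query per entry, which is acceptable for small batches but worth noting.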
@@ -166,7 +169,8 @@
                        ' b.timeslice_isbillable as billable,' .
                        ' b.timeslice_date as "date",' .
                        ' b.timeslice_description as description,' .
-                       ' b.timeslice_note as note' .
+                       ' b.timeslice_note as note,' .
+                       ' b.timeslice_submitted as submitted' .
                        ' FROM hermes_timeslices b INNER JOIN hermes_jobtypes j ON b.jobtype_id = j.jobtype_id');
         if (count($filters) > 0) {
             $sql .= ' WHERE';
@@ -197,6 +201,11 @@
                     $sql .= $glue . ' employee_id = ' . $this->_db->quote($filter);
                     $glue = ' AND';
                     break;
+
+                case 'id':
+                    $sql .= $glue . ' timeslice_id = ' . (int)$filter;
+                    $glue .= ' AND';
+                    break;
                 }
             }
         }
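Review bot: the new 'id' case has `$glue .= ' AND';` where the 'employee' case just above uses `$glue = ' AND';`. With `.=`, $glue grows to ' AND AND' once it already holds ' AND', so any filter processed after 'id' yields a WHERE clause with a doubled AND and the query fails. Change it to `$glue = ' AND';`. The `(int)$filter` cast is the right way to keep the id out of the SQL string unquoted.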
epm diff templates/time/table-item.inc
--- templates/time/table-item.inc	2003-11-05 15:50:06.000000000 -0500
+++ templates/time/table-item.inc	2003-11-05 15:53:25.000000000 -0500
@@ -1,10 +1,10 @@
 <tr class="text" onmouseover="className='text-hi';" onmouseout="className='text';">
   <td><?php
-    if (isset($item['id'])) {
+    if (isset($item['id']) && Hermes::canEditTimeslice($item['id'])) {
         echo Horde::link($item_link, _("Edit Entry"), 'widget'),
-        Horde::img('edit.gif', _("Edit Entry")), "</a>",
-        Horde::link($delete_link, _("Delete Entry"), 'widget'),
-        Horde::img('delete.gif', _("Delete Entry")), "</a>";
+            Horde::img('edit.gif', _("Edit Entry")), "</a>",
+            Horde::link($delete_link, _("Delete Entry"), 'widget'),
+            Horde::img('delete.gif', _("Delete Entry")), "</a>";
     }
   ?></td><td><?php
     if (isset($item['date'])) {
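Review bot: calling Hermes::canEditTimeslice($item['id']) here issues a getHours() query for every row the table renders. The driver now selects b.timeslice_submitted as submitted next to the employee column, so the fields the check needs are already in the row; if $item comes from that getHours() result set, compare $item['employee'] against Auth::getAuth() and test $item['submitted'] directly, or add a variant of canEditTimeslice() that accepts the row. Hiding the icons is presentation only; the driver-side check in sql.php remains the enforcement point, so keep the two conditions identical.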
epm diff lib/Hermes.php
--- lib/Hermes.php	2003-11-05 15:50:06.000000000 -0500
+++ lib/Hermes.php	2003-11-05 15:50:06.000000000 -0500
@@ -105,4 +105,21 @@
         Help::javascript();
     }
 
+    function canEditTimeslice($id)
+    {
+        global $hermes;
+
+        $hours = $hermes->getHours(array('id' => $id));
+        if (!is_array($hours) || count($hours) != 1) {
+            return false;
+        }
+        $slice = $hours[0];
+
+        // We can edit our own time if it hasn't been submitted.
+        if ($slice['employee'] == Auth::getAuth() && !$slice['submitted']) {
+            return true;
+        }
+        return false;
+    }
+
 }
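Review bot: canEditTimeslice() has no docblock, and its name differs from the Hermes::canModifyTimeslice() announced in the commit message; settle on one name and document the parameter, the return value and the fact that it governs deletes as well as edits. Use a strict comparison (`$slice['employee'] === Auth::getAuth()`): if Auth::getAuth() returns false for an unauthenticated session, PHP's loose `==` lets false match an empty or null employee value. The early false return on a missing or non-unique row is the right fail-closed default.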


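The pattern the patch is after, as an added example that is not Hermes or Horde code: an authorization gate that fails closed on unknown ids, uses strict comparison for the owner check, and authorizes a whole batch before it applies anything, so a denied entry cannot leave earlier entries already written. The TimesliceGate class, its method names and the in-memory $slices table standing in for hermes_timeslices are assumptions for illustration; the sample rows are constructed.

```php
<?php
// Added example, not Hermes/Horde code. TimesliceGate and its methods are
// illustrative names; $slices is an in-memory stand-in for the
// hermes_timeslices table, keyed by timeslice id (constructed sample data).

class TimesliceGate
{
    private $slices;

    public function __construct(array $slices)
    {
        $this->slices = $slices;
    }

    // Fail closed: a missing row, a foreign owner, or a submitted slice
    // all yield false. Strict comparison so a false/empty user never
    // matches an empty employee column.
    public function canModify($id, $user)
    {
        if (!is_string($user) || $user === '' || !isset($this->slices[$id])) {
            return false;
        }
        $slice = $this->slices[$id];
        return $slice['employee'] === $user && $slice['submitted'] === false;
    }

    // Two passes: authorize every entry first, then mutate. A denied entry
    // therefore rejects the batch before any row has been touched.
    // Returns the list of applied ids, or an error string.
    public function updateBatch(array $entries, $user)
    {
        $ids = array();
        foreach ($entries as $i => $info) {
            $id = isset($info['id']) ? (int)$info['id'] : 0;
            if (!$this->canModify($id, $user)) {
                return "Access denied; user cannot modify timeslice $id.";
            }
            $ids[$i] = $id;
        }
        foreach ($entries as $i => $info) {
            $id = $ids[$i];
            if (!empty($info['delete'])) {
                unset($this->slices[$id]);
            } elseif (isset($info['description'])) {
                $this->slices[$id]['description'] = $info['description'];
            }
        }
        return array_values($ids);
    }

    public function rowCount()
    {
        return count($this->slices);
    }
}

// Constructed sample rows.
$gate = new TimesliceGate(array(
    1 => array('employee' => 'alice', 'submitted' => false),
    2 => array('employee' => 'alice', 'submitted' => true),
    3 => array('employee' => 'bob',   'submitted' => false),
));

// Mixed batch: slice 1 is editable, slice 2 is submitted. The second
// entry is denied, so the delete of slice 1 must not happen either.
var_dump($gate->updateBatch(
    array(array('id' => 1, 'delete' => 1), array('id' => 2, 'delete' => 1)),
    'alice'
));
var_dump($gate->rowCount());

// Clean batch: slice 1 alone is deleted.
var_dump($gate->updateBatch(array(array('id' => 1, 'delete' => 1)), 'alice'));
var_dump($gate->rowCount());

// Unauthenticated caller (Auth::getAuth() returning false in Horde).
var_dump($gate->canModify(3, false));
```

Run with the php CLI: the mixed batch returns the access-denied string and the row count stays at 3, the clean batch returns an array holding id 1 and the count drops to 2, and the unauthenticated check returns false. In the real driver the second pass is where the DELETE/UPDATE statements belong, ideally inside one transaction.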