Business/QwikClock
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Enforce permissions in report system

Browse Source
This commit is contained in:
Skylar Ittner 2017-11-20 20:09:50 -07:00
parent a02d96385c
commit 98ac465396
9 changed files with 108 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
action.php
View File

@ -39,7 +39,7 @@ switch ($VARS['action']) {
$shiftid = null; $shiftid = null;
if ($database->has('assigned_shifts', ['uid' => $_SESSION['uid']])) { if ($database->has('assigned_shifts', ['uid' => $_SESSION['uid']])) {
$minclockintime = strtotime("now + 5 minutes"); $minclockintime = strtotime("now + 5 minutes");
$shifts = $database->select('shifts', ["[>]assigned_shifts" => ['shiftid' => 'shiftid']], ["shifts.shiftid", "start", "end", "days"], ["AND" =>['uid' => $_SESSION['uid'], 'start[<=]' => date("H:i:s", $minclockintime)]]); $shifts = $database->select('shifts', ["[>]assigned_shifts" => ['shiftid' => 'shiftid']], ["shifts.shiftid", "start", "end", "days"], ["AND" => ['uid' => $_SESSION['uid'], 'start[<=]' => date("H:i:s", $minclockintime)]]);
foreach ($shifts as $shift) { foreach ($shifts as $shift) {
$curday = substr(date("D"), 0, 2); $curday = substr(date("D"), 0, 2);
if (strpos($shift['days'], $curday) === FALSE) { if (strpos($shift['days'], $curday) === FALSE) {
@ -167,7 +167,19 @@ switch ($VARS['action']) {
$resp = json_decode($response->getBody(), TRUE); $resp = json_decode($response->getBody(), TRUE);
if ($resp['status'] == "OK") { if ($resp['status'] == "OK") {
exit(json_encode($resp['result'])); if (!account_has_permission($_SESSION['username'], "ADMIN")) {
require_once __DIR__ . "/lib/userinfo.php";
$managed = getManagedUIDs($_SESSION['uid']);
$result = $resp['result'];
for ($i = 0; $i < count($result); $i++) {
if (!in_array($result[$i]['uid'], $managed)) {
$result[$i]['managed'] = 0;
}
}
exit(json_encode($result));
} else {
exit(json_encode($resp['result']));
}
} else { } else {
exit("[]"); exit("[]");
} }

26
api.php
View File

@ -31,10 +31,32 @@ switch ($VARS['action']) {
$out = ["status" => "OK", "maxresults" => $max, "pong" => true]; $out = ["status" => "OK", "maxresults" => $max, "pong" => true];
exit(json_encode($out)); exit(json_encode($out));
case "punchin": case "punchin":
if ($database->has('punches', ['AND' => ['uid' => $userinfo['uid'], 'out' => null]])) { if ($database->has('punches', ['AND' => ['uid' => $_SESSION['uid'], 'out' => null]])) {
die(json_encode(["status" => "ERROR", "msg" => lang("already punched in", false)])); die(json_encode(["status" => "ERROR", "msg" => lang("already punched in", false)]));
} }
$database->insert('punches', ['uid' => $userinfo['uid'], 'in' => date("Y-m-d H:i:s"), 'out' => null, 'notes' => '']);
$shiftid = null;
if ($database->has('assigned_shifts', ['uid' => $_SESSION['uid']])) {
$minclockintime = strtotime("now + 5 minutes");
$shifts = $database->select('shifts', ["[>]assigned_shifts" => ['shiftid' => 'shiftid']], ["shifts.shiftid", "start", "end", "days"], ["AND" =>['uid' => $_SESSION['uid'], 'start[<=]' => date("H:i:s", $minclockintime)]]);
foreach ($shifts as $shift) {
$curday = substr(date("D"), 0, 2);
if (strpos($shift['days'], $curday) === FALSE) {
continue;
}
if (strtotime($shift['end']) >= strtotime($shift['start'])) {
if (strtotime("now") >= strtotime($shift['end'])) {
continue; // shift is already over
}
}
$shiftid = $shift['shiftid'];
}
if (is_null($shiftid)) {
die(json_encode(["status" => "ERROR", "msg" => lang("not assigned to work now", false)]));
}
}
$database->insert('punches', ['uid' => $_SESSION['uid'], 'in' => date("Y-m-d H:i:s"), 'out' => null, 'notes' => '', 'shiftid' => $shiftid]);
exit(json_encode(["status" => "OK", "msg" => lang("punched in", false)])); exit(json_encode(["status" => "OK", "msg" => lang("punched in", false)]));
case "punchout": case "punchout":
if (!$database->has('punches', ['AND' => ['uid' => $userinfo['uid'], 'out' => null]])) { if (!$database->has('punches', ['AND' => ['uid' => $userinfo['uid'], 'out' => null]])) {

BIN
database.mwb
View File

Binary file not shown.

3
database.sql
View File

@ -1,5 +1,5 @@
-- MySQL Script generated by MySQL Workbench -- MySQL Script generated by MySQL Workbench
-- Mon 20 Nov 2017 04:45:50 PM MST -- Mon 20 Nov 2017 08:04:01 PM MST
-- Model: New Model Version: 1.0 -- Model: New Model Version: 1.0
-- MySQL Workbench Forward Engineering -- MySQL Workbench Forward Engineering
@ -84,6 +84,7 @@ CREATE TABLE IF NOT EXISTS `qwikclock`.`report_access_codes` (
`id` INT NOT NULL, `id` INT NOT NULL,
`code` VARCHAR(45) NULL, `code` VARCHAR(45) NULL,
`expires` DATETIME NULL, `expires` DATETIME NULL,
`uid` INT NOT NULL DEFAULT -1,
PRIMARY KEY (`id`)) PRIMARY KEY (`id`))
ENGINE = InnoDB; ENGINE = InnoDB;

5
lang/en_us.php
View File

@ -88,7 +88,7 @@ define("STRINGS", [
"report filtered to user" => "Report filtered to {name} ({username})", "report filtered to user" => "Report filtered to {name} ({username})",
"report filtered to start date" => "Only showing entries later than {date}", "report filtered to start date" => "Only showing entries later than {date}",
"report filtered to end date" => "Only showing entries earlier than {date}", "report filtered to end date" => "Only showing entries earlier than {date}",
"all users" => "All users", "all managed users" => "All managed users",
"one user" => "One user", "one user" => "One user",
"choose user" => "Type to choose user", "choose user" => "Type to choose user",
"filter" => "Filter", "filter" => "Filter",
@ -97,5 +97,6 @@ define("STRINGS", [
"shiftid" => "Shift ID", "shiftid" => "Shift ID",
"shiftname" => "Shift Name", "shiftname" => "Shift Name",
"punches" => "Punches", "punches" => "Punches",
"not assigned to work now" => "You are not assigned to work right now." "not assigned to work now" => "You are not assigned to work right now.",
"not a managed user" => "Not a managed user",
]); ]);

39
lib/reports.php
View File

@ -19,14 +19,35 @@ use odsPhpGenerator\odsTableCellString;
use odsPhpGenerator\odsStyleTableColumn; use odsPhpGenerator\odsStyleTableColumn;
use odsPhpGenerator\odsStyleTableCell; use odsPhpGenerator\odsStyleTableCell;
require_once __DIR__ . "/userinfo.php";
require_once __DIR__ . "/login.php";
// Allow access with a download code, for mobile app and stuff // Allow access with a download code, for mobile app and stuff
$date = date("Y-m-d H:i:s"); $date = date("Y-m-d H:i:s");
$allowed_users = [];
$requester = -1;
if (isset($VARS['code']) && LOADED) { if (isset($VARS['code']) && LOADED) {
if (!$database->has('report_access_codes', ["AND" => ['code' => $VARS['code'], 'expires[>]' => $date]])) { if (!$database->has('report_access_codes', ["AND" => ['code' => $VARS['code'], 'expires[>]' => $date]])) {
dieifnotloggedin(); dieifnotloggedin();
$requester = $_SESSION['uid'];
} else {
$requester = $database->get('report_access_codes', 'uid', ['code' => $VARS['code']]);
} }
} else { } else {
dieifnotloggedin(); dieifnotloggedin();
$requester = $_SESSION['uid'];
}
if (account_has_permission($_SESSION['username'], "ADMIN")) {
$allowed_users = true;
} else {
if (account_has_permission($_SESSION['username'], "QWIKCLOCK_MANAGE")) {
$allowed_users = getManagedUIDs($requester);
}
if (account_has_permission($_SESSION['username'], "QWIKCLOCK_EDITSELF")) {
$allowed_users[] = $_SESSION['uid'];
}
} }
// Delete old DB entries // Delete old DB entries
@ -34,8 +55,6 @@ $database->delete('report_access_codes', ['expires[<=]' => $date]);
if (LOADED) { if (LOADED) {
$user = null; $user = null;
require_once __DIR__ . "/userinfo.php";
require_once __DIR__ . "/login.php";
if ($VARS['users'] != "all" && !is_empty($VARS['user']) && user_exists($VARS['user'])) { if ($VARS['users'] != "all" && !is_empty($VARS['user']) && user_exists($VARS['user'])) {
$user = getUserByUsername($VARS['user']); $user = getUserByUsername($VARS['user']);
} }
@ -50,14 +69,19 @@ if (LOADED) {
function getShiftReport($user = null) { function getShiftReport($user = null) {
global $database; global $database;
global $allowed_users;
if ($user != null && array_key_exists('uid', $user)) { if ($user != null && array_key_exists('uid', $user)) {
$uid = -1;
if ($allowed_users === true || in_array($user['uid'], $allowed_users)) {
$uid = $user['uid'];
}
$shifts = $database->select( $shifts = $database->select(
"shifts", [ "shifts", [
"[>]assigned_shifts" => ["shiftid" => "shiftid"] "[>]assigned_shifts" => ["shiftid" => "shiftid"]
], [ ], [
"shifts.shiftid", "shiftname", "start", "end", "days" "shifts.shiftid", "shiftname", "start", "end", "days"
], [ ], [
"uid" => $user['uid'] "uid" => $uid
] ]
); );
} else { } else {
@ -92,6 +116,7 @@ function getShiftReport($user = null) {
function getPunchReport($user = null, $start = null, $end = null) { function getPunchReport($user = null, $start = null, $end = null) {
global $database; global $database;
global $allowed_users;
$where = []; $where = [];
if ((bool) strtotime($start) == TRUE) { if ((bool) strtotime($start) == TRUE) {
$where["OR #start"] = [ $where["OR #start"] = [
@ -103,8 +128,14 @@ function getPunchReport($user = null, $start = null, $end = null) {
// Make the date be the end of the day, not the start // Make the date be the end of the day, not the start
$where["in[<=]"] = date("Y-m-d", strtotime($end)) . " 23:59:59"; $where["in[<=]"] = date("Y-m-d", strtotime($end)) . " 23:59:59";
} }
if ($user != null && array_key_exists('uid', $user)) { if ($user != null && array_key_exists('uid', $user) && ($allowed_users === true || in_array($user['uid'], $allowed_users))) {
$where["uid"] = $user['uid']; $where["uid"] = $user['uid'];
} else if ($user != null && array_key_exists('uid', $user) && $allowed_users !== true && !in_array($user['uid'], $allowed_users)) {
$where["uid"] = -1;
} else {
if ($allowed_users !== true) {
$where["uid"] = $allowed_users;
}
} }
if (count($where) > 1) { if (count($where) > 1) {
$where = ["AND" => $where]; $where = ["AND" => $where];

9
pages/export.php
View File

@ -51,14 +51,17 @@ if (!account_has_permission($_SESSION['username'], "QWIKCLOCK_MANAGE")) {
<div class="radio"> <div class="radio">
<label> <label>
<input name="users" value="all" checked="" type="radio"> <i class="fa fa-users fa-fw"></i> <input name="users" value="all" checked="" type="radio"> <i class="fa fa-users fa-fw"></i>
<?php lang("all users") ?> <?php lang("all managed users") ?>
</label> </label>
</div> </div>
<div class="radio"> <div class="radio">
<label> <label>
<input name="users" value="one" type="radio"> <i class="fa fa-user fa-fw"></i> <input name="users" value="one" type="radio"> <i class="fa fa-user fa-fw"></i>
<?php lang("one user") ?> <?php lang("one user") ?>
<input type="text" name="user" class="form-control" id="user-box" placeholder="<?php lang("choose user") ?>" /> <div class="form-group" id="user-selection">
<input type="text" name="user" class="form-control" id="user-box" placeholder="<?php lang("choose user") ?>" />
<label class="control-label" id="user-not-managed-text" for="user-box"><i class="fa fa-warning"></i> <?php lang("not a managed user") ?></label>
</div>
</label> </label>
</div> </div>
<hr /> <hr />
@ -75,7 +78,7 @@ if (!account_has_permission($_SESSION['username'], "QWIKCLOCK_MANAGE")) {
<br /> <br />
<?php <?php
$code = uniqid(rand(10000000, 99999999), true); $code = uniqid(rand(10000000, 99999999), true);
$database->insert('report_access_codes', ['code' => $code, 'expires' => date("Y-m-d H:i:s", strtotime("+5 minutes"))]); $database->insert('report_access_codes', ['code' => $code, 'expires' => date("Y-m-d H:i:s", strtotime("+5 minutes")), 'uid' => $_SESSION['uid']]);
?> ?>
<input type="hidden" name="code" value="<?php echo $code; ?>" /> <input type="hidden" name="code" value="<?php echo $code; ?>" />

4
static/css/app.css
View File

@ -82,6 +82,10 @@
display: inline-block; display: inline-block;
} }
.red {
color: red;
}
/* /*
============================== ==============================
THEMING THEMING

22
static/js/export.js
View File

@ -18,18 +18,34 @@ var options = {
return data; return data;
}, },
getValue: function (element) { getValue: function (element) {
if (element.managed == 0) {
$('#user-selection').addClass('has-error');
$('#user-not-managed-text').css('visibility', '');
} else {
$('#user-selection').removeClass('has-error');
$('#user-not-managed-text').css('visibility', 'hidden');
}
return element.username; return element.username;
}, },
template: { template: {
type: "custom", type: "custom",
method: function (value, item) { method: function (value, item) {
return item.name + " <i class=\"small\">" + item.username + "</i>"; if (item.managed == 0) {
return "<span class=\"red\">" + item.name + " <i class=\"small\">" + item.username + "</i></span>";
} else {
return item.name + " <i class=\"small\">" + item.username + "</i>";
}
} }
} }
}; };
$("#user-box").easyAutocomplete(options); $("#user-box").easyAutocomplete(options);
$('#user-box').on("keypress", function () {
$('#user-not-managed-text').css('visibility', 'hidden');
$('#user-selection').removeClass('has-error');
});
$(function () { $(function () {
$('#startdate').datetimepicker({ $('#startdate').datetimepicker({
format: "MMM D YYYY", format: "MMM D YYYY",
@ -39,4 +55,6 @@ $(function () {
format: "MMM D YYYY"/*"YYYY-M-DTH:m"*/, format: "MMM D YYYY"/*"YYYY-M-DTH:m"*/,
useCurrent: true useCurrent: true
}); });
}); });
$('#user-not-managed-text').css('visibility', 'hidden');