Business/QwikClock
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Enforce permissions in report system

Browse Source
This commit is contained in:
Skylar Ittner 2017-11-20 20:09:50 -07:00
parent a02d96385c
commit 98ac465396
9 changed files with 108 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
action.php
View File

@ -167,7 +167,19 @@ switch ($VARS['action']) {
$resp = json_decode($response->getBody(), TRUE);
if ($resp['status'] == "OK") {
if (!account_has_permission($_SESSION['username'], "ADMIN")) {
require_once __DIR__ . "/lib/userinfo.php";
$managed = getManagedUIDs($_SESSION['uid']);
$result = $resp['result'];
for ($i = 0; $i < count($result); $i++) {
if (!in_array($result[$i]['uid'], $managed)) {
$result[$i]['managed'] = 0;
}
}
exit(json_encode($result));
} else {
exit(json_encode($resp['result']));
}
} else {
exit("[]");
}

26
api.php
View File

@ -31,10 +31,32 @@ switch ($VARS['action']) {
$out = ["status" => "OK", "maxresults" => $max, "pong" => true];
exit(json_encode($out));
case "punchin":
if ($database->has('punches', ['AND' => ['uid' => $userinfo['uid'], 'out' => null]])) {
if ($database->has('punches', ['AND' => ['uid' => $_SESSION['uid'], 'out' => null]])) {
die(json_encode(["status" => "ERROR", "msg" => lang("already punched in", false)]));
}
$database->insert('punches', ['uid' => $userinfo['uid'], 'in' => date("Y-m-d H:i:s"), 'out' => null, 'notes' => '']);
$shiftid = null;
if ($database->has('assigned_shifts', ['uid' => $_SESSION['uid']])) {
$minclockintime = strtotime("now + 5 minutes");
$shifts = $database->select('shifts', ["[>]assigned_shifts" => ['shiftid' => 'shiftid']], ["shifts.shiftid", "start", "end", "days"], ["AND" =>['uid' => $_SESSION['uid'], 'start[<=]' => date("H:i:s", $minclockintime)]]);
foreach ($shifts as $shift) {
$curday = substr(date("D"), 0, 2);
if (strpos($shift['days'], $curday) === FALSE) {
continue;
}
if (strtotime($shift['end']) >= strtotime($shift['start'])) {
if (strtotime("now") >= strtotime($shift['end'])) {
continue; // shift is already over
}
}
$shiftid = $shift['shiftid'];
}
if (is_null($shiftid)) {
die(json_encode(["status" => "ERROR", "msg" => lang("not assigned to work now", false)]));
}
}
$database->insert('punches', ['uid' => $_SESSION['uid'], 'in' => date("Y-m-d H:i:s"), 'out' => null, 'notes' => '', 'shiftid' => $shiftid]);
exit(json_encode(["status" => "OK", "msg" => lang("punched in", false)]));
case "punchout":
if (!$database->has('punches', ['AND' => ['uid' => $userinfo['uid'], 'out' => null]])) {

BIN
database.mwb
View File

Binary file not shown.

3
database.sql
View File

@ -1,5 +1,5 @@
-- MySQL Script generated by MySQL Workbench
-- Mon 20 Nov 2017 04:45:50 PM MST
-- Mon 20 Nov 2017 08:04:01 PM MST
-- Model: New Model Version: 1.0
-- MySQL Workbench Forward Engineering
@ -84,6 +84,7 @@ CREATE TABLE IF NOT EXISTS `qwikclock`.`report_access_codes` (
`id` INT NOT NULL,
`code` VARCHAR(45) NULL,
`expires` DATETIME NULL,
`uid` INT NOT NULL DEFAULT -1,
PRIMARY KEY (`id`))
ENGINE = InnoDB;

5
lang/en_us.php
View File

@ -88,7 +88,7 @@ define("STRINGS", [
"report filtered to user" => "Report filtered to {name} ({username})",
"report filtered to start date" => "Only showing entries later than {date}",
"report filtered to end date" => "Only showing entries earlier than {date}",
"all users" => "All users",
"all managed users" => "All managed users",
"one user" => "One user",
"choose user" => "Type to choose user",
"filter" => "Filter",
@ -97,5 +97,6 @@ define("STRINGS", [
"shiftid" => "Shift ID",
"shiftname" => "Shift Name",
"punches" => "Punches",
"not assigned to work now" => "You are not assigned to work right now."
"not assigned to work now" => "You are not assigned to work right now.",
"not a managed user" => "Not a managed user",
]);

39
lib/reports.php
View File

@ -19,14 +19,35 @@ use odsPhpGenerator\odsTableCellString;
use odsPhpGenerator\odsStyleTableColumn;
use odsPhpGenerator\odsStyleTableCell;
require_once __DIR__ . "/userinfo.php";
require_once __DIR__ . "/login.php";
// Allow access with a download code, for mobile app and stuff
$date = date("Y-m-d H:i:s");
$allowed_users = [];
$requester = -1;
if (isset($VARS['code']) && LOADED) {
if (!$database->has('report_access_codes', ["AND" => ['code' => $VARS['code'], 'expires[>]' => $date]])) {
dieifnotloggedin();
$requester = $_SESSION['uid'];
} else {
$requester = $database->get('report_access_codes', 'uid', ['code' => $VARS['code']]);
}
} else {
dieifnotloggedin();
$requester = $_SESSION['uid'];
}
if (account_has_permission($_SESSION['username'], "ADMIN")) {
$allowed_users = true;
} else {
if (account_has_permission($_SESSION['username'], "QWIKCLOCK_MANAGE")) {
$allowed_users = getManagedUIDs($requester);
}
if (account_has_permission($_SESSION['username'], "QWIKCLOCK_EDITSELF")) {
$allowed_users[] = $_SESSION['uid'];
}
}
// Delete old DB entries
@ -34,8 +55,6 @@ $database->delete('report_access_codes', ['expires[<=]' => $date]);
if (LOADED) {
$user = null;
require_once __DIR__ . "/userinfo.php";
require_once __DIR__ . "/login.php";
if ($VARS['users'] != "all" && !is_empty($VARS['user']) && user_exists($VARS['user'])) {
$user = getUserByUsername($VARS['user']);
}
@ -50,14 +69,19 @@ if (LOADED) {
function getShiftReport($user = null) {
global $database;
global $allowed_users;
if ($user != null && array_key_exists('uid', $user)) {
$uid = -1;
if ($allowed_users === true || in_array($user['uid'], $allowed_users)) {
$uid = $user['uid'];
}
$shifts = $database->select(
"shifts", [
"[>]assigned_shifts" => ["shiftid" => "shiftid"]
], [
"shifts.shiftid", "shiftname", "start", "end", "days"
], [
"uid" => $user['uid']
"uid" => $uid
]
);
} else {
@ -92,6 +116,7 @@ function getShiftReport($user = null) {
function getPunchReport($user = null, $start = null, $end = null) {
global $database;
global $allowed_users;
$where = [];
if ((bool) strtotime($start) == TRUE) {
$where["OR #start"] = [
@ -103,8 +128,14 @@ function getPunchReport($user = null, $start = null, $end = null) {
// Make the date be the end of the day, not the start
$where["in[<=]"] = date("Y-m-d", strtotime($end)) . " 23:59:59";
}
if ($user != null && array_key_exists('uid', $user)) {
if ($user != null && array_key_exists('uid', $user) && ($allowed_users === true || in_array($user['uid'], $allowed_users))) {
$where["uid"] = $user['uid'];
} else if ($user != null && array_key_exists('uid', $user) && $allowed_users !== true && !in_array($user['uid'], $allowed_users)) {
$where["uid"] = -1;
} else {
if ($allowed_users !== true) {
$where["uid"] = $allowed_users;
}
}
if (count($where) > 1) {
$where = ["AND" => $where];

7
pages/export.php
View File

@ -51,14 +51,17 @@ if (!account_has_permission($_SESSION['username'], "QWIKCLOCK_MANAGE")) {
<div class="radio">
<label>
<input name="users" value="all" checked="" type="radio"> <i class="fa fa-users fa-fw"></i>
<?php lang("all users") ?>
<?php lang("all managed users") ?>
</label>
</div>
<div class="radio">
<label>
<input name="users" value="one" type="radio"> <i class="fa fa-user fa-fw"></i>
<?php lang("one user") ?>
<div class="form-group" id="user-selection">
<input type="text" name="user" class="form-control" id="user-box" placeholder="<?php lang("choose user") ?>" />
<label class="control-label" id="user-not-managed-text" for="user-box"><i class="fa fa-warning"></i> <?php lang("not a managed user") ?></label>
</div>
</label>
</div>
<hr />
@ -75,7 +78,7 @@ if (!account_has_permission($_SESSION['username'], "QWIKCLOCK_MANAGE")) {
<br />
<?php
$code = uniqid(rand(10000000, 99999999), true);
$database->insert('report_access_codes', ['code' => $code, 'expires' => date("Y-m-d H:i:s", strtotime("+5 minutes"))]);
$database->insert('report_access_codes', ['code' => $code, 'expires' => date("Y-m-d H:i:s", strtotime("+5 minutes")), 'uid' => $_SESSION['uid']]);
?>
<input type="hidden" name="code" value="<?php echo $code; ?>" />

4
static/css/app.css
View File

@ -82,6 +82,10 @@
display: inline-block;
}
.red {
color: red;
}
/*
==============================
THEMING

18
static/js/export.js
View File

@ -18,18 +18,34 @@ var options = {
return data;
},
getValue: function (element) {
if (element.managed == 0) {
$('#user-selection').addClass('has-error');
$('#user-not-managed-text').css('visibility', '');
} else {
$('#user-selection').removeClass('has-error');
$('#user-not-managed-text').css('visibility', 'hidden');
}
return element.username;
},
template: {
type: "custom",
method: function (value, item) {
if (item.managed == 0) {
return "<span class=\"red\">" + item.name + " <i class=\"small\">" + item.username + "</i></span>";
} else {
return item.name + " <i class=\"small\">" + item.username + "</i>";
}
}
}
};
$("#user-box").easyAutocomplete(options);
$('#user-box').on("keypress", function () {
$('#user-not-managed-text').css('visibility', 'hidden');
$('#user-selection').removeClass('has-error');
});
$(function () {
$('#startdate').datetimepicker({
format: "MMM D YYYY",
@ -40,3 +56,5 @@ $(function () {
useCurrent: true
});
});
$('#user-not-managed-text').css('visibility', 'hidden');