Bug #9137 Any user can delete time tracking entries
Submitted: 11 Mar 2005 23:42 Modified: 14 Mar 2005 16:18
Reporter: Paul Mach
Status: Closed
Category: Eventum Severity: S2 (Serious)
Version: 1.5 OS:
Assigned to: Bugs System CPU Architecture: Any

[11 Mar 2005 23:42] Paul Mach
Description:
Any user can delete time tracking entries.

From what I can tell, users can only delete their own entries in the UI, but there is no permission checking in the code.

Yes, you have to know the id of the entry you want to delete, but if you were an idiot, you could quickly delete them all.

How to repeat:
Log in as a Viewer role user.
Run http://PATH_TO_EVENTUM/popup.php?cat=delete_time&id=TIME_ENTRY_ID in the browser

Suggested fix:
I don't know if this is the optimal solution, but it does work.

$ diff -Naur ../e/include/class.time_tracking.php include/class.time_tracking.php
--- ../e/include/class.time_tracking.php        Wed Mar  9 16:31:32 2005
+++ include/class.time_tracking.php     Fri Mar 11 15:31:29 2005
@@ -384,12 +384,18 @@
     function removeEntry($time_id)
     {
         $stmt = "SELECT
-                    ttr_iss_id
+                    ttr_iss_id, ttr_usr_id
                  FROM
                     " . APP_DEFAULT_DB . "." . APP_TABLE_PREFIX . "time_tracking
                  WHERE
                     ttr_id=$time_id";
-        $issue_id = $GLOBALS["db_api"]->dbh->getOne($stmt);
+        $res = $GLOBALS["db_api"]->dbh->getRow($stmt, DB_FETCHMODE_ASSOC);
+
+        // people can only delete their own time entries
+        if (Auth::getUserID() != $res['ttr_usr_id']) {
+            return -1;
+        }
+        $issue_id = $res['ttr_iss_id'];

         $stmt = "DELETE FROM
                     " . APP_DEFAULT_DB . "." . APP_TABLE_PREFIX . "time_tracking
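Review bot: the new ownership check in removeEntry() assumes getRow() returned a row; when no row matches $time_id, or getRow() hands back a DB_Error, `$res['ttr_usr_id']` is not a valid array access and the comparison only happens to yield -1. Test `PEAR::isError($res)` and `empty($res)` explicitly before the `Auth::getUserID() != $res['ttr_usr_id']` line, and cast $time_id to int before it is interpolated into `ttr_id=$time_id` (both the SELECT and the DELETE still embed it unquoted). A simpler shape is to carry the condition into the DELETE itself (`WHERE ttr_id=... AND ttr_usr_id=...`) and treat an affected-row count of 0 as the -1 case, so the check and the delete are one statement rather than a read followed by a write.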
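The missing server-side ownership check described above, shown as an added example that is not Eventum's code: a Python stand-in for removeEntry() over a constructed in-memory sqlite table with the same column names, with the unchecked variant beside a version that validates the id, binds parameters, and folds the ownership condition into the DELETE itself.

```python
import sqlite3


def make_db():
    """Constructed sample table mirroring the time_tracking columns named in the report."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE time_tracking ("
        "ttr_id INTEGER PRIMARY KEY, ttr_iss_id INTEGER, ttr_usr_id INTEGER, ttr_summary TEXT)"
    )
    conn.executemany(
        "INSERT INTO time_tracking VALUES (?, ?, ?, ?)",
        [(1, 100, 7, "entry owned by user 7"), (2, 100, 8, "entry owned by user 8")],
    )
    conn.commit()
    return conn


def remove_entry_unchecked(conn, time_id):
    """Behaviour as reported: any caller who knows the id can delete the row."""
    conn.execute("DELETE FROM time_tracking WHERE ttr_id=?", (time_id,))
    conn.commit()


def remove_entry(conn, time_id, current_user_id):
    """Hardened form. Returns the issue id on success, -1 when the entry does not
    exist or is not owned by current_user_id (hypothetical stand-in for Auth::getUserID())."""
    if not isinstance(time_id, int):  # reject anything that is not a plain integer id
        return -1
    row = conn.execute(
        "SELECT ttr_iss_id FROM time_tracking WHERE ttr_id=? AND ttr_usr_id=?",
        (time_id, current_user_id),
    ).fetchone()
    if row is None:  # missing row and foreign row are handled the same way
        return -1
    # Ownership is repeated in the DELETE so the check and the write are one statement.
    cur = conn.execute(
        "DELETE FROM time_tracking WHERE ttr_id=? AND ttr_usr_id=?",
        (time_id, current_user_id),
    )
    conn.commit()
    if cur.rowcount != 1:  # row changed hands or vanished between SELECT and DELETE
        return -1
    return row[0]


def count_entries(conn):
    return conn.execute("SELECT COUNT(*) FROM time_tracking").fetchone()[0]
```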
[14 Mar 2005 16:18] Joao Prado Maia
Paul,

Thanks for the report! This problem has been fixed in our bitkeeper repository and the bug fix will be available in the upcoming 1.5.2 release of Eventum.

--Joao