Description:
Any user can delete time tracking entries.
From what I can tell users can only delete their own entries in the UI, but no permission checking is in the code.
Yes, you have to know the id of the entry you want to delete, but if you were an idiot, you could quickly delete them all.
How to repeat:
Log in as a Viewer role user.
Run http://PATH_TO_EVENTUM/popup.php?cat=delete_time&id=TIME_ENTRY_ID in the browser
Suggested fix:
I don't know if this is the optimal solution, but it does work.
$ diff -Naur ../e/include/class.time_tracking.php include/class.time_tracking.php
--- ../e/include/class.time_tracking.php Wed Mar 9 16:31:32 2005
+++ include/class.time_tracking.php Fri Mar 11 15:31:29 2005
@@ -384,12 +384,18 @@
function removeEntry($time_id)
{
$stmt = "SELECT
- ttr_iss_id
+ ttr_iss_id, ttr_usr_id
FROM
" . APP_DEFAULT_DB . "." . APP_TABLE_PREFIX . "time_tracking
WHERE
ttr_id=$time_id";
- $issue_id = $GLOBALS["db_api"]->dbh->getOne($stmt);
+ $res = $GLOBALS["db_api"]->dbh->getRow($stmt, DB_FETCHMODE_ASSOC);
+
+ // people can only delete their own time entries
+ if (Auth::getUserID() != $res['ttr_usr_id']) {
+ return -1;
+ }
+ $issue_id = $res['ttr_iss_id'];
$stmt = "DELETE FROM
" . APP_DEFAULT_DB . "." . APP_TABLE_PREFIX . "time_tracking
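Review bot: the ownership test reads `$res['ttr_usr_id']` without first checking what `getRow()` returned; PEAR DB returns a `DB_Error` object on a failed query and `null` when no row matches `ttr_id`, so the index is undefined in both cases and the function only fails closed because `Auth::getUserID() != null` happens to be true. Test for `PEAR::isError($res)` and an empty result explicitly and return -1 before the comparison. Since `$time_id` is still interpolated raw into `ttr_id=$time_id` (and into the DELETE that follows), cast it to an integer at the top of `removeEntry()`, and consider adding `AND ttr_usr_id = <current user id>` to the DELETE itself so the ownership constraint is enforced by the statement that removes the row rather than only by the preceding SELECT.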