From 98ac4653960f1505086afb84d318c9c7df6d7493 Mon Sep 17 00:00:00 2001
From: Skylar Ittner
Date: Mon, 20 Nov 2017 20:09:50 -0700
Subject: [PATCH] Enforce permissions in report system
---
 action.php | 16 ++++++++++++++--
 api.php | 26 ++++++++++++++++++++++++--
 database.mwb | Bin 9217 -> 9289 bytes
 database.sql | 3 ++-
 lang/en_us.php | 5 +++--
 lib/reports.php | 39 +++++++++++++++++++++++++++++++++++----
 pages/export.php | 9 ++++++---
 static/css/app.css | 4 ++++
 static/js/export.js | 22 ++++++++++++++++++++--
 9 files changed, 108 insertions(+), 16 deletions(-)
diff --git a/action.php b/action.php
index e697b3c..1c1cfb3 100644
--- a/action.php
+++ b/action.php
@@ -39,7 +39,7 @@ switch ($VARS['action']) {
 $shiftid = null;
 if ($database->has('assigned_shifts', ['uid' => $_SESSION['uid']])) {
 $minclockintime = strtotime("now + 5 minutes");
- $shifts = $database->select('shifts', ["[>]assigned_shifts" => ['shiftid' => 'shiftid']], ["shifts.shiftid", "start", "end", "days"], ["AND" =>['uid' => $_SESSION['uid'], 'start[<=]' => date("H:i:s", $minclockintime)]]);
+ $shifts = $database->select('shifts', ["[>]assigned_shifts" => ['shiftid' => 'shiftid']], ["shifts.shiftid", "start", "end", "days"], ["AND" => ['uid' => $_SESSION['uid'], 'start[<=]' => date("H:i:s", $minclockintime)]]);
 foreach ($shifts as $shift) {
 $curday = substr(date("D"), 0, 2);
 if (strpos($shift['days'], $curday) === FALSE) {
@@ -167,7 +167,19 @@ switch ($VARS['action']) {
 $resp = json_decode($response->getBody(), TRUE);
 if ($resp['status'] == "OK") {
- exit(json_encode($resp['result']));
+ if (!account_has_permission($_SESSION['username'], "ADMIN")) {
+ require_once __DIR__ . "/lib/userinfo.php";
+ $managed = getManagedUIDs($_SESSION['uid']);
+ $result = $resp['result'];
+ for ($i = 0; $i < count($result); $i++) {
+ if (!in_array($result[$i]['uid'], $managed)) {
+ $result[$i]['managed'] = 0;
+ }
+ }
+ exit(json_encode($result));
+ } else {
+ exit(json_encode($resp['result']));
+ }
 } else {
 exit("[]");
 }
 
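Review bot: The loop in the second hunk only marks users that are not managed, so rows for managed users come back without a `managed` key and every consumer has to treat a missing key as "managed"; setting the flag in both cases, `$result[$i]['managed'] = in_array($result[$i]['uid'], $managed) ? 1 : 0;`, makes the contract explicit. `count($result)` is re-evaluated on every iteration and the loop presumably assumes each row of the upstream response carries a `uid` — a `foreach ($result as $i => $row)` with a guard on `isset($row['uid'])` would read better and not warn on a row without one. This only annotates the rows shown in the user picker; the actual restriction has to be enforced by the report queries, which this hunk cannot show. The enclosing `switch` case starts and ends outside the hunk.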
diff --git a/api.php b/api.php
index b16a7f2..6acd53c 100644
--- a/api.php
+++ b/api.php
@@ -31,10 +31,32 @@ switch ($VARS['action']) {
 $out = ["status" => "OK", "maxresults" => $max, "pong" => true];
 exit(json_encode($out));
 case "punchin":
- if ($database->has('punches', ['AND' => ['uid' => $userinfo['uid'], 'out' => null]])) {
+ if ($database->has('punches', ['AND' => ['uid' => $_SESSION['uid'], 'out' => null]])) {
 die(json_encode(["status" => "ERROR", "msg" => lang("already punched in", false)]));
 }
- $database->insert('punches', ['uid' => $userinfo['uid'], 'in' => date("Y-m-d H:i:s"), 'out' => null, 'notes' => '']);
+
+ $shiftid = null;
+ if ($database->has('assigned_shifts', ['uid' => $_SESSION['uid']])) {
+ $minclockintime = strtotime("now + 5 minutes");
+ $shifts = $database->select('shifts', ["[>]assigned_shifts" => ['shiftid' => 'shiftid']], ["shifts.shiftid", "start", "end", "days"], ["AND" =>['uid' => $_SESSION['uid'], 'start[<=]' => date("H:i:s", $minclockintime)]]);
+ foreach ($shifts as $shift) {
+ $curday = substr(date("D"), 0, 2);
+ if (strpos($shift['days'], $curday) === FALSE) {
+ continue;
+ }
+ if (strtotime($shift['end']) >= strtotime($shift['start'])) {
+ if (strtotime("now") >= strtotime($shift['end'])) {
+ continue; // shift is already over
+ }
+ }
+ $shiftid = $shift['shiftid'];
+ }
+ if (is_null($shiftid)) {
+ die(json_encode(["status" => "ERROR", "msg" => lang("not assigned to work now", false)]));
+ }
+ }
+
+ $database->insert('punches', ['uid' => $_SESSION['uid'], 'in' => date("Y-m-d H:i:s"), 'out' => null, 'notes' => '', 'shiftid' => $shiftid]);
 exit(json_encode(["status" => "OK", "msg" => lang("punched in", false)]));
 case "punchout":
 if (!$database->has('punches', ['AND' => ['uid' => $userinfo['uid'], 'out' => null]])) {
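Review bot: The shift-assignment block added to `punchin` is a verbatim copy of the one in action.php (the context lines of that file's first hunk show the same `$minclockintime`/`foreach` logic), so the two will drift the next time the rule changes; moving it into a shared lib helper that returns the current shift id or `null` for a given uid and calling it from both places keeps one source of truth. Within this hunk `punchin` now reads `$_SESSION['uid']` while the `punchout` context line at the bottom still reads `$userinfo['uid']`; if both are meant to be the same identity the mixed use should be resolved in the same commit, and if they are not, the identity the API actually authenticates is the one that should be written to `punches`. The loop also keeps the last matching shift rather than stopping at the first, and the "already over" check is skipped when `end` precedes `start`, which the original had too but deserves a comment such as `// overnight shift (end before start): end-of-shift check does not apply`. The surrounding `switch` starts and ends outside the hunk.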
diff --git a/database.mwb b/database.mwb index 06f6e70426ab23f72618834f6b2cac52f2ef508c..398ab2f38e633230dff8a6c96f10d879402990eb 100644 GIT binary patch delta 5541 zcmV;W6@6aWAK2ml3|bW0s+zK-J`002<@u^4U*e|8A`d=(+rQnf>f zELDQvc7vae$57EF__2c@uRRt4e>(DjAIR-ZxxLAXdqOHAZXejm!camBL%FKzZN|mk zm=#Uif>IUriLk@IWAHw?WUg+TTbN5$i`iusv&<#q&LyJ>cG&1#GMc$5bID{bnM~^6 z^t>@wx8T0#jkWcnf43y5UuKBO3^C?ai>}KIvE9xPYv;?!3^AD@CNsojhS<`rCRb*N z?Pi9UsvfFNN7Fy)Y#Cy%;(Kq9A%@x0l#c3tQq6bE5K9prxV#S_#1^hkBEDpn7}v^& zMUYGWuO1lTQu?0o9XM4j}@p#FKdr z9e+2B77alrqqxc-uIyoZ6X==jCa{J1<2QX2X0KUX3mz_d^je_}BqArYhtlsTy~N@i z`_7XGFJ|;276K70lnK3A>6gwps^tR;7QD9CyiKk1g4m*$=XHy&nphnCK&WIW?|R{2 z;li7pl8>Mxh7ue(rXq&a{YVf`4@u~xVt+^xfQ(gvv@|iavPWc#p#(A*hGIw+e}tK! z?g^uGkGvE;ilLQD1|?bU3v;$yT@!{se~gBiID<3v3}M7nOBks|@}gW6%@n_&*p(C$yec4Q zl`0Aw-lHLyr(8ed+&Ek$K)>C#*=;ht02Gty4@4Bq)(fgL;{e#l!G%6hOrNpP7Relw zK@cDV6hoSmWDqicawq>Re#ixK-daJ<)ckh>Ia9Z`3gqC&Th92VEsJ>n6Z!uwHl#^!I|-0B#e! z`pQ1Tt8JP42d_(B{Py+q`0kATy;I!5#`iW7&Vzk}a|Ct{&M~1dkgMfQfOB76E1cWn zPJJ2S-1dX5f^%(W;QaRH+ug-ABcMBmvu;2?`~B?X+tvYI^90>Nz_X#hLx7hiMIOee zi=GfHawIW-PbB8i=Ciarp=>BpIey5W%`quuiM8Z;NjXanYS|D(kvMW#^TJ{%j-EJ5 zUN{g(EQk^yiWatgkswljQedxH6fp$Dp)l5#UAVzPDi%nq;VKXw&cu=v5l}qaQ=#;T z8OqUI72&Y8h)pvt`##$5C~5H?fC zk|UQBR5igxS-T?2Ly>|k2@02H&8A3^dZDN;qqrD~T8W^XJLe{7R}=kPhSC?ywqoWH zR|?60JWaBHx48eLq3OURNwjba&v7*`K)Q0kydkh`T?$}cfQahygoYJo(<;5X`htCR zkK3N9?|5`~asBU$>$|_J|IN9x^7-cGvc-0a$ek4a?Rai=LLinJwFZqkJHFmer3%6) zipt=_p{SI)hV){W^A5PE#2pP1C=_zyg9z( zRVDJSvB$dPY@mT!x;gt6_UY!^^3W+NZF2Tgo3NLnO8;rG|77qY9e!EeTXoVlPo0_$ z0pCEMdf0QiBnoA7-m26Fy5jGrOyyR8 zf!ackjJ?&P4Rpho$AP?oDt*5ALbOR!T4>Y$I^w9jyFnTzVTS2!c^b)%YZD1fm_)>E zs{gbsa^lS#sLz)-pE#YdxB^pBgm`eLq5FVuRd&QxLwVaCLEddU=LP?5A?Y#So<-lxN4{&yKIZ zU7g)tob0Dw;o*}yC0?g6js4W8$@M#%r&Y_cOWr`Gh?~tHGDY4#KDpcE{RX;NQ&Z7e z$C}Q>m}U*-;FrnaS8|0fx%zsV74BKgS>ZMSz(D?33BT7w8z$K_-_w>FrL0?vAmh02!RaoF-)#JE|y+&yh`uuv0D7@o9aB%wE<1J zxvRQdUkt$X<|L!H;pKMHV!D{%Rr5`fisLFR;X27dWh!BsJZ3?X4S%2c;6k}KW8BXQTH?igA@$Mbsws4^C9%Bty~k` 
z(&`~!F%`&e^)y|BnxPwXb`C~KhWr(Cf2Jk@Q1ljqSymBf9?C}8rIqAt3q+WnuIi3! zmvzEC7Gb&`Kpu28ri)7<7*(?*c<6&H3kNas``LXMBs-6u_(`=9swO z{=&0}5^N0q%XL0~pPwGHiVm@k{tQCgzd7fa$aS~%{{Z@jb{{VHRCkf zkJ604gBh;}#%X<4u#0AV3$3_KZxJ`e9d}x~oez-WUiBZ&Xhx>1r9y{N#tjp{4qI^$Z|H{(rt(AQ zJpG~51OMGgf=-T!5}Nhr503~vln+b(I$_qqpws>E;p_>JD9cZsUU65Pr=7>7i2TkF zfw=tjhsn=zzeB&1#Q29XCQMpJS^41uHhj405P#`^R=t5BL*yOIa2Dp_cg!CqmXgLx z@*h0ZiIYw?0vNA;=#ckGV@c}czWNEu;=kn|hJbXv%Q+G!l{IgH1LtSwr%P*$trZ8b zo4I}aGJ03vJ|xh(ZX1VQ>nhHkVZlrLR{s25Jbcv;prU);A%ua!a=tA+{PlYH^}v9p zf!SMs58tr1(6VdWXW5OGKEAE(nPJBsW|HQ80I`9|`Vh09i9HcsI308ccUPJIXPAa< z*t)4Wj%8SesyeP|o2qN-szx@?bo$d{zwPPqt4a3ij>J_mJv+PY)G9#Dw`nZ8s4W@2 z3QuQH!z=P{`$&Io?5-s_6O3*%AFrssYCvFrc;hscB*`nXESIP?tqIzMFDx8NOEcdj zfMM|s0)m5EL`Uj~jt@Pe*(G41N8?^D$u4Bjkk%OxU(%!))e15opR*M=Ij+$RuW}?B z!_XFqN7qH#@T~AI7n<=Et^^I+%N+^V)@B5&Xqv6tx@DV&p=-LPn66jGP`Hfmj< z(lhSw^unN?&@S_Y-oAx_s~B%F%a*i%?MaujK|HD^T}}}$Ck;Mtk;`eTmUKC{*yUs> zQc+pcX@QCfY<*l-Z(~uR2-ITf`X$YKd6FWZL_&;p7=N6vPC;=vQp;8=cM zTsY}fU5`b*0glUPops9khkq&-9Vn#tTQAEfSq)?#_${0 z7zam_8N*DUCg*EqlF3r)uAykYZa@m^9NJh@N6plEwb3;KLo@W|T0lny58t+G_{cP< zq|*O(eeugT_B+;G$8(Wqt!N~S*$D^Oh^y)fxgoiqq*effoY;T3ZEQxc-s-})Od(#j7C-(gf6(QGB zHS7^t>QaE=8F`vyu2tzH%ZXFedSED2va%t!xgp*Wuc>>i-QXK)(^Oq`73^?#rKD~u z>jAZzx=zJAFZB4fWd|C6pwU>e&S0kx1KfZMR?sK)EBJRZbWbrnqj7QZYlt4FrED3t zwh0BYraA?9(R!pQs*QVbs3{%Q{iIr-6qm7R1n%ho<^RGfs0$x2Cc_{k`$~%zS6qa9 zc*+bxRYWEJ zQd$ozGAFRe@?=PAcdx9d3fgY0UV-#svg1B1zpUI<@>R;iH0H_QQa2U)@tA9R{>#fA zL&Kgq_gOqn6S9kccc8DHd%s+sdRK{$XXU3a2s4fC%W<9qJmvjfy_xrFXPSxHNs92l z7qO3?T2eYqlTll4F5(QOq)%!aDizL%;OAS0T2lB8q%l@tUPi8y^PkU?bRri{BBZK& z_J3IMzNX>#FhT>wPm6dfUn2k!Ntq+_o{!MYFsvN{G7-3cNc0}U(fQA%?sE61q%qAD zX+h;SDRK;=r6WhIOIt#1c)6>SH&&3CGp_SgU}+cn*z@aSc1A_sC%g6w4KNi~gL*#n zYrYdNL)m@u*neziHYUUhZUYu4{qN|pKWabI6Fk$$ z0{XK6QN65x;G&gbU=gY}xE5eE>YgUBAoVCO;vkv3^+IFz z-#ri5j^a6!>@!Sp_0$DLeovxldJoSLNIMsKj)$Lm;!oM^itUE zNuF1M35H?KhFU0&sad9~Ihw0#s-|d~t{A3nkZ+2s+vb97wdSTS%lIa%i)qaMXBmdA zIhL+}sjBPZKPk3?AL+JZS<{vjrj~B2kgd09>W(1R8XB6vKP3&vg%l2s$hmY1!kks% 
zE7ilZz2>UE2)6-VhOjbhA#vp)XD5Jb!@Ri^zKu)na9b;A3u_t zyN*8mKTt~p1QY-O0000agLF%H`R=*}0001!T_XsS@gEZj>6vs(K`fAn?vo858GldP zFc`<3rZ1yXwFA-+;^G}9(TSiq&MT*NRS(mcfKnKoQag4;rM|E>yzDY*Fuv2Y@38B> z#|}Gfhb3u&c7@{GwADW)b?oQ=Sh1bwanjwL%~r%=*z0#l1Tn}0MFB4$1OP0?=K{Fp zNqlC<>I!(6MWB8EoJ+*&&!k=$7Jm|n_aEBDBq2#&q38u4Z9IG=#XL5$pzHPNPi7BJySOrHiOwtoo`lRExz!fPfhjE8>eH)ZJ^NB3BQUZ=ym(H*^Q*I&J<)DPk7+9ABT;eWAPzHTa)ie)X6 zU#hGqpw(skeDs-5PNH5~_eYcIqtS($?EK08uYzYFbEbTVi@Ukl&!?gG>2W&!h=qZU zDba!;H1An%5zWG6sEN2tg_>bem*}oN+i6Viy4bP8KvZu!%m@t1MfD7E?%BwQL%~K5 zhQi0wTspBA!yHCzkAK>Bm?j%~Puz)U9!*ZHh|AQ(5{e8bP6D%?ZuJx+?0Pm8(w8su z+2Iq_O9##j9FPFdOqe2?+~mMTT&4!j;)mBmCKpbAj_rg75l;3j2xAA2i0btaTcLqn z(S>km+|H@sLdf@ji9~+?OC*x{<2O)C0Rj{Q6aWAK2ml3|bPG!zX}*r*9{>PQ{F5Og zPErvd003-nV{1@L0Rj{Q6aWAK2mtAsbW1@jkcjRA0000a000XB0000000000006du nI3NH3KxASsWMOn+E@Wa*O9ci10000300RK20000_lfffELrtxK delta 5398 zcmV+x73u29NP$QgP)h>@6aWAK2mrQ)bW06XdM%|N000T~u^4U*e>M;NWUUOLwK7~) z^)}Ky-Dt{J5lcwUhnF*xrO2NwU}LIG0X6J?(lk=^Pi0lucw)tGQ3`f z*ULP|O%J7abqnr$D1BQmdQ0*gWzf6~nrB|M=(-G=-|e9JcD|epnwLTIGH6}~%`e?* za%Ir`ZU)V(>Y?g%H8lN`&K5N9D!%syLGx4goOcVFPZ1utybmD67OqbY!DZk)*UE=Q zkW2os?D6Yc-%MA;#Z!}S4jTd4lZy@^0z{3It_~f4FpQegQLRr)1FiUt;wpo#dGquhOVvSy&*Db2Py*M0#P{~l<^}@lzg*Q7TA3;Y9B{*_SMGUF? zkszLb9+J>W#gHNZ8LI+mX<}$)kH{8731lz~#gHog2s1(56GrJCc`14nLn{w6OB1B* zsDKZtICU??kQ#WJt_o7oL5k3WC?lh4qO8oodk{FCO;M9@NT#76`&TUrgiwN+CJZMm zOOU>!XHOVkL$ZVvMk-B)AQlI#nm|pp1x`g(RUj=(AT2?C^uidV&w|ViO0wJ+=4`pT zCJcZ67!5OV250CQ!icGsFj9-;MY$-N$p@y`l@t@aDj;Z;DlQw|qam25TtDO7I9wz^ zzumUkZ8E(R4U-uVL=^JK3#v2Y0NBUDg+5SBpRx7`$t9C<5Fi88hnSO;5Hf$#Y~#}I z-tvN+w^oodHUFJJ&eW}~0y(%dAa{5C`SOen<4iYLH^%kOF3(QxwhiXIJ%c$@Gj<5( z$`hq77KEQ*Iuh?T0q^{^;+>@`?}T@j>TVU@p?$_X%hBE)@0PrGaosz+<#_Mz_TtNz zv)gS0Sbxs|)>7=91K6-k@R5J;x(VzRFjvw-8b4-d`Vl8=Ia)AK{wQLBYNE|t=d0{aWM^79jFC2&?7DNdUMGM=$NDwJM zDX`ZpiWq|7P#9~=YLIh~iUrbYsE*FVnOJfn0*YsQDwG~ELpgd9H46lis%(%zf>9C= zM0OQR&WjRHl$MAiRY`wNAVDHIf#m+kl30{=t4l-+CbziaG$%n}`Zg3vN>~@4kuXb1 z_{wrH9EqkUtg{1@3{fu3`i>HD&J2D7RqnMg=A!3;u$elR9J#EZstGR2+7(eAiWFo? 
zP`ET}Hbsim3q^Gq#l=w6N(ANHIX6MOn&{s$l)hND6*G^xQb>R1X_EcB#r-D@O$R1P zqJ>*{j;nbA(v<_|4S{9rQULP;L{!%)G^{wAR_WDc80@Qi-1ba;$D_N8>wjNd-~C0}a&D&DpoG zPdDF|hfYyxle3@NguN71`cI4fCxaL1@XPAns*|>P>eO@y_y+pa!=BS6Q7Eg0LTP)e zQ2OR6RO2!58)($k+3Cf%E22_v3zgFMR;4!36@NcvDz|?M)E0VV?5!Scpc}qC4&)6~ z>GQ=GqD`98LYwy25l7|S4bm_PGfZd8(@1t)n@C{7BqC;0{ikJ-6L01~eZIW;%&A?M zH`iY}zaHOyzPMg~)!cq48HotnR25qm*7Rm7c6avsT}u@^`PcCtTQR9w>(Q+J)Tm+T z`w=P=8{~hUg77_stBcdq%QH-3Kb0#khA0i8JUbSDc6|Nq>g@L7WIy!^51-U2@j8WR z?593WuHV@_ty-2{@&+nJ+-&}kDf0I5$=xRJH_*kJnu^vs)^sMuG;1gazf2Clk}G`4 z)z{OkaL;1S3bz3O2J**B_`N3DFv+I*u3iyF{&jyb^vDn#s;lScOsXvSBT2`vnoMto z@$^lL<;@gD2xN$lVRGehvGk(jReE2K)#7*GROgwl4QR^EUDf6KVgRN$CmFpBFSnBx z)5Qd@ns1U+99L-x*GUd4Qwh`LF$oI>xA3PMp`|jxeISV0(x~Cx+q+mF%`%rzG520Ue<(lZ0RuB1#sX%tCr|BBh4Beo! zb1+IWgwtYcQc?wR(!AVB5Yi2lbBhGKC21~1xU-ZvG-hfo{S-X*Mp4*!H~h+hsjT36I4FNo zG}Y+(`;o8d5I~);Rx3x-rEtcL1IzU+D{#4Vg0As-^c=e|6lh1Ki_@|C9%i8z;XbJx zcA>G75zPXT7pZ*gEqSixA3|inN)WD%%)`L2e8m7raZGbPNHr=jV`z*}s)Q&BQSS~> z^=xpOW`l&N{emdR_Z7uZ-8DA8qY!_^xV__}45nd|-C49eG_1DE!?~dk$}fVJg?FUn z>XBhH-`pvwa9-KZK|a1uTLg zNW;I-X_$>7@Vs=pkro2VVHsE3D?g7Xxg&70VbvZCP|Du(7oJ6wU}NxKuJeES{PdVr zbcl8IXAt5Z5B@#2>T1{3FfeFsjr%2dp6t^{<>#@9vs+7jhV2LiCDWK?W{r;$_`s#2 zLl74r>VEPlxF-L%y>O8PV2LRT{Poc zXvJ-Mi?}K7xYN=dH}=emzc_hbpE<82bDiXKrW_(Ia1hd%O}XW%o(?UQ=^!IW=y&^H zRQG?vFaD>J(SN%C@xgQUpANPQ5eVZl*yY1d3;z4?;qD%F>R(q-(z$<6B0uZokI7+# z@*Jg|4=Ea@C_`}-HIsGz-Yb6STqQqr?(qMALqBvdl^;6i=?|SA`0q{J0=LBJW^^voH_8WBxF)lr&zF|KOocoOH4gzA)lX0s|1JM81f=U-&XG8&ta%F@I6pf-U0P#otvG<)%7YBfyUO%G!!&He)=kB6EWNBVPPcP+`8 zV04@Lct!P90|I};8>guxNnVj+0T)hvJ7ckwuQ{SB^QGkT0{jqP*E zZyBmD%W1^-Y43{>xpC@qvxECaim|Mjr$)V9_SQ4kTYn|Vus*#|m~w?%B(-@6nU1EH z$4GGfNo^{vZd!r4)}*$NYmK?If?zE!%g2pb7ubrmQR@Pgo^gMt7Y6l&c9|#i_ALxt z#dwQZwxoY;Pr959;!!o}a*A*{Y4CZATuxiHq|3R*E+<2giprW!3sg*C>*KO|8;c4> zpcYHlFKOP(lN9+R5@M{w_~U$a3W~#-vfRZjsf{!S$MW;y!bz{{dMxS{XjOirSEA*3 z3Y1?~R@?~GMQ%^_9K)|^5`+<42L^LIDS45is zi>E4x?vpJ4r0a_H>C>N&;R7V|_n_I>U?YiaeNmqykmWze*uI{ACiP!31_wt8bTg=} 
z@zM~QBNY40ww30vkLhq>X-k^vIY4o&=9WUAm$1`J`0MS(RYP^=<ausF^f+8igr`yloHb2J*aSogq;G?4-*zhTpixI5?Wj7-sr3IbSQ2OqNo2 z4Mp>H15!}u(8iiNYNpPsjjj0y-*q__kHUN2Wm~mHxNui(kI6-?8R8o{Kzd zMI&L%PB_3uTvb=dB`I=d%D_^69lKi1luLhj=b*hhmYO~r>RQAURh~ndn*iPNt{DgHFd<ousq9OxBIgynOxy=pn zj!RA5W97)e z@5fgukGz;Ce@op|=*MHO>G>}&dkhVG=5%K9I8Ded-Y33#?)`Fk>Rly1o|S)}z97sr zwlBwd4)B!sd-ayvtNmjpY9}ee|6asCdTL4OG)+crxw(ill#)KFZKzZ@BZ8lA8EQ%4 zH;~3yfq5CZPR@TmPtu88IEj$j>)HQd#rv9u-@^zE5I-&At$d9DL?p3|%zHjUH^Z=Y z2*^a>BGG#YN9RA6y35_4lE!~DpQ8np+oZ@bh?b5Vu`X>1wc+KiPO(@)V$QhEQ-P&j z=wr{XkJ%X&d7td9FEqeZTn*~^(60%HEiBH2mYWM$8_IiyTJ7o|N^{eC@`{W+P19Fc2a{b9hr8Em;DvEWe+8s^(WV-ZJ8sc}Bzcose zDny(tOUJp^^+ReRlPiBj)Gocft!(L6Y%#F?314j(zm-$Vq3>V80QFFwmj-H9-&OXz zSbS*Pu5FJ;W0vwl5zba@1?eD+KPP!!g%22pH5(A2IHqQqs^(~}s;QcyX}V&Vx|;Ux-6rRtS+W8`=4bPw&qy6rmC)s|D@Ooex%!uWldXKQkYu0tpcmwqNzKA zSZio#{+5$89G5#dI3lOVDF|~`g|Ac(&z8IC4N{}Y_nA0|N3UBxFE5S)#)~D~vP!!U zkboq!%ha*O4$-?$-DVyqAAkHv?$*|10?KOSlS?2Oe{a(;7{{Ha zFRW58lh8EvVlHS!%Sht9?nJ42Kn!i`I@nIB9ot%^zKk||;ey1*z7yg*aOHb&-~YtK2_Va(N*v|7f>E7;EJ7SRc2VERN1hPO;z!L}o0L$^Y1a7$>pV^7J z0)Edj(7t@gC1UkkQZI}Oe~Co$_sOfJG&Vnj_>f2>{{?GGVHMQki!L5UY%pXU7Dn(9 z$}JP42QU>&x6OE)R9!ud{j%yCYs)bn;BL@~`~TT;zPGyt zubHw?#)H&v#?n8I?y!XYZkP3&IE2sZhw$cxeP`7|^yAE(P@P#)@tU@Z)} zb;si&qFI^_O%a!w&@^r0Vcm1)J5A_454koEMfH|T&Cn!FNMCt(noB3@VwA(M;}gf> zX|f@A#GQ!df8O*&iMY&66efo0#z|nl)2*H$19`qfg!Glmd^R2U`+hobYN8N_Xl}w3 z(d4EFF5)sXa2h|1zF{%p*{|RC+C?9{>Oe0ritPsZ)0mvO928D z0~7!N00;n~g>*|10?KOS0ssI2Bme*l00000000000002Cf%+el>mwZj2a^dTK "Report filtered to {name} ({username})", "report filtered to start date" => "Only showing entries later than {date}", "report filtered to end date" => "Only showing entries earlier than {date}", - "all users" => "All users", + "all managed users" => "All managed users", "one user" => "One user", "choose user" => "Type to choose user", "filter" => "Filter", 
@@ -97,5 +97,6 @@ define("STRINGS", [
 "shiftid" => "Shift ID",
 "shiftname" => "Shift Name",
 "punches" => "Punches",
- "not assigned to work now" => "You are not assigned to work right now."
+ "not assigned to work now" => "You are not assigned to work right now.",
+ "not a managed user" => "Not a managed user",
 ]);
\ No newline at end of file
diff --git a/lib/reports.php b/lib/reports.php
index f5f3a21..a2f531c 100644
--- a/lib/reports.php
+++ b/lib/reports.php
@@ -19,14 +19,35 @@ use odsPhpGenerator\odsTableCellString;
 use odsPhpGenerator\odsStyleTableColumn;
 use odsPhpGenerator\odsStyleTableCell;
+require_once __DIR__ . "/userinfo.php";
+require_once __DIR__ . "/login.php";
+
 // Allow access with a download code, for mobile app and stuff
 $date = date("Y-m-d H:i:s");
+$allowed_users = [];
+$requester = -1;
 if (isset($VARS['code']) && LOADED) {
 if (!$database->has('report_access_codes', ["AND" => ['code' => $VARS['code'], 'expires[>]' => $date]])) {
 dieifnotloggedin();
+ $requester = $_SESSION['uid'];
+ } else {
+ $requester = $database->get('report_access_codes', 'uid', ['code' => $VARS['code']]);
 }
 } else {
 dieifnotloggedin();
+ $requester = $_SESSION['uid'];
+}
+
+if (account_has_permission($_SESSION['username'], "ADMIN")) {
+ $allowed_users = true;
+} else {
+ if (account_has_permission($_SESSION['username'], "QWIKCLOCK_MANAGE")) {
+ $allowed_users = getManagedUIDs($requester);
+ }
+
+ if (account_has_permission($_SESSION['username'], "QWIKCLOCK_EDITSELF")) {
+ $allowed_users[] = $_SESSION['uid'];
+ }
 }
 // Delete old DB entries
@@ -34,8 +55,6 @@ $database->delete('report_access_codes', ['expires[<=]' => $date]);
 if (LOADED) {
 $user = null;
- require_once __DIR__ . "/userinfo.php";
- require_once __DIR__ . "/login.php";
 if ($VARS['users'] != "all" && !is_empty($VARS['user']) && user_exists($VARS['user'])) {
 $user = getUserByUsername($VARS['user']);
 }
 
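Review bot: The permission lookups at the bottom of the lib/reports.php hunk read `$_SESSION['username']` and `$_SESSION['uid']` even on the code-authenticated path, where the hunk deliberately takes `$requester` from `report_access_codes` and, per the comment, there may be no logged-in session at all; in that case every `account_has_permission` check sees an unset value and fails, and when a different user happens to be logged in, permissions are resolved for the session user while `getManagedUIDs($requester)` is resolved for the code owner. Resolving the username from `$requester` through the userinfo helpers and using `$requester` in the self-access branch too, `$allowed_users[] = $requester;`, keeps all three reads on one identity. The `get` that fetches the code owner drops the `expires[>]` condition the preceding `has` applied; repeating it there keeps the lookup correct on its own. `$allowed_users` can legitimately end up an empty array for a requester with neither permission and is later passed straight into where clauses, so a comment on the `$allowed_users = [];` line naming its three shapes (`true` for admins, a list of uids, or empty meaning nothing visible) would help the readers of the query functions.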
@@ -50,14 +69,19 @@ if (LOADED) {
 function getShiftReport($user = null) {
 global $database;
+ global $allowed_users;
 if ($user != null && array_key_exists('uid', $user)) {
+ $uid = -1;
+ if ($allowed_users === true || in_array($user['uid'], $allowed_users)) {
+ $uid = $user['uid'];
+ }
 $shifts = $database->select(
 "shifts", [
 "[>]assigned_shifts" => ["shiftid" => "shiftid"]
 ], [
 "shifts.shiftid", "shiftname", "start", "end", "days"
 ], [
- "uid" => $user['uid']
+ "uid" => $uid
 ]
 );
 } else {
@@ -92,6 +116,7 @@ function getShiftReport($user = null) {
 function getPunchReport($user = null, $start = null, $end = null) {
 global $database;
+ global $allowed_users;
 $where = [];
 if ((bool) strtotime($start) == TRUE) {
 $where["OR #start"] = [
@@ -103,8 +128,14 @@ function getPunchReport($user = null, $start = null, $end = null) {
 // Make the date be the end of the day, not the start
 $where["in[<=]"] = date("Y-m-d", strtotime($end)) . " 23:59:59";
 }
- if ($user != null && array_key_exists('uid', $user)) {
+ if ($user != null && array_key_exists('uid', $user) && ($allowed_users === true || in_array($user['uid'], $allowed_users))) {
 $where["uid"] = $user['uid'];
+ } else if ($user != null && array_key_exists('uid', $user) && $allowed_users !== true && !in_array($user['uid'], $allowed_users)) {
+ $where["uid"] = -1;
+ } else {
+ if ($allowed_users !== true) {
+ $where["uid"] = $allowed_users;
+ }
 }
 if (count($where) > 1) {
 $where = ["AND" => $where];
diff --git a/pages/export.php b/pages/export.php
index f9fd44c..789beb8 100644
--- a/pages/export.php
+++ b/pages/export.php
@@ -51,14 +51,17 @@ if (!account_has_permission($_SESSION['username'], "QWIKCLOCK_MANAGE")) {
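Review bot: In `getShiftReport` the `$uid = -1` sentinel only covers the single-user branch; the `} else {` at the end of the hunk is the all-users branch, whose body is outside the hunk and, unlike the `getPunchReport` change further down, is not visibly restricted by `$allowed_users` — confirm it filters on the same list, otherwise a manager exporting "all users" would still see every shift. A one-line comment on the sentinel, `// -1 matches no uid: a user the requester may not see yields an empty report, not an error`, would also explain the silent behaviour to the next reader. The function's body continues outside the hunk.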
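Review bot: In the `getPunchReport` hunk the `if`/`else if`/`else` chain repeats the `$user != null && array_key_exists('uid', $user)` test and the same `in_array` check with opposite polarity, and its last branch writes `$allowed_users` into the where clause as-is, so a requester whose list is empty (neither permission at the top of the file) hands an empty array to the query builder; how that renders is not visible here, so mapping an empty list to the same `-1` sentinel used for a forbidden user is the safer shape. The rewrite below folds each branch into a single boolean and keeps the loose `in_array` the file already uses. The function continues outside the hunk on both sides.
```php
    // … unchanged: start/end date conditions …
    if ($user != null && array_key_exists('uid', $user)) {
        // A user the requester may not see yields an empty report rather than an error
        $permitted = $allowed_users === true || in_array($user['uid'], $allowed_users);
        $where["uid"] = $permitted ? $user['uid'] : -1;
    } else if ($allowed_users !== true) {
        // Every user the requester may see; an empty list must not reach the query builder
        $where["uid"] = count($allowed_users) > 0 ? $allowed_users : -1;
    }
    // … unchanged: AND-wrapping of $where and the select …
```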

@@ -75,7 +78,7 @@ if (!account_has_permission($_SESSION['username'], "QWIKCLOCK_MANAGE")) {
insert('report_access_codes', ['code' => $code, 'expires' => date("Y-m-d H:i:s", strtotime("+5 minutes"))]);
+ $database->insert('report_access_codes', ['code' => $code, 'expires' => date("Y-m-d H:i:s", strtotime("+5 minutes")), 'uid' => $_SESSION['uid']]);
 ?>
diff --git a/static/css/app.css b/static/css/app.css
index ba45b88..738ab97 100644
--- a/static/css/app.css
+++ b/static/css/app.css
@@ -82,6 +82,10 @@
 display: inline-block;
 }
+.red {
+ color: red;
+}
+
 /* ==============================
 THEMING
diff --git a/static/js/export.js b/static/js/export.js
index 2055041..1710249 100644
--- a/static/js/export.js
+++ b/static/js/export.js
@@ -18,18 +18,34 @@ var options = {
 return data;
 },
 getValue: function (element) {
+ if (element.managed == 0) {
+ $('#user-selection').addClass('has-error');
+ $('#user-not-managed-text').css('visibility', '');
+ } else {
+ $('#user-selection').removeClass('has-error');
+ $('#user-not-managed-text').css('visibility', 'hidden');
+ }
 return element.username;
 },
 template: {
 type: "custom",
 method: function (value, item) {
- return item.name + " " + item.username + "";
+ if (item.managed == 0) {
+ return "" + item.name + " " + item.username + "";
+ } else {
+ return item.name + " " + item.username + "";
+ }
 }
 }
 };
 $("#user-box").easyAutocomplete(options);
+$('#user-box').on("keypress", function () {
+ $('#user-not-managed-text').css('visibility', 'hidden');
+ $('#user-selection').removeClass('has-error');
+});
+
 $(function () {
 $('#startdate').datetimepicker({
 format: "MMM D YYYY",
@@ -39,4 +55,6 @@ $(function () {
 format: "MMM D YYYY"/*"YYYY-M-DTH:m"*/,
 useCurrent: true
 });
-});
\ No newline at end of file
+});
+
+$('#user-not-managed-text').css('visibility', 'hidden');
\ No newline at end of file
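Review bot: Both new branches of `template.method` in static/js/export.js still build the suggestion row by concatenating `item.name` and `item.username` straight into an HTML string (the wrapping markup appears to have been stripped from this rendering, but the `.red` class added in app.css implies one), so any markup inside a display name lands in the DOM; if names are editable by users that is a stored-XSS sink, and the two values should be escaped first, e.g. `$('<div>').text(item.name).html()`, or inserted as text nodes. `element.managed == 0` and `item.managed == 0` lean on loose equality — the PHP side emits the integer `0` and omits the key otherwise, so `=== 0` expresses the same intent without depending on coercion. `getValue` also toggles the error styling as a side effect of a value lookup, which ties the picker's state to how often the plugin happens to call it; the autocomplete's item-selection callback is the natural place for that. The `options` object starts outside the hunk.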