ID | Project | Category | View Status | Date Submitted | Last Update | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0001687 | v3.5 Release (Development) | [All Projects] General | public | 2016-04-14 08:10 | 2019-01-01 16:15 | ||||||||
Reporter | karstenmtr | ||||||||||||
Assigned To | |||||||||||||
Priority | normal | Severity | minor | Reproducibility | always | ||||||||
Status | new | Resolution | open | ||||||||||
Summary | 0001687: Administrator can't edit task_log entries | ||||||||||||
Description | An administrator can't edit a task log entry of another coworker, even if the permissions are set correctly. I found this problem when using the timecard module, but the problem is located in the tasks module. So it also applies when using the task log edit function in task view. | ||||||||||||
Steps To Reproduce | Just try to edit a task log entry made by someone else. An error is thrown reporting a misleading unexpected character in JSON line 1 row 1. | ||||||||||||
Additional Information | I figured out that the problem is located in logs.class.php. In line 145 three parameters are set. The first two are ok, but the third is "tasks", which causes the problem. This should be "task_log" or "". In BaseObject.class.php line 65 the _tbl_module is set, using the $module parameter (tasks in this case). This value is used in logs.class.php canEdit-function in line 339. But this is combined with the ID of the task log entry. So a sql-query for the permission check is built using the id of the task-log and the table tasks. This results in an empty result-array and equals no granted permission. Therefore, an admin is not allowed to edit a task log entry, if the permission-option of the canEdit-function is required. A solution is simple as stated above. Just remove the "tasks"-parameter and leave it empty or set "task_log". In both cases the correct table is later used for the query and a correct permission check result is achieved. | ||||||||||||
Tags | No tags attached. | ||||||||||||
Attached Files |
karstenmtr (reporter) 2016-04-14 23:04 Last edited: 2016-04-14 23:09 |
Just some more thoughts about this problem. The solution mentioned in the first post was to modify the constructor to

```php
// Line 143 in logs.class.php
public function __construct()
{
    parent::__construct('task_log', 'task_log_id', 'task_log');

    // ensure changes to checkboxes are honoured
    $this->task_log_problem = (int) $this->task_log_problem;
}
```

It might be better to leave the constructor untouched and change the function executing the permission check to use the _tbl-property instead of _tbl_module like this.

```php
// line 336 in logs.class.php
public function canEdit()
{
    // creators may always edit; everyone else needs an item-level 'edit' grant
    if ($this->_AppUI->user_id == $this->task_log_creator
        || $this->_AppUI->user_id == $this->task_log_record_creator
        || $this->_perms->checkModuleItem($this->_tbl, 'edit', $this->{$this->_tbl_key})
    ) {
        return true;
    }

    return false;
}
```

The second solution should be a better fix.
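The mismatch described in this report, reduced to a self-contained model: an added example, not part of the report and not web2project code. `ModelPerms`, `ModelTaskLog`, the `$useTbl` switch and all ids and grants are hypothetical and constructed; only the `checkModuleItem` name and the `_tbl` / `_tbl_module` distinction come from the note above. It assumes PHP 8.0 or later.

```php
<?php
// Constructed model: item permissions are stored per (module, item id).
final class ModelPerms
{
    /** @var array<string, array<int, string[]>> module => item id => allowed operations */
    private array $grants;

    public function __construct(array $grants)
    {
        $this->grants = $grants;
    }

    // Stand-in for the checkModuleItem() call quoted in the note; an unknown pair denies.
    public function checkModuleItem(string $module, string $op, int $id): bool
    {
        return in_array($op, $this->grants[$module][$id] ?? [], true);
    }
}

final class ModelTaskLog
{
    public function __construct(
        private ModelPerms $perms,
        private int $userId,       // user asking to edit
        private int $creatorId,    // user who wrote the log entry
        private int $logId,        // primary key of the task log row
        private string $tbl,       // table the key belongs to ('task_log')
        private string $tblModule  // module name passed to the constructor ('tasks')
    ) {
    }

    // $useTbl = false models the reported behaviour, true models the second proposed fix.
    public function canEdit(bool $useTbl): bool
    {
        $module = $useTbl ? $this->tbl : $this->tblModule;
        return $this->userId === $this->creatorId
            || $this->perms->checkModuleItem($module, 'edit', $this->logId);
    }
}

// Constructed data: user 1 (administrator) holds 'edit' on task log 7, written by user 2.
$perms = new ModelPerms(['task_log' => [7 => ['view', 'edit']], 'tasks' => [3 => ['view', 'edit']]]);
$log = new ModelTaskLog($perms, 1, 2, 7, 'task_log', 'tasks');

var_dump($log->canEdit(false)); // check is made against the pair ('tasks', 7)
var_dump($log->canEdit(true));  // check is made against the pair ('task_log', 7)
```

In this model the id and the module name travel separately, so nothing ties the key to the table it came from; a regression test that edits another user's log entry as an administrator exercises exactly that pairing.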
Date Modified | Username | Field | Change |
---|---|---|---|
2016-04-14 08:10 | karstenmtr | New Issue | |
2016-04-14 23:04 | karstenmtr | Note Added: 0003766 | |
2016-04-14 23:08 | karstenmtr | Note Edited: 0003766 | View Revisions |
2016-04-14 23:09 | karstenmtr | Note Edited: 0003766 | View Revisions |
2016-12-26 23:34 | caseydk | Project | v3.3 Release => v3.4 Release (Current) |
2019-01-01 16:15 | caseydk | Project | v3.4 Release (Current) => v3.5 Release (Development) |
2019-01-01 16:15 | caseydk | Category | Tasks => General |