From 5a8c491a993c0052f16a7cce9247d96d4be5cd5a Mon Sep 17 00:00:00 2001
From: Tomasz Chilinski
Date: Wed, 2 May 2012 18:02:07 +0200
Subject: [PATCH] required read permission to cash registry to be able view receipt list
---
 doc/ChangeLog | 1 +
 modules/receiptlist.php | 5 ++---
 templates/cashreginfo.html | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/doc/ChangeLog b/doc/ChangeLog
index 5d89424f3e..f092427674 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -131,6 +131,7 @@ version ? (????-??-??):
 - new simple plugin which allows to use one-time sms passwords [chilan]
 - payments: support %type placeholder which gets its value from tarifftypes config section [chilan]
 - queues to whom we don't have access privileges, are not shown at all [chilan]
+ - required read permission to cash registry to be able view receipt list [chilan]
 version 1.11.13 Dira (2011-04-07)
diff --git a/modules/receiptlist.php b/modules/receiptlist.php
index f254bc7146..e4607ecb47 100644
--- a/modules/receiptlist.php
+++ b/modules/receiptlist.php
@@ -198,9 +198,8 @@ function GetReceiptList($registry, $order='', $search=NULL, $cat=NULL, $from=0,
 $SESSION->redirect('?m=cashreglist');
 }
-if(! $DB->GetOne('SELECT rights FROM cashrights WHERE userid=? AND regid=?', array($AUTH->id, $regid)) )
-{
- $SMARTY->display('noaccess.html');
+if (!$DB->GetOne('SELECT rights FROM cashrights WHERE userid = ? AND regid = ? AND rights & 1 = 1', array($AUTH->id, $regid))) {
+ $SMARTY->display('noaccess.html');
 $SESSION->close();
 die;
 }
diff --git a/templates/cashreginfo.html b/templates/cashreginfo.html
index 0807e40a24..4e6ecf2405 100644
--- a/templates/cashreginfo.html
+++ b/templates/cashreginfo.html
@@ -80,7 +80,7 @@
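Review bot: The new read-permission test in modules/receiptlist.php writes the mask as `rights & 1 = 1`, leaning on SQL operator precedence, while the template hunk of this same commit spells it `($right.rights & 1) == 1`; the query should be parenthesized the same way, `AND (rights & 1) = 1`, so the grouping does not depend on the database engine's precedence table. The bare `1` is also undocumented, and a comment above the guard such as `// cashrights.rights is a bitmask: 1 = read; deny unless the read bit is set` would say what the check enforces, given that mask 2 is tested separately in templates/cashreginfo.html. The guard is top-level code whose surrounding block and the assignment of `$regid` lie outside the hunk, so how `$regid` is validated cannot be confirmed from here. Other modules that show or print receipts for a registry are not part of this patch; if they still accept any row in `cashrights` regardless of bits, the read restriction added here could be bypassed through them, which is worth verifying.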

{$layout.pagetitle}

- {if $right.rights > 0}{/if}
+ {if ($right.rights & 1) == 1}{/if}
 {if ($right.rights & 2)==2}{/if}