From a28f7a9f536b47bbc881eb719360d4fb793485c9 Mon Sep 17 00:00:00 2001
From: Nate Jones
Date: Sun, 17 May 2015 09:58:57 +0000
Subject: [PATCH] Contact Times: Timer now works for contacts under foreign domains. Limit edit and delete to user's own Time entries.
---
app/contacts/contact_time_edit.php | 9 ++++-----
app/contacts/contact_times.php | 23 +++++++++++++++--------
2 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/app/contacts/contact_time_edit.php b/app/contacts/contact_time_edit.php
index cab8a0f4fa..5055f73aec 100644
--- a/app/contacts/contact_time_edit.php
+++ b/app/contacts/contact_time_edit.php
@@ -97,7 +97,7 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
 $sql .= ") ";
 $sql .= "values ";
 $sql .= "( ";
- $sql .= "'".$_SESSION['domain_uuid']."', ";
+ $sql .= "'".$domain_uuid."', ";
 $sql .= "'".$contact_time_uuid."', ";
 $sql .= "'".$contact_uuid."', ";
 $sql .= "'".$_SESSION["user"]["user_uuid"]."', ";
@@ -121,7 +121,7 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
 $sql .= "time_description = '".$time_description."' ";
 $sql .= "where ";
 $sql .= "contact_time_uuid = '".$contact_time_uuid."' ";
- $sql .= "and domain_uuid = '".$_SESSION['domain_uuid']."' ";
+ $sql .= "and domain_uuid = '".$domain_uuid."' ";
 $sql .= "and contact_uuid = '".$contact_uuid."' ";
 $sql .= "and user_uuid = '".$_SESSION["user"]["user_uuid"]."' ";
 $db->exec(check_sql($sql));
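Review bot: The `+` line of the insert now writes `$domain_uuid` in place of the session's domain, but nothing in this hunk shows where `$domain_uuid` is set or that the current user is authorised to act in that domain; if it is taken from the request, which the commit's foreign-domain use case suggests, an explicit check (or at least a comment naming the check that guards it) belongs before the values are written. The same switch appears in the update's `where` clause in the hunk at line 121 and in the select at line 140. Both statements also interpolate `$domain_uuid`, `$contact_uuid`, `$contact_time_uuid` and `$time_description` straight into the SQL string and rely on `check_sql()`; since this file already uses `$db->prepare`, binding these as placeholders (`$sql .= ":domain_uuid, ";` with `$prep_statement->bindValue(':domain_uuid', $domain_uuid);`) would remove that dependence. The enclosing `if (count($_POST)>0 ...)` block starts and ends outside these hunks.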
@@ -140,11 +140,10 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
 $sql = "select ct.*, u.username ";
 $sql .= "from v_contact_times as ct, v_users as u ";
 $sql .= "where ct.user_uuid = u.user_uuid ";
- $sql .= "and ct.domain_uuid = '".$_SESSION['domain_uuid']."' ";
- $sql .= "and u.domain_uuid = '".$_SESSION['domain_uuid']."' ";
+ $sql .= "and ct.domain_uuid = '".$domain_uuid."' ";
 $sql .= "and ct.contact_uuid = '".$contact_uuid."' ";
+ $sql .= "and ct.user_uuid = '".$_SESSION["user"]["user_uuid"]."' ";
 $sql .= "and contact_time_uuid = '".$contact_time_uuid."' ";
- $sql .= "order by ct.time_start desc ";
 $prep_statement = $db->prepare(check_sql($sql));
 $prep_statement->execute();
 $result = $prep_statement->fetch(PDO::FETCH_NAMED);
diff --git a/app/contacts/contact_times.php b/app/contacts/contact_times.php
index 2849c18064..619cfc454c 100644
--- a/app/contacts/contact_times.php
+++ b/app/contacts/contact_times.php
@@ -43,11 +43,10 @@ else {
 echo "\n";
 //get the contact list
- $sql = "select ct.*, u.username ";
+ $sql = "select ct.*, u.username, u.domain_uuid as user_domain_uuid ";
 $sql .= "from v_contact_times as ct, v_users as u ";
 $sql .= "where ct.user_uuid = u.user_uuid ";
 $sql .= "and ct.domain_uuid = '".$domain_uuid."' ";
- $sql .= "and u.domain_uuid = '".$domain_uuid."' ";
 $sql .= "and ct.contact_uuid = '".$contact_uuid."' ";
 $sql .= "order by ct.time_start desc ";
 $prep_statement = $db->prepare(check_sql($sql));
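Review bot: With the added `ct.user_uuid` restriction, the `fetch` on the last line of the hunk returns `false` for any time entry the current user does not own, and the hunk ends before any check of `$result`; if the code that follows indexes `$result` directly, a non-owner opening the edit URL gets PHP notices and an empty form rather than a clear refusal. A guard right after the fetch, such as `if ($result === false) { /* not found, or not owned by this user */ exit; }` or whatever refusal pattern this app uses elsewhere, would make the ownership check explicit. The `contact_time_uuid` comparison on the line before the prepare is the only unqualified column in the `where`; prefixing it with `ct.` keeps it consistent with the other conditions. The block enclosing this select starts before the hunk and ends after it.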
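Review bot: The new select adds `u.domain_uuid as user_domain_uuid`, but no line in this hunk reads that alias, and as far as the rest of this diff shows the row loop only uses `$row['user_uuid']` and `$row['username']`; if nothing consumes it, drop it, and if it is meant to tell apart same-named users now that the `u.domain_uuid` filter is gone, say so, e.g. `//user_domain_uuid: entries may now belong to users from other domains`. Dropping that filter is what the commit intends, and the remaining `ct.domain_uuid` condition still scopes the rows themselves to `$domain_uuid`. The enclosing `else {` block starts and ends outside the hunk.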
@@ -83,9 +82,7 @@ else {
 echo "\n";
 if ($result_count > 0) {
 foreach($result as $row) {
- if (permission_exists('contact_time_edit')) {
- $tr_link = "href='contact_time_edit.php?contact_uuid=".$row['contact_uuid']."&id=".$row['contact_time_uuid']."'";
- }
+ $tr_link = (permission_exists('contact_time_edit') && $row['user_uuid'] == $_SESSION["user"]["user_uuid"]) ? "href='contact_time_edit.php?contact_uuid=".$row['contact_uuid']."&id=".$row['contact_time_uuid']."'" : null;
 echo "\n";
 if ($row["time_start"] != '' && $row['time_stop'] != '') {
 $time_start = strtotime($row["time_start"]);
@@ -95,16 +92,26 @@ else {
 else { unset($time); }
 $tmp = explode(' ', $row['time_start']);
 $time_start = $tmp[0];
- echo " \n"; + echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo "\n";
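Review bot: The new `$tr_link` line decides ownership with a loose compare, `$row['user_uuid'] == $_SESSION["user"]["user_uuid"]`; use `===` for that, and the same loose compare is repeated twice in the following hunk at line 95. The two row values are also concatenated straight into an `href` attribute without encoding; wrapping `$row['contact_uuid']` and `$row['contact_time_uuid']` in `urlencode()` costs nothing and keeps the attribute well-formed whatever the column holds. Since the check runs per row, name it once: `$is_owner = $row['user_uuid'] === $_SESSION["user"]["user_uuid"];` followed by `$tr_link = (permission_exists('contact_time_edit') && $is_owner) ? "href='contact_time_edit.php?contact_uuid=".urlencode($row['contact_uuid'])."&id=".urlencode($row['contact_time_uuid'])."'" : null;`. This link-level check is only a UI hint; the enforcing check is the `user_uuid` restriction in contact_time_edit.php's queries, which this commit adds in the hunks at lines 121 and 140. The `foreach` opens in the hunk but closes outside it.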
".$row["username"]." ".$row["username"]." ".$time_start." ".$time." ".$row['time_description']." "; if (permission_exists('contact_time_edit')) { - echo "$v_link_label_edit"; + if ($row['user_uuid'] == $_SESSION["user"]["user_uuid"]) { + echo "".$v_link_label_edit.""; + } + else { + echo "".str_replace("list_control_icon", "list_control_icon_disabled", $v_link_label_edit).""; + } } if (permission_exists('contact_time_delete')) { - echo "$v_link_label_delete"; + if ($row['user_uuid'] == $_SESSION["user"]["user_uuid"]) { + echo "".$v_link_label_delete.""; + } + else { + echo "".str_replace("list_control_icon", "list_control_icon_disabled", $v_link_label_delete).""; + } } echo "