From 03b20dd56c15088ed5119a5b82fc36ee897da411 Mon Sep 17 00:00:00 2001
From: Victor Boctor
Date: Sat, 23 Jan 2016 02:10:34 +0000
Subject: [PATCH 2/3] Add access check / filtering for billing exports

- In case of all projects, filter to user accessible ones.
- In case of a specific project, double check that user has access to it.

Fixes #20539
---
 core/billing_api.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/core/billing_api.php b/core/billing_api.php
index c2ddc49..12be079 100644
--- a/core/billing_api.php
+++ b/core/billing_api.php
@@ -67,10 +67,13 @@ function billing_get_for_project( $p_project_id, $p_from, $p_to, $p_cost_per_hou
 }
 
 if( ALL_PROJECTS != $p_project_id ) {
+ access_ensure_project_level( config_get( 'view_bug_threshold' ), $p_project_id );
+
 $t_project_where = ' AND b.project_id = ' . db_param() . ' AND bn.bug_id = b.id ';
 $t_params[] = $p_project_id;
 } else {
- $t_project_where = '';
+ $t_project_ids = current_user_get_accessible_projects();
+ $t_project_where = ' AND b.project_id in (' . implode( ', ', $t_project_ids ). ')';
 }
 
 if( !is_blank( $c_from ) ) {
-- 
1.9.1
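Review bot: The new `else` branch splices `implode( ', ', $t_project_ids )` directly into the SQL string, while the sibling branch a few lines above binds `$p_project_id` through `db_param()`; and when `current_user_get_accessible_projects()` returns an empty array the clause becomes `b.project_id in ()`, which most database backends reject as a syntax error instead of returning no rows. The ids presumably come from the session and project tables rather than from request input, so this reads as a consistency and robustness gap rather than a direct injection, but binding each id through `db_param()` and short-circuiting the empty case keeps both branches on the same footing. `billing_get_for_project` starts and ends outside the hunk, so the empty case below is expressed as an always-false condition rather than an early return whose value I cannot see. One way to write the branch:
```php
	} else {
		$t_project_ids = current_user_get_accessible_projects();
		if( empty( $t_project_ids ) ) {
			// No accessible projects: force an empty result instead of emitting "IN ()".
			$t_project_where = ' AND 1 = 0';
		} else {
			$t_placeholders = array();
			foreach( $t_project_ids as $t_project_id ) {
				$t_placeholders[] = db_param();
				$t_params[] = (int)$t_project_id;
			}
			$t_project_where = ' AND b.project_id IN (' . implode( ', ', $t_placeholders ) . ')';
		}
	}
```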