From 44205d50394b3c1080ed4c57920c81306ace0bb1 Mon Sep 17 00:00:00 2001
From: dave
Date: Wed, 21 Nov 2007 22:30:19 +0000
Subject: [PATCH] - Disable the save and delete option for system reports, and print a message saying that the report can only be saved as a new report. - Add checks to the report_save and report_delete fucntions to ensure system reports cannot be saved/deleted.
---
 admin/reports.inc.php | 29 +++++++++++++++++++++++++++++
 admin/reports_editor.php | 31 +++++++++++++++++++------------
 2 files changed, 48 insertions(+), 12 deletions(-)
diff --git a/admin/reports.inc.php b/admin/reports.inc.php
index ed15e822..79171d13 100644
--- a/admin/reports.inc.php
+++ b/admin/reports.inc.php
@@ -297,8 +297,24 @@ foreach($stock as $n=>$v) {
 /* New report */
 mysql_query("INSERT INTO reports (`id`) VALUES ('')");
 $report['id'] = mysql_insert_id();
+ } else {
+ /* if the report['id'] is not zero, see if this is a
+ * systeim report before doing anything. */
+ $q = mysql_query("SELECT system_report_id FROM reports WHERE id='{$report['id']}'");
+ $i = mysql_fetch_assoc($q);
+ if(intval($i['system_report_id']) != 0) {
+ /* This is a system report, the editor (should)
+ * properly setup the editor pages so that the user
+ * cannot save this report. The only way to get here
+ * is by directly modifying the POST variables.. so..
+ * we don't have to worry about being user friendly. */
+ echo "ERROR: attempt to save a system report (reports.id={$report['id']})";
+ exit;
+ }
 }
+
+ /* print("
");
 	print_r($_POST);
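Review bot: `mysql_fetch_assoc($q)` in the new else branch is used without checking that the query succeeded or returned a row, so an id that does not exist in `reports` leaves `$i` false, `$i['system_report_id']` evaluates to 0 with only a PHP notice, and the save proceeds instead of being refused; the report_delete hunk below has the same pattern. `$report['id']` is also interpolated into the SELECT without the `intval()` that report_delete applies to its argument, so this function relies on every caller having done that (reports_editor.php does `intval($_POST['id'])`, but the function itself does not enforce it). Suggest `$id = intval($report['id']);` before the query, using `$id` in both the SELECT and the error message, and `if($i === false || intval($i['system_report_id']) != 0) { ... exit; }` so an unknown id is rejected as well. The enclosing function (report_save per the commit message) begins before this hunk and its body continues after it.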
@@ -361,6 +377,19 @@ foreach($stock as $n=>$v) {
  function report_delete($report_id)
  {
  	$r = intval($report_id);
+	/* if the report['id'] is not zero, see if this is a
+	 * systeim report before doing anything. */
+	$q = mysql_query("SELECT system_report_id FROM reports WHERE id='$r'");
+	$i = mysql_fetch_assoc($q);
+	if(intval($i['system_report_id']) != 0) {
+		/* This is a system report, the editor (should)
+		 * properly setup the editor pages so that the user
+		 * cannot delete this report.  The only way to get here
+		 * is by directly modifying the POST variables.. so..
+		 * we don't have to worry about being user friendly. */
+		echo "ERROR: attempt to delete a system report (reports.id=$r)";
+		exit;
+	}
  	mysql_query("DELETE FROM reports WHERE `id`=$r");
 	mysql_query("DELETE FROM reports_items WHERE `reports_id`=$r");
  }
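Review bot: The comment added at the top of report_delete says "if the report['id'] is not zero, see if this is a systeim report", but report_delete has no zero check and receives `$report_id`, so the text was carried over from the save path and no longer describes this code. Suggest `/* Refuse to delete a system report (system_report_id != 0), whatever id the caller passed. */` and fixing the "systeim" typo, which also appears in the reports.inc.php hunk above. The second comment block's mention of "POST variables" is likewise only true of the editor caller; report_delete itself sees a plain id argument, so it may be worth saying "by bypassing the editor" instead.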
diff --git a/admin/reports_editor.php b/admin/reports_editor.php
index 2547cdbf..e9cbf52f 100644
--- a/admin/reports_editor.php
+++ b/admin/reports_editor.php
@@ -178,9 +178,7 @@ function reportChange()
 	return $ret;
  }
 
-//print_r($_POST);
  /* Decode the report */
-
  $report = array();
  $report['id'] = intval($_POST['id']);
  $report['name'] = stripslashes($_POST['name']);
@@ -213,8 +211,7 @@ function reportChange()
  }
 
  if($repaction == 'try') {
- 	/* Try this report save it to the database under a new report, and mark it as
-	 * temporary, so when the generator finishes with it, it deletes it */
+ 	/* Generate the report from what was passed through POST */
 	report_gen($report);
 	exit;
  }
@@ -427,15 +424,25 @@ function reportChange()
  } 
 
  echo "
"; + if($report['system_report_id'] != 0) { + echo notice(i18n('This is a system report, it cannot be changed or deleted. To save changes you have made to it, please select the \'Save as a new report\' option.')); + } echo ""; echo "";