Author Topic: Sub Tasks show all the Users irrespective of the access  (Read 2187 times)

nsrivastava2

Sub Tasks show all the Users irrespective of the access
« on: January 05, 2010, 09:44:52 am »
Feng Office Community edition v1.6.1

Scenario:
Create a new Task and then create a Sub-Task. Now try to assign that sub task to someone.

Error:
The above scenario shows the list of all the users in the system, although the ID with which the person is logged in does not have access to assign tasks to anyone else.

Expected working:
Users should not be able to see anyone who is not accessible to that user.

dam-scasi

Re: Sub Tasks show all the Users irrespective of the access
« Reply #1 on: February 10, 2010, 06:58:08 am »
We've noticed that too and it's really annoying!

First, some clarification:
It's only in the single task view, when you click add sub task just below the description or the sub-tasks list of the task.

In fact, this form uses the assign_to_select_box function in application/helper/application.php to display the users select box, instead of the ExtJs select used elsewhere.

In my opinion, this function should not be used anymore, but as I haven't figured out how to replace this select with an ExtJs select, I've fixed this function, taking inspiration from the allowed_users_to_assign function in application/controllers/TaskController.class.php.

So here is my replacement of the assign_to_select_box function in application/helper/application.php to fix this bug:
/**
 * Render assign to SELECT
 *
 * @param string $list_name Name of the select control
 * @param Project $project Selected project, if NULL active project will be used
 * @param integer $selected ID of selected user
 * @param array $attributes Array of select box attributes, if needed
 * @return string Rendered SELECT markup, as returned by select_box()
 */
function assign_to_select_box($list_name, $project = null, $selected = null, $attributes = null) {
   if(is_null($project)) {
      $project = active_or_personal_project();
   } // if
   if(!($project instanceof Project)) {
      throw new InvalidInstanceError('$project', $project, 'Project');
   } // if

   $companies = Companies::findAll();
   $comp_array = array();
   if ($companies != null) {
      foreach ($companies as $comp) {
         if ($project != null) $users = $comp->getUsersOnProject($project);
         else continue;
         if (is_array($users)) {
            foreach ($users as $k => $user) {
               // Keep a user only if logged_user can assign tasks to them
               // and they can read tasks in this project; drop everyone else
               if (!can_assign_task(logged_user(), $project, $user)
                  || !can_read_type($user, $project, 'ProjectTasks')) {
                  unset($users[$k]);
               }
            }
            if (count($users) > 0) {
               $comp_data = array(
                           'id' => $comp->getId(),
                           'name' => $comp->getName(),
                           'users' => array()
               );
               foreach ($users as $user) {
                  $comp_data['users'][] = $user->getArrayInfo();
               }
               //if ($ws == null || can_assign_task(logged_user(), $ws, $comp)) {
               if (count($users) > 0) {
                  $comp_array[] = $comp_data;
               }
            }
         }
      }
   }

   $options = array(option_tag(lang('anyone'), '0:0'));
   if(is_array($comp_array) && count($comp_array)) {
      foreach($comp_array as $company) {
         $options[] = option_tag('--', '0:0');

         $option_attributes = $company['id'] . ':0' == $selected
            ? array('selected' => 'selected') : null;
         $options[] = option_tag($company['name'], $company['id'] . ':0', $option_attributes);

         if(is_array($company['users'])) {
            foreach($company['users'] as $user) {
               $option_attributes = $company['id'] . ':' . $user['id'] == $selected
                  ? array('selected' => 'selected') : null;
               $options[] = option_tag($user['name'] . ' : ' . $company['name'] ,
                  $company['id'] . ':' . $user['id'], $option_attributes);
            }
         }
      }
   }

   return select_box($list_name, $options, $attributes);
} // assign_to_select_box
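
The replacement above filters what the form displays. As an added example (not Feng Office code and not from either poster), the sketch below applies the same predicate again when the submitted "company:user" value is saved, so the list and the save handler cannot disagree. The ACL table, sample users and function names are hypothetical stand-ins for can_assign_task() and can_read_type().

```php
<?php
// Added example, not Feng Office code. All names and data here are hypothetical.

// Constructed sample data: company id => [user id => name]
$companies = [
    1 => [10 => 'alice', 11 => 'bob'],
    2 => [20 => 'carol'],
];
// Constructed ACL: whom each logged-in user may assign to, and who can read tasks
$acl = [
    'may_assign'     => [10 => [10, 11], 11 => [11]],
    'can_read_tasks' => [10, 11, 20],
];

/** One predicate shared by the form renderer and the save handler. */
function assignable_user(array $acl, int $actor, int $candidate): bool {
    return in_array($candidate, $acl['may_assign'][$actor] ?? [], true)
        && in_array($candidate, $acl['can_read_tasks'], true);
}

/** Values the select box may offer, in the "company:user" format used above. */
function allowed_assignee_values(array $companies, array $acl, int $actor): array {
    $values = ['0:0']; // the "anyone" option
    foreach ($companies as $companyId => $users) {
        $visible = array_filter(array_keys($users),
            fn($uid) => assignable_user($acl, $actor, $uid));
        if ($visible) {
            $values[] = $companyId . ':0'; // company-level option
            foreach ($visible as $uid) {
                $values[] = $companyId . ':' . $uid;
            }
        }
    }
    return $values;
}

/** Save-time check: accept only a value the form would have offered this user. */
function validate_assignee(string $submitted, array $companies, array $acl, int $actor): bool {
    if (!preg_match('/^\d+:\d+$/', $submitted)) {
        return false; // malformed value
    }
    return in_array($submitted, allowed_assignee_values($companies, $acl, $actor), true);
}

// User 11 may only assign to themselves; user 20 is outside their allowed set.
var_dump(allowed_assignee_values($companies, $acl, 11));
var_dump(validate_assignee('1:11', $companies, $acl, 11));
var_dump(validate_assignee('2:20', $companies, $acl, 11));
```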