anuko / timetracker Goto Github PK

Hey there!

I'd like to report a security issue but cannot find contact instructions on your repository.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

I just found out that if you create one custom user field, then
the button "create" is locked and you cannot create a second one.

Hi,

There is this configuration below. I have uncomment out the last line to allow the session to prolong persistent up to 24 hours. But when the user logon and use, they were timed out within less than 1 hour. Is there any other way to make the TTL session persistent?

Thanks.

Time to live in seconds for script session cookie (named tt_PHPSESSID).
// PHPSESSID_TTL
//
// Lifetime in seconds for tt_PHPSESSID cookie. Time to live is extended by this value
// with each visit to the site so that users don't have to re-login.
// define('PHPSESSID_TTL', 86400);

I think that READONLY_START_FINISH, FUTURE_ENTRIES, ALLOW_OVERLAP, SHOW_HOLIDAYS, and COST_ON_REPORTS should be per team not global. I also think that there should be a (non-default) global option to restrict changing team options and plugins to managers only and not co-managers.

Hello,
It would be very useful to enable Group by custom fields in the reports.php form.
Our example case is:
Client: xyz
Project: Support
Task: Support Ticket
Ticket Number: A1234 <--- this is our custom text field. Grouping by this field would be very useful to show who and how long each ticket takes to resolve.

I have the comma , decimal mark selected in the settings for the current (and only) manager.
But when I deactivate and reactivate the project it populates the rate field with a regular dot ..

I'm not very experienced with JavaScript, so unfortunately I don't feel comfortable providing a PR.

Is it possible to use any other (external) resource as calendar for holidays instead of changing i18n_holidays per year

Please decide on tabs or spaces. Im getting merge conflicts due to whitespace. Also I'd be happy to keep the code tidy, once decided. Cheers!

Sessions kept timing out early.
I found this post on the forum:
https://www.anuko.com/forum/posting.php?mode=reply&f=4&t=2059

If someone has a forum account, you could add the following correction in that post.
Please add it to the master branch too.

After enabling the lines WEB-INF/config.php that was supposed to fix it, I was unable to log in, just as described in that forum post.

So I made the following correction in initialize.php (lines 84-91):
$phpsessid_ttl = defined('PHPSESSID_TTL') ? PHPSESSID_TTL : 606024;
// Set lifetime for garbage collection.
ini_set('session.gc_maxlifetime', $phpsessid_ttl);
// Set PHP session path, if defined to avoid garbage collection interference from other scripts.
if (defined('PHP_SESSION_PATH')) {
ini_set('session.save_path', realpath(PHP_SESSION_PATH));
ini_set('session.gc_probability', 1);
}

The original code was corrected by enclosing PHP_SESSION_PATH in realpath()

Hi, first of all thanks so much for making this tool :)

System:
mysql Ver 14.14 Distrib 5.7.19, for Linux (x86_64) using EditLine wrapper
PHP 7.0.18-0ubuntu0.16.04.1

Issue:
In cron.php, line 50:

 $sql = "select * from tt_cron c
   left join tt_fav_reports fr on (c.report_id = fr.id)
   where $now >= c.next and fr.status = 1
   and c.status = 1 and c.report_id is not null and c.email is not null";

This code replaces the tt_cron.id with tt_fav_reports.id, which leads to line 94 not updating the correct entry for $next:

  $sql = "update tt_cron set last = $now, next = $next where id = ".$val['id'];

A quick fix that I've tested is replacing line 50 with the following:

 $sql = "select * from tt_fav_reports fr
   left join tt_cron c on (c.report_id = fr.id)
   where $now >= c.next and fr.status = 1
   and c.status = 1 and c.report_id is not null and c.email is not null";

This keeps all columns but uses tt_cron.id instead of tt_fav_reports.id.
If you'd like I can open a PR.

This would be good for adding a Social Security Number/Personal Identity Number or any useful information, such as an address, phone numbers, etc.

Maybe you, as manager, could decide per custom field if it should be publicly visible to everyone logged in or private to just the managers?

It would be great, if the input field (german: Dauer:) would accept ',' as a decimals spearator, too.

There are list of times shown at the bottom of the time.php and week.php. It would be great to also show the custom fields in that list.

Softwareversion: 1.7.8.3094

to open the reports.php document a co-manager needs about 35-40 seconds. We suspect the following code in "reports.php":

$user_list = array();
if ($user->canManageTeam() || $user->isClient()) {
  // Prepare user and assigned projects arrays.
  $users = ttTeamHelper::getActiveUsers();
  foreach ($users as $single_user) {
    $user_list[$single_user['id']] = $single_user['name'];
    $projects = ttProjectHelper::getAssignedProjects($single_user['id']);
    if ($projects) {
      foreach ($projects as $single_project) {
        $assigned_projects[$single_user['id']][] = $single_project['id'];
      }
    }
  }
  $row_count = ceil(count($user_list)/3);
  $form->addInput(array('type'=>'checkboxgroup',
    'name'=>'users',
    'data'=>$user_list,
    'layout'=>'V',
    'groupin'=>$row_count,
    'style'=>'width: 100%;'
  ));
}

in this sample a co-manager requests about 50 users and 800 projects.
is there a patch or any solutions/ suggestions to improve the performance?

thanks in advance!

Spanish translation is way out of date. See comments in WEB-INF/resources/es.lang.php

See the comments in WEB-INF/resources/it.lang.php

After running the docker container with docker-compose up, below error is shown while loading the landing page i.e., login.php

anuko-timetracker | [Sat Jun 13 21:09:00.679180 2020] [php7:warn] [pid 16] [client 192.167.0.1:40318] PHP Warning:  rename(/tmp/wrtljinTL,/var/www/html/WEB-INF/templates_c/a532f1d2ec12e6e52447bbd961e358f8a172ef48.file.index.tpl.php): Permission denied in /var/www/html/WEB-INF/lib/smarty/sysplugins/smarty_internal_write_file.php on line 48
anuko-timetracker | [Sat Jun 13 21:09:00.679245 2020] [php7:warn] [pid 16] [client 192.167.0.1:40318] PHP Warning:  chmod(): No such file or directory in /var/www/html/WEB-INF/lib/smarty/sysplugins/smarty_internal_write_file.php on line 50
anuko-timetracker | [Sat Jun 13 21:09:00.679303 2020] [php7:warn] [pid 16] [client 192.167.0.1:40318] PHP Warning:  include(/var/www/html/WEB-INF/templates_c/a532f1d2ec12e6e52447bbd961e358f8a172ef48.file.index.tpl.php): failed to open stream: No such file or directory in /var/www/html/WEB-INF/lib/smarty/sysplugins/smarty_internal_template.php on line 432
anuko-timetracker | [Sat Jun 13 21:09:00.679317 2020] [php7:warn] [pid 16] [client 192.167.0.1:40318] PHP Warning:  include(): Failed opening '/var/www/html/WEB-INF/templates_c/a532f1d2ec12e6e52447bbd961e358f8a172ef48.file.index.tpl.php' for inclusion (include_path='/var/www/html/WEB-INF/lib/pear:.:/usr/local/lib/php') in /var/www/html/WEB-INF/lib/smarty/sysplugins/smarty_internal_template.php on line 432
anuko-timetracker | 192.167.0.1 - - [13/Jun/2020:21:09:00 +0000] "GET /login.php HTTP/1.1" 200 454 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"
anuko-timetracker | 192.167.0.1 - - [13/Jun/2020:21:09:00 +0000] "GET /favicon.ico HTTP/1.1" 200 1193 "http://localhost/login.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"

I already have a fix and wish to commit. Request the access to commit on a branch please.

Hi,

Since Arch Linux switched to php8 as default PHP version I'd like to know when a Time Track version gets released that works with php8?

It was one of the applications that did not work with php8 - I'm using version 1.19.20.5234

kind regards
Ralf

Hi,
i would like to ask if there is any possibility that we integrate a script or module in the "password_reset.php" or other page that allow you to get IP address on the Email Notification than we can know were is the origine and who request it

To keep the master clean, would request if the new features are pushed into a branch and merged into master only after the feature is complete, tested and reviewed (possibly via a pull request).

Hi,
It would be nice if the releases are tagged (as releases, with version number) on github or respective branches would exist. I know that this creates an overhead, but would make looking up the changes easier (as the Change Log on the website is sometime lagging a bit behind).
And Thanks for maintaining and developing!

Context

I recently did an installation of anuko time tracker where we used a parent group with several child subgroups, each with their specific user and activities.

At a given moment, a user was relocated from a subgroup to another subgroup, but the system did not allow the user to be registered in the new location because his login already existed in the previous subgroup.

Possible solution

It would be nice to have an option that allows you to move the user between subgroups.

Doubts

• Would it be a viable option to allow registering duplicate logins as long as the user has only one active user? Or would that mess up the user table over time?
• If the option is to move the user, would there be any way to keep the entries in the old group just for reporting purposes?

According to GDPR there should be an audit trail of actions performed on records (create, update, delete).

Revision trail must save data about:

• WHO (user that performed an action) did
• WHAT (object; field; action; original value; changed value) and
• WHEN (date, time of action) (dd.mm.yyy; hh:mm)

The question that presents itself is: is it a good idea to do it in code, or install one of mysql logging plugins?

I would avoid triggers, but that is just my personal preference.

There are concerns about existing Time Tracker UI design, especially on small screens.

Current approach of having separate mobile code and page layout templates is not working well - there is duplication of code, and mobile section does require a lot of work to look good.

I am thinking about Bootstrap 4 based responsive design, no separate mobile section. Perhaps drop smarty templates altogether. I see a particular challenge with reports as there may be many columns there.

I plan to start working towards this goal after we do subgroups, which is a big task.

Feel free to suggest ideas and discuss if you feel like so.

New approach must be flexible enough to provide custom css and other templates, not necessarily responsive.

Also discussed at https://www.anuko.com/forum/viewtopic.php?f=4&t=1833 this issue is to to hear your thoughts on user roles and rights (or are they "permissions"?) redesign in Time Tracker.

Current problems:

1. Users are limited to one group, which is not enough for a mid-size organization.
2. User rights is currently a bit mask. It is obvious that we will run out of bits at some point after introducing more rights.

Currently suggested direction to solve both problems:

• Introduce a tree-like structure for organizations, with groups of 1 or more users possibly containing other groups in a parent-child relationship. Think about tt_teams table having org_id, unit_id, and parent_unit_id instead of just one id field,
• Have rights as an array of strings instead of bits in a number. For example:

CLIENT - when Clients plugin is enabled, a Client (which is external to a group) can be provided with a login to view own data such as reports, charts, and invoices.
"view_own_data" - view reports, charts, and invoices for self. The same right as for USER. What own data means: reports, charts, and invoices for this client. Note that clients do not have the "data_entry" right but can view what is entered into the system by other users and is associated with a specific client.

USER - a regular user in a group without any management rights. Primary function is data entry and viewing own data.
"data_entry" - enter time and expense records into Time Tracker.
"view_own_data" - view own reports and charts.

SUPERVISOR - a person who has a small set of management functions in a group. Has all of USER permissions plus the following.
"on_behalf_data_entry" - can enter data on behalf of lower roles.
"view_group_data" - can view data for lower roles.
"override_punch_mode" - can input any start and finish times for self and lower roles.
"approve_timesheets" - reserved for future approval workflow (not implemented at this point).

CO-MANAGER - a person with an extended set of management functions, who is helping a group manager with most of the work. Has all of SUPERVISOR permissions plus the following.
"manage_users" - can add, modify, delete, and assign roles to users with roles less than self.
"manage_projects" - full access to project management.
"manage_tasks" - full access to task management.
"manage_clients" - full access to client management.
"manage_invoices" - full access to invoice management.

MANAGER - a person with a full set of permissions to a group and the entire tree of its subgroups. Has all of CO-MANAGER permissions plus the following.
"manage_group_settings" - enable plugins, etc.
"manage_roles" - assign roles to users, create custom roles, etc,
"export_data" - export group and all subgroups data to an XML file.
"manage_subgroups" - add, modify, and delete subgroups. Essentially, it gives a capability to create subgroups and assume group manager role in there and all subgroups below.

CUSTOM - a customized role for situations when roles above do not suffice. Based on some already existing role to determine how "manage_users" works for it, if assigned. Has an arbitrary collection of permissions as set by group manager. Any number of custom roles can be defined.

ADMIN
"administer_site" - administer a site as a whole.

Currently it is only possible to insert montly quotas with integer values. In some countries this does not work as the working hours are not always integer values.

To make quota work in version 1.13.11.3737 it is necessary to modify line 97 in quotas.php as follows:
$monthsData = $quota->get($selectedYear, null);

Otherwise PHP (at least >=7.x) throws an error that only one parameter was given instead of two. In Apache this leads to an HTTP Error 500.

Currently the input/output is HTML.
Please add support for a REST-like JSON API.
e.g. so that 3rd-party mobile apps do not need to parse the HTML.

Line No. 409 in DateField.class.php is crashing the PHP/Apache Server (Reports Menu) with the error

PHP Fatal error: Uncaught Error: Undefined constant "DIR_NAME" in C:\LavanyaDeepak\Personal\timetracker\WEB-INF\lib\form\DateField.class.php:409\nStack trace:\n#0 C:\LavanyaDeepak\Personal\timetracker\WEB-INF\lib\form\DateField.class.php(409): constant('DIR_NAME')\n#1 C:\LavanyaDeepak\Personal\timetracker\WEB-INF\lib\form\FormElement.class.php(101): DateField->getHtml()\n#2 C:\LavanyaDeepak\Personal\timetracker\WEB-INF\lib\form\Form.class.php(207): FormElement->toArray()\n#3 C:\LavanyaDeepak\Personal\timetracker\reports.php(504): Form->toArray()\n#4 {main}\n thrown in C:\LavanyaDeepak\Personal\timetracker\WEB-INF\lib\form\DateField.class.php on line 409, referer: http://localhost:8099/timetracker/time.php

Workaround/Solution for this is:

In config.php, line 37 which appears commented from OEM should be uncommented:

define('DIR_NAME', 'timetracker');

Is it possible to add further types for custom fields? text and drop down is not enough, when validating additional durations or numbers only.

The severeness of this issue is debatable.
Still, I was surprised to come across the phpinfo.php file in my production installation of Anuko. Perhaps it's better to remove this file from the project?
It would seem to only serve for debugging purposes.
Your production installation also reveals this information: https://timetracker.anuko.com/phpinfo.php
It could potentially help malicious attackers to gain more information about your system easily.

Anuko is great software. Many thanks for writing and maintaining it!

Is it possible to add custom fields to project? (not only for time and user)

Example:
$sql = "update tt_projects set name = ".$mdb2->quote($name).", description = ".$mdb2->quote($description).", tasks = ".$mdb2->quote($comma_separated).", status = $status where id = $project_id";

Better use defined datatypes or escaping:
https://pear.php.net/manual/en/package.database.mdb2.intro-quote.php

Or Best alternative:
http://pear.php.net/manual/en/package.database.mdb2.intro-execute.php

Document the preferred process to report and resolve security vulnerabilities. My proposal is to use specific email address for initial communications (e.g. [email protected]) so that core developers and security researches can share vulnerability details over a secure and private channel. General steps to do that should contain:

• describe the process in CONTRIBUTING.md. For example, see https://bounty.github.com/
• publish PGP public key and require encrypted emails from security researches
• possibly add "Hall of Fame" style "thank you" page for contributors
• create a single page or document any security related release clearly on project home page. This is to help end-users to have a clear understanding, when a new release contains security related fixes and not just any functionality or cosmetic changes.

Importing a XML file in version 1.17.98.4319 (on Ubuntu 18.04, apache, PHP 7.2.10-0ubuntu0.18.04.1) fails with two errors/warnings in apaches error logs and a white page in the browser. I guess the first is a relatively simple php-compatibility thing:

PHP Warning: count(): Parameter must be an array or an object that implements Countable in /var/www/timetracker/WEB-INF/lib/pear/MDB2.php on line 826, referer: http://xxx/timetracker/import.php

The other one looks more problematic to me:

PHP Fatal error: Uncaught Error: Call to undefined function xml_parser_create() in /var/www/timetracker/WEB-INF/lib/ttImportHelper.class.php:393\nStack trace:\n#0 /var/www/timetracker/import.php(47): ttImportHelper->importXml()\n#1 {main}\n thrown in /var/www/timetracker/WEB-INF/lib/ttImportHelper.class.php on line 393, referer: http://xxx/timetracker/import.php

But maybe its just a missing package? I installed via the installation instructions.

PS: The contribution page does not clearly state whether there is a prefered platform for issues (github "vs." forum). I'd prefer github, so I post this issue here. Please guide me to the better place if there is one.

Additional GPS information aids project managers to assure that the work was done in specific location, e.g construction workers. It would be nice to also see the map with a pin while reviewing tasks afterwards.

When using a client accounts, the client can change the paid/not paid status of their own invoices. A Client should not be be able to do this.

in which xampp version does it works

In cron.php line 48, consider replacing the call to mktime() with time(), because:

Note:
As of PHP 5.1, when called with no arguments, mktime() throws an E_STRICT notice: use the time() function instead.

I noticed it after getting messages from cron-daemon because of non-zero exit status. Simple drop-in replacement fixes the issue, both functions return the same timestamp when called with no arguments.

https://medium.com/analytics-vidhya/password-hashing-pbkdf2-scrypt-bcrypt-and-argon2-e25aaf41598e

Timetracker should be using a cryptographically secure password hashing algorithim. And since bcrypt is built in, and reasonably secure it should be the baseline. Ideally with an option to use ARGON2ID if support is available in an end users php installation.

https://www.php.net/manual/en/function.password-hash.php
https://stackoverflow.com/questions/47602044/how-do-i-use-the-argon2-algorithm-with-password-hash

Validating and checking reported tasks helps project managers to assure that all reported hours are valid. There should be a checkbox for each reported task / time and calendar should visually show days that contain records that are not validated. Also, there should be a check or a warning, when user tries to generate report that contains not validated records.

See WEB-INF/resources/zh-cn.lang.php - 简体中文

and WEB-INF/resources/zh-tw.php - 簡體中文 - this one requires even more work.

We have created a custom text field called Client Ticket Number. On the Reports form, the fields are visible with text entry box and a tick box. Ticking the box makes the field appear in the report - all good. But data entered into the text field is ignored. I would expect the report to be filtered to only show time records that match the given text.

In the fillDropdowns() function in mobile/timer.tpl it says "document.timeRecordForm.XXX" instead of "document.timerRecordForm.XXX". It is missing the "r" - the form is called timer and not time like in time.tpl (simple Copy-Paste-Error ;)

WEB-INF/config.php file does not exist. its showing this error

Hello--

My manager account would really like to have access to more pages on mobile. The release version I installed on my server initially only allowed access to the time entry form from mobile.

Have you considered expanding mobile page access? And would you be interested in PR's for this? Thanks

Hi.

In PHP 7 version the expression &new Class it's not allowed and another error it's present PHP Deprecated Non-Static method PEAR::isError should not be called statically

Please help

Regards

Eduardo Rotundo

The following mobile pages are not centered horizontally on mobile screen.

time_edit.php
task_edit.php
project_edit.php
login.php

White space is left on the right. The effect is worse in landscape orientation of the phone.

I tried to use the chart but it fails with error HTTP ERROR 500. The server log shows below

anuko-timetracker | [Fri Jun 19 11:50:56.693582 2020] [php7:error] [pid 20] [client 192.168.2.20:48420] PHP Fatal error: Uncaught Error: Call to undefined function imageftbbox() in /var/www/html/WEB-INF/lib/libchart/classes/view/text/Text.php:67\nStack trace:\n#0 /var/www/html/WEB-INF/lib/libchart/classes/view/chart/PieChart.php(210): Text->printText(Resource id #65, 148.98288271018, 274.99908917797, Object(Color), '50%', '/var/www/html/W...', 18)\n#1 /var/www/html/WEB-INF/lib/libchart/classes/view/chart/PieChart.php(239): PieChart->drawPercent()\n#2 /var/www/html/WEB-INF/lib/PieChartEx.class.php(38): PieChart->printPie()\n#3 /var/www/html/charts.php(219): PieChartEx->renderEx(Array)\n#4 {main}\n thrown in /var/www/html/WEB-INF/lib/libchart/classes/view/text/Text.php on line 67, referer: https://localhost/time.php