<?php
/*
	################################################################
	# >>> Time Recording System											#
	################################################################
	# > Authors:  Lucian Pricop and David Sturtevant					#
	# > E-mail:  hide@address.com						#
	# > Date: 	 17 April 2007											#
	#																			#
	# This web application allows your staff to submit their time	#
	# sheets on line 														#
	################################################################
	#	Copyright (C) 2007  Oxford Archaeology							#
	#																			#
	# This program is free software; you can redistribute 			#
	# it and/or modify it under the terms of the GNU General 		#
	# Public License as published by the Free Software 				#
	# Foundation; either version 2 of the License, or (at your	 	#
	# option) any later version.											#
	#																			#
	# This program is distributed in the hope that it will be 		#
	# useful, but WITHOUT ANY WARRANTY; without even the 				#
	# implied warranty of MERCHANTABILITY or FITNESS FOR A 			#
	# PARTICULAR PURPOSE.  See the GNU General Public License 		#
	# for more details.														#
	#																			#
	# You should have received a copy of the GNU General 				#
	# Public License along with this program; if not, write to 		#
	# the Free Software Foundation, Inc., 59 Temple Place - 			#
	# Suite 330, Boston, MA  02111-1307, USA.							#
	################################################################
*/
//This is to block access when things go wooohooo with the DB
/* if(isset($_POST["xmlResponse"]) || strstr($_SERVER["SCRIPT_NAME"],"valueList.php")===TRUE)
{
	$status = "sessionexpired";
	$response = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
	$response .= "<RESPONSE>\n";
	$response .= "\t<STATUS>".$status."</STATUS>\n";
	if(isset($refid))
		$response .= "\t<REFID>".$refid."</REFID>\n";
	$response .= "</RESPONSE>\n";
	header("Content-type: application/xml");
	echo $response;
	die();
}
else
 	die("The TimeRecordingSystem is <b>DOWN :-(</b> for maintenance.<br/>Please try again later.<br/>If you were working on something, just leave the browser open and press the back button in half an hour.
 	<br/><b>Sorry for the inconvenience!</b><br/><a href=\"http://news.bbc.co.uk/2/hi/europe/6267121.stm\">cool link to keep you busy</a>");
*/ 	
	
//End of the Woohoo cover
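	// Month/day on which the financial year rolls over ("xxxx" stands in for the year;
	// how callers substitute it is not visible here). This is only a fallback: a config
	// file included before header.php may define it first.
	if(!defined("FINANCIAL_YEAR_CHANGE_DATE"))
		define("FINANCIAL_YEAR_CHANGE_DATE","xxxx-04-01");

	// Internet Explorer is not supported; send it to the notice page.
	// The header may be absent (non-browser clients), so default it to "".
	// Compared with !== false: the original "!= FALSE" check treated a match at
	// offset 0 as "not found".
	$userAgent = isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : "";
	if(strpos($userAgent,"MSIE") !== false)
	{
		header("Location: nobrowsersupport.php");
		die();
	}
	$APP_LINK = "http://timesheets.thehumanjourney.net/";
	// Suffix appended to every $_SESSION key the application uses; it must stay
	// identical across all files that read the session.
	// NOTE(review): session keys are held server-side and never reach the client,
	// so this suffix does not protect against CSRF by itself. CSRF protection needs
	// a per-session token that every state-changing request must send back and
	// that the server verifies before acting.
	$privateKey = "9hJK34Ij56";
	$sessionLifeSpan =  8 * 60 * 60; //8 hours - normal working day
	// Cookie parameters. Only the HttpOnly flag is applied below; path, domain and
	// the Secure flag are kept for a session_set_cookie_params() call (Secure should
	// be switched on once the site is served over HTTPS).
	$sessionPath = "/";
	$sessionDomain = "";
	$sessionSecure = false;
	$sessionHTTPonly = true;

	// The cookie lifetime is deliberately left at the browser-session default; only the
	// server-side garbage-collection window is bounded to the working day.
	// 	ini_set("session.cookie_lifetime", $sessionLifeSpan);
	ini_set("session.gc_maxlifetime", $sessionLifeSpan);
	ini_set("session.cookie_httponly",$sessionHTTPonly);
	// Pages behind the login must never be served from a browser or proxy cache.
	header("Cache-Control: no-cache, must-revalidate");
	header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
	session_start();

	// Access gate: every page except the login pages requires a logged-in session.
	$scriptName = isset($_SERVER["SCRIPT_NAME"]) ? $_SERVER["SCRIPT_NAME"] : "";
	$isLoggedIn = isset($_SESSION["logged".$privateKey]);
	$isLoginPage = strpos($scriptName,"index.php") !== false
		|| strpos($scriptName,"logonAuthentication.php") !== false;
	if(!$isLoggedIn && !$isLoginPage)
	{
		$hasXmlPayload = isset($_POST["xmlResponse"]);
		// Ajax callers (a POSTed xmlResponse, or valueList.php) get an XML
		// "sessionexpired" status instead of a redirect, so the client can keep
		// the user's unsaved work. The original compared strstr() === TRUE, which
		// can never hold, so valueList.php requests were wrongly redirected.
		if($hasXmlPayload || strpos($scriptName,"valueList.php") !== false)
		{
			$refid = null;
			if($hasXmlPayload && strcmp($_POST["xmlResponse"],"")!=0)
			{
				// The payload comes from an unauthenticated client: parse it with
				// network access disabled (no external entity fetches) and keep libxml
				// warnings out of the output, so malformed input can neither corrupt
				// the XML reply nor abort the script on a null FORM node.
				// On PHP < 8.0 also call libxml_disable_entity_loader(true) here.
				$previousErrorMode = libxml_use_internal_errors(true);
				$xml = new DOMDocument();
				$xml->preserveWhiteSpace=false;
				$loaded = $xml->loadXML($_POST["xmlResponse"], LIBXML_NONET);
				libxml_clear_errors();
				libxml_use_internal_errors($previousErrorMode);
				if($loaded)
				{
					$form = $xml->getElementsByTagName("FORM")->item(0);
					if($form !== null)
						$refid = intval($form->getAttribute("REFID"));
				}
			}
			$status = "sessionexpired";
			$response = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
			$response .= "<RESPONSE>\n";
			$response .= "\t<STATUS>".$status."</STATUS>\n";
			if(isset($refid))
				$response .= "\t<REFID>".$refid."</REFID>\n";
			$response .= "</RESPONSE>\n";
			header("Content-type: application/xml");
			echo $response;
			die();
		}
		// Browser request: send the user to the login page, remembering the last
		// path segment so index.php can bring them back after logging in.
		// rawurlencode() keeps that value safe inside the Location URL.
		if(isset($_SERVER["REQUEST_URI"]))
		{
			// split() was removed in PHP 7; explode() yields the same segments
			// for a literal "/" separator.
			$refArr = explode("/",$_SERVER["REQUEST_URI"]);
			$ref = rawurlencode($refArr[count($refArr)-1]);
		}
		else
			$ref = "";
		header("Location: index.php?status=nosession&ref=".$ref);
		die();
	}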

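	/* NOTE:
	Works out what the logged-in user may do with the given timesheet.
	  $dbconn         - application DB wrapper; provides sendquery2() and numberofrows(),
	                    and its query result is read with pg_fetch_array()
	  $timesheetRefid - tbl_office_time_sheet.refid of the timesheet being accessed.
	                    It is cast to int before use: sendquery2() is handed a plain
	                    string here, so the cast is what keeps caller input out of the
	                    SQL text (if sendquery2() supports bound parameters, prefer them).
	Returns 0 - no such timesheet, or no relationship between it and the logged-in user
	        1 - the logged-in user owns the timesheet
	        2 - the logged-in user is the owner's line manager
	        3 - the logged-in user is an administrator (usertype 1)
	The checks run in that order, so an administrator who owns the timesheet gets 1.
	*/
	function checkCredentials($dbconn,$timesheetRefid)
	{
		global $privateKey;
		// refids are numeric; forcing the type means non-numeric input never reaches the query.
		$timesheetRefid = intval($timesheetRefid);
		//getting all the data about the owner of this timesheet
		$queryString = "SELECT a.* FROM tbl_staff_lookup AS a, tbl_office_time_sheet AS b WHERE a.refid = b.staffrefid AND b.refid = ".$timesheetRefid;
		$queryResult = $dbconn->sendquery2($queryString);
		// A failed query (if the wrapper reports it as false) or an empty result both mean "no access".
		if($queryResult === false || $dbconn->numberofrows() == 0)
			return 0;
		$rowarray = pg_fetch_array($queryResult,null,PGSQL_ASSOC);
		if($rowarray === false)
			return 0;

		/* NOTE:
		credentials of the current user over the specified timesheet
		are to be checked differently depending on the type of user.
		Session values are normalised to int and compared strictly: with the
		original loose "==" a missing session refid (null) matched a NULL/0
		linemanager column and granted line-manager rights.
		*/
		$currentUser = isset($_SESSION["refid".$privateKey]) ? intval($_SESSION["refid".$privateKey]) : 0;
		$userType = isset($_SESSION["usertype".$privateKey]) ? intval($_SESSION["usertype".$privateKey]) : 0;
		$ownerRefid = intval($rowarray["refid"]);
		$lineManager = intval($rowarray["linemanager"]);

		//the logged user is the owner
		if($currentUser !== 0 && $ownerRefid === $currentUser)
			return 1;

		//the logged user is the line manager of the time sheet owner
		if($currentUser !== 0 && $lineManager === $currentUser)
			return 2;

		//the logged user is an administrator
		if($userType === 1)
			return 3;

		return 0;
	}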
?>