Implemented very crude attempt at security privleges. This is not really intended to be security, just a quick and dirty mechanism to avoid prying eyes. More robust security is left to future implementation.

git-svn-id: file:///svn-source/pmgr/branches/yafr_20090716@538 97e9348a-65ac-dc4b-aefc-98561f571b83

site/controllers/ledger_entries_controller.php

@@ -145,12 +145,6 @@ class LedgerEntriesController extends AppController {
    */
 
   function view($id = null) {
-    if (!$id) {
-      $this->Session->setFlash(__('Invalid Item.', true));
-      $this->redirect(array('controller' => 'accounts', 'action'=>'index'));
-    }
-
-    // Get the Entry and related fields
     $entry = $this->LedgerEntry->find
       ('first',
        array('contain' => array
@@ -163,6 +157,10 @@ class LedgerEntriesController extends AppController {
 	      array('fields' => array('id', 'sequence', 'name'),
 		    'Account' => 
 		    array('fields' => array('id', 'name', 'type'),
+			  'conditions' =>
+			  // REVISIT <AP>: 20090811
+			  //  No security issues have been worked out yet
+			  array('Account.level >=' => 10),
 			),
 		  ),
 
@@ -177,6 +175,11 @@ class LedgerEntriesController extends AppController {
 	     'conditions' => array('LedgerEntry.id' => $id),
 	     ));
 
+    if (empty($entry) || empty($entry['Ledger']['Account'])) {
+      $this->Session->setFlash(__('Invalid Item.', true));
+      $this->redirect(array('controller' => 'accounts', 'action'=>'index'));
+    }
+
     if (!empty($entry['DebitEntry']) && !empty($entry['CreditEntry']))
       die("LedgerEntry has both a matching DebitEntry and CreditEntry");
     if (empty($entry['DebitEntry']) && empty($entry['CreditEntry']))