Moderate severityNVD Advisory· Published Nov 19, 2021· Updated Aug 3, 2024
Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2
CVE-2021-3976
Description
Kimai2 is vulnerable to Cross-Site Request Forgery, allowing attackers to perform unauthorized actions on behalf of authenticated users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Kimai2 is vulnerable to Cross-Site Request Forgery, allowing attackers to perform unauthorized actions on behalf of authenticated users.
Vulnerability
Kimai2 before version 1.16.2 is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists in various forms and actions that do not enforce CSRF tokens, allowing an attacker to trick authenticated users into executing unintended requests. The fix was introduced in commit b28e9c120c87222e21a238f1b03a609d6a5d506e [1].
Exploitation
An attacker can craft a malicious web page or email that, when visited by an authenticated Kimai2 user, triggers a cross-origin request to the Kimai2 application. No special privileges are required; the attacker only needs to lure a logged-in user to interact with the crafted page. The request will be executed with the victim's session and permissions.
Impact
Successful exploitation allows an attacker to perform state-changing operations on behalf of the victim, such as modifying user settings, creating or altering timesheets, or changing project configurations. The attacker gains the same privileges as the victim, potentially leading to data manipulation or unauthorized actions.
Mitigation
The vulnerability is fixed in Kimai2 version 1.16.2, released with the referenced commit [1]. Users should upgrade to this version or later. The NVD entry [2] also references the fix. No workaround is available for unpatched versions.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
kevinpapst/kimai2Packagist | < 1.16.2 | 1.16.2 |
Affected products
2- kevinpapst/kevinpapst/kimai2v5Range: unspecified
Patches
1b28e9c120c87version 1.16.2 (#2942)
37 files changed · +291 −154
src/Constants.php+2 −2 modified@@ -17,11 +17,11 @@ class Constants /** * The current release version */ - public const VERSION = '1.16.0'; + public const VERSION = '1.16.2'; /** * The current release: major * 10000 + minor * 100 + patch */ - public const VERSION_ID = 11600; + public const VERSION_ID = 11602; /** * The current release status, either "stable" or "dev" */
src/Controller/ProjectController.php+12 −2 modified@@ -421,13 +421,23 @@ public function editAction(Project $project, Request $request) } /** - * @Route(path="/{id}/duplicate", name="admin_project_duplicate", methods={"GET", "POST"}) + * @Route(path="/{id}/duplicate/{token}", name="admin_project_duplicate", methods={"GET", "POST"}) * @Security("is_granted('edit', project)") */ - public function duplicateAction(Project $project, Request $request, ProjectDuplicationService $projectDuplicationService) + public function duplicateAction(Project $project, string $token, ProjectDuplicationService $projectDuplicationService, CsrfTokenManagerInterface $csrfTokenManager) { + if (!$csrfTokenManager->isTokenValid(new CsrfToken('project.duplicate', $token))) { + $this->flashError('action.csrf.error'); + + return $this->redirectToRoute('project_details', ['id' => $project->getId()]); + } + + $csrfTokenManager->refreshToken($token); + $newProject = $projectDuplicationService->duplicate($project, $project->getName() . ' [COPY]'); + $this->flashSuccess('action.update.success'); + return $this->redirectToRoute('project_details', ['id' => $newProject->getId()]); }
src/Controller/TeamController.php+12 −2 modified@@ -22,6 +22,8 @@ use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Response; use Symfony\Component\Routing\Annotation\Route; +use Symfony\Component\Security\Csrf\CsrfToken; +use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface; /** * @Route(path="/admin/teams") @@ -81,11 +83,19 @@ public function createTeam(Request $request) } /** - * @Route(path="/{id}/duplicate", name="team_duplicate", methods={"GET", "POST"}) + * @Route(path="/{id}/duplicate/{token}", name="team_duplicate", methods={"GET", "POST"}) * @Security("is_granted('edit', team) and is_granted('create_team')") */ - public function duplicateTeam(Team $team, Request $request) + public function duplicateTeam(Team $team, string $token, CsrfTokenManagerInterface $csrfTokenManager) { + if (!$csrfTokenManager->isTokenValid(new CsrfToken('team.duplicate', $token))) { + $this->flashError('action.csrf.error'); + + return $this->redirectToRoute('admin_team_edit', ['id' => $team->getId()]); + } + + $csrfTokenManager->refreshToken($token); + $newTeam = clone $team; $newTeam->setName($team->getName() . ' [COPY]');
src/Controller/TimesheetAbstractController.php+3 −3 modified@@ -211,14 +211,14 @@ protected function create(Request $request, string $renderTemplate, ProjectRepos ]); } - protected function duplicate(Timesheet $timesheet, Request $request, string $renderTemplate): Response + protected function duplicate(Timesheet $timesheet, Request $request, string $renderTemplate, string $token): Response { $copyTimesheet = clone $timesheet; $event = new TimesheetMetaDefinitionEvent($copyTimesheet); $this->dispatcher->dispatch($event); - $form = $this->getDuplicateForm($copyTimesheet, $timesheet); + $form = $this->getDuplicateForm($copyTimesheet, $timesheet, $token); $form->handleRequest($request); if ($form->isSubmitted() && $form->isValid()) { @@ -612,7 +612,7 @@ protected function createDefaultQuery(string $suffix = 'Listing'): TimesheetQuer return $query; } - abstract protected function getDuplicateForm(Timesheet $entry, Timesheet $original): FormInterface; + abstract protected function getDuplicateForm(Timesheet $entry, Timesheet $original, string $token): FormInterface; abstract protected function getCreateForm(Timesheet $entry): FormInterface; }
src/Controller/TimesheetController.php+15 −5 modified@@ -21,6 +21,8 @@ use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Response; use Symfony\Component\Routing\Annotation\Route; +use Symfony\Component\Security\Csrf\CsrfToken; +use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface; /** * @Route(path="/timesheet") @@ -60,12 +62,20 @@ public function editAction(Timesheet $entry, Request $request): Response } /** - * @Route(path="/{id}/duplicate", name="timesheet_duplicate", methods={"GET", "POST"}) + * @Route(path="/{id}/duplicate/{token}", name="timesheet_duplicate", methods={"GET", "POST"}) * @Security("is_granted('duplicate', entry)") */ - public function duplicateAction(Timesheet $entry, Request $request): Response + public function duplicateAction(Timesheet $entry, Request $request, string $token, CsrfTokenManagerInterface $csrfTokenManager): Response { - return $this->duplicate($entry, $request, 'timesheet/edit.html.twig'); + if (!$csrfTokenManager->isTokenValid(new CsrfToken('timesheet.duplicate', $token))) { + $this->flashError('action.csrf.error'); + + return $this->redirectToRoute('timesheet'); + } + + $csrfTokenManager->refreshToken($token); + + return $this->duplicate($entry, $request, 'timesheet/edit.html.twig', $token); } /** @@ -100,8 +110,8 @@ protected function getCreateForm(Timesheet $entry): FormInterface return $this->generateCreateForm($entry, TimesheetEditForm::class, $this->generateUrl('timesheet_create')); } - protected function getDuplicateForm(Timesheet $entry, Timesheet $original): FormInterface + protected function getDuplicateForm(Timesheet $entry, Timesheet $original, string $token): FormInterface { - return $this->generateCreateForm($entry, TimesheetEditForm::class, $this->generateUrl('timesheet_duplicate', ['id' => $original->getId()])); + return $this->generateCreateForm($entry, TimesheetEditForm::class, $this->generateUrl('timesheet_duplicate', ['id' => $original->getId(), 'token' => $token])); } }
src/Controller/TimesheetTeamController.php+15 −5 modified@@ -28,6 +28,8 @@ use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Response; use Symfony\Component\Routing\Annotation\Route; +use Symfony\Component\Security\Csrf\CsrfToken; +use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface; /** * @Route(path="/team/timesheet") @@ -71,12 +73,20 @@ public function editAction(Timesheet $entry, Request $request): Response } /** - * @Route(path="/{id}/duplicate", name="admin_timesheet_duplicate", methods={"GET", "POST"}) + * @Route(path="/{id}/duplicate/{token}", name="admin_timesheet_duplicate", methods={"GET", "POST"}) * @Security("is_granted('duplicate', entry)") */ - public function duplicateAction(Timesheet $entry, Request $request): Response + public function duplicateAction(Timesheet $entry, Request $request, string $token, CsrfTokenManagerInterface $csrfTokenManager): Response { - return $this->duplicate($entry, $request, 'timesheet-team/edit.html.twig'); + if (!$csrfTokenManager->isTokenValid(new CsrfToken('admin_timesheet.duplicate', $token))) { + $this->flashError('action.csrf.error'); + + return $this->redirectToRoute('admin_timesheet'); + } + + $csrfTokenManager->refreshToken($token); + + return $this->duplicate($entry, $request, 'timesheet-team/edit.html.twig', $token); } /** @@ -195,9 +205,9 @@ protected function getCreateForm(Timesheet $entry): FormInterface return $this->generateCreateForm($entry, TimesheetAdminEditForm::class, $this->generateUrl('admin_timesheet_create')); } - protected function getDuplicateForm(Timesheet $entry, Timesheet $original): FormInterface + protected function getDuplicateForm(Timesheet $entry, Timesheet $original, string $token): FormInterface { - return $this->generateCreateForm($entry, TimesheetAdminEditForm::class, $this->generateUrl('admin_timesheet_duplicate', ['id' => $original->getId()])); + return $this->generateCreateForm($entry, TimesheetAdminEditForm::class, $this->generateUrl('admin_timesheet_duplicate', ['id' => $original->getId(), 'token' => $token])); } protected function getPermissionEditExport(): string
src/EventSubscriber/Actions/AbstractTimesheetSubscriber.php+1 −1 modified@@ -39,7 +39,7 @@ protected function timesheetActions(PageActionsEvent $event, string $routeEdit, if ($this->isGranted('duplicate', $timesheet)) { $class = $event->isView('edit') ? '' : 'modal-ajax-form'; - $event->addAction('copy', ['url' => $this->path($routeDuplicate, ['id' => $timesheet->getId()]), 'class' => $class]); + $event->addAction('copy', ['url' => $this->path($routeDuplicate, ['id' => $timesheet->getId(), 'token' => $payload['token']]), 'class' => $class]); } if ($event->countActions() > 0) {
src/EventSubscriber/Actions/ProjectSubscriber.php+1 −1 modified@@ -73,7 +73,7 @@ public function onActions(PageActionsEvent $event): void if ($this->isGranted('edit', $project) && $this->isGranted('create_project')) { $event->addAction( 'copy', - ['url' => $this->path('admin_project_duplicate', ['id' => $project->getId()])] + ['url' => $this->path('admin_project_duplicate', ['id' => $project->getId(), 'token' => $payload['token']])] ); }
src/EventSubscriber/Actions/TeamSubscriber.php+1 −1 modified@@ -34,7 +34,7 @@ public function onActions(PageActionsEvent $event): void $event->addAction('edit', ['url' => $this->path('admin_team_edit', ['id' => $team->getId()])]); if ($this->isGranted('create_team')) { - $event->addAction('copy', ['url' => $this->path('team_duplicate', ['id' => $team->getId()])]); + $event->addAction('copy', ['url' => $this->path('team_duplicate', ['id' => $team->getId(), 'token' => $payload['token']])]); } }
src/Migrations/Version20180701120000.php+12 −20 modified@@ -22,26 +22,18 @@ final class Version20180701120000 extends AbstractMigration { public function up(Schema $schema): void { - $users = 'kimai2_users'; - $userPreferences = 'kimai2_user_preferences'; - $customers = 'kimai2_customers'; - $projects = 'kimai2_projects'; - $activities = 'kimai2_activities'; - $timesheets = 'kimai2_timesheet'; - $invoiceTemplates = 'kimai2_invoice_templates'; - - $this->addSql('CREATE TABLE ' . $users . ' (id INT AUTO_INCREMENT NOT NULL, name VARCHAR(60) NOT NULL, mail VARCHAR(160) NOT NULL, password VARCHAR(254) DEFAULT NULL, alias VARCHAR(60) DEFAULT NULL, active TINYINT(1) NOT NULL, registration_date DATETIME DEFAULT NULL, title VARCHAR(50) DEFAULT NULL, avatar VARCHAR(255) DEFAULT NULL, roles LONGTEXT NOT NULL COMMENT \'(DC2Type:array)\', UNIQUE INDEX UNIQ_B9AC5BCE5E237E06 (name), UNIQUE INDEX UNIQ_B9AC5BCE5126AC48 (mail), PRIMARY KEY(id)) DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci ENGINE = InnoDB'); - $this->addSql('CREATE TABLE ' . $userPreferences . ' (id INT AUTO_INCREMENT NOT NULL, user_id INT DEFAULT NULL, name VARCHAR(50) NOT NULL, value VARCHAR(255) DEFAULT NULL, INDEX IDX_8D08F631A76ED395 (user_id), UNIQUE INDEX UNIQ_8D08F631A76ED3955E237E06 (user_id, name), PRIMARY KEY(id)) DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci ENGINE = InnoDB'); - $this->addSql('CREATE TABLE ' . $customers . ' (id INT AUTO_INCREMENT NOT NULL, name VARCHAR(150) NOT NULL, number VARCHAR(50) DEFAULT NULL, comment TEXT DEFAULT NULL, visible TINYINT(1) NOT NULL, company VARCHAR(255) DEFAULT NULL, contact VARCHAR(255) DEFAULT NULL, address TEXT DEFAULT NULL, country VARCHAR(2) NOT NULL, currency VARCHAR(3) NOT NULL, phone VARCHAR(255) DEFAULT NULL, fax VARCHAR(255) DEFAULT NULL, mobile VARCHAR(255) DEFAULT NULL, mail VARCHAR(255) DEFAULT NULL, homepage VARCHAR(255) DEFAULT NULL, timezone VARCHAR(255) NOT NULL, PRIMARY KEY(id)) DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci ENGINE = InnoDB'); - $this->addSql('CREATE TABLE ' . $projects . ' (id INT AUTO_INCREMENT NOT NULL, customer_id INT DEFAULT NULL, name VARCHAR(150) NOT NULL, order_number TINYTEXT DEFAULT NULL, comment TEXT DEFAULT NULL, visible TINYINT(1) NOT NULL, budget NUMERIC(10, 2) NOT NULL, INDEX IDX_407F12069395C3F3 (customer_id), PRIMARY KEY(id)) DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci ENGINE = InnoDB'); - $this->addSql('CREATE TABLE ' . $activities . ' (id INT AUTO_INCREMENT NOT NULL, project_id INT DEFAULT NULL, name VARCHAR(150) NOT NULL, comment TEXT DEFAULT NULL, visible TINYINT(1) NOT NULL, INDEX IDX_8811FE1C166D1F9C (project_id), PRIMARY KEY(id)) DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci ENGINE = InnoDB'); - $this->addSql('CREATE TABLE ' . $timesheets . ' (id INT AUTO_INCREMENT NOT NULL, user INT DEFAULT NULL, activity_id INT DEFAULT NULL, start_time DATETIME NOT NULL, end_time DATETIME DEFAULT NULL, duration INT DEFAULT NULL, description TEXT DEFAULT NULL, rate NUMERIC(10, 2) NOT NULL, INDEX IDX_4F60C6B18D93D649 (user), INDEX IDX_4F60C6B181C06096 (activity_id), PRIMARY KEY(id)) DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci ENGINE = InnoDB'); - $this->addSql('CREATE TABLE ' . $invoiceTemplates . ' (id INT AUTO_INCREMENT NOT NULL, name VARCHAR(60) NOT NULL, title VARCHAR(255) NOT NULL, company VARCHAR(255) NOT NULL, address TEXT DEFAULT NULL, due_days INT NOT NULL, vat INT DEFAULT NULL, calculator VARCHAR(20) NOT NULL, number_generator VARCHAR(20) NOT NULL, renderer VARCHAR(20) NOT NULL, payment_terms TEXT DEFAULT NULL, UNIQUE INDEX UNIQ_1626CFE95E237E06 (name), PRIMARY KEY(id)) DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci ENGINE = InnoDB'); - $this->addSql('ALTER TABLE ' . $userPreferences . ' ADD CONSTRAINT FK_8D08F631A76ED395 FOREIGN KEY (user_id) REFERENCES ' . $users . ' (id) ON DELETE CASCADE'); - $this->addSql('ALTER TABLE ' . $projects . ' ADD CONSTRAINT FK_407F12069395C3F3 FOREIGN KEY (customer_id) REFERENCES ' . $customers . ' (id) ON DELETE CASCADE'); - $this->addSql('ALTER TABLE ' . $activities . ' ADD CONSTRAINT FK_8811FE1C166D1F9C FOREIGN KEY (project_id) REFERENCES ' . $projects . ' (id) ON DELETE CASCADE'); - $this->addSql('ALTER TABLE ' . $timesheets . ' ADD CONSTRAINT FK_4F60C6B18D93D649 FOREIGN KEY (user) REFERENCES ' . $users . ' (id)'); - $this->addSql('ALTER TABLE ' . $timesheets . ' ADD CONSTRAINT FK_4F60C6B181C06096 FOREIGN KEY (activity_id) REFERENCES ' . $activities . ' (id) ON DELETE CASCADE'); + $this->addSql('CREATE TABLE kimai2_users (id INT AUTO_INCREMENT NOT NULL, name VARCHAR(60) NOT NULL, mail VARCHAR(160) NOT NULL, password VARCHAR(254) DEFAULT NULL, alias VARCHAR(60) DEFAULT NULL, active TINYINT(1) NOT NULL, registration_date DATETIME DEFAULT NULL, title VARCHAR(50) DEFAULT NULL, avatar VARCHAR(255) DEFAULT NULL, roles LONGTEXT NOT NULL COMMENT \'(DC2Type:array)\', UNIQUE INDEX UNIQ_B9AC5BCE5E237E06 (name), UNIQUE INDEX UNIQ_B9AC5BCE5126AC48 (mail), PRIMARY KEY(id)) DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci ENGINE = InnoDB'); + $this->addSql('CREATE TABLE kimai2_user_preferences (id INT AUTO_INCREMENT NOT NULL, user_id INT DEFAULT NULL, name VARCHAR(50) NOT NULL, value VARCHAR(255) DEFAULT NULL, INDEX IDX_8D08F631A76ED395 (user_id), UNIQUE INDEX UNIQ_8D08F631A76ED3955E237E06 (user_id, name), PRIMARY KEY(id)) DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci ENGINE = InnoDB'); + $this->addSql('CREATE TABLE kimai2_customers (id INT AUTO_INCREMENT NOT NULL, name VARCHAR(150) NOT NULL, number VARCHAR(50) DEFAULT NULL, comment TEXT DEFAULT NULL, visible TINYINT(1) NOT NULL, company VARCHAR(255) DEFAULT NULL, contact VARCHAR(255) DEFAULT NULL, address TEXT DEFAULT NULL, country VARCHAR(2) NOT NULL, currency VARCHAR(3) NOT NULL, phone VARCHAR(255) DEFAULT NULL, fax VARCHAR(255) DEFAULT NULL, mobile VARCHAR(255) DEFAULT NULL, mail VARCHAR(255) DEFAULT NULL, homepage VARCHAR(255) DEFAULT NULL, timezone VARCHAR(255) NOT NULL, PRIMARY KEY(id)) DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci ENGINE = InnoDB'); + $this->addSql('CREATE TABLE kimai2_projects (id INT AUTO_INCREMENT NOT NULL, customer_id INT DEFAULT NULL, name VARCHAR(150) NOT NULL, order_number TINYTEXT DEFAULT NULL, comment TEXT DEFAULT NULL, visible TINYINT(1) NOT NULL, budget NUMERIC(10, 2) NOT NULL, INDEX IDX_407F12069395C3F3 (customer_id), PRIMARY KEY(id)) DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci ENGINE = InnoDB'); + $this->addSql('CREATE TABLE kimai2_activities (id INT AUTO_INCREMENT NOT NULL, project_id INT DEFAULT NULL, name VARCHAR(150) NOT NULL, comment TEXT DEFAULT NULL, visible TINYINT(1) NOT NULL, INDEX IDX_8811FE1C166D1F9C (project_id), PRIMARY KEY(id)) DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci ENGINE = InnoDB'); + $this->addSql('CREATE TABLE kimai2_timesheet (id INT AUTO_INCREMENT NOT NULL, user INT DEFAULT NULL, activity_id INT DEFAULT NULL, start_time DATETIME NOT NULL, end_time DATETIME DEFAULT NULL, duration INT DEFAULT NULL, description TEXT DEFAULT NULL, rate NUMERIC(10, 2) NOT NULL, INDEX IDX_4F60C6B18D93D649 (user), INDEX IDX_4F60C6B181C06096 (activity_id), PRIMARY KEY(id)) DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci ENGINE = InnoDB'); + $this->addSql('CREATE TABLE kimai2_invoice_templates (id INT AUTO_INCREMENT NOT NULL, name VARCHAR(60) NOT NULL, title VARCHAR(255) NOT NULL, company VARCHAR(255) NOT NULL, address TEXT DEFAULT NULL, due_days INT NOT NULL, vat INT DEFAULT NULL, calculator VARCHAR(20) NOT NULL, number_generator VARCHAR(20) NOT NULL, renderer VARCHAR(20) NOT NULL, payment_terms TEXT DEFAULT NULL, UNIQUE INDEX UNIQ_1626CFE95E237E06 (name), PRIMARY KEY(id)) DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci ENGINE = InnoDB'); + $this->addSql('ALTER TABLE kimai2_user_preferences ADD CONSTRAINT FK_8D08F631A76ED395 FOREIGN KEY (user_id) REFERENCES kimai2_users (id) ON DELETE CASCADE'); + $this->addSql('ALTER TABLE kimai2_projects ADD CONSTRAINT FK_407F12069395C3F3 FOREIGN KEY (customer_id) REFERENCES kimai2_customers (id) ON DELETE CASCADE'); + $this->addSql('ALTER TABLE kimai2_activities ADD CONSTRAINT FK_8811FE1C166D1F9C FOREIGN KEY (project_id) REFERENCES kimai2_projects (id) ON DELETE CASCADE'); + $this->addSql('ALTER TABLE kimai2_timesheet ADD CONSTRAINT FK_4F60C6B18D93D649 FOREIGN KEY (user) REFERENCES kimai2_users (id)'); + $this->addSql('ALTER TABLE kimai2_timesheet ADD CONSTRAINT FK_4F60C6B181C06096 FOREIGN KEY (activity_id) REFERENCES kimai2_activities (id) ON DELETE CASCADE'); } public function down(Schema $schema): void
src/Migrations/Version20180715160326.php+27 −31 modified@@ -37,32 +37,30 @@ final class Version20180715160326 extends AbstractMigration */ public function up(Schema $schema): void { - $users = 'kimai2_users'; - // delete all existing indexes - $indexesOld = $schema->getTable($users)->getIndexes(); + $indexesOld = $schema->getTable('kimai2_users')->getIndexes(); foreach ($indexesOld as $index) { if (\in_array('name', $index->getColumns()) || \in_array('mail', $index->getColumns())) { $this->indexesOld[] = $index; - $this->addSql('DROP INDEX ' . $index->getName() . ' ON ' . $users); + $this->addSql('DROP INDEX ' . $index->getName() . ' ON kimai2_users'); } } - $this->addSql('ALTER TABLE ' . $users . ' CHANGE name username VARCHAR(180) NOT NULL, ADD username_canonical VARCHAR(180) NOT NULL, CHANGE mail email VARCHAR(180) NOT NULL, ADD email_canonical VARCHAR(180) NOT NULL, ADD salt VARCHAR(255) DEFAULT NULL, ADD last_login DATETIME DEFAULT NULL, ADD confirmation_token VARCHAR(180) DEFAULT NULL, ADD password_requested_at DATETIME DEFAULT NULL, CHANGE password password VARCHAR(255) NOT NULL, CHANGE alias alias VARCHAR(60) DEFAULT NULL, CHANGE registration_date registration_date DATETIME DEFAULT NULL, CHANGE title title VARCHAR(50) DEFAULT NULL, CHANGE avatar avatar VARCHAR(255) DEFAULT NULL, CHANGE roles roles LONGTEXT NOT NULL COMMENT \'(DC2Type:array)\', CHANGE active enabled TINYINT(1) NOT NULL'); - $this->addSql('UPDATE ' . $users . ' set username_canonical = username'); - $this->addSql('UPDATE ' . $users . ' set email_canonical = email'); - - $this->addSql('UPDATE ' . $users . ' SET roles = \'a:1:{i:0;s:16:"ROLE_SUPER_ADMIN";}\' WHERE roles LIKE \'%ROLE_SUPER_ADMIN%\''); - $this->addSql('UPDATE ' . $users . ' SET roles = \'a:1:{i:0;s:10:"ROLE_ADMIN";}\' WHERE roles LIKE \'%ROLE_ADMIN%\''); - $this->addSql('UPDATE ' . $users . ' SET roles = \'a:1:{i:0;s:13:"ROLE_TEAMLEAD";}\' WHERE roles LIKE \'%ROLE_TEAMLEAD%\''); - $this->addSql('UPDATE ' . $users . ' SET roles = \'a:0:{}\' WHERE roles LIKE \'%ROLE_USER%\''); - $this->addSql('UPDATE ' . $users . ' SET roles = \'a:1:{i:0;s:13:"ROLE_CUSTOMER";}\' WHERE roles LIKE \'%ROLE_CUSTOMER%\''); - - $this->addSql('CREATE UNIQUE INDEX UNIQ_B9AC5BCE92FC23A8 ON ' . $users . ' (username_canonical)'); - $this->addSql('CREATE UNIQUE INDEX UNIQ_B9AC5BCEA0D96FBF ON ' . $users . ' (email_canonical)'); - $this->addSql('CREATE UNIQUE INDEX UNIQ_B9AC5BCEC05FB297 ON ' . $users . ' (confirmation_token)'); - $this->addSql('CREATE UNIQUE INDEX UNIQ_B9AC5BCEF85E0677 ON ' . $users . ' (username)'); - $this->addSql('CREATE UNIQUE INDEX UNIQ_B9AC5BCEE7927C74 ON ' . $users . ' (email)'); + $this->addSql('ALTER TABLE kimai2_users CHANGE name username VARCHAR(180) NOT NULL, ADD username_canonical VARCHAR(180) NOT NULL, CHANGE mail email VARCHAR(180) NOT NULL, ADD email_canonical VARCHAR(180) NOT NULL, ADD salt VARCHAR(255) DEFAULT NULL, ADD last_login DATETIME DEFAULT NULL, ADD confirmation_token VARCHAR(180) DEFAULT NULL, ADD password_requested_at DATETIME DEFAULT NULL, CHANGE password password VARCHAR(255) NOT NULL, CHANGE alias alias VARCHAR(60) DEFAULT NULL, CHANGE registration_date registration_date DATETIME DEFAULT NULL, CHANGE title title VARCHAR(50) DEFAULT NULL, CHANGE avatar avatar VARCHAR(255) DEFAULT NULL, CHANGE roles roles LONGTEXT NOT NULL COMMENT \'(DC2Type:array)\', CHANGE active enabled TINYINT(1) NOT NULL'); + $this->addSql('UPDATE kimai2_users set username_canonical = username'); + $this->addSql('UPDATE kimai2_users set email_canonical = email'); + + $this->addSql('UPDATE kimai2_users SET roles = \'a:1:{i:0;s:16:"ROLE_SUPER_ADMIN";}\' WHERE roles LIKE \'%ROLE_SUPER_ADMIN%\''); + $this->addSql('UPDATE kimai2_users SET roles = \'a:1:{i:0;s:10:"ROLE_ADMIN";}\' WHERE roles LIKE \'%ROLE_ADMIN%\''); + $this->addSql('UPDATE kimai2_users SET roles = \'a:1:{i:0;s:13:"ROLE_TEAMLEAD";}\' WHERE roles LIKE \'%ROLE_TEAMLEAD%\''); + $this->addSql('UPDATE kimai2_users SET roles = \'a:0:{}\' WHERE roles LIKE \'%ROLE_USER%\''); + $this->addSql('UPDATE kimai2_users SET roles = \'a:1:{i:0;s:13:"ROLE_CUSTOMER";}\' WHERE roles LIKE \'%ROLE_CUSTOMER%\''); + + $this->addSql('CREATE UNIQUE INDEX UNIQ_B9AC5BCE92FC23A8 ON kimai2_users (username_canonical)'); + $this->addSql('CREATE UNIQUE INDEX UNIQ_B9AC5BCEA0D96FBF ON kimai2_users (email_canonical)'); + $this->addSql('CREATE UNIQUE INDEX UNIQ_B9AC5BCEC05FB297 ON kimai2_users (confirmation_token)'); + $this->addSql('CREATE UNIQUE INDEX UNIQ_B9AC5BCEF85E0677 ON kimai2_users (username)'); + $this->addSql('CREATE UNIQUE INDEX UNIQ_B9AC5BCEE7927C74 ON kimai2_users (email)'); } /** @@ -72,25 +70,23 @@ public function up(Schema $schema): void */ public function down(Schema $schema): void { - $users = 'kimai2_users'; - $indexToDelete = ['UNIQ_B9AC5BCE92FC23A8', 'UNIQ_B9AC5BCEA0D96FBF', 'UNIQ_B9AC5BCEC05FB297', 'UNIQ_B9AC5BCEF85E0677', 'UNIQ_B9AC5BCEE7927C74']; foreach ($indexToDelete as $indexName) { - $this->addSql('DROP INDEX ' . $indexName . ' ON ' . $users); + $this->addSql('DROP INDEX ' . $indexName . ' ON kimai2_users'); } - $this->addSql('ALTER TABLE ' . $users . ' CHANGE username name VARCHAR(60) NOT NULL COLLATE utf8mb4_unicode_ci, CHANGE email mail VARCHAR(160) NOT NULL COLLATE utf8mb4_unicode_ci, DROP username_canonical, DROP email_canonical, DROP salt, DROP last_login, DROP confirmation_token, DROP password_requested_at, CHANGE password password VARCHAR(254) DEFAULT NULL COLLATE utf8mb4_unicode_ci, CHANGE roles roles LONGTEXT NOT NULL COMMENT \'(DC2Type:array)\', CHANGE alias alias VARCHAR(60) DEFAULT NULL COLLATE utf8mb4_unicode_ci, CHANGE registration_date registration_date DATETIME DEFAULT NULL, CHANGE title title VARCHAR(50) DEFAULT NULL COLLATE utf8mb4_unicode_ci, CHANGE avatar avatar VARCHAR(255) DEFAULT NULL COLLATE utf8mb4_unicode_ci, CHANGE enabled active TINYINT(1) NOT NULL'); + $this->addSql('ALTER TABLE kimai2_users CHANGE username name VARCHAR(60) NOT NULL COLLATE utf8mb4_unicode_ci, CHANGE email mail VARCHAR(160) NOT NULL COLLATE utf8mb4_unicode_ci, DROP username_canonical, DROP email_canonical, DROP salt, DROP last_login, DROP confirmation_token, DROP password_requested_at, CHANGE password password VARCHAR(254) DEFAULT NULL COLLATE utf8mb4_unicode_ci, CHANGE roles roles LONGTEXT NOT NULL COMMENT \'(DC2Type:array)\', CHANGE alias alias VARCHAR(60) DEFAULT NULL COLLATE utf8mb4_unicode_ci, CHANGE registration_date registration_date DATETIME DEFAULT NULL, CHANGE title title VARCHAR(50) DEFAULT NULL COLLATE utf8mb4_unicode_ci, CHANGE avatar avatar VARCHAR(255) DEFAULT NULL COLLATE utf8mb4_unicode_ci, CHANGE enabled active TINYINT(1) NOT NULL'); - $this->addSql('UPDATE ' . $users . ' SET roles = \'["ROLE_SUPER_ADMIN"]\' WHERE roles LIKE \'%ROLE_SUPER_ADMIN%\''); - $this->addSql('UPDATE ' . $users . ' SET roles = \'["ROLE_ADMIN"]\' WHERE roles LIKE \'%ROLE_ADMIN%\''); - $this->addSql('UPDATE ' . $users . ' SET roles = \'["ROLE_TEAMLEAD"]\' WHERE roles LIKE \'%ROLE_TEAMLEAD%\''); - $this->addSql('UPDATE ' . $users . ' SET roles = \'["ROLE_USER"]\' WHERE roles LIKE \'%ROLE_USER%\''); - $this->addSql('UPDATE ' . $users . ' SET roles = \'["ROLE_CUSTOMER"]\' WHERE roles LIKE \'%ROLE_CUSTOMER%\''); + $this->addSql('UPDATE kimai2_users SET roles = \'["ROLE_SUPER_ADMIN"]\' WHERE roles LIKE \'%ROLE_SUPER_ADMIN%\''); + $this->addSql('UPDATE kimai2_users SET roles = \'["ROLE_ADMIN"]\' WHERE roles LIKE \'%ROLE_ADMIN%\''); + $this->addSql('UPDATE kimai2_users SET roles = \'["ROLE_TEAMLEAD"]\' WHERE roles LIKE \'%ROLE_TEAMLEAD%\''); + $this->addSql('UPDATE kimai2_users SET roles = \'["ROLE_USER"]\' WHERE roles LIKE \'%ROLE_USER%\''); + $this->addSql('UPDATE kimai2_users SET roles = \'["ROLE_CUSTOMER"]\' WHERE roles LIKE \'%ROLE_CUSTOMER%\''); - $this->addSql('CREATE UNIQUE INDEX UNIQ_B9AC5BCE5E237E06 ON ' . $users . ' (name)'); - $this->addSql('CREATE UNIQUE INDEX UNIQ_B9AC5BCE5126AC48 ON ' . $users . ' (mail)'); + $this->addSql('CREATE UNIQUE INDEX UNIQ_B9AC5BCE5E237E06 ON kimai2_users (name)'); + $this->addSql('CREATE UNIQUE INDEX UNIQ_B9AC5BCE5126AC48 ON kimai2_users (mail)'); - $usersTable = $schema->getTable($users); + $usersTable = $schema->getTable('kimai2_users'); foreach ($this->indexesOld as $index) { $usersTable->addIndex($index->getColumns(), $index->getName(), $index->getFlags(), $index->getOptions()); }
src/Migrations/Version20180730044139.php+4 −11 modified@@ -33,12 +33,8 @@ final class Version20180730044139 extends AbstractMigration */ public function up(Schema $schema): void { - $timesheet = 'kimai2_timesheet'; - $user = 'kimai2_users'; - $activity = 'kimai2_activities'; - - $this->addSql('ALTER TABLE ' . $timesheet . ' DROP FOREIGN KEY FK_4F60C6B18D93D649'); - $this->addSql('ALTER TABLE ' . $timesheet . ' ADD CONSTRAINT FK_4F60C6B18D93D649 FOREIGN KEY (user) REFERENCES ' . $user . ' (id) ON DELETE CASCADE'); + $this->addSql('ALTER TABLE kimai2_timesheet DROP FOREIGN KEY FK_4F60C6B18D93D649'); + $this->addSql('ALTER TABLE kimai2_timesheet ADD CONSTRAINT FK_4F60C6B18D93D649 FOREIGN KEY (user) REFERENCES kimai2_users (id) ON DELETE CASCADE'); } /** @@ -47,10 +43,7 @@ public function up(Schema $schema): void */ public function down(Schema $schema): void { - $timesheet = 'kimai2_timesheet'; - $user = 'kimai2_users'; - - $this->addSql('ALTER TABLE ' . $timesheet . ' DROP FOREIGN KEY FK_4F60C6B18D93D649'); - $this->addSql('ALTER TABLE ' . $timesheet . ' ADD CONSTRAINT FK_4F60C6B18D93D649 FOREIGN KEY (user) REFERENCES ' . $user . ' (id)'); + $this->addSql('ALTER TABLE kimai2_timesheet DROP FOREIGN KEY FK_4F60C6B18D93D649'); + $this->addSql('ALTER TABLE kimai2_timesheet ADD CONSTRAINT FK_4F60C6B18D93D649 FOREIGN KEY (user) REFERENCES kimai2_users (id)'); } }
src/Migrations/Version20180924111853.php+3 −7 modified@@ -23,16 +23,12 @@ final class Version20180924111853 extends AbstractMigration { public function up(Schema $schema): void { - $invoiceTemplates = 'kimai2_invoice_templates'; - - $this->addSql('UPDATE ' . $invoiceTemplates . ' SET name=SUBSTRING(name, 1, 60)'); - $this->addSql('ALTER TABLE ' . $invoiceTemplates . ' CHANGE name name VARCHAR(60) NOT NULL, CHANGE vat vat DOUBLE PRECISION DEFAULT 0'); + $this->addSql('UPDATE kimai2_invoice_templates SET name=SUBSTRING(name, 1, 60)'); + $this->addSql('ALTER TABLE kimai2_invoice_templates CHANGE name name VARCHAR(60) NOT NULL, CHANGE vat vat DOUBLE PRECISION DEFAULT 0'); } public function down(Schema $schema): void { - $invoiceTemplates = 'kimai2_invoice_templates'; - - $this->addSql('ALTER TABLE ' . $invoiceTemplates . ' CHANGE name name VARCHAR(255) NOT NULL COLLATE utf8mb4_unicode_ci, CHANGE vat vat INT DEFAULT NULL'); + $this->addSql('ALTER TABLE kimai2_invoice_templates CHANGE name name VARCHAR(255) NOT NULL COLLATE utf8mb4_unicode_ci, CHANGE vat vat INT DEFAULT NULL'); } }
src/Migrations/Version20181031220003.php+18 −28 modified@@ -22,45 +22,35 @@ final class Version20181031220003 extends AbstractMigration { public function up(Schema $schema): void { - $timesheet = 'kimai2_timesheet'; - $projects = 'kimai2_projects'; - $activities = 'kimai2_activities'; - $users = 'kimai2_users'; - $customers = 'kimai2_customers'; - // project table - $this->addSql('ALTER TABLE ' . $projects . ' DROP FOREIGN KEY FK_407F12069395C3F3'); - $this->addSql('ALTER TABLE ' . $projects . ' CHANGE customer_id customer_id INT NOT NULL'); - $this->addSql('ALTER TABLE ' . $projects . ' ADD CONSTRAINT FK_407F12069395C3F3 FOREIGN KEY (customer_id) REFERENCES ' . $customers . ' (id) ON DELETE CASCADE'); + $this->addSql('ALTER TABLE kimai2_projects DROP FOREIGN KEY FK_407F12069395C3F3'); + $this->addSql('ALTER TABLE kimai2_projects CHANGE customer_id customer_id INT NOT NULL'); + $this->addSql('ALTER TABLE kimai2_projects ADD CONSTRAINT FK_407F12069395C3F3 FOREIGN KEY (customer_id) REFERENCES kimai2_customers (id) ON DELETE CASCADE'); // timesheet table - $this->addSql('ALTER TABLE ' . $timesheet . ' ADD project_id INT DEFAULT NULL AFTER activity_id'); - $this->addSql('CREATE INDEX IDX_4F60C6B1166D1F9C ON ' . $timesheet . ' (project_id)'); + $this->addSql('ALTER TABLE kimai2_timesheet ADD project_id INT DEFAULT NULL AFTER activity_id'); + $this->addSql('CREATE INDEX IDX_4F60C6B1166D1F9C ON kimai2_timesheet (project_id)'); // update timesheet table and insert project_id from activity table - $this->addSql('UPDATE ' . $timesheet . ' SET project_id = (SELECT project_id FROM ' . $activities . ' WHERE id = activity_id)'); + $this->addSql('UPDATE kimai2_timesheet SET project_id = (SELECT project_id FROM kimai2_activities WHERE id = activity_id)'); // now update the timesheet table and disallow null values for all required columns (that was a bug before) - $this->addSql('ALTER TABLE ' . $timesheet . ' DROP FOREIGN KEY FK_4F60C6B18D93D649'); - $this->addSql('ALTER TABLE ' . $timesheet . ' DROP FOREIGN KEY FK_4F60C6B181C06096'); - $this->addSql('ALTER TABLE ' . $timesheet . ' CHANGE project_id project_id INT NOT NULL, CHANGE user user INT NOT NULL, CHANGE activity_id activity_id INT NOT NULL'); - $this->addSql('ALTER TABLE ' . $timesheet . ' ADD CONSTRAINT FK_4F60C6B1166D1F9C FOREIGN KEY (project_id) REFERENCES ' . $projects . ' (id) ON DELETE CASCADE'); - $this->addSql('ALTER TABLE ' . $timesheet . ' ADD CONSTRAINT FK_4F60C6B18D93D649 FOREIGN KEY (user) REFERENCES ' . $users . ' (id) ON DELETE CASCADE'); - $this->addSql('ALTER TABLE ' . $timesheet . ' ADD CONSTRAINT FK_4F60C6B181C06096 FOREIGN KEY (activity_id) REFERENCES ' . $activities . ' (id) ON DELETE CASCADE'); + $this->addSql('ALTER TABLE kimai2_timesheet DROP FOREIGN KEY FK_4F60C6B18D93D649'); + $this->addSql('ALTER TABLE kimai2_timesheet DROP FOREIGN KEY FK_4F60C6B181C06096'); + $this->addSql('ALTER TABLE kimai2_timesheet CHANGE project_id project_id INT NOT NULL, CHANGE user user INT NOT NULL, CHANGE activity_id activity_id INT NOT NULL'); + $this->addSql('ALTER TABLE kimai2_timesheet ADD CONSTRAINT FK_4F60C6B1166D1F9C FOREIGN KEY (project_id) REFERENCES kimai2_projects (id) ON DELETE CASCADE'); + $this->addSql('ALTER TABLE kimai2_timesheet ADD CONSTRAINT FK_4F60C6B18D93D649 FOREIGN KEY (user) REFERENCES kimai2_users (id) ON DELETE CASCADE'); + $this->addSql('ALTER TABLE kimai2_timesheet ADD CONSTRAINT FK_4F60C6B181C06096 FOREIGN KEY (activity_id) REFERENCES kimai2_activities (id) ON DELETE CASCADE'); } public function down(Schema $schema): void { - $timesheet = 'kimai2_timesheet'; - $projects = 'kimai2_projects'; - $customers = 'kimai2_customers'; - // project table - $this->addSql('ALTER TABLE ' . $projects . ' DROP FOREIGN KEY FK_407F12069395C3F3'); - $this->addSql('ALTER TABLE ' . $projects . ' CHANGE customer_id customer_id INT DEFAULT NULL'); - $this->addSql('ALTER TABLE ' . $projects . ' ADD CONSTRAINT FK_407F12069395C3F3 FOREIGN KEY (customer_id) REFERENCES ' . $customers . ' (id) ON DELETE CASCADE'); + $this->addSql('ALTER TABLE kimai2_projects DROP FOREIGN KEY FK_407F12069395C3F3'); + $this->addSql('ALTER TABLE kimai2_projects CHANGE customer_id customer_id INT DEFAULT NULL'); + $this->addSql('ALTER TABLE kimai2_projects ADD CONSTRAINT FK_407F12069395C3F3 FOREIGN KEY (customer_id) REFERENCES kimai2_customers (id) ON DELETE CASCADE'); // timesheet table - $this->addSql('ALTER TABLE ' . $timesheet . ' DROP FOREIGN KEY FK_4F60C6B1166D1F9C'); - $this->addSql('DROP INDEX IDX_4F60C6B1166D1F9C ON ' . $timesheet); - $this->addSql('ALTER TABLE ' . $timesheet . ' DROP project_id, CHANGE user user INT DEFAULT NULL, CHANGE activity_id activity_id INT DEFAULT NULL'); + $this->addSql('ALTER TABLE kimai2_timesheet DROP FOREIGN KEY FK_4F60C6B1166D1F9C'); + $this->addSql('DROP INDEX IDX_4F60C6B1166D1F9C ON kimai2_timesheet'); + $this->addSql('ALTER TABLE kimai2_timesheet DROP project_id, CHANGE user user INT DEFAULT NULL, CHANGE activity_id activity_id INT DEFAULT NULL'); } }
src/Migrations/Version20190305152308.php+8 −19 modified@@ -25,28 +25,17 @@ final class Version20190305152308 extends AbstractMigration { public function up(Schema $schema): void { - $customers = 'kimai2_customers'; - $projects = 'kimai2_projects'; - $activities = 'kimai2_activities'; - $timesheet = 'kimai2_timesheet'; - $users = 'kimai2_users'; - - $this->addSql('ALTER TABLE ' . $activities . ' CHANGE fixed_rate fixed_rate DOUBLE PRECISION DEFAULT NULL, CHANGE hourly_rate hourly_rate DOUBLE PRECISION DEFAULT NULL'); - $this->addSql('ALTER TABLE ' . $customers . ' CHANGE mail email VARCHAR(255) DEFAULT NULL, CHANGE fixed_rate fixed_rate DOUBLE PRECISION DEFAULT NULL, CHANGE hourly_rate hourly_rate DOUBLE PRECISION DEFAULT NULL'); - $this->addSql('ALTER TABLE ' . $projects . ' CHANGE budget budget DOUBLE PRECISION NOT NULL, CHANGE fixed_rate fixed_rate DOUBLE PRECISION DEFAULT NULL, CHANGE hourly_rate hourly_rate DOUBLE PRECISION DEFAULT NULL'); - $this->addSql('ALTER TABLE ' . $timesheet . ' CHANGE rate rate DOUBLE PRECISION NOT NULL, CHANGE fixed_rate fixed_rate DOUBLE PRECISION DEFAULT NULL, CHANGE hourly_rate hourly_rate DOUBLE PRECISION DEFAULT NULL'); + $this->addSql('ALTER TABLE kimai2_activities CHANGE fixed_rate fixed_rate DOUBLE PRECISION DEFAULT NULL, CHANGE hourly_rate hourly_rate DOUBLE PRECISION DEFAULT NULL'); + $this->addSql('ALTER TABLE kimai2_customers CHANGE mail email VARCHAR(255) DEFAULT NULL, CHANGE fixed_rate fixed_rate DOUBLE PRECISION DEFAULT NULL, CHANGE hourly_rate hourly_rate DOUBLE PRECISION DEFAULT NULL'); + $this->addSql('ALTER TABLE kimai2_projects CHANGE budget budget DOUBLE PRECISION NOT NULL, CHANGE fixed_rate fixed_rate DOUBLE PRECISION DEFAULT NULL, CHANGE hourly_rate hourly_rate DOUBLE PRECISION DEFAULT NULL'); + $this->addSql('ALTER TABLE kimai2_timesheet CHANGE rate rate DOUBLE PRECISION NOT NULL, CHANGE fixed_rate fixed_rate DOUBLE PRECISION DEFAULT NULL, CHANGE hourly_rate hourly_rate DOUBLE PRECISION DEFAULT NULL'); } public function down(Schema $schema): void { - $customers = 'kimai2_customers'; - $projects = 'kimai2_projects'; - $activities = 'kimai2_activities'; - $timesheet = 'kimai2_timesheet'; - - $this->addSql('ALTER TABLE ' . $activities . ' CHANGE fixed_rate fixed_rate NUMERIC(10, 2) DEFAULT NULL, CHANGE hourly_rate hourly_rate NUMERIC(10, 2) DEFAULT NULL'); - $this->addSql('ALTER TABLE ' . $customers . ' CHANGE email mail VARCHAR(255) DEFAULT NULL, CHANGE fixed_rate fixed_rate NUMERIC(10, 2) DEFAULT NULL, CHANGE hourly_rate hourly_rate NUMERIC(10, 2) DEFAULT NULL'); - $this->addSql('ALTER TABLE ' . $projects . ' CHANGE budget budget NUMERIC(10, 2) NOT NULL, CHANGE fixed_rate fixed_rate NUMERIC(10, 2) DEFAULT NULL, CHANGE hourly_rate hourly_rate NUMERIC(10, 2) DEFAULT NULL'); - $this->addSql('ALTER TABLE ' . $timesheet . ' CHANGE rate rate NUMERIC(10, 2) NOT NULL, CHANGE fixed_rate fixed_rate NUMERIC(10, 2) DEFAULT NULL, CHANGE hourly_rate hourly_rate NUMERIC(10, 2) DEFAULT NULL'); + $this->addSql('ALTER TABLE kimai2_activities CHANGE fixed_rate fixed_rate NUMERIC(10, 2) DEFAULT NULL, CHANGE hourly_rate hourly_rate NUMERIC(10, 2) DEFAULT NULL'); + $this->addSql('ALTER TABLE kimai2_customers CHANGE email mail VARCHAR(255) DEFAULT NULL, CHANGE fixed_rate fixed_rate NUMERIC(10, 2) DEFAULT NULL, CHANGE hourly_rate hourly_rate NUMERIC(10, 2) DEFAULT NULL'); + $this->addSql('ALTER TABLE kimai2_projects CHANGE budget budget NUMERIC(10, 2) NOT NULL, CHANGE fixed_rate fixed_rate NUMERIC(10, 2) DEFAULT NULL, CHANGE hourly_rate hourly_rate NUMERIC(10, 2) DEFAULT NULL'); + $this->addSql('ALTER TABLE kimai2_timesheet CHANGE rate rate NUMERIC(10, 2) NOT NULL, CHANGE fixed_rate fixed_rate NUMERIC(10, 2) DEFAULT NULL, CHANGE hourly_rate hourly_rate NUMERIC(10, 2) DEFAULT NULL'); } }
src/Migrations/Version20210802152814.php+1 −1 modified@@ -44,7 +44,7 @@ public function up(Schema $schema): void $fetch->free(); - $this->preventEmptyMigrationWarning(); + $this->addSql('ALTER TABLE kimai2_timesheet ALTER date_tz DROP DEFAULT'); } public function down(Schema $schema): void
src/Migrations/Version20211008092010.php+2 −0 modified@@ -29,6 +29,8 @@ public function up(Schema $schema): void $projects = $schema->getTable('kimai2_projects'); $column = $projects->getColumn('order_number'); $column->setOptions(['length' => 50]); + + $this->preventEmptyMigrationWarning(); } public function down(Schema $schema): void
templates/form/kimai-theme.html.twig+2 −4 modified@@ -158,10 +158,8 @@ <a class="btn btn-default" href="#" onclick="return false;"> <span id="{{ form.vars.id }}_week_number" data-toggle="tooltip" data-placement="top" title="{{ 'stats.workingTimeWeek'|trans({'%week%': week|date_format('W')}) }}"> {{ week|month_name(true) }} - {% if week|date_format('m') != nextWeek|date_format('m') %} - – - {{ nextWeek|month_name(true) }} - {% endif %} + – + {{ 'stats.workingTimeWeekShort'|trans({'%week%': week|date_format('W')}) }} </span> </a> <a class="btn btn-default btn-right" href="#" onclick="jQuery('#{{ form.vars.id }}').val('{{ nextWeek|report_date }}').change()" data-toggle="tooltip" data-placement="top" title="{{ 'stats.workingTimeWeek'|trans({'%week%': nextWeek|date_format('W')}) }}">
templates/project/actions.html.twig+1 −1 modified@@ -6,7 +6,7 @@ {% macro project(project, view, isTable) %} {% import "macros/widgets.html.twig" as widgets %} - {% set event = actions(app.user, 'project', view, {'project': project}) %} + {% set event = actions(app.user, 'project', view, {'project': project, 'token': csrf_token('project.duplicate')}) %} {% if view == 'index' or view == 'custom' or isTable is not null %} {{ widgets.table_actions(event.actions) }} {% else %}
templates/team/actions.html.twig+1 −1 modified@@ -6,7 +6,7 @@ {% macro team(team, view) %} {% import "macros/widgets.html.twig" as widgets %} - {% set event = actions(app.user, 'team', view, {'team': team}) %} + {% set event = actions(app.user, 'team', view, {'team': team, 'token': csrf_token('team.duplicate')}) %} {% if view == 'index' %} {{ widgets.table_actions(event.actions) }} {% else %}
templates/timesheet/actions.html.twig+1 −1 modified@@ -6,7 +6,7 @@ {% macro timesheet(timesheet, view, options) %} {% import "macros/widgets.html.twig" as widgets %} - {% set event = actions(app.user, 'timesheet', view, {'timesheet': timesheet}) %} + {% set event = actions(app.user, 'timesheet', view, {'timesheet': timesheet, 'token': csrf_token('timesheet.duplicate')}) %} {% if view == 'index' or view == 'custom' %} {{ widgets.table_actions(event.actions) }} {% else %}
templates/timesheet-team/actions.html.twig+1 −1 modified@@ -6,7 +6,7 @@ {% macro timesheet_team(timesheet, view) %} {% import "macros/widgets.html.twig" as widgets %} - {% set event = actions(app.user, 'timesheet_team', view, {'timesheet': timesheet}) %} + {% set event = actions(app.user, 'timesheet_team', view, {'timesheet': timesheet, 'token': csrf_token('admin_timesheet.duplicate')}) %} {% if view == 'index' or view == 'custom' %} {{ widgets.table_actions(event.actions) }} {% else %}
tests/Controller/ControllerBaseTest.php+10 −0 modified@@ -425,4 +425,14 @@ protected function assertExcelExportResponse(HttpKernelBrowser $client, string $ self::assertStringContainsString('attachment; filename=' . $prefix, $response->headers->get('Content-Disposition')); self::assertStringContainsString('.xlsx', $response->headers->get('Content-Disposition')); } + + protected function assertInvalidCsrfToken(HttpKernelBrowser $client, string $url, string $expectedRedirect) + { + $this->request($client, $url); + + $this->assertIsRedirect($client); + $this->assertRedirectUrl($client, $expectedRedirect); + $client->followRedirect(); + $this->assertHasFlashError($client, 'The action could not be performed: invalid security token.'); + } }
tests/Controller/DoctorControllerTest.php+7 −0 modified@@ -34,4 +34,11 @@ public function testIndexAction() $result = $client->getCrawler()->filter('.content .box-header'); self::assertCount(6, $result); } + + public function testFlushLogWithInvalidCsrf() + { + $client = $this->getClientForAuthenticatedUser(User::ROLE_SUPER_ADMIN); + + $this->assertInvalidCsrfToken($client, '/doctor/flush-log/rsetdzfukgli78t6r5uedtjfzkugl', $this->createUrl('/doctor')); + } }
tests/Controller/ProjectControllerTest.php+22 −1 modified@@ -216,7 +216,9 @@ public function testDuplicateAction() $em->persist($rate); $em->flush(); - $this->request($client, '/admin/project/1/duplicate'); + $token = self::$container->get('security.csrf.token_manager')->getToken('project.duplicate'); + + $this->request($client, '/admin/project/1/duplicate/' . $token); $this->assertIsRedirect($client, '/details'); $client->followRedirect(); $node = $client->getCrawler()->filter('div.box#project_rates_box'); @@ -226,6 +228,25 @@ public function testDuplicateAction() self::assertStringContainsString('123.45', $node->text(null, true)); } + public function testDuplicateActionWithInvalidCsrf() + { + $client = $this->getClientForAuthenticatedUser(User::ROLE_ADMIN); + /** @var EntityManager $em */ + $em = $this->getEntityManager(); + $project = $em->find(Project::class, 1); + $project->setMetaField((new ProjectMeta())->setName('foo')->setValue('bar')); + $project->setEnd(new \DateTime()); + $em->persist($project); + $activity = new Activity(); + $activity->setName('blub'); + $activity->setProject($project); + $activity->setMetaField((new ActivityMeta())->setName('blub')->setValue('blab')); + $em->persist($activity); + $em->flush(); + + $this->assertInvalidCsrfToken($client, '/admin/project/1/duplicate/rsetdzfukgli78t6r5uedtjfzkugl', $this->createUrl('/admin/project/1/details')); + } + public function testAddCommentAction() { $client = $this->getClientForAuthenticatedUser(User::ROLE_ADMIN);
tests/Controller/TeamControllerTest.php+10 −1 modified@@ -206,11 +206,20 @@ public function testEditProjectAccessAction() public function testDuplicateAction() { $client = $this->getClientForAuthenticatedUser(User::ROLE_ADMIN); - $this->request($client, '/admin/teams/1/duplicate'); + + $token = self::$container->get('security.csrf.token_manager')->getToken('team.duplicate'); + + $this->request($client, '/admin/teams/1/duplicate/' . $token); $this->assertIsRedirect($client, '/edit'); $client->followRedirect(); $node = $client->getCrawler()->filter('#team_edit_form_name'); self::assertEquals(1, $node->count()); self::assertEquals('Test team [COPY]', $node->attr('value')); } + + public function testDuplicateActionWithInvalidCsrf() + { + $client = $this->getClientForAuthenticatedUser(User::ROLE_ADMIN); + $this->assertInvalidCsrfToken($client, '/admin/teams/1/duplicate/rsetdzfukgli78t6r5uedtjfzkugl', $this->createUrl('/admin/teams/1/edit')); + } }
tests/Controller/TimesheetControllerTest.php+32 −1 modified@@ -708,7 +708,9 @@ public function testDuplicateAction() $ids = $this->importFixture($fixture); $newId = $ids[0]->getId(); - $this->request($client, '/timesheet/' . $newId . '/duplicate'); + $token = self::$container->get('security.csrf.token_manager')->getToken('timesheet.duplicate'); + + $this->request($client, '/timesheet/' . $newId . '/duplicate/' . $token); $this->assertTrue($client->getResponse()->isSuccessful()); $form = $client->getCrawler()->filter('form[name=timesheet_edit_form]')->form(); @@ -730,4 +732,33 @@ public function testDuplicateAction() $this->assertEquals(2016, $timesheet->getFixedRate()); $this->assertEquals(2016, $timesheet->getRate()); } + + public function testDuplicateActionWithInvalidCsrf() + { + $client = $this->getClientForAuthenticatedUser(User::ROLE_ADMIN); + $dateTime = new DateTimeFactory(new \DateTimeZone('Europe/London')); + + $fixture = new TimesheetFixtures(); + $fixture->setAmount(1); + $fixture->setAmountRunning(0); + $fixture->setUser($this->getUserByRole(User::ROLE_USER)); + $fixture->setStartDate($dateTime->createDateTime()); + $fixture->setCallback(function (Timesheet $timesheet) { + $timesheet->setDescription('Testing is fun!'); + $begin = clone $timesheet->getBegin(); + $begin->setTime(0, 0, 0); + $timesheet->setBegin($begin); + $end = clone $timesheet->getBegin(); + $end->modify('+ 8 hours'); + $timesheet->setEnd($end); + $timesheet->setFixedRate(2016); + $timesheet->setHourlyRate(127); + }); + + /** @var Timesheet[] $ids */ + $ids = $this->importFixture($fixture); + $newId = $ids[0]->getId(); + + $this->assertInvalidCsrfToken($client, '/timesheet/' . $newId . '/duplicate/dfghdfghdfghdfghdfgh', $this->createUrl('/timesheet/')); + } }
tests/Controller/TimesheetTeamControllerTest.php+32 −1 modified@@ -428,7 +428,9 @@ public function testDuplicateAction() $ids = $this->importFixture($fixture); $newId = $ids[0]->getId(); - $this->request($client, '/team/timesheet/' . $newId . '/duplicate'); + $token = self::$container->get('security.csrf.token_manager')->getToken('admin_timesheet.duplicate'); + + $this->request($client, '/team/timesheet/' . $newId . '/duplicate/' . $token); $this->assertTrue($client->getResponse()->isSuccessful()); $form = $client->getCrawler()->filter('form[name=timesheet_admin_edit_form]')->form(); @@ -450,4 +452,33 @@ public function testDuplicateAction() $this->assertEquals(2016, $timesheet->getFixedRate()); $this->assertEquals(2016, $timesheet->getRate()); } + + public function testDuplicateActionWithInvalidCsrf() + { + $client = $this->getClientForAuthenticatedUser(User::ROLE_ADMIN); + $dateTime = new DateTimeFactory(new \DateTimeZone('Europe/London')); + + $fixture = new TimesheetFixtures(); + $fixture->setAmount(1); + $fixture->setAmountRunning(0); + $fixture->setUser($this->getUserByRole(User::ROLE_USER)); + $fixture->setStartDate($dateTime->createDateTime()); + $fixture->setCallback(function (Timesheet $timesheet) { + $timesheet->setDescription('Testing is fun!'); + $begin = clone $timesheet->getBegin(); + $begin->setTime(0, 0, 0); + $timesheet->setBegin($begin); + $end = clone $timesheet->getBegin(); + $end->modify('+ 8 hours'); + $timesheet->setEnd($end); + $timesheet->setFixedRate(2016); + $timesheet->setHourlyRate(127); + }); + + /** @var Timesheet[] $ids */ + $ids = $this->importFixture($fixture); + $newId = $ids[0]->getId(); + + $this->assertInvalidCsrfToken($client, '/team/timesheet/' . $newId . '/duplicate/dfghdfghdfghdfghdfgh', $this->createUrl('/team/timesheet/')); + } }
translations/about.ja.xlf+2 −2 modified@@ -1,4 +1,4 @@ -<?xml version="1.0" encoding="utf-8"?> +<?xml version="1.0" encoding="UTF-8"?> <xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2"> <file source-language="en" target-language="ja" datatype="plaintext" original="about.en.xlf"> <body> @@ -28,7 +28,7 @@ </trans-unit> <trans-unit id="A0nWoXZ" resname="special_thanks"> <source>special_thanks</source> - <target>Special thanks go to …</target> + <target>これらの方々に特に感謝いたします。</target> </trans-unit> <trans-unit id="L7cff3Q" resname="library_authors"> <source>library_authors</source>
translations/flashmessages.el.xlf+5 −1 modified@@ -1,4 +1,4 @@ -<?xml version="1.0" encoding="utf-8"?> +<?xml version="1.0" encoding="UTF-8"?> <xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2"> <file source-language="en" target-language="el" datatype="plaintext" original="flashmessages.en.xlf"> <body> @@ -54,6 +54,10 @@ <source>action.upload.error</source> <target>Δεν ήταν δυνατή η μεταφόρτωση ή η αποθήκευση του αρχείου: %reason%</target> </trans-unit> + <trans-unit resname="action.csrf.error" id="bOE_q5R"> + <source>action.csrf.error</source> + <target>Αυτή η ενέργεια δεν μπορεί να πραγματοποιηθεί: Μη έγκυρο τεκμήριο ασφάλειας.</target> + </trans-unit> </body> </file> </xliff>
translations/flashmessages.fr.xlf+4 −0 modified@@ -54,6 +54,10 @@ <source>action.upload.error</source> <target>Le fichier n'a pas pu être mis en ligne ou enregistré : %reason%</target> </trans-unit> + <trans-unit resname="action.csrf.error" id="bOE_q5R"> + <source>action.csrf.error</source> + <target>L'action n'a pas pu être effectuée : jeton de sécurité invalide.</target> + </trans-unit> </body> </file> </xliff>
translations/flashmessages.he.xlf+4 −0 modified@@ -54,6 +54,10 @@ <source>action.upload.error</source> <target>לא ניתן להעלות או לשמור את הקובץ: %reason%</target> </trans-unit> + <trans-unit resname="action.csrf.error" id="bOE_q5R"> + <source>action.csrf.error</source> + <target>אי אפשר לבצע את הפעולה: אסימון אבטחה שגוי.</target> + </trans-unit> </body> </file> </xliff>
translations/flashmessages.pt_BR.xlf+4 −0 modified@@ -54,6 +54,10 @@ <source>action.upload.error</source> <target>O arquivo não pôde ser carregado ou salvo: %reason%</target> </trans-unit> + <trans-unit resname="action.csrf.error" id="bOE_q5R"> + <source>action.csrf.error</source> + <target>A ação não pôde ser realizada: token de segurança inválido.</target> + </trans-unit> </body> </file> </xliff>
translations/flashmessages.pt.xlf+4 −0 modified@@ -54,6 +54,10 @@ <source>action.upload.error</source> <target>Não foi possível enviar ou guardar o ficheiro: %reason%</target> </trans-unit> + <trans-unit resname="action.csrf.error" id="bOE_q5R"> + <source>action.csrf.error</source> + <target>Não foi possível realizar a ação: token de segurança inválido.</target> + </trans-unit> </body> </file> </xliff>
translations/flashmessages.tr.xlf+4 −0 modified@@ -54,6 +54,10 @@ <source>action.upload.error</source> <target>Dosya karşıya yüklenemedi veya kaydedilemedi: %reason%</target> </trans-unit> + <trans-unit resname="action.csrf.error" id="bOE_q5R"> + <source>action.csrf.error</source> + <target>Eylem gerçekleştirilemedi: geçersiz güvenlik belirteci.</target> + </trans-unit> </body> </file> </xliff>
translations/messages.de.xlf+4 −0 modified@@ -792,6 +792,10 @@ <source>stats.workingTimeWeek</source> <target>Kalenderwoche %week%</target> </trans-unit> + <trans-unit id="HPhRbtc" resname="stats.workingTimeWeekShort"> + <source>stats.workingTimeWeekShort</source> + <target>KW %week%</target> + </trans-unit> <trans-unit id="JIKNAYP" approved="yes" resname="stats.workingTimeMonth"> <source>stats.workingTimeMonth</source> <target>%month% %year%</target>
translations/messages.en.xlf+4 −0 modified@@ -792,6 +792,10 @@ <source>stats.workingTimeWeek</source> <target>Calendar week %week%</target> </trans-unit> + <trans-unit id="HPhRbtc" resname="stats.workingTimeWeekShort"> + <source>stats.workingTimeWeekShort</source> + <target>Week %week%</target> + </trans-unit> <trans-unit id="JIKNAYP" resname="stats.workingTimeMonth"> <source>stats.workingTimeMonth</source> <target>%month% %year%</target>
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-427q-jp8v-ww95ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-3976ghsaADVISORY
- github.com/kevinpapst/kimai2/commit/b28e9c120c87222e21a238f1b03a609d6a5d506eghsax_refsource_MISCWEB
- huntr.dev/bounties/0567048a-118c-42ec-9f94-b55533017406ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.