* timesheet: fix reported bug #2488 (stylite tracker), status and cat change still allowed via context menu, even if the entry in question should be ->edit by admins only<- (via status admin flag)

timesheet/inc/class.timesheet_bo.inc.php

@@ -259,6 +259,40 @@ class timesheet_bo extends so_sql_cf
 		return $result;
 	}
 
+	/**
+	 * checks if the user has enough rights for a certain operation
+	 *
+	 * Rights are given via status config admin/noadmin
+	 *
+	 * @param array|int $data=null use $this->data or $this->data['ts_id'] (to fetch the data)
+	 * @param int $user=null for which user to check, default current user
+	 * @return boolean true if the rights are ok, false if no rights
+	 */
+	function check_statusForEditRights($data=null,$user=null)
+	{
+		if (is_null($data) || (int)$data == $this->data['ts_id'])
+		{
+			$data =& $this->data;
+		}
+		if (!is_array($data))
+		{
+			$save_data = $this->data;
+			$data = $this->read($data,true);
+			$this->data = $save_data;
+
+			if (!$data) return null; 	// entry not found
+		}
+		if (!$user) $user = $this->user;
+		if (!isset($GLOBALS['egw_info']['user']['apps']['admin']) && $data['ts_status'])
+		{
+			if ($this->status_labels_config[$data['ts_status']]['admin'])
+			{
+				return false;
+			}
+		}
+		return true;
+	}
+
 	/**
 	 * checks if the user has enough rights for a certain operation
 	 *

timesheet/inc/class.timesheet_ui.inc.php

@@ -708,6 +708,11 @@ class timesheet_ui extends timesheet_bo
 				$readonlys["edit[$row[ts_id]]"] = true;
 				$row['class'] .= ' rowNoEdit ';
 			}
+			if (!$this->check_statusForEditRights($row))
+			{
+				$readonlys["edit[$row[ts_id]]"] = true;
+				$row['class'] .= ' rowNoEdit ';
+			}
 			if (!$this->check_acl(EGW_ACL_DELETE,$row))
 			{
 				$readonlys["delete[$row[ts_id]]"] = true;