Fix test on permission
eldy committed Sep 6, 2024
1 parent 045f991 commit 70a8f2e
Showing 7 changed files with 76 additions and 90 deletions.
20 changes: 5 additions & 15 deletions htdocs/adherents/subscription.php
Expand Up @@ -112,11 +112,7 @@
}

// Define variables to determine what the current user can do on the members
$canaddmember = $user->hasRight('adherent', 'creer');
// Define variables to determine what the current user can do on the properties of a member
if ($id) {
$caneditfieldmember = $user->hasRight('adherent', 'creer');
}
$permissiontoaddmember = $user->hasRight('adherent', 'creer');

// Security check
$result = restrictedArea($user, 'adherent', $object->id, '', '', 'socid', 'rowid', 0);
Expand Down Expand Up @@ -170,12 +166,12 @@
}
}

if (empty($reshook) && $action == 'setsocid') {
if (empty($reshook) && $action == 'setsocid' && $permissiontoaddmember) {
$error = 0;
if (!$error) {
if (GETPOSTINT('socid') != $object->fk_soc) { // If link differs from currently in database
if (GETPOSTINT('socid') != $object->socid) { // If link differs from currently in database
$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."adherent";
$sql .= " WHERE fk_soc = '".GETPOSTINT('socid')."'";
$sql .= " WHERE fk_soc = ".((int) GETPOSTINT('socid'));
$resql = $db->query($sql);
if ($resql) {
$obj = $db->fetch_object($resql);
Expand Down Expand Up @@ -306,7 +302,7 @@
}

// Record the subscription then complementary actions
if (!$error && $action == 'subscription') {
if (!$error && $action == 'subscription') { // Test on permission already done
$db->begin();

// Create subscription
Expand Down Expand Up @@ -466,12 +462,6 @@
print $langs->trans("ErrorRecordNotFound");
}

/*$res = $object->fetch($rowid);
if ($res < 0) {
dol_print_error($db, $object->error);
exit;
}
*/

$adht->fetch($object->typeid);

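Review bot: The `subscription` action in the third hunk is still guarded only by `!$error` plus a comment asserting the permission test was "already done"; that earlier test is outside this hunk, so the guard cannot be verified here and will drift silently if the earlier block is edited. Since the file now defines `$permissiontoaddmember`, the cheaper safeguard is to repeat the right on the line itself, e.g. `if (!$error && $action == 'subscription' && $permissiontoaddmember) {`, or, if subscriptions are meant to use a different right, to name that right in the comment instead of "already done". Separately, the first hunk drops `$caneditfieldmember` (previously set only when `$id` was non-empty); if any later part of this file still reads it, it now evaluates to null, which fails closed but would hide the edit controls, so a grep before merging is worthwhile. The enclosing action block continues past the hunk.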
108 changes: 54 additions & 54 deletions htdocs/categories/viewcat.php
@@ -1,6 +1,6 @@
<?php
/* Copyright (C) 2005 Matthieu Valleton <[email protected]>
* Copyright (C) 2006-2020 Laurent Destailleur <[email protected]>
* Copyright (C) 2006-2024 Laurent Destailleur <[email protected]>
* Copyright (C) 2007 Patrick Raguin <[email protected]>
* Copyright (C) 2005-2012 Regis Houssin <[email protected]>
* Copyright (C) 2015 Raphaël Doursenaud <[email protected]>
Expand Down Expand Up @@ -108,7 +108,7 @@
$parameters = array('type' => $type, 'id' => $id, 'label' => $label);
$reshook = $hookmanager->executeHooks('doActions', $parameters, $object, $action); // Note that $action and $object may have been modified by some hooks
// Remove element from category
if ($id > 0 && $removeelem > 0 && $action == 'unlink') {
if ($id > 0 && $removeelem > 0 && $action == 'unlink') { // Test on permission not required here. Done later according to type of object.
if ($type == Categorie::TYPE_PRODUCT && ($user->hasRight('produit', 'creer') || $user->hasRight('service', 'creer'))) {
require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php';
$tmpobject = new Product($db);
Expand Down Expand Up @@ -174,9 +174,8 @@
}
}

if ($elemid && $action == 'addintocategory' &&
(
($type == Categorie::TYPE_PRODUCT && ($user->hasRight('produit', 'creer') || $user->hasRight('service', 'creer'))) ||
if ($elemid && $action == 'addintocategory') { // Test on permission not required here. Done just after depending on object type
if (($type == Categorie::TYPE_PRODUCT && ($user->hasRight('produit', 'creer') || $user->hasRight('service', 'creer'))) ||
($type == Categorie::TYPE_CUSTOMER && $user->hasRight('societe', 'creer')) ||
($type == Categorie::TYPE_SUPPLIER && $user->hasRight('societe', 'creer')) ||
($type == Categorie::TYPE_TICKET && $user->hasRight('ticket', 'write')) ||
Expand All @@ -185,57 +184,58 @@
($type == Categorie::TYPE_CONTACT && $user->hasRight('societe', 'creer')) ||
($type == Categorie::TYPE_USER && $user->hasRight('user', 'user', 'creer')) ||
($type == Categorie::TYPE_ACCOUNT && $user->hasRight('banque', 'configurer'))
)) {
if ($type == Categorie::TYPE_PRODUCT) {
require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php';
$newobject = new Product($db);
$elementtype = 'product';
} elseif ($type == Categorie::TYPE_CUSTOMER) {
require_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php';
$newobject = new Societe($db);
$elementtype = 'customer';
} elseif ($type == Categorie::TYPE_SUPPLIER) {
require_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php';
$newobject = new Societe($db);
$elementtype = 'supplier';
} elseif ($type == Categorie::TYPE_TICKET) {
require_once DOL_DOCUMENT_ROOT.'/ticket/class/ticket.class.php';
$newobject = new Ticket($db);
$elementtype = 'ticket';
} elseif ($type == Categorie::TYPE_PROJECT) {
require_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
$newobject = new Project($db);
$elementtype = 'project';
} elseif ($type == Categorie::TYPE_MEMBER) {
require_once DOL_DOCUMENT_ROOT.'/adherents/class/adherent.class.php';
$newobject = new Adherent($db);
$elementtype = 'member';
} elseif ($type == Categorie::TYPE_CONTACT) {
require_once DOL_DOCUMENT_ROOT.'/contact/class/contact.class.php';
$newobject = new Contact($db);
$elementtype = 'contact';
} elseif ($type == Categorie::TYPE_USER) {
require_once DOL_DOCUMENT_ROOT.'/user/class/user.class.php';
$newobject = new User($db);
$elementtype = 'user';
} elseif ($type == Categorie::TYPE_ACCOUNT) {
require_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php';
$newobject = new Account($db);
$elementtype = 'bank_account';
} else {
dol_print_error(null, "Not supported value of type = ".$type);
}
$result = $newobject->fetch($elemid);
) {
if ($type == Categorie::TYPE_PRODUCT) {
require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php';
$newobject = new Product($db);
$elementtype = 'product';
} elseif ($type == Categorie::TYPE_CUSTOMER) {
require_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php';
$newobject = new Societe($db);
$elementtype = 'customer';
} elseif ($type == Categorie::TYPE_SUPPLIER) {
require_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php';
$newobject = new Societe($db);
$elementtype = 'supplier';
} elseif ($type == Categorie::TYPE_TICKET) {
require_once DOL_DOCUMENT_ROOT.'/ticket/class/ticket.class.php';
$newobject = new Ticket($db);
$elementtype = 'ticket';
} elseif ($type == Categorie::TYPE_PROJECT) {
require_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
$newobject = new Project($db);
$elementtype = 'project';
} elseif ($type == Categorie::TYPE_MEMBER) {
require_once DOL_DOCUMENT_ROOT.'/adherents/class/adherent.class.php';
$newobject = new Adherent($db);
$elementtype = 'member';
} elseif ($type == Categorie::TYPE_CONTACT) {
require_once DOL_DOCUMENT_ROOT.'/contact/class/contact.class.php';
$newobject = new Contact($db);
$elementtype = 'contact';
} elseif ($type == Categorie::TYPE_USER) {
require_once DOL_DOCUMENT_ROOT.'/user/class/user.class.php';
$newobject = new User($db);
$elementtype = 'user';
} elseif ($type == Categorie::TYPE_ACCOUNT) {
require_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php';
$newobject = new Account($db);
$elementtype = 'bank_account';
} else {
dol_print_error(null, "Not supported value of type = ".$type);
}
$result = $newobject->fetch($elemid);

// Add into category
$result = $object->add_type($newobject, $elementtype);
if ($result >= 0) {
setEventMessages($langs->trans("WasAddedSuccessfully", $newobject->ref), null, 'mesgs');
} else {
if ($object->error == 'DB_ERROR_RECORD_ALREADY_EXISTS') {
setEventMessages($langs->trans("ObjectAlreadyLinkedToCategory"), null, 'warnings');
// Add into category
$result = $object->add_type($newobject, $elementtype);
if ($result >= 0) {
setEventMessages($langs->trans("WasAddedSuccessfully", $newobject->ref), null, 'mesgs');
} else {
setEventMessages($object->error, $object->errors, 'errors');
if ($object->error == 'DB_ERROR_RECORD_ALREADY_EXISTS') {
setEventMessages($langs->trans("ObjectAlreadyLinkedToCategory"), null, 'warnings');
} else {
setEventMessages($object->error, $object->errors, 'errors');
}
}
}
}
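Review bot: In the re-indented `addintocategory` block the return value of `$newobject->fetch($elemid)` is assigned and then immediately overwritten by the `add_type()` result without being checked, so a missing or inaccessible `$elemid` reaches `$object->add_type($newobject, $elementtype)` with an unloaded object; this pre-dates the commit, but the rewritten block is the place to close it by testing the fetch result before linking (sketch below). The per-type right check at the head of the block only admits the listed types, so an unsupported `$type` now skips the action silently and the `dol_print_error(null, "Not supported value of type = ".$type)` in the trailing `else` is unreachable; the new comment could say that the type allow-list doubles as the permission check. The `unlink` branch in the second hunk continues outside the hunk, so I could not confirm every object type there carries its own right test as its new comment claims.
```php
$result = $newobject->fetch($elemid);
if ($result <= 0) {
	setEventMessages($newobject->error, $newobject->errors, 'errors');
} else {
	// … unchanged: add_type() call and its success / already-linked / error messages …
}
```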
10 changes: 3 additions & 7 deletions htdocs/compta/accounting-files.php
Expand Up @@ -161,7 +161,7 @@
'@phan-var-force array<string,array{id:string,entity:string,date:string,date_due:string,paid:float|int,amount_ht:float|int,amount_ttc:float|int,amount_vat:float|int,amount_localtax1:float|int,amount_localtax2:float|int,amount_revenuestamp:float|int,ref:string,fk:string,item:string,thirdparty_name:string,thirdparty_code:string,country_code:string,vatnum:string,sens:string,currency:string,line?:string,name?:string,files?:mixed}> $filesarray';

$result = false;
if ($action == 'searchfiles' || $action == 'dl') { // Test on pemrission not required here. Test is done per object type later.
if ($action == 'searchfiles' || $action == 'dl') { // Test on permission not required here. Test is done per object type later.
if (empty($date_start)) {
setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("DateStart")), null, 'errors');
$error++;
Expand Down Expand Up @@ -479,19 +479,15 @@
}
}


/*
*ZIP creation
*/
// zip creation

$dirfortmpfile = (!empty($conf->accounting->dir_temp) ? $conf->accounting->dir_temp : $conf->comptabilite->dir_temp);
if (empty($dirfortmpfile)) {
setEventMessages($langs->trans("ErrorNoAccountingModuleEnabled"), null, 'errors');
$error++;
}


if ($result && $action == "dl" && !$error) {
if ($result && $action == "dl" && !$error) { // Test on permission not required here. Test is done per object type later.
if (!extension_loaded('zip')) {
setEventMessages('PHPZIPExtentionNotLoaded', null, 'errors');
} else {
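Review bot: The comment added on the `dl` guard says the permission test "is done per object type later", but in this branch nothing runs later except the ZIP assembly; the per-type filtering presumably happens when `$filesarray` is built under the `searchfiles || dl` block earlier in the file, which is outside this hunk. A comment that points to where the check actually lives ages better, e.g. `// Permission is tested per object type while $filesarray is built (see the searchfiles/dl block above); this step only packages those results`. On the next line the `'PHPZIPExtentionNotLoaded'` message is passed raw to `setEventMessages()` rather than through `$langs->trans()`, and the key is misspelled, so the user sees the bare identifier.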
14 changes: 7 additions & 7 deletions htdocs/contact/ajax/contact.php
Expand Up @@ -20,7 +20,7 @@

/**
* \file htdocs/contact/ajax/contact.php
* \brief File to return Ajax response on contact list request. Used by the combo list of contacts.
* \brief File to return Ajax response on contact list request. Used by the combo list of contacts, for example into page list of projects
* Search done on name, firstname...
*/

Expand Down Expand Up @@ -66,6 +66,8 @@
}
restrictedArea($user, 'societe', $object->id, '&societe');

$permissiontoread = $user->hasRight('societe', 'lire');


/*
* View
Expand All @@ -75,7 +77,7 @@

//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";

if (!empty($action) && $action == 'fetch' && !empty($id)) {
if ($action == 'fetch' && !empty($id) && $permissiontoread) {
require_once DOL_DOCUMENT_ROOT.'/contact/class/contact.class.php';

$outjson = array();
Expand All @@ -90,11 +92,11 @@
}

echo json_encode($outjson);
} else {
} elseif ($permissiontoread) { // $action can be 'getContacts'
require_once DOL_DOCUMENT_ROOT.'/core/class/html.form.class.php';

if (empty($htmlname)) {
return;
return 'Error value for parameter htmlname';
}

// The filter on the company to search for can be:
Expand Down Expand Up @@ -149,9 +151,7 @@
} else {
$arrayresult = $form->selectcontacts($socid, array(), $htmlname, 1, $exclude, $limitto, $showfunction, $morecss, $options_only, $showsoc, $forcecombo, $events, $moreparam, $htmlid, $multiple, $disableifempty, $filter);

if ($outjson) {
print json_encode($arrayresult);
}
print json_encode($arrayresult);
}
}

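Review bot: `return 'Error value for parameter htmlname';` in the fourth hunk discards the string, because a top-level `return` in an executed script prints nothing, so the Ajax caller still receives an empty 200 body exactly as with the old bare `return;`. Emit it as a response instead, e.g. `print json_encode(array('error' => 'Error value for parameter htmlname')); exit;`, with `http_response_code(400)` if the calling JS can act on it. The same applies to the new `$permissiontoread` gates: a user without `societe->lire` now falls through both branches and gets an empty 200 body that the combo code cannot distinguish from "no contacts"; a final `else { http_response_code(403); exit; }` would make the denial explicit. Note that `restrictedArea($user, 'societe', $object->id, '&societe')` already runs above and presumably covers the read right, so the new variable is a second line of defence rather than the primary check.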
10 changes: 5 additions & 5 deletions htdocs/public/ticket/view.php
Expand Up @@ -95,7 +95,7 @@
$action = 'view_ticket';
}

if ($action == "view_ticket" || $action == "presend" || $action == "close" || $action == "confirm_public_close" || $action == "add_message" || $action == "add_contact") {
if (in_array($action, array("view_ticket", "presend", "close", "confirm_public_close", "add_message", "add_contact"))) { // Test on permission not required here. Done later by using the $track_id + check email in session
$error = 0;
$display_ticket = false;
if (!strlen($track_id)) {
Expand Down Expand Up @@ -169,7 +169,7 @@
}
}

if (!$error && $action == 'confirm_public_close' && $display_ticket) {
if (!$error && $action == 'confirm_public_close' && $display_ticket) { // Test on permission already done
if ($object->dao->close($user)) {
setEventMessages($langs->trans('TicketMarkedAsClosed'), null, 'mesgs');

Expand All @@ -182,7 +182,7 @@
}
}

if (!$error && $action == "add_message" && $display_ticket && GETPOSTISSET('btn_add_message')) {
if (!$error && $action == "add_message" && $display_ticket && GETPOSTISSET('btn_add_message')) { // Test on permission already done
$ret = $object->dao->newMessage($user, $action, 0, 1);

if (!$error) {
Expand All @@ -191,7 +191,7 @@
}

// Add a new external contributor to a ticket
if (!$error && $action == "add_contact" && $display_ticket && GETPOSTISSET('btn_add_contact')) {
if (!$error && $action == "add_contact" && $display_ticket && GETPOSTISSET('btn_add_contact')) { // Test on permission already done
$ret = $object->dao->add_contact(GETPOSTINT('contactid'), 'CONTRIBUTOR');

if (!$error) {
Expand All @@ -201,7 +201,7 @@

if ($error || !empty($object->errors)) {
setEventMessages($object->error, $object->errors, 'errors');
if ($action == "add_message") {
if ($action == "add_message") { // Test on permission not required here
$action = 'presend';
} else {
$action = '';
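Review bot: The `in_array($action, array(...))` introduced in the first hunk should pass `true` as the third argument, `in_array($action, array("view_ticket", "presend", "close", "confirm_public_close", "add_message", "add_contact"), true)`, so the membership test is strict; `$action` is a string here, so this is a style point rather than a bypass, but loose `in_array` is the usual reviewer flag. Under the access model the new comments describe (track_id plus the e-mail held in session), the `add_contact` branch still forwards `GETPOSTINT('contactid')` straight into `$object->dao->add_contact(...)`; unless `add_contact` itself restricts the contact to the ticket's third party (not visible here), any holder of a valid track_id can attach an arbitrary contact id as CONTRIBUTOR, which is worth confirming and, if not enforced, checking the contact's third party against the ticket before the call. The block that sets `$display_ticket` continues outside the first hunk.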
2 changes: 1 addition & 1 deletion htdocs/societe/ajax/company.php
Expand Up @@ -75,7 +75,7 @@

//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";

if (!empty($action) && $action == 'fetch' && !empty($id)) {
if (!empty($action) && $action == 'fetch' && !empty($id) && $user->hasRight('societe', 'lire')) {
require_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php';

$outjson = array();
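Review bot: The new `$user->hasRight('societe', 'lire')` condition only short-circuits the `fetch` branch, so a caller without the right gets an empty 200 response indistinguishable from a lookup of an unknown id, and any other branch of this script lies outside the hunk, so I could not confirm it is gated as well. Mirror the sibling change in `htdocs/contact/ajax/contact.php`: hoist the right into a `$permissiontoread` variable, drop the redundant `!empty($action)` (implied by `$action == 'fetch'`), and answer the denied case explicitly, e.g. `if ($action == 'fetch' && !empty($id) && $permissiontoread) {` … `} else { http_response_code(403); exit; }`, adjusted if the script has further action branches.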
2 changes: 1 addition & 1 deletion htdocs/ticket/card.php
Expand Up @@ -671,7 +671,7 @@
include DOL_DOCUMENT_ROOT . '/core/actions_sendmails.inc.php';

// Set $action to correct value for the case we used presend action to add a message
if (GETPOSTISSET('actionbis') && $action == 'presend') {
if (GETPOSTISSET('actionbis') && $action == 'presend') { // Test on permission not required here
$action = 'presend_addmessage';
}
}
