From 70a8f2e9eec0f1f0693f3c9e21a0c5b255471a90 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 6 Sep 2024 16:40:06 +0200 Subject: [PATCH] Fix test on permission --- htdocs/adherents/subscription.php | 20 ++---- htdocs/categories/viewcat.php | 108 ++++++++++++++--------------- htdocs/compta/accounting-files.php | 10 +-- htdocs/contact/ajax/contact.php | 14 ++-- htdocs/public/ticket/view.php | 10 +-- htdocs/societe/ajax/company.php | 2 +- htdocs/ticket/card.php | 2 +- 7 files changed, 76 insertions(+), 90 deletions(-) diff --git a/htdocs/adherents/subscription.php b/htdocs/adherents/subscription.php index 1cf4c41a04daf..c7eda4dbaf389 100644 --- a/htdocs/adherents/subscription.php +++ b/htdocs/adherents/subscription.php @@ -112,11 +112,7 @@ } // Define variables to determine what the current user can do on the members -$canaddmember = $user->hasRight('adherent', 'creer'); -// Define variables to determine what the current user can do on the properties of a member -if ($id) { - $caneditfieldmember = $user->hasRight('adherent', 'creer'); -} +$permissiontoaddmember = $user->hasRight('adherent', 'creer'); // Security check $result = restrictedArea($user, 'adherent', $object->id, '', '', 'socid', 'rowid', 0); @@ -170,12 +166,12 @@ } } -if (empty($reshook) && $action == 'setsocid') { +if (empty($reshook) && $action == 'setsocid' && $permissiontoaddmember) { $error = 0; if (!$error) { - if (GETPOSTINT('socid') != $object->fk_soc) { // If link differs from currently in database + if (GETPOSTINT('socid') != $object->socid) { // If link differs from currently in database $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."adherent"; - $sql .= " WHERE fk_soc = '".GETPOSTINT('socid')."'"; + $sql .= " WHERE fk_soc = ".((int) GETPOSTINT('socid')); $resql = $db->query($sql); if ($resql) { $obj = $db->fetch_object($resql); 
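Review bot: The two variables dropped in this hunk, `$canaddmember` and `$caneditfieldmember`, may still be read further down subscription.php, outside the hunk; any remaining read now sees an undefined variable, which PHP treats as false with a warning, so the button or field it guarded disappears silently rather than failing loudly. Please search the rest of the file (and any included action files) for both names and point them at `$permissiontoaddmember`. A one-line comment above the new variable stating what it gates would also help, e.g. `// Right to create/modify members; gates the setsocid and subscription actions below`, adjusted to the actions it actually guards.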
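Review bot: The new `$permissiontoaddmember` gate on `setsocid` checks that the user may edit members, but nothing visible in the hunk checks that the user may see the third party given in `socid` before the member is linked to it; the `restrictedArea()` call above is made for the member (`'adherent'`), not for the company. Unless the company is validated outside the hunk, a user with member rights can bind a member to any company id, including one outside the scope they are allowed to list. Consider fetching the company first and rejecting ids that do not resolve (or that fail the project's third-party access check) before running the `SELECT rowid` lookup. The switch from `$object->fk_soc` to `$object->socid` should be confirmed against the property `Adherent::fetch()` actually populates, otherwise the comparison is always against null and the update runs on every submit. Minor: `GETPOSTINT()` already returns an int, so the added `(int)` cast is redundant though harmless, and `if (!$error)` directly after `$error = 0;` is always true.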
@@ -306,7 +302,7 @@ } // Record the subscription then complementary actions - if (!$error && $action == 'subscription') { + if (!$error && $action == 'subscription') { // Test on permission already done $db->begin(); // Create subscription @@ -466,12 +462,6 @@ print $langs->trans("ErrorRecordNotFound"); } -/*$res = $object->fetch($rowid); - if ($res < 0) { - dol_print_error($db, $object->error); - exit; - } -*/ $adht->fetch($object->typeid); diff --git a/htdocs/categories/viewcat.php b/htdocs/categories/viewcat.php index e4b081e7e4759..76e46d12b0773 100644 --- a/htdocs/categories/viewcat.php +++ b/htdocs/categories/viewcat.php @@ -1,6 +1,6 @@ - * Copyright (C) 2006-2020 Laurent Destailleur + * Copyright (C) 2006-2024 Laurent Destailleur * Copyright (C) 2007 Patrick Raguin * Copyright (C) 2005-2012 Regis Houssin * Copyright (C) 2015 Raphaƫl Doursenaud @@ -108,7 +108,7 @@ $parameters = array('type' => $type, 'id' => $id, 'label' => $label); $reshook = $hookmanager->executeHooks('doActions', $parameters, $object, $action); // Note that $action and $object may have been modified by some hooks // Remove element from category -if ($id > 0 && $removeelem > 0 && $action == 'unlink') { +if ($id > 0 && $removeelem > 0 && $action == 'unlink') { // Test on permission not required here. Done later according to type of object. if ($type == Categorie::TYPE_PRODUCT && ($user->hasRight('produit', 'creer') || $user->hasRight('service', 'creer'))) { require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php'; $tmpobject = new Product($db); 
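Review bot: The comment `// Test on permission already done` added to the `subscription` branch does not say which check it relies on, and that check is outside the hunk, so a reader still has to search the file to confirm it. If the gate is the `$permissiontoaddmember` variable this commit introduces at the top of subscription.php, name it: `// Permission already checked: the 'subscription' action is gated by $permissiontoaddmember earlier in this file`. If a different check applies, reference that one instead; the enclosing `if` chain starts before this hunk.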
@@ -174,9 +174,8 @@ } } -if ($elemid && $action == 'addintocategory' && - ( - ($type == Categorie::TYPE_PRODUCT && ($user->hasRight('produit', 'creer') || $user->hasRight('service', 'creer'))) || +if ($elemid && $action == 'addintocategory') { // Test on permission not required here. Done just after depending on object type + if (($type == Categorie::TYPE_PRODUCT && ($user->hasRight('produit', 'creer') || $user->hasRight('service', 'creer'))) || ($type == Categorie::TYPE_CUSTOMER && $user->hasRight('societe', 'creer')) || ($type == Categorie::TYPE_SUPPLIER && $user->hasRight('societe', 'creer')) || ($type == Categorie::TYPE_TICKET && $user->hasRight('ticket', 'write')) || 
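Review bot: Moving the per-type permission checks inside the `addintocategory` block leaves no `else` on the inner `if`, so a request whose type matches none of the listed rights silently does nothing and the page renders as if nothing was submitted; the inner `if` and the rest of the block continue past this hunk. Since the outer condition now admits every `addintocategory` request, add an explicit rejection branch after the permission chain — the project's usual forbidden-access response, or at minimum an error via `setEventMessages(..., null, 'errors')` as the block already does for other failures — so a denied request is visible to the user and in logs. With the inner condition spanning ten `||` terms, a short comment above it naming the rule, e.g. `// Per-type right: creer on the owning module (write for tickets, configurer for bank accounts)`, would also help the next reader.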
@@ -185,57 +184,58 @@ ($type == Categorie::TYPE_CONTACT && $user->hasRight('societe', 'creer')) || ($type == Categorie::TYPE_USER && $user->hasRight('user', 'user', 'creer')) || ($type == Categorie::TYPE_ACCOUNT && $user->hasRight('banque', 'configurer')) - )) { - if ($type == Categorie::TYPE_PRODUCT) { - require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php'; - $newobject = new Product($db); - $elementtype = 'product'; - } elseif ($type == Categorie::TYPE_CUSTOMER) { - require_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php'; - $newobject = new Societe($db); - $elementtype = 'customer'; - } elseif ($type == Categorie::TYPE_SUPPLIER) { - require_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php'; - $newobject = new Societe($db); - $elementtype = 'supplier'; - } elseif ($type == Categorie::TYPE_TICKET) { - require_once DOL_DOCUMENT_ROOT.'/ticket/class/ticket.class.php'; - $newobject = new Ticket($db); - $elementtype = 'ticket'; - } elseif ($type == Categorie::TYPE_PROJECT) { - require_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php'; - $newobject = new Project($db); - $elementtype = 'project'; - } elseif ($type == Categorie::TYPE_MEMBER) { - require_once DOL_DOCUMENT_ROOT.'/adherents/class/adherent.class.php'; - $newobject = new Adherent($db); - $elementtype = 'member'; - } elseif ($type == Categorie::TYPE_CONTACT) { - require_once DOL_DOCUMENT_ROOT.'/contact/class/contact.class.php'; - $newobject = new Contact($db); - $elementtype = 'contact'; - } elseif ($type == Categorie::TYPE_USER) { - require_once DOL_DOCUMENT_ROOT.'/user/class/user.class.php'; - $newobject = new User($db); - $elementtype = 'user'; - } elseif ($type == Categorie::TYPE_ACCOUNT) { - require_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php'; - $newobject = new Account($db); - $elementtype = 'bank_account'; - } else { - dol_print_error(null, "Not supported value of type = ".$type); - } - $result = $newobject->fetch($elemid); + ) { + if ($type == 
Categorie::TYPE_PRODUCT) { + require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php'; + $newobject = new Product($db); + $elementtype = 'product'; + } elseif ($type == Categorie::TYPE_CUSTOMER) { + require_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php'; + $newobject = new Societe($db); + $elementtype = 'customer'; + } elseif ($type == Categorie::TYPE_SUPPLIER) { + require_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php'; + $newobject = new Societe($db); + $elementtype = 'supplier'; + } elseif ($type == Categorie::TYPE_TICKET) { + require_once DOL_DOCUMENT_ROOT.'/ticket/class/ticket.class.php'; + $newobject = new Ticket($db); + $elementtype = 'ticket'; + } elseif ($type == Categorie::TYPE_PROJECT) { + require_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php'; + $newobject = new Project($db); + $elementtype = 'project'; + } elseif ($type == Categorie::TYPE_MEMBER) { + require_once DOL_DOCUMENT_ROOT.'/adherents/class/adherent.class.php'; + $newobject = new Adherent($db); + $elementtype = 'member'; + } elseif ($type == Categorie::TYPE_CONTACT) { + require_once DOL_DOCUMENT_ROOT.'/contact/class/contact.class.php'; + $newobject = new Contact($db); + $elementtype = 'contact'; + } elseif ($type == Categorie::TYPE_USER) { + require_once DOL_DOCUMENT_ROOT.'/user/class/user.class.php'; + $newobject = new User($db); + $elementtype = 'user'; + } elseif ($type == Categorie::TYPE_ACCOUNT) { + require_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php'; + $newobject = new Account($db); + $elementtype = 'bank_account'; + } else { + dol_print_error(null, "Not supported value of type = ".$type); + } + $result = $newobject->fetch($elemid); - // Add into category - $result = $object->add_type($newobject, $elementtype); - if ($result >= 0) { - setEventMessages($langs->trans("WasAddedSuccessfully", $newobject->ref), null, 'mesgs'); - } else { - if ($object->error == 'DB_ERROR_RECORD_ALREADY_EXISTS') { - 
setEventMessages($langs->trans("ObjectAlreadyLinkedToCategory"), null, 'warnings'); + // Add into category + $result = $object->add_type($newobject, $elementtype); + if ($result >= 0) { + setEventMessages($langs->trans("WasAddedSuccessfully", $newobject->ref), null, 'mesgs'); } else { - setEventMessages($object->error, $object->errors, 'errors'); + if ($object->error == 'DB_ERROR_RECORD_ALREADY_EXISTS') { + setEventMessages($langs->trans("ObjectAlreadyLinkedToCategory"), null, 'warnings'); + } else { + setEventMessages($object->error, $object->errors, 'errors'); + } } } } diff --git a/htdocs/compta/accounting-files.php b/htdocs/compta/accounting-files.php index 7a1e2210a780c..dc47a4e29c330 100644 --- a/htdocs/compta/accounting-files.php +++ b/htdocs/compta/accounting-files.php @@ -161,7 +161,7 @@ '@phan-var-force array $filesarray'; $result = false; -if ($action == 'searchfiles' || $action == 'dl') { // Test on pemrission not required here. Test is done per object type later. +if ($action == 'searchfiles' || $action == 'dl') { // Test on permission not required here. Test is done per object type later. if (empty($date_start)) { setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("DateStart")), null, 'errors'); $error++; @@ -479,10 +479,7 @@ } } - -/* - *ZIP creation - */ +// zip creation $dirfortmpfile = (!empty($conf->accounting->dir_temp) ? $conf->accounting->dir_temp : $conf->comptabilite->dir_temp); if (empty($dirfortmpfile)) { @@ -490,8 +487,7 @@ $error++; } - -if ($result && $action == "dl" && !$error) { +if ($result && $action == "dl" && !$error) { // Test on permission not required here. Test is done per object type later. if (!extension_loaded('zip')) { setEventMessages('PHPZIPExtentionNotLoaded', null, 'errors'); } else { diff --git a/htdocs/contact/ajax/contact.php b/htdocs/contact/ajax/contact.php index 4a447a4ddca5c..6cdfaad327eaa 100644 --- a/htdocs/contact/ajax/contact.php +++ b/htdocs/contact/ajax/contact.php 
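Review bot: In the rewritten `addintocategory` body the result of `$newobject->fetch($elemid)` is stored in `$result` and then overwritten by `$object->add_type(...)` on the next statement without ever being tested, so a fetch that fails or finds nothing (an id that does not exist, or one the user is not entitled to in a restricted or multi-entity setup) still proceeds to link an empty object to the category. Guard the link with `if ($result > 0) {` around the `add_type` call and report `$newobject->error` / `$newobject->errors` through `setEventMessages(..., 'errors')` otherwise. The `else` branch calling `dol_print_error(null, "Not supported value of type = ".$type)` also does not stop execution, leaving `$newobject` undefined on the following line; the permission chain above appears to admit only the handled types, but an explicit `exit` after the error would make that unreachable path safe. The `if` that opens this block begins in the previous hunk.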
@@ -20,7 +20,7 @@ /** * \file htdocs/contact/ajax/contact.php - * \brief File to return Ajax response on contact list request. Used by the combo list of contacts. + * \brief File to return Ajax response on contact list request. Used by the combo list of contacts, for example into page list of projects * Search done on name, firstname... */ @@ -66,6 +66,8 @@ } restrictedArea($user, 'societe', $object->id, '&societe'); +$permissiontoread = $user->hasRight('societe', 'lire'); + /* * View @@ -75,7 +77,7 @@ //print ''."\n"; -if (!empty($action) && $action == 'fetch' && !empty($id)) { +if ($action == 'fetch' && !empty($id) && $permissiontoread) { require_once DOL_DOCUMENT_ROOT.'/contact/class/contact.class.php'; $outjson = array(); @@ -90,11 +92,11 @@ } echo json_encode($outjson); -} else { +} elseif ($permissiontoread) { // $action can be 'getContacts' require_once DOL_DOCUMENT_ROOT.'/core/class/html.form.class.php'; if (empty($htmlname)) { - return; + return 'Error value for parameter htmlname'; } // The filter on the company to search for can be: @@ -149,9 +151,7 @@ } else { $arrayresult = $form->selectcontacts($socid, array(), $htmlname, 1, $exclude, $limitto, $showfunction, $morecss, $options_only, $showsoc, $forcecombo, $events, $moreparam, $htmlid, $multiple, $disableifempty, $filter); - if ($outjson) { - print json_encode($arrayresult); - } + print json_encode($arrayresult); } } diff --git a/htdocs/public/ticket/view.php b/htdocs/public/ticket/view.php index 017969ecd6de3..8f952e3f9c481 100644 --- a/htdocs/public/ticket/view.php +++ b/htdocs/public/ticket/view.php 
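Review bot: `return 'Error value for parameter htmlname';` in the `getContacts` branch is a top-level `return` in a script that is requested directly as an Ajax endpoint, so if the file is executed rather than included the string is discarded and the caller simply receives an empty 200 response; the same happens when `$permissiontoread` is false, because neither the `fetch` branch nor the `elseif` runs and nothing else signals the refusal. Emit the outcome instead: `http_response_code(400); print json_encode(array('error' => 'Error value for parameter htmlname')); exit;` for the missing parameter, and a final `else` that answers with a 403 and exits for the missing right. Computing the right once into `$permissiontoread` next to `restrictedArea()` is good; company.php in this same commit inlines `$user->hasRight('societe', 'lire')` in the condition instead, and the two endpoints would be easier to audit if they used the same shape.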
@@ -95,7 +95,7 @@ $action = 'view_ticket'; } -if ($action == "view_ticket" || $action == "presend" || $action == "close" || $action == "confirm_public_close" || $action == "add_message" || $action == "add_contact") { +if (in_array($action, array("view_ticket", "presend", "close", "confirm_public_close", "add_message", "add_contact"))) { // Test on permission not required here. Done later by using the $track_id + check email in session $error = 0; $display_ticket = false; if (!strlen($track_id)) { @@ -169,7 +169,7 @@ } } - if (!$error && $action == 'confirm_public_close' && $display_ticket) { + if (!$error && $action == 'confirm_public_close' && $display_ticket) { // Test on permission already done if ($object->dao->close($user)) { setEventMessages($langs->trans('TicketMarkedAsClosed'), null, 'mesgs'); @@ -182,7 +182,7 @@ } } - if (!$error && $action == "add_message" && $display_ticket && GETPOSTISSET('btn_add_message')) { + if (!$error && $action == "add_message" && $display_ticket && GETPOSTISSET('btn_add_message')) { // Test on permission already done $ret = $object->dao->newMessage($user, $action, 0, 1); if (!$error) { @@ -191,7 +191,7 @@ } // Add a new external contributor to a ticket - if (!$error && $action == "add_contact" && $display_ticket && GETPOSTISSET('btn_add_contact')) { + if (!$error && $action == "add_contact" && $display_ticket && GETPOSTISSET('btn_add_contact')) { // Test on permission already done $ret = $object->dao->add_contact(GETPOSTINT('contactid'), 'CONTRIBUTOR'); if (!$error) { @@ -201,7 +201,7 @@ if ($error || !empty($object->errors)) { setEventMessages($object->error, $object->errors, 'errors'); - if ($action == "add_message") { + if ($action == "add_message") { // Test on permission not required here $action = 'presend'; } else { $action = ''; diff --git a/htdocs/societe/ajax/company.php b/htdocs/societe/ajax/company.php index 7ab64fcb43d88..524fa7e96a9c9 100644 --- a/htdocs/societe/ajax/company.php 
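Review bot: `in_array($action, array(...))` is called without the strict flag, so `$action` is compared loosely; with a request string this is harmless today, but `in_array($action, array(...), true)` costs nothing and removes the question on a public, unauthenticated page. The new comment says authorization is done `later by using the $track_id + check email in session`; that check and the rest of this block are outside the hunk, so a reader cannot confirm it here — consider pointing at the line that sets `$display_ticket`, since every action branch below keys off that flag.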
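Review bot: The `add_contact` branch passes `GETPOSTINT('contactid')` straight to `$object->dao->add_contact(..., 'CONTRIBUTOR')`, and the check the comment calls "already done" only establishes that the caller holds a valid `$track_id` for this ticket (`$display_ticket`), not that the chosen contact id is one they may attach; unless `add_contact` itself restricts the id, any contact record in the database can be linked to a public ticket by guessing its number. Validate the id against the set actually offered to the requester — for instance the contacts of the ticket's own third party — before calling `add_contact`, and reject anything else with an error message. The enclosing `if` for this block opens in the first hunk of the file.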
+++ b/htdocs/societe/ajax/company.php @@ -75,7 +75,7 @@ //print ''."\n"; -if (!empty($action) && $action == 'fetch' && !empty($id)) { +if (!empty($action) && $action == 'fetch' && !empty($id) && $user->hasRight('societe', 'lire')) { require_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php'; $outjson = array(); diff --git a/htdocs/ticket/card.php b/htdocs/ticket/card.php index ff41f36dbc49d..5a1fa5c949c40 100644 --- a/htdocs/ticket/card.php +++ b/htdocs/ticket/card.php @@ -671,7 +671,7 @@ include DOL_DOCUMENT_ROOT . '/core/actions_sendmails.inc.php'; // Set $action to correct value for the case we used presend action to add a message - if (GETPOSTISSET('actionbis') && $action == 'presend') { + if (GETPOSTISSET('actionbis') && $action == 'presend') { // Test on permission not required here $action = 'presend_addmessage'; } }
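Review bot: Adding `$user->hasRight('societe', 'lire')` to the `fetch` condition is the right gate, but when it is false the script falls through with no `else` and, as far as this hunk shows, answers with an empty body and status 200, which a client cannot distinguish from "no such company". Add an explicit refusal branch that sets a 403 (or the project's usual forbidden response) and exits. For consistency with contact/ajax/contact.php in this same commit, consider computing the right once into a named `$permissiontoread` variable next to the `restrictedArea()` call rather than inline in the condition.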