diff --git a/htdocs/product/inventory/ajax/searchfrombarcode.php b/htdocs/product/inventory/ajax/searchfrombarcode.php index 68b848bcc34..82a50720428 100644 --- a/htdocs/product/inventory/ajax/searchfrombarcode.php +++ b/htdocs/product/inventory/ajax/searchfrombarcode.php @@ -54,6 +54,12 @@ $warehousefound = 0; $warehouseid = 0; $objectreturn = array(); +/* + * Action + */ + +// None + /* * View @@ -61,7 +67,7 @@ $objectreturn = array(); top_httphead('application/json'); -if ($action == "existbarcode" && !empty($barcode)) { +if ($action == "existbarcode" && !empty($barcode) && $user->hasRight('stock', 'lire')) { if (!empty($mode) && $mode == "lotserial") { $sql = "SELECT ps.fk_entrepot, ps.fk_product, p.barcode, ps.reel, pb.batch"; $sql .= " FROM ".MAIN_DB_PREFIX."product_batch as pb"; diff --git a/htdocs/product/stock/info.php b/htdocs/product/stock/info.php index c1eb0875cfe..9544fcf0f42 100644 --- a/htdocs/product/stock/info.php +++ b/htdocs/product/stock/info.php @@ -36,8 +36,17 @@ $ref = GETPOST('ref', 'alpha'); // Security check //$result=restrictedArea($user,'stock', $id, 'entrepot&stock'); $result = restrictedArea($user, 'stock'); + $usercancreate = $user->hasRight('stock', 'creer'); + +/* + * Actions + */ + +// None + + /* * View */ diff --git a/htdocs/projet/element.php b/htdocs/projet/element.php index 24459f7dcbd..1e4ddef9a32 100644 --- a/htdocs/projet/element.php +++ b/htdocs/projet/element.php @@ -145,9 +145,6 @@ if (isModEnabled('mrp')) { if (isModEnabled('eventorganization')) { $langs->load("eventorganization"); } -//if (isModEnabled('stocktransfer')) { -// $langs->load("stockstransfer"); -//} $id = GETPOSTINT('id'); $ref = GETPOST('ref', 'alpha'); @@ -194,6 +191,13 @@ $hookmanager->initHooks(array('projectOverview')); $result = restrictedArea($user, 'projet', $object->id, 'projet&project'); +/* + * Actions + */ + +// None + + /* * View */ 
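Review bot: With the added `$user->hasRight('stock', 'lire')` test, a caller lacking the right no longer enters the branch but still receives an HTTP 200 whose body, if the script ends with the usual `echo json_encode($objectreturn)` (outside this hunk), is indistinguishable from a barcode that was not found. An explicit refusal ahead of the action chain makes the denial visible to the JavaScript caller and to the logs: `if (!$user->hasRight('stock', 'lire')) { accessforbidden(); }` placed before `top_httphead('application/json')`, so that no JSON header has been sent when the error page is rendered. The `existbarcode` branch continues past the hunk.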
diff --git a/htdocs/public/bookcal/bookcalAjax.php b/htdocs/public/bookcal/bookcalAjax.php index 1c5db0273f6..16e791c859b 100644 --- a/htdocs/public/bookcal/bookcalAjax.php +++ b/htdocs/public/bookcal/bookcalAjax.php @@ -62,10 +62,16 @@ $result = "{}"; * Actions */ +// None + + +/* + * View + */ + top_httphead('application/json'); - -if ($action == 'verifyavailability') { +if ($action == 'verifyavailability') { // Test on permission not required here (anonymous action protected by mitigation of /public/... urls) $response = array(); if (empty($id)) { $error++; @@ -176,8 +182,4 @@ if ($action == 'verifyavailability') { } -/* - * View - */ - echo json_encode($result); diff --git a/htdocs/public/bookcal/index.php b/htdocs/public/bookcal/index.php index 02b830e47cf..5b4d763c7a0 100644 --- a/htdocs/public/bookcal/index.php +++ b/htdocs/public/bookcal/index.php @@ -97,7 +97,7 @@ $max_day_in_prev_month = idate("t", dol_mktime(0, 0, 0, $prev_month, 1, $prev_ye $max_day_in_month = idate("t", dol_mktime(0, 0, 0, $month, 1, $year)); // Nb of days in next month // tmpday is a negative or null cursor to know how many days before the 1st to show on month view (if tmpday=0, 1st is monday) $tmpday = - idate("w", dol_mktime(12, 0, 0, $month, 1, $year, 'gmt')) + 2; // idate('w') is 0 for sunday -$tmpday += ((isset($conf->global->MAIN_START_WEEK) ? $conf->global->MAIN_START_WEEK : 1) - 1); +$tmpday += (getDolGlobalInt('MAIN_START_WEEK', 1) - 1); if ($tmpday >= 1) { $tmpday -= 7; // If tmpday is 0 we start with sunday, if -6, we start with monday of previous week. } @@ -130,7 +130,7 @@ $errmsg = ''; */ function llxHeaderVierge($title, $head = "", $disablejs = 0, $disablehead = 0, $arrayofjs = [], $arrayofcss = []) { - global $user, $conf, $langs, $mysoc; + global $conf, $langs, $mysoc; top_htmlhead($head, $title, $disablejs, $disablehead, $arrayofjs, $arrayofcss); // Show html headers 
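Review bot: `getDolGlobalInt('MAIN_START_WEEK', 1)` only reproduces the old `isset(...) ? ... : 1` expression if the helper falls back to its default solely when the constant is unset; if it also falls back on an empty or zero value, an explicit `MAIN_START_WEEK = 0` (a week starting on Sunday, if 0 means Sunday as the `idate('w')` comment on the line above suggests) would now be read as 1 and the month grid would shift by a day. Worth confirming against the helper's implementation before merging, and a short comment on the line would help the next reader: `// MAIN_START_WEEK: day the week starts on, 1 (Monday) when not configured`.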
@@ -185,7 +185,7 @@ function llxHeaderVierge($title, $head = "", $disablejs = 0, $disablehead = 0, $ * Actions */ -if ($action == 'add') { +if ($action == 'add' ) { // Test on permission not required here (anonymous action protected by mitigation of /public/... urls) $error = 0; $idcontact = 0; $calendar = $object; diff --git a/htdocs/public/payment/newpayment.php b/htdocs/public/payment/newpayment.php index 494f1e0d4ec..82ac493418d 100644 --- a/htdocs/public/payment/newpayment.php +++ b/htdocs/public/payment/newpayment.php @@ -115,7 +115,10 @@ if (!$action) { } } -if ($source == 'organizedeventregistration') { + +// Load data required later for actions and view + +if ($source == 'organizedeventregistration') { // Test on permission not required here (anonymous action protected by mitigation of /public/... urls) // Finding the Attendee $attendee = new ConferenceOrBoothAttendee($db); @@ -166,7 +169,7 @@ if ($source == 'organizedeventregistration') { } } } -} elseif ($source == 'boothlocation') { +} elseif ($source == 'boothlocation') { // Test on permission not required here (anonymous action protected by mitigation of /public/... urls) // Getting the amount to pay, the invoice, finding the thirdparty $invoiceid = GETPOST('ref'); $invoice = new Facture($db); @@ -361,7 +364,7 @@ $mesg = ''; */ // Action dopayment is called after clicking/choosing the payment mode -if ($action == 'dopayment') { +if ($action == 'dopayment') { // Test on permission not required here (anonymous action protected by mitigation of /public/... urls) dol_syslog("--- newpayment.php Execute action = ".$action." paymentmethod=".$paymentmethod.' amount='.$amount.' newamount='.GETPOST("newamount", 'alpha'), LOG_DEBUG, 0, '_payment'); if ($paymentmethod == 'paypal') { 
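Review bot: Style: the new condition carries a stray space before the closing parenthesis, `if ($action == 'add' ) {`; it should read `if ($action == 'add') { // Test on permission not required here ...` so the line matches the other guards this commit annotates (for instance `verifyavailability` in bookcalAjax.php) and does not trip the coding-style check. The `add` branch body continues past the hunk.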
@@ -488,7 +491,7 @@ if ($action == 'dopayment') { // Called when choosing Stripe mode. // When using the old Charge API architecture, this code is called after clicking the 'dopayment' with the Charge API architecture. // When using the PaymentIntent API architecture, the Stripe customer was already created when creating PaymentIntent when showing payment page, and the payment is already ok when action=charge. -if ($action == 'charge' && isModEnabled('stripe')) { +if ($action == 'charge' && isModEnabled('stripe')) { // Test on permission not required here (anonymous action protected by mitigation of /public/... urls) $amountstripe = (float) $amount; // Correct the amount according to unit of currency diff --git a/htdocs/public/recruitment/view.php b/htdocs/public/recruitment/view.php index 228f29633f6..1875782ad5d 100644 --- a/htdocs/public/recruitment/view.php +++ b/htdocs/public/recruitment/view.php @@ -94,7 +94,7 @@ if ($cancel) { $action = 'view'; } -if ($action == "view" || $action == "presend" || $action == "dosubmit") { +if ($action == "view" || $action == "presend" || $action == "dosubmit") { // Test on permission not required here (anonymous action protected by mitigation of /public/... urls) $error = 0; $display_ticket = false; if (!strlen($ref)) { diff --git a/htdocs/salaries/card.php b/htdocs/salaries/card.php index 8f399d0cd38..3944e3283f2 100644 --- a/htdocs/salaries/card.php +++ b/htdocs/salaries/card.php @@ -228,7 +228,7 @@ if ($action == 'setbankaccount' && $permissiontoadd) { } } -if ($action == 'add' && empty($cancel)) { +if ($action == 'add' && empty($cancel) && $permissiontoadd) { $error = 0; if (empty($datev)) { @@ -344,7 +344,7 @@ if ($action == 'add' && empty($cancel)) { $action = 'create'; } -if ($action == 'confirm_delete') { +if ($action == 'confirm_delete' && $permissiontodelete) { $result = $object->fetch($id); $totalpaid = $object->getSommePaiement(); 
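Review bot: The visible guard `$action == 'confirm_delete' && $permissiontodelete` does not test the confirmation answer, although `$confirm` is in scope on this page (the `confirm_clone` test in the next hunk compares it with `'yes'`). Unless the branch checks it further down, outside the hunk, answering No on the formconfirm dialog, which still submits `action=confirm_delete`, would run the deletion; the guard should read `if ($action == 'confirm_delete' && $confirm == 'yes' && $permissiontodelete) {`. The branch body continues past the hunk.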
@@ -389,7 +389,7 @@ if ($action == 'update' && !GETPOST("cancel") && $permissiontoadd) { } } -if ($action == 'confirm_clone' && $confirm != 'yes') { +if ($action == 'confirm_clone' && $confirm != 'yes') { // Test on permission not required here $action = ''; } diff --git a/htdocs/salaries/virement_request.php b/htdocs/salaries/virement_request.php index 8ceca2cf153..96a5db052a2 100644 --- a/htdocs/salaries/virement_request.php +++ b/htdocs/salaries/virement_request.php @@ -74,7 +74,6 @@ if ($user->socid) { } - $object = new Salary($db); $extrafields = new ExtraFields($db); @@ -153,7 +152,7 @@ if ($reshook < 0) { } -if ($action == "new") { +if ($action == "add" && $permissiontoadd) { //var_dump($object);exit; if ($object->id > 0) { $db->begin(); @@ -187,8 +186,6 @@ if ($action == "delete" && $permissiontodelete) { } - - /* * View */ @@ -475,7 +472,7 @@ if ($object->paye == 0 && $hadRequest == 0) { print ''; print ''; print ''; - print ''; + print ''; print ''; print ''; print ''; @@ -490,7 +487,7 @@ if ($object->paye == 0 && $hadRequest == 0) { print ''; print ''; print ''; - print ''; + print ''; print ''; print ''; print ''; @@ -520,14 +517,8 @@ print ''; print '
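Review bot: Renaming the action from `"new"` to `"add"` means any form or link that still submits `action=new` now falls through silently, since no branch matches and no error is raised. The two later hunks of this file (around lines 475 and 490) change `print` statements whose markup is not legible in this view; please confirm they are the hidden `action` inputs of the two forms and that both now carry `add`, and grep other modules for `virement_request.php?action=new`. The branch body continues past the hunk.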
'; -/* - * Withdraw receipts - */ $bprev = new BonPrelevement($db); -/* - * Withdrawals - */ print '
'; print ''; diff --git a/htdocs/societe/list.php b/htdocs/societe/list.php index cd5527cbcdc..dfde30e9ca3 100644 --- a/htdocs/societe/list.php +++ b/htdocs/societe/list.php @@ -328,6 +328,8 @@ if ($user->socid) { } $result = restrictedArea($user, 'societe', $socid, ''); +$permissiontoadd = $user->hasRight('societe', 'lire'); + /* * Actions @@ -463,7 +465,7 @@ if (empty($reshook)) { $uploaddir = $conf->societe->dir_output; include DOL_DOCUMENT_ROOT.'/core/actions_massactions.inc.php'; - if ($action == 'setstcomm') { + if ($action == 'setstcomm' && $permissiontoadd) { $object = new Client($db); $result = $object->fetch(GETPOST('stcommsocid')); $object->stcomm_id = dol_getIdFromCode($db, GETPOST('stcomm', 'alpha'), 'c_stcomm'); diff --git a/htdocs/societe/paymentmodes.php b/htdocs/societe/paymentmodes.php index fdb0b054404..68fd3a89976 100644 --- a/htdocs/societe/paymentmodes.php +++ b/htdocs/societe/paymentmodes.php @@ -136,7 +136,7 @@ if (empty($reshook)) { } } - if ($action == 'update') { + if ($action == 'update' && $permissiontoaddupdatepaymentinformation) { // Update the bank account if (!GETPOST('label', 'alpha') || !(GETPOST('bank', 'alpha') || (getDolGlobalInt('WITHDRAWAL_WITHOUT_BIC')!=0))) { if (!GETPOST('label', 'alpha')) { @@ -221,7 +221,7 @@ if (empty($reshook)) { } } - if ($action == 'updatecard') { + if ($action == 'updatecard' && $permissiontoaddupdatepaymentinformation) { // Update credit card if (!GETPOST('label', 'alpha') || !GETPOST('proprio', 'alpha') || !GETPOST('exp_date_month', 'alpha') || !GETPOST('exp_date_year', 'alpha')) { if (!GETPOST('label', 'alpha')) { @@ -284,7 +284,7 @@ if (empty($reshook)) { } // Add bank account - if ($action == 'add') { + if ($action == 'add' && $permissiontoaddupdatepaymentinformation) { $error = 0; if (!GETPOST('label', 'alpha')) { 
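Review bot: `$permissiontoadd` is assigned the read right, `$user->hasRight('societe', 'lire')`, yet it is the only gate on `setstcomm`, which writes the prospect status of a third party (`$object->stcomm_id = ...` in the second hunk of this file); every user allowed to list third parties can therefore change it. The variable should carry the write right, `$permissiontoadd = $user->hasRight('societe', 'creer');`, which is also what its name promises. Since it is defined before `actions_massactions.inc.php` is included, any mass action in that include that keys on `$permissiontoadd` would currently inherit the same too-weak right; worth checking the include as well.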
@@ -380,7 +380,7 @@ if (empty($reshook)) { } // Add credit card - if ($action == 'addcard') { + if ($action == 'addcard' && $permissiontoaddupdatepaymentinformation) { $error = 0; if (!GETPOST('label', 'alpha') || !GETPOST('proprio', 'alpha') || !GETPOST('exp_date_month', 'alpha') || !GETPOST('exp_date_year', 'alpha')) { @@ -447,7 +447,7 @@ if (empty($reshook)) { } } - if ($action == 'setasbankdefault' && GETPOSTINT('ribid') > 0) { + if ($action == 'setasbankdefault' && GETPOSTINT('ribid') > 0 && $permissiontoaddupdatepaymentinformation) { $companybankaccount = new CompanyBankAccount($db); $res = $companybankaccount->setAsDefault(GETPOSTINT('ribid')); if ($res) { @@ -459,7 +459,7 @@ if (empty($reshook)) { } } - if ($action == 'confirm_deletecard' && GETPOST('confirm', 'alpha') == 'yes') { + if ($action == 'confirm_deletecard' && GETPOST('confirm', 'alpha') == 'yes' && $permissiontoaddupdatepaymentinformation) { // Delete the credi card $companypaymentmode = new CompanyPaymentMode($db); if ($companypaymentmode->fetch($ribid ? $ribid : $id)) { @@ -486,7 +486,7 @@ if (empty($reshook)) { setEventMessages($companypaymentmode->error, $companypaymentmode->errors, 'errors'); } } - if ($action == 'confirm_deletebank' && GETPOST('confirm', 'alpha') == 'yes') { + if ($action == 'confirm_deletebank' && GETPOST('confirm', 'alpha') == 'yes' && $permissiontoaddupdatepaymentinformation) { // Delete the bank account $companybankaccount = new CompanyBankAccount($db); if ($companybankaccount->fetch($ribid ? $ribid : $id) > 0) { @@ -518,7 +518,7 @@ if (empty($reshook)) { $savid = $id; // Actions to build doc - if ($action == 'builddocrib') { + if ($action == 'builddocrib' && $permissiontoread) { $action = 'builddoc'; $moreparams = array( 'use_companybankid' => GETPOST('companybankid'), 
@@ -536,7 +536,7 @@ if (empty($reshook)) { // Action for stripe if (isModEnabled('stripe') && class_exists('Stripe')) { - if ($action == 'synccustomertostripe' || $action == 'synccustomertostripetest') { + if (($action == 'synccustomertostripe' || $action == 'synccustomertostripetest') && $permissiontoaddupdatepaymentinformation) { if ($object->client == 0) { $error++; setEventMessages('ThisThirdpartyIsNotACustomer', null, 'errors'); @@ -565,7 +565,7 @@ if (empty($reshook)) { } } } - if ($action == 'synccardtostripe') { + if ($action == 'synccardtostripe' && $permissiontoaddupdatepaymentinformation) { // Create the credit card on current Stripe env $companypaymentmode = new CompanyPaymentMode($db); $companypaymentmode->fetch($id); @@ -593,7 +593,7 @@ if (empty($reshook)) { } } } - if ($action == 'syncsepatostripe') { + if ($action == 'syncsepatostripe' && $permissiontoaddupdatepaymentinformation) { // Create the bank account on current Stripe env $companypaymentmode = new CompanyPaymentMode($db); // Get record in llx_societe_rib $companypaymentmode->fetch($id); @@ -625,7 +625,7 @@ if (empty($reshook)) { } // Set the customer Stripe account (for Live or Test env) - if ($action == 'setkey_account' || $action == 'setkey_accounttest') { + if (($action == 'setkey_account' || $action == 'setkey_accounttest') && $permissiontoaddupdatepaymentinformation) { $error = 0; $tmpservice = 'StripeTest'; @@ -692,7 +692,7 @@ if (empty($reshook)) { } // Set the supplier Stripe account (for Live or Test env) - if ($action == 'setkey_account_supplier' || $action == 'setkey_account_suppliertest') { + if (($action == 'setkey_account_supplier' || $action == 'setkey_account_suppliertest') && $permissiontoaddupdatepaymentinformation) { $error = 0; $tmpservice = 'StripeTest'; 
@@ -762,7 +762,7 @@ if (empty($reshook)) { } } - if ($action == 'setlocalassourcedefault') { // Set as default when payment mode defined locally (and may be also remotely) + if ($action == 'setlocalassourcedefault' && $permissiontoaddupdatepaymentinformation) { // Set as default when payment mode defined locally (and may be also remotely) try { $companypaymentmode->setAsDefault($id); @@ -773,7 +773,7 @@ if (empty($reshook)) { $error++; setEventMessages($e->getMessage(), null, 'errors'); } - } elseif ($action == 'setassourcedefault') { // Set as default when payment mode defined remotely only + } elseif ($action == 'setassourcedefault' && $permissiontoaddupdatepaymentinformation) { // Set as default when payment mode defined remotely only try { $cu = $stripe->customerStripe($object, $stripeacc, $servicestatus); if (preg_match('/pm_|src_/', $source)) { @@ -791,7 +791,7 @@ if (empty($reshook)) { $error++; setEventMessages($e->getMessage(), null, 'errors'); } - } elseif ($action == 'deletecard' && $source) { + } elseif ($action == 'deletecard' && $source && $permissiontoaddupdatepaymentinformation) { // Delete the credit card on Stripe side try { if (preg_match('/pm_/', $source)) { @@ -823,7 +823,7 @@ if (empty($reshook)) { $error++; setEventMessages($e->getMessage(), null, 'errors'); } - } elseif ($action == 'deletebank' && $source) { + } elseif ($action == 'deletebank' && $source && $permissiontoaddupdatepaymentinformation) { // Delete the bank account on Stripe side try { if (preg_match('/pm_/', $source)) { diff --git a/htdocs/takepos/ajax/ajax.php b/htdocs/takepos/ajax/ajax.php index eb2782f7be9..a4f4c723fc6 100644 --- a/htdocs/takepos/ajax/ajax.php +++ b/htdocs/takepos/ajax/ajax.php 
@@ -67,7 +67,7 @@ $pricelevel = 1; // default price level if PRODUIT_MULTIPRICES. TODO Get price l $thirdparty = new Societe($db); -if ($action == 'getProducts') { +if ($action == 'getProducts' && $user->hasRight('takepos', 'run')) { $tosell = GETPOSTISSET('tosell') ? GETPOSTINT('tosell') : ''; $limit = GETPOSTISSET('limit') ? GETPOSTINT('limit') : 0; $offset = GETPOSTISSET('offset') ? GETPOSTINT('offset') : 0; @@ -122,7 +122,7 @@ if ($action == 'getProducts') { } else { echo 'Failed to load category with id='.dol_escape_htmltag($category); } -} elseif ($action == 'search' && $term != '') { +} elseif ($action == 'search' && $term != '' && $user->hasRight('takepos', 'run')) { top_httphead('application/json'); // Search barcode into thirdparties. If found, it means we want to change thirdparties. @@ -395,7 +395,7 @@ if ($action == 'getProducts') { } else { echo 'Failed to search product : '.$db->lasterror(); } -} elseif ($action == "opendrawer" && $term != '') { +} elseif ($action == "opendrawer" && $term != '' && $user->hasRight('takepos', 'run')) { top_httphead('application/html'); require_once DOL_DOCUMENT_ROOT.'/core/class/dolreceiptprinter.class.php'; $printer = new dolReceiptPrinter($db); @@ -410,7 +410,7 @@ if ($action == 'getProducts') { print 'Failed to init printer with ID='.getDolGlobalInt('TAKEPOS_PRINTER_TO_USE'.$term); } } -} elseif ($action == "printinvoiceticket" && $term != '' && $id > 0 && $user->hasRight('facture', 'lire')) { +} elseif ($action == "printinvoiceticket" && $term != '' && $id > 0 && $user->hasRight('takepos', 'run') && $user->hasRight('facture', 'lire')) { top_httphead('application/html'); require_once DOL_DOCUMENT_ROOT.'/core/class/dolreceiptprinter.class.php'; 
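Review bot: The same `$user->hasRight('takepos', 'run')` test is now repeated in every branch of the if/elseif chain that starts here and runs through the following hunks, and a caller without the right simply drops off the end of the chain with an HTTP 200 and an empty body. A single early denial is harder to forget when the next action is added and gives the POS front end a real error to show: `if (!$user->hasRight('takepos', 'run')) { accessforbidden(); }` before the chain, or a `http_response_code(403); exit;` pair if this script runs before the HTML helpers are usable. The per-branch tests could then be dropped, except the branch-specific `facture/lire` test on `printinvoiceticket`.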
@@ -422,7 +422,7 @@ if ($action == 'getProducts') { $object->fetch($id); $ret = $printer->sendToPrinter($object, getDolGlobalString('TAKEPOS_TEMPLATE_TO_USE_FOR_INVOICES'.$term), getDolGlobalString('TAKEPOS_PRINTER_TO_USE'.$term)); } -} elseif ($action == 'getInvoice') { +} elseif ($action == 'getInvoice' && $user->hasRight('takepos', 'run')) { top_httphead('application/json'); require_once DOL_DOCUMENT_ROOT.'/compta/facture/class/facture.class.php'; @@ -433,7 +433,7 @@ if ($action == 'getProducts') { } echo json_encode($object); -} elseif ($action == 'thecheck') { +} elseif ($action == 'thecheck' && $user->hasRight('takepos', 'run')) { top_httphead('application/html'); $place = GETPOST('place', 'alpha'); diff --git a/htdocs/takepos/invoice.php b/htdocs/takepos/invoice.php index b83154dcd8c..f654a7d6dbb 100644 --- a/htdocs/takepos/invoice.php +++ b/htdocs/takepos/invoice.php @@ -583,7 +583,7 @@ if (empty($reshook)) { } if (($action == 'history' || $action == 'creditnote') && $user->hasRight('takepos', 'run')) { - if ($action == 'creditnote' && $creditnote->id > 0) { + if ($action == 'creditnote' && $creditnote->id > 0) { // Test on permission already done $placeid = $creditnote->id; } else { $placeid = GETPOSTINT('placeid'); diff --git a/htdocs/user/card.php b/htdocs/user/card.php index c7479eeffe0..51b58b13ac1 100644 --- a/htdocs/user/card.php +++ b/htdocs/user/card.php @@ -139,7 +139,7 @@ if ($id > 0) { } -/** +/* * Actions */ @@ -385,10 +385,10 @@ if (empty($reshook)) { $object->fetch($id); - if ($action == 'addgroup') { + if ($action == 'addgroup') { // Test on permission already done $result = $object->SetInGroup($group, $editgroup->entity); } - if ($action == 'removegroup') { + if ($action == 'removegroup') { // Test on permission already done $result = $object->RemoveFromGroup($group, $editgroup->entity); } 
@@ -766,7 +766,6 @@ if (empty($reshook)) { // Actions to build doc $upload_dir = $conf->user->dir_output; - $permissiontoadd = $user->hasRight("user", "user", "write"); include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php'; } @@ -811,7 +810,6 @@ $help_url = ''; llxHeader('', $title, $help_url, '', 0, 0, '', '', '', 'mod-user page-card'); - if ($action == 'create' || $action == 'adduserldap') { print load_fiche_titre($title, '', 'user'); @@ -1521,16 +1519,12 @@ if ($action == 'create' || $action == 'adduserldap') { print $form->formconfirm($_SERVER['PHP_SELF']."?id=$object->id", $langs->trans("EnableAUser"), $langs->trans("ConfirmEnableUser", $object->login), "confirm_enable", '', 0, 1); } - /* - * Confirmation suppression - */ + // Confirmation delete if ($action == 'delete') { print $form->formconfirm($_SERVER['PHP_SELF']."?id=$object->id", $langs->trans("DeleteAUser"), $langs->trans("ConfirmDeleteUser", $object->login), "confirm_delete", '', 0, 1); } - /* - * View mode - */ + // View mode if ($action != 'edit') { print dol_get_fiche_head($head, 'user', $title, -1, 'user'); diff --git a/htdocs/user/group/card.php b/htdocs/user/group/card.php index 53b28530e91..2abd7183b86 100644 --- a/htdocs/user/group/card.php +++ b/htdocs/user/group/card.php 
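Review bot: Removing `$permissiontoadd = $user->hasRight("user", "user", "write");` right before `actions_builddoc.inc.php` is included changes which variable gates document generation and deletion on this card: the include (not shown here) relies on the caller having set `$permissiontoadd`, and this hunk does not show where else card.php defines it. If an earlier definition with the same meaning exists this is a harmless de-duplication; if it does not, the include sees an undefined variable, which fails closed but silently breaks the Build document button. Once that definition has been confirmed, a comment at the removal site such as `// $permissiontoadd is defined at the top of the page` would save the next reader the same search.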
@@ -34,18 +34,19 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/extrafields.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php'; // Define if user can read permissions -$canreadperms = ($user->admin || $user->hasRight("user", "user", "read")); -$caneditperms = ($user->admin || $user->hasRight("user", "user", "write")); -$candisableperms = ($user->admin || $user->hasRight("user", "user", "delete")); +$permissiontoadd = ($user->admin || $user->hasRight("user", "user", "write")); +$permissiontoread = ($user->admin || $user->hasRight("user", "user", "read")); +$permissiontoedit = ($user->admin || $user->hasRight("user", "user", "write")); +$permissiontodisable = ($user->admin || $user->hasRight("user", "user", "delete")); $feature2 = 'user'; // Advanced permissions $advancedpermsactive = false; if (getDolGlobalString('MAIN_USE_ADVANCED_PERMS')) { $advancedpermsactive = true; - $canreadperms = ($user->admin || ($user->hasRight("user", "group_advance", "read") && $user->hasRight("user", "group_advance", "readperms"))); - $caneditperms = ($user->admin || $user->hasRight("user", "group_advance", "write")); - $candisableperms = ($user->admin || $user->hasRight("user", "group_advance", "delete")); + $permissiontoread = ($user->admin || ($user->hasRight("user", "group_advance", "read") && $user->hasRight("user", "group_advance", "readperms"))); + $permissiontoedit = ($user->admin || $user->hasRight("user", "group_advance", "write")); + $permissiontodisable = ($user->admin || $user->hasRight("user", "group_advance", "delete")); $feature2 = 'group_advance'; } 
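Review bot: `$permissiontoadd` and `$permissiontoedit` start out identical, but only `$permissiontoedit` (with `$permissiontoread` and `$permissiontodisable`) is re-derived from `user/group_advance/*` when `MAIN_USE_ADVANCED_PERMS` is set; `$permissiontoadd` keeps `user/user/write`. Because a later hunk of this file now feeds this top-level `$permissiontoadd` to `actions_builddoc.inc.php`, a user holding the basic write right but not `group_advance/write` can build or delete a group's documents while every other edit on the page is refused. Adding `$permissiontoadd = $permissiontoedit;` at the end of the advanced-permissions block keeps the two in step.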
@@ -86,7 +87,7 @@ if (isModEnabled('multicompany') && $conf->entity > 1 && $conf->global->MULTICOM * Actions */ -$parameters = array('id' => $id, 'userid' => $userid, 'caneditperms' => $caneditperms); +$parameters = array('id' => $id, 'userid' => $userid, 'caneditperms' => $permissiontoedit); $reshook = $hookmanager->executeHooks('doActions', $parameters, $object, $action); // Note that $action and $object may have been modified by some hooks if ($reshook < 0) { setEventMessages($hookmanager->error, $hookmanager->errors, 'errors'); 
@@ -111,139 +112,118 @@ if (empty($reshook)) { } // Action remove group - if ($action == 'confirm_delete' && $confirm == "yes") { - if ($caneditperms) { - $object->fetch($id); - $object->delete($user); - header("Location: ".DOL_URL_ROOT."/user/group/list.php?restore_lastsearch_values=1"); - exit; - } else { - $langs->load("errors"); - setEventMessages($langs->trans('ErrorForbidden'), null, 'errors'); - } + if ($action == 'confirm_delete' && $confirm == "yes" && $permissiontoedit) { + $object->fetch($id); + $object->delete($user); + header("Location: ".DOL_URL_ROOT."/user/group/list.php?restore_lastsearch_values=1"); + exit; } // Action add group - if ($action == 'add') { - if ($caneditperms) { - if (!GETPOST("nom", "alphanohtml")) { - setEventMessages($langs->trans("NameNotDefined"), null, 'errors'); - $action = "create"; // Go back to create page - } else { - $object->name = GETPOST("nom", 'alphanohtml'); - $object->note = dol_htmlcleanlastbr(trim(GETPOST("note", 'restricthtml'))); - - // Fill array 'array_options' with data from add form - $ret = $extrafields->setOptionalsFromPost(null, $object); - if ($ret < 0) { - $error++; - } - - if (isModEnabled('multicompany') && getDolGlobalString('MULTICOMPANY_TRANSVERSE_MODE')) { - $object->entity = 0; - } else { - if ($conf->entity == 1 && $user->admin && !$user->entity) { // Same permissions test than the one used to show the combo of entities into the form - $object->entity = GETPOSTISSET("entity") ? 
GETPOST("entity") : $conf->entity; - } else { - $object->entity = $conf->entity; - } - } - - $db->begin(); - - $id = $object->create(); - - if ($id > 0) { - $db->commit(); - - header("Location: ".$_SERVER['PHP_SELF']."?id=".$object->id); - exit; - } else { - $db->rollback(); - - $langs->load("errors"); - setEventMessages($langs->trans("ErrorGroupAlreadyExists", $object->name), null, 'errors'); - $action = "create"; // Go back to create page - } - } + if ($action == 'add' && $permissiontoedit) { + if (!GETPOST("nom", "alphanohtml")) { + setEventMessages($langs->trans("NameNotDefined"), null, 'errors'); + $action = "create"; // Go back to create page } else { - $langs->load("errors"); - setEventMessages($langs->trans('ErrorForbidden'), null, 'errors'); - } - } - - // Add/Remove user into group - if ($action == 'adduser' || $action == 'removeuser') { - if ($caneditperms) { - if ($userid > 0) { - $object->fetch($id); - $object->oldcopy = clone $object; - - $edituser = new User($db); - $edituser->fetch($userid); - if ($action == 'adduser') { - $result = $edituser->SetInGroup($object->id, $object->entity); - } - if ($action == 'removeuser') { - $result = $edituser->RemoveFromGroup($object->id, $object->entity); - } - - if ($result > 0) { - header("Location: ".$_SERVER['PHP_SELF']."?id=".$object->id); - exit; - } else { - setEventMessages($edituser->error, $edituser->errors, 'errors'); - } - } - } else { - $langs->load("errors"); - setEventMessages($langs->trans('ErrorForbidden'), null, 'errors'); - } - } - - - if ($action == 'update') { - if ($caneditperms) { - $db->begin(); - - $object->fetch($id); - - $object->oldcopy = clone $object; - - $object->name = GETPOST("nom", 'alphanohtml'); - $object->note = dol_htmlcleanlastbr(trim(GETPOST("note", 'restricthtml'))); - $object->tms = dol_now(); + $object->name = GETPOST("nom", 'alphanohtml'); + $object->note = dol_htmlcleanlastbr(trim(GETPOST("note", 'restricthtml'))); // Fill array 'array_options' with data from add form - 
$ret = $extrafields->setOptionalsFromPost(null, $object, '@GETPOSTISSET'); + $ret = $extrafields->setOptionalsFromPost(null, $object); if ($ret < 0) { $error++; } if (isModEnabled('multicompany') && getDolGlobalString('MULTICOMPANY_TRANSVERSE_MODE')) { $object->entity = 0; - } elseif (GETPOSTISSET("entity")) { - $object->entity = GETPOSTINT("entity"); - } - - $ret = $object->update(); - - if ($ret >= 0 && !count($object->errors)) { - setEventMessages($langs->trans("GroupModified"), null, 'mesgs'); - $db->commit(); } else { - setEventMessages($object->error, $object->errors, 'errors'); - $db->rollback(); + if ($conf->entity == 1 && $user->admin && !$user->entity) { // Same permissions test than the one used to show the combo of entities into the form + $object->entity = GETPOSTISSET("entity") ? GETPOST("entity") : $conf->entity; + } else { + $object->entity = $conf->entity; + } } + + $db->begin(); + + $id = $object->create(); + + if ($id > 0) { + $db->commit(); + + header("Location: ".$_SERVER['PHP_SELF']."?id=".$object->id); + exit; + } else { + $db->rollback(); + + $langs->load("errors"); + setEventMessages($langs->trans("ErrorGroupAlreadyExists", $object->name), null, 'errors'); + $action = "create"; // Go back to create page + } + } + } + + // Add/Remove user into group + if (($action == 'adduser' || $action == 'removeuser') && $permissiontoedit) { + if ($userid > 0) { + $object->fetch($id); + $object->oldcopy = clone $object; + + $edituser = new User($db); + $edituser->fetch($userid); + if ($action == 'adduser') { // Test on permission already done + $result = $edituser->SetInGroup($object->id, $object->entity); + } + if ($action == 'removeuser') { // Test on permission already done + $result = $edituser->RemoveFromGroup($object->id, $object->entity); + } + + if ($result > 0) { + header("Location: ".$_SERVER['PHP_SELF']."?id=".$object->id); + exit; + } else { + setEventMessages($edituser->error, $edituser->errors, 'errors'); + } + } + } + + + if ($action == 
'update' && $permissiontoedit) { + $db->begin(); + + $object->fetch($id); + + $object->oldcopy = clone $object; + + $object->name = GETPOST("nom", 'alphanohtml'); + $object->note = dol_htmlcleanlastbr(trim(GETPOST("note", 'restricthtml'))); + $object->tms = dol_now(); + + // Fill array 'array_options' with data from add form + $ret = $extrafields->setOptionalsFromPost(null, $object, '@GETPOSTISSET'); + if ($ret < 0) { + $error++; + } + + if (isModEnabled('multicompany') && getDolGlobalString('MULTICOMPANY_TRANSVERSE_MODE')) { + $object->entity = 0; + } elseif (GETPOSTISSET("entity")) { + $object->entity = GETPOSTINT("entity"); + } + + $ret = $object->update(); + + if ($ret >= 0 && !count($object->errors)) { + setEventMessages($langs->trans("GroupModified"), null, 'mesgs'); + $db->commit(); } else { - $langs->load("errors"); - setEventMessages($langs->trans('ErrorForbidden'), null, 'mesgs'); + setEventMessages($object->error, $object->errors, 'errors'); + $db->rollback(); } } // Actions to build doc $upload_dir = $conf->user->dir_output.'/usergroups'; - $permissiontoadd = $user->hasRight("user", "user", "write"); include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php'; } @@ -388,11 +368,11 @@ if ($action == 'create') { setEventMessages($hookmanager->error, $hookmanager->errors, 'errors'); } - if ($caneditperms) { + if ($permissiontoedit) { print ''.$langs->trans("Modify").''; } - if ($candisableperms) { + if ($permissiontodisable) { print ''.$langs->trans("DeleteGroup").''; } 
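Review bot: The `update` branch still accepts any posted entity, `} elseif (GETPOSTISSET("entity")) { $object->entity = GETPOSTINT("entity"); }`, whereas the `add` branch in the same hunk only honours a posted entity when `$conf->entity == 1 && $user->admin && !$user->entity`; the commit reshapes both branches but leaves the asymmetry, so a user with the group write right could presumably move an existing group to another entity by posting the field, unless a hook or the form prevents it. Aligning the update guard, `} elseif (GETPOSTISSET("entity") && $conf->entity == 1 && $user->admin && !$user->entity) {`, closes that without touching the form. Separately, the `else { setEventMessages($langs->trans('ErrorForbidden'), ...) }` branches were dropped, so an unauthorised `add`, `update` or `adduser` request now silently renders the card; if that is the intended convention it deserves a one-line comment at the top of the Actions block.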
@@ -412,12 +392,12 @@ if ($action == 'create') { } // Other form for add user to group - $parameters = array('caneditperms' => $caneditperms, 'exclude' => $exclude); + $parameters = array('caneditperms' => $permissiontoedit, 'exclude' => $exclude); $reshook = $hookmanager->executeHooks('formAddUserToGroup', $parameters, $object, $action); // Note that $action and $object may have been modified by hook print $hookmanager->resPrint; if (empty($reshook)) { - if ($caneditperms) { + if ($permissiontoedit) { print ''."\n"; print ''; print ''; @@ -517,7 +497,7 @@ if ($action == 'create') { * Card in edit mode */ - if ($action == 'edit' && $caneditperms) { + if ($action == 'edit' && $permissiontoedit) { print ''; print ''; print ''; diff --git a/htdocs/user/group/ldap.php b/htdocs/user/group/ldap.php index 7149862bb15..93c5cb91cb7 100644 --- a/htdocs/user/group/ldap.php +++ b/htdocs/user/group/ldap.php @@ -51,9 +51,9 @@ if (isModEnabled('multicompany') && $conf->entity > 1 && getDolGlobalString('MUL accessforbidden(); } -$canreadperms = true; +$permissiontoread = true; if (getDolGlobalString('MAIN_USE_ADVANCED_PERMS')) { - $canreadperms = (!empty($user->admin) || $user->hasRight('user', 'group_advance', 'read')); + $permissiontoread = (!empty($user->admin) || $user->hasRight('user', 'group_advance', 'read')); } diff --git a/htdocs/user/group/perms.php b/htdocs/user/group/perms.php index 8166525316b..ad4802607e2 100644 --- a/htdocs/user/group/perms.php +++ b/htdocs/user/group/perms.php 
@@ -51,15 +51,15 @@ if (!isset($id) || empty($id)) { } // Define if user can read permissions -$canreadperms = ($user->admin || $user->hasRight("user", "user", "read")); +$permissiontoread = ($user->admin || $user->hasRight("user", "user", "read")); // Define if user can modify group permissions -$caneditperms = ($user->admin || $user->hasRight("user", "user", "write")); +$permissiontoedit = ($user->admin || $user->hasRight("user", "user", "write")); // Advanced permissions $advancedpermsactive = false; if (getDolGlobalString('MAIN_USE_ADVANCED_PERMS')) { $advancedpermsactive = true; - $canreadperms = ($user->admin || ($user->hasRight("user", "group_advance", "read") && $user->hasRight("user", "group_advance", "readperms"))); - $caneditperms = ($user->admin || $user->hasRight("user", "group_advance", "write")); + $permissiontoread = ($user->admin || ($user->hasRight("user", "group_advance", "read") && $user->hasRight("user", "group_advance", "readperms"))); + $permissiontoedit = ($user->admin || $user->hasRight("user", "group_advance", "write")); } // Security check @@ -68,7 +68,7 @@ if (isset($user->socid) && $user->socid > 0) { $socid = $user->socid; } //$result = restrictedArea($user, 'user', $id, 'usergroup', ''); -if (!$canreadperms) { +if (!$permissiontoread) { accessforbidden(); } @@ -93,7 +93,7 @@ if ($reshook < 0) { } if (empty($reshook)) { - if ($action == 'addrights' && $caneditperms) { + if ($action == 'addrights' && $permissiontoedit) { $editgroup = new UserGroup($db); $result = $editgroup->fetch($object->id); if ($result > 0) { @@ -109,7 +109,7 @@ if (empty($reshook)) { $user->loadRights(); } - if ($action == 'delrights' && $caneditperms) { + if ($action == 'delrights' && $permissiontoedit) { $editgroup = new UserGroup($db); $result = $editgroup->fetch($id); if ($result > 0) { @@ -268,7 +268,7 @@ if ($object->id > 0) { print '
'; print ''; print ''; - if ($caneditperms) { + if ($permissiontoedit) { print ''; // Permission and tick (2 columns) - if ($caneditperms) { + if ($permissiontoedit) { print ''; } else { // Do not own permission - if ($caneditperms) { + if ($permissiontoedit) { print ''; // Search Group -if ($canreadperms) { +if ($permissiontoreadgroup) { $searchbox .= ''; } @@ -231,7 +231,7 @@ if ($resql) { * Last groups created */ $lastgroupbox = ''; -if ($canreadperms) { +if ($permissiontoreadgroup) { $sql = "SELECT g.rowid, g.nom as name, g.note, g.entity, g.datec"; $sql .= " FROM ".MAIN_DB_PREFIX."usergroup as g"; if (isModEnabled('multicompany') && $conf->entity == 1 && (getDolGlobalInt('MULTICOMPANY_TRANSVERSE_MODE') || ($user->admin && !$user->entity))) { diff --git a/htdocs/website/index.php b/htdocs/website/index.php index d232f6db0af..cbcc2f97213 100644 --- a/htdocs/website/index.php +++ b/htdocs/website/index.php @@ -2338,10 +2338,10 @@ if ((($action == 'updatesource' || $action == 'updatecontent' || $action == 'con if ($res < 0) { $error++; setEventMessages($objectpage->error, $objectpage->errors, 'errors'); - if ($action == 'updatesource') { + if ($action == 'updatesource') { // Test on permissions already done $action = 'editsource'; } - if ($action == 'updatecontent') { + if ($action == 'updatecontent') { // Test on permissions already done $action = 'editcontent'; } } @@ -2400,10 +2400,10 @@ if ((($action == 'updatesource' || $action == 'updatecontent' || $action == 'con exit; } } else { - if ($action == 'updatesource') { + if ($action == 'updatesource') { // Test on permissions already done $action = 'editsource'; } - if ($action == 'updatecontent') { + if ($action == 'updatecontent') { // Test on permissions already done $action = 'editcontent'; } } diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php index b27300d1437..58ca72c3a27 100644 --- a/test/phpunit/CodingPhpTest.php +++ b/test/phpunit/CodingPhpTest.php 
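Review bot: The new `// Test on permissions already done` comments on the `$action = 'editsource';` and `$action = 'editcontent';` reassignments (hunks @@ -2338 and @@ -2400 of htdocs/website/index.php) satisfy the CodingPhpTest marker scan but do not say which guard they rely on, so a later change to that guard cannot be traced back to these lines. The enclosing `if ((($action == 'updatesource' || $action == 'updatecontent' || ...` block starts outside the hunk, so the permission test the comment refers to is not visible here and I cannot confirm it covers these branches. Naming the permission variable that guard evaluates in the marker keeps the exemption auditable, e.g. `// Test on permissions already done by the guard of the enclosing updatesource/updatecontent block (see <permission variable>)`, with the placeholder replaced by the variable the guard actually uses.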
@@ -655,6 +655,7 @@ class CodingPhpTest extends CommonClassTest
 && !preg_match('/\$canedit/', $val[0])
 && !preg_match('/\$user->admin/', $val[0])
 && !preg_match('/already done/i', $val[0])
+ && !preg_match('/done later/i', $val[0])
 && !preg_match('/not required/i', $val[0])) {
 $ok = false;
 print "File ".$file['relativename']." - Line: ".$val[0]."\n";
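Review bot: The added `done later` exemption is a case-insensitive substring match on the whole line, so any `$action == ...` line whose trailing comment happens to contain those two words is excluded from the check, and nothing in the test confirms that a later permission test actually exists; it widens the existing `already done` / `not required` escape hatches without tightening any of them. Tying the marker to the wording the other exempting comments use (`// Test on permissions already done` in the website/index.php hunks) narrows it, e.g. `&& !preg_match('/permissions?.*done later/i', $val[0])`, and a short comment above the chain listing the accepted marker phrases and what each one asserts would make the next addition a deliberate decision rather than a copy of this one. The `if` whose conditions this hunk continues starts outside the hunk.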
'.$langs->trans("Module").''; print ''.$langs->trans("All").""; print '/'; @@ -352,7 +352,7 @@ if ($object->id > 0) { print ''; print ''; print 'id.'&confirm=yes">'; //print img_edit_remove($langs->trans("Remove")); print img_picto($langs->trans("Remove"), 'switch_on'); @@ -404,7 +404,7 @@ if ($object->id > 0) { print 'id.'&confirm=yes">'; //print img_edit_add($langs->trans("Add")); print img_picto($langs->trans("Add"), 'switch_off'); @@ -414,7 +414,7 @@ if ($object->id > 0) { } } else { // Do not own permission - if ($caneditperms) { + if ($permissiontoedit) { print 'id.'&confirm=yes&token='.newToken().'">'; //print img_edit_add($langs->trans("Add")); print img_picto($langs->trans("Add"), 'switch_off'); diff --git a/htdocs/user/home.php b/htdocs/user/home.php index e14c062d085..e1b3eb49b80 100644 --- a/htdocs/user/home.php +++ b/htdocs/user/home.php @@ -38,9 +38,9 @@ if (!$user->hasRight('user', 'user', 'lire') && !$user->admin) { // Load translation files required by page $langs->load("users"); -$canreadperms = true; +$permissiontoreadgroup = true; if (getDolGlobalString('MAIN_USE_ADVANCED_PERMS')) { - $canreadperms = (!empty($user->admin) || $user->hasRight("user", "group_advance", "read")); + $permissiontoreadgroup = (!empty($user->admin) || $user->hasRight("user", "group_advance", "read")); } // Security check (for external users) @@ -98,7 +98,7 @@ $searchbox .= '
'; $searchbox .= $langs->trans("User").':
'; $searchbox .= $langs->trans("Group").':