Fix: Security does not need special case
@@ -150,10 +150,6 @@ function restrictedArea($user, $features, $objectid=0, $dbtablename='', $feature
|
|||||||
{
|
{
|
||||||
if (! $user->rights->prelevement->bons->lire) $readok=0;
|
if (! $user->rights->prelevement->bons->lire) $readok=0;
|
||||||
}
|
}
|
||||||
else if ($feature == 'commande_fournisseur')
|
|
||||||
{
|
|
||||||
if (! $user->rights->fournisseur->commande->lire) $readok=0;
|
|
||||||
}
|
|
||||||
else if ($feature == 'cheque')
|
else if ($feature == 'cheque')
|
||||||
{
|
{
|
||||||
if (! $user->rights->banque->cheque) $readok=0;
|
if (! $user->rights->banque->cheque) $readok=0;
|
||||||
|
|||||||
@@ -40,7 +40,7 @@ $action = GETPOST('action', 'alpha');
|
|||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if ($user->societe_id) $socid=$user->societe_id;
|
if ($user->societe_id) $socid=$user->societe_id;
|
||||||
$result = restrictedArea($user, 'commande_fournisseur', $id,'');
|
$result = restrictedArea($user, 'fournisseur', $id, '', 'commande');
|
||||||
|
|
||||||
$object = new CommandeFournisseur($db);
|
$object = new CommandeFournisseur($db);
|
||||||
|
|
||||||
@@ -166,10 +166,10 @@ if ($id > 0 || ! empty($ref))
|
|||||||
print '</div>';
|
print '</div>';
|
||||||
|
|
||||||
print '<br>';
|
print '<br>';
|
||||||
|
|
||||||
// Contacts lines
|
// Contacts lines
|
||||||
include DOL_DOCUMENT_ROOT.'/core/tpl/contacts.tpl.php';
|
include DOL_DOCUMENT_ROOT.'/core/tpl/contacts.tpl.php';
|
||||||
|
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
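Review bot: The replaced restrictedArea line in the `@@ -40` hunk now relies on the generic `'fournisseur'` branch with `'commande'` as the fifth argument, while the first hunk on this page deletes the `commande_fournisseur` branch that verified `$user->rights->fournisseur->commande->lire`; nothing in the hunk shows that the generic path evaluates the same right, so confirm it does, and confirm that a feature string restrictedArea no longer recognises does not fall through as allowed, since any caller not migrated by this commit (external modules included) would now take that default. The call passes `$id` together with an empty `$dbtablename`, so whether the per-object thirdparty restriction for external users (`$socid` taken from `$user->societe_id` on the line above) still applies depends on how the generic branch treats an empty table name; worth checking with a supplier order belonging to another thirdparty. `$result` is assigned but never inspected in the hunk, which is only safe if restrictedArea itself terminates the request on denial. The same replacement is made in the `@@ -44`, `@@ -49`, `@@ -67`, `@@ -38`, `@@ -32`, `@@ -43` and `@@ -39` hunks below; this note covers them.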
|
|||||||
@@ -44,7 +44,7 @@ $langs->load('stocks');
|
|||||||
// Security check
|
// Security check
|
||||||
$id = isset($_GET["id"])?$_GET["id"]:'';
|
$id = isset($_GET["id"])?$_GET["id"]:'';
|
||||||
if ($user->societe_id) $socid=$user->societe_id;
|
if ($user->societe_id) $socid=$user->societe_id;
|
||||||
$result = restrictedArea($user, 'commande_fournisseur', $id,'');
|
$result = restrictedArea($user, 'fournisseur', $id, '', 'commande');
|
||||||
|
|
||||||
if (empty($conf->stock->enabled))
|
if (empty($conf->stock->enabled))
|
||||||
{
|
{
|
||||||
@@ -84,7 +84,7 @@ if ($_POST["action"] == 'dispatch' && $user->rights->fournisseur->commande->rece
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (! $notrigger)
|
if (! $notrigger)
|
||||||
{
|
{
|
||||||
global $conf, $langs, $user;
|
global $conf, $langs, $user;
|
||||||
@@ -94,7 +94,7 @@ if ($_POST["action"] == 'dispatch' && $user->rights->fournisseur->commande->rece
|
|||||||
$result_trigger=$interface->run_triggers('ORDER_SUPPLIER_DISPATCH',$this,$user,$langs,$conf);
|
$result_trigger=$interface->run_triggers('ORDER_SUPPLIER_DISPATCH',$this,$user,$langs,$conf);
|
||||||
if ($result_trigger < 0) { $error++; $this->errors=$interface->errors; }
|
if ($result_trigger < 0) { $error++; $this->errors=$interface->errors; }
|
||||||
// Fin appel triggers
|
// Fin appel triggers
|
||||||
|
|
||||||
$this->db->commit();
|
$this->db->commit();
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -282,7 +282,7 @@ if ($id > 0 || ! empty($ref))
|
|||||||
print '<a href="'.DOL_URL_ROOT.'/product/fournisseurs.php?id='.$objp->fk_product.'">'.img_object($langs->trans("ShowProduct"),'product').' '.$objp->ref.'</a>';
|
print '<a href="'.DOL_URL_ROOT.'/product/fournisseurs.php?id='.$objp->fk_product.'">'.img_object($langs->trans("ShowProduct"),'product').' '.$objp->ref.'</a>';
|
||||||
print ' - '.$objp->label;
|
print ' - '.$objp->label;
|
||||||
// To show detail cref and description value, we must make calculation by cref
|
// To show detail cref and description value, we must make calculation by cref
|
||||||
//print ($objp->cref?' ('.$objp->cref.')':'');
|
//print ($objp->cref?' ('.$objp->cref.')':'');
|
||||||
//if ($objp->description) print '<br>'.nl2br($objp->description);
|
//if ($objp->description) print '<br>'.nl2br($objp->description);
|
||||||
print '<input name="product_'.$i.'" type="hidden" value="'.$objp->fk_product.'">';
|
print '<input name="product_'.$i.'" type="hidden" value="'.$objp->fk_product.'">';
|
||||||
print '<input name="pu_'.$i.'" type="hidden" value="'.$objp->subprice.'">';
|
print '<input name="pu_'.$i.'" type="hidden" value="'.$objp->subprice.'">';
|
||||||
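Review bot: In the `@@ -44` hunk the new restrictedArea call receives `$id`, which the context line above reads as `$id = isset($_GET["id"])?$_GET["id"]:'';`, i.e. raw and untyped, whereas the other files touched by this commit obtain request parameters through `GETPOST`. Since the commit is rewriting this exact security check, it should also take `$id = GETPOST('id', 'int');` so the object id handed to the access check is numeric rather than an arbitrary string. The `@@ -84`, `@@ -94` and `@@ -282` hunks show no textual change on this page and appear to be whitespace-only.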
|
|||||||
@@ -49,7 +49,7 @@ $confirm = GETPOST('confirm','alpha');
|
|||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if ($user->societe_id) $socid=$user->societe_id;
|
if ($user->societe_id) $socid=$user->societe_id;
|
||||||
$result = restrictedArea($user, 'commande_fournisseur', $id,'');
|
$result = restrictedArea($user, 'fournisseur', $id, '', 'commande');
|
||||||
|
|
||||||
// Get parameters
|
// Get parameters
|
||||||
$sortfield = GETPOST("sortfield",'alpha');
|
$sortfield = GETPOST("sortfield",'alpha');
|
||||||
|
|||||||
@@ -67,7 +67,7 @@ $hideref = (GETPOST('hideref','int') ? GETPOST('hideref','int') : (! empty($co
|
|||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if ($user->societe_id) $socid=$user->societe_id;
|
if ($user->societe_id) $socid=$user->societe_id;
|
||||||
$result = restrictedArea($user, 'commande_fournisseur', $id,'');
|
$result = restrictedArea($user, 'fournisseur', $id, '', 'commande');
|
||||||
|
|
||||||
// Initialize technical object to manage hooks of thirdparties. Note that conf->hooks_modules contains array array
|
// Initialize technical object to manage hooks of thirdparties. Note that conf->hooks_modules contains array array
|
||||||
$hookmanager->initHooks(array('ordersuppliercard'));
|
$hookmanager->initHooks(array('ordersuppliercard'));
|
||||||
@@ -683,7 +683,7 @@ else if ($action == 'add' && $user->rights->fournisseur->commande->creer)
|
|||||||
{
|
{
|
||||||
$error++;
|
$error++;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($error)
|
if ($error)
|
||||||
{
|
{
|
||||||
$langs->load("errors");
|
$langs->load("errors");
|
||||||
@@ -840,7 +840,7 @@ if ($action == 'send' && ! GETPOST('addfile') && ! GETPOST('removedfile') && ! G
|
|||||||
else
|
else
|
||||||
{
|
{
|
||||||
// Redirect here
|
// Redirect here
|
||||||
// This avoid sending mail twice if going out and then back to page
|
// This avoid sending mail twice if going out and then back to page
|
||||||
header('Location: '.$_SERVER["PHP_SELF"].'?id='.$object->id);
|
header('Location: '.$_SERVER["PHP_SELF"].'?id='.$object->id);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
@@ -959,28 +959,28 @@ $now=dol_now();
|
|||||||
if ($action=="create")
|
if ($action=="create")
|
||||||
{
|
{
|
||||||
print_fiche_titre($langs->trans('NewOrder'));
|
print_fiche_titre($langs->trans('NewOrder'));
|
||||||
|
|
||||||
dol_htmloutput_mesg($mesg);
|
dol_htmloutput_mesg($mesg);
|
||||||
|
|
||||||
$societe='';
|
$societe='';
|
||||||
if ($socid>0)
|
if ($socid>0)
|
||||||
{
|
{
|
||||||
$societe=new Societe($db);
|
$societe=new Societe($db);
|
||||||
$societe->fetch($socid);
|
$societe->fetch($socid);
|
||||||
}
|
}
|
||||||
|
|
||||||
print '<form name="add" action="'.$_SERVER["PHP_SELF"].'" method="post">';
|
print '<form name="add" action="'.$_SERVER["PHP_SELF"].'" method="post">';
|
||||||
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
|
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
|
||||||
print '<input type="hidden" name="action" value="add">';
|
print '<input type="hidden" name="action" value="add">';
|
||||||
print '<table class="border" width="100%">';
|
print '<table class="border" width="100%">';
|
||||||
|
|
||||||
// Ref
|
// Ref
|
||||||
print '<tr><td>'.$langs->trans('Ref').'</td><td>'.$langs->trans('Draft').'</td></tr>';
|
print '<tr><td>'.$langs->trans('Ref').'</td><td>'.$langs->trans('Draft').'</td></tr>';
|
||||||
|
|
||||||
// Third party
|
// Third party
|
||||||
print '<tr><td class="fieldrequired">'.$langs->trans('Supplier').'</td>';
|
print '<tr><td class="fieldrequired">'.$langs->trans('Supplier').'</td>';
|
||||||
print '<td>';
|
print '<td>';
|
||||||
|
|
||||||
if ($socid > 0)
|
if ($socid > 0)
|
||||||
{
|
{
|
||||||
print $societe->getNomUrl(1);
|
print $societe->getNomUrl(1);
|
||||||
@@ -991,30 +991,30 @@ if ($action=="create")
|
|||||||
print $form->select_company((empty($socid)?'':$socid),'socid','s.fournisseur = 1',1);
|
print $form->select_company((empty($socid)?'':$socid),'socid','s.fournisseur = 1',1);
|
||||||
}
|
}
|
||||||
print '</td>';
|
print '</td>';
|
||||||
|
|
||||||
// Ref supplier
|
// Ref supplier
|
||||||
print '<tr><td>'.$langs->trans('RefSupplier').'</td><td><input name="refsupplier" type="text"></td>';
|
print '<tr><td>'.$langs->trans('RefSupplier').'</td><td><input name="refsupplier" type="text"></td>';
|
||||||
print '</tr>';
|
print '</tr>';
|
||||||
|
|
||||||
print '</td></tr>';
|
print '</td></tr>';
|
||||||
|
|
||||||
print '<tr><td>'.$langs->trans('Note').'</td>';
|
print '<tr><td>'.$langs->trans('Note').'</td>';
|
||||||
print '<td><textarea name="note" wrap="soft" cols="60" rows="'.ROWS_5.'"></textarea></td>';
|
print '<td><textarea name="note" wrap="soft" cols="60" rows="'.ROWS_5.'"></textarea></td>';
|
||||||
print '</tr>';
|
print '</tr>';
|
||||||
|
|
||||||
print '<tr><td>'.$langs->trans('NotePublic').'</td>';
|
print '<tr><td>'.$langs->trans('NotePublic').'</td>';
|
||||||
print '<td><textarea name="note_public" wrap="soft" cols="60" rows="'.ROWS_5.'"></textarea></td>';
|
print '<td><textarea name="note_public" wrap="soft" cols="60" rows="'.ROWS_5.'"></textarea></td>';
|
||||||
print '</tr>';
|
print '</tr>';
|
||||||
|
|
||||||
// Other options
|
// Other options
|
||||||
$parameters=array();
|
$parameters=array();
|
||||||
$reshook=$hookmanager->executeHooks('formObjectOptions',$parameters,$object,$action); // Note that $action and $object may have been modified by hook
|
$reshook=$hookmanager->executeHooks('formObjectOptions',$parameters,$object,$action); // Note that $action and $object may have been modified by hook
|
||||||
|
|
||||||
// Bouton "Create Draft"
|
// Bouton "Create Draft"
|
||||||
print "</table>\n";
|
print "</table>\n";
|
||||||
|
|
||||||
print '<br><center><input type="submit" class="button" name="bouton" value="'.$langs->trans('CreateDraft').'"></center>';
|
print '<br><center><input type="submit" class="button" name="bouton" value="'.$langs->trans('CreateDraft').'"></center>';
|
||||||
|
|
||||||
print "</form>\n";
|
print "</form>\n";
|
||||||
}
|
}
|
||||||
elseif (! empty($object->id))
|
elseif (! empty($object->id))
|
||||||
@@ -1909,12 +1909,12 @@ elseif (! empty($object->id))
|
|||||||
$formmail->substit['__SIGNATURE__']=$user->signature;
|
$formmail->substit['__SIGNATURE__']=$user->signature;
|
||||||
$formmail->substit['__PERSONALIZED__']='';
|
$formmail->substit['__PERSONALIZED__']='';
|
||||||
$formmail->substit['__CONTACTCIVNAME__']='';
|
$formmail->substit['__CONTACTCIVNAME__']='';
|
||||||
|
|
||||||
//Find the good contact adress
|
//Find the good contact adress
|
||||||
$custcontact='';
|
$custcontact='';
|
||||||
$contactarr=array();
|
$contactarr=array();
|
||||||
$contactarr=$object->liste_contact(-1,'external');
|
$contactarr=$object->liste_contact(-1,'external');
|
||||||
|
|
||||||
if (is_array($contactarr) && count($contactarr)>0) {
|
if (is_array($contactarr) && count($contactarr)>0) {
|
||||||
foreach($contactarr as $contact) {
|
foreach($contactarr as $contact) {
|
||||||
if ($contact['libelle']==$langs->trans('TypeContact_order_supplier_external_BILLING')) {
|
if ($contact['libelle']==$langs->trans('TypeContact_order_supplier_external_BILLING')) {
|
||||||
@@ -1924,12 +1924,12 @@ elseif (! empty($object->id))
|
|||||||
$custcontact=$contactstatic->getFullName($langs,1);
|
$custcontact=$contactstatic->getFullName($langs,1);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!empty($custcontact)) {
|
if (!empty($custcontact)) {
|
||||||
$formmail->substit['__CONTACTCIVNAME__']=$custcontact;
|
$formmail->substit['__CONTACTCIVNAME__']=$custcontact;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Tableau des parametres complementaires
|
// Tableau des parametres complementaires
|
||||||
$formmail->param['action']='send';
|
$formmail->param['action']='send';
|
||||||
$formmail->param['models']='order_supplier_send';
|
$formmail->param['models']='order_supplier_send';
|
||||||
|
|||||||
@@ -38,7 +38,7 @@ $ref=GETPOST('ref','alpha');
|
|||||||
// Security check
|
// Security check
|
||||||
$socid='';
|
$socid='';
|
||||||
if (! empty($user->societe_id)) $socid=$user->societe_id;
|
if (! empty($user->societe_id)) $socid=$user->societe_id;
|
||||||
$result = restrictedArea($user, 'commande_fournisseur', $id,'');
|
$result = restrictedArea($user, 'fournisseur', $id, '', 'commande');
|
||||||
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
|||||||
@@ -32,7 +32,7 @@ require_once DOL_DOCUMENT_ROOT.'/contact/class/contact.class.php';
|
|||||||
// Security check
|
// Security check
|
||||||
$orderid = GETPOST('orderid');
|
$orderid = GETPOST('orderid');
|
||||||
if ($user->societe_id) $socid=$user->societe_id;
|
if ($user->societe_id) $socid=$user->societe_id;
|
||||||
$result = restrictedArea($user, 'commande_fournisseur', $orderid,'');
|
$result = restrictedArea($user, 'fournisseur', $orderid, '', 'commande');
|
||||||
|
|
||||||
$langs->load("suppliers");
|
$langs->load("suppliers");
|
||||||
$langs->load("orders");
|
$langs->load("orders");
|
||||||
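Review bot: The new restrictedArea call in the `@@ -32` hunk passes `$orderid`, which the context line two above reads with `GETPOST('orderid')` and no type filter; GETPOST supports an `'int'` filter (used with `hideref` in the `@@ -67` hunk), so use `$orderid = GETPOST('orderid', 'int');` here so the object id reaching the access check is an integer. The `@@ -43` hunk below reads `$orderid` the same way and should get the same change.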
|
|||||||
@@ -43,7 +43,7 @@ $sortfield = GETPOST('sortfield','alpha');
|
|||||||
// Security check
|
// Security check
|
||||||
$orderid = GETPOST('orderid');
|
$orderid = GETPOST('orderid');
|
||||||
if ($user->societe_id) $socid=$user->societe_id;
|
if ($user->societe_id) $socid=$user->societe_id;
|
||||||
$result = restrictedArea($user, 'commande_fournisseur', $orderid,'');
|
$result = restrictedArea($user, 'fournisseur', $orderid, '', 'commande');
|
||||||
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
|||||||
@@ -39,7 +39,7 @@ $action = GETPOST('action');
|
|||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
if ($user->societe_id) $socid=$user->societe_id;
|
if ($user->societe_id) $socid=$user->societe_id;
|
||||||
$result = restrictedArea($user, 'commande_fournisseur', $id,'');
|
$result = restrictedArea($user, 'fournisseur', $id, '', 'commande');
|
||||||
|
|
||||||
$object = new CommandeFournisseur($db);
|
$object = new CommandeFournisseur($db);
|
||||||
$object->fetch($id, $ref);
|
$object->fetch($id, $ref);
|
||||||
|
|||||||