Fix test on permissions
@@ -159,7 +159,7 @@ $error = 0;
|
||||
|
||||
|
||||
/*
|
||||
* View
|
||||
* View
|
||||
*/
|
||||
|
||||
dolibarr_install_syslog("--- step1: entering step1.php page");
|
||||
@@ -372,7 +372,7 @@ if (!$error && $db->connected) {
|
||||
|
||||
|
||||
// Create config file
|
||||
if (!$error && $db->connected && $action == "set") {
|
||||
if (!$error && $db->connected && $action == "set") { // Test on permission not required here
|
||||
umask(0);
|
||||
if (is_array($_POST)) {
|
||||
foreach ($_POST as $key => $value) {
|
||||
@@ -384,7 +384,7 @@ if (!$error && $db->connected && $action == "set") {
|
||||
|
||||
// Show title of step
|
||||
print '<h3><img class="valignmiddle inline-block paddingright" src="../theme/common/octicons/build/svg/gear.svg" width="20" alt="Configuration"> '.$langs->trans("ConfigurationFile").'</h3>';
|
||||
print '<table cellspacing="0" width="100%" cellpadding="1" border="0">';
|
||||
print '<table cellspacing="0" class="centpercent" cellpadding="1">';
|
||||
|
||||
// Check parameter main_dir
|
||||
if (!$error) {
|
||||
|
||||
@@ -1056,7 +1056,7 @@ if (empty($reshook)) {
|
||||
|
||||
|
||||
// Add product into object (when PRODUCT_ADD_FORM_ADD_TO is set)
|
||||
if ($object->id > 0 && $action == 'addin') { // Test on permission is done just after
|
||||
if ($object->id > 0 && $action == 'addin') { // Test on permission not required here. it is done later according to object.
|
||||
$thirpdartyid = 0;
|
||||
$permissiontoaddline = false;
|
||||
|
||||
|
||||
@@ -190,7 +190,7 @@ if ($reshook < 0) {
|
||||
}
|
||||
|
||||
// Action called when page is submitted
|
||||
if (empty($reshook) && $action == 'add') {
|
||||
if (empty($reshook) && $action == 'add') { // Test on permission not required here. This is a public page. Security is done on constant and mitigation.
|
||||
$error = 0;
|
||||
$urlback = '';
|
||||
|
||||
@@ -236,6 +236,7 @@ if (empty($reshook) && $action == 'add') {
|
||||
$societe->name_alias = GETPOST('name_alias', 'alphanohtml');
|
||||
|
||||
$societe->note_private = GETPOST('note_private');
|
||||
|
||||
if (!$error) {
|
||||
$result = $societe->create($user);
|
||||
if ($result > 0) {
|
||||
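Review bot: The added `$societe->note_private = GETPOST('note_private');` omits the check-type argument that the neighbouring `GETPOST('name_alias', 'alphanohtml')` passes, so the sanitization applied to this field rests on GETPOST's default instead of being stated at the call site. This is the anonymous public form described at `@@ -190,7 +190,7 @@`, and a free-text note is untrusted input that is persisted on the created third party via `$societe->create($user)`, so the intended filter should be explicit, e.g. `$societe->note_private = GETPOST('note_private', 'restricthtml');` if HTML is expected in that field, or `'alphanohtml'` otherwise. The enclosing `if (empty($reshook) && $action == 'add')` block starts and ends outside the hunk.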
@@ -272,7 +273,7 @@ if (empty($reshook) && $action == 'add') {
|
||||
// If MEMBER_URL_REDIRECT_SUBSCRIPTION is set to an url, we never go here because a redirect was done to this url. Same if we ask to redirect to the payment page.
|
||||
// backtopage parameter with an url was set on prospect submit page, we never go here because a redirect was done to this url.
|
||||
|
||||
if (empty($reshook) && $action == 'added') {
|
||||
if (empty($reshook) && $action == 'added') { // Test on permission not required here
|
||||
llxHeaderVierge("newSocieteAdded");
|
||||
|
||||
// If we have not been redirected
|
||||
|
||||
@@ -237,7 +237,7 @@ if ($reshook < 0) {
|
||||
}
|
||||
|
||||
// Action called when page is submitted
|
||||
if (empty($reshook) && $action == 'add' && (!empty($conference->id) && $conference->status == 2 || !empty($project->id) && $project->status == Project::STATUS_VALIDATED)) {
|
||||
if (empty($reshook) && $action == 'add' && (!empty($conference->id) && $conference->status == 2 || !empty($project->id) && $project->status == Project::STATUS_VALIDATED)) { // Test on permission not required. Check are done on securitykey and mitigation
|
||||
$error = 0;
|
||||
|
||||
$urlback = '';
|
||||
|
||||
@@ -114,7 +114,7 @@ $user->loadDefaultValues();
|
||||
*/
|
||||
function llxHeaderVierge($title, $head = "", $disablejs = 0, $disablehead = 0, $arrayofjs = [], $arrayofcss = [])
|
||||
{
|
||||
global $user, $conf, $langs, $mysoc;
|
||||
global $conf, $langs, $mysoc;
|
||||
|
||||
top_htmlhead($head, $title, $disablejs, $disablehead, $arrayofjs, $arrayofcss); // Show html headers
|
||||
|
||||
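Review bot: Dropping `$user` from the `global` declaration in `llxHeaderVierge` is only safe if nothing in the rest of the function body reads it, and the body continues past the hunk, so that cannot be confirmed from here. If `$user` is genuinely unused the change is correct and removes a stray dependency from a public-page header; if a later line does `$user->...`, it would now hit an undefined local instead of the global. The docblock whose closing `*/` sits just above the signature starts outside the hunk; it is worth checking that it no longer mentions `$user` as a dependency.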
@@ -192,7 +192,7 @@ if ($reshook < 0) {
|
||||
}
|
||||
|
||||
// Action called when page is submitted
|
||||
if (empty($reshook) && $action == 'add') {
|
||||
if (empty($reshook) && $action == 'add') { // Test on permission not required here. This is an anonymous form. Check is done on constant to enable and mitigation.
|
||||
$error = 0;
|
||||
$urlback = '';
|
||||
|
||||
@@ -490,7 +490,7 @@ if (empty($reshook) && $action == 'add') {
|
||||
// If MEMBER_URL_REDIRECT_SUBSCRIPTION is set to an url, we never go here because a redirect was done to this url. Same if we ask to redirect to the payment page.
|
||||
// backtopage parameter with an url was set on member submit page, we never go here because a redirect was done to this url.
|
||||
|
||||
if (empty($reshook) && $action == 'added') {
|
||||
if (empty($reshook) && $action == 'added') { // Test on permission not required here
|
||||
llxHeaderVierge($langs->trans("NewMemberForm"));
|
||||
|
||||
// If we have not been redirected
|
||||
|
||||
@@ -71,7 +71,7 @@ $action = GETPOST('action', 'aZ09');
|
||||
$langs->loadLangs(array("main", "members", "partnership", "companies", "install", "other"));
|
||||
|
||||
// Security check
|
||||
if (empty($conf->partnership->enabled)) {
|
||||
if (!isModEnabled('partnership')) {
|
||||
httponly_accessforbidden('Module Partnership not enabled');
|
||||
}
|
||||
|
||||
@@ -180,7 +180,7 @@ if ($reshook < 0) {
|
||||
}
|
||||
|
||||
// Action called when page is submitted
|
||||
if (empty($reshook) && $action == 'add') {
|
||||
if (empty($reshook) && $action == 'add') { // Test on permission not required here. This is an anonymous form. Check is done on constant to enable and mitigation.
|
||||
$error = 0;
|
||||
$urlback = '';
|
||||
|
||||
@@ -526,7 +526,7 @@ if (empty($reshook) && $action == 'add') {
|
||||
// Action called after a submitted was send and member created successfully
|
||||
// If PARTNERSHIP_URL_REDIRECT_SUBSCRIPTION is set to url we never go here because a redirect was done to this url.
|
||||
// backtopage parameter with an url was set on member submit page, we never go here because a redirect was done to this url.
|
||||
if (empty($reshook) && $action == 'added') {
|
||||
if (empty($reshook) && $action == 'added') { // Test on permission not required here
|
||||
llxHeaderVierge($langs->trans("NewPartnershipForm"));
|
||||
|
||||
// Si on a pas ete redirige
|
||||
|
||||
@@ -172,7 +172,7 @@ if ($reshook < 0) {
|
||||
}
|
||||
|
||||
// Action called when page is submitted
|
||||
if (empty($reshook) && $action == 'add') { // Test on permission not required here. This is an anonymous public ssubmission. Check is done the constant to enable feature + mitigation.
|
||||
if (empty($reshook) && $action == 'add') { // Test on permission not required here. This is an anonymous public submission form. Check is done on the constant to enable feature + mitigation.
|
||||
$error = 0;
|
||||
$urlback = '';
|
||||
|
||||
@@ -430,7 +430,7 @@ if (empty($reshook) && $action == 'add') { // Test on permission not required he
|
||||
|
||||
// Action called after a submitted was send and member created successfully
|
||||
// backtopage parameter with an url was set on member submit page, we never go here because a redirect was done to this url.
|
||||
if (empty($reshook) && $action == 'added') {
|
||||
if (empty($reshook) && $action == 'added') { // Test on permission not required here
|
||||
llxHeaderVierge($langs->trans("NewLeadForm"));
|
||||
|
||||
// Si on a pas ete redirige
|
||||
|
||||
@@ -662,7 +662,7 @@ class CodingPhpTest extends CommonClassTest
|
||||
$filecontentaction = $filecontent;
|
||||
}
|
||||
|
||||
preg_match_all('/if.*\$action\s*==\s*[\'"][a-z\-]+[\'"].*/', $filecontentaction, $matches, PREG_SET_ORDER);
|
||||
preg_match_all('/if.*\$action\s*==\s*[\'"][a-z\-]+[\'"].*$/', $filecontentaction, $matches, PREG_SET_ORDER);
|
||||
foreach ($matches as $key => $val) {
|
||||
if (!preg_match('/\$user->hasR/', $val[0])
|
||||
&& !preg_match('/\$permission/', $val[0])
|
||||
|
||||
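Review bot: The `$` appended to the pattern on the new `preg_match_all` line has no `m` modifier, so it anchors at the end of the whole `$filecontentaction` subject rather than at the end of each line; because `.` does not cross newlines, an `if ... $action == '...'` would then only match when it is on the last line of the file, and this permission check would silently stop inspecting almost every action block. Add the multiline flag: `preg_match_all('/if.*\$action\s*==\s*[\'"][a-z\-]+[\'"].*$/m', $filecontentaction, $matches, PREG_SET_ORDER);`. Separately, `[a-z\-]+` leaves action names containing digits or underscores uninspected, which may be intended but deserves a one-line comment so the gap is deliberate. The enclosing test method starts and ends outside the hunk.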