diff --git a/htdocs/core/class/canvas.class.php b/htdocs/core/class/canvas.class.php
index 5d21a82476c..dba98f4e22b 100644
--- a/htdocs/core/class/canvas.class.php
+++ b/htdocs/core/class/canvas.class.php
@@ -164,6 +164,23 @@ class Canvas
 return 1;
 }
+
+ /**
+ * Check permissions of a user to show a page and an object. Check read permission
+ * If $_REQUEST['action'] defined, we also check write permission.
+ * @param user User to check
+ * @param features Features to check (in most cases, it's module name)
+ * @param objectid Object ID if we want to check permission on a particular record (optionnal)
+ * @param dbtablename Table name where object is stored. Not used if objectid is null (optionnal)
+ * @param feature2 Feature to check (second level of permission)
+ * @param dbt_keyfield Field name for socid foreign key if not fk_soc. (optionnal)
+ * @param dbt_select Field name for select if not rowid. (optionnal)
+ * @return int 1
+ */
+ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid')
+ {
+ return $this->control->restrictedArea($user,$features,$objectid,$dbtablename,$feature2,$dbt_keyfield,$dbt_select);
+ }
 /**
 * Assign templates values
diff --git a/htdocs/societe/canvas/default/actions_card_default.class.php b/htdocs/societe/canvas/default/actions_card_default.class.php
index 6bbe459bfa5..8f2675df6d2 100644
--- a/htdocs/societe/canvas/default/actions_card_default.class.php
+++ b/htdocs/societe/canvas/default/actions_card_default.class.php
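Review bot: The delegating `return $this->control->restrictedArea(...)` at the end of the hunk only fails closed when `$this->control` has been loaded and the loaded control defines `restrictedArea()`; when `getCanvas()` was not called first, or a canvas control omits the method, the page dies with a fatal error instead of producing the normal forbidden result, and nothing in the wrapper itself prevents a control from returning without ever reaching the core check. A fail-safe guard keeps the wrapper behind the global check in those cases: `if (! is_object($this->control) || ! method_exists($this->control, 'restrictedArea')) return restrictedArea($user, $features, $objectid, $dbtablename, $feature2, $dbt_keyfield, $dbt_select);` placed before the delegating `return`. The docblock's `@return int 1` does not match the code, which passes through whatever the control returns; say so rather than promising 1. The rest of the Canvas class lies outside the hunk.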
@@ -178,6 +178,23 @@ class ActionsCardDefault extends ActionsCardCommon
 }
 }
 }
+
+ /**
+ * Check permissions of a user to show a page and an object. Check read permission
+ * If $_REQUEST['action'] defined, we also check write permission.
+ * @param user User to check
+ * @param features Features to check (in most cases, it's module name)
+ * @param objectid Object ID if we want to check permission on a particular record (optionnal)
+ * @param dbtablename Table name where object is stored. Not used if objectid is null (optionnal)
+ * @param feature2 Feature to check (second level of permission)
+ * @param dbt_keyfield Field name for socid foreign key if not fk_soc. (optionnal)
+ * @param dbt_select Field name for select if not rowid. (optionnal)
+ * @return int 1
+ */
+ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid')
+ {
+ return restrictedArea($user,$features,$objectid,$dbtablename,$feature2,$dbt_keyfield,$dbt_select);
+ }
 }
diff --git a/htdocs/societe/canvas/individual/actions_card_individual.class.php b/htdocs/societe/canvas/individual/actions_card_individual.class.php
index 7327a0d0871..9f360a4a7e8 100644
--- a/htdocs/societe/canvas/individual/actions_card_individual.class.php
+++ b/htdocs/societe/canvas/individual/actions_card_individual.class.php
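Review bot: The `restrictedArea()` method added here is a verbatim copy of the one added to `ActionsCardIndividual` in the next hunk, and both classes extend `ActionsCardCommon`; defining it once in the parent would give every canvas the core check by default, whereas with per-subclass copies a future canvas that forgets the method leaves `Canvas::restrictedArea()` calling an undefined method. The unqualified `restrictedArea(...)` inside the method resolves to the global function rather than to the method itself, so the call is not recursive, but that is easy to misread; a one-line comment such as `// Delegates to the global restrictedArea(), not to $this` would spare the next reader the check. The docblock's `@return int 1` should instead state that the method returns whatever the global check returns, since only that function determines the value. ActionsCardDefault continues outside the hunk.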
@@ -104,6 +104,23 @@ class ActionsCardIndividual extends ActionsCardCommon
 }
 }
 }
+
+ /**
+ * Check permissions of a user to show a page and an object. Check read permission
+ * If $_REQUEST['action'] defined, we also check write permission.
+ * @param user User to check
+ * @param features Features to check (in most cases, it's module name)
+ * @param objectid Object ID if we want to check permission on a particular record (optionnal)
+ * @param dbtablename Table name where object is stored. Not used if objectid is null (optionnal)
+ * @param feature2 Feature to check (second level of permission)
+ * @param dbt_keyfield Field name for socid foreign key if not fk_soc. (optionnal)
+ * @param dbt_select Field name for select if not rowid. (optionnal)
+ * @return int 1
+ */
+ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid')
+ {
+ return restrictedArea($user,$features,$objectid,$dbtablename,$feature2,$dbt_keyfield,$dbt_select);
+ }
 }
diff --git a/htdocs/societe/soc.php b/htdocs/societe/soc.php
index ae2ed523252..9ce021d5146 100644
--- a/htdocs/societe/soc.php
+++ b/htdocs/societe/soc.php
@@ -44,10 +44,8 @@ $langs->load("banks");
 $langs->load("users");
 if ($conf->notification->enabled) $langs->load("mails");
-// Security check
 $socid = isset($_GET["socid"])?$_GET["socid"]:'';
 if ($user->societe_id) $socid=$user->societe_id;
-$result = restrictedArea($user, 'societe', $socid);
 $soc = new Societe($db);
@@ -58,6 +56,16 @@ if (! empty($canvas))
 {
 require_once(DOL_DOCUMENT_ROOT."/core/class/canvas.class.php");
 $soccanvas = new Canvas($db);
+
+ $soccanvas->getCanvas('thirdparty','card',$canvas);
+
+ // Security check
+ $result = $soccanvas->restrictedArea($user, 'societe', $socid);
+}
+else
+{
+ // Security check
+ $result = restrictedArea($user, 'societe', $socid);
 }
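Review bot: Dropping the `restrictedArea()` call here moves authorization from the old line 47 down to the `if (! empty($canvas))` block at new line 56, so `$soc = new Societe($db);` and whatever occupies the lines between this hunk and the next now execute before any permission check; that is harmless only if none of that code reads or acts on `$socid`, which cannot be confirmed from this page. A comment at the old location, e.g. `// Security check is done below, once the canvas (if any) is loaded`, would stop a later edit from inserting record access above the check. Separately, `$socid` is taken straight from `$_GET` on the context line; that is pre-existing, but if the page only ever receives numeric ids a cast such as `$socid = isset($_GET["socid"])?(int) $_GET["socid"]:'';` narrows what reaches both `restrictedArea()` variants.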
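Review bot: In the canvas branch the permission check now depends on `getCanvas()` having loaded a control, yet the result of `$soccanvas->getCanvas('thirdparty','card',$canvas)` is discarded; if the requested `$canvas` does not resolve to a control, `$soccanvas->restrictedArea()` delegates to an unloaded object and the page dies with a fatal error rather than the normal forbidden response (whether `getCanvas()` can fail this way is not visible on this page). Falling back to the core check when no control is present keeps the branch fail-safe: `if (empty($soccanvas->control)) $result = restrictedArea($user, 'societe', $socid);` followed by `else $result = $soccanvas->restrictedArea($user, 'societe', $socid);` in place of the single assignment. The enclosing `if/else` is complete within the hunk, but the code that follows the closing brace is not.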
@@ -74,7 +82,6 @@ if (! empty($canvas))
 // -----------------------------------------
 // When used with CANVAS
 // -----------------------------------------
- $soccanvas->getCanvas('thirdparty','card',$canvas);
 // Load data control
 $soccanvas->doActions($socid);
diff --git a/htdocs/user/home.php b/htdocs/user/home.php
index 845d253a5bf..58e19e44072 100644
--- a/htdocs/user/home.php
+++ b/htdocs/user/home.php
@@ -61,7 +61,7 @@ print "
\n"; print ''; // Search Group -if ($user->rights->user->group->read) +if ($user->admin || $user->rights->user->group->read) { $var=false; print '
';
@@ -84,7 +84,8 @@ print '';
 $max=10;
 $sql = "SELECT u.rowid, u.name, u.firstname, u.admin, u.login, u.fk_societe, u.datec,";
-$sql.= " u.entity, u.ldap_sid, s.nom";
+$sql.= " u.entity, u.ldap_sid,";
+$sql.= " s.nom, s.canvas";
 $sql.= " FROM ".MAIN_DB_PREFIX."user as u";
 $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON u.fk_societe = s.rowid";
 $sql.= " WHERE u.entity IN (0,".$conf->entity.")";
@@ -106,7 +107,7 @@ if ($resql)
 $var=!$var;
 print "";
- print "rowid\">".img_object($langs->trans("ShowUser"),"user")." ".$obj->firstname." ".$obj->name."";
+ print ''.img_object($langs->trans("ShowUser"),"user").' '.$obj->firstname.' '.$obj->name.'';
 if ($conf->global->MAIN_MODULE_MULTICOMPANY && $obj->admin && ! $obj->entity)
 {
 print img_redstar($langs->trans("SuperAdministrator"));
@@ -116,11 +117,11 @@ if ($resql)
 print img_picto($langs->trans("Administrator"),'star');
 }
 print "";
- print "".$obj->login.'';
+ print ''.$obj->login.'';
 print "";
 if ($obj->fk_societe)
 {
- print ''.img_object($langs->trans("ShowCompany"),"company").' '.$obj->nom.'';
+ print ''.img_object($langs->trans("ShowCompany"),"company").' '.$obj->nom.'';
 }
 else if ($obj->ldap_sid)
 {
@@ -128,7 +129,7 @@ if ($resql)
 }
 else print $langs->trans("InternalUser");
 print '';
- print "".dol_print_date($db->jdate($obj->datec),'dayhour')."";
+ print ''.dol_print_date($db->jdate($obj->datec),'dayhour').'';
 print '';
 $i++;
 }
@@ -145,7 +146,7 @@ else
 /*
 * Derniers groupes crees
 */
-if ($user->rights->user->group->read)
+if ($user->admin || $user->rights->user->group->read)
 {
 $max=5;
@@ -176,7 +177,7 @@ if ($user->rights->user->group->read)
 print img_picto($langs->trans("GlobalGroup"),'redstar');
 }
 print "";
- print "".dol_print_date($db->jdate($obj->datec)).""; 
+ print ''.dol_print_date($db->jdate($obj->datec)).'';
 print "";
 $i++;
 }
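Review bot: The rewritten `print` lines in the `@@ -106` hunk and the `@@ -116` hunk concatenate database-sourced values — `$obj->firstname`, `$obj->name`, `$obj->login`, `$obj->nom` — straight into the HTML output with no escaping; the surrounding markup appears stripped on this rendering, so the exact element context cannot be confirmed, but the values clearly land between quoted HTML fragments. The replaced lines did the same, yet since they are being rewritten anyway this is the moment to wrap each value, e.g. `htmlspecialchars($obj->login)` or the project's own HTML-escaping helper if one exists at this version, so a name or login stored with markup cannot render as script on the admin's home page. The `$user->admin ||` widening in the `@@ -61` and `@@ -145` hunks is consistent with itself and needs no change. Each of these hunks sits inside the page's result loop, whose start and end are outside the hunks.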