Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Fix missing check on object entity

Browse Source
This commit is contained in:
Laurent Destailleur
2018-01-16 19:52:14 +01:00
parent 4c8af0ff50
commit 94b1d59f2b
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
htdocs/core/lib/security.lib.php
View File

@@ -382,7 +382,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh
$checkother = array('contact','agenda'); // Test on entity and link to third party. Allowed if link is empty (Ex: contacts...). $checkother = array('contact','agenda'); // Test on entity and link to third party. Allowed if link is empty (Ex: contacts...).
$checkproject = array('projet','project'); // Test for project object $checkproject = array('projet','project'); // Test for project object
$checktask = array('projet_task'); $checktask = array('projet_task');
$nocheck = array('barcode','stock','fournisseur'); // No test $nocheck = array('barcode','stock'); // No test
$checkdefault = 'all other not already defined'; // Test on entity and link to third party. Not allowed if link is empty (Ex: invoice, orders...). $checkdefault = 'all other not already defined'; // Test on entity and link to third party. Not allowed if link is empty (Ex: invoice, orders...).
// If dbtablename not defined, we use same name for table than module name // If dbtablename not defined, we use same name for table than module name
@@ -502,7 +502,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh
$sql.= " AND dbt.entity IN (".getEntity($sharedelement, 1).")"; $sql.= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
} }
} }
else if (! in_array($feature,$nocheck)) // By default we check with link to third party else if (! in_array($feature,$nocheck)) // By default (case of $checkdefault), we check on object entity + link to third party on field $dbt_keyfield
{ {
// If external user: Check permission for external users // If external user: Check permission for external users
if ($user->societe_id > 0) if ($user->societe_id > 0)
@@ -524,7 +524,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh
$sql.= " WHERE dbt.".$dbt_select." = ".$objectid; $sql.= " WHERE dbt.".$dbt_select." = ".$objectid;
$sql.= " AND sc.fk_soc = dbt.".$dbt_keyfield; $sql.= " AND sc.fk_soc = dbt.".$dbt_keyfield;
$sql.= " AND dbt.".$dbt_keyfield." = s.rowid"; $sql.= " AND dbt.".$dbt_keyfield." = s.rowid";
$sql.= " AND s.entity IN (".getEntity($sharedelement, 1).")"; $sql.= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
$sql.= " AND sc.fk_user = ".$user->id; $sql.= " AND sc.fk_user = ".$user->id;
} }
// If multicompany and internal users with all permissions, check user is in correct entity // If multicompany and internal users with all permissions, check user is in correct entity