
add missing rule

This commit is contained in:
Frédéric FRANCE
2021-03-01 20:37:16 +01:00
parent c5dac4854a
commit a4e25359e7
225 changed files with 1968 additions and 1202 deletions


@@ -207,10 +207,13 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
$features = 'adherent';
}
if ($features == 'subscription') {
$features = 'adherent'; $feature2 = 'cotisation';
$features = 'adherent';
$feature2 = 'cotisation';
};
if ($features == 'websitepage') {
$features = 'website'; $tableandshare = 'website_page'; $parentfortableentity = 'fk_website@website';
$features = 'website';
$tableandshare = 'website_page';
$parentfortableentity = 'fk_website@website';
}
if ($features == 'project') {
$features = 'projet';
@@ -252,48 +255,58 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
$listofmodules = explode(',', $conf->global->MAIN_MODULES_FOR_EXTERNAL);
// Check read permission from module
$readok = 1; $nbko = 0;
$readok = 1;
$nbko = 0;
foreach ($featuresarray as $feature) { // first we check nb of test ko
$featureforlistofmodule = $feature;
if ($featureforlistofmodule == 'produit') {
$featureforlistofmodule = 'product';
}
if (!empty($user->socid) && !empty($conf->global->MAIN_MODULES_FOR_EXTERNAL) && !in_array($featureforlistofmodule, $listofmodules)) { // If limits on modules for external users, module must be into list of modules for external users
$readok = 0; $nbko++;
$readok = 0;
$nbko++;
continue;
}
if ($feature == 'societe') {
if (!$user->rights->societe->lire && !$user->rights->fournisseur->lire) {
$readok = 0; $nbko++;
$readok = 0;
$nbko++;
}
} elseif ($feature == 'contact') {
if (!$user->rights->societe->contact->lire) {
$readok = 0; $nbko++;
$readok = 0;
$nbko++;
}
} elseif ($feature == 'produit|service') {
if (!$user->rights->produit->lire && !$user->rights->service->lire) {
$readok = 0; $nbko++;
$readok = 0;
$nbko++;
}
} elseif ($feature == 'prelevement') {
if (!$user->rights->prelevement->bons->lire) {
$readok = 0; $nbko++;
$readok = 0;
$nbko++;
}
} elseif ($feature == 'cheque') {
if (!$user->rights->banque->cheque) {
$readok = 0; $nbko++;
$readok = 0;
$nbko++;
}
} elseif ($feature == 'projet') {
if (!$user->rights->projet->lire && !$user->rights->projet->all->lire) {
$readok = 0; $nbko++;
$readok = 0;
$nbko++;
}
} elseif ($feature == 'payment') {
if (!$user->rights->facture->lire) {
$readok = 0; $nbko++;
$readok = 0;
$nbko++;
}
} elseif ($feature == 'payment_supplier') {
if (!$user->rights->fournisseur->facture->lire) {
$readok = 0; $nbko++;
$readok = 0;
$nbko++;
}
} elseif (!empty($feature2)) { // This is for permissions on 2 levels
$tmpreadok = 1;
@@ -306,7 +319,8 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
} elseif (empty($subfeature) && empty($user->rights->$feature->lire) && empty($user->rights->$feature->read)) {
$tmpreadok = 0;
} else {
$tmpreadok = 1; break;
$tmpreadok = 1;
break;
} // Break is to bypass second test if the first is ok
}
if (!$tmpreadok) { // We found a test on feature that is ko
@@ -317,7 +331,8 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
if (empty($user->rights->$feature->lire)
&& empty($user->rights->$feature->read)
&& empty($user->rights->$feature->run)) {
$readok = 0; $nbko++;
$readok = 0;
$nbko++;
}
}
}
@@ -333,7 +348,8 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
//print "Read access is ok";
// Check write permission from module (we need to know write permission to create but also to delete drafts record or to upload files)
$createok = 1; $nbko = 0;
$createok = 1;
$nbko = 0;
$wemustcheckpermissionforcreate = (GETPOST('sendit', 'alpha') || GETPOST('linkit', 'alpha') || GETPOST('action', 'aZ09') == 'create' || GETPOST('action', 'aZ09') == 'update');
$wemustcheckpermissionfordeletedraft = ((GETPOST("action", "aZ09") == 'confirm_delete' && GETPOST("confirm", "aZ09") == 'yes') || GETPOST("action", "aZ09") == 'delete');
@@ -341,35 +357,43 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
foreach ($featuresarray as $feature) {
if ($feature == 'contact') {
if (!$user->rights->societe->contact->creer) {
$createok = 0; $nbko++;
$createok = 0;
$nbko++;
}
} elseif ($feature == 'produit|service') {
if (!$user->rights->produit->creer && !$user->rights->service->creer) {
$createok = 0; $nbko++;
$createok = 0;
$nbko++;
}
} elseif ($feature == 'prelevement') {
if (!$user->rights->prelevement->bons->creer) {
$createok = 0; $nbko++;
$createok = 0;
$nbko++;
}
} elseif ($feature == 'commande_fournisseur') {
if (!$user->rights->fournisseur->commande->creer) {
$createok = 0; $nbko++;
$createok = 0;
$nbko++;
}
} elseif ($feature == 'banque') {
if (!$user->rights->banque->modifier) {
$createok = 0; $nbko++;
$createok = 0;
$nbko++;
}
} elseif ($feature == 'cheque') {
if (!$user->rights->banque->cheque) {
$createok = 0; $nbko++;
$createok = 0;
$nbko++;
}
} elseif ($feature == 'import') {
if (!$user->rights->import->run) {
$createok = 0; $nbko++;
$createok = 0;
$nbko++;
}
} elseif ($feature == 'ecm') {
if (!$user->rights->ecm->upload) {
$createok = 0; $nbko++;
$createok = 0;
$nbko++;
}
} elseif (!empty($feature2)) { // This is for permissions on one level
foreach ($feature2 as $subfeature) {
@@ -427,7 +451,8 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
}
// Check delete permission from module
$deleteok = 1; $nbko = 0;
$deleteok = 1;
$nbko = 0;
if ((GETPOST("action", "aZ09") == 'confirm_delete' && GETPOST("confirm", "aZ09") == 'yes') || GETPOST("action", "aZ09") == 'delete') {
foreach ($featuresarray as $feature) {
if ($feature == 'contact') {
@@ -471,7 +496,8 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
if (empty($user->rights->$feature->$subfeature->supprimer) && empty($user->rights->$feature->$subfeature->delete)) {
$deleteok = 0;
} else {
$deleteok = 1; break;
$deleteok = 1;
break;
} // For bypass the second test if the first is ok
}
} elseif (!empty($feature)) { // This is used for permissions on 1 level
@@ -622,22 +648,23 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
$sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
$sql .= " AND dbt.fk_soc = ".$user->socid;
} // If internal user: Check permission for internal users that are restricted on their objects
elseif (!empty($conf->societe->enabled) && ($user->rights->societe->lire && !$user->rights->societe->client->voir)) {
} elseif (!empty($conf->societe->enabled) && ($user->rights->societe->lire && !$user->rights->societe->client->voir)) {
// If internal user: Check permission for internal users that are restricted on their objects
$sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON dbt.fk_soc = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
$sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
$sql .= " AND (dbt.fk_soc IS NULL OR sc.fk_soc IS NOT NULL)"; // Contact not linked to a company or to a company of user
$sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
} // If multicompany and internal users with all permissions, check user is in correct entity
elseif (!empty($conf->multicompany->enabled)) {
} elseif (!empty($conf->multicompany->enabled)) {
// If multicompany and internal users with all permissions, check user is in correct entity
$sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
$sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
$sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
}
if ($feature == 'agenda') {// Also check owner or attendee for users without allactions->read
if ($feature == 'agenda') {
// Also check owner or attendee for users without allactions->read
if ($objectid > 0 && empty($user->rights->agenda->allactions->read)) {
require_once DOL_DOCUMENT_ROOT.'/comm/action/class/actioncomm.class.php';
$action = new ActionComm($db);
@@ -712,8 +739,8 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
$sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
$sql .= " AND (sc.fk_user = ".$user->id." OR sc.fk_user IS NULL)";
}
} // If multicompany and internal users with all permissions, check user is in correct entity
elseif (!empty($conf->multicompany->enabled)) {
} elseif (!empty($conf->multicompany->enabled)) {
// If multicompany and internal users with all permissions, check user is in correct entity
$sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
$sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";