
Enhance the protection on missing permissions

This commit is contained in:
Laurent Destailleur
2024-09-06 15:49:57 +02:00
parent b1b1491299
commit b02a891f2f
4 changed files with 11 additions and 5 deletions


@@ -152,7 +152,6 @@ $listofchoices = array(
* Actions * Actions
*/ */
//$parameters = array('socid' => $id); //$parameters = array('socid' => $id);
//$reshook = $hookmanager->executeHooks('doActions', $parameters, $object); // Note that $object may have been modified by some hooks //$reshook = $hookmanager->executeHooks('doActions', $parameters, $object); // Note that $object may have been modified by some hooks
//if ($reshook < 0) setEventMessages($hookmanager->error, $hookmanager->errors, 'errors'); //if ($reshook < 0) setEventMessages($hookmanager->error, $hookmanager->errors, 'errors');
@@ -162,7 +161,7 @@ $filesarray = array();
'@phan-var-force array<string,array{id:string,entity:string,date:string,date_due:string,paid:float|int,amount_ht:float|int,amount_ttc:float|int,amount_vat:float|int,amount_localtax1:float|int,amount_localtax2:float|int,amount_revenuestamp:float|int,ref:string,fk:string,item:string,thirdparty_name:string,thirdparty_code:string,country_code:string,vatnum:string,sens:string,currency:string,line?:string,name?:string,files?:mixed}> $filesarray'; '@phan-var-force array<string,array{id:string,entity:string,date:string,date_due:string,paid:float|int,amount_ht:float|int,amount_ttc:float|int,amount_vat:float|int,amount_localtax1:float|int,amount_localtax2:float|int,amount_revenuestamp:float|int,ref:string,fk:string,item:string,thirdparty_name:string,thirdparty_code:string,country_code:string,vatnum:string,sens:string,currency:string,line?:string,name?:string,files?:mixed}> $filesarray';
$result = false; $result = false;
if (($action == 'searchfiles' || $action == 'dl')) { if ($action == 'searchfiles' || $action == 'dl') { // Test on pemrission not required here. Test is done per object type later.
if (empty($date_start)) { if (empty($date_start)) {
setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("DateStart")), null, 'errors'); setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("DateStart")), null, 'errors');
$error++; $error++;
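Review bot: The new comment on the `searchfiles`/`dl` condition misspells "permission" and, more importantly, it defers the whole authorization claim to code outside this hunk. Since `dl` ends in a file being served, a reader needs to know that the per-object-type test gates the file read itself, not only the search listing; the lines that do that are not visible here, so the comment should point at them. Suggest `// Test on permission not required here: a per-object-type permission test is applied below before any file is listed or downloaded.` The enclosing action block continues past the end of this hunk.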


@@ -87,6 +87,13 @@ if (preg_match('/stat[u][st]$/', $field) || ($field == 'evenunsubscribe' && $obj
} }
/*
* Actions
*/
// None
/* /*
* View * View
*/ */
@@ -96,7 +103,7 @@ top_httphead();
print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n"; print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Registering new values // Registering new values
if (($action == 'set') && !empty($id)) { if (($action == 'set') && !empty($id)) { // Test on permission already done in header according to object and field.
$triggerkey = strtoupper(($module != $element ? $module.'_' : '').$element).'_UPDATE'; $triggerkey = strtoupper(($module != $element ? $module.'_' : '').$element).'_UPDATE';
// Special case // Special case
if ($triggerkey == 'SOCIETE_UPDATE') { if ($triggerkey == 'SOCIETE_UPDATE') {
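Review bot: The added `Actions` header says `// None`, yet the `if (($action == 'set') && !empty($id))` block a few lines below, placed under the `View` header after `top_httphead()`, is exactly an action: it builds an `_UPDATE` trigger key and (judging from the context) writes a value. That mismatch will mislead the next reader who relies on the section headers to find where state changes happen. Either move the `set` handling above the `View` header or replace the placeholder with `// None here: the 'set' handler below (after top_httphead) performs the update.` The new comment asserts the permission test lives in the header; that header is outside this hunk, so I could not confirm which permission is checked or that it covers every `$module`/`$element` pair reaching the trigger.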


@@ -189,7 +189,7 @@ if (empty($reshook)) {
} }
if (($action == 'add' || ($action == 'update' && $object->status < Ticket::STATUS_CLOSED)) && $permissiontoadd) { if (($action == 'add' || ($action == 'update' && $object->status < Ticket::STATUS_CLOSED)) && $permissiontoadd) {
$ifErrorAction = ($action == 'add' ? 'create' : 'edit'); $ifErrorAction = ($action == 'add' ? 'create' : 'edit'); // Test on permission not required here
if ($action == 'add') { // Test on permission already done if ($action == 'add') { // Test on permission already done
$object->track_id = null; $object->track_id = null;
} }
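Review bot: The comment added to the `$ifErrorAction = ($action == 'add' ? 'create' : 'edit');` line annotates an assignment, not a permission test, so on its own it reads as orphaned; the enclosing `if` on the previous line already requires `$permissiontoadd`. It appears to exist only to silence the coding test whose regex now matches `if` inside the identifier `$ifErrorAction` (see the CodingPhpTest change in this commit); fixing the regex would let this line stay as it was. If the comment is kept, make the reason explicit: `// Not an action test: permission ($permissiontoadd) is checked by the enclosing if.` The enclosing `if` block ends outside this hunk.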


@@ -662,7 +662,7 @@ class CodingPhpTest extends CommonClassTest
$filecontentaction = $filecontent; $filecontentaction = $filecontent;
} }
preg_match_all('/if\s*\(\s*\$action\s*==\s*[\'"][a-z]+[\'"].*/', $filecontentaction, $matches, PREG_SET_ORDER); preg_match_all('/if.*\(\s*\$action\s*==\s*[\'"][a-z]+[\'"].*/', $filecontentaction, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) { foreach ($matches as $key => $val) {
if (!preg_match('/\$user->hasR/', $val[0]) if (!preg_match('/\$user->hasR/', $val[0])
&& !preg_match('/\$permission/', $val[0]) && !preg_match('/\$permission/', $val[0])
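Review bot: Replacing `if\s*\(` with `if.*\(` makes the pattern match the two letters `if` anywhere on the line, including inside identifiers such as `$ifErrorAction`, which is why the ticket card in this same commit needed a suppression comment on an assignment that tests no permission at all. A word-anchored form keeps the intended broadening (conditions with extra terms before `$action`) without the false positives: `preg_match_all('/\b(?:else)?if\b.*\(\s*\$action\s*==\s*[\'"][a-z]+[\'"].*/', $filecontentaction, $matches, PREG_SET_ORDER);`. This still matches `elseif (`, which the old pattern also caught. The method continues beyond the hunk, so I could not see how the exemption comments added elsewhere in this commit are recognised; if that exemption is substring-based it should be anchored too.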