From b327b5fb9dfffae60a70a6da8781136eac06089d Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Wed, 13 May 2015 09:32:54 +0200
Subject: [PATCH] Save regressions
---
 htdocs/core/lib/security.lib.php | 16 ++++++++--------
 htdocs/user/card.php | 2 +-
 htdocs/user/clicktodial.php | 2 +-
 htdocs/user/document.php | 2 +-
 htdocs/user/info.php | 2 +-
 htdocs/user/ldap.php | 2 +-
 htdocs/user/note.php | 2 +-
 htdocs/user/param_ihm.php | 2 +-
 htdocs/user/perms.php | 2 +-
 9 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 644e2702a74..0879fc814b7 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -102,21 +102,21 @@ function dol_hash($chain,$type=0)
 * @param User $user User to check
 * @param string $features Features to check (it must be module name. Examples: 'societe', 'contact', 'produit&service', 'produit|service', ...)
 * @param int $objectid Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
- * @param string $dbtablename 'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity. Not used if objectid is null (optional)
+ * @param string $tableandshare 'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity. Not used if objectid is null (optional)
 * @param string $feature2 Feature to check, second level of permission (optional). Can be or check with 'level1|level2'.
 * @param string $dbt_keyfield Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
 * @param string $dbt_select Field name for select if not rowid. Not used if objectid is null (optional)
 * @param Canvas $objcanvas Object canvas
 * @return int Always 1, die process if not allowed
 */
-function restrictedArea($user, $features, $objectid=0, $dbtablename='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid', $objcanvas=null)
+function restrictedArea($user, $features, $objectid=0, $tableandshare='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid', $objcanvas=null)
 {
 global $db, $conf;
 //dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename,$feature2,$dbt_socfield,$dbt_select");
 //print "user_id=".$user->id.", features=".$features.", feature2=".$feature2.", objectid=".$objectid;
 //print ", dbtablename=".$dbtablename.", dbt_socfield=".$dbt_keyfield.", dbt_select=".$dbt_select;
- //print ", perm: ".$features."->".$feature2."=".$user->rights->$features->$feature2->lire."
";
+ //print ", perm: ".$features."->".$feature2."=".($user->rights->$features->$feature2->lire)."
";
 // If we use canvas, we try to use function that overlod restrictarea if provided with canvas
 if (is_object($objcanvas))
@@ -135,7 +135,7 @@ function restrictedArea($user, $features, $objectid=0, $dbtablename='', $feature
 if (! empty($feature2)) $feature2 = explode("|", $feature2);
 // More parameters
- $params = explode('&', $dbtablename);
+ $params = explode('&', $tableandshare);
 $dbtablename=(! empty($params[0]) ? $params[0] : '');
 $sharedelement=(! empty($params[1]) ? $params[1] : $dbtablename);
@@ -331,7 +331,7 @@ function restrictedArea($user, $features, $objectid=0, $dbtablename='', $feature
 // is linked to a company allowed to $user.
 if (! empty($objectid) && $objectid > 0)
 {
- $ok = checkUserAccessToObject($user, $featuresarray,$objectid,$dbtablename,$feature2,$dbt_keyfield,$dbt_select);
+ $ok = checkUserAccessToObject($user, $featuresarray, $objectid, $tableandshare, $feature2, $dbt_keyfield, $dbt_select);
 return $ok ? 1 : accessforbidden();
 }
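Review bot: The commented-out trace three lines above the changed `//print` line still reads `//dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename,$feature2,$dbt_socfield,$dbt_select");`, and after this rename neither `$feature` nor `$dbt_socfield` is a parameter of restrictedArea and `$dbtablename` is no longer one either (it becomes a local further down), so the dead debug lines now describe a signature that does not exist. Either delete the four commented-out syslog/print lines or update the first to the real names: `//dol_syslog("functions.lib:restrictedArea $features, $objectid, $tableandshare, $feature2, $dbt_keyfield, $dbt_select");`. The @param text for `$tableandshare` would also benefit from stating what an empty TableName before the `&` means once parsed, since the pre-fix `'&user'` call form produced exactly that input. restrictedArea's body continues past this hunk.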
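Review bot: `$dbtablename=(! empty($params[0]) ? $params[0] : '')` still yields an empty table name for the pre-fix `'&user'` argument form, and the -331 hunk shows that value is forwarded to checkUserAccessToObject whenever `$objectid > 0`; this commit only updates the htdocs/user pages, so any other caller still passing a `'&...'` string would presumably keep whatever degraded behaviour the commit title calls a regression. What the callee does with an empty table name is outside the hunk, so the access decision should at least not depend on it unnoticed: after the parse add `if (! empty($objectid) && $objectid > 0 && empty($dbtablename)) dol_syslog("restrictedArea: objectid given but tableandshare has no table name", LOG_WARNING);`, or call `accessforbidden()` there instead if an empty table with a non-zero objectid is never legitimate. The same three parsing lines are duplicated verbatim in checkUserAccessToObject at @@ -344, so a small shared helper returning the `[$dbtablename, $sharedelement]` pair would keep the two functions in step.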
@@ -344,19 +344,19 @@ function restrictedArea($user, $features, $objectid=0, $dbtablename='', $feature
 * @param User $user User to check
 * @param array $featuresarray Features/modules to check
 * @param int $objectid Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
- * @param string $dbtablename 'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity. Not used if objectid is null (optional)
+ * @param string $tableandshare 'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity. Not used if objectid is null (optional)
 * @param string $feature2 Feature to check, second level of permission (optional). Can be or check with 'level1|level2'.
 * @param string $dbt_keyfield Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
 * @param string $dbt_select Field name for select if not rowid. Not used if objectid is null (optional)
 *
 * @return bool True if user has access, False otherwise
 */
-function checkUserAccessToObject($user, $featuresarray, $objectid=0, $dbtablename='', $feature2='', $dbt_keyfield='', $dbt_select='')
+function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandshare='', $feature2='', $dbt_keyfield='', $dbt_select='')
 {
 global $db, $conf;
 // More parameters
- $params = explode('&', $dbtablename);
+ $params = explode('&', $tableandshare);
 $dbtablename=(! empty($params[0]) ? $params[0] : '');
 $sharedelement=(! empty($params[1]) ? $params[1] : $dbtablename);
diff --git a/htdocs/user/card.php b/htdocs/user/card.php
index 1cbeb6e653d..7ad0f048a69 100644
--- a/htdocs/user/card.php
+++ b/htdocs/user/card.php
@@ -75,7 +75,7 @@ if ($user->societe_id > 0) $socid = $user->societe_id;
 $feature2='user';
 if ($user->id == $id) { $feature2=''; $canreaduser=1; } // A user can always read its own card
 if (!$canreaduser) {
- $result = restrictedArea($user, 'user', $id, '&user', $feature2);
+ $result = restrictedArea($user, 'user', $id, 'user&user', $feature2);
 }
 if ($user->id <> $id && ! $canreaduser) accessforbidden();
diff --git a/htdocs/user/clicktodial.php b/htdocs/user/clicktodial.php
index 93d6587ef1e..7aaaebbac3e 100644
--- a/htdocs/user/clicktodial.php
+++ b/htdocs/user/clicktodial.php
@@ -39,7 +39,7 @@ if ($user->id == $id) // A user can always read its own card
 {
 $feature2='';
 }
-$result = restrictedArea($user, 'user', $id, '&user', $feature2);
+$result = restrictedArea($user, 'user', $id, 'user&user', $feature2);
 /*
diff --git a/htdocs/user/document.php b/htdocs/user/document.php
index 2659b9427c8..fc09667f6ed 100644
--- a/htdocs/user/document.php
+++ b/htdocs/user/document.php
@@ -68,7 +68,7 @@ if ($user->societe_id > 0) $socid = $user->societe_id;
 $feature2='user';
 if ($user->id == $id) { $feature2=''; $canreaduser=1; } // A user can always read its own card
 if (!$canreaduser) {
- $result = restrictedArea($user, 'user', $id, '&user', $feature2);
+ $result = restrictedArea($user, 'user', $id, 'user&user', $feature2);
 }
 if ($user->id <> $id && ! $canreaduser) accessforbidden();
diff --git a/htdocs/user/info.php b/htdocs/user/info.php
index fd74a0ca95d..454ac080cbc 100644
--- a/htdocs/user/info.php
+++ b/htdocs/user/info.php
@@ -42,7 +42,7 @@ if ($user->id == $id) // A user can always read its own card
 {
 $feature2='';
 }
-$result = restrictedArea($user, 'user', $id, '&user', $feature2);
+$result = restrictedArea($user, 'user', $id, 'user&user', $feature2);
 // If user is not user read and no permission to read other users, we stop
 if (($fuser->id != $user->id) && (! $user->rights->user->user->lire))
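Review bot: `'user&user'` is an encoded 'TableName&SharedElement' pair that is now written out by hand at eight call sites (this one plus clicktodial.php, document.php, info.php, ldap.php, note.php, param_ihm.php and perms.php), and nothing at the call site says which half is which; the same remark applies to the other seven hunks. A typo that drops the first half reverts to the `'&user'` form this commit replaces, and restrictedArea's `explode('&', ...)` accepts that silently, so a one-line comment at each site would help the next editor: `// 'TableName&SharedElement' as parsed by restrictedArea(); the old '&user' form left the table name empty`. `$result` is assigned but never read here, which matches restrictedArea's documented contract (always 1, dies otherwise), so dropping the assignment would make the call's purpose clearer.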
diff --git a/htdocs/user/ldap.php b/htdocs/user/ldap.php
index 87a0dec31e2..6ef0b4db688 100644
--- a/htdocs/user/ldap.php
+++ b/htdocs/user/ldap.php
@@ -39,7 +39,7 @@ $socid=0;
 if ($user->societe_id > 0) $socid = $user->societe_id;
 $feature2 = (($socid && $user->rights->user->self->creer)?'':'user');
 if ($user->id == $id) $feature2=''; // A user can always read its own card
-$result = restrictedArea($user, 'user', $id, '&user', $feature2);
+$result = restrictedArea($user, 'user', $id, 'user&user', $feature2);
 $fuser = new User($db);
 $fuser->fetch($id);
diff --git a/htdocs/user/note.php b/htdocs/user/note.php
index 2a992aa3212..7fb4ae06ed6 100644
--- a/htdocs/user/note.php
+++ b/htdocs/user/note.php
@@ -46,7 +46,7 @@ $socid=0;
 if ($user->societe_id > 0) $socid = $user->societe_id;
 $feature2 = (($socid && $user->rights->user->self->creer)?'':'user');
 if ($user->id == $id) $feature2=''; // A user can always read its own card
-$result = restrictedArea($user, 'user', $id, '&user', $feature2);
+$result = restrictedArea($user, 'user', $id, 'user&user', $feature2);
diff --git a/htdocs/user/param_ihm.php b/htdocs/user/param_ihm.php
index 77e03728af6..e749f2891fb 100644
--- a/htdocs/user/param_ihm.php
+++ b/htdocs/user/param_ihm.php
@@ -55,7 +55,7 @@ if ($user->id == $id) // A user can always read its own card
 $feature2='';
 $canreaduser=1;
 }
-$result = restrictedArea($user, 'user', $id, '&user', $feature2);
+$result = restrictedArea($user, 'user', $id, 'user&user', $feature2);
 if ($user->id <> $id && ! $canreaduser) accessforbidden();
 $dirtop = "../core/menus/standard";
diff --git a/htdocs/user/perms.php b/htdocs/user/perms.php
index a01b5ffa7ab..a1c7fbff5ea 100644
--- a/htdocs/user/perms.php
+++ b/htdocs/user/perms.php
@@ -64,7 +64,7 @@ if ($user->id == $id && (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || $user-
 $canreaduser=1;
 }
-$result = restrictedArea($user, 'user', $id, '&user', $feature2);
+$result = restrictedArea($user, 'user', $id, 'user&user', $feature2);
 if ($user->id <> $id && ! $canreaduser) accessforbidden();