
Fix missing tests on permissions

This commit is contained in:
Laurent Destailleur
2024-09-03 15:22:50 +02:00
parent e7c0913b1f
commit c79f72f785
20 changed files with 116 additions and 102 deletions


@@ -497,9 +497,7 @@ if ($id > 0) {
$formconfirm = $hookmanager->resPrint;
}
/*
* View card
*/
print dol_get_fiche_head($head, 'card', $langs->trans("SocialContribution"), -1, 'bill', 0, '', '', 0, '', 1);
// Print form confirm


@@ -409,7 +409,7 @@ if (empty($reshook)) {
$uploaddir = $conf->societe->dir_output;
include DOL_DOCUMENT_ROOT.'/core/actions_massactions.inc.php';
if ($action == 'setstcomm') {
if ($action == 'setstcomm' && $permissiontoadd) {
$object = new Contact($db);
$result = $object->fetch(GETPOST('stcommcontactid'));
$object->stcomm_id = dol_getIdFromCode($db, GETPOST('stcomm', 'alpha'), 'c_stcommcontact');
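Review bot: `$object->fetch(GETPOST('stcommcontactid'))` on the third line of the hunk hands an unfiltered request parameter to fetch() where a numeric id is expected; `$result = $object->fetch(GETPOSTINT('stcommcontactid'));` applies the same integer filtering the rest of this commit relies on (GETPOSTINT is used in the supplier order card hunks). Whether `$result` is checked before `$object->stcomm_id` is assigned is outside the hunk. `$permissiontoadd` is also defined outside the hunk, so the new guard is only as strong as that assignment, presumably the contact write right.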


@@ -53,7 +53,7 @@ $listofreminderids = GETPOST('listofreminderids', 'aZ09');
* Actions
*/
if ($action == 'stopreminder') {
if ($action == 'stopreminder') { // Test on permission not required here. Endpoint can be called
dol_syslog("Clear notification for listofreminderids=".$listofreminderids);
$listofreminderid = GETPOST('listofreminderids', 'intcomma');
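Review bot: The new comment on the `stopreminder` line stops mid-sentence (`Endpoint can be called`), so the reason the permission test is waived is not actually recorded; finish it with who may call the endpoint and why that is safe, for example `// Test on permission not required here: endpoint is called by the logged-in user for their own reminders` if that is the intent. The action clears reminders for ids taken from the request, so unless the code below the hunk restricts those ids to reminders owned by `$user`, the waiver lets any authenticated user clear other users' reminders; the comment should point at that ownership check. The body of the action continues outside the hunk.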


@@ -59,23 +59,28 @@ if (empty($user->admin)) {
/*
* View
* Actions
*/
top_httphead();
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Registering the new value of constant
if (!empty($action) && !empty($name)) {
if ($action == 'set') {
if ($action == 'set') { // Test on permission not required here. Already done into test on user->admin in header.
dolibarr_set_const($db, $name, $value, 'chaine', 0, '', $entity);
} elseif ($action == 'del') {
} elseif ($action == 'del') { // Test on permission not required here. Already done into test on user->admin in header.
dolibarr_del_const($db, $name, $entity);
if ($entity == 1) { // Sometimes the param was saved in both entity 0 and 1. When we work on master entity, we should clean also if entity is 0
dolibarr_del_const($db, $name, 0);
}
}
} else {
http_response_code(403);
httponly_accessforbidden('Param action and name is required', 403);
}
/*
* View
*/
top_httphead();
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
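Review bot: An action that is neither `set` nor `del` falls through the inner if/elseif with no response at all, so an unknown action returns 200 with an empty body while the missing-parameter case correctly gets 403; add a final `} else { httponly_accessforbidden('Unknown action', 400); }` inside the `!empty($action) && !empty($name)` branch. If `http_response_code(403);` is kept on the new side next to `httponly_accessforbidden('Param action and name is required', 403);`, the first call is redundant because the helper already receives the status code. The added comments on the `set` and `del` lines are accurate: the hunk header shows the `empty($user->admin)` guard above, which is the check they refer to.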


@@ -98,7 +98,11 @@ $hookmanager->initHooks(array('ecmmediascard', 'globalcard'));
$result = restrictedArea($user, 'ecm', 0);
$permissiontoread = ($user->hasRight('ecm', 'read') || $user->hasRight('mailing', 'lire') || $user->hasRight('website', 'read'));
$permissiontouploadfile = ($user->hasRight('ecm', 'setup') || $user->hasRight('mailing', 'creer') || $user->hasRight('website', 'write'));
$permissiontoadd = $permissiontouploadfile; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles
$diroutput = $conf->medias->multidir_output[$conf->entity];
$relativepath = $section_dir;
@@ -106,7 +110,7 @@ $upload_dir = preg_replace('/\/$/', '', $diroutput).'/'.preg_replace('/^\//', ''
$websitekey = '';
$permissiontoadd = $permissiontouploadfile; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles
/*
* Actions
@@ -124,7 +128,7 @@ include DOL_DOCUMENT_ROOT.'/core/actions_linkedfiles.inc.php'; // This manage 's
$backtopage = $savbacktopage;
if ($action == 'renamefile') { // Must be after include DOL_DOCUMENT_ROOT.'/core/actions_linkedfiles.inc.php'; If action were renamefile, we set it to 'file_manager'
if ($action == 'renamefile') { // Test on permission not required here. Must be after include DOL_DOCUMENT_ROOT.'/core/actions_linkedfiles.inc.php'; If action were renamefile, we set it to 'file_manager'
$action = 'file_manager';
}
@@ -148,7 +152,7 @@ if ($action == 'add' && $permissiontouploadfile) {
}
// Remove directory
if ($action == 'confirm_deletesection' && GETPOST('confirm', 'alpha') == 'yes') {
if ($action == 'confirm_deletesection' && GETPOST('confirm', 'alpha') == 'yes' && $permissiontoadd) {
$result = $ecmdir->delete($user);
setEventMessages($langs->trans("ECMSectionWasRemoved", $ecmdir->label), null, 'mesgs');
@@ -158,7 +162,7 @@ if ($action == 'confirm_deletesection' && GETPOST('confirm', 'alpha') == 'yes')
// Refresh directory view
// This refresh list of dirs, not list of files (for performance reason). List of files is refresh only if dir was not synchronized.
// To refresh content of dir with cache, just open the dir in edit mode.
if ($action == 'refreshmanual') {
if ($action == 'refreshmanual' && $permissiontoread) {
$ecmdirtmp = new EcmDirectory($db);
// This part of code is same than into file ecm/ajax/ecmdatabase.php TODO Remove duplicate
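Review bot: In the `confirm_deletesection` hunk, `setEventMessages($langs->trans("ECMSectionWasRemoved", $ecmdir->label), null, 'mesgs');` is emitted right after `$result = $ecmdir->delete($user);` without looking at `$result`, so a failed delete reports success unless a check follows outside the hunk; guard it with `if ($result > 0) { ... } else { setEventMessages($ecmdir->error, $ecmdir->errors, 'errors'); }`. Directory removal is gated on `$permissiontoadd`, which the first hunk defines as an alias of `$permissiontouploadfile`; if the module declares a separate delete right it would be the more precise gate, otherwise a short comment stating that upload permission implies delete here would help the next reader. The `refreshmanual` guard on `$permissiontoread` is consistent with that action only reading the directory.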


@@ -65,13 +65,21 @@ if (!$result) {
httponly_accessforbidden('Not allowed by restrictArea (module='.$object->module.' table_element='.$object->table_element.')');
}
/*
* Action
*/
// None
/*
* View
*/
top_httphead('application/json');
if ($action == "existbarcode" && !empty($barcode)) {
if ($action == "existbarcode" && !empty($barcode) && $user->hasRight('stock', 'lire')) {
if (!empty($mode) && $mode == "lotserial") {
$sql = "SELECT ps.fk_entrepot, ps.fk_product, p.barcode, ps.reel, pb.batch";
$sql .= " FROM ".MAIN_DB_PREFIX."product_batch as pb";
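Review bot: When the new `$user->hasRight('stock', 'lire')` test fails, nothing is written after `top_httphead('application/json');`, so the AJAX caller receives a 200 with an empty body rather than a denial it can act on; the same applies to the `addnewlineproduct` hunk at the end of this commit, which adds `$user->hasRight('stock', 'creer')` with no `else`. The file already has an error-shaped response (`$response = array('status'=>'error','errorcode'=>'ActionError', ...)`), so a final `else` that sets a similar `$response` or calls `httponly_accessforbidden(...)` with 403 would make the denial explicit to the client. The SQL started on the last two lines continues outside the hunk, so whether `$barcode` is escaped there cannot be checked here.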


@@ -528,7 +528,7 @@ if (empty($reshook)) {
setEventMessages($object->error, $object->errors, 'errors');
}
// TODO add alternative status
//} elseif ($action == 'reopen' && (!empty($user->rights->expedition->creer) || !empty($user->rights->expedition->shipping_advance->validate)))
//} elseif ($action == 'reopen' && ($user->hasRight('expedition', 'creer') || $user->hasRight('expedition', 'shipping_advance', 'validate')))
//{
// $result = $object->setStatut(0);
// if ($result < 0)
@@ -544,15 +544,7 @@ if (empty($reshook)) {
if ($result < 0) {
setEventMessages($object->error, $object->errors, 'errors');
}
} elseif (($action == 'settracking_number'
|| $action == 'settracking_url'
|| $action == 'settrueWeight'
|| $action == 'settrueWidth'
|| $action == 'settrueHeight'
|| $action == 'settrueDepth'
|| $action == 'setshipping_method_id')
&& $user->hasRight('expedition', 'creer')
) {
} elseif (in_array($action, array('settracking_number', 'settracking_url', 'settrueWeight', 'settrueWidth', 'settrueHeight', 'settrueDepth', 'setshipping_method_id')) && $user->hasRight('expedition', 'creer')) {
// Action update
$error = 0;
@@ -589,7 +581,7 @@ if (empty($reshook)) {
}
$action = "";
} elseif ($action == 'classifybilled') {
} elseif ($action == 'classifybilled' && $permissiontoadd) {
$object->fetch($id);
$result = $object->setBilled();
if ($result >= 0) {
@@ -597,7 +589,7 @@ if (empty($reshook)) {
exit();
}
setEventMessages($object->error, $object->errors, 'errors');
} elseif ($action == 'classifyclosed') {
} elseif ($action == 'classifyclosed' && $permissiontoadd) {
$object->fetch($id);
$result = $object->setClosed();
if ($result >= 0) {
@@ -605,7 +597,7 @@ if (empty($reshook)) {
exit();
}
setEventMessages($object->error, $object->errors, 'errors');
} elseif ($action == 'deleteline' && !empty($line_id)) {
} elseif ($action == 'deleteline' && !empty($line_id) && $permissiontoadd) {
// delete a line
$object->fetch($id);
$lines = $object->lines;
@@ -640,7 +632,7 @@ if (empty($reshook)) {
} else {
setEventMessages($line->error, $line->errors, 'errors');
}
} elseif ($action == 'updateline' && $user->hasRight('expedition', 'creer') && GETPOST('save')) {
} elseif ($action == 'updateline' && $permissiontoadd && GETPOST('save')) {
// Update a line
// Clean parameters
$qty = 0;
@@ -876,7 +868,7 @@ if (empty($reshook)) {
header('Location: '.$_SERVER['PHP_SELF'].'?id='.$object->id); // To redisplay the form being edited
exit();
}
} elseif ($action == 'updateline' && $user->hasRight('expedition', 'creer') && GETPOST('cancel', 'alpha') == $langs->trans("Cancel")) {
} elseif ($action == 'updateline' && $permissiontoadd && GETPOST('cancel', 'alpha') == $langs->trans("Cancel")) {
header('Location: '.$_SERVER['PHP_SELF'].'?id='.$object->id); // To redisplay the form being edited
exit();
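Review bot: The new `in_array($action, array('settracking_number', ...))` line compares loosely; pass `true` as the third argument so the test stays strict like the `==` chain against string literals it replaces. Several guards in this section (`classifybilled`, `classifyclosed`, `deleteline`, both `updateline` branches) now rely on `$permissiontoadd`, which is defined outside the hunks; the `updateline` branches previously tested `$user->hasRight('expedition', 'creer')` directly, so the alias must resolve to that same right or the commit silently changes who can edit lines. `$object->fetch($id);` in the `classifybilled` and `classifyclosed` branches ignores its return value before `setBilled()`/`setClosed()` run; a `$result < 0` check there would match the error handling used elsewhere in the block.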
}


@@ -243,10 +243,10 @@ if ($action == 'unselectfield' && $user->hasRight('export', 'creer')) {
if (($action == 'downfield' || $action == 'upfield') && $user->hasRight('export', 'creer')) {
$pos = $array_selected[GETPOST("field")];
if ($action == 'downfield') {
if ($action == 'downfield') { // Test on permission already done
$newpos = $pos + 1;
}
if ($action == 'upfield') {
if ($action == 'upfield') { // Test on permission already done
$newpos = $pos - 1;
}
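Review bot: `$pos = $array_selected[GETPOST("field")];` at the top of the hunk indexes the array with a raw request value and no existence check, so an unknown or missing `field` raises an undefined-key warning and `$newpos` is computed from `null`; read it as `$field = GETPOST('field', 'alpha');` and skip the move with `if (!isset($array_selected[$field]))` before computing the new position. The two added `// Test on permission already done` comments are accurate, since the enclosing `if` tests `$user->hasRight('export', 'creer')`.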
// Recherche code avec qui switcher


@@ -1063,7 +1063,7 @@ if (empty($reshook)) {
}
// Force mandatory order method
if ($action == 'commande') { // Not a real action so no permission test
if ($action == 'commande') { // Test on permission not required here
$methodecommande = GETPOSTINT('methodecommande');
if ($cancel) {
@@ -1546,8 +1546,8 @@ if (empty($reshook)) {
}
}
if (getDolGlobalString('MAIN_DISABLE_CONTACTS_TAB') && $permissiontoadd) {
if ($action == 'addcontact') {
if (getDolGlobalString('MAIN_DISABLE_CONTACTS_TAB')) {
if ($action == 'addcontact' && $permissiontoadd) {
if ($object->id > 0) {
$contactid = (GETPOST('userid') ? GETPOST('userid') : GETPOST('contactid'));
$typeid = (GETPOST('typecontact') ? GETPOST('typecontact') : GETPOST('type'));
@@ -1565,10 +1565,10 @@ if (empty($reshook)) {
setEventMessages($object->error, $object->errors, 'errors');
}
}
} elseif ($action == 'swapstatut' && $object->id > 0) {
} elseif ($action == 'swapstatut' && $object->id > 0 && $permissiontoadd) {
// bascule du statut d'un contact
$result = $object->swapContactStatus(GETPOSTINT('ligne'));
} elseif ($action == 'deletecontact' && $object->id > 0) {
} elseif ($action == 'deletecontact' && $object->id > 0 && $permissiontoadd) {
// Efface un contact
$result = $object->delete_contact(GETPOSTINT("lineid"));
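Review bot: `$contactid = (GETPOST('userid') ? GETPOST('userid') : GETPOST('contactid'));` and the `$typeid` line below it in the `addcontact` hunk take ids straight from the request with no type filter, while the `swapstatut` and `deletecontact` lines in the same section use `GETPOSTINT(...)`; switching to `GETPOSTINT('userid')`, `GETPOSTINT('contactid')` and `GETPOSTINT('typecontact')`/`GETPOSTINT('type')` keeps the three branches consistent, assuming those parameters are numeric ids as their names suggest — verify against the form. The rewritten comment on the `commande` line, `// Test on permission not required here`, drops the reason the old comment gave; `// Test on permission not required here (not a real action)` keeps the justification next to the waiver. Moving `$permissiontoadd` from the outer `MAIN_DISABLE_CONTACTS_TAB` condition onto each branch is fine as long as no other branch in that block, outside the hunk, relied on the outer check.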


@@ -889,9 +889,8 @@ $invoicerectmp = new FactureFournisseurRec($db);
$now = dol_now();
$nowlasthour = dol_get_last_hour($now);
/*
* Create mode
*/
// Create mode
if ($action == 'create') {
print load_fiche_titre($langs->trans("CreateRepeatableInvoice"), '', 'bill');


@@ -68,12 +68,16 @@ if ($socid && $socid != $object->thirdparty->id) {
accessforbidden();
}
$permissiontoadd = ($user->hasRight("fournisseur", "facture", "creer") || $user->hasRight("supplier_invoice", "write"));
$permissiontovalidate = ((!getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && ($user->hasRight("fournisseur", "facture", "creer") || $user->hasRight("supplier_invoice", "write"))) || (getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && $user->hasRight("fournisseur", "supplier_invoice_advance", "validate")));
$permissiontodelete = ($user->hasRight("fournisseur", "facture", "supprimer") || $user->hasRight("supplier_invoice", "delete"));
/*
* Actions
*/
if ($action == 'setnote' && ($user->hasRight("fournisseur", "facture", "creer") || $user->hasRight("supplier_invoice", "creer"))) {
if ($action == 'setnote' && $permissiontoadd) {
$db->begin();
$object->fetch($id);
@@ -87,7 +91,7 @@ if ($action == 'setnote' && ($user->hasRight("fournisseur", "facture", "creer")
}
}
if ($action == 'confirm_delete' && $confirm == 'yes' && $user->hasRight("fournisseur", "facture", "supprimer")) {
if ($action == 'confirm_delete' && $confirm == 'yes' && $permissiontodelete) {
$db->begin();
$object->fetch($id);
@@ -102,10 +106,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes' && $user->hasRight("fournis
}
}
if ($action == 'confirm_validate' && $confirm == 'yes' &&
((!getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && ($user->hasRight("fournisseur", "facture", "creer") || $user->hasRight("supplier_invoice", "creer")))
|| (getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && $user->hasRight("fournisseur", "supplier_invoice_advance", "validate")))
) {
if ($action == 'confirm_validate' && $confirm == 'yes' && $permissiontovalidate) {
$db->begin();
$object->fetch($id);
@@ -119,7 +120,7 @@ if ($action == 'confirm_validate' && $confirm == 'yes' &&
}
}
if ($action == 'setnum_paiement' && GETPOST('num_paiement')) {
if ($action == 'setnum_paiement' && GETPOST('num_paiement') && $permissiontoadd) {
$object->fetch($id);
$res = $object->update_num(GETPOST('num_paiement'));
if ($res === 0) {
@@ -129,7 +130,7 @@ if ($action == 'setnum_paiement' && GETPOST('num_paiement')) {
}
}
if ($action == 'setdatep' && GETPOST('datepday')) {
if ($action == 'setdatep' && GETPOST('datepday') && $permissiontoadd) {
$object->fetch($id);
$datepaye = dol_mktime(GETPOSTINT('datephour'), GETPOSTINT('datepmin'), GETPOSTINT('datepsec'), GETPOSTINT('datepmonth'), GETPOSTINT('datepday'), GETPOSTINT('datepyear'));
$res = $object->update_date($datepaye);
@@ -142,8 +143,6 @@ if ($action == 'setdatep' && GETPOST('datepday')) {
// Build document
$upload_dir = $conf->fournisseur->payment->dir_output;
// TODO: get the appropriate permission
$permissiontoadd = true;
include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php';
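Review bot: The removed conditions tested the fallback right as `$user->hasRight("supplier_invoice", "creer")` while the new `$permissiontoadd` tests `$user->hasRight("supplier_invoice", "write")`; unless the module actually declares `write`, this alias silently changes who can run `setnote`, `setnum_paiement` and `setdatep`, so confirm the right name against the module descriptor before merging. Replacing the hard-coded `$permissiontoadd = true; // TODO: get the appropriate permission` ahead of `actions_builddoc.inc.php` with the real right is the important fix in this section and looks correct. `setnum_paiement` and `setdatep` still call `$object->fetch($id)` without checking the result before `update_num`/`update_date`, which is outside this commit's scope but worth a follow-up.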
// Actions to send emails


@@ -95,14 +95,14 @@ if (($id > 0) || $ref) {
// Initialize a technical object to manage hooks of page. Note that conf->hooks_modules contains an array of hook context
$hookmanager->initHooks(array('holidaycard', 'globalcard'));
$cancreate = 0;
$cancreateall = 0;
$permissiontoadd = 0;
$permissiontoaddall = 0;
if ($user->hasRight('holiday', 'write') && in_array($fuserid, $childids)) {
$cancreate = 1;
$permissiontoadd = 1;
}
if ($user->hasRight('holiday', 'writeall')) {
$cancreate = 1;
$cancreateall = 1;
$permissiontoadd = 1;
$permissiontoaddall = 1;
}
$candelete = 0;
@@ -155,7 +155,7 @@ if (empty($reshook)) {
}
// Add leave request
if ($action == 'add' && $cancreate) {
if ($action == 'add' && $permissiontoadd) {
$object = new Holiday($db);
$db->begin();
@@ -180,7 +180,7 @@ if (empty($reshook)) {
$description = trim(GETPOST('description', 'restricthtml'));
// Check that leave is for a user inside the hierarchy or advanced permission for all is set
if (!$cancreateall) {
if (!$permissiontoaddall) {
if (!getDolGlobalString('MAIN_USE_ADVANCED_PERMS')) {
if (!$user->hasRight('holiday', 'write')) {
$error++;
@@ -332,8 +332,8 @@ if (empty($reshook)) {
}
// If no right to modify a request
if (!$cancreateall) {
if ($cancreate) {
if (!$permissiontoaddall) {
if ($permissiontoadd) {
if (!in_array($fuserid, $childids)) {
setEventMessages($langs->trans("UserNotInHierachy"), null, 'errors');
header('Location: '.$_SERVER["PHP_SELF"].'?action=create');
@@ -351,7 +351,7 @@ if (empty($reshook)) {
// If under validation
if ($object->status == Holiday::STATUS_DRAFT) {
// If this is the requester or has read/write rights
if ($cancreate) {
if ($permissiontoadd) {
$approverid = GETPOSTINT('valideur');
// TODO Check this approver user id has the permission for approval
@@ -454,7 +454,7 @@ if (empty($reshook)) {
$object->fetch($id);
// If draft and owner of leave
if ($object->status == Holiday::STATUS_DRAFT && $cancreate) {
if ($object->status == Holiday::STATUS_DRAFT && $permissiontoadd) {
$object->oldcopy = dol_clone($object, 2);
$object->status = Holiday::STATUS_VALIDATED;
@@ -595,7 +595,7 @@ if (empty($reshook)) {
$object->fetch($id);
// If status is waiting approval and approver is also user
if ($object->status == Holiday::STATUS_VALIDATED && ($user->id == $object->fk_validator || $cancreateall) && $user->hasRight('holiday', 'approve')) {
if ($object->status == Holiday::STATUS_VALIDATED && ($user->id == $object->fk_validator || $permissiontoaddall) && $user->hasRight('holiday', 'approve')) {
$object->oldcopy = dol_clone($object, 2);
$object->date_approval = dol_now();
@@ -702,7 +702,7 @@ if (empty($reshook)) {
$object->fetch($id);
// If status pending validation and validator = user
if ($object->status == Holiday::STATUS_VALIDATED && ($user->id == $object->fk_validator || $cancreateall) && $user->hasRight('holiday', 'approve')) {
if ($object->status == Holiday::STATUS_VALIDATED && ($user->id == $object->fk_validator || $permissiontoaddall) && $user->hasRight('holiday', 'approve')) {
$object->date_refuse = dol_now();
$object->fk_user_refuse = $user->id;
$object->statut = Holiday::STATUS_REFUSED;
@@ -823,7 +823,7 @@ if (empty($reshook)) {
// If status pending validation and validator = validator or user, or rights to do for others
if (($object->status == Holiday::STATUS_VALIDATED || $object->status == Holiday::STATUS_APPROVED) &&
(!empty($user->admin) || $user->id == $object->fk_validator || $cancreate || $cancreateall)) {
(!empty($user->admin) || $user->id == $object->fk_validator || $permissiontoadd || $permissiontoaddall)) {
$db->begin();
$oldstatus = $object->status;
@@ -1047,7 +1047,7 @@ if ((empty($id) && empty($ref)) || $action == 'create' || $action == 'add') {
print '<tr>';
print '<td class="titlefield fieldrequired tdtop">'.$langs->trans("User").'</td>';
print '<td><div class="inline-block">';
if ($cancreate && !$cancreateall) {
if ($permissiontoadd && !$permissiontoaddall) {
print img_picto('', 'user', 'class="pictofixedwidth"').$form->select_dolusers(($fuserid ? $fuserid : $user->id), 'fuserid', 0, '', 0, 'hierarchyme', '', '0,'.$conf->entity, 0, 0, $morefilter, 0, '', 'minwidth200 maxwidth500 inline-block');
//print '<input type="hidden" name="fuserid" value="'.($fuserid?$fuserid:$user->id).'">';
} else {
@@ -1534,7 +1534,7 @@ if ((empty($id) && empty($ref)) || $action == 'create' || $action == 'add') {
if (($action == 'edit' && $object->status == Holiday::STATUS_DRAFT) || ($action == 'editvalidator')) {
if ($action == 'edit' && $object->status == Holiday::STATUS_DRAFT) {
if ($cancreate && $object->status == Holiday::STATUS_DRAFT) {
if ($permissiontoadd && $object->status == Holiday::STATUS_DRAFT) {
print $form->buttonsSaveCancel();
}
}
@@ -1547,17 +1547,17 @@ if ((empty($id) && empty($ref)) || $action == 'create' || $action == 'add') {
print '<div class="tabsAction">';
if ($cancreate && $object->status == Holiday::STATUS_DRAFT) {
if ($permissiontoadd && $object->status == Holiday::STATUS_DRAFT) {
print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=edit&token='.newToken().'" class="butAction">'.$langs->trans("EditCP").'</a>';
}
if ($cancreate && $object->status == Holiday::STATUS_DRAFT) { // If draft
if ($permissiontoadd && $object->status == Holiday::STATUS_DRAFT) { // If draft
print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=sendToValidate&token='.newToken().'" class="butAction">'.$langs->trans("Validate").'</a>';
}
if ($object->status == Holiday::STATUS_VALIDATED) { // If validated
// Button Approve / Refuse
if (($user->id == $object->fk_validator || $cancreateall) && $user->hasRight('holiday', 'approve')) {
if (($user->id == $object->fk_validator || $permissiontoaddall) && $user->hasRight('holiday', 'approve')) {
print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=valid&token='.newToken().'" class="butAction">'.$langs->trans("Approve").'</a>';
print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=refuse&token='.newToken().'" class="butAction">'.$langs->trans("ActionRefuseCP").'</a>';
} else {
@@ -1565,7 +1565,7 @@ if ((empty($id) && empty($ref)) || $action == 'create' || $action == 'add') {
print '<a href="#" class="butActionRefused classfortooltip" title="'.$langs->trans("NotTheAssignedApprover").'">'.$langs->trans("ActionRefuseCP").'</a>';
// Button Cancel (because we can't approve)
if ($cancreate || $cancreateall) {
if ($permissiontoadd || $permissiontoaddall) {
if (($object->date_fin > dol_now()) || !empty($user->admin)) {
print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=cancel&token='.newToken().'" class="butAction">'.$langs->trans("ActionCancelCP").'</a>';
} else {
@@ -1575,7 +1575,7 @@ if ((empty($id) && empty($ref)) || $action == 'create' || $action == 'add') {
}
}
if ($object->status == Holiday::STATUS_APPROVED) { // If validated and approved
if ($user->id == $object->fk_validator || $user->id == $object->fk_user_approve || $cancreate || $cancreateall) {
if ($user->id == $object->fk_validator || $user->id == $object->fk_user_approve || $permissiontoadd || $permissiontoaddall) {
if (($object->date_fin > dol_now()) || !empty($user->admin) || $user->id == $object->fk_user_approve) {
print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=cancel&token='.newToken().'" class="butAction">'.$langs->trans("ActionCancelCP").'</a>';
} else {
@@ -1590,7 +1590,7 @@ if ((empty($id) && empty($ref)) || $action == 'create' || $action == 'add') {
}
}
if (($cancreate || $cancreateall) && $object->status == Holiday::STATUS_CANCELED) {
if (($permissiontoadd || $permissiontoaddall) && $object->status == Holiday::STATUS_CANCELED) {
print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=backtodraft" class="butAction">'.$langs->trans("SetToDraft").'</a>';
}
if ($candelete && ($object->status == Holiday::STATUS_DRAFT || $object->status == Holiday::STATUS_CANCELED || $object->status == Holiday::STATUS_REFUSED)) { // If draft or canceled or refused


@@ -99,14 +99,14 @@ if (($id > 0) || $ref) {
// Initialize a technical object to manage hooks of page. Note that conf->hooks_modules contains an array of hook context
$hookmanager->initHooks(array('holidaycard', 'globalcard'));
$cancreate = 0;
$cancreateall = 0;
$permissiontoadd = 0;
$permissiontoaddall = 0;
if ($user->hasRight('holiday', 'write') && in_array($fuserid, $childids)) {
$cancreate = 1;
$permissiontoadd = 1;
}
if ($user->hasRight('holiday', 'writeall')) {
$cancreate = 1;
$cancreateall = 1;
$permissiontoadd = 1;
$permissiontoaddall = 1;
}
$candelete = 0;
@@ -159,7 +159,7 @@ if (empty($reshook)) {
}
// Add leave request
if ($action == 'add' && $cancreate) {
if ($action == 'add' && $permissiontoadd) {
$users = GETPOST('users', 'array');
$groups = GETPOST('groups', 'array');
@@ -184,7 +184,7 @@ if (empty($reshook)) {
$description = trim(GETPOST('description', 'restricthtml'));
// Check that leave is for a user inside the hierarchy or advanced permission for all is set
if (!$cancreateall) {
if (!$permissiontoaddall) {
if (!getDolGlobalString('MAIN_USE_ADVANCED_PERMS')) {
if (!$user->hasRight('holiday', 'write')) {
$error++;
@@ -332,7 +332,7 @@ if (empty($reshook)) {
if ($AutoSendMail && !$error) {
// send a mail to the user
$returnSendMail = sendMail($result, $cancreate, $now, $autoValidation);
$returnSendMail = sendMail($result, $permissiontoadd, $now, $autoValidation);
if (!empty($returnSendMail->msg)) {
setEventMessage($returnSendMail->msg, $returnSendMail->style);
}
@@ -664,6 +664,7 @@ llxFooter();
if (is_object($db)) {
$db->close();
}
/**
* send email to validator for current leave represented by (id)
*
@@ -683,7 +684,7 @@ function sendMail($id, $cancreate, $now, $autoValidation)
$objStd->error = 0;
$objStd->style = '';
global $db, $user, $conf, $langs;
global $db, $user, $langs;
$object = new Holiday($db);
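Review bot: `global $db, $user, $langs;` in `sendMail` drops `$conf`, but only the first lines of the function are in the hunk; if the body below still reads `$conf`, it now reads an undefined variable, so verify the rest of the function before merging. The call site now passes `$permissiontoadd` while the signature still names the parameter `$cancreate`; renaming it to `$permissiontoadd` in the signature and its docblock keeps the two halves of the rename consistent. The function's body continues outside the hunk.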


@@ -55,6 +55,7 @@ include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be 'inclu
$permissiontoread = $user->admin;
$permissiontoadd = $user->admin; // Used by the include of actions_addupdatedelete.inc.php
$permissiontodelete = $user->admin;
$upload_dir = $conf->hrm->multidir_output[isset($object->entity) ? $object->entity : 1];
// Security check - Protection if external user
@@ -74,7 +75,7 @@ if (empty($permissiontoread)) {
* Actions
*/
if ($action == 'confirm_delete' && $confirm == "yes") {
if ($action == 'confirm_delete' && $confirm == "yes" && $permissiontodelete) {
$result = $object->delete($user);
if ($result >= 0) {
header("Location: ../admin/admin_establishment.php");
@@ -82,7 +83,7 @@ if ($action == 'confirm_delete' && $confirm == "yes") {
} else {
setEventMessages($object->error, $object->errors, 'errors');
}
} elseif ($action == 'add') {
} elseif ($action == 'add' && $permissiontoadd) {
if (!$cancel) {
$error = 0;
@@ -117,7 +118,7 @@ if ($action == 'confirm_delete' && $confirm == "yes") {
header("Location: ../admin/admin_establishment.php");
exit;
}
} elseif ($action == 'update') {
} elseif ($action == 'update' && $permissiontoadd) {
// Update record
$error = 0;
@@ -153,6 +154,7 @@ if ($action == 'confirm_delete' && $confirm == "yes") {
}
}
/*
* View
*/
@@ -162,9 +164,7 @@ llxHeader();
$form = new Form($db);
$formcompany = new FormCompany($db);
/*
* Action create
*/
// Action create
if ($action == 'create') {
print load_fiche_titre($langs->trans("NewEstablishment"));


@@ -608,9 +608,7 @@ if ($action != "create" && $action != "edit") {
$arrayfields = dol_sort_array($arrayfields, 'position');
/*
* View
*/
// View
$form = new Form($db);


@@ -94,6 +94,13 @@ dolibarr_install_syslog("--- step2: entering step2.php page");
'@phan-var-force string $dolibarr_main_db_prefix'; // From configuraiotn file or install/inc.php
/*
* Actions
*/
// None
/*
* View
*/
@@ -107,7 +114,7 @@ if (!is_writable($conffile)) {
exit;
}
if ($action == "set") {
if ($action == "set") { // Test on permission not required. Already managed by test in inc.php
print '<h3><img class="valignmiddle inline-block paddingright" src="../theme/common/octicons/build/svg/database.svg" width="20" alt="Database"> '.$langs->trans("Database").'</h3>';
print '<table cellspacing="0" style="padding: 4px 4px 4px 0" border="0" width="100%">';


@@ -496,7 +496,7 @@ if ($dirins && in_array($action, array('initapi', 'initphpunit', 'initpagecontac
'---Replace with your own copyright and developer email---' => getLicenceHeader($user, $langs, $now)
);
if ($action == 'initapi') {
if ($action == 'initapi') { // Test on permission already done
if (count($objects) >= 1) {
addObjectsToApiFile($srcfile, $destfile, $objects, $modulename);
}


@@ -115,7 +115,7 @@ if ($action == "existbarcode" && !empty($barcode) && $user->hasRight('stock', 'l
$response = array('status'=>'error','errorcode'=>'ActionError','message'=>"Error on action");
}
if ($action == "addnewlineproduct") {
if ($action == "addnewlineproduct" && $user->hasRight('stock', 'creer')) {
require_once DOL_DOCUMENT_ROOT."/product/inventory/class/inventory.class.php";
$inventoryline = new InventoryLine($db);
if (!empty($fk_inventory)) {


@@ -658,6 +658,9 @@ class CodingPhpTest extends CommonClassTest
&& !preg_match('/done later/i', $val[0])
&& !preg_match('/not required/i', $val[0])) {
$ok = false;
//var_dump($file['fullname'].' '.$filecontentaction);exit;
print "File ".$file['relativename']." - Line: ".$val[0]."\n";
break;
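Review bot: The added exemption `!preg_match('/not required/i', $val[0])` matches any action line whose text contains "not required", not only a statement about the permission test, so an unrelated comment (for example about a parameter not being required) would silence the check; `!preg_match('/permission not required/i', $val[0])` still matches every comment this commit adds ("Test on permission not required...") while keeping the exemption specific. The `break;` after the `print` reports only the first unguarded action per file, so a file with several offenders needs several test runs to surface them all; collecting the lines and printing them before failing would be more useful. The enclosing test method starts outside the hunk.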
}