mirror of
https://github.com/Dolibarr/dolibarr.git
synced 2025-12-06 01:28:19 +01:00
Fix: Security does not need special case
This commit is contained in:
Laurent Destailleur
@@ -150,10 +150,6 @@ function restrictedArea($user, $features, $objectid=0, $dbtablename='', $feature
|
||||
{
|
||||
if (! $user->rights->prelevement->bons->lire) $readok=0;
|
||||
}
|
||||
else if ($feature == 'commande_fournisseur')
|
||||
{
|
||||
if (! $user->rights->fournisseur->commande->lire) $readok=0;
|
||||
}
|
||||
else if ($feature == 'cheque')
|
||||
{
|
||||
if (! $user->rights->banque->cheque) $readok=0;
|
||||
|
||||
@@ -40,7 +40,7 @@ $action = GETPOST('action', 'alpha');
|
||||
|
||||
// Security check
|
||||
if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result = restrictedArea($user, 'commande_fournisseur', $id,'');
|
||||
$result = restrictedArea($user, 'fournisseur', $id, '', 'commande');
|
||||
|
||||
$object = new CommandeFournisseur($db);
|
||||
|
||||
@@ -166,10 +166,10 @@ if ($id > 0 || ! empty($ref))
|
||||
print '</div>';
|
||||
|
||||
print '<br>';
|
||||
|
||||
|
||||
// Contacts lines
|
||||
include DOL_DOCUMENT_ROOT.'/core/tpl/contacts.tpl.php';
|
||||
|
||||
|
||||
}
|
||||
else
|
||||
{
|
||||
|
||||
@@ -44,7 +44,7 @@ $langs->load('stocks');
|
||||
// Security check
|
||||
$id = isset($_GET["id"])?$_GET["id"]:'';
|
||||
if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result = restrictedArea($user, 'commande_fournisseur', $id,'');
|
||||
$result = restrictedArea($user, 'fournisseur', $id, '', 'commande');
|
||||
|
||||
if (empty($conf->stock->enabled))
|
||||
{
|
||||
@@ -84,7 +84,7 @@ if ($_POST["action"] == 'dispatch' && $user->rights->fournisseur->commande->rece
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
if (! $notrigger)
|
||||
{
|
||||
global $conf, $langs, $user;
|
||||
@@ -94,7 +94,7 @@ if ($_POST["action"] == 'dispatch' && $user->rights->fournisseur->commande->rece
|
||||
$result_trigger=$interface->run_triggers('ORDER_SUPPLIER_DISPATCH',$this,$user,$langs,$conf);
|
||||
if ($result_trigger < 0) { $error++; $this->errors=$interface->errors; }
|
||||
// Fin appel triggers
|
||||
|
||||
|
||||
$this->db->commit();
|
||||
}
|
||||
|
||||
@@ -282,7 +282,7 @@ if ($id > 0 || ! empty($ref))
|
||||
print '<a href="'.DOL_URL_ROOT.'/product/fournisseurs.php?id='.$objp->fk_product.'">'.img_object($langs->trans("ShowProduct"),'product').' '.$objp->ref.'</a>';
|
||||
print ' - '.$objp->label;
|
||||
// To show detail cref and description value, we must make calculation by cref
|
||||
//print ($objp->cref?' ('.$objp->cref.')':'');
|
||||
//print ($objp->cref?' ('.$objp->cref.')':'');
|
||||
//if ($objp->description) print '<br>'.nl2br($objp->description);
|
||||
print '<input name="product_'.$i.'" type="hidden" value="'.$objp->fk_product.'">';
|
||||
print '<input name="pu_'.$i.'" type="hidden" value="'.$objp->subprice.'">';
|
||||
|
||||
@@ -49,7 +49,7 @@ $confirm = GETPOST('confirm','alpha');
|
||||
|
||||
// Security check
|
||||
if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result = restrictedArea($user, 'commande_fournisseur', $id,'');
|
||||
$result = restrictedArea($user, 'fournisseur', $id, '', 'commande');
|
||||
|
||||
// Get parameters
|
||||
$sortfield = GETPOST("sortfield",'alpha');
|
||||
|
||||
@@ -67,7 +67,7 @@ $hideref = (GETPOST('hideref','int') ? GETPOST('hideref','int') : (! empty($co
|
||||
|
||||
// Security check
|
||||
if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result = restrictedArea($user, 'commande_fournisseur', $id,'');
|
||||
$result = restrictedArea($user, 'fournisseur', $id, '', 'commande');
|
||||
|
||||
// Initialize technical object to manage hooks of thirdparties. Note that conf->hooks_modules contains array array
|
||||
$hookmanager->initHooks(array('ordersuppliercard'));
|
||||
@@ -683,7 +683,7 @@ else if ($action == 'add' && $user->rights->fournisseur->commande->creer)
|
||||
{
|
||||
$error++;
|
||||
}
|
||||
|
||||
|
||||
if ($error)
|
||||
{
|
||||
$langs->load("errors");
|
||||
@@ -840,7 +840,7 @@ if ($action == 'send' && ! GETPOST('addfile') && ! GETPOST('removedfile') && ! G
|
||||
else
|
||||
{
|
||||
// Redirect here
|
||||
// This avoid sending mail twice if going out and then back to page
|
||||
// This avoid sending mail twice if going out and then back to page
|
||||
header('Location: '.$_SERVER["PHP_SELF"].'?id='.$object->id);
|
||||
exit;
|
||||
}
|
||||
@@ -959,28 +959,28 @@ $now=dol_now();
|
||||
if ($action=="create")
|
||||
{
|
||||
print_fiche_titre($langs->trans('NewOrder'));
|
||||
|
||||
|
||||
dol_htmloutput_mesg($mesg);
|
||||
|
||||
|
||||
$societe='';
|
||||
if ($socid>0)
|
||||
{
|
||||
$societe=new Societe($db);
|
||||
$societe->fetch($socid);
|
||||
}
|
||||
|
||||
|
||||
print '<form name="add" action="'.$_SERVER["PHP_SELF"].'" method="post">';
|
||||
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
|
||||
print '<input type="hidden" name="action" value="add">';
|
||||
print '<table class="border" width="100%">';
|
||||
|
||||
|
||||
// Ref
|
||||
print '<tr><td>'.$langs->trans('Ref').'</td><td>'.$langs->trans('Draft').'</td></tr>';
|
||||
|
||||
|
||||
// Third party
|
||||
print '<tr><td class="fieldrequired">'.$langs->trans('Supplier').'</td>';
|
||||
print '<td>';
|
||||
|
||||
|
||||
if ($socid > 0)
|
||||
{
|
||||
print $societe->getNomUrl(1);
|
||||
@@ -991,30 +991,30 @@ if ($action=="create")
|
||||
print $form->select_company((empty($socid)?'':$socid),'socid','s.fournisseur = 1',1);
|
||||
}
|
||||
print '</td>';
|
||||
|
||||
|
||||
// Ref supplier
|
||||
print '<tr><td>'.$langs->trans('RefSupplier').'</td><td><input name="refsupplier" type="text"></td>';
|
||||
print '</tr>';
|
||||
|
||||
|
||||
print '</td></tr>';
|
||||
|
||||
|
||||
print '<tr><td>'.$langs->trans('Note').'</td>';
|
||||
print '<td><textarea name="note" wrap="soft" cols="60" rows="'.ROWS_5.'"></textarea></td>';
|
||||
print '</tr>';
|
||||
|
||||
|
||||
print '<tr><td>'.$langs->trans('NotePublic').'</td>';
|
||||
print '<td><textarea name="note_public" wrap="soft" cols="60" rows="'.ROWS_5.'"></textarea></td>';
|
||||
print '</tr>';
|
||||
|
||||
|
||||
// Other options
|
||||
$parameters=array();
|
||||
$reshook=$hookmanager->executeHooks('formObjectOptions',$parameters,$object,$action); // Note that $action and $object may have been modified by hook
|
||||
|
||||
|
||||
// Bouton "Create Draft"
|
||||
print "</table>\n";
|
||||
|
||||
|
||||
print '<br><center><input type="submit" class="button" name="bouton" value="'.$langs->trans('CreateDraft').'"></center>';
|
||||
|
||||
|
||||
print "</form>\n";
|
||||
}
|
||||
elseif (! empty($object->id))
|
||||
@@ -1909,12 +1909,12 @@ elseif (! empty($object->id))
|
||||
$formmail->substit['__SIGNATURE__']=$user->signature;
|
||||
$formmail->substit['__PERSONALIZED__']='';
|
||||
$formmail->substit['__CONTACTCIVNAME__']='';
|
||||
|
||||
|
||||
//Find the good contact adress
|
||||
$custcontact='';
|
||||
$contactarr=array();
|
||||
$contactarr=$object->liste_contact(-1,'external');
|
||||
|
||||
|
||||
if (is_array($contactarr) && count($contactarr)>0) {
|
||||
foreach($contactarr as $contact) {
|
||||
if ($contact['libelle']==$langs->trans('TypeContact_order_supplier_external_BILLING')) {
|
||||
@@ -1924,12 +1924,12 @@ elseif (! empty($object->id))
|
||||
$custcontact=$contactstatic->getFullName($langs,1);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
if (!empty($custcontact)) {
|
||||
$formmail->substit['__CONTACTCIVNAME__']=$custcontact;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// Tableau des parametres complementaires
|
||||
$formmail->param['action']='send';
|
||||
$formmail->param['models']='order_supplier_send';
|
||||
|
||||
@@ -38,7 +38,7 @@ $ref=GETPOST('ref','alpha');
|
||||
// Security check
|
||||
$socid='';
|
||||
if (! empty($user->societe_id)) $socid=$user->societe_id;
|
||||
$result = restrictedArea($user, 'commande_fournisseur', $id,'');
|
||||
$result = restrictedArea($user, 'fournisseur', $id, '', 'commande');
|
||||
|
||||
|
||||
/*
|
||||
|
||||
@@ -32,7 +32,7 @@ require_once DOL_DOCUMENT_ROOT.'/contact/class/contact.class.php';
|
||||
// Security check
|
||||
$orderid = GETPOST('orderid');
|
||||
if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result = restrictedArea($user, 'commande_fournisseur', $orderid,'');
|
||||
$result = restrictedArea($user, 'fournisseur', $orderid, '', 'commande');
|
||||
|
||||
$langs->load("suppliers");
|
||||
$langs->load("orders");
|
||||
|
||||
@@ -43,7 +43,7 @@ $sortfield = GETPOST('sortfield','alpha');
|
||||
// Security check
|
||||
$orderid = GETPOST('orderid');
|
||||
if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result = restrictedArea($user, 'commande_fournisseur', $orderid,'');
|
||||
$result = restrictedArea($user, 'fournisseur', $orderid, '', 'commande');
|
||||
|
||||
|
||||
/*
|
||||
|
||||
@@ -39,7 +39,7 @@ $action = GETPOST('action');
|
||||
|
||||
// Security check
|
||||
if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result = restrictedArea($user, 'commande_fournisseur', $id,'');
|
||||
$result = restrictedArea($user, 'fournisseur', $id, '', 'commande');
|
||||
|
||||
$object = new CommandeFournisseur($db);
|
||||
$object->fetch($id, $ref);
|
||||
|
||||
Reference in New Issue
Block a user