diff --git a/htdocs/adherents/card_subscriptions.php b/htdocs/adherents/card_subscriptions.php index e13a5bbef61..568837befd2 100644 --- a/htdocs/adherents/card_subscriptions.php +++ b/htdocs/adherents/card_subscriptions.php @@ -46,7 +46,7 @@ $rowid=GETPOST('rowid','int'); $typeid=GETPOST('typeid','int'); // Security check -$result=restrictedArea($user,'adherent',$rowid); +$result=restrictedArea($user,'adherent',$rowid,'','cotisation'); $object = new Adherent($db); $extrafields = new ExtraFields($db); diff --git a/htdocs/adherents/cotisations.php b/htdocs/adherents/cotisations.php index 1b4fabaf47e..dfba0935953 100644 --- a/htdocs/adherents/cotisations.php +++ b/htdocs/adherents/cotisations.php @@ -46,8 +46,8 @@ if (! $sortfield) { $sortfield="c.dateadh"; } $msg=''; $date_select=isset($_GET["date_select"])?$_GET["date_select"]:$_POST["date_select"]; -if (! $user->rights->adherent->cotisation->lire) -accessforbidden(); +// Security check +$result=restrictedArea($user,'adherent','','','cotisation'); /* diff --git a/htdocs/adherents/index.php b/htdocs/adherents/index.php index 60d7243c5fd..af2676a7d31 100644 --- a/htdocs/adherents/index.php +++ b/htdocs/adherents/index.php @@ -28,10 +28,12 @@ require '../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/adherents/class/adherent.class.php'; require_once DOL_DOCUMENT_ROOT.'/adherents/class/adherent_type.class.php'; - $langs->load("companies"); $langs->load("members"); +// Security check +$result=restrictedArea($user,'adherent'); + /* * View diff --git a/htdocs/adherents/liste.php b/htdocs/adherents/liste.php index 592881b2b72..5e26c9e35ab 100644 --- a/htdocs/adherents/liste.php +++ b/htdocs/adherents/liste.php @@ -31,6 +31,9 @@ require_once DOL_DOCUMENT_ROOT.'/adherents/class/adherent_type.class.php'; $langs->load("members"); $langs->load("companies"); +// Security check +$result=restrictedArea($user,'adherent'); + $action=GETPOST("action"); $filter=GETPOST("filter"); $statut=GETPOST("statut"); @@ -70,7 +73,6 @@ if (GETPOST("button_removefilter")) } - /* * View */ diff --git a/htdocs/adherents/stats/byproperties.php b/htdocs/adherents/stats/byproperties.php index dcc25501d84..12732ecdc47 100755 --- a/htdocs/adherents/stats/byproperties.php +++ b/htdocs/adherents/stats/byproperties.php @@ -35,11 +35,10 @@ $mode=GETPOST('mode')?GETPOST('mode'):''; // Security check if ($user->societe_id > 0) { - $action = ''; - $socid = $user->societe_id; + $action = ''; + $socid = $user->societe_id; } -if (! $user->rights->adherent->cotisation->lire) - accessforbidden(); +$result=restrictedArea($user,'adherent','','','cotisation'); $year = strftime("%Y", time()); $startyear=$year-2; diff --git a/htdocs/adherents/stats/geo.php b/htdocs/adherents/stats/geo.php index cdc731ecdca..d78ab4fe61f 100755 --- a/htdocs/adherents/stats/geo.php +++ b/htdocs/adherents/stats/geo.php @@ -37,8 +37,7 @@ if ($user->societe_id > 0) $action = ''; $socid = $user->societe_id; } -if (! $user->rights->adherent->cotisation->lire) -accessforbidden(); +$result=restrictedArea($user,'adherent','','','cotisation'); $year = strftime("%Y", time()); $startyear=$year-2; diff --git a/htdocs/adherents/stats/index.php b/htdocs/adherents/stats/index.php index 0d5da2773f9..82dc17506e9 100644 --- a/htdocs/adherents/stats/index.php +++ b/htdocs/adherents/stats/index.php @@ -33,12 +33,14 @@ $HEIGHT=200; $userid=GETPOST('userid','int'); if ($userid < 0) $userid=0; $socid=GETPOST('socid','int'); if ($socid < 0) $socid=0; + // Security check if ($user->societe_id > 0) { $action = ''; $socid = $user->societe_id; } +$result=restrictedArea($user,'adherent','','','cotisation'); $year = strftime("%Y", time()); $startyear=$year-2; diff --git a/htdocs/admin/modules.php b/htdocs/admin/modules.php index 7a83d625831..dd96c83e797 100644 --- a/htdocs/admin/modules.php +++ b/htdocs/admin/modules.php @@ -206,9 +206,8 @@ if ($mode==='expdev') print $langs->trans("ModuleFamilyExperimental")."
$nbofactivatedmodules=count($conf->modules); print $langs->trans("TotalNumberOfActivatedModules",($nbofactivatedmodules-1)); if ($nbofactivatedmodules <= 1) print ' '.img_warning($langs->trans("YouMustEnableOneModule")); -print '
'."\n"; +print '
'."\n"; -print "
\n"; $h = 0; @@ -266,6 +265,11 @@ $head[$h][2] = 'marketplace'; $h++; +// Show warning about external users +print showModulesExludedForExternal($modules).'
'."\n"; +print "
\n"; + + dol_fiche_head($head, $mode, $langs->trans("Modules")); $var=true; @@ -495,9 +499,6 @@ else dol_fiche_end(); -// Pour eviter bug mise en page IE -print '
'; -print '
'; llxFooter(); diff --git a/htdocs/admin/perms.php b/htdocs/admin/perms.php index d01c3421b6b..28627537977 100644 --- a/htdocs/admin/perms.php +++ b/htdocs/admin/perms.php @@ -68,8 +68,12 @@ print_fiche_titre($langs->trans("SecuritySetup"),'','setup'); print $langs->trans("DefaultRightsDesc"); print " ".$langs->trans("OnlyActiveElementsAreShown")."
\n"; + +// Show warning about external users +print showModulesExludedForExternal($modules).'
'."\n"; print "
\n"; + $head=security_prepare_head(); dol_fiche_head($head, 'default', $langs->trans("Security")); diff --git a/htdocs/comm/mailing/index.php b/htdocs/comm/mailing/index.php index f19458c0f03..35896917b86 100644 --- a/htdocs/comm/mailing/index.php +++ b/htdocs/comm/mailing/index.php @@ -30,7 +30,9 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php'; $langs->load("commercial"); $langs->load("orders"); -if (! $user->rights->mailing->lire || $user->societe_id > 0) accessforbidden(); + +// Security check +$result=restrictedArea($user,'mailing'); /* diff --git a/htdocs/comm/mailing/liste.php b/htdocs/comm/mailing/liste.php index 3ad2198f3dd..549b621b763 100644 --- a/htdocs/comm/mailing/liste.php +++ b/htdocs/comm/mailing/liste.php @@ -27,14 +27,8 @@ require_once DOL_DOCUMENT_ROOT.'/comm/mailing/class/mailing.class.php'; $langs->load("mails"); -if (!$user->rights->mailing->lire) accessforbidden(); - -// Securite acces client -if ($user->societe_id > 0) -{ - $action = ''; - $socid = $user->societe_id; -} +// Security check +$result=restrictedArea($user,'mailing'); $sortfield = GETPOST("sortfield",'alpha'); $sortorder = GETPOST("sortorder",'alpha'); diff --git a/htdocs/compta/deplacement/stats/index.php b/htdocs/compta/deplacement/stats/index.php index 2ca118c47cf..e8e72eace88 100755 --- a/htdocs/compta/deplacement/stats/index.php +++ b/htdocs/compta/deplacement/stats/index.php @@ -34,12 +34,16 @@ $HEIGHT=200; $userid=GETPOST('userid','int'); if ($userid < 0) $userid=0; $socid=GETPOST('socid','int'); if ($socid < 0) $socid=0; -// Securite acces client +$id = GETPOST('id','int'); + +// Security check if ($user->societe_id > 0) { $action = ''; $socid = $user->societe_id; } +if ($user->societe_id) $socid=$user->societe_id; +$result = restrictedArea($user, 'deplacement', $id,''); $nowyear=strftime("%Y", dol_now()); $year = GETPOST('year')>0?GETPOST('year'):$nowyear; diff --git a/htdocs/compta/journal/index.php b/htdocs/compta/journal/index.php deleted file mode 100755 index 4b7e347204d..00000000000 --- a/htdocs/compta/journal/index.php +++ /dev/null @@ -1,68 +0,0 @@ - - * Copyright (C) 2007-2010 Jean Heimburger - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -require '../../main.inc.php'; - - -$langs->load("companies"); -$langs->load("other"); -$langs->load("compta"); - -// Protection if external user -if ($user->societe_id > 0) -{ - accessforbidden(); -} - - -/******************************************************************* -* ACTIONS -* -* Put here all code to do according to value of "action" parameter -********************************************************************/ - - -/*************************************************** -* PAGE -* -* Put here all code to build page -****************************************************/ - -llxHeader('','MyPageName',''); - -$form=new Form($db); - - -// Put here content of your page -// ... - -/*************************************************** -* LINKED OBJECT BLOCK -* -* Put here code to view linked object -****************************************************/ -/* - -$somethingshown=$myobject->showLinkedObjectBlock(); - -*/ - -// End of page -$db->close(); -llxFooter(); -?> \ No newline at end of file diff --git a/htdocs/compta/journal/purchasesjournal.php b/htdocs/compta/journal/purchasesjournal.php index 826d40b00ec..529e70e550a 100755 --- a/htdocs/compta/journal/purchasesjournal.php +++ b/htdocs/compta/journal/purchasesjournal.php @@ -41,11 +41,10 @@ $date_endmonth=GETPOST('date_endmonth'); $date_endday=GETPOST('date_endday'); $date_endyear=GETPOST('date_endyear'); -// Protection if external user -if ($user->societe_id > 0) - accessforbidden(); - -$result = restrictedArea($user, 'societe&facture'); +// Security check +if ($user->societe_id > 0) $socid = $user->societe_id; +if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat'); +if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport'); /* diff --git a/htdocs/compta/journal/sellsjournal.php b/htdocs/compta/journal/sellsjournal.php index e90ae2ef7e7..df18c41a697 100755 --- a/htdocs/compta/journal/sellsjournal.php +++ b/htdocs/compta/journal/sellsjournal.php @@ -42,11 +42,10 @@ $date_endmonth=GETPOST('date_endmonth'); $date_endday=GETPOST('date_endday'); $date_endyear=GETPOST('date_endyear'); -// Protection if external user -if ($user->societe_id > 0) - accessforbidden(); - -$result = restrictedArea($user, 'societe&facture'); +// Security check +if ($user->societe_id > 0) $socid = $user->societe_id; +if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat'); +if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport'); /* * Actions diff --git a/htdocs/compta/resultat/bilan.php b/htdocs/compta/resultat/bilan.php index fb8526d077c..524f10b79aa 100644 --- a/htdocs/compta/resultat/bilan.php +++ b/htdocs/compta/resultat/bilan.php @@ -25,7 +25,11 @@ require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/compta/tva/class/tva.class.php'; require_once DOL_DOCUMENT_ROOT.'/compta/sociales/class/chargesociales.class.php'; -if (!$user->rights->compta->resultat->lire) accessforbidden(); +// Security check +$socid = GETPOST('socid','int'); +if ($user->societe_id > 0) $socid = $user->societe_id; +if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat'); +if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport'); /* diff --git a/htdocs/compta/resultat/clientfourn.php b/htdocs/compta/resultat/clientfourn.php index e4b9ddeadf8..2fa2d09a864 100644 --- a/htdocs/compta/resultat/clientfourn.php +++ b/htdocs/compta/resultat/clientfourn.php @@ -42,8 +42,8 @@ $date_endyear=GETPOST('date_endyear'); // Security check $socid = GETPOST('socid','int'); if ($user->societe_id > 0) $socid = $user->societe_id; -if (! $user->rights->compta->resultat->lire && ! $user->rights->accounting->comptarapport->lire) - accessforbidden(); +if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat'); +if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport'); // Date range $year=GETPOST("year"); diff --git a/htdocs/compta/resultat/compteres.php b/htdocs/compta/resultat/compteres.php index 0e9a8db8595..74960f97de7 100644 --- a/htdocs/compta/resultat/compteres.php +++ b/htdocs/compta/resultat/compteres.php @@ -1,5 +1,5 @@ +/* Copyright (C) 2004-2012 Laurent Destailleur * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -15,17 +15,22 @@ * along with this program. If not, see . */ - require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/compta/tva/class/tva.class.php'; require_once DOL_DOCUMENT_ROOT.'/compta/sociales/class/chargesociales.class.php'; -if (!$user->rights->compta->resultat->lire) accessforbidden(); +// Security check +$socid = GETPOST('socid','int'); +if ($user->societe_id > 0) $socid = $user->societe_id; +if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat'); +if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport'); + + /* -* Views -*/ + * Views + */ llxHeader(); $year=$_GET["year"]; diff --git a/htdocs/compta/resultat/index.php b/htdocs/compta/resultat/index.php index 9eb6016c585..4a100fe00dc 100644 --- a/htdocs/compta/resultat/index.php +++ b/htdocs/compta/resultat/index.php @@ -40,8 +40,9 @@ else { // Security check $socid = GETPOST('socid','int'); if ($user->societe_id > 0) $socid = $user->societe_id; -if (! $user->rights->compta->resultat->lire && ! $user->rights->accounting->comptarapport->lire) - accessforbidden(); +if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat'); +if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport'); + // Define modecompta ('CREANCES-DETTES' or 'RECETTES-DEPENSES') $modecompta=(GETPOST("modecompta")?GETPOST("modecompta"):$conf->global->COMPTA_MODE); diff --git a/htdocs/compta/stats/cabyuser.php b/htdocs/compta/stats/cabyuser.php index 1a01eba1c0e..4665c9b7758 100644 --- a/htdocs/compta/stats/cabyuser.php +++ b/htdocs/compta/stats/cabyuser.php @@ -27,11 +27,12 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/report.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/tax.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php'; +$socid = GETPOST('socid','int'); + // Security check -$socid = isset($_REQUEST["socid"])?$_REQUEST["socid"]:''; if ($user->societe_id > 0) $socid = $user->societe_id; -if (!$user->rights->compta->resultat->lire && !$user->rights->accounting->comptarapport->lire) -accessforbidden(); +if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat'); +if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport'); // Define modecompta ('CREANCES-DETTES' or 'RECETTES-DEPENSES') $modecompta = $conf->global->COMPTA_MODE; diff --git a/htdocs/compta/stats/casoc.php b/htdocs/compta/stats/casoc.php index 3e71698da1b..5a5c8211665 100644 --- a/htdocs/compta/stats/casoc.php +++ b/htdocs/compta/stats/casoc.php @@ -39,10 +39,12 @@ $sortfield=isset($_GET["sortfield"])?$_GET["sortfield"]:$_POST["sortfield"]; if (! $sortorder) $sortorder="asc"; if (! $sortfield) $sortfield="nom"; +$socid = GETPOST('socid','int'); + // Security check -$socid = isset($_REQUEST["socid"])?$_REQUEST["socid"]:''; if ($user->societe_id > 0) $socid = $user->societe_id; -if (!$user->rights->compta->resultat->lire && !$user->rights->accounting->comptarapport->lire) accessforbidden(); +if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat'); +if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport'); // Date range $year=GETPOST("year"); diff --git a/htdocs/compta/stats/index.php b/htdocs/compta/stats/index.php index c66b840fda0..699465c5c60 100644 --- a/htdocs/compta/stats/index.php +++ b/htdocs/compta/stats/index.php @@ -25,27 +25,28 @@ require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/report.lib.php'; - $year_start=GETPOST("year_start"); $year_current = strftime("%Y",time()); $nbofyear=4; if (! $year_start) { - $year_start = $year_current - ($nbofyear-1); - $year_end = $year_current; + $year_start = $year_current - ($nbofyear-1); + $year_end = $year_current; } else { - $year_end=$year_start + ($nbofyear-1); + $year_end=$year_start + ($nbofyear-1); } - $userid=GETPOST('userid','int'); -$socid=GETPOST('socid','int'); +$socid = GETPOST('socid','int'); +// Define modecompta ('CREANCES-DETTES' or 'RECETTES-DEPENSES') +$modecompta = $conf->global->COMPTA_MODE; +if ($_GET["modecompta"]) $modecompta=$_GET["modecompta"]; + // Security check if ($user->societe_id > 0) $socid = $user->societe_id; -if (!$user->rights->compta->resultat->lire && !$user->rights->accounting->comptarapport->lire) accessforbidden(); +if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat'); +if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport'); + -// Define modecompta ('CREANCES-DETTES' or 'RECETTES-DEPENSES') -$modecompta = $conf->global->COMPTA_MODE; -if ($_GET["modecompta"]) $modecompta=$_GET["modecompta"]; /* diff --git a/htdocs/contrat/index.php b/htdocs/contrat/index.php index a63e3f320e2..95d534609da 100644 --- a/htdocs/contrat/index.php +++ b/htdocs/contrat/index.php @@ -233,7 +233,7 @@ if (! empty($conf->contrat->enabled) && $user->rights->contrat->lire) $sql.= " AND c.entity IN (".getEntity('contract').")"; $sql.= " AND c.statut = 0"; if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id; - if ($socid) $sql.= " AND s.fk_soc = ".$socid; + if ($socid) $sql.= " AND c.fk_soc = ".$socid; $resql = $db->query($sql); diff --git a/htdocs/core/class/conf.class.php b/htdocs/core/class/conf.class.php index cdef1458b2c..d131db5e89b 100644 --- a/htdocs/core/class/conf.class.php +++ b/htdocs/core/class/conf.class.php @@ -386,7 +386,7 @@ class Conf $this->mailing->email_from=$this->email_from; if (! empty($this->global->MAILING_EMAIL_FROM)) $this->mailing->email_from=$this->global->MAILING_EMAIL_FROM; - // Format for date (used by default when not found or searched in lang) + // Format for date (used by default when not found or not searched in lang) $this->format_date_short="%d/%m/%Y"; // Format of day with PHP/C tags (strftime functions) $this->format_date_short_java="dd/MM/yyyy"; // Format of day with Java tags $this->format_hour_short="%H:%M"; @@ -406,7 +406,10 @@ class Conf if (! isset($this->global->MAIN_MAX_DECIMALS_SHOWN)) $this->global->MAIN_MAX_DECIMALS_SHOWN=8; // Default max file size for upload - $this->maxfilesize = (! empty($this->global->MAIN_UPLOAD_DOC) ? $this->global->MAIN_UPLOAD_DOC * 1024 : 0); + $this->maxfilesize = (empty($this->global->MAIN_UPLOAD_DOC) ? 0 : $this->global->MAIN_UPLOAD_DOC * 1024); + + // Define list of limited modules + if (! isset($this->global->MAIN_MODULES_FOR_EXTERNAL)) $this->global->MAIN_MODULES_FOR_EXTERNAL='facture,commande,contact,propal,projet,contrat,societe,ficheinter,expedition,agenda'; // '' means 'all'. Note that contact is added here as it should be a module later. // Timeouts if (empty($this->global->MAIN_USE_CONNECT_TIMEOUT)) $this->global->MAIN_USE_CONNECT_TIMEOUT=10; diff --git a/htdocs/core/lib/admin.lib.php b/htdocs/core/lib/admin.lib.php index 21d32e2cbbe..a60c3c63946 100644 --- a/htdocs/core/lib/admin.lib.php +++ b/htdocs/core/lib/admin.lib.php @@ -1133,6 +1133,38 @@ function form_constantes($tableau) print ''; } + +/** + * Show array with constants to edit + * + * @param array $modules Array of all modules + * @return string HTML string with warning + */ +function showModulesExludedForExternal($modules) +{ + global $conf,$langs; + + $text=$langs->trans("OnlyFollowingModulesAreOpenedToExternalUsers"); + $listofmodules=explode(',',$conf->global->MAIN_MODULES_FOR_EXTERNAL); + $i=0; + foreach($modules as $module) + { + $moduleconst=$module->const_name; + $modulename=strtolower($module->name); + //print 'modulename='.$modulename; + + //if (empty($conf->global->$moduleconst)) continue; + if (! in_array($modulename,$listofmodules)) continue; + + if ($i > 0) $text.=', '; + else $text.=' '; + $i++; + $text.=$langs->trans($module->name); + } + return img_picto($langs->trans('InfoAdmin'), 'star').' '.$text; +} + + /** * Add document model used by doc generator * diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index f5fde411c8f..988493874e2 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -2040,9 +2040,10 @@ function img_phone($alt = 'default', $option = 0) * * @param string $text Text info * @param string $infoonimgalt Info is shown only on alt of star picto, otherwise it is show on output after the star picto + * @param int $nodiv No div * @return string String with info text */ -function info_admin($text, $infoonimgalt = 0) +function info_admin($text, $infoonimgalt = 0, $nodiv=0) { global $conf, $langs; @@ -2051,7 +2052,7 @@ function info_admin($text, $infoonimgalt = 0) return img_picto($text, 'star'); } - return '
'.img_picto($langs->trans('InfoAdmin'), 'star').' '.$text.'
'; + return ($nodiv?'':'
').img_picto($langs->trans('InfoAdmin'), 'star').' '.$text.($nodiv?'':'
'); } diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index 17c9bf7e249..76920f1fb88 100644 --- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php @@ -88,12 +88,12 @@ function dol_hash($chain,$type=0) * If GETPOST('action') defined, we also check write and delete permission. * * @param User $user User to check - * @param string $features Features to check (in most cases, it's module name. Examples: 'societe', 'contact', 'produit|service', ...) + * @param string $features Features to check (it must be module name. Examples: 'societe', 'contact', 'produit&service', ...) * @param int $objectid Object ID if we want to check a particular record (optionnal) is linked to a owned thirdparty (optionnal). - * @param string $dbtablename 'TableName&SharedElement' with Tablename is table where object is stored, SharedElement is key to define where to check entity. Not used if objectid is null (optionnal) + * @param string $dbtablename 'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optionnal key to define where to check entity. Not used if objectid is null (optionnal) * @param string $feature2 Feature to check, second level of permission (optionnal) - * @param string $dbt_keyfield Field name for socid foreign key if not fk_soc (optionnal) - * @param string $dbt_select Field name for select if not rowid (optionnal) + * @param string $dbt_keyfield Field name for socid foreign key if not fk_soc. Not used if objectid is null (optionnal) + * @param string $dbt_select Field name for select if not rowid. Not used if objectid is null (optionnal) * @param Canvas $objcanvas Object canvas * @return int Always 1, die process if not allowed */ @@ -122,11 +122,18 @@ function restrictedArea($user, $features, $objectid=0, $dbtablename='', $feature $dbtablename=(! empty($params[0]) ? $params[0] : ''); $sharedelement=(! empty($params[1]) ? $params[1] : ''); - // Check read permission from module - // TODO Replace "feature" param into caller by first level of permission + $listofmodules=explode(',',$conf->global->MAIN_MODULES_FOR_EXTERNAL); + + // Check read permission from module $readok=1; foreach ($features as $feature) { + if (! empty($user->societe_id) && ! empty($conf->global->MAIN_MODULES_FOR_EXTERNAL) && ! in_array($feature,$listofmodules)) // If limits on modules for external users, module must be into list of modules for external users + { + $readok=0; + continue; + } + if ($feature == 'societe') { if (! $user->rights->societe->lire && ! $user->rights->fournisseur->lire) $readok=0; diff --git a/htdocs/exports/index.php b/htdocs/exports/index.php index b4dcbd6cd9c..a0501a3418e 100644 --- a/htdocs/exports/index.php +++ b/htdocs/exports/index.php @@ -26,7 +26,9 @@ require_once DOL_DOCUMENT_ROOT.'/exports/class/export.class.php'; $langs->load("exports"); -if (! $user->rights->export->lire) accessforbidden(); + +// Security check +$result=restrictedArea($user,'export'); diff --git a/htdocs/imports/import.php b/htdocs/imports/import.php index ad0369299e8..d70f63cebd7 100644 --- a/htdocs/imports/import.php +++ b/htdocs/imports/import.php @@ -36,7 +36,6 @@ $langs->load("exports"); $langs->load("errors"); // Security check -if (! empty($user->societe_id)) $socid=$user->societe_id; $result=restrictedArea($user, 'import'); $entitytoicon=array( diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang index 89d200d7731..4ec24bb0232 100644 --- a/htdocs/langs/en_US/admin.lang +++ b/htdocs/langs/en_US/admin.lang @@ -929,6 +929,7 @@ TotalNumberOfActivatedModules=Total number of activated feature modules: %s* Soit de manière globale depuis le menu Accueil - Configuration - Affichage
* Soit de manière spécifique à l'utilisateur depuis l'onglet Interface utilisateur de sa fiche utilisateur (cliquer sur le login en haut de l'écran). ClassNotFoundIntoPathWarning=La class %s n'a pas été trouvée dans le path PHP YesInSummer=Oui en été +OnlyFollowingModulesAreOpenedToExternalUsers=Remarque, seuls les modules suivants sont ouverts aux utilisateurs externes (quelquesoit les permissions de ces utilisateurs): ##### Module password generation= undefined PasswordGenerationStandard= Renvoie un mot de passe généré selon algorithme interne Dolibarr: 8 caractères, chiffres et caractères en minuscules mélangés. diff --git a/htdocs/product/stock/fiche-valo.php b/htdocs/product/stock/fiche-valo.php index ef79496af20..976df224365 100644 --- a/htdocs/product/stock/fiche-valo.php +++ b/htdocs/product/stock/fiche-valo.php @@ -31,6 +31,8 @@ $langs->load("stocks"); $langs->load("companies"); $mesg = ''; +// Security check +$result=restrictedArea($user,'stock'); /* diff --git a/htdocs/product/stock/fiche.php b/htdocs/product/stock/fiche.php index 2102de86d25..fbf597aee34 100644 --- a/htdocs/product/stock/fiche.php +++ b/htdocs/product/stock/fiche.php @@ -44,6 +44,10 @@ if (! $sortorder) $sortorder="DESC"; $mesg = ''; +// Security check +$result=restrictedArea($user,'stock'); + + /* * Actions diff --git a/htdocs/product/stock/index.php b/htdocs/product/stock/index.php index 9e65a8d41db..76732b5ac07 100644 --- a/htdocs/product/stock/index.php +++ b/htdocs/product/stock/index.php @@ -29,8 +29,8 @@ require_once DOL_DOCUMENT_ROOT.'/product/stock/class/entrepot.class.php'; $langs->load("stocks"); -if (!$user->rights->stock->lire) - accessforbidden(); +// Security check +$result=restrictedArea($user,'stock'); /* diff --git a/htdocs/product/stock/info.php b/htdocs/product/stock/info.php index 46e13daee1f..0dc4938ab2f 100644 --- a/htdocs/product/stock/info.php +++ b/htdocs/product/stock/info.php @@ -28,6 +28,10 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/stock.lib.php'; $langs->load("stocks"); +// Security check +$result=restrictedArea($user,'stock'); + + /* * View */ diff --git a/htdocs/product/stock/liste.php b/htdocs/product/stock/liste.php index 29402b26066..b571f5bb3ff 100644 --- a/htdocs/product/stock/liste.php +++ b/htdocs/product/stock/liste.php @@ -28,8 +28,8 @@ require_once DOL_DOCUMENT_ROOT.'/product/stock/class/entrepot.class.php'; $langs->load("stocks"); -if (!$user->rights->stock->lire) - accessforbidden(); +// Security check +$result=restrictedArea($user,'stock'); $sref=isset($_GET["sref"])?$_GET["sref"]:$_POST["sref"]; $snom=isset($_GET["snom"])?$_GET["snom"]:$_POST["snom"]; diff --git a/htdocs/product/stock/mouvement.php b/htdocs/product/stock/mouvement.php index 172f2211947..22c2d1baea6 100644 --- a/htdocs/product/stock/mouvement.php +++ b/htdocs/product/stock/mouvement.php @@ -35,7 +35,8 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php'; $langs->load("products"); $langs->load("stocks"); -if (!$user->rights->produit->lire) accessforbidden(); +// Security check +$result=restrictedArea($user,'stock'); $id=GETPOST('id','int'); $product_id=GETPOST("product_id"); diff --git a/htdocs/product/stock/valo.php b/htdocs/product/stock/valo.php index c6631ad078e..5addef0fbb7 100644 --- a/htdocs/product/stock/valo.php +++ b/htdocs/product/stock/valo.php @@ -28,8 +28,8 @@ require_once DOL_DOCUMENT_ROOT.'/product/stock/class/entrepot.class.php'; $langs->load("stocks"); -if (!$user->rights->stock->lire) -accessforbidden(); +// Security check +$result=restrictedArea($user,'stock'); $sref=isset($_GET["sref"])?$_GET["sref"]:$_POST["sref"]; $snom=isset($_GET["snom"])?$_GET["snom"]:$_POST["snom"]; diff --git a/htdocs/user/perms.php b/htdocs/user/perms.php index 32de5b9d73c..15e6bd24801 100644 --- a/htdocs/user/perms.php +++ b/htdocs/user/perms.php @@ -27,7 +27,8 @@ require '../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/usergroups.lib.php'; -require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php'; +require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php'; +require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; $langs->load("users"); $langs->load("admin"); @@ -253,19 +254,22 @@ print $form->showrefnav($fuser,'id','',$user->rights->user->user->lire || $user- print ''; print ''."\n"; -// Nom +// Lastname print ''.$langs->trans("Lastname").''; print ''.$fuser->nom.''; print ''."\n"; -// Prenom +// Firstname print ''.$langs->trans("Firstname").''; print ''.$fuser->prenom.''; print ''."\n"; print '
'; -if ($user->admin) print info_admin($langs->trans("WarningOnlyPermissionOfActivatedModules")); +if ($user->admin) print info_admin($langs->trans("WarningOnlyPermissionOfActivatedModules"), 0, 1).'
'; +// Show warning about external users +print showModulesExludedForExternal($modules).'
'."\n"; +print "
\n"; // For multicompany transversal mode if (! empty($conf->multicompany->enabled) && ! empty($conf->multicompany->transverse_mode)) @@ -366,7 +370,7 @@ if ($result) print img_picto($langs->trans("Active"),'tick'); print ''; } - + else if (is_array($permsgroupbyentity[$entity])) { if (in_array($obj->id, $permsgroupbyentity[$entity])) // Permission own by group