Merge branch '21.0' of git@github.com:Dolibarr/dolibarr.git into 21.0

Laurent Destailleur
2025-11-20 11:51:51 +01:00
16 changed files with 140 additions and 83 deletions


@@ -509,6 +509,7 @@ function restrictedArea(User $user, $features, $object = 0, $tableandshare = '',
$tableandshare = 'paiementcharge';
$parentfortableentity = 'fk_charge@chargesociales';
}
// if commonObjectLine : Using many2one related commonObject
// @see commonObjectLine::parentElement
if (in_array($features, ['commandedet', 'propaldet', 'facturedet', 'supplier_proposaldet', 'evaluationdet', 'skilldet', 'deliverydet', 'contratdet'])) {
@@ -520,6 +521,11 @@ function restrictedArea(User $user, $features, $object = 0, $tableandshare = '',
} elseif ($features == 'invoice_supplier_det_rec') {
$features = 'invoice_supplier_rec';
}
if ($features == 'evaluation') {
$features = 'hrm';
$feature2 = 'evaluation';
}
// @todo check : project_task
// @todo possible ?
// elseif (substr($features, -3, 3) == 'det') {
@@ -965,8 +971,11 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
if ($feature == 'project') {
$feature = 'projet';
}
if ($feature == 'task') {
$feature = 'projet_task';
if ($feature == 'projet' && !empty($feature2) && is_array($feature2) && !empty(array_intersect(array('project_task', 'projet_task'), $feature2))) {
$feature = 'project_task';
}
if ($feature == 'task' || $feature == 'projet_task') {
$feature = 'project_task';
}
if ($feature == 'eventorganization') {
$feature = 'agenda';
@@ -987,8 +996,8 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
$checksoc = array('societe'); // Test for object Societe
$checkparentsoc = array('agenda', 'contact', 'contrat'); // Test on entity + link to third party on field $dbt_keyfield. Allowed if link is empty (Ex: contacts...).
$checkproject = array('projet', 'project'); // Test for project object
$checktask = array('projet_task'); // Test for task object
$checkhierarchy = array('expensereport', 'holiday'); // check permission among the hierarchy of user
$checktask = array('projet_task', 'project_task'); // Test for task object
$checkhierarchy = array('expensereport', 'holiday', 'hrm'); // check permission among the hierarchy of user
$checkuser = array('bookmark'); // check permission among the fk_user (must be myself or null)
$nocheck = array('barcode', 'stock'); // No test
@@ -1127,6 +1136,7 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
return false;
}
} else {
$sharedelement = 'project'; // for multicompany compatibility
$sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
$sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
@@ -1215,6 +1225,20 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
}
}
}
if ($feature == 'hrm' && in_array('evaluation', $feature2)) {
$useridtocheck = $object->fk_user;
if ($user->hasRight('hrm', 'evaluation', 'readall')) {
// the user can view evaluations for anyone
return true;
}
if (!$user->hasRight('hrm', 'evaluation', 'read')) {
// the user can't view any evaluations
return false;
}
// the user can only their own evaluations or their subordinates'
return in_array($useridtocheck, $childids);
}
}
// For some object, we also have to check it is public or owned by user
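Review bot: In the last hunk of checkUserAccessToObject, the new `hrm`/`evaluation` branch calls `in_array('evaluation', $feature2)` without the `is_array($feature2)` guard that the `project_task` mapping added earlier in this commit uses, and it reads `$object->fk_user` although the signature defaults `$object` to `0`. If a caller passes only an id or a non-array `$feature2` (not visible here, so to be confirmed), the owner id becomes null and the decision rests on a loose `in_array` against `$childids`, or the call raises a TypeError on PHP 8. I would make the branch fail closed explicitly: `if ($feature == 'hrm' && is_array($feature2) && in_array('evaluation', $feature2, true)) {`, then `$useridtocheck = is_object($object) ? (int) $object->fk_user : 0;` and `return $useridtocheck > 0 && in_array($useridtocheck, $childids);`. The `return true` for `readall` also leaves the function before the public/owner checks that start right after the hunk, and whether `$childids` contains the user's own id is set outside the visible lines, so both deserve a one-line comment. The function body starts and ends outside the hunk.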