Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-12-09 11:08:34 +01:00
Code Issues Packages Projects Releases Wiki Activity

FIX rights paymentsc paiementcharge

Browse Source
This commit is contained in:
Quentin VIAL-GOUTEYRON
2023-09-26 14:54:15 +02:00
parent 8cfac1a901
commit f4c6beac74
1 changed files with 7 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
htdocs/core/lib/security.lib.php
View File

@@ -397,6 +397,10 @@ function restrictedArea(User $user, $features, $object = 0, $tableandshare = '',
if ($features == 'product') { if ($features == 'product') {
$features = 'produit'; $features = 'produit';
} }
if ($features == 'payment_sc') {
$tableandshare = 'paiementcharge';
$parentfortableentity = 'fk_charge@chargesociales';
}
// Get more permissions checks from hooks // Get more permissions checks from hooks
$parameters = array('features'=>$features, 'originalfeatures'=>$originalfeatures, 'objectid'=>$objectid, 'dbt_select'=>$dbt_select, 'idtype'=>$dbt_select, 'isdraft'=>$isdraft); $parameters = array('features'=>$features, 'originalfeatures'=>$originalfeatures, 'objectid'=>$objectid, 'dbt_select'=>$dbt_select, 'idtype'=>$dbt_select, 'isdraft'=>$isdraft);
@@ -804,7 +808,6 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
$params = explode('&', $tableandshare); $params = explode('&', $tableandshare);
$dbtablename = (!empty($params[0]) ? $params[0] : ''); $dbtablename = (!empty($params[0]) ? $params[0] : '');
$sharedelement = (!empty($params[1]) ? $params[1] : $dbtablename); $sharedelement = (!empty($params[1]) ? $params[1] : $dbtablename);
foreach ($featuresarray as $feature) { foreach ($featuresarray as $feature) {
$sql = ''; $sql = '';
@@ -820,14 +823,13 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
if ($feature == 'task') { if ($feature == 'task') {
$feature = 'projet_task'; $feature = 'projet_task';
} }
if ($feature == 'payment_sc') { if ($feature == 'payment_sc') {
$feature = "chargesociales"; $feature = 'paiementcharge';
} }
$checkonentitydone = 0; $checkonentitydone = 0;
// Array to define rules of checks to do // Array to define rules of checks to do
$check = array('adherent', 'banque', 'bom', 'don', 'mrp', 'user', 'usergroup', 'payment', 'payment_supplier', 'product', 'produit', 'service', 'produit|service', 'categorie', 'resource', 'expensereport', 'holiday', 'salaries', 'website', 'recruitment','chargesociales'); // Test on entity only (Objects with no link to company) $check = array('adherent', 'banque', 'bom', 'don', 'mrp', 'user', 'usergroup', 'payment', 'payment_supplier', 'product', 'produit', 'service', 'produit|service', 'categorie', 'resource', 'expensereport', 'holiday', 'salaries', 'website', 'recruitment','chargesociales', 'paiementcharge'); // Test on entity only (Objects with no link to company)
$checksoc = array('societe'); // Test for object Societe $checksoc = array('societe'); // Test for object Societe
$checkother = array('contact', 'agenda', 'contrat'); // Test on entity + link to third party on field $dbt_keyfield. Allowed if link is empty (Ex: contacts...). $checkother = array('contact', 'agenda', 'contrat'); // Test on entity + link to third party on field $dbt_keyfield. Allowed if link is empty (Ex: contacts...).
$checkproject = array('projet', 'project'); // Test for project object $checkproject = array('projet', 'project'); // Test for project object
@@ -848,7 +850,6 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
if ($dbt_select != 'rowid' && $dbt_select != 'id') { if ($dbt_select != 'rowid' && $dbt_select != 'id') {
$objectid = "'".$objectid."'"; // Note: $objectid was already cast into int at begin of this method. $objectid = "'".$objectid."'"; // Note: $objectid was already cast into int at begin of this method.
} }
// Check permission for objectid on entity only // Check permission for objectid on entity only
if (in_array($feature, $check) && $objectid > 0) { // For $objectid = 0, no check if (in_array($feature, $check) && $objectid > 0) { // For $objectid = 0, no check
$sql = "SELECT COUNT(dbt.".$dbt_select.") as nb"; $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
@@ -1016,7 +1017,7 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
$sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")"; $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
} }
} }
//print $sql;
// For events, check on users assigned to event // For events, check on users assigned to event
if ($feature === 'agenda' && $objectid > 0) { if ($feature === 'agenda' && $objectid > 0) {