2008-04-29 23:13:49 +02:00
< ? php
2011-03-30 09:55:22 +02:00
/* Copyright ( C ) 2008 - 2011 Laurent Destailleur < eldy @ users . sourceforge . net >
2018-10-27 14:43:12 +02:00
* Copyright ( C ) 2008 - 2017 Regis Houssin < regis . houssin @ inodbox . com >
2020-08-03 11:17:30 +02:00
* Copyright ( C ) 2020 Ferran Marcet < fmarcet @ 2 byte . es >
2008-04-29 23:13:49 +02:00
*
* This program is free software ; you can redistribute it and / or modify
* it under the terms of the GNU General Public License as published by
2013-01-16 15:36:08 +01:00
* the Free Software Foundation ; either version 3 of the License , or
2008-04-29 23:13:49 +02:00
* ( at your option ) any later version .
*
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU General Public License for more details .
*
* You should have received a copy of the GNU General Public License
2019-09-23 21:55:30 +02:00
* along with this program . If not , see < https :// www . gnu . org / licenses />.
* or see https :// www . gnu . org /
2008-04-29 23:13:49 +02:00
*/
/**
2011-10-24 10:45:06 +02:00
* \file htdocs / core / lib / security . lib . php
2011-09-24 15:44:04 +02:00
* \ingroup core
2012-02-12 17:41:28 +01:00
* \brief Set of function used for dolibarr security ( common function included into filefunc . inc . php )
2011-09-24 15:44:04 +02:00
* Warning , this file must not depends on other library files , except function . lib . php
* because it is used at low code level .
2008-11-17 01:02:57 +01:00
*/
2008-04-29 23:13:49 +02:00
/**
2018-04-19 12:03:42 +02:00
* Encode a string with base 64 algorithm + specific delta change .
2011-09-16 19:06:10 +02:00
*
2012-02-19 19:14:17 +01:00
* @ param string $chain string to encode
2018-04-19 12:03:42 +02:00
* @ param string $key rule to use for delta ( '0' , '1' or 'myownkey' )
2012-02-19 19:14:17 +01:00
* @ return string encoded string
2019-03-11 01:01:15 +01:00
* @ see dol_decode ()
2008-04-29 23:13:49 +02:00
*/
2019-01-27 15:20:16 +01:00
function dol_encode ( $chain , $key = '1' )
2008-04-29 23:13:49 +02:00
{
2021-02-23 22:03:23 +01:00
if ( is_numeric ( $key ) && $key == '1' ) { // rule 1 is offset of 17 for char
2019-11-26 12:52:04 +01:00
$output_tab = array ();
$strlength = dol_strlen ( $chain );
2021-02-23 22:03:23 +01:00
for ( $i = 0 ; $i < $strlength ; $i ++ ) {
2019-11-26 12:52:04 +01:00
$output_tab [ $i ] = chr ( ord ( substr ( $chain , $i , 1 )) + 17 );
2018-04-19 12:03:42 +02:00
}
2019-01-27 11:55:16 +01:00
$chain = implode ( " " , $output_tab );
2021-02-23 22:03:23 +01:00
} elseif ( $key ) {
2019-11-26 12:52:04 +01:00
$result = '' ;
$strlength = dol_strlen ( $chain );
2021-02-23 22:03:23 +01:00
for ( $i = 0 ; $i < $strlength ; $i ++ ) {
2019-11-26 12:52:04 +01:00
$keychar = substr ( $key , ( $i % strlen ( $key )) - 1 , 1 );
$result .= chr ( ord ( substr ( $chain , $i , 1 )) + ( ord ( $keychar ) - 65 ));
2018-04-19 12:03:42 +02:00
}
2019-11-26 12:52:04 +01:00
$chain = $result ;
2008-04-29 23:13:49 +02:00
}
2018-04-19 12:03:42 +02:00
return base64_encode ( $chain );
2008-04-29 23:13:49 +02:00
}
/**
2018-04-19 12:03:42 +02:00
* Decode a base 64 encoded + specific delta change .
2012-02-19 19:14:17 +01:00
* This function is called by filefunc . inc . php at each page call .
2011-09-16 19:06:10 +02:00
*
2012-02-19 19:14:17 +01:00
* @ param string $chain string to decode
2018-04-19 12:03:42 +02:00
* @ param string $key rule to use for delta ( '0' , '1' or 'myownkey' )
2012-02-19 19:14:17 +01:00
* @ return string decoded string
2019-03-11 01:01:15 +01:00
* @ see dol_encode ()
2008-04-29 23:13:49 +02:00
*/
2019-01-27 15:20:16 +01:00
function dol_decode ( $chain , $key = '1' )
2008-04-29 23:13:49 +02:00
{
$chain = base64_decode ( $chain );
2021-02-23 22:03:23 +01:00
if ( is_numeric ( $key ) && $key == '1' ) { // rule 1 is offset of 17 for char
2019-11-26 12:52:04 +01:00
$output_tab = array ();
$strlength = dol_strlen ( $chain );
2021-02-23 22:03:23 +01:00
for ( $i = 0 ; $i < $strlength ; $i ++ ) {
2019-11-26 12:52:04 +01:00
$output_tab [ $i ] = chr ( ord ( substr ( $chain , $i , 1 )) - 17 );
2018-04-19 12:03:42 +02:00
}
2019-01-27 11:55:16 +01:00
$chain = implode ( " " , $output_tab );
2021-02-23 22:03:23 +01:00
} elseif ( $key ) {
2019-11-26 12:52:04 +01:00
$result = '' ;
$strlength = dol_strlen ( $chain );
2021-02-23 22:03:23 +01:00
for ( $i = 0 ; $i < $strlength ; $i ++ ) {
2019-11-26 12:52:04 +01:00
$keychar = substr ( $key , ( $i % strlen ( $key )) - 1 , 1 );
$result .= chr ( ord ( substr ( $chain , $i , 1 )) - ( ord ( $keychar ) - 65 ));
2018-04-19 12:03:42 +02:00
}
2019-11-26 12:52:04 +01:00
$chain = $result ;
2008-04-29 23:13:49 +02:00
}
2018-04-19 12:03:42 +02:00
return $chain ;
2008-04-29 23:13:49 +02:00
}
2008-11-17 01:02:57 +01:00
2011-05-03 12:53:44 +02:00
/**
2013-11-06 16:32:25 +01:00
* Returns a hash of a string .
2018-02-23 14:38:41 +01:00
* If constant MAIN_SECURITY_HASH_ALGO is defined , we use this function as hashing function ( recommanded value is 'password_hash' )
* If constant MAIN_SECURITY_SALT is defined , we use it as a salt ( used only if hashing algorightm is something else than 'password_hash' ) .
2011-09-16 19:06:10 +02:00
*
* @ param string $chain String to hash
2020-02-23 23:37:46 +01:00
* @ param string $type Type of hash ( '0' : auto will use MAIN_SECURITY_HASH_ALGO else md5 , '1' : sha1 , '2' : sha1 + md5 , '3' : md5 , '4' : md5 for OpenLdap with no salt , '5' : sha256 ) . Use '3' here , if hash is not needed for security purpose , for security need , prefer '0' .
2011-09-16 19:06:10 +02:00
* @ return string Hash of string
2019-04-22 14:12:58 +02:00
* @ see getRandomPassword ()
2011-05-03 12:53:44 +02:00
*/
2019-01-27 15:20:16 +01:00
function dol_hash ( $chain , $type = '0' )
2011-05-03 12:53:44 +02:00
{
2013-11-04 10:45:43 +01:00
global $conf ;
2013-11-06 16:32:25 +01:00
2018-01-15 00:33:25 +01:00
// No need to add salt for password_hash
2021-02-23 22:03:23 +01:00
if (( $type == '0' || $type == 'auto' ) && ! empty ( $conf -> global -> MAIN_SECURITY_HASH_ALGO ) && $conf -> global -> MAIN_SECURITY_HASH_ALGO == 'password_hash' && function_exists ( 'password_hash' )) {
2018-02-23 14:38:41 +01:00
return password_hash ( $chain , PASSWORD_DEFAULT );
}
2018-01-15 00:33:25 +01:00
2013-11-04 10:47:24 +01:00
// Salt value
2021-02-23 22:03:23 +01:00
if ( ! empty ( $conf -> global -> MAIN_SECURITY_SALT ) && $type != '4' && $type !== 'md5openldap' ) {
$chain = $conf -> global -> MAIN_SECURITY_SALT . $chain ;
}
2013-11-06 16:32:25 +01:00
2021-02-23 22:03:23 +01:00
if ( $type == '1' || $type == 'sha1' ) {
return sha1 ( $chain );
} elseif ( $type == '2' || $type == 'sha1md5' ) {
return sha1 ( md5 ( $chain ));
} elseif ( $type == '3' || $type == 'md5' ) {
return md5 ( $chain );
} elseif ( $type == '4' || $type == 'md5openldap' ) {
return '{md5}' . base64_encode ( mhash ( MHASH_MD5 , $chain )); // For OpenLdap with md5 (based on an unencrypted password in base)
} elseif ( $type == '5' ) {
return hash ( 'sha256' , $chain );
} elseif ( ! empty ( $conf -> global -> MAIN_SECURITY_HASH_ALGO ) && $conf -> global -> MAIN_SECURITY_HASH_ALGO == 'sha1' ) {
return sha1 ( $chain );
} elseif ( ! empty ( $conf -> global -> MAIN_SECURITY_HASH_ALGO ) && $conf -> global -> MAIN_SECURITY_HASH_ALGO == 'sha1md5' ) {
return sha1 ( md5 ( $chain ));
}
2014-10-18 16:08:15 +02:00
2017-11-03 20:04:18 +01:00
// No particular encoding defined, use default
2014-10-18 16:08:15 +02:00
return md5 ( $chain );
2011-05-03 12:53:44 +02:00
}
2018-01-15 00:33:25 +01:00
/**
* Compute a hash and compare it to the given one
* For backward compatibility reasons , if the hash is not in the password_hash format , we will try to match against md5 and sha1md5
* If constant MAIN_SECURITY_HASH_ALGO is defined , we use this function as hashing function .
* If constant MAIN_SECURITY_SALT is defined , we use it as a salt .
*
2018-12-04 18:07:02 +01:00
* @ param string $chain String to hash ( not hashed string )
2018-01-15 00:33:25 +01:00
* @ param string $hash hash to compare
* @ param string $type Type of hash ( '0' : auto , '1' : sha1 , '2' : sha1 + md5 , '3' : md5 , '4' : md5 for OpenLdap , '5' : sha256 ) . Use '3' here , if hash is not needed for security purpose , for security need , prefer '0' .
* @ return bool True if the computed hash is the same as the given one
*/
2019-01-27 15:20:16 +01:00
function dol_verifyHash ( $chain , $hash , $type = '0' )
2018-01-15 00:33:25 +01:00
{
global $conf ;
2019-11-26 12:52:04 +01:00
if ( $type == '0' && ! empty ( $conf -> global -> MAIN_SECURITY_HASH_ALGO ) && $conf -> global -> MAIN_SECURITY_HASH_ALGO == 'password_hash' && function_exists ( 'password_verify' )) {
2021-02-23 22:03:23 +01:00
if ( $hash [ 0 ] == '$' ) {
return password_verify ( $chain , $hash );
} elseif ( strlen ( $hash ) == 32 ) {
return dol_verifyHash ( $chain , $hash , '3' ); // md5
} elseif ( strlen ( $hash ) == 40 ) {
return dol_verifyHash ( $chain , $hash , '2' ); // sha1md5
}
2018-01-15 00:33:25 +01:00
return false ;
}
return dol_hash ( $chain , $type ) == $hash ;
}
2012-02-12 17:41:28 +01:00
/**
* Check permissions of a user to show a page and an object . Check read permission .
2017-05-16 13:27:32 +02:00
* If GETPOST ( 'action' , 'aZ09' ) defined , we also check write and delete permission .
2021-02-19 12:35:26 +01:00
* This method check permission on module then call checkUserAccessToObject () for permission on object ( according to entity and socid of user ) .
2012-02-12 17:41:28 +01:00
*
* @ param User $user User to check
2020-02-07 11:53:09 +01:00
* @ param string $features Features to check ( it must be module $object -> element . Examples : 'societe' , 'contact' , 'produit&service' , 'produit|service' , ... )
2014-03-05 09:57:36 +01:00
* @ param int $objectid Object ID if we want to check a particular record ( optional ) is linked to a owned thirdparty ( optional ) .
2020-06-07 23:00:38 +02:00
* @ param string $tableandshare 'TableName&SharedElement' with Tablename is table where object is stored . SharedElement is an optional key to define where to check entity for multicompany module . Param not used if objectid is null ( optional ) .
2020-01-31 14:53:47 +01:00
* @ param string $feature2 Feature to check , second level of permission ( optional ) . Can be a 'or' check with 'sublevela|sublevelb' .
2014-03-05 09:57:36 +01:00
* @ param string $dbt_keyfield Field name for socid foreign key if not fk_soc . Not used if objectid is null ( optional )
* @ param string $dbt_select Field name for select if not rowid . Not used if objectid is null ( optional )
2018-10-29 18:19:40 +01:00
* @ param int $isdraft 1 = The object with id = $objectid is a draft
2012-02-12 17:41:28 +01:00
* @ return int Always 1 , die process if not allowed
2021-02-19 12:35:26 +01:00
* @ see dol_check_secure_access_document (), checkUserAccessToObject ()
2012-02-12 17:41:28 +01:00
*/
2019-01-27 15:20:16 +01:00
function restrictedArea ( $user , $features , $objectid = 0 , $tableandshare = '' , $feature2 = '' , $dbt_keyfield = 'fk_soc' , $dbt_select = 'rowid' , $isdraft = 0 )
2012-02-12 17:41:28 +01:00
{
2018-05-10 11:30:27 +02:00
global $db , $conf ;
global $hookmanager ;
2012-02-12 17:41:28 +01:00
2021-02-19 12:35:26 +01:00
//dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename, $feature2, $dbt_socfield, $dbt_select, $isdraft");
2018-10-29 18:19:40 +01:00
//print "user_id=".$user->id.", features=".$features.", feature2=".$feature2.", objectid=".$objectid;
//print ", dbtablename=".$dbtablename.", dbt_socfield=".$dbt_keyfield.", dbt_select=".$dbt_select;
//print ", perm: ".$features."->".$feature2."=".($user->rights->$features->$feature2->lire)."<br>";
2012-02-12 17:41:28 +01:00
2020-06-07 23:00:38 +02:00
$parentfortableentity = '' ;
2021-02-19 12:35:26 +01:00
// Fix syntax of $features param
$originalfeatures = $features ;
2021-02-23 22:03:23 +01:00
if ( $features == 'facturerec' ) {
$features = 'facture' ;
}
if ( $features == 'mo' ) {
$features = 'mrp' ;
}
if ( $features == 'member' ) {
$features = 'adherent' ;
}
if ( $features == 'subscription' ) {
2021-03-01 20:37:16 +01:00
$features = 'adherent' ;
$feature2 = 'cotisation' ;
2021-02-23 22:03:23 +01:00
};
if ( $features == 'websitepage' ) {
2021-03-01 20:37:16 +01:00
$features = 'website' ;
$tableandshare = 'website_page' ;
$parentfortableentity = 'fk_website@website' ;
2021-02-23 22:03:23 +01:00
}
if ( $features == 'project' ) {
$features = 'projet' ;
}
if ( $features == 'product' ) {
$features = 'produit' ;
}
2020-02-07 11:53:09 +01:00
2018-05-10 11:30:27 +02:00
// Get more permissions checks from hooks
2021-02-19 12:35:26 +01:00
$parameters = array ( 'features' => $features , 'originalfeatures' => $originalfeatures , 'objectid' => $objectid , 'dbt_select' => $dbt_select , 'idtype' => $dbt_select , 'isdraft' => $isdraft );
2019-11-26 12:52:04 +01:00
$reshook = $hookmanager -> executeHooks ( 'restrictedArea' , $parameters );
2020-03-08 18:26:41 +01:00
if ( isset ( $hookmanager -> resArray [ 'result' ])) {
2021-02-23 22:03:23 +01:00
if ( $hookmanager -> resArray [ 'result' ] == 0 ) {
accessforbidden (); // Module returns 0, so access forbidden
}
2020-03-08 18:26:41 +01:00
}
if ( $reshook > 0 ) { // No other test done.
return 1 ;
}
2018-05-10 12:29:58 +02:00
2021-02-23 22:03:23 +01:00
if ( $dbt_select != 'rowid' && $dbt_select != 'id' ) {
$objectid = " ' " . $objectid . " ' " ;
}
2018-05-10 12:34:23 +02:00
// Features/modules to check
2018-10-29 18:19:40 +01:00
$featuresarray = array ( $features );
2021-02-23 22:03:23 +01:00
if ( preg_match ( '/&/' , $features )) {
$featuresarray = explode ( " & " , $features );
} elseif ( preg_match ( '/\|/' , $features )) {
$featuresarray = explode ( " | " , $features );
}
2012-02-12 17:41:28 +01:00
2018-10-29 18:19:40 +01:00
// More subfeatures to check
2021-02-23 22:03:23 +01:00
if ( ! empty ( $feature2 )) {
$feature2 = explode ( " | " , $feature2 );
}
2012-02-12 17:41:28 +01:00
2019-11-26 12:52:04 +01:00
$listofmodules = explode ( ',' , $conf -> global -> MAIN_MODULES_FOR_EXTERNAL );
2013-01-02 18:43:59 +01:00
// Check read permission from module
2021-03-01 20:37:16 +01:00
$readok = 1 ;
$nbko = 0 ;
2020-06-29 13:48:00 +02:00
foreach ( $featuresarray as $feature ) { // first we check nb of test ko
2019-11-26 12:52:04 +01:00
$featureforlistofmodule = $feature ;
2021-02-23 22:03:23 +01:00
if ( $featureforlistofmodule == 'produit' ) {
$featureforlistofmodule = 'product' ;
}
2020-06-29 13:48:00 +02:00
if ( ! empty ( $user -> socid ) && ! empty ( $conf -> global -> MAIN_MODULES_FOR_EXTERNAL ) && ! in_array ( $featureforlistofmodule , $listofmodules )) { // If limits on modules for external users, module must be into list of modules for external users
2021-03-01 20:37:16 +01:00
$readok = 0 ;
$nbko ++ ;
2018-10-29 18:19:40 +01:00
continue ;
}
2012-02-12 17:41:28 +01:00
2020-06-29 13:48:00 +02:00
if ( $feature == 'societe' ) {
2021-02-23 22:03:23 +01:00
if ( ! $user -> rights -> societe -> lire && ! $user -> rights -> fournisseur -> lire ) {
2021-03-01 20:37:16 +01:00
$readok = 0 ;
$nbko ++ ;
2021-02-23 22:03:23 +01:00
}
2020-06-29 13:48:00 +02:00
} elseif ( $feature == 'contact' ) {
2021-02-23 22:03:23 +01:00
if ( ! $user -> rights -> societe -> contact -> lire ) {
2021-03-01 20:37:16 +01:00
$readok = 0 ;
$nbko ++ ;
2021-02-23 22:03:23 +01:00
}
2020-06-29 13:48:00 +02:00
} elseif ( $feature == 'produit|service' ) {
2021-02-23 22:03:23 +01:00
if ( ! $user -> rights -> produit -> lire && ! $user -> rights -> service -> lire ) {
2021-03-01 20:37:16 +01:00
$readok = 0 ;
$nbko ++ ;
2021-02-23 22:03:23 +01:00
}
2020-06-29 13:48:00 +02:00
} elseif ( $feature == 'prelevement' ) {
2021-02-23 22:03:23 +01:00
if ( ! $user -> rights -> prelevement -> bons -> lire ) {
2021-03-01 20:37:16 +01:00
$readok = 0 ;
$nbko ++ ;
2021-02-23 22:03:23 +01:00
}
2020-06-29 13:48:00 +02:00
} elseif ( $feature == 'cheque' ) {
2021-02-23 22:03:23 +01:00
if ( ! $user -> rights -> banque -> cheque ) {
2021-03-01 20:37:16 +01:00
$readok = 0 ;
$nbko ++ ;
2021-02-23 22:03:23 +01:00
}
2020-06-29 13:48:00 +02:00
} elseif ( $feature == 'projet' ) {
2021-02-23 22:03:23 +01:00
if ( ! $user -> rights -> projet -> lire && ! $user -> rights -> projet -> all -> lire ) {
2021-03-01 20:37:16 +01:00
$readok = 0 ;
$nbko ++ ;
2021-02-23 22:03:23 +01:00
}
2021-02-19 12:35:26 +01:00
} elseif ( $feature == 'payment' ) {
2021-02-23 22:03:23 +01:00
if ( ! $user -> rights -> facture -> lire ) {
2021-03-01 20:37:16 +01:00
$readok = 0 ;
$nbko ++ ;
2021-02-23 22:03:23 +01:00
}
2021-02-19 12:35:26 +01:00
} elseif ( $feature == 'payment_supplier' ) {
2021-02-23 22:03:23 +01:00
if ( ! $user -> rights -> fournisseur -> facture -> lire ) {
2021-03-01 20:37:16 +01:00
$readok = 0 ;
$nbko ++ ;
2021-02-23 22:03:23 +01:00
}
2020-06-29 13:48:00 +02:00
} elseif ( ! empty ( $feature2 )) { // This is for permissions on 2 levels
2019-11-26 12:52:04 +01:00
$tmpreadok = 1 ;
2020-06-29 13:48:00 +02:00
foreach ( $feature2 as $subfeature ) {
2021-02-23 22:03:23 +01:00
if ( $subfeature == 'user' && $user -> id == $objectid ) {
continue ; // A user can always read its own card
}
if ( ! empty ( $subfeature ) && empty ( $user -> rights -> $feature -> $subfeature -> lire ) && empty ( $user -> rights -> $feature -> $subfeature -> read )) {
$tmpreadok = 0 ;
} elseif ( empty ( $subfeature ) && empty ( $user -> rights -> $feature -> lire ) && empty ( $user -> rights -> $feature -> read )) {
$tmpreadok = 0 ;
} else {
2021-03-01 20:37:16 +01:00
$tmpreadok = 1 ;
break ;
2021-02-23 22:03:23 +01:00
} // Break is to bypass second test if the first is ok
2018-10-29 18:19:40 +01:00
}
2020-06-29 13:48:00 +02:00
if ( ! $tmpreadok ) { // We found a test on feature that is ko
2019-11-26 12:52:04 +01:00
$readok = 0 ; // All tests are ko (we manage here the and, the or will be managed later using $nbko).
2018-10-29 18:19:40 +01:00
$nbko ++ ;
}
2020-06-29 13:48:00 +02:00
} elseif ( ! empty ( $feature ) && ( $feature != 'user' && $feature != 'usergroup' )) { // This is permissions on 1 level
2018-10-29 18:19:40 +01:00
if ( empty ( $user -> rights -> $feature -> lire )
&& empty ( $user -> rights -> $feature -> read )
2021-02-23 22:03:23 +01:00
&& empty ( $user -> rights -> $feature -> run )) {
2021-03-01 20:37:16 +01:00
$readok = 0 ;
$nbko ++ ;
2021-02-23 22:03:23 +01:00
}
2018-10-29 18:19:40 +01:00
}
}
2014-05-10 18:57:04 +02:00
2018-10-29 18:19:40 +01:00
// If a or and at least one ok
2021-02-23 22:03:23 +01:00
if ( preg_match ( '/\|/' , $features ) && $nbko < count ( $featuresarray )) {
$readok = 1 ;
}
2012-02-12 17:41:28 +01:00
2021-02-23 22:03:23 +01:00
if ( ! $readok ) {
accessforbidden ();
}
2018-10-29 18:19:40 +01:00
//print "Read access is ok";
2012-02-12 17:41:28 +01:00
2020-06-17 13:29:43 +02:00
// Check write permission from module (we need to know write permission to create but also to delete drafts record or to upload files)
2021-03-01 20:37:16 +01:00
$createok = 1 ;
$nbko = 0 ;
2020-06-17 13:29:43 +02:00
$wemustcheckpermissionforcreate = ( GETPOST ( 'sendit' , 'alpha' ) || GETPOST ( 'linkit' , 'alpha' ) || GETPOST ( 'action' , 'aZ09' ) == 'create' || GETPOST ( 'action' , 'aZ09' ) == 'update' );
$wemustcheckpermissionfordeletedraft = (( GETPOST ( " action " , " aZ09 " ) == 'confirm_delete' && GETPOST ( " confirm " , " aZ09 " ) == 'yes' ) || GETPOST ( " action " , " aZ09 " ) == 'delete' );
2021-02-23 22:03:23 +01:00
if ( $wemustcheckpermissionforcreate || $wemustcheckpermissionfordeletedraft ) {
foreach ( $featuresarray as $feature ) {
2020-06-29 13:48:00 +02:00
if ( $feature == 'contact' ) {
2021-02-23 22:03:23 +01:00
if ( ! $user -> rights -> societe -> contact -> creer ) {
2021-03-01 20:37:16 +01:00
$createok = 0 ;
$nbko ++ ;
2021-02-23 22:03:23 +01:00
}
2020-06-29 13:48:00 +02:00
} elseif ( $feature == 'produit|service' ) {
2021-02-23 22:03:23 +01:00
if ( ! $user -> rights -> produit -> creer && ! $user -> rights -> service -> creer ) {
2021-03-01 20:37:16 +01:00
$createok = 0 ;
$nbko ++ ;
2021-02-23 22:03:23 +01:00
}
2020-06-29 13:48:00 +02:00
} elseif ( $feature == 'prelevement' ) {
2021-02-23 22:03:23 +01:00
if ( ! $user -> rights -> prelevement -> bons -> creer ) {
2021-03-01 20:37:16 +01:00
$createok = 0 ;
$nbko ++ ;
2021-02-23 22:03:23 +01:00
}
2020-06-29 13:48:00 +02:00
} elseif ( $feature == 'commande_fournisseur' ) {
2021-04-12 09:47:16 +02:00
if ( ! $user -> rights -> fournisseur -> commande -> creer || ! $user -> rights -> supplier_order -> creer ) {
2021-03-01 20:37:16 +01:00
$createok = 0 ;
$nbko ++ ;
2021-02-23 22:03:23 +01:00
}
2020-06-29 13:48:00 +02:00
} elseif ( $feature == 'banque' ) {
2021-02-23 22:03:23 +01:00
if ( ! $user -> rights -> banque -> modifier ) {
2021-03-01 20:37:16 +01:00
$createok = 0 ;
$nbko ++ ;
2021-02-23 22:03:23 +01:00
}
2020-06-29 13:48:00 +02:00
} elseif ( $feature == 'cheque' ) {
2021-02-23 22:03:23 +01:00
if ( ! $user -> rights -> banque -> cheque ) {
2021-03-01 20:37:16 +01:00
$createok = 0 ;
$nbko ++ ;
2021-02-23 22:03:23 +01:00
}
2020-06-25 16:59:48 +02:00
} elseif ( $feature == 'import' ) {
2021-02-23 22:03:23 +01:00
if ( ! $user -> rights -> import -> run ) {
2021-03-01 20:37:16 +01:00
$createok = 0 ;
$nbko ++ ;
2021-02-23 22:03:23 +01:00
}
2020-06-29 13:48:00 +02:00
} elseif ( $feature == 'ecm' ) {
2021-02-23 22:03:23 +01:00
if ( ! $user -> rights -> ecm -> upload ) {
2021-03-01 20:37:16 +01:00
$createok = 0 ;
$nbko ++ ;
2021-02-23 22:03:23 +01:00
}
2020-06-29 18:06:42 +02:00
} elseif ( ! empty ( $feature2 )) { // This is for permissions on one level
2020-06-29 13:48:00 +02:00
foreach ( $feature2 as $subfeature ) {
2021-02-23 22:03:23 +01:00
if ( $subfeature == 'user' && $user -> id == $objectid && $user -> rights -> user -> self -> creer ) {
continue ; // User can edit its own card
}
if ( $subfeature == 'user' && $user -> id == $objectid && $user -> rights -> user -> self -> password ) {
continue ; // User can edit its own password
}
2020-02-12 17:28:18 +01:00
2018-10-29 18:19:40 +01:00
if ( empty ( $user -> rights -> $feature -> $subfeature -> creer )
2019-10-27 11:53:20 +01:00
&& empty ( $user -> rights -> $feature -> $subfeature -> write )
&& empty ( $user -> rights -> $feature -> $subfeature -> create )) {
2019-11-26 12:52:04 +01:00
$createok = 0 ;
2019-10-27 11:53:20 +01:00
$nbko ++ ;
} else {
2019-11-26 12:52:04 +01:00
$createok = 1 ;
2019-10-27 11:53:20 +01:00
// Break to bypass second test if the first is ok
break ;
}
2018-10-29 18:19:40 +01:00
}
2020-09-07 10:18:17 +02:00
} elseif ( ! empty ( $feature )) { // This is for permissions on 2 levels ('creer' or 'write')
2020-06-29 13:48:00 +02:00
//print '<br>feature='.$feature.' creer='.$user->rights->$feature->creer.' write='.$user->rights->$feature->write; exit;
2018-10-29 18:19:40 +01:00
if ( empty ( $user -> rights -> $feature -> creer )
2019-10-27 11:53:20 +01:00
&& empty ( $user -> rights -> $feature -> write )
&& empty ( $user -> rights -> $feature -> create )) {
2019-11-26 12:52:04 +01:00
$createok = 0 ;
2019-10-27 11:53:20 +01:00
$nbko ++ ;
}
2018-10-29 18:19:40 +01:00
}
}
2012-02-12 17:41:28 +01:00
2018-10-29 18:19:40 +01:00
// If a or and at least one ok
2021-02-23 22:03:23 +01:00
if ( preg_match ( '/\|/' , $features ) && $nbko < count ( $featuresarray )) {
$createok = 1 ;
}
2012-02-12 17:41:28 +01:00
2021-02-23 22:03:23 +01:00
if ( $wemustcheckpermissionforcreate && ! $createok ) {
accessforbidden ();
}
2018-10-29 18:19:40 +01:00
//print "Write access is ok";
}
2012-02-12 17:41:28 +01:00
2018-10-29 18:19:40 +01:00
// Check create user permission
2019-11-26 12:52:04 +01:00
$createuserok = 1 ;
2021-02-23 22:03:23 +01:00
if ( GETPOST ( 'action' , 'aZ09' ) == 'confirm_create_user' && GETPOST ( " confirm " , 'aZ09' ) == 'yes' ) {
if ( ! $user -> rights -> user -> user -> creer ) {
$createuserok = 0 ;
}
2018-10-29 18:19:40 +01:00
2021-02-23 22:03:23 +01:00
if ( ! $createuserok ) {
accessforbidden ();
}
2018-10-29 18:19:40 +01:00
//print "Create user access is ok";
}
// Check delete permission from module
2021-03-01 20:37:16 +01:00
$deleteok = 1 ;
$nbko = 0 ;
2021-02-23 22:03:23 +01:00
if (( GETPOST ( " action " , " aZ09 " ) == 'confirm_delete' && GETPOST ( " confirm " , " aZ09 " ) == 'yes' ) || GETPOST ( " action " , " aZ09 " ) == 'delete' ) {
foreach ( $featuresarray as $feature ) {
if ( $feature == 'contact' ) {
if ( ! $user -> rights -> societe -> contact -> supprimer ) {
$deleteok = 0 ;
2018-10-29 18:19:40 +01:00
}
2021-02-23 22:03:23 +01:00
} elseif ( $feature == 'produit|service' ) {
if ( ! $user -> rights -> produit -> supprimer && ! $user -> rights -> service -> supprimer ) {
$deleteok = 0 ;
}
} elseif ( $feature == 'commande_fournisseur' ) {
if ( ! $user -> rights -> fournisseur -> commande -> supprimer ) {
$deleteok = 0 ;
}
2021-05-11 20:34:46 +02:00
} elseif ( $feature == 'payment_supplier' ) {
if ( ! $user -> rights -> fournisseur -> facture -> creer ) {
$deleteok = 0 ;
}
2021-02-23 22:03:23 +01:00
} elseif ( $feature == 'banque' ) {
if ( ! $user -> rights -> banque -> modifier ) {
$deleteok = 0 ;
}
} elseif ( $feature == 'cheque' ) {
if ( ! $user -> rights -> banque -> cheque ) {
$deleteok = 0 ;
}
} elseif ( $feature == 'ecm' ) {
if ( ! $user -> rights -> ecm -> upload ) {
$deleteok = 0 ;
}
} elseif ( $feature == 'ftp' ) {
if ( ! $user -> rights -> ftp -> write ) {
$deleteok = 0 ;
}
} elseif ( $feature == 'salaries' ) {
if ( ! $user -> rights -> salaries -> delete ) {
$deleteok = 0 ;
}
} elseif ( $feature == 'salaries' ) {
if ( ! $user -> rights -> salaries -> delete ) {
$deleteok = 0 ;
}
} elseif ( ! empty ( $feature2 )) { // This is for permissions on 2 levels
foreach ( $feature2 as $subfeature ) {
if ( empty ( $user -> rights -> $feature -> $subfeature -> supprimer ) && empty ( $user -> rights -> $feature -> $subfeature -> delete )) {
$deleteok = 0 ;
} else {
2021-03-01 20:37:16 +01:00
$deleteok = 1 ;
break ;
2021-02-23 22:03:23 +01:00
} // For bypass the second test if the first is ok
2018-10-29 18:19:40 +01:00
}
2021-02-23 22:03:23 +01:00
} elseif ( ! empty ( $feature )) { // This is used for permissions on 1 level
2018-10-29 18:19:40 +01:00
//print '<br>feature='.$feature.' creer='.$user->rights->$feature->supprimer.' write='.$user->rights->$feature->delete;
if ( empty ( $user -> rights -> $feature -> supprimer )
&& empty ( $user -> rights -> $feature -> delete )
2021-02-23 22:03:23 +01:00
&& empty ( $user -> rights -> $feature -> run )) {
$deleteok = 0 ;
}
2018-10-29 18:19:40 +01:00
}
}
2012-02-12 17:41:28 +01:00
2018-10-29 18:19:40 +01:00
// If a or and at least one ok
2021-02-23 22:03:23 +01:00
if ( preg_match ( '/\|/' , $features ) && $nbko < count ( $featuresarray )) {
$deleteok = 1 ;
}
2018-10-29 18:19:40 +01:00
2021-02-23 22:03:23 +01:00
if ( ! $deleteok && ! ( $isdraft && $createok )) {
accessforbidden ();
}
2018-10-29 18:19:40 +01:00
//print "Delete access is ok";
}
// If we have a particular object to check permissions on, we check this object
// is linked to a company allowed to $user.
2021-02-23 22:03:23 +01:00
if ( ! empty ( $objectid ) && $objectid > 0 ) {
2020-06-07 23:00:38 +02:00
$ok = checkUserAccessToObject ( $user , $featuresarray , $objectid , $tableandshare , $feature2 , $dbt_keyfield , $dbt_select , $parentfortableentity );
2019-11-26 12:52:04 +01:00
$params = array ( 'objectid' => $objectid , 'features' => join ( ',' , $featuresarray ), 'features2' => $feature2 );
2021-04-29 12:10:55 +02:00
//print 'checkUserAccessToObject ok='.$ok;
2019-11-22 16:13:22 +01:00
return $ok ? 1 : accessforbidden ( '' , 1 , 1 , 0 , $params );
2018-10-29 18:19:40 +01:00
}
return 1 ;
2012-02-12 17:41:28 +01:00
}
2015-05-03 14:41:51 +02:00
/**
2017-01-29 16:42:59 +01:00
* Check access by user to object .
2021-04-08 00:33:25 +02:00
* This function is also called by restrictedArea that check before if module is enabled and permissions of user compared to $action .
2015-05-31 03:30:38 +02:00
*
2020-06-07 23:00:38 +02:00
* @ param User $user User to check
* @ param array $featuresarray Features / modules to check . Example : ( 'user' , 'service' , 'member' , 'project' , 'task' , ... )
* @ param int | string $objectid Object ID if we want to check a particular record ( optional ) is linked to a owned thirdparty ( optional ) .
* @ param string $tableandshare 'TableName&SharedElement' with Tablename is table where object is stored . SharedElement is an optional key to define where to check entity for multicompany modume . Param not used if objectid is null ( optional ) .
* @ param string $feature2 Feature to check , second level of permission ( optional ) . Can be or check with 'level1|level2' .
* @ param string $dbt_keyfield Field name for socid foreign key if not fk_soc . Not used if objectid is null ( optional )
* @ param string $dbt_select Field name for select if not rowid . Not used if objectid is null ( optional )
* @ param string $parenttableforentity Parent table for entity . Example 'fk_website@website'
* @ return bool True if user has access , False otherwise
2019-03-11 01:01:15 +01:00
* @ see restrictedArea ()
2015-05-03 14:41:51 +02:00
*/
2020-06-07 23:00:38 +02:00
function checkUserAccessToObject ( $user , $featuresarray , $objectid = 0 , $tableandshare = '' , $feature2 = '' , $dbt_keyfield = '' , $dbt_select = 'rowid' , $parenttableforentity = '' )
2015-05-03 14:41:51 +02:00
{
global $db , $conf ;
2015-05-31 03:30:38 +02:00
2021-02-19 12:35:26 +01:00
//dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename, $feature2, $dbt_socfield, $dbt_select, $isdraft");
2021-03-23 18:08:44 +01:00
//print "user_id=".$user->id.", features=".join(',', $featuresarray).", feature2=".$feature2.", objectid=".$objectid;
//print ", tableandshare=".$tableandshare.", dbt_socfield=".$dbt_keyfield.", dbt_select=".$dbt_select."<br>";
2021-02-19 12:35:26 +01:00
2015-05-03 14:41:51 +02:00
// More parameters
2015-05-13 09:32:54 +02:00
$params = explode ( '&' , $tableandshare );
2019-11-26 12:52:04 +01:00
$dbtablename = ( ! empty ( $params [ 0 ]) ? $params [ 0 ] : '' );
$sharedelement = ( ! empty ( $params [ 1 ]) ? $params [ 1 ] : $dbtablename );
2015-05-31 03:30:38 +02:00
2021-02-23 22:03:23 +01:00
foreach ( $featuresarray as $feature ) {
2019-11-26 12:52:04 +01:00
$sql = '' ;
2015-05-03 14:41:51 +02:00
2021-04-02 23:23:44 +02:00
//var_dump($feature);
2017-02-03 11:42:49 +01:00
// For backward compatibility
2021-02-23 22:03:23 +01:00
if ( $feature == 'member' ) {
$feature = 'adherent' ;
}
if ( $feature == 'project' ) {
$feature = 'projet' ;
}
if ( $feature == 'task' ) {
$feature = 'projet_task' ;
}
2019-11-26 12:52:04 +01:00
2021-04-02 23:23:44 +02:00
$check = array ( 'adherent' , 'banque' , 'bom' , 'don' , 'mrp' , 'user' , 'usergroup' , 'payment' , 'payment_supplier' , 'product' , 'produit' , 'service' , 'produit|service' , 'categorie' , 'resource' , 'expensereport' , 'holiday' , 'salary' , 'website' ); // Test on entity only (Objects with no link to company)
2019-11-26 12:52:04 +01:00
$checksoc = array ( 'societe' ); // Test for societe object
2021-02-19 12:35:26 +01:00
$checkother = array ( 'contact' , 'agenda' ); // Test on entity + link to third party on field $dbt_keyfield. Allowed if link is empty (Ex: contacts...).
2019-11-26 12:52:04 +01:00
$checkproject = array ( 'projet' , 'project' ); // Test for project object
2021-02-02 00:19:41 +01:00
$checktask = array ( 'projet_task' ); // Test for task object
2019-11-26 12:52:04 +01:00
$nocheck = array ( 'barcode' , 'stock' ); // No test
2021-02-19 12:35:26 +01:00
//$checkdefault = 'all other not already defined'; // Test on entity + link to third party on field $dbt_keyfield. Not allowed if link is empty (Ex: invoice, orders...).
2015-05-03 14:41:51 +02:00
2017-10-17 12:58:26 +02:00
// If dbtablename not defined, we use same name for table than module name
2021-02-23 22:03:23 +01:00
if ( empty ( $dbtablename )) {
2017-10-17 12:58:26 +02:00
$dbtablename = $feature ;
2019-11-26 12:52:04 +01:00
$sharedelement = ( ! empty ( $params [ 1 ]) ? $params [ 1 ] : $dbtablename ); // We change dbtablename, so we set sharedelement too.
2017-10-17 12:58:26 +02:00
}
2015-05-03 14:41:51 +02:00
2021-02-19 12:35:26 +01:00
// Check permission for object on entity only
2021-02-23 22:03:23 +01:00
if ( in_array ( $feature , $check )) {
2017-12-18 15:39:40 +01:00
$sql = " SELECT COUNT(dbt. " . $dbt_select . " ) as nb " ;
2019-11-26 12:52:04 +01:00
$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt " ;
2021-02-19 12:35:26 +01:00
if (( $feature == 'user' || $feature == 'usergroup' ) && ! empty ( $conf -> multicompany -> enabled )) { // Special for multicompany
if ( ! empty ( $conf -> global -> MULTICOMPANY_TRANSVERSE_MODE )) {
if ( $conf -> entity == 1 && $user -> admin && ! $user -> entity ) {
2021-03-22 11:30:18 +01:00
$sql .= " WHERE dbt. " . $dbt_select . " IN ( " . $db -> sanitize ( $objectid , 1 ) . " ) " ;
2019-11-26 12:52:04 +01:00
$sql .= " AND dbt.entity IS NOT NULL " ;
2020-05-21 15:05:19 +02:00
} else {
2019-11-26 12:52:04 +01:00
$sql .= " , " . MAIN_DB_PREFIX . " usergroup_user as ug " ;
2021-03-22 11:30:18 +01:00
$sql .= " WHERE dbt. " . $dbt_select . " IN ( " . $db -> sanitize ( $objectid , 1 ) . " ) " ;
2019-11-26 12:52:04 +01:00
$sql .= " AND ((ug.fk_user = dbt.rowid " ;
$sql .= " AND ug.entity IN ( " . getEntity ( 'usergroup' ) . " )) " ;
$sql .= " OR dbt.entity = 0) " ; // Show always superadmin
2018-07-02 10:09:56 +02:00
}
2020-05-21 15:05:19 +02:00
} else {
2021-03-22 11:30:18 +01:00
$sql .= " WHERE dbt. " . $dbt_select . " IN ( " . $db -> sanitize ( $objectid , 1 ) . " ) " ;
2019-11-26 12:52:04 +01:00
$sql .= " AND dbt.entity IN ( " . getEntity ( $sharedelement , 1 ) . " ) " ;
2018-07-02 10:09:56 +02:00
}
2020-05-21 15:05:19 +02:00
} else {
2020-06-07 23:00:38 +02:00
$reg = array ();
if ( $parenttableforentity && preg_match ( '/(.*)@(.*)/' , $parenttableforentity , $reg )) {
$sql .= " , " . MAIN_DB_PREFIX . $reg [ 2 ] . " as dbtp " ;
2021-03-22 11:30:18 +01:00
$sql .= " WHERE dbt. " . $reg [ 1 ] . " = dbtp.rowid AND dbt. " . $dbt_select . " IN ( " . $db -> sanitize ( $objectid , 1 ) . " ) " ;
2020-06-07 23:00:38 +02:00
$sql .= " AND dbtp.entity IN ( " . getEntity ( $sharedelement , 1 ) . " ) " ;
} else {
2021-03-22 11:30:18 +01:00
$sql .= " WHERE dbt. " . $dbt_select . " IN ( " . $db -> sanitize ( $objectid , 1 ) . " ) " ;
2020-06-07 23:00:38 +02:00
$sql .= " AND dbt.entity IN ( " . getEntity ( $sharedelement , 1 ) . " ) " ;
}
2015-05-03 14:41:51 +02:00
}
2021-02-19 12:35:26 +01:00
} elseif ( in_array ( $feature , $checksoc )) { // We check feature = checksoc
2015-05-03 14:41:51 +02:00
// If external user: Check permission for external users
2021-03-19 00:00:06 +01:00
if ( $user -> socid > 0 ) {
2021-02-23 22:03:23 +01:00
if ( $user -> socid <> $objectid ) {
2021-03-11 16:37:27 +01:00
return false ;
}
2021-02-19 12:35:26 +01:00
} elseif ( ! empty ( $conf -> societe -> enabled ) && ( $user -> rights -> societe -> lire && ! $user -> rights -> societe -> client -> voir )) {
2021-03-11 16:37:27 +01:00
// If internal user: Check permission for internal users that are restricted on their objects
2017-12-18 15:39:40 +01:00
$sql = " SELECT COUNT(sc.fk_soc) as nb " ;
2019-11-26 12:52:04 +01:00
$sql .= " FROM ( " . MAIN_DB_PREFIX . " societe_commerciaux as sc " ;
$sql .= " , " . MAIN_DB_PREFIX . " societe as s) " ;
2021-03-22 11:30:18 +01:00
$sql .= " WHERE sc.fk_soc IN ( " . $db -> sanitize ( $objectid , 1 ) . " ) " ;
2019-11-26 12:52:04 +01:00
$sql .= " AND sc.fk_user = " . $user -> id ;
$sql .= " AND sc.fk_soc = s.rowid " ;
$sql .= " AND s.entity IN ( " . getEntity ( $sharedelement , 1 ) . " ) " ;
2021-02-19 12:35:26 +01:00
} elseif ( ! empty ( $conf -> multicompany -> enabled )) {
// If multicompany and internal users with all permissions, check user is in correct entity
2017-12-18 15:39:40 +01:00
$sql = " SELECT COUNT(s.rowid) as nb " ;
2019-11-26 12:52:04 +01:00
$sql .= " FROM " . MAIN_DB_PREFIX . " societe as s " ;
2021-03-22 11:30:18 +01:00
$sql .= " WHERE s.rowid IN ( " . $db -> sanitize ( $objectid , 1 ) . " ) " ;
2019-11-26 12:52:04 +01:00
$sql .= " AND s.entity IN ( " . getEntity ( $sharedelement , 1 ) . " ) " ;
2015-05-03 14:41:51 +02:00
}
2021-02-23 22:03:23 +01:00
} elseif ( in_array ( $feature , $checkother )) { // Test on entity + link to thirdparty. Allowed if link is empty (Ex: contacts...).
2015-05-03 14:41:51 +02:00
// If external user: Check permission for external users
2021-02-23 22:03:23 +01:00
if ( $user -> socid > 0 ) {
2017-12-18 15:39:40 +01:00
$sql = " SELECT COUNT(dbt. " . $dbt_select . " ) as nb " ;
2019-11-26 12:52:04 +01:00
$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt " ;
2021-03-22 11:30:18 +01:00
$sql .= " WHERE dbt. " . $dbt_select . " IN ( " . $db -> sanitize ( $objectid , 1 ) . " ) " ;
2019-11-26 12:52:04 +01:00
$sql .= " AND dbt.fk_soc = " . $user -> socid ;
2021-03-01 20:37:16 +01:00
} elseif ( ! empty ( $conf -> societe -> enabled ) && ( $user -> rights -> societe -> lire && ! $user -> rights -> societe -> client -> voir )) {
// If internal user: Check permission for internal users that are restricted on their objects
2017-12-18 15:39:40 +01:00
$sql = " SELECT COUNT(dbt. " . $dbt_select . " ) as nb " ;
2019-11-26 12:52:04 +01:00
$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt " ;
2020-09-19 22:41:05 +02:00
$sql .= " LEFT JOIN " . MAIN_DB_PREFIX . " societe_commerciaux as sc ON dbt.fk_soc = sc.fk_soc AND sc.fk_user = " . (( int ) $user -> id );
2021-03-22 11:30:18 +01:00
$sql .= " WHERE dbt. " . $dbt_select . " IN ( " . $db -> sanitize ( $objectid , 1 ) . " ) " ;
2019-11-26 12:52:04 +01:00
$sql .= " AND (dbt.fk_soc IS NULL OR sc.fk_soc IS NOT NULL) " ; // Contact not linked to a company or to a company of user
$sql .= " AND dbt.entity IN ( " . getEntity ( $sharedelement , 1 ) . " ) " ;
2021-03-01 20:37:16 +01:00
} elseif ( ! empty ( $conf -> multicompany -> enabled )) {
// If multicompany and internal users with all permissions, check user is in correct entity
2017-12-18 15:39:40 +01:00
$sql = " SELECT COUNT(dbt. " . $dbt_select . " ) as nb " ;
2019-11-26 12:52:04 +01:00
$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt " ;
2021-03-22 11:30:18 +01:00
$sql .= " WHERE dbt. " . $dbt_select . " IN ( " . $db -> sanitize ( $objectid , 1 ) . " ) " ;
2019-11-26 12:52:04 +01:00
$sql .= " AND dbt.entity IN ( " . getEntity ( $sharedelement , 1 ) . " ) " ;
2015-05-03 14:41:51 +02:00
}
2021-03-01 20:37:16 +01:00
if ( $feature == 'agenda' ) {
// Also check owner or attendee for users without allactions->read
2020-08-04 16:45:04 +02:00
if ( $objectid > 0 && empty ( $user -> rights -> agenda -> allactions -> read )) {
2020-09-07 10:18:17 +02:00
require_once DOL_DOCUMENT_ROOT . '/comm/action/class/actioncomm.class.php' ;
2020-08-04 16:45:04 +02:00
$action = new ActionComm ( $db );
$action -> fetch ( $objectid );
2020-08-04 16:48:15 +02:00
if ( $action -> authorid != $user -> id && $action -> userownerid != $user -> id && ! ( array_key_exists ( $user -> id , $action -> userassigned ))) {
2020-08-04 16:45:04 +02:00
return false ;
}
}
}
2020-08-17 20:06:01 +02:00
} elseif ( in_array ( $feature , $checkproject )) {
2021-02-23 22:03:23 +01:00
if ( ! empty ( $conf -> projet -> enabled ) && empty ( $user -> rights -> projet -> all -> lire )) {
2015-05-03 14:41:51 +02:00
include_once DOL_DOCUMENT_ROOT . '/projet/class/project.class.php' ;
2019-11-26 12:52:04 +01:00
$projectstatic = new Project ( $db );
$tmps = $projectstatic -> getProjectsAuthorizedForUser ( $user , 0 , 1 , 0 );
$tmparray = explode ( ',' , $tmps );
2021-02-23 22:03:23 +01:00
if ( ! in_array ( $objectid , $tmparray )) {
return false ;
}
2020-05-21 15:05:19 +02:00
} else {
2017-12-18 15:39:40 +01:00
$sql = " SELECT COUNT(dbt. " . $dbt_select . " ) as nb " ;
2019-11-26 12:52:04 +01:00
$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt " ;
2021-03-22 11:30:18 +01:00
$sql .= " WHERE dbt. " . $dbt_select . " IN ( " . $db -> sanitize ( $objectid , 1 ) . " ) " ;
2019-11-26 12:52:04 +01:00
$sql .= " AND dbt.entity IN ( " . getEntity ( $sharedelement , 1 ) . " ) " ;
2015-05-03 14:41:51 +02:00
}
2020-08-17 20:06:01 +02:00
} elseif ( in_array ( $feature , $checktask )) {
2021-02-23 22:03:23 +01:00
if ( ! empty ( $conf -> projet -> enabled ) && empty ( $user -> rights -> projet -> all -> lire )) {
2018-10-29 18:19:40 +01:00
$task = new Task ( $db );
$task -> fetch ( $objectid );
2017-06-01 19:53:12 +02:00
include_once DOL_DOCUMENT_ROOT . '/projet/class/project.class.php' ;
2019-11-26 12:52:04 +01:00
$projectstatic = new Project ( $db );
$tmps = $projectstatic -> getProjectsAuthorizedForUser ( $user , 0 , 1 , 0 );
$tmparray = explode ( ',' , $tmps );
2021-02-23 22:03:23 +01:00
if ( ! in_array ( $task -> fk_project , $tmparray )) {
return false ;
}
2020-05-21 15:05:19 +02:00
} else {
2017-12-18 15:39:40 +01:00
$sql = " SELECT COUNT(dbt. " . $dbt_select . " ) as nb " ;
2019-11-26 12:52:04 +01:00
$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt " ;
2021-03-22 11:30:18 +01:00
$sql .= " WHERE dbt. " . $dbt_select . " IN ( " . $db -> sanitize ( $objectid , 1 ) . " ) " ;
2019-11-26 12:52:04 +01:00
$sql .= " AND dbt.entity IN ( " . getEntity ( $sharedelement , 1 ) . " ) " ;
2015-05-03 14:41:51 +02:00
}
2021-02-02 00:19:41 +01:00
} elseif ( ! in_array ( $feature , $nocheck )) { // By default (case of $checkdefault), we check on object entity + link to third party on field $dbt_keyfield
2015-05-03 14:41:51 +02:00
// If external user: Check permission for external users
2021-02-02 00:19:41 +01:00
if ( $user -> socid > 0 ) {
2021-02-23 22:03:23 +01:00
if ( empty ( $dbt_keyfield )) {
dol_print_error ( '' , 'Param dbt_keyfield is required but not defined' );
}
2017-12-18 15:39:40 +01:00
$sql = " SELECT COUNT(dbt. " . $dbt_keyfield . " ) as nb " ;
2019-11-26 12:52:04 +01:00
$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt " ;
2021-03-22 11:30:18 +01:00
$sql .= " WHERE dbt.rowid IN ( " . $db -> sanitize ( $objectid , 1 ) . " ) " ;
2019-11-26 12:52:04 +01:00
$sql .= " AND dbt. " . $dbt_keyfield . " = " . $user -> socid ;
2021-02-09 20:13:13 +01:00
} elseif ( ! empty ( $conf -> societe -> enabled ) && ! $user -> rights -> societe -> client -> voir ) {
2021-02-02 00:19:41 +01:00
// If internal user: Check permission for internal users that are restricted on their objects
2021-02-09 20:13:13 +01:00
if ( $feature != 'ticket' ) {
2021-02-23 22:03:23 +01:00
if ( empty ( $dbt_keyfield )) {
dol_print_error ( '' , 'Param dbt_keyfield is required but not defined' );
}
2021-02-02 00:19:41 +01:00
$sql = " SELECT COUNT(sc.fk_soc) as nb " ;
$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt " ;
$sql .= " , " . MAIN_DB_PREFIX . " societe_commerciaux as sc " ;
2021-03-22 11:30:18 +01:00
$sql .= " WHERE dbt. " . $dbt_select . " IN ( " . $db -> sanitize ( $objectid , 1 ) . " ) " ;
2021-02-02 00:19:41 +01:00
$sql .= " AND dbt.entity IN ( " . getEntity ( $sharedelement , 1 ) . " ) " ;
$sql .= " AND sc.fk_soc = dbt. " . $dbt_keyfield ;
$sql .= " AND sc.fk_user = " . $user -> id ;
2021-02-09 20:13:13 +01:00
} else {
2021-02-10 14:04:06 +01:00
// On ticket, the thirdparty is not mandatory, so we need a special test to accept record with no thirdparties.
2021-02-02 00:19:41 +01:00
$sql = " SELECT COUNT(dbt. " . $dbt_select . " ) as nb " ;
$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt " ;
$sql .= " LEFT JOIN " . MAIN_DB_PREFIX . " societe_commerciaux as sc ON sc.fk_soc = dbt. " . $dbt_keyfield . " AND sc.fk_user = " . $user -> id ;
2021-03-22 11:30:18 +01:00
$sql .= " WHERE dbt. " . $dbt_select . " IN ( " . $db -> sanitize ( $objectid , 1 ) . " ) " ;
2021-02-02 00:19:41 +01:00
$sql .= " AND dbt.entity IN ( " . getEntity ( $sharedelement , 1 ) . " ) " ;
$sql .= " AND (sc.fk_user = " . $user -> id . " OR sc.fk_user IS NULL) " ;
}
2021-03-01 20:37:16 +01:00
} elseif ( ! empty ( $conf -> multicompany -> enabled )) {
// If multicompany and internal users with all permissions, check user is in correct entity
2017-12-18 15:39:40 +01:00
$sql = " SELECT COUNT(dbt. " . $dbt_select . " ) as nb " ;
2019-11-26 12:52:04 +01:00
$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt " ;
2021-03-22 11:30:18 +01:00
$sql .= " WHERE dbt. " . $dbt_select . " IN ( " . $db -> sanitize ( $objectid , 1 ) . " ) " ;
2019-11-26 12:52:04 +01:00
$sql .= " AND dbt.entity IN ( " . getEntity ( $sharedelement , 1 ) . " ) " ;
2015-05-03 14:41:51 +02:00
}
}
2021-03-23 18:08:44 +01:00
//print $sql;
2015-05-03 14:41:51 +02:00
2021-02-23 22:03:23 +01:00
if ( $sql ) {
2019-11-26 12:52:04 +01:00
$resql = $db -> query ( $sql );
2021-02-23 22:03:23 +01:00
if ( $resql ) {
2017-12-18 15:39:40 +01:00
$obj = $db -> fetch_object ( $resql );
2021-02-23 22:03:23 +01:00
if ( ! $obj || $obj -> nb < count ( explode ( ',' , $objectid ))) {
return false ;
}
2020-05-21 15:05:19 +02:00
} else {
2021-03-23 18:02:52 +01:00
dol_syslog ( " Bad forged sql in checkUserAccessToObject " , LOG_WARNING );
2015-05-03 14:41:51 +02:00
return false ;
}
}
}
2020-06-07 23:00:38 +02:00
2015-05-03 14:41:51 +02:00
return true ;
}
2012-02-12 17:41:28 +01:00
/**
* Show a message to say access is forbidden and stop program
* Calling this function terminate execution of PHP .
*
2019-11-22 16:13:22 +01:00
* @ param string $message Force error message
* @ param int $printheader Show header before
* @ param int $printfooter Show footer after
* @ param int $showonlymessage Show only message parameter . Otherwise add more information .
2020-12-03 16:22:03 +01:00
* @ param array | null $params More parameters provided to hook
2012-02-12 17:41:28 +01:00
* @ return void
*/
2019-11-22 16:13:22 +01:00
function accessforbidden ( $message = '' , $printheader = 1 , $printfooter = 1 , $showonlymessage = 0 , $params = null )
2012-02-12 17:41:28 +01:00
{
2020-10-31 14:32:18 +01:00
global $conf , $db , $user , $langs , $hookmanager ;
2021-02-23 22:03:23 +01:00
if ( ! is_object ( $langs )) {
2020-10-31 14:32:18 +01:00
include_once DOL_DOCUMENT_ROOT . '/core/class/translate.class.php' ;
$langs = new Translate ( '' , $conf );
$langs -> setDefaultLang ();
}
2012-02-12 17:41:28 +01:00
2018-10-29 18:19:40 +01:00
$langs -> load ( " errors " );
2012-02-12 17:41:28 +01:00
2021-02-23 22:03:23 +01:00
if ( $printheader ) {
if ( function_exists ( " llxHeader " )) {
llxHeader ( '' );
} elseif ( function_exists ( " llxHeaderVierge " )) {
llxHeaderVierge ( '' );
}
2018-10-29 18:19:40 +01:00
}
print '<div class="error">' ;
2021-02-23 22:03:23 +01:00
if ( ! $message ) {
print $langs -> trans ( " ErrorForbidden " );
} else {
print $message ;
}
2018-10-29 18:19:40 +01:00
print '</div>' ;
print '<br>' ;
2021-02-23 22:03:23 +01:00
if ( empty ( $showonlymessage )) {
2019-06-04 12:48:06 +02:00
global $action , $object ;
2021-02-23 22:03:23 +01:00
if ( empty ( $hookmanager )) {
2019-06-04 12:48:06 +02:00
$hookmanager = new HookManager ( $db );
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
$hookmanager -> initHooks ( array ( 'main' ));
2018-10-29 18:19:40 +01:00
}
2019-11-22 16:13:22 +01:00
$parameters = array ( 'message' => $message , 'params' => $params );
2019-11-26 12:52:04 +01:00
$reshook = $hookmanager -> executeHooks ( 'getAccessForbiddenMessage' , $parameters , $object , $action ); // Note that $action and $object may have been modified by some hooks
2019-06-04 12:48:06 +02:00
print $hookmanager -> resPrint ;
2021-02-23 22:03:23 +01:00
if ( empty ( $reshook )) {
if ( $user -> login ) {
2019-06-04 12:48:06 +02:00
print $langs -> trans ( " CurrentLogin " ) . ': <font class="error">' . $user -> login . '</font><br>' ;
2019-06-04 19:18:20 +02:00
print $langs -> trans ( " ErrorForbidden2 " , $langs -> transnoentitiesnoconv ( " Home " ), $langs -> transnoentitiesnoconv ( " Users " ));
2020-05-21 15:05:19 +02:00
} else {
2019-06-04 12:48:06 +02:00
print $langs -> trans ( " ErrorForbidden3 " );
}
2018-10-29 18:19:40 +01:00
}
}
2021-02-23 22:03:23 +01:00
if ( $printfooter && function_exists ( " llxFooter " )) {
llxFooter ();
}
2018-10-29 18:19:40 +01:00
exit ( 0 );
2012-02-12 17:41:28 +01:00
}
