<?php
/* Copyright (C) 2008-2011 Laurent Destailleur  <eldy@users.sourceforge.net>
 * Copyright (C) 2008-2017 Regis Houssin        <regis.houssin@inodbox.com>
 * Copyright (C) 2020      Ferran Marcet        <fmarcet@2byte.es>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <https://www.gnu.org/licenses/>.
 * or see https://www.gnu.org/
*/
/**
 *	\file			htdocs/core/lib/security.lib.php
 *  \ingroup		core
 *  \brief			Set of functions used for Dolibarr security (common functions included into filefunc.inc.php).
 *  				Warning: this file must not depend on other library files, except function.lib.php,
 *  				because it is used at low code level.
 */
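/**
 * Encode a string with base64 algorithm + specific delta change.
 *
 * WARNING: this is reversible obfuscation, not encryption. Anyone holding the encoded value
 * and the key (the well-known rule '1', or the configured 'myownkey') recovers the plaintext
 * with dol_decode(). Do not rely on it to protect a secret from someone who can read the
 * configuration file or the database.
 *
 * @param   string	$chain		string to encode
 * @param   string	$key		rule to use for delta ('0', '1' or 'myownkey')
 * @return  string				encoded string
 * @see dol_decode()
 */
function dol_encode($chain, $key = '1')
{
	if (is_numeric($key) && $key == '1') { // rule 1 is offset of 17 for char
		// substr()/ord() work on bytes, so the loop bound must be the byte length (strlen), not a
		// character count: a character count would silently drop the tail of multi-byte (UTF-8) input.
		$nbbytes = strlen($chain);
		$encoded = '';
		for ($i = 0; $i < $nbbytes; $i++) {
			// chr() wraps values above 255 (bitwise and with 255); dol_decode() undoes the same way
			$encoded .= chr(ord(substr($chain, $i, 1)) + 17);
		}
		$chain = $encoded;
	} elseif ($key) {
		// Rotating key: byte i of the input is shifted by (ord(keychar) - 65). Because of the "- 1",
		// the first key byte used is the LAST one (negative substr offset); this quirk is mirrored in
		// dol_decode() and must be kept so that already-encoded values still decode.
		$keylength = strlen($key);
		$nbbytes = strlen($chain);
		$encoded = '';
		for ($i = 0; $i < $nbbytes; $i++) {
			$keychar = substr($key, ($i % $keylength) - 1, 1);
			$encoded .= chr(ord(substr($chain, $i, 1)) + (ord($keychar) - 65));
		}
		$chain = $encoded;
	}
	// key '0' (or any falsy key): plain base64, no delta
	return base64_encode($chain);
}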
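/**
 * Decode a base64 encoded + specific delta change.
 * This function is called by filefunc.inc.php at each page call.
 *
 * WARNING: this is the inverse of dol_encode(), i.e. de-obfuscation rather than decryption:
 * the key is either the well-known rule '1' or a value that any reader of the configuration
 * also has, so a decoded value must be handled with the same care as a plaintext secret.
 *
 * @param   string	$chain		string to decode
 * @param   string	$key		rule to use for delta ('0', '1' or 'myownkey')
 * @return  string				decoded string
 * @see dol_encode()
 */
function dol_decode($chain, $key = '1')
{
	$chain = base64_decode($chain);
	if (is_numeric($key) && $key == '1') { // rule 1 is offset of 17 for char
		// Byte-wise loop: substr()/ord() work on bytes, so the bound is strlen() (bytes), otherwise
		// multi-byte (UTF-8) content would be truncated.
		$nbbytes = strlen($chain);
		$decoded = '';
		for ($i = 0; $i < $nbbytes; $i++) {
			// chr() wraps negative values (bitwise and with 255), undoing the wrap done by dol_encode()
			$decoded .= chr(ord(substr($chain, $i, 1)) - 17);
		}
		$chain = $decoded;
	} elseif ($key) {
		// Rotating key, same "- 1" offset quirk as dol_encode() (key consumed from its last byte first)
		$keylength = strlen($key);
		$nbbytes = strlen($chain);
		$decoded = '';
		for ($i = 0; $i < $nbbytes; $i++) {
			$keychar = substr($key, ($i % $keylength) - 1, 1);
			$decoded .= chr(ord(substr($chain, $i, 1)) - (ord($keychar) - 65));
		}
		$chain = $decoded;
	}
	// key '0' (or any falsy key): plain base64, no delta
	return $chain;
}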
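/**
 * Returns a hash of a string.
 * If constant MAIN_SECURITY_HASH_ALGO is defined, we use this function as hashing function (recommended value is 'password_hash')
 * If constant MAIN_SECURITY_SALT is defined, we use it as a salt (used only if hashing algorithm is something else than 'password_hash').
 *
 * Security notes:
 * - Only the 'password_hash' mode produces a slow, per-password salted hash suitable for credentials.
 *   The md5 / sha1 / sha1md5 / sha256 modes are fast unsalted digests kept for backward compatibility
 *   and for non-secret uses (fingerprints, cache keys).
 * - MAIN_SECURITY_SALT is a single site-wide value prepended to the input, not a per-user salt: in
 *   those legacy modes two users with the same password still get the same hash.
 *
 * @param 	string	$chain		String to hash
 * @param	string	$type		Type of hash ('0':auto will use MAIN_SECURITY_HASH_ALGO else md5, '1':sha1, '2':sha1+md5, '3':md5, '4':md5 for OpenLdap with no salt, '5':sha256). Use '3' here, if hash is not needed for security purpose, for security need, prefer '0'.
 * @return	string				Hash of string
 * @see getRandomPassword()
 */
function dol_hash($chain, $type = '0')
{
	global $conf;

	// No need to add salt for password_hash: it generates and embeds its own random salt
	if (($type == '0' || $type == 'auto') && !empty($conf->global->MAIN_SECURITY_HASH_ALGO) && $conf->global->MAIN_SECURITY_HASH_ALGO == 'password_hash' && function_exists('password_hash')) {
		return password_hash($chain, PASSWORD_DEFAULT);
	}

	// Salt value. Never applied to the OpenLDAP form ('4'), which must match what LDAP computes on the raw password.
	if (!empty($conf->global->MAIN_SECURITY_SALT) && $type != '4' && $type !== 'md5openldap') $chain = $conf->global->MAIN_SECURITY_SALT.$chain;

	if ($type == '1' || $type == 'sha1') return sha1($chain);
	elseif ($type == '2' || $type == 'sha1md5') return sha1(md5($chain));
	elseif ($type == '3' || $type == 'md5') return md5($chain);
	// For OpenLdap with md5 (based on an unencrypted password in base). hash(..., true) returns the same
	// raw binary digest as mhash(MHASH_MD5, ...) did, without relying on the deprecated mhash extension.
	elseif ($type == '4' || $type == 'md5openldap') return '{md5}'.base64_encode(hash('md5', $chain, true));
	elseif ($type == '5') return hash('sha256', $chain);
	elseif (!empty($conf->global->MAIN_SECURITY_HASH_ALGO) && $conf->global->MAIN_SECURITY_HASH_ALGO == 'sha1') return sha1($chain);
	elseif (!empty($conf->global->MAIN_SECURITY_HASH_ALGO) && $conf->global->MAIN_SECURITY_HASH_ALGO == 'sha1md5') return sha1(md5($chain));

	// No particular encoding defined, use default
	return md5($chain);
}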
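/**
 * Compute a hash and compare it to the given one
 * For backward compatibility reasons, if the hash is not in the password_hash format, we will try to match against md5 and sha1md5
 * If constant MAIN_SECURITY_HASH_ALGO is defined, we use this function as hashing function.
 * If constant MAIN_SECURITY_SALT is defined, we use it as a salt.
 *
 * @param 	string	$chain		String to hash (not hashed string)
 * @param 	string	$hash		hash to compare
 * @param	string	$type		Type of hash ('0':auto, '1':sha1, '2':sha1+md5, '3':md5, '4':md5 for OpenLdap, '5':sha256). Use '3' here, if hash is not needed for security purpose, for security need, prefer '0'.
 * @return	bool				True if the computed hash is the same as the given one
 */
function dol_verifyHash($chain, $hash, $type = '0')
{
	global $conf;

	$hash = (string) $hash; // a null/empty stored hash must simply fail to match, not emit warnings below

	if ($type == '0' && !empty($conf->global->MAIN_SECURITY_HASH_ALGO) && $conf->global->MAIN_SECURITY_HASH_ALGO == 'password_hash' && function_exists('password_verify')) {
		// password_hash() output always starts with '$'. substr() is used rather than $hash[0] so an
		// empty string does not raise an "uninitialized string offset" warning.
		if (substr($hash, 0, 1) === '$') return password_verify($chain, $hash);
		// Legacy stored hashes are recognised by length only: 32 hex chars is md5, 40 is treated as
		// sha1md5 (a plain sha1 of the same length would not match through this path).
		elseif (strlen($hash) === 32) return dol_verifyHash($chain, $hash, '3'); // md5
		elseif (strlen($hash) === 40) return dol_verifyHash($chain, $hash, '2'); // sha1md5
		return false;
	}

	// hash_equals() is a strict, constant-time comparison. The former loose "==" compared two
	// numeric-looking strings numerically ("0e123..." == "0e456..." is true in PHP), so an input
	// whose digest starts with "0e" followed by digits could match an unrelated stored hash of the
	// same shape; it also leaked timing information about the first differing byte.
	return hash_equals(dol_hash($chain, $type), $hash);
}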
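/**
 * Check permissions of a user to show a page and an object. Check read permission.
 * If GETPOST('action', 'aZ09') defined, we also check write and delete permission.
 *
 * Semantics of $features: 'a&b' requires the permission on every listed feature, 'a|b' on at
 * least one of them. Each of the read / create / delete passes counts the failing features in
 * $nbko and, for a '|' list, grants access when fewer than all of them failed. Every pass must
 * therefore increment $nbko on each failure, otherwise a '|' list is granted unconditionally.
 *
 * @param	User	$user			User to check
 * @param	string	$features		Features to check (it must be module $object->element. Examples: 'societe', 'contact', 'produit&service', 'produit|service', ...)
 * @param	int		$objectid		Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
 * @param	string	$tableandshare	'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity for multicompany module. Param not used if objectid is null (optional).
 * @param	string	$feature2		Feature to check, second level of permission (optional). Can be a 'or' check with 'sublevela|sublevelb'.
 * @param	string	$dbt_keyfield	Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
 * @param	string	$dbt_select		Field name for select if not rowid. Not used if objectid is null (optional)
 * @param	int		$isdraft		1=The object with id=$objectid is a draft
 * @return	int						Always 1, die process if not allowed
 * @see dol_check_secure_access_document()
 */
function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = 'fk_soc', $dbt_select = 'rowid', $isdraft = 0)
{
	global $db, $conf;
	global $hookmanager;

	// Aliases: these features are checked under another module's permission tree
	if ($features == 'facturerec') $features = 'facture';
	if ($features == 'mo') $features = 'mrp';
	if ($features == 'member') $features = 'adherent';
	if ($features == 'subscription') { $features = 'adherent'; $feature2 = 'cotisation'; }

	// Get more permissions checks from hooks
	$parameters = array('features' => $features, 'objectid' => $objectid, 'idtype' => $dbt_select);
	$reshook = $hookmanager->executeHooks('restrictedArea', $parameters);
	if (isset($hookmanager->resArray['result'])) {
		if ($hookmanager->resArray['result'] == 0) accessforbidden(); // Module returns 0, so access forbidden
	}
	if ($reshook > 0) { // A hook took the decision: no other test done.
		return 1;
	}

	// SECURITY NOTE(review): $objectid is quoted here but not escaped, and checkUserAccessToObject()
	// interpolates it straight into SQL ("... IN (".$objectid.")"); callers must only pass validated
	// values (an int, or a value already escaped for the database). Note also that a quoted, non-numeric
	// string never satisfies the "$objectid > 0" test at the end of this function, so the per-object check
	// looks like it is skipped whenever $dbt_select is not 'rowid'/'id' -- confirm against the callers.
	if ($dbt_select != 'rowid' && $dbt_select != 'id') $objectid = "'".$objectid."'";

	// Features/modules to check: '&' means all of them, '|' means at least one of them
	$featuresarray = array($features);
	if (preg_match('/&/', $features)) $featuresarray = explode("&", $features);
	elseif (preg_match('/\|/', $features)) $featuresarray = explode("|", $features);

	// More subfeatures to check ('|' separated: any granting subfeature is enough)
	if (!empty($feature2)) $feature2 = explode("|", $feature2);

	$listofmodules = explode(',', $conf->global->MAIN_MODULES_FOR_EXTERNAL);

	// Check read permission from module
	$readok = 1; $nbko = 0;
	foreach ($featuresarray as $feature) { // first we count the failing tests
		$featureforlistofmodule = $feature;
		if ($featureforlistofmodule == 'produit') $featureforlistofmodule = 'product';
		if (!empty($user->socid) && !empty($conf->global->MAIN_MODULES_FOR_EXTERNAL) && !in_array($featureforlistofmodule, $listofmodules)) { // If limits on modules for external users, module must be into list of modules for external users
			$readok = 0; $nbko++;
			continue;
		}

		if ($feature == 'societe') {
			if (!$user->rights->societe->lire && !$user->rights->fournisseur->lire) { $readok = 0; $nbko++; }
		} elseif ($feature == 'contact') {
			if (!$user->rights->societe->contact->lire) { $readok = 0; $nbko++; }
		} elseif ($feature == 'produit|service') { // NOTE(review): $features is split on '|' above, so this literal looks unreachable -- confirm before relying on it
			if (!$user->rights->produit->lire && !$user->rights->service->lire) { $readok = 0; $nbko++; }
		} elseif ($feature == 'prelevement') {
			if (!$user->rights->prelevement->bons->lire) { $readok = 0; $nbko++; }
		} elseif ($feature == 'cheque') {
			if (!$user->rights->banque->cheque) { $readok = 0; $nbko++; }
		} elseif ($feature == 'projet') {
			if (!$user->rights->projet->lire && !$user->rights->projet->all->lire) { $readok = 0; $nbko++; }
		} elseif (!empty($feature2)) { // Permissions on 2 levels: one granting subfeature is enough
			$tmpreadok = 1;
			foreach ($feature2 as $subfeature) {
				if ($subfeature == 'user' && $user->id == $objectid) continue; // A user can always read its own card
				if (!empty($subfeature) && empty($user->rights->$feature->$subfeature->lire) && empty($user->rights->$feature->$subfeature->read)) { $tmpreadok = 0; }
				elseif (empty($subfeature) && empty($user->rights->$feature->lire) && empty($user->rights->$feature->read)) { $tmpreadok = 0; }
				else { $tmpreadok = 1; break; } // Break is to bypass second test if the first is ok
			}
			if (!$tmpreadok) { // We found a test on feature that is ko
				$readok = 0; // All tests are ko (we manage here the and, the or will be managed later using $nbko).
				$nbko++;
			}
		} elseif (!empty($feature) && ($feature != 'user' && $feature != 'usergroup')) { // Permissions on 1 level
			if (empty($user->rights->$feature->lire)
				&& empty($user->rights->$feature->read)
				&& empty($user->rights->$feature->run)) { $readok = 0; $nbko++; }
		}
	}

	// If a or and at least one ok
	if (preg_match('/\|/', $features) && $nbko < count($featuresarray)) $readok = 1;

	if (!$readok) accessforbidden();
	//print "Read access is ok";

	// Check write permission from module (we need to know write permission to create but also to delete drafts record or to upload files)
	$createok = 1; $nbko = 0;
	$wemustcheckpermissionforcreate = (GETPOST('sendit', 'alpha') || GETPOST('linkit', 'alpha') || GETPOST('action', 'aZ09') == 'create' || GETPOST('action', 'aZ09') == 'update');
	$wemustcheckpermissionfordeletedraft = ((GETPOST("action", "aZ09") == 'confirm_delete' && GETPOST("confirm", "aZ09") == 'yes') || GETPOST("action", "aZ09") == 'delete');
	if ($wemustcheckpermissionforcreate || $wemustcheckpermissionfordeletedraft) {
		foreach ($featuresarray as $feature) {
			if ($feature == 'contact') {
				if (!$user->rights->societe->contact->creer) { $createok = 0; $nbko++; }
			} elseif ($feature == 'produit|service') { // NOTE(review): same remark as in the read pass, looks unreachable
				if (!$user->rights->produit->creer && !$user->rights->service->creer) { $createok = 0; $nbko++; }
			} elseif ($feature == 'prelevement') {
				if (!$user->rights->prelevement->bons->creer) { $createok = 0; $nbko++; }
			} elseif ($feature == 'commande_fournisseur') {
				if (!$user->rights->fournisseur->commande->creer) { $createok = 0; $nbko++; }
			} elseif ($feature == 'banque') {
				if (!$user->rights->banque->modifier) { $createok = 0; $nbko++; }
			} elseif ($feature == 'cheque') {
				if (!$user->rights->banque->cheque) { $createok = 0; $nbko++; }
			} elseif ($feature == 'import') {
				if (!$user->rights->import->run) { $createok = 0; $nbko++; }
			} elseif ($feature == 'ecm') {
				if (!$user->rights->ecm->upload) { $createok = 0; $nbko++; }
			} elseif (!empty($feature2)) { // Permissions on 2 levels ('creer', 'write' or 'create'): one granting subfeature is enough
				// Same shape as the read pass: a feature fails once whatever its number of subfeatures,
				// and a failure is never turned back into a success by a later feature of an 'a&b' list.
				$tmpcreateok = 1;
				foreach ($feature2 as $subfeature) {
					if ($subfeature == 'user' && $user->id == $objectid && $user->rights->user->self->creer) continue; // User can edit its own card
					if ($subfeature == 'user' && $user->id == $objectid && $user->rights->user->self->password) continue; // User can edit its own password
					if (empty($user->rights->$feature->$subfeature->creer)
						&& empty($user->rights->$feature->$subfeature->write)
						&& empty($user->rights->$feature->$subfeature->create)) { $tmpcreateok = 0; }
					else { $tmpcreateok = 1; break; } // Break to bypass second test if the first is ok
				}
				if (!$tmpcreateok) { $createok = 0; $nbko++; }
			} elseif (!empty($feature)) { // Permissions on 1 level ('creer', 'write' or 'create')
				if (empty($user->rights->$feature->creer)
					&& empty($user->rights->$feature->write)
					&& empty($user->rights->$feature->create)) { $createok = 0; $nbko++; }
			}
		}

		// If a or and at least one ok
		if (preg_match('/\|/', $features) && $nbko < count($featuresarray)) $createok = 1;

		if ($wemustcheckpermissionforcreate && !$createok) accessforbidden();
		//print "Write access is ok";
	}

	// Check create user permission
	$createuserok = 1;
	if (GETPOST('action', 'aZ09') == 'confirm_create_user' && GETPOST("confirm", 'aZ09') == 'yes') {
		if (!$user->rights->user->user->creer) $createuserok = 0;

		if (!$createuserok) accessforbidden();
		//print "Create user access is ok";
	}

	// Check delete permission from module
	$deleteok = 1; $nbko = 0;
	if ((GETPOST("action", "aZ09") == 'confirm_delete' && GETPOST("confirm", "aZ09") == 'yes') || GETPOST("action", "aZ09") == 'delete') {
		foreach ($featuresarray as $feature) {
			// $nbko is incremented on every failure here, like in the read and create passes: the
			// 'or' rule below compares it with the number of features, and a counter left at 0
			// would grant delete on any 'a|b' list regardless of the user's rights.
			if ($feature == 'contact') {
				if (!$user->rights->societe->contact->supprimer) { $deleteok = 0; $nbko++; }
			} elseif ($feature == 'produit|service') { // NOTE(review): same remark as in the read pass, looks unreachable
				if (!$user->rights->produit->supprimer && !$user->rights->service->supprimer) { $deleteok = 0; $nbko++; }
			} elseif ($feature == 'commande_fournisseur') {
				if (!$user->rights->fournisseur->commande->supprimer) { $deleteok = 0; $nbko++; }
			} elseif ($feature == 'banque') {
				if (!$user->rights->banque->modifier) { $deleteok = 0; $nbko++; }
			} elseif ($feature == 'cheque') {
				if (!$user->rights->banque->cheque) { $deleteok = 0; $nbko++; }
			} elseif ($feature == 'ecm') {
				if (!$user->rights->ecm->upload) { $deleteok = 0; $nbko++; }
			} elseif ($feature == 'ftp') {
				if (!$user->rights->ftp->write) { $deleteok = 0; $nbko++; }
			} elseif ($feature == 'salaries') {
				if (!$user->rights->salaries->delete) { $deleteok = 0; $nbko++; }
			} elseif (!empty($feature2)) { // Permissions on 2 levels: one granting subfeature is enough
				$tmpdeleteok = 1;
				foreach ($feature2 as $subfeature) {
					if (empty($user->rights->$feature->$subfeature->supprimer) && empty($user->rights->$feature->$subfeature->delete)) { $tmpdeleteok = 0; }
					else { $tmpdeleteok = 1; break; } // Break to bypass second test if the first is ok
				}
				if (!$tmpdeleteok) { $deleteok = 0; $nbko++; }
			} elseif (!empty($feature)) { // Permissions on 1 level
				if (empty($user->rights->$feature->supprimer)
					&& empty($user->rights->$feature->delete)
					&& empty($user->rights->$feature->run)) { $deleteok = 0; $nbko++; }
			}
		}

		// If a or and at least one ok
		if (preg_match('/\|/', $features) && $nbko < count($featuresarray)) $deleteok = 1;

		// Deleting a draft only requires the create permission computed above
		if (!$deleteok && !($isdraft && $createok)) accessforbidden();
		//print "Delete access is ok";
	}

	// If we have a particular object to check permissions on, we check this object
	// is linked to a company allowed to $user.
	if (!empty($objectid) && $objectid > 0) {
		$ok = checkUserAccessToObject($user, $featuresarray, $objectid, $tableandshare, $feature2, $dbt_keyfield, $dbt_select);
		$params = array('objectid' => $objectid, 'features' => join(',', $featuresarray), 'features2' => $feature2);
		return $ok ? 1 : accessforbidden('', 1, 1, 0, $params);
	}
	return 1;
}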
/**
2017-01-29 16:42:59 +01:00
* Check access by user to object .
* This function is also called by restrictedArea
2015-05-31 03:30:38 +02:00
*
2017-12-18 15:39:40 +01:00
* @ param User $user User to check
* @ param array $featuresarray Features / modules to check . Example : ( 'user' , 'service' , 'member' , 'project' , 'task' , ... )
* @ param int | string $objectid Object ID if we want to check a particular record ( optional ) is linked to a owned thirdparty ( optional ) .
* @ param string $tableandshare 'TableName&SharedElement' with Tablename is table where object is stored . SharedElement is an optional key to define where to check entity for multicompany modume . Param not used if objectid is null ( optional ) .
* @ param string $feature2 Feature to check , second level of permission ( optional ) . Can be or check with 'level1|level2' .
* @ param string $dbt_keyfield Field name for socid foreign key if not fk_soc . Not used if objectid is null ( optional )
* @ param string $dbt_select Field name for select if not rowid . Not used if objectid is null ( optional )
* @ return bool True if user has access , False otherwise
2019-03-11 01:01:15 +01:00
* @ see restrictedArea ()
2015-05-03 14:41:51 +02:00
*/
2019-01-27 15:20:16 +01:00
function checkUserAccessToObject ( $user , $featuresarray , $objectid = 0 , $tableandshare = '' , $feature2 = '' , $dbt_keyfield = '' , $dbt_select = 'rowid' )
2015-05-03 14:41:51 +02:00
{
global $db , $conf ;
2015-05-31 03:30:38 +02:00
2015-05-03 14:41:51 +02:00
// More parameters
2015-05-13 09:32:54 +02:00
$params = explode ( '&' , $tableandshare );
2019-11-26 12:52:04 +01:00
$dbtablename = ( ! empty ( $params [ 0 ]) ? $params [ 0 ] : '' );
$sharedelement = ( ! empty ( $params [ 1 ]) ? $params [ 1 ] : $dbtablename );
2015-05-31 03:30:38 +02:00
2015-05-03 14:41:51 +02:00
foreach ( $featuresarray as $feature )
{
2019-11-26 12:52:04 +01:00
$sql = '' ;
2015-05-03 14:41:51 +02:00
2017-02-03 11:42:49 +01:00
// For backward compatibility
2019-11-26 12:52:04 +01:00
if ( $feature == 'member' ) $feature = 'adherent' ;
if ( $feature == 'project' ) $feature = 'projet' ;
if ( $feature == 'task' ) $feature = 'projet_task' ;
2020-06-07 23:03:58 +02:00
$check = array ( 'adherent' , 'banque' , 'bom' , 'don' , 'mrp' , 'user' , 'usergroup' , 'product' , 'produit' , 'service' , 'produit|service' , 'categorie' , 'resource' , 'expensereport' , 'holiday' ); // Test on entity only (Objects with no link to company)
2019-11-26 12:52:04 +01:00
$checksoc = array ( 'societe' ); // Test for societe object
$checkother = array ( 'contact' , 'agenda' ); // Test on entity and link to third party. Allowed if link is empty (Ex: contacts...).
$checkproject = array ( 'projet' , 'project' ); // Test for project object
2017-06-01 19:53:12 +02:00
$checktask = array ( 'projet_task' );
2019-11-26 12:52:04 +01:00
$nocheck = array ( 'barcode' , 'stock' ); // No test
2019-03-15 11:00:00 +01:00
//$checkdefault = 'all other not already defined'; // Test on entity and link to third party. Not allowed if link is empty (Ex: invoice, orders...).
2015-05-03 14:41:51 +02:00
2017-10-17 12:58:26 +02:00
// If dbtablename not defined, we use same name for table than module name
if ( empty ( $dbtablename ))
{
$dbtablename = $feature ;
2019-11-26 12:52:04 +01:00
$sharedelement = ( ! empty ( $params [ 1 ]) ? $params [ 1 ] : $dbtablename ); // We change dbtablename, so we set sharedelement too.
2017-10-17 12:58:26 +02:00
}
2015-05-03 14:41:51 +02:00
// Check permission for object with entity
2019-01-27 11:55:16 +01:00
if ( in_array ( $feature , $check ))
2015-05-03 14:41:51 +02:00
{
2017-12-18 15:39:40 +01:00
$sql = " SELECT COUNT(dbt. " . $dbt_select . " ) as nb " ;
2019-11-26 12:52:04 +01:00
$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt " ;
if (( $feature == 'user' || $feature == 'usergroup' ) && ! empty ( $conf -> multicompany -> enabled ))
2015-05-03 14:41:51 +02:00
{
2019-11-26 12:52:04 +01:00
if ( ! empty ( $conf -> global -> MULTICOMPANY_TRANSVERSE_MODE ))
2018-07-02 10:09:56 +02:00
{
2019-11-26 12:52:04 +01:00
if ( $conf -> entity == 1 && $user -> admin && ! $user -> entity )
2018-07-02 10:09:56 +02:00
{
2019-11-26 12:52:04 +01:00
$sql .= " WHERE dbt. " . $dbt_select . " IN ( " . $objectid . " ) " ;
$sql .= " AND dbt.entity IS NOT NULL " ;
2018-07-02 10:09:56 +02:00
}
else
{
2019-11-26 12:52:04 +01:00
$sql .= " , " . MAIN_DB_PREFIX . " usergroup_user as ug " ;
$sql .= " WHERE dbt. " . $dbt_select . " IN ( " . $objectid . " ) " ;
$sql .= " AND ((ug.fk_user = dbt.rowid " ;
$sql .= " AND ug.entity IN ( " . getEntity ( 'usergroup' ) . " )) " ;
$sql .= " OR dbt.entity = 0) " ; // Show always superadmin
2018-07-02 10:09:56 +02:00
}
}
else {
2019-11-26 12:52:04 +01:00
$sql .= " WHERE dbt. " . $dbt_select . " IN ( " . $objectid . " ) " ;
$sql .= " AND dbt.entity IN ( " . getEntity ( $sharedelement , 1 ) . " ) " ;
2018-07-02 10:09:56 +02:00
}
2015-05-03 14:41:51 +02:00
}
else
{
2019-11-26 12:52:04 +01:00
$sql .= " WHERE dbt. " . $dbt_select . " IN ( " . $objectid . " ) " ;
$sql .= " AND dbt.entity IN ( " . getEntity ( $sharedelement , 1 ) . " ) " ;
2015-05-03 14:41:51 +02:00
}
}
2019-01-27 23:23:38 +01:00
elseif ( in_array ( $feature , $checksoc )) // We check feature = checksoc
2015-05-03 14:41:51 +02:00
{
// If external user: Check permission for external users
2017-06-15 21:51:31 +02:00
if ( $user -> socid > 0 )
2015-05-03 14:41:51 +02:00
{
2017-06-15 21:51:31 +02:00
if ( $user -> socid <> $objectid ) return false ;
2015-05-03 14:41:51 +02:00
}
// If internal user: Check permission for internal users that are restricted on their objects
elseif ( ! empty ( $conf -> societe -> enabled ) && ( $user -> rights -> societe -> lire && ! $user -> rights -> societe -> client -> voir ))
{
$sql = " SELECT COUNT(sc.fk_soc) as nb " ;
$sql .= " FROM ( " . MAIN_DB_PREFIX . " societe_commerciaux as sc " ;
$sql .= " , " . MAIN_DB_PREFIX . " societe as s) " ;
$sql .= " WHERE sc.fk_soc IN ( " . $objectid . " ) " ;
$sql .= " AND sc.fk_user = " . $user -> id ;
$sql .= " AND sc.fk_soc = s.rowid " ;
$sql .= " AND s.entity IN ( " . getEntity ( $sharedelement , 1 ) . " ) " ;
}
// If multicompany and internal users with all permissions, check user is in correct entity
elseif ( ! empty ( $conf -> multicompany -> enabled ))
{
$sql = " SELECT COUNT(s.rowid) as nb " ;
$sql .= " FROM " . MAIN_DB_PREFIX . " societe as s " ;
$sql .= " WHERE s.rowid IN ( " . $objectid . " ) " ;
$sql .= " AND s.entity IN ( " . getEntity ( $sharedelement , 1 ) . " ) " ;
}
}
elseif ( in_array ( $feature , $checkother )) // Test on entity and link to societe. Allowed if link is empty (Ex: contacts...).
{
// If external user: Check permission for external users
if ( $user -> socid > 0 )
{
$sql = " SELECT COUNT(dbt. " . $dbt_select . " ) as nb " ;
$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt " ;
$sql .= " WHERE dbt. " . $dbt_select . " IN ( " . $objectid . " ) " ;
$sql .= " AND dbt.fk_soc = " . $user -> socid ;
}
// If internal user: Check permission for internal users that are restricted on their objects
elseif ( ! empty ( $conf -> societe -> enabled ) && ( $user -> rights -> societe -> lire && ! $user -> rights -> societe -> client -> voir ))
{
$sql = " SELECT COUNT(dbt. " . $dbt_select . " ) as nb " ;
$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt " ;
$sql .= " LEFT JOIN " . MAIN_DB_PREFIX . " societe_commerciaux as sc ON dbt.fk_soc = sc.fk_soc AND sc.fk_user = ' " . $user -> id . " ' " ;
$sql .= " WHERE dbt. " . $dbt_select . " IN ( " . $objectid . " ) " ;
$sql .= " AND (dbt.fk_soc IS NULL OR sc.fk_soc IS NOT NULL) " ; // Contact not linked to a company or to a company of user
$sql .= " AND dbt.entity IN ( " . getEntity ( $sharedelement , 1 ) . " ) " ;
}
// If multicompany and internal users with all permissions, check user is in correct entity
elseif ( ! empty ( $conf -> multicompany -> enabled ))
{
$sql = " SELECT COUNT(dbt. " . $dbt_select . " ) as nb " ;
$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt " ;
$sql .= " WHERE dbt. " . $dbt_select . " IN ( " . $objectid . " ) " ;
$sql .= " AND dbt.entity IN ( " . getEntity ( $sharedelement , 1 ) . " ) " ;
}
if ( $feature == 'agenda' ) // Also check myactions rights
{
if ( $objectid > 0 && empty ( $user -> rights -> agenda -> allactions -> read )) {
require_once DOL_DOCUMENT_ROOT . '/comm/action/class/actioncomm.class.php' ;
$action = new ActionComm ( $db );
$action -> fetch ( $objectid );
if ( $action -> authorid != $user -> id && $action -> userownerid != $user -> id && ! ( array_key_exists ( $user -> id , $action -> userassigned ))) {
return false ;
}
}
}
}
elseif ( in_array ( $feature , $checkproject ))
{
if ( ! empty ( $conf -> projet -> enabled ) && empty ( $user -> rights -> projet -> all -> lire ))
{
include_once DOL_DOCUMENT_ROOT . '/projet/class/project.class.php' ;
$projectstatic = new Project ( $db );
$tmps = $projectstatic -> getProjectsAuthorizedForUser ( $user , 0 , 1 , 0 );
$tmparray = explode ( ',' , $tmps );
if ( ! in_array ( $objectid , $tmparray )) return false ;
}
else
{
$sql = " SELECT COUNT(dbt. " . $dbt_select . " ) as nb " ;
$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt " ;
$sql .= " WHERE dbt. " . $dbt_select . " IN ( " . $objectid . " ) " ;
$sql .= " AND dbt.entity IN ( " . getEntity ( $sharedelement , 1 ) . " ) " ;
}
}
elseif ( in_array ( $feature , $checktask ))
{
if ( ! empty ( $conf -> projet -> enabled ) && empty ( $user -> rights -> projet -> all -> lire ))
{
$task = new Task ( $db );
$task -> fetch ( $objectid );
include_once DOL_DOCUMENT_ROOT . '/projet/class/project.class.php' ;
$projectstatic = new Project ( $db );
$tmps = $projectstatic -> getProjectsAuthorizedForUser ( $user , 0 , 1 , 0 );
$tmparray = explode ( ',' , $tmps );
if ( ! in_array ( $task -> fk_project , $tmparray )) return false ;
}
else
{
$sql = " SELECT COUNT(dbt. " . $dbt_select . " ) as nb " ;
$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt " ;
$sql .= " WHERE dbt. " . $dbt_select . " IN ( " . $objectid . " ) " ;
$sql .= " AND dbt.entity IN ( " . getEntity ( $sharedelement , 1 ) . " ) " ;
}
}
elseif ( ! in_array ( $feature , $nocheck )) // By default (case of $checkdefault), we check on object entity + link to third party on field $dbt_keyfield
{
// If external user: Check permission for external users
if ( $user -> socid > 0 )
{
if ( empty ( $dbt_keyfield )) dol_print_error ( '' , 'Param dbt_keyfield is required but not defined' );
$sql = " SELECT COUNT(dbt. " . $dbt_keyfield . " ) as nb " ;
$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt " ;
$sql .= " WHERE dbt.rowid IN ( " . $objectid . " ) " ;
$sql .= " AND dbt. " . $dbt_keyfield . " = " . $user -> socid ;
}
// If internal user: Check permission for internal users that are restricted on their objects
elseif ( ! empty ( $conf -> societe -> enabled ) && ( $user -> rights -> societe -> lire && ! $user -> rights -> societe -> client -> voir ))
{
if ( empty ( $dbt_keyfield )) dol_print_error ( '' , 'Param dbt_keyfield is required but not defined' );
$sql = " SELECT COUNT(sc.fk_soc) as nb " ;
$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt " ;
$sql .= " , " . MAIN_DB_PREFIX . " societe as s " ;
$sql .= " , " . MAIN_DB_PREFIX . " societe_commerciaux as sc " ;
$sql .= " WHERE dbt. " . $dbt_select . " IN ( " . $objectid . " ) " ;
$sql .= " AND sc.fk_soc = dbt. " . $dbt_keyfield ;
$sql .= " AND dbt. " . $dbt_keyfield . " = s.rowid " ;
$sql .= " AND dbt.entity IN ( " . getEntity ( $sharedelement , 1 ) . " ) " ;
$sql .= " AND sc.fk_user = " . $user -> id ;
}
// If multicompany and internal users with all permissions, check user is in correct entity
elseif ( ! empty ( $conf -> multicompany -> enabled ))
{
$sql = " SELECT COUNT(dbt. " . $dbt_select . " ) as nb " ;
$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt " ;
$sql .= " WHERE dbt. " . $dbt_select . " IN ( " . $objectid . " ) " ;
$sql .= " AND dbt.entity IN ( " . getEntity ( $sharedelement , 1 ) . " ) " ;
}
}
if ( $sql )
{
$resql = $db -> query ( $sql );
if ( $resql )
{
$obj = $db -> fetch_object ( $resql );
if ( ! $obj || $obj -> nb < count ( explode ( ',' , $objectid ))) return false ;
}
else
{
return false ;
}
}
}
return true ;
}
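/**
 * Show a message to say access is forbidden and stop program.
 * Calling this function terminates execution of PHP: it never returns to the caller.
 *
 * $message is printed as-is inside the error box so that callers (and the
 * 'getAccessForbiddenMessage' hook) can pass an already formatted HTML fragment.
 * A caller that builds $message from request data must escape it before calling.
 *
 * @param string     $message         Force error message. Empty = translated 'ErrorForbidden'.
 * @param int        $printheader     Show header before (llxHeader, or llxHeaderVierge, when defined)
 * @param int        $printfooter     Show footer after (llxFooter, when defined)
 * @param int        $showonlymessage Show only message parameter. Otherwise add more information (hook output, current login).
 * @param array|null $params          Extra params forwarded as-is to the 'getAccessForbiddenMessage' hook
 * @return void                       Does not return: ends with exit(0)
 */
function accessforbidden($message = '', $printheader = 1, $printfooter = 1, $showonlymessage = 0, $params = null)
{
	global $conf, $db, $user, $langs, $hookmanager;

	// This is low level code and may run before the translation object exists: build a default one.
	if (!is_object($langs))
	{
		include_once DOL_DOCUMENT_ROOT.'/core/class/translate.class.php';
		$langs = new Translate('', $conf);
		$langs->setDefaultLang();
	}
	$langs->load("errors");

	if ($printheader)
	{
		if (function_exists("llxHeader")) llxHeader('');
		elseif (function_exists("llxHeaderVierge")) llxHeaderVierge('');
	}

	print '<div class="error">';
	// NOTE(review): $message is intentionally not HTML-escaped here because callers pass formatted text;
	// it must therefore never be fed directly from untrusted request data.
	if (!$message) print $langs->trans("ErrorForbidden");
	else print $message;
	print '</div>';
	print '<br>';

	if (empty($showonlymessage))
	{
		global $action, $object;
		if (empty($hookmanager))
		{
			// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
			$hookmanager = new HookManager($db);
			$hookmanager->initHooks(array('main'));
		}
		$parameters = array('message'=>$message, 'params'=>$params);
		$reshook = $hookmanager->executeHooks('getAccessForbiddenMessage', $parameters, $object, $action); // Note that $action and $object may have been modified by some hooks
		print $hookmanager->resPrint;
		if (empty($reshook))	// No hook replaced the default explanation
		{
			// empty() keeps the same truth value as the bare property test but stays silent when $user is not an object yet
			if (!empty($user->login))
			{
				// The login is a stored value chosen by a user/admin: encode it before echoing it into HTML
				print $langs->trans("CurrentLogin").': <font class="error">'.dol_escape_htmltag($user->login).'</font><br>';
				print $langs->trans("ErrorForbidden2", $langs->transnoentitiesnoconv("Home"), $langs->transnoentitiesnoconv("Users"));
			}
			else
			{
				print $langs->trans("ErrorForbidden3");
			}
		}
	}

	if ($printfooter && function_exists("llxFooter")) llxFooter();
	exit(0);
}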