diff --git a/htdocs/accountancy/bookkeeping/balance.php b/htdocs/accountancy/bookkeeping/balance.php
index 92945c6c3a6..43ed4e3a09d 100644
--- a/htdocs/accountancy/bookkeeping/balance.php
+++ b/htdocs/accountancy/bookkeeping/balance.php
@@ -70,8 +70,9 @@ $sortfield = GETPOST('sortfield', 'aZ09comma');
 $sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOSTINT('pageplusone') - 1) : GETPOSTINT("page");
 if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) {
+ // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action
 $page = 0;
-} // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action
+}
 $offset = $limit * $page;
 $pageprev = $page - 1;
 $pagenext = $page + 1;
diff --git a/htdocs/accountancy/bookkeeping/export.php b/htdocs/accountancy/bookkeeping/export.php
index fa9c68fa598..4ab238ee4c8 100644
--- a/htdocs/accountancy/bookkeeping/export.php
+++ b/htdocs/accountancy/bookkeeping/export.php
@@ -459,7 +459,7 @@ if (empty($reshook)) {
 $param .= '&search_import_key='.urlencode($search_import_key);
 }
- if ($action == 'setreexport') {
+ if ($action == 'setreexport' && $user->hasRight('accounting', 'mouvements', 'export')) {
 $setreexport = GETPOSTINT('value');
 if (!dolibarr_set_const($db, "ACCOUNTING_REEXPORT", $setreexport, 'yesno', 0, '', $conf->entity)) {
 $error++;
diff --git a/htdocs/accountancy/bookkeeping/list.php b/htdocs/accountancy/bookkeeping/list.php
index 88b34e5cba1..5e286613815 100644
--- a/htdocs/accountancy/bookkeeping/list.php
+++ b/htdocs/accountancy/bookkeeping/list.php
@@ -229,6 +229,8 @@ if (!$user->hasRight('accounting', 'mouvements', 'lire')) {
 accessforbidden();
 }
+$permissiontoadd = $user->hasRight('accounting', 'mouvements', 'creer');
+
 /*
 * Actions
@@ -545,8 +547,8 @@ if (empty($reshook)) {
 }
 // mass actions on lettering
- if (!$error && getDolGlobalInt('ACCOUNTING_ENABLE_LETTERING') && $user->hasRight('accounting', 'mouvements', 'creer')) {
- if ($massaction == 'letteringauto') {
+ if (!$error && getDolGlobalInt('ACCOUNTING_ENABLE_LETTERING')) {
+ if ($massaction == 'letteringauto' && $permissiontoadd) {
 $lettering = new Lettering($db);
 $nb_lettering = $lettering->bookkeepingLetteringAll($toselect);
 if ($nb_lettering < 0) {
@@ -567,7 +569,7 @@ if (empty($reshook)) {
 header('Location: ' . $_SERVER['PHP_SELF'] . '?noreset=1' . $param);
 exit();
 }
- } elseif ($massaction == 'letteringmanual') {
+ } elseif ($massaction == 'letteringmanual' && $permissiontoadd) {
 $lettering = new Lettering($db);
 $result = $lettering->updateLettering($toselect);
 if ($result < 0) {
@@ -577,7 +579,7 @@ if (empty($reshook)) {
 header('Location: ' . $_SERVER['PHP_SELF'] . '?noreset=1' . $param);
 exit();
 }
- } elseif ($action == 'unletteringauto' && $confirm == "yes") {
+ } elseif ($action == 'unletteringauto' && $confirm == "yes" && $permissiontoadd) {
 $lettering = new Lettering($db);
 $nb_lettering = $lettering->bookkeepingLetteringAll($toselect, true);
 if ($nb_lettering < 0) {
@@ -598,7 +600,7 @@ if (empty($reshook)) {
 header('Location: ' . $_SERVER['PHP_SELF'] . '?noreset=1' . $param);
 exit();
 }
- } elseif ($action == 'unletteringmanual' && $confirm == "yes") {
+ } elseif ($action == 'unletteringmanual' && $confirm == "yes" && $permissiontoadd) {
 $lettering = new Lettering($db);
 $nb_lettering = $lettering->deleteLettering($toselect);
 if ($nb_lettering < 0) {
diff --git a/htdocs/accountancy/bookkeeping/listbyaccount.php b/htdocs/accountancy/bookkeeping/listbyaccount.php
index 4c2fad27f0d..1e101b2de63 100644
--- a/htdocs/accountancy/bookkeeping/listbyaccount.php
+++ b/htdocs/accountancy/bookkeeping/listbyaccount.php
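Review bot: Moving the `creer` test off the outer condition and repeating `$permissiontoadd` on each of the four branches means a user without `accounting/mouvements/creer` now silently falls through to the view with no `accessforbidden()` and no message, and any branch added to this chain later has to remember the check. Since every branch in the `if`/`elseif` chain requires the same right, the guard can stay where it was and still use the new variable, `if (!$error && getDolGlobalInt('ACCOUNTING_ENABLE_LETTERING') && $permissiontoadd) {`, which is equivalent to the removed line. The same restructuring is in the listbyaccount.php hunk at -506. The enclosing `if (empty($reshook))` block starts and ends outside the hunk.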
@@ -214,6 +214,8 @@ if (!$user->hasRight('accounting', 'mouvements', 'lire')) {
 $error = 0;
+$permissiontoadd = $user->hasRight('accounting', 'mouvements', 'creer');
+
 /*
 * Action
@@ -506,8 +508,8 @@ if (empty($reshook)) {
 }
 // others mass actions
- if (!$error && getDolGlobalInt('ACCOUNTING_ENABLE_LETTERING') && $user->hasRight('accounting', 'mouvements', 'creer')) {
- if ($massaction == 'letteringauto') {
+ if (!$error && getDolGlobalInt('ACCOUNTING_ENABLE_LETTERING')) {
+ if ($massaction == 'letteringauto' && $permissiontoadd) {
 $lettering = new Lettering($db);
 $nb_lettering = $lettering->bookkeepingLetteringAll($toselect);
 if ($nb_lettering < 0) {
@@ -528,7 +530,7 @@ if (empty($reshook)) {
 header('Location: ' . $_SERVER['PHP_SELF'] . '?noreset=1' . $param);
 exit();
 }
- } elseif ($massaction == 'letteringmanual') {
+ } elseif ($massaction == 'letteringmanual' && $permissiontoadd) {
 $lettering = new Lettering($db);
 $result = $lettering->updateLettering($toselect);
 if ($result < 0) {
@@ -548,7 +550,7 @@ if (empty($reshook)) {
 header('Location: ' . $_SERVER['PHP_SELF'] . '?noreset=1' . $param);
 exit();
 }
- } elseif ($action == 'unletteringauto' && $confirm == "yes") {
+ } elseif ($action == 'unletteringauto' && $confirm == "yes" && $permissiontoadd) {
 $lettering = new Lettering($db);
 $nb_lettering = $lettering->bookkeepingLetteringAll($toselect, true);
 if ($nb_lettering < 0) {
@@ -569,7 +571,7 @@ if (empty($reshook)) {
 header('Location: ' . $_SERVER['PHP_SELF'] . '?noreset=1' . $param);
 exit();
 }
- } elseif ($action == 'unletteringmanual' && $confirm == "yes") {
+ } elseif ($action == 'unletteringmanual' && $confirm == "yes" && $permissiontoadd) {
 $lettering = new Lettering($db);
 $nb_lettering = $lettering->deleteLettering($toselect);
 if ($result < 0) {
diff --git a/htdocs/accountancy/customer/index.php b/htdocs/accountancy/customer/index.php
index 59e31753f39..b1b82d35735 100644
--- a/htdocs/accountancy/customer/index.php
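Review bot: In the `unletteringmanual` branch the return of `$lettering->deleteLettering($toselect)` is stored in `$nb_lettering` but the very next line tests `$result < 0`, a variable left over from an earlier branch, so a failed deletion is never reported; the counterpart in list.php at -598 tests `$nb_lettering`. Change the check to `if ($nb_lettering < 0) {`. The branch body continues outside the hunk.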
+++ b/htdocs/accountancy/customer/index.php
@@ -118,7 +118,7 @@ if (($action == 'clean' || $action == 'validatehistory') && $user->hasRight('acc
 // End clean database
 }
-if ($action == 'validatehistory') {
+if ($action == 'validatehistory' && $user->hasRight('accounting', 'bind', 'write')) {
 $error = 0;
 $nbbinddone = 0;
 $nbbindfailed = 0;
diff --git a/htdocs/accountancy/expensereport/index.php b/htdocs/accountancy/expensereport/index.php
index 1b272d2daee..f3dbc54f78a 100644
--- a/htdocs/accountancy/expensereport/index.php
+++ b/htdocs/accountancy/expensereport/index.php
@@ -100,7 +100,7 @@ if (($action == 'clean' || $action == 'validatehistory') && $user->hasRight('acc
 // End clean database
 }
-if ($action == 'validatehistory') {
+if ($action == 'validatehistory' && $user->hasRight('accounting', 'bind', 'write')) {
 $error = 0;
 $nbbinddone = 0;
 $nbbindfailed = 0;
diff --git a/htdocs/accountancy/journal/bankjournal.php b/htdocs/accountancy/journal/bankjournal.php
index a0a4b0ea48f..cddde9a1fb3 100644
--- a/htdocs/accountancy/journal/bankjournal.php
+++ b/htdocs/accountancy/journal/bankjournal.php
@@ -611,25 +611,6 @@ if ($result) {
 $tabtp[$obj->rowid]['NotDefined'] = $tabbq[$obj->rowid][$compta_bank];
 }
- // Check account number is ok
- /*if ($action == 'writebookkeeping') // Make test now in such a case
- {
- reset($tabbq[$obj->rowid]);
- $first_key_tabbq = key($tabbq[$obj->rowid]);
- if (empty($first_key_tabbq))
- {
- $error++;
- setEventMessages($langs->trans('ErrorAccountancyCodeOnBankAccountNotDefined', $obj->baref), null, 'errors');
- }
- reset($tabtp[$obj->rowid]);
- $first_key_tabtp = key($tabtp[$obj->rowid]);
- if (empty($first_key_tabtp))
- {
- $error++;
- setEventMessages($langs->trans('ErrorAccountancyCodeOnThirdPartyNotDefined'), null, 'errors');
- }
- }*/
-
 // if($obj->socid)$tabtp[$obj->rowid][$compta_soc] += $amounttouse;
 $i++;
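Review bot: A user who passes the earlier `$user->hasRight('acc…')` test on `'clean' || 'validatehistory'` (visible, truncated, in the hunk header) but lacks `accounting/bind/write` will now have the clean step executed and the validation step skipped without any message, if the two tests are not the same right. Confirm they are, or make the denied case visible with `} else { accessforbidden(); }` after the new block. The same pattern is in expensereport/index.php at -100 and supplier/index.php at -105.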
@@ -646,7 +627,7 @@ if ($result) {
 //var_dump($tabtype);
 // Write bookkeeping
-if (!$error && $action == 'writebookkeeping') {
+if (!$error && $action == 'writebookkeeping' && $user->hasRight('accounting', 'bind', 'write')) {
 $now = dol_now();
 $accountingaccountcustomer = new AccountingAccount($db);
@@ -980,7 +961,7 @@ if (!$error && $action == 'writebookkeeping') {
 // Export
-if ($action == 'exportcsv') { // ISO and not UTF8 !
+if ($action == 'exportcsv' && $user->hasRight('accounting', 'bind', 'write')) { // ISO and not UTF8 !
 $sep = getDolGlobalString('ACCOUNTING_EXPORT_SEPARATORCSV');
 $filename = 'journal';
diff --git a/htdocs/accountancy/journal/expensereportsjournal.php b/htdocs/accountancy/journal/expensereportsjournal.php
index 4bafec08367..324b5e168a6 100644
--- a/htdocs/accountancy/journal/expensereportsjournal.php
+++ b/htdocs/accountancy/journal/expensereportsjournal.php
@@ -246,7 +246,7 @@ while ($i < $num) {
 }
 // Bookkeeping Write
-if ($action == 'writebookkeeping' && !$error) {
+if ($action == 'writebookkeeping' && !$error && $user->hasRight('accounting', 'bind', 'write')) {
 $now = dol_now();
 $error = 0;
diff --git a/htdocs/accountancy/journal/purchasesjournal.php b/htdocs/accountancy/journal/purchasesjournal.php
index 6b19752351b..f5f41f05fab 100644
--- a/htdocs/accountancy/journal/purchasesjournal.php
+++ b/htdocs/accountancy/journal/purchasesjournal.php
@@ -392,7 +392,7 @@ while ($i < $num) {
 // Bookkeeping Write
-if ($action == 'writebookkeeping' && !$error) {
+if ($action == 'writebookkeeping' && !$error && $user->hasRight('accounting', 'bind', 'write')) {
 $now = dol_now();
 $error = 0;
diff --git a/htdocs/accountancy/journal/sellsjournal.php b/htdocs/accountancy/journal/sellsjournal.php
index 37327508d78..070a0c828e6 100644
--- a/htdocs/accountancy/journal/sellsjournal.php
+++ b/htdocs/accountancy/journal/sellsjournal.php
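Review bot: The CSV export is gated on `accounting/bind/write`, a write right, while the export.php hunk in this same commit gates the re-export setting on `accounting/mouvements/export`; confirm which right is meant for exporting a journal, since the current choice locks read-only accounting users out of the export without the condition saying why. If `bind/write` is deliberate, put a one-line comment above the condition such as `// Export needs the bind/write right because …` so the next reader does not swap it. The same choice is made in variousjournal.php at -133.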
@@ -419,7 +419,7 @@ if ($resql) {
 //var_dump($errorforinvoice);exit;
 // Bookkeeping Write
-if ($action == 'writebookkeeping' && !$error) {
+if ($action == 'writebookkeeping' && !$error && $user->hasRight('accounting', 'bind', 'write')) {
 $now = dol_now();
 $error = 0;
diff --git a/htdocs/accountancy/journal/variousjournal.php b/htdocs/accountancy/journal/variousjournal.php
index 78a38fac98e..5ba196ae95d 100644
--- a/htdocs/accountancy/journal/variousjournal.php
+++ b/htdocs/accountancy/journal/variousjournal.php
@@ -114,7 +114,7 @@ $reshook = $hookmanager->executeHooks('doActions', $parameters, $user, $action);
 $reload = false;
 // Bookkeeping Write
-if ($action == 'writebookkeeping') {
+if ($action == 'writebookkeeping' && $user->hasRight('accounting', 'bind', 'write')) {
 $error = 0;
 $result = $object->writeIntoBookkeeping($user, $journal_data);
@@ -133,7 +133,7 @@ if ($action == 'writebookkeeping') {
 }
 $reload = true;
-} elseif ($action == 'exportcsv') {
+} elseif ($action == 'exportcsv' && $user->hasRight('accounting', 'bind', 'write')) {
 // Export CSV
 $result = $object->exportCsv($journal_data, $date_end);
 if ($result < 0) {
diff --git a/htdocs/accountancy/supplier/index.php b/htdocs/accountancy/supplier/index.php
index 12618d74181..bb9572bc879 100644
--- a/htdocs/accountancy/supplier/index.php
+++ b/htdocs/accountancy/supplier/index.php
@@ -105,7 +105,7 @@ if (($action == 'clean' || $action == 'validatehistory') && $user->hasRight('acc
 // End clean database
 }
-if ($action == 'validatehistory') {
+if ($action == 'validatehistory' && $user->hasRight('accounting', 'bind', 'write')) {
 $error = 0;
 $nbbinddone = 0;
 $nbbindfailed = 0;
diff --git a/htdocs/adherents/card.php b/htdocs/adherents/card.php
index e9a5b94e0e9..a063e079345 100644
--- a/htdocs/adherents/card.php
+++ b/htdocs/adherents/card.php
@@ -57,6 +57,7 @@ $langs->loadLangs(array("companies", "bills", "members", "users", "other", "payp
 $action = GETPOST('action', 'aZ09');
 $cancel = GETPOST('cancel', 'alpha');
 $backtopage = GETPOST('backtopage', 'alpha');
+$backtopageforcancel = GETPOST('backtopageforcancel', 'alpha'); // if not set, $backtopage will be used
 $confirm = GETPOST('confirm', 'alpha');
 $rowid = GETPOSTINT('rowid');
 $id = GETPOST('id') ? GETPOSTINT('id') : $rowid;
@@ -182,7 +183,7 @@ if (empty($reshook)) {
 }
 }
- if ($action == 'setsocid') {
+ if ($action == 'setsocid' && $caneditfieldmember) {
 $error = 0;
 if (!$error) {
 if ($socid != $object->socid) { // If link differs from currently in database
diff --git a/htdocs/adherents/type_translation.php b/htdocs/adherents/type_translation.php
index e8b20ff6afe..d4a3324b3cc 100644
--- a/htdocs/adherents/type_translation.php
+++ b/htdocs/adherents/type_translation.php
@@ -60,7 +60,7 @@ if ($cancel == $langs->trans("Cancel")) {
 $action = '';
 }
-if ($action == 'delete' && GETPOST('langtodelete', 'alpha')) {
+if ($action == 'delete' && GETPOST('langtodelete', 'alpha') && $user->hasRight('adherent', 'configurer')) {
 $object = new AdherentType($db);
 $object->fetch($id);
 $result = $object->delMultiLangs(GETPOST('langtodelete', 'alpha'), $user);
diff --git a/htdocs/asset/accountancy_codes.php b/htdocs/asset/accountancy_codes.php
index 3a784387e0c..d24a6200fbc 100644
--- a/htdocs/asset/accountancy_codes.php
+++ b/htdocs/asset/accountancy_codes.php
@@ -116,7 +116,7 @@ if (empty($reshook)) {
 $action = '';
 }
- if ($action == "update") {
+ if ($action == "update" && $permissiontoadd) {
 $assetaccountancycodes->setAccountancyCodesFromPost();
 $result = $assetaccountancycodes->updateAccountancyCodes($user, $object->id);
diff --git a/htdocs/asset/card.php b/htdocs/asset/card.php
index 75b72fb03a7..2be78c16820 100644
--- a/htdocs/asset/card.php
+++ b/htdocs/asset/card.php
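Review bot: `$backtopageforcancel` is read with the `'alpha'` filter and, per its comment, stands in for `$backtopage`, which elsewhere in this commit is sent verbatim to `header("Location: ".$backtopage)` (categories/card.php); `'alpha'` does not restrict the value to a local path, so if it reaches a redirect unchanged an absolute URL supplied in the request would be followed. Where the value is consumed (outside this hunk), check that it is a relative path before redirecting, or document the existing check in the comment, e.g. `// validated as a local path before any redirect`.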
@@ -135,7 +135,7 @@ if (empty($reshook)) {
 setEventMessages($object->error, $object->errors, 'errors');
 }
 $action = '';
- } elseif ($action == "add") {
+ } elseif ($action == "add" && $permissiontoadd) {
 $object->supplier_invoice_id = GETPOSTINT('supplier_invoice_id');
 }
diff --git a/htdocs/asset/depreciation_options.php b/htdocs/asset/depreciation_options.php
index 7fe8e940b4e..91fb456c22c 100644
--- a/htdocs/asset/depreciation_options.php
+++ b/htdocs/asset/depreciation_options.php
@@ -110,7 +110,7 @@ if (empty($reshook)) {
 $action = '';
 }
- if ($action == "update") {
+ if ($action == "update" && $permissiontoadd) {
 $result = $assetdepreciationoptions->setDeprecationOptionsFromPost();
 if ($result > 0) {
 $result = $assetdepreciationoptions->updateDeprecationOptions($user, $object->id);
diff --git a/htdocs/asset/model/accountancy_codes.php b/htdocs/asset/model/accountancy_codes.php
index b19b5c0e889..a990d772ba8 100644
--- a/htdocs/asset/model/accountancy_codes.php
+++ b/htdocs/asset/model/accountancy_codes.php
@@ -108,7 +108,7 @@ if (empty($reshook)) {
 $action = '';
 }
- if ($action == "update") {
+ if ($action == "update" && $permissiontoadd) {
 $assetaccountancycodes->setAccountancyCodesFromPost();
 $result = $assetaccountancycodes->updateAccountancyCodes($user, 0, $object->id);
diff --git a/htdocs/asset/model/depreciation_options.php b/htdocs/asset/model/depreciation_options.php
index 5919450549a..02e37b83242 100644
--- a/htdocs/asset/model/depreciation_options.php
+++ b/htdocs/asset/model/depreciation_options.php
@@ -110,7 +110,7 @@ if (empty($reshook)) {
 $action = '';
 }
- if ($action == "update") {
+ if ($action == "update" && $permissiontoadd) {
 $result = $assetdepreciationoptions->setDeprecationOptionsFromPost(1);
 if ($result > 0) {
 $result = $assetdepreciationoptions->updateDeprecationOptions($user, 0, $object->id);
diff --git a/htdocs/barcode/codeinit.php b/htdocs/barcode/codeinit.php
index dd11e60e242..2beb45caee2 100644
--- a/htdocs/barcode/codeinit.php
+++ b/htdocs/barcode/codeinit.php
@@ -96,7 +96,7 @@ if (getDolGlobalString('BARCODE_THIRDPARTY_ADDON_NUM')) {
 }
 }
-if ($action == 'initbarcodethirdparties') {
+if ($action == 'initbarcodethirdparties' && $user->hasRight('societe', 'lire')) {
 if (!is_object($modBarCodeThirdparty)) {
 $error++;
 setEventMessages($langs->trans("NoBarcodeNumberingTemplateDefined"), null, 'errors');
@@ -202,7 +202,7 @@ if (getDolGlobalString('BARCODE_PRODUCT_ADDON_NUM')) {
 }
 }
-if ($action == 'initbarcodeproducts') {
+if ($action == 'initbarcodeproducts' && $user->hasRight('produit', 'lire')) {
 if (!is_object($modBarCodeProduct)) {
 $error++;
 setEventMessages($langs->trans("NoBarcodeNumberingTemplateDefined"), null, 'errors');
diff --git a/htdocs/barcode/printsheet.php b/htdocs/barcode/printsheet.php
index a59a19155fd..f594b3f9253 100644
--- a/htdocs/barcode/printsheet.php
+++ b/htdocs/barcode/printsheet.php
@@ -122,7 +122,7 @@ if (empty($reshook)) {
 }
 }
- if ($action == 'builddoc') {
+ if ($action == 'builddoc' && $user->hasRight('barcode', 'read')) {
 $result = 0;
 $error = 0;
diff --git a/htdocs/bom/bom_net_needs.php b/htdocs/bom/bom_net_needs.php
index 52e2e0e1340..d55fde762e4 100644
--- a/htdocs/bom/bom_net_needs.php
+++ b/htdocs/bom/bom_net_needs.php
@@ -115,13 +115,6 @@ if (empty($reshook)) {
 }
 }
 }
-
- $TChildBom = array();
- if ($action == 'treeview') {
- $object->getNetNeedsTree($TChildBom, 1);
- } else {
- $object->getNetNeeds($TChildBom, 1);
- }
 }
@@ -134,9 +127,18 @@ $formfile = new FormFile($db);
 $title = $langs->trans('BOM');
 $help_url ='EN:Module_BOM';
+
 llxHeader('', $title, $help_url, '', 0, 0, '', '', '', 'mod-bom page-net_needs');
+$TChildBom = array();
+if ($action == 'treeview') {
+ $object->getNetNeedsTree($TChildBom, 1);
+} else {
+ $object->getNetNeeds($TChildBom, 1);
+}
+
+
 // Part to show record
 if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'create'))) {
 $head = bomPrepareHead($object);
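Review bot: `initbarcodethirdparties` is gated on `societe/lire` and `initbarcodeproducts` on `produit/lire`, yet from the hunk these actions generate and assign barcode numbers (the error path complains about a missing numbering template), i.e. they write to every affected record, and a read right is a weak gate for a mass update. Confirm whether a create/modify-level right on thirdparties and products was intended, and if read is really sufficient say so above each condition, e.g. `// Read right is enough here because …`. The rest of each action body is outside the hunk.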
diff --git a/htdocs/bookmarks/card.php b/htdocs/bookmarks/card.php
index 47eece588dd..85e2fb7daa3 100644
--- a/htdocs/bookmarks/card.php
+++ b/htdocs/bookmarks/card.php
@@ -64,8 +64,8 @@ $permissiontodelete = $user->hasRight('bookmark', 'supprimer');
 * Actions
 */
-if ($action == 'add' || $action == 'addproduct' || $action == 'update') {
- if ($action == 'update') {
+if (($action == 'add' || $action == 'addproduct' || $action == 'update') && $permissiontoadd) {
+ if ($action == 'update') { // Test on permission already done
 $invertedaction = 'edit';
 } else {
 $invertedaction = 'create';
@@ -81,7 +81,7 @@ if ($action == 'add' || $action == 'addproduct' || $action == 'update') {
 exit;
 }
- if ($action == 'update') {
+ if ($action == 'update') { // Test on permission already done
 $object->fetch(GETPOSTINT("id"));
 }
 // Check if null because user not admin can't set an user and send empty value here.
@@ -106,7 +106,7 @@ if ($action == 'add' || $action == 'addproduct' || $action == 'update') {
 if (!$error) {
 $object->favicon = 'none';
- if ($action == 'update') {
+ if ($action == 'update') { // Test on permission already done
 $res = $object->update();
 } else {
 $res = $object->create();
diff --git a/htdocs/categories/card.php b/htdocs/categories/card.php
index 16df2233d80..9e16855c396 100644
--- a/htdocs/categories/card.php
+++ b/htdocs/categories/card.php
@@ -100,6 +100,7 @@ $error = 0;
 /*
 * Actions
 */
+
 $parameters = array('socid' => $socid, 'origin' => $origin, 'catorigin' => $catorigin, 'type' => $type, 'urlfrom' => $urlfrom, 'backtopage' => $backtopage, 'label' => $label, 'description' => $description, 'color' => $color, 'position' => $position, 'visible' => $visible, 'parent' => $parent);
 // Note that $action and $object may be modified by some hooks
 $reshook = $hookmanager->executeHooks('doActions', $parameters, $object, $action);
@@ -174,42 +175,40 @@ if (empty($reshook)) {
 }
 }
 }
- // Confirm action
- if (($action == 'add' || $action == 'confirmed') && $user->hasRight('categorie', 'creer')) {
- // Action confirmation of creation category
- if ($action == 'confirmed') {
- if ($urlfrom) {
- header("Location: ".$urlfrom);
- exit;
- } elseif ($backtopage) {
- header("Location: ".$backtopage);
- exit;
- } elseif ($idProdOrigin) {
- header("Location: ".DOL_URL_ROOT.'/categories/viewcat.php?id='.$idProdOrigin.'&type='.$type.'&mesg='.urlencode($langs->trans("CatCreated")));
- exit;
- } elseif ($idCompanyOrigin) {
- header("Location: ".DOL_URL_ROOT.'/categories/viewcat.php?id='.$idCompanyOrigin.'&type='.$type.'&mesg='.urlencode($langs->trans("CatCreated")));
- exit;
- } elseif ($idSupplierOrigin) {
- header("Location: ".DOL_URL_ROOT.'/categories/viewcat.php?id='.$idSupplierOrigin.'&type='.$type.'&mesg='.urlencode($langs->trans("CatCreated")));
- exit;
- } elseif ($idMemberOrigin) {
- header("Location: ".DOL_URL_ROOT.'/categories/viewcat.php?id='.$idMemberOrigin.'&type='.$type.'&mesg='.urlencode($langs->trans("CatCreated")));
- exit;
- } elseif ($idContactOrigin) {
- header("Location: ".DOL_URL_ROOT.'/categories/viewcat.php?id='.$idContactOrigin.'&type='.$type.'&mesg='.urlencode($langs->trans("CatCreated")));
- exit;
- } elseif ($idProjectOrigin) {
- header("Location: ".DOL_URL_ROOT.'/categories/viewcat.php?id='.$idProjectOrigin.'&type='.$type.'&mesg='.urlencode($langs->trans("CatCreated")));
- exit;
- }
-
- header("Location: ".DOL_URL_ROOT.'/categories/viewcat.php?id='.$result.'&type='.$type);
+ // Action confirmation of creation category
+ if ($action == 'confirmed' && $user->hasRight('categorie', 'creer')) {
+ if ($urlfrom) {
+ header("Location: ".$urlfrom);
+ exit;
+ } elseif ($backtopage) {
+ header("Location: ".$backtopage);
+ exit;
+ } elseif ($idProdOrigin) {
+ header("Location: 
".DOL_URL_ROOT.'/categories/viewcat.php?id='.$idProdOrigin.'&type='.$type.'&mesg='.urlencode($langs->trans("CatCreated"))); + exit; + } elseif ($idCompanyOrigin) { + header("Location: ".DOL_URL_ROOT.'/categories/viewcat.php?id='.$idCompanyOrigin.'&type='.$type.'&mesg='.urlencode($langs->trans("CatCreated"))); + exit; + } elseif ($idSupplierOrigin) { + header("Location: ".DOL_URL_ROOT.'/categories/viewcat.php?id='.$idSupplierOrigin.'&type='.$type.'&mesg='.urlencode($langs->trans("CatCreated"))); + exit; + } elseif ($idMemberOrigin) { + header("Location: ".DOL_URL_ROOT.'/categories/viewcat.php?id='.$idMemberOrigin.'&type='.$type.'&mesg='.urlencode($langs->trans("CatCreated"))); + exit; + } elseif ($idContactOrigin) { + header("Location: ".DOL_URL_ROOT.'/categories/viewcat.php?id='.$idContactOrigin.'&type='.$type.'&mesg='.urlencode($langs->trans("CatCreated"))); + exit; + } elseif ($idProjectOrigin) { + header("Location: ".DOL_URL_ROOT.'/categories/viewcat.php?id='.$idProjectOrigin.'&type='.$type.'&mesg='.urlencode($langs->trans("CatCreated"))); exit; } + + header("Location: ".DOL_URL_ROOT.'/categories/viewcat.php?id='.$result.'&type='.$type); + exit; } } + /* * View */ diff --git a/htdocs/categories/photos.php b/htdocs/categories/photos.php index b3680e517a5..67007b7dad3 100644 --- a/htdocs/categories/photos.php +++ b/htdocs/categories/photos.php @@ -51,9 +51,6 @@ if ($id == '' && $label == '') { // Initialize a technical object to manage hooks. Note that conf->hooks_modules contains array array $hookmanager->initHooks(array('categorycard')); -// Security check -$result = restrictedArea($user, 'categorie', $id, '&category'); - $object = new Categorie($db); $result = $object->fetch($id, $label); if ($result <= 0) { 
@@ -68,9 +65,16 @@ if (is_numeric($type)) {
 $upload_dir = $conf->categorie->multidir_output[$object->entity];
+// Security check
+$result = restrictedArea($user, 'categorie', $id, '&category');
+
+$permissiontoadd = $user->hasRight('categorie', 'creer');
+
+
 /*
 * Actions
 */
+
 $parameters = array('id' => $id, 'label' => $label, 'confirm' => $confirm, 'type' => $type, 'uploaddir' => $upload_dir, 'sendfile' => (GETPOST("sendit") ? true : false));
 // Note that $action and $object may be modified by some hooks
 $reshook = $hookmanager->executeHooks('doActions', $parameters, $object, $action);
@@ -97,11 +101,11 @@ if (empty($reshook)) {
 }
 }
- if ($action == 'confirm_delete' && GETPOST("file") && $confirm == 'yes' && $user->hasRight('categorie', 'creer')) {
+ if ($action == 'confirm_delete' && GETPOST("file") && $confirm == 'yes' && $permissiontoadd) {
 $object->delete_photo($upload_dir."/".GETPOST("file"));
 }
- if ($action == 'addthumb' && GETPOST("file")) {
+ if ($action == 'addthumb' && GETPOST("file") && $permissiontoadd) {
 $object->addThumbs($upload_dir."/".GETPOST("file"));
 }
 }
diff --git a/htdocs/categories/traduction.php b/htdocs/categories/traduction.php
index 4690a5f8048..8ecd22e6c19 100644
--- a/htdocs/categories/traduction.php
+++ b/htdocs/categories/traduction.php
@@ -46,9 +46,6 @@ if ($id == '' && $label == '') {
 exit();
 }
-// Security check
-$result = restrictedArea($user, 'categorie', $id, '&category');
-
 $object = new Categorie($db);
 $result = $object->fetch($id, $label);
 if ($result <= 0) {
@@ -61,6 +58,11 @@ if (is_numeric($type)) {
 $type = Categorie::$MAP_ID_TO_CODE[$type]; // For backward compatibility
 }
+// Security check
+$result = restrictedArea($user, 'categorie', $id, '&category');
+
+$permissiontoadd = $user->hasRight('categorie', 'creer');
+
 /*
 * Actions
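Review bot: `restrictedArea()` now runs after `$object->fetch($id, $label)` and, in photos.php, after `$upload_dir` is derived from the fetched entity, so the record is read before the access check; and because `$id` is still the raw request value, a request that reached the page by `$label` with an empty `$id` passes the same empty object id to `restrictedArea()` as before, so the reordering gains nothing unless the id is refreshed. If the intent is to check the resolved category, add `$id = $object->id;` immediately before the check; otherwise move the check back above the fetch. The same reordering is in traduction.php at -46/-61 and in photos.php at -51.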
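Review bot: Both branches pass `GETPOST("file")` with no filter argument straight into a path, `$upload_dir."/".GETPOST("file")`, so the only thing between the request value and the filesystem is whatever `delete_photo()`/`addThumbs()` do with it; other parameters on this page are read with an explicit filter. Reduce the value to a file name before building the path, e.g. `$filetoprocess = basename(GETPOST("file", 'alpha'));`, and use it in both calls, or document the sanitisation performed downstream. The enclosing `if (empty($reshook))` block starts outside the hunk.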
@@ -75,9 +77,7 @@ if ($cancel == $langs->trans("Cancel")) {
 // validation of addition
-if ($action == 'vadd' &&
-$cancel != $langs->trans("Cancel") &&
-($user->hasRight('categorie', 'creer'))) {
+if ($action == 'vadd' && $cancel != $langs->trans("Cancel") && $permissiontoadd) {
 $object->fetch($id);
 $current_lang = $langs->getDefaultLang();
@@ -124,9 +124,7 @@ $cancel != $langs->trans("Cancel") &&
 }
 // validation of the edition
-if ($action == 'vedit' &&
-$cancel != $langs->trans("Cancel") &&
-($user->hasRight('categorie', 'creer'))) {
+if ($action == 'vedit' && $cancel != $langs->trans("Cancel") && $permissiontoadd) {
 $object->fetch($id);
 $current_lang = $langs->getDefaultLang();
diff --git a/htdocs/collab/index.php b/htdocs/collab/index.php
index 8b8b8f5df1a..c9fd48dd5e7 100644
--- a/htdocs/collab/index.php
+++ b/htdocs/collab/index.php
@@ -77,7 +77,8 @@ if (empty($action)) {
 $action = 'preview';
 }
-
+$permissiontoadd = $user->hasRight('collab', 'read');
+$permissiontodelete = $user->hasRight('collab', 'delete');
 /*
@@ -93,7 +94,7 @@ if (GETPOST('refreshpage')) {
 // Add a collab page
-if ($action == 'add') {
+if ($action == 'add' && $permissiontoadd) {
 $db->begin();
 $objectpage->title = GETPOST('WEBSITE_TITLE');
@@ -126,7 +127,7 @@ if ($action == 'add') {
 }
 // Update page
-if ($action == 'delete') {
+if ($action == 'delete' && $permissiontodelete) {
 $db->begin();
 $res = $object->fetch(0, $website);
diff --git a/htdocs/comm/action/card.php b/htdocs/comm/action/card.php
index 4833d12081a..6f1d416c2c9 100644
--- a/htdocs/comm/action/card.php
+++ b/htdocs/comm/action/card.php
@@ -185,10 +185,10 @@ if (empty($reshook) && (GETPOST('removedassigned') || GETPOST('removedassigned')
 $_SESSION['assignedtouser'] = json_encode($tmpassigneduserids);
 $donotclearsession = 1;
- if ($action == 'add') {
+ if ($action == 'add' && $usercancreate) {
 $action = 'create';
 }
- if ($action == 'update') {
+ if ($action == 'update' && $usercancreate) {
 $action = 'edit';
 }
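Review bot: `$permissiontoadd` is assigned from `$user->hasRight('collab', 'read')`, so the `add` action at -93 is gated on a read right while `delete` is gated on `collab/delete`; a variable named `…toadd` bound to a read right is either a typo or needs an explanation. If the module has a write/create right, use it here; if read is deliberately sufficient, rename the variable or add a comment such as `// read is enough: every reader may add pages` so the mismatch is not 'corrected' later.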
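Review bot: The comment `// Update page` above the condition at -126 describes the wrong action; the block handles `$action == 'delete'` and starts a transaction before fetching the object. Change it to `// Delete page`. The block continues outside the hunk.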
@@ -212,10 +212,10 @@ if (empty($reshook) && (GETPOST('removedassignedresource') || GETPOST('removedas
 $_SESSION['assignedtoresource'] = json_encode($tmpassignedresourceids);
 $donotclearsessionresource = 1;
- if ($action == 'add') {
+ if ($action == 'add' && $usercancreate) {
 $action = 'create';
 }
- if ($action == 'update') {
+ if ($action == 'update' && $usercancreate) {
 $action = 'edit';
 }
@@ -234,10 +234,10 @@ if (empty($reshook) && (GETPOST('addassignedtouser') || GETPOST('updateassignedt
 $_SESSION['assignedtouser'] = json_encode($assignedtouser);
 }
 $donotclearsession = 1;
- if ($action == 'add') {
+ if ($action == 'add' && $usercancreate) {
 $action = 'create';
 }
- if ($action == 'update') {
+ if ($action == 'update' && $usercancreate) {
 $action = 'edit';
 }
@@ -256,10 +256,10 @@ if (empty($reshook) && (GETPOST('addassignedtoresource') || GETPOST('updateassig
 $_SESSION['assignedtoresource'] = json_encode($assignedtoresource);
 }
 $donotclearsession = 1;
- if ($action == 'add') {
+ if ($action == 'add' && $usercancreate) {
 $action = 'create';
 }
- if ($action == 'update') {
+ if ($action == 'update' && $usercancreate) {
 $action = 'edit';
 }
@@ -274,7 +274,7 @@ if (empty($reshook) && $action == 'classin' && ($user->hasRight('agenda', 'allac
 }
 // Action clone object
-if (empty($reshook) && $action == 'confirm_clone' && $confirm == 'yes') {
+if (empty($reshook) && $action == 'confirm_clone' && $confirm == 'yes' && $usercancreate) {
 if (1 == 0 && !GETPOST('clone_content') && !GETPOST('clone_receivers')) {
 setEventMessages($langs->trans("NoCloneOptionsSpecified"), null, 'errors');
 } else {
@@ -297,7 +297,7 @@ if (empty($reshook) && $action == 'confirm_clone' && $confirm == 'yes') {
 }
 // Add event
-if (empty($reshook) && $action == 'add') {
+if (empty($reshook) && $action == 'add' && $usercancreate) {
 $error = 0;
 if (empty($backtopage)) {
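Review bot: The first branch inside the clone block is dead: `if (1 == 0 && !GETPOST('clone_content') && !GETPOST('clone_receivers'))` can never be true, so the `NoCloneOptionsSpecified` message is unreachable and the clone always proceeds. Either drop the `1 == 0 &&` prefix if the option check is wanted now that the action is permission-gated, or remove the branch and its message; a disabled condition left in place without a comment is a maintenance trap. The `else` branch continues outside the hunk.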
@@ -735,10 +735,8 @@ if (empty($reshook) && $action == 'add') {
 }
 }
-/*
- * Action update event
- */
-if (empty($reshook) && $action == 'update') {
+// Action update event
+if (empty($reshook) && $action == 'update' && $usercancreate) {
 if (empty($cancel)) {
 $fulldayevent = GETPOST('fullday');
 $aphour = GETPOSTINT('aphour');
diff --git a/htdocs/comm/action/rapport/index.php b/htdocs/comm/action/rapport/index.php
index 89a8d5f87e8..5c0b8b4d821 100644
--- a/htdocs/comm/action/rapport/index.php
+++ b/htdocs/comm/action/rapport/index.php
@@ -66,7 +66,7 @@ if (!$user->hasRight("agenda", "allactions", "read")) {
 * Actions
 */
-if ($action == 'builddoc') {
+if ($action == 'builddoc' && $user->hasRight("agenda", "allactions", "read")) {
 require_once DOL_DOCUMENT_ROOT.'/core/modules/action/doc/pdf_standard_actions.class.php';
 $cat = new pdf_standard_actions($db, $month, $year);
diff --git a/htdocs/comm/card.php b/htdocs/comm/card.php
index b1cdf0c7da4..96b99cc7f00 100644
--- a/htdocs/comm/card.php
+++ b/htdocs/comm/card.php
@@ -162,7 +162,7 @@ if (empty($reshook)) {
 }
 // Set accountancy code
- if ($action == 'setcustomeraccountancycode') {
+ if ($action == 'setcustomeraccountancycode' && $user->hasRight('societe', 'creer')) {
 $result = $object->fetch($id);
 $object->code_compta_client = GETPOST("customeraccountancycode");
 $object->code_compta = $object->code_compta_client; // For Backward compatibility
@@ -239,7 +239,7 @@ if (empty($reshook)) {
 }
 // set communication status
- if ($action == 'setstcomm') {
+ if ($action == 'setstcomm' && $user->hasRight('societe', 'creer')) {
 $object->fetch($id);
 $object->stcomm_id = dol_getIdFromCode($db, GETPOST('stcomm', 'alpha'), 'c_stcomm');
 $result = $object->update($object->id, $user);
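Review bot: `$object->code_compta_client = GETPOST("customeraccountancycode")` stores the request value with no filter argument, and `setoutstanding_limit` at -251 does the same for a numeric field with `GETPOST('outstanding_limit')`, whereas the sibling `setorder_min_amount` at -261 uses `price2num(GETPOST('order_min_amount', 'alpha'))`. Align the three so that what reaches `$object->update()` is normalised the same way: `GETPOST("customeraccountancycode", 'alpha')` here and `price2num(GETPOST('outstanding_limit', 'alpha'))` at -251. The enclosing `if (empty($reshook))` block starts outside the hunk.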
@@ -251,7 +251,7 @@ if (empty($reshook)) {
 }
 // update outstandng limit
- if ($action == 'setoutstanding_limit') {
+ if ($action == 'seto
utstanding_limit' && $user->hasRight('societe', 'creer')) {
 $object->fetch($id);
 $object->outstanding_limit = GETPOST('outstanding_limit');
 $result = $object->update($object->id, $user);
@@ -261,7 +261,7 @@ if (empty($reshook)) {
 }
 // update order min amount
- if ($action == 'setorder_min_amount') {
+ if ($action == 'setorder_min_amount' && $user->hasRight('societe', 'creer')) {
 $object->fetch($id);
 $object->order_min_amount = price2num(GETPOST('order_min_amount', 'alpha'));
 $result = $object->update($object->id, $user);
diff --git a/htdocs/comm/mailing/advtargetemailing.php b/htdocs/comm/mailing/advtargetemailing.php
index 57a6e5221a1..f769b19ba90 100644
--- a/htdocs/comm/mailing/advtargetemailing.php
+++ b/htdocs/comm/mailing/advtargetemailing.php
@@ -103,12 +103,15 @@ if (!$user->hasRight('mailing', 'lire') || (!getDolGlobalString('EXTERNAL_USERS_
 }
 //$result = restrictedArea($user, 'mailing');
+$permissiontoread = $user->hasRight('mailing', 'lire');
+$permissiontoadd = $user->hasRight('mailing', 'creer');
+
 /*
 * Actions
 */
-if ($action == 'loadfilter') {
+if ($action == 'loadfilter' && $permissiontoread) {
 if (!empty($template_id)) {
 $result = $advTarget->fetch($template_id);
 if ($result < 0) {
@@ -121,7 +124,7 @@ if ($action == 'loadfilter') {
 }
 }
-if ($action == 'add') {
+if ($action == 'add' && $permissiontoadd) {
 $user_contact_query = false;
 $array_query = array();
@@ -258,7 +261,7 @@ if ($action == 'add') {
 }
 }
-if ($action == 'clear') {
+if ($action == 'clear' && $permissiontoadd) {
 $mailingtargets = new MailingTargets($db);
 $mailingtargets->clear_target($id);
@@ -266,11 +269,11 @@ if ($action == 'clear') { exit(); } -if ($action == 'savefilter' || $action == 'createfilter') { +if (($action == 'savefilter' || $action == 'createfilter') && $permissiontoadd) { $template_name = GETPOST('template_name'); $error = 0; - if ($action == 'createfilter' && empty($template_name)) { + if ($action == 'createfilter' && empty($template_name) && $permissiontoadd) { setEventMessages($langs->trans('ErrorFieldRequired', $langs->transnoentitiesnoconv('AdvTgtOrCreateNewFilter')), null, 'errors'); $error++; } @@ -354,13 +357,13 @@ if ($action == 'savefilter' || $action == 'createfilter') { } $advTarget->filtervalue = json_encode($array_query); - if ($action == 'createfilter') { + if ($action == 'createfilter') { // Test on permission already done $advTarget->name = $template_name; $result = $advTarget->create($user); if ($result < 0) { setEventMessages($advTarget->error, $advTarget->errors, 'errors'); } - } elseif ($action == 'savefilter') { + } elseif ($action == 'savefilter') { // Test on permission already done $result = $advTarget->update($user); if ($result < 0) { setEventMessages($advTarget->error, $advTarget->errors, 'errors'); @@ -370,7 +373,7 @@ if ($action == 'savefilter' || $action == 'createfilter') { } } -if ($action == 'deletefilter') { +if ($action == 'deletefilter' && $permissiontoadd) { $result = $advTarget->delete($user); if ($result < 0) { setEventMessages($advTarget->error, $advTarget->errors, 'errors'); @@ -379,7 +382,7 @@ if ($action == 'deletefilter') { exit(); } -if ($action == 'delete') { +if ($action == 'delete' && $permissiontoadd) { // Ici, rowid indique le destinataire et id le mailing $sql = "DELETE FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE rowid = ".((int) $rowid); $resql = $db->query($sql); @@ -405,6 +408,7 @@ if (GETPOST("button_removefilter")) { $search_email = ''; } + /* * View */ diff --git a/htdocs/comm/mailing/card.php b/htdocs/comm/mailing/card.php index 30a33c53654..30f19ef128b 100644 
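Review bot: In the advtargetemailing.php delete hunk the statement `DELETE FROM ... mailing_cibles WHERE rowid = (int) $rowid` is keyed on the target row alone, although the comment right above says `id` identifies the mailing; with the new `$permissiontoadd` gate any user holding the mailing create right can still remove a target that belongs to a different mailing simply by posting its rowid. Bind the deletion to the current mailing as well, e.g. `WHERE rowid = ".((int) $rowid)." AND fk_mailing = ".((int) $id)` (assuming `fk_mailing` is the mailing foreign key on that table — confirm against the schema). Separately, in the savefilter/createfilter hunk the inner `&& $permissiontoadd` on the `empty($template_name)` test is redundant now that the enclosing `if` already requires it, and the `clear` hunk's `clear_target($id)` has the same "is this my mailing" question as delete.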
--- a/htdocs/comm/mailing/card.php +++ b/htdocs/comm/mailing/card.php @@ -588,19 +588,19 @@ if (empty($reshook)) { if (($action == 'settitle' || $action == 'setemail_from' || $action == 'setemail_replyto' || $action == 'setreplyto' || $action == 'setemail_errorsto' || $action == 'setevenunsubscribe') && $permissiontovalidatesend) { $upload_dir = $conf->mailing->dir_output."/".get_exdir($object->id, 2, 0, 1, $object, 'mailing'); - if ($action == 'settitle') { + if ($action == 'settitle') { // Test on permission already done $object->title = trim(GETPOST('title', 'alpha')); - } elseif ($action == 'setemail_from') { + } elseif ($action == 'setemail_from') { // Test on permission already done $object->email_from = trim(GETPOST('email_from', 'alphawithlgt')); // Must allow 'name ' - } elseif ($action == 'setemail_replyto') { + } elseif ($action == 'setemail_replyto') { // Test on permission already done $object->email_replyto = trim(GETPOST('email_replyto', 'alphawithlgt')); // Must allow 'name ' - } elseif ($action == 'setemail_errorsto') { + } elseif ($action == 'setemail_errorsto') { // Test on permission already done $object->email_errorsto = trim(GETPOST('email_errorsto', 'alphawithlgt')); // Must allow 'name ' - } elseif ($action == 'settitle' && empty($object->title)) { + } elseif ($action == 'settitle' && empty($object->title)) { // Test on permission already done $mesg = $langs->trans("ErrorFieldRequired", $langs->transnoentities("MailTitle")); - } elseif ($action == 'setfrom' && empty($object->email_from)) { + } elseif ($action == 'setfrom' && empty($object->email_from)) { // Test on permission already done $mesg = $langs->trans("ErrorFieldRequired", $langs->transnoentities("MailFrom")); - } elseif ($action == 'setevenunsubscribe') { + } elseif ($action == 'setevenunsubscribe') { // Test on permission already done $object->evenunsubscribe = (GETPOST('evenunsubscribe') ? 1 : 0); } 
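Review bot: The `elseif ($action == 'settitle' && empty($object->title))` branch in this hunk is unreachable: the first `if ($action == 'settitle')` branch already matches every settitle request, so the required-title error can never be produced. The `elseif ($action == 'setfrom' && empty($object->email_from))` branch is dead for a different reason — `setfrom` is not among the actions admitted by the enclosing condition. The commit only annotates these lines with `// Test on permission already done`; to restore the validation, move the two emptiness checks after the assignment chain, e.g. `if ($action == 'settitle' && empty($object->title)) { $mesg = $langs->trans("ErrorFieldRequired", $langs->transnoentities("MailTitle")); }` and the analogous check on `setemail_from`. The enclosing block continues past the end of the hunk.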
@@ -771,7 +771,7 @@ llxHeader( ); -if ($action == 'create') { +if ($action == 'create') { // aaa // EMailing in creation mode print '
'."\n"; print ''; @@ -908,9 +908,7 @@ if ($action == 'create') { if ($action != 'edit' && $action != 'edittxt' && $action != 'edithtml') { print dol_get_fiche_head($head, 'card', $langs->trans("Mailing"), -1, 'email'); - /* - * View mode mailing - */ + // View mode mailing if ($action == 'sendall') { // Define message to recommend from command line $sendingmode = getDolGlobalString('EMAILING_MAIL_SENDMODE'); diff --git a/htdocs/comm/mailing/cibles.php b/htdocs/comm/mailing/cibles.php index a077f9c8125..b6629f3b87c 100644 --- a/htdocs/comm/mailing/cibles.php +++ b/htdocs/comm/mailing/cibles.php 
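Review bot: The comment added at the start of the view section, `if ($action == 'create') { // aaa`, reads as a leftover scratch marker rather than an explanation, and the `// EMailing in creation mode` comment on the next line already documents the branch. Drop the marker, or if the intent is the same as the annotations elsewhere in this commit, write `if ($action == 'create') { // Test on permission not required: only renders the creation form` so a reader knows the branch was reviewed. Note that the hunk text between this line and `@@ -908` has lost its HTML markup in this view, so the exact surrounding print statements could not be checked.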
@@ -268,22 +268,22 @@ if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter.x' } // Action update description of emailing -if ($action == 'settitle' || $action == 'setemail_from' || $action == 'setreplyto' || $action == 'setemail_errorsto' || $action == 'setevenunsubscribe') { +if (($action == 'settitle' || $action == 'setemail_from' || $action == 'setreplyto' || $action == 'setemail_errorsto' || $action == 'setevenunsubscribe') && $permissiontocreate) { $upload_dir = $conf->mailing->dir_output."/".get_exdir($object->id, 2, 0, 1, $object, 'mailing'); - if ($action == 'settitle') { + if ($action == 'settitle') { // Test on permission already done $object->title = trim(GETPOST('title', 'alpha')); - } elseif ($action == 'setemail_from') { + } elseif ($action == 'setemail_from') { // Test on permission already done $object->email_from = trim(GETPOST('email_from', 'alphawithlgt')); // Must allow 'name ' - } elseif ($action == 'setemail_replyto') { + } elseif ($action == 'setemail_replyto') { // Test on permission already done $object->email_replyto = trim(GETPOST('email_replyto', 'alphawithlgt')); // Must allow 'name ' - } elseif ($action == 'setemail_errorsto') { + } elseif ($action == 'setemail_errorsto') { // Test on permission already done $object->email_errorsto = trim(GETPOST('email_errorsto', 'alphawithlgt')); // Must allow 'name ' - } elseif ($action == 'settitle' && empty($object->title)) { + } elseif ($action == 'settitle' && empty($object->title)) { // Test on permission already done $mesg = $langs->trans("ErrorFieldRequired", $langs->transnoentities("MailTitle")); - } elseif ($action == 'setfrom' && empty($object->email_from)) { + } elseif ($action == 'setfrom' && empty($object->email_from)) { // Test on permission already done $mesg = $langs->trans("ErrorFieldRequired", $langs->transnoentities("MailFrom")); - } elseif ($action == 'setevenunsubscribe') { + } elseif ($action == 'setevenunsubscribe') { // Test on permission already done 
$object->evenunsubscribe = (GETPOST('evenunsubscribe') ? 1 : 0); } diff --git a/htdocs/comm/propal/card.php b/htdocs/comm/propal/card.php index 091ce9db948..35fceb38b3e 100644 --- a/htdocs/comm/propal/card.php +++ b/htdocs/comm/propal/card.php @@ -839,10 +839,7 @@ if (empty($reshook)) { $db->rollback(); } } - } elseif ($action == 'import_lines_from_object' - && $user->hasRight('propal', 'creer') - && $object->statut == Propal::STATUS_DRAFT - ) { + } elseif ($action == 'import_lines_from_object' && $usercancreate && $object->statut == Propal::STATUS_DRAFT) { // add lines from objectlinked $fromElement = GETPOST('fromelement'); $fromElementid = GETPOST('fromelementid'); @@ -1714,8 +1711,8 @@ if (empty($reshook)) { } } - if (getDolGlobalString('MAIN_DISABLE_CONTACTS_TAB') && $usercancreate) { - if ($action == 'addcontact') { + if (getDolGlobalString('MAIN_DISABLE_CONTACTS_TAB')) { + if ($action == 'addcontact' && $usercancreate) { if ($object->id > 0) { $contactid = (GETPOST('userid') ? GETPOST('userid') : GETPOST('contactid')); $typeid = (GETPOST('typecontact') ? GETPOST('typecontact') : GETPOST('type')); @@ -1733,14 +1730,14 @@ if (empty($reshook)) { setEventMessages($object->error, $object->errors, 'errors'); } } - } elseif ($action == 'swapstatut') { + } elseif ($action == 'swapstatut' && $usercancreate) { // Toggle the status of a contact if ($object->fetch($id) > 0) { $result = $object->swapContactStatus(GETPOSTINT('ligne')); } else { dol_print_error($db); } - } elseif ($action == 'deletecontact') { + } elseif ($action == 'deletecontact' && $usercancreate) { // Delete a contact $object->fetch($id); $result = $object->delete_contact($lineid); diff --git a/htdocs/comm/remise.php b/htdocs/comm/remise.php index f02f67465f2..a3ef0f8d38f 100644 --- a/htdocs/comm/remise.php +++ b/htdocs/comm/remise.php 
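Review bot: In the cibles.php hunk the `elseif ($action == 'setemail_replyto')` branch can never execute because the enclosing condition admits `setreplyto`, not `setemail_replyto`; the `setfrom` branch is likewise never reached, and the `settitle && empty($object->title)` check is shadowed by the plain `settitle` branch above it. The commit stamps all of these with `// Test on permission already done`, but three of the seven branches are dead code and the required-field errors are lost. Make the outer list match the branch names (`$action == 'setemail_replyto'`) and run the two empty-field checks after the assignments so they can fire. The block continues beyond the hunk.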
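Review bot: In the propal/card.php addcontact hunk `$contactid = (GETPOST('userid') ? GETPOST('userid') : GETPOST('contactid'));` and the `$typeid` line read the ids as unfiltered strings, while the swapstatut branch right below already uses `GETPOSTINT('ligne')`. Use `GETPOSTINT('userid') ? GETPOSTINT('userid') : GETPOSTINT('contactid')` (and `GETPOSTINT` for the type) so the ids passed on to add_contact, outside the hunk, are guaranteed integers. The permission placement change — dropping `$usercancreate` from the outer `MAIN_DISABLE_CONTACTS_TAB` test and re-adding it per action — is fine but should be mirrored in commande/card.php, which this commit leaves checking it twice.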
@@ -62,7 +62,7 @@ if ($cancel) { } } -if ($action == 'setremise') { +if ($action == 'setremise' && $user->hasRight('societe', 'lire')) { $object = new Societe($db); $object->fetch($id); diff --git a/htdocs/commande/card.php b/htdocs/commande/card.php index c7aa9292337..cce09b30dcd 100644 --- a/htdocs/commande/card.php +++ b/htdocs/commande/card.php @@ -1628,7 +1628,7 @@ if (empty($reshook)) { if (!$error && getDolGlobalString('MAIN_DISABLE_CONTACTS_TAB') && $usercancreate) { - if ($action == 'addcontact') { + if ($action == 'addcontact' && $usercancreate) { if ($object->id > 0) { $contactid = (GETPOST('userid') ? GETPOST('userid') : GETPOST('contactid')); $typeid = (GETPOST('typecontact') ? GETPOST('typecontact') : GETPOST('type')); @@ -1646,14 +1646,14 @@ if (empty($reshook)) { setEventMessages($object->error, $object->errors, 'errors'); } } - } elseif ($action == 'swapstatut') { + } elseif ($action == 'swapstatut' && $usercancreate) { // bascule du statut d'un contact if ($object->id > 0) { $result = $object->swapContactStatus(GETPOSTINT('ligne')); } else { dol_print_error($db); } - } elseif ($action == 'deletecontact') { + } elseif ($action == 'deletecontact' && $usercancreate) { // Efface un contact $result = $object->delete_contact($lineid); diff --git a/htdocs/compta/bank/card.php b/htdocs/compta/bank/card.php index af980e35abc..bb9eb6a6478 100644 --- a/htdocs/compta/bank/card.php +++ b/htdocs/compta/bank/card.php @@ -118,7 +118,7 @@ if (empty($reshook)) { $action = ''; } - if ($action == 'add') { + if ($action == 'add' && $user->hasRight('banque', 'configurer')) { $error = 0; $db->begin(); @@ -237,7 +237,7 @@ if (empty($reshook)) { } } - if ($action == 'update') { + if ($action == 'update' && $user->hasRight('banque', 'configurer')) { $error = 0; // Update account diff --git a/htdocs/compta/bank/categ.php b/htdocs/compta/bank/categ.php index c01b8fa02b7..89c1020f9ca 100644 --- a/htdocs/compta/bank/categ.php +++ b/htdocs/compta/bank/categ.php 
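Review bot: In the remise.php hunk the `setremise` action, which loads a Societe and presumably goes on to record a discount past the hunk, is now gated only on `$user->hasRight('societe', 'lire')`, a read right. Comparable write actions on a third party in this same commit (setstcomm, setoutstanding_limit in comm/card.php) require `societe creer`; unless a stricter check follows outside the hunk, this should be `if ($action == 'setremise' && $user->hasRight('societe', 'creer')) {`. The return of `$object->fetch($id)` on the next line is also unchecked.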
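Review bot: In the commande/card.php hunk `$usercancreate` is now tested both on the outer `if (!$error && getDolGlobalString('MAIN_DISABLE_CONTACTS_TAB') && $usercancreate)` and again on each inner `addcontact`/`swapstatut`/`deletecontact` branch, whereas the equivalent propal/card.php hunk in this commit removed it from the outer condition. Pick one layout for both files; keeping the per-action checks and dropping it from the outer test, `if (!$error && getDolGlobalString('MAIN_DISABLE_CONTACTS_TAB')) {`, matches propal and the per-action style used throughout the rest of the commit.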
@@ -77,7 +77,7 @@ if ($categid) { $bankcateg->update($user); } //Delete category - if ($action == 'delete') { + if ($action == 'delete' && $user->hasRight('banque', 'configurer')) { $bankcateg->delete($user); } } diff --git a/htdocs/contact/card.php b/htdocs/contact/card.php index a60d69ffcbc..012ad228916 100644 --- a/htdocs/contact/card.php +++ b/htdocs/contact/card.php @@ -178,7 +178,7 @@ if (empty($reshook)) { // Confirmation deactivation - if ($action == 'disable' && !empty($permissiontoadd)) { + if ($action == 'disable' && $permissiontoadd) { $object->fetch($id); if ($object->setstatus(0) < 0) { setEventMessages($object->error, $object->errors, 'errors'); @@ -189,7 +189,7 @@ if (empty($reshook)) { } // Confirmation activation - if ($action == 'enable' && !empty($permissiontoadd)) { + if ($action == 'enable' && $permissiontoadd) { $object->fetch($id); if ($object->setstatus(1) < 0) { setEventMessages($object->error, $object->errors, 'errors'); @@ -200,7 +200,7 @@ if (empty($reshook)) { } // Add contact - if ($action == 'add' && !empty($permissiontoadd)) { + if ($action == 'add' && $permissiontoadd) { $db->begin(); if ($canvas) { @@ -337,7 +337,7 @@ if (empty($reshook)) { } } - if ($action == 'update' && empty($cancel) && !empty($permissiontoadd)) { + if ($action == 'update' && empty($cancel) && $permissiontoadd) { if (!GETPOST("lastname", 'alpha')) { $error++; $errors = array($langs->trans("ErrorFieldRequired", $langs->transnoentities("Name").' / '.$langs->transnoentities("Label"))); @@ -482,7 +482,7 @@ if (empty($reshook)) { } } - if ($action == 'setprospectcontactlevel' && !empty($permissiontoadd)) { + if ($action == 'setprospectcontactlevel' && $permissiontoadd) { $object->fetch($id); $object->fk_prospectlevel = GETPOST('prospect_contact_level_id', 'alpha'); $result = $object->update($object->id, $user); 
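Review bot: In the bank/categ.php hunk the `$bankcateg->update($user);` call on the context line directly above the changed `delete` test is not gated by `$user->hasRight('banque', 'configurer')` anywhere within the hunk; if the guard lives in the enclosing `if ($categid)` block (its start is outside the hunk) this is fine, otherwise update needs the same check that delete now has. A simple way to make both paths visibly consistent is to compute `$permissiontoconfigure = $user->hasRight('banque', 'configurer');` once at the top of the actions section and test it on both the update and delete branches.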
@@ -492,7 +492,7 @@ if (empty($reshook)) { } // set communication status - if ($action == 'setstcomm' && !empty($permissiontoadd)) { + if ($action == 'setstcomm' && $permissiontoadd) { $object->fetch($id); $object->stcomm_id = dol_getIdFromCode($db, GETPOST('stcomm', 'alpha'), 'c_stcommcontact'); $result = $object->update($object->id, $user); @@ -502,7 +502,7 @@ if (empty($reshook)) { } // Update extrafields - if ($action == "update_extras" && !empty($permissiontoadd)) { + if ($action == "update_extras" && $permissiontoadd) { $object->fetch(GETPOSTINT('id')); $attributekey = GETPOST('attribute', 'alpha'); diff --git a/htdocs/product/card.php b/htdocs/product/card.php index 0bee0ac2500..5636c7e4733 100644 --- a/htdocs/product/card.php +++ b/htdocs/product/card.php @@ -202,7 +202,7 @@ if ($object->id > 0) { } // Permissions -$usercanread = (($object->type == Product::TYPE_PRODUCT && $user->hasRight('produit', 'read')) || ($object->type == Product::TYPE_SERVICE && $user->hasRight('service', 'lire'))); +$usercanread = (($object->type == Product::TYPE_PRODUCT && $user->hasRight('produit', 'lire')) || ($object->type == Product::TYPE_SERVICE && $user->hasRight('service', 'lire'))); $usercancreate = (($object->type == Product::TYPE_PRODUCT && $user->hasRight('produit', 'creer')) || ($object->type == Product::TYPE_SERVICE && $user->hasRight('service', 'creer'))); $usercandelete = (($object->type == Product::TYPE_PRODUCT && $user->hasRight('produit', 'supprimer')) || ($object->type == Product::TYPE_SERVICE && $user->hasRight('service', 'supprimer'))); diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php index b75dc62bf22..4d77495dcfc 100644 --- a/htdocs/product/class/product.class.php +++ b/htdocs/product/class/product.class.php 
@@ -5524,7 +5524,16 @@ class Product extends CommonObject return ['optimize' => $langs->trans("ShowProduct")]; } - if (!empty($this->entity)) { + // Does user has permission to read product/service + $permissiontoreadproduct = 0; + if ($this->type == self::TYPE_PRODUCT && $user->hasRight('product', 'read')) { + $permissiontoreadproduct = 1; + } + if ($this->type == self::TYPE_SERVICE && $user->hasRight('service', 'read')) { + $permissiontoreadproduct = 1; + } + + if (!empty($this->entity) && $permissiontoreadproduct) { $tmpphoto = $this->show_photos('product', $conf->product->multidir_output[$this->entity], 1, 1, 0, 0, 0, 80, 0, 0, 0, 0, 1); if ($this->nbphoto > 0) { $datas['photo'] = '
'."\n" . $tmpphoto . '
'; @@ -5546,90 +5555,93 @@ class Product extends CommonObject if (!empty($this->label)) { $datas['label'] = '
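Review bot: The new permission test uses `$user->hasRight('product', 'read')` and `$user->hasRight('service', 'read')`, while product/card.php in this same commit corrects `hasRight('produit', 'read')` to `hasRight('produit', 'lire')`. If User::hasRight() does not alias `product`→`produit` and `read`→`lire` (it aliases some names, but this should be confirmed), `$permissiontoreadproduct` stays 0 for every user and the photo plus every detail gated below silently disappears from tooltips. Using the canonical keys, `$user->hasRight('produit', 'lire')` and `$user->hasRight('service', 'lire')`, removes the dependency on the alias table. This also relies on `$user` being declared `global` at the top of the method, which is outside the hunk.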
'.$langs->trans('ProductLabel').': '.$this->label; } - if (!empty($this->description)) { - $datas['description'] = '
'.$langs->trans('ProductDescription').': '.dolGetFirstLineOfText($this->description, 5); - } - if ($this->isStockManaged()) { - if (isModEnabled('productbatch')) { - $langs->load("productbatch"); - $datas['batchstatus'] = "
".$langs->trans("ManageLotSerial").': '.$this->getLibStatut(0, 2); - } - } - if (isModEnabled('barcode')) { - $datas['barcode'] = '
'.$langs->trans('BarCode').': '.$this->barcode; - } - if ($this->isProduct()) { - if ($this->weight) { - $datas['weight'] = "
".$langs->trans("Weight").': '.$this->weight.' '.measuringUnitString(0, "weight", $this->weight_units); + if ($permissiontoreadproduct) { + if (!empty($this->description)) { + $datas['description'] = '
'.$langs->trans('ProductDescription').': '.dolGetFirstLineOfText($this->description, 5); } - $labelsize = ""; - if ($this->length) { - $labelsize .= ($labelsize ? " - " : "")."".$langs->trans("Length").': '.$this->length.' '.measuringUnitString(0, 'size', $this->length_units); - } - if ($this->width) { - $labelsize .= ($labelsize ? " - " : "")."".$langs->trans("Width").': '.$this->width.' '.measuringUnitString(0, 'size', $this->width_units); - } - if ($this->height) { - $labelsize .= ($labelsize ? " - " : "")."".$langs->trans("Height").': '.$this->height.' '.measuringUnitString(0, 'size', $this->height_units); - } - if ($labelsize) { - $datas['size'] = "
".$labelsize; - } - - $labelsurfacevolume = ""; - if ($this->surface) { - $labelsurfacevolume .= ($labelsurfacevolume ? " - " : "")."".$langs->trans("Surface").': '.$this->surface.' '.measuringUnitString(0, 'surface', $this->surface_units); - } - if ($this->volume) { - $labelsurfacevolume .= ($labelsurfacevolume ? " - " : "")."".$langs->trans("Volume").': '.$this->volume.' '.measuringUnitString(0, 'volume', $this->volume_units); - } - if ($labelsurfacevolume) { - $datas['surface'] = "
" . $labelsurfacevolume; - } - } - if ($this->isService() && !empty($this->duration_value)) { - // Duration - $datas['duration'] = '
'.$langs->trans("Duration").': '.$this->duration_value; - if ($this->duration_value > 1) { - $dur = array("i" => $langs->trans("Minutes"), "h" => $langs->trans("Hours"), "d" => $langs->trans("Days"), "w" => $langs->trans("Weeks"), "m" => $langs->trans("Months"), "y" => $langs->trans("Years")); - } elseif ($this->duration_value > 0) { - $dur = array("i" => $langs->trans("Minute"), "h" => $langs->trans("Hour"), "d" => $langs->trans("Day"), "w" => $langs->trans("Week"), "m" => $langs->trans("Month"), "y" => $langs->trans("Year")); - } - $datas['duration'] .= (!empty($this->duration_unit) && isset($dur[$this->duration_unit]) ? " ".$langs->trans($dur[$this->duration_unit]) : ''); - } - if (empty($user->socid)) { - if (!empty($this->pmp) && $this->pmp) { - $datas['pmp'] = "
".$langs->trans("PMPValue").': '.price($this->pmp, 0, '', 1, -1, -1, $conf->currency); - } - - if (isModEnabled('accounting')) { - if ($this->status && isset($this->accountancy_code_sell)) { - include_once DOL_DOCUMENT_ROOT.'/core/lib/accounting.lib.php'; - $selllabel = '
'; - $selllabel .= '
'.$langs->trans('ProductAccountancySellCode').': '.length_accountg($this->accountancy_code_sell); - $selllabel .= '
'.$langs->trans('ProductAccountancySellIntraCode').': '.length_accountg($this->accountancy_code_sell_intra); - $selllabel .= '
'.$langs->trans('ProductAccountancySellExportCode').': '.length_accountg($this->accountancy_code_sell_export); - $datas['accountancysell'] = $selllabel; + if ($this->isStockManaged()) { + if (isModEnabled('productbatch')) { + $langs->load("productbatch"); + $datas['batchstatus'] = "
".$langs->trans("ManageLotSerial").': '.$this->getLibStatut(0, 2); } - if ($this->status_buy && isset($this->accountancy_code_buy)) { - include_once DOL_DOCUMENT_ROOT.'/core/lib/accounting.lib.php'; - $buylabel = ''; - if (empty($this->status)) { - $buylabel .= '
'; + } + if (isModEnabled('barcode')) { + $datas['barcode'] = '
'.$langs->trans('BarCode').': '.$this->barcode; + } + + if ($this->isProduct()) { + if ($this->weight) { + $datas['weight'] = "
".$langs->trans("Weight").': '.$this->weight.' '.measuringUnitString(0, "weight", $this->weight_units); + } + $labelsize = ""; + if ($this->length) { + $labelsize .= ($labelsize ? " - " : "")."".$langs->trans("Length").': '.$this->length.' '.measuringUnitString(0, 'size', $this->length_units); + } + if ($this->width) { + $labelsize .= ($labelsize ? " - " : "")."".$langs->trans("Width").': '.$this->width.' '.measuringUnitString(0, 'size', $this->width_units); + } + if ($this->height) { + $labelsize .= ($labelsize ? " - " : "")."".$langs->trans("Height").': '.$this->height.' '.measuringUnitString(0, 'size', $this->height_units); + } + if ($labelsize) { + $datas['size'] = "
".$labelsize; + } + + $labelsurfacevolume = ""; + if ($this->surface) { + $labelsurfacevolume .= ($labelsurfacevolume ? " - " : "")."".$langs->trans("Surface").': '.$this->surface.' '.measuringUnitString(0, 'surface', $this->surface_units); + } + if ($this->volume) { + $labelsurfacevolume .= ($labelsurfacevolume ? " - " : "")."".$langs->trans("Volume").': '.$this->volume.' '.measuringUnitString(0, 'volume', $this->volume_units); + } + if ($labelsurfacevolume) { + $datas['surface'] = "
" . $labelsurfacevolume; + } + } + if ($this->isService() && !empty($this->duration_value)) { + // Duration + $datas['duration'] = '
'.$langs->trans("Duration").': '.$this->duration_value; + if ($this->duration_value > 1) { + $dur = array("i" => $langs->trans("Minutes"), "h" => $langs->trans("Hours"), "d" => $langs->trans("Days"), "w" => $langs->trans("Weeks"), "m" => $langs->trans("Months"), "y" => $langs->trans("Years")); + } elseif ($this->duration_value > 0) { + $dur = array("i" => $langs->trans("Minute"), "h" => $langs->trans("Hour"), "d" => $langs->trans("Day"), "w" => $langs->trans("Week"), "m" => $langs->trans("Month"), "y" => $langs->trans("Year")); + } + $datas['duration'] .= (!empty($this->duration_unit) && isset($dur[$this->duration_unit]) ? " ".$langs->trans($dur[$this->duration_unit]) : ''); + } + if (empty($user->socid)) { + if (!empty($this->pmp) && $this->pmp) { + $datas['pmp'] = "
".$langs->trans("PMPValue").': '.price($this->pmp, 0, '', 1, -1, -1, $conf->currency); + } + + if (isModEnabled('accounting')) { + if ($this->status && isset($this->accountancy_code_sell)) { + include_once DOL_DOCUMENT_ROOT.'/core/lib/accounting.lib.php'; + $selllabel = '
'; + $selllabel .= '
'.$langs->trans('ProductAccountancySellCode').': '.length_accountg($this->accountancy_code_sell); + $selllabel .= '
'.$langs->trans('ProductAccountancySellIntraCode').': '.length_accountg($this->accountancy_code_sell_intra); + $selllabel .= '
'.$langs->trans('ProductAccountancySellExportCode').': '.length_accountg($this->accountancy_code_sell_export); + $datas['accountancysell'] = $selllabel; + } + if ($this->status_buy && isset($this->accountancy_code_buy)) { + include_once DOL_DOCUMENT_ROOT.'/core/lib/accounting.lib.php'; + $buylabel = ''; + if (empty($this->status)) { + $buylabel .= '
'; + } + $buylabel .= '
'.$langs->trans('ProductAccountancyBuyCode').': '.length_accountg($this->accountancy_code_buy); + $buylabel .= '
'.$langs->trans('ProductAccountancyBuyIntraCode').': '.length_accountg($this->accountancy_code_buy_intra); + $buylabel .= '
'.$langs->trans('ProductAccountancyBuyExportCode').': '.length_accountg($this->accountancy_code_buy_export); + $datas['accountancybuy'] = $buylabel; } - $buylabel .= '
'.$langs->trans('ProductAccountancyBuyCode').': '.length_accountg($this->accountancy_code_buy); - $buylabel .= '
'.$langs->trans('ProductAccountancyBuyIntraCode').': '.length_accountg($this->accountancy_code_buy_intra); - $buylabel .= '
'.$langs->trans('ProductAccountancyBuyExportCode').': '.length_accountg($this->accountancy_code_buy_export); - $datas['accountancybuy'] = $buylabel; } } - } - // show categories for this record only in ajax to not overload lists - if (isModEnabled('category') && !$nofetch) { - require_once DOL_DOCUMENT_ROOT . '/categories/class/categorie.class.php'; - $form = new Form($this->db); - $datas['categories'] = '
' . $form->showCategories($this->id, Categorie::TYPE_PRODUCT, 1); + // show categories for this record only in ajax to not overload lists + if (isModEnabled('category') && !$nofetch) { + require_once DOL_DOCUMENT_ROOT . '/categories/class/categorie.class.php'; + $form = new Form($this->db); + $datas['categories'] = '
' . $form->showCategories($this->id, Categorie::TYPE_PRODUCT, 1); + } } return $datas; diff --git a/htdocs/product/stock/product.php b/htdocs/product/stock/product.php index d9def15ac4e..7cd0fbbad2a 100644 --- a/htdocs/product/stock/product.php +++ b/htdocs/product/stock/product.php @@ -151,7 +151,7 @@ if ($reshook < 0) { setEventMessages($hookmanager->error, $hookmanager->errors, 'errors'); } -if ($action == 'setcost_price') { +if ($action == 'setcost_price' && $usercancreate) { if ($id) { $result = $object->fetch($id); $object->cost_price = (float) price2num($cost_price); @@ -166,7 +166,7 @@ if ($action == 'setcost_price') { } } -if ($action == 'addlimitstockwarehouse' && $user->hasRight('produit', 'creer')) { +if ($action == 'addlimitstockwarehouse' && $usercancreate) { $seuil_stock_alerte = GETPOST('seuil_stock_alerte'); $desiredstock = GETPOST('desiredstock'); @@ -208,7 +208,7 @@ if ($action == 'addlimitstockwarehouse' && $user->hasRight('produit', 'creer')) exit; } -if ($action == 'delete_productstockwarehouse' && $user->hasRight('produit', 'creer')) { +if ($action == 'delete_productstockwarehouse' && $usercancreate) { $pse = new ProductStockEntrepot($db); $pse->fetch(GETPOSTINT('fk_productstockwarehouse')); @@ -220,7 +220,7 @@ if ($action == 'delete_productstockwarehouse' && $user->hasRight('produit', 'cre } // Set stock limit -if ($action == 'setseuil_stock_alerte' && $user->hasRight('produit', 'creer')) { +if ($action == 'setseuil_stock_alerte' && $usercancreate) { $object = new Product($db); $result = $object->fetch($id); $object->seuil_stock_alerte = $stocklimit; @@ -234,7 +234,7 @@ if ($action == 'setseuil_stock_alerte' && $user->hasRight('produit', 'creer')) { } // Set desired stock -if ($action == 'setdesiredstock' && $user->hasRight('produit', 'creer')) { +if ($action == 'setdesiredstock' && $usercancreate) { $object = new Product($db); $result = $object->fetch($id); $object->desiredstock = $desiredstock; 
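Review bot: The hunk wraps roughly ninety lines in `if ($permissiontoreadproduct) {`, pushing already deep conditionals one level further, even though the method returns `$datas` immediately after the block and nothing runs in between. An early exit placed after the label assignment, `if (!$permissiontoreadproduct) { return $datas; }`, leaves the rest of the body at its original indentation, shrinks the diff to two added lines, and makes it obvious that ref and label are the only fields shown without the read right. The method's start, including where `$permissiontoreadproduct` is computed, is outside this hunk.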
@@ -247,7 +247,7 @@ if ($action == 'setdesiredstock' && $user->hasRight('produit', 'creer')) { // Correct stock -if ($action == "correct_stock" && !$cancel) { +if ($action == "correct_stock" && !$cancel && $usercancreate) { if (!(GETPOSTINT("id_entrepot") > 0)) { setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Warehouse")), null, 'errors'); $error++; @@ -340,7 +340,7 @@ if ($action == "correct_stock" && !$cancel) { } // Transfer stock from a warehouse to another warehouse -if ($action == "transfert_stock" && !$cancel) { +if ($action == "transfert_stock" && !$cancel && $usercancreate) { if (!(GETPOSTINT("id_entrepot") > 0) || !(GETPOSTINT("id_entrepot_destination") > 0)) { setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Warehouse")), null, 'errors'); $error++; @@ -498,7 +498,7 @@ if ($action == "transfert_stock" && !$cancel) { } // Update batch information -if ($action == 'updateline' && GETPOST('save') == $langs->trans("Save")) { +if ($action == 'updateline' && GETPOST('save') == $langs->trans("Save") && $usercancreate) { $pdluo = new Productbatch($db); $result = $pdluo->fetch(GETPOSTINT('pdluoid')); @@ -528,7 +528,6 @@ if ($action == 'updateline' && GETPOST('save') == $langs->trans("Save")) { } - /* * View */ diff --git a/htdocs/variants/combinations.php b/htdocs/variants/combinations.php index 26f479e3ba5..a489523741c 100644 --- a/htdocs/variants/combinations.php +++ b/htdocs/variants/combinations.php 
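Review bot: In the updateline hunk the guard `GETPOST('save') == $langs->trans("Save")` ties the batch update to the translated button label, which is fragile: any mismatch between the language used to render the form and the one active on submit, or a changed translation, silently turns the action into a no-op. Testing for the button's presence instead, `if ($action == 'updateline' && GETPOST('save', 'alpha') != '' && $usercancreate) {`, or giving the button a stable `value` and comparing against that, keeps the new permission check and drops the locale dependency. The correct_stock and transfert_stock hunks look right; note all of them now rely on `$usercancreate`, whose definition is not among the visible hunks.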
@@ -114,11 +114,11 @@ if (!$object->isProduct() && !$object->isService()) { header('Location: '.dol_buildpath('/product/card.php?id='.$object->id, 2)); exit(); } -if ($action == 'add') { +if ($action == 'add') { // Test on permission not required unset($selectedvariant); unset($_SESSION['addvariant_'.$object->id]); } -if ($action == 'create' && GETPOST('selectvariant', 'alpha')) { // We click on select combination +if ($action == 'create' && GETPOST('selectvariant', 'alpha') && $usercancreate) { // We click on select combination $action = 'add'; $attribute_id = GETPOSTINT('attribute'); $attribute_value_id = GETPOSTINT('value'); @@ -128,7 +128,7 @@ if ($action == 'create' && GETPOST('selectvariant', 'alpha')) { // We click on s $_SESSION['addvariant_'.$object->id] = $selectedvariant; } } -if ($action == 'create' && $subaction == 'delete') { // We click on select combination +if ($action == 'create' && $subaction == 'delete' && $usercancreate) { // We click on select combination $action = 'add'; $feature = GETPOST('feature', 'intcomma'); if (isset($selectedvariant[$feature])) { @@ -143,12 +143,12 @@ $prodcomb2val = new ProductCombination2ValuePair($db); $productCombination2ValuePairs1 = array(); -if (($action == 'add' || $action == 'create') && empty($massaction) && !GETPOST('selectvariant', 'alpha') && empty($subaction)) { // We click on Create all defined combinations +if (($action == 'add' || $action == 'create') && $usercancreate && empty($massaction) && !GETPOST('selectvariant', 'alpha') && empty($subaction)) { // We click on Create all defined combinations //$features = GETPOST('features', 'array'); $features = !empty($_SESSION['addvariant_'.$object->id]) ? $_SESSION['addvariant_'.$object->id] : array(); if (!$features) { - if ($action == 'create') { + if ($action == 'create') { // Test on permission already done setEventMessages($langs->trans('ErrorFieldsRequired'), null, 'errors'); } } else { 
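Review bot: Every changed condition in these combinations.php hunks now depends on `$usercancreate`, but its assignment is not in the diff; if the file does not already define it before the actions section (I could not confirm this from the visible lines), PHP evaluates it as null and every create/add/update/delete path is silently disabled while the form still renders. Define it explicitly next to the security check, mirroring product/card.php, e.g. `$usercancreate = (($object->isProduct() && $user->hasRight('produit', 'creer')) || ($object->isService() && $user->hasRight('service', 'creer')));`. The `if ($action == 'add')` branch marked "Test on permission not required" only clears session state, which is fine to leave open.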
@@ -272,7 +272,7 @@ if (($action == 'add' || $action == 'create') && empty($massaction) && !GETPOST( $db->commit(); setEventMessages($langs->trans('RecordSaved'), null, 'mesgs'); } -} elseif ($action === 'update' && $combination_id > 0) { +} elseif ($action === 'update' && $combination_id > 0 && $usercancreate) { if ($prodcomb->fetch($combination_id) < 0) { dol_print_error($db, $langs->trans('ErrorRecordNotFound')); exit(); @@ -342,7 +342,7 @@ if (($action == 'add' || $action == 'create') && empty($massaction) && !GETPOST( // Reload variants $productCombinations = $prodcomb->fetchAllByFkProductParent($object->id, true); -if ($action === 'confirm_deletecombination') { +if ($action === 'confirm_deletecombination' && $usercancreate) { if ($prodcomb->fetch($combination_id) > 0) { $db->begin(); @@ -357,7 +357,7 @@ if ($action === 'confirm_deletecombination') { setEventMessages($langs->trans('ProductCombinationAlreadyUsed'), null, 'errors'); $action = ''; } -} elseif ($action === 'edit') { +} elseif ($action === 'edit' && $usercancreate) { if ($prodcomb->fetch($combination_id) < 0) { dol_print_error($db, $langs->trans('ErrorRecordNotFound')); exit(); @@ -371,7 +371,7 @@ if ($action === 'confirm_deletecombination') { $price_impact_percent = $prodcomb->variation_price_percentage; $productCombination2ValuePairs1 = $prodcomb2val->fetchByFkCombination($combination_id); -} elseif ($action === 'confirm_copycombination') { +} elseif ($action === 'confirm_copycombination' && $usercancreate) { //Check destination product $dest_product = GETPOST('dest_product'); diff --git a/htdocs/webservices/demo_wsclient_thirdparty.php-NORUN b/htdocs/webservices/demo_wsclient_thirdparty.php-NORUN index 2650b696a75..f3822202b7e 100644 --- a/htdocs/webservices/demo_wsclient_thirdparty.php-NORUN +++ b/htdocs/webservices/demo_wsclient_thirdparty.php-NORUN 
@@ -61,7 +61,7 @@ $authentication=array( // Test URL -if ($action=='get') +if ($action == 'get') { $parameters = array('authentication'=>$authentication,'id'=>1,'name'=>'','ref_ext'=>''); dol_syslog("Call method ".$WS_METHOD_GETTHIRDSPARTY); @@ -78,7 +78,7 @@ if ($action=='get') } // Test URL -if ($action=='getList') +if ($action == 'getList') { $filterthirdparty=array('category'=>'3'); $parameters = array('authentication'=>$authentication,$filterthirdparty); @@ -96,7 +96,7 @@ if ($action=='getList') } // Test URL -if ($action=='create') +if ($action == 'create') { $newthirdparty=array( 'ref'=>'Test WS Create Client', @@ -109,7 +109,7 @@ if ($action=='create') 'zip'=>'75000', 'town'=>'Paris', 'country_id'=>'1',//France - 'customer_code'=>'-1',//Generate code regarding module configuration + 'customer_code'=>'-1',//Generate code regarding module configuration 'supplier_code'=>'0', 'phone'=>'0141414141', 'fax'=>'0121212121', @@ -127,8 +127,8 @@ if ($action=='create') //,'options_attr1'=>'Attr1 balbal', //Extra field example where field code is attr1 //'options_attr2'=>'Attr2 balbal' //Extra field example where field code is attr2 ); - - + + $parameters = array('authentication'=>$authentication,'thirdparty'=>$newthirdparty); dol_syslog("Call method ".$WS_METHOD_CREATETHIRDSPARTY); $result = $soapclient->call($WS_METHOD_CREATETHIRDSPARTY,$parameters,$ns,''); @@ -144,7 +144,7 @@ if ($action=='create') } // Test URL -if ($action=='update') +if ($action == 'update') { $thirdparty=array( 'id'=>'1', diff --git a/htdocs/website/index.php b/htdocs/website/index.php index 8d02af4bee9..95b9b3acdff 100644 --- a/htdocs/website/index.php +++ b/htdocs/website/index.php 
@@ -140,7 +140,7 @@ if (GETPOST('createpagefromclone', 'alpha')) {
 if (empty($action) && $file_manager) {
 $action = 'file_manager';
 }
-if ($action == 'replacesite' || (empty($action) && $replacesite)) {
+if ($action == 'replacesite' || (empty($action) && $replacesite)) { // Test on permission not required
 $mode = 'replacesite';
 }
 if (GETPOST('refreshsite') || GETPOST('refreshsite_x') || GETPOST('refreshsite.x')) {
@@ -333,7 +333,7 @@ if (GETPOST('optionsitefiles')) {
 }
 if (empty($sortfield)) {
-if ($action == 'file_manager') {
+if ($action == 'file_manager') { // Test on permission not required
 $sortfield = 'name';
 $sortorder = 'ASC';
 } else {
@@ -344,7 +344,7 @@ if (empty($sortfield)) {
 $searchkey = GETPOST('searchstring', 'restricthtml');
-if ($action == 'replacesite' || $mode == 'replacesite') {
+if ($action == 'replacesite' || $mode == 'replacesite') { // Test on permission not required
 $containertype = GETPOST('optioncontainertype', 'aZ09') != '-1' ? GETPOST('optioncontainertype', 'aZ09') : '';
 $langcode = GETPOST('optionlanguage', 'aZ09');
 $otherfilters = array();
diff --git a/htdocs/website/websiteaccount_card.php b/htdocs/website/websiteaccount_card.php
index b1fecfd0601..bef191ac5c2 100644
--- a/htdocs/website/websiteaccount_card.php
+++ b/htdocs/website/websiteaccount_card.php
@@ -143,7 +143,7 @@ if ($reshook < 0) {
 if (empty($reshook)) {
 $backurlforlist = dol_buildpath('/societe/website.php', 1).'?id='.$object->fk_soc;
-if ($action == 'add' && !GETPOST('site')) {
+if ($action == 'add' && !GETPOST('site')) { // Test on permission not required
 setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Website")), null, 'errors');
 $action = 'create';
 }
diff --git a/htdocs/workstation/class/workstation.class.php b/htdocs/workstation/class/workstation.class.php
index d0948ad4e74..9ec1781592e 100644
--- a/htdocs/workstation/class/workstation.class.php
+++ b/htdocs/workstation/class/workstation.class.php
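Review bot: The `// Test on permission not required` markers added to the `replacesite` and `file_manager` conditions in `index.php` only exempt those lines from the new CodingPhpTest check; they do not record why no permission is needed, so the next reader (or a future refactor that moves writes into these branches) has to re-derive the justification. From the visible lines the `replacesite` branches only choose `$mode` and build search filters from `searchstring`, `optioncontainertype` and `optionlanguage`, so the marker should say so, e.g. `// Test on permission not required: only selects the display mode, nothing is modified here`, and the same for the `websiteaccount_card.php` hunk, where the `add` branch only emits an error message and resets `$action` to `'create'`. If the replacement itself is executed further down in `index.php`, outside these hunks, that is where the write permission has to be checked; that cannot be seen from here.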
@@ -236,7 +236,7 @@ class Workstation extends CommonObject
 $id = $this->createCommon($user, $notrigger);
 // Usergroups
-$groups = GETPOST('groups', 'array:int');
+$groups = GETPOST('groups', 'array:int'); // FIXME We should not GETPOST but receive array as parameter
 if (empty($groups)) {
 $groups = $this->usergroups; // createFromClone
 }
@@ -251,7 +251,7 @@ class Workstation extends CommonObject
 }
 // Resources
-$resources = GETPOST('resources', 'array:int');
+$resources = GETPOST('resources', 'array:int'); // FIXME We should not GETPOST but receive array as parameter
 if (empty($resources)) {
 $resources = $this->resources; // createFromClone
 }
diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php
index e986ef76735..a63fdfd3533 100644
--- a/test/phpunit/CodingPhpTest.php
+++ b/test/phpunit/CodingPhpTest.php
@@ -129,10 +129,10 @@ class CodingPhpTest extends CommonClassTest
 {
 $this->nbLinesToShow = 1;
 //print 'Check php file '.$file['relativename']."\n";
-$filecontent = file_get_contents($file['fullname']);
+$filecontentorigin = file_get_contents($file['fullname']);
 // We are not interested in the comments
-$filecontent = $this->removePhpComments(file_get_contents($file['fullname']));
+$filecontent = $this->removePhpComments($filecontentorigin);
 // File path for reports
 $report_filepath = "htdocs/{$file['relativename']}";
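Review bot: The `FIXME` added to both `GETPOST('groups', 'array:int')` and `GETPOST('resources', 'array:int')` names the problem but leaves a `Workstation` method (the one calling `$this->createCommon($user, $notrigger)`, whose signature starts outside the hunk) reading the HTTP request directly, so it cannot be driven from non-web callers (CLI, API, tests) with a deterministic result, and the request silently overrides whatever the caller set. The fallback on the next line already reads `$this->usergroups` / `$this->resources`, so the smallest step is to let callers populate those properties and have the method prefer them, e.g. `$groups = !empty($this->usergroups) ? $this->usergroups : GETPOST('groups', 'array:int');` (same shape for `$resources`), then remove the GETPOST once the web caller is migrated. Whether any current caller relies on the request taking precedence over the property cannot be seen from these hunks.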
@@ -627,6 +627,42 @@ class CodingPhpTest extends CommonClassTest
 break;
 }
 $this->assertTrue($ok, 'Found a CURDATE\(\) in code. Do not use this SQL method in file '.$file['relativename'].'. You must use the PHP function dol_now() instead.');
+
+
+// Test we don't have if ($action == 'xxx'... without test on permission
+// We do not test on file into admin, protection is done on page on user->admin
+if (!preg_match('/admin\//', $file['fullname'])
+&& !preg_match('/\.tpl\.php/', $file['fullname'])
+&& !preg_match('/\.lib\.php/', $file['fullname'])
+&& !preg_match('/\.inc\.php/', $file['fullname'])
+&& !preg_match('/\.class\.php/', $file['fullname'])
+&& !preg_match('/NORUN$/', $file['fullname'])) {
+$ok = true;
+$matches = array();
+
+// Get to part of string to use for analysis
+$reg = array();
+if (preg_match('/\*\s+Action(.*)\*\s+View/ims', $filecontentorigin, $reg)) {
+$filecontentaction = $reg[1];
+} else {
+$filecontentaction = $filecontent;
+}
+
+preg_match_all('/if\s*\(\s*\$action\s*==\s*[\'"][a-z]+[\'"].*/', $filecontentaction, $matches, PREG_SET_ORDER);
+foreach ($matches as $key => $val) {
+if (!preg_match('/\$user->hasR/', $val[0])
+&& !preg_match('/\$permission/', $val[0])
+&& !preg_match('/\$usercan/', $val[0])
+&& !preg_match('/\$canedit/', $val[0])
+&& !preg_match('/already done/i', $val[0])
+&& !preg_match('/not required/i', $val[0])) {
+$ok = false;
+print "Line: ".$val[0]."\n";
+break;
+}
+}
+$this->assertTrue($ok, 'Found a test on action without check on permission and without comment to say this is expected, in file '.$file['relativename'].'.');
+}
 }
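Review bot: The new action/permission check (its enclosing test method starts outside the hunk) has two gaps in the `preg_match_all` pattern: `[\'"][a-z]+[\'"]` does not match action names containing `_` or digits (`confirm_deletecombination`, `confirm_copycombination` from this same commit), and `\s*==\s*` does not match `===`, so the strict-comparison branches guarded elsewhere in this commit would never be examined; widening the middle of the pattern to `\$action\s*===?\s*[\'"][a-z0-9_]+[\'"]` fixes both. Second, the `else` fallback analyses `$filecontent`, from which `removePhpComments()` has already stripped comments, so in any file without the `* Action … * View` markers the `not required` / `already done` exemption comments can never match and every comment-exempted condition is reported as a failure; use `$filecontentaction = $filecontentorigin;` there as well. The exemption words are also only searched on the physical line of the `if`, so a `$user->hasRight(...)` on a continuation line of a multi-line condition is missed and reported; that limitation is worth stating in the comment above `preg_match_all`. `$key` in `foreach ($matches as $key => $val)` is unused and can be dropped.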