Fix missing test on permissions
This commit is contained in:
parent
e3c9f1db7c
commit
2e2ab9d84d
@ -54,6 +54,12 @@ $warehousefound = 0;
|
|||
$warehouseid = 0;
|
||||
$objectreturn = array();
|
||||
|
||||
/*
|
||||
* Action
|
||||
*/
|
||||
|
||||
// None
|
||||
|
||||
|
||||
/*
|
||||
* View
|
||||
|
|
@ -61,7 +67,7 @@ $objectreturn = array();
|
|||
|
||||
top_httphead('application/json');
|
||||
|
||||
if ($action == "existbarcode" && !empty($barcode)) {
|
||||
if ($action == "existbarcode" && !empty($barcode) && $user->hasRight('stock', 'lire')) {
|
||||
if (!empty($mode) && $mode == "lotserial") {
|
||||
$sql = "SELECT ps.fk_entrepot, ps.fk_product, p.barcode, ps.reel, pb.batch";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."product_batch as pb";
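Review bot: When `$user->hasRight('stock', 'lire')` is false the new condition only skips the block, and since `top_httphead('application/json')` has already been sent a few lines above, the endpoint presumably answers 200 with the empty `$objectreturn`, which a caller cannot tell apart from "barcode not found". Consider rejecting explicitly ahead of the `top_httphead()` call, e.g. `if (!$user->hasRight('stock', 'lire')) { accessforbidden(); }`, so a missing permission is visible to the client and in the logs. The remainder of the `existbarcode` block and the final output are outside the hunk.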
|
||||
|
|
|
|||
|
|
@ -36,8 +36,17 @@ $ref = GETPOST('ref', 'alpha');
|
|||
// Security check
|
||||
//$result=restrictedArea($user,'stock', $id, 'entrepot&stock');
|
||||
$result = restrictedArea($user, 'stock');
|
||||
|
||||
$usercancreate = $user->hasRight('stock', 'creer');
|
||||
|
||||
|
||||
/*
|
||||
* Actions
|
||||
*/
|
||||
|
||||
// None
|
||||
|
||||
|
||||
/*
|
||||
* View
|
||||
*/
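Review bot: `$usercancreate` is assigned from `$user->hasRight('stock', 'creer')` but nothing in the hunk reads it, and the rest of this commit names the same kind of flag `$permissiontoadd` (see the societe and salary hunks). If a create action further down consumes it, rename it to `$permissiontoadd` for consistency; if nothing uses it, drop the line rather than leaving a dead flag that suggests a permission test exists. The actions section that would use it lies outside the hunk.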
|
||||
|
|
|
|||
|
|
@ -145,9 +145,6 @@ if (isModEnabled('mrp')) {
|
|||
if (isModEnabled('eventorganization')) {
|
||||
$langs->load("eventorganization");
|
||||
}
|
||||
//if (isModEnabled('stocktransfer')) {
|
||||
// $langs->load("stockstransfer");
|
||||
//}
|
||||
|
||||
$id = GETPOSTINT('id');
|
||||
$ref = GETPOST('ref', 'alpha');
|
||||
|
|
@ -194,6 +191,13 @@ $hookmanager->initHooks(array('projectOverview'));
|
|||
$result = restrictedArea($user, 'projet', $object->id, 'projet&project');
|
||||
|
||||
|
||||
/*
|
||||
* Actions
|
||||
*/
|
||||
|
||||
// None
|
||||
|
||||
|
||||
/*
|
||||
* View
|
||||
*/
|
||||
|
|
|
|||
|
|
@ -62,10 +62,16 @@ $result = "{}";
|
|||
* Actions
|
||||
*/
|
||||
|
||||
// None
|
||||
|
||||
|
||||
/*
|
||||
* View
|
||||
*/
|
||||
|
||||
top_httphead('application/json');
|
||||
|
||||
|
||||
if ($action == 'verifyavailability') {
|
||||
if ($action == 'verifyavailability') { // Test on permission not required here (anonymous action protected by mitigation of /public/... urls)
|
||||
$response = array();
|
||||
if (empty($id)) {
|
||||
$error++;
|
||||
|
|
@ -176,8 +182,4 @@ if ($action == 'verifyavailability') {
|
|||
}
|
||||
|
||||
|
||||
/*
|
||||
* View
|
||||
*/
|
||||
|
||||
echo json_encode($result);
|
||||
|
|
|
|||
|
|
@ -97,7 +97,7 @@ $max_day_in_prev_month = idate("t", dol_mktime(0, 0, 0, $prev_month, 1, $prev_ye
|
|||
$max_day_in_month = idate("t", dol_mktime(0, 0, 0, $month, 1, $year)); // Nb of days in next month
|
||||
// tmpday is a negative or null cursor to know how many days before the 1st to show on month view (if tmpday=0, 1st is monday)
|
||||
$tmpday = - idate("w", dol_mktime(12, 0, 0, $month, 1, $year, 'gmt')) + 2; // idate('w') is 0 for sunday
|
||||
$tmpday += ((isset($conf->global->MAIN_START_WEEK) ? $conf->global->MAIN_START_WEEK : 1) - 1);
|
||||
$tmpday += (getDolGlobalInt('MAIN_START_WEEK', 1) - 1);
|
||||
if ($tmpday >= 1) {
|
||||
$tmpday -= 7; // If tmpday is 0 we start with sunday, if -6, we start with monday of previous week.
|
||||
}
|
||||
|
|
@ -130,7 +130,7 @@ $errmsg = '';
|
|||
*/
|
||||
function llxHeaderVierge($title, $head = "", $disablejs = 0, $disablehead = 0, $arrayofjs = [], $arrayofcss = [])
|
||||
{
|
||||
global $user, $conf, $langs, $mysoc;
|
||||
global $conf, $langs, $mysoc;
|
||||
|
||||
top_htmlhead($head, $title, $disablejs, $disablehead, $arrayofjs, $arrayofcss); // Show html headers
|
||||
|
||||
|
|
@ -185,7 +185,7 @@ function llxHeaderVierge($title, $head = "", $disablejs = 0, $disablehead = 0, $
|
|||
* Actions
|
||||
*/
|
||||
|
||||
if ($action == 'add') {
|
||||
if ($action == 'add' ) { // Test on permission not required here (anonymous action protected by mitigation of /public/... urls)
|
||||
$error = 0;
|
||||
$idcontact = 0;
|
||||
$calendar = $object;
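Review bot: The new condition has a stray space inside the parentheses, `if ($action == 'add' ) {`, which the project's phpcs run will flag; write it as `if ($action == 'add') { // Test on permission not required here (anonymous action protected by mitigation of /public/... urls)`. The same trailing comment is pasted verbatim into several public pages of this commit (`verifyavailability`, `organizedeventregistration`/`boothlocation`, `dopayment`, `charge`, the ticket `view`/`presend`/`dosubmit` branch); a shorter wording that names the guard a reader can actually verify would serve better than repeating the sentence. The body of the `add` block continues outside the hunk.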
|
||||
|
|
|
|||
|
|
@ -115,7 +115,10 @@ if (!$action) {
|
|||
}
|
||||
}
|
||||
|
||||
if ($source == 'organizedeventregistration') {
|
||||
|
||||
// Load data required later for actions and view
|
||||
|
||||
if ($source == 'organizedeventregistration') { // Test on permission not required here (anonymous action protected by mitigation of /public/... urls)
|
||||
// Finding the Attendee
|
||||
$attendee = new ConferenceOrBoothAttendee($db);
|
||||
|
||||
|
|
@ -166,7 +169,7 @@ if ($source == 'organizedeventregistration') {
|
|||
}
|
||||
}
|
||||
}
|
||||
} elseif ($source == 'boothlocation') {
|
||||
} elseif ($source == 'boothlocation') { // Test on permission not required here (anonymous action protected by mitigation of /public/... urls)
|
||||
// Getting the amount to pay, the invoice, finding the thirdparty
|
||||
$invoiceid = GETPOST('ref');
|
||||
$invoice = new Facture($db);
|
||||
|
|
@ -361,7 +364,7 @@ $mesg = '';
|
|||
*/
|
||||
|
||||
// Action dopayment is called after clicking/choosing the payment mode
|
||||
if ($action == 'dopayment') {
|
||||
if ($action == 'dopayment') { // Test on permission not required here (anonymous action protected by mitigation of /public/... urls)
|
||||
dol_syslog("--- newpayment.php Execute action = ".$action." paymentmethod=".$paymentmethod.' amount='.$amount.' newamount='.GETPOST("newamount", 'alpha'), LOG_DEBUG, 0, '_payment');
|
||||
|
||||
if ($paymentmethod == 'paypal') {
|
||||
|
|
@ -488,7 +491,7 @@ if ($action == 'dopayment') {
|
|||
// Called when choosing Stripe mode.
|
||||
// When using the old Charge API architecture, this code is called after clicking the 'dopayment' with the Charge API architecture.
|
||||
// When using the PaymentIntent API architecture, the Stripe customer was already created when creating PaymentIntent when showing payment page, and the payment is already ok when action=charge.
|
||||
if ($action == 'charge' && isModEnabled('stripe')) {
|
||||
if ($action == 'charge' && isModEnabled('stripe')) { // Test on permission not required here (anonymous action protected by mitigation of /public/... urls)
|
||||
$amountstripe = (float) $amount;
|
||||
|
||||
// Correct the amount according to unit of currency
|
||||
|
|
|
|||
|
|
@ -94,7 +94,7 @@ if ($cancel) {
|
|||
$action = 'view';
|
||||
}
|
||||
|
||||
if ($action == "view" || $action == "presend" || $action == "dosubmit") {
|
||||
if ($action == "view" || $action == "presend" || $action == "dosubmit") { // Test on permission not required here (anonymous action protected by mitigation of /public/... urls)
|
||||
$error = 0;
|
||||
$display_ticket = false;
|
||||
if (!strlen($ref)) {
|
||||
|
|
|
|||
|
|
@ -228,7 +228,7 @@ if ($action == 'setbankaccount' && $permissiontoadd) {
|
|||
}
|
||||
}
|
||||
|
||||
if ($action == 'add' && empty($cancel)) {
|
||||
if ($action == 'add' && empty($cancel) && $permissiontoadd) {
|
||||
$error = 0;
|
||||
|
||||
if (empty($datev)) {
|
||||
|
|
@ -344,7 +344,7 @@ if ($action == 'add' && empty($cancel)) {
|
|||
$action = 'create';
|
||||
}
|
||||
|
||||
if ($action == 'confirm_delete') {
|
||||
if ($action == 'confirm_delete' && $permissiontodelete) {
|
||||
$result = $object->fetch($id);
|
||||
$totalpaid = $object->getSommePaiement();
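Review bot: `if ($action == 'confirm_delete' && $permissiontodelete)` does not test the answer of the confirmation dialog, so unless the body below checks it, a "No" answer (`confirm=no`) still deletes the record; `$confirm` is in scope in this file, since the `confirm_clone` hunk of the same commit reads it. Suggested condition: `if ($action == 'confirm_delete' && $confirm == 'yes' && $permissiontodelete) {`. The body of the block and the definition of `$permissiontodelete` are outside the hunk.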
|
||||
|
||||
|
|
@ -389,7 +389,7 @@ if ($action == 'update' && !GETPOST("cancel") && $permissiontoadd) {
|
|||
}
|
||||
}
|
||||
|
||||
if ($action == 'confirm_clone' && $confirm != 'yes') {
|
||||
if ($action == 'confirm_clone' && $confirm != 'yes') { // Test on permission not required here
|
||||
$action = '';
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -74,7 +74,6 @@ if ($user->socid) {
|
|||
}
|
||||
|
||||
|
||||
|
||||
$object = new Salary($db);
|
||||
$extrafields = new ExtraFields($db);
|
||||
|
||||
|
|
@ -153,7 +152,7 @@ if ($reshook < 0) {
|
|||
}
|
||||
|
||||
|
||||
if ($action == "new") {
|
||||
if ($action == "add" && $permissiontoadd) {
|
||||
//var_dump($object);exit;
|
||||
if ($object->id > 0) {
|
||||
$db->begin();
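Review bot: Renaming the action from `"new"` to `"add"` changes the request contract, not only the permission test: the two forms updated later in this commit now post `action=add`, but any other form, bookmarked URL or external script still sending `action=new` falls through to the view silently, with no error. If the hunks in this commit are not the only producers of that action, either keep accepting `"new"` as an alias for one release (`($action == "add" || $action == "new")`) or record the rename in the changelog. The block's body and the `$permissiontoadd` definition are outside the hunk.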
|
||||
|
|
@ -187,8 +186,6 @@ if ($action == "delete" && $permissiontodelete) {
|
|||
}
|
||||
|
||||
|
||||
|
||||
|
||||
/*
|
||||
* View
|
||||
*/
|
||||
|
|
@ -475,7 +472,7 @@ if ($object->paye == 0 && $hadRequest == 0) {
|
|||
print '<input type="hidden" name="token" value="'.newToken().'" />';
|
||||
print '<input type="hidden" name="id" value="'.$object->id.'" />';
|
||||
print '<input type="hidden" name="type" value="'.$type.'" />';
|
||||
print '<input type="hidden" name="action" value="new" />';
|
||||
print '<input type="hidden" name="action" value="add" />';
|
||||
print '<label for="withdraw_request_amount">'.$langs->trans('BankTransferAmount').' </label>';
|
||||
print '<input type="text" id="withdraw_request_amount" name="request_transfer" value="'.price($resteapayer, 0, $langs, 1, -1, -1).'" size="9" />';
|
||||
print '<input type="submit" class="butAction" value="'.$buttonlabel.'" />';
|
||||
|
|
@ -490,7 +487,7 @@ if ($object->paye == 0 && $hadRequest == 0) {
|
|||
print '<input type="hidden" name="token" value="'.newToken().'" />';
|
||||
print '<input type="hidden" name="id" value="'.$object->id.'" />';
|
||||
print '<input type="hidden" name="type" value="'.$type.'" />';
|
||||
print '<input type="hidden" name="action" value="new" />';
|
||||
print '<input type="hidden" name="action" value="add" />';
|
||||
print '<input type="hidden" name="paymenservice" value="stripesepa" />';
|
||||
print '<label for="withdraw_request_amount">'.$langs->trans('BankTransferAmount').' </label>';
|
||||
print '<input type="text" id="withdraw_request_amount" name="request_transfer" value="'.price($resteapayer, 0, $langs, 1, -1, -1).'" size="9" />';
|
||||
|
|
@ -520,14 +517,8 @@ print '</div>';
|
|||
print '<div>';
|
||||
|
||||
|
||||
/*
|
||||
* Withdraw receipts
|
||||
*/
|
||||
$bprev = new BonPrelevement($db);
|
||||
|
||||
/*
|
||||
* Withdrawals
|
||||
*/
|
||||
|
||||
print '<div class="div-table-responsive-no-min">';
|
||||
print '<table class="noborder centpercent">';
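Review bot: If the six removed lines include `$bprev = new BonPrelevement($db);` (it is the only statement among the candidates, the rest being comments and blank lines), make sure `$bprev` has no remaining use further down in the "Withdrawals" table, since a later `$bprev->...` call would now operate on an undefined variable. The rest of the view is outside the hunk, so this cannot be checked here.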
|
||||
|
|
|
|||
|
|
@ -328,6 +328,8 @@ if ($user->socid) {
|
|||
}
|
||||
$result = restrictedArea($user, 'societe', $socid, '');
|
||||
|
||||
$permissiontoadd = $user->hasRight('societe', 'lire');
|
||||
|
||||
|
||||
/*
|
||||
* Actions
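Review bot: `$permissiontoadd = $user->hasRight('societe', 'lire');` binds the read right to a variable named as a write permission, and the `setstcomm` hunk further down uses it to gate an update of the thirdparty's commercial status (`$object->stcomm_id = ...`), so any user allowed to list thirdparties can change that status. Unless read access is really intended there, use the write right, `$permissiontoadd = $user->hasRight('societe', 'creer');` (the stock hunk of this same commit uses `'creer'` for its create flag). `actions_massactions.inc.php` is included just before `setstcomm`, so also check whether any mass action in that file keys on the same `$permissiontoadd`.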
|
||||
|
|
@ -463,7 +465,7 @@ if (empty($reshook)) {
|
|||
$uploaddir = $conf->societe->dir_output;
|
||||
include DOL_DOCUMENT_ROOT.'/core/actions_massactions.inc.php';
|
||||
|
||||
if ($action == 'setstcomm') {
|
||||
if ($action == 'setstcomm' && $permissiontoadd) {
|
||||
$object = new Client($db);
|
||||
$result = $object->fetch(GETPOST('stcommsocid'));
|
||||
$object->stcomm_id = dol_getIdFromCode($db, GETPOST('stcomm', 'alpha'), 'c_stcomm');
|
||||
|
|
|
|||
|
|
@ -136,7 +136,7 @@ if (empty($reshook)) {
|
|||
}
|
||||
}
|
||||
|
||||
if ($action == 'update') {
|
||||
if ($action == 'update' && $permissiontoaddupdatepaymentinformation) {
|
||||
// Update the bank account
|
||||
if (!GETPOST('label', 'alpha') || !(GETPOST('bank', 'alpha') || (getDolGlobalInt('WITHDRAWAL_WITHOUT_BIC')!=0))) {
|
||||
if (!GETPOST('label', 'alpha')) {
|
||||
|
|
@ -221,7 +221,7 @@ if (empty($reshook)) {
|
|||
}
|
||||
}
|
||||
|
||||
if ($action == 'updatecard') {
|
||||
if ($action == 'updatecard' && $permissiontoaddupdatepaymentinformation) {
|
||||
// Update credit card
|
||||
if (!GETPOST('label', 'alpha') || !GETPOST('proprio', 'alpha') || !GETPOST('exp_date_month', 'alpha') || !GETPOST('exp_date_year', 'alpha')) {
|
||||
if (!GETPOST('label', 'alpha')) {
|
||||
|
|
@ -284,7 +284,7 @@ if (empty($reshook)) {
|
|||
}
|
||||
|
||||
// Add bank account
|
||||
if ($action == 'add') {
|
||||
if ($action == 'add' && $permissiontoaddupdatepaymentinformation) {
|
||||
$error = 0;
|
||||
|
||||
if (!GETPOST('label', 'alpha')) {
|
||||
|
|
@ -380,7 +380,7 @@ if (empty($reshook)) {
|
|||
}
|
||||
|
||||
// Add credit card
|
||||
if ($action == 'addcard') {
|
||||
if ($action == 'addcard' && $permissiontoaddupdatepaymentinformation) {
|
||||
$error = 0;
|
||||
|
||||
if (!GETPOST('label', 'alpha') || !GETPOST('proprio', 'alpha') || !GETPOST('exp_date_month', 'alpha') || !GETPOST('exp_date_year', 'alpha')) {
|
||||
|
|
@ -447,7 +447,7 @@ if (empty($reshook)) {
|
|||
}
|
||||
}
|
||||
|
||||
if ($action == 'setasbankdefault' && GETPOSTINT('ribid') > 0) {
|
||||
if ($action == 'setasbankdefault' && GETPOSTINT('ribid') > 0 && $permissiontoaddupdatepaymentinformation) {
|
||||
$companybankaccount = new CompanyBankAccount($db);
|
||||
$res = $companybankaccount->setAsDefault(GETPOSTINT('ribid'));
|
||||
if ($res) {
|
||||
|
|
@ -459,7 +459,7 @@ if (empty($reshook)) {
|
|||
}
|
||||
}
|
||||
|
||||
if ($action == 'confirm_deletecard' && GETPOST('confirm', 'alpha') == 'yes') {
|
||||
if ($action == 'confirm_deletecard' && GETPOST('confirm', 'alpha') == 'yes' && $permissiontoaddupdatepaymentinformation) {
|
||||
// Delete the credi card
|
||||
$companypaymentmode = new CompanyPaymentMode($db);
|
||||
if ($companypaymentmode->fetch($ribid ? $ribid : $id)) {
|
||||
|
|
@ -486,7 +486,7 @@ if (empty($reshook)) {
|
|||
setEventMessages($companypaymentmode->error, $companypaymentmode->errors, 'errors');
|
||||
}
|
||||
}
|
||||
if ($action == 'confirm_deletebank' && GETPOST('confirm', 'alpha') == 'yes') {
|
||||
if ($action == 'confirm_deletebank' && GETPOST('confirm', 'alpha') == 'yes' && $permissiontoaddupdatepaymentinformation) {
|
||||
// Delete the bank account
|
||||
$companybankaccount = new CompanyBankAccount($db);
|
||||
if ($companybankaccount->fetch($ribid ? $ribid : $id) > 0) {
|
||||
|
|
@ -518,7 +518,7 @@ if (empty($reshook)) {
|
|||
$savid = $id;
|
||||
|
||||
// Actions to build doc
|
||||
if ($action == 'builddocrib') {
|
||||
if ($action == 'builddocrib' && $permissiontoread) {
|
||||
$action = 'builddoc';
|
||||
$moreparams = array(
|
||||
'use_companybankid' => GETPOST('companybankid'),
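Review bot: `builddocrib` is gated on `$permissiontoread` while every sibling action in this file is gated on `$permissiontoaddupdatepaymentinformation`, and the block then rewrites `$action` to `builddoc`, presumably to reach `actions_builddoc.inc.php`, which elsewhere in this commit is always preceded by a `$permissiontoadd` assignment. If read-only users are meant to generate the RIB document, say so, e.g. `// Generating the RIB document only needs read access; actions_builddoc.inc.php applies its own checks`, and confirm `$permissiontoadd` is set accordingly before that include; otherwise use the same write variable as the other actions. The definitions of both permission variables and the enclosing `if (empty($reshook))` lie outside the hunk.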
|
||||
|
|
@ -536,7 +536,7 @@ if (empty($reshook)) {
|
|||
|
||||
// Action for stripe
|
||||
if (isModEnabled('stripe') && class_exists('Stripe')) {
|
||||
if ($action == 'synccustomertostripe' || $action == 'synccustomertostripetest') {
|
||||
if (($action == 'synccustomertostripe' || $action == 'synccustomertostripetest') && $permissiontoaddupdatepaymentinformation) {
|
||||
if ($object->client == 0) {
|
||||
$error++;
|
||||
setEventMessages('ThisThirdpartyIsNotACustomer', null, 'errors');
|
||||
|
|
@ -565,7 +565,7 @@ if (empty($reshook)) {
|
|||
}
|
||||
}
|
||||
}
|
||||
if ($action == 'synccardtostripe') {
|
||||
if ($action == 'synccardtostripe' && $permissiontoaddupdatepaymentinformation) {
|
||||
// Create the credit card on current Stripe env
|
||||
$companypaymentmode = new CompanyPaymentMode($db);
|
||||
$companypaymentmode->fetch($id);
|
||||
|
|
@ -593,7 +593,7 @@ if (empty($reshook)) {
|
|||
}
|
||||
}
|
||||
}
|
||||
if ($action == 'syncsepatostripe') {
|
||||
if ($action == 'syncsepatostripe' && $permissiontoaddupdatepaymentinformation) {
|
||||
// Create the bank account on current Stripe env
|
||||
$companypaymentmode = new CompanyPaymentMode($db); // Get record in llx_societe_rib
|
||||
$companypaymentmode->fetch($id);
|
||||
|
|
@ -625,7 +625,7 @@ if (empty($reshook)) {
|
|||
}
|
||||
|
||||
// Set the customer Stripe account (for Live or Test env)
|
||||
if ($action == 'setkey_account' || $action == 'setkey_accounttest') {
|
||||
if (($action == 'setkey_account' || $action == 'setkey_accounttest') && $permissiontoaddupdatepaymentinformation) {
|
||||
$error = 0;
|
||||
|
||||
$tmpservice = 'StripeTest';
|
||||
|
|
@ -692,7 +692,7 @@ if (empty($reshook)) {
|
|||
}
|
||||
|
||||
// Set the supplier Stripe account (for Live or Test env)
|
||||
if ($action == 'setkey_account_supplier' || $action == 'setkey_account_suppliertest') {
|
||||
if (($action == 'setkey_account_supplier' || $action == 'setkey_account_suppliertest') && $permissiontoaddupdatepaymentinformation) {
|
||||
$error = 0;
|
||||
|
||||
$tmpservice = 'StripeTest';
|
||||
|
|
@ -762,7 +762,7 @@ if (empty($reshook)) {
|
|||
}
|
||||
}
|
||||
|
||||
if ($action == 'setlocalassourcedefault') { // Set as default when payment mode defined locally (and may be also remotely)
|
||||
if ($action == 'setlocalassourcedefault' && $permissiontoaddupdatepaymentinformation) { // Set as default when payment mode defined locally (and may be also remotely)
|
||||
try {
|
||||
$companypaymentmode->setAsDefault($id);
|
||||
|
||||
|
|
@ -773,7 +773,7 @@ if (empty($reshook)) {
|
|||
$error++;
|
||||
setEventMessages($e->getMessage(), null, 'errors');
|
||||
}
|
||||
} elseif ($action == 'setassourcedefault') { // Set as default when payment mode defined remotely only
|
||||
} elseif ($action == 'setassourcedefault' && $permissiontoaddupdatepaymentinformation) { // Set as default when payment mode defined remotely only
|
||||
try {
|
||||
$cu = $stripe->customerStripe($object, $stripeacc, $servicestatus);
|
||||
if (preg_match('/pm_|src_/', $source)) {
|
||||
|
|
@ -791,7 +791,7 @@ if (empty($reshook)) {
|
|||
$error++;
|
||||
setEventMessages($e->getMessage(), null, 'errors');
|
||||
}
|
||||
} elseif ($action == 'deletecard' && $source) {
|
||||
} elseif ($action == 'deletecard' && $source && $permissiontoaddupdatepaymentinformation) {
|
||||
// Delete the credit card on Stripe side
|
||||
try {
|
||||
if (preg_match('/pm_/', $source)) {
|
||||
|
|
@ -823,7 +823,7 @@ if (empty($reshook)) {
|
|||
$error++;
|
||||
setEventMessages($e->getMessage(), null, 'errors');
|
||||
}
|
||||
} elseif ($action == 'deletebank' && $source) {
|
||||
} elseif ($action == 'deletebank' && $source && $permissiontoaddupdatepaymentinformation) {
|
||||
// Delete the bank account on Stripe side
|
||||
try {
|
||||
if (preg_match('/pm_/', $source)) {
|
||||
|
|
|
|||
|
|
@ -67,7 +67,7 @@ $pricelevel = 1; // default price level if PRODUIT_MULTIPRICES. TODO Get price l
|
|||
|
||||
$thirdparty = new Societe($db);
|
||||
|
||||
if ($action == 'getProducts') {
|
||||
if ($action == 'getProducts' && $user->hasRight('takepos', 'run')) {
|
||||
$tosell = GETPOSTISSET('tosell') ? GETPOSTINT('tosell') : '';
|
||||
$limit = GETPOSTISSET('limit') ? GETPOSTINT('limit') : 0;
|
||||
$offset = GETPOSTISSET('offset') ? GETPOSTINT('offset') : 0;
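Review bot: Every branch of the `if`/`elseif` chain now repeats `$user->hasRight('takepos', 'run')`, and a user without it falls through all branches and receives an empty 200 response, which for the JSON actions (`search`, `getInvoice`) surfaces client-side as a parse error rather than a permission error. A single guard before the chain, `if (!$user->hasRight('takepos', 'run')) { accessforbidden(); }`, makes the denial explicit and lets the conditions return to their original form; the same applies to the `search`, `opendrawer`, `printinvoiceticket`, `getInvoice` and `thecheck` hunks of this file (the `printinvoiceticket` one keeps its extra `facture`/`lire` test). The page preamble where such a guard would go is outside the hunk.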
|
||||
|
|
@ -122,7 +122,7 @@ if ($action == 'getProducts') {
|
|||
} else {
|
||||
echo 'Failed to load category with id='.dol_escape_htmltag($category);
|
||||
}
|
||||
} elseif ($action == 'search' && $term != '') {
|
||||
} elseif ($action == 'search' && $term != '' && $user->hasRight('takepos', 'run')) {
|
||||
top_httphead('application/json');
|
||||
|
||||
// Search barcode into thirdparties. If found, it means we want to change thirdparties.
|
||||
|
|
@ -395,7 +395,7 @@ if ($action == 'getProducts') {
|
|||
} else {
|
||||
echo 'Failed to search product : '.$db->lasterror();
|
||||
}
|
||||
} elseif ($action == "opendrawer" && $term != '') {
|
||||
} elseif ($action == "opendrawer" && $term != '' && $user->hasRight('takepos', 'run')) {
|
||||
top_httphead('application/html');
|
||||
require_once DOL_DOCUMENT_ROOT.'/core/class/dolreceiptprinter.class.php';
|
||||
$printer = new dolReceiptPrinter($db);
|
||||
|
|
@ -410,7 +410,7 @@ if ($action == 'getProducts') {
|
|||
print 'Failed to init printer with ID='.getDolGlobalInt('TAKEPOS_PRINTER_TO_USE'.$term);
|
||||
}
|
||||
}
|
||||
} elseif ($action == "printinvoiceticket" && $term != '' && $id > 0 && $user->hasRight('facture', 'lire')) {
|
||||
} elseif ($action == "printinvoiceticket" && $term != '' && $id > 0 && $user->hasRight('takepos', 'run') && $user->hasRight('facture', 'lire')) {
|
||||
top_httphead('application/html');
|
||||
|
||||
require_once DOL_DOCUMENT_ROOT.'/core/class/dolreceiptprinter.class.php';
|
||||
|
|
@ -422,7 +422,7 @@ if ($action == 'getProducts') {
|
|||
$object->fetch($id);
|
||||
$ret = $printer->sendToPrinter($object, getDolGlobalString('TAKEPOS_TEMPLATE_TO_USE_FOR_INVOICES'.$term), getDolGlobalString('TAKEPOS_PRINTER_TO_USE'.$term));
|
||||
}
|
||||
} elseif ($action == 'getInvoice') {
|
||||
} elseif ($action == 'getInvoice' && $user->hasRight('takepos', 'run')) {
|
||||
top_httphead('application/json');
|
||||
|
||||
require_once DOL_DOCUMENT_ROOT.'/compta/facture/class/facture.class.php';
|
||||
|
|
@ -433,7 +433,7 @@ if ($action == 'getProducts') {
|
|||
}
|
||||
|
||||
echo json_encode($object);
|
||||
} elseif ($action == 'thecheck') {
|
||||
} elseif ($action == 'thecheck' && $user->hasRight('takepos', 'run')) {
|
||||
top_httphead('application/html');
|
||||
|
||||
$place = GETPOST('place', 'alpha');
|
||||
|
|
|
|||
|
|
@ -583,7 +583,7 @@ if (empty($reshook)) {
|
|||
}
|
||||
|
||||
if (($action == 'history' || $action == 'creditnote') && $user->hasRight('takepos', 'run')) {
|
||||
if ($action == 'creditnote' && $creditnote->id > 0) {
|
||||
if ($action == 'creditnote' && $creditnote->id > 0) { // Test on permission already done
|
||||
$placeid = $creditnote->id;
|
||||
} else {
|
||||
$placeid = GETPOSTINT('placeid');
|
||||
|
|
|
|||
|
|
@ -139,7 +139,7 @@ if ($id > 0) {
|
|||
}
|
||||
|
||||
|
||||
/**
|
||||
/*
|
||||
* Actions
|
||||
*/
|
||||
|
||||
|
|
@ -385,10 +385,10 @@ if (empty($reshook)) {
|
|||
|
||||
$object->fetch($id);
|
||||
|
||||
if ($action == 'addgroup') {
|
||||
if ($action == 'addgroup') { // Test on permission already done
|
||||
$result = $object->SetInGroup($group, $editgroup->entity);
|
||||
}
|
||||
if ($action == 'removegroup') {
|
||||
if ($action == 'removegroup') { // Test on permission already done
|
||||
$result = $object->RemoveFromGroup($group, $editgroup->entity);
|
||||
}
|
||||
|
||||
|
|
@ -766,7 +766,6 @@ if (empty($reshook)) {
|
|||
|
||||
// Actions to build doc
|
||||
$upload_dir = $conf->user->dir_output;
|
||||
$permissiontoadd = $user->hasRight("user", "user", "write");
|
||||
include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php';
|
||||
}
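Review bot: One line of this block is removed (7 lines become 6) and the only candidate that changes behaviour is `$permissiontoadd = $user->hasRight("user", "user", "write");`, which sat right before `include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php';`. If that is the removed line, the include now relies on whatever `$permissiontoadd` the page defined earlier; confirm it carries the same user/user/write meaning on this page (a card may compute edit rights differently when a user edits their own record), otherwise document generation is gated by a different right than before. The enclosing `if (empty($reshook))` block starts outside the hunk.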
|
||||
|
||||
|
|
@ -811,7 +810,6 @@ $help_url = '';
|
|||
|
||||
llxHeader('', $title, $help_url, '', 0, 0, '', '', '', 'mod-user page-card');
|
||||
|
||||
|
||||
if ($action == 'create' || $action == 'adduserldap') {
|
||||
print load_fiche_titre($title, '', 'user');
|
||||
|
||||
|
|
@ -1521,16 +1519,12 @@ if ($action == 'create' || $action == 'adduserldap') {
|
|||
print $form->formconfirm($_SERVER['PHP_SELF']."?id=$object->id", $langs->trans("EnableAUser"), $langs->trans("ConfirmEnableUser", $object->login), "confirm_enable", '', 0, 1);
|
||||
}
|
||||
|
||||
/*
|
||||
* Confirmation suppression
|
||||
*/
|
||||
// Confirmation delete
|
||||
if ($action == 'delete') {
|
||||
print $form->formconfirm($_SERVER['PHP_SELF']."?id=$object->id", $langs->trans("DeleteAUser"), $langs->trans("ConfirmDeleteUser", $object->login), "confirm_delete", '', 0, 1);
|
||||
}
|
||||
|
||||
/*
|
||||
* View mode
|
||||
*/
|
||||
// View mode
|
||||
if ($action != 'edit') {
|
||||
print dol_get_fiche_head($head, 'user', $title, -1, 'user');
|
||||
|
||||
|
|
|
|||
|
|
@ -34,18 +34,19 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/extrafields.class.php';
|
|||
require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php';
|
||||
|
||||
// Define if user can read permissions
|
||||
$canreadperms = ($user->admin || $user->hasRight("user", "user", "read"));
|
||||
$caneditperms = ($user->admin || $user->hasRight("user", "user", "write"));
|
||||
$candisableperms = ($user->admin || $user->hasRight("user", "user", "delete"));
|
||||
$permissiontoadd = ($user->admin || $user->hasRight("user", "user", "write"));
|
||||
$permissiontoread = ($user->admin || $user->hasRight("user", "user", "read"));
|
||||
$permissiontoedit = ($user->admin || $user->hasRight("user", "user", "write"));
|
||||
$permissiontodisable = ($user->admin || $user->hasRight("user", "user", "delete"));
|
||||
$feature2 = 'user';
|
||||
|
||||
// Advanced permissions
|
||||
$advancedpermsactive = false;
|
||||
if (getDolGlobalString('MAIN_USE_ADVANCED_PERMS')) {
|
||||
$advancedpermsactive = true;
|
||||
$canreadperms = ($user->admin || ($user->hasRight("user", "group_advance", "read") && $user->hasRight("user", "group_advance", "readperms")));
|
||||
$caneditperms = ($user->admin || $user->hasRight("user", "group_advance", "write"));
|
||||
$candisableperms = ($user->admin || $user->hasRight("user", "group_advance", "delete"));
|
||||
$permissiontoread = ($user->admin || ($user->hasRight("user", "group_advance", "read") && $user->hasRight("user", "group_advance", "readperms")));
|
||||
$permissiontoedit = ($user->admin || $user->hasRight("user", "group_advance", "write"));
|
||||
$permissiontodisable = ($user->admin || $user->hasRight("user", "group_advance", "delete"));
|
||||
$feature2 = 'group_advance';
|
||||
}
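Review bot: `$permissiontoadd` is introduced from `user`/`user`/`write`, but the `MAIN_USE_ADVANCED_PERMS` block below overrides only `$permissiontoread`, `$permissiontoedit` and `$permissiontodisable`, so with advanced permissions enabled `$permissiontoadd` and `$permissiontoedit` can disagree for the same user. Either add `$permissiontoadd = $permissiontoedit;` to that block (or derive it from `group_advance`/`write` as the edit flag is), or drop the top-level definition, since the actions hunk re-assigns `$permissiontoadd` immediately before the `actions_builddoc.inc.php` include anyway.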
|
||||
|
||||
|
|
@ -86,7 +87,7 @@ if (isModEnabled('multicompany') && $conf->entity > 1 && $conf->global->MULTICOM
|
|||
* Actions
|
||||
*/
|
||||
|
||||
$parameters = array('id' => $id, 'userid' => $userid, 'caneditperms' => $caneditperms);
|
||||
$parameters = array('id' => $id, 'userid' => $userid, 'caneditperms' => $permissiontoedit);
|
||||
$reshook = $hookmanager->executeHooks('doActions', $parameters, $object, $action); // Note that $action and $object may have been modified by some hooks
|
||||
if ($reshook < 0) {
|
||||
setEventMessages($hookmanager->error, $hookmanager->errors, 'errors');
|
||||
|
|
@ -111,139 +112,118 @@ if (empty($reshook)) {
|
|||
}
|
||||
|
||||
// Action remove group
|
||||
if ($action == 'confirm_delete' && $confirm == "yes") {
|
||||
if ($caneditperms) {
|
||||
$object->fetch($id);
|
||||
$object->delete($user);
|
||||
header("Location: ".DOL_URL_ROOT."/user/group/list.php?restore_lastsearch_values=1");
|
||||
exit;
|
||||
} else {
|
||||
$langs->load("errors");
|
||||
setEventMessages($langs->trans('ErrorForbidden'), null, 'errors');
|
||||
}
|
||||
if ($action == 'confirm_delete' && $confirm == "yes" && $permissiontoedit) {
|
||||
$object->fetch($id);
|
||||
$object->delete($user);
|
||||
header("Location: ".DOL_URL_ROOT."/user/group/list.php?restore_lastsearch_values=1");
|
||||
exit;
|
||||
}
|
||||
|
||||
// Action add group
|
||||
if ($action == 'add') {
|
||||
if ($caneditperms) {
|
||||
if (!GETPOST("nom", "alphanohtml")) {
|
||||
setEventMessages($langs->trans("NameNotDefined"), null, 'errors');
|
||||
$action = "create"; // Go back to create page
|
||||
} else {
|
||||
$object->name = GETPOST("nom", 'alphanohtml');
|
||||
$object->note = dol_htmlcleanlastbr(trim(GETPOST("note", 'restricthtml')));
|
||||
|
||||
// Fill array 'array_options' with data from add form
|
||||
$ret = $extrafields->setOptionalsFromPost(null, $object);
|
||||
if ($ret < 0) {
|
||||
$error++;
|
||||
}
|
||||
|
||||
if (isModEnabled('multicompany') && getDolGlobalString('MULTICOMPANY_TRANSVERSE_MODE')) {
|
||||
$object->entity = 0;
|
||||
} else {
|
||||
if ($conf->entity == 1 && $user->admin && !$user->entity) { // Same permissions test than the one used to show the combo of entities into the form
|
||||
$object->entity = GETPOSTISSET("entity") ? GETPOST("entity") : $conf->entity;
|
||||
} else {
|
||||
$object->entity = $conf->entity;
|
||||
}
|
||||
}
|
||||
|
||||
$db->begin();
|
||||
|
||||
$id = $object->create();
|
||||
|
||||
if ($id > 0) {
|
||||
$db->commit();
|
||||
|
||||
header("Location: ".$_SERVER['PHP_SELF']."?id=".$object->id);
|
||||
exit;
|
||||
} else {
|
||||
$db->rollback();
|
||||
|
||||
$langs->load("errors");
|
||||
setEventMessages($langs->trans("ErrorGroupAlreadyExists", $object->name), null, 'errors');
|
||||
$action = "create"; // Go back to create page
|
||||
}
|
||||
}
|
||||
if ($action == 'add' && $permissiontoedit) {
|
||||
if (!GETPOST("nom", "alphanohtml")) {
|
||||
setEventMessages($langs->trans("NameNotDefined"), null, 'errors');
|
||||
$action = "create"; // Go back to create page
|
||||
} else {
|
||||
$langs->load("errors");
|
||||
setEventMessages($langs->trans('ErrorForbidden'), null, 'errors');
|
||||
}
|
||||
}
|
||||
|
||||
// Add/Remove user into group
|
||||
if ($action == 'adduser' || $action == 'removeuser') {
|
||||
if ($caneditperms) {
|
||||
if ($userid > 0) {
|
||||
$object->fetch($id);
|
||||
$object->oldcopy = clone $object;
|
||||
|
||||
$edituser = new User($db);
|
||||
$edituser->fetch($userid);
|
||||
if ($action == 'adduser') {
|
||||
$result = $edituser->SetInGroup($object->id, $object->entity);
|
||||
}
|
||||
if ($action == 'removeuser') {
|
||||
$result = $edituser->RemoveFromGroup($object->id, $object->entity);
|
||||
}
|
||||
|
||||
if ($result > 0) {
|
||||
header("Location: ".$_SERVER['PHP_SELF']."?id=".$object->id);
|
||||
exit;
|
||||
} else {
|
||||
setEventMessages($edituser->error, $edituser->errors, 'errors');
|
||||
}
|
||||
}
|
||||
} else {
|
||||
$langs->load("errors");
|
||||
setEventMessages($langs->trans('ErrorForbidden'), null, 'errors');
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
if ($action == 'update') {
|
||||
if ($caneditperms) {
|
||||
$db->begin();
|
||||
|
||||
$object->fetch($id);
|
||||
|
||||
$object->oldcopy = clone $object;
|
||||
|
||||
$object->name = GETPOST("nom", 'alphanohtml');
|
||||
$object->note = dol_htmlcleanlastbr(trim(GETPOST("note", 'restricthtml')));
|
||||
$object->tms = dol_now();
|
||||
$object->name = GETPOST("nom", 'alphanohtml');
|
||||
$object->note = dol_htmlcleanlastbr(trim(GETPOST("note", 'restricthtml')));
|
||||
|
||||
// Fill array 'array_options' with data from add form
|
||||
$ret = $extrafields->setOptionalsFromPost(null, $object, '@GETPOSTISSET');
|
||||
$ret = $extrafields->setOptionalsFromPost(null, $object);
|
||||
if ($ret < 0) {
|
||||
$error++;
|
||||
}
|
||||
|
||||
if (isModEnabled('multicompany') && getDolGlobalString('MULTICOMPANY_TRANSVERSE_MODE')) {
|
||||
$object->entity = 0;
|
||||
} elseif (GETPOSTISSET("entity")) {
|
||||
$object->entity = GETPOSTINT("entity");
|
||||
}
|
||||
|
||||
$ret = $object->update();
|
||||
|
||||
if ($ret >= 0 && !count($object->errors)) {
|
||||
setEventMessages($langs->trans("GroupModified"), null, 'mesgs');
|
||||
$db->commit();
|
||||
} else {
|
||||
setEventMessages($object->error, $object->errors, 'errors');
|
||||
$db->rollback();
|
||||
if ($conf->entity == 1 && $user->admin && !$user->entity) { // Same permissions test than the one used to show the combo of entities into the form
|
||||
$object->entity = GETPOSTISSET("entity") ? GETPOST("entity") : $conf->entity;
|
||||
} else {
|
||||
$object->entity = $conf->entity;
|
||||
}
|
||||
}
|
||||
|
||||
$db->begin();
|
||||
|
||||
$id = $object->create();
|
||||
|
||||
if ($id > 0) {
|
||||
$db->commit();
|
||||
|
||||
header("Location: ".$_SERVER['PHP_SELF']."?id=".$object->id);
|
||||
exit;
|
||||
} else {
|
||||
$db->rollback();
|
||||
|
||||
$langs->load("errors");
|
||||
setEventMessages($langs->trans("ErrorGroupAlreadyExists", $object->name), null, 'errors');
|
||||
$action = "create"; // Go back to create page
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Add/Remove user into group
|
||||
if (($action == 'adduser' || $action == 'removeuser') && $permissiontoedit) {
|
||||
if ($userid > 0) {
|
||||
$object->fetch($id);
|
||||
$object->oldcopy = clone $object;
|
||||
|
||||
$edituser = new User($db);
|
||||
$edituser->fetch($userid);
|
||||
if ($action == 'adduser') { // Test on permission already done
|
||||
$result = $edituser->SetInGroup($object->id, $object->entity);
|
||||
}
|
||||
if ($action == 'removeuser') { // Test on permission already done
|
||||
$result = $edituser->RemoveFromGroup($object->id, $object->entity);
|
||||
}
|
||||
|
||||
if ($result > 0) {
|
||||
header("Location: ".$_SERVER['PHP_SELF']."?id=".$object->id);
|
||||
exit;
|
||||
} else {
|
||||
setEventMessages($edituser->error, $edituser->errors, 'errors');
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
if ($action == 'update' && $permissiontoedit) {
|
||||
$db->begin();
|
||||
|
||||
$object->fetch($id);
|
||||
|
||||
$object->oldcopy = clone $object;
|
||||
|
||||
$object->name = GETPOST("nom", 'alphanohtml');
|
||||
$object->note = dol_htmlcleanlastbr(trim(GETPOST("note", 'restricthtml')));
|
||||
$object->tms = dol_now();
|
||||
|
||||
// Fill array 'array_options' with data from add form
$ret = $extrafields->setOptionalsFromPost(null, $object, '@GETPOSTISSET');
if ($ret < 0) {
$error++;
}
if (isModEnabled('multicompany') && getDolGlobalString('MULTICOMPANY_TRANSVERSE_MODE')) {
$object->entity = 0;
} elseif (GETPOSTISSET("entity")) {
$object->entity = GETPOSTINT("entity");
}
$ret = $object->update();
if ($ret >= 0 && !count($object->errors)) {
setEventMessages($langs->trans("GroupModified"), null, 'mesgs');
$db->commit();
} else {
$langs->load("errors");
setEventMessages($langs->trans('ErrorForbidden'), null, 'mesgs');
setEventMessages($object->error, $object->errors, 'errors');
$db->rollback();
}
}
// Actions to build doc
$upload_dir = $conf->user->dir_output.'/usergroups';
$permissiontoadd = $user->hasRight("user", "user", "write");
include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php';
}
@ -388,11 +368,11 @@ if ($action == 'create') {
setEventMessages($hookmanager->error, $hookmanager->errors, 'errors');
}
if ($caneditperms) {
if ($permissiontoedit) {
print '<a class="butAction" href="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'&action=edit&token='.newToken().'">'.$langs->trans("Modify").'</a>';
}
if ($candisableperms) {
if ($permissiontodisable) {
print '<a class="butActionDelete" href="'.$_SERVER['PHP_SELF'].'?action=delete&token='.newToken().'&id='.$object->id.'">'.$langs->trans("DeleteGroup").'</a>';
}
@ -412,12 +392,12 @@ if ($action == 'create') {
}
// Other form for add user to group
$parameters = array('caneditperms' => $caneditperms, 'exclude' => $exclude);
$parameters = array('caneditperms' => $permissiontoedit, 'exclude' => $exclude);
$reshook = $hookmanager->executeHooks('formAddUserToGroup', $parameters, $object, $action); // Note that $action and $object may have been modified by hook
print $hookmanager->resPrint;
if (empty($reshook)) {
if ($caneditperms) {
if ($permissiontoedit) {
print '<form action="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'" method="POST">'."\n";
print '<input type="hidden" name="token" value="'.newToken().'">';
print '<input type="hidden" name="action" value="adduser">';
@ -517,7 +497,7 @@ if ($action == 'create') {
* Card in edit mode
*/
if ($action == 'edit' && $caneditperms) {
if ($action == 'edit' && $permissiontoedit) {
print '<form action="'.$_SERVER['PHP_SELF'].'" method="post" name="updategroup" enctype="multipart/form-data">';
print '<input type="hidden" name="token" value="'.newToken().'">';
print '<input type="hidden" name="action" value="update">';
@ -51,9 +51,9 @@ if (isModEnabled('multicompany') && $conf->entity > 1 && getDolGlobalString('MUL
accessforbidden();
}
$canreadperms = true;
$permissiontoread = true;
if (getDolGlobalString('MAIN_USE_ADVANCED_PERMS')) {
$canreadperms = (!empty($user->admin) || $user->hasRight('user', 'group_advance', 'read'));
$permissiontoread = (!empty($user->admin) || $user->hasRight('user', 'group_advance', 'read'));
}
@ -51,15 +51,15 @@ if (!isset($id) || empty($id)) {
}
// Define if user can read permissions
$canreadperms = ($user->admin || $user->hasRight("user", "user", "read"));
$permissiontoread = ($user->admin || $user->hasRight("user", "user", "read"));
// Define if user can modify group permissions
$caneditperms = ($user->admin || $user->hasRight("user", "user", "write"));
$permissiontoedit = ($user->admin || $user->hasRight("user", "user", "write"));
// Advanced permissions
$advancedpermsactive = false;
if (getDolGlobalString('MAIN_USE_ADVANCED_PERMS')) {
$advancedpermsactive = true;
$canreadperms = ($user->admin || ($user->hasRight("user", "group_advance", "read") && $user->hasRight("user", "group_advance", "readperms")));
$caneditperms = ($user->admin || $user->hasRight("user", "group_advance", "write"));
$permissiontoread = ($user->admin || ($user->hasRight("user", "group_advance", "read") && $user->hasRight("user", "group_advance", "readperms")));
$permissiontoedit = ($user->admin || $user->hasRight("user", "group_advance", "write"));
}
// Security check
@ -68,7 +68,7 @@ if (isset($user->socid) && $user->socid > 0) {
$socid = $user->socid;
}
//$result = restrictedArea($user, 'user', $id, 'usergroup', '');
if (!$canreadperms) {
if (!$permissiontoread) {
accessforbidden();
}
@ -93,7 +93,7 @@ if ($reshook < 0) {
}
if (empty($reshook)) {
if ($action == 'addrights' && $caneditperms) {
if ($action == 'addrights' && $permissiontoedit) {
$editgroup = new UserGroup($db);
$result = $editgroup->fetch($object->id);
if ($result > 0) {
@ -109,7 +109,7 @@ if (empty($reshook)) {
$user->loadRights();
}
if ($action == 'delrights' && $caneditperms) {
if ($action == 'delrights' && $permissiontoedit) {
$editgroup = new UserGroup($db);
$result = $editgroup->fetch($id);
if ($result > 0) {
@ -268,7 +268,7 @@ if ($object->id > 0) {
print '<table class="noborder centpercent">';
print '<tr class="liste_titre">';
print '<td>'.$langs->trans("Module").'</td>';
if ($caneditperms) {
if ($permissiontoedit) {
print '<td class="center nowrap">';
print '<a class="reposition commonlink" title="'.dol_escape_htmltag($langs->trans("All")).'" alt="'.dol_escape_htmltag($langs->trans("All")).'" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=addrights&token='.newToken().'&entity='.$entity.'&module=allmodules&confirm=yes">'.$langs->trans("All")."</a>";
print '/';
@ -352,7 +352,7 @@ if ($object->id > 0) {
print '<a name="'.$objMod->getName().'"></a>';
print '</td>';
// Permission and tick (2 columns)
if ($caneditperms) {
if ($permissiontoedit) {
print '<td class="center wraponsmartphone">';
print '<span class="permtohide_'.$obj->module.'" '.(!$isexpanded ? ' style="display:none"' : '').'>';
print '<a class="reposition alink addexpandedmodulesinparamlist" title="'.dol_escape_htmltag($langs->trans("All")).'" alt="'.dol_escape_htmltag($langs->trans("All")).'" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=addrights&token='.newToken().'&entity='.$entity.'&module='.$obj->module.'&confirm=yes&updatedmodulename='.$obj->module.'">'.$langs->trans("All")."</a>";
@ -393,7 +393,7 @@ if ($object->id > 0) {
if (!empty($permsgroupbyentity[$entity]) && is_array($permsgroupbyentity[$entity])) {
if (in_array($obj->id, $permsgroupbyentity[$entity])) {
// Own permission by group
if ($caneditperms) {
if ($permissiontoedit) {
print '<td class="center"><a class="reposition" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=delrights&token='.newToken().'&entity='.$entity.'&rights='.$obj->id.'&confirm=yes">';
//print img_edit_remove($langs->trans("Remove"));
print img_picto($langs->trans("Remove"), 'switch_on');
@ -404,7 +404,7 @@ if ($object->id > 0) {
print '</td>';
} else {
// Do not own permission
if ($caneditperms) {
if ($permissiontoedit) {
print '<td class="center"><a class="reposition" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=addrights&token='.newToken().'&entity='.$entity.'&rights='.$obj->id.'&confirm=yes">';
//print img_edit_add($langs->trans("Add"));
print img_picto($langs->trans("Add"), 'switch_off');
@ -414,7 +414,7 @@ if ($object->id > 0) {
}
} else {
// Do not own permission
if ($caneditperms) {
if ($permissiontoedit) {
print '<td class="center"><a class="reposition" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=addrights&entity='.$entity.'&rights='.$obj->id.'&confirm=yes&token='.newToken().'">';
//print img_edit_add($langs->trans("Add"));
print img_picto($langs->trans("Add"), 'switch_off');
@ -38,9 +38,9 @@ if (!$user->hasRight('user', 'user', 'lire') && !$user->admin) {
// Load translation files required by page
$langs->load("users");
$canreadperms = true;
$permissiontoreadgroup = true;
if (getDolGlobalString('MAIN_USE_ADVANCED_PERMS')) {
$canreadperms = (!empty($user->admin) || $user->hasRight("user", "group_advance", "read"));
$permissiontoreadgroup = (!empty($user->admin) || $user->hasRight("user", "group_advance", "read"));
}
// Security check (for external users)
@ -98,7 +98,7 @@ $searchbox .= '<tr><td>';
$searchbox .= $langs->trans("User").':</td><td><input class="flat inputsearch width200" type="text" name="search_user"></td></tr>';
// Search Group
if ($canreadperms) {
if ($permissiontoreadgroup) {
$searchbox .= '<tr><td>';
$searchbox .= $langs->trans("Group").':</td><td><input class="flat inputsearch width200" type="text" name="search_group"></td></tr>';
}
@ -231,7 +231,7 @@ if ($resql) {
* Last groups created
*/
$lastgroupbox = '';
if ($canreadperms) {
if ($permissiontoreadgroup) {
$sql = "SELECT g.rowid, g.nom as name, g.note, g.entity, g.datec";
$sql .= " FROM ".MAIN_DB_PREFIX."usergroup as g";
if (isModEnabled('multicompany') && $conf->entity == 1 && (getDolGlobalInt('MULTICOMPANY_TRANSVERSE_MODE') || ($user->admin && !$user->entity))) {
@ -2338,10 +2338,10 @@ if ((($action == 'updatesource' || $action == 'updatecontent' || $action == 'con
if ($res < 0) {
$error++;
setEventMessages($objectpage->error, $objectpage->errors, 'errors');
if ($action == 'updatesource') {
if ($action == 'updatesource') { // Test on permissions already done
$action = 'editsource';
}
if ($action == 'updatecontent') {
if ($action == 'updatecontent') { // Test on permissions already done
$action = 'editcontent';
}
}
@ -2400,10 +2400,10 @@ if ((($action == 'updatesource' || $action == 'updatecontent' || $action == 'con
exit;
}
} else {
if ($action == 'updatesource') {
if ($action == 'updatesource') { // Test on permissions already done
$action = 'editsource';
}
if ($action == 'updatecontent') {
if ($action == 'updatecontent') { // Test on permissions already done
$action = 'editcontent';
}
}
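Review bot: The `// Test on permissions already done` markers added to the `updatesource`/`updatecontent` branches in this hunk and in the -2400 hunk below only satisfy the CodingPhpTest lint; nothing in either hunk shows where that permission test actually happens, and the enclosing `if` whose header the hunk line quotes starts outside the hunk. These branches just reset `$action` back to an edit mode after a failed save (`$res < 0`) or in the else path, so the marker is accurate only if the outer condition gates on the website write permission, which I cannot verify from here. I would make the marker point at the gate rather than rely on the keyword, e.g. `// Test on permissions already done in the enclosing condition of this block`, so a later audit of lint exemptions can check it.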
@ -655,6 +655,7 @@ class CodingPhpTest extends CommonClassTest
&& !preg_match('/\$canedit/', $val[0])
&& !preg_match('/\$user->admin/', $val[0])
&& !preg_match('/already done/i', $val[0])
&& !preg_match('/done later/i', $val[0])
&& !preg_match('/not required/i', $val[0])) {
$ok = false;
print "File ".$file['relativename']." - Line: ".$val[0]."\n";
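Review bot: The new exclusion `&& !preg_match('/already done/i', $val[0])` is a free-text allowlist: any line containing the phrase "already done" anywhere, including inside a string literal or an unrelated comment, is exempted from the missing-permission check, so the lint can be silenced without the gate ever being reviewed. Anchoring the pattern to a trailing comment narrows it while still matching the markers this commit adds, e.g. `&& !preg_match('/\/\/\s*Test on permissions? already done/i', $val[0])`; the neighbouring `done later` and `not required` patterns share the same weakness and could be tightened the same way. The enclosing test method starts outside the hunk, so I could not confirm whether `$val[0]` holds the whole source line or only the matched `if` statement.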