Sec: Fix security permission check
This commit is contained in:
parent
379d29e867
commit
3d8dc0b7e7
@ -1,6 +1,6 @@
|
|||
<?php
|
||||
/* Copyright (C) 2001-2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
|
||||
* Copyright (C) 2004-2009 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2004-2010 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2005-2009 Regis Houssin <regis@dolibarr.fr>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
|
|
@ -51,11 +51,15 @@ $offset = $limit * $_GET["page"] ;
|
|||
$helpurl='EN:Module_Shipments|FR:Module_Expéditions|ES:Módulo_Expediciones';
|
||||
llxHeader('',$langs->trans('ListOfSendings'),$helpurl);
|
||||
|
||||
$sql = "SELECT e.rowid, e.ref,".$db->pdate("e.date_expedition")." as date_expedition, e.fk_statut";
|
||||
$sql = "SELECT e.rowid, e.ref, e.date_expedition, e.fk_statut";
|
||||
$sql.= ", s.nom as socname, s.rowid as socid";
|
||||
$sql.= ", ori.ref as origin_ref, ori.rowid as origin_id";
|
||||
$sql.= " FROM ".MAIN_DB_PREFIX."expedition as e";
|
||||
$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."element_element as el ON e.rowid = el.fk_target";
|
||||
$sql.= " FROM (".MAIN_DB_PREFIX."expedition as e";
|
||||
if (!$user->rights->societe->client->voir && !$socid) // Internal user with no permission to see all
|
||||
{
|
||||
$sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
|
||||
}
|
||||
$sql.= ") LEFT JOIN ".MAIN_DB_PREFIX."element_element as el ON e.rowid = el.fk_target";
|
||||
if ($conf->commande->enabled)
|
||||
{
|
||||
$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."commande as ori ON el.fk_source = ori.rowid";
|
||||
|
|
@ -68,9 +72,9 @@ else
|
|||
}
|
||||
$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = e.fk_soc";
|
||||
$sql.= " WHERE e.entity = ".$conf->entity;
|
||||
if (!$user->rights->societe->client->voir && !$socid)
|
||||
if (!$user->rights->societe->client->voir && !$socid) // Internal user with no permission to see all
|
||||
{
|
||||
$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON e.fk_soc = sc.fk_soc";
|
||||
$sql.= " AND e.fk_soc = sc.fk_soc";
|
||||
$sql.= " AND sc.fk_user = " .$user->id;
|
||||
}
|
||||
if ($socid)
|
||||
|
|
@ -134,7 +138,7 @@ if ($resql)
|
|||
$now = time();
|
||||
$lim = 3600 * 24 * 15 ;
|
||||
|
||||
if ( ($now - $objp->date_expedition) > $lim && $objp->statutid == 1 )
|
||||
if ( ($now - $db->jdate($objp->date_expedition)) > $lim && $objp->statutid == 1 )
|
||||
{
|
||||
print "<td><b> > 15 jours</b></td>";
|
||||
}
|
||||
|
|
@ -144,10 +148,10 @@ if ($resql)
|
|||
}
|
||||
|
||||
print "<td align=\"right\">";
|
||||
$y = dol_print_date($objp->date_expedition,"%Y");
|
||||
$m = dol_print_date($objp->date_expedition,"%m");
|
||||
$mt = dol_print_date($objp->date_expedition,"%b");
|
||||
$d = dol_print_date($objp->date_expedition,"%d");
|
||||
$y = dol_print_date($db->jdate($objp->date_expedition),"%Y");
|
||||
$m = dol_print_date($db->jdate($objp->date_expedition),"%m");
|
||||
$mt = dol_print_date($db->jdate($objp->date_expedition),"%b");
|
||||
$d = dol_print_date($db->jdate($objp->date_expedition),"%d");
|
||||
print $d."\n";
|
||||
print " <a href=\"propal.php?year=$y&month=$m\">";
|
||||
print $b."</a>\n";
|
||||
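Review bot: The condition `!$user->rights->societe->client->voir && !$socid` is now evaluated twice, once to put `societe_commerciaux as sc` into the FROM clause and again to add the `e.fk_soc = sc.fk_soc` and `sc.fk_user` predicates, and the query breaks (unknown alias `sc`, or an unfiltered cross join) if the two ever diverge. Compute it once above the query, `$restrictToOwnThirdparties = (!$user->rights->societe->client->voir && !$socid);`, and use that variable in both `if` statements. The restriction is also skipped entirely whenever `$socid` is set, so the page relies on an earlier check that the user may see that particular third party; that check is not in the hunk, and a comment on the first `if` stating the assumption would make the dependency explicit. On the context side, the unchanged `print $b."</a>\n";` follows assignments to `$y`, `$m`, `$mt` and `$d` only, so `$b` appears to be unassigned and likely should be `$mt`; the commit rewrites those lines but leaves this one.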
@ -1,6 +1,6 @@
|
|||
<?php
|
||||
/* Copyright (C) 2001-2006 Rodolphe Quiedeville <rodolphe@quiedeville.org>
|
||||
* Copyright (C) 2004-2009 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2004-2010 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2005-2009 Regis Houssin <regis@dolibarr.fr>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
|
|
@ -28,8 +28,14 @@
|
|||
require("./pre.inc.php");
|
||||
require_once(DOL_DOCUMENT_ROOT.'/product.class.php');
|
||||
|
||||
if (!$user->rights->produit->lire && !$user->rights->service->lire)
|
||||
accessforbidden();
|
||||
$type=isset($_GET["type"])?$_GET["type"]:(isset($_POST["type"])?$_POST["type"]:'');
|
||||
if ($type =='' && !$user->rights->produit->lire) $type='1'; // Force global page on service page only
|
||||
if ($type =='' && !$user->rights->service->lire) $type='0'; // Force global page on prpduct page only
|
||||
|
||||
// Security check
|
||||
if ($type=='0') $result=restrictedArea($user,'produit',$id,'product','','',$fieldid);
|
||||
else if ($type=='1') $result=restrictedArea($user,'service',$id,'service','','',$fieldid);
|
||||
else $result=restrictedArea($user,'produit|service',$id,'service','','',$fieldid);
|
||||
|
||||
$product_static = new Product($db);
|
||||
|
||||
|
|
@ -130,11 +136,11 @@ if ($conf->service->enabled)
|
|||
$statServices.= '<td><a href="liste.php?type=1&envente=1">'.$langs->trans("ServicesOnSell").'</a></td><td align="right">'.round($prodser[1][1]).'</td>';
|
||||
$statServices.= "</tr>";
|
||||
}
|
||||
if (isset($_GET["type"]) && $_GET["type"] == 0)
|
||||
if ($type == '0')
|
||||
{
|
||||
print $statProducts;
|
||||
}
|
||||
else if (isset($_GET["type"]) && $_GET["type"] == 1)
|
||||
else if ($type == '1')
|
||||
{
|
||||
print $statServices;
|
||||
}
|
||||
|
|
@ -165,7 +171,7 @@ $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."product_subproduct as sp ON p.rowid = sp.fk
|
|||
$sql.= " WHERE sp.fk_product_subproduct IS NULL";
|
||||
$sql.= " AND p.entity = ".$conf->entity;
|
||||
if ($conf->categorie->enabled && !$user->rights->categorie->voir) $sql.= " AND COALESCE(c.visible,1)=1 ";
|
||||
if (isset($_GET["type"])) $sql.= " AND p.fk_product_type = ".$_GET["type"];
|
||||
if ($type != '') $sql.= " AND p.fk_product_type = ".$type;
|
||||
$sql.= " ORDER BY p.tms DESC ";
|
||||
$sql.= $db->plimit($max,0);
|
||||
$result = $db->query($sql) ;
|
||||
|
|
@ -199,7 +205,7 @@ if ($result)
|
|||
$sql.= " FROM ".MAIN_DB_PREFIX."product_lang";
|
||||
$sql.= " WHERE fk_product=".$objp->rowid;
|
||||
$sql.= " AND lang='". $langs->getDefaultLang() ."'";
|
||||
|
||||
|
||||
$resultd = $db->query($sql);
|
||||
if ($resultd)
|
||||
{
|
||||
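Review bot: `$type` is read verbatim from `$_GET`/`$_POST` and, when it is neither `'0'` nor `'1'`, is still concatenated unescaped into the query at `if ($type != '') $sql.= " AND p.fk_product_type = ".$type;`, so the permission fix keeps the same SQL injection the old `$_GET["type"]` line had, and the `else` branch of the `restrictedArea` chain accepts that same arbitrary value. Normalise the input once where it is read, e.g. `if ($type !== '' && $type !== '0' && $type !== '1') $type = '';`, or at minimum cast at the point of use, `$sql.= " AND p.fk_product_type = ".(int) $type;`. `$id` and `$fieldid` passed to `restrictedArea` are not assigned anywhere in the hunk; if they come from `pre.inc.php` that is fine, otherwise they are undefined here. The `$type == '0'` / `$type == '1'` comparisons are loose; `===` would avoid surprises if `$type` is ever an int.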
@ -1,6 +1,6 @@
|
|||
<?php
|
||||
/* Copyright (C) 2001-2006 Rodolphe Quiedeville <rodolphe@quiedeville.org>
|
||||
* Copyright (C) 2004-2009 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2004-2010 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2005-2009 Regis Houssin <regis@dolibarr.fr>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
|
|
@ -31,11 +31,6 @@ if ($conf->categorie->enabled) require_once(DOL_DOCUMENT_ROOT."/categories/categ
|
|||
|
||||
$langs->load("products");
|
||||
|
||||
// Security check
|
||||
if (!$user->rights->produit->lire && !$user->rights->service->lire)
|
||||
accessforbidden();
|
||||
|
||||
|
||||
$sref=isset($_GET["sref"])?$_GET["sref"]:$_POST["sref"];
|
||||
$sbarcode=isset($_GET["sbarcode"])?$_GET["sbarcode"]:$_POST["sbarcode"];
|
||||
$snom=isset($_GET["snom"])?$_GET["snom"]:$_POST["snom"];
|
||||
|
|
@ -55,6 +50,12 @@ $page = $_GET["page"];
|
|||
$limit = $conf->liste_limit;
|
||||
$offset = $limit * $page ;
|
||||
|
||||
// Security check
|
||||
if ($type=='0') $result=restrictedArea($user,'produit',$id,'product','','',$fieldid);
|
||||
else if ($type=='1') $result=restrictedArea($user,'service',$id,'service','','',$fieldid);
|
||||
else $result=restrictedArea($user,'produit|service',$id,'service','','',$fieldid);
|
||||
|
||||
|
||||
|
||||
/*
|
||||
* Actions
|
||||
|
|
@ -313,7 +314,7 @@ if ($resql)
|
|||
$sql.= " WHERE fk_product=".$objp->rowid;
|
||||
$sql.= " AND lang='". $langs->getDefaultLang() ."'";
|
||||
$sql.= " LIMIT 1";
|
||||
|
||||
|
||||
$result = $db->query($sql);
|
||||
if ($result)
|
||||
{
|
||||
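Review bot: The new `restrictedArea` chain branches on `$type`, but nothing in the hunk assigns `$type` (the removed `accessforbidden()` block did not use it either), so unless it is set earlier in the file the `else` branch with `'produit|service'` always runs and the per-type check is never applied; the same applies to `$id` and `$fieldid`. If `$type` comes from the request as in the sibling index page, validate it to `'0'`/`'1'` before this chain, since any other value silently takes the combined branch. Moving the check below the `$page`/`$limit`/`$offset` lines is harmless as written, but a short note on the `// Security check` line explaining why it sits after the parameter reads (presumably because `$type` is derived from them) would keep a later maintainer from moving it back above them. The last hunk of this section only changes blank lines.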