diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 57e3db85402..b6b71f6d8a6 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -563,6 +563,8 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
 foreach ($featuresarray as $feature) {
 $sql = '';
+ //var_dump($feature);
+
 // For backward compatibility
 if ($feature == 'member') {
 $feature = 'adherent';
@@ -574,7 +576,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
 $feature = 'projet_task';
 }
- $check = array('adherent', 'banque', 'bom', 'don', 'mrp', 'user', 'usergroup', 'payment', 'payment_supplier', 'product', 'produit', 'service', 'produit|service', 'categorie', 'resource', 'expensereport', 'holiday', 'website'); // Test on entity only (Objects with no link to company)
+ $check = array('adherent', 'banque', 'bom', 'don', 'mrp', 'user', 'usergroup', 'payment', 'payment_supplier', 'product', 'produit', 'service', 'produit|service', 'categorie', 'resource', 'expensereport', 'holiday', 'salary', 'website'); // Test on entity only (Objects with no link to company)
 $checksoc = array('societe'); // Test for societe object
 $checkother = array('contact', 'agenda'); // Test on entity + link to third party on field $dbt_keyfield. Allowed if link is empty (Ex: contacts...).
 $checkproject = array('projet', 'project'); // Test for project object
diff --git a/htdocs/salaries/card.php b/htdocs/salaries/card.php
index afd152fb785..323e2c74c5a 100755
--- a/htdocs/salaries/card.php
+++ b/htdocs/salaries/card.php
@@ -45,6 +45,7 @@ if (!empty($conf->projet->enabled)) {
 }
 $id = GETPOSTINT('id');
+$ref = GETPOST('ref', 'alpha');
 $action = GETPOST('action', 'aZ09');
 $cancel = GETPOST('cancel', 'aZ09');
 $accountid = GETPOST('accountid', 'int') > 0 ? GETPOST('accountid', 'int') : 0;
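Review bot: The added `//var_dump($feature);` in the first security.lib.php hunk is a commented-out debug statement and should not be committed; drop that line and the blank line added with it. The functional change is the second hunk, which adds `'salary'` to `$check`, the list the trailing comment describes as "Test on entity only" — so for salary objects checkUserAccessToObject validates the entity of the row and nothing else, and any per-record ownership rule stays with the `restrictedArea()` callers in the page files. checkUserAccessToObject starts before and ends after both hunks.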
@@ -63,13 +64,6 @@ $dateep = dol_mktime(12, 0, 0, GETPOST("dateepmonth", 'int'), GETPOST("dateepday
 $label = GETPOST('label', 'alphanohtml');
 $fk_user = GETPOSTINT('userid');
-// Security check
-$socid = GETPOSTINT('socid');
-if ($user->socid) {
- $socid = $user->socid;
-}
-$result = restrictedArea($user, 'salaries', '', '', '');
-
 $object = new Salary($db);
 $extrafields = new ExtraFields($db);
@@ -79,6 +73,18 @@ $extrafields->fetch_name_optionals_label($object->table_element);
 // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
 $hookmanager->initHooks(array('salarycard', 'globalcard'));
+$object = new Salary($db);
+if ($id > 0 || !empty($ref)) {
+ $object->fetch($id, $ref);
+}
+
+// Security check
+$socid = GETPOSTINT('socid');
+if ($user->socid) {
+ $socid = $user->socid;
+}
+restrictedArea($user, 'salaries', $object->id, 'salary', '');
+
 /**
 * Actions
@@ -885,21 +891,22 @@ if ($id) {
 /*
 * Action bar
 */
+ print '
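Review bot: The return value of `$object->fetch($id, $ref)` in the second card.php hunk is never checked, so when the id or ref does not resolve, `$object->id` is empty and `restrictedArea($user, 'salaries', $object->id, 'salary', '')` degrades to the module-level permission check while the page carries on with an unloaded object. Test the result before the access check, assuming the usual Dolibarr convention of a non-positive return on failure: `if (($id > 0 || !empty($ref)) && $object->fetch($id, $ref) <= 0) { dol_print_error($db, $object->error); exit; }`. The same unchecked fetch is added in document.php, info.php and paiement_salary.php in this commit. This hunk also instantiates a second `new Salary($db)` although the context line of the first hunk shows `$object` already created; the duplicate can be dropped.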
'."\n"; if ($action != 'edit') { // Reopen if ($object->paye && $user->rights->salaries->write) { - print "
id&action=reopen\">".$langs->trans("ReOpen")."
"; + print "
'.$langs->trans("ReOpen")."
"; } // Edit if ($object->paye == 0 && $user->rights->salaries->write) { - print "
id&action=edit\">".$langs->trans("Modify")."
"; + print "
id.'&action=edit&token='.newToken().'">'.$langs->trans("Modify")."
"; } // Emit payment if ($object->paye == 0 && ((price2num($object->amount) < 0 && price2num($resteapayer, 'MT') < 0) || (price2num($object->amount) > 0 && price2num($resteapayer, 'MT') > 0)) && $user->rights->salaries->write) { - print "
id&action=create\">".$langs->trans("DoPayment")."
"; + print "
id.'&action=create&token='.newToken().'">'.$langs->trans("DoPayment")."
"; } // Classify 'paid' @@ -909,16 +916,16 @@ if ($id) { || (round($resteapayer) >= 0 && $object->amount < 0) ) && $user->rights->salaries->write) { - print "
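Review bot: Adding `token=newToken()` to the `reopen`, `edit` and `create` links only protects anything if the handlers for those actions reject a missing or invalid token; that check lives in the Actions section outside this hunk, so confirm it is there or that the framework's global CSRF check covers these GET actions. `edit` and `create` presumably only render forms, so the token matters for `reopen`, which remains a state change triggered by a GET link — the token mitigates cross-site triggering, but a POST form would be the cleaner fix. The same applies to the `paid` and `clone` links in the following hunk. The enclosing `if ($id)` block starts before and ends after the hunk.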
id&action=paid\">".$langs->trans("ClassifyPaid")."
"; + print "
id.'&action=paid&token='.newToken().'">'.$langs->trans("ClassifyPaid")."
"; } // Clone if ($user->rights->salaries->write) { - print "
id&action=clone\">".$langs->trans("ToClone")."
"; + print "
id.'&action=clone&token='.newToken().'">'.$langs->trans("ToClone")."
"; } if (!empty($user->rights->salaries->delete) && empty($totalpaye)) { - print '
'.$langs->trans("Delete").'
'; + print '
'.$langs->trans("Delete").'
'; } else { print '
'.$langs->trans("Delete").'
'; } diff --git a/htdocs/salaries/document.php b/htdocs/salaries/document.php index 9534d074d5f..5772de8af3a 100644 --- a/htdocs/salaries/document.php +++ b/htdocs/salaries/document.php @@ -44,14 +44,6 @@ $ref = GETPOST('ref', 'alpha'); $action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); -// Security check -$socid = GETPOST("socid", "int"); -if ($user->socid) { - $socid = $user->socid; -} -$result = restrictedArea($user, 'salaries', '', '', ''); - - // Get parameters $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST('sortfield', 'aZ09comma'); @@ -70,13 +62,21 @@ if (!$sortfield) { $sortfield = "name"; } - $object = new Salary($db); -$object->fetch($id, $ref); +if ($id > 0 || !empty($ref)) { + $object->fetch($id, $ref); +} $upload_dir = $conf->salaries->dir_output.'/'.dol_sanitizeFileName($object->id); $modulepart = 'salaries'; +// Security check +$socid = GETPOSTINT('socid'); +if ($user->socid) { + $socid = $user->socid; +} +restrictedArea($user, 'salaries', $object->id, 'salary', ''); + /* * Actions diff --git a/htdocs/salaries/info.php b/htdocs/salaries/info.php index e0e6aec7f3c..1b81a80189f 100644 --- a/htdocs/salaries/info.php +++ b/htdocs/salaries/info.php @@ -33,14 +33,20 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php'; $langs->loadLangs(array("compta", "bills", "users", "salaries", "hrm")); $id = GETPOST('id', 'int'); +$ref = GETPOST('ref', 'alpha'); $action = GETPOST('action', 'aZ09'); +$object = new Salary($db); +if ($id > 0 || !empty($ref)) { + $object->fetch($id, $ref); +} + // Security check $socid = GETPOST('socid', 'int'); if ($user->socid) { $socid = $user->socid; } -$result = restrictedArea($user, 'salaries', '', '', ''); +restrictedArea($user, 'salaries', $object->id, 'salary', ''); /* diff --git a/htdocs/salaries/list.php b/htdocs/salaries/list.php index d60a583c3f8..7c4f0a2cec3 100644 --- a/htdocs/salaries/list.php +++ b/htdocs/salaries/list.php 
@@ -108,13 +108,6 @@ if (!GETPOST('search_type_id', 'int')) {
 $childids = $user->getAllChildIds(1);
-// Security check
-$socid = GETPOST("socid", "int");
-if ($user->socid) {
- $socid = $user->socid;
-}
-$result = restrictedArea($user, 'salaries', '', '', '');
-
 // Initialize array of search criterias
 $search_all = GETPOST("search_all", 'alpha');
 $search = array();
@@ -161,6 +154,13 @@ $permissiontoread = $user->rights->salaries->read;
 $permissiontoadd = $user->rights->salaries->write;
 $permissiontodelete = $user->rights->salaries->delete;
+// Security check
+$socid = GETPOST("socid", "int");
+if ($user->socid) {
+ $socid = $user->socid;
+}
+restrictedArea($user, 'salaries', '', 'salary', '');
+
 /*
 * Actions
diff --git a/htdocs/salaries/paiement_salary.php b/htdocs/salaries/paiement_salary.php
index 6c282eac94d..2f4a0c85905 100644
--- a/htdocs/salaries/paiement_salary.php
+++ b/htdocs/salaries/paiement_salary.php
@@ -18,9 +18,9 @@
 */
 /**
- * \file htdocs/compta/paiement_charge.php
- * \ingroup tax
- * \brief Page to add payment of a tax
+ * \file htdocs/compta/paiement_salary.php
+ * \ingroup salary
+ * \brief Page to add payment of a salary
 */
 require '../main.inc.php';
@@ -31,16 +31,25 @@ require_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php';
 // Load translation files required by the page
 $langs->load("bills");
-$chid = GETPOST("id", 'int');
 $action = GETPOST('action', 'alpha');
 $cancel = GETPOST('cancel', 'alpha');
+$confirm = GETPOST('confirm', 'alpha');
+
+$id = GETPOSTINT('id');
+$ref = GETPOST('ref', 'alpha');
 $amounts = array();
+$object = new Salary($db);
+if ($id > 0 || !empty($ref)) {
+ $object->fetch($id, $ref);
+}
+
 // Security check
-$socid = 0;
+$socid = GETPOST("socid", "int");
 if ($user->socid > 0) {
 $socid = $user->socid;
 }
+restrictedArea($user, 'salaries', $object->id, 'salary', '');
 /*
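Review bot: The corrected `\file` tag in the paiement_salary.php header still points at `htdocs/compta/paiement_salary.php`, while the diff header shows the file at `htdocs/salaries/paiement_salary.php`; change the line to ` * \file htdocs/salaries/paiement_salary.php`. The `\ingroup` and `\brief` fixes in the same hunk look right.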
@@ -51,7 +60,7 @@ if ($action == 'add_payment' || ($action == 'confirm_paiement' && $confirm == 'y
 $error = 0;
 if ($cancel) {
- $loc = DOL_URL_ROOT.'/salaries/card.php?id='.$chid;
+ $loc = DOL_URL_ROOT.'/salaries/card.php?id='.$id;
 header("Location: ".$loc);
 exit;
 }
@@ -96,7 +105,7 @@ if ($action == 'add_payment' || ($action == 'confirm_paiement' && $confirm == 'y
 // Create a line of payments
 $paiement = new PaymentSalary($db);
- $paiement->chid = $chid;
+ $paiement->chid = $id;
 $paiement->datepaye = $datepaye;
 $paiement->amounts = $amounts; // Tableau de montant
 $paiement->paiementtype = GETPOST("paiementtype", 'alphanohtml');
@@ -124,7 +133,7 @@ if ($action == 'add_payment' || ($action == 'confirm_paiement' && $confirm == 'y
 if (!$error) {
 $db->commit();
- $loc = DOL_URL_ROOT.'/salaries/card.php?id='.$chid;
+ $loc = DOL_URL_ROOT.'/salaries/card.php?id='.$id;
 header('Location: '.$loc);
 exit;
 } else {
@@ -139,15 +148,16 @@ if ($action == 'add_payment' || ($action == 'confirm_paiement' && $confirm == 'y
 * View
 */
-llxHeader();
-
 $form = new Form($db);
+$help_url = '';
+
+llxHeader('', '', $help_url);
+
+$salary = $object;
 // Formulaire de creation d'un paiement de charge
 if ($action == 'create') {
- $salary = new Salary($db); // Salary to pay
- $salary->fetch($chid);
 $salary->accountid = $salary->fk_account ? $salary->fk_account : $salary->accountid;
 $salary->paiementtype = $salary->mode_reglement_id ? $salary->mode_reglement_id : $salary->paiementtype;
@@ -171,15 +181,15 @@ if ($action == 'create') {
 print '
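Review bot: `$paiement->chid = $id;` in the @@ -96 hunk ties the new payment to the raw request id, but the page now also accepts `ref`: when a salary is reached that way, `$id` is 0 while the loaded record is in `$object->id`, so the payment would presumably be stored against a zero parent, and the `card.php?id='.$id` redirects in the @@ -51 and @@ -124 hunks as well as the `WHERE p.fk_salary = ".((int) $id)` query in the @@ -188 hunk would point at nothing. Use the fetched object's id consistently: `$paiement->chid = $object->id;`, `$loc = DOL_URL_ROOT.'/salaries/card.php?id='.$object->id;` and `$sql .= " WHERE p.fk_salary = ".((int) $object->id);`. The `$salary = $object;` alias introduced in the @@ -139 hunk already relies on that object, so the rest of the page would then agree with the action code. The `add_payment` action block starts before and ends after these hunks.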
'; print ''; - print ''; - print ''; + print ''; + print ''; print ''; print dol_get_fiche_head(); print ''; - print ''; + print ''; print '\n"; print '\n"; print '\n"; @@ -188,7 +198,7 @@ if ($action == 'create') { $sql = "SELECT sum(p.amount) as total"; $sql .= " FROM ".MAIN_DB_PREFIX."payment_salary as p"; - $sql .= " WHERE p.fk_salary = ".((int) $chid); + $sql .= " WHERE p.fk_salary = ".((int) $id); $resql = $db->query($sql); if ($resql) { $obj = $db->fetch_object($resql); diff --git a/htdocs/salaries/payment_salary/card.php b/htdocs/salaries/payment_salary/card.php index 51f80b23efd..ae711719585 100644 --- a/htdocs/salaries/payment_salary/card.php +++ b/htdocs/salaries/payment_salary/card.php @@ -41,14 +41,13 @@ $id = GETPOST("id", 'int'); $action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm'); if ($user->socid) $socid = $user->socid; -// TODO ajouter regle pour restreindre acces paiement -//$result = restrictedArea($user, 'facture', $id,''); $object = new PaymentSalary($db); if ($id > 0) { $result = $object->fetch($id); if (!$result) dol_print_error($db, 'Failed to get payment id '.$id); } +restrictedArea($user, 'salaries', $object->fk_salary, 'salary', ''); // $object is payment of salary /* diff --git a/htdocs/salaries/payments.php b/htdocs/salaries/payments.php index 09c90854f22..d5b8f009707 100644 --- a/htdocs/salaries/payments.php +++ b/htdocs/salaries/payments.php @@ -97,11 +97,6 @@ if (!GETPOST('search_type_id', 'int')) { $childids = $user->getAllChildIds(1); -// Security check -$socid = GETPOST("socid", "int"); -if ($user->socid) $socid = $user->socid; -$result = restrictedArea($user, 'salaries', '', '', ''); - // Initialize array of search criterias $search_all = GETPOST("search_all", 'alpha'); $search = array(); 
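Review bot: In the payment_salary/card.php hunk, `restrictedArea($user, 'salaries', $object->fk_salary, 'salary', '')` is reached even when the payment could not be loaded, because the `dol_print_error(...)` on a failed `fetch` does not stop the script; `$object->fk_salary` is then empty and the check falls back to the module-level permission while the page keeps rendering an unloaded object. Terminate on the failure: `if (!$result) { dol_print_error($db, 'Failed to get payment id '.$id); exit; }`. The trailing comment `// $object is payment of salary` would read better as `// $object is a PaymentSalary; access is checked against the salary it belongs to`.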
@@ -119,6 +114,13 @@ $permissiontoread = $user->rights->salaries->read;
 $permissiontoadd = $user->rights->salaries->write;
 $permissiontodelete = $user->rights->salaries->delete;
+// Security check
+$socid = GETPOST("socid", "int");
+if ($user->socid > 0) {
+ $socid = $user->socid;
+}
+restrictedArea($user, 'salaries', 0, 'salary', '');
+
 /*
 * Actions
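Review bot: The object-id argument of `restrictedArea()` is spelled differently across the list pages in this commit — `0` here in payments.php but `''` in list.php — and the `$user->socid` guard alternates between `> 0` here and a bare truthiness test there; pick one form for both, preferably `0` and `> 0`, so the two pages read the same and the "no specific object" case is unambiguous. Also worth a one-line comment on the moved block, since the move is the point of the hunk: `// Security check (placed after the permission flags so both are defined before the Actions section)`.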
'.$langs->trans("Ref").''.$chid.'
'.$langs->trans("Ref").''.$id.'
'.$langs->trans("DateStart")."".dol_print_date($salary->datesp, 'day')."
'.$langs->trans("DateEnd")."".dol_print_date($salary->dateep, 'day')."
'.$langs->trans("Label").''.$salary->label."