Fix: adjust security for external users

This commit is contained in:
Regis Houssin 2009-08-06 13:07:25 +00:00
parent 11e10a1c8c
commit 63fa194ff6
6 changed files with 36 additions and 12 deletions


@ -51,7 +51,10 @@ if ($_GET["id"])
}
// Security check
$result = restrictedArea($user, 'user', $_GET["id"], '', 'user');
$socid=0;
if ($user->societe_id > 0) $socid = $user->societe_id;
$feature2 = (($socid && $user->rights->user->self->creer)?'':'user');
$result = restrictedArea($user, 'user', $_GET["id"], '', $feature2);
if ($user->id <> $_GET["id"] && ! $canreadperms) accessforbidden();
$langs->load("users");
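Review bot: The new `$feature2` rule drops the 'user' feature check entirely (`''`) for any external user who holds `user->self->creer`, regardless of which id is requested, so protection of other users' records then rests only on the `$canreadperms` guard on the line after `restrictedArea`. Tying the relaxation to the requested id keeps the intent narrow: `$feature2 = ($socid && $user->id == (int) $_GET["id"] && $user->rights->user->self->creer) ? '' : 'user';`. The guard `$user->id <> $_GET["id"]` is a loose comparison between what is presumably an int and a request string; casting once (`$id = (int) $_GET["id"];`) and comparing with `!==` avoids string-versus-int surprises. The same four-line block is repeated in the other five hunks and both remarks apply there too.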


@ -35,6 +35,13 @@ $id = isset($_GET["id"])?$_GET["id"]:'';
$fuser = new User($db);
$fuser->id = $id;
$fuser->fetch();
// Security check
$socid=0;
if ($user->societe_id > 0) $socid = $user->societe_id;
$feature2 = (($socid && $user->rights->user->self->creer)?'':'user');
$result = restrictedArea($user, 'user', $_GET["id"], '', $feature2);
// If user is not user read and no permission to read other users, we stop
if (($fuser->id != $user->id) && (! $user->rights->user->user->lire))
accessforbidden();
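Review bot: `$id` is already derived from `$_GET["id"]` at the top of the hunk, yet the added `restrictedArea` call re-reads the superglobal; passing the normalised value keeps one source for the object id: `$result = restrictedArea($user, 'user', $id, '', $feature2);`. The authorization block is also placed after `$fuser->fetch()`, so the record is loaded before access is decided; moving the security check above the fetch would spare that query on refused requests. The final guard compares `$fuser->id != $user->id` loosely; if both are ints after `fetch()`, `!==` is the safer form.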


@ -37,11 +37,11 @@ $langs->load("ldap");
// Protection quand utilisateur externe
$contactid = isset($_GET["id"])?$_GET["id"]:'';
// Security check
$socid=0;
if ($user->societe_id > 0)
{
$socid = $user->societe_id;
}
if ($user->societe_id > 0) $socid = $user->societe_id;
$feature2 = (($socid && $user->rights->user->self->creer)?'':'user');
$result = restrictedArea($user, 'user', $_GET["id"], '', $feature2);
$fuser = new User($db, $_GET["id"]);
$fuser->fetch();
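Review bot: Unlike the other hunks, this one shows no fallback `accessforbidden()` for `$user->id != $_GET["id"]` after `restrictedArea`, so when `$feature2` collapses to `''` for an external user holding `user->self->creer`, `new User($db, $_GET["id"])` is reached for any requested id; if that guard sits outside the hunk this is moot, otherwise it belongs before the fetch. `$contactid` is computed from `$_GET["id"]` two lines earlier but the new calls read the superglobal again; passing `$contactid` (or an int-cast id) to both `restrictedArea` and `new User` keeps a single normalised value. The top-level statement run continues outside the hunk.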


@ -45,6 +45,12 @@ $fuser->fetch();
// If user is not user read and no permission to read other users, we stop
if (($fuser->id != $user->id) && (! $user->rights->user->user->lire))
accessforbidden();
// Security check
$socid=0;
if ($user->societe_id > 0) $socid = $user->societe_id;
$feature2 = (($socid && $user->rights->user->self->creer)?'':'user');
$result = restrictedArea($user, 'user', $_GET["id"], '', $feature2);
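Review bot: `$result` from `restrictedArea` is assigned but never inspected, here and in every other hunk; if `restrictedArea` terminates the request itself on denial the assignment is dead and `restrictedArea($user, 'user', $_GET["id"], '', $feature2);` reads clearer, and if it instead returns a status the new check currently has no effect — worth confirming which holds. The `lire` test at the top of the hunk already short-circuits to `accessforbidden()` before the new block, so ordering is fine, but the identical policy (`$socid`, `$feature2`, `restrictedArea`) is now copied into six files; a small helper next to the other user helpers would keep the external-user rule in one place for the next change.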


@ -41,10 +41,14 @@ if ($_REQUEST["id"])
$caneditfield=( (($user->id == $_REQUEST["id"]) && $user->rights->user->self->creer)
|| (($user->id != $_REQUEST["id"]) && $user->rights->user->user->creer));
}
if ($user->id <> $_REQUEST["id"] && ! $canreadperms)
{
accessforbidden();
}
// Security check
$socid=0;
if ($user->societe_id > 0) $socid = $user->societe_id;
$feature2 = (($socid && $user->rights->user->self->creer)?'':'user');
$result = restrictedArea($user, 'user', $_GET["id"], '', $feature2);
if ($user->id <> $_REQUEST["id"] && ! $canreadperms) accessforbidden();
$id=isset($_GET["id"])?$_GET["id"]:$_POST["id"];
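Review bot: The id source is mixed: `$caneditfield` and the `accessforbidden()` guard compare against `$_REQUEST["id"]`, the new `restrictedArea` call passes `$_GET["id"]`, and `$id` is only resolved from `$_GET`/`$_POST` on the last line of the hunk. On a POST carrying `id`, the edit checks see the posted value while `restrictedArea` receives an unset `$_GET["id"]`, so the object-level check presumably runs against an empty id. Moving the existing `$id=isset($_GET["id"])?$_GET["id"]:$_POST["id"];` above the security block and using `$id` in `restrictedArea($user, 'user', $id, '', $feature2);` and in the guard removes the divergence. The last hunk shows the same mix (`$_GET["id"]` in `restrictedArea`, `$_REQUEST["id"]` in the guard).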
$dirtop = "../includes/menus/barre_top";


@ -32,16 +32,20 @@ require_once(DOL_DOCUMENT_ROOT."/lib/usergroups.lib.php");
$langs->load("users");
$langs->load("admin");
$form = new Form($db);
$module=isset($_GET["module"])?$_GET["module"]:$_POST["module"];
if (! isset($_GET["id"])) accessforbidden();
if (! isset($_GET["id"]) || empty($_GET["id"])) accessforbidden();
// Defini si peux modifier utilisateurs et permisssions
$caneditperms=($user->admin || $user->rights->user->user->creer);
// Security check
$socid=0;
if ($user->societe_id > 0) $socid = $user->societe_id;
$feature2 = (($socid && $user->rights->user->self->creer)?'':'user');
$result = restrictedArea($user, 'user', $_GET["id"], '', $feature2);
if ($user->id <> $_REQUEST["id"] && ! $canreadperms) accessforbidden();
/**