Fix missing test on permissions
This commit is contained in:
parent
2e2ab9d84d
commit
84ce31b8f8
|
|
@ -1,6 +1,6 @@
|
|||
<?php
|
||||
/* Copyright (C) 2005-2017 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2024 MDW <mdeweerd@users.noreply.github.com>
|
||||
* Copyright (C) 2024 MDW <mdeweerd@users.noreply.github.com>
|
||||
*
|
||||
* This file is a modified version of datepicker.php from phpBSM to fix some
|
||||
* bugs, to add new features and to dramatically increase speed.
|
||||
|
|
@ -20,8 +20,8 @@
|
|||
*/
|
||||
|
||||
/**
|
||||
* \file htdocs/core/multicompany_page.php
|
||||
* \brief File to return a page with the list of all entities user can switch to
|
||||
* \file htdocs/core/multicompany_page.php
|
||||
* \brief File to return a page with the list of all entities user can switch to
|
||||
*/
|
||||
|
||||
//if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER','1'); // Not disabled cause need to load personalized language
|
||||
|
|
@ -67,7 +67,7 @@ if (!isModEnabled('multicompany')) {
|
|||
* Actions
|
||||
*/
|
||||
|
||||
if ($action == 'switchentity') {
|
||||
if ($action == 'switchentity') { // Test on permission not required here. Test will be done on the targeted page.
|
||||
if (is_object($mc)) {
|
||||
$mc->switchEntity($entityid);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -57,7 +57,7 @@ $left = ($langs->trans("DIRECTION") == 'rtl' ? 'right' : 'left');*/
|
|||
* Actions
|
||||
*/
|
||||
|
||||
if ($action == 'redirect') {
|
||||
if ($action == 'redirect') { // Test on permission not required here. Test will be done on the targeted page.
|
||||
global $dolibarr_main_url_root;
|
||||
|
||||
$url = GETPOST('url');
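Review bot: The new comment on the `redirect` branch explains why no permission test is done, but the value that actually decides what this branch does is `$url` from `GETPOST('url')`, and the hunk ends before whatever constrains it; the `global $dolibarr_main_url_root;` line suggests a same-origin check follows. If that check exists, extend the comment so it covers it, e.g. `// Test on permission not required here. $url is checked against $dolibarr_main_url_root below before redirecting; the targeted page does its own permission test.`, so a reader does not have to scan the rest of the file to find the restriction. The `if` block continues past the hunk.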
|
||||
|
|
|
|||
|
|
@ -250,7 +250,6 @@ if ($action == 'confirm_clone' && $confirm == 'yes' && $permissiontoadd) {
|
|||
}
|
||||
|
||||
|
||||
|
||||
/*
|
||||
* View
|
||||
*/
|
||||
|
|
@ -560,9 +559,7 @@ if (($action == "create") || ($action == "edit")) {
|
|||
|
||||
print "</form>\n";
|
||||
} else {
|
||||
/*
|
||||
* view card
|
||||
*/
|
||||
// view card
|
||||
$now = dol_now();
|
||||
|
||||
print dol_get_fiche_head($head, 'card', $langs->trans("CronTask"), -1, 'cron');
|
||||
|
|
|
|||
|
|
@ -41,6 +41,15 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
|
|||
$action = GETPOST('action', 'aZ09');
|
||||
$element = GETPOST('element', 'alpha');
|
||||
|
||||
$permissiontoread = $user->hasRight('ecm', 'read');
|
||||
|
||||
|
||||
/*
|
||||
* Actions
|
||||
*/
|
||||
|
||||
// None
|
||||
|
||||
|
||||
/*
|
||||
* View
|
||||
|
|
@ -54,7 +63,7 @@ top_httphead();
|
|||
if (isset($action) && !empty($action)) {
|
||||
$error = 0;
|
||||
|
||||
if ($action == 'build' && !empty($element)) {
|
||||
if ($action == 'build' && !empty($element) && $permissiontoread) {
|
||||
require_once DOL_DOCUMENT_ROOT.'/ecm/class/ecmdirectory.class.php';
|
||||
|
||||
$ecmdirstatic = new EcmDirectory($db);
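Review bot: When `build` is requested without `$permissiontoread`, the new condition at `if ($action == 'build' && !empty($element) && $permissiontoread)` just skips the branch, so the response gives no sign that access was refused and looks the same as an unknown action. Either add an explicit `else` that records an error or calls `accessforbidden()` if that is acceptable for this AJAX response, or document the contract on the new `$permissiontoread = $user->hasRight('ecm', 'read');` line, e.g. `// Used to gate 'build'; a denied request is a silent no-op by design.`. The enclosing `if (isset($action) && !empty($action))` block continues past the hunk.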
|
||||
|
|
|
|||
|
|
@ -159,7 +159,7 @@ if (empty($reshook)) {
|
|||
include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php';
|
||||
|
||||
// Back to draft
|
||||
if ($action == 'setdraft' && $user->hasRight('expedition', 'creer')) {
|
||||
if ($action == 'setdraft' && $permissiontoadd) {
|
||||
$object->fetch($id);
|
||||
$result = $object->setDraft($user, 0);
|
||||
if ($result < 0) {
|
||||
|
|
@ -170,7 +170,7 @@ if (empty($reshook)) {
|
|||
}
|
||||
}
|
||||
// Reopen
|
||||
if ($action == 'reopen' && $user->hasRight('expedition', 'creer')) {
|
||||
if ($action == 'reopen' && $permissiontoadd) {
|
||||
$object->fetch($id);
|
||||
$result = $object->reOpen();
|
||||
if ($result < 0) {
|
||||
|
|
@ -182,11 +182,11 @@ if (empty($reshook)) {
|
|||
}
|
||||
|
||||
// Set incoterm
|
||||
if ($action == 'set_incoterms' && isModEnabled('incoterm')) {
|
||||
if ($action == 'set_incoterms' && isModEnabled('incoterm') && $permissiontoadd) {
|
||||
$result = $object->setIncoterms(GETPOSTINT('incoterm_id'), GETPOSTINT('location_incoterms'));
|
||||
}
|
||||
|
||||
if ($action == 'setref_customer') {
|
||||
if ($action == 'setref_customer' && $permissiontoadd) {
|
||||
$result = $object->fetch($id);
|
||||
if ($result < 0) {
|
||||
setEventMessages($object->error, $object->errors, 'errors');
|
||||
|
|
@ -202,7 +202,7 @@ if (empty($reshook)) {
|
|||
}
|
||||
}
|
||||
|
||||
if ($action == 'update_extras' && $user->hasRight('expedition', 'creer')) {
|
||||
if ($action == 'update_extras' && $permissiontoadd) {
|
||||
$object->oldcopy = dol_clone($object, 2);
|
||||
$attribute_name = GETPOST('attribute', 'restricthtml');
|
||||
|
||||
|
|
@ -227,7 +227,7 @@ if (empty($reshook)) {
|
|||
}
|
||||
|
||||
// Create shipment
|
||||
if ($action == 'add' && $user->hasRight('expedition', 'creer')) {
|
||||
if ($action == 'add' && $permissiontoadd) {
|
||||
$error = 0;
|
||||
|
||||
$db->begin();
|
||||
|
|
@ -477,8 +477,7 @@ if (empty($reshook)) {
|
|||
|
||||
setEventMessages($object->error, $object->errors, 'errors');
|
||||
}
|
||||
} elseif ($action == 'confirm_valid' && $confirm == 'yes' &&
|
||||
((!getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && $user->hasRight('expedition', 'creer'))
|
||||
} elseif ($action == 'confirm_valid' && $confirm == 'yes' && ((!getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && $user->hasRight('expedition', 'creer'))
|
||||
|| (getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && $user->hasRight('expedition', 'shipping_advance', 'validate')))
|
||||
) {
|
||||
$object->fetch_thirdparty();
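Review bot: Every hunk here replaces `$user->hasRight('expedition', 'creer')` with `$permissiontoadd` and newly gates `set_incoterms` and `setref_customer` on it, but `$permissiontoadd` is defined above the first hunk, outside what is shown, so whether it is exactly the `creer` right rather than a wider combination cannot be confirmed from the diff and should be checked before merge. The `confirm_valid` branch in the last hunk keeps its inline `hasRight` calls, which is justified by the advanced-permission variant, yet joining the condition onto one ~170-character line makes it harder to scan than the split form it replaces; the previous two-line layout read better. The resource and societe card hunks below make the same `$permissiontoadd` / `$permissiontodelete` substitution and carry the same check on the variable's definition.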
|
||||
|
|
|
|||
|
|
@ -119,7 +119,7 @@ if ($action == "view" || $action == "presend" || $action == "dosubmit") { // Tes
|
|||
}
|
||||
|
||||
/*
|
||||
if (!$error && $action == "dosubmit")
|
||||
if (!$error && $action == "dosubmit") // Test on permission not required here (anonymous action protected by mitigation of /public/... urls)
|
||||
{
|
||||
// Test MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS
|
||||
|
||||
|
|
@ -136,7 +136,7 @@ if ($action == "view" || $action == "presend" || $action == "dosubmit") { // Tes
|
|||
|
||||
if ($error || $errors) {
|
||||
setEventMessages($object->error, $object->errors, 'errors');
|
||||
if ($action == "dosubmit") {
|
||||
if ($action == "dosubmit") { // Test on permission not required here
|
||||
$action = 'presend';
|
||||
} else {
|
||||
$action = '';
|
||||
|
|
|
|||
|
|
@ -100,7 +100,7 @@ if (empty($reshook)) {
|
|||
$action = '';
|
||||
}
|
||||
|
||||
if ($action == 'add' && $user->hasRight('resource', 'write')) {
|
||||
if ($action == 'add' && $permissiontoadd) {
|
||||
if (!$cancel) {
|
||||
$error = '';
|
||||
|
||||
|
|
@ -145,7 +145,7 @@ if (empty($reshook)) {
|
|||
}
|
||||
}
|
||||
|
||||
if ($action == 'update' && !$cancel && $user->hasRight('resource', 'write')) {
|
||||
if ($action == 'update' && !$cancel && $permissiontoadd) {
|
||||
$error = 0;
|
||||
|
||||
if (empty($ref)) {
|
||||
|
|
@ -194,7 +194,7 @@ if (empty($reshook)) {
|
|||
}
|
||||
}
|
||||
|
||||
if ($action == 'confirm_delete_resource' && $user->hasRight('resource', 'delete') && $confirm === 'yes') {
|
||||
if ($action == 'confirm_delete_resource' && $permissiontodelete && $confirm === 'yes') {
|
||||
$res = $object->fetch($id);
|
||||
if ($res > 0) {
|
||||
$result = $object->delete($user);
|
||||
|
|
|
|||
|
|
@ -201,7 +201,7 @@ if (empty($reshook)) {
|
|||
$action = '';
|
||||
}
|
||||
|
||||
if ($action == 'confirm_merge' && $confirm == 'yes' && $user->hasRight('societe', 'creer')) {
|
||||
if ($action == 'confirm_merge' && $confirm == 'yes' && $permissiontoadd) {
|
||||
$soc_origin_id = GETPOSTINT('soc_origin');
|
||||
$soc_origin = new Societe($db); // The thirdparty that we will delete
|
||||
|
||||
|
|
@ -235,20 +235,20 @@ if (empty($reshook)) {
|
|||
$_POST["supplier_code"] = "Acompleter";
|
||||
}
|
||||
|
||||
if ($action == 'set_localtax1' && $user->hasRight('societe', 'creer')) {
|
||||
if ($action == 'set_localtax1' && $permissiontoadd) {
|
||||
//get selected from combobox
|
||||
$value = GETPOST('lt1');
|
||||
$object->fetch($socid);
|
||||
$res = $object->setValueFrom('localtax1_value', $value, '', null, 'text', '', $user, 'COMPANY_MODIFY');
|
||||
}
|
||||
if ($action == 'set_localtax2' && $user->hasRight('societe', 'creer')) {
|
||||
if ($action == 'set_localtax2' && $permissiontoadd) {
|
||||
//get selected from combobox
|
||||
$value = GETPOST('lt2');
|
||||
$object->fetch($socid);
|
||||
$res = $object->setValueFrom('localtax2_value', $value, '', null, 'text', '', $user, 'COMPANY_MODIFY');
|
||||
}
|
||||
|
||||
if ($action == 'update_extras' && $user->hasRight('societe', 'creer')) {
|
||||
if ($action == 'update_extras' && $permissiontoadd) {
|
||||
$object->fetch($socid);
|
||||
|
||||
$object->oldcopy = dol_clone($object, 2);
|
||||
|
|
@ -275,7 +275,7 @@ if (empty($reshook)) {
|
|||
}
|
||||
|
||||
// Add new or update third party
|
||||
if ((!GETPOST('getcustomercode') && !GETPOST('getsuppliercode')) && ($action == 'add' || $action == 'update') && $user->hasRight('societe', 'creer')) {
|
||||
if ((!GETPOST('getcustomercode') && !GETPOST('getsuppliercode')) && ($action == 'add' || $action == 'update') && $permissiontoadd) {
|
||||
require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
|
||||
|
||||
if (!GETPOST('name')) {
|
||||
|
|
@ -306,7 +306,7 @@ if (empty($reshook)) {
|
|||
}
|
||||
|
||||
if (!$error) {
|
||||
if ($action == 'update') {
|
||||
if ($action == 'update') { // Test on permission not required here
|
||||
$ret = $object->fetch($socid);
|
||||
$object->oldcopy = clone $object;
|
||||
} else {
|
||||
|
|
@ -480,7 +480,7 @@ if (empty($reshook)) {
|
|||
}
|
||||
|
||||
if (!$error) {
|
||||
if ($action == 'add') {
|
||||
if ($action == 'add' && $permissiontoadd) {
|
||||
$error = 0;
|
||||
|
||||
$db->begin();
|
||||
|
|
@ -634,7 +634,7 @@ if (empty($reshook)) {
|
|||
}
|
||||
}
|
||||
|
||||
if ($action == 'update') {
|
||||
if ($action == 'update' && $permissiontoadd) {
|
||||
$error = 0;
|
||||
|
||||
if (GETPOST('cancel', 'alpha')) {
|
||||
|
|
@ -811,31 +811,31 @@ if (empty($reshook)) {
|
|||
}
|
||||
|
||||
// Set third-party type
|
||||
if ($action == 'set_thirdpartytype' && $user->hasRight('societe', 'creer')) {
|
||||
if ($action == 'set_thirdpartytype' && $permissiontoadd) {
|
||||
$object->fetch($socid);
|
||||
$result = $object->setThirdpartyType(GETPOSTINT('typent_id'));
|
||||
}
|
||||
|
||||
// Set incoterm
|
||||
if ($action == 'set_incoterms' && $user->hasRight('societe', 'creer') && isModEnabled('incoterm')) {
|
||||
if ($action == 'set_incoterms' && $permissiontoadd && isModEnabled('incoterm')) {
|
||||
$object->fetch($socid);
|
||||
$result = $object->setIncoterms(GETPOSTINT('incoterm_id'), GETPOSTINT('location_incoterms'));
|
||||
}
|
||||
|
||||
// Set parent company
|
||||
if ($action == 'set_thirdparty' && $user->hasRight('societe', 'creer')) {
|
||||
if ($action == 'set_thirdparty' && $permissiontoadd) {
|
||||
$object->fetch($socid);
|
||||
$result = $object->setParent(GETPOSTINT('parent_id'));
|
||||
}
|
||||
|
||||
// Set sales representatives
|
||||
if ($action == 'set_salesrepresentatives' && $user->hasRight('societe', 'creer')) {
|
||||
if ($action == 'set_salesrepresentatives' && $permissiontoadd) {
|
||||
$object->fetch($socid);
|
||||
$result = $object->setSalesRep(GETPOST('commercial', 'array'));
|
||||
}
|
||||
|
||||
// warehouse
|
||||
if ($action == 'setwarehouse' && $user->hasRight('societe', 'creer')) {
|
||||
if ($action == 'setwarehouse' && $permissiontoadd) {
|
||||
$result = $object->setWarehouse(GETPOSTINT('fk_warehouse'));
|
||||
}
|
||||
|
||||
|
|
@ -863,7 +863,7 @@ if (empty($reshook)) {
|
|||
|
||||
|
||||
/*
|
||||
* View
|
||||
* View
|
||||
*/
|
||||
|
||||
$form = new Form($db);
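Review bot: The three structurally similar branches inside `if (!$error)` are treated inconsistently: the `-306` hunk annotates `if ($action == 'update') { // Test on permission not required here`, while the `-480` and `-634` hunks add `&& $permissiontoadd` to the sibling `add` and `update` branches. If, as the `-275` hunk suggests, all of them sit inside the block already gated by `($action == 'add' || $action == 'update') && $permissiontoadd`, the added checks are redundant but harmless and the comment is the accurate one; pick one treatment for all three, e.g. keep the checks and change the comment to `// Permission already checked by the enclosing add/update block; re-tested for safety`. The enclosing block starts and ends outside these hunks, so this is inferred from the hunk headers.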
|
||||
|
|
|
|||
|
|
@ -71,6 +71,9 @@ $now = dol_now();
|
|||
|
||||
$object = new Societe($db);
|
||||
|
||||
$permissiontoadd = $user->hasRight('societe', 'lire');
|
||||
|
||||
|
||||
/*
|
||||
* Actions
|
||||
*/
|
||||
|
|
@ -89,7 +92,7 @@ if (empty($reshook)) {
|
|||
}
|
||||
|
||||
// Add a notification
|
||||
if ($action == 'add') {
|
||||
if ($action == 'add' && $permissiontoadd) {
|
||||
if (empty($contactid)) {
|
||||
setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Contact")), null, 'errors');
|
||||
$error++;
|
||||
|
|
@ -103,7 +106,7 @@ if (empty($reshook)) {
|
|||
$db->begin();
|
||||
|
||||
$sql = "DELETE FROM ".MAIN_DB_PREFIX."notify_def";
|
||||
$sql .= " WHERE fk_soc=".((int) $socid)." AND fk_contact=".((int) $contactid)." AND fk_action=".((int) $actionid);
|
||||
$sql .= " WHERE fk_soc=".((int) $socid)." AND fk_contact=".((int) $contactid)." AND fk_action = ".((int) $actionid);
|
||||
if ($db->query($sql)) {
|
||||
$sql = "INSERT INTO ".MAIN_DB_PREFIX."notify_def (datec,fk_soc, fk_contact, fk_action)";
|
||||
$sql .= " VALUES ('".$db->idate($now)."',".((int) $socid).",".((int) $contactid).",".((int) $actionid).")";
|
||||
|
|
@ -125,8 +128,8 @@ if (empty($reshook)) {
|
|||
}
|
||||
|
||||
// Remove a notification
|
||||
if ($action == 'delete') {
|
||||
$sql = "DELETE FROM ".MAIN_DB_PREFIX."notify_def where rowid=".GETPOSTINT('actid');
|
||||
if ($action == 'delete' && $permissiontoadd) {
|
||||
$sql = "DELETE FROM ".MAIN_DB_PREFIX."notify_def where rowid = ".GETPOSTINT('actid');
|
||||
$db->query($sql);
|
||||
}
|
||||
}
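Review bot: `$permissiontoadd = $user->hasRight('societe', 'lire');` gates the `add` and `delete` branches, which insert into and delete from `notify_def`, with the read right, while the variable name and the other files in this commit tie `$permissiontoadd` to the `creer` right. If read-level users are meant to manage their notification subscriptions, say so on that line (`// 'lire' is deliberate: notification setup is allowed to any user who can read the thirdparty`) and consider a name such as `$permissiontonotify`; otherwise this should be `$user->hasRight('societe', 'creer')`. Separately, the `delete` statement `DELETE FROM ... notify_def where rowid = ".GETPOSTINT('actid')` is keyed by `actid` alone, so whatever check was done on `$socid` does not bind to the row removed; unless that is enforced elsewhere, appending `" AND fk_soc = ".((int) $socid)` would tie the deletion to the thirdparty being edited.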
|
||||
|
|
|
|||
|
|
@ -541,7 +541,7 @@ if (empty($reshook)) {
|
|||
$error++;
|
||||
setEventMessages('ThisThirdpartyIsNotACustomer', null, 'errors');
|
||||
} else {
|
||||
if ($action == 'synccustomertostripe') {
|
||||
if ($action == 'synccustomertostripe') { // Test on permission already done
|
||||
$tmpservicestatus = 1;
|
||||
$tmpservice = 'StripeLive';
|
||||
} else {
|
||||
|
|
|
|||