From 84ce31b8f88c5a2835a99a59a8a15f0737a4f852 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sun, 1 Sep 2024 14:04:10 +0200
Subject: [PATCH] Fix missing test on permissions

---
 htdocs/core/multicompany_page.php | 8 ++++----
 htdocs/core/search_page.php | 2 +-
 htdocs/cron/card.php | 5 +----
 htdocs/ecm/ajax/ecmdatabase.php | 11 ++++++++++-
 htdocs/expedition/card.php | 15 +++++++--------
 htdocs/public/recruitment/view.php | 4 ++--
 htdocs/resource/card.php | 6 +++---
 htdocs/societe/card.php | 28 ++++++++++++++--------------
 htdocs/societe/notify/card.php | 11 +++++++----
 htdocs/societe/paymentmodes.php | 2 +-
 10 files changed, 50 insertions(+), 42 deletions(-)

diff --git a/htdocs/core/multicompany_page.php b/htdocs/core/multicompany_page.php
index 6ef07a97011..21e582957f6 100644
--- a/htdocs/core/multicompany_page.php
+++ b/htdocs/core/multicompany_page.php
@@ -1,6 +1,6 @@
- * Copyright (C) 2024 MDW
+ * Copyright (C) 2024 MDW
 *
 * This file is a modified version of datepicker.php from phpBSM to fix some
 * bugs, to add new features and to dramatically increase speed.
@@ -20,8 +20,8 @@
 */
 /**
- * \file htdocs/core/multicompany_page.php
- * \brief File to return a page with the list of all entities user can switch to
+ * \file htdocs/core/multicompany_page.php
+ * \brief File to return a page with the list of all entities user can switch to
 */
 //if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER','1'); // Not disabled cause need to load personalized language
@@ -67,7 +67,7 @@ if (!isModEnabled('multicompany')) {
 * Actions
 */
-if ($action == 'switchentity') {
+if ($action == 'switchentity') { // Test on permission not required here. Test will be done on the targeted page.
 if (is_object($mc)) {
 $mc->switchEntity($entityid);
 }
diff --git a/htdocs/core/search_page.php b/htdocs/core/search_page.php
index 77746652771..375ad2c171f 100644
--- a/htdocs/core/search_page.php
+++ b/htdocs/core/search_page.php
@@ -57,7 +57,7 @@ $left = ($langs->trans("DIRECTION") == 'rtl' ? 'right' : 'left');*/
 * Actions
 */
-if ($action == 'redirect') {
+if ($action == 'redirect') { // Test on permission not required here. Test will be done on the targeted page.
 global $dolibarr_main_url_root;
 $url = GETPOST('url');
diff --git a/htdocs/cron/card.php b/htdocs/cron/card.php
index 7e132cc0a37..ff37c535252 100644
--- a/htdocs/cron/card.php
+++ b/htdocs/cron/card.php
@@ -250,7 +250,6 @@ if ($action == 'confirm_clone' && $confirm == 'yes' && $permissiontoadd) {
 }
-
 /*
 * View
 */
@@ -560,9 +559,7 @@ if (($action == "create") || ($action == "edit")) {
 print "\n";
 } else {
- /*
- * view card
- */
+ // view card
 $now = dol_now();
 print dol_get_fiche_head($head, 'card', $langs->trans("CronTask"), -1, 'cron');
diff --git a/htdocs/ecm/ajax/ecmdatabase.php b/htdocs/ecm/ajax/ecmdatabase.php
index ad3586d5463..4bfe57283c8 100644
--- a/htdocs/ecm/ajax/ecmdatabase.php
+++ b/htdocs/ecm/ajax/ecmdatabase.php
@@ -41,6 +41,15 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
 $action = GETPOST('action', 'aZ09');
 $element = GETPOST('element', 'alpha');
+$permissiontoread = $user->hasRight('ecm', 'read');
+ + /* + * Actions + */ + +// None + /* * View
@@ -54,7 +63,7 @@ top_httphead();
 if (isset($action) && !empty($action)) {
 $error = 0;
- if ($action == 'build' && !empty($element)) {
+ if ($action == 'build' && !empty($element) && $permissiontoread) {
 require_once DOL_DOCUMENT_ROOT.'/ecm/class/ecmdirectory.class.php';
 $ecmdirstatic = new EcmDirectory($db);
diff --git a/htdocs/expedition/card.php b/htdocs/expedition/card.php
index 1a6541a18c1..1b3072f8402 100644
--- a/htdocs/expedition/card.php
+++ b/htdocs/expedition/card.php
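Review bot: The added comment on `if ($action == 'redirect')` states that no permission test is needed but not what does protect the action; the hunk shows `$url = GETPOST('url')` being taken from the request together with `global $dolibarr_main_url_root`, which suggests the real control is that the redirect target is restricted to the site's own root, and that is the property a reader needs to see named here. Suggest `// Test on permission not required here. Test will be done on the targeted page; the redirect target itself is restricted to $dolibarr_main_url_root below.` (adjust if the check below does something else). The validation of `$url`, and the rest of this block, lie outside the hunk.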
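Review bot: In ecmdatabase.php the new `&& $permissiontoread` on the `build` branch makes a denied request fall through silently, so the AJAX caller receives a normal response with nothing done and no indication that the right was missing; an explicit refusal (for example `accessforbidden()` before the `if (isset($action) ...)` block, or an error entry in the returned payload) would make the denial visible to the client and in logs. The name `$permissiontoread` also deserves a second look: `build` instantiates `EcmDirectory` and, if it (re)builds the directory index in the database, it is a write operation being gated on the module's read right, so a write-level right may be the intended one. The -41 hunk's added comment block (`Actions` / `None`) is fine, but note the variable is declared after `$action`/`$element` are read and is used only in the later hunk.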
@@ -159,7 +159,7 @@ if (empty($reshook)) {
 include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php';
 // Back to draft
- if ($action == 'setdraft' && $user->hasRight('expedition', 'creer')) {
+ if ($action == 'setdraft' && $permissiontoadd) {
 $object->fetch($id);
 $result = $object->setDraft($user, 0);
 if ($result < 0) {
@@ -170,7 +170,7 @@ if (empty($reshook)) {
 }
 }
 // Reopen
- if ($action == 'reopen' && $user->hasRight('expedition', 'creer')) {
+ if ($action == 'reopen' && $permissiontoadd) {
 $object->fetch($id);
 $result = $object->reOpen();
 if ($result < 0) {
@@ -182,11 +182,11 @@ if (empty($reshook)) {
 }
 // Set incoterm
- if ($action == 'set_incoterms' && isModEnabled('incoterm')) {
+ if ($action == 'set_incoterms' && isModEnabled('incoterm') && $permissiontoadd) {
 $result = $object->setIncoterms(GETPOSTINT('incoterm_id'), GETPOSTINT('location_incoterms'));
 }
- if ($action == 'setref_customer') {
+ if ($action == 'setref_customer' && $permissiontoadd) {
 $result = $object->fetch($id);
 if ($result < 0) {
 setEventMessages($object->error, $object->errors, 'errors');
@@ -202,7 +202,7 @@ if (empty($reshook)) {
 }
 }
- if ($action == 'update_extras' && $user->hasRight('expedition', 'creer')) {
+ if ($action == 'update_extras' && $permissiontoadd) {
 $object->oldcopy = dol_clone($object, 2);
 $attribute_name = GETPOST('attribute', 'restricthtml');
@@ -227,7 +227,7 @@ if (empty($reshook)) {
 }
 // Create shipment
- if ($action == 'add' && $user->hasRight('expedition', 'creer')) {
+ if ($action == 'add' && $permissiontoadd) {
 $error = 0;
 $db->begin();
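Review bot: Every new guard in this file depends on `$permissiontoadd`, whose definition is outside all of these hunks; the conditions it replaces were `$user->hasRight('expedition', 'creer')`, so unless the variable is computed from exactly that right the commit silently widens or narrows who may run setdraft, reopen, update_extras and add. Worth confirming the declaration near the top of the file reads `$permissiontoadd = $user->hasRight('expedition', 'creer');`; the same check applies to the resource/card.php hunks, where `$permissiontoadd`/`$permissiontodelete` replace `hasRight('resource', 'write')`/`hasRight('resource', 'delete')`, and to the societe/card.php hunks, where `$permissiontoadd` replaces `hasRight('societe', 'creer')`. The substantive fix here is that `set_incoterms` and `setref_customer` previously had no permission test at all. For consistency, the `confirm_valid` branch in the later hunk could hoist its advanced-permission expression into a variable such as `$permissiontovalidate` instead of keeping the inline `hasRight` calls; all of these sit inside `if (empty($reshook)) {`, which opens and closes outside the hunks.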
@@ -477,8 +477,7 @@ if (empty($reshook)) {
 setEventMessages($object->error, $object->errors, 'errors');
 }
- } elseif ($action == 'confirm_valid' && $confirm == 'yes' &&
- ((!getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && $user->hasRight('expedition', 'creer'))
+ } elseif ($action == 'confirm_valid' && $confirm == 'yes' && ((!getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && $user->hasRight('expedition', 'creer'))
 || (getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && $user->hasRight('expedition', 'shipping_advance', 'validate')))
 ) {
 $object->fetch_thirdparty();
diff --git a/htdocs/public/recruitment/view.php b/htdocs/public/recruitment/view.php
index 1875782ad5d..4294223915c 100644
--- a/htdocs/public/recruitment/view.php
+++ b/htdocs/public/recruitment/view.php
@@ -119,7 +119,7 @@ if ($action == "view" || $action == "presend" || $action == "dosubmit") { // Tes
 }
 /*
- if (!$error && $action == "dosubmit")
+ if (!$error && $action == "dosubmit") // Test on permission not required here (anonymous action protected by mitigation of /public/... urls)
 {
 // Test MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS
@@ -136,7 +136,7 @@ if ($action == "view" || $action == "presend" || $action == "dosubmit") { // Tes
 if ($error || $errors) {
 setEventMessages($object->error, $object->errors, 'errors');
- if ($action == "dosubmit") {
+ if ($action == "dosubmit") { // Test on permission not required here
 $action = 'presend';
 } else {
 $action = '';
diff --git a/htdocs/resource/card.php b/htdocs/resource/card.php
index cde20c6e4d1..d97ff6d6988 100644
--- a/htdocs/resource/card.php
+++ b/htdocs/resource/card.php
@@ -100,7 +100,7 @@ if (empty($reshook)) {
 $action = '';
 }
- if ($action == 'add' && $user->hasRight('resource', 'write')) {
+ if ($action == 'add' && $permissiontoadd) {
 if (!$cancel) {
 $error = '';
@@ -145,7 +145,7 @@ if (empty($reshook)) {
 }
 }
- if ($action == 'update' && !$cancel && $user->hasRight('resource', 'write')) {
+ if ($action == 'update' && !$cancel && $permissiontoadd) {
 $error = 0;
 if (empty($ref)) {
@@ -194,7 +194,7 @@ if (empty($reshook)) {
 }
 }
- if ($action == 'confirm_delete_resource' && $user->hasRight('resource', 'delete') && $confirm === 'yes') {
+ if ($action == 'confirm_delete_resource' && $permissiontodelete && $confirm === 'yes') {
 $res = $object->fetch($id);
 if ($res > 0) {
 $result = $object->delete($user);
diff --git a/htdocs/societe/card.php b/htdocs/societe/card.php
index a4194dc3544..ac4b23fb4b3 100644
--- a/htdocs/societe/card.php
+++ b/htdocs/societe/card.php
@@ -201,7 +201,7 @@ if (empty($reshook)) {
 $action = '';
 }
- if ($action == 'confirm_merge' && $confirm == 'yes' && $user->hasRight('societe', 'creer')) {
+ if ($action == 'confirm_merge' && $confirm == 'yes' && $permissiontoadd) {
 $soc_origin_id = GETPOSTINT('soc_origin');
 $soc_origin = new Societe($db); // The thirdparty that we will delete
@@ -235,20 +235,20 @@ if (empty($reshook)) {
 $_POST["supplier_code"] = "Acompleter";
 }
- if ($action == 'set_localtax1' && $user->hasRight('societe', 'creer')) {
+ if ($action == 'set_localtax1' && $permissiontoadd) {
 //get selected from combobox
 $value = GETPOST('lt1');
 $object->fetch($socid);
 $res = $object->setValueFrom('localtax1_value', $value, '', null, 'text', '', $user, 'COMPANY_MODIFY');
 }
- if ($action == 'set_localtax2' && $user->hasRight('societe', 'creer')) {
+ if ($action == 'set_localtax2' && $permissiontoadd) {
 //get selected from combobox
 $value = GETPOST('lt2');
 $object->fetch($socid);
 $res = $object->setValueFrom('localtax2_value', $value, '', null, 'text', '', $user, 'COMPANY_MODIFY');
 }
- if ($action == 'update_extras' && $user->hasRight('societe', 'creer')) {
+ if ($action == 'update_extras' && $permissiontoadd) {
 $object->fetch($socid);
 $object->oldcopy = dol_clone($object, 2);
@@ -275,7 +275,7 @@ if (empty($reshook)) {
 }
 // Add new or update third party
- if ((!GETPOST('getcustomercode') && !GETPOST('getsuppliercode')) && ($action == 'add' || $action == 'update') && $user->hasRight('societe', 'creer')) {
+ if ((!GETPOST('getcustomercode') && !GETPOST('getsuppliercode')) && ($action == 'add' || $action == 'update') && $permissiontoadd) {
 require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
 if (!GETPOST('name')) {
@@ -306,7 +306,7 @@ if (empty($reshook)) {
 }
 if (!$error) {
- if ($action == 'update') {
+ if ($action == 'update') { // Test on permission not required here
 $ret = $object->fetch($socid);
 $object->oldcopy = clone $object;
 } else {
@@ -480,7 +480,7 @@ if (empty($reshook)) {
 }
 if (!$error) {
- if ($action == 'add') {
+ if ($action == 'add' && $permissiontoadd) {
 $error = 0;
 $db->begin();
@@ -634,7 +634,7 @@ if (empty($reshook)) {
 }
 }
- if ($action == 'update') {
+ if ($action == 'update' && $permissiontoadd) {
 $error = 0;
 if (GETPOST('cancel', 'alpha')) {
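Review bot: The three inner action checks in this file are treated inconsistently: the `if ($action == 'update')` at -306 gets the comment `// Test on permission not required here`, while `if ($action == 'add')` at -480 and `if ($action == 'update')` at -634 get `&& $permissiontoadd` appended, even though all three appear to be nested inside the block opened at -275 by `... ($action == 'add' || $action == 'update') && $permissiontoadd) {` (its closing brace lies outside these hunks, so this is inferred). If they are in that block, pick one convention for all three, either the comment alone or the redundant guard everywhere. The comment is preferable: a duplicated guard that later drifts from the outer condition makes the authoritative check harder to locate, and a static-analysis rule looking for unguarded actions is what the comment exists to satisfy.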
@@ -811,31 +811,31 @@ if (empty($reshook)) {
 }
 // Set third-party type
- if ($action == 'set_thirdpartytype' && $user->hasRight('societe', 'creer')) {
+ if ($action == 'set_thirdpartytype' && $permissiontoadd) {
 $object->fetch($socid);
 $result = $object->setThirdpartyType(GETPOSTINT('typent_id'));
 }
 // Set incoterm
- if ($action == 'set_incoterms' && $user->hasRight('societe', 'creer') && isModEnabled('incoterm')) {
+ if ($action == 'set_incoterms' && $permissiontoadd && isModEnabled('incoterm')) {
 $object->fetch($socid);
 $result = $object->setIncoterms(GETPOSTINT('incoterm_id'), GETPOSTINT('location_incoterms'));
 }
 // Set parent company
- if ($action == 'set_thirdparty' && $user->hasRight('societe', 'creer')) {
+ if ($action == 'set_thirdparty' && $permissiontoadd) {
 $object->fetch($socid);
 $result = $object->setParent(GETPOSTINT('parent_id'));
 }
 // Set sales representatives
- if ($action == 'set_salesrepresentatives' && $user->hasRight('societe', 'creer')) {
+ if ($action == 'set_salesrepresentatives' && $permissiontoadd) {
 $object->fetch($socid);
 $result = $object->setSalesRep(GETPOST('commercial', 'array'));
 }
 // warehouse
- if ($action == 'setwarehouse' && $user->hasRight('societe', 'creer')) {
+ if ($action == 'setwarehouse' && $permissiontoadd) {
 $result = $object->setWarehouse(GETPOSTINT('fk_warehouse'));
 }
@@ -863,7 +863,7 @@ if (empty($reshook)) {
 /*
- * View
+ * View
 */
 $form = new Form($db);
diff --git a/htdocs/societe/notify/card.php b/htdocs/societe/notify/card.php
index 19fe3cda5fd..a61e640b739 100644
--- a/htdocs/societe/notify/card.php
+++ b/htdocs/societe/notify/card.php
@@ -71,6 +71,9 @@ $now = dol_now();
 $object = new Societe($db);
+$permissiontoadd = $user->hasRight('societe', 'lire');
+
+
 /*
 * Actions
 */
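Review bot: In societe/notify/card.php, `$permissiontoadd = $user->hasRight('societe', 'lire');` binds the new add/delete guard to the read right on third parties, so any user able to view a company can also create and remove its notification subscriptions (the `add` and `delete` branches gated by this variable in the next hunks issue INSERT and DELETE statements). Unless read access is deliberately sufficient there, the declaration should follow the convention used in the societe/card.php hunks of this same patch and read `$permissiontoadd = $user->hasRight('societe', 'creer');`. If read access is intended, the variable should not be named `$permissiontoadd`, and a comment should record why a read right authorises writes.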
@@ -89,7 +92,7 @@ if (empty($reshook)) {
 }
 // Add a notification
- if ($action == 'add') {
+ if ($action == 'add' && $permissiontoadd) {
 if (empty($contactid)) {
 setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Contact")), null, 'errors');
 $error++;
@@ -103,7 +106,7 @@ if (empty($reshook)) {
 $db->begin();
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."notify_def";
- $sql .= " WHERE fk_soc=".((int) $socid)." AND fk_contact=".((int) $contactid)." AND fk_action=".((int) $actionid);
+ $sql .= " WHERE fk_soc=".((int) $socid)." AND fk_contact=".((int) $contactid)." AND fk_action = ".((int) $actionid);
 if ($db->query($sql)) {
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."notify_def (datec,fk_soc, fk_contact, fk_action)";
 $sql .= " VALUES ('".$db->idate($now)."',".((int) $socid).",".((int) $contactid).",".((int) $actionid).")";
@@ -125,8 +128,8 @@ if (empty($reshook)) {
 }
 // Remove a notification
- if ($action == 'delete') {
- $sql = "DELETE FROM ".MAIN_DB_PREFIX."notify_def where rowid=".GETPOSTINT('actid');
+ if ($action == 'delete' && $permissiontoadd) {
+ $sql = "DELETE FROM ".MAIN_DB_PREFIX."notify_def where rowid = ".GETPOSTINT('actid');
 $db->query($sql);
 }
 }
diff --git a/htdocs/societe/paymentmodes.php b/htdocs/societe/paymentmodes.php
index 68fd3a89976..f0290bdd9ee 100644
--- a/htdocs/societe/paymentmodes.php
+++ b/htdocs/societe/paymentmodes.php
@@ -541,7 +541,7 @@ if (empty($reshook)) {
 $error++;
 setEventMessages('ThisThirdpartyIsNotACustomer', null, 'errors');
 } else {
- if ($action == 'synccustomertostripe') {
+ if ($action == 'synccustomertostripe') { // Test on permission already done
 $tmpservicestatus = 1;
 $tmpservice = 'StripeLive';
 } else {
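Review bot: The `delete` branch in the -125 hunk still removes a `notify_def` row by `rowid = GETPOSTINT('actid')` alone, with no tie to the third party whose card is open, so a user who passes the new permission test on this page can delete a notification belonging to any company just by supplying a different id; the commit adds the right check but leaves the row unscoped (the integer cast rules out injection, not this). Suggest reusing the column the `add` branch already filters on, `$sql .= " AND fk_soc = ".((int) $socid);`, or fetching the row and comparing its `fk_soc` to `$socid` before deleting. The result of `$db->query($sql)` is also discarded, so a failed delete produces no error message. The enclosing `if (empty($reshook))` block closes on the hunk's last line.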