FIX missing check permissions for clone user action (#31944)

* FIX missing permission check for clone action

* FIX missing permission for the action
This commit is contained in:
Regis Houssin 2024-11-16 14:45:30 +01:00 committed by GitHub
parent c496df7dfe
commit af6a487178
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -134,6 +134,16 @@ if (getDolGlobalString('MAIN_USE_ADVANCED_PERMS')) {
$permissiontoeditgroup = (!empty($user->admin) || $user->hasRight("user", "group_advance", "write"));
}
$permissiontoclonesuperadmin = ($permissiontoadd && empty($user->entity));
$permissiontocloneadmin = ($permissiontoadd && !empty($user->admin));
$permissiontocloneuser = $permissiontoadd;
// Can clone only in master entity if transverse mode is used
if (getDolGlobalString('MULTICOMPANY_TRANSVERSE_MODE') && $conf->entity > 1) {
$permissiontoclonesuperadmin = false;
$permissiontocloneadmin = false;
$permissiontocloneuser = false;
}
if ($user->id != $id && !$permissiontoread) {
accessforbidden();
}
@ -774,7 +784,7 @@ if (empty($reshook)) {
if ($action == 'confirm_clone' && $confirm != 'yes') {
$action = '';
}
if ($action == 'confirm_clone' && $confirm == 'yes' && $user->hasRight("user", "user", "write")) {
if ($action == 'confirm_clone' && $confirm == 'yes' && $permissiontocloneuser) {
if (!GETPOST('clone_name')) {
setEventMessages($langs->trans('ErrorNoCloneWithoutName'), null, 'errors');
} elseif (getDolGlobalString('USER_MAIL_REQUIRED') && !GETPOST('new_email')) {
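Review bot: The new-side condition `if ($action == 'confirm_clone' && $confirm == 'yes' && $permissiontocloneuser) {` checks only `$permissiontocloneuser`, so the admin/superadmin distinction this commit introduces (`$permissiontoclonesuperadmin`, `$permissiontocloneadmin`) is applied only where the clone button is rendered in the later hunk, not where the clone is actually performed, and button visibility is not an authorization check. The handler should evaluate the same condition on the target as the button does, e.g. `$permissiontoclonethisuser = (empty($object->entity) && $permissiontoclonesuperadmin) || (!empty($object->admin) && !empty($object->entity) && $permissiontocloneadmin) || ($permissiontocloneuser && empty($object->admin) && !empty($object->entity));` computed once after `$object` is fetched (assuming it is loaded before this action block, as it is where the button is drawn) and tested in both places. In the button hunk, `dolGetButtonAction(...)` still receives `$user->hasRight('user', 'user', 'write')` as its enabled flag rather than `$permissiontocloneuser`, so in transverse multicompany mode the button can be shown enabled while the action is refused. The definition of `$permissiontoadd` and the enclosing `if (empty($reshook))` block lie outside these hunks, and the `confirm_clone` body continues past the end of this one.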
@ -786,7 +796,6 @@ if (empty($reshook)) {
$clone->id = 0;
$clone->email = (getDolGlobalString('USER_MAIL_REQUIRED') ? GETPOST('new_email', 'alphanohtml') : '');
$clone->entity = 1;
$clone->api_key = '';
$parts = explode(' ', GETPOST('clone_name'), 2);
@ -2132,15 +2141,18 @@ if ($action == 'create' || $action == 'adduserldap') {
'class' => 'classfortooltip'
)
);
//clone user
$cloneButtonId = '';
$cloneUserUrl = '';
if (!empty($conf->use_javascript_ajax) && empty($conf->dol_use_jmobile)) {
// Clone user
// a simple user can not clone an admin or superadmin and a simple admin can not clone a superadmin
if ((empty($object->entity) && $permissiontoclonesuperadmin) || (!empty($object->admin) && !empty($object->entity) && $permissiontocloneadmin) || ($permissiontocloneuser && empty($object->admin) && !empty($object->entity))) {
$cloneButtonId = '';
$cloneUserUrl = '';
$cloneButtonId = 'action-clone';
}
if (!empty($conf->use_javascript_ajax) && empty($conf->dol_use_jmobile)) {
$cloneUserUrl = '';
$cloneButtonId = 'action-clone';
}
print dolGetButtonAction($langs->trans('ToClone'), '', 'default', $cloneUserUrl, $cloneButtonId, $user->hasRight('user', 'user', 'write'));
}
if (getDolGlobalString('USER_PASSWORD_GENERATED') != 'none') {
if ($object->status == $object::STATUS_DISABLED) {