Debug v20 Fix missing test on permissions

This commit is contained in:
Laurent Destailleur 2024-08-31 17:23:13 +02:00
parent 2c28d039e2
commit b8dadd4b6a
15 changed files with 71 additions and 70 deletions


@ -66,7 +66,7 @@ if (!$user->hasRight("agenda", "allactions", "read")) {
* Actions
*/
if ($action == 'builddoc') {
if ($action == 'builddoc' && $user->hasRight("agenda", "allactions", "read")) {
require_once DOL_DOCUMENT_ROOT.'/core/modules/action/doc/pdf_standard_actions.class.php';
$cat = new pdf_standard_actions($db, $month, $year);
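Review bot: The added `&& $user->hasRight("agenda", "allactions", "read")` on the builddoc line duplicates the guard shown in the hunk header at line 66, which already tests the same right; that guard's body is outside the hunk, so whether it calls accessforbidden() cannot be confirmed here. If it does deny access, the project's own CodingPhpTest convention would be satisfied by the lighter annotation `if ($action == 'builddoc') { // Test on permission already done`. Keeping both is harmless, but two copies of the same right invite drift if it is later changed in only one place. The builddoc handler continues past the end of the hunk.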


@ -160,7 +160,7 @@ if (empty($reshook)) {
}
// Set accountancy code
if ($action == 'setcustomeraccountancycode') {
if ($action == 'setcustomeraccountancycode' && $user->hasRight('societe', 'creer')) {
$result = $object->fetch($id);
$object->code_compta_client = GETPOST("customeraccountancycode");
$object->code_compta = $object->code_compta_client; // For Backward compatibility
@ -237,7 +237,7 @@ if (empty($reshook)) {
}
// set communication status
if ($action == 'setstcomm') {
if ($action == 'setstcomm' && $user->hasRight('societe', 'creer')) {
$object->fetch($id);
$object->stcomm_id = dol_getIdFromCode($db, GETPOST('stcomm', 'alpha'), 'c_stcomm');
$result = $object->update($object->id, $user);
@ -249,7 +249,7 @@ if (empty($reshook)) {
}
// update outstandng limit
if ($action == 'setoutstanding_limit') {
if ($action == 'setoutstanding_limit' && $user->hasRight('societe', 'creer')) {
$object->fetch($id);
$object->outstanding_limit = GETPOST('outstanding_limit');
$result = $object->update($object->id, $user);
@ -259,7 +259,7 @@ if (empty($reshook)) {
}
// update order min amount
if ($action == 'setorder_min_amount') {
if ($action == 'setorder_min_amount' && $user->hasRight('societe', 'creer')) {
$object->fetch($id);
$object->order_min_amount = price2num(GETPOST('order_min_amount', 'alpha'));
$result = $object->update($object->id, $user);
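Review bot: In the setoutstanding_limit branch, `$object->outstanding_limit = GETPOST('outstanding_limit');` stores the raw request string, while the neighbouring setorder_min_amount branch normalizes its amount with `price2num(GETPOST('order_min_amount', 'alpha'))`. Unless Societe::update() normalizes outstanding_limit itself (not visible here), a localized decimal such as `1 000,50` would be written unparsed; `$object->outstanding_limit = price2num(GETPOST('outstanding_limit', 'alpha'));` keeps the two amount setters consistent. Likewise `GETPOST("customeraccountancycode")` is the only GETPOST in the hunk read without a filter type, where the others pass `'alpha'`. All of these branches run inside `if (empty($reshook))`, which begins before the hunk, and none of them checks the return value of `$object->fetch($id)` before writing.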


@ -101,12 +101,15 @@ if (!$user->hasRight('mailing', 'lire') || (!getDolGlobalString('EXTERNAL_USERS_
}
//$result = restrictedArea($user, 'mailing');
$permissiontoread = $user->hasRight('mailing', 'lire');
$permissiontoadd = $user->hasRight('mailing', 'creer');
/*
* Actions
*/
if ($action == 'loadfilter') {
if ($action == 'loadfilter' && $permissiontoread) {
if (!empty($template_id)) {
$result = $advTarget->fetch($template_id);
if ($result < 0) {
@ -119,7 +122,7 @@ if ($action == 'loadfilter') {
}
}
if ($action == 'add') {
if ($action == 'add' && $permissiontoadd) {
$user_contact_query = false;
$array_query = array();
@ -255,7 +258,7 @@ if ($action == 'add') {
}
}
if ($action == 'clear') {
if ($action == 'clear' && $permissiontoadd) {
// Load a new class instance
$classname = "MailingTargets";
$obj = new $classname($db);
@ -265,11 +268,11 @@ if ($action == 'clear') {
exit();
}
if ($action == 'savefilter' || $action == 'createfilter') {
if (($action == 'savefilter' || $action == 'createfilter') && $permissiontoadd) {
$template_name = GETPOST('template_name');
$error = 0;
if ($action == 'createfilter' && empty($template_name)) {
if ($action == 'createfilter' && empty($template_name) && $permissiontoadd) {
setEventMessages($langs->trans('ErrorFieldRequired', $langs->transnoentitiesnoconv('AdvTgtOrCreateNewFilter')), null, 'errors');
$error++;
}
@ -353,13 +356,13 @@ if ($action == 'savefilter' || $action == 'createfilter') {
}
$advTarget->filtervalue = json_encode($array_query);
if ($action == 'createfilter') {
if ($action == 'createfilter') { // Test on permission already done
$advTarget->name = $template_name;
$result = $advTarget->create($user);
if ($result < 0) {
setEventMessages($advTarget->error, $advTarget->errors, 'errors');
}
} elseif ($action == 'savefilter') {
} elseif ($action == 'savefilter') { // Test on permission already done
$result = $advTarget->update($user);
if ($result < 0) {
setEventMessages($advTarget->error, $advTarget->errors, 'errors');
@ -369,7 +372,7 @@ if ($action == 'savefilter' || $action == 'createfilter') {
}
}
if ($action == 'deletefilter') {
if ($action == 'deletefilter' && $permissiontoadd) {
$result = $advTarget->delete($user);
if ($result < 0) {
setEventMessages($advTarget->error, $advTarget->errors, 'errors');
@ -378,7 +381,7 @@ if ($action == 'deletefilter') {
exit();
}
if ($action == 'delete') {
if ($action == 'delete' && $permissiontoadd) {
// Ici, rowid indique le destinataire et id le mailing
$sql = "DELETE FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE rowid = ".((int) $rowid);
$resql = $db->query($sql);
@ -405,6 +408,7 @@ if (GETPOST("button_removefilter")) {
$search_email = '';
}
/*
* View
*/
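Review bot: The `delete` branch runs `DELETE FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE rowid = ".((int) $rowid)` constrained only by the target's rowid, so the new `$permissiontoadd` check proves the user may edit mailings in general, but nothing ties the deleted row to the mailing `$id` being viewed (the comment above it says rowid is the recipient and id the mailing). Any user holding the mailing 'creer' right can therefore remove recipients from any mailing by guessing rowids. Scoping the statement to the current mailing, e.g. `... WHERE rowid = ".((int) $rowid)." AND fk_mailing = ".((int) $id)` (column name per the mailing_cibles schema, to be confirmed), and checking the affected row count would close that. Separately, the `&& $permissiontoadd` added to the inner `createfilter && empty($template_name)` test is redundant with the enclosing condition two lines above it.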


@ -588,19 +588,19 @@ if (empty($reshook)) {
if (($action == 'settitle' || $action == 'setemail_from' || $action == 'setemail_replyto' || $action == 'setreplyto' || $action == 'setemail_errorsto' || $action == 'setevenunsubscribe') && $permissiontovalidatesend) {
$upload_dir = $conf->mailing->dir_output."/".get_exdir($object->id, 2, 0, 1, $object, 'mailing');
if ($action == 'settitle') {
if ($action == 'settitle') { // Test on permission already done
$object->title = trim(GETPOST('title', 'alpha'));
} elseif ($action == 'setemail_from') {
} elseif ($action == 'setemail_from') { // Test on permission already done
$object->email_from = trim(GETPOST('email_from', 'alphawithlgt')); // Must allow 'name <email>'
} elseif ($action == 'setemail_replyto') {
} elseif ($action == 'setemail_replyto') { // Test on permission already done
$object->email_replyto = trim(GETPOST('email_replyto', 'alphawithlgt')); // Must allow 'name <email>'
} elseif ($action == 'setemail_errorsto') {
} elseif ($action == 'setemail_errorsto') { // Test on permission already done
$object->email_errorsto = trim(GETPOST('email_errorsto', 'alphawithlgt')); // Must allow 'name <email>'
} elseif ($action == 'settitle' && empty($object->title)) {
} elseif ($action == 'settitle' && empty($object->title)) { // Test on permission already done
$mesg = $langs->trans("ErrorFieldRequired", $langs->transnoentities("MailTitle"));
} elseif ($action == 'setfrom' && empty($object->email_from)) {
} elseif ($action == 'setfrom' && empty($object->email_from)) { // Test on permission already done
$mesg = $langs->trans("ErrorFieldRequired", $langs->transnoentities("MailFrom"));
} elseif ($action == 'setevenunsubscribe') {
} elseif ($action == 'setevenunsubscribe') { // Test on permission already done
$object->evenunsubscribe = (GETPOST('evenunsubscribe') ? 1 : 0);
}
@ -771,7 +771,7 @@ llxHeader(
);
if ($action == 'create') {
if ($action == 'create') { // aaa
// EMailing in creation mode
print '<form name="new_mailing" action="'.$_SERVER['PHP_SELF'].'" method="POST">'."\n";
print '<input type="hidden" name="token" value="'.newToken().'">';
@ -908,9 +908,7 @@ if ($action == 'create') {
if ($action != 'edit' && $action != 'edittxt' && $action != 'edithtml') {
print dol_get_fiche_head($head, 'card', $langs->trans("Mailing"), -1, 'email');
/*
* View mode mailing
*/
// View mode mailing
if ($action == 'sendall') {
// Define message to recommend from command line
$sendingmode = getDolGlobalString('EMAILING_MAIL_SENDMODE');
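Review bot: The `elseif ($action == 'settitle' && empty($object->title))` and `elseif ($action == 'setfrom' && empty($object->email_from))` branches are unreachable: `settitle` is already consumed by the first branch of the chain, and `setfrom` is not in the outer action list on the first line of the hunk, so the ErrorFieldRequired messages never fire and an empty title can be saved. Moving the check inside the matching branch restores it, e.g. `if ($action == 'settitle') { $object->title = trim(GETPOST('title', 'alpha')); if (empty($object->title)) { $mesg = $langs->trans("ErrorFieldRequired", $langs->transnoentities("MailTitle")); } }`, with the same treatment for `setemail_from`. The `// aaa` left on `if ($action == 'create') {` further down looks like a debugging placeholder; since that branch only prints the creation form, `// Test on permission not required` is the comment that matches the rest of this commit. The update that follows the chain is outside the hunk.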


@ -231,22 +231,22 @@ if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter.x'
}
// Action update description of emailing
if ($action == 'settitle' || $action == 'setemail_from' || $action == 'setreplyto' || $action == 'setemail_errorsto' || $action == 'setevenunsubscribe') {
if (($action == 'settitle' || $action == 'setemail_from' || $action == 'setreplyto' || $action == 'setemail_errorsto' || $action == 'setevenunsubscribe') && $permissiontocreate) {
$upload_dir = $conf->mailing->dir_output."/".get_exdir($object->id, 2, 0, 1, $object, 'mailing');
if ($action == 'settitle') {
if ($action == 'settitle') { // Test on permission already done
$object->title = trim(GETPOST('title', 'alpha'));
} elseif ($action == 'setemail_from') {
} elseif ($action == 'setemail_from') { // Test on permission already done
$object->email_from = trim(GETPOST('email_from', 'alphawithlgt')); // Must allow 'name <email>'
} elseif ($action == 'setemail_replyto') {
} elseif ($action == 'setemail_replyto') { // Test on permission already done
$object->email_replyto = trim(GETPOST('email_replyto', 'alphawithlgt')); // Must allow 'name <email>'
} elseif ($action == 'setemail_errorsto') {
} elseif ($action == 'setemail_errorsto') { // Test on permission already done
$object->email_errorsto = trim(GETPOST('email_errorsto', 'alphawithlgt')); // Must allow 'name <email>'
} elseif ($action == 'settitle' && empty($object->title)) {
} elseif ($action == 'settitle' && empty($object->title)) { // Test on permission already done
$mesg = $langs->trans("ErrorFieldRequired", $langs->transnoentities("MailTitle"));
} elseif ($action == 'setfrom' && empty($object->email_from)) {
} elseif ($action == 'setfrom' && empty($object->email_from)) { // Test on permission already done
$mesg = $langs->trans("ErrorFieldRequired", $langs->transnoentities("MailFrom"));
} elseif ($action == 'setevenunsubscribe') {
} elseif ($action == 'setevenunsubscribe') { // Test on permission already done
$object->evenunsubscribe = (GETPOST('evenunsubscribe') ? 1 : 0);
}
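Review bot: The outer condition on the first line of the hunk lists `setreplyto`, but the chain below tests `setemail_replyto`, so the reply-to branch can never execute and a `setreplyto` request falls through the chain without touching `$object`; the sibling mailing card hunk in this commit lists both names in its outer test. Adding `|| $action == 'setemail_replyto'` to the outer test (or renaming the inner branch to match) restores the update. As in the sibling file, the `settitle && empty(...)` and `setfrom && empty(...)` branches are unreachable, because settitle is consumed by the first branch and setfrom is not in the outer list, so the required-field messages never appear. The enclosing block continues past the hunk.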


@ -838,10 +838,7 @@ if (empty($reshook)) {
$db->rollback();
}
}
} elseif ($action == 'import_lines_from_object'
&& $user->hasRight('propal', 'creer')
&& $object->statut == Propal::STATUS_DRAFT
) {
} elseif ($action == 'import_lines_from_object' && $usercancreate && $object->statut == Propal::STATUS_DRAFT) {
// add lines from objectlinked
$fromElement = GETPOST('fromelement');
$fromElementid = GETPOST('fromelementid');
@ -1713,8 +1710,8 @@ if (empty($reshook)) {
}
}
if (getDolGlobalString('MAIN_DISABLE_CONTACTS_TAB') && $usercancreate) {
if ($action == 'addcontact') {
if (getDolGlobalString('MAIN_DISABLE_CONTACTS_TAB')) {
if ($action == 'addcontact' && $usercancreate) {
if ($object->id > 0) {
$contactid = (GETPOST('userid') ? GETPOST('userid') : GETPOST('contactid'));
$typeid = (GETPOST('typecontact') ? GETPOST('typecontact') : GETPOST('type'));
@ -1732,14 +1729,14 @@ if (empty($reshook)) {
setEventMessages($object->error, $object->errors, 'errors');
}
}
} elseif ($action == 'swapstatut') {
} elseif ($action == 'swapstatut' && $usercancreate) {
// Toggle the status of a contact
if ($object->fetch($id) > 0) {
$result = $object->swapContactStatus(GETPOSTINT('ligne'));
} else {
dol_print_error($db);
}
} elseif ($action == 'deletecontact') {
} elseif ($action == 'deletecontact' && $usercancreate) {
// Delete a contact
$object->fetch($id);
$result = $object->delete_contact($lineid);
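Review bot: In the `deletecontact` branch, `$object->fetch($id);` is followed directly by `$object->delete_contact($lineid)` without checking the fetch result, whereas the `swapstatut` branch just above guards with `if ($object->fetch($id) > 0) { ... } else { dol_print_error($db); }`. Mirroring that guard, `if ($object->fetch($id) > 0) { $result = $object->delete_contact($lineid); } else { dol_print_error($db); }`, avoids running delete_contact on an unloaded object when `$id` is stale. The `$usercancreate` variable now used on the import_lines_from_object line is defined before the hunk; it is worth confirming it is exactly `$user->hasRight('propal', 'creer')` so the replacement does not widen the right. The deletecontact branch continues outside the hunk.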


@ -62,7 +62,7 @@ if ($cancel) {
}
}
if ($action == 'setremise') {
if ($action == 'setremise' && $user->hasRight('societe', 'lire')) {
$object = new Societe($db);
$object->fetch($id);
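Review bot: The `setremise` action writes a discount onto the thirdparty, but the new gate is `$user->hasRight('societe', 'lire')`, the read right; the other thirdparty setters in this same commit (accountancy code, outstanding limit, minimum order amount) require `'creer'`. Unless the discount is deliberately editable by read-only users, this should be `if ($action == 'setremise' && $user->hasRight('societe', 'creer')) {`. The setremise handler continues past the end of the hunk, so any later check there is not visible.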


@ -1627,7 +1627,7 @@ if (empty($reshook)) {
if (!$error && getDolGlobalString('MAIN_DISABLE_CONTACTS_TAB') && $usercancreate) {
if ($action == 'addcontact') {
if ($action == 'addcontact' && $usercancreate) {
if ($object->id > 0) {
$contactid = (GETPOST('userid') ? GETPOST('userid') : GETPOST('contactid'));
$typeid = (GETPOST('typecontact') ? GETPOST('typecontact') : GETPOST('type'));
@ -1645,14 +1645,14 @@ if (empty($reshook)) {
setEventMessages($object->error, $object->errors, 'errors');
}
}
} elseif ($action == 'swapstatut') {
} elseif ($action == 'swapstatut' && $usercancreate) {
// bascule du statut d'un contact
if ($object->id > 0) {
$result = $object->swapContactStatus(GETPOSTINT('ligne'));
} else {
dol_print_error($db);
}
} elseif ($action == 'deletecontact') {
} elseif ($action == 'deletecontact' && $usercancreate) {
// Efface un contact
$result = $object->delete_contact($lineid);
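Review bot: The inner `&& $usercancreate` added to addcontact, swapstatut and deletecontact repeats the test already present in the enclosing `if (!$error && getDolGlobalString('MAIN_DISABLE_CONTACTS_TAB') && $usercancreate)` shown at the top of the hunk, whereas the propal hunk in this commit dropped the outer test when it added the inner ones. Either form is safe, but picking one (or annotating the inner lines with `// Test on permission already done`) keeps the two files aligned. Note also that this deletecontact branch calls `delete_contact($lineid)` without a preceding fetch, so it relies on `$object` having been loaded earlier, outside the hunk.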


@ -118,7 +118,7 @@ if (empty($reshook)) {
$action = '';
}
if ($action == 'add') {
if ($action == 'add' && $user->hasRight('banque', 'configurer')) {
$error = 0;
$db->begin();
@ -237,7 +237,7 @@ if (empty($reshook)) {
}
}
if ($action == 'update') {
if ($action == 'update' && $user->hasRight('banque', 'configurer')) {
$error = 0;
// Update account


@ -77,7 +77,7 @@ if ($categid) {
$bankcateg->update($user);
}
//Delete category
if ($action == 'delete') {
if ($action == 'delete' && $user->hasRight('banque', 'configurer')) {
$bankcateg->delete($user);
}
}
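Review bot: Only the `delete` branch received the `$user->hasRight('banque', 'configurer')` check; the `$bankcateg->update($user)` call at the top of the hunk runs under the enclosing `if ($categid)` whose condition starts before the hunk, so it is not visible whether the update (and any create path above it) is gated by the same right. If the enclosing condition does not include it, the check belongs there too, e.g. `if ($categid && $user->hasRight('banque', 'configurer')) {`. The delete branch also discards the return value of `$bankcateg->delete($user)`, so a failed delete goes unreported in the visible code.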


@ -109,11 +109,11 @@ if (!$object->isProduct() && !$object->isService()) {
header('Location: '.dol_buildpath('/product/card.php?id='.$object->id, 2));
exit();
}
if ($action == 'add') {
if ($action == 'add') { // Test on permission not required
unset($selectedvariant);
unset($_SESSION['addvariant_'.$object->id]);
}
if ($action == 'create' && GETPOST('selectvariant', 'alpha')) { // We click on select combination
if ($action == 'create' && GETPOST('selectvariant', 'alpha') && $usercancreate) { // We click on select combination
$action = 'add';
$attribute_id = GETPOSTINT('attribute');
$attribute_value_id = GETPOSTINT('value');
@ -123,7 +123,7 @@ if ($action == 'create' && GETPOST('selectvariant', 'alpha')) { // We click on s
$_SESSION['addvariant_'.$object->id] = $selectedvariant;
}
}
if ($action == 'create' && $subaction == 'delete') { // We click on select combination
if ($action == 'create' && $subaction == 'delete' && $usercancreate) { // We click on select combination
$action = 'add';
$feature = GETPOST('feature', 'intcomma');
if (isset($selectedvariant[$feature])) {
@ -138,12 +138,12 @@ $prodcomb2val = new ProductCombination2ValuePair($db);
$productCombination2ValuePairs1 = array();
if (($action == 'add' || $action == 'create') && empty($massaction) && !GETPOST('selectvariant', 'alpha') && empty($subaction)) { // We click on Create all defined combinations
if (($action == 'add' || $action == 'create') && $usercancreate && empty($massaction) && !GETPOST('selectvariant', 'alpha') && empty($subaction)) { // We click on Create all defined combinations
//$features = GETPOST('features', 'array');
$features = !empty($_SESSION['addvariant_'.$object->id]) ? $_SESSION['addvariant_'.$object->id] : array();
if (!$features) {
if ($action == 'create') {
if ($action == 'create') { // Test on permission already done
setEventMessages($langs->trans('ErrorFieldsRequired'), null, 'errors');
}
} else {
@ -270,7 +270,7 @@ if (($action == 'add' || $action == 'create') && empty($massaction) && !GETPOST(
$db->commit();
setEventMessages($langs->trans('RecordSaved'), null, 'mesgs');
}
} elseif ($action === 'update' && $combination_id > 0) {
} elseif ($action === 'update' && $combination_id > 0 && $usercancreate) {
if ($prodcomb->fetch($combination_id) < 0) {
dol_print_error($db, $langs->trans('ErrorRecordNotFound'));
exit();
@ -342,7 +342,7 @@ if (($action == 'add' || $action == 'create') && empty($massaction) && !GETPOST(
// Reload variants
$productCombinations = $prodcomb->fetchAllByFkProductParent($object->id, true);
if ($action === 'confirm_deletecombination') {
if ($action === 'confirm_deletecombination' && $usercancreate) {
if ($prodcomb->fetch($combination_id) > 0) {
$db->begin();
@ -357,7 +357,7 @@ if ($action === 'confirm_deletecombination') {
setEventMessages($langs->trans('ProductCombinationAlreadyUsed'), null, 'errors');
$action = '';
}
} elseif ($action === 'edit') {
} elseif ($action === 'edit' && $usercancreate) {
if ($prodcomb->fetch($combination_id) < 0) {
dol_print_error($db, $langs->trans('ErrorRecordNotFound'));
exit();
@ -371,7 +371,7 @@ if ($action === 'confirm_deletecombination') {
$price_impact_percent = $prodcomb->variation_price_percentage;
$productCombination2ValuePairs1 = $prodcomb2val->fetchByFkCombination($combination_id);
} elseif ($action === 'confirm_copycombination') {
} elseif ($action === 'confirm_copycombination' && $usercancreate) {
//Check destination product
$dest_product = GETPOST('dest_product');
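Review bot: In the `confirm_copycombination` branch, `$dest_product = GETPOST('dest_product');` reads the destination without a filter type, while the selectvariant branch earlier in the hunk reads ids with `GETPOSTINT('attribute')` and `GETPOSTINT('value')`. If dest_product is a product rowid, as the "Check destination product" comment suggests, `$dest_product = GETPOSTINT('dest_product');` makes the intent explicit and rejects non-numeric input before it reaches a fetch. The `$usercancreate` gate now sits on every mutating branch, but the `update`, `edit` and copy branches do not visibly verify that `$combination_id` belongs to `$object`; those branches continue past the hunk, so the check may be there.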


@ -61,7 +61,7 @@ $authentication=array(
// Test URL
if ($action=='get')
if ($action == 'get')
{
$parameters = array('authentication'=>$authentication,'id'=>1,'name'=>'','ref_ext'=>'');
dol_syslog("Call method ".$WS_METHOD_GETTHIRDSPARTY);
@ -78,7 +78,7 @@ if ($action=='get')
}
// Test URL
if ($action=='getList')
if ($action == 'getList')
{
$filterthirdparty=array('category'=>'3');
$parameters = array('authentication'=>$authentication,$filterthirdparty);
@ -96,7 +96,7 @@ if ($action=='getList')
}
// Test URL
if ($action=='create')
if ($action == 'create')
{
$newthirdparty=array(
'ref'=>'Test WS Create Client',
@ -109,7 +109,7 @@ if ($action=='create')
'zip'=>'75000',
'town'=>'Paris',
'country_id'=>'1',//France
'customer_code'=>'-1',//Generate code regarding module configuration
'customer_code'=>'-1',//Generate code regarding module configuration
'supplier_code'=>'0',
'phone'=>'0141414141',
'fax'=>'0121212121',
@ -127,8 +127,8 @@ if ($action=='create')
//,'options_attr1'=>'Attr1 balbal', //Extra field example where field code is attr1
//'options_attr2'=>'Attr2 balbal' //Extra field example where field code is attr2
);
$parameters = array('authentication'=>$authentication,'thirdparty'=>$newthirdparty);
dol_syslog("Call method ".$WS_METHOD_CREATETHIRDSPARTY);
$result = $soapclient->call($WS_METHOD_CREATETHIRDSPARTY,$parameters,$ns,'');
@ -144,7 +144,7 @@ if ($action=='create')
}
// Test URL
if ($action=='update')
if ($action == 'update')
{
$thirdparty=array(
'id'=>'1',


@ -140,7 +140,7 @@ if (GETPOST('createpagefromclone', 'alpha')) {
if (empty($action) && $file_manager) {
$action = 'file_manager';
}
if ($action == 'replacesite' || (empty($action) && $replacesite)) {
if ($action == 'replacesite' || (empty($action) && $replacesite)) { // Test on permission not required
$mode = 'replacesite';
}
if (GETPOST('refreshsite') || GETPOST('refreshsite_x') || GETPOST('refreshsite.x')) {
@ -333,7 +333,7 @@ if (GETPOST('optionsitefiles')) {
}
if (empty($sortfield)) {
if ($action == 'file_manager') {
if ($action == 'file_manager') { // Test on permission not required
$sortfield = 'name';
$sortorder = 'ASC';
} else {
@ -344,7 +344,7 @@ if (empty($sortfield)) {
$searchkey = GETPOST('searchstring', 'restricthtml');
if ($action == 'replacesite' || $mode == 'replacesite') {
if ($action == 'replacesite' || $mode == 'replacesite') { // Test on permission not required
$containertype = GETPOST('optioncontainertype', 'aZ09') != '-1' ? GETPOST('optioncontainertype', 'aZ09') : '';
$langcode = GETPOST('optionlanguage', 'aZ09');
$otherfilters = array();
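Review bot: The `// Test on permission not required` annotations are justified only because these lines set `$mode`, `$sortfield` and the search filters for the view; `replacesite` is a bulk search-and-replace over site content, so the branch that actually applies the replacement (not in this hunk) must carry the website write right where it runs. A short comment making that explicit, `// Only prepares the search form; the replacement itself must be permission-gated where it is applied`, would stop a later reader from taking the annotation as covering the whole mode. The `GETPOST('searchstring', 'restricthtml')` value feeds that search and its use lies outside the hunk.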


@ -143,7 +143,7 @@ if ($reshook < 0) {
if (empty($reshook)) {
$backurlforlist = dol_buildpath('/societe/website.php', 1).'?id='.$object->fk_soc;
if ($action == 'add' && !GETPOST('site')) {
if ($action == 'add' && !GETPOST('site')) { // Test on permission not required
setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Website")), null, 'errors');
$action = 'create';
}


@ -636,7 +636,8 @@ class CodingPhpTest extends CommonClassTest
&& !preg_match('/\.tpl\.php/', $file['fullname'])
&& !preg_match('/\.lib\.php/', $file['fullname'])
&& !preg_match('/\.inc\.php/', $file['fullname'])
&& !preg_match('/\.class\.php/', $file['fullname'])) {
&& !preg_match('/\.class\.php/', $file['fullname'])
&& !preg_match('/NORUN$/', $file['fullname'])) {
$ok = true;
$matches = array();
@ -654,7 +655,8 @@ class CodingPhpTest extends CommonClassTest
&& !preg_match('/\$permission/', $val[0])
&& !preg_match('/\$usercan/', $val[0])
&& !preg_match('/\$canedit/', $val[0])
&& !preg_match('/already done/', $val[0])) {
&& !preg_match('/already done/i', $val[0])
&& !preg_match('/not required/i', $val[0])) {
$ok = false;
print "Line: ".$val[0]."\n";
break;
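Review bot: The new `!preg_match('/not required/i', $val[0])` exclusion (and the now case-insensitive `already done` one) whitelists any line whose text contains that phrase anywhere, so an unrelated comment such as `// token not required` or a string literal silently exempts a `$action ==` line from the permission-check test. Anchoring on the exact marker used throughout this commit, `&& !preg_match('/Test on permission (already done|not required)/i', $val[0])`, keeps the escape hatch deliberate. The `NORUN$` exclusion matches on `$file['fullname']`, which is fine as long as the files meant to be skipped really carry that suffix; the enclosing loop starts before the hunk.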