From fb0002a38ee7efdbbf35791f4bbeb2098aa1097e Mon Sep 17 00:00:00 2001
From: Alexandre SPANGARO <aspangaro.dolibarr@gmail.com>
Date: Tue, 2 Nov 2021 04:51:18 +0100
Subject: [PATCH] Factorize user rights

---
 htdocs/societe/paymentmodes.php | 61 ++++++++++++++++-----------------
 1 file changed, 30 insertions(+), 31 deletions(-)

diff --git a/htdocs/societe/paymentmodes.php b/htdocs/societe/paymentmodes.php
index 9cb0eadecf5..18d560f6d9f 100644
--- a/htdocs/societe/paymentmodes.php
+++ b/htdocs/societe/paymentmodes.php
@@ -1,12 +1,13 @@
 <?php
-/* Copyright (C) 2002-2004 Rodolphe Quiedeville <rodolphe@quiedeville.org>
- * Copyright (C) 2003      Jean-Louis Bergamo   <jlb@j1b.org>
- * Copyright (C) 2004-2018 Laurent Destailleur  <eldy@users.sourceforge.net>
- * Copyright (C) 2005-2009 Regis Houssin        <regis.houssin@inodbox.com>
- * Copyright (C) 2013      Peter Fontaine       <contact@peterfontaine.fr>
- * Copyright (C) 2015-2016 Marcos García        <marcosgdf@gmail.com>
- * Copyright (C) 2017      Ferran Marcet        <fmarcet@2byte.es>
- * Copyright (C) 2018 -2021Thibault FOUCART     <support@ptibogxiv.net>
+/* Copyright (C) 2002-2004  Rodolphe Quiedeville <rodolphe@quiedeville.org>
+ * Copyright (C) 2003       Jean-Louis Bergamo   <jlb@j1b.org>
+ * Copyright (C) 2004-2018  Laurent Destailleur  <eldy@users.sourceforge.net>
+ * Copyright (C) 2005-2009  Regis Houssin        <regis.houssin@inodbox.com>
+ * Copyright (C) 2013       Peter Fontaine       <contact@peterfontaine.fr>
+ * Copyright (C) 2015-2016  Marcos García        <marcosgdf@gmail.com>
+ * Copyright (C) 2017       Ferran Marcet        <fmarcet@2byte.es>
+ * Copyright (C) 2018-2021  Thibault FOUCART     <support@ptibogxiv.net>
+ * Copyright (C) 2021       Alexandre Spangaro   <aspangaro@open-dsi.fr>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -41,7 +42,6 @@ require_once DOL_DOCUMENT_ROOT.'/stripe/class/stripe.class.php';
 
 $langs->loadLangs(array("companies", "commercial", "banks", "bills", 'paypal', 'stripe', 'withdrawals'));
 
-
 // Security check
 $socid = GETPOST("socid", "int");
 if ($user->socid) {
@@ -70,6 +70,10 @@ $extrafields->fetch_name_optionals_label($object->table_element);
 // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
 $hookmanager->initHooks(array('thirdpartybancard', 'globalcard'));
 
+$permissiontoread = $user->rights->societe->lire;
+$permissiontoadd = $user->rights->societe->creer; // Used by the include of actions_addupdatedelete.inc.php and actions_builddoc.inc.php
+
+$permissiontoaddupdatepaymentinformation = ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && $permissiontoadd) || (!empty($conf->global->MAIN_USE_ADVANCED_PERMS) && !empty($user->rights->societe->addupdate_thirdparty_payment_information->write)));
 
 if (!empty($conf->stripe->enabled)) {
 	$service = 'StripeTest';
@@ -455,7 +459,6 @@ if (empty($reshook)) {
 
 	$id = $socid;
 	$upload_dir = $conf->societe->multidir_output[$object->entity];
-	$permissiontoadd = $user->rights->societe->creer;
 	include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php';
 
 	$id = $savid;
@@ -703,7 +706,7 @@ if (empty($companybankaccount->socid)) {
 	$companybankaccount->socid = $object->id;
 }
 
-if ($socid && ($action == 'edit' || $action == 'editcard') && $user->rights->societe->creer) {
+if ($socid && ($action == 'edit' || $action == 'editcard') && $permissiontoadd) {
 	print '<form action="'.$_SERVER["PHP_SELF"].'?socid='.$object->id.'" method="post">';
 	print '<input type="hidden" name="token" value="'.newToken().'">';
 	$actionforadd = 'update';
@@ -713,7 +716,7 @@ if ($socid && ($action == 'edit' || $action == 'editcard') && $user->rights->soc
 	print '<input type="hidden" name="action" value="'.$actionforadd.'">';
 	print '<input type="hidden" name="id" value="'.GETPOST("id", "int").'">';
 }
-if ($socid && ($action == 'create' || $action == 'createcard') && $user->rights->societe->creer) {
+if ($socid && ($action == 'create' || $action == 'createcard') && $permissiontoadd) {
 	print '<form action="'.$_SERVER["PHP_SELF"].'?socid='.$object->id.'" method="post">';
 	print '<input type="hidden" name="token" value="'.newToken().'">';
 	$actionforadd = 'add';
@@ -787,12 +790,11 @@ if ($socid && $action != 'edit' && $action != 'create' && $action != 'editcard'
 		}
 
 		if (!empty($conf->stripe->enabled)) {
-			$permissiontowrite = $user->rights->societe->creer;
 			// Stripe customer key 'cu_....' stored into llx_societe_account
 			print '<tr><td class="titlefield">';
-			print $form->editfieldkey("StripeCustomerId", 'key_account', $stripecu, $object, $permissiontowrite, 'string', '', 0, 2, 'socid');
+			print $form->editfieldkey("StripeCustomerId", 'key_account', $stripecu, $object, $permissiontoadd, 'string', '', 0, 2, 'socid');
 			print '</td><td>';
-			print $form->editfieldval("StripeCustomerId", 'key_account', $stripecu, $object, $permissiontowrite, 'string', '', null, null, '', 2, '', 'socid');
+			print $form->editfieldval("StripeCustomerId", 'key_account', $stripecu, $object, $permissiontoadd, 'string', '', null, null, '', 2, '', 'socid');
 			if (!empty($conf->stripe->enabled) && $stripecu && $action != 'editkey_account') {
 				$connect = '';
 				if (!empty($stripeacc)) {
@@ -849,14 +851,13 @@ if ($socid && $action != 'edit' && $action != 'create' && $action != 'editcard'
 	}
 
 	if (!empty($conf->stripe->enabled) && !empty($conf->stripeconnect->enabled) && $conf->global->MAIN_FEATURES_LEVEL >= 2) {
-		$permissiontowrite = $user->rights->societe->creer;
 		$stripesupplieracc = $stripe->getStripeAccount($service, $object->id); // Get Stripe OAuth connect account (no network access here)
 
 		// Stripe customer key 'cu_....' stored into llx_societe_account
 		print '<tr><td class="titlefield">';
-		print $form->editfieldkey("StripeConnectAccount", 'key_account_supplier', $stripesupplieracc, $object, $permissiontowrite, 'string', '', 0, 2, 'socid');
+		print $form->editfieldkey("StripeConnectAccount", 'key_account_supplier', $stripesupplieracc, $object, $permissiontoadd, 'string', '', 0, 2, 'socid');
 		print '</td><td>';
-		print $form->editfieldval("StripeConnectAccount", 'key_account_supplier', $stripesupplieracc, $object, $permissiontowrite, 'string', '', null, null, '', 2, '', 'socid');
+		print $form->editfieldval("StripeConnectAccount", 'key_account_supplier', $stripesupplieracc, $object, $permissiontoadd, 'string', '', null, null, '', 2, '', 'socid');
 		if (!empty($conf->stripe->enabled) && $stripesupplieracc && $action != 'editkey_account_supplier') {
 			$connect = '';
 
@@ -1061,7 +1062,7 @@ if ($socid && $action != 'edit' && $action != 'create' && $action != 'editcard'
 							print $hookmanager->resPrint;
 							// Action column
 							print '<td class="right nowraponall">';
-							if ($user->rights->societe->creer) {
+							if ($permissiontoadd) {
 								if ($stripecu && empty($companypaymentmodetemp->stripe_card_ref)) {
 									print '<a href="'.$_SERVER['PHP_SELF'].'?action=synccardtostripe&socid='.$object->id.'&id='.$companypaymentmodetemp->id.'" class="paddingrightonly marginrightonly">'.$langs->trans("CreateCardOnStripe").'</a>';
 								}
@@ -1214,7 +1215,7 @@ if ($socid && $action != 'edit' && $action != 'create' && $action != 'editcard'
 				print $hookmanager->resPrint;
 				// Action column
 				print '<td class="right nowraponall">';
-				if ($user->rights->societe->creer) {
+				if ($permissiontoadd) {
 					print '<a href="'.DOL_URL_ROOT.'/societe/paymentmodes.php?socid='.$object->id.'&source='.$src->id.'&action=deletecard&token='.newToken().'">';
 					print img_picto($langs->trans("Delete"), 'delete');
 					print '</a>';
@@ -1288,7 +1289,7 @@ if ($socid && $action != 'edit' && $action != 'create' && $action != 'editcard'
 
 	$rib_list = $object->get_all_rib();
 	if (is_array($rib_list)) {
-		print '<div class="div-table-responsive-no-min">'; // You can use div-table-responsive-no-min if you dont need reserved height for your table
+		print '<div class="div-table-responsive-no-min">'; // You can use div-table-responsive-no-min if you don't need reserved height for your table
 		print '<table class="liste centpercent">';
 
 		print '<tr class="liste_titre">';
@@ -1446,7 +1447,7 @@ if ($socid && $action != 'edit' && $action != 'create' && $action != 'editcard'
 
 			// Edit/Delete
 			print '<td class="right nowraponall">';
-			if ($user->rights->societe->creer) {
+			if ($permissiontoadd) {
 				print '<a class="editfielda" href="'.$_SERVER["PHP_SELF"].'?socid='.$object->id.'&id='.$rib->id.'&action=edit">';
 				print img_picto($langs->trans("Modify"), 'edit');
 				print '</a>';
@@ -1486,10 +1487,8 @@ if ($socid && $action != 'edit' && $action != 'create' && $action != 'editcard'
 		 */
 		$filedir = $conf->societe->multidir_output[$object->entity].'/'.$object->id;
 		$urlsource = $_SERVER["PHP_SELF"]."?socid=".$object->id;
-		$genallowed = $user->rights->societe->lire;
-		$delallowed = $user->rights->societe->creer;
 
-		print $formfile->showdocuments('company', $object->id, $filedir, $urlsource, $genallowed, $delallowed, $object->model_pdf, 0, 0, 0, 28, 0, 'entity='.$object->entity, 0, '', $object->default_lang);
+		print $formfile->showdocuments('company', $object->id, $filedir, $urlsource, $permissiontoread, $permissiontoadd, $object->model_pdf, 0, 0, 0, 28, 0, 'entity='.$object->entity, 0, '', $object->default_lang);
 
 		// Show direct download link
 		if (!empty($conf->global->BANK_ACCOUNT_ALLOW_EXTERNAL_DOWNLOAD)) {
@@ -1536,7 +1535,7 @@ if ($socid && $action != 'edit' && $action != 'create' && $action != 'editcard'
 }
 
 // Edit BAN
-if ($socid && $action == 'edit' && $user->rights->societe->creer) {
+if ($socid && $action == 'edit' && $permissiontoadd) {
 	print dol_get_fiche_head($head, 'rib', $langs->trans("ThirdParty"), 0, 'company');
 
 	$linkback = '<a href="'.DOL_URL_ROOT.'/societe/list.php?restore_lastsearch_values=1">'.$langs->trans("BackToList").'</a>';
@@ -1655,7 +1654,7 @@ if ($socid && $action == 'edit' && $user->rights->societe->creer) {
 }
 
 // Edit Card
-if ($socid && $action == 'editcard' && $user->rights->societe->creer) {
+if ($socid && $action == 'editcard' && $permissiontoadd) {
 	print dol_get_fiche_head($head, 'rib', $langs->trans("ThirdParty"), 0, 'company');
 
 	$linkback = '<a href="'.DOL_URL_ROOT.'/societe/list.php?restore_lastsearch_values=1">'.$langs->trans("BackToList").'</a>';
@@ -1698,7 +1697,7 @@ if ($socid && $action == 'editcard' && $user->rights->societe->creer) {
 
 
 // Create BAN
-if ($socid && $action == 'create' && $user->rights->societe->creer) {
+if ($socid && $action == 'create' && $permissiontoadd) {
 	print dol_get_fiche_head($head, 'rib', $langs->trans("ThirdParty"), 0, 'company');
 
 	$linkback = '<a href="'.DOL_URL_ROOT.'/societe/list.php?restore_lastsearch_values=1">'.$langs->trans("BackToList").'</a>';
@@ -1813,7 +1812,7 @@ if ($socid && $action == 'create' && $user->rights->societe->creer) {
 }
 
 // Create Card
-if ($socid && $action == 'createcard' && $user->rights->societe->creer) {
+if ($socid && $action == 'createcard' && $permissiontoadd) {
 	print dol_get_fiche_head($head, 'rib', $langs->trans("ThirdParty"), 0, 'company');
 
 	$linkback = '<a href="'.DOL_URL_ROOT.'/societe/list.php?restore_lastsearch_values=1">'.$langs->trans("BackToList").'</a>';
@@ -1857,10 +1856,10 @@ if ($socid && $action == 'createcard' && $user->rights->societe->creer) {
 	print $form->buttonsSaveCancel("Add");
 }
 
-if ($socid && ($action == 'edit' || $action == 'editcard') && $user->rights->societe->creer) {
+if ($socid && ($action == 'edit' || $action == 'editcard') && $permissiontoadd) {
 	print '</form>';
 }
-if ($socid && ($action == 'create' || $action == 'createcard') && $user->rights->societe->creer) {
+if ($socid && ($action == 'create' || $action == 'createcard') && $permissiontoadd) {
 	print '</form>';
 }