lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Works on enhancement of project tasks

Browse Source 
Fix: security check
This commit is contained in:
Regis Houssin 2010-02-04 15:30:42 +00:00
parent 3f7127839f
commit 0812ba2536
3 changed files with 89 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
htdocs/projet/index.php
View File

@ -41,7 +41,7 @@ if ($user->societe_id > 0)
* View
*/
$company=new Societe($db);
$socstatic=new Societe($db);
$projectstatic=new Project($db);
llxHeader("",$langs->trans("Projects"),"EN:Module_Projects|FR:Module_Projets|ES:Módulo_Proyectos");
@ -60,13 +60,10 @@ print_liste_field_titre($langs->trans("NbOpenTasks"),"","","","",'align="right"'
print_liste_field_titre($langs->trans("Status"),"","","","",'align="right"',$sortfield,$sortorder);
print "</tr>\n";
$sql = "SELECT p.title, p.rowid, p.fk_statut, count(t.rowid) as nb";
$sql = "SELECT p.rowid as projectid, p.ref, p.title, p.fk_user_creat, p.public, p.fk_statut, count(t.rowid) as nb";
$sql.= " FROM ".MAIN_DB_PREFIX."projet as p";
$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s on p.fk_soc = s.rowid";
if (!$user->rights->societe->client->voir && !$socid) $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."projet_task as t ON p.rowid = t.fk_projet";
$sql.= " WHERE p.entity = ".$conf->entity;
//if ($_REQUEST["mode"]=='mine') $sql.=' AND p.fk_user_resp='.$user->id;
if ($socid) $sql.= " AND p.fk_soc = ".$socid;
$sql.= " GROUP BY p.title, p.rowid";
@ -79,14 +76,24 @@ if ( $resql )
while ($i < $num)
{
$row = $db->fetch_object($resql);
$var=!$var;
print "<tr $bc[$var]>";
print '<td nowrap="nowrap"><a href="'.DOL_URL_ROOT.'/projet/fiche.php?id='.$row->rowid.'">'.img_object($langs->trans("ShowProject"),"project")." ".$row->title.'</a></td>';
print '<td align="right">'.$row->nb.'</td>';
$projectstatic->statut=$row->fk_statut;
print '<td align="right">'.$projectstatic->getLibStatut(3).'</td>';
print "</tr>\n";
$objp = $db->fetch_object($resql);
$projectstatic->id = $objp->projectid;
$projectstatic->user_author_id = $objp->fk_user_creat;
$projectstatic->public = $objp->public;
$userAccess = $projectstatic->restrictedProjectArea($user,1);
if ($userAccess >= 0)
{
$var=!$var;
print "<tr $bc[$var]>";
print '<td nowrap="nowrap"><a href="'.DOL_URL_ROOT.'/projet/fiche.php?id='.$objp->projectid.'">'.img_object($langs->trans("ShowProject"),"project")." ".$objp->title.'</a></td>';
print '<td align="right">'.$objp->nb.'</td>';
$projectstatic->statut = $objp->fk_statut;
print '<td align="right">'.$projectstatic->getLibStatut(3).'</td>';
print "</tr>\n";
}
$i++;
}
@ -108,12 +115,11 @@ print_liste_field_titre($langs->trans("Company"),"index.php","s.nom","","","",$s
print_liste_field_titre($langs->trans("NbOfProjects"),"","","","",'align="right"',$sortfield,$sortorder);
print "</tr>\n";
$sql = "SELECT count(p.rowid) as nb, s.nom, s.rowid as socid";
$sql = "SELECT count(p.rowid) as nb";
$sql.= ", s.nom, s.rowid as socid";
$sql.= " FROM ".MAIN_DB_PREFIX."projet as p";
$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s on p.fk_soc = s.rowid";
if (!$user->rights->societe->client->voir && !$socid) $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
$sql.= " WHERE p.entity = ".$conf->entity;
//if ($_REQUEST["mode"]=='mine') $sql.=' AND p.fk_user_resp='.$user->id;
if ($socid) $sql.= " AND s.rowid = ".$socid;
$sql.= " GROUP BY s.nom, s.rowid";
//$sql .= " ORDER BY $sortfield $sortorder " . $db->plimit($conf->liste_limit, $offset);
@ -133,9 +139,9 @@ if ( $resql )
print '<td nowrap="nowrap">';
if ($obj->socid)
{
$company->id=$obj->socid;
$company->nom=$obj->nom;
print $company->getNomUrl(1);
$socstatic->id=$obj->socid;
$socstatic->nom=$obj->nom;
print $socstatic->getNomUrl(1);
}
else
{

91
htdocs/projet/liste.php
View File

@ -66,9 +66,9 @@ $pagenext = $page + 1;
llxHeader("",$langs->trans("Projects"),"EN:Module_Projects|FR:Module_Projets|ES:M&oacute;dulo_Proyectos");
$projectstatic = new Project($db);
$staticsoc=new Societe($db);
$socstatic = new Societe($db);
$sql = "SELECT p.rowid as projectid, p.ref, p.title, p.fk_statut, p.public";
$sql = "SELECT p.rowid as projectid, p.ref, p.title, p.fk_statut, p.public, p.fk_user_creat";
$sql.= ", p.datec as date_create, p.dateo as date_start, p.datee as date_end";
$sql.= ", s.nom, s.rowid as socid";
$sql.= " FROM ".MAIN_DB_PREFIX."projet as p";
@ -128,46 +128,57 @@ if ($resql)
while ($i < $num)
{
$objp = $db->fetch_object($resql);
$var=!$var;
print "<tr $bc[$var]>";
print "<td>";
$projectstatic->id=$objp->projectid;
$projectstatic->ref=$objp->ref;
print $projectstatic->getNomUrl(1);
print "</td>";
// Title
print '<td>';
print dol_trunc($objp->title,24);
print '</td>';
// Company
print '<td>';
if ($objp->socid)
$projectstatic->id = $objp->projectid;
$projectstatic->user_author_id = $objp->fk_user_creat;
$projectstatic->public = $objp->public;
$userAccess = $projectstatic->restrictedProjectArea($user,1);
if ($userAccess >= 0)
{
$staticsoc->id=$objp->socid;
$staticsoc->nom=$objp->nom;
print $staticsoc->getNomUrl(1);
$var=!$var;
print "<tr $bc[$var]>";
// Project url
print "<td>";
$projectstatic->ref = $objp->ref;
print $projectstatic->getNomUrl(1);
print "</td>";
// Title
print '<td>';
print dol_trunc($objp->title,24);
print '</td>';
// Company
print '<td>';
if ($objp->socid)
{
$socstatic->id=$objp->socid;
$socstatic->nom=$objp->nom;
print $socstatic->getNomUrl(1);
}
else
{
print '&nbsp;';
}
print '</td>';
// Visibility
print '<td align="left">';
if ($objp->public) print $langs->trans('SharedProject');
else print $langs->trans('Private');
print '</td>';
// Status
$projectstatic->statut = $objp->fk_statut;
print '<td align="right">'.$projectstatic->getLibStatut(3).'</td>';
print "</tr>\n";
}
else
{
print '&nbsp;';
}
print '</td>';
// Visibility
print '<td align="left">';
if ($objp->public) print $langs->trans('SharedProject');
else print $langs->trans('Private');
print '</td>';
// Status
$projectstatic->statut=$objp->fk_statut;
print '<td align="right">'.$projectstatic->getLibStatut(3).'</td>';
print "</tr>\n";
$i++;
}

15
htdocs/projet/project.class.php
View File

@ -608,7 +608,7 @@ class Project extends CommonObject
/**
* \brief Check permissions
*/
function restrictedProjectArea($user)
function restrictedProjectArea($user,$list=0)
{
// To verify role of users
$userAccess = 0;
@ -635,7 +635,18 @@ class Project extends CommonObject
}
}
if (!$userAccess && !$this->public) accessforbidden('',0);
if (!$userAccess && !$this->public)
{
if (!$list)
{
accessforbidden('',0);
}
else
{
return -1;
}
}
return $userAccess;
}