Merge pull request #8750 from altatof/permissions_hook

NEW add hook for more permissions control
2018-05-10 11:38:58 +02:00 · 2018-05-10 11:38:58 +02:00 · 13837fe850
commit 13837fe850
parent 5fe8249706 9077f18dd6
1 changed files with 12 additions and 11 deletions
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@ -178,21 +178,22 @@ function dol_verifyHash($chain, $hash, $type='0')
 */
 function restrictedArea($user, $features, $objectid=0, $tableandshare='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid', $objcanvas=null)
 {
-    global $db, $conf;
+	global $db, $conf;
+	global $hookmanager;

    //dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename,$feature2,$dbt_socfield,$dbt_select");
    //print "user_id=".$user->id.", features=".$features.", feature2=".$feature2.", objectid=".$objectid;
    //print ", dbtablename=".$dbtablename.", dbt_socfield=".$dbt_keyfield.", dbt_select=".$dbt_select;
    //print ", perm: ".$features."->".$feature2."=".($user->rights->$features->$feature2->lire)."<br>";

-    // If we use canvas, we try to use function that overlod restrictarea if provided with canvas
-    if (is_object($objcanvas))
-    {
-        if (method_exists($objcanvas->control,'restrictedArea')) return $objcanvas->control->restrictedArea($user,$features,$objectid,$dbtablename,$feature2,$dbt_keyfield,$dbt_select);
-    }
-
    if ($dbt_select != 'rowid' && $dbt_select != 'id') $objectid = "'".$objectid."'";

+	// Get more permissions checks from hooks
+	$parameters=array('features'=>$features, 'objectid'=>$objectid, 'idtype'=>$dbt_select);
+	$reshook=$hookmanager->executeHooks('restrictedArea',$parameters);
+	if (! empty($hookmanager->resArray['result']) return true;
+	if ($reshook > 0) return false;
+	
    // Features/modules to check
    $featuresarray = array($features);
    if (preg_match('/&/', $features)) $featuresarray = explode("&", $features);
@ -331,7 +332,7 @@ function restrictedArea($user, $features, $objectid=0, $tableandshare='', $featu

    // Check create user permission
    $createuserok=1;
-    if (GETPOST('action','aZ09') == 'confirm_create_user' && GETPOST("confirm") == 'yes')
+    if (GETPOST('action','aZ09') == 'confirm_create_user' && GETPOST("confirm",'aZ09') == 'yes')
    {
        if (! $user->rights->user->user->creer) $createuserok=0;

@ -341,7 +342,7 @@ function restrictedArea($user, $features, $objectid=0, $tableandshare='', $featu

    // Check delete permission from module
    $deleteok=1; $nbko=0;
-    if ((GETPOST('action','aZ09')  == 'confirm_delete' && GETPOST("confirm") == 'yes') || GETPOST('action','aZ09')  == 'delete')
+    if ((GETPOST("action","aZ09")  == 'confirm_delete' && GETPOST("confirm","aZ09") == 'yes') || GETPOST("action","aZ09")  == 'delete')
    {
        foreach ($featuresarray as $feature)
        {
@ -408,8 +409,8 @@ function restrictedArea($user, $features, $objectid=0, $tableandshare='', $featu
    // is linked to a company allowed to $user.
    if (! empty($objectid) && $objectid > 0)
    {
-    	$ok = checkUserAccessToObject($user, $featuresarray, $objectid, $tableandshare, $feature2, $dbt_keyfield, $dbt_select);
-		return $ok ? 1 : accessforbidden();
+        $ok = checkUserAccessToObject($user, $featuresarray, $objectid, $tableandshare, $feature2, $dbt_keyfield, $dbt_select);
+        return $ok ? 1 : accessforbidden();
    }

    return 1;