diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index c275dd6cda3..f89bba09a76 100644 --- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php @@ -178,21 +178,22 @@ function dol_verifyHash($chain, $hash, $type='0') */ function restrictedArea($user, $features, $objectid=0, $tableandshare='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid', $objcanvas=null) { - global $db, $conf; + global $db, $conf; + global $hookmanager; //dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename,$feature2,$dbt_socfield,$dbt_select"); //print "user_id=".$user->id.", features=".$features.", feature2=".$feature2.", objectid=".$objectid; //print ", dbtablename=".$dbtablename.", dbt_socfield=".$dbt_keyfield.", dbt_select=".$dbt_select; //print ", perm: ".$features."->".$feature2."=".($user->rights->$features->$feature2->lire)."
"; - // If we use canvas, we try to use function that overlod restrictarea if provided with canvas - if (is_object($objcanvas)) - { - if (method_exists($objcanvas->control,'restrictedArea')) return $objcanvas->control->restrictedArea($user,$features,$objectid,$dbtablename,$feature2,$dbt_keyfield,$dbt_select); - } - if ($dbt_select != 'rowid' && $dbt_select != 'id') $objectid = "'".$objectid."'"; + // Get more permissions checks from hooks + $parameters=array('features'=>$features, 'objectid'=>$objectid, 'idtype'=>$dbt_select); + $reshook=$hookmanager->executeHooks('restrictedArea',$parameters); + if (! empty($hookmanager->resArray['result']) return true; + if ($reshook > 0) return false; + // Features/modules to check $featuresarray = array($features); if (preg_match('/&/', $features)) $featuresarray = explode("&", $features); @@ -331,7 +332,7 @@ function restrictedArea($user, $features, $objectid=0, $tableandshare='', $featu // Check create user permission $createuserok=1; - if (GETPOST('action','aZ09') == 'confirm_create_user' && GETPOST("confirm") == 'yes') + if (GETPOST('action','aZ09') == 'confirm_create_user' && GETPOST("confirm",'aZ09') == 'yes') { if (! $user->rights->user->user->creer) $createuserok=0; @@ -341,7 +342,7 @@ function restrictedArea($user, $features, $objectid=0, $tableandshare='', $featu // Check delete permission from module $deleteok=1; $nbko=0; - if ((GETPOST('action','aZ09') == 'confirm_delete' && GETPOST("confirm") == 'yes') || GETPOST('action','aZ09') == 'delete') + if ((GETPOST("action","aZ09") == 'confirm_delete' && GETPOST("confirm","aZ09") == 'yes') || GETPOST("action","aZ09") == 'delete') { foreach ($featuresarray as $feature) { @@ -408,8 +409,8 @@ function restrictedArea($user, $features, $objectid=0, $tableandshare='', $featu // is linked to a company allowed to $user. if (! empty($objectid) && $objectid > 0) { - $ok = checkUserAccessToObject($user, $featuresarray, $objectid, $tableandshare, $feature2, $dbt_keyfield, $dbt_select); - return $ok ? 1 : accessforbidden(); + $ok = checkUserAccessToObject($user, $featuresarray, $objectid, $tableandshare, $feature2, $dbt_keyfield, $dbt_select); + return $ok ? 1 : accessforbidden(); } return 1;