From a8ecce9e6d1d8e550833f69c285ebb9ce0f7bc54 Mon Sep 17 00:00:00 2001
From: altatof
Date: Sat, 5 May 2018 14:31:17 +0200
Subject: [PATCH 1/6] add hook for more permissions control

---
 htdocs/core/lib/security.lib.php | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 4cfc077f0be..15047b2f2d7 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -331,10 +331,17 @@ function restrictedArea($user, $features, $objectid=0, $tableandshare='', $featu
 // is linked to a company allowed to $user.
 if (! empty($objectid) && $objectid > 0)
 {
- $ok = checkUserAccessToObject($user, $featuresarray, $objectid, $tableandshare, $feature2, $dbt_keyfield, $dbt_select);
- return $ok ? 1 : accessforbidden();
+ if (!checkUserAccessToObject($user, $featuresarray, $objectid, $tableandshare, $feature2, $dbt_keyfield, $dbt_select))
+ accessforbidden();
 }

+ // get more permissions checks from hooks
+ global $hookmanager;
+ $hookmanager->initHooks(array('permissions'));
+ $parameters=array('features'=>$features,'objectid'=>preg_replace("/'/", '', $objectid),'idtype'=>$dbt_select);
+ $reshook=$hookmanager->executeHooks('restricted',$parameters);
+ if ($reshook < 0) accessforbidden();
+
 return 1;
 }

From ea4c48047a80e19ddc458cdf24795cd09c21b27c Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 10 May 2018 11:30:27 +0200
Subject: [PATCH 2/6] All new hooks must be addreplace hooks

---
 htdocs/core/lib/security.lib.php | 29 ++++++++++++-----------------
 1 file changed, 12 insertions(+), 17 deletions(-)

diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 15047b2f2d7..b599fac3cfb 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
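Review bot: The new object check `if (!checkUserAccessToObject(...)) accessforbidden();` no longer returns, so the deny path now depends on accessforbidden() terminating the request; if that helper ever returns (its definition is outside this hunk), execution falls through into the hook block and reaches `return 1`, granting access. Keeping an explicit return, `return checkUserAccessToObject(...) ? 1 : accessforbidden();`, keeps the decision independent of that assumption. The hook block also dereferences the global `$hookmanager` with no check that it is set; whether every caller of restrictedArea guarantees that is not visible here. restrictedArea's body starts outside the hunk.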
@@ -111,21 +111,23 @@ function dol_hash($chain,$type=0)
 */
 function restrictedArea($user, $features, $objectid=0, $tableandshare='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid', $objcanvas=null)
 {
- global $db, $conf;
+ global $db, $conf;
+ global $hookmanager;

 //dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename,$feature2,$dbt_socfield,$dbt_select");
 //print "user_id=".$user->id.", features=".$features.", feature2=".$feature2.", objectid=".$objectid;
 //print ", dbtablename=".$dbtablename.", dbt_socfield=".$dbt_keyfield.", dbt_select=".$dbt_select;
 //print ", perm: ".$features."->".$feature2."=".($user->rights->$features->$feature2->lire)."
";

- // If we use canvas, we try to use function that overlod restrictarea if provided with canvas
- if (is_object($objcanvas))
- {
- if (method_exists($objcanvas->control,'restrictedArea')) return $objcanvas->control->restrictedArea($user,$features,$objectid,$dbtablename,$feature2,$dbt_keyfield,$dbt_select);
- }

- if ($dbt_select != 'rowid' && $dbt_select != 'id') $objectid = "'".$objectid."'";

+ // Get more permissions checks from hooks
+ $hookmanager->initHooks(array('permissions'));
+ $parameters=array('features'=>$features, 'objectid'=>$objectid, 'idtype'=>$dbt_select);
+ $reshook=$hookmanager->executeHooks('restrictedArea',$parameters);
+ if (isset($hookmanager->resArray['result']) && empty($hookmanager->resArray['result']) return false;
+ if ($reshook > 0) return true;
+
 // Features/modules to check
 $featuresarray = array($features);
 if (preg_match('/&/', $features)) $featuresarray = explode("&", $features);
@@ -206,7 +208,7 @@ function restrictedArea($user, $features, $objectid=0, $tableandshare='', $featu
 // Check write permission from module
 $createok=1; $nbko=0;
- if (GETPOST("action") == 'create')
+ if (GETPOST("action","apha") == 'create')
 {
 foreach ($featuresarray as $feature)
 {
@@ -261,7 +263,7 @@ function restrictedArea($user, $features, $objectid=0, $tableandshare='', $featu
 // Check create user permission
 $createuserok=1;
- if (GETPOST("action") == 'confirm_create_user' && GETPOST("confirm") == 'yes')
+ if (GETPOST("action","alpha") == 'confirm_create_user' && GETPOST("confirm","alpha") == 'yes')
 {
 if (! $user->rights->user->user->creer) $createuserok=0;
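Review bot: The hook path in the added block signals denial with `return false;`, while every other deny path in restrictedArea ends in accessforbidden(); if callers invoke restrictedArea as a statement and ignore its return value (they are not visible here), a hook-denied request simply continues rendering the page. Denying should call accessforbidden() like the rest of the function, `if (isset($hookmanager->resArray['result']) && empty($hookmanager->resArray['result'])) accessforbidden();`, which also supplies the closing parenthesis the added line is missing — as written `if (isset(...) && empty(...) return false;` does not parse. The following `if ($reshook > 0) return true;` grants access before any module or object permission has been evaluated, so one hook returning a positive status bypasses every standard check; that is the addreplace design the commit title describes, but the hook contract (what a positive return and a set `result` mean) deserves a comment at that line. The same unbalanced parenthesis recurs in the patch 5 and patch 6 hunks below. restrictedArea continues outside the hunk.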
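Review bot: `GETPOST("action","apha")` on the changed line of the `@@ -206,7 +208,7 @@` hunk misspells the check type; the two sibling hunks in this commit pass `"alpha"`. How GETPOST treats an unknown check name is not visible here, but at best the action value is not filtered the way the other call sites are, and at worst the comparison never matches and the write-permission block is skipped; the line should read `if (GETPOST("action","alpha") == 'create')`.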
@@ -271,7 +273,7 @@ function restrictedArea($user, $features, $objectid=0, $tableandshare='', $featu
 // Check delete permission from module
 $deleteok=1; $nbko=0;
- if ((GETPOST("action") == 'confirm_delete' && GETPOST("confirm") == 'yes') || GETPOST("action") == 'delete')
+ if ((GETPOST("action","alpha") == 'confirm_delete' && GETPOST("confirm","alpha") == 'yes') || GETPOST("action","alpha") == 'delete')
 {
 foreach ($featuresarray as $feature)
 {
@@ -335,13 +337,6 @@ function restrictedArea($user, $features, $objectid=0, $tableandshare='', $featu
 accessforbidden();
 }

- // get more permissions checks from hooks
- global $hookmanager;
- $hookmanager->initHooks(array('permissions'));
- $parameters=array('features'=>$features,'objectid'=>preg_replace("/'/", '', $objectid),'idtype'=>$dbt_select);
- $reshook=$hookmanager->executeHooks('restricted',$parameters);
- if ($reshook < 0) accessforbidden();
-
 return 1;
 }

From 0891766a3e631068e17363be7d8a5b532dc5b226 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 10 May 2018 11:31:27 +0200
Subject: [PATCH 3/6] Update security.lib.php

---
 htdocs/core/lib/security.lib.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index b599fac3cfb..86226587416 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -333,8 +333,8 @@ function restrictedArea($user, $features, $objectid=0, $tableandshare='', $featu
 // is linked to a company allowed to $user.
 if (! empty($objectid) && $objectid > 0)
 {
- if (!checkUserAccessToObject($user, $featuresarray, $objectid, $tableandshare, $feature2, $dbt_keyfield, $dbt_select))
- accessforbidden();
+ $ok = checkUserAccessToObject($user, $featuresarray, $objectid, $tableandshare, $feature2, $dbt_keyfield, $dbt_select);
+ if (!checkUserAccessToObject($user, $featuresarray, $objectid, $tableandshare, $feature2, $dbt_keyfield, $dbt_select))
+ return $ok ? 1 : accessforbidden();
 }

 return 1;

From 7be804dcf552f62639bd29ff494e08ad70c8381c Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 10 May 2018 11:32:08 +0200
Subject: [PATCH 4/6] Update security.lib.php

---
 htdocs/core/lib/security.lib.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 86226587416..14c9be76abe 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -333,8 +333,8 @@ function restrictedArea($user, $features, $objectid=0, $tableandshare='', $featu
 // is linked to a company allowed to $user.
 if (! empty($objectid) && $objectid > 0)
 {
- $ok = checkUserAccessToObject($user, $featuresarray, $objectid, $tableandshare, $feature2, $dbt_keyfield, $dbt_select);
+ if (!checkUserAccessToObject($user, $featuresarray, $objectid, $tableandshare, $feature2, $dbt_keyfield, $dbt_select))
- return $ok ? 1 : accessforbidden();
+ $ok = checkUserAccessToObject($user, $featuresarray, $objectid, $tableandshare, $feature2, $dbt_keyfield, $dbt_select);
+ return $ok ? 1 : accessforbidden();
 }

 return 1;

From bc9eaaab8407f2b640b04fb43d6a383111ce4ff8 Mon Sep 17 00:00:00 2001
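Review bot: The added lines call checkUserAccessToObject() twice with identical arguments, so every guarded page with an object id pays the access lookup twice, and the second call decides whether `return $ok ? 1 : accessforbidden();` runs while `$ok` holds the first call's result; if the helper is not a pure read or the two results can differ, the decision becomes ambiguous. One call is enough: `$ok = checkUserAccessToObject(...); if (! $ok) accessforbidden();`, leaving the existing `return 1` after the block to cover the allowed case. restrictedArea continues outside the hunk.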
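Review bot: In the second `@@ -333,8 +333,8 @@` hunk, as it reads, `$ok` is assigned only inside the brace-less `if (!checkUserAccessToObject(...))` body, while `return $ok ? 1 : accessforbidden();` runs unconditionally; when the first check passes, `$ok` is never set, is falsy, and every authorised user is sent to accessforbidden(). Dropping the `if` line and keeping `$ok = checkUserAccessToObject(...); return $ok ? 1 : accessforbidden();` restores a single-check decision. If that `if` line is in fact unchanged context rather than an addition, the defect is the same.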
From: Laurent Destailleur
Date: Thu, 10 May 2018 11:34:20 +0200
Subject: [PATCH 5/6] Update security.lib.php

---
 htdocs/core/lib/security.lib.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 14c9be76abe..ceebdd63681 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -125,8 +125,8 @@ function restrictedArea($user, $features, $objectid=0, $tableandshare='', $featu
 $hookmanager->initHooks(array('permissions'));
 $parameters=array('features'=>$features, 'objectid'=>$objectid, 'idtype'=>$dbt_select);
 $reshook=$hookmanager->executeHooks('restrictedArea',$parameters);
- if (isset($hookmanager->resArray['result']) && empty($hookmanager->resArray['result']) return false;
- if ($reshook > 0) return true;
+ if (! empty($hookmanager->resArray['result']) return true;
+ if ($reshook > 0) return false;

 // Features/modules to check
 $featuresarray = array($features);

From 9077f18dd683c43896096353bfd16575b34186c5 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 10 May 2018 11:37:22 +0200
Subject: [PATCH 6/6] Update security.lib.php

---
 htdocs/core/lib/security.lib.php | 1 -
 1 file changed, 1 deletion(-)

diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 5101772ac66..f89bba09a76 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -189,7 +189,6 @@ function restrictedArea($user, $features, $objectid=0, $tableandshare='', $featu
 if ($dbt_select != 'rowid' && $dbt_select != 'id') $objectid = "'".$objectid."'";

 // Get more permissions checks from hooks
- $hookmanager->initHooks(array('permissions'));
 $parameters=array('features'=>$features, 'objectid'=>$objectid, 'idtype'=>$dbt_select);
 $reshook=$hookmanager->executeHooks('restrictedArea',$parameters);
 if (! empty($hookmanager->resArray['result']) return true;
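Review bot: `if (! empty($hookmanager->resArray['result']) return true;` in the `@@ -125,8 +125,8 @@` hunk is still missing its closing parenthesis and will not parse; it needs `if (! empty($hookmanager->resArray['result'])) return true;`. Beyond syntax, that line grants access on any truthy `result` before the module and object checks below run, and nothing in the hunk resets `resArray` before executeHooks, so a value left by an earlier hook call in the same request would be honoured — whether executeHooks clears it is not visible here. The deny on the next line, `if ($reshook > 0) return false;`, returns instead of calling accessforbidden() as the rest of restrictedArea does; callers that ignore the return value would continue.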
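Review bot: With `$hookmanager->initHooks(array('permissions'))` removed in the `@@ -189,7 +189,6 @@` hunk, the `executeHooks('restrictedArea', ...)` call two lines below runs only against the hook contexts the calling page registered, so a page that never initialised the 'permissions' context silently gets no permission hooks at all; which pages do so is decided outside this hunk. A one-line comment at the `// Get more permissions checks from hooks` line stating that the caller is responsible for initialising the 'permissions' hook context would make that contract explicit. Note also that the `$objectid` handed to hooks in `$parameters` now carries the quotes added by the `$dbt_select` context line above it, unlike the first patch which stripped them, so hook implementations must not assume a bare id.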