Fix: Wrong permission test

2008-05-27 00:31:56 +00:00 · 2008-05-27 00:31:56 +00:00 · 194b985440
commit 194b985440
parent 6e3737139c
4 changed files with 13 additions and 10 deletions
--- a/htdocs/comm/action/index.php
+++ b/htdocs/comm/action/index.php
@ -48,7 +48,7 @@ $status=isset($_GET["status"])?$_GET["status"]:$_POST["status"];
 // Security check
 $socid = isset($_GET["socid"])?$_GET["socid"]:'';
 if ($user->societe_id) $socid=$user->societe_id;
-$result = restrictedArea($user, 'societe', $socid,'');
+$result = restrictedArea($user, 'agenda', $socid, '', 'myactions');

 $canedit=1;
 if (! $user->rights->agenda->myactions->read) accessforbidden();
--- a/htdocs/comm/action/listactions.php
+++ b/htdocs/comm/action/listactions.php
@ -47,7 +47,7 @@ $status=isset($_GET["status"])?$_GET["status"]:$_POST["status"];
 // Security check
 $socid = isset($_GET["socid"])?$_GET["socid"]:'';
 if ($user->societe_id) $socid=$user->societe_id;
-$result = restrictedArea($user, 'societe', $socid,'');
+$result = restrictedArea($user, 'agenda', $socid, '', 'myactions');

 $canedit=1;
 if (! $user->rights->agenda->myactions->read) accessforbidden();
--- a/htdocs/comm/action/rapport/index.php
+++ b/htdocs/comm/action/rapport/index.php
@ -38,12 +38,10 @@ $offset = $limit * $page ;
 if (! $sortorder) $sortorder="DESC";
 if (! $sortfield) $sortfield="a.datep";

-// Sécurité accés client
-if ($user->societe_id > 0) 
-{
-	$action = '';
-	$socid = $user->societe_id;
-}
+// Security check
+$socid = isset($_GET["socid"])?$_GET["socid"]:'';
+if ($user->societe_id) $socid=$user->societe_id;
+$result = restrictedArea($user, 'agenda', $socid, '', 'myactions');



--- a/htdocs/lib/functions.lib.php
+++ b/htdocs/lib/functions.lib.php
@ -1273,8 +1273,9 @@ function info_admin($texte,$infoonimgalt=0)
 \param      feature		Feature to check (in most cases, it's module name)
 \param      objectid      	Object ID if we want to check permission on on object (optionnal)
 \param      dbtable       	Table name where object is stored. Not used if objectid is null (optionnel)
+ \param      feature		Feature to check (second level of permission)
 */
-function restrictedArea($user, $feature='societe', $objectid=0, $dbtablename='')
+function restrictedArea($user, $feature='societe', $objectid=0, $dbtablename='',$feature2='')
 {
 	global $db;

@ -1303,7 +1304,11 @@ function restrictedArea($user, $feature='societe', $objectid=0, $dbtablename='')
 	{
 		if (! $user->rights->banque->cheque) $readok=0;
 	}
-	else if (! empty($feature))
+	else if (! empty($feature2))	// This should be used for future changes
+	{
+		if (! $user->rights->$feature->$feature2->read) $readok=0;
+	}
+	else if (! empty($feature))		// This is for old permissions
 	{
 		if (! $user->rights->$feature->lire) $readok=0;
 	}