From 194b98544018872169a9893996f6b6d295c51536 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 27 May 2008 00:31:56 +0000
Subject: [PATCH] Fix: Wrong permission test
---
 htdocs/comm/action/index.php | 2 +-
 htdocs/comm/action/listactions.php | 2 +-
 htdocs/comm/action/rapport/index.php | 10 ++++------
 htdocs/lib/functions.lib.php | 9 +++++++--
 4 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/htdocs/comm/action/index.php b/htdocs/comm/action/index.php
index 079c45ad5ec..04db4f91010 100644
--- a/htdocs/comm/action/index.php
+++ b/htdocs/comm/action/index.php
@@ -48,7 +48,7 @@ $status=isset($_GET["status"])?$_GET["status"]:$_POST["status"];
 // Security check
 $socid = isset($_GET["socid"])?$_GET["socid"]:'';
 if ($user->societe_id) $socid=$user->societe_id;
-$result = restrictedArea($user, 'societe', $socid,'');
+$result = restrictedArea($user, 'agenda', $socid, '', 'myactions');
 $canedit=1;
 if (! $user->rights->agenda->myactions->read) accessforbidden();
diff --git a/htdocs/comm/action/listactions.php b/htdocs/comm/action/listactions.php
index 03852e277ea..e51b4cf7d77 100644
--- a/htdocs/comm/action/listactions.php
+++ b/htdocs/comm/action/listactions.php
@@ -47,7 +47,7 @@ $status=isset($_GET["status"])?$_GET["status"]:$_POST["status"];
 // Security check
 $socid = isset($_GET["socid"])?$_GET["socid"]:'';
 if ($user->societe_id) $socid=$user->societe_id;
-$result = restrictedArea($user, 'societe', $socid,'');
+$result = restrictedArea($user, 'agenda', $socid, '', 'myactions');
 $canedit=1;
 if (! $user->rights->agenda->myactions->read) accessforbidden();
diff --git a/htdocs/comm/action/rapport/index.php b/htdocs/comm/action/rapport/index.php
index 66834fe1fdd..f05729390ba 100644
--- a/htdocs/comm/action/rapport/index.php
+++ b/htdocs/comm/action/rapport/index.php
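Review bot: The value returned by restrictedArea() on the `+$result = restrictedArea($user, 'agenda', $socid, '', 'myactions');` line is assigned but never inspected in this hunk, and the same `$user->rights->agenda->myactions->read` test is repeated one line below through accessforbidden(), so the page now relies on restrictedArea() aborting by itself; if it only returns a status, `$result` should be acted on (`if (! $result) accessforbidden();`). The `$socid` forwarded as the object id comes verbatim from `$_GET["socid"]` on the context line above with no integer cast; whether that matters depends on how restrictedArea() uses `$objectid` when `$dbtablename` is empty, which is outside this hunk. The listactions.php hunk in this patch has the identical pattern and the same remarks apply there.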
@@ -38,12 +38,10 @@ $offset = $limit * $page ;
 if (! $sortorder) $sortorder="DESC";
 if (! $sortfield) $sortfield="a.datep";
-// Sécurité accés client
-if ($user->societe_id > 0)
-{
- $action = '';
- $socid = $user->societe_id;
-}
+// Security check
+$socid = isset($_GET["socid"])?$_GET["socid"]:'';
+if ($user->societe_id) $socid=$user->societe_id;
+$result = restrictedArea($user, 'agenda', $socid, '', 'myactions');
diff --git a/htdocs/lib/functions.lib.php b/htdocs/lib/functions.lib.php
index 81a2847894e..cfd4ce7137e 100644
--- a/htdocs/lib/functions.lib.php
+++ b/htdocs/lib/functions.lib.php
@@ -1273,8 +1273,9 @@ function info_admin($texte,$infoonimgalt=0)
 \param feature Feature to check (in most cases, it's module name)
 \param objectid Object ID if we want to check permission on on object (optionnal)
 \param dbtable Table name where object is stored. Not used if objectid is null (optionnel)
+ \param feature Feature to check (second level of permission)
 */
-function restrictedArea($user, $feature='societe', $objectid=0, $dbtablename='')
+function restrictedArea($user, $feature='societe', $objectid=0, $dbtablename='',$feature2='')
 {
 global $db;
@@ -1303,7 +1304,11 @@ function restrictedArea($user, $feature='societe', $objectid=0, $dbtablename='')
 { if (! $user->rights->banque->cheque) $readok=0; } - else if (! empty($feature2)) // This should be used for future changes + { + if (! $user->rights->$feature->$feature2->read) $readok=0; + } + else if (! empty($feature)) // This is for old permissions { if (! $user->rights->$feature->lire) $readok=0; }
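Review bot: The removed block also reset `$action = ''` for external users (`$user->societe_id > 0`), and nothing on the new side restores that reset; restrictedArea() takes no `$action` argument (its signature is in the functions.lib.php hunk of this patch), so a request-supplied `$action` from an external user now survives into the rest of the script. If later code dispatches on `$action`, keep the reset beside the new check: `if ($user->societe_id) { $socid=$user->societe_id; $action=''; }`. As in the two other page hunks, `$result` is assigned but not examined; the script continues outside the hunk.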
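Review bot: The added docblock line `+ \param feature Feature to check (second level of permission)` documents a parameter named `feature`, which already has its own `\param` three lines above, while the parameter added to the signature is `$feature2`; it should read `\param feature2 Second-level feature to check (the permission name under $feature, e.g. 'myactions' for rights->agenda->myactions)`. As written the generated documentation shows two conflicting entries for `feature` and none for `feature2`. The body of restrictedArea continues past this hunk.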
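Review bot: The new `else if (! empty($feature2))` branch is guarded only on `$feature2`, so a call that passes an empty `$feature` together with a non-empty `$feature2` evaluates `$user->rights->$feature->...` with an empty property name, which PHP rejects with a fatal error instead of a denial; guard both, `else if (! empty($feature) && ! empty($feature2))`. The branch tests `->read` whereas the legacy branch tests `->lire`, so a comment on the `// This should be used for future changes` line stating that second-level rights are expected as `rights->$feature->$feature2->read` would make the naming contract explicit for callers. The hunk text is collapsed in the copy under review (the removed `else if` line and the marker of the first added line run together), so this reading follows the line counts in the hunk header. restrictedArea continues outside the hunk.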