diff --git a/htdocs/bookmarks/card.php b/htdocs/bookmarks/card.php
index 245161ed253..e8075833d22 100644
--- a/htdocs/bookmarks/card.php
+++ b/htdocs/bookmarks/card.php
@@ -51,12 +51,12 @@ if ($id > 0) {
 $object->fetch($id);
 }
- // Security check
-if (empty($user->rights->bookmark->lire)) {
- restrictedArea($user, 'bookmarks');
-}
+restrictedArea($user, 'bookmark', $object);
+$permissiontoread = $user->hasRight('bookmark', 'lire');
+$permissiontoadd = $user->hasRight('bookmark', 'creer');
+$permissiontodelete = $user->hasRight('bookmark', 'supprimer');
@@ -326,12 +326,12 @@ if ($id > 0 && !preg_match('/^add/i', $action)) {
 print "
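Review bot: `$permissiontodelete` in this hunk is only `hasRight('bookmark', 'supprimer')`, whereas list.php in the same commit also grants delete to the bookmark's owner who holds `creer` (`$permissiontoadd && $object->fk_user == $user->id`) and the new `bookmark` branch in security.lib.php's `restrictedArea()` enforces that same owner rule; the card's Delete button (the second hunk of this file, which tests `$permissiontodelete`) is therefore hidden for an owner the server would let delete. Suggest mirroring list.php so the two pages agree: `$permissiontodelete = ($user->hasRight('bookmark', 'supprimer') || ($permissiontoadd && (int) $object->fk_user === (int) $user->id));`. Since `$object` is only fetched in the `if ($id > 0)` context above, the owner clause is simply false on the create path, which is the intended fallback to the `supprimer` right. The trailing context of this hunk is not visible, so I cannot tell whether a later line re-derives the permission.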
\n"; // Edit - if ($user->rights->bookmark->creer && $action != 'edit') { + if ($permissiontoadd && $action != 'edit') { print ''.$langs->trans("Edit").''."\n"; } // Remove - if ($user->rights->bookmark->supprimer && $action != 'edit') { + if ($permissiontodelete && $action != 'edit') { print ''.$langs->trans("Delete").''."\n"; } diff --git a/htdocs/bookmarks/class/bookmark.class.php b/htdocs/bookmarks/class/bookmark.class.php index ffc0b24619b..7e1e3825b39 100644 --- a/htdocs/bookmarks/class/bookmark.class.php +++ b/htdocs/bookmarks/class/bookmark.class.php @@ -60,7 +60,7 @@ class Bookmark extends CommonObject public $id; /** - * @var int User ID + * @var int User ID. If > 0, bookmark of one user. If == 0, bookmark public (for everybody) */ public $fk_user; @@ -233,15 +233,14 @@ class Bookmark extends CommonObject /** * Removes the bookmark * - * @param int $id Id removed bookmark - * @return int <0 si ko, >0 si ok + * @param User $user User deleting + * @return int <0 if KO, >0 if OK */ - public function remove($id) + public function delete($user) { $sql = "DELETE FROM ".MAIN_DB_PREFIX."bookmark"; - $sql .= " WHERE rowid = ".((int) $id); + $sql .= " WHERE rowid = ".((int) $this->id); - dol_syslog("Bookmark::remove", LOG_DEBUG); $resql = $this->db->query($sql); if ($resql) { return 1; diff --git a/htdocs/bookmarks/list.php b/htdocs/bookmarks/list.php index 3eae08bb60a..3e80dcb4eae 100644 --- a/htdocs/bookmarks/list.php +++ b/htdocs/bookmarks/list.php 
@@ -63,14 +63,17 @@ if (!$sortorder) {
 // Initialize Objects
 $object = new Bookmark($db);
+if ($id > 0) {
+ $object->fetch($id);
+}
 // Security check
-restrictedArea($user, 'bookmark');
+restrictedArea($user, 'bookmark', $object);
 // Permissions
-$permissiontoread = !empty($user->rights->bookmark->lire);
-$permissiontoadd = !empty($user->rights->bookmark->creer);
-$permissiontodelete = !empty($user->rights->bookmark->supprimer);
+$permissiontoread = $user->hasRight('bookmark', 'lire');
+$permissiontoadd = $user->hasRight('bookmark', 'creer');
+$permissiontodelete = ($user->hasRight('bookmark', 'supprimer') || ($permissiontoadd && $object->fk_user == $user->id));
 /*
@@ -85,13 +88,15 @@ if (!GETPOST('confirmmassaction', 'alpha') && $massaction != 'presend' && $massa
 $massaction = '';
 }
-if ($action == 'delete') {
- $res = $object->remove($id);
+if ($action == 'delete' && $permissiontodelete) {
+ $object->fetch($id);
+ $res = $object->delete($user);
 if ($res > 0) {
 header("Location: ".$_SERVER["PHP_SELF"]);
 exit;
 } else {
 setEventMessages($object->error, $object->errors, 'errors');
+ $action = '';
 }
 }
@@ -196,7 +201,7 @@ print '';
 print '';
 $newcardbutton = '';
-$newcardbutton .= dolGetButtonTitle($langs->trans('New'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/bookmarks/card.php?action=create&backtopage='.urlencode(DOL_URL_ROOT.'/bookmarks/list.php'), '', !empty($user->rights->bookmark->creer));
+$newcardbutton .= dolGetButtonTitle($langs->trans('New'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/bookmarks/card.php?action=create&backtopage='.urlencode(DOL_URL_ROOT.'/bookmarks/list.php'), '', $permissiontoadd);
 print_barre_liste($title, $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, $massactionbutton, $num, $nbtotalofrecords, 'bookmark', 0, $newcardbutton, '', $limit, 0, 0, 1);
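Review bot: The return value of `$object->fetch($id)` in the new `if ($id > 0)` block is never checked, so for an unknown `$id` the object stays empty and both `restrictedArea()` and the `$permissiontodelete` owner test run against an unset `fk_user`; that happens to fail closed, but a failed fetch should be reported rather than fall through, e.g. `if ($id > 0 && $object->fetch($id) <= 0) { setEventMessages($object->error, $object->errors, 'errors'); $id = 0; }`. The owner comparison `$object->fk_user == $user->id` is loose; cast both sides so a string `fk_user` from the database and an empty object cannot match by accident: `(int) $object->fk_user === (int) $user->id`. The identical owner rule is written a second time in this commit inside `restrictedArea()` in security.lib.php; keeping the two expressions textually the same avoids them drifting apart.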
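Review bot: The delete handler still accepts `$action == 'delete'` with `$id` of 0: `$permissiontodelete` is true for any user with `supprimer`, `$object->fetch(0)` fails unchecked, and `delete()` (which now uses `(int) $this->id`) runs `DELETE ... WHERE rowid = 0`, removing nothing yet returning 1 and redirecting as if it had succeeded. Guard on the id and on the fetch result, e.g. `if ($action == 'delete' && $permissiontodelete && $id > 0) {` followed by `$res = ($object->fetch($id) > 0) ? $object->delete($user) : -1;`. The `fetch()` here also repeats the one added earlier in this file inside `if ($id > 0)`, which already loaded the same object for the permission test, so the second call can go once the first one is checked.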
@@ -235,8 +240,8 @@ while ($i < min($num, $limit)) {
 }
 $title = $obj->title;
 $link = $obj->url;
- $canedit = $user->rights->bookmark->supprimer;
- $candelete = $user->rights->bookmark->creer;
+ $canedit = $permissiontoadd;
+ $candelete = $permissiontodelete;
 // Title
 print '';
@@ -268,7 +273,7 @@ while ($i < min($num, $limit)) {
 // Author
 print '';
- if ($obj->fk_user) {
+ if ($obj->fk_user > 0) {
 if (empty($conf->cache['users'][$obj->fk_user])) {
 $tmpuser = new User($db);
 $tmpuser->fetch($obj->fk_user);
@@ -294,10 +299,10 @@ while ($i < min($num, $limit)) {
 // Actions
 print '';
 if ($canedit) {
- print ''.img_edit()."";
+ print ''.img_edit()."";
 }
 if ($candelete) {
- print 'rowid.'">'.img_delete().'';
+ print 'rowid.'">'.img_delete().'';
 }
 print "";
 print "\n";
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index c372f617237..e3a4eb23b18 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -635,7 +635,13 @@ function restrictedArea(User $user, $features, $object = 0, $tableandshare = '',
 $nbko = 0;
 if ((GETPOST("action", "aZ09") == 'confirm_delete' && GETPOST("confirm", "aZ09") == 'yes') || GETPOST("action", "aZ09") == 'delete') {
 foreach ($featuresarray as $feature) {
- if ($feature == 'contact') {
+ if ($feature == 'bookmark') {
+ if (!$user->rights->bookmark->supprimer) {
+ if ($user->id != $object->fk_user || empty($user->rights->bookmark->creer)) {
+ $deleteok = 0;
+ }
+ }
+ } elseif ($feature == 'contact') {
 if (!$user->rights->societe->contact->supprimer) {
 $deleteok = 0;
 }
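Review bot: `$candelete = $permissiontodelete;` applies a page-level value inside the per-row loop, but `$permissiontodelete` was derived from `$object` (the bookmark named by the page's `$id`, normally absent on a list) rather than from the row being printed; a user with only `creer` therefore never gets the delete icon on their own bookmarks, and if `$id` happens to name one they own the icon appears on every row even though `restrictedArea()` will refuse the non-owned ones. Compute it per row from the data the loop already reads (`$obj->fk_user` is used a few lines later in the Author column): `$candelete = ($user->hasRight('bookmark', 'supprimer') || ($permissiontoadd && (int) $obj->fk_user === (int) $user->id));`. `$canedit = $permissiontoadd;` is fine as a global right. The enclosing `while` loop starts before this hunk.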
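Review bot: The new `bookmark` branch dereferences `$object->fk_user` although `$object` defaults to `0` in `restrictedArea()`'s signature, so any remaining caller that passes no object on a delete action raises a property-read-on-int warning (it still denies, because `$user->id != null` is true); guard on the object and cast the comparison: `if (!is_object($object) || (int) $object->fk_user !== (int) $user->id || !$user->hasRight('bookmark', 'creer')) {`. The branch also reads `$user->rights->bookmark->supprimer` while the rest of this commit moves to `$user->hasRight()`; `if (!$user->hasRight('bookmark', 'supprimer')) {` keeps the style consistent within the commit. This is the same owner rule list.php computes into `$permissiontodelete`, so the two should stay textually aligned or one should be derived from the other. `restrictedArea()` begins before this hunk and the `foreach` continues after it.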