From 1e65d24293c9092c973d1c27fab7aed953084a79 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 3 Jan 2023 19:16:38 +0100 Subject: [PATCH] Fix missing security check on payment --- htdocs/compta/payment_sc/card.php | 14 ++++++++++++-- htdocs/core/lib/security.lib.php | 9 +++++++++ 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/htdocs/compta/payment_sc/card.php b/htdocs/compta/payment_sc/card.php index 39bac75ba0c..238a2f9072d 100644 --- a/htdocs/compta/payment_sc/card.php +++ b/htdocs/compta/payment_sc/card.php @@ -46,8 +46,6 @@ $confirm = GETPOST('confirm', 'aZ09'); if ($user->socid) { $socid = $user->socid; } -// TODO ajouter regle pour restreindre acces paiement -//$result = restrictedArea($user, 'facture', $id,''); $object = new PaymentSocialContribution($db); if ($id > 0) { @@ -57,6 +55,8 @@ if ($id > 0) { } } +$result = restrictedArea($user, 'payment_sc', $id, ''); + /* * Actions @@ -77,6 +77,16 @@ if ($action == 'confirm_delete' && $confirm == 'yes' && $user->rights->tax->char } } +/*if ($action == 'setdatep' && GETPOST('datepday') && $user->hasRight('tax', 'charges', 'creer')) { + $datepaye = dol_mktime(GETPOST('datephour', 'int'), GETPOST('datepmin', 'int'), GETPOST('datepsec', 'int'), GETPOST('datepmonth', 'int'), GETPOST('datepday', 'int'), GETPOST('datepyear', 'int')); + $res = $object->update_date($datepaye); + if ($res === 0) { + setEventMessages($langs->trans('PaymentDateUpdateSucceeded'), null, 'mesgs'); + } else { + setEventMessages($langs->trans('PaymentDateUpdateFailed'), null, 'errors'); + } +}*/ + /* * View diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index 0a7e9615a70..5f521fd63de 100644 --- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php @@ -466,6 +466,11 @@ function restrictedArea(User $user, $features, $object = 0, $tableandshare = '', $readok = 0; $nbko++; } + } elseif ($feature == 'payment_sc') { + if (empty($user->rights->tax->charges->lire)) { + $readok = 0; + $nbko++; + } } elseif (!empty($feature2)) { // This is for permissions on 2 levels $tmpreadok = 1; foreach ($feature2 as $subfeature) { @@ -648,6 +653,10 @@ function restrictedArea(User $user, $features, $object = 0, $tableandshare = '', if (!$user->rights->facture->paiement) { $deleteok = 0; } + } elseif ($feature == 'payment_sc') { + if (!$user->rights->tax->charges->creer) { + $deleteok = 0; + } } elseif ($feature == 'banque') { if (empty($user->rights->banque->modifier)) { $deleteok = 0;