lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix: Permissions to see project

Browse Source 
Conflicts:
	htdocs/projet/fiche.php
This commit is contained in:
Laurent Destailleur 2012-05-23 14:34:44 +02:00
parent c6c9861bff
commit 1fec3b56d9
9 changed files with 79 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
htdocs/core/lib/security.lib.php
View File

@ -373,7 +373,7 @@ function restrictedArea($user, $features, $objectid=0, $dbtablename='', $feature
{
include_once(DOL_DOCUMENT_ROOT."/projet/class/project.class.php");
$projectstatic=new Project($db);
$tmps=$projectstatic->getProjectsAuthorizedForUser($user,0,1,$user->societe_id);
$tmps=$projectstatic->getProjectsAuthorizedForUser($user,0,1,0);
$tmparray=explode(',',$tmps);
if (! in_array($objectid,$tmparray)) accessforbidden();
}

19
htdocs/projet/class/project.class.php
View File

@ -791,12 +791,13 @@ class Project extends CommonObject
if ($mode == 'write' && $user->rights->projet->creer) $userAccess++;
if ($mode == 'delete' && $user->rights->projet->supprimer) $userAccess++;
}
if ($source == 'external' && preg_match('/PROJECT/', $userRole[$nblinks]['code']) && $user->contact_id == $userRole[$nblinks]['id'])
// Permission are supported on users only. To have an external thirdparty contact to see a project, its user must allowed to contacts of projects.
/*if ($source == 'external' && preg_match('/PROJECT/', $userRole[$nblinks]['code']) && $user->contact_id == $userRole[$nblinks]['id'])
{
if ($mode == 'read' && $user->rights->projet->lire) $userAccess++;
if ($mode == 'write' && $user->rights->projet->creer) $userAccess++;
if ($mode == 'delete' && $user->rights->projet->supprimer) $userAccess++;
}
}*/
$nblinks++;
}
}
@ -840,18 +841,24 @@ class Project extends CommonObject
if ($mode == 0)
{
$sql.= " AND ec.element_id = p.rowid AND ( p.public = 1";
$sql.= " AND ec.element_id = p.rowid";
$sql.= " AND ( p.public = 1";
//$sql.= " OR p.fk_user_creat = ".$user->id;
$sql.= " OR ( ctc.rowid = ec.fk_c_type_contact";
$sql.= " AND ctc.element = '" . $this->element . "'";
$sql.= " AND ec.fk_socpeople = " . $user->contact_id . " ) )";
$sql.= " AND ( (ctc.source = 'internal' AND ec.fk_socpeople = ".$user->id.")";
//$sql.= " OR (ctc.source = 'external' AND ec.fk_socpeople = ".($user->contact_id?$user->contact_id:0).")"; // Permission are supported on users only. To have an external thirdparty contact to see a project, its user must allowed to contacts of projects.
$sql.= " )";
$sql.= " ))";
}
if ($mode == 1)
{
$sql.= " AND ec.element_id = p.rowid";
$sql.= " AND ctc.rowid = ec.fk_c_type_contact";
$sql.= " AND ctc.element = '" . $this->element . "'";
$sql.= " AND ec.fk_socpeople = " . $user->contact_id;
$sql.= " AND ( (ctc.source = 'internal' AND ec.fk_socpeople = ".$user->id.")";
//$sql.= " OR (ctc.source = 'external' AND ec.fk_socpeople = ".($user->contact_id?$user->contact_id:0).")"; // Permission are supported on users only. To have an external thirdparty contact to see a project, its user must allowed to contacts of projects.
$sql.= " )";
}
if ($mode == 2)
{
@ -1204,4 +1211,4 @@ class Project extends CommonObject
}
?>
?>

26
htdocs/projet/contact.php
View File

@ -1,5 +1,6 @@
<?php
/* Copyright (C) 2010 Regis Houssin <regis@dolibarr.fr>
/* Copyright (C) 2010 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2012 Laurent Destailleur <eldy@users.sourceforge.net>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -31,14 +32,21 @@ $langs->load("projects");
$langs->load("companies");
$id = GETPOST('id','int');
$ref= GETPOST('ref');
$ref= GETPOST('ref','alpha');
$mine = $_REQUEST['mode']=='mine' ? 1 : 0;
//if (! $user->rights->projet->all->lire) $mine=1; // Special for projects
$project = new Project($db);
if ($ref)
{
$project->fetch(0,$ref);
$id=$project->id;
}
// Security check
$socid=0;
if ($user->societe_id) $socid=$user->societe_id;
if ($user->societe_id > 0) $socid=$user->societe_id;
$result = restrictedArea($user, 'projet', $id);
@ -49,9 +57,7 @@ $result = restrictedArea($user, 'projet', $id);
// Add new contact
if ($_POST["action"] == 'addcontact' && $user->rights->projet->creer)
{
$result = 0;
$project = new Project($db);
$result = $project->fetch($id);
if ($result > 0 && $id > 0)
@ -81,7 +87,6 @@ if ($_POST["action"] == 'addcontact' && $user->rights->projet->creer)
// bascule du statut d'un contact
if ($_GET["action"] == 'swapstatut' && $user->rights->projet->creer)
{
$project = new Project($db);
if ($project->fetch($id))
{
$result=$project->swapContactStatus(GETPOST('ligne'));
@ -95,7 +100,6 @@ if ($_GET["action"] == 'swapstatut' && $user->rights->projet->creer)
// Efface un contact
if ($_GET["action"] == 'deleteline' && $user->rights->projet->creer)
{
$project = new Project($db);
$project->fetch($id);
$result = $project->delete_contact($_GET["lineid"]);
@ -133,8 +137,6 @@ dol_htmloutput_mesg($mesg);
if ($id > 0 || ! empty($ref))
{
$project = new Project($db);
if ( $project->fetch($id,$ref) > 0)
{
if ($project->societe->id > 0) $result=$project->societe->fetch($project->societe->id);
@ -211,14 +213,14 @@ if ($id > 0 || ! empty($ref))
$var = false;
print '<form action="'.$_SERVER["PHP_SELF"].'?id='.$id.'" method="POST">';
print '<form action="'.$_SERVER["PHP_SELF"].'?id='.$project->id.'" method="POST">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="addcontact">';
print '<input type="hidden" name="source" value="internal">';
print '<input type="hidden" name="id" value="'.$id.'">';
print '<input type="hidden" name="id" value="'.$project->id.'">';
// Ligne ajout pour contact interne
print "<tr $bc[$var]>";
print "<tr ".$bc[$var].">";
print '<td nowrap="nowrap">';
print img_object('','user').' '.$langs->trans("Users");

17
htdocs/projet/document.php
View File

@ -1,5 +1,6 @@
<?php
/* Copyright (C) 2010 Regis Houssin <regis@dolibarr.fr>
/* Copyright (C) 2010 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2012 Laurent Destailleur <eldy@users.sourceforge.net>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -36,6 +37,14 @@ $mine = $_REQUEST['mode']=='mine' ? 1 : 0;
$id = GETPOST('id','int');
$ref= GETPOST('ref');
$project = new Project($db);
if (! $project->fetch($id,$ref) > 0)
{
dol_print_error($db);
exit;
}
else $id=$project->id;
// Security check
$socid=0;
if ($user->societe_id > 0) $socid=$user->societe_id;
@ -52,12 +61,6 @@ $pagenext = $page + 1;
if (! $sortorder) $sortorder="ASC";
if (! $sortfield) $sortfield="name";
$project = new Project($db);
if (! $project->fetch($id,$ref) > 0)
{
dol_print_error($db);
exit;
}
/*

13
htdocs/projet/element.php
View File

@ -46,10 +46,8 @@ if ($conf->commande->enabled) $langs->load("orders");
if ($conf->propal->enabled) $langs->load("propal");
if ($conf->ficheinter->enabled) $langs->load("interventions");
$projectid='';
$ref='';
if (isset($_GET["id"])) { $projectid=$_GET["id"]; }
if (isset($_GET["ref"])) { $ref=$_GET["ref"]; }
$projectid=GETPOST('id');
$ref=GETPOST('ref');
if ($projectid == '' && $ref == '')
{
dol_print_error('','Bad parameter');
@ -59,6 +57,13 @@ if ($projectid == '' && $ref == '')
$mine = $_REQUEST['mode']=='mine' ? 1 : 0;
//if (! $user->rights->projet->all->lire) $mine=1; // Special for projects
$project = new Project($db);
if ($ref)
{
$project->fetch(0,$ref);
$projectid=$project->id;
}
// Security check
$socid=0;
if ($user->societe_id > 0) $socid=$user->societe_id;

15
htdocs/projet/fiche.php
View File

@ -43,6 +43,13 @@ if ($id == '' && $ref == '' && ($action != "create" && $action != "add" && $acti
$mine = GETPOST('mode')=='mine' ? 1 : 0;
//if (! $user->rights->projet->all->lire) $mine=1; // Special for projects
$project = new Project($db);
if ($ref)
{
$project->fetch(0,$ref);
$id=$project->id;
}
// Security check
$socid=0;
if ($user->societe_id > 0) $socid=$user->societe_id;
@ -116,8 +123,6 @@ if ($action == 'add' && $user->rights->projet->creer)
$db->begin();
$project = new Project($db);
$project->ref = GETPOST('ref','alpha');
$project->title = GETPOST('title','alpha');
$project->socid = GETPOST('socid','int');
@ -184,7 +189,6 @@ if ($action == 'update' && ! $_POST["cancel"] && $user->rights->projet->creer)
}
if (! $error)
{
$project = new Project($db);
$project->fetch($id);
$old_start_date = $project->date_start;
@ -220,7 +224,6 @@ if ($action == 'update' && ! $_POST["cancel"] && $user->rights->projet->creer)
// Build doc
if ($action == 'builddoc' && $user->rights->projet->creer)
{
$project = new Project($db);
$project->fetch($id);
if (GETPOST('model'))
{
@ -249,7 +252,6 @@ if ($action == 'builddoc' && $user->rights->projet->creer)
if ($action == 'confirm_validate' && GETPOST('confirm') == 'yes')
{
$project = new Project($db);
$project->fetch($id);
$result = $project->setValid($user);
@ -261,7 +263,6 @@ if ($action == 'confirm_validate' && GETPOST('confirm') == 'yes')
if ($action == 'confirm_close' && GETPOST('confirm') == 'yes')
{
$project = new Project($db);
$project->fetch($id);
$result = $project->setClose($user);
if ($result <= 0)
@ -272,7 +273,6 @@ if ($action == 'confirm_close' && GETPOST('confirm') == 'yes')
if ($action == 'confirm_reopen' && GETPOST('confirm') == 'yes')
{
$project = new Project($db);
$project->fetch($id);
$result = $project->setValid($user);
if ($result <= 0)
@ -283,7 +283,6 @@ if ($action == 'confirm_reopen' && GETPOST('confirm') == 'yes')
if ($action == 'confirm_delete' && GETPOST("confirm") == "yes" && $user->rights->projet->supprimer)
{
$project = new Project($db);
$project->fetch($id);
$result=$project->delete($user);
if ($result > 0)

7
htdocs/projet/ganttview.php
View File

@ -35,6 +35,13 @@ $ref=GETPOST('ref','alpha');
$mine = $_REQUEST['mode']=='mine' ? 1 : 0;
//if (! $user->rights->projet->all->lire) $mine=1; // Special for projects
$object = new Project($db);
if ($ref)
{
$object->fetch(0,$ref);
$id=$object->id;
}
// Security check
$socid=0;
if ($user->societe_id > 0) $socid=$user->societe_id;

15
htdocs/projet/note.php
View File

@ -1,5 +1,6 @@
<?php
/* Copyright (C) 2010 Regis Houssin <regis@dolibarr.fr>
/* Copyright (C) 2010 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2012 Laurent Destailleur <eldy@users.sourceforge.net>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -34,6 +35,13 @@ $ref= GETPOST('ref');
$mine = $_REQUEST['mode']=='mine' ? 1 : 0;
//if (! $user->rights->projet->all->lire) $mine=1; // Special for projects
$project = new Project($db);
if ($ref)
{
$project->fetch(0,$ref);
$id=$project->id;
}
// Security check
$socid=0;
if ($user->societe_id > 0) $socid=$user->societe_id;
@ -47,7 +55,6 @@ $result = restrictedArea($user, 'projet', $id);
if ($action == 'update_public' && $user->rights->projet->creer)
{
$project = new Project($db);
$project->fetch($_GET['id']);
$db->begin();
@ -66,7 +73,6 @@ if ($action == 'update_public' && $user->rights->projet->creer)
if ($action == 'update_private' && $user->rights->projet->creer)
{
$project = new Project($db);
$project->fetch($_GET['id']);
$db->begin();
@ -99,8 +105,7 @@ $now=dol_now();
if ($id > 0 || ! empty($ref))
{
if ($mesg) print $mesg;
dol_htmloutput_mesg($mesg);
if ($project->fetch($id, $ref))
{

11
htdocs/projet/tasks.php
View File

@ -42,11 +42,17 @@ $mode = GETPOST('mode', 'alpha');
$mine = ($mode == 'mine' ? 1 : 0);
//if (! $user->rights->projet->all->lire) $mine=1; // Special for projects
$object = new Project($db);
if ($ref)
{
$object->fetch(0,$ref);
$id=$object->id;
}
// Security check
$socid=0;
if ($user->societe_id > 0) $socid = $user->societe_id;
//$result = restrictedArea($user, 'projet', $projectid);
if (!$user->rights->projet->lire) accessforbidden();
$result = restrictedArea($user, 'projet', $id);
$progress=GETPOST('progress', 'int');
$label=GETPOST('label', 'alpha');
@ -54,7 +60,6 @@ $description=GETPOST('description', 'alpha');
$userAccess=0;
$object = new Project($db);
/*