From 342ca9cf039716246323a8e953208633b771c590 Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Sun, 30 Jan 2011 13:36:50 +0000
Subject: [PATCH] Fix: debug permissions

---
 htdocs/adherents/admin/adherent.php | 2 +
 htdocs/adherents/fiche.php | 1 +
 htdocs/adherents/type.php | 4 +
 htdocs/admin/menus/edit.php | 3 +-
 htdocs/admin/menus/index.php | 4 +-
 htdocs/core/class/html.formadmin.class.php | 89 +++++++++++----------
 htdocs/includes/menus/init_menu_auguria.sql | 2 +-
 htdocs/includes/menus/init_menu_iphone.sql | 2 +-
 8 files changed, 60 insertions(+), 47 deletions(-)

diff --git a/htdocs/adherents/admin/adherent.php b/htdocs/adherents/admin/adherent.php
index c703cc5bd00..a5daa628f3b 100644
--- a/htdocs/adherents/admin/adherent.php
+++ b/htdocs/adherents/admin/adherent.php
@@ -4,6 +4,8 @@
  * Copyright (C) 2004-2010 Laurent Destailleur
  * Copyright (C) 2004 Sebastien Di Cintio
  * Copyright (C) 2004 Benoit Mortier
+ * Copyright (C) 2005-2011 Regis Houssin
+ *
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
diff --git a/htdocs/adherents/fiche.php b/htdocs/adherents/fiche.php
index 900fe471d20..280af1fec54 100644
--- a/htdocs/adherents/fiche.php
+++ b/htdocs/adherents/fiche.php
@@ -2,6 +2,7 @@
 /* Copyright (C) 2001-2004 Rodolphe Quiedeville
  * Copyright (C) 2002-2003 Jean-Louis Bergamo
  * Copyright (C) 2004-2010 Laurent Destailleur
+ * Copyright (C) 2005-2011 Regis Houssin
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
diff --git a/htdocs/adherents/type.php b/htdocs/adherents/type.php
index bc9d24a7928..0620571f1b4 100644
--- a/htdocs/adherents/type.php
+++ b/htdocs/adherents/type.php
@@ -2,6 +2,7 @@ /* Copyright (C) 2001-2002 Rodolphe Quiedeville * Copyright (C) 2003 Jean-Louis Bergamo * Copyright (C) 2004-2010 Laurent Destailleur + * Copyright (C) 2005-2011 Regis Houssin * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -33,6 +34,9 @@ $langs->load("members"); $rowid=isset($_GET["rowid"])?$_GET["rowid"]:$_POST["rowid"]; +// Security check +if (! $user->rights->adherent->lire) accessforbidden(); + if ($_REQUEST["button_removefilter"]) { $_GET["search_nom"]=""; diff --git a/htdocs/admin/menus/edit.php b/htdocs/admin/menus/edit.php index b4f6d107ef0..893c0f3b9de 100644 --- a/htdocs/admin/menus/edit.php +++ b/htdocs/admin/menus/edit.php @@ -1,7 +1,7 @@ * Copyright (C) 2007-2010 Laurent Destailleur - * Copyright (C) 2009-2010 Regis Houssin + * Copyright (C) 2009-2011 Regis Houssin * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -333,7 +333,6 @@ if (isset($_GET["action"]) && $_GET["action"] == 'create') print ''; } - elseif (isset($_GET["action"]) && $_GET["action"] == 'edit') { print_fiche_titre($langs->trans("ModifMenu"),'','setup'); diff --git a/htdocs/admin/menus/index.php b/htdocs/admin/menus/index.php index 57ad0296eea..746411e49fb 100644 --- a/htdocs/admin/menus/index.php +++ b/htdocs/admin/menus/index.php @@ -1,7 +1,7 @@ - * Copyright (C) 2007-2010 Laurent Destailleur - * Copyright (C) 2009-2010 Regis Houssin + * Copyright (C) 2007-2011 Laurent Destailleur + * Copyright (C) 2009-2011 Regis Houssin * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/htdocs/core/class/html.formadmin.class.php b/htdocs/core/class/html.formadmin.class.php index e7e465a92a1..4b4f888552a 100644 --- a/htdocs/core/class/html.formadmin.class.php 
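Review bot: The new guard in the @@ -33 hunk of type.php, `if (! $user->rights->adherent->lire) accessforbidden();`, gates the whole page on the read right only, while the `$rowid` read from `$_GET`/`$_POST` just above it suggests the file also serves the member-type create/edit/delete actions further down, outside this hunk. If those action branches are reachable, each one should additionally test the matching write right of the module before touching the database, otherwise any user who may list member types can also modify them. A short comment on the guard, such as `// Security check: page-level read right; write actions must check their own right below`, would make that split of responsibility explicit for the next maintainer. The rest of type.php is outside the hunk, so this is inferred from the visible lines only.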
+++ b/htdocs/core/class/html.formadmin.class.php @@ -1,5 +1,6 @@ +/* Copyright (C) 2004-2011 Laurent Destailleur + * Copyright (C) 2005-2011 Regis Houssin * Copyright (C) 2007 Patrick Raguin * * This program is free software; you can redistribute it and/or modify @@ -137,30 +138,33 @@ class FormAdmin foreach ($conf->file->dol_document_root as $dirroot) { $dir=$dirroot.$dirmenu; - $handle=opendir($dir); - if (is_resource($handle)) + if (is_dir($dir)) { - while (($file = readdir($handle))!==false) - { - if (is_file($dir."/".$file) && substr($file, 0, 1) <> '.' && substr($file, 0, 3) <> 'CVS') - { - if (preg_match('/lib\.php$/i',$file)) continue; // We exclude library files - $filelib=preg_replace('/\.php$/i','',$file); - $prefix=''; - if (preg_match('/^eldy|^iphone/i',$file)) $prefix='0'; // 0=Recommanded, 1=Experimental, 2=Other - else $prefix='2'; - - if ($file == $selected) - { - $menuarray[$prefix.'_'.$file]=''; - } - else - { - $menuarray[$prefix.'_'.$file]=''; - } - } - } - closedir($handle); + $handle=opendir($dir); + if (is_resource($handle)) + { + while (($file = readdir($handle))!==false) + { + if (is_file($dir."/".$file) && substr($file, 0, 1) <> '.' && substr($file, 0, 3) <> 'CVS') + { + if (preg_match('/lib\.php$/i',$file)) continue; // We exclude library files + $filelib=preg_replace('/\.php$/i','',$file); + $prefix=''; + if (preg_match('/^eldy|^iphone/i',$file)) $prefix='0'; // 0=Recommanded, 1=Experimental, 2=Other + else $prefix='2'; + + if ($file == $selected) + { + $menuarray[$prefix.'_'.$file]=''; + } + else + { + $menuarray[$prefix.'_'.$file]=''; + } + } + } + closedir($handle); + } } } ksort($menuarray); 
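Review bot: The `if (is_dir($dir))` guard in front of `opendir` is the only logical change in the @@ -137 hunk, but it is expressed by nesting the existing body one level deeper, so the diff re-indents about twenty unchanged lines and the loop body now sits five blocks deep. `if (! is_dir($dir)) continue;` placed right after `$dir=$dirroot.$dirmenu;` keeps the body flat and reduces the diff to one added line; the @@ -206 hunk of this file has the same shape and the same remark applies. Since `is_resource($handle)` already handled a failed `opendir`, a one-line comment such as `// Skip document roots that do not ship this menu directory (avoids the opendir warning)` would record why the extra guard was added. The enclosing method starts and ends outside the hunk.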
@@ -206,24 +210,27 @@ class FormAdmin foreach ($conf->file->dol_document_root as $dirroot) { $dir=$dirroot.$dirmenu; - $handle=opendir($dir); - if (is_resource($handle)) + if (is_dir($dir)) { - while (($file = readdir($handle))!==false) - { - if (is_file($dir."/".$file) && substr($file, 0, 1) <> '.' && substr($file, 0, 3) <> 'CVS') - { - $filelib=preg_replace('/(_backoffice|_frontoffice)?\.php$/i','',$file); - if (preg_match('/^default/i',$filelib)) continue; - if (preg_match('/^empty/i',$filelib)) continue; - if (preg_match('/\.lib/i',$filelib)) continue; - if (empty($conf->global->MAIN_FEATURES_LEVEL) && in_array($file,$expdevmenu)) continue; - - $menuarray[$filelib]=1; - } - $menuarray['all']=1; - } - closedir($handle); + $handle=opendir($dir); + if (is_resource($handle)) + { + while (($file = readdir($handle))!==false) + { + if (is_file($dir."/".$file) && substr($file, 0, 1) <> '.' && substr($file, 0, 3) <> 'CVS') + { + $filelib=preg_replace('/(_backoffice|_frontoffice)?\.php$/i','',$file); + if (preg_match('/^default/i',$filelib)) continue; + if (preg_match('/^empty/i',$filelib)) continue; + if (preg_match('/\.lib/i',$filelib)) continue; + if (empty($conf->global->MAIN_FEATURES_LEVEL) && in_array($file,$expdevmenu)) continue; + + $menuarray[$filelib]=1; + } + $menuarray['all']=1; + } + closedir($handle); + } } } } diff --git a/htdocs/includes/menus/init_menu_auguria.sql b/htdocs/includes/menus/init_menu_auguria.sql index 4996516c86e..6cef8146342 100644 --- a/htdocs/includes/menus/init_menu_auguria.sql +++ b/htdocs/includes/menus/init_menu_auguria.sql 
@@ -21,7 +21,7 @@ insert into llx_menu (enabled, rowid, menu_handler, type, mainmenu, leftmenu, fk insert into llx_menu (enabled, rowid, menu_handler, type, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('$conf->projet->enabled', 7__+MAX_llx_menu__, __HANDLER__, 'top', 'project', '', 0, '/projet/index.php?mainmenu=project&leftmenu=', 'Projects', -1, 'projects', '$user->rights->projet->lire', '', 0, 7, __ENTITY__); insert into llx_menu (enabled, rowid, menu_handler, type, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('$conf->mailing->enabled || $conf->export->enabled || $conf->global->MAIN_MODULE_IMPORT || $conf->global->MAIN_MODULE_DOMAIN', 8__+MAX_llx_menu__, __HANDLER__, 'top', 'tools', '', 0, '/index.php?mainmenu=tools&leftmenu=', 'Tools', -1, 'other', '$user->rights->mailing->lire || $user->rights->bookmark->lire || $user->rights->export->lire', '', 2, 8, __ENTITY__); insert into llx_menu (enabled, rowid, menu_handler, type, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('! 
empty($conf->boutique->enabled)', 11__+MAX_llx_menu__, __HANDLER__, 'top', 'shop', '', 0, '/boutique/index.php?mainmenu=shop&leftmenu=', 'OSCommerce', -1, 'shop', '', '', 0, 11, __ENTITY__); -insert into llx_menu (enabled, rowid, menu_handler, type, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('$conf->adherent->enabled', 13__+MAX_llx_menu__, __HANDLER__, 'top', 'members', '', 0, '/adherents/index.php?mainmenu=members&leftmenu=', 'Members', -1, 'members', '', '', 2, 15, __ENTITY__); +insert into llx_menu (enabled, rowid, menu_handler, type, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('$conf->adherent->enabled', 13__+MAX_llx_menu__, __HANDLER__, 'top', 'members', '', 0, '/adherents/index.php?mainmenu=members&leftmenu=', 'Members', -1, 'members', '$user->rights->adherent->lire', '', 2, 15, __ENTITY__); insert into llx_menu (enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('$user->admin', __HANDLER__, 'left', 100__+MAX_llx_menu__, 'home', '', 1__+MAX_llx_menu__, '/admin/index.php?leftmenu=setup', 'Setup', 0, 'admin', '', '', 2, 0, __ENTITY__); insert into llx_menu (enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('$leftmenu==\'setup\'', __HANDLER__, 'left', 101__+MAX_llx_menu__, 'home', '', 100__+MAX_llx_menu__, '/admin/company.php?leftmenu=setup', 'MenuCompanySetup', 1, 'admin', '', '', 2, 1, __ENTITY__); diff --git a/htdocs/includes/menus/init_menu_iphone.sql b/htdocs/includes/menus/init_menu_iphone.sql index 061670c6122..c7f95c46c43 100644 --- a/htdocs/includes/menus/init_menu_iphone.sql +++ b/htdocs/includes/menus/init_menu_iphone.sql 
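Review bot: The `perms` expression `$user->rights->adherent->lire` added to the Members top-menu row only controls whether the entry is displayed; it is not an access check on `/adherents/index.php`, the page the row links to, and that page is not touched by this commit. The `accessforbidden()` guard this patch adds to type.php is the enforcement that matters, so confirm that index.php and the other pages reachable under the members menu carry an equivalent check rather than relying on the menu being hidden. The init_menu_iphone.sql hunk makes the identical change and the same remark applies there.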
@@ -21,7 +21,7 @@ insert into llx_menu (enabled, rowid, menu_handler, type, mainmenu, leftmenu, fk insert into llx_menu (enabled, rowid, menu_handler, type, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('$conf->projet->enabled', 7__+MAX_llx_menu__, __HANDLER__, 'top', 'project', '', 0, '/projet/index.php?mainmenu=project&leftmenu=', 'Projects', -1, 'projects', '$user->rights->projet->lire', '', 0, 7, __ENTITY__); insert into llx_menu (enabled, rowid, menu_handler, type, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('$conf->mailing->enabled || $conf->export->enabled || $conf->global->MAIN_MODULE_IMPORT || $conf->global->MAIN_MODULE_DOMAIN', 8__+MAX_llx_menu__, __HANDLER__, 'top', 'tools', '', 0, '/index.php?mainmenu=tools&leftmenu=', 'Tools', -1, 'other', '$user->rights->mailing->lire || $user->rights->bookmark->lire || $user->rights->export->lire', '', 2, 8, __ENTITY__); insert into llx_menu (enabled, rowid, menu_handler, type, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('! 
empty($conf->boutique->enabled)', 11__+MAX_llx_menu__, __HANDLER__, 'top', 'shop', '', 0, '/boutique/index.php?mainmenu=shop&leftmenu=', 'OSCommerce', -1, 'shop', '', '', 0, 11, __ENTITY__); -insert into llx_menu (enabled, rowid, menu_handler, type, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('$conf->adherent->enabled', 13__+MAX_llx_menu__, __HANDLER__, 'top', 'members', '', 0, '/adherents/index.php?mainmenu=members&leftmenu=', 'Members', -1, 'members', '', '', 2, 15, __ENTITY__); +insert into llx_menu (enabled, rowid, menu_handler, type, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('$conf->adherent->enabled', 13__+MAX_llx_menu__, __HANDLER__, 'top', 'members', '', 0, '/adherents/index.php?mainmenu=members&leftmenu=', 'Members', -1, 'members', '$user->rights->adherent->lire', '', 2, 15, __ENTITY__); insert into llx_menu (enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('$user->admin', __HANDLER__, 'left', 100__+MAX_llx_menu__, 'home', '', 1__+MAX_llx_menu__, '/admin/index.php?leftmenu=setup', 'Setup', 0, 'admin', '', '', 2, 0, __ENTITY__); insert into llx_menu (enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('1', __HANDLER__, 'left', 101__+MAX_llx_menu__, 'home', '', 100__+MAX_llx_menu__, '/admin/company.php?leftmenu=setup', 'MenuCompanySetup', 1, 'admin', '', '', 2, 1, __ENTITY__);