lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix: big security problem with multicompany

Browse Source
This commit is contained in:
Regis Houssin 2013-04-26 16:07:35 +02:00
parent 016b4a2baa
commit 36e6269b24
5 changed files with 28 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
htdocs/comm/action/class/actioncomm.class.php
View File

@ -35,7 +35,7 @@ class ActionComm extends CommonObject
public $element='action';
public $table_element = 'actioncomm';
public $table_rowid = 'id';
protected $ismultientitymanaged = 2; // 0=No test on entity, 1=Test with field entity, 2=Test with link by societe
protected $ismultientitymanaged = 1; // 0=No test on entity, 1=Test with field entity, 2=Test with link by societe
var $id;
var $type_id;

2
htdocs/comm/action/document.php
View File

@ -51,6 +51,8 @@ if ($user->societe_id > 0)
$socid = $user->societe_id;
}
$result = restrictedArea($user, 'agenda', $objectid, 'actioncomm&societe', 'myactions&allactions', '', 'id');
$act = new ActionComm($db);
if ($objectid > 0)

2
htdocs/comm/action/fiche.php
View File

@ -53,7 +53,7 @@ $contactid=GETPOST('contactid','int');
$socid = GETPOST('socid','int');
$id = GETPOST('id','int');
if ($user->societe_id) $socid=$user->societe_id;
//$result = restrictedArea($user, 'agenda', $id, 'actioncomm', 'actions', '', 'id');
$result = restrictedArea($user, 'agenda', $id, 'actioncomm&societe', 'myactions&allactions', '', 'id');
$error=GETPOST("error");
$mesg='';

7
htdocs/comm/action/info.php
View File

@ -31,6 +31,8 @@ require_once DOL_DOCUMENT_ROOT.'/comm/action/class/actioncomm.class.php';
$langs->load("commercial");
$id = GETPOST('id','int');
// Security check
if ($user->societe_id > 0)
{
@ -38,6 +40,7 @@ if ($user->societe_id > 0)
$socid = $user->societe_id;
}
$result = restrictedArea($user, 'agenda', $id, 'actioncomm&societe', 'myactions&allactions', '', 'id');
/*
@ -48,8 +51,8 @@ $help_url='EN:Module_Agenda_En|FR:Module_Agenda|ES:M&omodulodulo_Agenda';
llxHeader('',$langs->trans("Agenda"),$help_url);
$act = new ActionComm($db);
$act->fetch($_GET["id"]);
$act->info($_GET["id"]);
$act->fetch($id);
$act->info($act->id);
$head=actions_prepare_head($act);
dol_fiche_head($head, 'info', $langs->trans("Action"),0,'action');

26
htdocs/core/lib/security.lib.php
View File

@ -112,11 +112,14 @@ function restrictedArea($user, $features, $objectid=0, $dbtablename='', $feature
if (method_exists($objcanvas->control,'restrictedArea')) return $objcanvas->control->restrictedArea($user,$features,$objectid,$dbtablename,$feature2,$dbt_keyfield,$dbt_select);
}
if ($dbt_select != 'rowid') $objectid = "'".$objectid."'";
if ($dbt_select != 'rowid' && $dbt_select != 'id') $objectid = "'".$objectid."'";
// More features to check
$features = explode("&", $features);
// More subfeatures to check
$feature2 = explode("&", $feature2);
// More parameters
$params = explode('&', $dbtablename);
$dbtablename=(! empty($params[0]) ? $params[0] : '');
@ -164,8 +167,11 @@ function restrictedArea($user, $features, $objectid=0, $dbtablename='', $feature
}
else if (! empty($feature2)) // This should be used for future changes
{
if (empty($user->rights->$feature->$feature2->lire)
&& empty($user->rights->$feature->$feature2->read)) $readok=0;
foreach($feature2 as $subfeature)
{
if (empty($user->rights->$feature->$subfeature->lire) && empty($user->rights->$feature->$subfeature->read)) $readok=0;
else $readok=1;
}
}
else if (! empty($feature) && ($feature!='user' && $feature!='usergroup')) // This is for old permissions
{
@ -210,8 +216,11 @@ function restrictedArea($user, $features, $objectid=0, $dbtablename='', $feature
}
else if (! empty($feature2)) // This should be used for future changes
{
if (empty($user->rights->$feature->$feature2->creer)
&& empty($user->rights->$feature->$feature2->write)) $createok=0;
foreach($feature2 as $subfeature)
{
if (empty($user->rights->$feature->$subfeature->creer) && empty($user->rights->$feature->$subfeature->write)) $createok=0;
else $createok=1;
}
}
else if (! empty($feature)) // This is for old permissions
{
@ -271,8 +280,11 @@ function restrictedArea($user, $features, $objectid=0, $dbtablename='', $feature
}
else if (! empty($feature2)) // This should be used for future changes
{
if (empty($user->rights->$feature->$feature2->supprimer)
&& empty($user->rights->$feature->$feature2->delete)) $deleteok=0;
foreach($feature2 as $subfeature)
{
if (empty($user->rights->$feature->$subfeature->supprimer) && empty($user->rights->$feature->$subfeature->delete)) $deleteok=0;
else $deleteok=1;
}
}
else if (! empty($feature)) // This is for old permissions
{