| '; - $out .= $langs->trans("GroupEmails"); - $out .= ' | '; - $out .= ' withoptiononeemailperrecipient > 0 ? ' checked="checked"' : '').'> '; - $out .= ''; - $out .= ''; - $out .= ' - '; - $out .= $langs->trans("WarningIfYouCheckOneRecipientPerEmail"); - $out .= ''; - $out .= ' | ||||||
| '; + $out .= $langs->trans("GroupEmails"); + $out .= ' | '; + $out .= ' withoptiononeemailperrecipient > 0 ? ' checked="checked"' : '').'> '; + $out .= ''; + $out .= ''; + $out .= ' - '; + $out .= $langs->trans("WarningIfYouCheckOneRecipientPerEmail"); + $out .= ''; + $out .= ' | ||||||
| ' . $this->langs->trans("Parameter") . ' | '; + $out .= '' . $this->langs->trans("Parameter") . ' | '; $out .= '' . $this->langs->trans("Value") . ' | '; $out .= '|||||
'."\n";
- print $langs->trans('SelectMailModel').': '.$formmail->selectarray('modelmailselected', $modelmail_array, $this->param['models_id'], 1);
+ print $langs->trans('SelectMailModel').': '.$formmail->selectarray('modelmailselected', $modelmail_array, $this->param['models_id'], 1, 0, "", "", 0, 0, 0, '', 'minwidth200');
if ($user->admin) {
print info_admin($langs->trans("YouCanChangeValuesForThisListFromDictionarySetup"), 1);
}
diff --git a/htdocs/core/class/link.class.php b/htdocs/core/class/link.class.php
index eaf4804b213..f69dcb2874d 100644
--- a/htdocs/core/class/link.class.php
+++ b/htdocs/core/class/link.class.php
@@ -249,7 +249,7 @@ class Link extends CommonObject
$resql = $this->db->query($sql);
if ($resql) {
$num = $this->db->num_rows($resql);
- dol_syslog(get_class($this)."::fetchAll ".$num."records", LOG_DEBUG);
+ dol_syslog(get_class($this)."::fetchAll num=".((int) $num), LOG_DEBUG);
if ($num > 0) {
while ($obj = $this->db->fetch_object($resql)) {
$link = new Link($this->db);
diff --git a/htdocs/core/class/translate.class.php b/htdocs/core/class/translate.class.php
index c092690a505..f881447cd67 100644
--- a/htdocs/core/class/translate.class.php
+++ b/htdocs/core/class/translate.class.php
@@ -555,9 +555,9 @@ class Translate
* Return translated value of key for special keys ("Currency...", "Civility...", ...).
* Search in lang file, then into database. Key must be any complete entry into lang file: CurrencyEUR, ...
* If not found, return key.
- * The string return is not formated (translated with transnoentitiesnoconv)
- * NOTE: To avoid infinite loop (getLabelFromKey->transnoentities->getTradFromKey), if you modify this function,
- * check that getLabelFromKey is not called with same value than input.
+ * The string return is not formated (translated with transnoentitiesnoconv).
+ * NOTE: To avoid infinite loop (getLabelFromKey->transnoentities->getTradFromKey->getLabelFromKey), if you modify this function,
+ * check that getLabelFromKey is never called with the same value than $key.
*
* @param string $key Key to translate
* @return string Translated string (translated with transnoentitiesnoconv)
@@ -585,7 +585,7 @@ class Translate
$newstr = $this->getLabelFromKey($db, $reg[1], 'c_lead_status', 'code', 'label');
} elseif (preg_match('/^OrderSource([0-9A-Z]+)$/i', $key, $reg)) {
// TODO OrderSourceX must be replaced with content of table llx_c_input_reason or llx_c_input_method
- //$newstr=$this->getLabelFromKey($db,$reg[1],'c_ordersource','code','label');
+ //$newstr=$this->getLabelFromKey($db,$reg[1],'llx_c_input_reason','code','label');
}
/* Disabled. There is too many cases where translation of $newstr is not defined is normal (like when output with setEventMessage an already translated string)
@@ -945,9 +945,9 @@ class Translate
*
* @param DoliDB $db Database handler
* @param string $key Translation key to get label (key in language file)
- * @param string $tablename Table name without prefix
- * @param string $fieldkey Field for key
- * @param string $fieldlabel Field for label
+ * @param string $tablename Table name without prefix. This value must always be a hardcoded string and not a value coming from user input.
+ * @param string $fieldkey Field for key. This value must always be a hardcoded string and not a value coming from user input.
+ * @param string $fieldlabel Field for label. This value must always be a hardcoded string and not a value coming from user input.
* @param string $keyforselect Use another value than the translation key for the where into select
* @param int $filteronentity Use a filter on entity
* @return string Label in UTF8 (but without entities)
@@ -959,10 +959,15 @@ class Translate
if ($key == '') {
return '';
}
+ // Test should be useless because the 3 variables are never set from user input but we keep it in case of.
+ if (preg_match('/[^0-9A-Z_]/i', $tablename) || preg_match('/[^0-9A-Z_]/i', $fieldkey) || preg_match('/[^0-9A-Z_]/i', $fieldlabel)) {
+ $this->error = 'Bad value for parameter tablename, fieldkey or fieldlabel';
+ return -1;
+ }
//print 'param: '.$key.'-'.$keydatabase.'-'.$this->trans($key); exit;
- // Check if a translation is available (this can call getTradFromKey)
+ // Check if a translation is available (Note: this can call getTradFromKey that can call getLabelFromKey)
$tmp = $this->transnoentitiesnoconv($key);
if ($tmp != $key && $tmp != 'ErrorBadValueForParamNotAString') {
return $tmp; // Found in language array
@@ -973,6 +978,7 @@ class Translate
return $this->cache_labels[$tablename][$key]; // Found in cache
}
+ // Not found in loaded language file nor in cache. So we will take the label into database.
$sql = "SELECT ".$fieldlabel." as label";
$sql .= " FROM ".MAIN_DB_PREFIX.$tablename;
$sql .= " WHERE ".$fieldkey." = '".$db->escape($keyforselect ? $keyforselect : $key)."'";
diff --git a/htdocs/core/class/utils.class.php b/htdocs/core/class/utils.class.php
index e081c59b14b..b408985a92d 100644
--- a/htdocs/core/class/utils.class.php
+++ b/htdocs/core/class/utils.class.php
@@ -399,21 +399,23 @@ class Utils
if ($execmethod == 2) { // With this method, there is no way to get the return code, only output
$handlein = popen($fullcommandclear, 'r');
$i = 0;
- while (!feof($handlein)) {
- $i++; // output line number
- $read = fgets($handlein);
- // Exclude warning line we don't want
- if ($i == 1 && preg_match('/Warning.*Using a password/i', $read)) {
- continue;
- }
- fwrite($handle, $read);
- if (preg_match('/'.preg_quote('-- Dump completed').'/i', $read)) {
- $ok = 1;
- } elseif (preg_match('/'.preg_quote('SET SQL_NOTES=@OLD_SQL_NOTES').'/i', $read)) {
- $ok = 1;
+ if ($handlein) {
+ while (!feof($handlein)) {
+ $i++; // output line number
+ $read = fgets($handlein);
+ // Exclude warning line we don't want
+ if ($i == 1 && preg_match('/Warning.*Using a password/i', $read)) {
+ continue;
+ }
+ fwrite($handle, $read);
+ if (preg_match('/'.preg_quote('-- Dump completed').'/i', $read)) {
+ $ok = 1;
+ } elseif (preg_match('/'.preg_quote('SET SQL_NOTES=@OLD_SQL_NOTES').'/i', $read)) {
+ $ok = 1;
+ }
}
+ pclose($handlein);
}
- pclose($handlein);
}
diff --git a/htdocs/core/class/validate.class.php b/htdocs/core/class/validate.class.php
index 389bb708e82..61251167c21 100644
--- a/htdocs/core/class/validate.class.php
+++ b/htdocs/core/class/validate.class.php
@@ -55,18 +55,17 @@ class Validate
{
global $langs;
- if ($outputLang) {
+ if (empty($outputLang)) {
$this->outputLang = $langs;
} else {
$this->outputLang = $outputLang;
}
- if (!is_object($this->outputLang) || !method_exists($outputLang, 'load')) {
+ if (!is_object($this->outputLang) || !method_exists($this->outputLang, 'load')) {
return false;
}
- /** @var Translate $outputLang */
- $outputLang->load('validate');
+ $this->outputLang->loadLangs(array('validate', 'errors'));
$this->db = $db;
}
@@ -229,6 +228,21 @@ class Validate
return true;
}
+ /**
+ * Check numeric validity
+ *
+ * @param mixed $string to validate
+ * @return boolean Validity is ok or not
+ */
+ public function isNumeric($string)
+ {
+ if (!is_numeric($string)) {
+ $this->error = $this->outputLang->trans('RequireValidNumeric');
+ return false;
+ }
+ return true;
+ }
+
/**
* Check for boolean validity
*
diff --git a/htdocs/core/customreports.php b/htdocs/core/customreports.php
index e380dea8403..fafd1c015e8 100644
--- a/htdocs/core/customreports.php
+++ b/htdocs/core/customreports.php
@@ -56,7 +56,7 @@ if (!defined('USE_CUSTOM_REPORT_AS_INCLUDE')) {
}
$search_yaxis = GETPOST('search_yaxis', 'array');
- $search_graph = GETPOST('search_graph', 'none');
+ $search_graph = GETPOST('search_graph', 'restricthtml');
// Load variable for pagination
$limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
diff --git a/htdocs/core/db/DoliDB.class.php b/htdocs/core/db/DoliDB.class.php
index daa5f657549..4476228d509 100644
--- a/htdocs/core/db/DoliDB.class.php
+++ b/htdocs/core/db/DoliDB.class.php
@@ -62,11 +62,26 @@ abstract class DoliDB implements Database
/** @var string Last error number. For example: 'DB_ERROR_RECORD_ALREADY_EXISTS', '12345', ... */
public $lasterrno;
+ /** @var string If we need to set a prefix specific to the database so it can be reused (when defined instead of MAIN_DB_PREFIX) to forge requests */
+ public $prefix_db;
+
/** @var bool Status */
public $ok;
/** @var string */
public $error;
+
+
+ /**
+ * Return the DB prefix
+ *
+ * @return string The DB prefix
+ */
+ public function prefix()
+ {
+ return (empty($this->prefix_db) ? MAIN_DB_PREFIX : $this->prefix_db);
+ }
+
/**
* Format a SQL IF
*
diff --git a/htdocs/core/get_menudiv.php b/htdocs/core/get_menudiv.php
index 77b0416956b..597031945f1 100644
--- a/htdocs/core/get_menudiv.php
+++ b/htdocs/core/get_menudiv.php
@@ -121,12 +121,13 @@ print '
display: none;
}
- a.alilevel0 {
+ a.alilevel0, span.spanlilevel0 {
background-image: url(\''.DOL_URL_ROOT.'/theme/'.urlencode($conf->theme).'/img/next.png\') !important;
background-repeat: no-repeat !important;
background-position-x: 10px;
background-position-y: 16px;
padding: 1em 15px 1em 40px;
+ display: block;
}
li.lilevel0 font.vsmenudisabled {
background-repeat: no-repeat !important;
diff --git a/htdocs/core/js/lib_notification.js.php b/htdocs/core/js/lib_notification.js.php
index f4a4e59526a..af5952f6026 100644
--- a/htdocs/core/js/lib_notification.js.php
+++ b/htdocs/core/js/lib_notification.js.php
@@ -64,7 +64,7 @@ print "jQuery(document).ready(function () {\n";
//print " console.log('referrer=".dol_escape_js($_SERVER['HTTP_REFERER'])."');\n";
print ' var nowtime = Date.now();';
-print ' var time_auto_update = '.$conf->global->MAIN_BROWSER_NOTIFICATION_FREQUENCY.';'."\n"; // Always defined
+print ' var time_auto_update = '.max(1, getDolGlobalInt('MAIN_BROWSER_NOTIFICATION_FREQUENCY')).';'."\n"; // Always defined
print ' var time_js_next_test;'."\n";
?>
diff --git a/htdocs/core/lib/admin.lib.php b/htdocs/core/lib/admin.lib.php
index e806d9b5957..448677002df 100644
--- a/htdocs/core/lib/admin.lib.php
+++ b/htdocs/core/lib/admin.lib.php
@@ -240,6 +240,7 @@ function run_sql($sqlfile, $silent = 1, $entity = '', $usesavepoint = 1, $handle
if (empty($nocommentremoval)) {
$buf = preg_replace('/([,;ERLT\)])\s*--.*$/i', '\1', $buf); //remove comment from a line that not start with -- before add it to the buffer
}
+ if ($buffer) $buffer .= ' ';
$buffer .= trim($buf);
}
@@ -639,7 +640,7 @@ function modules_prepare_head($nbofactivatedmodules, $nboftotalmodules)
if ($nbofactivatedmodules <= (empty($conf->global->MAIN_MIN_NB_ENABLED_MODULE_FOR_WARNING) ? 1 : $conf->global->MAIN_MIN_NB_ENABLED_MODULE_FOR_WARNING)) { // If only minimal initial modules enabled)
//$head[$h][1] = $form->textwithpicto($langs->trans("AvailableModules"), $desc);
$head[$h][1] = $langs->trans("AvailableModules");
- $head[$h][1] .= $form->textwithpicto('', $langs->trans("YouMustEnableOneModule").'. '.$desc.'', 1, warning); + $head[$h][1] .= $form->textwithpicto('', $langs->trans("YouMustEnableOneModule").'. '.$desc.'', 1, 'warning'); } else { //$head[$h][1] = $langs->trans("AvailableModules").$form->textwithpicto(''.$nbofactivatedmodules.' / '.$nboftotalmodules.'', $desc, 1, 'help', '', 1, 3); $head[$h][1] = $langs->trans("AvailableModules").''.$nbofactivatedmodules.' / '.$nboftotalmodules.''; diff --git a/htdocs/core/lib/company.lib.php b/htdocs/core/lib/company.lib.php index 4ce7d4691a4..2902430bf82 100644 --- a/htdocs/core/lib/company.lib.php +++ b/htdocs/core/lib/company.lib.php @@ -916,8 +916,8 @@ function show_contacts($conf, $langs, $db, $object, $backtopage = '') $form = new Form($db); $optioncss = GETPOST('optioncss', 'alpha'); - $sortfield = GETPOST("sortfield", 'alpha'); - $sortorder = GETPOST("sortorder", 'alpha'); + $sortfield = GETPOST('sortfield', 'aZ09comma'); + $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); $search_status = GETPOST("search_status", 'int'); diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php index 7b5cc92c75d..c70ea041e0a 100644 --- a/htdocs/core/lib/files.lib.php +++ b/htdocs/core/lib/files.lib.php @@ -2270,13 +2270,13 @@ function dol_most_recent_file($dir, $regexfilter = '', $excludefilter = array('( /** * Security check when accessing to a document (used by document.php, viewimage.php and webservices to get documents). - * TODO Replace code that set $accesallowed by a call to restrictedArea() + * TODO Replace code that set $accessallowed by a call to restrictedArea() * * @param string $modulepart Module of document ('module', 'module_user_temp', 'module_user' or 'module_temp'). Exemple: 'medias', 'invoice', 'logs', 'tax-vat', ... * @param string $original_file Relative path with filename, relative to modulepart. * @param string $entity Restrict onto entity (0=no restriction) * @param User $fuser User object (forced) - * @param string $refname Ref of object to check permission for external users (autodetect if not provided) + * @param string $refname Ref of object to check permission for external users (autodetect if not provided) or for hierarchy * @param string $mode Check permission for 'read' or 'write' * @return mixed Array with access information : 'accessallowed' & 'sqlprotectagainstexternals' & 'original_file' (as a full path name) * @see restrictedArea() @@ -2423,6 +2423,30 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity, $accessallowed = 1; } $original_file = $conf->fournisseur->facture->dir_output.'/'.$original_file; + } elseif (($modulepart == 'holiday') && !empty($conf->holiday->dir_output)) { + if ($fuser->rights->holiday->{$read} || preg_match('/^specimen/i', $original_file)) { + $accessallowed = 1; + // If we known $id of holiday, call checkUserAccessToObject to check permission on properties and hierarchy of leave request + if ($refname && !preg_match('/^specimen/i', $original_file)) { + include_once DOL_DOCUMENT_ROOT.'/holiday/class/holiday.class.php'; + $tmpholiday = new Holiday($db); + $tmpholiday->fetch('', $refname); + $accessallowed = checkUserAccessToObject($user, array('holiday'), $tmpholiday, 'holiday', '', '', 'rowid', ''); + } + } + $original_file = $conf->holiday->dir_output.'/'.$original_file; + } elseif (($modulepart == 'expensereport') && !empty($conf->expensereport->dir_output)) { + if ($fuser->rights->expensereport->{$lire} || preg_match('/^specimen/i', $original_file)) { + $accessallowed = 1; + // If we known $id of expensereport, call checkUserAccessToObject to check permission on properties and hierarchy of expense report + if ($refname && !preg_match('/^specimen/i', $original_file)) { + include_once DOL_DOCUMENT_ROOT.'/expensereport/class/expensereport.class.php'; + $tmpexpensereport = new ExpenseReport($db); + $tmpexpensereport->fetch('', $refname); + $accessallowed = checkUserAccessToObject($user, array('expensereport'), $tmpexpensereport, 'expensereport', '', '', 'rowid', ''); + } + } + $original_file = $conf->expensereport->dir_output.'/'.$original_file; } elseif (($modulepart == 'apercuexpensereport') && !empty($conf->expensereport->dir_output)) { // Wrapping pour les apercu supplier invoice if ($fuser->rights->expensereport->{$lire}) { @@ -2686,7 +2710,7 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity, include_once DOL_DOCUMENT_ROOT.'/projet/class/task.class.php'; $tmptask = new Task($db); $tmptask->fetch('', $refname); - $accessallowed = checkUserAccessToObject($user, array('projet_task'), $tmptask->id, 'projet&project', '', '', 'rowid', ''); + $accessallowed = checkUserAccessToObject($user, array('projet_task'), $tmptask->id, 'projet_task&project', '', '', 'rowid', ''); } } $original_file = $conf->projet->dir_output.'/'.$original_file; @@ -2971,9 +2995,9 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity, } $ret = array( - 'accessallowed' => $accessallowed, - 'sqlprotectagainstexternals'=>$sqlprotectagainstexternals, - 'original_file'=>$original_file + 'accessallowed' => ($accessallowed ? 1 : 0), + 'sqlprotectagainstexternals' => $sqlprotectagainstexternals, + 'original_file' => $original_file ); return $ret; diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index ed871204cae..2eb1802d303 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -17,6 +17,7 @@ * Copyright (C) 2019 Thibault Foucart '; - print ' '."\n";
+ print ' '."\n";
if ($addformmessage) {
print '';
print ' '; diff --git a/htdocs/core/lib/price.lib.php b/htdocs/core/lib/price.lib.php index 28723ab87db..4375d14430b 100644 --- a/htdocs/core/lib/price.lib.php +++ b/htdocs/core/lib/price.lib.php @@ -404,7 +404,7 @@ function calcul_price_total($qty, $pu, $remise_percent_ligne, $txtva, $uselocalt } } - // Recal function using the multicurrency price as reference price. We must set param $multicurrency_tx to 1 to avoid infinite loop. + // Recall function using the multicurrency price as reference price. We must set param $multicurrency_tx to 1 to avoid infinite loop. $newresult = calcul_price_total($qty, $pu_devise, $remise_percent_ligne, $txtva, $uselocaltax1_rate, $uselocaltax2_rate, $remise_percent_global, $price_base_type, $info_bits, $type, $seller, $localtaxes_array, $progress, 1, 0, ''); if ($multicurrency_code) { diff --git a/htdocs/core/lib/project.lib.php b/htdocs/core/lib/project.lib.php index e9e06708f7c..90a67991413 100644 --- a/htdocs/core/lib/project.lib.php +++ b/htdocs/core/lib/project.lib.php @@ -679,22 +679,23 @@ function projectLinesa(&$inc, $parent, &$lines, &$level, $var, $showproject, &$t // Title of task if (count($arrayfields) > 0 && !empty($arrayfields['t.label']['checked'])) { - print ' ';
+ $labeltoshow = '';
if ($showlineingray) {
- print '';
+ $labeltoshow .= '';
}
//else print '';
for ($k = 0; $k < $level; $k++) {
- print ' | ';
+ $labeltoshow .= ' ';
}
if ($showlineingray) {
- print '';
+ $labeltoshow .= '';
}
- //else print '';
+ print '';
}
- print $lines[$i]->label;
+ $labeltoshow .= dol_escape_htmltag($lines[$i]->label);
for ($k = 0; $k < $level; $k++) {
- print ' ';
+ $labeltoshow .= '';
+ print $labeltoshow;
print " | \n";
}
@@ -822,29 +823,7 @@ function projectLinesa(&$inc, $parent, &$lines, &$level, $var, $showproject, &$t
}
}
- // Contacts of tasks. Disabled, because available by default just after
- /*
- if (!empty($conf->global->PROJECT_SHOW_CONTACTS_IN_LIST)) {
- print '';
- foreach (array('internal', 'external') as $source) {
- $tab = $lines[$i]->liste_contact(-1, $source);
- $num = count($tab);
- if (!empty($num)) {
- foreach ($tab as $contacttask) {
- //var_dump($contacttask);
- if ($source == 'internal') {
- $c = new User($db);
- } else {
- $c = new Contact($db);
- }
- $c->fetch($contacttask['id']);
- print $c->getNomUrl(1).' ('.$contacttask['libelle'].') | ';
- }*/
- if (count($arrayfields) > 0 && !empty($arrayfields['c.assigned']['checked'])) {
+ if (count($arrayfields) > 0 && !empty($arrayfields['t.budget_amount']['checked'])) {
print ''; - } - } - } - print ' ';
print price($lines[$i]->budget_amount, 0, $langs, 1, 0, 0, $conf->currency);
$total_budget_amount += $lines[$i]->budget_amount;
@@ -854,10 +833,11 @@ function projectLinesa(&$inc, $parent, &$lines, &$level, $var, $showproject, &$t
// Contacts of task
if (count($arrayfields) > 0 && !empty($arrayfields['c.assigned']['checked'])) {
print ' | ';
+ $ifisrt = 1;
foreach (array('internal', 'external') as $source) {
$tab = $lines[$i]->liste_contact(-1, $source);
- $num = count($tab);
- if (!empty($num)) {
+ $numcontact = count($tab);
+ if (!empty($numcontact)) {
foreach ($tab as $contacttask) {
//var_dump($contacttask);
if ($source == 'internal') {
@@ -867,14 +847,19 @@ function projectLinesa(&$inc, $parent, &$lines, &$level, $var, $showproject, &$t
}
$c->fetch($contacttask['id']);
if (!empty($c->photo)) {
- print $c->getNomUrl(-2).' ';
+ if (get_class($c) == 'User') {
+ print $c->getNomUrl(-2, '', 0, 0, 24, 1, '', ($ifisrt ? '' : 'notfirst'));
+ } else {
+ print $c->getNomUrl(-2, '', 0, '', -1, 0, ($ifisrt ? '' : 'notfirst'));
+ }
} else {
if (get_class($c) == 'User') {
- print $c->getNomUrl(2, '', 0, 0, 24, 1);//.' ';
+ print $c->getNomUrl(2, '', 0, 0, 24, 1, '', ($ifisrt ? '' : 'notfirst'));
} else {
- print $c->getNomUrl(2);//.' ';
+ print $c->getNomUrl(2, '', 0, '', -1, 0, ($ifisrt ? '' : 'notfirst'));
}
}
+ $ifisrt = 0;
}
}
}
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 4f08f2a4141..4a20fbf96f2 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -626,24 +626,30 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
}
/**
- * Check access by user to object is ok.
- * This function is also called by restrictedArea that check before if module is enabled and if permission of user for $action is ok.
+ * Check that access by a given user to an object is ok.
+ * This function is also called by restrictedArea() that check before if module is enabled and if permission of user for $action is ok.
*
- * @param User $user User to check
- * @param array $featuresarray Features/modules to check. Example: ('user','service','member','project','task',...)
- * @param int|string $objectid Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
- * @param string $tableandshare 'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity for multicompany modume. Param not used if objectid is null (optional).
- * @param string $feature2 Feature to check, second level of permission (optional). Can be or check with 'level1|level2'.
- * @param string $dbt_keyfield Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
- * @param string $dbt_select Field name for select if not rowid. Not used if objectid is null (optional)
- * @param string $parenttableforentity Parent table for entity. Example 'fk_website@website'
- * @return bool True if user has access, False otherwise
+ * @param User $user User to check
+ * @param array $featuresarray Features/modules to check. Example: ('user','service','member','project','task',...)
+ * @param int|string|Object $object Full object or object ID or list of object id. For example if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
+ * @param string $tableandshare 'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity for multicompany modume. Param not used if objectid is null (optional).
+ * @param string $feature2 Feature to check, second level of permission (optional). Can be or check with 'level1|level2'.
+ * @param string $dbt_keyfield Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
+ * @param string $dbt_select Field name for select if not rowid. Not used if objectid is null (optional)
+ * @param string $parenttableforentity Parent table for entity. Example 'fk_website@website'
+ * @return bool True if user has access, False otherwise
* @see restrictedArea()
*/
-function checkUserAccessToObject($user, array $featuresarray, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = '', $dbt_select = 'rowid', $parenttableforentity = '')
+function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = '', $dbt_select = 'rowid', $parenttableforentity = '')
{
global $db, $conf;
+ if (is_object($object)) {
+ $objectid = $object->id;
+ } else {
+ $objectid = $object; // $objectid can be X or 'X,Y,Z'
+ }
+
//dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename, $feature2, $dbt_socfield, $dbt_select, $isdraft");
//print "user_id=".$user->id.", features=".join(',', $featuresarray).", feature2=".$feature2.", objectid=".$objectid;
//print ", tableandshare=".$tableandshare.", dbt_socfield=".$dbt_keyfield.", dbt_select=".$dbt_select." | "; @@ -656,7 +662,7 @@ function checkUserAccessToObject($user, array $featuresarray, $objectid = 0, $ta foreach ($featuresarray as $feature) { $sql = ''; - //var_dump($feature); + //var_dump($feature);exit; // For backward compatibility if ($feature == 'member') { @@ -669,11 +675,15 @@ function checkUserAccessToObject($user, array $featuresarray, $objectid = 0, $ta $feature = 'projet_task'; } + $checkonentitydone = 0; + + // Array to define rules of checks to do $check = array('adherent', 'banque', 'bom', 'don', 'mrp', 'user', 'usergroup', 'payment', 'payment_supplier', 'product', 'produit', 'service', 'produit|service', 'categorie', 'resource', 'expensereport', 'holiday', 'salaries', 'website'); // Test on entity only (Objects with no link to company) $checksoc = array('societe'); // Test for societe object $checkother = array('contact', 'agenda'); // Test on entity + link to third party on field $dbt_keyfield. Allowed if link is empty (Ex: contacts...). $checkproject = array('projet', 'project'); // Test for project object $checktask = array('projet_task'); // Test for task object + $checkhierarchy = array('expensereport', 'holiday'); $nocheck = array('barcode', 'stock'); // No test //$checkdefault = 'all other not already defined'; // Test on entity + link to third party on field $dbt_keyfield. Not allowed if link is empty (Ex: invoice, orders...). @@ -714,10 +724,12 @@ function checkUserAccessToObject($user, array $featuresarray, $objectid = 0, $ta $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")"; } } - } elseif (in_array($feature, $checksoc)) { // We check feature = checksoc + $checkonentitydone = 1; + } + if (in_array($feature, $checksoc)) { // We check feature = checksoc // If external user: Check permission for external users if ($user->socid > 0) { - if ($user->socid <> $objectid) { + if ($user->socid != $objectid) { return false; } } elseif (!empty($conf->societe->enabled) && ($user->rights->societe->lire && empty($user->rights->societe->client->voir))) { @@ -736,7 +748,10 @@ function checkUserAccessToObject($user, array $featuresarray, $objectid = 0, $ta $sql .= " WHERE s.rowid IN (".$db->sanitize($objectid, 1).")"; $sql .= " AND s.entity IN (".getEntity($sharedelement, 1).")"; } - } elseif (in_array($feature, $checkother)) { // Test on entity + link to thirdparty. Allowed if link is empty (Ex: contacts...). + + $checkonentitydone = 1; + } + if (in_array($feature, $checkother)) { // Test on entity + link to thirdparty. Allowed if link is empty (Ex: contacts...). // If external user: Check permission for external users if ($user->socid > 0) { $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb"; @@ -758,25 +773,19 @@ function checkUserAccessToObject($user, array $featuresarray, $objectid = 0, $ta $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")"; $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")"; } - if ($feature == 'agenda') { - // Also check owner or attendee for users without allactions->read - if ($objectid > 0 && empty($user->rights->agenda->allactions->read)) { - require_once DOL_DOCUMENT_ROOT.'/comm/action/class/actioncomm.class.php'; - $action = new ActionComm($db); - $action->fetch($objectid); - if ($action->authorid != $user->id && $action->userownerid != $user->id && !(array_key_exists($user->id, $action->userassigned))) { - return false; - } - } - } - } elseif (in_array($feature, $checkproject)) { + + $checkonentitydone = 1; + } + if (in_array($feature, $checkproject)) { if (!empty($conf->projet->enabled) && empty($user->rights->projet->all->lire)) { + $projectid = $objectid; + include_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php'; $projectstatic = new Project($db); $tmps = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1, 0); $tmparray = explode(',', $tmps); - if (!in_array($objectid, $tmparray)) { + if (!in_array($projectid, $tmparray)) { return false; } } else { @@ -785,16 +794,21 @@ function checkUserAccessToObject($user, array $featuresarray, $objectid = 0, $ta $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")"; $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")"; } - } elseif (in_array($feature, $checktask)) { + + $checkonentitydone = 1; + } + if (in_array($feature, $checktask)) { if (!empty($conf->projet->enabled) && empty($user->rights->projet->all->lire)) { $task = new Task($db); $task->fetch($objectid); + $projectid = $task->fk_project; include_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php'; $projectstatic = new Project($db); $tmps = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1, 0); + $tmparray = explode(',', $tmps); - if (!in_array($task->fk_project, $tmparray)) { + if (!in_array($projectid, $tmparray)) { return false; } } else { @@ -803,7 +817,10 @@ function checkUserAccessToObject($user, array $featuresarray, $objectid = 0, $ta $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")"; $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")"; } - } elseif (!in_array($feature, $nocheck)) { // By default (case of $checkdefault), we check on object entity + link to third party on field $dbt_keyfield + + $checkonentitydone = 1; + } + if (!$checkonentitydone && !in_array($feature, $nocheck)) { // By default (case of $checkdefault), we check on object entity + link to third party on field $dbt_keyfield // If external user: Check permission for external users if ($user->socid > 0) { if (empty($dbt_keyfield)) { @@ -845,11 +862,47 @@ function checkUserAccessToObject($user, array $featuresarray, $objectid = 0, $ta } //print $sql; + // For events, check on users assigned to event + if ($feature === 'agenda') { + // Also check owner or attendee for users without allactions->read + if ($objectid > 0 && empty($user->rights->agenda->allactions->read)) { + require_once DOL_DOCUMENT_ROOT.'/comm/action/class/actioncomm.class.php'; + $action = new ActionComm($db); + $action->fetch($objectid); + if ($action->authorid != $user->id && $action->userownerid != $user->id && !(array_key_exists($user->id, $action->userassigned))) { + return false; + } + } + } + + // For some object, we also have to check it is in the user hierarchy + // Param $object must be the full object and not a simple id to have this test possible. + if (in_array($feature, $checkhierarchy) && is_object($object)) { + $childids = $user->getAllChildIds(1); + $useridtocheck = 0; + if ($feature == 'holiday') { + $useridtocheck = $object->fk_user; + if (!in_array($useridtocheck, $childids)) { + return false; + } + $useridtocheck = $object->fk_validator; + if (!in_array($useridtocheck, $childids)) { + return false; + } + } + if ($feature == 'expensereport') { + $useridtocheck = $object->fk_user_author; + if (!in_array($useridtocheck, $childids)) { + return false; + } + } + } + if ($sql) { $resql = $db->query($sql); if ($resql) { $obj = $db->fetch_object($resql); - if (!$obj || $obj->nb < count(explode(',', $objectid))) { + if (!$obj || $obj->nb < count(explode(',', $objectid))) { // error if we found 0 or less record than nb of id provided return false; } } else { diff --git a/htdocs/core/login/functions_dolibarr.php b/htdocs/core/login/functions_dolibarr.php index f102cd2f358..292ce1b44f5 100644 --- a/htdocs/core/login/functions_dolibarr.php +++ b/htdocs/core/login/functions_dolibarr.php @@ -2,6 +2,7 @@ /* Copyright (C) 2007-2015 Laurent Destailleur | ||