From 4c90e931083c41b99a8e95905884d8ed57e0c564 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 27 Mar 2021 15:49:18 +0100 Subject: [PATCH] Fix permissions --- htdocs/reception/card.php | 46 ++++++++++++++++---------------- htdocs/reception/contact.php | 24 ++++++++++++----- htdocs/reception/index.php | 10 ++++++- htdocs/reception/list.php | 14 +++++----- htdocs/reception/note.php | 34 ++++++++++++----------- htdocs/reception/stats/index.php | 14 +++++----- htdocs/reception/stats/month.php | 6 +++++ 7 files changed, 88 insertions(+), 60 deletions(-) diff --git a/htdocs/reception/card.php b/htdocs/reception/card.php index bbfccb3b945..9392844adf2 100644 --- a/htdocs/reception/card.php +++ b/htdocs/reception/card.php @@ -86,25 +86,6 @@ if (empty($origin_id)) { $ref = GETPOST('ref', 'alpha'); $line_id = GETPOST('lineid', 'int') ?GETPOST('lineid', 'int') : ''; -// Security check -$socid = ''; -if ($user->socid) { - $socid = $user->socid; -} - -if ($origin == 'reception') { - $result = restrictedArea($user, $origin, $id); -} else { - $result = restrictedArea($user, 'reception'); - if ($origin == 'supplierorder') { - if (empty($user->rights->fournisseur->commande->lire) && empty($user->rights->fournisseur->commande->read)) { - accessforbidden(); - } - } elseif (empty($user->rights->{$origin}->lire) && empty($user->rights->{$origin}->read)) { - accessforbidden(); - } -} - $action = GETPOST('action', 'alpha'); //Select mail models is same action as presend if (GETPOST('modelselected')) { 
@@ -136,6 +117,25 @@ $permissiondellink = $user->rights->reception->creer; // Used by the include of $date_delivery = dol_mktime(GETPOST('date_deliveryhour', 'int'), GETPOST('date_deliverymin', 'int'), 0, GETPOST('date_deliverymonth', 'int'), GETPOST('date_deliveryday', 'int'), GETPOST('date_deliveryyear', 'int')); +// Security check +$socid = ''; +if ($user->socid) { + $socid = $user->socid; +} + +if ($origin == 'reception') { + $result = restrictedArea($user, $origin, $id); +} else { + $result = restrictedArea($user, 'reception'); + if ($origin == 'supplierorder') { + if (empty($user->rights->fournisseur->commande->lire) && empty($user->rights->fournisseur->commande->read)) { + accessforbidden(); + } + } elseif (empty($user->rights->{$origin}->lire) && empty($user->rights->{$origin}->read)) { + accessforbidden(); + } +} + /* * Actions @@ -784,7 +784,7 @@ if ($action == 'create') { print ''; print ''.$langs->trans("Project").''; $numprojet = $formproject->select_projects($soc->id, $projectid, 'projectid', 0); - print '   id).'">'.$langs->trans("AddProject").''; + print '   id).'">'; print ''; print ''; } @@ -1122,12 +1122,12 @@ if ($action == 'create') { if (!empty($product->status_batch)) { print ''; if (empty($conf->global->PRODUCT_DISABLE_EATBY)) { - print ''; + print ''; print $form->selectDate($dispatchLines[$indiceAsked]['DLC'], 'dlc'.$indiceAsked, '', '', 1, ""); print ''; } if (empty($conf->global->PRODUCT_DISABLE_SELLBY)) { - print ''; + print ''; print $form->selectDate($dispatchLines[$indiceAsked]['DLUO'], 'dluo'.$indiceAsked, '', '', 1, ""); print ''; } @@ -1798,7 +1798,7 @@ if ($action == 'create') { print ''.$formproduct->selectWarehouses($lines[$i]->fk_entrepot, 'entl'.$line_id, '', 1, 0, $lines[$i]->fk_product, '', 1).''; // Batch number managment if ($conf->productbatch->enabled && !empty($lines[$i]->product->status_batch)) { - print '
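Review bot: The re-added check binds authorization to a specific record only in the `reception` branch; the `else` branch calls `restrictedArea($user, 'reception')` with no object id, so for an external user (`$user->socid` set) only the module-level read right is verified and the per-record ownership check is skipped. `$origin` is assigned outside this hunk and, given that the code dispatches on a `supplierorder` value, is presumably request-supplied, which lets the caller choose which branch applies; if `$id` identifies the origin document in that branch, pass it to `restrictedArea()` together with that document's feature rather than checking the module right alone, and otherwise add a comment stating why no record check is needed. The `{$origin}` dynamic property lookup is fail-closed for unknown module names, but an explicit whitelist of accepted origins (`if (!in_array($origin, array('reception', 'supplierorder', ...), true)) accessforbidden();`) would state that intent instead of building a property name from input. The `$permissiondellink` assignment and the delivery-date parsing on the preceding context lines now run before this check; harmless as shown, but nothing that writes or emits should be added above it.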
'; + print '
'; if (empty($conf->global->PRODUCT_DISABLE_EATBY)) { print $langs->trans('EatByDate').' : '; print $form->selectDate($lines[$i]->eatby, 'dlc'.$line_id, '', '', 1, "").'
'; diff --git a/htdocs/reception/contact.php b/htdocs/reception/contact.php index f814bbbf64a..f925388f0b6 100644 --- a/htdocs/reception/contact.php +++ b/htdocs/reception/contact.php @@ -43,12 +43,6 @@ $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); $action = GETPOST('action', 'aZ09'); -// Security check -if ($user->socid) { - $socid = $user->socid; -} -$result = restrictedArea($user, 'reception', $id, ''); - $object = new Reception($db); if ($id > 0 || !empty($ref)) { $object->fetch($id, $ref); @@ -69,6 +63,24 @@ if ($id > 0 || !empty($ref)) { } +// Security check +if ($user->socid > 0) { + $socid = $user->socid; +} +if ($origin == 'reception') { + $result = restrictedArea($user, $origin, $object->id); +} else { + $result = restrictedArea($user, 'reception'); + if ($origin == 'supplierorder') { + if (empty($user->rights->fournisseur->commande->lire) && empty($user->rights->fournisseur->commande->read)) { + accessforbidden(); + } + } elseif (empty($user->rights->{$origin}->lire) && empty($user->rights->{$origin}->read)) { + accessforbidden(); + } +} + + /* * Actions */ diff --git a/htdocs/reception/index.php b/htdocs/reception/index.php index 3aa6b8af754..a54eea592c0 100644 --- a/htdocs/reception/index.php +++ b/htdocs/reception/index.php @@ -36,13 +36,21 @@ $hookmanager->initHooks(array('receptionindex')); $langs->loadLangs(array("orders", "receptions")); +$reception = new Reception($db); + +// Security check +if ($user->socid) { + $socid = $user->socid; +} +$result = restrictedArea($user, 'reception', 0, ''); + + /* * View */ $orderstatic = new CommandeFournisseur($db); $companystatic = new Societe($db); -$reception = new Reception($db); $helpurl = 'EN:Module_Receptions|FR:Module_Receptions|ES:Módulo_Receptiones'; llxHeader('', $langs->trans("Reception"), $helpurl); diff --git a/htdocs/reception/list.php b/htdocs/reception/list.php index b77742dd71d..bdc65fb301b 100644 --- a/htdocs/reception/list.php +++ b/htdocs/reception/list.php 
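Review bot: The check that replaces `restrictedArea($user, 'reception', $id, '')` only passes `$object->id` in the `reception` branch, so for any other `$origin` the record-level ownership check (an external user's `$user->socid` against the reception's company) is no longer performed and only the module read right is verified. `$origin` is set outside this hunk, presumably from the fetched object, and a reception created from a supplier order would then take the weaker branch as the common path. Since this page is always about the reception identified by `$id`/`$ref`, keep the object-scoped call unconditional, `$result = restrictedArea($user, 'reception', $object->id, '');`, and run the origin-specific rights checks after it. Note that `$object->fetch()` now runs before any authorization; acceptable for deriving `$origin`, but nothing that echoes object data should be placed above the check. The `if ($user->socid > 0)` guard also differs from the `if ($user->socid)` form used elsewhere in this patch; pick one.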
@@ -40,13 +40,6 @@ $socid = GETPOST('socid', 'int'); $massaction = GETPOST('massaction', 'alpha'); $toselect = GETPOST('toselect', 'array'); -// Security check -$receptionid = GETPOST('id', 'int'); -if ($user->socid) { - $socid = $user->socid; -} -$result = restrictedArea($user, 'reception', $receptionid, ''); - $diroutputmassaction = $conf->reception->dir_output.'/temp/massgeneration/'.$user->id; $search_ref_rcp = GETPOST("search_ref_rcp"); @@ -129,6 +122,13 @@ $arrayfields = dol_sort_array($arrayfields, 'position'); $error = 0; +// Security check +$receptionid = GETPOST('id', 'int'); +if ($user->socid) { + $socid = $user->socid; +} +$result = restrictedArea($user, 'reception', $receptionid, ''); + /* * Actions diff --git a/htdocs/reception/note.php b/htdocs/reception/note.php index b1588a07b14..a3a2b31589c 100644 --- a/htdocs/reception/note.php +++ b/htdocs/reception/note.php @@ -33,26 +33,12 @@ if (!empty($conf->projet->enabled)) { require_once DOL_DOCUMENT_ROOT.'/core/class/html.formprojet.class.php'; } -$langs->load("receptions"); -$langs->load("companies"); -$langs->load("bills"); -$langs->load('deliveries'); -$langs->load('orders'); -$langs->load('stocks'); -$langs->load('other'); -$langs->load('propal'); +$langs->loadLangs(array("receptions", "companies", "bills", 'deliveries', 'orders', 'stocks', 'other', 'propal')); $id = (GETPOST('id', 'int') ?GETPOST('id', 'int') : GETPOST('facid', 'int')); // For backward compatibility $ref = GETPOST('ref', 'alpha'); $action = GETPOST('action', 'aZ09'); -// Security check -$socid = ''; -if ($user->socid) { - $socid = $user->socid; -} -$result = restrictedArea($user, $origin, $origin_id); - $object = new Reception($db); if ($id > 0 || !empty($ref)) { $object->fetch($id, $ref); 
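Review bot: Moving the `$socid = $user->socid` override to after the column setup widens the window in which `$socid` holds the request-supplied value from `GETPOST('socid', 'int')` shown at the top of the first hunk: everything between the old and the new position (the `$arrayfields` construction and the roughly eighty lines not shown) now runs with a third-party id chosen by the caller rather than the external user's own company. Nothing in the visible lines reads `$socid` in that region, but this should be confirmed for the elided code, and the safer order is to apply the override right after `$socid = GETPOST('socid', 'int');` and leave only the `restrictedArea()` call at the later position. Passing `$receptionid` from `GETPOST('id', 'int')` on a list page is harmless but unusual next to index.php's `restrictedArea($user, 'reception', 0, '')`; a one-line comment explaining why a record id is honoured here would help the next reader.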
@@ -77,6 +63,24 @@ if ($id > 0 || !empty($ref)) { $permissionnote = $user->rights->reception->creer; // Used by the include of actions_setnotes.inc.php +// Security check +if ($user->socid > 0) { + $socid = $user->socid; +} +if ($origin == 'reception') { + $result = restrictedArea($user, $origin, $object->id); +} else { + $result = restrictedArea($user, 'reception'); + if ($origin == 'supplierorder') { + if (empty($user->rights->fournisseur->commande->lire) && empty($user->rights->fournisseur->commande->read)) { + accessforbidden(); + } + } elseif (empty($user->rights->{$origin}->lire) && empty($user->rights->{$origin}->read)) { + accessforbidden(); + } +} + + /* * Actions diff --git a/htdocs/reception/stats/index.php b/htdocs/reception/stats/index.php index 0b118c5d733..1fe3397ef66 100644 --- a/htdocs/reception/stats/index.php +++ b/htdocs/reception/stats/index.php @@ -34,11 +34,6 @@ $HEIGHT = DolGraph::getDefaultGraphSizeForStats('height'); $userid = GETPOST('userid', 'int'); $socid = GETPOST('socid', 'int'); -// Security check -if ($user->socid > 0) { - $action = ''; - $socid = $user->socid; -} $nowyear = strftime("%Y", dol_now()); $year = GETPOST('year') > 0 ?GETPOST('year') : $nowyear; @@ -46,10 +41,13 @@ $year = GETPOST('year') > 0 ?GETPOST('year') : $nowyear; $startyear = $year - 1; $endyear = $year; -$langs->load("reception"); -$langs->load("other"); -$langs->load("companies"); +$langs->loadLangs(array("reception", "other", "companies")); +// Security check +if ($user->socid) { + $socid = $user->socid; +} +$result = restrictedArea($user, 'reception', 0, ''); /* diff --git a/htdocs/reception/stats/month.php b/htdocs/reception/stats/month.php index 25c6b16e116..806006394df 100644 --- a/htdocs/reception/stats/month.php +++ b/htdocs/reception/stats/month.php 
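Review bot: As in contact.php, the new check passes `$object->id` to `restrictedArea()` only when `$origin == 'reception'`; for any other origin the module-level read right is all that is verified and the per-record ownership check for external users is dropped, whereas the first hunk of this file removed a call that at least attempted an object-scoped check (with `$origin`/`$origin_id`, which do not appear to be defined at that point, so the old call was likely broken rather than protective). This page always concerns the reception loaded by `$object->fetch($id, $ref)`, so call `$result = restrictedArea($user, 'reception', $object->id, '');` unconditionally and keep the origin-specific rights checks as an additional gate. Where `$origin` is assigned is outside this hunk; if it comes from the fetched object, add a comment saying so (`// $origin is derived from the fetched reception, not from the request`) so the dynamic `{$origin}` rights lookup is understood to be keyed on stored data.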
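Review bot: The re-added check no longer clears `$action` for external users: the removed block in the previous hunk did `$action = '';` when `$user->socid > 0`, and the new one only sets `$socid` and calls `restrictedArea()`. If any code path on this page is gated on `$action`, external users can now reach it where they previously could not; either restore `$action = '';` inside the `if ($user->socid)` branch or add a comment noting that this page has no actions and the reset was redundant. Adding `restrictedArea($user, 'reception', 0, '')` here is otherwise an improvement, since the old block only narrowed `$socid` and never checked the reception read right.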
@@ -29,6 +29,12 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/dolgraph.class.php'; $year = GETPOST("year", 'int'); +// Security check +if ($user->socid) { + $socid = $user->socid; +} +$result = restrictedArea($user, 'reception', 0, ''); + /* * View