diff --git a/htdocs/ecm/dir_add_card.php b/htdocs/ecm/dir_add_card.php index 4cf557acde6..1416983e3a3 100644 --- a/htdocs/ecm/dir_add_card.php +++ b/htdocs/ecm/dir_add_card.php @@ -188,7 +188,7 @@ if ($action == 'add' && $permtoadd) { exit; } } -} elseif ($action == 'confirm_deletesection' && $confirm == 'yes') { +} elseif ($action == 'confirm_deletesection' && $confirm == 'yes' && $permtoadd) { // Deleting file $result = $ecmdir->delete($user); setEventMessages($langs->trans("ECMSectionWasRemoved", $ecmdir->label), null, 'mesgs'); diff --git a/htdocs/ecm/dir_card.php b/htdocs/ecm/dir_card.php index 4c93e005266..d84a7330e69 100644 --- a/htdocs/ecm/dir_card.php +++ b/htdocs/ecm/dir_card.php @@ -88,17 +88,23 @@ if ($module == 'ecm') { } // Permissions +$permtoread = 0; $permtoadd = 0; $permtoupload = 0; if ($module == 'ecm') { + $permtoread = $user->rights->ecm->read; $permtoadd = $user->rights->ecm->setup; $permtoupload = $user->rights->ecm->upload; } if ($module == 'medias') { + $permtoread = ($user->rights->mailing->lire || $user->rights->website->read); $permtoadd = ($user->rights->mailing->creer || $user->rights->website->write); $permtoupload = ($user->rights->mailing->creer || $user->rights->website->write); } +if (!$permtoread) { + accessforbidden(); +} /* @@ -106,7 +112,7 @@ if ($module == 'medias') { */ // Upload file -if (GETPOST("sendit") && !empty($conf->global->MAIN_UPLOAD_DOC)) { +if (GETPOST("sendit") && !empty($conf->global->MAIN_UPLOAD_DOC) && $permtoupload) { if (dol_mkdir($upload_dir) >= 0) { $resupload = dol_move_uploaded_file($_FILES['userfile']['tmp_name'], $upload_dir."/".dol_unescapefile($_FILES['userfile']['name']), 0, 0, $_FILES['userfile']['error']); if (is_numeric($resupload) && $resupload > 0) { @@ -131,7 +137,7 @@ if (GETPOST("sendit") && !empty($conf->global->MAIN_UPLOAD_DOC)) { } // Remove file -if ($action == 'confirm_deletefile' && $confirm == 'yes') { +if ($action == 'confirm_deletefile' && $confirm == 'yes' && $permtoupload) { $langs->load("other"); $file = $upload_dir."/".GETPOST('urlfile'); // Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP). $ret = dol_delete_file($file); @@ -145,7 +151,7 @@ if ($action == 'confirm_deletefile' && $confirm == 'yes') { } // Remove dir -if ($action == 'confirm_deletedir' && $confirm == 'yes') { +if ($action == 'confirm_deletedir' && $confirm == 'yes' && $permtoupload) { $backtourl = DOL_URL_ROOT."/ecm/index.php"; if ($module == 'medias') { $backtourl = DOL_URL_ROOT."/website/index.php?file_manager=1"; @@ -181,7 +187,7 @@ if ($action == 'confirm_deletedir' && $confirm == 'yes') { } // Update dirname or description -if ($action == 'update' && !GETPOST('cancel', 'alpha')) { +if ($action == 'update' && !GETPOST('cancel', 'alpha') && $permtoadd) { $error = 0; if ($module == 'ecm') { diff --git a/htdocs/ecm/file_card.php b/htdocs/ecm/file_card.php index 93885c2843a..14bc7e377f0 100644 --- a/htdocs/ecm/file_card.php +++ b/htdocs/ecm/file_card.php @@ -36,10 +36,6 @@ $action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); $backtopage = GETPOST('backtopage', 'alpha'); -if (!$user->rights->ecm->setup) { - accessforbidden(); -} - // Get parameters $socid = GETPOST("socid", "int"); @@ -105,6 +101,14 @@ if ($result < 0) { exit; } +// Permissions +$permtoread = $user->rights->ecm->read; +$permtoadd = $user->rights->ecm->setup; +$permtoupload = $user->rights->ecm->upload; + +if (!$permtoread) { + accessforbidden(); +} /* @@ -123,7 +127,7 @@ if ($cancel) { } // Rename file -if ($action == 'update') { +if ($action == 'update' && $permtoadd) { $error = 0; $oldlabel = GETPOST('urlfile', 'alpha'); diff --git a/htdocs/ecm/file_note.php b/htdocs/ecm/file_note.php index d2f3f7b4792..505e432f982 100644 --- a/htdocs/ecm/file_note.php +++ b/htdocs/ecm/file_note.php @@ -22,7 +22,7 @@ /** * \file htdocs/ecm/file_note.php * \ingroup ecm - * \brief Fiche de notes sur une ecm file + * \brief Tab for notes on an ECM file */ require '../main.inc.php'; @@ -39,10 +39,6 @@ $ref = GETPOST('ref', 'alpha'); $socid = GETPOST('socid', 'int'); $action = GETPOST('action', 'aZ09'); -if (!$user->rights->ecm->setup) { - accessforbidden(); -} - // Get parameters $socid = GETPOST("socid", "int"); // Security check @@ -109,6 +105,13 @@ if ($result < 0) { $permissionnote = $user->rights->ecm->setup; // Used by the include of actions_setnotes.inc.php +$permtoread = $user->rights->ecm->read; + +if (!$permtoread) { + accessforbidden(); +} + + /* * Actions */ diff --git a/htdocs/ecm/index.php b/htdocs/ecm/index.php index 26bf242b0f2..3a8d33343c7 100644 --- a/htdocs/ecm/index.php +++ b/htdocs/ecm/index.php @@ -34,12 +34,6 @@ require_once DOL_DOCUMENT_ROOT.'/ecm/class/ecmdirectory.class.php'; // Load translation files required by the page $langs->loadLangs(array("ecm", "companies", "other", "users", "orders", "propal", "bills", "contracts")); -// Security check -if ($user->socid) { - $socid = $user->socid; -} -$result = restrictedArea($user, 'ecm', 0); - // Get parameters $socid = GETPOST('socid', 'int'); $action = GETPOST('action', 'aZ09'); @@ -81,6 +75,12 @@ $userstatic = new User($db); $error = 0; +// Security check +if ($user->socid) { + $socid = $user->socid; +} +$result = restrictedArea($user, 'ecm', 0); + /* * Actions diff --git a/htdocs/ecm/search.php b/htdocs/ecm/search.php index 979e1d3a417..aa792e0c9d7 100644 --- a/htdocs/ecm/search.php +++ b/htdocs/ecm/search.php @@ -84,6 +84,12 @@ if (!empty($section)) { } } +$permtoread = $user->rights->ecm->read; + +if (!$permtoread) { + accessforbidden(); +} + /* * Actions