From 78d5520741746af4874f0a628d48996a83e95094 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Thu, 15 Jun 2017 21:23:35 +0200 Subject: [PATCH 1/3] Fix: missing _cleanObjectDatas function --- htdocs/admin/agenda.php | 3 +- htdocs/admin/agenda_other.php | 1 + .../action/class/api_agendaevents.class.php | 58 +++++++++++++++++++ 3 files changed, 61 insertions(+), 1 deletion(-) diff --git a/htdocs/admin/agenda.php b/htdocs/admin/agenda.php index 22679ca697b..a30ebad4703 100644 --- a/htdocs/admin/agenda.php +++ b/htdocs/admin/agenda.php @@ -33,6 +33,7 @@ if (!$user->admin) $langs->load("admin"); $langs->load("other"); +$langs->load("agenda"); $action = GETPOST('action','alpha'); $cancel = GETPOST('cancel','alpha'); @@ -172,7 +173,7 @@ if (! empty($triggers)) if ($trigger['code'] == 'FICHINTER_CLASSIFY_BILLED' && empty($conf->global->FICHINTER_CLASSIFY_BILLED)) continue; if ($trigger['code'] == 'FICHINTER_CLASSIFY_UNBILLED' && empty($conf->global->FICHINTER_CLASSIFY_BILLED)) continue; - + print ''; print ''.$trigger['code'].''; print ''.$trigger['label'].''; diff --git a/htdocs/admin/agenda_other.php b/htdocs/admin/agenda_other.php index 44ec3ade889..31bcf1077e6 100644 --- a/htdocs/admin/agenda_other.php +++ b/htdocs/admin/agenda_other.php @@ -36,6 +36,7 @@ if (!$user->admin) $langs->load("admin"); $langs->load("other"); +$langs->load("agenda"); $action = GETPOST('action','alpha'); $value = GETPOST('value','alpha'); diff --git a/htdocs/comm/action/class/api_agendaevents.class.php b/htdocs/comm/action/class/api_agendaevents.class.php index f32c721a826..40737a83799 100644 --- a/htdocs/comm/action/class/api_agendaevents.class.php +++ b/htdocs/comm/action/class/api_agendaevents.class.php @@ -111,8 +111,11 @@ class AgendaEvents extends DolibarrApi if (! DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) $search_sale = DolibarrApiAccess::$user->id; $sql = "SELECT t.id as rowid"; + if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) || $search_sale > 0) $sql .= ", sc.fk_soc, sc.fk_user"; // We need these fields in order to filter by sale (including the case where the user can only see his prospects) $sql.= " FROM ".MAIN_DB_PREFIX."actioncomm as t"; + if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) || $search_sale > 0) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; // We need this table joined to the select in order to filter by sale $sql.= ' WHERE t.entity IN ('.getEntity('agenda').')'; + if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) || $search_sale > 0) $sql.= " AND t.fk_soc = sc.fk_soc"; if ($user_ids) $sql.=" AND t.fk_user_action IN (".$user_ids.")"; if ($socid > 0) $sql.= " AND t.fk_soc = ".$socid; // Insert sale filter @@ -298,4 +301,59 @@ class AgendaEvents extends DolibarrApi } return $event; } + + /** + * Clean sensible object datas + * + * @param object $object Object to clean + * @return array Array of cleaned object properties + */ + function _cleanObjectDatas($object) { + + $object = parent::_cleanObjectDatas($object); + + unset($object->import_key); + unset($object->array_options); + unset($object->linkedObjectsIds); + unset($object->context); + unset($object->canvas); + unset($object->fk_project); + unset($object->contact); + unset($object->contact_id); + unset($object->thirdparty); + unset($object->user); + unset($object->origin); + unset($object->origin_id); + unset($object->ref_ext); + unset($object->statut); + unset($object->country); + unset($object->country_id); + unset($object->country_code); + unset($object->barcode_type); + unset($object->barcode_type_code); + unset($object->barcode_type_label); + unset($object->barcode_type_coder); + unset($object->mode_reglement_id); + unset($object->cond_reglement_id); + unset($object->cond_reglement); + unset($object->fk_delivery_address); + unset($object->shipping_method_id); + unset($object->fk_account); + unset($object->total_ht); + unset($object->total_tva); + unset($object->total_localtax1); + unset($object->total_localtax2); + unset($object->total_ttc); + unset($object->fk_incoterms); + unset($object->libelle_incoterms); + unset($object->location_incoterms); + unset($object->name); + unset($object->lastname); + unset($object->firstname); + unset($object->civility_id); + unset($object->contact); + unset($object->societe); + + return $object; + } } From 9410466d727f94f6e2b99c390f43a2e4a4bc8e00 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Thu, 15 Jun 2017 21:51:31 +0200 Subject: [PATCH 2/3] Fix: better check and security --- .../action/class/api_agendaevents.class.php | 31 ++++++++++--------- htdocs/core/lib/security.lib.php | 4 +-- htdocs/societe/class/api_contacts.class.php | 10 +++--- 3 files changed, 25 insertions(+), 20 deletions(-) diff --git a/htdocs/comm/action/class/api_agendaevents.class.php b/htdocs/comm/action/class/api_agendaevents.class.php index 40737a83799..40fce1fd640 100644 --- a/htdocs/comm/action/class/api_agendaevents.class.php +++ b/htdocs/comm/action/class/api_agendaevents.class.php @@ -63,20 +63,20 @@ class AgendaEvents extends DolibarrApi */ function get($id) { - if(! DolibarrApiAccess::$user->rights->agenda->myactions->read) { + if (! DolibarrApiAccess::$user->rights->agenda->myactions->read) { throw new RestException(401, "Insuffisant rights to read an event"); } $result = $this->actioncomm->fetch($id); - if( ! $result ) { + if ( ! $result ) { throw new RestException(404, 'Agenda Events not found'); } - if(! DolibarrApiAccess::$user->rights->agenda->allactions->read && $this->actioncomm->ownerid != DolibarrApiAccess::$user->id) { + if (! DolibarrApiAccess::$user->rights->agenda->allactions->read && $this->actioncomm->ownerid != DolibarrApiAccess::$user->id) { throw new RestException(401, "Insuffisant rights to read event for owner id ".$request_data['userownerid'].' Your id is '.DolibarrApiAccess::$user->id); } - if( ! DolibarrApi::_checkAccessToResource('agenda',$this->actioncomm->id)) { + if ( ! DolibarrApi::_checkAccessToResource('agenda',$this->actioncomm->id)) { throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login); } @@ -102,6 +102,10 @@ class AgendaEvents extends DolibarrApi $obj_ret = array(); + if (! DolibarrApiAccess::$user->rights->agenda->myactions->read) { + throw new RestException(401, "Insuffisant rights to read events"); + } + // case of external user $socid = 0; if (! empty(DolibarrApiAccess::$user->socid)) $socid = DolibarrApiAccess::$user->socid; @@ -155,7 +159,7 @@ class AgendaEvents extends DolibarrApi { $obj = $db->fetch_object($result); $actioncomm_static = new ActionComm($db); - if($actioncomm_static->fetch($obj->rowid)) { + if ($actioncomm_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($actioncomm_static); } $i++; @@ -164,7 +168,7 @@ class AgendaEvents extends DolibarrApi else { throw new RestException(503, 'Error when retrieve Agenda Event list : '.$db->lasterror()); } - if( ! count($obj_ret)) { + if ( ! count($obj_ret)) { throw new RestException(404, 'No Agenda Event found'); } return $obj_ret; @@ -178,10 +182,10 @@ class AgendaEvents extends DolibarrApi */ function post($request_data = NULL) { - if(! DolibarrApiAccess::$user->rights->agenda->myactions->create) { + if (! DolibarrApiAccess::$user->rights->agenda->myactions->create) { throw new RestException(401, "Insuffisant rights to create your Agenda Event"); } - if(! DolibarrApiAccess::$user->rights->agenda->allactions->create && DolibarrApiAccess::$user->id != $request_data['userownerid']) { + if (! DolibarrApiAccess::$user->rights->agenda->allactions->create && DolibarrApiAccess::$user->id != $request_data['userownerid']) { throw new RestException(401, "Insuffisant rights to create an Agenda Event for owner id ".$request_data['userownerid'].' Your id is '.DolibarrApiAccess::$user->id); } @@ -216,19 +220,19 @@ class AgendaEvents extends DolibarrApi */ /* function put($id, $request_data = NULL) { - if(! DolibarrApiAccess::$user->rights->agenda->myactions->create) { + if (! DolibarrApiAccess::$user->rights->agenda->myactions->create) { throw new RestException(401, "Insuffisant rights to create your Agenda Event"); } - if(! DolibarrApiAccess::$user->rights->agenda->allactions->create && DolibarrApiAccess::$user->id != $request_data['userownerid']) { + if (! DolibarrApiAccess::$user->rights->agenda->allactions->create && DolibarrApiAccess::$user->id != $request_data['userownerid']) { throw new RestException(401, "Insuffisant rights to create an Agenda Event for owner id ".$request_data['userownerid'].' Your id is '.DolibarrApiAccess::$user->id); } $result = $this->expensereport->fetch($id); - if( ! $result ) { + if ( ! $result ) { throw new RestException(404, 'expensereport not found'); } - if( ! DolibarrApi::_checkAccessToResource('expensereport',$this->expensereport->id)) { + if ( ! DolibarrApi::_checkAccessToResource('expensereport',$this->expensereport->id)) { throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login); } foreach($request_data as $field => $value) { @@ -236,7 +240,7 @@ class AgendaEvents extends DolibarrApi $this->expensereport->$field = $value; } - if($this->expensereport->update($id, DolibarrApiAccess::$user,1,'','','update')) + if ($this->expensereport->update($id, DolibarrApiAccess::$user,1,'','','update')) return $this->get($id); return false; @@ -314,7 +318,6 @@ class AgendaEvents extends DolibarrApi unset($object->import_key); unset($object->array_options); - unset($object->linkedObjectsIds); unset($object->context); unset($object->canvas); unset($object->fk_project); diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index 9a9e78513c3..d3250263a6f 100644 --- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php @@ -403,9 +403,9 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh else if (in_array($feature,$checksoc)) // We check feature = checksoc { // If external user: Check permission for external users - if ($user->societe_id > 0) + if ($user->socid > 0) { - if ($user->societe_id <> $objectid) return false; + if ($user->socid <> $objectid) return false; } // If internal user: Check permission for internal users that are restricted on their objects else if (! empty($conf->societe->enabled) && ($user->rights->societe->lire && ! $user->rights->societe->client->voir)) diff --git a/htdocs/societe/class/api_contacts.class.php b/htdocs/societe/class/api_contacts.class.php index 58fe15cf282..f136d6895b2 100644 --- a/htdocs/societe/class/api_contacts.class.php +++ b/htdocs/societe/class/api_contacts.class.php @@ -43,7 +43,8 @@ class Contacts extends DolibarrApi /** * Constructor */ - function __construct() { + function __construct() + { global $db, $conf; $this->db = $db; $this->contact = new Contact($this->db); @@ -59,7 +60,8 @@ class Contacts extends DolibarrApi * * @throws RestException */ - function get($id) { + function get($id) + { if (!DolibarrApiAccess::$user->rights->societe->contact->lire) { throw new RestException(401, 'No permission to read contacts'); @@ -105,7 +107,7 @@ class Contacts extends DolibarrApi } // case of external user, $thirdparty_ids param is ignored and replaced by user's socid - $socids = DolibarrApiAccess::$user->societe_id ? DolibarrApiAccess::$user->societe_id : $thirdparty_ids; + $socids = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : $thirdparty_ids; // If the internal user must only see his customers, force searching by him $search_sale = 0; @@ -171,7 +173,7 @@ class Contacts extends DolibarrApi } } else { - throw new RestException(503, 'Error when retreive contacts : ' . $sql); + throw new RestException(503, 'Error when retrieve contacts : ' . $sql); } if (!count($obj_ret)) { From c2901ae8cda0ec59b5ff61327e60112077eb1558 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Fri, 16 Jun 2017 11:01:58 +0200 Subject: [PATCH 3/3] Fix: add/remove unset unsused fields --- htdocs/comm/action/class/api_agendaevents.class.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/htdocs/comm/action/class/api_agendaevents.class.php b/htdocs/comm/action/class/api_agendaevents.class.php index 40fce1fd640..a607998cfa8 100644 --- a/htdocs/comm/action/class/api_agendaevents.class.php +++ b/htdocs/comm/action/class/api_agendaevents.class.php @@ -316,11 +316,12 @@ class AgendaEvents extends DolibarrApi $object = parent::_cleanObjectDatas($object); + unset($object->usermod); + unset($object->libelle); unset($object->import_key); unset($object->array_options); unset($object->context); unset($object->canvas); - unset($object->fk_project); unset($object->contact); unset($object->contact_id); unset($object->thirdparty);