Improving the use of permissions in opensurvey module

This commit is contained in:
Marcos García de La Fuente 2014-01-05 06:18:26 +01:00
parent 12c5a2c201
commit 6397b0b7aa
5 changed files with 88 additions and 26 deletions


@ -1,5 +1,6 @@
<?php
/* Copyright (C) 2013 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2014 Marcos García <marcosgdf@gmail.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -107,8 +108,7 @@ class modOpenSurvey extends DolibarrModules
$this->rights[$r][1] = 'Read surveys'; // Permission label
$this->rights[$r][2] = 'r'; // Permission by default for new user (0/1)
$this->rights[$r][3] = 0; // Permission by default for new user (0/1)
$this->rights[$r][4] = 'survey'; // In php code, permission will be checked by test if ($user->rights->permkey->level1->level2)
$this->rights[$r][5] = 'read'; // In php code, permission will be checked by test if ($user->rights->permkey->level1->level2)
$this->rights[$r][4] = 'read'; // In php code, permission will be checked by test if ($user->rights->permkey->level1->level2)
$r++;
// Add here list of permission defined by an id, a label, a boolean and two constant strings.
@ -117,8 +117,7 @@ class modOpenSurvey extends DolibarrModules
$this->rights[$r][1] = 'Create/modify surveys'; // Permission label
$this->rights[$r][2] = 'w'; // Permission by default for new user (0/1)
$this->rights[$r][3] = 0; // Permission by default for new user (0/1)
$this->rights[$r][4] = 'survey'; // In php code, permission will be checked by test if ($user->rights->permkey->level1->level2)
$this->rights[$r][5] = 'write'; // In php code, permission will be checked by test if ($user->rights->permkey->level1->level2)
$this->rights[$r][4] = 'write'; // In php code, permission will be checked by test if ($user->rights->permkey->level1->level2)
$r++;
@ -134,7 +133,7 @@ class modOpenSurvey extends DolibarrModules
'langs'=>'opensurvey',
'position'=>200,
'enabled'=>'$conf->opensurvey->enabled', // Define condition to show or hide menu entry. Use '$conf->NewsSubmitter->enabled' if entry must be visible if module is enabled.
'perms'=>'$user->rights->opensurvey->survey->read',
'perms'=>'$user->rights->opensurvey->read',
'target'=>'',
'user'=>0);
$r++;
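Review bot: Removing the `survey` level from the rights tuple (L22-L24, L31-L33) means any call site still written as `$user->rights->opensurvey->survey->read` now reads a missing property and evaluates to false, so it fails closed but only with a PHP notice rather than an obvious error. The four pages in this commit are converted; I cannot see from here whether other module pages or menu entries outside this diff still use the old two-level key, so a repository-wide search for `opensurvey->survey` before merge would confirm the rename is complete. Separately, the comment on the `'r'`/`'w'` element (L20, L29) is a copy of the `(0/1)` comment on the next line and does not describe that value; replacing it with `// Permission type` would stop the two lines contradicting each other.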


@ -30,8 +30,7 @@ require_once(DOL_DOCUMENT_ROOT."/opensurvey/fonctions.php");
// Security check
if (!$user->admin) accessforbidden();
if (!$user->rights->opensurvey->read) accessforbidden();
// Initialisation des variables
$action=GETPOST('action');
@ -62,6 +61,9 @@ $expiredate=dol_mktime(0, 0, 0, GETPOST('expiremonth'), GETPOST('expireday'), GE
// Delete
if ($action == 'delete_confirm')
{
// Security check
if (!$user->rights->opensurvey->write) accessforbidden();
$result=$object->delete($user,'',$numsondage);
header('Location: '.dol_buildpath('/opensurvey/list.php',1));
@ -71,6 +73,9 @@ if ($action == 'delete_confirm')
// Update
if ($action == 'update')
{
// Security check
if (!$user->rights->opensurvey->write) accessforbidden();
$error=0;
if (! GETPOST('nouveautitre'))
@ -134,10 +139,19 @@ if (GETPOST('ajoutcomment'))
$idcomment=GETPOST('deletecomment','int');
if ($idcomment)
{
// Security check
if (!$user->rights->opensurvey->write) accessforbidden();
$sql = 'DELETE FROM '.MAIN_DB_PREFIX.'opensurvey_comments WHERE id_comment = '.$idcomment;
$resql = $db->query($sql);
}
if ($action == 'edit') {
// Security check
if (!$user->rights->opensurvey->write) accessforbidden();
}
/*
* View
@ -282,9 +296,14 @@ dol_fiche_end();
*/
print '<div class="tabsAction">';
if ($action != 'edit') print '<a class="butAction" href="'.$_SERVER["PHP_SELF"].'?action=edit&id=' . $numsondage . '">'.$langs->trans("Modify") . '</a>';
if ($action != 'edit' && $user->rights->opensurvey->write) {
//Modify button
print '<a class="butAction" href="'.$_SERVER["PHP_SELF"].'?action=edit&id=' . $numsondage . '">'.$langs->trans("Modify") . '</a>';
if ($action != 'edit') print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?suppressionsondage=1&id='.$numsondage.'&amp;action=delete">'.$langs->trans('Delete').'</a>';
//Delete button
print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?suppressionsondage=1&id='.$numsondage.'&amp;action=delete">'.$langs->trans('Delete').'</a>';
}
print '</div>';
@ -307,7 +326,10 @@ $comments = $object->getComments();
if ($comments) {
foreach ($comments as $comment) {
print '<a href="'.dol_buildpath('/opensurvey/adminstuds.php',1).'?deletecomment='.$comment->id_comment.'&id='.$numsondage.'"> '.img_picto('', 'delete.png').'</a> ';
if ($user->rights->opensurvey->write) {
print '<a href="'.dol_buildpath('/opensurvey/adminstuds.php',1).'?deletecomment='.$comment->id_comment.'&id='.$numsondage.'"> '.img_picto('', 'delete.png').'</a> ';
}
print htmlentities($comment->usercomment).': '.dol_nl2br(htmlentities($comment->comment))." <br>";
}
}
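Review bot: The comment deletion at L75 is still keyed on `id_comment` alone and is triggered by a bare GET parameter, and since L50 now admits every user holding the module's read right instead of admins only, the new write check at L74 is the only guard in front of it. I would scope the DELETE to the survey being displayed as well, `... WHERE id_comment = '.$idcomment.' AND <survey id column> = \''.$db->escape($numsondage).'\''` (the comments table's survey column is not visible in this hunk), and test `$resql` for failure before rendering continues, as the result is currently discarded. Because the link that fires this is the one emitted by the new code at L100-L101, it would also be safer to make comment deletion an explicit `action` submitted by POST rather than a side effect of requesting a URL. `$numsondage` and the `'int'` filtering of `$idcomment` at L70 come from code outside the hunk, so I am assuming the latter yields a plain integer.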


@ -31,7 +31,7 @@ require_once(DOL_DOCUMENT_ROOT."/opensurvey/fonctions.php");
// Security check
if (!$user->admin) accessforbidden();
if (!$user->rights->opensurvey->read) accessforbidden();
// Init vars
@ -119,7 +119,10 @@ for ($i=0; $i<$nblignes; $i++)
}
if ($testmodifier)
{
//var_dump($_POST);exit;
// Security check
if (!$user->rights->opensurvey->write) accessforbidden();
$nouveauchoix = '';
for ($i = 0; $i < $nbcolonnes; $i++)
{
@ -150,6 +153,9 @@ if ($testmodifier)
// Add column (not for date)
if (GETPOST("ajoutercolonne") && GETPOST('nouvellecolonne') && ($object->format == "A" || $object->format == "A+"))
{
// Security check
if (!$user->rights->opensurvey->write) accessforbidden();
$nouveauxsujets=$object->sujet;
//on rajoute la valeur a la fin de tous les sujets deja entrés
@ -168,6 +174,9 @@ if (GETPOST("ajoutercolonne") && GETPOST('nouvellecolonne') && ($object->format
// Add column (with format date)
if (isset($_POST["ajoutercolonne"]) && ($object->format == "D" || $object->format == "D+"))
{
// Security check
if (!$user->rights->opensurvey->write) accessforbidden();
$nouveauxsujets=$object->sujet;
if (isset($_POST["nouveaujour"]) && $_POST["nouveaujour"] != "vide" &&
@ -268,6 +277,9 @@ for ($i = 0; $i < $nblignes; $i++)
{
if (isset($_POST["effaceligne$i"]) || isset($_POST['effaceligne'.$i.'_x']))
{
// Security check
if (!$user->rights->opensurvey->write) accessforbidden();
$compteur=0;
// Loop on each answer
@ -300,6 +312,9 @@ for ($i = 0; $i < $nbcolonnes; $i++)
{
if ((isset($_POST["effacecolonne$i"]) || isset($_POST['effacecolonne'.$i.'_x'])) && $nbcolonnes > 1)
{
// Security check
if (!$user->rights->opensurvey->write) accessforbidden();
$db->begin();
$toutsujet = explode(",",$object->sujet);
@ -459,6 +474,9 @@ showlogo();
// Add form to add a field
if (GETPOST('ajoutsujet'))
{
// Security check
if (!$user->rights->opensurvey->write) accessforbidden();
//on recupere les données et les sujets du sondage
print '<form name="formulaire" action="'.$_SERVER["PHP_SELF"].'" method="POST">'."\n";
print '<input type="hidden" name="id" value="'.$numsondage.'">';
@ -542,8 +560,9 @@ if (GETPOST('ajoutsujet'))
exit;
}
print $langs->trans("PollAdminDesc",img_picto('','cancel.png@opensurvey'),img_picto('','add-16.png@opensurvey')).'<br><br>';
if ($user->rights->opensurvey->write) {
print $langs->trans("PollAdminDesc",img_picto('','cancel.png@opensurvey'),img_picto('','add-16.png@opensurvey')).'<br><br>';
}
print '<div class="corps"> '."\n";
@ -586,8 +605,11 @@ print '<td></td>'."\n";
print '<td></td>'."\n";
//boucle pour l'affichage des boutons de suppression de colonne
for ($i = 0; isset($toutsujet[$i]); $i++) {
print '<td class=somme><input type="image" name="effacecolonne'.$i.'" value="Effacer la colonne" src="'.dol_buildpath('/opensurvey/img/cancel.png',1).'"></td>'."\n";
if ($user->rights->opensurvey->write) {
for ($i = 0; isset($toutsujet[$i]); $i++) {
print '<td class=somme><input type="image" name="effacecolonne'.$i.'" src="'.dol_buildpath('/opensurvey/img/cancel.png',1).'"></td>'."\n";
}
}
print '</tr>'."\n";
@ -626,7 +648,11 @@ if ($object->format=="D"||$object->format=="D+")
}
}
print '<td class="annee"><a href="'.$_SERVER["PHP_SELF"].'?ajoutsujet=1&id='.$object->id_sondage.'">'.$langs->trans("Add").'</a></td>'."\n";
if ($user->rights->opensurvey->write) {
print '<td class="annee">';
print '<a href="'.$_SERVER["PHP_SELF"].'?ajoutsujet=1&id='.$object->id_sondage.'">'.$langs->trans("Add").'</a></td>'."\n";
}
print '</tr>'."\n";
print '<tr>'."\n";
print '<td></td>'."\n";
@ -652,7 +678,10 @@ if ($object->format=="D"||$object->format=="D+")
}
}
print '<td class="mois"><a href="'.$_SERVER["PHP_SELF"].'?ajoutsujet=1&id='.$object->id_sondage.'">'.$langs->trans("Add").'</a></td>'."\n";
if ($user->rights->opensurvey->write) {
print '<td class="mois"><a href="'.$_SERVER["PHP_SELF"].'?ajoutsujet=1&id='.$object->id_sondage.'">'.$langs->trans("Add").'</a></td>'."\n";
}
print '</tr>'."\n";
print '<tr>'."\n";
print '<td></td>'."\n";
@ -676,7 +705,9 @@ if ($object->format=="D"||$object->format=="D+")
}
}
print '<td class="jour"><a href="'.$_SERVER["PHP_SELF"].'?ajoutsujet=1&id='.$object->id_sondage.'">'.$langs->trans("Add").'</a></td>'."\n";
if ($user->rights->opensurvey->write) {
print '<td class="jour"><a href="'.$_SERVER["PHP_SELF"].'?ajoutsujet=1&id='.$object->id_sondage.'">'.$langs->trans("Add").'</a></td>'."\n";
}
print '</tr>'."\n";
//affichage des horaires
@ -694,7 +725,10 @@ if ($object->format=="D"||$object->format=="D+")
}
}
print '<td class="heure"><a href="'.$_SERVER["PHP_SELF"].'?ajoutsujet=1&id='.$object->id_sondage.'">'.$langs->trans("Add").'</a></td>'."\n";
if ($user->rights->opensurvey->write) {
print '<td class="heure"><a href="'.$_SERVER["PHP_SELF"].'?ajoutsujet=1&id='.$object->id_sondage.'">'.$langs->trans("Add").'</a></td>'."\n";
}
print '</tr>'."\n";
}
}
@ -737,11 +771,14 @@ while ($compteur < $num)
$ensemblereponses = $obj->reponses;
print '<tr>'."\n";
print '<td><input type="image" name="effaceligne'.$compteur.'" value="Effacer" src="'.dol_buildpath('/opensurvey/img/cancel.png',1).'"></td>'."\n";
print '<tr><td>'."\n";
if ($user->rights->opensurvey->write) {
print '<input type="image" name="effaceligne'.$compteur.'" src="'.dol_buildpath('/opensurvey/img/cancel.png',1).'">'."\n";
}
// Name
print '<td class="nom">'.htmlentities($obj->nom).'</td>'."\n";
print '</td><td class="nom">'.htmlentities($obj->nom).'</td>'."\n";
// si la ligne n'est pas a changer, on affiche les données
if (! $testligneamodifier)
@ -851,7 +888,7 @@ while ($compteur < $num)
}
// Button edit at end of line
if ($compteur != $ligneamodifier)
if ($compteur != $ligneamodifier && ($user->rights->opensurvey->write))
{
print '<td class="casevide"><input type="submit" class="button" name="modifierligne'.$compteur.'" value="'.dol_escape_htmltag($langs->trans("Edit")).'"></td>'."\n";
}
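Review bot: The read-only rendering is inconsistent between hunks of this file: at L228-L234 the `<td>` is kept and only the delete input is gated on `write`, but at L178-L182 the whole per-column cell loop is skipped, and at L188-L191, L199-L201, L209-L211 and L218-L220 the `Add` cell is dropped entirely, so read-only users get header rows with fewer cells than the data rows beneath them. Applying the L228 pattern everywhere — always print the cell, gate only its contents — keeps the table shape identical for both kinds of user; for the column loop that is `for ($i = 0; isset($toutsujet[$i]); $i++) { print '<td class=somme>'; if ($user->rights->opensurvey->write) print '<input type="image" name="effacecolonne'.$i.'" src="'.dol_buildpath('/opensurvey/img/cancel.png',1).'">'; print '</td>'."\n"; }`. The per-branch write checks at L120, L129, L137, L145, L153 and L161 cover every mutating branch visible here; the enclosing loops at L140 and L148 begin outside their hunks, so branches above them are not reviewed. At L241 the parentheses around `$user->rights->opensurvey->write` are redundant and can be dropped for consistency with the other checks.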


@ -25,7 +25,8 @@ require_once('../main.inc.php');
require_once(DOL_DOCUMENT_ROOT."/core/lib/admin.lib.php");
require_once(DOL_DOCUMENT_ROOT."/core/lib/files.lib.php");
// Security check
if (!$user->rights->opensurvey->read) accessforbidden();
/*
* View


@ -26,6 +26,9 @@ require_once('../main.inc.php');
require_once(DOL_DOCUMENT_ROOT."/core/lib/admin.lib.php");
require_once(DOL_DOCUMENT_ROOT."/core/lib/files.lib.php");
// Security check
if (!$user->rights->opensurvey->read) accessforbidden();
$action=GETPOST('action');
$id=GETPOST('id');
$numsondage= $id;