From 6397b0b7aa26ac1f0a2f9e8f6f68115f5f27fb15 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20Garci=CC=81a=20de=20La=20Fuente?= Date: Sun, 5 Jan 2014 06:18:26 +0100 Subject: [PATCH] Improving the use of permissions in opensurvey module --- htdocs/core/modules/modOpenSurvey.class.php | 9 ++- htdocs/opensurvey/adminstuds.php | 32 ++++++++-- htdocs/opensurvey/adminstuds_preview.php | 67 ++++++++++++++++----- htdocs/opensurvey/index.php | 3 +- htdocs/opensurvey/list.php | 3 + 5 files changed, 88 insertions(+), 26 deletions(-) diff --git a/htdocs/core/modules/modOpenSurvey.class.php b/htdocs/core/modules/modOpenSurvey.class.php index 23452107958..cb174d2df9e 100644 --- a/htdocs/core/modules/modOpenSurvey.class.php +++ b/htdocs/core/modules/modOpenSurvey.class.php @@ -1,5 +1,6 @@ + * Copyright (C) 2014 Marcos García * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -107,8 +108,7 @@ class modOpenSurvey extends DolibarrModules $this->rights[$r][1] = 'Read surveys'; // Permission label $this->rights[$r][2] = 'r'; // Permission by default for new user (0/1) $this->rights[$r][3] = 0; // Permission by default for new user (0/1) - $this->rights[$r][4] = 'survey'; // In php code, permission will be checked by test if ($user->rights->permkey->level1->level2) - $this->rights[$r][5] = 'read'; // In php code, permission will be checked by test if ($user->rights->permkey->level1->level2) + $this->rights[$r][4] = 'read'; // In php code, permission will be checked by test if ($user->rights->permkey->level1->level2) $r++; // Add here list of permission defined by an id, a label, a boolean and two constant strings. 
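Review bot: The comment kept on the new `$this->rights[$r][4] = 'read';` line still says the test is `($user->rights->permkey->level1->level2)`, but with index 5 dropped the right now has a single level, so it should read `// In php code, permission will be checked by test if ($user->rights->permkey->level1)`; the hunk at -117 carries the same stale comment on its `'write'` line. Renaming a right's key in the module descriptor presumably also means permissions already stored under the old `survey` sub-level no longer match until the module's rights are re-registered on existing installations — worth stating in the commit message or upgrade notes. The class body continues outside the hunk.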
@@ -117,8 +117,7 @@ class modOpenSurvey extends DolibarrModules $this->rights[$r][1] = 'Create/modify surveys'; // Permission label $this->rights[$r][2] = 'w'; // Permission by default for new user (0/1) $this->rights[$r][3] = 0; // Permission by default for new user (0/1) - $this->rights[$r][4] = 'survey'; // In php code, permission will be checked by test if ($user->rights->permkey->level1->level2) - $this->rights[$r][5] = 'write'; // In php code, permission will be checked by test if ($user->rights->permkey->level1->level2) + $this->rights[$r][4] = 'write'; // In php code, permission will be checked by test if ($user->rights->permkey->level1->level2) $r++; @@ -134,7 +133,7 @@ class modOpenSurvey extends DolibarrModules 'langs'=>'opensurvey', 'position'=>200, 'enabled'=>'$conf->opensurvey->enabled', // Define condition to show or hide menu entry. Use '$conf->NewsSubmitter->enabled' if entry must be visible if module is enabled. - 'perms'=>'$user->rights->opensurvey->survey->read', + 'perms'=>'$user->rights->opensurvey->read', 'target'=>'', 'user'=>0); $r++; diff --git a/htdocs/opensurvey/adminstuds.php b/htdocs/opensurvey/adminstuds.php index 1f107a7e1af..4f93bdff8d5 100644 --- a/htdocs/opensurvey/adminstuds.php +++ b/htdocs/opensurvey/adminstuds.php @@ -30,8 +30,7 @@ require_once(DOL_DOCUMENT_ROOT."/opensurvey/fonctions.php"); // Security check -if (!$user->admin) accessforbidden(); - +if (!$user->rights->opensurvey->read) accessforbidden(); // Initialisation des variables $action=GETPOST('action'); @@ -62,6 +61,9 @@ $expiredate=dol_mktime(0, 0, 0, GETPOST('expiremonth'), GETPOST('expireday'), GE // Delete if ($action == 'delete_confirm') { + // Security check + if (!$user->rights->opensurvey->write) accessforbidden(); + $result=$object->delete($user,'',$numsondage); header('Location: '.dol_buildpath('/opensurvey/list.php',1)); 
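Review bot: Replacing `if (!$user->admin) accessforbidden();` with the module read right widens who reaches adminstuds.php from administrators to every user holding `opensurvey->read`, and the `delete_confirm` branch then requires only the module-wide write right before `$object->delete($user,'',$numsondage)`, where `$numsondage` is taken from the request. If surveys are meant to be deletable only by their creator or by admins, that ownership test is missing here; if the module-wide right is the intended model, a comment such as `// Write right is module-wide: any writer may delete any survey` above the check would make that explicit. The `update` branch in the next hunk follows the same pattern. Both handlers continue outside the hunk.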
@@ -71,6 +73,9 @@ if ($action == 'delete_confirm') // Update if ($action == 'update') { + // Security check + if (!$user->rights->opensurvey->write) accessforbidden(); + $error=0; if (! GETPOST('nouveautitre')) @@ -134,10 +139,19 @@ if (GETPOST('ajoutcomment')) $idcomment=GETPOST('deletecomment','int'); if ($idcomment) { + // Security check + if (!$user->rights->opensurvey->write) accessforbidden(); + $sql = 'DELETE FROM '.MAIN_DB_PREFIX.'opensurvey_comments WHERE id_comment = '.$idcomment; $resql = $db->query($sql); } +if ($action == 'edit') { + + // Security check + if (!$user->rights->opensurvey->write) accessforbidden(); +} + /* * View @@ -282,9 +296,14 @@ dol_fiche_end(); */ print '
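Review bot: The new write check in front of `DELETE FROM ... opensurvey_comments WHERE id_comment = '.$idcomment` gates the action but does not scope it: `$idcomment` comes from the request and the statement is not restricted to the survey being administered (`$numsondage`), so any writer can remove a comment of any survey by id. Adding an `AND` on the comment's survey column against the escaped `$numsondage` would tie the deletion to the page's survey. The `ajoutcomment` branch is visible only as hunk context, so I can't tell whether adding a comment is intentionally open to read-only users; a one-line comment stating that decision would help. The standalone `if ($action == 'edit')` block that only performs the check could carry `// The edit form below is rendered for action=edit; refuse early for read-only users` so its purpose is clear.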
'; -if ($action != 'edit') print ''.$langs->trans("Modify") . ''; +if ($action != 'edit' && $user->rights->opensurvey->write) { + + //Modify button + print ''.$langs->trans("Modify") . ''; -if ($action != 'edit') print ''.$langs->trans('Delete').''; + //Delete button + print ''.$langs->trans('Delete').''; +} print '
'; @@ -307,7 +326,10 @@ $comments = $object->getComments(); if ($comments) { foreach ($comments as $comment) { - print ' '.img_picto('', 'delete.png').' '; + if ($user->rights->opensurvey->write) { + print ' '.img_picto('', 'delete.png').' '; + } + print htmlentities($comment->usercomment).': '.dol_nl2br(htmlentities($comment->comment))."
"; } } diff --git a/htdocs/opensurvey/adminstuds_preview.php b/htdocs/opensurvey/adminstuds_preview.php index 13767fe086f..d103f75fddb 100644 --- a/htdocs/opensurvey/adminstuds_preview.php +++ b/htdocs/opensurvey/adminstuds_preview.php @@ -31,7 +31,7 @@ require_once(DOL_DOCUMENT_ROOT."/opensurvey/fonctions.php"); // Security check -if (!$user->admin) accessforbidden(); +if (!$user->rights->opensurvey->read) accessforbidden(); // Init vars @@ -119,7 +119,10 @@ for ($i=0; $i<$nblignes; $i++) } if ($testmodifier) { - //var_dump($_POST);exit; + + // Security check + if (!$user->rights->opensurvey->write) accessforbidden(); + $nouveauchoix = ''; for ($i = 0; $i < $nbcolonnes; $i++) { @@ -150,6 +153,9 @@ if ($testmodifier) // Add column (not for date) if (GETPOST("ajoutercolonne") && GETPOST('nouvellecolonne') && ($object->format == "A" || $object->format == "A+")) { + // Security check + if (!$user->rights->opensurvey->write) accessforbidden(); + $nouveauxsujets=$object->sujet; //on rajoute la valeur a la fin de tous les sujets deja entrés @@ -168,6 +174,9 @@ if (GETPOST("ajoutercolonne") && GETPOST('nouvellecolonne') && ($object->format // Add column (with format date) if (isset($_POST["ajoutercolonne"]) && ($object->format == "D" || $object->format == "D+")) { + // Security check + if (!$user->rights->opensurvey->write) accessforbidden(); + $nouveauxsujets=$object->sujet; if (isset($_POST["nouveaujour"]) && $_POST["nouveaujour"] != "vide" && @@ -268,6 +277,9 @@ for ($i = 0; $i < $nblignes; $i++) { if (isset($_POST["effaceligne$i"]) || isset($_POST['effaceligne'.$i.'_x'])) { + // Security check + if (!$user->rights->opensurvey->write) accessforbidden(); + $compteur=0; // Loop on each answer 
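Review bot: In adminstuds_preview.php the pair `// Security check` / `if (!$user->rights->opensurvey->write) accessforbidden();` is repeated inside every mutating branch, starting with the `$testmodifier` block here and again in the hunks at -150, -168, -268, -300 and -459, and the same right is tested once more before each `Add` button in the view. Evaluating it once after the read check, `$canwrite = ! empty($user->rights->opensurvey->write);`, and testing `$canwrite` in the handlers and the view would keep the decision in one place and make a missed branch easier to spot. Placing the checks inside the branches rather than at the top of the file is correct, since read-only users must still be able to view the page. The loops enclosing these branches start outside the hunks.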
@@ -300,6 +312,9 @@ for ($i = 0; $i < $nbcolonnes; $i++) { if ((isset($_POST["effacecolonne$i"]) || isset($_POST['effacecolonne'.$i.'_x'])) && $nbcolonnes > 1) { + // Security check + if (!$user->rights->opensurvey->write) accessforbidden(); + $db->begin(); $toutsujet = explode(",",$object->sujet); @@ -459,6 +474,9 @@ showlogo(); // Add form to add a field if (GETPOST('ajoutsujet')) { + // Security check + if (!$user->rights->opensurvey->write) accessforbidden(); + //on recupere les données et les sujets du sondage print '
'."\n"; print ''; @@ -542,8 +560,9 @@ if (GETPOST('ajoutsujet')) exit; } - -print $langs->trans("PollAdminDesc",img_picto('','cancel.png@opensurvey'),img_picto('','add-16.png@opensurvey')).'

'; +if ($user->rights->opensurvey->write) { + print $langs->trans("PollAdminDesc",img_picto('','cancel.png@opensurvey'),img_picto('','add-16.png@opensurvey')).'

'; +} print '
'."\n"; @@ -586,8 +605,11 @@ print ''."\n"; print ''."\n"; //boucle pour l'affichage des boutons de suppression de colonne -for ($i = 0; isset($toutsujet[$i]); $i++) { - print ''."\n"; +if ($user->rights->opensurvey->write) { + for ($i = 0; isset($toutsujet[$i]); $i++) { + + print ''."\n"; + } } print ''."\n"; @@ -626,7 +648,11 @@ if ($object->format=="D"||$object->format=="D+") } } - print 'id_sondage.'">'.$langs->trans("Add").''."\n"; + if ($user->rights->opensurvey->write) { + print ''; + print 'id_sondage.'">'.$langs->trans("Add").''."\n"; + } + print ''."\n"; print ''."\n"; print ''."\n"; @@ -652,7 +678,10 @@ if ($object->format=="D"||$object->format=="D+") } } - print 'id_sondage.'">'.$langs->trans("Add").''."\n"; + if ($user->rights->opensurvey->write) { + print 'id_sondage.'">'.$langs->trans("Add").''."\n"; + } + print ''."\n"; print ''."\n"; print ''."\n"; @@ -676,7 +705,9 @@ if ($object->format=="D"||$object->format=="D+") } } - print 'id_sondage.'">'.$langs->trans("Add").''."\n"; + if ($user->rights->opensurvey->write) { + print 'id_sondage.'">'.$langs->trans("Add").''."\n"; + } print ''."\n"; //affichage des horaires @@ -694,7 +725,10 @@ if ($object->format=="D"||$object->format=="D+") } } - print 'id_sondage.'">'.$langs->trans("Add").''."\n"; + if ($user->rights->opensurvey->write) { + print 'id_sondage.'">'.$langs->trans("Add").''."\n"; + } + print ''."\n"; } } @@ -737,11 +771,14 @@ while ($compteur < $num) $ensemblereponses = $obj->reponses; - print ''."\n"; - print ''."\n"; - + print ''."\n"; + + if ($user->rights->opensurvey->write) { + print ''."\n"; + } + // Name - print ''.htmlentities($obj->nom).''."\n"; + print ''.htmlentities($obj->nom).''."\n"; // si la ligne n'est pas a changer, on affiche les données if (! $testligneamodifier) @@ -851,7 +888,7 @@ while ($compteur < $num) } // Button edit at end of line - if ($compteur != $ligneamodifier) + if ($compteur != $ligneamodifier && ($user->rights->opensurvey->write)) { print ''."\n"; } 
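Review bot: The hunk at -737 now prints the second header cell only for writers, while the hunk at -851 guards only the per-row edit button with `$compteur != $ligneamodifier && ($user->rights->opensurvey->write)`; worth confirming that the row branch for non-writers emits no cell either, so the header row and the data rows keep the same number of columns. The enclosing `while ($compteur < $num)` loop starts and ends outside the hunk, so I can't see what is printed in the else case.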
diff --git a/htdocs/opensurvey/index.php b/htdocs/opensurvey/index.php index a7f88631dd8..47beea912c0 100644 --- a/htdocs/opensurvey/index.php +++ b/htdocs/opensurvey/index.php @@ -25,7 +25,8 @@ require_once('../main.inc.php'); require_once(DOL_DOCUMENT_ROOT."/core/lib/admin.lib.php"); require_once(DOL_DOCUMENT_ROOT."/core/lib/files.lib.php"); - +// Security check +if (!$user->rights->opensurvey->read) accessforbidden(); /* * View diff --git a/htdocs/opensurvey/list.php b/htdocs/opensurvey/list.php index 1ecd93265de..8450b82ea3e 100644 --- a/htdocs/opensurvey/list.php +++ b/htdocs/opensurvey/list.php @@ -26,6 +26,9 @@ require_once('../main.inc.php'); require_once(DOL_DOCUMENT_ROOT."/core/lib/admin.lib.php"); require_once(DOL_DOCUMENT_ROOT."/core/lib/files.lib.php"); +// Security check +if (!$user->rights->opensurvey->read) accessforbidden(); + $action=GETPOST('action'); $id=GETPOST('id'); $numsondage= $id;