diff --git a/htdocs/exports/export.php b/htdocs/exports/export.php
index 117cb7968d4..b3d0cf49a32 100644
--- a/htdocs/exports/export.php
+++ b/htdocs/exports/export.php
@@ -154,6 +154,9 @@ $upload_dir = $conf->export->dir_temp.'/'.$user->id;
//$usefilters=($conf->global->MAIN_FEATURES_LEVEL > 1);
$usefilters = 1;
+// Security check
+$result = restrictedArea($user, 'export');
+
/*
* Actions
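Review bot: The new restrictedArea() call lands around line 157 of export.php, after `$upload_dir` has already been built from `$user->id` (hunk header line) and after whatever the first ~150 lines of the file do, which this hunk does not show — so any parameter parsing or setup there still runs for users who lack the export permission. Move the check to directly after the main include and before any GETPOST handling, as other Dolibarr pages do, and drop the unused assignment: `restrictedArea($user, 'export');`. The code after the call never tests `$result`, so if restrictedArea() can return on failure instead of terminating the request (it is presumably expected to call accessforbidden()), that return is silently ignored either way.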
diff --git a/htdocs/exports/index.php b/htdocs/exports/index.php
index 22b1729550d..3ba5e0a3591 100644
--- a/htdocs/exports/index.php
+++ b/htdocs/exports/index.php
@@ -27,11 +27,12 @@ require_once DOL_DOCUMENT_ROOT.'/exports/class/export.class.php';
// Load translation files required by the page
$langs->load("exports");
+$export = new Export($db);
+$export->load_arrays($user);
+
// Security check
$result = restrictedArea($user, 'export');
-$export = new Export($db);
-$export->load_arrays($user);
/*
* View
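Review bot: Reordering puts `new Export($db)` and `$export->load_arrays($user)` ahead of the restrictedArea() check, so a logged-in user without the export permission now triggers whatever load_arrays() does (module descriptor loading and queries, as far as can be inferred) before being refused. Unless restrictedArea() genuinely depends on state set up by load_arrays() — nothing in this hunk shows that — keep the security check as the first statement after the translation load and construct `$export` below it. If the reordering is deliberate, record the reason in the comment, e.g. `// Security check (must run after load_arrays because <reason>)`, because the natural reading of this diff is that a check was weakened.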
diff --git a/htdocs/website/index.php b/htdocs/website/index.php
index 034583d3440..021edc52920 100644
--- a/htdocs/website/index.php
+++ b/htdocs/website/index.php
@@ -477,7 +477,7 @@ if ($massaction == 'setcategory' && GETPOST('confirmmassaction', 'alpha') && $us
}
// Replacement of string into pages
-if ($massaction == 'replace' && GETPOST('confirmmassaction', 'alpha')) {
+if ($massaction == 'replace' && GETPOST('confirmmassaction', 'alpha') && $usercanedit) {
$replacestring = GETPOST('replacestring', 'none');
if (empty($user->rights->website->writephp)) {
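Review bot: Appending `&& $usercanedit` to the action condition makes a forbidden mass-replace silently fall through to the normal page render rather than refusing the request, so neither the user nor any audit trail sees that a write was attempted without permission; every action hunk in this file follows the same pattern. Consider the explicit form used elsewhere in Dolibarr, `if (!$usercanedit) { accessforbidden(); }` as the first statement of the block, or at minimum a setEventMessages() error so the silent no-op is visible. `$usercanedit` is defined outside this hunk, so verify it is derived from `$user->rights->website->write` and not from a looser flag. Note also that `GETPOST('replacestring', 'none')` skips sanitisation entirely — acceptable for raw content replacement, but the writephp test that follows is then the only guard, and this block continues past the end of the hunk.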
@@ -567,7 +567,7 @@ if ($action == 'adddir' && $permtouploadfile)
*/
// Add site
-if ($action == 'addsite') {
+if ($action == 'addsite' && $usercanedit) {
$db->begin();
if (GETPOST('virtualhost', 'alpha') && !preg_match('/^http/', GETPOST('virtualhost', 'alpha'))) {
@@ -625,7 +625,7 @@ if ($action == 'addsite') {
}
// Add page/container
-if ($action == 'addcontainer') {
+if ($action == 'addcontainer' && $usercanedit) {
dol_mkdir($pathofwebsite);
$db->begin();
@@ -1148,7 +1148,7 @@ if ($action == 'addcontainer') {
}
// Delete site
-if ($action == 'confirm_deletesite' && $confirm == 'yes') {
+if ($action == 'confirm_deletesite' && $confirm == 'yes' && $permissiontodelete) {
$error = 0;
$db->begin();
@@ -1276,7 +1276,7 @@ if (!GETPOSTISSET('pageid')) {
}
// Update css Update site properties
-if ($action == 'updatecss') {
+if ($action == 'updatecss' && $usercanedit) {
// If we tried to reload another site/page, we stay on editcss mode.
if (GETPOST('refreshsite') || GETPOST('refreshsite_x') || GETPOST('refreshsite.x') || GETPOST('refreshpage') || GETPOST('refreshpage_x') || GETPOST('refreshpage.x')) {
$action = 'editcss';
@@ -1523,7 +1523,7 @@ if ($action == 'updatecss') {
}
// Update page
-if ($action == 'setashome') {
+if ($action == 'setashome' && $usercanedit) {
$db->begin();
$object->fetch(0, $websitekey);
$website = $object;
@@ -1556,7 +1556,7 @@ if ($action == 'setashome') {
}
// Update page properties (meta)
-if ($action == 'updatemeta') {
+if ($action == 'updatemeta' && $usercanedit) {
$db->begin();
$result = $object->fetch(0, $websitekey);
@@ -1778,8 +1778,8 @@ if ($action == 'updatemeta') {
}
// Update page
-if (($action == 'updatesource' || $action == 'updatecontent' || $action == 'confirm_createfromclone' || $action == 'confirm_createpagefromclone')
- || ($action == 'preview' && (GETPOST('refreshsite') || GETPOST('refreshpage') || GETPOST('preview')))) {
+if ($usercanedit && (($action == 'updatesource' || $action == 'updatecontent' || $action == 'confirm_createfromclone' || $action == 'confirm_createpagefromclone')
+ || ($action == 'preview' && (GETPOST('refreshsite') || GETPOST('refreshpage') || GETPOST('preview'))))) {
$object->fetch(0, $websitekey);
$website = $object;
@@ -2041,7 +2041,7 @@ if (($action == 'updatesource' || $action == 'updatecontent' || $action == 'conf
}
// Export site
-if ($action == 'exportsite') {
+if ($action == 'exportsite' && !empty($user->rights->website->export)) {
$fileofzip = $object->exportWebSite();
if ($fileofzip) {
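Review bot: The export action checks the right inline with `!empty($user->rights->website->export)` while every other action in this file uses a precomputed flag (`$usercanedit`, `$permissiontodelete`, `$permtouploadfile`), and the menu hunk later in this diff recomputes the same test a second time for `$disabledexport`. Define `$permissiontoexport = !empty($user->rights->website->export);` next to the other permission flags and use it both here and for the button state, so the condition that shows the control and the one that enforces it cannot drift apart. The exportWebSite() handling continues outside the hunk.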
@@ -2060,7 +2060,7 @@ if ($action == 'exportsite') {
}
// Regenerate site
-if ($action == 'regeneratesite') {
+if ($action == 'regeneratesite' && $usercanedit) {
// Check symlink to medias and restore it if ko. Recreate also dir of website if not found.
$pathtomedias = DOL_DATA_ROOT.'/medias';
$pathtomediasinwebsite = $pathofwebsite.'/medias';
@@ -2085,7 +2085,7 @@ if ($action == 'regeneratesite') {
}
// Import site
-if ($action == 'importsiteconfirm') {
+if ($action == 'importsiteconfirm' && $usercanedit) {
if (empty($_FILES) && !GETPOSTISSET('templateuserfile')) {
setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("File")), null, 'errors');
$action = 'importsite';
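Review bot: importsiteconfirm consumes an uploaded archive (`$_FILES` / `templateuserfile`) but is gated on `$usercanedit` only, whereas the `adddir` upload branch shown in the hunk header at line 567 is gated on `$permtouploadfile`; if those two flags can differ, a user allowed to edit pages but not to upload files can still bring arbitrary files in through the import path. Decide which permission is meant to cover site import and apply it consistently, e.g. `if ($action == 'importsiteconfirm' && $usercanedit && $permtouploadfile) {`. An imported site may also contain PHP pages, so it plausibly needs the `writephp` right that the mass-replace hunk checks; the remainder of this block, including the extraction, lies outside the hunk.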
@@ -2162,7 +2162,7 @@ $domainname = '0.0.0.0:8080';
$tempdir = $conf->website->dir_output.'/'.$websitekey.'/';
// Generate web site sitemaps
-if ($action == 'generatesitemaps') {
+if ($action == 'generatesitemaps' && $usercanedit) {
$domtree = new DOMDocument('1.0', 'UTF-8');
$root = $domtree->createElementNS('http://www.sitemaps.org/schemas/sitemap/0.9', 'urlset');
$domtree->formatOutput = true;
@@ -2331,6 +2331,10 @@ if (!GETPOST('hide_websitemenu')) {
if (empty($user->rights->website->write)) {
$disabled = ' disabled="disabled"';
}
+ $disabledexport = '';
+ if (empty($user->rights->website->export)) {
+ $disabledexport = ' disabled="disabled"';
+ }
if ($websitekey) {
$virtualurl = '';
@@ -2446,7 +2450,7 @@ if (!GETPOST('hide_websitemenu')) {
}
//print '';
- print '';
+ print '';
print '';