From 6ac65400c3f8c0e037e8fd38defb9340abb31987 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 3 Feb 2023 21:13:12 +0100
Subject: [PATCH] Fix permission on an inherited group inside entity 0 no visible
---
 htdocs/user/class/user.class.php | 4 +++-
 htdocs/user/perms.php | 38 +++++++++++++++++++++++++++-----
 2 files changed, 35 insertions(+), 7 deletions(-)
diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php
index f8610a7ff85..1f3b67a3a60 100644
--- a/htdocs/user/class/user.class.php
+++ b/htdocs/user/class/user.class.php
@@ -1190,6 +1190,7 @@ class User extends CommonObject
 $sql .= " ".$this->db->prefix()."usergroup_user as gu,";
 $sql .= " ".$this->db->prefix()."rights_def as r";
 $sql .= " WHERE r.id = gr.fk_id";
+ // A very strange business rules. Must be same than into user->getrights() user/perms.php and user/group/perms.php
 if (!empty($conf->global->MULTICOMPANY_BACKWARD_COMPATIBILITY)) {
 if (isModEnabled('multicompany') && !empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE)) {
 $sql .= " AND gu.entity IN (0,".$conf->entity.")";
@@ -1198,12 +1199,13 @@ class User extends CommonObject
 }
 } else {
 $sql .= " AND gr.entity = ".((int) $conf->entity); // Only groups created in current entity
- // The entity on the table usergroup_user should be useless and shoumd never be used because it is alreay into gr and r.
+ // The entity on the table usergroup_user should be useless and should never be used because it is alreay into gr and r.
 // but when using MULTICOMPANY_TRANSVERSE_MODE, we may insert record that make rubbish result due to duplicate record of
 // other entities, so we are forced to add a filter here
 $sql .= " AND gu.entity IN (0,".$conf->entity.")";
 $sql .= " AND r.entity = ".((int) $conf->entity); // Only permission of modules enabled in current entity
 }
+ // End of strange business rule
 $sql .= " AND gr.fk_usergroup = gu.fk_usergroup";
 $sql .= " AND gu.fk_user = ".((int) $this->id);
 $sql .= " AND r.perms IS NOT NULL";
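Review bot: The comment added in the first hunk (`// A very strange business rules. ...`) brackets the entity filter that decides which group-granted permissions are loaded for a user, but it never says what the rule is, so the three copies it names can only be kept in sync by diffing them by hand. I would state the rule in the marker itself, for example `// Entity filter for group-inherited permissions. Keep identical in user->getrights(), user/perms.php and user/group/perms.php`, and describe in one more line which entities each configuration branch admits. Because a divergence between the copies would make the permissions page show something other than what is enforced, moving the filter into one shared helper would be safer than three commented copies. The line corrected in the second hunk (`shoumd` to `should`) still reads `alreay`. The enclosing method starts and ends outside both hunks.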
diff --git a/htdocs/user/perms.php b/htdocs/user/perms.php
index ced95902444..a01c73d00af 100644
--- a/htdocs/user/perms.php
+++ b/htdocs/user/perms.php
@@ -216,13 +216,29 @@ if ($result) {
 dol_print_error($db);
 }
-// Lecture des droits groupes
+// Read the permissions of a user inherited by its groups
 $permsgroupbyentity = array();
-$sql = "SELECT DISTINCT gr.fk_id, gu.entity";
+$sql = "SELECT DISTINCT gr.fk_id, gu.entity"; // fk_id are permission id and entity is entity of the group
 $sql .= " FROM ".MAIN_DB_PREFIX."usergroup_rights as gr,";
-$sql .= " ".MAIN_DB_PREFIX."usergroup_user as gu";
-$sql .= " WHERE gr.entity = ".((int) $entity);
+$sql .= " ".MAIN_DB_PREFIX."usergroup_user as gu"; // all groups of a user
+$sql .= " WHERE 1 = 1";
+// A very strange business rules. Must be same than into user->getrights() user/perms.php and user/group/perms.php
+if (!empty($conf->global->MULTICOMPANY_BACKWARD_COMPATIBILITY)) {
+ if (isModEnabled('multicompany') && !empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE)) {
+ $sql .= " AND gu.entity IN (0,".$conf->entity.")";
+ } else {
+ //$sql .= " AND r.entity = ".((int) $conf->entity);
+ }
+} else {
+ $sql .= " AND gr.entity = ".((int) $conf->entity); // Only groups created in current entity
+ // The entity on the table usergroup_user should be useless and should never be used because it is alreay into gr and r.
+ // but when using MULTICOMPANY_TRANSVERSE_MODE, we may insert record that make rubbish result due to duplicate record of
+ // other entities, so we are forced to add a filter here
+ $sql .= " AND gu.entity IN (0,".$conf->entity.")";
+ //$sql .= " AND r.entity = ".((int) $conf->entity); // Only permission of modules enabled in current entity
+}
+// End of strange business rule
 $sql .= " AND gr.fk_usergroup = gu.fk_usergroup";
 $sql .= " AND gu.fk_user = ".((int) $object->id);
@@ -245,6 +261,7 @@ if ($result) {
 }
+
 /*
 * Part to add/remove permissions
 */
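Review bot: The new WHERE clause filters on `$conf->entity` where the removed line used `$entity`, while the lookup further down this file still indexes `$permsgroupbyentity[$entity]`; if `$entity` can differ from `$conf->entity` on this page (its assignment is outside the hunk), the "inherited" markers would be computed for one entity and displayed for another. Please confirm which value is intended and use the same one in the query and in the lookup. The two added `IN (0,".$conf->entity.")` lines also concatenate the value without the `(int)` cast that the neighbouring `gr.entity` line applies; writing `$sql .= " AND gu.entity IN (0,".((int) $conf->entity).")";` keeps every interpolated value in this query cast the same way. The commented-out `r.entity` lines refer to an alias that this query's FROM clause does not define, so this copy already differs from the one in user.class.php, and the comment should say so rather than claim the rules are the same.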
@@ -499,6 +516,15 @@ if ($result) { $isexpanded = ! $ishidden; //var_dump("isexpanded=".$isexpanded); + $permsgroupbyentitypluszero = array(); + if (!empty($permsgroupbyentity[0])) { + $permsgroupbyentitypluszero = array_merge($permsgroupbyentitypluszero, $permsgroupbyentity[0]); + } + if (!empty($permsgroupbyentity[$entity])) { + $permsgroupbyentitypluszero = array_merge($permsgroupbyentitypluszero, $permsgroupbyentity[$entity]); + } + //var_dump($permsgroupbyentitypluszero); + // Break found, it's a new module to catch if (isset($obj->module) && ($oldmod <> $obj->module)) { $oldmod = $obj->module; @@ -606,8 +632,8 @@ if ($result) { //print img_picto($langs->trans("Active"), 'tick'); } print ''; - } elseif (isset($permsgroupbyentity[$entity]) && is_array($permsgroupbyentity[$entity])) { - if (in_array($obj->id, $permsgroupbyentity[$entity])) { // Permission granted by group + } elseif (isset($permsgroupbyentitypluszero) && is_array($permsgroupbyentitypluszero)) { + if (in_array($obj->id, $permsgroupbyentitypluszero)) { // Permission granted by group if ($caneditperms) { print ''; print $form->textwithtooltip($langs->trans("Inherited"), $langs->trans("PermissionInheritedFromAGroup"));
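Review bot: The merged list `$permsgroupbyentitypluszero` is built from `$permsgroupbyentity[0]` and `$permsgroupbyentity[$entity]`, neither of which is modified in this hunk, yet the code sits directly before the "Break found, it's a new module" check and so appears to run once per permission row. If that is the case (the loop header is outside the hunk), the block should move above the loop so the two `array_merge` calls run once. The added `//var_dump($permsgroupbyentitypluszero);` is debugging residue and could be left out of the commit. A one-line comment such as `// Permissions inherited from groups of entity 0 (shared) and of the current entity` would explain why entity 0 is merged in.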
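Review bot: In the second hunk the condition `isset($permsgroupbyentitypluszero) && is_array($permsgroupbyentitypluszero)` can no longer be false, because the variable is assigned `array()` unconditionally in the hunk above. The old test on `$permsgroupbyentity[$entity]` could fail and fall through; if a further `else` follows this `elseif` outside the hunk, that branch is now unreachable. To keep the earlier fall-through behaviour the test could become `} elseif (!empty($permsgroupbyentitypluszero)) {`, or else the redundant condition and any dead branch should be removed so the rendering logic for "not granted" lives in one place.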