diff --git a/htdocs/admin/system/security.php b/htdocs/admin/system/security.php index c5c149d6b59..f2df395060b 100644 --- a/htdocs/admin/system/security.php +++ b/htdocs/admin/system/security.php @@ -95,7 +95,7 @@ print "PHP session.cookie_samesite = ".(ini_get('session.cookie print "PHP open_basedir = ".(ini_get('open_basedir') ? ini_get('open_basedir') : yn(0).'   ('.$langs->trans("RecommendedValueIs", $langs->transnoentitiesnoconv("ARestrictedPath").', '.$langs->transnoentitiesnoconv("Example").' '.$_SERVER["DOCUMENT_ROOT"]).')')."
\n"; print "PHP allow_url_fopen = ".(ini_get('allow_url_fopen') ? img_picto($langs->trans("YouShouldSetThisToOff"), 'warning').' '.ini_get('allow_url_fopen') : yn(0)).'   ('.$langs->trans("RecommendedValueIs", $langs->transnoentitiesnoconv("No")).")
\n"; print "PHP allow_url_include = ".(ini_get('allow_url_include') ? img_picto($langs->trans("YouShouldSetThisToOff"), 'warning').' '.ini_get('allow_url_include') : yn(0)).'   ('.$langs->trans("RecommendedValueIs", $langs->transnoentitiesnoconv("No")).")
\n"; -print "PHP safe_mode = ".(ini_get('safe_mode') ? ini_get('safe_mode') : yn(0)).'   '.$langs->trans("Deprecated")." (removed in PHP 5.4)
\n"; +//print "PHP safe_mode = ".(ini_get('safe_mode') ? ini_get('safe_mode') : yn(0)).'   '.$langs->trans("Deprecated")." (removed in PHP 5.4)
\n"; print "PHP disable_functions = "; $arrayoffunctionsdisabled = explode(',', ini_get('disable_functions')); $arrayoffunctionstodisable = explode(',', 'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals'); @@ -366,10 +366,10 @@ print '
'; print 'MAIN_SECURITY_ANTI_SSRF_SERVER_IP = '.(empty($conf->global->MAIN_SECURITY_ANTI_SSRF_SERVER_IP) ? ''.$langs->trans("Undefined").'   ('.$langs->trans("Recommended").': List of static IPs of server separated with coma - '.$langs->trans("Note").': common loopback ip like 127.*.*.*, [::1] are already added)' : $conf->global->MAIN_SECURITY_ANTI_SSRF_SERVER_IP)."
"; print '
'; -print 'MAIN_ALLOW_SVG_FILES_AS_IMAGES = '.(empty($conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES) ? '0   ('.$langs->trans("Recommended").': 0)' : $conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES)."
"; +print 'MAIN_ALLOW_SVG_FILES_AS_IMAGES = '.(empty($conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES) ? '0' : $conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES).'   ('.$langs->trans("Recommended").': 0)
'; print '
'; -print 'MAIN_ALWAYS_CREATE_LOCK_AFTER_LAST_UPGRADE = '.(empty($conf->global->MAIN_ALWAYS_CREATE_LOCK_AFTER_LAST_UPGRADE) ? ''.$langs->trans("Undefined").'   ('.$langs->trans("Recommended").': 1)' : $conf->global->MAIN_ALWAYS_CREATE_LOCK_AFTER_LAST_UPGRADE)."
"; +print 'MAIN_ALWAYS_CREATE_LOCK_AFTER_LAST_UPGRADE = '.(empty($conf->global->MAIN_ALWAYS_CREATE_LOCK_AFTER_LAST_UPGRADE) ? ''.$langs->trans("Undefined").'' : $conf->global->MAIN_ALWAYS_CREATE_LOCK_AFTER_LAST_UPGRADE).'   ('.$langs->trans("Recommended").': 1)
'; print '
'; print 'MAIN_RESTRICTHTML_ONLY_VALID_HTML = '.(empty($conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML) ? ''.$langs->trans("Undefined").'   ('.$langs->trans("Recommended").': 1)' : $conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML)."
"; diff --git a/htdocs/user/group/perms.php b/htdocs/user/group/perms.php index 3ccbcf94d05..b9da8187dd6 100644 --- a/htdocs/user/group/perms.php +++ b/htdocs/user/group/perms.php @@ -22,9 +22,13 @@ /** * \file htdocs/user/group/perms.php - * \brief Onglet user et permissions de la fiche utilisateur + * \brief Page to set permissions of a user group record */ +if (!defined('CSRFCHECK_WITH_TOKEN')) { + define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET +} + require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/user/class/usergroup.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/usergroups.lib.php'; @@ -41,6 +45,10 @@ $module = GETPOST('module', 'alpha'); $rights = GETPOST('rights', 'int'); $contextpage = GETPOST('contextpage', 'aZ') ?GETPOST('contextpage', 'aZ') : 'groupperms'; // To manage different context of search +if (!isset($id) || empty($id)) { + accessforbidden(); +} + // Define if user can read permissions $canreadperms = ($user->admin || $user->rights->user->user->lire); // Define if user can modify group permissions @@ -53,12 +61,15 @@ if (!empty($conf->global->MAIN_USE_ADVANCED_PERMS)) { $caneditperms = ($user->admin || $user->rights->user->group_advance->write); } +// Security check +//$result = restrictedArea($user, 'user', $id, 'usergroup', ''); if (!$canreadperms) { accessforbidden(); } $object = new Usergroup($db); $object->fetch($id); +$object->getrights(); $entity = $conf->entity; @@ -79,7 +90,7 @@ if ($reshook < 0) { if (empty($reshook)) { if ($action == 'addrights' && $caneditperms) { $editgroup = new Usergroup($db); - $result = $editgroup->fetch($id); + $result = $editgroup->fetch($object->id); if ($result > 0) { $result = $editgroup->addrights($rights, $module, '', $entity); if ($result < 0) { @@ -88,6 +99,9 @@ if (empty($reshook)) { } else { dol_print_error($db); } + + $object->clearrights(); + $object->getrights(); } if ($action == 'delrights' && $caneditperms) { @@ -101,11 +115,14 @@ if (empty($reshook)) { } else { dol_print_error($db); } + + $object->clearrights(); + $object->getrights(); } } -/** +/* * View */ @@ -114,11 +131,6 @@ $form = new Form($db); llxHeader('', $langs->trans("Permissions")); if ($object->id > 0) { - /* - * Affichage onglets - */ - $object->getrights(); // Reload permission - $head = group_prepare_head($object); $title = $langs->trans("Group"); print dol_get_fiche_head($head, 'rights', $title, -1, 'group'); @@ -165,8 +177,8 @@ if ($object->id > 0) { $sql .= " FROM ".MAIN_DB_PREFIX."rights_def as r,"; $sql .= " ".MAIN_DB_PREFIX."usergroup_rights as gr"; $sql .= " WHERE gr.fk_id = r.id"; - $sql .= " AND gr.entity = ".$entity; - $sql .= " AND gr.fk_usergroup = ".$object->id; + $sql .= " AND gr.entity = ".((int) $entity); + $sql .= " AND gr.fk_usergroup = ".((int) $object->id); dol_syslog("get user perms", LOG_DEBUG); $result = $db->query($sql); @@ -186,6 +198,10 @@ if ($object->id > 0) { dol_print_error($db); } + /* + * Part to add/remove permissions + */ + $linkback = ''.$langs->trans("BackToList").''; dol_banner_tab($object, 'id', $linkback, $user->rights->user->user->lire || $user->admin); @@ -193,9 +209,6 @@ if ($object->id > 0) { print '
'; print '
'; - /* - * Ecran ajout/suppression permission - */ print ''; @@ -235,26 +248,26 @@ if ($object->id > 0) { print ''; if ($caneditperms) { print ''; } print ''; print ''; if ($user->admin) { - print ''; + print ''; } print ''."\n"; - $sql = "SELECT r.id, r.libelle as label, r.module"; + $sql = "SELECT r.id, r.libelle as label, r.module, r.perms, r.subperms, r.module_position, r.bydefault"; $sql .= " FROM ".MAIN_DB_PREFIX."rights_def as r"; $sql .= " WHERE r.libelle NOT LIKE 'tou%'"; // On ignore droits "tous" - $sql .= " AND r.entity = ".$entity; + $sql .= " AND r.entity = ".((int) $entity); if (empty($conf->global->MAIN_USE_ADVANCED_PERMS)) { $sql .= " AND r.perms NOT LIKE '%_advance'"; // Hide advanced perms if option is disable } - $sql .= " ORDER BY r.module, r.id"; + $sql .= " ORDER BY r.family_position, r.module_position, r.module, r.id"; $result = $db->query($sql); if ($result) { @@ -265,13 +278,16 @@ if ($object->id > 0) { while ($i < $num) { $obj = $db->fetch_object($result); - // If line is for a module that doe snot existe anymore (absent of includes/module), we ignore it + // If line is for a module that does not exist anymore (absent of includes/module), we ignore it if (empty($modules[$obj->module])) { $i++; continue; } - if ($oldmod <> $obj->module) { + $objMod = $modules[$obj->module]; + + // Break found, it's a new module to catch + if (isset($obj->module) && ($oldmod <> $obj->module)) { $oldmod = $obj->module; // Break detected, we get objMod @@ -286,21 +302,22 @@ if ($object->id > 0) { print ''; if ($caneditperms) { print ''; } else { print ''; } - print ''; + print ''; + print ''; // Permission id if ($user->admin) { print ''; } - print ''; + print ''."\n"; } print ''."\n"; @@ -315,7 +332,7 @@ if ($object->id > 0) { if (in_array($obj->id, $permsgroupbyentity[$entity])) { // Own permission by group if ($caneditperms) { - print ''; @@ -326,7 +343,7 @@ if ($object->id > 0) { } else { // Do not own permission if ($caneditperms) { - print ''; @@ -336,7 +353,7 @@ if ($object->id > 0) { } else { // Do not own permission if ($caneditperms) { - print ''; @@ -344,12 +361,25 @@ if ($object->id > 0) { print ''; } - $permlabel = ($conf->global->MAIN_USE_ADVANCED_PERMS && ($langs->trans("PermissionAdvanced".$obj->id) != ("PermissionAdvanced".$obj->id)) ? $langs->trans("PermissionAdvanced".$obj->id) : (($langs->trans("Permission".$obj->id) != ("Permission".$obj->id)) ? $langs->trans("Permission".$obj->id) : $langs->trans($obj->label))); - print ''; + // Description of permission + $permlabel = (!empty($conf->global->MAIN_USE_ADVANCED_PERMS) && ($langs->trans("PermissionAdvanced".$obj->id) != ("PermissionAdvanced".$obj->id)) ? $langs->trans("PermissionAdvanced".$obj->id) : (($langs->trans("Permission".$obj->id) != ("Permission".$obj->id)) ? $langs->trans("Permission".$obj->id) : $langs->trans($obj->label))); + print ''; // Permission id if ($user->admin) { - print ''; + print ''; } print ''."\n"; diff --git a/htdocs/user/perms.php b/htdocs/user/perms.php index 957c7a3a819..5e96a76119c 100644 --- a/htdocs/user/perms.php +++ b/htdocs/user/perms.php @@ -90,7 +90,7 @@ $hookmanager->initHooks(array('usercard', 'userperms', 'globalcard')); * Actions */ -$parameters = array('id'=>$socid); +$parameters = array('socid'=>$socid); $reshook = $hookmanager->executeHooks('doActions', $parameters, $object, $action); // Note that $action and $object may have been modified by some hooks if ($reshook < 0) { setEventMessages($hookmanager->error, $hookmanager->errors, 'errors'); @@ -193,7 +193,7 @@ $permsuser = array(); $sql = "SELECT DISTINCT ur.fk_id"; $sql .= " FROM ".MAIN_DB_PREFIX."user_rights as ur"; -$sql .= " WHERE ur.entity = ".$entity; +$sql .= " WHERE ur.entity = ".((int) $entity); $sql .= " AND ur.fk_user = ".((int) $object->id); dol_syslog("get user perms", LOG_DEBUG); @@ -386,7 +386,7 @@ if ($result) { // Picto and label of module print ''; // Permission and tick
'.$langs->trans("Module").''; - print ''.$langs->trans("All").""; + print ''.$langs->trans("All").""; print '/'; - print ''.$langs->trans("None").""; + print ''.$langs->trans("None").""; print ' '.$langs->trans("Permissions").''.$langs->trans("ID").'
'; - print 'module.'&token='.newToken().'">'.$langs->trans("All").""; + print 'module.'&token='.newToken().'">'.$langs->trans("All").""; print '/'; - print 'module.'&token='.newToken().'">'.$langs->trans("None").""; + print 'module.'&token='.newToken().'">'.$langs->trans("None").""; print '    
id.'&token='.newToken().'">'; + print 'id.'&confirm=yes&token='.newToken().'">'; //print img_edit_remove($langs->trans("Remove")); print img_picto($langs->trans("Remove"), 'switch_on'); print 'id.'&token='.newToken().'">'; + print 'id.'&confirm=yes&token='.newToken().'">'; //print img_edit_add($langs->trans("Add")); print img_picto($langs->trans("Add"), 'switch_off'); print 'id.'&token='.newToken().'">'; + print 'id.'&confirm=yes&token='.newToken().'">'; //print img_edit_add($langs->trans("Add")); print img_picto($langs->trans("Add"), 'switch_off'); print ' '.$permlabel.''; + print $permlabel; + if (!empty($conf->global->MAIN_USE_ADVANCED_PERMS)) { + if (preg_match('/_advance$/', $obj->perms)) { + print ' ('.$langs->trans("AdvancedModeOnly").')'; + } + } + print ''.$obj->id.''; + $htmltext = $langs->trans("ID").': '.$obj->id; + $htmltext .= '
'.$langs->trans("Permission").': user->rights->'.$obj->module.'->'.$obj->perms.($obj->subperms ? '->'.$obj->subperms : ''); + print $form->textwithpicto('', $htmltext); + //print ''.$obj->id.''; + print '
'; - //print img_object('', $picto, 'class="pictoobjectwidth"').' '.$objMod->getName(); + //print img_object('', $picto, 'class="inline-block pictoobjectwidth"').' '.$objMod->getName(); print '