FIX Protection on agenda view for a thirdparty id that does not exist

Laurent Destailleur 2023-03-15 09:44:50 +01:00
parent dc1ba8f447
commit 765b1a858a


@ -79,9 +79,16 @@ $socid = GETPOST('socid', 'int');
if ($user->socid) {
$socid = $user->socid;
}
$result = $object->fetch($socid);
if ($result <= 0) {
accessforbidden('Third party not found');
}
$result = restrictedArea($user, 'societe', $socid, '&societe');
/*
* Actions
*/
@ -114,108 +121,104 @@ if (empty($reshook)) {
$form = new Form($db);
if ($socid > 0) {
$result = $object->fetch($socid);
$title = $langs->trans("Agenda");
if (!empty($conf->global->MAIN_HTML_TITLE) && preg_match('/thirdpartynameonly/', $conf->global->MAIN_HTML_TITLE) && $object->name) {
$title = $object->name." - ".$title;
}
$help_url = '';
llxHeader('', $title, $help_url);
$title = $langs->trans("Agenda");
if (!empty($conf->global->MAIN_HTML_TITLE) && preg_match('/thirdpartynameonly/', $conf->global->MAIN_HTML_TITLE) && $object->name) {
$title = $object->name." - ".$title;
if (isModEnabled('notification')) {
$langs->load("mails");
}
$head = societe_prepare_head($object);
print dol_get_fiche_head($head, 'agenda', $langs->trans("ThirdParty"), -1, $object->picto);
$linkback = '<a href="'.DOL_URL_ROOT.'/societe/list.php?restore_lastsearch_values=1">'.$langs->trans("BackToList").'</a>';
$morehtmlref = '';
dol_banner_tab($object, 'socid', $linkback, ($user->socid ? 0 : 1), 'rowid', 'nom', $morehtmlref);
print '<div class="fichecenter">';
print '<div class="underbanner clearboth"></div>';
$object->info($socid);
dol_print_object_info($object, 1);
print '</div>';
print dol_get_fiche_end();
// Actions buttons
$objthirdparty = $object;
$objcon = new stdClass();
$out = '';
$permok = $user->hasRight('agenda', 'myactions', 'create');
if ((!empty($objthirdparty->id) || !empty($objcon->id)) && $permok) {
if (is_object($objthirdparty) && get_class($objthirdparty) == 'Societe') {
$out .= '&amp;originid='.$objthirdparty->id.($objthirdparty->id > 0 ? '&amp;socid='.$objthirdparty->id : '').'&amp;backtopage='.urlencode($_SERVER['PHP_SELF'].($objthirdparty->id > 0 ? '?socid='.$objthirdparty->id : ''));
}
$help_url = '';
llxHeader('', $title, $help_url);
$out .= (!empty($objcon->id) ? '&amp;contactid='.$objcon->id : '').'&amp;percentage=-1';
$out .= '&amp;datep='.dol_print_date(dol_now(), 'dayhourlog');
}
if (isModEnabled('notification')) {
$langs->load("mails");
$morehtmlright = '';
$messagingUrl = DOL_URL_ROOT.'/societe/messaging.php?socid='.$object->id;
$morehtmlright .= dolGetButtonTitle($langs->trans('ShowAsConversation'), '', 'fa fa-comments imgforviewmode', $messagingUrl, '', 1);
$messagingUrl = DOL_URL_ROOT.'/societe/agenda.php?socid='.$object->id;
$morehtmlright .= dolGetButtonTitle($langs->trans('MessageListViewType'), '', 'fa fa-bars imgforviewmode', $messagingUrl, '', 2);
// // Show link to send an email (if read and not closed)
// $btnstatus = $object->status < Ticket::STATUS_CLOSED && $action != "presend" && $action != "presend_addmessage";
// $url = 'card.php?track_id='.$object->track_id.'&action=presend_addmessage&mode=init&private_message=0&send_email=1&backtopage='.urlencode($_SERVER["PHP_SELF"].'?track_id='.$object->track_id).'#formmailbeforetitle';
// $morehtmlright .= dolGetButtonTitle($langs->trans('SendMail'), '', 'fa fa-paper-plane', $url, 'email-title-button', $btnstatus);
// // Show link to add a private message (if read and not closed)
// $btnstatus = $object->status < Ticket::STATUS_CLOSED && $action != "presend" && $action != "presend_addmessage";
// $url = 'card.php?track_id='.$object->track_id.'&action=presend_addmessage&mode=init&backtopage='.urlencode($_SERVER["PHP_SELF"].'?track_id='.$object->track_id).'#formmailbeforetitle';
// $morehtmlright .= dolGetButtonTitle($langs->trans('TicketAddMessage'), '', 'fa fa-comment-dots', $url, 'add-new-ticket-title-button', $btnstatus);
if (isModEnabled('agenda')) {
if (!empty($user->rights->agenda->myactions->create) || !empty($user->rights->agenda->allactions->create)) {
$morehtmlright .= dolGetButtonTitle($langs->trans('AddAction'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/comm/action/card.php?action=create'.$out);
}
$head = societe_prepare_head($object);
}
if (isModEnabled('agenda') && (!empty($user->rights->agenda->myactions->read) || !empty($user->rights->agenda->allactions->read))) {
print '<br>';
print dol_get_fiche_head($head, 'agenda', $langs->trans("ThirdParty"), -1, $object->picto);
$linkback = '<a href="'.DOL_URL_ROOT.'/societe/list.php?restore_lastsearch_values=1">'.$langs->trans("BackToList").'</a>';
$morehtmlref = '';
dol_banner_tab($object, 'socid', $linkback, ($user->socid ? 0 : 1), 'rowid', 'nom', $morehtmlref);
print '<div class="fichecenter">';
print '<div class="underbanner clearboth"></div>';
$object->info($socid);
dol_print_object_info($object, 1);
print '</div>';
print dol_get_fiche_end();
// Actions buttons
$objthirdparty = $object;
$objcon = new stdClass();
$out = '';
$permok = $user->hasRight('agenda', 'myactions', 'create');
if ((!empty($objthirdparty->id) || !empty($objcon->id)) && $permok) {
if (is_object($objthirdparty) && get_class($objthirdparty) == 'Societe') {
$out .= '&amp;originid='.$objthirdparty->id.($objthirdparty->id > 0 ? '&amp;socid='.$objthirdparty->id : '').'&amp;backtopage='.urlencode($_SERVER['PHP_SELF'].($objthirdparty->id > 0 ? '?socid='.$objthirdparty->id : ''));
}
$out .= (!empty($objcon->id) ? '&amp;contactid='.$objcon->id : '').'&amp;percentage=-1';
$out .= '&amp;datep='.dol_print_date(dol_now(), 'dayhourlog');
$param = '&socid='.urlencode($socid);
if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) {
$param .= '&contextpage='.urlencode($contextpage);
}
if ($limit > 0 && $limit != $conf->liste_limit) {
$param .= '&limit='.urlencode($limit);
}
$morehtmlright = '';
// Try to know count of actioncomm from cache
require_once DOL_DOCUMENT_ROOT.'/core/lib/memory.lib.php';
$cachekey = 'count_events_thirdparty_'.$object->id;
$nbEvent = dol_getcache($cachekey);
$messagingUrl = DOL_URL_ROOT.'/societe/messaging.php?socid='.$object->id;
$morehtmlright .= dolGetButtonTitle($langs->trans('ShowAsConversation'), '', 'fa fa-comments imgforviewmode', $messagingUrl, '', 1);
$messagingUrl = DOL_URL_ROOT.'/societe/agenda.php?socid='.$object->id;
$morehtmlright .= dolGetButtonTitle($langs->trans('MessageListViewType'), '', 'fa fa-bars imgforviewmode', $messagingUrl, '', 2);
// print load_fiche_titre($langs->trans("ActionsOnCompany"), $newcardbutton, '');
print_barre_liste($langs->trans("ActionsOnCompany").(is_numeric($nbEvent) ? '<span class="opacitymedium colorblack paddingleft">('.$nbEvent.')</span>': ''), 0, $_SERVER["PHP_SELF"], '', $sortfield, $sortorder, '', 0, -1, '', 0, $morehtmlright, '', 0, 1, 1);
// // Show link to send an email (if read and not closed)
// $btnstatus = $object->status < Ticket::STATUS_CLOSED && $action != "presend" && $action != "presend_addmessage";
// $url = 'card.php?track_id='.$object->track_id.'&action=presend_addmessage&mode=init&private_message=0&send_email=1&backtopage='.urlencode($_SERVER["PHP_SELF"].'?track_id='.$object->track_id).'#formmailbeforetitle';
// $morehtmlright .= dolGetButtonTitle($langs->trans('SendMail'), '', 'fa fa-paper-plane', $url, 'email-title-button', $btnstatus);
// List of all actions
$filters = array();
$filters['search_agenda_label'] = $search_agenda_label;
$filters['search_rowid'] = $search_rowid;
// // Show link to add a private message (if read and not closed)
// $btnstatus = $object->status < Ticket::STATUS_CLOSED && $action != "presend" && $action != "presend_addmessage";
// $url = 'card.php?track_id='.$object->track_id.'&action=presend_addmessage&mode=init&backtopage='.urlencode($_SERVER["PHP_SELF"].'?track_id='.$object->track_id).'#formmailbeforetitle';
// $morehtmlright .= dolGetButtonTitle($langs->trans('TicketAddMessage'), '', 'fa fa-comment-dots', $url, 'add-new-ticket-title-button', $btnstatus);
if (isModEnabled('agenda')) {
if (!empty($user->rights->agenda->myactions->create) || !empty($user->rights->agenda->allactions->create)) {
$morehtmlright .= dolGetButtonTitle($langs->trans('AddAction'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/comm/action/card.php?action=create'.$out);
}
}
if (isModEnabled('agenda') && (!empty($user->rights->agenda->myactions->read) || !empty($user->rights->agenda->allactions->read))) {
print '<br>';
$param = '&socid='.urlencode($socid);
if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) {
$param .= '&contextpage='.urlencode($contextpage);
}
if ($limit > 0 && $limit != $conf->liste_limit) {
$param .= '&limit='.urlencode($limit);
}
// Try to know count of actioncomm from cache
require_once DOL_DOCUMENT_ROOT.'/core/lib/memory.lib.php';
$cachekey = 'count_events_thirdparty_'.$object->id;
$nbEvent = dol_getcache($cachekey);
// print load_fiche_titre($langs->trans("ActionsOnCompany"), $newcardbutton, '');
print_barre_liste($langs->trans("ActionsOnCompany").(is_numeric($nbEvent) ? '<span class="opacitymedium colorblack paddingleft">('.$nbEvent.')</span>': ''), 0, $_SERVER["PHP_SELF"], '', $sortfield, $sortorder, '', 0, -1, '', 0, $morehtmlright, '', 0, 1, 1);
// List of all actions
$filters = array();
$filters['search_agenda_label'] = $search_agenda_label;
$filters['search_rowid'] = $search_rowid;
// TODO Replace this with same code than into list.php
show_actions_done($conf, $langs, $db, $object, null, 0, $actioncode, '', $filters, $sortfield, $sortorder, $object->module);
}
// TODO Replace this with same code than into list.php
show_actions_done($conf, $langs, $db, $object, null, 0, $actioncode, '', $filters, $sortfield, $sortorder, $object->module);
}
// End of page
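Review bot: In the first hunk the new `$object->fetch($socid)` existence check runs before `restrictedArea($user, 'societe', $socid, '&societe')`, so a user who has no rights on a given third party receives the specific 'Third party not found' response for an unknown id but the generic denial for an existing one, which lets ids be enumerated by a caller who should see no difference. Calling `$result = restrictedArea($user, 'societe', $socid, '&societe');` first and only then running `if ($object->fetch($socid) <= 0) { accessforbidden('Third party not found'); }` keeps the not-found message for authorised users without exposing it to everyone else; if restrictedArea itself already distinguishes unknown ids, this ordering change adds nothing and the message could instead be made generic. The second hunk still shows `$result = $object->fetch($socid);` inside `if ($socid > 0)` with its result unchecked; if that line survives on the new side it is a redundant second load after the guard above and can be dropped. The surrounding page-level script continues outside both hunks.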