Fix: security

This commit is contained in:
Regis Houssin 2009-04-28 06:49:44 +00:00
parent a62306dc42
commit 7708f967f8
4 changed files with 17 additions and 4 deletions


@ -426,7 +426,7 @@ class Menubase
if ($menu['enabled'])
{
$enabled = $this->verifCond($menu['enabled']);
//print "verifCond rowid=".$menu['rowid']." ".$menu['action'].":".$constraint."<br>\n";
//print "verifCond rowid=".$menu['rowid']." ".$menu['enabled'].":".$enabled."<br>\n";
}
if ($menu['rowid'] != $oldrowid && $oldrowid) $b++; // Break on new entry
@ -461,12 +461,14 @@ class Menubase
// Get menutopid
$menutopid='';
$sql = "SELECT m.rowid, m.titre, m.type";
$sql.= " FROM " . MAIN_DB_PREFIX . "menu as m";
$sql.= " WHERE m.mainmenu = '".$mainmenu."'";
$sql.= " AND m.menu_handler in('".$menu_handler."','all')";
$sql.= " AND m.entity = ".$conf->entity;
$sql.= " AND type = 'top'";
// It should have only one response
$resql = $this->db->query($sql);
$menutop = $this->db->fetch_object($resql);
@ -546,7 +548,7 @@ class Menubase
{
$rights = true;
}
return $rights;
}
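Review bot: The filter lines `" WHERE m.mainmenu = '".$mainmenu."'"` and `" AND m.menu_handler in('".$menu_handler."','all')"` still splice both values into the SQL string unescaped, while the commit only adds the entity predicate `" AND m.entity = ".$conf->entity` next to them; the User::getrights hunk in this same commit wraps `$moduletag` in `addslashes()`, and the same treatment belongs here: `$sql.= " WHERE m.mainmenu = '".addslashes($mainmenu)."'";` and `$sql.= " AND m.menu_handler in('".addslashes($menu_handler)."','all')";`. Whether `$mainmenu` and `$menu_handler` can carry caller-supplied input is not visible in the hunk, so the escaping is defensive rather than a confirmed injection. The new entity predicate also depends on `$conf` being in scope in this method; if it is not declared `global` earlier, which the hunk does not show, the clause renders as `AND m.entity = ` and the query fails instead of filtering. The enclosing method starts and ends outside the hunk.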


@ -41,6 +41,10 @@ $langs->load("propal");
$langs->load("bills");
$langs->load("contracts");
// Security check
if ($user->societe_id) $socid=$user->societe_id;
$result = restrictedArea($user, 'ecm','');
// Load permissions
$user->getrights('ecm');
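Review bot: `restrictedArea($user, 'ecm','')` on the new line runs before `$user->getrights('ecm')` two lines below, yet the ecm branch this commit adds to restrictedArea reads `$user->rights->ecm->download`; unless the bootstrap has already loaded the ecm rights, the check sees an unset property, sets `$readok=0` and denies every user, so `$user->getrights('ecm');` should move above the `// Security check` block or the global loading should be confirmed. That branch gates only the download permission, so if this page also serves upload or delete actions it needs its own check on the corresponding ecm right once the rights are loaded. `$result` is assigned on the new line but never read in the visible code; if restrictedArea terminates the request itself on failure, a bare `restrictedArea($user, 'ecm','');` is clearer.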


@ -1357,6 +1357,10 @@ function restrictedArea($user, $feature='societe', $objectid=0, $dbtablename='',
{
if (! $user->rights->banque->cheque) $readok=0;
}
else if ($feature == 'ecm')
{
if (! $user->rights->ecm->download) $readok=0;
}
else if (! empty($feature2)) // This should be used for future changes
{
if (empty($user->rights->$feature->$feature2->lire)
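Review bot: The new ecm branch tests `! $user->rights->ecm->download` directly, whereas the generic branch immediately below it uses `empty(...)`; when the ecm rights object has not been loaded at the time a page calls restrictedArea, the direct access raises a PHP notice before denying, so the consistent form `if (empty($user->rights->ecm->download)) $readok=0;` avoids the notice while keeping the deny-by-default outcome. The branch only clears `$readok`, so the area is granted as soon as download is allowed; pages that create or delete ecm content must check those rights themselves, which is worth stating in the function's docblock above the hunk, e.g. `'ecm' feature: only the download (read) permission is verified here`. restrictedArea starts before the hunk and continues after it.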


@ -490,9 +490,12 @@ class User extends CommonObject
// D'abord les droits utilisateurs
$sql = "SELECT r.module, r.perms, r.subperms";
$sql.= " FROM ".MAIN_DB_PREFIX."user_rights as ur, ".MAIN_DB_PREFIX."rights_def as r";
$sql.= " WHERE r.id = ur.fk_id AND ur.fk_user= ".$this->id." AND r.perms IS NOT NULL";
$sql.= " FROM ".MAIN_DB_PREFIX."user_rights as ur";
$sql.= ", ".MAIN_DB_PREFIX."rights_def as r";
$sql.= " WHERE r.id = ur.fk_id";
$sql.= " AND r.entity = ".$conf->entity;
$sql.= " AND ur.fk_user= ".$this->id;
$sql.= " AND r.perms IS NOT NULL";
if ($moduletag) $sql.= " AND r.module = '".addslashes($moduletag)."'";
dol_syslog('User::getRights sql='.$sql, LOG_DEBUG);
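Review bot: The entity predicate `" AND r.entity = ".$conf->entity` is added only to the query under `// D'abord les droits utilisateurs`, which implies a second query for group-inherited rights follows below the hunk; if that query did not receive the same predicate, permissions granted through a group in another entity are still loaded and the fix is incomplete. `$conf` must be in scope through a `global $conf;` at the top of getrights, which the hunk does not show; without it the clause renders as `AND r.entity =` and the query errors. Casting the two numeric interpolations, `" AND r.entity = ".(int) $conf->entity` and `" AND ur.fk_user= ".(int) $this->id`, would match the `addslashes($moduletag)` care taken on the string on the following line. getrights starts and ends outside the hunk.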