Clean code
This commit is contained in:
Laurent Destailleur
parent
762de973eb
commit
7c253c7e28
@ -216,19 +216,19 @@ function dolGetLdapPasswordHash($password, $type = 'md5')
|
||||
* If GETPOST('action','aZ09') defined, we also check write and delete permission.
|
||||
* This method check permission on module then call checkUserAccessToObject() for permission on object (according to entity and socid of user).
|
||||
*
|
||||
* @param User $user User to check
|
||||
* @param string $features Features to check (it must be module $object->element. Can be a 'or' check with 'levela|levelb'.
|
||||
* Examples: 'societe', 'contact', 'produit&service', 'produit|service', ...)
|
||||
* This is used to check permission $user->rights->features->...
|
||||
* @param int $objectid Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
|
||||
* @param string $tableandshare 'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity for multicompany module. Param not used if objectid is null (optional).
|
||||
* @param string $feature2 Feature to check, second level of permission (optional). Can be a 'or' check with 'sublevela|sublevelb'.
|
||||
* This is used to check permission $user->rights->features->feature2...
|
||||
* @param string $dbt_keyfield Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
|
||||
* @param string $dbt_select Field name for select if not rowid. Not used if objectid is null (optional)
|
||||
* @param int $isdraft 1=The object with id=$objectid is a draft
|
||||
* @param int $mode Mode (0=default, 1=return with not die)
|
||||
* @return int If mode = 0 (default): Always 1, die process if not allowed. If mode = 1: Return 0 if access not allowed.
|
||||
* @param User $user User to check
|
||||
* @param string $features Features to check (it must be module $object->element. Can be a 'or' check with 'levela|levelb'.
|
||||
* Examples: 'societe', 'contact', 'produit&service', 'produit|service', ...)
|
||||
* This is used to check permission $user->rights->features->...
|
||||
* @param int $objectid Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
|
||||
* @param string $tableandshare 'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity for multicompany module. Param not used if objectid is null (optional).
|
||||
* @param string $feature2 Feature to check, second level of permission (optional). Can be a 'or' check with 'sublevela|sublevelb'.
|
||||
* This is used to check permission $user->rights->features->feature2...
|
||||
* @param string $dbt_keyfield Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
|
||||
* @param string $dbt_select Field name for select if not rowid. Not used if objectid is null (optional)
|
||||
* @param int $isdraft 1=The object with id=$objectid is a draft
|
||||
* @param int $mode Mode (0=default, 1=return with not die)
|
||||
* @return int If mode = 0 (default): Always 1, die process if not allowed. If mode = 1: Return 0 if access not allowed.
|
||||
* @see dol_check_secure_access_document(), checkUserAccessToObject()
|
||||
*/
|
||||
function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = 'fk_soc', $dbt_select = 'rowid', $isdraft = 0, $mode = 0)
|
||||
@ -236,6 +236,8 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
|
||||
global $db, $conf;
|
||||
global $hookmanager;
|
||||
|
||||
$objectid = ((int) $objectid); // For the case value is coming from a non sanitized user input
|
||||
|
||||
//dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename, $feature2, $dbt_socfield, $dbt_select, $isdraft");
|
||||
//print "user_id=".$user->id.", features=".$features.", feature2=".$feature2.", objectid=".$objectid;
|
||||
//print ", dbtablename=".$dbtablename.", dbt_socfield=".$dbt_keyfield.", dbt_select=".$dbt_select;
|
||||
@ -270,7 +272,6 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
|
||||
$features = 'produit';
|
||||
}
|
||||
|
||||
|
||||
// Get more permissions checks from hooks
|
||||
$parameters = array('features'=>$features, 'originalfeatures'=>$originalfeatures, 'objectid'=>$objectid, 'dbt_select'=>$dbt_select, 'idtype'=>$dbt_select, 'isdraft'=>$isdraft);
|
||||
$reshook = $hookmanager->executeHooks('restrictedArea', $parameters);
|
||||
@ -288,10 +289,6 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
|
||||
return 1;
|
||||
}
|
||||
|
||||
if ($dbt_select != 'rowid' && $dbt_select != 'id') {
|
||||
$objectid = "'".$db->escape($objectid)."'";
|
||||
}
|
||||
|
||||
// Features/modules to check
|
||||
$featuresarray = array($features);
|
||||
if (preg_match('/&/', $features)) {
|
||||
|
||||
@ -46,11 +46,6 @@ $hookmanager->initHooks(array('workstationnote', 'globalcard')); // Note that co
|
||||
// Fetch optionals attributes and labels
|
||||
$extrafields->fetch_name_optionals_label($object->table_element);
|
||||
|
||||
// Security check - Protection if external user
|
||||
//if ($user->socid > 0) accessforbidden();
|
||||
//if ($user->socid > 0) $socid = $user->socid;
|
||||
//$result = restrictedArea($user, 'workstation', $id);
|
||||
|
||||
// Load object
|
||||
include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be include, not include_once // Must be include, not include_once. Include fetch and fetch_thirdparty but not fetch_optionals
|
||||
if ($id > 0 || !empty($ref)) {
|
||||
|
||||
Loading…
Reference in New Issue
Block a user