From 7deccc97b1ae714a4c2b17c42498b6884f6012f9 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 5 Dec 2022 03:08:57 +0100
Subject: [PATCH] Fix #yogosha13774
---
htdocs/core/lib/security.lib.php | 71 ++++++++++---------
.../knowledgerecord_agenda.php | 3 +-
.../knowledgerecord_card.php | 4 +-
.../knowledgerecord_contact.php | 16 ++---
.../knowledgerecord_document.php | 3 +-
.../knowledgerecord_list.php | 2 +-
.../knowledgerecord_note.php | 10 +--
.../template/myobject_agenda.php | 2 +-
.../modulebuilder/template/myobject_card.php | 2 +-
.../template/myobject_contact.php | 2 +-
.../template/myobject_document.php | 2 +-
.../modulebuilder/template/myobject_list.php | 2 +-
.../modulebuilder/template/myobject_note.php | 2 +-
htdocs/user/perms.php | 52 ++++++++++----
14 files changed, 102 insertions(+), 71 deletions(-)
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 8e1ed6cebd1..3ec94953284 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -318,27 +318,32 @@ function dolGetLdapPasswordHash($password, $type = 'md5') * If GETPOST('action','aZ09') defined, we also check write and delete permission. * This method check permission on module then call checkUserAccessToObject() for permission on object (according to entity and socid of user). * - * @param User $user User to check - * @param string $features Features to check (it must be module $object->element. Can be a 'or' check with 'levela|levelb'. - * Examples: 'societe', 'contact', 'produit&service', 'produit|service', ...) - * This is used to check permission $user->rights->features->... - * @param int $objectid Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional). - * @param string $tableandshare 'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity for multicompany module. Param not used if objectid is null (optional). - * @param string $feature2 Feature to check, second level of permission (optional). Can be a 'or' check with 'sublevela|sublevelb'. - * This is used to check permission $user->rights->features->feature2... - * @param string $dbt_keyfield Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional) - * @param string $dbt_select Field name for select if not rowid. Not used if objectid is null (optional) - * @param int $isdraft 1=The object with id=$objectid is a draft - * @param int $mode Mode (0=default, 1=return without dieing) - * @return int If mode = 0 (default): Always 1, die process if not allowed. If mode = 1: Return 0 if access not allowed. + * @param User $user User to check + * @param string $features Features to check (it must be module $object->element. Can be a 'or' check with 'levela|levelb'. + * Examples: 'societe', 'contact', 'produit&service', 'produit|service', ...) + * This is used to check permission $user->rights->features->... 
+ * @param int|string|object $object Object or Object ID or list of Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional). + * @param string $tableandshare 'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity for multicompany module. Param not used if objectid is null (optional). + * @param string $feature2 Feature to check, second level of permission (optional). Can be a 'or' check with 'sublevela|sublevelb'. + * This is used to check permission $user->rights->features->feature2... + * @param string $dbt_keyfield Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional). Can use '' if NA. + * @param string $dbt_select Field name for select if not "rowid". Not used if objectid is null (optional) + * @param int $isdraft 1=The object with id=$objectid is a draft + * @param int $mode Mode (0=default, 1=return without dieing) + * @return int If mode = 0 (default): Always 1, die process if not allowed. If mode = 1: Return 0 if access not allowed. 
* @see dol_check_secure_access_document(), checkUserAccessToObject() */ -function restrictedArea(User $user, $features, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = 'fk_soc', $dbt_select = 'rowid', $isdraft = 0, $mode = 0) +function restrictedArea(User $user, $features, $object = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = 'fk_soc', $dbt_select = 'rowid', $isdraft = 0, $mode = 0) { global $db, $conf; global $hookmanager; - $objectid = ((int) $objectid); // For the case value is coming from a non sanitized user input + if (is_object($object)) { + $objectid = $object->id; + } else { + $objectid = $object; // $objectid can be X or 'X,Y,Z' + } + $objectid = preg_replace('/[^0-9\.\,]/', '', $objectid); // For the case value is coming from a non sanitized user input //dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename, $feature2, $dbt_socfield, $dbt_select, $isdraft"); //print "user_id=".$user->id.", features=".$features.", feature2=".$feature2.", objectid=".$objectid; @@ -391,11 +396,6 @@ function restrictedArea(User $user, $features, $objectid = 0, $tableandshare = ' return 1; } - // To avoid access forbidden with numeric ref - if ($dbt_select != 'rowid' && $dbt_select != 'id') { - $objectid = "'".$objectid."'"; - } - // Features/modules to check $featuresarray = array($features); if (preg_match('/&/', $features)) { @@ -426,7 +426,7 @@ function restrictedArea(User $user, $features, $objectid = 0, $tableandshare = ' } if ($feature == 'societe') { - if (!$user->hasRight('societe', 'lire') && empty($user->rights->fournisseur->lire)) { + if (!$user->hasRight('societe', 'lire') && !$user->hasRight('fournisseur', 'lire')) { $readok = 0; $nbko++; } 
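Review bot: The `(int)` cast at the top of `restrictedArea()` is replaced by `preg_replace('/[^0-9\.\,]/', '', $objectid)`, which keeps dots and commas and so no longer guarantees a single integer; the later guard `if (!empty($objectid) && $objectid > 0)` (hunk at -716) then compares a string such as 'X,Y,Z' with 0, and the outcome depends on PHP's string/number comparison rules rather than on the ids themselves. If dots are not actually needed, normalising each element keeps the list support and the old guarantee: `$objectid = implode(',', array_map('intval', explode(',', (string) $objectid)));`. The trailing comment should also state what the filter allows, e.g. `// Keep only digits, dots and commas: value may be one id or a list 'X,Y,Z'`. The body of restrictedArea() continues outside this hunk, so later uses of `$objectid` could not be checked.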
@@ -436,12 +436,12 @@ function restrictedArea(User $user, $features, $objectid = 0, $tableandshare = ' $nbko++; } } elseif ($feature == 'produit|service') { - if (!$user->rights->produit->lire && !$user->rights->service->lire) { + if (empty($user->rights->produit->lire) && empty($user->rights->service->lire)) { $readok = 0; $nbko++; } } elseif ($feature == 'prelevement') { - if (!$user->rights->prelevement->bons->lire) { + if (empty($user->rights->prelevement->bons->lire)) { $readok = 0; $nbko++; } @@ -451,12 +451,12 @@ function restrictedArea(User $user, $features, $objectid = 0, $tableandshare = ' $nbko++; } } elseif ($feature == 'projet') { - if (!$user->rights->projet->lire && empty($user->rights->projet->all->lire)) { + if (empty($user->rights->projet->lire) && empty($user->rights->projet->all->lire)) { $readok = 0; $nbko++; } } elseif ($feature == 'payment') { - if (!$user->rights->facture->lire) { + if (empty($user->rights->facture->lire)) { $readok = 0; $nbko++; } @@ -716,7 +716,7 @@ function restrictedArea(User $user, $features, $objectid = 0, $tableandshare = ' // If we have a particular object to check permissions on, we check if $user has permission // for this given object (link to company, is contact for project, ...) if (!empty($objectid) && $objectid > 0) { - $ok = checkUserAccessToObject($user, $featuresarray, $objectid, $tableandshare, $feature2, $dbt_keyfield, $dbt_select, $parentfortableentity); + $ok = checkUserAccessToObject($user, $featuresarray, $object, $tableandshare, $feature2, $dbt_keyfield, $dbt_select, $parentfortableentity); $params = array('objectid' => $objectid, 'features' => join(',', $featuresarray), 'features2' => $feature2); //print 'checkUserAccessToObject ok='.$ok; if ($mode) { 
@@ -737,9 +737,9 @@ function restrictedArea(User $user, $features, $objectid = 0, $tableandshare = ' * @param array $featuresarray Features/modules to check. Example: ('user','service','member','project','task',...) * @param int|string|Object $object Full object or object ID or list of object id. For example if we want to check a particular record (optional) is linked to a owned thirdparty (optional). * @param string $tableandshare 'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity for multicompany modume. Param not used if objectid is null (optional). - * @param string $feature2 Feature to check, second level of permission (optional). Can be or check with 'level1|level2'. - * @param string $dbt_keyfield Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional) - * @param string $dbt_select Field name for select if not rowid. Not used if objectid is null (optional) + * @param array|string $feature2 Feature to check, second level of permission (optional). Can be or check with 'level1|level2'. + * @param string $dbt_keyfield Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional). Can use '' if NA. + * @param string $dbt_select Field name for select if not rowid. Not used if objectid is null (optional). * @param string $parenttableforentity Parent table for entity. Example 'fk_website@website' * @return bool True if user has access, False otherwise * @see restrictedArea() 
@@ -753,9 +753,10 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl } else { $objectid = $object; // $objectid can be X or 'X,Y,Z' } + $objectid = preg_replace('/[^0-9\.\,]/', '', $objectid); // For the case value is coming from a non sanitized user input //dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename, $feature2, $dbt_socfield, $dbt_select, $isdraft"); - //print "user_id=".$user->id.", features=".join(',', $featuresarray).", feature2=".$feature2.", objectid=".$objectid; + //print "user_id=".$user->id.", features=".join(',', $featuresarray).", objectid=".$objectid; //print ", tableandshare=".$tableandshare.", dbt_socfield=".$dbt_keyfield.", dbt_select=".$dbt_select."
"; // More parameters @@ -783,12 +784,13 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl // Array to define rules of checks to do $check = array('adherent', 'banque', 'bom', 'don', 'mrp', 'user', 'usergroup', 'payment', 'payment_supplier', 'product', 'produit', 'service', 'produit|service', 'categorie', 'resource', 'expensereport', 'holiday', 'salaries', 'website', 'recruitment'); // Test on entity only (Objects with no link to company) - $checksoc = array('societe'); // Test for societe object + $checksoc = array('societe'); // Test for object Societe $checkother = array('contact', 'agenda'); // Test on entity + link to third party on field $dbt_keyfield. Allowed if link is empty (Ex: contacts...). $checkproject = array('projet', 'project'); // Test for project object $checktask = array('projet_task'); // Test for task object - $checkhierarchy = array('expensereport', 'holiday'); + $checkhierarchy = array('expensereport', 'holiday'); // check permission among the hierarchy of user $nocheck = array('barcode', 'stock'); // No test + //$checkdefault = 'all other not already defined'; // Test on entity + link to third party on field $dbt_keyfield. Not allowed if link is empty (Ex: invoice, orders...). // If dbtablename not defined, we use same name for table than module name @@ -797,6 +799,11 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl $sharedelement = (!empty($params[1]) ? $params[1] : $dbtablename); // We change dbtablename, so we set sharedelement too. } + // To avoid an access forbidden with a numeric ref + if ($dbt_select != 'rowid' && $dbt_select != 'id') { + $objectid = "'".$objectid."'"; // Note: $objectid was already cast into int at begin of this method. + } + // Check permission for objectid on entity only if (in_array($feature, $check) && $objectid > 0) { // For $objectid = 0, no check $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb"; 
diff --git a/htdocs/knowledgemanagement/knowledgerecord_agenda.php b/htdocs/knowledgemanagement/knowledgerecord_agenda.php index 026e2fad51d..b293a2dbdd7 100644 --- a/htdocs/knowledgemanagement/knowledgerecord_agenda.php +++ b/htdocs/knowledgemanagement/knowledgerecord_agenda.php @@ -87,7 +87,8 @@ if ($id > 0 || !empty($ref)) { // Security check - Protection if external user //if ($user->socid > 0) accessforbidden(); //if ($user->socid > 0) $socid = $user->socid; -//$result = restrictedArea($user, 'knowledgemanagement', $object->id); +$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); +restrictedArea($user, $object->module, $object->id, $object->table_element, $object->element, '', 'rowid', $isdraft); $permissiontoadd = $user->rights->knowledgemanagement->knowledgerecord->write; // Used by the include of actions_addupdatedelete.inc.php diff --git a/htdocs/knowledgemanagement/knowledgerecord_card.php b/htdocs/knowledgemanagement/knowledgerecord_card.php index c28bc9e1c9c..908e13852f2 100644 --- a/htdocs/knowledgemanagement/knowledgerecord_card.php +++ b/htdocs/knowledgemanagement/knowledgerecord_card.php @@ -85,8 +85,8 @@ $upload_dir = $conf->knowledgemanagement->multidir_output[isset($object->entity) // Security check - Protection if external user //if ($user->socid > 0) accessforbidden(); //if ($user->socid > 0) $socid = $user->socid; -//$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); -//restrictedArea($user, $object->element, $object->id, '', '', 'fk_soc', 'rowid', $isdraft); +$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); +restrictedArea($user, $object->module, $object->id, $object->table_element, $object->element, '', 'rowid', $isdraft); //if (empty($conf->knowledgemanagement->enabled)) accessforbidden(); //if (empty($permissiontoread)) accessforbidden(); 
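Review bot: The newly enabled `restrictedArea()` call passes `''` as `$dbt_keyfield` while the two external-user lines just above it stay commented out, so nothing visible in this hunk restricts a user with `$user->socid > 0`, whereas knowledgerecord_list.php calls `accessforbidden()` for them. If knowledge records are not meant for external users, the same guard should be enabled here: `if ($user->socid > 0) accessforbidden();`. The same applies to the card, contact, document and note pages changed by this commit. `$object->status` is also read with no visible check that a record was loaded; how `restrictedArea()` treats an empty `$object->id` depends on code outside the hunk.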
diff --git a/htdocs/knowledgemanagement/knowledgerecord_contact.php b/htdocs/knowledgemanagement/knowledgerecord_contact.php index e1c77ab0d7b..4e557a3e1ae 100644 --- a/htdocs/knowledgemanagement/knowledgerecord_contact.php +++ b/htdocs/knowledgemanagement/knowledgerecord_contact.php @@ -53,12 +53,14 @@ include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be includ // Security check - Protection if external user //if ($user->socid > 0) accessforbidden(); //if ($user->socid > 0) $socid = $user->socid; -//$result = restrictedArea($user, 'knowledgemanagement', $object->id); +$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); +restrictedArea($user, $object->module, $object->id, $object->table_element, $object->element, '', 'rowid', $isdraft); $permission = $user->rights->knowledgemanagement->knowledgerecord->write; + /* - * Add a new contact + * Actions */ if ($action == 'addcontact' && $permission) { @@ -108,16 +110,10 @@ $contactstatic = new Contact($db); $userstatic = new User($db); -/* *************************************************************************** */ -/* */ -/* View and edit mode */ -/* */ -/* *************************************************************************** */ +// View and edit mode if ($object->id) { - /* - * Show tabs - */ + // Show tabs $head = knowledgerecordPrepareHead($object); print dol_get_fiche_head($head, 'contact', $langs->trans("KnowledgeRecord"), -1, $object->picto); diff --git a/htdocs/knowledgemanagement/knowledgerecord_document.php b/htdocs/knowledgemanagement/knowledgerecord_document.php index fff7ad68601..7430de8a495 100644 --- a/htdocs/knowledgemanagement/knowledgerecord_document.php +++ b/htdocs/knowledgemanagement/knowledgerecord_document.php 
@@ -78,7 +78,8 @@ if ($id > 0 || !empty($ref)) { // Security check - Protection if external user //if ($user->socid > 0) accessforbidden(); //if ($user->socid > 0) $socid = $user->socid; -//$result = restrictedArea($user, 'knowledgemanagement', $object->id); +$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); +restrictedArea($user, $object->module, $object->id, $object->table_element, $object->element, '', 'rowid', $isdraft); $permissiontoadd = $user->rights->knowledgemanagement->knowledgerecord->write; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles.inc.php diff --git a/htdocs/knowledgemanagement/knowledgerecord_list.php b/htdocs/knowledgemanagement/knowledgerecord_list.php index c8df2018ae7..dffd3d63d7b 100644 --- a/htdocs/knowledgemanagement/knowledgerecord_list.php +++ b/htdocs/knowledgemanagement/knowledgerecord_list.php @@ -153,7 +153,7 @@ if ($user->socid > 0) { // Protection if external user //$socid = $user->socid; accessforbidden(); } -//$result = restrictedArea($user, 'knowledgemanagement'); +$result = restrictedArea($user, 'knowledgemanagement', 0, '', 'knowledgerecord'); //if (!$permissiontoread) accessforbidden(); diff --git a/htdocs/knowledgemanagement/knowledgerecord_note.php b/htdocs/knowledgemanagement/knowledgerecord_note.php index 3abc9e71866..28a2bcaa9d0 100644 --- a/htdocs/knowledgemanagement/knowledgerecord_note.php +++ b/htdocs/knowledgemanagement/knowledgerecord_note.php 
@@ -46,11 +46,6 @@ $hookmanager->initHooks(array('knowledgerecordnote', 'globalcard')); // Note tha // Fetch optionals attributes and labels $extrafields->fetch_name_optionals_label($object->table_element); -// Security check - Protection if external user -//if ($user->socid > 0) accessforbidden(); -//if ($user->socid > 0) $socid = $user->socid; -//$result = restrictedArea($user, 'knowledgemanagement', $id); - // Load object include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be include, not include_once // Must be include, not include_once. Include fetch and fetch_thirdparty but not fetch_optionals if ($id > 0 || !empty($ref)) { @@ -60,6 +55,11 @@ if ($id > 0 || !empty($ref)) { $permissionnote = $user->rights->knowledgemanagement->knowledgerecord->write; // Used by the include of actions_setnotes.inc.php $permissiontoadd = $user->rights->knowledgemanagement->knowledgerecord->write; // Used by the include of actions_addupdatedelete.inc.php +// Security check - Protection if external user +//if ($user->socid > 0) accessforbidden(); +//if ($user->socid > 0) $socid = $user->socid; +$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); +restrictedArea($user, $object->module, $object->id, $object->table_element, $object->element, '', 'rowid', $isdraft); /* diff --git a/htdocs/modulebuilder/template/myobject_agenda.php b/htdocs/modulebuilder/template/myobject_agenda.php index 5b5860f6475..d7b84707b95 100644 --- a/htdocs/modulebuilder/template/myobject_agenda.php +++ b/htdocs/modulebuilder/template/myobject_agenda.php 
@@ -145,7 +145,7 @@ if ($enablepermissioncheck) { //if ($user->socid > 0) accessforbidden(); //if ($user->socid > 0) $socid = $user->socid; //$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); -//restrictedArea($user, $object->element, $object->id, $object->table_element, '', 'fk_soc', 'rowid', $isdraft); +//restrictedArea($user, $object->module, $object->id, $object->table_element, $object->element, 'fk_soc', 'rowid', $isdraft); if (!isModEnabled("mymodule")) { accessforbidden(); } diff --git a/htdocs/modulebuilder/template/myobject_card.php b/htdocs/modulebuilder/template/myobject_card.php index 95f10b5b90c..4e80c81a4df 100644 --- a/htdocs/modulebuilder/template/myobject_card.php +++ b/htdocs/modulebuilder/template/myobject_card.php @@ -145,7 +145,7 @@ $upload_dir = $conf->mymodule->multidir_output[isset($object->entity) ? $object- //if ($user->socid > 0) accessforbidden(); //if ($user->socid > 0) $socid = $user->socid; //$isdraft = (isset($object->status) && ($object->status == $object::STATUS_DRAFT) ? 1 : 0); -//restrictedArea($user, $object->element, $object->id, $object->table_element, '', 'fk_soc', 'rowid', $isdraft); +//restrictedArea($user, $object->module, $object->id, $object->table_element, $object->element, 'fk_soc', 'rowid', $isdraft); if (!isModEnabled("mymodule")) { accessforbidden(); } diff --git a/htdocs/modulebuilder/template/myobject_contact.php b/htdocs/modulebuilder/template/myobject_contact.php index b0f7b5cfb30..9568201238c 100644 --- a/htdocs/modulebuilder/template/myobject_contact.php +++ b/htdocs/modulebuilder/template/myobject_contact.php 
@@ -93,7 +93,7 @@ if ($enablepermissioncheck) { //if ($user->socid > 0) accessforbidden(); //if ($user->socid > 0) $socid = $user->socid; //$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); -//restrictedArea($user, $object->element, $object->id, $object->table_element, '', 'fk_soc', 'rowid', $isdraft); +//restrictedArea($user, $object->module, $object->id, $object->table_element, $object->element, 'fk_soc', 'rowid', $isdraft); if (!isModEnabled("mymodule")) { accessforbidden(); } diff --git a/htdocs/modulebuilder/template/myobject_document.php b/htdocs/modulebuilder/template/myobject_document.php index 6aed7382b7d..ff1756e2b15 100644 --- a/htdocs/modulebuilder/template/myobject_document.php +++ b/htdocs/modulebuilder/template/myobject_document.php @@ -137,7 +137,7 @@ if ($enablepermissioncheck) { //if ($user->socid > 0) accessforbidden(); //if ($user->socid > 0) $socid = $user->socid; //$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); -//restrictedArea($user, $object->element, $object->id, $object->table_element, '', 'fk_soc', 'rowid', $isdraft); +//restrictedArea($user, $object->module, $object->id, $object->table_element, $object->element, 'fk_soc', 'rowid', $isdraft); if (!isModEnabled("mymodule")) { accessforbidden(); } diff --git a/htdocs/modulebuilder/template/myobject_list.php b/htdocs/modulebuilder/template/myobject_list.php index e5718ef7d7f..06ad9a298ec 100644 --- a/htdocs/modulebuilder/template/myobject_list.php +++ b/htdocs/modulebuilder/template/myobject_list.php 
@@ -196,7 +196,7 @@ if ($user->socid > 0) accessforbidden(); //if ($user->socid > 0) accessforbidden(); //$socid = 0; if ($user->socid > 0) $socid = $user->socid; //$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); -//restrictedArea($user, $object->element, 0, $object->table_element, '', 'fk_soc', 'rowid', $isdraft); +//restrictedArea($user, $object->module, 0, $object->table_element, $object->element, 'fk_soc', 'rowid', $isdraft); if (!isModEnabled("mymodule")) { accessforbidden('Module mymodule not enabled'); } diff --git a/htdocs/modulebuilder/template/myobject_note.php b/htdocs/modulebuilder/template/myobject_note.php index f7859cfb217..89e5e0ba76e 100644 --- a/htdocs/modulebuilder/template/myobject_note.php +++ b/htdocs/modulebuilder/template/myobject_note.php @@ -117,7 +117,7 @@ if ($enablepermissioncheck) { //if ($user->socid > 0) accessforbidden(); //if ($user->socid > 0) $socid = $user->socid; //$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); -//restrictedArea($user, $object->element, $object->id, $object->table_element, '', 'fk_soc', 'rowid', $isdraft); +//restrictedArea($user, $object->module, $object->id, $object->table_element, $object->element, 'fk_soc', 'rowid', $isdraft); if (!isModEnabled("mymodule")) { accessforbidden(); } diff --git a/htdocs/user/perms.php b/htdocs/user/perms.php index bd647af2a85..53b153ae025 100644 --- a/htdocs/user/perms.php +++ b/htdocs/user/perms.php @@ -307,6 +307,9 @@ if ($reshook < 0) { setEventMessages($hookmanager->error, $hookmanager->errors, 'errors'); } +$listofexpandedmodules = array(); + + print "\n"; print '
'; print ''; @@ -316,9 +319,9 @@ print ''; if (($caneditperms && empty($objMod->rights_admin_allowed)) || empty($object->admin)) { if ($caneditperms) { print ''; } else { print ''; @@ -329,7 +332,7 @@ if (($caneditperms && empty($objMod->rights_admin_allowed)) || empty($object->ad print ''; } -print ''; +print ''; print ''; if (($caneditperms && empty($objMod->rights_admin_allowed)) || empty($object->admin)) { if ($caneditperms) { - print ''; print ''; } else { @@ -507,9 +510,10 @@ if ($result) { } else { if ($caneditperms) { print ''; print ''; } else { @@ -550,7 +554,8 @@ if ($result) { print ''; } elseif (in_array($obj->id, $permsuser)) { // Permission granted by user if ($caneditperms) { - print ''; @@ -575,7 +580,8 @@ if ($result) { } else { // Do not own permission if ($caneditperms) { - print ''; @@ -587,7 +593,8 @@ if ($result) { } else { // Do not own permission if ($caneditperms) { - print ''; @@ -655,7 +662,26 @@ print '$(".trforbreakperms:not(.alink)").on("click", function(){ $(this).data("hidden-perms", 1); $("#idforbreakperms_"+moduletohide).val("1"); } -})'; +});'; +print "\n"; + + +// addexpandedmodulesinparamlist +print '$(".addexpandedmodulesinparamlist").on("click", function(){ + console.log("Click on a link with addexpandedmodulesinparamlist"); + //event.preventDefault(); + var oldUrl = $(this).attr("href"); // Get current url of clicked link + oldUrl = oldUrl.replace(/expandedmodulesinparamlist=[\d,]+$/, ""); + oldurl = oldUrl.replace(/&&+/, "&"); + + // Build list of expanded modules + + + var newUrl = oldUrl+"&expandedmodulesinparamlist="; + $(this).attr("href", newUrl); // Set herf value + console.log(newUrl); + event.preventDefault(); +});'; print "\n"; // Button expand / collapse all @@ -668,7 +694,7 @@ print '$(".showallperms").on("click", function(){ $(this).trigger("click"); } }) -}) +}); $(".hideallperms").on("click", function(){ console.log("Click on hideallperms"); 
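Review bot: In the new `addexpandedmodulesinparamlist` click handler (hunk at -655) the second clean-up assigns to `oldurl` instead of `oldUrl`, so the `&&` replacement is lost and an implicit global is created, and `event` is used without being declared as the handler's parameter. Suggested lines: `$(".addexpandedmodulesinparamlist").on("click", function(event){` and `oldUrl = oldUrl.replace(/&&+/, "&");`. The unconditional `event.preventDefault()` at the end also stops the browser from following the rewritten `href`, which looks unintended for the add/remove permission links, and the list of expanded modules is never built, so the parameter is always appended empty.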
@@ -679,7 +705,7 @@ $(".hideallperms").on("click", function(){ $(this).trigger("click"); } }) -})'; +});'; print "\n"; print '';
'.$langs->trans("Module").''; - print ''.$langs->trans("All").""; + print ''.$langs->trans("All").""; print ' / '; - print ''.$langs->trans("None").""; + print ''.$langs->trans("None").""; print '  '.$langs->trans("Permissions").''; print ''.img_picto('', 'folder-open', 'class="paddingright"').''.$langs->trans("ExpandAll").''; print ' | '; @@ -494,10 +497,10 @@ if ($result) { print 'id.'&confirm=yes&updatedmodulename='.$obj->module.'">'; + print ''; + print 'id.'&confirm=yes&updatedmodulename='.$obj->module.'">'; //print img_edit_remove($langs->trans("Remove")); print img_picto($langs->trans("Remove"), 'switch_on'); print 'id.'&confirm=yes&token='.newToken().'&updatedmodulename='.$obj->module.'">'; + print ''; + print 'id.'&confirm=yes&token='.newToken().'&updatedmodulename='.$obj->module.'">'; //print img_edit_add($langs->trans("Add")); print img_picto($langs->trans("Add"), 'switch_off'); print 'id.'&confirm=yes&token='.newToken().'&updatedmodulename='.$obj->module.'">'; + print ''; + print 'id.'&confirm=yes&token='.newToken().'&updatedmodulename='.$obj->module.'">'; //print img_edit_add($langs->trans("Add")); print img_picto($langs->trans("Add"), 'switch_off'); print '