Fix: [ bug #1208 ] Users without read permission on the tasks can still
see all project tasks Fix: function clean_orphelins was reporting wrong number of cleaned orphelins.
parent
7afdad60a0
commit
7fd34e5ff6
@ -207,7 +207,7 @@ function project_admin_prepare_head()
|
||||
* @param string $var Color
|
||||
* @param int $showproject Show project columns
|
||||
* @param int &$taskrole Array of roles of user for each tasks
|
||||
* @param int $projectsListId List of id of project allowed to user (separated with comma)
|
||||
* @param int $projectsListId List of id of project allowed to user (string separated with comma)
|
||||
* @param int $addordertick Add a tick to move task
|
||||
* @return void
|
||||
*/
|
||||
@ -261,15 +261,15 @@ function projectLinesa(&$inc, $parent, &$lines, &$level, $var, $showproject, &$t
|
||||
{
|
||||
// Caller did not ask to filter on tasks of a specific user (this probably means he want also tasks of all users, into public project
|
||||
// or into all other projects if user has permission to).
|
||||
if (empty($user->rights->project->all->lire))
|
||||
if (empty($user->rights->projet->all->lire))
|
||||
{
|
||||
// User is not allowed on this project and project is not public, so we hide line
|
||||
if (! in_array($lines[$i]->fk_project, $projectsArrayId))
|
||||
{
|
||||
// TODO
|
||||
// If user is assigned to a task into a private project user has no permission on, we must use showlinegray=1 (to show task without showing project)
|
||||
// if user is not assigned to any task into tree, we must use showline=0
|
||||
$showline=0;
|
||||
// Note that having a user assigned to a task into a project user has no permission on, should not be possible
|
||||
// because assignement on task can be done only on contact of project.
|
||||
// If assignement was done and after, was removed from contact of project, then we can hide the line.
|
||||
$showline=0;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
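Review bot: The docblock in the first hunk still types `$projectsListId` as `int` although the new description says it is a comma-separated string, and that parameter is what decides `$showline=0` in the second hunk, so its contract should be stated exactly: `@param string $projectsListId Comma-separated ids of projects the user may read; tasks of any other project are hidden`. The membership test `in_array($lines[$i]->fk_project, $projectsArrayId)` compares loosely against whatever `$projectsArrayId` is built from. That construction is outside the hunk, so it is worth confirming that an empty list string cannot yield an element that matches a task whose `fk_project` is 0 or unset. The body of projectLinesa starts and ends outside the visible lines.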
@ -1281,7 +1281,7 @@ class Project extends CommonObject
|
||||
}
|
||||
|
||||
/**
|
||||
* Clean task not linked to a parent
|
||||
* Clean tasks not linked to an existing parent
|
||||
*
|
||||
* @return int Nb of records deleted
|
||||
*/
|
||||
@ -1292,7 +1292,7 @@ class Project extends CommonObject
|
||||
// There is orphelins. We clean that
|
||||
$listofid=array();
|
||||
|
||||
// Get list of id in array listofid
|
||||
// Get list of all id in array listofid
|
||||
$sql='SELECT rowid FROM '.MAIN_DB_PREFIX.'projet_task';
|
||||
$resql = $this->db->query($sql);
|
||||
if ($resql)
|
||||
@ -1313,19 +1313,24 @@ class Project extends CommonObject
|
||||
|
||||
if (count($listofid))
|
||||
{
|
||||
// Removed orphelins records
|
||||
print 'Some orphelins were found and restored to be parents so records are visible again: ';
|
||||
print join(',',$listofid);
|
||||
print 'Code asked to check and clean orphelins.';
|
||||
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."projet_task";
|
||||
$sql.= " SET fk_task_parent = 0";
|
||||
$sql.= " WHERE fk_task_parent NOT IN (".join(',',$listofid).")";
|
||||
$sql.= " WHERE fk_task_parent NOT IN (".join(',',$listofid).")"; // So we update only records linked to a non existing parent
|
||||
|
||||
$resql = $this->db->query($sql);
|
||||
if ($resql)
|
||||
{
|
||||
$nb=$this->db->affected_rows($sql);
|
||||
|
||||
if ($nb > 0)
|
||||
{
|
||||
// Removed orphelins records
|
||||
print 'Some orphelins were found and modified to be parent so records are visible again: ';
|
||||
print join(',',$listofid);
|
||||
}
|
||||
|
||||
return $nb;
|
||||
}
|
||||
else
|
||||
|
||||
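Review bot: The message added after the UPDATE prints `join(',',$listofid)`, but `$listofid` is filled from `SELECT rowid FROM ...projet_task` with no filter (the comment says "Get list of all id"), so it appears to hold the id of every existing task rather than the records that were modified. The output is therefore misleading and exposes task ids unrelated to the project being displayed. Printing the count is enough: `print 'Some orphelins were found and modified to be parent so records are visible again: '.$nb;`. The WHERE clause also matches rows whose `fk_task_parent` is already 0, so on a driver that counts matched rather than changed rows `$nb` can still be too high; `$sql.= " AND fk_task_parent <> 0";` would pin it. The function starts before the hunk and its `else` branch is cut off after it.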
@ -79,7 +79,7 @@ $userAccess=0;
|
||||
|
||||
/*
|
||||
* Actions
|
||||
*/
|
||||
*/
|
||||
|
||||
if ($action == 'createtask' && $user->rights->projet->creer)
|
||||
{
|
||||
@ -396,8 +396,7 @@ else
|
||||
print '</td></tr></table>';
|
||||
|
||||
// Get list of tasks in tasksarray and taskarrayfiltered
|
||||
// We need all tasks (even not limited to a user because a task to user
|
||||
// can have a parent that is not affected to him).
|
||||
// We need all tasks (even not limited to a user because a task to user can have a parent that is not affected to him).
|
||||
$tasksarray=$taskstatic->getTasksArray(0, 0, $object->id, $socid, 0);
|
||||
// We load also tasks limited to a particular user
|
||||
$tasksrole=($mode=='mine' ? $taskstatic->getUserRolesForProjectsOrTasks(0,$user,$object->id,0) : '');
|
||||
@ -426,7 +425,7 @@ else
|
||||
{
|
||||
// Show all lines in taskarray (recursive function to go down on tree)
|
||||
$j=0;
|
||||
$nboftaskshown=projectLinesa($j, 0, $tasksarray, $level, true, 0, $tasksrole, '', 1);
|
||||
$nboftaskshown=projectLinesa($j, 0, $tasksarray, $level, true, 0, $tasksrole, $id, 1);
|
||||
}
|
||||
else
|
||||
{
|
||||
@ -437,13 +436,16 @@ else
|
||||
|
||||
// Test if database is clean. If not we clean it.
|
||||
//print 'mode='.$_REQUEST["mode"].' $nboftaskshown='.$nboftaskshown.' count($tasksarray)='.count($tasksarray).' count($tasksrole)='.count($tasksrole).'<br>';
|
||||
if ($mode=='mine')
|
||||
if (! empty($user->rights->projet->all->lire)) // We make test to clean only if user has permission to see all (test may report false positive otherwise)
|
||||
{
|
||||
if ($nboftaskshown < count($tasksrole)) $object->clean_orphelins();
|
||||
}
|
||||
else
|
||||
{
|
||||
if ($nboftaskshown < count($tasksarray)) $object->clean_orphelins();
|
||||
if ($mode=='mine')
|
||||
{
|
||||
if ($nboftaskshown < count($tasksrole)) $object->clean_orphelins();
|
||||
}
|
||||
else
|
||||
{
|
||||
if ($nboftaskshown < count($tasksarray)) $object->clean_orphelins();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
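Review bot: In the `-426` hunk the call now passes `$id` as `$projectsListId`, so the project being displayed is itself declared the list of projects the user is allowed on; the `in_array` filter in projectLinesa is then satisfied for every task on this page, and nothing in the visible lines checks that a user without `projet->all->lire` may read this project. `$id` is not defined in the shown hunks (presumably the request parameter), while the task list two hunks earlier is loaded with `$object->id`, so either pass that after an explicit access check or pass a list computed from the user's permissions. A comment at the call such as `// $id is allowed here because access to the project was checked at the top of the page` would at least record the assumption. In the last hunk, `clean_orphelins()` runs an UPDATE with no project filter while the page is rendered and is gated only by a read permission, which is worth confirming as intended.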