From 7fd34e5ff6a7633bb04542a880971f5803ffaf6f Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 6 Jan 2014 13:02:20 +0100
Subject: [PATCH] Fix: [ bug #1208 ] Users without read permission on the tasks can still see all project tasks Fix: function clean_orhpelins was reporting wrong number of cleaned orphelins.
---
 htdocs/core/lib/project.lib.php | 12 ++++++------
 htdocs/projet/class/project.class.php | 17 +++++++++++------
 htdocs/projet/tasks.php | 22 ++++++++++++----------
 3 files changed, 29 insertions(+), 22 deletions(-)
diff --git a/htdocs/core/lib/project.lib.php b/htdocs/core/lib/project.lib.php
index 1fc2592c6a5..751ebbdfc5f 100644
--- a/htdocs/core/lib/project.lib.php
+++ b/htdocs/core/lib/project.lib.php
@@ -207,7 +207,7 @@ function project_admin_prepare_head()
  * @param string $var Color
  * @param int $showproject Show project columns
  * @param int &$taskrole Array of roles of user for each tasks
- * @param int $projectsListId List of id of project allowed to user (separated with comma)
+ * @param int $projectsListId List of id of project allowed to user (string separated with comma)
  * @param int $addordertick Add a tick to move task
  * @return void
  */
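Review bot: The rewritten `@param int $projectsListId` tag still declares the parameter as `int` while its new description says it is a comma-separated string, so the type should follow the description: ` * @param string $projectsListId List of id of project allowed to user (string separated with comma)`. The neighbouring tag has the same mismatch, `&$taskrole` is typed `int` but described as an array of roles, so ` * @param array &$taskrole Array of roles of user for each tasks` would make the docblock consistent. The function this docblock documents begins after the end of the hunk, so I could not confirm how the parameter is actually consumed.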
@@ -261,15 +261,15 @@ function projectLinesa(&$inc, $parent, &$lines, &$level, $var, $showproject, &$t { // Caller did not ask to filter on tasks of a specific user (this probably means he want also tasks of all users, into public project // or into all other projects if user has permission to). - if (empty($user->rights->project->all->lire)) + if (empty($user->rights->projet->all->lire)) { // User is not allowed on this project and project is not public, so we hide line if (! in_array($lines[$i]->fk_project, $projectsArrayId)) { - // TODO - // If user is assigned to a task into a private project user has no permission on, we must use showlinegray=1 (to show task without showing project) - // if user is not assigned to any task into tree, we must use showline=0 - $showline=0; + // Note that having a user assigned to a task into a project user has no permission on, should not be possible + // because assignement on task can be done only on contact of project. + // If assignement was done and after, was removed from contact of project, then we can hide the line. + $showline=0; } } } diff --git a/htdocs/projet/class/project.class.php b/htdocs/projet/class/project.class.php index cea067d67e5..9924dddf4f4 100644 --- a/htdocs/projet/class/project.class.php +++ b/htdocs/projet/class/project.class.php @@ -1281,7 +1281,7 @@ class Project extends CommonObject } /** - * Clean task not linked to a parent + * Clean tasks not linked to an existing parent * * @return int Nb of records deleted */ @@ -1292,7 +1292,7 @@ class Project extends CommonObject // There is orphelins. We clean that $listofid=array(); - // Get list of id in array listofid + // Get list of all id in array listofid $sql='SELECT rowid FROM '.MAIN_DB_PREFIX.'projet_task'; $resql = $this->db->query($sql); if ($resql) 
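Review bot: The access decision at `if (! in_array($lines[$i]->fk_project, $projectsArrayId))` rests on a loose `in_array`; `$projectsArrayId` is presumably derived from the comma-separated `$projectsListId` string described in this file's docblock (so its entries are strings), while `fk_project` comes from the task record, so the check only works through PHP's loose string/int comparison. Normalising both sides and using the strict form keeps a visibility check from depending on those coercion rules: `if (! in_array((int) $lines[$i]->fk_project, array_map('intval', $projectsArrayId), true))`. The comment that replaces the TODO asserts an invariant (task assignment is only possible for project contacts) that nothing in this hunk enforces; it would be clearer to state that the line is hidden, i.e. the check fails closed, whenever that invariant does not hold. projectLinesa's body starts before this hunk and continues after it, so the construction of `$projectsArrayId` is not visible here.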
@@ -1313,19 +1313,24 @@ class Project extends CommonObject if (count($listofid)) { - // Removed orphelins records - print 'Some orphelins were found and restored to be parents so records are visible again: '; - print join(',',$listofid); + print 'Code asked to check and clean orphelins.'; $sql = "UPDATE ".MAIN_DB_PREFIX."projet_task"; $sql.= " SET fk_task_parent = 0"; - $sql.= " WHERE fk_task_parent NOT IN (".join(',',$listofid).")"; + $sql.= " WHERE fk_task_parent NOT IN (".join(',',$listofid).")"; // So we update only records linked to a non existing parent $resql = $this->db->query($sql); if ($resql) { $nb=$this->db->affected_rows($sql); + if ($nb > 0) + { + // Removed orphelins records + print 'Some orphelins were found and modified to be parent so records are visible again: '; + print join(',',$listofid); + } + return $nb; } else diff --git a/htdocs/projet/tasks.php b/htdocs/projet/tasks.php index c45248db741..794a1198c35 100644 --- a/htdocs/projet/tasks.php +++ b/htdocs/projet/tasks.php @@ -79,7 +79,7 @@ $userAccess=0; /* * Actions -*/ + */ if ($action == 'createtask' && $user->rights->projet->creer) { @@ -396,8 +396,7 @@ else print ''; // Get list of tasks in tasksarray and taskarrayfiltered - // We need all tasks (even not limited to a user because a task to user - // can have a parent that is not affected to him). + // We need all tasks (even not limited to a user because a task to user can have a parent that is not affected to him). $tasksarray=$taskstatic->getTasksArray(0, 0, $object->id, $socid, 0); // We load also tasks limited to a particular user $tasksrole=($mode=='mine' ? $taskstatic->getUserRolesForProjectsOrTasks(0,$user,$object->id,0) : ''); @@ -426,7 +425,7 @@ else { // Show all lines in taskarray (recursive function to go down on tree) $j=0; - $nboftaskshown=projectLinesa($j, 0, $tasksarray, $level, true, 0, $tasksrole, '', 1); + $nboftaskshown=projectLinesa($j, 0, $tasksarray, $level, true, 0, $tasksrole, $id, 1); } else { 
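Review bot: The new `print 'Code asked to check and clean orphelins.';` sits outside the `if ($nb > 0)` guard added further down, so the method writes that text into the page on every call where `$listofid` is non-empty, which from the preceding hunk (`SELECT rowid FROM ...projet_task`) means whenever the table holds any task, not only when orphans were actually repaired. Either drop the line or move it under the same guard as the other output, `if ($nb > 0) print 'Code asked to check and clean orphelins.';`; a data-layer method emitting raw text at all is questionable, and the project's logging facility would be the better home for it. The `else` branch the hunk ends on and the start of the method lie outside the hunk.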
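Review bot: The new call passes `$id` as the list of allowed projects while the calls a few lines above in the same file use the loaded object's id (`getTasksArray(0, 0, $object->id, $socid, 0)` and `getUserRolesForProjectsOrTasks(0,$user,$object->id,0)`); `$id` is presumably the raw request parameter, so if the project was loaded by reference rather than by id the allowed list would be empty and every task hidden. Using the same source of truth keeps the permission filter consistent with the data it filters: `$nboftaskshown=projectLinesa($j, 0, $tasksarray, $level, true, 0, $tasksrole, $object->id, 1);`. The `else` block enclosing this call starts before the hunk and the `else` the hunk ends on continues after it.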
@@ -437,13 +436,16 @@ else // Test if database is clean. If not we clean it. //print 'mode='.$_REQUEST["mode"].' $nboftaskshown='.$nboftaskshown.' count($tasksarray)='.count($tasksarray).' count($tasksrole)='.count($tasksrole).'
'; - if ($mode=='mine') + if (! empty($user->rights->projet->all->lire)) // We make test to clean only if user has permission to see all (test may report false positive otherwise) { - if ($nboftaskshown < count($tasksrole)) $object->clean_orphelins(); - } - else - { - if ($nboftaskshown < count($tasksarray)) $object->clean_orphelins(); + if ($mode=='mine') + { + if ($nboftaskshown < count($tasksrole)) $object->clean_orphelins(); + } + else + { + if ($nboftaskshown < count($tasksarray)) $object->clean_orphelins(); + } } }
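Review bot: `$object->clean_orphelins()` performs an UPDATE on the task table as a side effect of rendering this page, and the new guard `if (! empty($user->rights->projet->all->lire))` only requires a read right, so any user allowed to read all projects can now trigger a database write during an ordinary page view, with no write permission or action token checked in this hunk. Gate the repair on a write right, for instance the `$user->rights->projet->creer` this file already uses for task creation, `if (! empty($user->rights->projet->all->lire) && ! empty($user->rights->projet->creer))`, or better move the repair into an explicit admin action instead of a side effect of a view. The comment on the new condition explains the false-positive risk but not that the count mismatch itself (`$nboftaskshown < count($tasksrole)`) may have other causes than orphaned parents; a sentence saying the repair is best-effort would help. The enclosing block begins before the hunk.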