Sec: Missing permission tests
This commit is contained in:
Laurent Destailleur
parent
0e9477167d
commit
85436f871c
@ -1,7 +1,7 @@
|
||||
<?php
|
||||
/* Copyright (C) 2002-2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
|
||||
* Copyright (C) 2004 Eric Seigne <eric.seigne@ryxeo.com>
|
||||
* Copyright (C) 2004-2012 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2004-2014 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2005-2012 Regis Houssin <regis.houssin@capnetworks.com>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
@ -38,12 +38,13 @@ $id = (GETPOST('facid','int') ? GETPOST('facid','int') : GETPOST('id','int'));
|
||||
$action = GETPOST('action','alpha');
|
||||
$option = GETPOST('option');
|
||||
|
||||
$diroutputpdf=$conf->facture->dir_output . '/unpaid/temp';
|
||||
|
||||
// Security check
|
||||
if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result = restrictedArea($user,'facture',$id,'');
|
||||
|
||||
$diroutputpdf=$conf->facture->dir_output . '/unpaid/temp';
|
||||
if (! $user->rights->societe->client->voir || $socid) $diroutputpdf.='/private/'.$user->id; // If user has no permission to see all, output dir is specific to user
|
||||
|
||||
|
||||
/*
|
||||
* Action
|
||||
@ -221,7 +222,7 @@ if ($search_societe) $sql .= " AND s.nom LIKE '%".$db->escape($search_societ
|
||||
if ($search_montant_ht) $sql .= " AND f.total = '".$db->escape($search_montant_ht)."'";
|
||||
if ($search_montant_ttc) $sql .= " AND f.total_ttc = '".$db->escape($search_montant_ttc)."'";
|
||||
if (GETPOST('sf_ref')) $sql .= " AND f.facnumber LIKE '%".$db->escape(GETPOST('sf_ref'))."%'";
|
||||
$sql.= " GROUP BY s.nom, s.rowid, f.facnumber, f.increment, f.total, f.tva, f.total_ttc, f.datef, f.date_lim_reglement, f.paye, f.rowid, f.fk_statut, f.type ";
|
||||
$sql.= " GROUP BY s.nom, s.rowid, f.rowid, f.facnumber, f.increment, f.total, f.tva, f.total_ttc, f.localtax1, f.localtax2, f.revenuestamp, f.datef, f.date_lim_reglement, f.paye, f.fk_statut, f.type ";
|
||||
if (! $user->rights->societe->client->voir && ! $socid) $sql .= ", sc.fk_soc, sc.fk_user ";
|
||||
$sql.= " ORDER BY ";
|
||||
$listfield=explode(',',$sortfield);
|
||||
|
||||
@ -29,6 +29,7 @@ require_once DOL_DOCUMENT_ROOT.'/compta/paiement/class/paiement.class.php';
|
||||
require_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php';
|
||||
|
||||
$langs->load("bills");
|
||||
$langs->load("compta");
|
||||
|
||||
// Security check
|
||||
$facid =GETPOST('facid','int');
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
<?php
|
||||
/* Copyright (C) 2003-2006 Rodolphe Quiedeville <rodolphe@quiedeville.org>
|
||||
* Copyright (C) 2004-2011 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2004-2014 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
@ -32,16 +32,16 @@ if (! $user->rights->facture->lire) accessforbidden();
|
||||
|
||||
$action=GETPOST('action');
|
||||
|
||||
$dir = $conf->facture->dir_output.'/payments';
|
||||
|
||||
$socid=0;
|
||||
if ($user->societe_id > 0)
|
||||
{
|
||||
$action = '';
|
||||
$socid = $user->societe_id;
|
||||
$dir = $conf->facture->dir_output.'/payments/private/'.$user->id;
|
||||
}
|
||||
|
||||
$dir = $conf->facture->dir_output.'/payments';
|
||||
if (! $user->rights->societe->client->voir || $socid) $dir.='/private/'.$user->id; // If user has no permission to see all, output dir is specific to user
|
||||
|
||||
$year = $_GET["year"];
|
||||
if (! $year) { $year=date("Y"); }
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
<?php
|
||||
/* Copyright (C) 2003-2006 Rodolphe Quiedeville <rodolphe@quiedeville.org>
|
||||
* Copyright (C) 2006-2009 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2006-2014 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
@ -93,6 +93,9 @@ class pdf_paiement
|
||||
|
||||
global $user,$langs,$conf;
|
||||
|
||||
$socid=0;
|
||||
if ($user->societe_id) $socid=$user->societe_id;
|
||||
|
||||
if (! is_object($outputlangs)) $outputlangs=$langs;
|
||||
// For backward compatibility with FPDF, force output charset to ISO, because FPDF expect text to be encoded in ISO
|
||||
if (! empty($conf->global->MAIN_USE_FPDF)) $outputlangs->charset_output='ISO-8859-1';
|
||||
@ -136,11 +139,21 @@ class pdf_paiement
|
||||
$sql.= ", pf.amount as pf_amount ";
|
||||
$sql.= ", p.rowid as prowid";
|
||||
$sql.= " FROM ".MAIN_DB_PREFIX."paiement as p, ".MAIN_DB_PREFIX."facture as f,";
|
||||
$sql.= " ".MAIN_DB_PREFIX."c_paiement as c, ".MAIN_DB_PREFIX."paiement_facture as pf";
|
||||
$sql.= " WHERE pf.fk_facture = f.rowid AND pf.fk_paiement = p.rowid";
|
||||
$sql.= " ".MAIN_DB_PREFIX."c_paiement as c, ".MAIN_DB_PREFIX."paiement_facture as pf,";
|
||||
$sql.= " ".MAIN_DB_PREFIX."societe as s";
|
||||
if (! $user->rights->societe->client->voir && ! $socid)
|
||||
{
|
||||
$sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
|
||||
}
|
||||
$sql.= " WHERE f.fk_soc = s.rowid AND pf.fk_facture = f.rowid AND pf.fk_paiement = p.rowid";
|
||||
$sql.= " AND f.entity = ".$conf->entity;
|
||||
$sql.= " AND p.fk_paiement = c.id ";
|
||||
$sql.= " AND p.datep BETWEEN '".$this->db->idate(dol_get_first_day($year,$month))."' AND '".$this->db->idate(dol_get_last_day($year,$month))."'";
|
||||
if (! $user->rights->societe->client->voir && ! $socid)
|
||||
{
|
||||
$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
|
||||
}
|
||||
if (! empty($socid)) $sql .= " AND s.rowid = ".$socid;
|
||||
$sql.= " ORDER BY p.datep ASC, pf.fk_paiement ASC";
|
||||
|
||||
dol_syslog(get_class($this)."::write_file sql=".$sql);
|
||||
|
||||
@ -66,6 +66,14 @@ $entity=GETPOST('entity')?GETPOST('entity','int'):$conf->entity;
|
||||
// Security check
|
||||
if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart');
|
||||
|
||||
$socid=0;
|
||||
if ($user->societe_id > 0) $socid = $user->societe_id;
|
||||
|
||||
// For some module part, dir may be privates
|
||||
if (in_array($modulepart,array('facture_paiement','unpaid')))
|
||||
{
|
||||
if (! $user->rights->societe->client->voir || $socid) $original_file='private/'.$user->id.'/'.$original_file; // If user has no permission to see all, output dir is specific to user
|
||||
}
|
||||
|
||||
/*
|
||||
* Action
|
||||
|
||||
Loading…
Reference in New Issue
Block a user