lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix: uniformize user rights check

Browse Source
This commit is contained in:
Regis Houssin 2018-02-11 13:27:02 +01:00
parent 01b3b8e09e
commit 86df1ddd0a
1 changed files with 22 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
htdocs/product/card.php
View File

@ -124,6 +124,9 @@ $hookmanager->initHooks(array('productcard','globalcard'));
if ($cancel) $action = '';
$usercanread = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->lire) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->lire));
$usercancreate = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->creer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->creer));
$usercandelete = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->supprimer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->supprimer));
$createbarcode=empty($conf->barcode->enabled)?0:1;
if (! empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty($user->rights->barcode->creer_advance)) $createbarcode=0;
@ -134,7 +137,7 @@ if ($reshook < 0) setEventMessages($hookmanager->error, $hookmanager->errors, 'e
if (empty($reshook))
{
// Type
if ($action == 'setfk_product_type' && $user->rights->produit->creer)
if ($action == 'setfk_product_type' && $usercancreate)
{
$result = $object->setValueFrom('fk_product_type', GETPOST('fk_product_type'), '', null, 'text', '', $user, 'PRODUCT_MODIFY');
header("Location: ".$_SERVER['PHP_SELF']."?id=".$object->id);
@ -143,7 +146,7 @@ if (empty($reshook))
// Actions to build doc
$upload_dir = $conf->produit->dir_output;
$permissioncreate = $user->rights->produit->creer;
$permissioncreate = $usercancreate;
include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php';
include DOL_DOCUMENT_ROOT.'/core/actions_printing.inc.php';
@ -181,7 +184,7 @@ if (empty($reshook))
}
// Add a product or service
if ($action == 'add' && ($user->rights->produit->creer || $user->rights->service->creer))
if ($action == 'add' && $usercancreate)
{
$error=0;
@ -360,7 +363,7 @@ if (empty($reshook))
}
// Update a product or service
if ($action == 'update' && ($user->rights->produit->creer || $user->rights->service->creer))
if ($action == 'update' && $usercancreate)
{
if (GETPOST('cancel','alpha'))
{
@ -477,7 +480,7 @@ if (empty($reshook))
// Action clone object
if ($action == 'confirm_clone' && $confirm != 'yes') { $action=''; }
if ($action == 'confirm_clone' && $confirm == 'yes' && ($user->rights->produit->creer || $user->rights->service->creer))
if ($action == 'confirm_clone' && $confirm == 'yes' && $usercancreate)
{
if (! GETPOST('clone_content') && ! GETPOST('clone_prices') )
{
@ -565,12 +568,9 @@ if (empty($reshook))
// Delete a product
if ($action == 'confirm_delete' && $confirm != 'yes') { $action=''; }
if ($action == 'confirm_delete' && $confirm == 'yes')
{
if (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->supprimer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->supprimer))
{
$result = $object->delete($user);
}
if ($action == 'confirm_delete' && $confirm == 'yes' && $usercandelete)
{
$result = $object->delete($user);
if ($result > 0)
{
@ -887,7 +887,7 @@ else
// -----------------------------------------
// When used in standard mode
// -----------------------------------------
if ($action == 'create' && ($user->rights->produit->creer || $user->rights->service->creer))
if ($action == 'create' && $usercancreate)
{
//WYSIWYG Editor
require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php';
@ -1240,7 +1240,7 @@ else
else if ($object->id > 0)
{
// Fiche en mode edition
if ($action == 'edit' && ((($object->type == Product::TYPE_PRODUCT && $user->rights->produit->creer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->creer))))
if ($action == 'edit' && $usercancreate)
{
//WYSIWYG Editor
require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php';
@ -1593,8 +1593,7 @@ else
{
// TODO change for compatibility with edit in place
$typeformat='select;0:'.$langs->trans("Product").',1:'.$langs->trans("Service");
$perm = ($object->type==Product::TYPE_PRODUCT && $user->rights->produit->creer) || ($object->type==Product::TYPE_SERVICE && $user->rights->service->creer);
print '<tr><td class="titlefield">'.$form->editfieldkey("Type", 'fk_product_type', $object->type, $object, $perm, $typeformat).'</td><td colspan="2">';
print '<tr><td class="titlefield">'.$form->editfieldkey("Type", 'fk_product_type', $object->type, $object, $usercancreate, $typeformat).'</td><td colspan="2">';
print $form->editfieldval("Type", 'fk_product_type', $object->type, $object, $perm, $typeformat);
print '</td></tr>';
}
@ -1606,7 +1605,7 @@ else
print '<table width="100%" class="nobordernopadding"><tr><td class="nowrap">';
print $langs->trans("BarcodeType");
print '</td>';
if (($action != 'editbarcodetype') && ! empty($user->rights->produit->creer) && $createbarcode) print '<td align="right"><a href="'.$_SERVER["PHP_SELF"].'?action=editbarcodetype&amp;id='.$object->id.'">'.img_edit($langs->trans('Edit'),1).'</a></td>';
if (($action != 'editbarcodetype') && $usercancreate && $createbarcode) print '<td align="right"><a href="'.$_SERVER["PHP_SELF"].'?action=editbarcodetype&amp;id='.$object->id.'">'.img_edit($langs->trans('Edit'),1).'</a></td>';
print '</tr></table>';
print '</td><td colspan="2">';
if ($action == 'editbarcodetype' || $action == 'editbarcode')
@ -1630,7 +1629,7 @@ else
print '<table width="100%" class="nobordernopadding"><tr><td class="nowrap">';
print $langs->trans("BarcodeValue");
print '</td>';
if (($action != 'editbarcode') && ! empty($user->rights->produit->creer) && $createbarcode) print '<td align="right"><a href="'.$_SERVER["PHP_SELF"].'?action=editbarcode&amp;id='.$object->id.'">'.img_edit($langs->trans('Edit'),1).'</a></td>';
if (($action != 'editbarcode') && $usercancreate && $createbarcode) print '<td align="right"><a href="'.$_SERVER["PHP_SELF"].'?action=editbarcode&amp;id='.$object->id.'">'.img_edit($langs->trans('Edit'),1).'</a></td>';
print '</tr></table>';
print '</td><td colspan="2">';
if ($action == 'editbarcode')
@ -1742,7 +1741,7 @@ else
// Batch number management (to batch)
if (! empty($conf->productbatch->enabled)) {
print '<tr><td>'.$langs->trans("ManageLotSerial").'</td><td colspan="2">';
if (! empty($conf->use_javascript_ajax) && $user->rights->produit->creer && ! empty($conf->global->MAIN_DIRECT_STATUS_UPDATE)) {
if (! empty($conf->use_javascript_ajax) && $usercancreate && ! empty($conf->global->MAIN_DIRECT_STATUS_UPDATE)) {
print ajax_object_onoff($object, 'status_batch', 'tobatch', 'ProductStatusOnBatch', 'ProductStatusNotOnBatch');
} else {
print $object->getLibStatut(0,2);
@ -1975,9 +1974,8 @@ if ($action != 'create' && $action != 'edit')
$parameters=array();
$reshook=$hookmanager->executeHooks('addMoreActionsButtons',$parameters,$object,$action); // Note that $action and $object may have been modified by hook
if (empty($reshook))
{
if (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->creer ) ||
($object->type == Product::TYPE_SERVICE && $user->rights->service->creer))
{
if ($usercancreate)
{
if (! isset($object->no_button_edit) || $object->no_button_edit <> 1) print '<div class="inline-block divButAction"><a class="butAction" href="'.$_SERVER["PHP_SELF"].'?action=edit&amp;id='.$object->id.'">'.$langs->trans("Modify").'</a></div>';
@ -1995,8 +1993,7 @@ if ($action != 'create' && $action != 'edit')
}
$object_is_used = $object->isObjectUsed($object->id);
if (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->supprimer)
|| ($object->type == Product::TYPE_SERVICE && $user->rights->service->supprimer))
if ($usercandelete)
{
if (empty($object_is_used) && (! isset($object->no_button_delete) || $object->no_button_delete <> 1))
{
@ -2152,8 +2149,8 @@ if ($action != 'create' && $action != 'edit' && $action != 'delete')
$relativepath = $comref . '/' . $objectref . '.pdf';
$filedir = $conf->produit->dir_output . '/' . $objectref;
$urlsource=$_SERVER["PHP_SELF"]."?id=".$object->id;
$genallowed=$user->rights->produit->lire;
$delallowed=$user->rights->produit->creer;
$genallowed=$usercanread;
$delallowed=$usercandelete;
$var=true;