From 86df1ddd0a3ce89470af4afca54b648c38904ee6 Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Sun, 11 Feb 2018 13:27:02 +0100
Subject: [PATCH] Fix: uniformize user rights check
---
 htdocs/product/card.php | 47 +++++++++++++++++++----------------------
 1 file changed, 22 insertions(+), 25 deletions(-)
diff --git a/htdocs/product/card.php b/htdocs/product/card.php
index 9ab1632439d..80366d7fde8 100644
--- a/htdocs/product/card.php
+++ b/htdocs/product/card.php
@@ -124,6 +124,9 @@ $hookmanager->initHooks(array('productcard','globalcard'));
 if ($cancel) $action = '';
+$usercanread = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->lire) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->lire));
+$usercancreate = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->creer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->creer));
+$usercandelete = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->supprimer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->supprimer));
 $createbarcode=empty($conf->barcode->enabled)?0:1;
 if (! empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty($user->rights->barcode->creer_advance)) $createbarcode=0;
@@ -134,7 +137,7 @@ if ($reshook < 0) setEventMessages($hookmanager->error, $hookmanager->errors, 'e
 if (empty($reshook))
 {
 // Type
- if ($action == 'setfk_product_type' && $user->rights->produit->creer)
+ if ($action == 'setfk_product_type' && $usercancreate)
 {
 $result = $object->setValueFrom('fk_product_type', GETPOST('fk_product_type'), '', null, 'text', '', $user, 'PRODUCT_MODIFY');
 header("Location: ".$_SERVER['PHP_SELF']."?id=".$object->id);
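Review bot: The three flags added at the top of the first hunk evaluate `$object->type` once, before any action handler runs, so on requests where no product has been fetched yet (action 'create' or 'add', where the type comes from the request) `$usercancreate` reflects whatever type a fresh `Product` carries, not the `produit->creer || service->creer` test that the later hunks at @@ -181, @@ -360 and @@ -887 replace; a user holding only the service right would presumably lose those actions, which is worth confirming against the default of `$object->type`. The loose `==` against `Product::TYPE_PRODUCT` matters here too: if the unfetched object carries null there, it compares equal to the product constant and the product rights are silently chosen. One way to keep the old behaviour for the unsaved case is `$usercancreate = ($object->id > 0) ? (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->creer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->creer)) : ($user->rights->produit->creer || $user->rights->service->creer);`, otherwise a comment above the three lines saying they are only meaningful once the object is loaded would stop the next reader from reusing them in the create path.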
@@ -143,7 +146,7 @@ if (empty($reshook))
 // Actions to build doc
 $upload_dir = $conf->produit->dir_output;
- $permissioncreate = $user->rights->produit->creer;
+ $permissioncreate = $usercancreate;
 include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php';
 include DOL_DOCUMENT_ROOT.'/core/actions_printing.inc.php';
@@ -181,7 +184,7 @@ if (empty($reshook))
 }
 // Add a product or service
- if ($action == 'add' && ($user->rights->produit->creer || $user->rights->service->creer))
+ if ($action == 'add' && $usercancreate)
 {
 $error=0;
@@ -360,7 +363,7 @@ if (empty($reshook))
 }
 // Update a product or service
- if ($action == 'update' && ($user->rights->produit->creer || $user->rights->service->creer))
+ if ($action == 'update' && $usercancreate)
 {
 if (GETPOST('cancel','alpha')) {
@@ -477,7 +480,7 @@ if (empty($reshook))
 // Action clone object
 if ($action == 'confirm_clone' && $confirm != 'yes') { $action=''; }
- if ($action == 'confirm_clone' && $confirm == 'yes' && ($user->rights->produit->creer || $user->rights->service->creer))
+ if ($action == 'confirm_clone' && $confirm == 'yes' && $usercancreate)
 {
 if (! GETPOST('clone_content') && ! GETPOST('clone_prices') ) {
@@ -565,12 +568,9 @@ if (empty($reshook))
 // Delete a product
 if ($action == 'confirm_delete' && $confirm != 'yes') { $action=''; }
- if ($action == 'confirm_delete' && $confirm == 'yes')
- {
- if (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->supprimer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->supprimer))
- {
- $result = $object->delete($user);
- }
+ if ($action == 'confirm_delete' && $confirm == 'yes' && $usercandelete)
+ {
+ $result = $object->delete($user);
 if ($result > 0) {
@@ -887,7 +887,7 @@ else
 // -----------------------------------------
 // When used in standard mode
 // -----------------------------------------
- if ($action == 'create' && ($user->rights->produit->creer || $user->rights->service->creer))
+ if ($action == 'create' && $usercancreate)
 {
 //WYSIWYG Editor
 require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php';
@@ -1240,7 +1240,7 @@ else
 else if ($object->id > 0)
 {
 // Fiche en mode edition
- if ($action == 'edit' && ((($object->type == Product::TYPE_PRODUCT && $user->rights->produit->creer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->creer))))
+ if ($action == 'edit' && $usercancreate)
 {
 //WYSIWYG Editor
 require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php';
@@ -1593,8 +1593,7 @@ else
 {
 // TODO change for compatibility with edit in place
 $typeformat='select;0:'.$langs->trans("Product").',1:'.$langs->trans("Service");
- $perm = ($object->type==Product::TYPE_PRODUCT && $user->rights->produit->creer) || ($object->type==Product::TYPE_SERVICE && $user->rights->service->creer);
- print ''.$form->editfieldkey("Type", 'fk_product_type', $object->type, $object, $perm, $typeformat).'';
+ print ''.$form->editfieldkey("Type", 'fk_product_type', $object->type, $object, $usercancreate, $typeformat).'';
 print $form->editfieldval("Type", 'fk_product_type', $object->type, $object, $perm, $typeformat);
 print '';
 }
@@ -1606,7 +1605,7 @@ else
 print '';
- if (($action != 'editbarcodetype') && ! empty($user->rights->produit->creer) && $createbarcode) print '';
+ if (($action != 'editbarcodetype') && $usercancreate && $createbarcode) print ''; print '
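Review bot: In the hunk at @@ -1593 the context line `print $form->editfieldval("Type", 'fk_product_type', $object->type, $object, $perm, $typeformat);` still passes `$perm`, but the only assignment to `$perm` in the hunk is removed, so unless it is set earlier in the file the value side of the inline editor now reads an undefined variable (a notice, and a null permission that most likely disables the edit it is meant to allow). Change that line to `print $form->editfieldval("Type", 'fk_product_type', $object->type, $object, $usercancreate, $typeformat);` so both halves use the same flag as the rewritten `editfieldkey` call. The enclosing block opens before this hunk.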
'; print $langs->trans("BarcodeType"); print 'id.'">'.img_edit($langs->trans('Edit'),1).'id.'">'.img_edit($langs->trans('Edit'),1).'
'; print ''; if ($action == 'editbarcodetype' || $action == 'editbarcode') @@ -1630,7 +1629,7 @@ else print ''; - if (($action != 'editbarcode') && ! empty($user->rights->produit->creer) && $createbarcode) print ''; + if (($action != 'editbarcode') && $usercancreate && $createbarcode) print ''; print '
'; print $langs->trans("BarcodeValue"); print 'id.'">'.img_edit($langs->trans('Edit'),1).'id.'">'.img_edit($langs->trans('Edit'),1).'
'; print ''; if ($action == 'editbarcode') @@ -1742,7 +1741,7 @@ else // Batch number management (to batch) if (! empty($conf->productbatch->enabled)) { print ''.$langs->trans("ManageLotSerial").''; - if (! empty($conf->use_javascript_ajax) && $user->rights->produit->creer && ! empty($conf->global->MAIN_DIRECT_STATUS_UPDATE)) { + if (! empty($conf->use_javascript_ajax) && $usercancreate && ! empty($conf->global->MAIN_DIRECT_STATUS_UPDATE)) { print ajax_object_onoff($object, 'status_batch', 'tobatch', 'ProductStatusOnBatch', 'ProductStatusNotOnBatch'); } else { print $object->getLibStatut(0,2); @@ -1975,9 +1974,8 @@ if ($action != 'create' && $action != 'edit') $parameters=array(); $reshook=$hookmanager->executeHooks('addMoreActionsButtons',$parameters,$object,$action); // Note that $action and $object may have been modified by hook if (empty($reshook)) - { - if (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->creer ) || - ($object->type == Product::TYPE_SERVICE && $user->rights->service->creer)) + { + if ($usercancreate) { if (! isset($object->no_button_edit) || $object->no_button_edit <> 1) print '
id.'">'.$langs->trans("Modify").'
';
@@ -1995,8 +1993,7 @@ if ($action != 'create' && $action != 'edit')
 }
 $object_is_used = $object->isObjectUsed($object->id);
- if (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->supprimer)
- || ($object->type == Product::TYPE_SERVICE && $user->rights->service->supprimer))
+ if ($usercandelete)
 {
 if (empty($object_is_used) && (! isset($object->no_button_delete) || $object->no_button_delete <> 1)) {
@@ -2152,8 +2149,8 @@ if ($action != 'create' && $action != 'edit' && $action != 'delete')
 $relativepath = $comref . '/' . $objectref . '.pdf';
 $filedir = $conf->produit->dir_output . '/' . $objectref;
 $urlsource=$_SERVER["PHP_SELF"]."?id=".$object->id;
- $genallowed=$user->rights->produit->lire;
- $delallowed=$user->rights->produit->creer;
+ $genallowed=$usercanread;
+ $delallowed=$usercandelete;
 $var=true;
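Review bot: `$delallowed=$usercandelete;` at the end of the @@ -2152 hunk moves the document-list delete button from the create right to the delete right, while the hunk at @@ -143 still sets `$permissioncreate = $usercancreate;` for the document actions; if removing a generated file is gated by `$permissioncreate` (the old code mapped both to `produit->creer`, which suggests it is), the button is now shown to users who hold the delete right but not the create right and hidden from those with the opposite set, so the visible control and the server-side guard disagree. Either keep the two aligned with `$delallowed=$usercancreate;`, or add a comment on that line stating that document removal is deliberately tied to the product delete right. The `$genallowed=$usercanread;` change is consistent with the rest of the commit and extends the read check to services. The enclosing block starts before this hunk and `$var=true;` may not be its last line.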