FIX: task time screen: prevent users with access to all project from assigning to tasks they're not allowed to do

2018-10-30 12:28:04 +01:00 · 2018-10-30 12:28:04 +01:00 · 8911d72be8
commit 8911d72be8
parent 7c81124e66
3 changed files with 24 additions and 17 deletions
--- a/htdocs/core/class/html.formprojet.class.php
+++ b/htdocs/core/class/html.formprojet.class.php
@ -295,22 +295,29 @@ class FormProjets
 	/**
 	 *	Output a combo list with projects qualified for a third party
 	 *
-	 *	@param	int		$socid      	Id third party (-1=all, 0=only projects not linked to a third party, id=projects not linked or linked to third party id)
-	 *	@param  int		$selected   	Id task preselected
-	 *	@param  string	$htmlname   	Name of HTML select
-	 *	@param	int		$maxlength		Maximum length of label
-	 *	@param	int		$option_only	Return only html options lines without the select tag
-	 *	@param	string	$show_empty		Add an empty line ('1' or string to show for empty line)
-	 *  @param	int		$discard_closed Discard closed projects (0=Keep,1=hide completely,2=Disable)
-     *  @param	int		$forcefocus		Force focus on field (works with javascript only)
-     *  @param	int		$disabled		Disabled
-	 *  @param	string	$morecss        More css added to the select component
-	 *	@return int         			Nbr of project if OK, <0 if KO
+	 *  @param	int		$socid				Id third party (-1=all, 0=only projects not linked to a third party, id=projects not linked or linked to third party id)
+	 *  @param	int		$selected			Id task preselected
+	 *  @param	string	$htmlname			Name of HTML select
+	 *  @param	int		$maxlength			Maximum length of label
+	 *  @param	int		$option_only		Return only html options lines without the select tag
+	 *  @param	string	$show_empty			Add an empty line ('1' or string to show for empty line)
+	 *  @param	int		$discard_closed		Discard closed projects (0=Keep,1=hide completely,2=Disable)
+	 *  @param	int		$forcefocus			Force focus on field (works with javascript only)
+	 *  @param	int		$disabled			Disabled
+	 *  @param	string	$morecss			More css added to the select component
+	 *  @param	User	$usertofilter		User object to use for filtering
+	 *  @param	int		$forceuserfilter	1=Force individual task user rights even if user has right to see all
+	 *  @return	int							Nbr of project if OK, <0 if KO
 	 */
-	function selectTasks($socid=-1, $selected='', $htmlname='taskid', $maxlength=24, $option_only=0, $show_empty='1', $discard_closed=0, $forcefocus=0, $disabled=0, $morecss='maxwidth500')
+	function selectTasks($socid=-1, $selected='', $htmlname='taskid', $maxlength=24, $option_only=0, $show_empty='1', $discard_closed=0, $forcefocus=0, $disabled=0, $morecss='maxwidth500', $usertofilter=null, $forceuserfilter=0)
 	{
 		global $user,$conf,$langs;

+		if(is_null($usertofilter))
+		{
+			$usertofilter = $user;
+		}
+
 		require_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';

 		$out='';
@ -319,10 +326,10 @@ class FormProjets
 		if (! empty($conf->global->PROJECT_HIDE_UNSELECTABLES)) $hideunselectables = true;

 		$projectsListId = false;
-		if (empty($user->rights->projet->all->lire))
+		if (empty($usertofilter->rights->projet->all->lire) || $forceuserfilter)
 		{
 			$projectstatic=new Project($this->db);
-			$projectsListId = $projectstatic->getProjectsAuthorizedForUser($user,0,1);
+			$projectsListId = $projectstatic->getProjectsAuthorizedForUser($usertofilter,0,1);
 		}

 		// Search all projects
@ -367,7 +374,7 @@ class FormProjets
 				{
 					$obj = $this->db->fetch_object($resql);
 					// If we ask to filter on a company and user has no permission to see all companies and project is linked to another company, we hide project.
-					if ($socid > 0 && (empty($obj->fk_soc) || $obj->fk_soc == $socid) && empty($user->rights->societe->lire))
+					if ($socid > 0 && (empty($obj->fk_soc) || $obj->fk_soc == $socid) && empty($usertofilter->rights->societe->lire))
 					{
 						// Do nothing
 					}
--- a/htdocs/projet/activity/perday.php
+++ b/htdocs/projet/activity/perday.php
@ -399,7 +399,7 @@ print '<div class="float valignmiddle">';
 $titleassigntask = $langs->trans("AssignTaskToMe");
 if ($usertoprocess->id != $user->id) $titleassigntask = $langs->trans("AssignTaskToUser", $usertoprocess->getFullName($langs));
 print '<div class="taskiddiv inline-block">';
-$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1);
+$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1, 0, 0, '', $usertoprocess, 1);
 print '</div>';
 print ' ';
 print $formcompany->selectTypeContact($object, '', 'type','internal','rowid', 0, 'maxwidth200');
--- a/htdocs/projet/activity/perweek.php
+++ b/htdocs/projet/activity/perweek.php
@ -402,7 +402,7 @@ print '<div class="float valignmiddle">';
 $titleassigntask = $langs->trans("AssignTaskToMe");
 if ($usertoprocess->id != $user->id) $titleassigntask = $langs->trans("AssignTaskToUser", $usertoprocess->getFullName($langs));
 print '<div class="taskiddiv inline-block">';
-$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1);
+$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1, 0, 0, '', $usertoprocess, 1);
 print '</div>';
 print ' ';
 print $formcompany->selectTypeContact($object, '', 'type','internal','rowid', 0, 'maxwidth200');