Fix: [ bug #618 ] External accounts can access confidential informations
(a lot)
This commit is contained in:
Laurent Destailleur
parent
380d036d5c
commit
96416735df
@ -46,7 +46,7 @@ $rowid=GETPOST('rowid','int');
|
||||
$typeid=GETPOST('typeid','int');
|
||||
|
||||
// Security check
|
||||
$result=restrictedArea($user,'adherent',$rowid);
|
||||
$result=restrictedArea($user,'adherent',$rowid,'','cotisation');
|
||||
|
||||
$object = new Adherent($db);
|
||||
$extrafields = new ExtraFields($db);
|
||||
|
||||
@ -46,8 +46,8 @@ if (! $sortfield) { $sortfield="c.dateadh"; }
|
||||
$msg='';
|
||||
$date_select=isset($_GET["date_select"])?$_GET["date_select"]:$_POST["date_select"];
|
||||
|
||||
if (! $user->rights->adherent->cotisation->lire)
|
||||
accessforbidden();
|
||||
// Security check
|
||||
$result=restrictedArea($user,'adherent','','','cotisation');
|
||||
|
||||
|
||||
/*
|
||||
|
||||
@ -28,10 +28,12 @@ require '../main.inc.php';
|
||||
require_once DOL_DOCUMENT_ROOT.'/adherents/class/adherent.class.php';
|
||||
require_once DOL_DOCUMENT_ROOT.'/adherents/class/adherent_type.class.php';
|
||||
|
||||
|
||||
$langs->load("companies");
|
||||
$langs->load("members");
|
||||
|
||||
// Security check
|
||||
$result=restrictedArea($user,'adherent');
|
||||
|
||||
|
||||
/*
|
||||
* View
|
||||
|
||||
@ -31,6 +31,9 @@ require_once DOL_DOCUMENT_ROOT.'/adherents/class/adherent_type.class.php';
|
||||
$langs->load("members");
|
||||
$langs->load("companies");
|
||||
|
||||
// Security check
|
||||
$result=restrictedArea($user,'adherent');
|
||||
|
||||
$action=GETPOST("action");
|
||||
$filter=GETPOST("filter");
|
||||
$statut=GETPOST("statut");
|
||||
@ -70,7 +73,6 @@ if (GETPOST("button_removefilter"))
|
||||
}
|
||||
|
||||
|
||||
|
||||
/*
|
||||
* View
|
||||
*/
|
||||
|
||||
@ -35,11 +35,10 @@ $mode=GETPOST('mode')?GETPOST('mode'):'';
|
||||
// Security check
|
||||
if ($user->societe_id > 0)
|
||||
{
|
||||
$action = '';
|
||||
$socid = $user->societe_id;
|
||||
$action = '';
|
||||
$socid = $user->societe_id;
|
||||
}
|
||||
if (! $user->rights->adherent->cotisation->lire)
|
||||
accessforbidden();
|
||||
$result=restrictedArea($user,'adherent','','','cotisation');
|
||||
|
||||
$year = strftime("%Y", time());
|
||||
$startyear=$year-2;
|
||||
|
||||
@ -37,8 +37,7 @@ if ($user->societe_id > 0)
|
||||
$action = '';
|
||||
$socid = $user->societe_id;
|
||||
}
|
||||
if (! $user->rights->adherent->cotisation->lire)
|
||||
accessforbidden();
|
||||
$result=restrictedArea($user,'adherent','','','cotisation');
|
||||
|
||||
$year = strftime("%Y", time());
|
||||
$startyear=$year-2;
|
||||
|
||||
@ -33,12 +33,14 @@ $HEIGHT=200;
|
||||
|
||||
$userid=GETPOST('userid','int'); if ($userid < 0) $userid=0;
|
||||
$socid=GETPOST('socid','int'); if ($socid < 0) $socid=0;
|
||||
|
||||
// Security check
|
||||
if ($user->societe_id > 0)
|
||||
{
|
||||
$action = '';
|
||||
$socid = $user->societe_id;
|
||||
}
|
||||
$result=restrictedArea($user,'adherent','','','cotisation');
|
||||
|
||||
$year = strftime("%Y", time());
|
||||
$startyear=$year-2;
|
||||
|
||||
@ -206,9 +206,8 @@ if ($mode==='expdev') print $langs->trans("ModuleFamilyExperimental")."<br>
|
||||
$nbofactivatedmodules=count($conf->modules);
|
||||
print $langs->trans("TotalNumberOfActivatedModules",($nbofactivatedmodules-1));
|
||||
if ($nbofactivatedmodules <= 1) print ' '.img_warning($langs->trans("YouMustEnableOneModule"));
|
||||
print '<br>'."\n";
|
||||
print '<br>'."\n";
|
||||
|
||||
print "<br>\n";
|
||||
|
||||
$h = 0;
|
||||
|
||||
@ -266,6 +265,11 @@ $head[$h][2] = 'marketplace';
|
||||
$h++;
|
||||
|
||||
|
||||
// Show warning about external users
|
||||
print showModulesExludedForExternal($modules).'<br>'."\n";
|
||||
print "<br>\n";
|
||||
|
||||
|
||||
dol_fiche_head($head, $mode, $langs->trans("Modules"));
|
||||
|
||||
$var=true;
|
||||
@ -495,9 +499,6 @@ else
|
||||
|
||||
dol_fiche_end();
|
||||
|
||||
// Pour eviter bug mise en page IE
|
||||
print '<div class="tabsAction">';
|
||||
print '</div>';
|
||||
|
||||
llxFooter();
|
||||
|
||||
|
||||
@ -68,8 +68,12 @@ print_fiche_titre($langs->trans("SecuritySetup"),'','setup');
|
||||
|
||||
print $langs->trans("DefaultRightsDesc");
|
||||
print " ".$langs->trans("OnlyActiveElementsAreShown")."<br>\n";
|
||||
|
||||
// Show warning about external users
|
||||
print showModulesExludedForExternal($modules).'<br>'."\n";
|
||||
print "<br>\n";
|
||||
|
||||
|
||||
$head=security_prepare_head();
|
||||
|
||||
dol_fiche_head($head, 'default', $langs->trans("Security"));
|
||||
|
||||
@ -30,7 +30,9 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
|
||||
$langs->load("commercial");
|
||||
$langs->load("orders");
|
||||
|
||||
if (! $user->rights->mailing->lire || $user->societe_id > 0) accessforbidden();
|
||||
|
||||
// Security check
|
||||
$result=restrictedArea($user,'mailing');
|
||||
|
||||
|
||||
/*
|
||||
|
||||
@ -27,14 +27,8 @@ require_once DOL_DOCUMENT_ROOT.'/comm/mailing/class/mailing.class.php';
|
||||
|
||||
$langs->load("mails");
|
||||
|
||||
if (!$user->rights->mailing->lire) accessforbidden();
|
||||
|
||||
// Securite acces client
|
||||
if ($user->societe_id > 0)
|
||||
{
|
||||
$action = '';
|
||||
$socid = $user->societe_id;
|
||||
}
|
||||
// Security check
|
||||
$result=restrictedArea($user,'mailing');
|
||||
|
||||
$sortfield = GETPOST("sortfield",'alpha');
|
||||
$sortorder = GETPOST("sortorder",'alpha');
|
||||
|
||||
@ -34,12 +34,16 @@ $HEIGHT=200;
|
||||
|
||||
$userid=GETPOST('userid','int'); if ($userid < 0) $userid=0;
|
||||
$socid=GETPOST('socid','int'); if ($socid < 0) $socid=0;
|
||||
// Securite acces client
|
||||
$id = GETPOST('id','int');
|
||||
|
||||
// Security check
|
||||
if ($user->societe_id > 0)
|
||||
{
|
||||
$action = '';
|
||||
$socid = $user->societe_id;
|
||||
}
|
||||
if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result = restrictedArea($user, 'deplacement', $id,'');
|
||||
|
||||
$nowyear=strftime("%Y", dol_now());
|
||||
$year = GETPOST('year')>0?GETPOST('year'):$nowyear;
|
||||
|
||||
@ -1,68 +0,0 @@
|
||||
<?php
|
||||
/* Copyright (C) 2007-2010 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2007-2010 Jean Heimburger <jean@tiaris.info>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 2 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
require '../../main.inc.php';
|
||||
|
||||
|
||||
$langs->load("companies");
|
||||
$langs->load("other");
|
||||
$langs->load("compta");
|
||||
|
||||
// Protection if external user
|
||||
if ($user->societe_id > 0)
|
||||
{
|
||||
accessforbidden();
|
||||
}
|
||||
|
||||
|
||||
/*******************************************************************
|
||||
* ACTIONS
|
||||
*
|
||||
* Put here all code to do according to value of "action" parameter
|
||||
********************************************************************/
|
||||
|
||||
|
||||
/***************************************************
|
||||
* PAGE
|
||||
*
|
||||
* Put here all code to build page
|
||||
****************************************************/
|
||||
|
||||
llxHeader('','MyPageName','');
|
||||
|
||||
$form=new Form($db);
|
||||
|
||||
|
||||
// Put here content of your page
|
||||
// ...
|
||||
|
||||
/***************************************************
|
||||
* LINKED OBJECT BLOCK
|
||||
*
|
||||
* Put here code to view linked object
|
||||
****************************************************/
|
||||
/*
|
||||
|
||||
$somethingshown=$myobject->showLinkedObjectBlock();
|
||||
|
||||
*/
|
||||
|
||||
// End of page
|
||||
$db->close();
|
||||
llxFooter();
|
||||
?>
|
||||
@ -41,11 +41,10 @@ $date_endmonth=GETPOST('date_endmonth');
|
||||
$date_endday=GETPOST('date_endday');
|
||||
$date_endyear=GETPOST('date_endyear');
|
||||
|
||||
// Protection if external user
|
||||
if ($user->societe_id > 0)
|
||||
accessforbidden();
|
||||
|
||||
$result = restrictedArea($user, 'societe&facture');
|
||||
// Security check
|
||||
if ($user->societe_id > 0) $socid = $user->societe_id;
|
||||
if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat');
|
||||
if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport');
|
||||
|
||||
|
||||
/*
|
||||
|
||||
@ -42,11 +42,10 @@ $date_endmonth=GETPOST('date_endmonth');
|
||||
$date_endday=GETPOST('date_endday');
|
||||
$date_endyear=GETPOST('date_endyear');
|
||||
|
||||
// Protection if external user
|
||||
if ($user->societe_id > 0)
|
||||
accessforbidden();
|
||||
|
||||
$result = restrictedArea($user, 'societe&facture');
|
||||
// Security check
|
||||
if ($user->societe_id > 0) $socid = $user->societe_id;
|
||||
if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat');
|
||||
if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport');
|
||||
|
||||
/*
|
||||
* Actions
|
||||
|
||||
@ -25,7 +25,11 @@ require '../../main.inc.php';
|
||||
require_once DOL_DOCUMENT_ROOT.'/compta/tva/class/tva.class.php';
|
||||
require_once DOL_DOCUMENT_ROOT.'/compta/sociales/class/chargesociales.class.php';
|
||||
|
||||
if (!$user->rights->compta->resultat->lire) accessforbidden();
|
||||
// Security check
|
||||
$socid = GETPOST('socid','int');
|
||||
if ($user->societe_id > 0) $socid = $user->societe_id;
|
||||
if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat');
|
||||
if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport');
|
||||
|
||||
|
||||
/*
|
||||
|
||||
@ -42,8 +42,8 @@ $date_endyear=GETPOST('date_endyear');
|
||||
// Security check
|
||||
$socid = GETPOST('socid','int');
|
||||
if ($user->societe_id > 0) $socid = $user->societe_id;
|
||||
if (! $user->rights->compta->resultat->lire && ! $user->rights->accounting->comptarapport->lire)
|
||||
accessforbidden();
|
||||
if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat');
|
||||
if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport');
|
||||
|
||||
// Date range
|
||||
$year=GETPOST("year");
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
<?php
|
||||
/* Copyright (C) 2004-2008 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
/* Copyright (C) 2004-2012 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
@ -15,17 +15,22 @@
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
|
||||
require '../../main.inc.php';
|
||||
require_once DOL_DOCUMENT_ROOT.'/compta/tva/class/tva.class.php';
|
||||
require_once DOL_DOCUMENT_ROOT.'/compta/sociales/class/chargesociales.class.php';
|
||||
|
||||
|
||||
if (!$user->rights->compta->resultat->lire) accessforbidden();
|
||||
// Security check
|
||||
$socid = GETPOST('socid','int');
|
||||
if ($user->societe_id > 0) $socid = $user->societe_id;
|
||||
if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat');
|
||||
if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport');
|
||||
|
||||
|
||||
|
||||
/*
|
||||
* Views
|
||||
*/
|
||||
* Views
|
||||
*/
|
||||
llxHeader();
|
||||
|
||||
$year=$_GET["year"];
|
||||
|
||||
@ -40,8 +40,9 @@ else {
|
||||
// Security check
|
||||
$socid = GETPOST('socid','int');
|
||||
if ($user->societe_id > 0) $socid = $user->societe_id;
|
||||
if (! $user->rights->compta->resultat->lire && ! $user->rights->accounting->comptarapport->lire)
|
||||
accessforbidden();
|
||||
if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat');
|
||||
if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport');
|
||||
|
||||
|
||||
// Define modecompta ('CREANCES-DETTES' or 'RECETTES-DEPENSES')
|
||||
$modecompta=(GETPOST("modecompta")?GETPOST("modecompta"):$conf->global->COMPTA_MODE);
|
||||
|
||||
@ -27,11 +27,12 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/report.lib.php';
|
||||
require_once DOL_DOCUMENT_ROOT.'/core/lib/tax.lib.php';
|
||||
require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php';
|
||||
|
||||
$socid = GETPOST('socid','int');
|
||||
|
||||
// Security check
|
||||
$socid = isset($_REQUEST["socid"])?$_REQUEST["socid"]:'';
|
||||
if ($user->societe_id > 0) $socid = $user->societe_id;
|
||||
if (!$user->rights->compta->resultat->lire && !$user->rights->accounting->comptarapport->lire)
|
||||
accessforbidden();
|
||||
if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat');
|
||||
if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport');
|
||||
|
||||
// Define modecompta ('CREANCES-DETTES' or 'RECETTES-DEPENSES')
|
||||
$modecompta = $conf->global->COMPTA_MODE;
|
||||
|
||||
@ -39,10 +39,12 @@ $sortfield=isset($_GET["sortfield"])?$_GET["sortfield"]:$_POST["sortfield"];
|
||||
if (! $sortorder) $sortorder="asc";
|
||||
if (! $sortfield) $sortfield="nom";
|
||||
|
||||
$socid = GETPOST('socid','int');
|
||||
|
||||
// Security check
|
||||
$socid = isset($_REQUEST["socid"])?$_REQUEST["socid"]:'';
|
||||
if ($user->societe_id > 0) $socid = $user->societe_id;
|
||||
if (!$user->rights->compta->resultat->lire && !$user->rights->accounting->comptarapport->lire) accessforbidden();
|
||||
if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat');
|
||||
if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport');
|
||||
|
||||
// Date range
|
||||
$year=GETPOST("year");
|
||||
|
||||
@ -25,27 +25,28 @@
|
||||
require '../../main.inc.php';
|
||||
require_once DOL_DOCUMENT_ROOT.'/core/lib/report.lib.php';
|
||||
|
||||
|
||||
$year_start=GETPOST("year_start");
|
||||
$year_current = strftime("%Y",time());
|
||||
$nbofyear=4;
|
||||
if (! $year_start) {
|
||||
$year_start = $year_current - ($nbofyear-1);
|
||||
$year_end = $year_current;
|
||||
$year_start = $year_current - ($nbofyear-1);
|
||||
$year_end = $year_current;
|
||||
}
|
||||
else {
|
||||
$year_end=$year_start + ($nbofyear-1);
|
||||
$year_end=$year_start + ($nbofyear-1);
|
||||
}
|
||||
|
||||
$userid=GETPOST('userid','int');
|
||||
$socid=GETPOST('socid','int');
|
||||
$socid = GETPOST('socid','int');
|
||||
// Define modecompta ('CREANCES-DETTES' or 'RECETTES-DEPENSES')
|
||||
$modecompta = $conf->global->COMPTA_MODE;
|
||||
if ($_GET["modecompta"]) $modecompta=$_GET["modecompta"];
|
||||
|
||||
// Security check
|
||||
if ($user->societe_id > 0) $socid = $user->societe_id;
|
||||
if (!$user->rights->compta->resultat->lire && !$user->rights->accounting->comptarapport->lire) accessforbidden();
|
||||
if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat');
|
||||
if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport');
|
||||
|
||||
|
||||
// Define modecompta ('CREANCES-DETTES' or 'RECETTES-DEPENSES')
|
||||
$modecompta = $conf->global->COMPTA_MODE;
|
||||
if ($_GET["modecompta"]) $modecompta=$_GET["modecompta"];
|
||||
|
||||
|
||||
/*
|
||||
|
||||
@ -233,7 +233,7 @@ if (! empty($conf->contrat->enabled) && $user->rights->contrat->lire)
|
||||
$sql.= " AND c.entity IN (".getEntity('contract').")";
|
||||
$sql.= " AND c.statut = 0";
|
||||
if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
|
||||
if ($socid) $sql.= " AND s.fk_soc = ".$socid;
|
||||
if ($socid) $sql.= " AND c.fk_soc = ".$socid;
|
||||
|
||||
$resql = $db->query($sql);
|
||||
|
||||
|
||||
@ -386,7 +386,7 @@ class Conf
|
||||
$this->mailing->email_from=$this->email_from;
|
||||
if (! empty($this->global->MAILING_EMAIL_FROM)) $this->mailing->email_from=$this->global->MAILING_EMAIL_FROM;
|
||||
|
||||
// Format for date (used by default when not found or searched in lang)
|
||||
// Format for date (used by default when not found or not searched in lang)
|
||||
$this->format_date_short="%d/%m/%Y"; // Format of day with PHP/C tags (strftime functions)
|
||||
$this->format_date_short_java="dd/MM/yyyy"; // Format of day with Java tags
|
||||
$this->format_hour_short="%H:%M";
|
||||
@ -406,7 +406,10 @@ class Conf
|
||||
if (! isset($this->global->MAIN_MAX_DECIMALS_SHOWN)) $this->global->MAIN_MAX_DECIMALS_SHOWN=8;
|
||||
|
||||
// Default max file size for upload
|
||||
$this->maxfilesize = (! empty($this->global->MAIN_UPLOAD_DOC) ? $this->global->MAIN_UPLOAD_DOC * 1024 : 0);
|
||||
$this->maxfilesize = (empty($this->global->MAIN_UPLOAD_DOC) ? 0 : $this->global->MAIN_UPLOAD_DOC * 1024);
|
||||
|
||||
// Define list of limited modules
|
||||
if (! isset($this->global->MAIN_MODULES_FOR_EXTERNAL)) $this->global->MAIN_MODULES_FOR_EXTERNAL='facture,commande,contact,propal,projet,contrat,societe,ficheinter,expedition,agenda'; // '' means 'all'. Note that contact is added here as it should be a module later.
|
||||
|
||||
// Timeouts
|
||||
if (empty($this->global->MAIN_USE_CONNECT_TIMEOUT)) $this->global->MAIN_USE_CONNECT_TIMEOUT=10;
|
||||
|
||||
@ -1133,6 +1133,38 @@ function form_constantes($tableau)
|
||||
print '</table>';
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Show array with constants to edit
|
||||
*
|
||||
* @param array $modules Array of all modules
|
||||
* @return string HTML string with warning
|
||||
*/
|
||||
function showModulesExludedForExternal($modules)
|
||||
{
|
||||
global $conf,$langs;
|
||||
|
||||
$text=$langs->trans("OnlyFollowingModulesAreOpenedToExternalUsers");
|
||||
$listofmodules=explode(',',$conf->global->MAIN_MODULES_FOR_EXTERNAL);
|
||||
$i=0;
|
||||
foreach($modules as $module)
|
||||
{
|
||||
$moduleconst=$module->const_name;
|
||||
$modulename=strtolower($module->name);
|
||||
//print 'modulename='.$modulename;
|
||||
|
||||
//if (empty($conf->global->$moduleconst)) continue;
|
||||
if (! in_array($modulename,$listofmodules)) continue;
|
||||
|
||||
if ($i > 0) $text.=', ';
|
||||
else $text.=' ';
|
||||
$i++;
|
||||
$text.=$langs->trans($module->name);
|
||||
}
|
||||
return img_picto($langs->trans('InfoAdmin'), 'star').' '.$text;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Add document model used by doc generator
|
||||
*
|
||||
|
||||
@ -2040,9 +2040,10 @@ function img_phone($alt = 'default', $option = 0)
|
||||
*
|
||||
* @param string $text Text info
|
||||
* @param string $infoonimgalt Info is shown only on alt of star picto, otherwise it is show on output after the star picto
|
||||
* @param int $nodiv No div
|
||||
* @return string String with info text
|
||||
*/
|
||||
function info_admin($text, $infoonimgalt = 0)
|
||||
function info_admin($text, $infoonimgalt = 0, $nodiv=0)
|
||||
{
|
||||
global $conf, $langs;
|
||||
|
||||
@ -2051,7 +2052,7 @@ function info_admin($text, $infoonimgalt = 0)
|
||||
return img_picto($text, 'star');
|
||||
}
|
||||
|
||||
return '<div class="info">'.img_picto($langs->trans('InfoAdmin'), 'star').' '.$text.'</div>';
|
||||
return ($nodiv?'':'<div class="info">').img_picto($langs->trans('InfoAdmin'), 'star').' '.$text.($nodiv?'':'</div>');
|
||||
}
|
||||
|
||||
|
||||
|
||||
@ -88,12 +88,12 @@ function dol_hash($chain,$type=0)
|
||||
* If GETPOST('action') defined, we also check write and delete permission.
|
||||
*
|
||||
* @param User $user User to check
|
||||
* @param string $features Features to check (in most cases, it's module name. Examples: 'societe', 'contact', 'produit|service', ...)
|
||||
* @param string $features Features to check (it must be module name. Examples: 'societe', 'contact', 'produit&service', ...)
|
||||
* @param int $objectid Object ID if we want to check a particular record (optionnal) is linked to a owned thirdparty (optionnal).
|
||||
* @param string $dbtablename 'TableName&SharedElement' with Tablename is table where object is stored, SharedElement is key to define where to check entity. Not used if objectid is null (optionnal)
|
||||
* @param string $dbtablename 'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optionnal key to define where to check entity. Not used if objectid is null (optionnal)
|
||||
* @param string $feature2 Feature to check, second level of permission (optionnal)
|
||||
* @param string $dbt_keyfield Field name for socid foreign key if not fk_soc (optionnal)
|
||||
* @param string $dbt_select Field name for select if not rowid (optionnal)
|
||||
* @param string $dbt_keyfield Field name for socid foreign key if not fk_soc. Not used if objectid is null (optionnal)
|
||||
* @param string $dbt_select Field name for select if not rowid. Not used if objectid is null (optionnal)
|
||||
* @param Canvas $objcanvas Object canvas
|
||||
* @return int Always 1, die process if not allowed
|
||||
*/
|
||||
@ -122,11 +122,18 @@ function restrictedArea($user, $features, $objectid=0, $dbtablename='', $feature
|
||||
$dbtablename=(! empty($params[0]) ? $params[0] : '');
|
||||
$sharedelement=(! empty($params[1]) ? $params[1] : '');
|
||||
|
||||
// Check read permission from module
|
||||
// TODO Replace "feature" param into caller by first level of permission
|
||||
$listofmodules=explode(',',$conf->global->MAIN_MODULES_FOR_EXTERNAL);
|
||||
|
||||
// Check read permission from module
|
||||
$readok=1;
|
||||
foreach ($features as $feature)
|
||||
{
|
||||
if (! empty($user->societe_id) && ! empty($conf->global->MAIN_MODULES_FOR_EXTERNAL) && ! in_array($feature,$listofmodules)) // If limits on modules for external users, module must be into list of modules for external users
|
||||
{
|
||||
$readok=0;
|
||||
continue;
|
||||
}
|
||||
|
||||
if ($feature == 'societe')
|
||||
{
|
||||
if (! $user->rights->societe->lire && ! $user->rights->fournisseur->lire) $readok=0;
|
||||
|
||||
@ -26,7 +26,9 @@ require_once DOL_DOCUMENT_ROOT.'/exports/class/export.class.php';
|
||||
|
||||
$langs->load("exports");
|
||||
|
||||
if (! $user->rights->export->lire) accessforbidden();
|
||||
|
||||
// Security check
|
||||
$result=restrictedArea($user,'export');
|
||||
|
||||
|
||||
|
||||
|
||||
@ -36,7 +36,6 @@ $langs->load("exports");
|
||||
$langs->load("errors");
|
||||
|
||||
// Security check
|
||||
if (! empty($user->societe_id)) $socid=$user->societe_id;
|
||||
$result=restrictedArea($user, 'import');
|
||||
|
||||
$entitytoicon=array(
|
||||
|
||||
@ -929,6 +929,7 @@ TotalNumberOfActivatedModules=Total number of activated feature modules: <b>%s</
|
||||
YouMustEnableOneModule=You must at least enable 1 module
|
||||
ClassNotFoundIntoPathWarning=Class %s not found into PHP path
|
||||
YesInSummer=Yes in summer
|
||||
OnlyFollowingModulesAreOpenedToExternalUsers=Note, only following modules are opened to external users( whatever are permission of such users):
|
||||
|
||||
##### Module password generation
|
||||
PasswordGenerationStandard=Return a password generated according to internal Dolibarr algorithm: 8 characters containing shared numbers and characters in lowercase.
|
||||
|
||||
@ -936,6 +936,7 @@ TranslationSetup=Translation setup
|
||||
TranslationDesc=Le choix de la langue affichée à l'écran se modifie:<br>* Soit de manière globale depuis le menu <strong>Accueil - Configuration - Affichage</strong><br>* Soit de manière spécifique à l'utilisateur depuis l'onglet <strong>Interface utilisateur</strong> de sa fiche utilisateur (cliquer sur le login en haut de l'écran).
|
||||
ClassNotFoundIntoPathWarning=La class %s n'a pas été trouvée dans le path PHP
|
||||
YesInSummer=Oui en été
|
||||
OnlyFollowingModulesAreOpenedToExternalUsers=Remarque, seuls les modules suivants sont ouverts aux utilisateurs externes (quelquesoit les permissions de ces utilisateurs):
|
||||
|
||||
##### Module password generation= undefined
|
||||
PasswordGenerationStandard= Renvoie un mot de passe généré selon algorithme interne Dolibarr: 8 caractères, chiffres et caractères en minuscules mélangés.
|
||||
|
||||
@ -31,6 +31,8 @@ $langs->load("stocks");
|
||||
$langs->load("companies");
|
||||
$mesg = '';
|
||||
|
||||
// Security check
|
||||
$result=restrictedArea($user,'stock');
|
||||
|
||||
|
||||
/*
|
||||
|
||||
@ -44,6 +44,10 @@ if (! $sortorder) $sortorder="DESC";
|
||||
|
||||
$mesg = '';
|
||||
|
||||
// Security check
|
||||
$result=restrictedArea($user,'stock');
|
||||
|
||||
|
||||
|
||||
/*
|
||||
* Actions
|
||||
|
||||
@ -29,8 +29,8 @@ require_once DOL_DOCUMENT_ROOT.'/product/stock/class/entrepot.class.php';
|
||||
|
||||
$langs->load("stocks");
|
||||
|
||||
if (!$user->rights->stock->lire)
|
||||
accessforbidden();
|
||||
// Security check
|
||||
$result=restrictedArea($user,'stock');
|
||||
|
||||
|
||||
/*
|
||||
|
||||
@ -28,6 +28,10 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/stock.lib.php';
|
||||
|
||||
$langs->load("stocks");
|
||||
|
||||
// Security check
|
||||
$result=restrictedArea($user,'stock');
|
||||
|
||||
|
||||
/*
|
||||
* View
|
||||
*/
|
||||
|
||||
@ -28,8 +28,8 @@ require_once DOL_DOCUMENT_ROOT.'/product/stock/class/entrepot.class.php';
|
||||
|
||||
$langs->load("stocks");
|
||||
|
||||
if (!$user->rights->stock->lire)
|
||||
accessforbidden();
|
||||
// Security check
|
||||
$result=restrictedArea($user,'stock');
|
||||
|
||||
$sref=isset($_GET["sref"])?$_GET["sref"]:$_POST["sref"];
|
||||
$snom=isset($_GET["snom"])?$_GET["snom"]:$_POST["snom"];
|
||||
|
||||
@ -35,7 +35,8 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php';
|
||||
$langs->load("products");
|
||||
$langs->load("stocks");
|
||||
|
||||
if (!$user->rights->produit->lire) accessforbidden();
|
||||
// Security check
|
||||
$result=restrictedArea($user,'stock');
|
||||
|
||||
$id=GETPOST('id','int');
|
||||
$product_id=GETPOST("product_id");
|
||||
|
||||
@ -28,8 +28,8 @@ require_once DOL_DOCUMENT_ROOT.'/product/stock/class/entrepot.class.php';
|
||||
|
||||
$langs->load("stocks");
|
||||
|
||||
if (!$user->rights->stock->lire)
|
||||
accessforbidden();
|
||||
// Security check
|
||||
$result=restrictedArea($user,'stock');
|
||||
|
||||
$sref=isset($_GET["sref"])?$_GET["sref"]:$_POST["sref"];
|
||||
$snom=isset($_GET["snom"])?$_GET["snom"]:$_POST["snom"];
|
||||
|
||||
@ -27,7 +27,8 @@
|
||||
|
||||
require '../main.inc.php';
|
||||
require_once DOL_DOCUMENT_ROOT.'/core/lib/usergroups.lib.php';
|
||||
require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
|
||||
require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
|
||||
require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php';
|
||||
|
||||
$langs->load("users");
|
||||
$langs->load("admin");
|
||||
@ -253,19 +254,22 @@ print $form->showrefnav($fuser,'id','',$user->rights->user->user->lire || $user-
|
||||
print '</td>';
|
||||
print '</tr>'."\n";
|
||||
|
||||
// Nom
|
||||
// Lastname
|
||||
print '<tr><td width="25%" valign="top">'.$langs->trans("Lastname").'</td>';
|
||||
print '<td>'.$fuser->nom.'</td>';
|
||||
print '</tr>'."\n";
|
||||
|
||||
// Prenom
|
||||
// Firstname
|
||||
print '<tr><td width="25%" valign="top">'.$langs->trans("Firstname").'</td>';
|
||||
print '<td>'.$fuser->prenom.'</td>';
|
||||
print '</tr>'."\n";
|
||||
|
||||
print '</table><br>';
|
||||
|
||||
if ($user->admin) print info_admin($langs->trans("WarningOnlyPermissionOfActivatedModules"));
|
||||
if ($user->admin) print info_admin($langs->trans("WarningOnlyPermissionOfActivatedModules"), 0, 1).'<br>';
|
||||
// Show warning about external users
|
||||
print showModulesExludedForExternal($modules).'<br>'."\n";
|
||||
print "<br>\n";
|
||||
|
||||
// For multicompany transversal mode
|
||||
if (! empty($conf->multicompany->enabled) && ! empty($conf->multicompany->transverse_mode))
|
||||
@ -366,7 +370,7 @@ if ($result)
|
||||
print img_picto($langs->trans("Active"),'tick');
|
||||
print '</td>';
|
||||
}
|
||||
|
||||
|
||||
else if (is_array($permsgroupbyentity[$entity]))
|
||||
{
|
||||
if (in_array($obj->id, $permsgroupbyentity[$entity])) // Permission own by group
|
||||
|
||||
Loading…
Reference in New Issue
Block a user