Fix parameters of accessforbidden

2019-06-04 12:21:27 +02:00 · 2019-06-04 12:21:27 +02:00 · 969e139d5c
commit 969e139d5c
parent 2c04a480a2
12 changed files with 18 additions and 105 deletions
--- a/htdocs/asset/document.php
+++ b/htdocs/asset/document.php
@ -145,7 +145,7 @@ if ($object->id)
 }
 else
 {
-	accessforbidden('', 0, 0);
+	accessforbidden('', 0, 1);
 }

 // End of page
--- a/htdocs/bom/bom_document.php
+++ b/htdocs/bom/bom_document.php
@ -143,7 +143,7 @@ if ($object->id)
 }
 else
 {
-	accessforbidden('', 0, 0);
+	accessforbidden('', 0, 1);
 }

 // End of page
--- a/htdocs/compta/facture/card.php
+++ b/htdocs/compta/facture/card.php
@ -3382,7 +3382,9 @@ elseif ($id > 0 || ! empty($ref))
 	$extralabels = $extrafields->fetch_name_optionals_label($object->table_element);

 	if ($user->societe_id > 0 && $user->societe_id != $object->socid)
-		accessforbidden('', 0);
+	{
+		accessforbidden('', 0, 1);
+	}

 	$result = $object->fetch_thirdparty();

--- a/htdocs/modulebuilder/template/myobject_document.php
+++ b/htdocs/modulebuilder/template/myobject_document.php
@ -158,7 +158,7 @@ if ($object->id)
 }
 else
 {
-	accessforbidden('', 0, 0);
+	accessforbidden('', 0, 1);
 }

 // End of page
--- a/htdocs/public/ifttt/index.php
+++ b/htdocs/public/ifttt/index.php
@ -1,88 +0,0 @@
-<?php
-/* Copyright (C) 2008-2010 Laurent Destailleur <eldy@users.sourceforge.net>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- */
-
-/**
- * 	\file       htdocs/public/ifttt/index.php
- * 	\ingroup    ifttt
- * 	\brief      Page to IFTTT endpoint agenda
- * 				http://127.0.0.1/dolibarr/public/ifttt/index.php?securekey=...
- */
-
-if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL', '1');
-if (! defined('NOREQUIREMENU'))  define('NOREQUIREMENU', '1'); // If there is no menu to show
-if (! defined('NOREQUIREHTML'))  define('NOREQUIREHTML', '1'); // If we don't need to load the html.form.class.php
-if (! defined('NOREQUIREAJAX'))  define('NOREQUIREAJAX', '1');
-if (! defined('NOLOGIN'))        define("NOLOGIN", 1);		// This means this output page does not require to be logged.
-if (! defined('NOCSRFCHECK'))    define("NOCSRFCHECK", 1);	// We accept to go on this page from external web site.
-
-// This is a wrapper, so header is empty
-
-/**
- * Header function
- *
- * @return	void
- */
-function llxHeaderIFTTT()
-{
-    print '<html><title>IFTTT API</title><body>';
-}
-/**
- * Footer function
- *
- * @return	void
- */
-function llxFooterIFTTT()
-{
-    print '</body></html>';
-}
-
-
-require '../../main.inc.php';
-
-// Security check
-if (empty($conf->ifttt->enabled)) accessforbidden('', 0, 0, 1);
-
-// Check config
-if (empty($conf->global->IFTTT_DOLIBARR_ENDPOINT_SECUREKEY))
-{
-	$user->getrights();
-
-	llxHeaderIFTTT();
-	print '<div class="error">Module Agenda was not configured properly.</div>';
-	llxFooterIFTTT();
-	exit;
-}
-
-// Check exportkey
-if (empty($_GET["securekey"]) || $conf->global->IFTTT_DOLIBARR_ENDPOINT_SECUREKEY != $_GET["securekey"])
-{
-	$user->getrights();
-
-	llxHeaderIFTTT();
-	print '<div class="error">Bad value for securekey.</div>';
-	llxFooterIFTTT();
-	exit;
-}
-
-
-// Initialize technical object to manage hooks. Note that conf->hooks_modules contains array of hooks
-$hookmanager->initHooks(array('iftttapi'));
-
-
-llxHeaderIFTTT();
-print '<div class="error">TODO</div>';
-llxFooterIFTTT();
--- a/htdocs/public/opensurvey/studs.php
+++ b/htdocs/public/opensurvey/studs.php
@ -62,7 +62,7 @@ $listofvoters=explode(',', $_SESSION["savevoter"]);
 // Add comment
 if (GETPOST('ajoutcomment', 'alpha'))
 {
-	if (!$canbemodified) accessforbidden();
+	if (!$canbemodified) accessforbidden('', 0, 0, 1);

 	$error=0;

@ -97,7 +97,7 @@ if (GETPOST('ajoutcomment', 'alpha'))
 // Add vote
 if (GETPOST("boutonp") || GETPOST("boutonp.x") || GETPOST("boutonp_x"))		// boutonp for chrome, boutonp_x for firefox
 {
-	if (!$canbemodified) accessforbidden();
+	if (!$canbemodified) accessforbidden('', 0, 0, 1);

 	//Si le nom est bien entré
 	if (GETPOST('nom', 'nohtml'))
@ -220,7 +220,7 @@ if ($testmodifier)
 		}
 	}

-	if (!$canbemodified) accessforbidden();
+	if (!$canbemodified) accessforbidden('', 0, 0, 1);

 	$idtomodify=$_POST["idtomodify".$modifier];
 	$sql = 'UPDATE '.MAIN_DB_PREFIX."opensurvey_user_studs";
@ -235,7 +235,7 @@ if ($testmodifier)
 $idcomment=GETPOST('deletecomment', 'int');
 if ($idcomment)
 {
-	if (!$canbemodified) accessforbidden();
+	if (!$canbemodified) accessforbidden('', 0, 0, 1);

 	$resql = $object->deleteComment($idcomment);
 }
--- a/htdocs/resource/card.php
+++ b/htdocs/resource/card.php
@ -237,8 +237,7 @@ if ($action == 'create' || $object->fetch($id) > 0)

 	if ($action == 'create' || $action == 'edit')
 	{
-		if ( ! $user->rights->resource->write )
-			accessforbidden('', 0);
+		if (! $user->rights->resource->write) accessforbidden('', 0, 1);

 		// Create/Edit object

--- a/htdocs/ticket/agenda.php
+++ b/htdocs/ticket/agenda.php
@ -86,11 +86,11 @@ if (!$user->rights->ticket->read) {
 // restrict access for externals users
 if ($user->societe_id > 0 && ($object->fk_soc != $user->societe_id))
 {
-	accessforbidden('', 0);
+	accessforbidden();
 }
 // or for unauthorized internals users
 if (!$user->societe_id && ($conf->global->TICKET_LIMIT_VIEW_ASSIGNED_ONLY && $object->fk_user_assign != $user->id) && !$user->rights->ticket->manage) {
-	accessforbidden('', 0);
+	accessforbidden();
 }


--- a/htdocs/ticket/card.php
+++ b/htdocs/ticket/card.php
@ -647,7 +647,7 @@ if (empty($action) || $action == 'view' || $action == 'addlink' || $action == 'd
    {
        // or for unauthorized internals users
        if (!$user->societe_id && ($conf->global->TICKET_LIMIT_VIEW_ASSIGNED_ONLY && $object->fk_user_assign != $user->id) && !$user->rights->ticket->manage) {
-            accessforbidden('', 0);
+            accessforbidden('', 0, 1);
        }

        // Confirmation close
--- a/htdocs/ticket/document.php
+++ b/htdocs/ticket/document.php
@ -196,7 +196,7 @@ if ($object->id)
 }
 else
 {
-    accessforbidden('', 0, 0);
+    accessforbidden('', 0, 1);
 }

 // End of page
--- a/htdocs/user/document.php
+++ b/htdocs/user/document.php
@ -174,7 +174,7 @@ if ($object->id)
 }
 else
 {
-	accessforbidden('', 0, 0);
+	accessforbidden('', 0, 1);
 }

 // End of page
--- a/htdocs/viewimage.php
+++ b/htdocs/viewimage.php
@ -170,7 +170,7 @@ if (GETPOST('type', 'alpha')) $type=GETPOST('type', 'alpha');
 else $type=dol_mimetype($original_file);

 // Security: This wrapper is for images. We do not allow type/html
-if (preg_match('/html/', $type)) accessforbidden('Error: Using the image wrapper to output a file with a mime type HTML is not possible.', 1, 1, 1);
+if (preg_match('/html/', $type)) accessforbidden('Error: Using the image wrapper to output a file with a mime type HTML is not possible.', 0, 0, 1);

 // Security: Delete string ../ into $original_file
 $original_file = str_replace("../", "/", $original_file);
@ -179,7 +179,7 @@ $original_file = str_replace("../", "/", $original_file);
 $refname=basename(dirname($original_file)."/");

 // Security check
-if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart', 1, 1, 1);
+if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart', 0, 0, 1);

 $check_access = dol_check_secure_access_document($modulepart, $original_file, $entity, $refname);
 $accessallowed              = $check_access['accessallowed'];