Fix security to test access on a task
This commit is contained in:
Laurent Destailleur
parent
dd2d9f533a
commit
976c8e0752
@ -344,7 +344,7 @@ function restrictedArea($user, $features, $objectid=0, $tableandshare='', $featu
|
||||
* This function is also called by restrictedArea
|
||||
*
|
||||
* @param User $user User to check
|
||||
* @param array $featuresarray Features/modules to check. Example: ('user','service')
|
||||
* @param array $featuresarray Features/modules to check. Example: ('user','service','member','project','task',...)
|
||||
* @param int $objectid Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
|
||||
* @param string $tableandshare 'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity for multicompany modume. Param not used if objectid is null (optional).
|
||||
* @param string $feature2 Feature to check, second level of permission (optional). Can be or check with 'level1|level2'.
|
||||
@ -368,11 +368,14 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh
|
||||
|
||||
// For backward compatibility
|
||||
if ($feature == 'member') $feature='adherent';
|
||||
if ($feature == 'project') $feature='projet';
|
||||
if ($feature == 'task') $feature='projet_task';
|
||||
|
||||
$check = array('adherent','banque','user','usergroup','produit','service','produit|service','categorie'); // Test on entity only (Objects with no link to company)
|
||||
$checksoc = array('societe'); // Test for societe object
|
||||
$checkother = array('contact'); // Test on entity and link to societe. Allowed if link is empty (Ex: contacts...).
|
||||
$checkproject = array('projet','project'); // Test for project object
|
||||
$checktask = array('projet_task');
|
||||
$nocheck = array('barcode','stock','fournisseur'); // No test
|
||||
$checkdefault = 'all other not already defined'; // Test on entity and link to third party. Not allowed if link is empty (Ex: invoice, orders...).
|
||||
|
||||
@ -452,7 +455,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh
|
||||
}
|
||||
else if (in_array($feature,$checkproject))
|
||||
{
|
||||
if (! empty($conf->projet->enabled) && ! $user->rights->projet->all->lire)
|
||||
if (! empty($conf->projet->enabled) && empty($user->rights->projet->all->lire))
|
||||
{
|
||||
include_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
|
||||
$projectstatic=new Project($db);
|
||||
@ -462,7 +465,27 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh
|
||||
}
|
||||
else
|
||||
{
|
||||
if ($dbtablename == 'project') $dbtablename='projet';
|
||||
$sql = "SELECT dbt.".$dbt_select;
|
||||
$sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
|
||||
$sql.= " WHERE dbt.".$dbt_select." = ".$objectid;
|
||||
$sql.= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
|
||||
}
|
||||
}
|
||||
else if (in_array($feature,$checktask))
|
||||
{
|
||||
if (! empty($conf->projet->enabled) && empty($user->rights->projet->all->lire))
|
||||
{
|
||||
$task = new Task($db);
|
||||
$task->fetch($objectid);
|
||||
|
||||
include_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
|
||||
$projectstatic=new Project($db);
|
||||
$tmps=$projectstatic->getProjectsAuthorizedForUser($user,0,1,0);
|
||||
$tmparray=explode(',',$tmps);
|
||||
if (! in_array($task->fk_project,$tmparray)) return false;
|
||||
}
|
||||
else
|
||||
{
|
||||
$sql = "SELECT dbt.".$dbt_select;
|
||||
$sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
|
||||
$sql.= " WHERE dbt.".$dbt_select." = ".$objectid;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user