diff --git a/htdocs/core/class/html.formfile.class.php b/htdocs/core/class/html.formfile.class.php
index 45429512046..573381b8b0c 100644
--- a/htdocs/core/class/html.formfile.class.php
+++ b/htdocs/core/class/html.formfile.class.php
@@ -1774,11 +1774,16 @@ class FormFile
continue; // We do not show orphelins files
}
- print ''."\n";
+ print ''."\n";
print '
';
print '| ';
if ($found > 0 && is_object($this->cache_objects[$modulepart.'_'.$id.'_'.$ref])) {
- print $this->cache_objects[$modulepart.'_'.$id.'_'.$ref]->getNomUrl(1, 'document');
+ $tmpobject = $this->cache_objects[$modulepart.'_'.$id.'_'.$ref];
+ //if (! in_array($tmpobject->element, array('expensereport'))) {
+ print $tmpobject->getNomUrl(1, 'document');
+ //} else {
+ // print $tmpobject->getNomUrl(1);
+ //}
} else {
print $langs->trans("ObjectDeleted", ($id ? $id : $ref));
}
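Review bot: The commented-out branch on the new lines (`//if (! in_array($tmpobject->element, array('expensereport'))) {` through `//}`) should be deleted rather than shipped; it is dead code, and the expensereport special case it alludes to is what the getNomUrl signature change elsewhere in this commit addresses. `$tmpobject->getNomUrl(1, 'document')` is called on whatever object is in `$this->cache_objects`, and the meaning of the second positional argument is per-class (ExpenseReport only gains `$option` in that position in this commit), so any element type whose second parameter is still `$max` would receive the string 'document' as a length; worth confirming for every element type that can be cached here. The enclosing loop and method start outside the hunk.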
diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php
index ce5e7129bcf..90796f402d4 100644
--- a/htdocs/core/lib/files.lib.php
+++ b/htdocs/core/lib/files.lib.php
@@ -2232,7 +2232,8 @@ function dol_most_recent_file($dir, $regexfilter = '', $excludefilter = array('(
}
/**
- * Security check when accessing to a document (used by document.php, viewimage.php and webservices)
+ * Security check when accessing to a document (used by document.php, viewimage.php and webservices to get documents).
+ * TODO Replace code that set $accesallowed by a call to restrictedArea()
*
* @param string $modulepart Module of document ('module', 'module_user_temp', 'module_user' or 'module_temp')
* @param string $original_file Relative path with filename, relative to modulepart.
@@ -2612,12 +2613,26 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
// Wrapping pour les projets
if ($fuser->rights->projet->{$lire} || preg_match('/^specimen/i', $original_file)) {
$accessallowed = 1;
+ // If we known $id of project, call checkUserAccessToObject to check permission on properties and contact of project
+ if ($refname && !preg_match('/^specimen/i', $original_file)) {
+ include_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
+ $tmpproject = new Project($db);
+ $tmpproject->fetch('', $refname);
+ $accessallowed = checkUserAccessToObject($user, array('projet'), $tmpproject->id, 'projet&project', '', '', 'rowid', '');
+ }
}
$original_file = $conf->projet->dir_output.'/'.$original_file;
$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."projet WHERE ref='".$db->escape($refname)."' AND entity IN (".getEntity('project').")";
} elseif ($modulepart == 'project_task' && !empty($conf->projet->dir_output)) {
if ($fuser->rights->projet->{$lire} || preg_match('/^specimen/i', $original_file)) {
$accessallowed = 1;
+ // If we known $id of project, call checkUserAccessToObject to check permission on properties and contact of project
+ if ($refname && !preg_match('/^specimen/i', $original_file)) {
+ include_once DOL_DOCUMENT_ROOT.'/projet/class/task.class.php';
+ $tmptask = new Task($db);
+ $tmptask->fetch('', $refname);
+ $accessallowed = checkUserAccessToObject($user, array('projet_task'), $tmptask->id, 'projet&project', '', '', 'rowid', '');
+ }
}
$original_file = $conf->projet->dir_output.'/'.$original_file;
$sqlprotectagainstexternals = "SELECT fk_soc as fk_soc FROM ".MAIN_DB_PREFIX."projet WHERE ref='".$db->escape($refname)."' AND entity IN (".getEntity('project').")";
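Review bot: The new object-level check does not fail closed when the ref does not resolve: `$tmpproject->fetch('', $refname)` has its result ignored, so a ref that matches no project (or one outside the caller's entities) leaves `$tmpproject->id` empty and `checkUserAccessToObject()` is called with an objectid of 0, whose handling for a zero id is not visible here (the project branch shown at @@ -689 uses a loose `in_array($objectid, $tmparray)`, which on PHP 7 would let 0 match an empty authorized list). The same block also passes `$user` while the surrounding rights test at `if ($fuser->rights->projet->{$lire} ...)` uses `$fuser`; if those can differ, which the `$fuser` parameter suggests, the object check runs against the wrong user. The project_task branch has both issues identically. The function dol_check_secure_access_document() begins and ends outside the hunk.
```php
// … unchanged: rights check on $fuser->rights->projet->{$lire} …
if ($refname && !preg_match('/^specimen/i', $original_file)) {
    include_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
    $tmpproject = new Project($db);
    $tmpproject->fetch('', $refname);
    // Fail closed: an unresolved ref must not reach the object check with an id of 0
    if ($tmpproject->id > 0) {
        $accessallowed = checkUserAccessToObject($fuser, array('projet'), $tmpproject->id, 'projet&project', '', '', 'rowid', '') ? 1 : 0;
    } else {
        $accessallowed = 0;
    }
}
// … unchanged: $original_file and $sqlprotectagainstexternals assignment; same pattern applies to the project_task branch with Task …
```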
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 06baefed88e..598802ea574 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -183,10 +183,11 @@ function dol_verifyHash($chain, $hash, $type = '0')
* @param string $dbt_keyfield Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
* @param string $dbt_select Field name for select if not rowid. Not used if objectid is null (optional)
* @param int $isdraft 1=The object with id=$objectid is a draft
- * @return int Always 1, die process if not allowed
+ * @param int $mode Mode (0=default, 1=return with not die)
+ * @return int If mode = 0 (default): Always 1, die process if not allowed. If mode = 1: Return 0 if access not allowed.
* @see dol_check_secure_access_document(), checkUserAccessToObject()
*/
-function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = 'fk_soc', $dbt_select = 'rowid', $isdraft = 0)
+function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = 'fk_soc', $dbt_select = 'rowid', $isdraft = 0, $mode = 0)
{
global $db, $conf;
global $hookmanager;
@@ -231,7 +232,11 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
if (isset($hookmanager->resArray['result'])) {
if ($hookmanager->resArray['result'] == 0) {
- accessforbidden(); // Module returns 0, so access forbidden
+ if ($mode) {
+ return 0;
+ } else {
+ accessforbidden(); // Module returns 0, so access forbidden
+ }
}
}
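Review bot: The five-line `if ($mode) { return 0; } else { accessforbidden(); }` block is now copied verbatim at this hunk and again at @@ -346, @@ -435, @@ -448 and @@ -523; since the docblock states accessforbidden() ends the process, the `else` is redundant and each site can be the two lines `if ($mode) { return 0; }` followed by `accessforbidden();`, or better a single private helper so a future change to the deny path is made once. Callers that start passing `$mode = 1` must now actually test the return value, which the old always-1 contract never required; a short sentence in the docblock at @@ -183 saying that mode 1 callers are responsible for enforcing the result would make that explicit. restrictedArea() begins and ends outside this hunk.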
if ($reshook > 0) { // No other test done.
@@ -346,7 +351,11 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
}
if (!$readok) {
- accessforbidden();
+ if ($mode) {
+ return 0;
+ } else {
+ accessforbidden();
+ }
}
//print "Read access is ok";
@@ -435,7 +444,11 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
}
if ($wemustcheckpermissionforcreate && !$createok) {
- accessforbidden();
+ if ($mode) {
+ return 0;
+ } else {
+ accessforbidden();
+ }
}
//print "Write access is ok";
}
@@ -448,7 +461,11 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
}
if (!$createuserok) {
- accessforbidden();
+ if ($mode) {
+ return 0;
+ } else {
+ accessforbidden();
+ }
}
//print "Create user access is ok";
}
@@ -523,26 +540,34 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
}
if (!$deleteok && !($isdraft && $createok)) {
- accessforbidden();
+ if ($mode) {
+ return 0;
+ } else {
+ accessforbidden();
+ }
}
//print "Delete access is ok";
}
- // If we have a particular object to check permissions on, we check this object
- // is linked to a company allowed to $user.
+ // If we have a particular object to check permissions on, we check if $user has permission
+ // for this given object (link to company, is contact for project, ...)
if (!empty($objectid) && $objectid > 0) {
$ok = checkUserAccessToObject($user, $featuresarray, $objectid, $tableandshare, $feature2, $dbt_keyfield, $dbt_select, $parentfortableentity);
$params = array('objectid' => $objectid, 'features' => join(',', $featuresarray), 'features2' => $feature2);
//print 'checkUserAccessToObject ok='.$ok;
- return $ok ? 1 : accessforbidden('', 1, 1, 0, $params);
+ if ($mode) {
+ return $ok ? 1 : 0;
+ } else {
+ return $ok ? 1 : accessforbidden('', 1, 1, 0, $params);
+ }
}
return 1;
}
/**
- * Check access by user to object.
- * This function is also called by restrictedArea that check before if module is enabled and permissions of user compared to $action.
+ * Check access by user to object is ok.
+ * This function is also called by restrictedArea that check before if module is enabled and if permission of user for $action is ok.
*
* @param User $user User to check
* @param array $featuresarray Features/modules to check. Example: ('user','service','member','project','task',...)
@@ -555,7 +580,7 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
* @return bool True if user has access, False otherwise
* @see restrictedArea()
*/
-function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = '', $dbt_select = 'rowid', $parenttableforentity = '')
+function checkUserAccessToObject($user, array $featuresarray, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = '', $dbt_select = 'rowid', $parenttableforentity = '')
{
global $db, $conf;
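Review bot: Adding the native `array $featuresarray` type makes any caller that still passes a comma-separated string fail with a TypeError at runtime, since arrays are never coerced regardless of strict_types. The callers visible in this diff (restrictedArea at @@ -523 and the two new calls in files.lib.php) pass arrays, but call sites outside this diff were not audited here, so that should be checked before merging. If string callers exist, accepting `array|string` and normalising with `explode(',', ...)` inside the function keeps them working. checkUserAccessToObject() continues outside the hunk.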
@@ -689,6 +714,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
include_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
$projectstatic = new Project($db);
$tmps = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1, 0);
+
$tmparray = explode(',', $tmps);
if (!in_array($objectid, $tmparray)) {
return false;
diff --git a/htdocs/ecm/index_auto.php b/htdocs/ecm/index_auto.php
index bcfff8aa2da..d54dcf14d1e 100644
--- a/htdocs/ecm/index_auto.php
+++ b/htdocs/ecm/index_auto.php
@@ -440,15 +440,13 @@ if (empty($action) || $action == 'file_manager' || preg_match('/refresh/i', $act
continue; // If condition to show is ok
}
- $var = false;
-
print '';
if (!empty($conf->use_javascript_ajax) && empty($conf->global->MAIN_ECM_DISABLE_JS)) {
- print '';
+ print '';
print $val['label'];
print '';
} else {
- print '';
+ print '';
print $val['label'];
print '';
}
@@ -456,7 +454,7 @@ if (empty($action) || $action == 'file_manager' || preg_match('/refresh/i', $act
print ' ';
// Info
$htmltooltip = ''.$langs->trans("ECMSection").': '.$val['label'].' ';
- $htmltooltip = ''.$langs->trans("Type").': '.$langs->trans("ECMSectionAuto").' ';
+ $htmltooltip .= ''.$langs->trans("Type").': '.$langs->trans("ECMSectionAuto").' ';
$htmltooltip .= ''.$langs->trans("ECMCreationUser").': '.$langs->trans("ECMTypeAuto").' ';
$htmltooltip .= ''.$langs->trans("Description").': '.$val['desc'];
print $form->textwithpicto('', $htmltooltip, 1, 'info');
diff --git a/htdocs/expensereport/class/expensereport.class.php b/htdocs/expensereport/class/expensereport.class.php
index be09b670d84..25ee6072a90 100644
--- a/htdocs/expensereport/class/expensereport.class.php
+++ b/htdocs/expensereport/class/expensereport.class.php
@@ -1645,6 +1645,7 @@ class ExpenseReport extends CommonObject
* Return clicable name (with picto eventually)
*
* @param int $withpicto 0=No picto, 1=Include picto into link, 2=Only picto
+ * @param string $option Where point the link ('', 'document', ..)
* @param int $max Max length of shown ref
* @param int $short 1=Return just URL
* @param string $moretitle Add more text to title tooltip
@@ -1652,7 +1653,7 @@ class ExpenseReport extends CommonObject
* @param int $save_lastsearch_value -1=Auto, 0=No save of lastsearch_values when clicking, 1=Save lastsearch_values whenclicking
* @return string String with URL
*/
- public function getNomUrl($withpicto = 0, $max = 0, $short = 0, $moretitle = '', $notooltip = 0, $save_lastsearch_value = -1)
+ public function getNomUrl($withpicto = 0, $option = '', $max = 0, $short = 0, $moretitle = '', $notooltip = 0, $save_lastsearch_value = -1)
{
global $langs, $conf;
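Review bot: Inserting `$option` as the second parameter shifts `$max`, `$short`, `$moretitle`, `$notooltip` and `$save_lastsearch_value` by one position, so an existing call such as `getNomUrl(1, 24)` now passes 24 as `$option` and silently loses its truncation, and `getNomUrl(1, 0, 1)` changes meaning without any error. Every ExpenseReport::getNomUrl() call site should be audited for positional arguments before this lands; appending `$option` at the end would have been backward compatible but breaks consistency with the other classes' signatures, so the audit is the safer route. In the following hunk `$option` is only compared against 'nolink', so the 'document' value named in the docblock has no visible effect here; presumably it is handled further down the method, outside the hunks. The method body continues past this hunk.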
@@ -1684,17 +1685,16 @@ class ExpenseReport extends CommonObject
$label .= ' - '.$moretitle;
}
- //if ($option != 'nolink')
- //{
- // Add param to save lastsearch_values or not
+ if ($option != 'nolink') {
+ // Add param to save lastsearch_values or not
$add_save_lastsearch_values = ($save_lastsearch_value == 1 ? 1 : 0);
- if ($save_lastsearch_value == -1 && preg_match('/list\.php/', $_SERVER["PHP_SELF"])) {
- $add_save_lastsearch_values = 1;
+ if ($save_lastsearch_value == -1 && preg_match('/list\.php/', $_SERVER["PHP_SELF"])) {
+ $add_save_lastsearch_values = 1;
+ }
+ if ($add_save_lastsearch_values) {
+ $url .= '&save_lastsearch_values=1';
+ }
}
- if ($add_save_lastsearch_values) {
- $url .= '&save_lastsearch_values=1';
- }
- //}
$ref = $this->ref;
if (empty($ref)) {
@@ -1720,7 +1720,7 @@ class ExpenseReport extends CommonObject
$result .= img_object(($notooltip ? '' : $label), $this->picto, ($notooltip ? (($withpicto != 2) ? 'class="paddingright"' : '') : 'class="'.(($withpicto != 2) ? 'paddingright ' : '').'classfortooltip"'), 0, 0, $notooltip ? 0 : 1);
}
if ($withpicto != 2) {
- $result .= ($max ?dol_trunc($ref, $max) : $ref);
+ $result .= ($max ? dol_trunc($ref, $max) : $ref);
}
$result .= $linkend;
diff --git a/htdocs/projet/class/task.class.php b/htdocs/projet/class/task.class.php
index 0b8e21f5afd..3206953c791 100644
--- a/htdocs/projet/class/task.class.php
+++ b/htdocs/projet/class/task.class.php
@@ -274,7 +274,8 @@ class Task extends CommonObject
}
$sql .= " WHERE ";
if (!empty($ref)) {
- $sql .= "t.ref = '".$this->db->escape($ref)."'";
+ $sql .= "entity IN (".getEntity('project').")";
+ $sql .= " AND t.ref = '".$this->db->escape($ref)."'";
} else {
$sql .= "t.rowid = ".((int) $id);
}
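Review bot: The entity restriction is added only to the fetch-by-ref path (`$sql .= "entity IN (".getEntity('project').")";`), while the `else` branch that fetches by `t.rowid` stays unfiltered, so the same task remains reachable across entities by id; if the intent is entity isolation the filter belongs before the `if` so both paths share it. The column is also unqualified: if the FROM/JOIN clause (outside the hunk) joins another table that carries an `entity` column, the query becomes an ambiguous-column error, so qualify it (`t.entity`) if the column lives on the task table. Task::fetch() begins and ends outside this hunk.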