From 8df083c95537967278af88bfeb34717be0312094 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 20 Mar 2021 18:43:44 +0100 Subject: [PATCH 1/5] Look and feel v14 --- ChangeLog | 4 +- htdocs/user/info.php | 2 + htdocs/user/notify/card.php | 268 ++++++++++++++++++++---------------- 3 files changed, 151 insertions(+), 123 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7537a891c9b..d4a8b55625f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,8 +19,8 @@ WARNING: Following changes may create regressions for some external modules, but were necessary to make Dolibarr better: * The ICS value for direct debit or credit transfer is now store on each bank account instead of into the global setup. * API /setup/shipment_methods has been replaced with API /setup/shipping_methods -* Field "tva" renamed into "total_tva" in llx_propal, llx_supplier_proposal, llx_commande, llx_commande_fournisseur for better field name consistency -* Field "total" renamed into "total_ttc" in llx_propal, llx_supplier_proposal for better field name consistency +* Field "tva" renamed into "total_tva" for table llx_propal, llx_supplier_proposal, llx_commande, llx_commande_fournisseur for better field name consistency +* Field "total" renamed into "total_ttc" for table lx_propal, llx_supplier_proposal for better field name consistency * If your database is PostgreSql, you must use version 9.1.0 or more (Dolibarr need the SQL function CONCAT) * If your database is MySql or MariaDB, you need at least version 5.1 diff --git a/htdocs/user/info.php b/htdocs/user/info.php index 74b7e70e582..f6a0c731e14 100644 --- a/htdocs/user/info.php +++ b/htdocs/user/info.php @@ -32,6 +32,8 @@ $langs->load("users"); // Security check $id = GETPOST('id', 'int'); +$ref = GETPOST('ref', 'alpha'); + $object = new User($db); if ($id > 0 || !empty($ref)) { $result = $object->fetch($id, $ref, '', 1); diff --git a/htdocs/user/notify/card.php b/htdocs/user/notify/card.php index fa2cf5a5d41..228bbd7882e 100644 
--- a/htdocs/user/notify/card.php +++ b/htdocs/user/notify/card.php @@ -32,9 +32,11 @@ require_once DOL_DOCUMENT_ROOT.'/user/class/user.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/triggers/interface_50_modNotification_Notification.class.php'; // Load translation files required by page -$langs->loadLangs(array('companies', 'mails', 'admin', 'other')); +$langs->loadLangs(array('companies', 'mails', 'admin', 'other', 'errors')); $id = GETPOST("id", 'int'); +$ref = GETPOST('ref', 'alpha'); + $action = GETPOST('action', 'aZ09'); $actionid = GETPOST('actionid'); @@ -63,11 +65,24 @@ $pagenext = $page + 1; $now = dol_now(); +// Security check +$object = new User($db); +if ($id > 0 || !empty($ref)) { + $result = $object->fetch($id, $ref, '', 1); + $object->getrights(); +} + +$permissiontoadd = (($object->id == $user->id) || (!empty($user->rights->user->user->lire))); + /* * Actions */ +if (GETPOST('cancel', 'alpha')) { + $action = 'list'; +} + // Add a notification if ($action == 'add') { $error = 0; @@ -75,6 +90,7 @@ if ($action == 'add') { if ($actionid <= 0) { setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Action")), null, 'errors'); $error++; + $action = 'create'; } if (!$error) { @@ -98,6 +114,7 @@ if ($action == 'add') { $db->commit(); } else { $db->rollback(); + $action = 'create'; } } } @@ -185,7 +202,7 @@ if ($result > 0) { // Add notification form - print load_fiche_titre($langs->trans("AddNewNotification"), '', ''); + // print load_fiche_titre($langs->trans("AddNewNotification"), '', ''); print '
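Review bot: `$permissiontoadd` is computed from the read right (`!empty($user->rights->user->user->lire)`), so any user allowed to view users is treated as allowed to add a notification; the intended test is the module's write right, e.g. `$permissiontoadd = (($object->id == $user->id) || !empty($user->rights->user->user->creer));`. The flag is then only consulted when rendering the New button (`dolGetButtonTitle(..., $permissiontoadd)` in the @@ -262 hunk) and never in the Actions section, so the `// Add a notification` branch visible at the end of this hunk still runs for anyone who submits `action=add`; gate it with `if ($action == 'add' && $permissiontoadd) {` and apply the same test in front of the `if ($action == 'create')` form in the @@ -274 hunk. The result of `$object->fetch($id, $ref, '', 1)` is stored in `$result` but not checked before `$object->getrights()` runs; a failed fetch should be reported instead of continuing with an empty object.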
'; print ''; @@ -194,7 +211,7 @@ if ($result > 0) { $param = "&id=".$id; // Line with titles - print ''; + /* print '
'; print ''; print_liste_field_titre("Target", $_SERVER["PHP_SELF"], "c.lastname,c.firstname", '', $param, 'width="45%"', $sortfield, $sortorder); print_liste_field_titre("Action", $_SERVER["PHP_SELF"], "", '', $param, 'width="35%"', $sortfield, $sortorder); @@ -202,48 +219,10 @@ if ($result > 0) { print_liste_field_titre(''); print "\n"; - - // $listofemails=$object->thirdparty_and_contact_email_array(); - if ($object->email) { - $actions = array(); - - // Load array of available notifications - $notificationtrigger = new InterfaceNotification($db); - $listofnotifiedevents = $notificationtrigger->getListOfManagedEvents(); - - foreach ($listofnotifiedevents as $notifiedevent) { - $label = ($langs->trans("Notify_".$notifiedevent['code']) != "Notify_".$notifiedevent['code'] ? $langs->trans("Notify_".$notifiedevent['code']) : $notifiedevent['label']); - $actions[$notifiedevent['rowid']] = $label; - } - print ''; - print ''; - print ''; - print ''; - print ''; - } else { - print ''; - } - print '
'; - print $object->getNomUrl(1); - if (isValidEmail($object->email)) { - print ' <'.$object->email.'>'; - } else { - $langs->load("errors"); - print '   '.img_warning().' '.$langs->trans("ErrorBadEMail", $object->email); - } - print ''; - print img_picto('', 'object_action', '', false, 0, 0, '', 'paddingright').$form->selectarray("actionid", $actions, '', 1); - print ''; - $type = array('email'=>$langs->trans("EMail")); - print $form->selectarray("typeid", $type); - print '
'; - print $langs->trans("YouMustAssignUserMailFirst"); - print '
'; - print '
'; print '
'; - + */ // List of notifications enabled for contacts $sql = "SELECT n.rowid, n.type,"; $sql .= " a.code, a.label,"; @@ -262,8 +241,13 @@ if ($result > 0) { dol_print_error($db); } + $newcardbutton = dolGetButtonTitle($langs->trans('New'), '', 'fa fa-plus-circle', $_SERVER["PHP_SELF"].'?id='.$object->id.'&action=create&backtopage='.urlencode($_SERVER['PHP_SELF']), '', $permissiontoadd); + + $title = $langs->trans("ListOfActiveNotifications"); + // List of active notifications - print load_fiche_titre($langs->trans("ListOfActiveNotifications").' ('.$num.')', '', ''); + //print load_fiche_titre($langs->trans("ListOfActiveNotifications").' ('.$num.')', '', ''); + print_barre_liste($title, $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, '', $num, $num, 'email', 0, $newcardbutton, '', $limit, 0, 0, 1); // Line with titles print ''; 
@@ -274,99 +258,141 @@ if ($result > 0) { print_liste_field_titre('', '', ''); print ''; - $langs->load("errors"); - $langs->load("other"); - if ($num) { - $i = 0; + if ($action == 'create') { + // $listofemails=$object->thirdparty_and_contact_email_array(); + if ($object->email) { + $actions = array(); - $userstatic = new user($db); + // Load array of available notifications + $notificationtrigger = new InterfaceNotification($db); + $listofnotifiedevents = $notificationtrigger->getListOfManagedEvents(); - while ($i < $num) { - $obj = $db->fetch_object($resql); + foreach ($listofnotifiedevents as $notifiedevent) { + $label = ($langs->trans("Notify_".$notifiedevent['code']) != "Notify_".$notifiedevent['code'] ? $langs->trans("Notify_".$notifiedevent['code']) : $notifiedevent['label']); + $actions[$notifiedevent['rowid']] = $label; + } + print ''; + print ''; + print ''; + print ''; + print ''; + } else { + print ''; + } + } else { + if ($num) { + $i = 0; - $userstatic->id = $obj->userid; - $userstatic->lastname = $obj->lastname; - $userstatic->firstname = $obj->firstname; - print ''; + print ''; + print ''; + print ''; + print ''; + $i++; + } + $db->free($resql); + } + + // List of notifications enabled for fixed email + /* + foreach($conf->global as $key => $val) { + if (! preg_match('/^NOTIFICATION_FIXEDEMAIL_(.*)/', $key, $reg)) continue; + print ''; print ''; print ''; - print ''; + print ''; print ''; - $i++; - } - $db->free($resql); + }*/ + /*if ($user->admin) + { + $var = ! $var; + print ''; + }*/ } - // List of notifications enabled for fixed email - /* - foreach($conf->global as $key => $val) { - if (! preg_match('/^NOTIFICATION_FIXEDEMAIL_(.*)/', $key, $reg)) continue; - print ''; - print ''; - print ''; - print ''; - print ''; - }*/ - /*if ($user->admin) - { - $var = ! $var; - print ''; - }*/ - print '
'; + print $object->getNomUrl(1); + if (isValidEmail($object->email)) { + print ' <'.$object->email.'>'; + } else { + $langs->load("errors"); + print '   '.img_warning().' '.$langs->trans("ErrorBadEMail", $object->email); + } + print ''; + print img_picto('', 'object_action', '', false, 0, 0, '', 'paddingright').$form->selectarray("actionid", $actions, '', 1); + print ''; + $type = array('email'=>$langs->trans("EMail")); + print $form->selectarray("typeid", $type); + print ''; + print ''; + print ' '; + print ''; + print '
'; + print $langs->trans("YouMustAssignUserMailFirst"); + print '
'.$userstatic->getNomUrl(1); - if ($obj->type == 'email') { - if (isValidEmail($obj->email)) { - print ' <'.$obj->email.'>'; - } else { - $langs->load("errors"); - print '   '.img_warning().' '.$langs->trans("ErrorBadEMail", $obj->email); + $userstatic = new user($db); + + while ($i < $num) { + $obj = $db->fetch_object($resql); + + $userstatic->id = $obj->userid; + $userstatic->lastname = $obj->lastname; + $userstatic->firstname = $obj->firstname; + print '
'.$userstatic->getNomUrl(1); + if ($obj->type == 'email') { + if (isValidEmail($obj->email)) { + print ' <'.$obj->email.'>'; + } else { + $langs->load("errors"); + print '   '.img_warning().' '.$langs->trans("ErrorBadEMail", $obj->email); + } + } + print ''; + $label = ($langs->trans("Notify_".$obj->code) != "Notify_".$obj->code ? $langs->trans("Notify_".$obj->code) : $obj->label); + print img_picto('', 'object_action', '', false, 0, 0, '', 'paddingright').$label; + print ''; + if ($obj->type == 'email') { + print $langs->trans("Email"); + } + if ($obj->type == 'sms') { + print $langs->trans("SMS"); + } + print ''.img_delete().'
'; + $listtmp=explode(',',$val); + $first=1; + foreach($listtmp as $keyemail => $valemail) + { + if (! $first) print ', '; + $first=0; + $valemail=trim($valemail); + //print $keyemail.' - '.$valemail.' - '.$reg[1].'
'; + if (isValidEmail($valemail, 1)) + { + if ($valemail == '__SUPERVISOREMAIL__') print $valemail; + else print ' <'.$valemail.'>'; + } + else + { + print ' '.img_warning().' '.$langs->trans("ErrorBadEMail",$valemail); } } print '
'; - $label = ($langs->trans("Notify_".$obj->code) != "Notify_".$obj->code ? $langs->trans("Notify_".$obj->code) : $obj->label); - print img_picto('', 'object_action', '', false, 0, 0, '', 'paddingright').$label; + $notifcode=preg_replace('/_THRESHOLD_.*$/','',$reg[1]); + $notifcodecond=preg_replace('/^.*_(THRESHOLD_)/','$1',$reg[1]); + $label=($langs->trans("Notify_".$notifcode)!="Notify_".$notifcode?$langs->trans("Notify_".$notifcode):$notifcode); + print $label; + if (preg_match('/^THRESHOLD_HIGHER_(.*)$/',$notifcodecond,$regcond) && ($regcond[1] > 0)) + { + print ' - '.$langs->trans("IfAmountHigherThan",$regcond[1]); + } print ''; - if ($obj->type == 'email') { - print $langs->trans("Email"); - } - if ($obj->type == 'sms') { - print $langs->trans("SMS"); - } + print $langs->trans("Email"); print ''.img_delete().''.$langs->trans("SeeModuleSetup", $langs->transnoentitiesnoconv("Module600Name")).'
'; + print '+ '.$langs->trans("SeeModuleSetup", $langs->transnoentitiesnoconv("Module600Name")).''; + print '
'; - $listtmp=explode(',',$val); - $first=1; - foreach($listtmp as $keyemail => $valemail) - { - if (! $first) print ', '; - $first=0; - $valemail=trim($valemail); - //print $keyemail.' - '.$valemail.' - '.$reg[1].'
'; - if (isValidEmail($valemail, 1)) - { - if ($valemail == '__SUPERVISOREMAIL__') print $valemail; - else print ' <'.$valemail.'>'; - } - else - { - print ' '.img_warning().' '.$langs->trans("ErrorBadEMail",$valemail); - } - } - print '
'; - $notifcode=preg_replace('/_THRESHOLD_.*$/','',$reg[1]); - $notifcodecond=preg_replace('/^.*_(THRESHOLD_)/','$1',$reg[1]); - $label=($langs->trans("Notify_".$notifcode)!="Notify_".$notifcode?$langs->trans("Notify_".$notifcode):$notifcode); - print $label; - if (preg_match('/^THRESHOLD_HIGHER_(.*)$/',$notifcodecond,$regcond) && ($regcond[1] > 0)) - { - print ' - '.$langs->trans("IfAmountHigherThan",$regcond[1]); - } - print ''; - print $langs->trans("Email"); - print ''.$langs->trans("SeeModuleSetup", $langs->transnoentitiesnoconv("Module600Name")).'
'; - print '+ '.$langs->trans("SeeModuleSetup", $langs->transnoentitiesnoconv("Module600Name")).''; - print '
'; + print ''; + print '

'."\n"; @@ -422,7 +448,7 @@ if ($result > 0) { print ''; // List of notifications done - print_barre_liste($langs->trans("ListOfNotificationsDone"), $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, '', $num, $nbtotalofrecords, '', 0, '', '', $limit); + print_barre_liste($langs->trans("ListOfNotificationsDone"), $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, '', $num, $nbtotalofrecords, 'email', 0, '', '', $limit); // Line with titles print ''; From f6145a119f9074a74f4c5ae310fffc5c06383580 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 20 Mar 2021 18:58:34 +0100 Subject: [PATCH 2/5] Fix #yogosha5679 --- htdocs/variants/admin/admin.php | 2 +- htdocs/variants/ajax/getCombinations.php | 19 ++++++++++++++++++- htdocs/variants/ajax/get_attribute_values.php | 19 ++++++++++++++++++- htdocs/variants/ajax/orderAttribute.php | 12 ++++++++++++ htdocs/variants/card.php | 12 ++++++++++++ htdocs/variants/combinations.php | 12 ++++++++++++ htdocs/variants/create.php | 12 ++++++++++++ htdocs/variants/create_val.php | 12 ++++++++++++ htdocs/variants/list.php | 12 ++++++++++++ 9 files changed, 109 insertions(+), 3 deletions(-) diff --git a/htdocs/variants/admin/admin.php b/htdocs/variants/admin/admin.php index f5467760a89..ade64ea6a7b 100644 --- a/htdocs/variants/admin/admin.php +++ b/htdocs/variants/admin/admin.php @@ -25,7 +25,7 @@ $langs->loadLangs(array("admin", "products")); $action = GETPOST('action', 'alphanohtml'); // Security check -if (!$user->admin || (empty($conf->product->enabled) && empty($conf->service->enabled))) { +if (!$user->admin || empty($conf->variants->enabled)) { accessforbidden(); } diff --git a/htdocs/variants/ajax/getCombinations.php b/htdocs/variants/ajax/getCombinations.php index adb227c2fd6..9c670fa07cc 100644 --- a/htdocs/variants/ajax/getCombinations.php +++ b/htdocs/variants/ajax/getCombinations.php 
@@ -36,7 +36,24 @@ require '../../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php';
 require_once DOL_DOCUMENT_ROOT.'/variants/class/ProductCombination.class.php';
-header('Content-Type: application/json');
+$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;
+
+// Security check
+if (empty($conf->variants->enabled)) {
+ accessforbidden('Module not enabled');
+}
+if ($user->socid > 0) { // Protection if external user
+ accessforbidden();
+}
+//$result = restrictedArea($user, 'variant');
+if (!$permissiontoread) accessforbidden();
+
+
+/*
+ * View
+ */
+
+top_httphead('application/json');
 $id = GETPOST('id', 'int');
diff --git a/htdocs/variants/ajax/get_attribute_values.php b/htdocs/variants/ajax/get_attribute_values.php
index e61676339ee..1d4eab49773 100644
--- a/htdocs/variants/ajax/get_attribute_values.php
+++ b/htdocs/variants/ajax/get_attribute_values.php
@@ -36,7 +36,24 @@ require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php';
 require_once DOL_DOCUMENT_ROOT.'/variants/class/ProductAttribute.class.php';
 require_once DOL_DOCUMENT_ROOT.'/variants/class/ProductAttributeValue.class.php';
-header('Content-Type: application/json');
+$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;
+
+// Security check
+if (empty($conf->variants->enabled)) {
+ accessforbidden('Module not enabled');
+}
+if ($user->socid > 0) { // Protection if external user
+ accessforbidden();
+}
+//$result = restrictedArea($user, 'variant');
+if (!$permissiontoread) accessforbidden();
+
+
+/*
+ * View
+ */
+
+top_httphead('application/json');
 $id = GETPOST('id', 'int');
diff --git a/htdocs/variants/ajax/orderAttribute.php b/htdocs/variants/ajax/orderAttribute.php
index c787517e5c7..1d9e1b8e892 100644
--- a/htdocs/variants/ajax/orderAttribute.php
+++ b/htdocs/variants/ajax/orderAttribute.php
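Review bot: `$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;` dereferences `produit` and `service` without a guard, so if either module is disabled and its rights object is absent every request to this endpoint emits an undefined-property warning; the rest of this series uses the guarded form (`!empty($user->rights->user->user->lire)` in notify/card.php), so write `$permissiontoread = !empty($user->rights->produit->lire) || !empty($user->rights->service->lire);`. The one-line `if (!$permissiontoread) accessforbidden();` is also the only unbraced conditional in the block; braces keep it consistent with the two checks above it. The same block is pasted verbatim into get_attribute_values.php, orderAttribute.php, card.php, combinations.php, create.php, create_val.php and list.php, so the fix has to be applied to each copy, or the block moved into one shared include so the copies cannot drift.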
@@ -37,6 +37,18 @@ if (!defined('NOREQUIRETRAN')) {
 require '../../main.inc.php';
+$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;
+
+// Security check
+if (empty($conf->variants->enabled)) {
+ accessforbidden('Module not enabled');
+}
+if ($user->socid > 0) { // Protection if external user
+ accessforbidden();
+}
+//$result = restrictedArea($user, 'variant');
+if (!$permissiontoread) accessforbidden();
+
 /*
 * View
diff --git a/htdocs/variants/card.php b/htdocs/variants/card.php
index 7a15a4ede97..ed70c6325e3 100644
--- a/htdocs/variants/card.php
+++ b/htdocs/variants/card.php
@@ -36,6 +36,18 @@ if ($object->fetch($id) < 1) {
 exit();
 }
+$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;
+
+// Security check
+if (empty($conf->variants->enabled)) {
+ accessforbidden('Module not enabled');
+}
+if ($user->socid > 0) { // Protection if external user
+ accessforbidden();
+}
+//$result = restrictedArea($user, 'variant');
+if (!$permissiontoread) accessforbidden();
+
 /*
 * Actions
diff --git a/htdocs/variants/combinations.php b/htdocs/variants/combinations.php
index 218ee874bd6..979ec261663 100644
--- a/htdocs/variants/combinations.php
+++ b/htdocs/variants/combinations.php
@@ -64,6 +64,18 @@ if ($id > 0 || $ref) {
 $selectedvariant = $_SESSION['addvariant_'.$object->id];
+$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;
+
+// Security check
+if (empty($conf->variants->enabled)) {
+ accessforbidden('Module not enabled');
+}
+if ($user->socid > 0) { // Protection if external user
+ accessforbidden();
+}
+//$result = restrictedArea($user, 'variant');
+if (!$permissiontoread) accessforbidden();
+
 /*
 * Actions
diff --git a/htdocs/variants/create.php b/htdocs/variants/create.php
index 8f3a1d28d9f..f87ad3ef504 100644
--- a/htdocs/variants/create.php
+++ b/htdocs/variants/create.php
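Review bot: In card.php the new security block is inserted after `if ($object->fetch($id) < 1) { exit(); }`, visible as hunk context, so the record is read from the database on behalf of a caller whose module and permission checks have not yet run; the block belongs directly after the `require` lines, before the fetch. The same ordering problem is in combinations.php, where `$selectedvariant = $_SESSION['addvariant_'.$object->id];` and the `if ($id > 0 || $ref)` fetch above it run first, and in create_val.php in the next hunk, which has the same `fetch($id) < 1` guard ahead of the check. Because the `exit()` path fires before `accessforbidden()`, a caller without permission also receives a different response for an existing id than for an unknown one, which moving the check above the fetch removes.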
@@ -24,6 +24,18 @@ $label = GETPOST('label', 'alpha');
 $backtopage = GETPOST('backtopage', 'alpha');
 $action = GETPOST('action', 'alpha');
+$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;
+
+// Security check
+if (empty($conf->variants->enabled)) {
+ accessforbidden('Module not enabled');
+}
+if ($user->socid > 0) { // Protection if external user
+ accessforbidden();
+}
+//$result = restrictedArea($user, 'variant');
+if (!$permissiontoread) accessforbidden();
+
 /*
 * Actions
diff --git a/htdocs/variants/create_val.php b/htdocs/variants/create_val.php
index 22dc2a1a110..1ca647960e2 100644
--- a/htdocs/variants/create_val.php
+++ b/htdocs/variants/create_val.php
@@ -36,6 +36,18 @@ if ($object->fetch($id) < 1) {
 exit();
 }
+$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;
+
+// Security check
+if (empty($conf->variants->enabled)) {
+ accessforbidden('Module not enabled');
+}
+if ($user->socid > 0) { // Protection if external user
+ accessforbidden();
+}
+//$result = restrictedArea($user, 'variant');
+if (!$permissiontoread) accessforbidden();
+
 /*
 * Actions
diff --git a/htdocs/variants/list.php b/htdocs/variants/list.php
index dde43397671..bfe4dd0aa72 100644
--- a/htdocs/variants/list.php
+++ b/htdocs/variants/list.php
@@ -21,6 +21,18 @@ require DOL_DOCUMENT_ROOT.'/variants/class/ProductAttribute.class.php';
 $action = GETPOST('action', 'aZ09');
 $object = new ProductAttribute($db);
+$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;
+
+// Security check
+if (empty($conf->variants->enabled)) {
+ accessforbidden('Module not enabled');
+}
+if ($user->socid > 0) { // Protection if external user
+ accessforbidden();
+}
+//$result = restrictedArea($user, 'variant');
+if (!$permissiontoread) accessforbidden();
+
 /*
From 46aa01aea0cfafcb435f3c71ced044b2247e9813 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sat, 20 Mar 2021 19:15:15 +0100
Subject: [PATCH 3/5] Fix permission on export of BOM and website
---
 htdocs/core/modules/modBom.class.php | 1 +
 htdocs/core/modules/modWebsite.class.php | 7 +++++++
 2 files changed, 8 insertions(+)
diff --git a/htdocs/core/modules/modBom.class.php b/htdocs/core/modules/modBom.class.php
index b040e4cec99..1c12b6c9f45 100644
--- a/htdocs/core/modules/modBom.class.php
+++ b/htdocs/core/modules/modBom.class.php
@@ -286,6 +286,7 @@ class modBom extends DolibarrModules
 $langs->load("mrp");
 $this->export_code[$r] = $this->rights_class.'_'.$r;
 $this->export_label[$r] = 'BomAndBomLines'; // Translation key (used only if key ExportDataset_xxx_z not found)
+ $this->export_permission[$r] = array(array("bom", "read"));
 $this->export_icon[$r] = 'bom';
 $keyforclass = 'BOM';
 $keyforclassfile = '/bom/class/bom.class.php';
diff --git a/htdocs/core/modules/modWebsite.class.php b/htdocs/core/modules/modWebsite.class.php
index f16a29728be..1d53ee4e15a 100644
--- a/htdocs/core/modules/modWebsite.class.php
+++ b/htdocs/core/modules/modWebsite.class.php
@@ -109,6 +109,12 @@ class modWebsite extends DolibarrModules
 $this->rights[$r][4] = 'delete';
 $r++;
+ $this->rights[$r][0] = 10008;
+ $this->rights[$r][1] = 'Export website content';
+ $this->rights[$r][3] = 0;
+ $this->rights[$r][4] = 'export';
+ $r++;
+
 // Main menu entries
 $r = 0;
 $this->menu[$r] = array('fk_menu'=>'0', // Use 'fk_mainmenu=xxx' or 'fk_mainmenu=xxx,fk_leftmenu=yyy' where xxx is mainmenucode and yyy is a leftmenucode
@@ -130,6 +136,7 @@ class modWebsite extends DolibarrModules
 $this->export_code[$r] = $this->rights_class.'_'.$r;
 $this->export_label[$r] = 'MyWebsitePages'; // Translation key (used only if key ExportDataset_xxx_z not found)
+ $this->export_permission[$r] = array(array("website", "export"));
 $this->export_icon[$r] = 'globe';
 $keyforclass = 'WebsitePage';
 $keyforclassfile = '/website/class/websitepage.class.php';
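Review bot: The new `export` right (`$this->rights[$r][0] = 10008`, default `$this->rights[$r][3] = 0`) is declared in the module descriptor, and the last patch of this series makes the `exportsite` action in website/index.php depend on `$user->rights->website->export`; if, as I expect from how these descriptors are normally consumed, the right is only inserted when the module's rights are (re)loaded, existing installations will lose website export for every user until the Website module is re-enabled or the permission is granted explicitly — worth confirming. This behaviour change deserves an entry in the ChangeLog WARNING section, e.g. `* Exporting a website now requires the new permission "Export website content"; grant it (or re-enable the Website module) after upgrade.` The modBom hunk maps its export dataset to `"read"` while modWebsite maps to the new `"export"`; a one-line comment next to the BOM entry stating that reading a BOM is considered sufficient to export it would make the asymmetry deliberate rather than accidental.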
From e5a94d9257576a6b4b6b6d8002f6d25ac27d84b5 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sat, 20 Mar 2021 19:16:44 +0100
Subject: [PATCH 4/5] Fix export
---
 htdocs/exports/export.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/exports/export.php b/htdocs/exports/export.php
index dc23a8ab362..117cb7968d4 100644
--- a/htdocs/exports/export.php
+++ b/htdocs/exports/export.php
@@ -449,7 +449,7 @@ if ($step == 1 || !$datatoexport) {
 if ($objexport->array_export_perms[$key]) {
 print ''.img_picto($langs->trans("NewExport"), 'next', 'class="fa-15x"').'';
 } else {
- print $langs->trans("NotEnoughPermissions");
+ print ''.$langs->trans("NotEnoughPermissions").'';
 }
 print '';
 }
From 6a8f4ac8927675d879979eac4f0f81e0a7ce989b Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sat, 20 Mar 2021 19:30:08 +0100
Subject: [PATCH 5/5] NEW Add permission "export website"
---
 htdocs/exports/export.php | 3 +++
 htdocs/exports/index.php | 5 +++--
 htdocs/website/index.php | 32 ++++++++++++++++++--------------
 3 files changed, 24 insertions(+), 16 deletions(-)
diff --git a/htdocs/exports/export.php b/htdocs/exports/export.php
index 117cb7968d4..b3d0cf49a32 100644
--- a/htdocs/exports/export.php
+++ b/htdocs/exports/export.php
@@ -154,6 +154,9 @@ $upload_dir = $conf->export->dir_temp.'/'.$user->id;
 //$usefilters=($conf->global->MAIN_FEATURES_LEVEL > 1);
 $usefilters = 1;
+// Security check
+$result = restrictedArea($user, 'export');
+
 /*
 * Actions
diff --git a/htdocs/exports/index.php b/htdocs/exports/index.php
index 22b1729550d..3ba5e0a3591 100644
--- a/htdocs/exports/index.php
+++ b/htdocs/exports/index.php
@@ -27,11 +27,12 @@ require_once DOL_DOCUMENT_ROOT.'/exports/class/export.class.php';
 // Load translation files required by the page
 $langs->load("exports");
+$export = new Export($db);
+$export->load_arrays($user);
+
 // Security check
 $result = restrictedArea($user, 'export');
-$export = new Export($db);
-$export->load_arrays($user);
 /*
 * View
diff --git a/htdocs/website/index.php b/htdocs/website/index.php
index 034583d3440..021edc52920 100644
--- a/htdocs/website/index.php
+++ b/htdocs/website/index.php
@@ -477,7 +477,7 @@ if ($massaction == 'setcategory' && GETPOST('confirmmassaction', 'alpha') && $us
 }
 // Replacement of string into pages
-if ($massaction == 'replace' && GETPOST('confirmmassaction', 'alpha')) {
+if ($massaction == 'replace' && GETPOST('confirmmassaction', 'alpha') && $usercanedit) {
 $replacestring = GETPOST('replacestring', 'none');
 if (empty($user->rights->website->writephp)) {
@@ -567,7 +567,7 @@ if ($action == 'adddir' && $permtouploadfile)
 */
 // Add site
-if ($action == 'addsite') {
+if ($action == 'addsite' && $usercanedit) {
 $db->begin();
 if (GETPOST('virtualhost', 'alpha') && !preg_match('/^http/', GETPOST('virtualhost', 'alpha'))) {
@@ -625,7 +625,7 @@ if ($action == 'addsite') {
 }
 // Add page/container
-if ($action == 'addcontainer') {
+if ($action == 'addcontainer' && $usercanedit) {
 dol_mkdir($pathofwebsite);
 $db->begin();
@@ -1148,7 +1148,7 @@ if ($action == 'addcontainer') {
 }
 // Delete site
-if ($action == 'confirm_deletesite' && $confirm == 'yes') {
+if ($action == 'confirm_deletesite' && $confirm == 'yes' && $permissiontodelete) {
 $error = 0;
 $db->begin();
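Review bot: The exports/index.php hunk moves `$export = new Export($db); $export->load_arrays($user);` above `$result = restrictedArea($user, 'export');`, so every module's export definitions are now loaded before the permission check that may refuse the request; unless `restrictedArea()` needs `$export` (nothing in the hunk suggests it does), keep the check first and place the two lines after it. In the previous hunk (export.php @@ -154) the new `restrictedArea($user, 'export')` call is likewise appended at the end of the setup section rather than directly after the `require` and GETPOST lines; the earlier it runs, the less code executes for a caller who is about to be refused.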
@@ -1276,7 +1276,7 @@ if (!GETPOSTISSET('pageid')) {
 }
 // Update css Update site properties
-if ($action == 'updatecss') {
+if ($action == 'updatecss' && $usercanedit) {
 // If we tried to reload another site/page, we stay on editcss mode.
 if (GETPOST('refreshsite') || GETPOST('refreshsite_x') || GETPOST('refreshsite.x') || GETPOST('refreshpage') || GETPOST('refreshpage_x') || GETPOST('refreshpage.x')) {
 $action = 'editcss';
@@ -1523,7 +1523,7 @@ if ($action == 'updatecss') {
 }
 // Update page
-if ($action == 'setashome') {
+if ($action == 'setashome' && $usercanedit) {
 $db->begin();
 $object->fetch(0, $websitekey);
 $website = $object;
@@ -1556,7 +1556,7 @@ if ($action == 'setashome') {
 }
 // Update page properties (meta)
-if ($action == 'updatemeta') {
+if ($action == 'updatemeta' && $usercanedit) {
 $db->begin();
 $result = $object->fetch(0, $websitekey);
@@ -1778,8 +1778,8 @@ if ($action == 'updatemeta') {
 }
 // Update page
-if (($action == 'updatesource' || $action == 'updatecontent' || $action == 'confirm_createfromclone' || $action == 'confirm_createpagefromclone')
- || ($action == 'preview' && (GETPOST('refreshsite') || GETPOST('refreshpage') || GETPOST('preview')))) {
+if ($usercanedit && (($action == 'updatesource' || $action == 'updatecontent' || $action == 'confirm_createfromclone' || $action == 'confirm_createpagefromclone')
+ || ($action == 'preview' && (GETPOST('refreshsite') || GETPOST('refreshpage') || GETPOST('preview'))))) {
 $object->fetch(0, $websitekey);
 $website = $object;
@@ -2041,7 +2041,7 @@ if (($action == 'updatesource' || $action == 'updatecontent' || $action == 'conf
 }
 // Export site
-if ($action == 'exportsite') {
+if ($action == 'exportsite' && !empty($user->rights->website->export)) {
 $fileofzip = $object->exportWebSite();
 if ($fileofzip) {
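Review bot: `!empty($user->rights->website->export)` is evaluated inline in the `exportsite` condition here and again to build `$disabledexport` in the @@ -2331 hunk, whereas every other action in this file is gated through a precomputed flag (`$usercanedit`, `$permissiontodelete`, both defined outside these hunks); define `$permissiontoexport = !empty($user->rights->website->export);` next to them and use it in both places so the server-side gate and the button state cannot diverge. `importsiteconfirm` (@@ -2085) is gated by `$usercanedit` only, while the `replace` massaction in the @@ -477 hunk additionally checks `$user->rights->website->writephp` before rewriting page content; since an imported site may carry page source, it is worth confirming whether import should require the same stronger right.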
@@ -2060,7 +2060,7 @@ if ($action == 'exportsite') {
 }
 // Regenerate site
-if ($action == 'regeneratesite') {
+if ($action == 'regeneratesite' && $usercanedit) {
 // Check symlink to medias and restore it if ko. Recreate also dir of website if not found.
 $pathtomedias = DOL_DATA_ROOT.'/medias';
 $pathtomediasinwebsite = $pathofwebsite.'/medias';
@@ -2085,7 +2085,7 @@ if ($action == 'regeneratesite') {
 }
 // Import site
-if ($action == 'importsiteconfirm') {
+if ($action == 'importsiteconfirm' && $usercanedit) {
 if (empty($_FILES) && !GETPOSTISSET('templateuserfile')) {
 setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("File")), null, 'errors');
 $action = 'importsite';
@@ -2162,7 +2162,7 @@ $domainname = '0.0.0.0:8080';
 $tempdir = $conf->website->dir_output.'/'.$websitekey.'/';
 // Generate web site sitemaps
-if ($action == 'generatesitemaps') {
+if ($action == 'generatesitemaps' && $usercanedit) {
 $domtree = new DOMDocument('1.0', 'UTF-8');
 $root = $domtree->createElementNS('http://www.sitemaps.org/schemas/sitemap/0.9', 'urlset');
 $domtree->formatOutput = true;
@@ -2331,6 +2331,10 @@ if (!GETPOST('hide_websitemenu')) {
 if (empty($user->rights->website->write)) {
 $disabled = ' disabled="disabled"';
 }
+ $disabledexport = '';
+ if (empty($user->rights->website->export)) {
+ $disabledexport = ' disabled="disabled"';
+ }
 if ($websitekey) {
 $virtualurl = '';
@@ -2446,7 +2450,7 @@ if (!GETPOST('hide_websitemenu')) {
 }
 //print '';
- print '';
+ print '';
 print '';