From a7c809d0dd36e69c06320348cc955a99c889ba12 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 30 May 2010 12:21:32 +0000 Subject: [PATCH] More fix on project permission. There is still errors on task (too many task shown) but project lists are ok.
---
 htdocs/core/class/html.form.class.php | 27 +++++++++++++++----------
 htdocs/lib/project.lib.php | 2 +-
 htdocs/projet/activity/index.php | 10 ++++-----
 htdocs/projet/activity/list.php | 4 ++--
 htdocs/projet/class/project.class.php | 29 ++++++++++++++++++---------
 htdocs/projet/contact.php | 10 +++------
 htdocs/projet/document.php | 16 +++++----------
 htdocs/projet/element.php | 12 ++++-------
 htdocs/projet/fiche.php | 12 ++++-------
 htdocs/projet/ganttview.php | 12 ++++-------
 htdocs/projet/index.php | 4 ++--
 htdocs/projet/liste.php | 4 +++-
 htdocs/projet/note.php | 12 ++++-------
 htdocs/projet/tasks/contact.php | 3 ++-
 htdocs/projet/tasks/document.php | 11 ++++++----
 htdocs/projet/tasks/fiche.php | 18 ++++++-----------
 htdocs/projet/tasks/index.php | 8 +++++---
 htdocs/projet/tasks/note.php | 3 ++-
 htdocs/projet/tasks/task.php | 8 ++++++--
 htdocs/projet/tasks/time.php | 4 ++++
 20 files changed, 104 insertions(+), 105 deletions(-)
diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php
index 023c623e0cd..fc021fca1ca 100644
--- a/htdocs/core/class/html.form.class.php
+++ b/htdocs/core/class/html.form.class.php
@@ -2377,10 +2377,11 @@ class Form * @param form_name Nom du formulaire de provenance. Utilise pour les dates en popup. * @param d 1=Affiche aussi les jours, mois, annees * @param addnowbutton Add a button "Now" - * @param nooutput Do not output zone but return it + * @param nooutput Do not output html string but return it + * @param disabled Disable input fields * @return nothing or string if nooutput is 1 */ - function select_date($set_time='', $prefix='re', $h=0, $m=0, $empty=0, $form_name="", $d=1, $addnowbutton=0, $nooutput=0) + function select_date($set_time='', $prefix='re', $h=0, $m=0, $empty=0, $form_name="", $d=1, $addnowbutton=0, $nooutput=0, $disabled=0) { global $conf,$langs; @@ -2440,13 +2441,17 @@ class Form { // Zone de saisie manuelle de la date $retstring.='format_date_short_java.'\'); "'; $retstring.='>'; // Icone calendrier - $retstring.=''; + if (! $disabled) + { + $retstring.=''; + } $retstring.=''."\n"; $retstring.=''."\n"; @@ -2489,7 +2494,7 @@ class Form if (! $conf->use_javascript_ajax || ! $conf->use_popup_calendar) { // Jour - $retstring.='"; - $retstring.=''; + $retstring.=''; } else { - $retstring.=''; + $retstring.=''; if ($empty) $retstring.=''; for ($hour = 0; $hour < 24; $hour++) { @@ -2585,7 +2590,7 @@ class Form /* * Affiche min en select */ - $retstring.=''; diff --git a/htdocs/projet/activity/index.php b/htdocs/projet/activity/index.php index 18fa0c7e2dd..f2eb598999a 100644 --- a/htdocs/projet/activity/index.php +++ b/htdocs/projet/activity/index.php @@ -33,11 +33,11 @@ require_once(DOL_DOCUMENT_ROOT."/lib/project.lib.php"); $mine = $_REQUEST['mode']=='mine' ? 1 : 0; // Security check +$socid=0; +if ($user->societe_id > 0) $socid=$user->societe_id; +//$result = restrictedArea($user, 'projet', $projectid); if (!$user->rights->projet->lire) accessforbidden(); -if ($user->societe_id > 0) -{ - $socid = $user->societe_id; -} + $langs->load("projects"); 
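Review bot: The new `$socid` is computed for external users in the htdocs/projet/activity/index.php hunk but nothing in the hunk consumes it, and the added `//$result = restrictedArea($user, 'projet', $projectid);` refers to `$projectid`, which this hunk never defines, so re-enabling the line as written would pass an undefined value. Unless the listing further down filters on `$socid` (not visible here), an external user with `projet->lire` sees the same activity index as an internal one. Either hand `$socid` to whatever builds the list, or drop the dead comment so the page does not advertise a check that is not there.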
@@ -46,7 +46,7 @@ $langs->load("projects");
 * View
 */
-$now = gmmktime();
+$now = dol_now();
 $projectstatic=new Project($db);
diff --git a/htdocs/projet/activity/list.php b/htdocs/projet/activity/list.php
index 29585268ba0..52d514bd3dc 100644
--- a/htdocs/projet/activity/list.php
+++ b/htdocs/projet/activity/list.php
@@ -40,7 +40,7 @@ $projectid=isset($_GET["id"])?$_GET["id"]:$_POST["projectid"];
 // Security check
 $socid=0;
-if ($user->societe_id) $socid=$user->societe_id;
+if ($user->societe_id > 0) $socid=$user->societe_id;
 $result = restrictedArea($user, 'projet', $projectid);
 /*
@@ -81,7 +81,7 @@ if ($_POST["action"] == 'addtime' && $user->rights->projet->creer)
 $task->timespent_duration = $_POST[$id."hour"]*60*60; // We store duration in seconds
 $task->timespent_duration+= $_POST[$id."min"]*60; // We store duration in seconds
 $task->timespent_date = dol_mktime(12,0,0,$_POST["$id"."month"],$_POST["$id"."day"],$_POST["$id"."year"]);
-
+
 $task->addTimeSpent($user);
 }
 else
diff --git a/htdocs/projet/class/project.class.php b/htdocs/projet/class/project.class.php
index 7d5c3aa9bff..56c38c70fda 100644
--- a/htdocs/projet/class/project.class.php
+++ b/htdocs/projet/class/project.class.php
@@ -692,13 +692,15 @@ class Project extends CommonObject
 }
 /**
- * \brief Check permissions
+ * \brief Check permissions
+ * @param user Object user to evaluate
+ * @param noprint 0=Print forbidden message if no permission, 1=Return -1 if no permission
 */
- function restrictedProjectArea($user,$list=0)
+ function restrictedProjectArea($user,$noprint=0)
 {
 // To verify role of users
 $userAccess = 0;
- if ((!empty($this->user_author_id) && $this->user_author_id == $user->id) || $user->rights->projet->all->lire)
+ if ($user->rights->projet->all->lire)
 {
 $userAccess = 1;
 }
@@ -713,21 +715,28 @@ class Project extends CommonObject
 $userRole = $this->liste_contact(4,$source);
 $num=sizeof($userRole);
- $i = 0;
- while ($i < $num)
+ $nblinks = 0;
+ while ($nblinks < $num)
 {
- if ($userRole[$i]['code'] == 'PROJECTLEADER' && $user->id == $userRole[$i]['id'])
+ if (preg_match('/PROJECT/',$userRole[$nblinks]['code']) && $user->id == $userRole[$nblinks]['id'])
 {
 $userAccess++;
 }
- $i++;
+ $nblinks++;
 }
 }
+ //if (empty($nblinks)) // If nobody has permission, we grant creator
+ //{
+ // if ((!empty($this->user_author_id) && $this->user_author_id == $user->id))
+ // {
+ // $userAccess = 1;
+ // }
+ //}
 }
- if (!$userAccess && !$this->public)
+ if (! $userAccess)
 {
- if (!$list)
+ if (!$noprint)
 {
 accessforbidden('',0);
 }
@@ -776,7 +785,7 @@ class Project extends CommonObject
 if ($mode == 0)
 {
 $sql.= " AND ( p.public = 1";
- $sql.= " OR p.fk_user_creat = ".$user->id;
+ //$sql.= " OR p.fk_user_creat = ".$user->id;
 $sql.= " OR ( ec.element_id = p.rowid";
 $sql.= " AND ctc.rowid = ec.fk_c_type_contact";
 $sql.= " AND ctc.element = '".$this->element."'";
diff --git a/htdocs/projet/contact.php b/htdocs/projet/contact.php
index 24de6cea62e..10d2b1798a4 100644
--- a/htdocs/projet/contact.php
+++ b/htdocs/projet/contact.php
@@ -34,15 +34,11 @@ $langs->load("companies");
 $projectid = isset($_GET["id"])?$_GET["id"]:'';
-// Security check
-if (empty($user->rights->projet->all->lire))
-{
- $_GET["mode"]='mine';
- $_POST["mode"]='mine';
- $_REQUEST["mode"]='mine';
-}
 $mine = $_REQUEST['mode']=='mine' ? 1 : 0;
 //if (! $user->rights->projet->all->lire) $mine=1; // Special for projects
+
+// Security check
+$socid=0;
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'projet', $projectid);
diff --git a/htdocs/projet/document.php b/htdocs/projet/document.php
index 272936e5568..db64340449b 100644
--- a/htdocs/projet/document.php
+++ b/htdocs/projet/document.php
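Review bot: Dropping `!$this->public` from the final condition makes `restrictedProjectArea()` deny public projects to every user who is neither `projet->all->lire` nor a matching project contact, while `getProjectsAuthorizedForUser()` in the hunk at `@@ -776,7 +785,7 @@` still selects them with `p.public = 1`; a user will see a public project in the list and then hit `accessforbidden()` when opening it. If public projects are meant to stay readable, keep `if (!$userAccess && !$this->public)`; if not, the `p.public = 1` clause should go as well so list and card agree. The widened `preg_match('/PROJECT/', ...)` also matches any contact-type code that merely contains that substring; if only the PROJECT* roles are intended, `preg_match('/^PROJECT/', ...)` makes that explicit. The function body starts and ends outside the hunk.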
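Review bot: The surviving `if ($user->societe_id) $socid=$user->societe_id;` in htdocs/projet/contact.php is the only one of the touched pages that still tests truthiness instead of `> 0`; every sibling file in this commit was changed to `if ($user->societe_id > 0) $socid=$user->societe_id;`. Aligning it keeps the security-check preamble identical across the project pages, which makes a future audit of these headers a simple diff.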
@@ -32,20 +32,14 @@ require_once(DOL_DOCUMENT_ROOT."/core/class/html.formfile.class.php");
 $langs->load('projects');
 $langs->load('other');
-$id=empty($_GET['id']) ? 0 : intVal($_GET['id']);
-
-// Security check
-if (empty($user->rights->projet->all->lire))
-{
- $_GET["mode"]='mine';
- $_POST["mode"]='mine';
- $_REQUEST["mode"]='mine';
-}
 $mine = $_REQUEST['mode']=='mine' ? 1 : 0;
 //if (! $user->rights->projet->all->lire) $mine=1; // Special for projects
-$socid=0;
+
 $id = isset($_GET["id"])?$_GET["id"]:'';
-if ($user->societe_id) $socid=$user->societe_id;
+
+// Security check
+$socid=0;
+if ($user->societe_id > 0) $socid=$user->societe_id;
 $result=restrictedArea($user,'projet',$id,'');
 // Get parameters
diff --git a/htdocs/projet/element.php b/htdocs/projet/element.php
index 3efd230d1e3..a653eb7d8a4 100644
--- a/htdocs/projet/element.php
+++ b/htdocs/projet/element.php
@@ -56,16 +56,12 @@ if ($projectid == '' && $ref == '')
 exit;
 }
-// Security check
-if (empty($user->rights->projet->all->lire))
-{
- $_GET["mode"]='mine';
- $_POST["mode"]='mine';
- $_REQUEST["mode"]='mine';
-}
 $mine = $_REQUEST['mode']=='mine' ? 1 : 0;
 //if (! $user->rights->projet->all->lire) $mine=1; // Special for projects
-if ($user->societe_id) $socid=$user->societe_id;
+
+// Security check
+$socid=0;
+if ($user->societe_id > 0) $socid=$user->societe_id;
 $result = restrictedArea($user, 'projet', $projectid);
diff --git a/htdocs/projet/fiche.php b/htdocs/projet/fiche.php
index 7c830b398c8..30068a8a286 100644
--- a/htdocs/projet/fiche.php
+++ b/htdocs/projet/fiche.php
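Review bot: Removing `$id=empty($_GET['id']) ? 0 : intVal($_GET['id']);` in htdocs/projet/document.php leaves `$id = isset($_GET["id"])?$_GET["id"]:'';` as the only definition, so the request parameter reaches `restrictedArea()` and, presumably, the fetch and SQL further down without the integer cast it had before; the same removal appears in htdocs/projet/tasks/document.php. Keeping the cast costs one line: `$id = empty($_GET['id']) ? 0 : (int) $_GET['id'];`.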
@@ -47,16 +47,12 @@ if (! empty($_REQUEST['socid_id']))
 if ($projectid == '' && $projectref == '' && ($_GET['action'] != "create" && $_POST['action'] != "add" && $_POST["action"] != "update" && !$_POST["cancel"])) accessforbidden();
-// Security check
-if (empty($user->rights->projet->all->lire))
-{
- $_GET["mode"]='mine';
- $_POST["mode"]='mine';
- $_REQUEST["mode"]='mine';
-}
 $mine = $_REQUEST['mode']=='mine' ? 1 : 0;
 //if (! $user->rights->projet->all->lire) $mine=1; // Special for projects
-if ($user->societe_id) $socid=$user->societe_id;
+
+// Security check
+$socid=0;
+if ($user->societe_id > 0) $socid=$user->societe_id;
 $result = restrictedArea($user, 'projet', $projectid);
diff --git a/htdocs/projet/ganttview.php b/htdocs/projet/ganttview.php
index 0fa9dcb3ae2..d8dcdc76ba8 100644
--- a/htdocs/projet/ganttview.php
+++ b/htdocs/projet/ganttview.php
@@ -38,16 +38,12 @@ require_once(DOL_DOCUMENT_ROOT."/core/class/html.formother.class.php");
 $projectid=isset($_REQUEST["id"])?$_REQUEST["id"]:$_POST["id"];
-// Security check
-if (empty($user->rights->projet->all->lire))
-{
- $_GET["mode"]='mine';
- $_POST["mode"]='mine';
- $_REQUEST["mode"]='mine';
-}
 $mine = $_REQUEST['mode']=='mine' ? 1 : 0;
 //if (! $user->rights->projet->all->lire) $mine=1; // Special for projects
-if ($user->societe_id) $socid=$user->societe_id;
+
+// Security check
+$socid=0;
+if ($user->societe_id > 0) $socid=$user->societe_id;
 $result = restrictedArea($user, 'projet', $projectid);
 $userAccess=0;
diff --git a/htdocs/projet/index.php b/htdocs/projet/index.php
index 76325a52eb5..c215dfdfd3e 100644
--- a/htdocs/projet/index.php
+++ b/htdocs/projet/index.php
@@ -35,8 +35,8 @@ $langs->load("projects");
 $mine = $_REQUEST['mode']=='mine' ? 1 : 0;
 // Security check
-//if (! $user->rights->projet->all->lire) $mine=1; // Special for projects
-if ($user->societe_id > 0) $socid = $user->societe_id;
+$socid=0;
+if ($user->societe_id > 0) $socid=$user->societe_id;
 if (!$user->rights->projet->lire) accessforbidden();
diff --git a/htdocs/projet/liste.php b/htdocs/projet/liste.php
index 0bdc1c882a2..5b79afdaf76 100644
--- a/htdocs/projet/liste.php
+++ b/htdocs/projet/liste.php
@@ -36,7 +36,9 @@ $socid = ( is_numeric($_GET["socid"]) ? $_GET["socid"] : 0 );
 $title = $langs->trans("Projects");
 // Security check
-if ($user->societe_id > 0) $socid = $user->societe_id;
+$socid=0;
+if ($user->societe_id > 0) $socid=$user->societe_id;
+
 if ($socid > 0)
 {
diff --git a/htdocs/projet/note.php b/htdocs/projet/note.php
index 1ebb7ac8eca..99bba94acd7 100644
--- a/htdocs/projet/note.php
+++ b/htdocs/projet/note.php
@@ -31,16 +31,12 @@ $langs->load('projects');
 $id = isset($_GET["id"])?$_GET["id"]:'';
-// Security check
-if (empty($user->rights->projet->all->lire))
-{
- $_GET["mode"]='mine';
- $_POST["mode"]='mine';
- $_REQUEST["mode"]='mine';
-}
 $mine = $_REQUEST['mode']=='mine' ? 1 : 0;
 //if (! $user->rights->projet->all->lire) $mine=1; // Special for projects
-if ($user->societe_id) $socid=$user->societe_id;
+
+// Security check
+$socid=0;
+if ($user->societe_id > 0) $socid=$user->societe_id;
 $result = restrictedArea($user, 'projet', $id);
diff --git a/htdocs/projet/tasks/contact.php b/htdocs/projet/tasks/contact.php
index 354be931de5..8c1106e531d 100644
--- a/htdocs/projet/tasks/contact.php
+++ b/htdocs/projet/tasks/contact.php
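Review bot: The added `$socid=0;` in htdocs/projet/liste.php unconditionally discards the filter parsed on the hunk-header line `$socid = ( is_numeric($_GET["socid"]) ? $_GET["socid"] : 0 );`, so an internal user can no longer list projects for one company; only an external user (societe_id > 0) ends up with a non-zero value. The override for external users is all that is needed here: keep `if ($user->societe_id > 0) $socid=$user->societe_id;` and drop the reset line, which preserves the restriction while leaving the internal user's filter intact.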
@@ -38,7 +38,8 @@ $langs->load("companies");
 $taskid = isset($_GET["id"])?$_GET["id"]:'';
 // Security check
-if ($user->societe_id) $socid=$user->societe_id;
+$socid=0;
+if ($user->societe_id > 0) $socid = $user->societe_id;
 //$result = restrictedArea($user, 'projet', $taskid, 'projet_task');
 if (!$user->rights->projet->lire) accessforbidden();
diff --git a/htdocs/projet/tasks/document.php b/htdocs/projet/tasks/document.php
index 86b1038b4c8..28ff56c6e77 100644
--- a/htdocs/projet/tasks/document.php
+++ b/htdocs/projet/tasks/document.php
@@ -30,19 +30,22 @@ require_once(DOL_DOCUMENT_ROOT.'/lib/project.lib.php');
 require_once(DOL_DOCUMENT_ROOT."/lib/files.lib.php");
 require_once(DOL_DOCUMENT_ROOT."/core/class/html.formfile.class.php");
-if (!$user->rights->projet->lire) accessforbidden();
 $langs->load('projects');
 $langs->load('other');
-$id=empty($_GET['id']) ? 0 : intVal($_GET['id']);
 $action=empty($_GET['action']) ? (empty($_POST['action']) ? '' : $_POST['action']) : $_GET['action'];
+$mine = $_REQUEST['mode']=='mine' ? 1 : 0;
+//if (! $user->rights->projet->all->lire) $mine=1; // Special for projects
+
+$id = isset($_GET["id"])?$_GET["id"]:'';
+
 // Security check
 $socid=0;
-$id = isset($_GET["id"])?$_GET["id"]:'';
-if ($user->societe_id) $socid=$user->societe_id;
+if ($user->societe_id > 0) $socid = $user->societe_id;
 //$result=restrictedArea($user,'projet',$id,'');
+if (!$user->rights->projet->lire) accessforbidden();
 // Get parameters
 $page=$_GET["page"];
diff --git a/htdocs/projet/tasks/fiche.php b/htdocs/projet/tasks/fiche.php
index 5f15c6abb3d..95e183707fb 100644
--- a/htdocs/projet/tasks/fiche.php
+++ b/htdocs/projet/tasks/fiche.php
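Review bot: With `//$result = restrictedArea($user, 'projet', $taskid, 'projet_task');` left commented in htdocs/projet/tasks/contact.php, the only gate on the page is the module-level `if (!$user->rights->projet->lire) accessforbidden();`, so the `$taskid` taken from `$_GET` is accepted for any task, including tasks of projects the user is not linked to; `$socid` is assigned but nothing in the hunk uses it. The same shape appears in htdocs/projet/tasks/document.php (this line), htdocs/projet/tasks/fiche.php and htdocs/projet/tasks/note.php. Unless each of these pages later calls `restrictedProjectArea()` on the task's project the way htdocs/projet/tasks/task.php does (`$userAccess = $projectstatic->restrictedProjectArea($user);`), the per-object check is gone; either restore the call or add a comment such as `// Per-task access is enforced below via Project::restrictedProjectArea()` next to the commented line so the intent is visible to the next reader.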
@@ -32,20 +32,14 @@ require_once(DOL_DOCUMENT_ROOT."/lib/project.lib.php");
 require_once(DOL_DOCUMENT_ROOT."/lib/date.lib.php");
 require_once(DOL_DOCUMENT_ROOT."/core/class/html.formother.class.php");
-$projectid='';
-$projectid=isset($_REQUEST["id"])?$_REQUEST["id"]:$_POST["id"];
-
-// Security check
-if (empty($user->rights->projet->all->lire))
-{
- $_GET["mode"]='mine';
- $_POST["mode"]='mine';
- $_REQUEST["mode"]='mine';
-}
 $mine = $_REQUEST['mode']=='mine' ? 1 : 0;
 //if (! $user->rights->projet->all->lire) $mine=1; // Special for projects
-if ($user->societe_id) $socid=$user->societe_id;
-$result = restrictedArea($user, 'projet', $projectid);
+
+// Security check
+$socid=0;
+if ($user->societe_id > 0) $socid = $user->societe_id;
+//$result = restrictedArea($user, 'projet', $projectid);
+if (!$user->rights->projet->lire) accessforbidden();
 $userAccess=0;
diff --git a/htdocs/projet/tasks/index.php b/htdocs/projet/tasks/index.php
index 348035bbb89..2b23b7e5ce9 100644
--- a/htdocs/projet/tasks/index.php
+++ b/htdocs/projet/tasks/index.php
@@ -35,8 +35,8 @@ $langs->load('projects');
 // Security check
 $socid=0;
-if (!$user->rights->projet->lire) accessforbidden();
 if ($user->societe_id > 0) $socid = $user->societe_id;
+if (!$user->rights->projet->lire) accessforbidden();
 $sortfield = isset($_GET["sortfield"])?$_GET["sortfield"]:$_POST["sortfield"];
 $sortorder = isset($_GET["sortorder"])?$_GET["sortorder"]:$_POST["sortorder"];
@@ -44,13 +44,13 @@ $page = isset($_GET["page"])? $_GET["page"]:$_POST["page"];
 $page = is_numeric($page) ? $page : 0;
 $page = $page == -1 ? 0 : $page;
+$mine = $_REQUEST['mode']=='mine' ? 1 : 0;
+
 /*
 * View
 */
-$mine = $_REQUEST['mode']=='mine' ? 1 : 0;
-
 $title=$langs->trans("Activities");
 if ($mine) $title=$langs->trans("MyActivities");
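Review bot: The removed `$projectid=isset($_REQUEST["id"])?$_REQUEST["id"]:$_POST["id"];` in htdocs/projet/tasks/fiche.php is still named by the new `//$result = restrictedArea($user, 'projet', $projectid);`, and if anything after `$userAccess=0;` reads `$projectid` (not visible in this hunk) it is now undefined. Either define the variable again next to the `$mine` line, or remove the dead comment so the page does not look as if an object-level check is in place when only the module-level `projet->lire` test runs.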
@@ -78,6 +78,8 @@ else
 }
+//$projectsListId = $project->getProjectsAuthorizedForUser($user,$mine,1);
+
 // Get list of tasks in tasksarray and taskarrayfiltered
 // We need all tasks (even not limited to a user because a task to user
 // can have a parent that is not affected to him).
diff --git a/htdocs/projet/tasks/note.php b/htdocs/projet/tasks/note.php
index 7aa3b7e2e7c..351d238db0f 100644
--- a/htdocs/projet/tasks/note.php
+++ b/htdocs/projet/tasks/note.php
@@ -33,7 +33,8 @@ $langs->load('projects');
 $id = isset($_GET["id"])?$_GET["id"]:'';
 // Security check
-if ($user->societe_id) $socid=$user->societe_id;
+$socid=0;
+if ($user->societe_id > 0) $socid = $user->societe_id;
 if (!$user->rights->projet->lire) accessforbidden();
 //$result = restrictedArea($user, 'projet', $id, '', 'task'); // TODO ameliorer la verification
diff --git a/htdocs/projet/tasks/task.php b/htdocs/projet/tasks/task.php
index bf380aa2c8b..76c15fa93f4 100644
--- a/htdocs/projet/tasks/task.php
+++ b/htdocs/projet/tasks/task.php
@@ -34,8 +34,12 @@ require_once(DOL_DOCUMENT_ROOT."/core/class/html.formother.class.php");
 $taskid = (isset($_GET["id"])?$_GET["id"]:(isset($_POST["id"])?$_POST["id"]:''));
 $taskref = (isset($_GET["ref"])?$_GET["ref"]:'');
+// Security check
+$socid=0;
+if ($user->societe_id > 0) $socid = $user->societe_id;
 if (!$user->rights->projet->lire) accessforbidden();
+
 /*
 * Actions
 */
@@ -121,12 +125,12 @@ if ($taskid)
 {
 $result=$projectstatic->fetch($task->fk_project);
 if (! empty($projectstatic->socid)) $projectstatic->societe->fetch($projectstatic->socid);
-
+
 // To verify role of users
 $userAccess = $projectstatic->restrictedProjectArea($user);
 if ($mesg) print $mesg;
-
+
 $head=task_prepare_head($task);
 dol_fiche_head($head, 'task', $langs->trans("Task"),0,'projecttask');
diff --git a/htdocs/projet/tasks/time.php b/htdocs/projet/tasks/time.php
index 00c8cffc082..38fde85ce6d 100644
--- a/htdocs/projet/tasks/time.php
+++ b/htdocs/projet/tasks/time.php
@@ -33,8 +33,12 @@ require_once(DOL_DOCUMENT_ROOT."/lib/date.lib.php");
 $langs->load('projects');
+// Security check
+$socid=0;
+if ($user->societe_id > 0) $socid = $user->societe_id;
 if (!$user->rights->projet->lire) accessforbidden();
+
 /*
 * Actions
 */