From 43a6366f1b7752f919a2a0c663c83aa1c0e17e42 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 28 Feb 2017 11:48:46 +0100
Subject: [PATCH] Fix security audit was not triggered.

---
 .../interface_20_all_Logevents.class.php | 3 ++
 htdocs/user/class/user.class.php | 50 +++++++++++------
 htdocs/user/class/usergroup.class.php | 54 +++++++++++++------
 htdocs/user/group/card.php | 26 ++++-----
 4 files changed, 88 insertions(+), 45 deletions(-)

diff --git a/htdocs/core/triggers/interface_20_all_Logevents.class.php b/htdocs/core/triggers/interface_20_all_Logevents.class.php
index 48702607b77..466712260c6 100644
--- a/htdocs/core/triggers/interface_20_all_Logevents.class.php
+++ b/htdocs/core/triggers/interface_20_all_Logevents.class.php
@@ -175,6 +175,9 @@ class InterfaceLogevents extends DolibarrTriggers
 } */
+ // Add more information into desc from the context property
+ if (! empty($desc) && ! empty($object->context['audit'])) $desc.=' - '.$object->context['audit'];
+
 // Add entry in event table
 include_once DOL_DOCUMENT_ROOT.'/core/class/events.class.php';
diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php
index 6e4d033e093..fd0be61ce12 100644
--- a/htdocs/user/class/user.class.php
+++ b/htdocs/user/class/user.class.php
@@ -379,12 +379,12 @@ class User extends CommonObject
 */
 function addrights($rid, $allmodule='', $allperms='', $entity='')
 {
- global $conf;
+ global $conf, $user, $langs;
 $entity = (! empty($entity)?$entity:$conf->entity);
 dol_syslog(get_class($this)."::addrights $rid, $allmodule, $allperms, $entity");
- $err=0;
+ $error=0;
 $whereforadd='';
 $this->db->begin();
@@ -406,7 +406,7 @@ class User extends CommonObject
 $subperms=$obj->subperms;
 } else {
- $err++;
+ $error++;
 dol_print_error($this->db);
 }
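Review bot: The added line appends `$object->context['audit']` to the event description unsanitized and only when `$desc` is already non-empty, so a caller whose description is empty silently loses the audit detail. In this patch the context only ever holds `$langs->trans(...)` output, but the trigger runs for every object type, so any future caller that puts request-derived text into `context['audit']` would land it raw in the events table. Consider `if (! empty($object->context['audit'])) $desc .= (empty($desc) ? '' : ' - ') . dol_string_nohtmltag($object->context['audit']);` so the audit text survives an empty description and is stripped of markup before storage. The enclosing trigger method starts and ends outside the hunk.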
@@ -444,23 +444,33 @@ class User extends CommonObject
 $nid = $obj->id;
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."user_rights WHERE fk_user = ".$this->id." AND fk_id=".$nid;
- if (! $this->db->query($sql)) $err++;
+ if (! $this->db->query($sql)) $error++;
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."user_rights (fk_user, fk_id) VALUES (".$this->id.", ".$nid.")";
- if (! $this->db->query($sql)) $err++;
+ if (! $this->db->query($sql)) $error++;
 $i++;
 } } else {
- $err++;
+ $error++;
 dol_print_error($this->db);
 } }
- if ($err) {
+ if (! $error)
+ {
+ $this->context = array('audit'=>$langs->trans("PermissionsAdd"));
+
+ // Call trigger
+ $result=$this->call_trigger('USER_MODIFY',$user);
+ if ($result < 0) { $error++; }
+ // End call triggers
+ }
+
+ if ($error) {
 $this->db->rollback();
- return -$err;
+ return -$error;
 } else {
 $this->db->commit();
@@ -481,9 +491,9 @@ class User extends CommonObject
 */
 function delrights($rid, $allmodule='', $allperms='', $entity='')
 {
- global $conf;
+ global $conf, $user, $langs;
- $err=0;
+ $error=0;
 $wherefordel='';
 $entity = (! empty($entity)?$entity:$conf->entity);
@@ -506,7 +516,7 @@ class User extends CommonObject
 $subperms=$obj->subperms;
 } else {
- $err++;
+ $error++;
 dol_print_error($this->db);
 }
@@ -544,21 +554,31 @@ class User extends CommonObject
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."user_rights";
 $sql.= " WHERE fk_user = ".$this->id." AND fk_id=".$nid;
- if (! $this->db->query($sql)) $err++;
+ if (! $this->db->query($sql)) $error++;
 $i++;
 } } else {
- $err++;
+ $error++;
 dol_print_error($this->db);
 } }
- if ($err) {
+ if (! $error)
+ {
+ $this->context = array('audit'=>$langs->trans("PermissionsDelete"));
+
+ // Call trigger
+ $result=$this->call_trigger('USER_MODIFY',$user);
+ if ($result < 0) { $error++; }
+ // End call triggers
+ }
+
+ if ($error) {
 $this->db->rollback();
- return -$err;
+ return -$error;
 } else {
 $this->db->commit();
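Review bot: The audit entry written by the new `if (! $error)` block says only `PermissionsAdd`; it never records which right was granted, so someone reading the event log later cannot tell what `$rid`, `$allmodule` or `$allperms` was. The assignment `$this->context = array(...)` also replaces any context the caller had set, and nothing clears it afterwards, so a later `update()` on the same object would repeat the permissions text in its own USER_MODIFY event; `$this->context['audit'] = $langs->trans("PermissionsAdd").' rid='.(int) $rid.' module='.$allmodule.' perms='.$allperms;` before the call and `unset($this->context['audit']);` after it fix both (if `$allmodule`/`$allperms` can come from the request, strip them before logging). `call_trigger('USER_MODIFY',$user)` takes the actor from the global scope, so if addrights is reachable from a script or API context with no session user the audit row will have no actor — worth confirming. addrights' SQL-building prologue is outside the hunk.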
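Review bot: The trigger/commit tail added to delrights is a copy of the one added to addrights a few lines above, differing only in the translation key, and the same pair is duplicated again in UserGroup. A small private helper on the class keeps the four sites in step (and makes it one place to add the context cleanup), e.g. the helper below called as `if (! $error && $this->triggerPermissionAudit('PermissionsDelete') < 0) $error++;`. delrights' body begins before this hunk.

```php
// Fire USER_MODIFY with an audit label, then drop the label so it does not leak into later events
private function triggerPermissionAudit($label)
{
    global $user, $langs;

    $this->context['audit'] = $langs->trans($label);
    $result = $this->call_trigger('USER_MODIFY', $user);
    unset($this->context['audit']);

    return $result;
}
```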
diff --git a/htdocs/user/class/usergroup.class.php b/htdocs/user/class/usergroup.class.php
index 575fdadebe2..81c5e986444 100644
--- a/htdocs/user/class/usergroup.class.php
+++ b/htdocs/user/class/usergroup.class.php
@@ -249,7 +249,7 @@ class UserGroup extends CommonObject
 }
 /**
- * Ajoute un droit a l'utilisateur
+ * Add a permission to a group
 *
 * @param int $rid id du droit a ajouter
 * @param string $allmodule Ajouter tous les droits du module allmodule
@@ -258,10 +258,10 @@ class UserGroup extends CommonObject
 */
 function addrights($rid,$allmodule='',$allperms='')
 {
- global $conf;
+ global $conf, $user, $langs;
 dol_syslog(get_class($this)."::addrights $rid, $allmodule, $allperms");
- $err=0;
+ $error=0;
 $whereforadd='';
 $this->db->begin();
@@ -283,7 +283,7 @@ class UserGroup extends CommonObject
 $subperms=$obj->subperms;
 } else {
- $err++;
+ $error++;
 dol_print_error($this->db);
 }
@@ -323,23 +323,33 @@ class UserGroup extends CommonObject
 $nid = $obj->id;
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."usergroup_rights WHERE fk_usergroup = $this->id AND fk_id=".$nid;
- if (! $this->db->query($sql)) $err++;
+ if (! $this->db->query($sql)) $error++;
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."usergroup_rights (fk_usergroup, fk_id) VALUES ($this->id, $nid)";
- if (! $this->db->query($sql)) $err++;
+ if (! $this->db->query($sql)) $error++;
 $i++;
 } } else {
- $err++;
+ $error++;
 dol_print_error($this->db);
 }
+
+ if (! $error)
+ {
+ $this->context = array('audit'=>$langs->trans("PermissionsAdd"));
+
+ // Call trigger
+ $result=$this->call_trigger('GROUP_MODIFY',$user);
+ if ($result < 0) { $error++; }
+ // End call triggers
+ }
 }
- if ($err) {
+ if ($error) {
 $this->db->rollback();
- return -$err;
+ return -$error;
 } else {
 $this->db->commit();
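Review bot: The summary line of the docblock is now English but the `@param` descriptions directly below it are still French, leaving the block half-translated. Suggested wording: `* @param int $rid Id of the permission to add` and `* @param string $allmodule Add all permissions of module allmodule`. The rest of the docblock (the `$allperms` parameter and the return value) lies between this hunk and the next one, so it needs the same treatment outside the visible lines.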
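Review bot: The new `if (! $error)` trigger block is placed inside the enclosing block whose opening `if` is outside the hunk (the context ` }` after `+ }` closes it before `if ($error)`), whereas User::addrights in the same patch calls the trigger after that block closes. If the outer condition is not met the group change therefore writes no GROUP_MODIFY audit row while the equivalent user change does, and a caller gets a successful commit with no trace. Decide which behaviour is intended and align the two classes; if the audit should be unconditional, move the block below the closing `}` as in the User class.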
@@ -350,7 +360,7 @@ class UserGroup extends CommonObject
 /**
- * Retire un droit a l'utilisateur
+ * Remove a permission from group
 *
 * @param int $rid id du droit a retirer
 * @param string $allmodule Retirer tous les droits du module allmodule
@@ -359,9 +369,9 @@ class UserGroup extends CommonObject
 */
 function delrights($rid,$allmodule='',$allperms='')
 {
- global $conf;
+ global $conf, $user, $langs;
- $err=0;
+ $error=0;
 $wherefordel='';
 $this->db->begin();
@@ -383,7 +393,7 @@ class UserGroup extends CommonObject
 $subperms=$obj->subperms;
 } else {
- $err++;
+ $error++;
 dol_print_error($this->db);
 }
@@ -424,21 +434,31 @@ class UserGroup extends CommonObject
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."usergroup_rights";
 $sql.= " WHERE fk_usergroup = $this->id AND fk_id=".$nid;
- if (! $this->db->query($sql)) $err++;
+ if (! $this->db->query($sql)) $error++;
 $i++;
 } } else {
- $err++;
+ $error++;
 dol_print_error($this->db);
 }
+
+ if (! $error)
+ {
+ $this->context = array('audit'=>$langs->trans("PermissionsDelete"));
+
+ // Call trigger
+ $result=$this->call_trigger('GROUP_MODIFY',$user);
+ if ($result < 0) { $error++; }
+ // End call triggers
+ }
 }
- if ($err) {
+ if ($error) {
 $this->db->rollback();
- return -$err;
+ return -$error;
 } else {
 $this->db->commit();
diff --git a/htdocs/user/group/card.php b/htdocs/user/group/card.php
index 5d78cfde279..5094165fb8e 100644
--- a/htdocs/user/group/card.php
+++ b/htdocs/user/group/card.php
@@ -311,15 +311,15 @@ else
 print ''; // Ref - print ''; - print ''; + print ''; print ''; // Name - print ''; - print ''; + print '".''; - print '\n"; } // Note - print ''; + print ''; print ''; print "\n";
@@ -397,8 +397,8 @@ else
 print ''; print ''; print '
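Review bot: In the delrights hunk `$this->id` and `$nid` are interpolated straight into the DELETE statement on the context line `$sql.= " WHERE fk_usergroup = $this->id AND fk_id=".$nid;`; this predates the patch, but since both are expected to be integers a cast, `$sql.= " WHERE fk_usergroup = ".(int) $this->id." AND fk_id=".(int) $nid;`, costs nothing and removes the reliance on every caller setting `id` to a clean value before calling into the rights code. The User class uses the same pattern for `fk_user`, so the same cast applies there. The prologue that builds `$wherefordel` and the loop that produces `$nid` are outside the hunk.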
'.$langs->trans("Ref").''; + print '
'.$langs->trans("Ref").''; print $form->showrefnav($object,'id','',$user->rights->user->user->lire || $user->admin); print '
'.$langs->trans("Name").''.$object->name; + print '
'.$langs->trans("Name").''.$object->name; if (empty($object->entity)) { print img_picto($langs->trans("GlobalGroup"),'redstar'); @@ -331,12 +331,12 @@ else { $mc->getInfo($object->entity); print "
'.$langs->trans("Entity").''.$mc->label; + print ''.$mc->label; print "
'.$langs->trans("Description").'
'.$langs->trans("Description").''.dol_htmlentitiesbr($object->note).' 
'."\n"; - print ''."\n"; - print ''."\n"; + print ''; + print ''; } print "
'.$langs->trans("NonAffectedUsers").''; + print '
'.$langs->trans("NonAffectedUsers").''; print $form->select_dolusers('', 'user', 1, $exclude, 0, '', '', $object->entity, 0, 0, '', 0, '', 'maxwidth300'); print '   '; // Multicompany @@ -491,7 +491,7 @@ else } else { - print '
'.$langs->trans("None").'
'.$langs->trans("None").'
"; print "
"; @@ -509,8 +509,8 @@ else dol_fiche_head($head, 'group', $title, 0, 'group'); print ''; - print ''; - print ''; + print '\n"; // Multicompany @@ -528,7 +528,7 @@ else } } - print ''; + print ''; print ''; print "\n"; // Other attributes - $parameters=array('colspan' => ' colspan="2"'); + $parameters=array(); $reshook=$hookmanager->executeHooks('formObjectOptions',$parameters,$object,$action); // Note that $action and $object may have been modified by hook if (empty($reshook) && ! empty($extrafields->attribute_label)) {
'.$langs->trans("Name").''; + print '
'.$langs->trans("Name").''; print "
'.$langs->trans("Description").'
'.$langs->trans("Description").''; require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php'; $doleditor=new DolEditor('note',$object->note,'',240,'dolibarr_notes','',true,false,$conf->global->FCKEDITOR_ENABLE_SOCIETE,ROWS_8,'90%'); @@ -536,7 +536,7 @@ else print '