lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix: security

Browse Source
This commit is contained in:
Regis Houssin 2012-10-20 09:40:50 +02:00
parent 99fa385602
commit ac9dea1c19
1 changed files with 12 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
htdocs/user/class/usergroup.class.php
View File

@ -239,13 +239,13 @@ class UserGroup extends CommonObject
$this->db->begin();
if ($rid)
if (! empty($rid))
{
// Si on a demande ajout d'un droit en particulier, on recupere
// les caracteristiques (module, perms et subperms) de ce droit.
$sql = "SELECT module, perms, subperms";
$sql.= " FROM ".MAIN_DB_PREFIX."rights_def";
$sql.= " WHERE id = '".$rid."'";
$sql.= " WHERE id = '".$this->escape($rid)."'";
$sql.= " AND entity = ".$conf->entity;
$result=$this->db->query($sql);
@ -261,7 +261,7 @@ class UserGroup extends CommonObject
}
// Where pour la liste des droits a ajouter
$whereforadd="id=".$rid;
$whereforadd="id=".$this->escape($rid);
// Ajout des droits induits
if ($subperms) $whereforadd.=" OR (module='$module' AND perms='$perms' AND (subperms='lire' OR subperms='read'))";
else if ($perms) $whereforadd.=" OR (module='$module' AND (perms='lire' OR perms='read') AND subperms IS NULL)";
@ -272,12 +272,12 @@ class UserGroup extends CommonObject
}
else {
// Where pour la liste des droits a ajouter
if ($allmodule) $whereforadd="module='$allmodule'";
if ($allperms) $whereforadd=" AND perms='$allperms'";
if (! empty($allmodule)) $whereforadd="module='".$this->escape($allmodule)."'";
if (! empty($allperms)) $whereforadd=" AND perms='".$this->escape($allperms)."'";
}
// Ajout des droits de la liste whereforadd
if ($whereforadd)
if (! empty($whereforadd))
{
//print "$module-$perms-$subperms";
$sql = "SELECT id";
@ -339,13 +339,13 @@ class UserGroup extends CommonObject
$this->db->begin();
if ($rid)
if (! empty($rid))
{
// Si on a demande supression d'un droit en particulier, on recupere
// les caracteristiques module, perms et subperms de ce droit.
$sql = "SELECT module, perms, subperms";
$sql.= " FROM ".MAIN_DB_PREFIX."rights_def";
$sql.= " WHERE id = '".$rid."'";
$sql.= " WHERE id = '".$this->escape($rid)."'";
$sql.= " AND entity = ".$conf->entity;
$result=$this->db->query($sql);
@ -361,7 +361,7 @@ class UserGroup extends CommonObject
}
// Where pour la liste des droits a supprimer
$wherefordel="id=".$rid;
$wherefordel="id=".$this->escape($rid);
// Suppression des droits induits
if ($subperms=='lire' || $subperms=='read') $wherefordel.=" OR (module='$module' AND perms='$perms' AND subperms IS NOT NULL)";
if ($perms=='lire' || $perms=='read') $wherefordel.=" OR (module='$module')";
@ -372,12 +372,12 @@ class UserGroup extends CommonObject
}
else {
// Where pour la liste des droits a supprimer
if ($allmodule) $wherefordel="module='$allmodule'";
if ($allperms) $wherefordel=" AND perms='$allperms'";
if (! empty($allmodule)) $wherefordel="module='".$this->escape($allmodule)."'";
if (! empty($allperms)) $wherefordel=" AND perms='".$this->escape($allperms)."'";
}
// Suppression des droits de la liste wherefordel
if ($wherefordel)
if (! empty($wherefordel))
{
//print "$module-$perms-$subperms";
$sql = "SELECT id";