diff --git a/htdocs/compta/bank/account_statement_document.php b/htdocs/compta/bank/account_statement_document.php index 03209ad7673..0a979e01d39 100644 --- a/htdocs/compta/bank/account_statement_document.php +++ b/htdocs/compta/bank/account_statement_document.php @@ -120,6 +120,8 @@ if (GETPOST("rel") == 'prev') { $found = true; } +$permissiontoadd = $user->rights->banque->modifier; // Used by the include of actions_dellink.inc.php + /* * Actions diff --git a/htdocs/compta/bank/document.php b/htdocs/compta/bank/document.php index ec46002b031..7dce00005f3 100644 --- a/htdocs/compta/bank/document.php +++ b/htdocs/compta/bank/document.php @@ -74,6 +74,8 @@ if ($id > 0 || !empty($ref)) { $result = restrictedArea($user, 'banque', $object->id, 'bank_account', '', ''); +$permissiontoadd = $user->rights->banque->modifier; // Used by the include of actions_dellink.inc.php + /* * Actions diff --git a/htdocs/compta/bank/various_payment/document.php b/htdocs/compta/bank/various_payment/document.php index 5f55f4c2559..ad199caaf5a 100644 --- a/htdocs/compta/bank/various_payment/document.php +++ b/htdocs/compta/bank/various_payment/document.php @@ -69,6 +69,9 @@ $object->fetch($id, $ref); $upload_dir = $conf->bank->dir_output.'/'.dol_sanitizeFileName($object->id); $modulepart = 'banque'; +$permissiontoadd = $user->rights->banque->modifier; // Used by the include of actions_dellink.inc.php + + /* * Actions diff --git a/htdocs/compta/deplacement/document.php b/htdocs/compta/deplacement/document.php index cdb4b5f0f0f..2a16d6e4f49 100644 --- a/htdocs/compta/deplacement/document.php +++ b/htdocs/compta/deplacement/document.php @@ -42,12 +42,6 @@ $ref = GETPOST('ref', 'alpha'); $action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); -// Security check -if ($user->socid) { - $socid = $user->socid; -} -$result = restrictedArea($user, 'deplacement', $id, ''); - // Get parameters $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; @@ -74,6 +68,14 @@ $object->fetch($id, $ref); $upload_dir = $conf->deplacement->dir_output.'/'.dol_sanitizeFileName($object->ref); $modulepart = 'trip'; +// Security check +if ($user->socid) { + $socid = $user->socid; +} +$result = restrictedArea($user, 'deplacement', $id, ''); + +$permissiontoadd = $user->rights->deplacement->creer; // Used by the include of actions_dellink.inc.php + /* * Actions diff --git a/htdocs/compta/sociales/document.php b/htdocs/compta/sociales/document.php index 1fbfdfa296a..d0cf3a1f34c 100644 --- a/htdocs/compta/sociales/document.php +++ b/htdocs/compta/sociales/document.php @@ -78,6 +78,8 @@ if ($user->socid) { } $result = restrictedArea($user, 'tax', $object->id, 'chargesociales', 'charges'); +$permissiontoadd = $user->rights->tax->charges->creer; // Used by the include of actions_dellink.inc.php + /* * Actions diff --git a/htdocs/compta/tva/document.php b/htdocs/compta/tva/document.php index e2f0dcec96d..67de87d0c21 100644 --- a/htdocs/compta/tva/document.php +++ b/htdocs/compta/tva/document.php @@ -79,6 +79,8 @@ if ($user->socid) { } $result = restrictedArea($user, 'tax', '', 'tva', 'charges'); +$permissiontoadd = $user->rights->tax->charges->creer; // Used by the include of actions_dellink.inc.php + /* * Actions @@ -86,7 +88,7 @@ $result = restrictedArea($user, 'tax', '', 'tva', 'charges'); include DOL_DOCUMENT_ROOT.'/core/actions_linkedfiles.inc.php'; -if ($action == 'setlib' && $user->rights->tax->charges->creer) { +if ($action == 'setlib' && $permissiontoadd) { $object->fetch($id); $result = $object->setValueFrom('label', GETPOST('lib', 'alpha'), '', '', 'text', '', $user, 'TAX_MODIFY'); if ($result < 0) { diff --git a/htdocs/contact/document.php b/htdocs/contact/document.php index 3005c6b7827..1870e7b8d9c 100644 --- a/htdocs/contact/document.php +++ b/htdocs/contact/document.php @@ -49,12 +49,6 @@ if (!empty($canvas)) { $objcanvas->getCanvas('contact', 'contactcard', $canvas); } -// Security check -if ($user->socid) { - $socid = $user->socid; -} -$result = restrictedArea($user, 'contact', $id, 'socpeople&societe', '', '', 'rowid', 0); // If we create a contact with no company (shared contacts), no check on write permission - // Get parameters $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST("sortfield", 'alpha'); @@ -91,6 +85,15 @@ $modulepart = 'contact'; // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('contactdocument')); +// Security check +if ($user->socid) { + $socid = $user->socid; +} +$result = restrictedArea($user, 'contact', $id, 'socpeople&societe', '', '', 'rowid', 0); // If we create a contact with no company (shared contacts), no check on write permission + +$permissiontoadd = $user->rights->societe->contact->creer; // Used by the include of actions_dellink.inc.php + + /* * Actions */ diff --git a/htdocs/contrat/document.php b/htdocs/contrat/document.php index 690b5432a1b..c54823ee142 100644 --- a/htdocs/contrat/document.php +++ b/htdocs/contrat/document.php @@ -84,6 +84,8 @@ $modulepart = 'contract'; // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('contractcard', 'globalcard')); +$permissiontoadd = $user->rights->contrat->creer; // Used by the include of actions_dellink.inc.php + /* * Actions diff --git a/htdocs/don/document.php b/htdocs/don/document.php index 52e33a26cb4..51227a07ef4 100644 --- a/htdocs/don/document.php +++ b/htdocs/don/document.php @@ -80,6 +80,8 @@ $object->fetch($id, $ref); $upload_dir = $conf->don->dir_output.'/'.get_exdir($filename, 0, 0, 0, $object, 'donation').'/'.dol_sanitizeFileName($object->ref); $modulepart = 'don'; +$permissiontoadd = $user->rights->don->creer; // Used by the include of actions_dellink.inc.php + /* * Actions diff --git a/htdocs/expedition/card.php b/htdocs/expedition/card.php index ba8547726b8..03938003dfb 100644 --- a/htdocs/expedition/card.php +++ b/htdocs/expedition/card.php @@ -122,7 +122,7 @@ if ($user->socid) { $result = restrictedArea($user, 'expedition', $object->id, ''); $permissiondellink = $user->rights->expedition->delivery->creer; // Used by the include of actions_dellink.inc.php -//var_dump($object->lines[0]->detail_batch); +$permissiontoadd = $user->rights->expedition->creer; /* @@ -152,7 +152,6 @@ if (empty($reshook)) { // Actions to build doc $upload_dir = $conf->expedition->dir_output.'/sending'; - $permissiontoadd = $user->rights->expedition->creer; include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php'; // Reopen diff --git a/htdocs/expedition/document.php b/htdocs/expedition/document.php index ee0014a2f8d..df88cbe7a3f 100644 --- a/htdocs/expedition/document.php +++ b/htdocs/expedition/document.php @@ -76,6 +76,8 @@ if ($user->socid) { } $result = restrictedArea($user, 'expedition', $object->id, ''); +$permissiontoadd = $user->rights->expedition->creer; // Used by the include of actions_dellink.inc.php + /* * Actions diff --git a/htdocs/expensereport/card.php b/htdocs/expensereport/card.php index fca9d9b9681..92c12f74e6d 100644 --- a/htdocs/expensereport/card.php +++ b/htdocs/expensereport/card.php @@ -139,6 +139,8 @@ if ($user->socid) { } $result = restrictedArea($user, 'expensereport', $object->id, 'expensereport'); +$permissiontoadd = $user->rights->expensereport->creer; // Used by the include of actions_dellink.inc.php + /* * Actions @@ -1339,7 +1341,6 @@ if (empty($reshook)) { // Actions to build doc $upload_dir = $conf->expensereport->dir_output; - $permissiontoadd = $user->rights->expensereport->creer; include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php'; } diff --git a/htdocs/expensereport/document.php b/htdocs/expensereport/document.php index d7ecea8fcc9..8c3b5f56549 100644 --- a/htdocs/expensereport/document.php +++ b/htdocs/expensereport/document.php @@ -44,13 +44,6 @@ $confirm = GETPOST('confirm', 'alpha'); $childids = $user->getAllChildIds(1); -// Security check -if ($user->socid) { - $socid = $user->socid; -} -$result = restrictedArea($user, 'expensereport', $id, 'expensereport'); - - // Get parameters $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST('sortfield', 'aZ09comma'); @@ -81,6 +74,12 @@ $modulepart = 'trip'; // Load object //include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be include, not include_once // Must be include, not include_once. Include fetch and fetch_thirdparty but not fetch_optionals +// Security check +if ($user->socid) { + $socid = $user->socid; +} +$result = restrictedArea($user, 'expensereport', $id, 'expensereport'); + if ($object->id > 0) { // Check current user can read this expense report $canread = 0; @@ -95,6 +94,8 @@ if ($object->id > 0) { } } +$permissiontoadd = $user->rights->expensereport->creer; // Used by the include of actions_dellink.inc.php + /* * Actions diff --git a/htdocs/fichinter/card.php b/htdocs/fichinter/card.php index a9b85840bca..09fc151c8c1 100644 --- a/htdocs/fichinter/card.php +++ b/htdocs/fichinter/card.php @@ -71,12 +71,6 @@ $hidedetails = (GETPOST('hidedetails', 'int') ? GETPOST('hidedetails', 'int') : $hidedesc = (GETPOST('hidedesc', 'int') ? GETPOST('hidedesc', 'int') : (!empty($conf->global->MAIN_GENERATE_DOCUMENTS_HIDE_DESC) ? 1 : 0)); $hideref = (GETPOST('hideref', 'int') ? GETPOST('hideref', 'int') : (!empty($conf->global->MAIN_GENERATE_DOCUMENTS_HIDE_REF) ? 1 : 0)); -// Security check -if ($user->socid) { - $socid = $user->socid; -} -$result = restrictedArea($user, 'ficheinter', $id, 'fichinter'); - // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('interventioncard', 'globalcard')); @@ -96,6 +90,12 @@ if ($id > 0 || !empty($ref)) { } } +// Security check +if ($user->socid) { + $socid = $user->socid; +} +$result = restrictedArea($user, 'ficheinter', $id, 'fichinter'); + $permissionnote = $user->rights->ficheinter->creer; // Used by the include of actions_setnotes.inc.php $permissiondellink = $user->rights->ficheinter->creer; // Used by the include of actions_dellink.inc.php diff --git a/htdocs/fichinter/document.php b/htdocs/fichinter/document.php index 74ef0c57804..f3dae0d8318 100644 --- a/htdocs/fichinter/document.php +++ b/htdocs/fichinter/document.php @@ -78,6 +78,8 @@ $object->fetch($id, $ref); $upload_dir = $conf->ficheinter->dir_output.'/'.dol_sanitizeFileName($object->ref); $modulepart = 'fichinter'; +$permissiontoadd = $user->rights->ficheinter->creer; // Used by the include of actions_setnotes.inc.php + /* * Actions diff --git a/htdocs/fourn/commande/document.php b/htdocs/fourn/commande/document.php index aea8abed665..993830eb539 100644 --- a/htdocs/fourn/commande/document.php +++ b/htdocs/fourn/commande/document.php @@ -46,12 +46,6 @@ $ref = GETPOST('ref', 'alpha'); $action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); -// Security check -if ($user->socid) { - $socid = $user->socid; -} -$result = restrictedArea($user, 'fournisseur', $id, 'commande_fournisseur', 'commande'); - // Get parameters $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST("sortfield", 'alpha'); @@ -81,6 +75,15 @@ if ($object->fetch($id, $ref) < 0) { $upload_dir = $conf->fournisseur->commande->dir_output.'/'.dol_sanitizeFileName($object->ref); $object->fetch_thirdparty(); +// Security check +$socid = 0; +if ($user->socid) { + $socid = $user->socid; +} +$result = restrictedArea($user, 'fournisseur', $id, 'commande_fournisseur', 'commande'); + +$permissiontoadd = ($user->rights->fournisseur->commande->creer || $user->rights->supplier_order->creer); // Used by the include of actions_setnotes.inc.php + /* * Actions diff --git a/htdocs/fourn/facture/document.php b/htdocs/fourn/facture/document.php index f6954635db1..4c4e92315f4 100644 --- a/htdocs/fourn/facture/document.php +++ b/htdocs/fourn/facture/document.php @@ -77,6 +77,8 @@ if ($object->fetch($id, $ref)) { $upload_dir = $conf->fournisseur->facture->dir_output.'/'.get_exdir($object->id, 2, 0, 0, $object, 'invoice_supplier').$ref; } +$permissiontoadd = ($user->rights->fournisseur->facture->creer || $user->rights->supplier_invoice->creer); // Used by the include of actions_setnotes.inc.php + /* * Actions diff --git a/htdocs/fourn/paiement/document.php b/htdocs/fourn/paiement/document.php index 05a13d901da..a29e9b0713c 100644 --- a/htdocs/fourn/paiement/document.php +++ b/htdocs/fourn/paiement/document.php @@ -79,6 +79,9 @@ if ($object->fetch($id, $ref)) { $upload_dir = $conf->fournisseur->payment->dir_output.'/'.dol_sanitizeFileName($object->ref); } +$permissiontoadd = ($user->rights->fournisseur->facture->creer || $user->rights->supplier_invoice->creer); // Used by the include of actions_setnotes.inc.php + + /* * Actions */ diff --git a/htdocs/holiday/document.php b/htdocs/holiday/document.php index 959543f436b..7dc086a113f 100644 --- a/htdocs/holiday/document.php +++ b/htdocs/holiday/document.php @@ -120,6 +120,7 @@ if ($user->socid) { } $result = restrictedArea($user, 'holiday', $object->id, 'holiday'); +$permissiontoadd = $user->rights->holiday->write; // Used by the include of actions_setnotes.inc.php /* diff --git a/htdocs/knowledgemanagement/knowledgerecord_document.php b/htdocs/knowledgemanagement/knowledgerecord_document.php index f3d23fba4bd..90bb9f736cc 100644 --- a/htdocs/knowledgemanagement/knowledgerecord_document.php +++ b/htdocs/knowledgemanagement/knowledgerecord_document.php @@ -80,7 +80,7 @@ if ($id > 0 || !empty($ref)) { //if ($user->socid > 0) $socid = $user->socid; //$result = restrictedArea($user, 'knowledgemanagement', $object->id); -$permissiontoadd = $user->rights->knowledgemanagement->knowledgerecord->write; // Used by the include of actions_addupdatedelete.inc.php +$permissiontoadd = $user->rights->knowledgemanagement->knowledgerecord->write; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles.inc.php diff --git a/htdocs/loan/document.php b/htdocs/loan/document.php index 2d6bfef3079..a151615bd35 100644 --- a/htdocs/loan/document.php +++ b/htdocs/loan/document.php @@ -71,6 +71,8 @@ if ($id > 0) { $upload_dir = $conf->loan->dir_output.'/'.dol_sanitizeFileName($object->ref); $modulepart = 'loan'; +$permissiontoadd = $user->rights->loan->write; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles.inc.php + /* * Actions diff --git a/htdocs/mrp/mo_document.php b/htdocs/mrp/mo_document.php index 7e297206b3d..c81ed1f995e 100644 --- a/htdocs/mrp/mo_document.php +++ b/htdocs/mrp/mo_document.php @@ -83,12 +83,14 @@ if ($id > 0 || !empty($ref)) { $isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); $result = restrictedArea($user, 'mrp', $object->id, 'mrp_mo', '', 'fk_soc', 'rowid', $isdraft); +$permissiontoadd = $user->rights->mrp->write; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles.inc.php + /* * Actions */ -include DOL_DOCUMENT_ROOT.'/core/actions_linkedfiles.inc.php'; +include DOL_DOCUMENT_ROOT.'/core/actions_linkedfiles.inc.php'; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles.inc.php /* diff --git a/htdocs/product/card.php b/htdocs/product/card.php index 75d11aee3b9..919931d34ce 100644 --- a/htdocs/product/card.php +++ b/htdocs/product/card.php @@ -179,6 +179,9 @@ if ($object->id > 0) { // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('productcard', 'globalcard')); +$usercanread = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->lire) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->lire)); +$usercancreate = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->creer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->creer)); +$usercandelete = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->supprimer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->supprimer)); /* @@ -189,9 +192,6 @@ if ($cancel) { $action = ''; } -$usercanread = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->lire) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->lire)); -$usercancreate = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->creer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->creer)); -$usercandelete = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->supprimer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->supprimer)); $createbarcode = empty($conf->barcode->enabled) ? 0 : 1; if (!empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty($user->rights->barcode->creer_advance)) { $createbarcode = 0; diff --git a/htdocs/product/document.php b/htdocs/product/document.php index 0b15ad7a85c..230f8375538 100644 --- a/htdocs/product/document.php +++ b/htdocs/product/document.php @@ -96,8 +96,6 @@ if ($id > 0 || !empty($ref)) { $modulepart = 'produit'; -$permissiontoadd = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->creer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->creer)); - if ($object->id > 0) { if ($object->type == $object::TYPE_PRODUCT) { restrictedArea($user, 'produit', $object->id, 'product&product', '', ''); @@ -109,6 +107,8 @@ if ($object->id > 0) { restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); } +$permissiontoadd = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->creer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->creer)); + /* * Actions diff --git a/htdocs/product/stock/card.php b/htdocs/product/stock/card.php index 7b81b147b1d..e485ea3d543 100644 --- a/htdocs/product/stock/card.php +++ b/htdocs/product/stock/card.php @@ -87,6 +87,10 @@ if ($id > 0 || !empty($ref)) { } } +$usercanread = (($user->rights->stock->lire)); +$usercancreate = (($user->rights->stock->creer)); +$usercandelete = (($user->rights->stock->supprimer)); + /* * Actions @@ -94,10 +98,6 @@ if ($id > 0 || !empty($ref)) { $error = 0; -$usercanread = (($user->rights->stock->lire)); -$usercancreate = (($user->rights->stock->creer)); -$usercandelete = (($user->rights->stock->supprimer)); - $parameters = array('id'=>$id, 'ref'=>$ref); $reshook = $hookmanager->executeHooks('doActions', $parameters, $object, $action); // Note that $action and $object may have been modified by some hooks if ($reshook < 0) { diff --git a/htdocs/product/stock/productlot_document.php b/htdocs/product/stock/productlot_document.php index 08b565c90a0..c6e72c6f0da 100644 --- a/htdocs/product/stock/productlot_document.php +++ b/htdocs/product/stock/productlot_document.php @@ -100,6 +100,7 @@ if (empty($upload_dir)) { $permissiontoread = $usercanread; $permissiontoadd = $usercancreate; +$permtoedit = $user->rights->produit->creer; //$permissiontodelete = $usercandelete; // Security check @@ -130,8 +131,6 @@ if (empty($reshook)) { include DOL_DOCUMENT_ROOT.'/core/actions_linkedfiles.inc.php'; } -$permtoedit = $user->rights->produit->creer; - /* * View diff --git a/htdocs/projet/document.php b/htdocs/projet/document.php index db1f63fe8de..1bfbb9aa4a6 100644 --- a/htdocs/projet/document.php +++ b/htdocs/projet/document.php @@ -82,6 +82,7 @@ $socid = 0; //if ($user->socid > 0) $socid = $user->socid; // For external user, no check is done on company because readability is managed by public status of project and assignement. $result = restrictedArea($user, 'projet', $id, 'projet&project'); +$permissiontoadd = $user->rights->projet->creer; /* diff --git a/htdocs/projet/tasks/document.php b/htdocs/projet/tasks/document.php index a1e708b6a46..c60e3324741 100644 --- a/htdocs/projet/tasks/document.php +++ b/htdocs/projet/tasks/document.php @@ -74,6 +74,7 @@ $socid = 0; restrictedArea($user, 'projet', $object->fk_project, 'projet&project'); +$permissiontoadd = $$user->rights->mrp->write; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles.inc.php /* diff --git a/htdocs/resource/agenda.php b/htdocs/resource/agenda.php index 6f9cfa8ce34..bf300141bc4 100644 --- a/htdocs/resource/agenda.php +++ b/htdocs/resource/agenda.php @@ -71,14 +71,18 @@ if (!$sortorder) { $sortorder = 'DESC,DESC'; } -$object = new DolResource($db); -$object->fetch($id, $ref); - // Initialize technical objects //$object=new MyObject($db); $extrafields = new ExtraFields($db); $hookmanager->initHooks(array('agendaresource')); +$object = new DolResource($db); + +// Load object +include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be include, not include_once. + +$result = restrictedArea($user, 'resource', $object->id, 'resource'); + // Security check if (!$user->rights->resource->read) { accessforbidden(); diff --git a/htdocs/resource/card.php b/htdocs/resource/card.php index 989aa4ccf91..f89e16da3f9 100644 --- a/htdocs/resource/card.php +++ b/htdocs/resource/card.php @@ -48,10 +48,6 @@ if ($user->socid > 0) { accessforbidden(); } -if (!$user->rights->resource->read) { - accessforbidden(); -} - $object = new Dolresource($db); $extrafields = new ExtraFields($db); @@ -59,6 +55,14 @@ $extrafields = new ExtraFields($db); // fetch optionals attributes and labels $extrafields->fetch_name_optionals_label($object->table_element); +// Load object +include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be include, not include_once. + + +$result = restrictedArea($user, 'resource', $object->id, 'resource'); + +$permissiontoadd = $user->rights->resource->write; // Used by the include of actions_addupdatedelete.inc.php and actions_lineupdown.inc.php + /* diff --git a/htdocs/resource/contact.php b/htdocs/resource/contact.php index 811bb476430..aca47d49743 100644 --- a/htdocs/resource/contact.php +++ b/htdocs/resource/contact.php @@ -38,14 +38,21 @@ $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); $action = GETPOST('action', 'aZ09'); +$object = new DolResource($db); + +// Load object +include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be include, not include_once. + // Security check if ($user->socid) { $socid = $user->socid; } -$result = restrictedArea($user, 'resource', $id, 'resource'); +$result = restrictedArea($user, 'resource', $object->id, 'resource'); -$object = new DolResource($db); -$result = $object->fetch($id, $ref); +// Security check +if (!$user->rights->resource->read) { + accessforbidden(); +} /* diff --git a/htdocs/resource/document.php b/htdocs/resource/document.php index fec869d5620..001598d2023 100644 --- a/htdocs/resource/document.php +++ b/htdocs/resource/document.php @@ -70,11 +70,17 @@ if (!$sortfield) { $object = new DolResource($db); -$object->fetch($id, $ref); + +// Load object +include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be include, not include_once. $upload_dir = $conf->resource->dir_output.'/'.dol_sanitizeFileName($object->ref); $modulepart = 'resource'; +$result = restrictedArea($user, 'resource', $object->id, 'resource'); + +$permissiontoadd = $user->rights->resource->write; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles + /* * Actions diff --git a/htdocs/resource/element_resource.php b/htdocs/resource/element_resource.php index 4a51f1dfbb3..9f9ef7e54f2 100644 --- a/htdocs/resource/element_resource.php +++ b/htdocs/resource/element_resource.php @@ -76,6 +76,7 @@ if ($socid > 0) { // Special for thirdparty $element = 'societe'; } +// Permission is not permission on resources. We just make link here on objects. /* diff --git a/htdocs/resource/list.php b/htdocs/resource/list.php index 356df3a746e..4e7a5c57ae7 100644 --- a/htdocs/resource/list.php +++ b/htdocs/resource/list.php @@ -66,10 +66,10 @@ $filter = array(); $param = ''; if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) { - $param .= '&contextpage='.urlencode($contextpage); + $param .= '&contextpage='.urlencode($contextpage); } if ($limit > 0 && $limit != $conf->liste_limit) { - $param .= '&limit='.urlencode($limit); + $param .= '&limit='.urlencode($limit); } if ($search_ref != '') { @@ -126,9 +126,6 @@ $offset = $limit * $page; $pageprev = $page - 1; $pagenext = $page + 1; -if (!$user->rights->resource->read) { - accessforbidden(); -} $arrayfields = array( 't.ref' => array( 'label' => $langs->trans("Ref"), @@ -156,6 +153,10 @@ if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter.x' $filter = array(); } +if (empty($user->rights->resource->read)) { + accessforbidden(); +} + /* * Action diff --git a/htdocs/resource/note.php b/htdocs/resource/note.php index b43c9f8cb37..98efb72d55b 100644 --- a/htdocs/resource/note.php +++ b/htdocs/resource/note.php @@ -43,10 +43,12 @@ if ($user->socid) { // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('resourcenote')); -$result = restrictedArea($user, 'resource', $id, 'resource'); - $object = new DolResource($db); -$object->fetch($id, $ref); + +// Load object +include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be include, not include_once. + +$result = restrictedArea($user, 'resource', $object->id, 'resource'); $permissionnote = $user->rights->resource->write; // Used by the include of actions_setnotes.inc.php diff --git a/htdocs/salaries/document.php b/htdocs/salaries/document.php index 4f49858eb7a..47d03e62380 100644 --- a/htdocs/salaries/document.php +++ b/htdocs/salaries/document.php @@ -104,6 +104,8 @@ if ($user->socid) { } restrictedArea($user, 'salaries', $object->id, 'salary', ''); +$permissiontoadd = $user->rights->salaries->write; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles + /* * Actions diff --git a/htdocs/societe/document.php b/htdocs/societe/document.php index 23720ebd54c..9ce01c64638 100644 --- a/htdocs/societe/document.php +++ b/htdocs/societe/document.php @@ -85,6 +85,8 @@ if ($user->socid > 0) { } $result = restrictedArea($user, 'societe', $object->id, '&societe'); +$permissiontoadd = $user->rights->societe->creer; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles + /* * Actions diff --git a/htdocs/supplier_proposal/document.php b/htdocs/supplier_proposal/document.php index 2795c006723..3d5ce3fbb47 100644 --- a/htdocs/supplier_proposal/document.php +++ b/htdocs/supplier_proposal/document.php @@ -73,6 +73,15 @@ $object->fetch($id, $ref); if ($object->id > 0) { $object->fetch_thirdparty(); $upload_dir = $conf->supplier_proposal->dir_output.'/'.dol_sanitizeFileName($object->ref); +} + + + +/* + * Actions + */ + +if ($object->id > 0) { include DOL_DOCUMENT_ROOT.'/core/actions_linkedfiles.inc.php'; } @@ -80,6 +89,7 @@ if ($object->id > 0) { /* * View */ + $title = $langs->trans('CommRequest')." - ".$langs->trans('Documents'); $help_url = 'EN:Ask_Price_Supplier|FR:Demande_de_prix_fournisseur'; llxHeader('', $title, $help_url); diff --git a/htdocs/ticket/document.php b/htdocs/ticket/document.php index aa83b7c1038..e9f9dbbb145 100644 --- a/htdocs/ticket/document.php +++ b/htdocs/ticket/document.php @@ -70,7 +70,7 @@ if ($result < 0) { $upload_dir = $conf->ticket->dir_output."/".dol_sanitizeFileName($object->ref); } -$permissiontoadd = $user->rights->ticket->write; +$permissiontoadd = $user->rights->ticket->write; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles // Security check - Protection if external user $result = restrictedArea($user, 'ticket', $object->id); diff --git a/htdocs/user/document.php b/htdocs/user/document.php index a5d88d04c5d..9bd109ec5fb 100644 --- a/htdocs/user/document.php +++ b/htdocs/user/document.php @@ -60,7 +60,7 @@ if ($id) { || (($user->id != $id) && $user->rights->user->user->password)); } -$permissiontoadd = $caneditfield; +$permissiontoadd = $caneditfield; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles $permtoedit = $caneditfield; // Security check @@ -107,6 +107,7 @@ if ($id > 0 || !empty($ref)) { $hookmanager->initHooks(array('usercard', 'userdoc', 'globalcard')); + /* * Actions */ @@ -139,8 +140,6 @@ if ($object->id) { } $head = user_prepare_head($object); - $form = new Form($db); - print dol_get_fiche_head($head, 'document', $langs->trans("User"), -1, 'user'); $linkback = ''; diff --git a/htdocs/website/index.php b/htdocs/website/index.php index 78f3e3de232..7a6c24c58f7 100644 --- a/htdocs/website/index.php +++ b/htdocs/website/index.php @@ -339,6 +339,7 @@ if ($action == 'replacesiteconfirm') { } $usercanedit = $user->rights->website->write; +$permissiontoadd = $user->rights->website->write; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles $permissiontodelete = $user->rights->website->delete; diff --git a/htdocs/workstation/workstation_document.php b/htdocs/workstation/workstation_document.php index 7c5d654a7d9..22157106154 100755 --- a/htdocs/workstation/workstation_document.php +++ b/htdocs/workstation/workstation_document.php @@ -74,12 +74,12 @@ if ($id > 0 || !empty($ref)) { $upload_dir = $conf->workstation->multidir_output[$object->entity ? $object->entity : $conf->entity]."/workstation/".get_exdir(0, 0, 0, 1, $object); } -$permissiontoadd = $user->rights->workstation->workstation->write; // Used by the include of actions_addupdatedelete.inc.php - // Security check $isdraft = 0; restrictedArea($user, $object->element, $object->id, $object->table_element, 'workstation', 'fk_soc', 'rowid', $isdraft); +$permissiontoadd = $user->rights->workstation->workstation->write; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles + /* * Actions