FIX #yogosha5673
This commit is contained in:
Laurent Destailleur
parent
5a4ffc18b9
commit
aef2f1713e
@ -76,14 +76,6 @@ if (!$sortorder) {
|
||||
$sortorder = "ASC";
|
||||
}
|
||||
|
||||
// Security check
|
||||
$socid = 0;
|
||||
if ($user->socid > 0) { // Protection if external user
|
||||
//$socid = $user->socid;
|
||||
accessforbidden();
|
||||
}
|
||||
//$result = restrictedArea($user, 'mymodule', $id, '');
|
||||
|
||||
// Initialize array of search criterias
|
||||
$search_all = GETPOST("search_all", 'alpha');
|
||||
$search = array();
|
||||
@ -133,6 +125,19 @@ if ($id > 0) {
|
||||
$object->fetch($id);
|
||||
}
|
||||
|
||||
// Security check
|
||||
$socid = 0;
|
||||
if ($user->socid > 0) { // Protection if external user
|
||||
//$socid = $user->socid;
|
||||
accessforbidden();
|
||||
}
|
||||
// A non admin user can see profiles but limited to its own user
|
||||
if (!$user->admin) {
|
||||
if ($object->private != $user->id) {
|
||||
accessforbidden();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Actions
|
||||
@ -261,6 +266,10 @@ foreach ($search as $key => $val) {
|
||||
if ($search_all) {
|
||||
$sql .= natural_search(array_keys($fieldstosearchall), $search_all);
|
||||
}
|
||||
// If non admin, restrict list to itself
|
||||
if (empty($user->admin)) {
|
||||
$sql .= " AND private = ".((int) $user->id);
|
||||
}
|
||||
//$sql.= dolSqlDateFilter("t.field", $search_xxxday, $search_xxxmonth, $search_xxxyear);
|
||||
// Add where from extra fields
|
||||
include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_list_search_sql.tpl.php';
|
||||
@ -315,13 +324,6 @@ if (is_numeric($nbtotalofrecords) && ($limit > $nbtotalofrecords || empty($limit
|
||||
$num = $db->num_rows($resql);
|
||||
}
|
||||
|
||||
// Direct jump if only one record found
|
||||
if ($num == 1 && !empty($conf->global->MAIN_SEARCH_DIRECT_OPEN_IF_ONLY_ONE) && $search_all && !$page) {
|
||||
$obj = $db->fetch_object($resql);
|
||||
$id = $obj->rowid;
|
||||
header("Location: ".DOL_URL_ROOT.'/monmodule/emailsenderprofile_card.php?id='.$id);
|
||||
exit;
|
||||
}
|
||||
|
||||
// Output page
|
||||
// --------------------------------------------------------------------
|
||||
|
||||
@ -32,10 +32,6 @@ $langs->loadLangs(array('companies', 'products', 'admin', 'mails', 'other', 'err
|
||||
|
||||
$action = GETPOST('action', 'aZ09');
|
||||
|
||||
if (!$user->admin) {
|
||||
accessforbidden();
|
||||
}
|
||||
|
||||
$usersignature = $user->signature;
|
||||
// For action = test or send, we ensure that content is not html, even for signature, because this we want a test with NO html.
|
||||
if ($action == 'test' || $action == 'send') {
|
||||
@ -53,6 +49,10 @@ $substitutionarrayfortest = array(
|
||||
);
|
||||
complete_substitutions_array($substitutionarrayfortest, $langs);
|
||||
|
||||
// Security check
|
||||
if (!$user->admin) {
|
||||
accessforbidden();
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
|
||||
@ -54,7 +54,7 @@ class EmailSenderProfile extends CommonObject
|
||||
/**
|
||||
* @var string String with name of icon for emailsenderprofile
|
||||
*/
|
||||
public $picto = 'emailsenderprofile@monmodule';
|
||||
public $picto = 'emailsenderprofile';
|
||||
|
||||
|
||||
const STATUS_DISABLED = 0;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user