From aef2f1713e7e96a2066ff4ab3519b24a06153af9 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 19 Mar 2021 13:25:58 +0100
Subject: [PATCH] FIX #yogosha5673

---
 htdocs/admin/mails_senderprofile_list.php | 32 ++++++++++---------
 htdocs/admin/mails_ticket.php | 8 ++---
 .../core/class/emailsenderprofile.class.php | 2 +-
 3 files changed, 22 insertions(+), 20 deletions(-)

diff --git a/htdocs/admin/mails_senderprofile_list.php b/htdocs/admin/mails_senderprofile_list.php
index 9f766d76266..a24033637d1 100644
--- a/htdocs/admin/mails_senderprofile_list.php
+++ b/htdocs/admin/mails_senderprofile_list.php
@@ -76,14 +76,6 @@ if (!$sortorder) {
 $sortorder = "ASC";
 }
-// Security check
-$socid = 0;
-if ($user->socid > 0) { // Protection if external user
- //$socid = $user->socid;
- accessforbidden();
-}
-//$result = restrictedArea($user, 'mymodule', $id, '');
-
 // Initialize array of search criterias
 $search_all = GETPOST("search_all", 'alpha');
 $search = array();
@@ -133,6 +125,19 @@ if ($id > 0) {
 $object->fetch($id);
 }
+// Security check
+$socid = 0;
+if ($user->socid > 0) { // Protection if external user
+ //$socid = $user->socid;
+ accessforbidden();
+}
+// A non admin user can see profiles but limited to its own user
+if (!$user->admin) {
+ if ($object->private != $user->id) {
+ accessforbidden();
+ }
+}
+
 /*
  * Actions
@@ -261,6 +266,10 @@ foreach ($search as $key => $val) {
 if ($search_all) {
 $sql .= natural_search(array_keys($fieldstosearchall), $search_all);
 }
+// If non admin, restrict list to itself
+if (empty($user->admin)) {
+ $sql .= " AND private = ".((int) $user->id);
+}
 //$sql.= dolSqlDateFilter("t.field", $search_xxxday, $search_xxxmonth, $search_xxxyear);
 // Add where from extra fields
 include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_list_search_sql.tpl.php';
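Review bot: The new non-admin guard `if ($object->private != $user->id)` fires on the plain list view too: when no `id` is supplied, `$object->fetch($id)` never runs, `$object->private` is still unset, and `null != $user->id` is true, so every non-admin is refused before reaching the list — which contradicts the comment above it and the per-user `AND private = …` filter added in the third hunk of this file. If non-admins are meant to see their own profiles, the guard should only apply once a record was actually requested, e.g. `if (!$user->admin && $id > 0 && (int) $object->private !== (int) $user->id) { accessforbidden(); }` (the cast also avoids the loose `!=` between a DB string and an int). Moving the `$user->socid > 0` rejection below the fetch also means an external user now triggers a record fetch before being refused; that check does not depend on `$object`, so it could stay at its original position. Whether write actions (create, mass actions) enforce the same ownership rule is outside this hunk.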
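Review bot: The added list filter references an unqualified `private` column while the surrounding query appears to alias the main table as `t` (see the commented `dolSqlDateFilter("t.field", …)` just below) and the extrafields template included on the next line adds a second table to the query, so `" AND t.private = ".((int) $user->id)` is the safer spelling if that alias is indeed in use. The `(int)` cast on `$user->id` is the right way to embed the value in the SQL string. As a point of style, this hunk tests `empty($user->admin)` while the earlier hunk in the same file tests `!$user->admin`; picking one form for both keeps the two checks visibly the same rule. The rest of the `$sql` construction starts outside the hunk.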
@@ -315,13 +324,6 @@ if (is_numeric($nbtotalofrecords) && ($limit > $nbtotalofrecords || empty($limit
 $num = $db->num_rows($resql);
 }
-// Direct jump if only one record found
-if ($num == 1 && !empty($conf->global->MAIN_SEARCH_DIRECT_OPEN_IF_ONLY_ONE) && $search_all && !$page) {
- $obj = $db->fetch_object($resql);
- $id = $obj->rowid;
- header("Location: ".DOL_URL_ROOT.'/monmodule/emailsenderprofile_card.php?id='.$id);
- exit;
-}
 // Output page
 // --------------------------------------------------------------------
diff --git a/htdocs/admin/mails_ticket.php b/htdocs/admin/mails_ticket.php
index 1d3faf71f1b..14960db11d7 100644
--- a/htdocs/admin/mails_ticket.php
+++ b/htdocs/admin/mails_ticket.php
@@ -32,10 +32,6 @@ $langs->loadLangs(array('companies', 'products', 'admin', 'mails', 'other', 'err
 $action = GETPOST('action', 'aZ09');
-if (!$user->admin) {
- accessforbidden();
-}
-
 $usersignature = $user->signature;
 // For action = test or send, we ensure that content is not html, even for signature, because this we want a test with NO html.
 if ($action == 'test' || $action == 'send') {
@@ -53,6 +49,10 @@ $substitutionarrayfortest = array(
 );
 complete_substitutions_array($substitutionarrayfortest, $langs);
+// Security check
+if (!$user->admin) {
+ accessforbidden();
+}
 /*
diff --git a/htdocs/core/class/emailsenderprofile.class.php b/htdocs/core/class/emailsenderprofile.class.php
index d4b9f0bd93e..7b9ee37225e 100644
--- a/htdocs/core/class/emailsenderprofile.class.php
+++ b/htdocs/core/class/emailsenderprofile.class.php
@@ -54,7 +54,7 @@ class EmailSenderProfile extends CommonObject
 /**
  * @var string String with name of icon for emailsenderprofile
  */
- public $picto = 'emailsenderprofile@monmodule';
+ public $picto = 'emailsenderprofile';
 const STATUS_DISABLED = 0;
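Review bot: The admin gate in mails_ticket.php now runs only after `$usersignature` has been derived from `$user->signature` and `complete_substitutions_array()` has been called, so for a non-admin request that work executes before `accessforbidden()` is reached. Nothing visible in either hunk requires the later position, and a page-level access check is normally placed as early as possible, right after `$action = GETPOST('action', 'aZ09');` where it was before. If the move is deliberate (for instance because something in the block between the two positions must run before the rejection), the new `// Security check` comment should say so, e.g. `// Security check (kept after substitutions init on purpose: …)`. The code between the two hunks is outside the diff, so I cannot confirm whether it has side effects.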