lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #8175 from hregis/7.0_bug

Browse Source 
Fix: check perms by type of product
This commit is contained in:
Laurent Destailleur 2018-02-12 03:25:08 +01:00 committed by GitHub
commit b23ef5fd8f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 30 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
htdocs/product/card.php
View File

@ -124,6 +124,9 @@ $hookmanager->initHooks(array('productcard','globalcard'));
if ($cancel) $action = ''; if ($cancel) $action = '';
$usercanread = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->lire) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->lire));
$usercancreate = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->creer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->creer));
$usercandelete = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->supprimer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->supprimer));
$createbarcode=empty($conf->barcode->enabled)?0:1; $createbarcode=empty($conf->barcode->enabled)?0:1;
if (! empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty($user->rights->barcode->creer_advance)) $createbarcode=0; if (! empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty($user->rights->barcode->creer_advance)) $createbarcode=0;
@ -134,7 +137,7 @@ if ($reshook < 0) setEventMessages($hookmanager->error, $hookmanager->errors, 'e
if (empty($reshook)) if (empty($reshook))
{ {
// Type // Type
if ($action == 'setfk_product_type' && $user->rights->produit->creer) if ($action == 'setfk_product_type' && $usercancreate)
{ {
$result = $object->setValueFrom('fk_product_type', GETPOST('fk_product_type'), '', null, 'text', '', $user, 'PRODUCT_MODIFY'); $result = $object->setValueFrom('fk_product_type', GETPOST('fk_product_type'), '', null, 'text', '', $user, 'PRODUCT_MODIFY');
header("Location: ".$_SERVER['PHP_SELF']."?id=".$object->id); header("Location: ".$_SERVER['PHP_SELF']."?id=".$object->id);
@ -143,7 +146,7 @@ if (empty($reshook))
// Actions to build doc // Actions to build doc
$upload_dir = $conf->produit->dir_output; $upload_dir = $conf->produit->dir_output;
$permissioncreate = $user->rights->produit->creer; $permissioncreate = $usercancreate;
include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php'; include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php';
include DOL_DOCUMENT_ROOT.'/core/actions_printing.inc.php'; include DOL_DOCUMENT_ROOT.'/core/actions_printing.inc.php';
@ -181,7 +184,7 @@ if (empty($reshook))
} }
// Add a product or service // Add a product or service
if ($action == 'add' && ($user->rights->produit->creer || $user->rights->service->creer)) if ($action == 'add' && $usercancreate)
{ {
$error=0; $error=0;
@ -360,7 +363,7 @@ if (empty($reshook))
} }
// Update a product or service // Update a product or service
if ($action == 'update' && ($user->rights->produit->creer || $user->rights->service->creer)) if ($action == 'update' && $usercancreate)
{ {
if (GETPOST('cancel','alpha')) if (GETPOST('cancel','alpha'))
{ {
@ -477,7 +480,7 @@ if (empty($reshook))
// Action clone object // Action clone object
if ($action == 'confirm_clone' && $confirm != 'yes') { $action=''; } if ($action == 'confirm_clone' && $confirm != 'yes') { $action=''; }
if ($action == 'confirm_clone' && $confirm == 'yes' && ($user->rights->produit->creer || $user->rights->service->creer)) if ($action == 'confirm_clone' && $confirm == 'yes' && $usercancreate)
{ {
if (! GETPOST('clone_content') && ! GETPOST('clone_prices') ) if (! GETPOST('clone_content') && ! GETPOST('clone_prices') )
{ {
@ -565,12 +568,9 @@ if (empty($reshook))
// Delete a product // Delete a product
if ($action == 'confirm_delete' && $confirm != 'yes') { $action=''; } if ($action == 'confirm_delete' && $confirm != 'yes') { $action=''; }
if ($action == 'confirm_delete' && $confirm == 'yes') if ($action == 'confirm_delete' && $confirm == 'yes' && $usercandelete)
{ {
if (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->supprimer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->supprimer)) $result = $object->delete($user);
{
$result = $object->delete($user);
}
if ($result > 0) if ($result > 0)
{ {
@ -887,7 +887,7 @@ else
// ----------------------------------------- // -----------------------------------------
// When used in standard mode // When used in standard mode
// ----------------------------------------- // -----------------------------------------
if ($action == 'create' && ($user->rights->produit->creer || $user->rights->service->creer)) if ($action == 'create' && $usercancreate)
{ {
//WYSIWYG Editor //WYSIWYG Editor
require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php';
@ -1240,7 +1240,7 @@ else
else if ($object->id > 0) else if ($object->id > 0)
{ {
// Fiche en mode edition // Fiche en mode edition
if ($action == 'edit' && ((($object->type == Product::TYPE_PRODUCT && $user->rights->produit->creer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->creer)))) if ($action == 'edit' && $usercancreate)
{ {
//WYSIWYG Editor //WYSIWYG Editor
require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php';
@ -1588,15 +1588,15 @@ else
print '<div class="underbanner clearboth"></div>'; print '<div class="underbanner clearboth"></div>';
print '<table class="border tableforfield" width="100%">'; print '<table class="border tableforfield" width="100%">';
// Type // Type
if (! empty($conf->produit->enabled) && ! empty($conf->service->enabled)) if (! empty($conf->produit->enabled) && ! empty($conf->service->enabled))
{ {
// TODO change for compatibility with edit in place // TODO change for compatibility with edit in place
$typeformat='select;0:'.$langs->trans("Product").',1:'.$langs->trans("Service"); $typeformat='select;0:'.$langs->trans("Product").',1:'.$langs->trans("Service");
print '<tr><td class="titlefield">'.$form->editfieldkey("Type",'fk_product_type',$object->type,$object,$user->rights->produit->creer||$user->rights->service->creer,$typeformat).'</td><td colspan="2">'; print '<tr><td class="titlefield">'.$form->editfieldkey("Type", 'fk_product_type', $object->type, $object, $usercancreate, $typeformat).'</td><td colspan="2">';
print $form->editfieldval("Type",'fk_product_type',$object->type,$object,$user->rights->produit->creer||$user->rights->service->creer,$typeformat); print $form->editfieldval("Type", 'fk_product_type', $object->type, $object, $usercancreate, $typeformat);
print '</td></tr>'; print '</td></tr>';
} }
if ($showbarcode) if ($showbarcode)
{ {
@ -1605,7 +1605,7 @@ else
print '<table width="100%" class="nobordernopadding"><tr><td class="nowrap">'; print '<table width="100%" class="nobordernopadding"><tr><td class="nowrap">';
print $langs->trans("BarcodeType"); print $langs->trans("BarcodeType");
print '</td>'; print '</td>';
if (($action != 'editbarcodetype') && ! empty($user->rights->produit->creer) && $createbarcode) print '<td align="right"><a href="'.$_SERVER["PHP_SELF"].'?action=editbarcodetype&amp;id='.$object->id.'">'.img_edit($langs->trans('Edit'),1).'</a></td>'; if (($action != 'editbarcodetype') && $usercancreate && $createbarcode) print '<td align="right"><a href="'.$_SERVER["PHP_SELF"].'?action=editbarcodetype&amp;id='.$object->id.'">'.img_edit($langs->trans('Edit'),1).'</a></td>';
print '</tr></table>'; print '</tr></table>';
print '</td><td colspan="2">'; print '</td><td colspan="2">';
if ($action == 'editbarcodetype' || $action == 'editbarcode') if ($action == 'editbarcodetype' || $action == 'editbarcode')
@ -1629,7 +1629,7 @@ else
print '<table width="100%" class="nobordernopadding"><tr><td class="nowrap">'; print '<table width="100%" class="nobordernopadding"><tr><td class="nowrap">';
print $langs->trans("BarcodeValue"); print $langs->trans("BarcodeValue");
print '</td>'; print '</td>';
if (($action != 'editbarcode') && ! empty($user->rights->produit->creer) && $createbarcode) print '<td align="right"><a href="'.$_SERVER["PHP_SELF"].'?action=editbarcode&amp;id='.$object->id.'">'.img_edit($langs->trans('Edit'),1).'</a></td>'; if (($action != 'editbarcode') && $usercancreate && $createbarcode) print '<td align="right"><a href="'.$_SERVER["PHP_SELF"].'?action=editbarcode&amp;id='.$object->id.'">'.img_edit($langs->trans('Edit'),1).'</a></td>';
print '</tr></table>'; print '</tr></table>';
print '</td><td colspan="2">'; print '</td><td colspan="2">';
if ($action == 'editbarcode') if ($action == 'editbarcode')
@ -1741,7 +1741,7 @@ else
// Batch number management (to batch) // Batch number management (to batch)
if (! empty($conf->productbatch->enabled)) { if (! empty($conf->productbatch->enabled)) {
print '<tr><td>'.$langs->trans("ManageLotSerial").'</td><td colspan="2">'; print '<tr><td>'.$langs->trans("ManageLotSerial").'</td><td colspan="2">';
if (! empty($conf->use_javascript_ajax) && $user->rights->produit->creer && ! empty($conf->global->MAIN_DIRECT_STATUS_UPDATE)) { if (! empty($conf->use_javascript_ajax) && $usercancreate && ! empty($conf->global->MAIN_DIRECT_STATUS_UPDATE)) {
print ajax_object_onoff($object, 'status_batch', 'tobatch', 'ProductStatusOnBatch', 'ProductStatusNotOnBatch'); print ajax_object_onoff($object, 'status_batch', 'tobatch', 'ProductStatusOnBatch', 'ProductStatusNotOnBatch');
} else { } else {
print $object->getLibStatut(0,2); print $object->getLibStatut(0,2);
@ -1974,9 +1974,8 @@ if ($action != 'create' && $action != 'edit')
$parameters=array(); $parameters=array();
$reshook=$hookmanager->executeHooks('addMoreActionsButtons',$parameters,$object,$action); // Note that $action and $object may have been modified by hook $reshook=$hookmanager->executeHooks('addMoreActionsButtons',$parameters,$object,$action); // Note that $action and $object may have been modified by hook
if (empty($reshook)) if (empty($reshook))
{ {
if (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->creer ) || if ($usercancreate)
($object->type == Product::TYPE_SERVICE && $user->rights->service->creer))
{ {
if (! isset($object->no_button_edit) || $object->no_button_edit <> 1) print '<div class="inline-block divButAction"><a class="butAction" href="'.$_SERVER["PHP_SELF"].'?action=edit&amp;id='.$object->id.'">'.$langs->trans("Modify").'</a></div>'; if (! isset($object->no_button_edit) || $object->no_button_edit <> 1) print '<div class="inline-block divButAction"><a class="butAction" href="'.$_SERVER["PHP_SELF"].'?action=edit&amp;id='.$object->id.'">'.$langs->trans("Modify").'</a></div>';
@ -1994,8 +1993,7 @@ if ($action != 'create' && $action != 'edit')
} }
$object_is_used = $object->isObjectUsed($object->id); $object_is_used = $object->isObjectUsed($object->id);
if (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->supprimer) if ($usercandelete)
|| ($object->type == Product::TYPE_SERVICE && $user->rights->service->supprimer))
{ {
if (empty($object_is_used) && (! isset($object->no_button_delete) || $object->no_button_delete <> 1)) if (empty($object_is_used) && (! isset($object->no_button_delete) || $object->no_button_delete <> 1))
{ {
@ -2151,8 +2149,8 @@ if ($action != 'create' && $action != 'edit' && $action != 'delete')
$relativepath = $comref . '/' . $objectref . '.pdf'; $relativepath = $comref . '/' . $objectref . '.pdf';
$filedir = $conf->produit->dir_output . '/' . $objectref; $filedir = $conf->produit->dir_output . '/' . $objectref;
$urlsource=$_SERVER["PHP_SELF"]."?id=".$object->id; $urlsource=$_SERVER["PHP_SELF"]."?id=".$object->id;
$genallowed=$user->rights->produit->lire; $genallowed=$usercanread;
$delallowed=$user->rights->produit->creer; $delallowed=$usercancreate;
$var=true; $var=true;