From c0b269b9ee80e2b65af199a8354e5c4dc80c47a3 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 18 Jun 2020 01:09:30 +0200
Subject: [PATCH] Fix Permissions on MO and API for MO

---
 htdocs/api/index.php | 16 +-
 htdocs/core/lib/functions2.lib.php | 62 ++-
 .../template/class/api_mymodule.class.php | 6 +-
 htdocs/mrp/class/api_mos.class.php | 354 ++++++++++++++++++
 htdocs/mrp/mo_agenda.php | 10 +-
 htdocs/mrp/mo_card.php | 4 +-
 htdocs/mrp/mo_document.php | 11 +-
 htdocs/mrp/mo_movements.php | 4 +-
 htdocs/mrp/mo_note.php | 11 +-
 htdocs/mrp/mo_production.php | 4 +-
 10 files changed, 413 insertions(+), 69 deletions(-)
 create mode 100644 htdocs/mrp/class/api_mos.class.php

diff --git a/htdocs/api/index.php b/htdocs/api/index.php
index 2f3c0b9236b..112eb58059f 100644
--- a/htdocs/api/index.php
+++ b/htdocs/api/index.php
@@ -238,19 +238,19 @@ if (!empty($reg[1]) && $reg[1] == 'explorer' && ($reg[2] == '/swagger.json' || $
 $regbis = array();
 if (!empty($reg[1]) && ($reg[1] != 'explorer' || ($reg[2] != '/swagger.json' && $reg[2] != '/resources.json' && preg_match('/^\/(swagger|resources)\.json\/(.+)$/', $reg[2], $regbis) && $regbis[2] != 'root')))
 {
- $module = $reg[1];
- if ($module == 'explorer') // If we call page to explore details of a service
+ $moduleobject = $reg[1];
+ if ($moduleobject == 'explorer') // If we call page to explore details of a service
 {
- $module = $regbis[2];
+ $moduleobject = $regbis[2];
 }
- $module = strtolower($module);
- $moduledirforclass = getModuleDirForApiClass($module);
+ $moduleobject = strtolower($moduleobject);
+ $moduledirforclass = getModuleDirForApiClass($moduleobject);
 // Load a dedicated API file
- dol_syslog("Load a dedicated API file module=".$module." moduledirforclass=".$moduledirforclass);
+ dol_syslog("Load a dedicated API file moduleobject=".$moduleobject." moduledirforclass=".$moduledirforclass);
- $tmpmodule = $module;
+ $tmpmodule = $moduleobject;
 if ($tmpmodule != 'api') $tmpmodule = preg_replace('/api$/i', '', $tmpmodule);
 $classfile = str_replace('_', '', $tmpmodule);
@@ -267,7 +267,7 @@ if (!empty($reg[1]) && ($reg[1] != 'explorer' || ($reg[2] != '/swagger.json' &&
 $dir_part_file = dol_buildpath('/'.$moduledirforclass.'/class/api_'.$classfile.'.class.php', 0, 2);
- $classname = ucwords($module);
+ $classname = ucwords($moduleobject);
 dol_syslog('Search api file /'.$moduledirforclass.'/class/api_'.$classfile.'.class.php => dir_part_file='.$dir_part_file.' classname='.$classname);
diff --git a/htdocs/core/lib/functions2.lib.php b/htdocs/core/lib/functions2.lib.php
index 531e0fe242c..b50090ee2cf 100644
--- a/htdocs/core/lib/functions2.lib.php
+++ b/htdocs/core/lib/functions2.lib.php
@@ -2289,82 +2289,70 @@ function cartesianArray(array $input)
 /**
 * Get name of directory where the api_...class.php file is stored
 *
- * @param string $module Module name
- * @return string Directory name
+ * @param string $moduleobject Module object name
+ * @return string Directory name
 */
-function getModuleDirForApiClass($module)
+function getModuleDirForApiClass($moduleobject)
 {
- $moduledirforclass = $module;
+ $moduledirforclass = $moduleobject;
 if ($moduledirforclass != 'api') $moduledirforclass = preg_replace('/api$/i', '', $moduledirforclass);
- if ($module == 'contracts') {
+ if ($moduleobject == 'contracts') {
 $moduledirforclass = 'contrat';
 }
- elseif (in_array($module, array('admin', 'login', 'setup', 'access', 'status', 'tools', 'documents'))) {
+ elseif (in_array($moduleobject, array('admin', 'login', 'setup', 'access', 'status', 'tools', 'documents'))) {
 $moduledirforclass = 'api';
 }
- elseif ($module == 'contact' || $module == 'contacts' || $module == 'customer' || $module == 'thirdparty' || $module == 'thirdparties') {
+ elseif ($moduleobject == 'contact' || $moduleobject == 'contacts' || $moduleobject == 'customer' || $moduleobject == 'thirdparty' || $moduleobject == 'thirdparties') {
 $moduledirforclass = 'societe';
 }
- elseif ($module == 'propale' || $module == 'proposals') {
+ elseif ($moduleobject == 'propale' || $moduleobject == 'proposals') {
 $moduledirforclass = 'comm/propal';
 }
- elseif ($module == 'agenda' || $module == 'agendaevents') {
+ elseif ($moduleobject == 'agenda' || $moduleobject == 'agendaevents') {
 $moduledirforclass = 'comm/action';
 }
- elseif ($module == 'adherent' || $module == 'members' || $module == 'memberstypes' || $module == 'subscriptions') {
+ elseif ($moduleobject == 'adherent' || $moduleobject == 'members' || $moduleobject == 'memberstypes' || $moduleobject == 'subscriptions') {
 $moduledirforclass = 'adherents';
 }
- elseif ($module == 'don' || $module == 'donations') {
+ elseif ($moduleobject == 'don' || $moduleobject == 'donations') {
 $moduledirforclass = 'don';
 }
- elseif ($module == 'banque' || $module == 'bankaccounts') {
+ elseif ($moduleobject == 'banque' || $moduleobject == 'bankaccounts') {
 $moduledirforclass = 'compta/bank';
 }
- elseif ($module == 'category' || $module == 'categorie') {
+ elseif ($moduleobject == 'category' || $moduleobject == 'categorie') {
 $moduledirforclass = 'categories';
 }
- elseif ($module == 'order' || $module == 'orders') {
+ elseif ($moduleobject == 'order' || $moduleobject == 'orders') {
 $moduledirforclass = 'commande';
 }
- elseif ($module == 'shipments') {
+ elseif ($moduleobject == 'shipments') {
 $moduledirforclass = 'expedition';
 }
- elseif ($module == 'facture' || $module == 'invoice' || $module == 'invoices') {
+ elseif ($moduleobject == 'facture' || $moduleobject == 'invoice' || $moduleobject == 'invoices') {
 $moduledirforclass = 'compta/facture';
 }
- elseif ($module == 'products') {
- $moduledirforclass = 'product';
- }
- elseif ($module == 'project' || $module == 'projects' || $module == 'tasks') {
+ elseif ($moduleobject == 'project' || $moduleobject == 'projects' || $moduleobject == 'task' || $moduleobject == 'tasks') {
 $moduledirforclass = 'projet';
 }
- elseif ($module == 'task') {
- $moduledirforclass = 'projet';
- }
- elseif ($module == 'stock' || $module == 'stockmovements' || $module == 'warehouses') {
+ elseif ($moduleobject == 'stock' || $moduleobject == 'stockmovements' || $moduleobject == 'warehouses') {
 $moduledirforclass = 'product/stock';
 }
- elseif ($module == 'supplierproposals' || $module == 'supplierproposal' || $module == 'supplier_proposal') {
+ elseif ($moduleobject == 'supplierproposals' || $moduleobject == 'supplierproposal' || $moduleobject == 'supplier_proposal') {
 $moduledirforclass = 'supplier_proposal';
 }
- elseif ($module == 'fournisseur' || $module == 'supplierinvoices' || $module == 'supplierorders') {
+ elseif ($moduleobject == 'fournisseur' || $moduleobject == 'supplierinvoices' || $moduleobject == 'supplierorders') {
 $moduledirforclass = 'fourn';
 }
- elseif ($module == 'expensereports') {
- $moduledirforclass = 'expensereport';
- }
- elseif ($module == 'users') {
- $moduledirforclass = 'user';
- }
- elseif ($module == 'ficheinter' || $module == 'interventions') {
+ elseif ($moduleobject == 'ficheinter' || $moduleobject == 'interventions') {
 $moduledirforclass = 'fichinter';
 }
- elseif ($module == 'tickets') {
- $moduledirforclass = 'ticket';
+ elseif ($moduleobject == 'mos') {
+ $moduledirforclass = 'mrp';
 }
- elseif ($module == 'boms') {
- $moduledirforclass = 'bom';
+ elseif (in_array($moduleobject, array('products', 'expensereports', 'users', 'tickets', 'boms'))) {
+ $moduledirforclass = preg_replace('/s$/', '', $moduleobject);
 }
 return $moduledirforclass;
diff --git a/htdocs/modulebuilder/template/class/api_mymodule.class.php b/htdocs/modulebuilder/template/class/api_mymodule.class.php
index 8498fc4a636..f8699dc7568 100644
--- a/htdocs/modulebuilder/template/class/api_mymodule.class.php
+++ b/htdocs/modulebuilder/template/class/api_mymodule.class.php
@@ -165,9 +165,9 @@ class MyModuleApi extends DolibarrApi
 while ($i < $num)
 {
 $obj = $db->fetch_object($result);
- $myobject_static = new MyObject($db);
- if ($myobject_static->fetch($obj->rowid)) {
- $obj_ret[] = $this->_cleanObjectDatas($myobject_static);
+ $tmp_object = new MyObject($db);
+ if ($tmp_object->fetch($obj->rowid)) {
+ $obj_ret[] = $this->_cleanObjectDatas($tmp_object);
 }
 $i++;
 }
diff --git a/htdocs/mrp/class/api_mos.class.php b/htdocs/mrp/class/api_mos.class.php
new file mode 100644
index 00000000000..963da439180
--- /dev/null
+++ b/htdocs/mrp/class/api_mos.class.php
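Review bot: getModuleDirForApiClass() returns its argument unchanged (apart from a trailing `api` being stripped) for every name that matches none of the branches, so it is a lookup table rather than a whitelist, and api/index.php in this same commit feeds the result straight into `dol_buildpath('/'.$moduledirforclass.'/class/api_'.$classfile.'.class.php', 0, 2)`; the docblock should say so. Suggested `@return` text: `Directory name under DOL_DOCUMENT_ROOT; names not listed here are returned as-is, so the caller must still verify that the resulting api_*.class.php path exists`. The new `in_array(..., array('products', 'expensereports', 'users', 'tickets', 'boms'))` branch with `preg_replace('/s$/', '', $moduleobject)` yields the same five directories the removed branches hard-coded, so that part is behaviour-preserving; a comment such as `// Default mapping: plural API name -> singular module directory` next to it would spare the next reader re-deriving that.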
@@ -0,0 +1,354 @@
+
+ * Copyright (C) 2019 Maxime Kohlhaas
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
+use Luracast\Restler\RestException;
+
+require_once DOL_DOCUMENT_ROOT.'/mrp/class/mo.class.php';
+
+
+/**
+ * \file mrp/class/api_mo.class.php
+ * \ingroup mrp
+ * \brief File for API management of MO.
+ */
+
+/**
+ * API class for MO
+ *
+ * @access protected
+ * @class DolibarrApiAccess {@requires user,external}
+ */
+class Mos extends DolibarrApi
+{
+ /**
+ * @var Mo $mo {@type Mo}
+ */
+ public $mo;
+
+ /**
+ * Constructor
+ */
+ public function __construct()
+ {
+ global $db, $conf;
+ $this->db = $db;
+ $this->mo = new Mo($this->db);
+ }
+
+ /**
+ * Get properties of a MO object
+ *
+ * Return an array with MO informations
+ *
+ * @param int $id ID of MO
+ * @return array|mixed data without useless information
+ *
+ * @url GET {id}
+ * @throws RestException
+ */
+ public function get($id)
+ {
+ if (!DolibarrApiAccess::$user->rights->mrp->read) {
+ throw new RestException(401);
+ }
+
+ $result = $this->mo->fetch($id);
+ if (!$result) {
+ throw new RestException(404, 'MO not found');
+ }
+
+ if (!DolibarrApi::_checkAccessToResource('mrp', $this->mo->id, 'mrp_mo')) {
+ throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
+ }
+
+ return $this->_cleanObjectDatas($this->mo);
+ }
+
+
+ /**
+ * List Mos
+ *
+ * Get a list of MOs
+ *
+ * @param string $sortfield Sort field
+ * @param string $sortorder Sort order
+ * @param int $limit Limit for list
+ * @param int $page Page number
+ * @param string $sqlfilters Other criteria to filter answers separated by a comma. Syntax example "(t.ref:like:'SO-%') and (t.date_creation:<:'20160101')"
+ * @return array Array of order objects
+ *
+ * @throws RestException
+ */
+ public function index($sortfield = "t.rowid", $sortorder = 'ASC', $limit = 100, $page = 0, $sqlfilters = '')
+ {
+ global $db, $conf;
+
+ $obj_ret = array();
+ $tmpobject = new Mo($db);
+
+ $socid = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : '';
+
+ $restrictonsocid = 0; // Set to 1 if there is a field socid in table of object
+
+ // If the internal user must only see his customers, force searching by him
+ $search_sale = 0;
+ if ($restrictonsocid && !DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) $search_sale = DolibarrApiAccess::$user->id;
+
+ $sql = "SELECT t.rowid";
+ if ($restrictonsocid && (!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql .= ", sc.fk_soc, sc.fk_user"; // We need these fields in order to filter by sale (including the case where the user can only see his prospects)
+ $sql .= " FROM ".MAIN_DB_PREFIX.$tmpobject->table_element." as t";
+
+ if ($restrictonsocid && (!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; // We need this table joined to the select in order to filter by sale
+ $sql .= " WHERE 1 = 1";
+
+ // Example of use $mode
+ //if ($mode == 1) $sql.= " AND s.client IN (1, 3)";
+ //if ($mode == 2) $sql.= " AND s.client IN (2, 3)";
+
+ if ($tmpobject->ismultientitymanaged) $sql .= ' AND t.entity IN ('.getEntity($tmpobject->element).')';
+ if ($restrictonsocid && (!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql .= " AND t.fk_soc = sc.fk_soc";
+ if ($restrictonsocid && $socid) $sql .= " AND t.fk_soc = ".$socid;
+ if ($restrictonsocid && $search_sale > 0) $sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale
+ // Insert sale filter
+ if ($restrictonsocid && $search_sale > 0)
+ {
+ $sql .= " AND sc.fk_user = ".$search_sale;
+ }
+ if ($sqlfilters)
+ {
+ if (!DolibarrApi::_checkFilters($sqlfilters))
+ {
+ throw new RestException(503, 'Error when validating parameter sqlfilters '.$sqlfilters);
+ }
+ $regexstring = '\(([^:\'\(\)]+:[^:\'\(\)]+:[^:\(\)]+)\)';
+ $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")";
+ }
+
+ $sql .= $db->order($sortfield, $sortorder);
+ if ($limit) {
+ if ($page < 0)
+ {
+ $page = 0;
+ }
+ $offset = $limit * $page;
+
+ $sql .= $db->plimit($limit + 1, $offset);
+ }
+
+ $result = $db->query($sql);
+ if ($result)
+ {
+ $num = $db->num_rows($result);
+ $i = 0;
+ while ($i < $num)
+ {
+ $obj = $db->fetch_object($result);
+ $tmp_object = new Mo($db);
+ if ($tmp_object->fetch($obj->rowid)) {
+ $obj_ret[] = $this->_cleanObjectDatas($tmp_object);
+ }
+ $i++;
+ }
+ }
+ else {
+ throw new RestException(503, 'Error when retrieve MO list');
+ }
+ if (!count($obj_ret)) {
+ throw new RestException(404, 'No MO found');
+ }
+ return $obj_ret;
+ }
+
+ /**
+ * Create MO object
+ *
+ * @param array $request_data Request datas
+ * @return int ID of MO
+ */
+ public function post($request_data = null)
+ {
+ if (!DolibarrApiAccess::$user->rights->mrp->write) {
+ throw new RestException(401);
+ }
+ // Check mandatory fields
+ $result = $this->_validate($request_data);
+
+ foreach ($request_data as $field => $value) {
+ $this->mo->$field = $value;
+ }
+ if (!$this->mo->create(DolibarrApiAccess::$user)) {
+ throw new RestException(500, "Error creating MO", array_merge(array($this->mo->error), $this->mo->errors));
+ }
+ return $this->mo->id;
+ }
+
+ /**
+ * Update MO
+ *
+ * @param int $id Id of MO to update
+ * @param array $request_data Datas
+ *
+ * @return int
+ */
+ public function put($id, $request_data = null)
+ {
+ if (!DolibarrApiAccess::$user->rights->mrp->write) {
+ throw new RestException(401);
+ }
+
+ $result = $this->mo->fetch($id);
+ if (!$result) {
+ throw new RestException(404, 'MO not found');
+ }
+
+ if (!DolibarrApi::_checkAccessToResource('mrp', $this->mo->id, 'mrp_mo')) {
+ throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
+ }
+
+ foreach ($request_data as $field => $value) {
+ if ($field == 'id') continue;
+ $this->mo->$field = $value;
+ }
+
+ if ($this->mo->update($id, DolibarrApiAccess::$user) > 0)
+ {
+ return $this->get($id);
+ }
+ else
+ {
+ throw new RestException(500, $this->mo->error);
+ }
+ }
+
+ /**
+ * Delete MO
+ *
+ * @param int $id MO ID
+ * @return array
+ */
+ public function delete($id)
+ {
+ if (!DolibarrApiAccess::$user->rights->mrp->delete) {
+ throw new RestException(401);
+ }
+ $result = $this->mo->fetch($id);
+ if (!$result) {
+ throw new RestException(404, 'MO not found');
+ }
+
+ if (!DolibarrApi::_checkAccessToResource('mrp', $this->mo->id, 'mrp_mo')) {
+ throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
+ }
+
+ if (!$this->mo->delete(DolibarrApiAccess::$user))
+ {
+ throw new RestException(500, 'Error when deleting MO : '.$this->mo->error);
+ }
+
+ return array(
+ 'success' => array(
+ 'code' => 200,
+ 'message' => 'MO deleted'
+ )
+ );
+ }
+
+
+ // phpcs:disable PEAR.NamingConventions.ValidFunctionName.PublicUnderscore
+ /**
+ * Clean sensible object datas
+ *
+ * @param object $object Object to clean
+ * @return array Array of cleaned object properties
+ */
+ protected function _cleanObjectDatas($object)
+ {
+ // phpcs:enable
+ $object = parent::_cleanObjectDatas($object);
+
+ unset($object->rowid);
+ unset($object->canvas);
+
+ unset($object->name);
+ unset($object->lastname);
+ unset($object->firstname);
+ unset($object->civility_id);
+ unset($object->statut);
+ unset($object->state);
+ unset($object->state_id);
+ unset($object->state_code);
+ unset($object->region);
+ unset($object->region_code);
+ unset($object->country);
+ unset($object->country_id);
+ unset($object->country_code);
+ unset($object->barcode_type);
+ unset($object->barcode_type_code);
+ unset($object->barcode_type_label);
+ unset($object->barcode_type_coder);
+ unset($object->total_ht);
+ unset($object->total_tva);
+ unset($object->total_localtax1);
+ unset($object->total_localtax2);
+ unset($object->total_ttc);
+ unset($object->fk_account);
+ unset($object->comments);
+ unset($object->note);
+ unset($object->mode_reglement_id);
+ unset($object->cond_reglement_id);
+ unset($object->cond_reglement);
+ unset($object->shipping_method_id);
+ unset($object->fk_incoterms);
+ unset($object->label_incoterms);
+ unset($object->location_incoterms);
+
+ // If object has lines, remove $db property
+ if (isset($object->lines) && is_array($object->lines) && count($object->lines) > 0) {
+ $nboflines = count($object->lines);
+ for ($i = 0; $i < $nboflines; $i++)
+ {
+ $this->_cleanObjectDatas($object->lines[$i]);
+
+ unset($object->lines[$i]->lines);
+ unset($object->lines[$i]->note);
+ }
+ }
+
+ return $object;
+ }
+
+ /**
+ * Validate fields before create or update object
+ *
+ * @param array $data Array of data to validate
+ * @return array
+ *
+ * @throws RestException
+ */
+ private function _validate($data)
+ {
+ $myobject = array();
+ foreach ($this->mo->fields as $field => $propfield) {
+ if (in_array($field, array('rowid', 'entity', 'date_creation', 'tms', 'fk_user_creat')) || $propfield['notnull'] != 1) continue; // Not a mandatory field
+ if (!isset($data[$field]))
+ throw new RestException(400, "$field field missing");
+ $myobject[$field] = $data[$field];
+ }
+ return $myobject;
+ }
+}
diff --git a/htdocs/mrp/mo_agenda.php b/htdocs/mrp/mo_agenda.php
index eee839c8a83..20c2cbfe290 100644
--- a/htdocs/mrp/mo_agenda.php
+++ b/htdocs/mrp/mo_agenda.php
@@ -55,11 +55,6 @@ else
 }
 $search_agenda_label = GETPOST('search_agenda_label');
-// Security check - Protection if external user
-//if ($user->socid > 0) accessforbidden();
-//if ($user->socid > 0) $socid = $user->socid;
-//$result = restrictedArea($user, 'mrp', $id);
-
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
 $sortfield = GETPOST("sortfield", 'alpha');
 $sortorder = GETPOST("sortorder", 'alpha');
@@ -84,6 +79,11 @@ $extrafields->fetch_name_optionals_label($object->table_element);
 include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be include, not include_once // Must be include, not include_once. Include fetch and fetch_thirdparty but not fetch_optionals
 if ($id > 0 || !empty($ref)) $upload_dir = $conf->mrp->multidir_output[$object->entity]."/".$object->id;
+// Security check - Protection if external user
+//if ($user->socid > 0) accessforbidden();
+//if ($user->socid > 0) $socid = $user->socid;
+$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0);
+$result = restrictedArea($user, 'mrp', $object->id, 'mrp_mo', '', 'fk_soc', 'rowid', $isdraft);
 /*
diff --git a/htdocs/mrp/mo_card.php b/htdocs/mrp/mo_card.php
index 0e2cc09e811..30a577ba85b 100644
--- a/htdocs/mrp/mo_card.php
+++ b/htdocs/mrp/mo_card.php
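Review bot: index() never checks a permission, while get() requires `DolibarrApiAccess::$user->rights->mrp->read` and post/put/delete require write/delete; the list query runs for any authenticated API user, and since the class is declared `{@requires user,external}` nothing in this file stops an external user with no MRP right from enumerating the MOs of the entity. The fix is the same guard the other methods use, as the first statement of index(): `if (!DolibarrApiAccess::$user->rights->mrp->read) { throw new RestException(401); }`. Separately, post() and put() assign every request key onto the object with `$this->mo->$field = $value` (put() skips only `id`), so a client can set `entity`, `fk_user_creat` or `status` on the object before create()/update() run; reusing the non-client field list that _validate() already has (`rowid`, `entity`, `date_creation`, `tms`, `fk_user_creat`) as a skip list in both loops would close that. Minor: the `\file` docblock says `api_mo.class.php` but the file is `api_mos.class.php`, and `@return int` on put() does not match `return $this->get($id)`.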
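Review bot: The two re-added lines `//if ($user->socid > 0) accessforbidden();` and `//if ($user->socid > 0) $socid = $user->socid;` in the second hunk are commented-out code, and the heading `// Security check - Protection if external user` no longer describes what the live call does. Suggest replacing those three lines with one comment such as `// Security check: requires the mrp right and access to this MO (mrp_mo row, fk_soc ownership); must run after the object is fetched`, keeping only `$isdraft` and the restrictedArea() call. Placing the call after actions_fetchobject.inc.php is required because it reads `$object->id` and `$object->status`, and saying so stops someone moving it back up to where the old commented check sat in the first hunk. `$result` is assigned and never read here; if restrictedArea() is relied on to call accessforbidden() itself (not visible in this diff), the bare call reads more honestly.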
@@ -107,8 +107,8 @@ if (GETPOST('fk_bom', 'int'))
 // Security check - Protection if external user
 //if ($user->socid > 0) accessforbidden();
 //if ($user->socid > 0) $socid = $user->socid;
-//$isdraft = (($object->statut == $object::STATUS_DRAFT) ? 1 : 0);
-//$result = restrictedArea($user, 'mrp', $object->id, '', '', 'fk_soc', 'rowid', $isdraft);
+$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0);
+$result = restrictedArea($user, 'mrp', $object->id, 'mrp_mo', '', 'fk_soc', 'rowid', $isdraft);
 $permissionnote = $user->rights->mrp->write; // Used by the include of actions_setnotes.inc.php
 $permissiondellink = $user->rights->mrp->write; // Used by the include of actions_dellink.inc.php
diff --git a/htdocs/mrp/mo_document.php b/htdocs/mrp/mo_document.php
index 48031b6f372..afc7ef58819 100644
--- a/htdocs/mrp/mo_document.php
+++ b/htdocs/mrp/mo_document.php
@@ -42,11 +42,6 @@ $confirm = GETPOST('confirm');
 $id = (GETPOST('socid', 'int') ? GETPOST('socid', 'int') : GETPOST('id', 'int'));
 $ref = GETPOST('ref', 'alpha');
-// Security check - Protection if external user
-//if ($user->socid > 0) accessforbidden();
-//if ($user->socid > 0) $socid = $user->socid;
-//$result = restrictedArea($user, 'mrp', $id);
-
 // Get parameters
 $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
 $sortfield = GETPOST("sortfield", 'alpha');
@@ -75,6 +70,12 @@ include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be includ
 //if ($id > 0 || ! empty($ref)) $upload_dir = $conf->mrp->multidir_output[$object->entity?$object->entity:$conf->entity] . "/mo/" . dol_sanitizeFileName($object->id);
 if ($id > 0 || !empty($ref)) $upload_dir = $conf->mrp->multidir_output[$object->entity ? $object->entity : $conf->entity]."/mo/".dol_sanitizeFileName($object->ref);
+// Security check - Protection if external user
+//if ($user->socid > 0) accessforbidden();
+//if ($user->socid > 0) $socid = $user->socid;
+$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0);
+$result = restrictedArea($user, 'mrp', $object->id, 'mrp_mo', '', 'fk_soc', 'rowid', $isdraft);
+
 /*
 * Actions
diff --git a/htdocs/mrp/mo_movements.php b/htdocs/mrp/mo_movements.php
index 2448d43bda7..25d78c8c8e1 100644
--- a/htdocs/mrp/mo_movements.php
+++ b/htdocs/mrp/mo_movements.php
@@ -118,8 +118,8 @@ include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be includ
 // Security check - Protection if external user
 //if ($user->socid > 0) accessforbidden();
 //if ($user->socid > 0) $socid = $user->socid;
-//$isdraft = (($object->statut == $object::STATUS_DRAFT) ? 1 : 0);
-//$result = restrictedArea($user, 'mrp', $object->id, '', '', 'fk_soc', 'rowid', $isdraft);
+$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0);
+$result = restrictedArea($user, 'mrp', $object->id, 'mrp_mo', '', 'fk_soc', 'rowid', $isdraft);
 $objectlist = new MouvementStock($db);
diff --git a/htdocs/mrp/mo_note.php b/htdocs/mrp/mo_note.php
index d8b72fc348c..7d0fe785c58 100644
--- a/htdocs/mrp/mo_note.php
+++ b/htdocs/mrp/mo_note.php
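Review bot: The check sits after `$upload_dir` is derived from `$object->ref` and, as far as this hunk shows, before the Actions section, so no file operation precedes restrictedArea(); that ordering is load-bearing and deserves a comment on the new lines, e.g. `// Security check: must stay above the Actions section so nothing touches $upload_dir before access is verified`, in place of the two commented-out `//if ($user->socid > 0)` lines this commit re-adds. The first hunk of this file (above) still resolves the MO id with `GETPOST('socid', 'int')` taking precedence over `id`, which looks copied from a thirdparty page; with the check now keyed on `$object->id` it is not an authorization gap, but a `socid` parameter should not select a manufacturing order and `$id = GETPOST('id', 'int');` would be clearer.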
@@ -48,15 +48,16 @@ $hookmanager->initHooks(array('monote', 'globalcard')); // Note that conf->hooks
 // Fetch optionals attributes and labels
 $extrafields->fetch_name_optionals_label($object->table_element);
-// Security check - Protection if external user
-//if ($user->socid > 0) accessforbidden();
-//if ($user->socid > 0) $socid = $user->socid;
-//$result = restrictedArea($user, 'mrp', $id);
-
 // Load object
 include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be include, not include_once // Must be include, not include_once. Include fetch and fetch_thirdparty but not fetch_optionals
 if ($id > 0 || !empty($ref)) $upload_dir = $conf->mrp->multidir_output[$object->entity]."/".$object->id;
+// Security check - Protection if external user
+//if ($user->socid > 0) accessforbidden();
+//if ($user->socid > 0) $socid = $user->socid;
+$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0);
+$result = restrictedArea($user, 'mrp', $object->id, 'mrp_mo', '', 'fk_soc', 'rowid', $isdraft);
+
 $permissionnote = 1; //$permissionnote=$user->rights->mrp->creer; // Used by the include of actions_setnotes.inc.php
diff --git a/htdocs/mrp/mo_production.php b/htdocs/mrp/mo_production.php
index 5f687b0bf7b..7ff2953def1 100644
--- a/htdocs/mrp/mo_production.php
+++ b/htdocs/mrp/mo_production.php
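Review bot: `$permissionnote = 1;` on the context line directly under the new restrictedArea() call grants note editing to every user who can open the page, whereas mo_card.php in this same commit uses `$permissionnote = $user->rights->mrp->write;` for the same actions_setnotes.inc.php include; the commented alternative `//$permissionnote=$user->rights->mrp->creer;` names a right (`creer`) that none of the other MRP pages in this diff use. For a commit titled "Fix Permissions on MO" this is the line still open: `$permissionnote = $user->rights->mrp->write; // Used by the include of actions_setnotes.inc.php` aligns it with mo_card.php. The line is unchanged context rather than part of this change, and actions_setnotes.inc.php is not in the diff, so confirm it is the only consumer before switching.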
@@ -98,8 +98,8 @@ include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be includ
 // Security check - Protection if external user
 //if ($user->socid > 0) accessforbidden();
 //if ($user->socid > 0) $socid = $user->socid;
-//$isdraft = (($object->statut == $object::STATUS_DRAFT) ? 1 : 0);
-//$result = restrictedArea($user, 'mrp', $object->id, '', '', 'fk_soc', 'rowid', $isdraft);
+$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0);
+$result = restrictedArea($user, 'mrp', $object->id, 'mrp_mo', '', 'fk_soc', 'rowid', $isdraft);
 $permissionnote = $user->rights->mrp->write; // Used by the include of actions_setnotes.inc.php
 $permissiondellink = $user->rights->mrp->write; // Used by the include of actions_dellink.inc.php