lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix several security bugs on expense report

Browse Source
This commit is contained in:
Laurent Destailleur 2017-01-26 18:08:00 +01:00
parent 9889f0a4a2
commit c1b59b1950
8 changed files with 128 additions and 105 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
htdocs/core/class/html.form.class.php
View File

@ -1372,7 +1372,7 @@ class Form
* @param int $show_empty 0=list with no empty value, 1=add also an empty value into list
* @param array $exclude Array list of users id to exclude
* @param int $disabled If select list must be disabled
* @param array $include Array list of users id to include or 'hierarchy' to have only supervised users
* @param array|string $include Array list of users id to include or 'hierarchy' to have only supervised users or 'hierarchyme' to have supervised + me
* @param array $enableonly Array list of users id to be enabled. All other must be disabled
* @param int $force_entity 0 or Id of environment to force
* @param int $maxlength Maximum length of string into list (0=no limit)
@ -1396,24 +1396,20 @@ class Form
$includeUsers=null;
// Permettre l'exclusion d'utilisateurs
if (is_array($exclude)) $excludeUsers = implode("','",$exclude);
if (is_array($exclude)) $excludeUsers = implode(",",$exclude);
// Permettre l'inclusion d'utilisateurs
if (is_array($include)) $includeUsers = implode("','",$include);
if (is_array($include)) $includeUsers = implode(",",$include);
else if ($include == 'hierarchy')
{
// Build list includeUsers to have only hierarchy
$userid=$user->id;
$include=array();
if (empty($user->users) || ! is_array($user->users)) $user->get_full_tree();
foreach($user->users as $key => $val)
{
if (preg_match('/_'.$userid.'/',$val['fullpath'])) $include[]=$val['id'];
}
$includeUsers = implode("','",$include);
//var_dump($includeUsers);exit;
//var_dump($user->users);exit;
$includeUsers = implode(",",$user->getAllChildIds(0));
}
else if ($include == 'hierarchyme')
{
// Build list includeUsers to have only hierarchy and current user
$includeUsers = implode(",",$user->getAllChildIds(1));
}
$out='';
// On recherche les utilisateurs
@ -1443,8 +1439,8 @@ class Form
}
}
if (! empty($user->societe_id)) $sql.= " AND u.fk_soc = ".$user->societe_id;
if (is_array($exclude) && $excludeUsers) $sql.= " AND u.rowid NOT IN ('".$excludeUsers."')";
if (is_array($include) && $includeUsers) $sql.= " AND u.rowid IN ('".$includeUsers."')";
if (is_array($exclude) && $excludeUsers) $sql.= " AND u.rowid NOT IN (".$excludeUsers.")";
if ($includeUsers) $sql.= " AND u.rowid IN (".$includeUsers.")";
if (! empty($conf->global->USER_HIDE_INACTIVE_IN_COMBOBOX) || $noactive) $sql.= " AND u.statut <> 0";
if (! empty($morefilter)) $sql.=" ".$morefilter;
$sql.= " ORDER BY u.lastname ASC";

104
htdocs/core/modules/modExpenseReport.class.php
View File

@ -111,54 +111,62 @@ class modExpenseReport extends DolibarrModules
$this->rights = array(); // Permission array used by this module
$this->rights_class = 'expensereport';
$this->rights[1][0] = 771;
$this->rights[1][1] = 'Read expense reports (yours and your subordinates)';
$this->rights[1][2] = 'r';
$this->rights[1][3] = 0;
$this->rights[1][4] = 'lire';
$this->rights[3][0] = 772;
$this->rights[3][1] = 'Create/modify expense reports';
$this->rights[3][2] = 'w';
$this->rights[3][3] = 0;
$this->rights[3][4] = 'creer';
$this->rights[4][0] = 773;
$this->rights[4][1] = 'Delete expense reports';
$this->rights[4][2] = 'd';
$this->rights[4][3] = 0;
$this->rights[4][4] = 'supprimer';
$this->rights[6][0] = 775;
$this->rights[6][1] = 'Approve expense reports';
$this->rights[6][2] = 'w';
$this->rights[6][3] = 0;
$this->rights[6][4] = 'approve';
$this->rights[7][0] = 776;
$this->rights[7][1] = 'Pay expense reports';
$this->rights[7][2] = 'w';
$this->rights[7][3] = 0;
$this->rights[7][4] = 'to_paid';
$this->rights[2][0] = 777;
$this->rights[2][1] = 'Read expense reports of everybody';
$this->rights[2][2] = 'r';
$this->rights[2][3] = 1;
$this->rights[2][4] = 'readall';
$this->rights[2][0] = 778;
$this->rights[2][1] = 'Create expense reports for everybody';
$this->rights[2][2] = 'w';
$this->rights[2][3] = 0;
$this->rights[2][4] = 'writeall_advance';
$this->rights[5][0] = 779;
$this->rights[5][1] = 'Export expense reports';
$this->rights[5][2] = 'r';
$this->rights[5][3] = 0;
$this->rights[5][4] = 'export';
$this->rights[$r][0] = 771;
$this->rights[$r][1] = 'Read expense reports (yours and your subordinates)';
$this->rights[$r][2] = 'r';
$this->rights[$r][3] = 0;
$this->rights[$r][4] = 'lire';
$r++;
$this->rights[$r][0] = 772;
$this->rights[$r][1] = 'Create/modify expense reports';
$this->rights[$r][2] = 'w';
$this->rights[$r][3] = 0;
$this->rights[$r][4] = 'creer';
$r++;
$this->rights[$r][0] = 773;
$this->rights[$r][1] = 'Delete expense reports';
$this->rights[$r][2] = 'd';
$this->rights[$r][3] = 0;
$this->rights[$r][4] = 'supprimer';
$r++;
$this->rights[$r][0] = 775;
$this->rights[$r][1] = 'Approve expense reports';
$this->rights[$r][2] = 'w';
$this->rights[$r][3] = 0;
$this->rights[$r][4] = 'approve';
$r++;
$this->rights[$r][0] = 776;
$this->rights[$r][1] = 'Pay expense reports';
$this->rights[$r][2] = 'w';
$this->rights[$r][3] = 0;
$this->rights[$r][4] = 'to_paid';
$r++;
$this->rights[$r][0] = 777;
$this->rights[$r][1] = 'Read expense reports of everybody';
$this->rights[$r][2] = 'r';
$this->rights[$r][3] = 1;
$this->rights[$r][4] = 'readall';
$r++;
$this->rights[$r][0] = 778;
$this->rights[$r][1] = 'Create expense reports for everybody';
$this->rights[$r][2] = 'w';
$this->rights[$r][3] = 0;
$this->rights[$r][4] = 'writeall_advance';
$r++;
$this->rights[$r][0] = 779;
$this->rights[$r][1] = 'Export expense reports';
$this->rights[$r][2] = 'r';
$this->rights[$r][3] = 0;
$this->rights[$r][4] = 'export';
$r++;
// Menus
//-------
$this->menu = 1; // This module add menu entries. They are coded into menu manager.

14
htdocs/expensereport/card.php
View File

@ -1,6 +1,6 @@
<?php
/* Copyright (C) 2003 Rodolphe Quiedeville <rodolphe@quiedeville.org>
* Copyright (C) 2004-2015 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2004-2017 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2005-2009 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2015-2016 Alexandre Spangaro <aspangaro.dolibarr@gmail.com>
*
@ -1228,8 +1228,8 @@ if ($action == 'create')
print '<td>';
$defaultselectuser=$user->id;
if (GETPOST('fk_user_author') > 0) $defaultselectuser=GETPOST('fk_user_author');
$include_users = array($user->id);
if (! empty($user->rights->expensereport->writeall)) $include_users=array();
$include_users = 'hierarchyme';
if (! empty($conf->global->MAIN_USE_ADVANCED_PERMS) && ! empty($user->rights->expensereport->writeall_advance)) $include_users=array();
$s=$form->select_dolusers($defaultselectuser, "fk_user_author", 0, "", 0, $include_users);
print $s;
print '</td>';
@ -1313,10 +1313,10 @@ else
if ($result > 0)
{
if ($object->fk_user_author != $user->id)
if (! in_array($object->fk_user_author, $user->getAllChildIds(1)))
{
if (empty($user->rights->expensereport->readall) && empty($user->rights->expensereport->lire_tous)
&& empty($user->rights->expensereport->writeall_advance))
&& (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || empty($user->rights->expensereport->writeall_advance)))
{
print load_fiche_titre($langs->trans('TripCard'));
@ -2090,7 +2090,7 @@ if ($action != 'create' && $action != 'edit')
*/
if ($user->rights->expensereport->creer && $object->fk_statut==0)
{
if ($object->fk_user_author == $user->id)
if (in_array($object->fk_user_author, $user->getAllChildIds(1)))
{
// Modify
print '<div class="inline-block divButAction"><a class="butAction" href="'.$_SERVER["PHP_SELF"].'?action=edit&id='.$object->id.'">'.$langs->trans('Modify').'</a></div>';
@ -2138,7 +2138,7 @@ if ($action != 'create' && $action != 'edit')
*/
if ($object->fk_statut == 2)
{
if ($object->fk_user_author == $user->id)
if (in_array($object->fk_user_author, $user->getAllChildIds(1)))
{
// Brouillonner
print '<div class="inline-block divButAction"><a class="butAction" href="'.$_SERVER["PHP_SELF"].'?action=brouillonner&id='.$object->id.'">'.$langs->trans('SetToDraft').'</a></div>';

3
htdocs/expensereport/class/expensereport.class.php
View File

@ -1674,11 +1674,14 @@ class ExpenseReport extends CommonObject
$now=dol_now();
$userchildids = $user->getAllChildIds(1);
$sql = "SELECT ex.rowid, ex.date_valid";
$sql.= " FROM ".MAIN_DB_PREFIX."expensereport as ex";
if ($option == 'toapprove') $sql.= " WHERE ex.fk_statut = 2";
else $sql.= " WHERE ex.fk_statut = 5";
$sql.= " AND ex.entity IN (".getEntity('expensereport', 1).")";
$sql.= " AND ex.fk_user_author IN (".join(',',$userchildids).")";
$resql=$this->db->query($sql);
if ($resql)

2
htdocs/expensereport/list.php
View File

@ -240,7 +240,7 @@ if ($search_status != '' && $search_status >= 0)
}
// RESTRICT RIGHTS
if (empty($user->rights->expensereport->readall) && empty($user->rights->expensereport->lire_tous)
&& empty($user->rights->expensereport->writeall_advance))
&& (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || empty($user->rights->expensereport->writeall_advance)))
{
$childids = $user->getAllChildIds();
$childids[]=$user->id;

32
htdocs/index.php
View File

@ -178,8 +178,8 @@ if (empty($user->societe_id))
! empty($conf->supplier_order->enabled) && $user->rights->fournisseur->commande->lire && empty($conf->global->SOCIETE_DISABLE_SUPPLIERS_ORDERS_STATS),
! empty($conf->supplier_invoice->enabled) && $user->rights->fournisseur->facture->lire && empty($conf->global->SOCIETE_DISABLE_SUPPLIERS_INVOICES_STATS),
! empty($conf->supplier_proposal->enabled) && $user->rights->supplier_proposal->lire && empty($conf->global->SOCIETE_DISABLE_SUPPLIERS_PROPOSAL_STATS),
! empty($conf->expensereport->enabled) && $user->rights->expensereport->lire,
! empty($conf->projet->enabled) && $user->rights->projet->lire
! empty($conf->projet->enabled) && $user->rights->projet->lire,
! empty($conf->expensereport->enabled) && $user->rights->expensereport->lire
);
// Class file containing the method load_state_board for each line
$includes=array(
@ -199,8 +199,8 @@ if (empty($user->societe_id))
DOL_DOCUMENT_ROOT."/fourn/class/fournisseur.commande.class.php",
DOL_DOCUMENT_ROOT."/fourn/class/fournisseur.facture.class.php",
DOL_DOCUMENT_ROOT."/supplier_proposal/class/supplier_proposal.class.php",
DOL_DOCUMENT_ROOT."/expensereport/class/expensereport.class.php",
DOL_DOCUMENT_ROOT."/projet/class/project.class.php"
DOL_DOCUMENT_ROOT."/projet/class/project.class.php",
DOL_DOCUMENT_ROOT."/expensereport/class/expensereport.class.php"
);
// Name class containing the method load_state_board for each line
$classes=array('User',
@ -219,8 +219,8 @@ if (empty($user->societe_id))
'CommandeFournisseur',
'FactureFournisseur',
'SupplierProposal',
'ExpenseReport',
'Project'
'Project',
'ExpenseReport'
);
// Cle array returned by the method load_state_board for each line
$keys=array('users',
@ -239,8 +239,8 @@ if (empty($user->societe_id))
'supplier_orders',
'supplier_invoices',
'askprice',
'expensereports',
'projects'
'projects',
'expensereports'
);
// Dashboard Icon lines
$icons=array('user',
@ -259,8 +259,8 @@ if (empty($user->societe_id))
'order',
'bill',
'propal',
'trip',
'project'
'project',
'trip'
);
// Translation keyword
$titres=array("Users",
@ -279,8 +279,8 @@ if (empty($user->societe_id))
"SuppliersOrders",
"SuppliersInvoices",
"SupplierProposalShort",
"ExpenseReports",
"Projects"
"Projects",
"ExpenseReports"
);
// Dashboard Link lines
$links=array(
@ -300,8 +300,8 @@ if (empty($user->societe_id))
DOL_URL_ROOT.'/fourn/commande/list.php',
DOL_URL_ROOT.'/fourn/facture/list.php',
DOL_URL_ROOT.'/supplier_proposal/list.php',
DOL_URL_ROOT.'/expensereport/list.php?mainmenu=hrm',
DOL_URL_ROOT.'/projet/list.php?mainmenu=project'
DOL_URL_ROOT.'/projet/list.php?mainmenu=project',
DOL_URL_ROOT.'/expensereport/list.php?mainmenu=hrm'
);
// Translation lang files
$langfile=array("users",
@ -318,8 +318,8 @@ if (empty($user->societe_id))
"supplier_proposal",
"contracts",
"interventions",
"trips",
"projects"
"projects",
"trips"
);

5
htdocs/user/card.php
View File

@ -752,9 +752,10 @@ if (($action == 'create') || ($action == 'adduserldap'))
print '</td></tr>';
// Employee
$defaultemployee=1;
print '<tr>';
print '<td>'.fieldLabel('Employee','employee',0).'</td><td>';
print $form->selectyesno("employee",(GETPOST('employee')?GETPOST('employee'):0),1);
print '<td>'.$langs->trans('Employee').'</td><td>';
print $form->selectyesno("employee",(GETPOST('employee')!=''?GETPOST('employee'):$defaultemployee),1);
print '</td></tr>';
// Position/Job

45
htdocs/user/class/user.class.php
View File

@ -127,6 +127,9 @@ class User extends CommonObject
public $dateemployment; // Define date of employment by company
private $cache_childids;
/**
* Constructor de la classe
*
@ -2600,26 +2603,38 @@ class User extends CommonObject
}
/**
* Return list of all child users id in herarchy (all sublevels).
* Return list of all child users id in herarchy of current user (all sublevels).
*
* @return int $addcurrentuser 1=Add also current user id to the list.
* @return array Array of user id lower than user. This overwrite this->users.
* @see get_children
*/
function getAllChildIds()
function getAllChildIds($addcurrentuser=0)
{
// Init this->users
$this->get_full_tree();
$idtoscan=$this->id;
$childids=array();
dol_syslog("Build childid for id = ".$idtoscan);
foreach($this->users as $id => $val)
{
//var_dump($val['fullpath']);
if (preg_match('/_'.$idtoscan.'_/', $val['fullpath'])) $childids[$val['id']]=$val['id'];
}
$childids=array();
if (isset($this->cache_childids[$this->id]))
{
$childids = $this->cache_childids[$this->id];
}
else
{
// Init this->users
$this->get_full_tree();
$idtoscan=$this->id;
dol_syslog("Build childid for id = ".$idtoscan);
foreach($this->users as $id => $val)
{
//var_dump($val['fullpath']);
if (preg_match('/_'.$idtoscan.'_/', $val['fullpath'])) $childids[$val['id']]=$val['id'];
}
}
$this->cache_childids[$this->id] = $childids;
if ($addcurrentuser) $childids[$this->id]=$this->id;
return $childids;
}