From 63b15dd1b643d01235685220712499ae6f54f320 Mon Sep 17 00:00:00 2001
From: Ferran Marcet
Date: Mon, 3 Aug 2020 11:17:30 +0200
Subject: [PATCH 01/10] Fix: User can see events that are not assigned to it
---
 htdocs/core/lib/security.lib.php | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 1a8045df014..ed0424d8968 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -1,6 +1,7 @@
 * Copyright (C) 2008-2017 Regis Houssin
+ * Copyright (C) 2020 Ferran Marcet
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -247,6 +248,26 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
 {
 if (! $user->rights->projet->lire && ! $user->rights->projet->all->lire) { $readok=0; $nbko++; }
 }
+ elseif ($feature == 'agenda')
+ {
+ if ($objectid > 0) {
+ require_once DOL_DOCUMENT_ROOT . '/comm/action/class/actioncomm.class.php';
+ $action = new ActionComm($db);
+ $action->fetch($objectid);
+ if (empty($user->rights->agenda->allactions->read) && (($action->authorid != $user->id && $action->userownerid != $user->id && !(array_key_exists($user->id,
+ $action->userassigned))) || empty($user->rights->agenda->myactions->read))) {
+ $readok = 0;
+ $nbko++;
+ }
+ }
+ else{
+ if (empty($user->rights->agenda->myactions->read) && empty($user->rights->agenda->allactions->read)) {
+ $readok = 0;
+ $nbko++;
+ }
+ }
+
+ }
 elseif (! empty($feature2)) // This is for permissions on 2 levels
 {
 $tmpreadok=1;
From 9926eac1926877bc97e3ceab8376053e48a098f0 Mon Sep 17 00:00:00 2001
From: stickler-ci
Date: Mon, 3 Aug 2020 09:26:36 +0000
Subject: [PATCH 02/10] Fixing style errors.
---
 htdocs/core/lib/security.lib.php | 1 -
 1 file changed, 1 deletion(-)
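Review bot: The return value of `$action->fetch($objectid)` is never checked in the new agenda branch, so a missing or unreadable event leaves `$action` empty and the ownership test runs against null fields; in particular `array_key_exists($user->id, $action->userassigned)` then receives a non-array, which warns on PHP 7 and throws a TypeError on PHP 8. Treat a non-positive fetch result as a denial (`$readok = 0; $nbko++;`) before the comparison and prefix the assigned-user lookup with `is_array($action->userassigned) &&`, so the check fails closed instead of relying on an engine warning. The same unchecked fetch is introduced again in the checkUserAccessToObject hunk of patch 03 (reformatted by patch 05). `$db` is not declared within this hunk; presumably it is the global connection imported at the top of restrictedArea, which lies outside the hunk.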
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index ed0424d8968..e4dde96b464 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -266,7 +266,6 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
 $nbko++;
 }
 }
-
 }
 elseif (! empty($feature2)) // This is for permissions on 2 levels
 {
From 7a077a2d9934e2cdababc6c610c7b8b2d1d21dc5 Mon Sep 17 00:00:00 2001
From: Ferran Marcet
Date: Tue, 4 Aug 2020 16:45:04 +0200
Subject: [PATCH 03/10] Fix: User can see events that are not assigned to it
---
 htdocs/core/lib/security.lib.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index e4dde96b464..41534d8aac3 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -576,6 +576,18 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
 $sql.= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
 $sql.= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
 }
+
+ if ($feature == 'agenda')// Also check myactions rights
+ {
+ if ($objectid > 0 && empty($user->rights->agenda->allactions->read)) {
+ require_once DOL_DOCUMENT_ROOT . '/comm/action/class/actioncomm.class.php';
+ $action = new ActionComm($db);
+ $action->fetch($objectid);
+ if ($action->authorid != $user->id && $action->userownerid != $user->id && !(array_key_exists($user->id,$action->userassigned))) {
+ return false;
+ }
+ }
+ }
 }
 elseif (in_array($feature, $checkproject))
 {
From 70ad2fcee074bbd1947f067d508d3e5c1fe4eb85 Mon Sep 17 00:00:00 2001
From: Ferran Marcet
Date: Tue, 4 Aug 2020 16:45:57 +0200
Subject: [PATCH 04/10] Fix: User can see events that are not assigned to it
---
 htdocs/core/lib/security.lib.php | 19 -------------------
 1 file changed, 19 deletions(-)
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 41534d8aac3..f9db2a0e796 100644
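Review bot: The new comment `// Also check myactions rights` promises a check the code does not make: nothing tests `$user->rights->agenda->myactions->read`, so a user holding neither agenda right who authored the event passes this branch unless a caller has already rejected them (restrictedArea is outside this hunk). Either add the test, e.g. `if (empty($user->rights->agenda->myactions->read)) return false;` ahead of the ownership comparison, or reword the comment to `// Also check that the user is author, owner or assigned to the event`. The context two lines above builds `IN (".$objectid.")`, so `$objectid` can apparently be a comma-separated list in this function; `$objectid > 0` on such a string is a loose comparison and `fetch()` would receive the whole list, so the branch should iterate the ids or bail out when `$objectid` is not a single integer. checkUserAccessToObject continues on both sides of the hunk.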
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -248,25 +248,6 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
 {
 if (! $user->rights->projet->lire && ! $user->rights->projet->all->lire) { $readok=0; $nbko++; }
 }
- elseif ($feature == 'agenda')
- {
- if ($objectid > 0) {
- require_once DOL_DOCUMENT_ROOT . '/comm/action/class/actioncomm.class.php';
- $action = new ActionComm($db);
- $action->fetch($objectid);
- if (empty($user->rights->agenda->allactions->read) && (($action->authorid != $user->id && $action->userownerid != $user->id && !(array_key_exists($user->id,
- $action->userassigned))) || empty($user->rights->agenda->myactions->read))) {
- $readok = 0;
- $nbko++;
- }
- }
- else{
- if (empty($user->rights->agenda->myactions->read) && empty($user->rights->agenda->allactions->read)) {
- $readok = 0;
- $nbko++;
- }
- }
- }
 elseif (! empty($feature2)) // This is for permissions on 2 levels
 {
 $tmpreadok=1;
From 8d8821743471e1359bd9f5d6da720c0f6ed4d2a9 Mon Sep 17 00:00:00 2001
From: stickler-ci
Date: Tue, 4 Aug 2020 14:48:15 +0000
Subject: [PATCH 05/10] Fixing style errors.
---
 htdocs/core/lib/security.lib.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index f9db2a0e796..804414d04df 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -564,7 +564,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
 require_once DOL_DOCUMENT_ROOT . '/comm/action/class/actioncomm.class.php';
 $action = new ActionComm($db);
 $action->fetch($objectid);
- if ($action->authorid != $user->id && $action->userownerid != $user->id && !(array_key_exists($user->id,$action->userassigned))) {
+ if ($action->authorid != $user->id && $action->userownerid != $user->id && !(array_key_exists($user->id, $action->userassigned))) {
 return false;
 }
 }
From 10df9777b54154a30a64652c941e1e5176e60dce Mon Sep 17 00:00:00 2001
From: Ferran Marcet
Date: Mon, 10 Aug 2020 09:53:20 +0200
Subject: [PATCH 06/10] FIX: Visualization rights correction on last modified contacts box
---
 htdocs/core/boxes/box_contacts.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/core/boxes/box_contacts.php b/htdocs/core/boxes/box_contacts.php
index caea252c571..7141728c23d 100644
--- a/htdocs/core/boxes/box_contacts.php
+++ b/htdocs/core/boxes/box_contacts.php
@@ -94,7 +94,7 @@ class box_contacts extends ModeleBoxes
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON sp.fk_soc = s.rowid";
 if (!$user->rights->societe->client->voir && !$user->socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
 $sql .= " WHERE sp.entity IN (".getEntity('socpeople').")";
- if (!$user->rights->societe->client->voir && !$user->socid) $sql .= " AND sp.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
+ if (!$user->rights->societe->client->voir && !$user->socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 if ($user->socid) $sql .= " AND sp.fk_soc = ".$user->socid;
 $sql .= " ORDER BY sp.tms DESC";
 $sql .= $this->db->plimit($max, 0);
From f385e02c5317baa7464ef80c2d8eb018adc9e06b Mon Sep 17 00:00:00 2001
From: lvessiller
Date: Thu, 13 Aug 2020 17:43:18 +0200
Subject: [PATCH 07/10] FIX title button attribute id empty
---
 htdocs/core/lib/functions.lib.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 1f7c08c8d7a..97ad5d58969 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -8258,7 +8258,7 @@ function dolGetButtonTitle($label, $helpText = '', $iconClass = 'fa fa-file', $u
 $attr['class'] .= ' classfortooltip';
 }
- if(empty($id)){
+ if(!empty($id)){
 $attr['id'] = $id;
 }
From 52f20a1047acda7d13dca7d8fe6fdbf69b560fdc Mon Sep 17 00:00:00 2001
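Review bot: On the changed line `$user->id` (and `$user->socid` on the line below it) is concatenated straight into the SQL text; both values come from the logged-in session rather than the request, but an explicit cast, `" AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id)`, makes the statement safe by construction and documents the expected type. Joining `societe_commerciaux` through the WHERE clause also turns the earlier `LEFT JOIN societe` into an effective inner join for users without `societe->client->voir`, so contacts with no company drop out of their box; that looks intended but deserves a one-line comment such as `// Restricted users only see contacts of companies they are sales rep for`. The SQL assembly continues outside the hunk.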
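Review bot: The corrected condition is written `if(!empty($id)){`; PSR-12 spacing, `if (!empty($id)) {`, would match the brace style of the `}` just above it (the rest of dolGetButtonTitle is outside the hunk, so the prevailing style is inferred). `$attr['id'] = $id` stores the caller's value verbatim; if the attribute array is later rendered without escaping, passing it through `dol_escape_htmltag($id)` here keeps the id attribute from breaking out of the tag. Where `$attr` is rendered is not visible in this hunk.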
From: Laurent Destailleur
Date: Fri, 14 Aug 2020 11:52:21 +0200
Subject: [PATCH 08/10] Fix travis
---
 htdocs/categories/class/categorie.class.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/htdocs/categories/class/categorie.class.php b/htdocs/categories/class/categorie.class.php
index 40c37d4dd93..fe44c7393ba 100644
--- a/htdocs/categories/class/categorie.class.php
+++ b/htdocs/categories/class/categorie.class.php
@@ -755,7 +755,8 @@ class Categorie extends CommonObject
 {
 $objs = array();
- $obj = new $this->MAP_OBJ_CLASS[$type]( $this->db );
+ $classnameforobj = $this->MAP_OBJ_CLASS[$type];
+ $obj = new $classnameforobj($this->db);
 $sql = "SELECT c.fk_" . $this->MAP_CAT_FK[$type];
 $sql .= " FROM " . MAIN_DB_PREFIX . "categorie_" . $this->MAP_CAT_TABLE[$type] . " as c";
From fe0b1c5ee49b2f8e41a088cac8ac8138a4360f4c Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 14 Aug 2020 11:53:54 +0200
Subject: [PATCH 09/10] Fix travis
---
 htdocs/categories/class/categorie.class.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/htdocs/categories/class/categorie.class.php b/htdocs/categories/class/categorie.class.php
index fe44c7393ba..b0bcbadc010 100644
--- a/htdocs/categories/class/categorie.class.php
+++ b/htdocs/categories/class/categorie.class.php
@@ -777,7 +777,9 @@ class Categorie extends CommonObject
 }
 else
 {
- $obj = new $this->MAP_OBJ_CLASS[$type]( $this->db );
+ $classnameforobj = $this->MAP_OBJ_CLASS[$type];
+
+ $obj = new $classnameforobj($this->db);
 $obj->fetch($rec['fk_' . $this->MAP_CAT_FK[$type]]);
 $objs[] = $obj;
 }
From d5acc85ef08f8f4fd113ab441c5da13568f37d48 Mon Sep 17 00:00:00 2001
From: lvessiller
Date: Fri, 14 Aug 2020 12:18:28 +0200
Subject: [PATCH 10/10] FIX param entity in html form file
---
 htdocs/core/class/html.formfile.class.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
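Review bot: `$this->MAP_OBJ_CLASS[$type]` is read into `$classnameforobj` without checking that `$type` is a key of the map, so an unknown type produces a notice, a null class name and a fatal error at `new $classnameforobj($this->db)` instead of a handled failure. Because this value decides which class is instantiated, guard the lookup before the `new`: `if (empty($this->MAP_OBJ_CLASS[$type])) { return -1; }` (substitute whatever error value the enclosing method already returns; its signature is outside the hunk). The same unguarded lookup is introduced again by patch 09 at line 777 of the same file. The surrounding method starts and ends outside both hunks.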
diff --git a/htdocs/core/class/html.formfile.class.php b/htdocs/core/class/html.formfile.class.php
index 2508ebce5ca..53e19a560f0 100644
--- a/htdocs/core/class/html.formfile.class.php
+++ b/htdocs/core/class/html.formfile.class.php
@@ -352,7 +352,9 @@ class FormFile
 // Add entity in $param if not already exists
 if (!preg_match('/entity\=[0-9]+/', $param))
 {
- $param.= 'entity='.(!empty($object->entity)?$object->entity:$conf->entity);
+ $paramEntity = 'entity='.(!empty($object->entity)?$object->entity:$conf->entity);
+ if (!empty($param)) $paramEntity = '&' .$paramEntity;
+ $param .= $paramEntity;
 }
 $printer=0;
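Review bot: The added `if (!empty($param)) $paramEntity = '&' .$paramEntity;` is a brace-less single-line conditional with uneven spacing; `if (!empty($param)) { $paramEntity = '&'.$paramEntity; }` reads the same and avoids the dangling-statement trap when a second line is added later. The entity number is appended to the query string as-is; casting it, `'entity='.((int) (!empty($object->entity) ? $object->entity : $conf->entity))`, keeps the generated `$param` consistent with the `[0-9]+` shape the `preg_match` guard above expects. If a caller ever passes `$param` with a trailing `&`, the new code produces `&&`; whether that can happen is not visible from the hunk, and the enclosing method continues outside it.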