From 104e786a794b8e1c994bc2c9a6e5a5ba9e97f1ef Mon Sep 17 00:00:00 2001 From: "Sekan, Tobias" Date: Tue, 21 Apr 2020 10:02:18 +0200 Subject: [PATCH 1/2] cleanup user rights on forun facture card --- htdocs/fourn/facture/card.php | 109 +++++++++++++++++----------------- 1 file changed, 54 insertions(+), 55 deletions(-) diff --git a/htdocs/fourn/facture/card.php b/htdocs/fourn/facture/card.php index 697c8cb74f0..c49d4c6e76b 100644 --- a/htdocs/fourn/facture/card.php +++ b/htdocs/fourn/facture/card.php @@ -99,12 +99,16 @@ if (!empty($user->socid)) $socid = $user->socid; $isdraft = (($object->statut == FactureFournisseur::STATUS_DRAFT) ? 1 : 0); $result = restrictedArea($user, 'fournisseur', $id, 'facture_fourn', 'facture', 'fk_soc', 'rowid', $isdraft); +$usercanread = $user->rights->fournisseur->facture->lire; $usercancreate = $user->rights->fournisseur->facture->creer; +$usercandelete = $user->rights->fournisseur->facture->supprimer; +$usercanvalidate = ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && !empty($usercancreate)) || (!empty($conf->global->MAIN_USE_ADVANCED_PERMS) && !empty($user->rights->fournisseur->supplier_invoice_advance->validate))); +$usercansend = (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || $user->rights->fournisseur->supplier_invoice_advance->send); -$permissionnote = $user->rights->fournisseur->facture->creer; // Used by the include of actions_setnotes.inc.php -$permissiondellink = $user->rights->fournisseur->facture->creer; // Used by the include of actions_dellink.inc.php -$permissiontoedit = $user->rights->fournisseur->facture->creer; // Used by the include of actions_lineupdown.inc.php -$permissiontoadd = $user->rights->fournisseur->facture->creer; // Used by the include of actions_addupdatedelete.inc.php and actions_lineupdown.inc.php +$permissionnote = $usercancreate; // Used by the include of actions_setnotes.inc.php +$permissiondellink = $usercancreate; // Used by the include of actions_dellink.inc.php +$permissiontoedit = $usercancreate; // Used by the include of actions_lineupdown.inc.php +$permissiontoadd = $usercancreate; // Used by the include of actions_addupdatedelete.inc.php and actions_lineupdown.inc.php /* @@ -163,10 +167,7 @@ if (empty($reshook)) } } - elseif ($action == 'confirm_valid' && $confirm == 'yes' && - ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && !empty($user->rights->fournisseur->facture->creer)) - || (!empty($conf->global->MAIN_USE_ADVANCED_PERMS) && !empty($user->rights->fournisseur->supplier_invoice_advance->validate))) - ) + elseif ($action == 'confirm_valid' && $confirm == 'yes' && $usercanvalidate) { $idwarehouse = GETPOST('idwarehouse'); @@ -230,8 +231,7 @@ if (empty($reshook)) $isErasable = $object->is_erasable(); - if (($user->rights->fournisseur->facture->supprimer && $isErasable > 0) - || ($user->rights->fournisseur->facture->creer && $isErasable == 1)) + if (($usercandelete && $isErasable > 0) || ($usercancreate && $isErasable == 1)) { $result = $object->delete($user); if ($result > 0) @@ -247,7 +247,7 @@ if (empty($reshook)) } // Remove a product line - elseif ($action == 'confirm_deleteline' && $confirm == 'yes' && $user->rights->fournisseur->facture->creer) + elseif ($action == 'confirm_deleteline' && $confirm == 'yes' && $usercancreate) { $result = $object->deleteline($lineid); if ($result > 0) @@ -280,14 +280,14 @@ if (empty($reshook)) } // Delete link of credit note to invoice - elseif ($action == 'unlinkdiscount' && $user->rights->fournisseur->facture->creer) + elseif ($action == 'unlinkdiscount' && $usercancreate) { $discount = new DiscountAbsolute($db); $result = $discount->fetch(GETPOST("discountid")); $discount->unlink_invoice(); } - elseif ($action == 'confirm_paid' && $confirm == 'yes' && $user->rights->fournisseur->facture->creer) + elseif ($action == 'confirm_paid' && $confirm == 'yes' && $usercancreate) { $object->fetch($id); $result = $object->set_paid($user); @@ -298,7 +298,7 @@ if (empty($reshook)) } // Set supplier ref - if ($action == 'setref_supplier' && $user->rights->fournisseur->facture->creer) + if ($action == 'setref_supplier' && $usercancreate) { $object->ref_supplier = GETPOST('ref_supplier', 'alpha'); @@ -328,7 +328,7 @@ if (empty($reshook)) } // payments conditions - if ($action == 'setconditions' && $user->rights->fournisseur->facture->creer) + if ($action == 'setconditions' && $usercancreate) { $result = $object->setPaymentTerms(GETPOST('cond_reglement_id', 'int')); } @@ -340,35 +340,35 @@ if (empty($reshook)) } // payment mode - elseif ($action == 'setmode' && $user->rights->fournisseur->facture->creer) + elseif ($action == 'setmode' && $usercancreate) { $result = $object->setPaymentMethods(GETPOST('mode_reglement_id', 'int')); } // Multicurrency Code - elseif ($action == 'setmulticurrencycode' && $user->rights->fournisseur->facture->creer) { + elseif ($action == 'setmulticurrencycode' && $usercancreate) { $result = $object->setMulticurrencyCode(GETPOST('multicurrency_code', 'alpha')); } // Multicurrency rate - elseif ($action == 'setmulticurrencyrate' && $user->rights->fournisseur->facture->creer) { + elseif ($action == 'setmulticurrencyrate' && $usercancreate) { $result = $object->setMulticurrencyRate(price2num(GETPOST('multicurrency_tx', 'alpha'))); } // bank account - elseif ($action == 'setbankaccount' && $user->rights->fournisseur->facture->creer) { + elseif ($action == 'setbankaccount' && $usercancreate) { $result = $object->setBankAccount(GETPOST('fk_account', 'int')); } // Set label - elseif ($action == 'setlabel' && $user->rights->fournisseur->facture->creer) + elseif ($action == 'setlabel' && $usercancreate) { $object->fetch($id); $object->label = GETPOST('label'); $result = $object->update($user); if ($result < 0) dol_print_error($db); } - elseif ($action == 'setdatef' && $user->rights->fournisseur->facture->creer) + elseif ($action == 'setdatef' && $usercancreate) { $newdate = dol_mktime(0, 0, 0, $_POST['datefmonth'], $_POST['datefday'], $_POST['datefyear']); if ($newdate > (dol_now() + (empty($conf->global->INVOICE_MAX_OFFSET_IN_FUTURE) ? 0 : $conf->global->INVOICE_MAX_OFFSET_IN_FUTURE))) @@ -393,7 +393,7 @@ if (empty($reshook)) $result = $object->update($user); if ($result < 0) dol_print_error($db, $object->error); } - elseif ($action == 'setdate_lim_reglement' && $user->rights->fournisseur->facture->creer) + elseif ($action == 'setdate_lim_reglement' && $usercancreate) { $object->fetch($id); $object->date_echeance = dol_mktime(12, 0, 0, $_POST['date_lim_reglementmonth'], $_POST['date_lim_reglementday'], $_POST['date_lim_reglementyear']); @@ -614,7 +614,7 @@ if (empty($reshook)) // Delete payment - elseif ($action == 'confirm_delete_paiement' && $confirm == 'yes' && $user->rights->fournisseur->facture->creer) + elseif ($action == 'confirm_delete_paiement' && $confirm == 'yes' && $usercancreate) { $object->fetch($id); if ($object->statut == FactureFournisseur::STATUS_VALIDATED && $object->paye == 0) @@ -1065,7 +1065,7 @@ if (empty($reshook)) } // Edit line - elseif ($action == 'updateline' && $user->rights->fournisseur->facture->creer) + elseif ($action == 'updateline' && $usercancreate) { $db->begin(); @@ -1162,7 +1162,7 @@ if (empty($reshook)) } } - elseif ($action == 'addline' && $user->rights->fournisseur->facture->creer) + elseif ($action == 'addline' && $usercancreate) { $db->begin(); @@ -1463,7 +1463,7 @@ if (empty($reshook)) $action = ''; } - elseif ($action == 'classin' && $user->rights->fournisseur->facture->creer) + elseif ($action == 'classin' && $usercancreate) { $object->fetch($id); $result = $object->setProject($projectid); @@ -1471,7 +1471,7 @@ if (empty($reshook)) // Set invoice to draft status - elseif ($action == 'confirm_edit' && $confirm == 'yes' && $user->rights->fournisseur->facture->creer) + elseif ($action == 'confirm_edit' && $confirm == 'yes' && $usercancreate) { $object->fetch($id); @@ -1538,7 +1538,7 @@ if (empty($reshook)) } // Set invoice to validated/unpaid status - elseif ($action == 'reopen' && $user->rights->fournisseur->facture->creer) + elseif ($action == 'reopen' && $usercancreate) { $result = $object->fetch($id); if ($object->statut == FactureFournisseur::STATUS_CLOSED @@ -1569,7 +1569,7 @@ if (empty($reshook)) // Actions to build doc $upload_dir = $conf->fournisseur->facture->dir_output; - $permissiontoadd = $user->rights->fournisseur->facture->creer; + $permissiontoadd = $usercancreate; include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php'; // Make calculation according to calculationrule @@ -1611,7 +1611,7 @@ if (empty($reshook)) $action = 'edit_extras'; } - if (!empty($conf->global->MAIN_DISABLE_CONTACTS_TAB) && $user->rights->fournisseur->facture->creer) + if (!empty($conf->global->MAIN_DISABLE_CONTACTS_TAB) && $usercancreate) { if ($action == 'addcontact') { @@ -2439,8 +2439,8 @@ else $morehtmlref = '
'; // Ref supplier - $morehtmlref .= $form->editfieldkey("RefSupplier", 'ref_supplier', $object->ref_supplier, $object, $user->rights->fournisseur->facture->creer, 'string', '', 0, 1); - $morehtmlref .= $form->editfieldval("RefSupplier", 'ref_supplier', $object->ref_supplier, $object, $user->rights->fournisseur->facture->creer, 'string', '', null, null, '', 1); + $morehtmlref .= $form->editfieldkey("RefSupplier", 'ref_supplier', $object->ref_supplier, $object, $usercancreate, 'string', '', 0, 1); + $morehtmlref .= $form->editfieldval("RefSupplier", 'ref_supplier', $object->ref_supplier, $object, $usercancreate, 'string', '', null, null, '', 1); // Thirdparty $morehtmlref .= '
'.$langs->trans('ThirdParty').' : '.$object->thirdparty->getNomUrl(1); if (empty($conf->global->MAIN_DISABLE_OTHER_LINK) && $object->thirdparty->id > 0) $morehtmlref .= ' ('.$langs->trans("OtherBills").')'; @@ -2449,7 +2449,7 @@ else { $langs->load("projects"); $morehtmlref .= '
'.$langs->trans('Project').' '; - if ($user->rights->fournisseur->facture->creer) + if ($usercancreate) { if ($action != 'classify') { $morehtmlref .= ''.img_edit($langs->transnoentitiesnoconv('SetProject')).' : '; @@ -2549,11 +2549,11 @@ else // Label print ''; - print ''.$form->editfieldkey("Label", 'label', $object->label, $object, ($user->rights->fournisseur->facture->creer)).''; - print ''.$form->editfieldval("Label", 'label', $object->label, $object, ($user->rights->fournisseur->facture->creer)).''; + print ''.$form->editfieldkey("Label", 'label', $object->label, $object, ($usercancreate)).''; + print ''.$form->editfieldval("Label", 'label', $object->label, $object, ($usercancreate)).''; print ''; - $form_permission = ($object->statut < FactureFournisseur::STATUS_CLOSED) && $user->rights->fournisseur->facture->creer && ($object->getSommePaiement() <= 0); + $form_permission = ($object->statut < FactureFournisseur::STATUS_CLOSED) && $usercancreate && ($object->getSommePaiement() <= 0); // Date print ''.$form->editfieldkey("DateInvoice", 'datef', $object->datep, $object, $form_permission, 'datepicker').''; @@ -2574,7 +2574,7 @@ else print ''; } print '
'; print $langs->trans('PaymentConditions'); print ''; - if ($action != 'editconditions' && $user->rights->fournisseur->facture->creer) { + if ($action != 'editconditions' && $usercancreate) { print 'id.'">'.img_edit($langs->trans('SetConditions'), 1).'
'; @@ -2596,7 +2596,7 @@ else print ''; - if ($action != 'editmode' && $user->rights->fournisseur->facture->creer) { + if ($action != 'editmode' && $usercancreate) { print ''; } print '
'; print $langs->trans('PaymentMode'); print 'id.'">'.img_edit($langs->trans('SetMode'), 1).'
'; @@ -2665,7 +2665,7 @@ else print ''; print '
'; print $langs->trans('BankAccount'); print ''; - if ($action != 'editbankaccount' && $user->rights->fournisseur->facture->creer) + if ($action != 'editbankaccount' && $usercancreate) print 'id.'">'.img_edit($langs->trans('SetBankAccount'), 1).'
'; print ''; @@ -2684,7 +2684,7 @@ else print '
'; print $langs->trans('IncotermLabel'); print ''; - if ($user->rights->fournisseur->facture->creer) print ''.img_edit().''; + if ($usercancreate) print ''.img_edit().''; else print ' '; print '
'; print ''; @@ -3077,7 +3077,7 @@ else $num = count($object->lines); // Form to add new line - if ($object->statut == FactureFournisseur::STATUS_DRAFT && $user->rights->fournisseur->facture->creer) + if ($object->statut == FactureFournisseur::STATUS_DRAFT && $usercancreate) { if ($action != 'editline') { @@ -3110,7 +3110,7 @@ else if (empty($reshook)) { // Modify a validated invoice with no payments - if ($object->statut == FactureFournisseur::STATUS_VALIDATED && $action != 'confirm_edit' && $object->getSommePaiement() == 0 && $user->rights->fournisseur->facture->creer) + if ($object->statut == FactureFournisseur::STATUS_VALIDATED && $action != 'confirm_edit' && $object->getSommePaiement() == 0 && $usercancreate) { // We check if lines of invoice are not already transfered into accountancy $ventilExportCompta = $object->getVentilExportCompta(); // Should be 0 since the sum of payments are zero. But we keep the protection. @@ -3133,13 +3133,13 @@ else || ($object->type == FactureFournisseur::TYPE_CREDIT_NOTE && empty($discount->id))) && ($object->statut == FactureFournisseur::STATUS_CLOSED || $object->statut == FactureFournisseur::STATUS_ABANDONED)) // A paid invoice (partially or completely) { - if (!$facidnext && $object->close_code != 'replaced' && $user->rights->fournisseur->facture->creer) // Not replaced by another invoice + if (!$facidnext && $object->close_code != 'replaced' && $usercancreate) // Not replaced by another invoice { print '
'.$langs->trans('ReOpen').'
'; } else { - if ($user->rights->fournisseur->facture->creer) { + if ($usercancreate) { print '
'.$langs->trans('ReOpen').'
'; } elseif (empty($conf->global->MAIN_BUTTON_HIDE_UNAUTHORIZED)) { print '
'.$langs->trans('ReOpen').'
'; @@ -3151,7 +3151,7 @@ else if (empty($user->socid)) { if (($object->statut == FactureFournisseur::STATUS_VALIDATED || $object->statut == FactureFournisseur::STATUS_CLOSED)) { - if (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || $user->rights->fournisseur->supplier_invoice_advance->send) + if ($usercansend) { print '
'.$langs->trans('SendMail').'
'; } @@ -3190,18 +3190,18 @@ else } // For standard invoice with excess paid - if ($object->type == FactureFournisseur::TYPE_STANDARD && empty($object->paye) && ($object->total_ttc - $totalpaye - $totalcreditnotes - $totaldeposits) < 0 && $user->rights->fournisseur->facture->creer && empty($discount->id)) + if ($object->type == FactureFournisseur::TYPE_STANDARD && empty($object->paye) && ($object->total_ttc - $totalpaye - $totalcreditnotes - $totaldeposits) < 0 && $usercancreate && empty($discount->id)) { print '
'.$langs->trans('ConvertExcessPaidToReduc').'
'; } // For credit note - if ($object->type == FactureFournisseur::TYPE_CREDIT_NOTE && $object->statut == 1 && $object->paye == 0 && $user->rights->fournisseur->facture->creer + if ($object->type == FactureFournisseur::TYPE_CREDIT_NOTE && $object->statut == 1 && $object->paye == 0 && $usercancreate && (!empty($conf->global->SUPPLIER_INVOICE_ALLOW_REUSE_OF_CREDIT_WHEN_PARTIALLY_REFUNDED) || $object->getSommePaiement() == 0) ) { print '
'.$langs->trans('ConvertToReduc').'
'; } // For deposit invoice - if ($object->type == FactureFournisseur::TYPE_DEPOSIT && $object->paye == 1 && $resteapayer == 0 && $user->rights->fournisseur->facture->creer && empty($discount->id)) + if ($object->type == FactureFournisseur::TYPE_DEPOSIT && $object->paye == 1 && $resteapayer == 0 && $usercancreate && empty($discount->id)) { print '
'.$langs->trans('ConvertToReduc').'
'; } @@ -3212,8 +3212,7 @@ else { if (count($object->lines)) { - if ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && !empty($user->rights->fournisseur->facture->creer)) - || (!empty($conf->global->MAIN_USE_ADVANCED_PERMS) && !empty($user->rights->fournisseur->supplier_invoice_advance->validate))) + if ($usercanvalidate) { print '
'.$langs->trans('Validate').'
'; @@ -3233,13 +3232,13 @@ else }*/ // Clone - if ($action != 'edit' && $user->rights->fournisseur->facture->creer) + if ($action != 'edit' && $usercancreate) { print '
socid.'">'.$langs->trans('ToClone').'
'; } // Create a credit note - if (($object->type == FactureFournisseur::TYPE_STANDARD || $object->type == FactureFournisseur::TYPE_DEPOSIT) && $object->statut > 0 && $user->rights->fournisseur->facture->creer) + if (($object->type == FactureFournisseur::TYPE_STANDARD || $object->type == FactureFournisseur::TYPE_DEPOSIT) && $object->statut > 0 && $usercancreate) { if (!$objectidnext) { @@ -3249,7 +3248,7 @@ else // Delete $isErasable = $object->is_erasable(); - if ($action != 'confirm_edit' && ($user->rights->fournisseur->facture->supprimer || ($user->rights->fournisseur->facture->creer && $isErasable == 1))) // isErasable = 1 means draft with temporary ref (draft can always be deleted with no need of permissions) + if ($action != 'confirm_edit' && ($user->rights->fournisseur->facture->supprimer || ($usercancreate && $isErasable == 1))) // isErasable = 1 means draft with temporary ref (draft can always be deleted with no need of permissions) { //var_dump($isErasable); if ($isErasable == -4) { @@ -3286,8 +3285,8 @@ else $subdir = get_exdir($object->id, 2, 0, 0, $object, 'invoice_supplier').$ref; $filedir = $conf->fournisseur->facture->dir_output.'/'.$subdir; $urlsource = $_SERVER['PHP_SELF'].'?id='.$object->id; - $genallowed = $user->rights->fournisseur->facture->lire; - $delallowed = $user->rights->fournisseur->facture->creer; + $genallowed = $usercanread; + $delallowed = $usercancreate; $modelpdf = (!empty($object->modelpdf) ? $object->modelpdf : (empty($conf->global->INVOICE_SUPPLIER_ADDON_PDF) ? '' : $conf->global->INVOICE_SUPPLIER_ADDON_PDF)); print $formfile->showdocuments('facture_fournisseur', $subdir, $filedir, $urlsource, $genallowed, $delallowed, $modelpdf, 1, 0, 0, 40, 0, '', '', '', $societe->default_lang); From 06556fe14c048901f02d0088b2cafd5dcf649464 Mon Sep 17 00:00:00 2001 From: "Sekan, Tobias" Date: Tue, 21 Apr 2020 12:25:44 +0200 Subject: [PATCH 2/2] indent + comments --- htdocs/fourn/facture/card.php | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/htdocs/fourn/facture/card.php b/htdocs/fourn/facture/card.php index c49d4c6e76b..828424b9f15 100644 --- a/htdocs/fourn/facture/card.php +++ b/htdocs/fourn/facture/card.php @@ -99,16 +99,20 @@ if (!empty($user->socid)) $socid = $user->socid; $isdraft = (($object->statut == FactureFournisseur::STATUS_DRAFT) ? 1 : 0); $result = restrictedArea($user, 'fournisseur', $id, 'facture_fourn', 'facture', 'fk_soc', 'rowid', $isdraft); -$usercanread = $user->rights->fournisseur->facture->lire; -$usercancreate = $user->rights->fournisseur->facture->creer; -$usercandelete = $user->rights->fournisseur->facture->supprimer; -$usercanvalidate = ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && !empty($usercancreate)) || (!empty($conf->global->MAIN_USE_ADVANCED_PERMS) && !empty($user->rights->fournisseur->supplier_invoice_advance->validate))); -$usercansend = (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || $user->rights->fournisseur->supplier_invoice_advance->send); +// Common permissions +$usercanread = $user->rights->fournisseur->facture->lire; +$usercancreate = $user->rights->fournisseur->facture->creer; +$usercandelete = $user->rights->fournisseur->facture->supprimer; -$permissionnote = $usercancreate; // Used by the include of actions_setnotes.inc.php -$permissiondellink = $usercancreate; // Used by the include of actions_dellink.inc.php -$permissiontoedit = $usercancreate; // Used by the include of actions_lineupdown.inc.php -$permissiontoadd = $usercancreate; // Used by the include of actions_addupdatedelete.inc.php and actions_lineupdown.inc.php +// Advanced permissions +$usercanvalidate = ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && !empty($usercancreate)) || (!empty($conf->global->MAIN_USE_ADVANCED_PERMS) && !empty($user->rights->fournisseur->supplier_invoice_advance->validate))); +$usercansend = (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || $user->rights->fournisseur->supplier_invoice_advance->send); + +// Permissions for includes +$permissionnote = $usercancreate; // Used by the include of actions_setnotes.inc.php +$permissiondellink = $usercancreate; // Used by the include of actions_dellink.inc.php +$permissiontoedit = $usercancreate; // Used by the include of actions_lineupdown.inc.php +$permissiontoadd = $usercancreate; // Used by the include of actions_addupdatedelete.inc.php and actions_lineupdown.inc.php /*