From aa4c5ae839ff60961e47fb463febfb9e26c24121 Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Thu, 14 Feb 2019 10:12:15 +0100
Subject: [PATCH 1/6] FIX missing access security checking with multicompany
---
 htdocs/core/lib/security.lib.php | 4 ++--
 htdocs/product/stock/card.php | 2 +-
 htdocs/product/stock/info.php | 2 +-
 htdocs/product/stock/mouvement.php | 6 +++---
 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index d12ee339909..65a4a5bdc93 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -451,12 +451,12 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh
 if ($feature == 'project') $feature='projet';
 if ($feature == 'task') $feature='projet_task';
- $check = array('adherent','banque','don','user','usergroup','product','produit','service','produit|service','categorie','resource'); // Test on entity only (Objects with no link to company)
+ $check = array('adherent','banque','don','user','usergroup','product','produit','service','produit|service','stock','categorie','resource'); // Test on entity only (Objects with no link to company)
 $checksoc = array('societe'); // Test for societe object
 $checkother = array('contact','agenda'); // Test on entity and link to third party. Allowed if link is empty (Ex: contacts...).
 $checkproject = array('projet','project'); // Test for project object
 $checktask = array('projet_task');
- $nocheck = array('barcode','stock'); // No test
+ $nocheck = array('barcode'); // No test
 $checkdefault = 'all other not already defined'; // Test on entity and link to third party. Not allowed if link is empty (Ex: invoice, orders...).
 // If dbtablename not defined, we use same name for table than module name
diff --git a/htdocs/product/stock/card.php b/htdocs/product/stock/card.php
index 41e70a6fbf9..01529d33f35 100644
--- a/htdocs/product/stock/card.php
+++ b/htdocs/product/stock/card.php
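Review bot: Moving 'stock' into `$check` only works because every caller passes `'entrepot&stock'` as `$tableandshare` (see the card.php, info.php and mouvement.php hunks of this patch); the fallback named on the last context line, using the feature name as the table name, would presumably look for a table called `stock`, which is not where a warehouse lives. That coupling is not written down anywhere in the hunk, so a caller that passes `'stock'` alone would fail the object check in an unobvious way. I would extend the comment on the `$check` line: `// 'stock' callers must pass 'entrepot&stock' as $tableandshare: warehouses live in the entrepot table`. Note that patch 3/6 in this series reverts this hunk; `checkUserAccessToObject` starts before the hunk and continues after it.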
@@ -52,7 +52,7 @@ if (! $sortorder) $sortorder="DESC";
 $backtopage=GETPOST('backtopage','alpha');
 // Security check
-$result=restrictedArea($user,'stock');
+$result=restrictedArea($user,'stock', $id, 'entrepot&stock');
 // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
 $hookmanager->initHooks(array('warehousecard','globalcard'));
diff --git a/htdocs/product/stock/info.php b/htdocs/product/stock/info.php
index 4653a56495d..c8897412e04 100644
--- a/htdocs/product/stock/info.php
+++ b/htdocs/product/stock/info.php
@@ -33,7 +33,7 @@ $id = GETPOST('id','int');
 $ref = GETPOST('ref','alpha');
 // Security check
-$result=restrictedArea($user,'stock');
+$result=restrictedArea($user,'stock', $id, 'entrepot&stock');
 /*
diff --git a/htdocs/product/stock/mouvement.php b/htdocs/product/stock/mouvement.php
index 410396a152b..21aa103fafb 100644
--- a/htdocs/product/stock/mouvement.php
+++ b/htdocs/product/stock/mouvement.php
@@ -46,9 +46,6 @@ if (! empty($conf->projet->enabled))
 $langs->loadLangs(array('products', 'stocks'));
 if (! empty($conf->productbatch->enabled)) $langs->load("productbatch");
-// Security check
-$result=restrictedArea($user,'stock');
-
 $id=GETPOST('id','int');
 $ref = GETPOST('ref','alpha');
 $msid=GETPOST('msid','int');
@@ -57,6 +54,9 @@ $action=GETPOST('action','aZ09');
 $cancel=GETPOST('cancel','alpha');
 $contextpage=GETPOST('contextpage','aZ')?GETPOST('contextpage','aZ'):'movementlist';
+// Security check
+$result=restrictedArea($user,'stock', $id, 'entrepot&stock');
+
 $idproduct = GETPOST('idproduct','int');
 $year = GETPOST("year");
 $month = GETPOST("month");
From 359318392fdcace0fc4ef6b6f589b12e0a0e9448 Mon Sep 17 00:00:00 2001
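Review bot: Passing `$id` to restrictedArea() presumably engages the per-object entity check only when `$id` is non-zero; card.php and info.php also read `$ref = GETPOST('ref','alpha')` (visible in the info.php hunk), so a request that identifies the warehouse by `ref` instead of `id` reaches the page with only the permission test done. The same applies to the info.php and mouvement.php hunks that share this anchor. If the fetch-by-ref path does not itself filter on entity, the multicompany gap this patch targets stays open for that path; a comment such as `// Object check applies only when id is given; the ref path relies on the entity filter of the fetch` would at least make the assumption explicit. Whether `$id` is assigned before line 55 of card.php is not visible in this hunk; in info.php it is (`$id = GETPOST('id','int')` in the hunk header).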
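Review bot: In mouvement.php the security check is moved from before the GETPOST block to after `$contextpage` so that `$id` is defined when it is passed, which is the right order; but the lines between the two hunks (old 54–56) are not shown, so confirm nothing that touches the database runs in that gap before restrictedArea() is reached. On a list page (`'movementlist'` is the default context) `id` is likely absent, so with `$id` empty this call is a permission-only check as before; a one-line comment at the new location, `// Security check (after GETPOST so $id is known; no object check when listing all movements)`, would document both points. The two hunks belong to the page's top-level statement run, which starts before the first hunk.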
From: Regis Houssin
Date: Thu, 14 Feb 2019 10:47:07 +0100
Subject: [PATCH 2/6] FIX missing entity filter in function "build_filterField()" (export)
---
 htdocs/core/modules/modAdherent.class.php | 2 +-
 htdocs/core/modules/modCommande.class.php | 2 +-
 htdocs/core/modules/modProjet.class.php | 6 +++---
 htdocs/core/modules/modSociete.class.php | 2 +-
 htdocs/core/modules/modStock.class.php | 18 +++++++++--------
 htdocs/exports/class/export.class.php | 7 ++++++-
 6 files changed, 21 insertions(+), 16 deletions(-)
diff --git a/htdocs/core/modules/modAdherent.class.php b/htdocs/core/modules/modAdherent.class.php
index c425ce9bd5d..3acd162bb03 100644
--- a/htdocs/core/modules/modAdherent.class.php
+++ b/htdocs/core/modules/modAdherent.class.php
@@ -279,7 +279,7 @@ class modAdherent extends DolibarrModules
 'a.civility'=>"Text",'a.lastname'=>"Text",'a.firstname'=>"Text",'a.login'=>"Text",'a.morphy'=>'Text','a.societe'=>'Text','a.address'=>"Text",
 'a.zip'=>"Text",'a.town'=>"Text",'d.nom'=>"Text",'co.code'=>'Text','co.label'=>"Text",'a.phone'=>"Text",'a.phone_perso'=>"Text",'a.phone_mobile'=>"Text",
 'a.email'=>"Text",'a.birth'=>"Date",'a.statut'=>"Status",'a.note_public'=>"Text",'a.note_private'=>"Text",'a.datec'=>'Date','a.datevalid'=>'Date',
- 'a.tms'=>'Date','a.datefin'=>'Date','ta.rowid'=>'List:adherent_type:libelle','ta.libelle'=>'Text','c.rowid'=>'Numeric','c.dateadh'=>'Date','c.subscription'=>'Numeric'
+ 'a.tms'=>'Date','a.datefin'=>'Date','ta.rowid'=>'List:adherent_type:libelle::member_type','ta.libelle'=>'Text','c.rowid'=>'Numeric','c.dateadh'=>'Date','c.subscription'=>'Numeric'
 );
 $this->export_entities_array[$r]=array(
 'a.rowid'=>'member','a.civility'=>"member",'a.lastname'=>"member",'a.firstname'=>"member",'a.login'=>"member",'a.morphy'=>'member',
diff --git a/htdocs/core/modules/modCommande.class.php b/htdocs/core/modules/modCommande.class.php
index 5285e0734e2..b366fc1c6b2 100644
--- a/htdocs/core/modules/modCommande.class.php
+++ b/htdocs/core/modules/modCommande.class.php
@@ -223,7 +223,7 @@ class modCommande extends DolibarrModules
 'c.date_commande'=>"Date",'c.date_livraison'=>"Date",'c.amount_ht'=>"Numeric",'c.remise_percent'=>"Numeric",'c.total_ht'=>"Numeric",
 'c.total_ttc'=>"Numeric",'c.facture'=>"Boolean",'c.fk_statut'=>'Status','c.note_public'=>"Text",'c.date_livraison'=>'Date','pj.ref'=>'Text',
 'cd.description'=>"Text",'cd.product_type'=>'Boolean','cd.tva_tx'=>"Numeric",'cd.qty'=>"Numeric",'cd.total_ht'=>"Numeric",'cd.total_tva'=>"Numeric",
- 'cd.total_ttc'=>"Numeric",'p.rowid'=>'List:product:ref','p.ref'=>'Text','p.label'=>'Text','d.nom'=>'Text'
+ 'cd.total_ttc'=>"Numeric",'p.rowid'=>'List:product:ref::product','p.ref'=>'Text','p.label'=>'Text','d.nom'=>'Text'
 );
 $this->export_entities_array[$r]=array(
 's.rowid'=>"company",'s.nom'=>'company','s.address'=>'company','s.zip'=>'company','s.town'=>'company','d.nom'=>'company','co.label'=>'company',
diff --git a/htdocs/core/modules/modProjet.class.php b/htdocs/core/modules/modProjet.class.php
index 8757909d1d5..220827843a9 100644
--- a/htdocs/core/modules/modProjet.class.php
+++ b/htdocs/core/modules/modProjet.class.php
@@ -216,9 +216,9 @@ class modProjet extends DolibarrModules
 $this->export_permission[$r]=array(array("projet","export"));
 $this->export_dependencies_array[$r]=array('projecttask'=>'pt.rowid', 'task_time'=>'ptt.rowid');
- $this->export_TypeFields_array[$r]=array('s.rowid'=>"List:societe:nom",'s.nom'=>'Text','s.address'=>'Text','s.zip'=>'Text','s.town'=>'Text','s.fk_pays'=>'List:c_country:label',
+ $this->export_TypeFields_array[$r]=array('s.rowid'=>"List:societe:nom::thirdparty",'s.nom'=>'Text','s.address'=>'Text','s.zip'=>'Text','s.town'=>'Text','s.fk_pays'=>'List:c_country:label',
 's.phone'=>'Text','s.email'=>'Text','s.siren'=>'Text','s.siret'=>'Text','s.ape'=>'Text','s.idprof4'=>'Text','s.code_compta'=>'Text','s.code_compta_fournisseur'=>'Text',
- 'p.rowid'=>"List:projet:ref",'p.ref'=>"Text",'p.title'=>"Text",'p.datec'=>"Date",'p.dateo'=>"Date",'p.datee'=>"Date",'p.fk_statut'=>'Status','cls.code'=>"Text",'p.opp_percent'=>'Numeric','p.opp_amount'=>'Numeric','p.description'=>"Text",'p.entity'=>'Numeric',
+ 'p.rowid'=>"List:projet:ref::project",'p.ref'=>"Text",'p.title'=>"Text",'p.datec'=>"Date",'p.dateo'=>"Date",'p.datee'=>"Date",'p.fk_statut'=>'Status','cls.code'=>"Text",'p.opp_percent'=>'Numeric','p.opp_amount'=>'Numeric','p.description'=>"Text",'p.entity'=>'Numeric',
 'pt.rowid'=>'Text','pt.label'=>'Text','pt.dateo'=>"Date",'pt.datee'=>"Date",'pt.duration_effective'=>"Duree",'pt.planned_workload'=>"Numeric",'pt.progress'=>"Numeric",'pt.description'=>"Text",
 'ptt.rowid'=>'Numeric','ptt.task_date'=>'Date','ptt.task_duration'=>"Duree",'ptt.fk_user'=>"List:user:CONCAT(lastname,' ',firstname)",'ptt.note'=>"Text");
 $this->export_entities_array[$r]=array('s.rowid'=>"company",'s.nom'=>'company','s.address'=>'company','s.zip'=>'company','s.town'=>'company','s.fk_pays'=>'company',
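Review bot: `'ptt.fk_user'=>"List:user:CONCAT(lastname,' ',firstname)"`, two context lines below the last changed line, keeps the old four-part form, so the user filter list built for this export is still not entity-filtered while `s.rowid` and `p.rowid` on the changed lines now are. If the user table is entity-scoped in this installation and `user` is an element that getEntity() accepts, the same suffix fixes it: `'ptt.fk_user'=>"List:user:CONCAT(lastname,' ',firstname)::user"`. The export definition array begins before the hunk and is closed on its last context line.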
@@ -359,7 +359,7 @@ class modProjet extends DolibarrModules
 $sql[] ="INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity) VALUES('beluga','project',".$conf->entity.")";
 $sql[] ="DELETE FROM ".MAIN_DB_PREFIX."document_model WHERE nom = 'baleine' AND type = 'project' AND entity = ".$conf->entity;
 $sql[] ="INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity) VALUES('baleine','project',".$conf->entity.")";
-
+
 return $this->_init($sql,$options);
 }
diff --git a/htdocs/core/modules/modSociete.class.php b/htdocs/core/modules/modSociete.class.php
index 34f4dca8510..b41326a8e1d 100644
--- a/htdocs/core/modules/modSociete.class.php
+++ b/htdocs/core/modules/modSociete.class.php
@@ -336,7 +336,7 @@ class modSociete extends DolibarrModules
 $this->export_TypeFields_array[$r]=array(
 'c.civility'=>"List:c_civility:label:code",'c.lastname'=>'Text','c.firstname'=>'Text','c.poste'=>'Text','c.datec'=>"Date",'c.priv'=>"Boolean",
 'c.address'=>"Text",'c.zip'=>"Text",'c.town'=>"Text",'d.nom'=>'Text','co.label'=>"List:c_country:label:rowid",'co.code'=>"Text",'c.phone'=>"Text",
- 'c.fax'=>"Text",'c.email'=>"Text",'s.rowid'=>"List:societe:nom",'s.nom'=>"Text",'s.status'=>"Status",'s.code_client'=>"Text",'s.code_fournisseur'=>"Text",
+ 'c.fax'=>"Text",'c.email'=>"Text",'s.rowid'=>"List:societe:nom::thirdparty",'s.nom'=>"Text",'s.status'=>"Status",'s.code_client'=>"Text",'s.code_fournisseur'=>"Text",
 's.client'=>"Text",'s.fournisseur'=>"Text"
 );
 $this->export_entities_array[$r]=array(
diff --git a/htdocs/core/modules/modStock.class.php b/htdocs/core/modules/modStock.class.php
index ff767dd3658..8f884c46646 100644
--- a/htdocs/core/modules/modStock.class.php
+++ b/htdocs/core/modules/modStock.class.php
@@ -72,9 +72,9 @@ class modStock extends DolibarrModules
 // Constants
 $this->const = array();
 $r=0;
-
+
 $this->const[$r] = array('STOCK_ALLOW_NEGATIVE_TRANSFER','chaine','1','',1);
-
+
 $r++;
 $this->const[$r][0] = "STOCK_ADDON_PDF";
 $this->const[$r][1] = "chaine";
@@ -197,7 +197,7 @@ class modStock extends DolibarrModules
 'p.tms'=>'DateModification','p.pmp'=>'PMPValue','p.cost_price'=>'CostPrice'
 );
 $this->export_TypeFields_array[$r]=array(
- 'e.rowid'=>'List:entrepot:ref','e.ref'=>'Text','e.lieu'=>'Text','e.address'=>'Text','e.zip'=>'Text','e.town'=>'Text','p.rowid'=>"List:product:label",
+ 'e.rowid'=>'List:entrepot:ref::stock','e.ref'=>'Text','e.lieu'=>'Text','e.address'=>'Text','e.zip'=>'Text','e.town'=>'Text','p.rowid'=>"List:product:label::product",
 'p.ref'=>"Text",'p.fk_product_type'=>"Text",'p.label'=>"Text",'p.description'=>"Text",'p.note'=>"Text",'p.price'=>"Numeric",'p.tva_tx'=>'Numeric',
 'p.tosell'=>"Boolean",'p.tobuy'=>"Boolean",'p.duration'=>"Duree",'p.datec'=>'Date','p.tms'=>'Date','p.pmp'=>'Numeric','p.cost_price'=>'Numeric',
 'ps.reel'=>'Numeric'
@@ -236,8 +236,8 @@ class modStock extends DolibarrModules
 'p.tms'=>'DateModification','pb.rowid'=>'Id','pb.batch'=>'Batch','pb.qty'=>'Qty','pl.eatby'=>'EatByDate','pl.sellby'=>'SellByDate'
 );
 $this->export_TypeFields_array[$r]=array(
- 'e.rowid'=>'List:entrepot:ref','e.ref'=>'Text','e.lieu'=>'Text','e.description'=>'Text','e.address'=>'Text','e.zip'=>'Text','e.town'=>'Text',
- 'p.rowid'=>"List:product:label",'p.ref'=>"Text",'p.fk_product_type'=>"Text",'p.label'=>"Text",'p.description'=>"Text",'p.note'=>"Text",
+ 'e.rowid'=>'List:entrepot:ref::stock','e.ref'=>'Text','e.lieu'=>'Text','e.description'=>'Text','e.address'=>'Text','e.zip'=>'Text','e.town'=>'Text',
+ 'p.rowid'=>"List:product:label::product",'p.ref'=>"Text",'p.fk_product_type'=>"Text",'p.label'=>"Text",'p.description'=>"Text",'p.note'=>"Text",
 'p.price'=>"Numeric",'p.tva_tx'=>'Numeric','p.tosell'=>"Boolean",'p.tobuy'=>"Boolean",'p.duration'=>"Duree",'p.datec'=>'Date','p.tms'=>'Date',
 'pb.batch'=>'Text','pb.qty'=>'Numeric','pl.eatby'=>'Date','pl.sellby'=>'Date'
 );
@@ -274,8 +274,8 @@ class modStock extends DolibarrModules
 'sm.inventorycode'=>'InventoryCode'
 );
 $this->export_TypeFields_array[$r]=array(
- 'e.rowid'=>'List:entrepot:ref','e.ref'=>'Text','e.description'=>'Text','e.lieu'=>'Text','e.address'=>'Text','e.zip'=>'Text','e.town'=>'Text',
- 'p.rowid'=>"List:product:label",'p.ref'=>"Text",'p.fk_product_type'=>"Text",'p.label'=>"Text",'p.description'=>"Text",'p.note'=>"Text",
+ 'e.rowid'=>'List:entrepot:ref::stock','e.ref'=>'Text','e.description'=>'Text','e.lieu'=>'Text','e.address'=>'Text','e.zip'=>'Text','e.town'=>'Text',
+ 'p.rowid'=>"List:product:label::product",'p.ref'=>"Text",'p.fk_product_type'=>"Text",'p.label'=>"Text",'p.description'=>"Text",'p.note'=>"Text",
 'p.price'=>"Numeric",'p.tva_tx'=>'Numeric','p.tosell'=>"Boolean",'p.tobuy'=>"Boolean",'p.duration'=>"Duree",'p.datec'=>'Date','p.tms'=>'Date',
 'sm.rowid'=>'Numeric','sm.value'=>'Numeric','sm.datem'=>'Date','sm.batch'=>'Text','sm.label'=>'Text','sm.inventorycode'=>'Text'
 );
@@ -347,8 +347,8 @@ class modStock extends DolibarrModules
 );
 }
-
-
+
+
 /**
 * Function called when module is enabled.
 * The init function add constants, boxes, permissions and menus (defined in constructor) into Dolibarr database.
diff --git a/htdocs/exports/class/export.class.php b/htdocs/exports/class/export.class.php
index 050318944d6..02abe88600a 100644
--- a/htdocs/exports/class/export.class.php
+++ b/htdocs/exports/class/export.class.php
@@ -411,7 +411,9 @@ class Export
 // 1 : Nom de la table
 // 2 : Nom du champ contenant le libelle
 // 3 : Name of field with key (if it is not "rowid"). Used this field as key for combo list.
- if (count($InfoFieldList)==4)
+ // 4 : Name of element for getEntity().
+
+ if (! empty($InfoFieldList[3]))
 $keyList=$InfoFieldList[3];
 else
 $keyList='rowid';
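Review bot: The new `// 4 : Name of element for getEntity().` comment in the export.class.php hunk does not say what the element is used for nor what it requires of the table, and the blank line added right after it detaches the comment block from the `if` it describes. I would write `// 4 : Name of element passed to getEntity(); when set, the table in 1 must have an entity column (a WHERE entity IN (...) clause is appended)`. Switching from `count($InfoFieldList)==4` to `! empty($InfoFieldList[3])` also changes behaviour for a four-part spec whose fourth part is empty, which now falls back to `rowid` instead of an empty key; that is an improvement worth a word in the commit message. `build_filterField()` starts before this hunk and continues after it.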
@@ -419,6 +421,9 @@ class Export
 if ($InfoFieldList[1] == 'c_stcomm') $sql = 'SELECT id as id, '.$keyList.' as rowid, '.$InfoFieldList[2].' as label'.(empty($InfoFieldList[3])?'':', '.$InfoFieldList[3].' as code');
 if ($InfoFieldList[1] == 'c_country') $sql = 'SELECT '.$keyList.' as rowid, '.$InfoFieldList[2].' as label, code as code';
 $sql.= ' FROM '.MAIN_DB_PREFIX .$InfoFieldList[1];
+ if (! empty($InfoFieldList[4])) {
+ $sql.= ' WHERE entity IN ('.getEntity($InfoFieldList[4]).')';
+ }
 $resql = $this->db->query($sql);
 if ($resql)
From d2ee00d4bb70d1682a5fe9098bf2247448c3e2d4 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 14 Feb 2019 15:21:01 +0100
Subject: [PATCH 3/6] Update security.lib.php
Avoid regression on test of restrictArea
---
 htdocs/core/lib/security.lib.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 65a4a5bdc93..d12ee339909 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
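Review bot: The appended `WHERE entity IN (...)` assumes the table named in `$InfoFieldList[1]` has an `entity` column; the two dictionary cases handled just above (`c_stcomm`, `c_country`) are the obvious tables that may not, and if one of them is ever given a fifth element the query fails and `$resql` is false, whose handling lies below the hunk. A comment at the `if` would make the contract explicit, e.g. `// Only for entity-scoped tables; dictionary (c_*) specs must not set element 4`. The `$InfoFieldList` parts are still concatenated into SQL unquoted; they appear to come from the module definitions (see the mod*.class.php hunks of this patch) rather than from the request, which is worth stating in a comment since this function is the place where that assumption matters. The enclosing function starts before and continues after the hunk.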
@@ -451,12 +451,12 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh
 if ($feature == 'project') $feature='projet';
 if ($feature == 'task') $feature='projet_task';
- $check = array('adherent','banque','don','user','usergroup','product','produit','service','produit|service','stock','categorie','resource'); // Test on entity only (Objects with no link to company)
+ $check = array('adherent','banque','don','user','usergroup','product','produit','service','produit|service','categorie','resource'); // Test on entity only (Objects with no link to company)
 $checksoc = array('societe'); // Test for societe object
 $checkother = array('contact','agenda'); // Test on entity and link to third party. Allowed if link is empty (Ex: contacts...).
 $checkproject = array('projet','project'); // Test for project object
 $checktask = array('projet_task');
- $nocheck = array('barcode'); // No test
+ $nocheck = array('barcode','stock'); // No test
 $checkdefault = 'all other not already defined'; // Test on entity and link to third party. Not allowed if link is empty (Ex: invoice, orders...).
 // If dbtablename not defined, we use same name for table than module name
From 173d28cf5aeaeb74e9feecebfa5a0523f34c33bb Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 14 Feb 2019 15:22:22 +0100
Subject: [PATCH 4/6] Update mouvement.php
Avoid regression on restrictArea
---
 htdocs/product/stock/mouvement.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/htdocs/product/stock/mouvement.php b/htdocs/product/stock/mouvement.php
index 21aa103fafb..331d39efccb 100644
--- a/htdocs/product/stock/mouvement.php
+++ b/htdocs/product/stock/mouvement.php
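Review bot: This hunk puts 'stock' back into `$nocheck`, so after the series `checkUserAccessToObject` applies no entity check to warehouse objects at all; the regression mentioned in the commit message is not described, and nothing in the code records why stock is exempt. I would extend the comment on the `$nocheck` line, for instance `// No test; 'stock' excluded because the warehouse pages call restrictedArea() without an object id (see product/stock/*.php)`, so the next person does not reintroduce the 1/6 change blind. The enclosing function starts before and continues after the hunk.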
@@ -55,7 +55,8 @@ $cancel=GETPOST('cancel','alpha');
 $contextpage=GETPOST('contextpage','aZ')?GETPOST('contextpage','aZ'):'movementlist';
 // Security check
-$result=restrictedArea($user,'stock', $id, 'entrepot&stock');
+//$result=restrictedArea($user,'stock', $id, 'entrepot&stock');
+$result=restrictedArea($user,'stock');
 $idproduct = GETPOST('idproduct','int');
 $year = GETPOST("year");
From 4ac086ab70acb8813f9c1dfb2f4530898e54dc16 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 14 Feb 2019 15:23:07 +0100
Subject: [PATCH 5/6] Update info.php
---
 htdocs/product/stock/info.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/htdocs/product/stock/info.php b/htdocs/product/stock/info.php
index c8897412e04..77e06d76eb1 100644
--- a/htdocs/product/stock/info.php
+++ b/htdocs/product/stock/info.php
@@ -33,7 +33,8 @@ $id = GETPOST('id','int');
 $ref = GETPOST('ref','alpha');
 // Security check
-$result=restrictedArea($user,'stock', $id, 'entrepot&stock');
+//$result=restrictedArea($user,'stock', $id, 'entrepot&stock');
+$result=restrictedArea($user,'stock');
 /*
From 2c2052d11310e49205bfa9d3f78080612441cc6b Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 14 Feb 2019 15:23:34 +0100
Subject: [PATCH 6/6] Update card.php
Avoid regression on restrictArea
---
 htdocs/product/stock/card.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/htdocs/product/stock/card.php b/htdocs/product/stock/card.php
index 01529d33f35..5dca091c56b 100644
--- a/htdocs/product/stock/card.php
+++ b/htdocs/product/stock/card.php
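Review bot: The old call is left behind as commented-out code (`//$result=restrictedArea($user,'stock', $id, 'entrepot&stock');`), which documents neither what the regression was nor what the page now relies on; the same pattern appears in the info.php hunk on this line and in the card.php hunk of patch 6/6. With the permission-only form `$id` is no longer checked against the caller's entity here, so the warehouse fetch further down the page (outside the hunk) is presumably what enforces it — confirm that. I would replace the commented-out line with `// Permission check only: the entity check of the warehouse is left to the fetch below (checkUserAccessToObject keeps 'stock' in $nocheck)`. The page's top-level statement run starts before the hunk and continues after it.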
@@ -52,7 +52,8 @@ if (! $sortorder) $sortorder="DESC";
 $backtopage=GETPOST('backtopage','alpha');
 // Security check
-$result=restrictedArea($user,'stock', $id, 'entrepot&stock');
+//$result=restrictedArea($user,'stock', $id, 'entrepot&stock');
+$result=restrictedArea($user,'stock');
 // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
 $hookmanager->initHooks(array('warehousecard','globalcard'));