Fix transversal URL #yogosha4513
This commit is contained in:
parent
801712b423
commit
c94b3f6584
@ -42,6 +42,8 @@ $ref = GETPOST('ref', 'alpha');
|
||||
$action = GETPOST('action', 'aZ09');
|
||||
$confirm = GETPOST('confirm', 'alpha');
|
||||
|
||||
$childids = $user->getAllChildIds(1);
|
||||
|
||||
// Security check
|
||||
if ($user->socid) $socid = $user->socid;
|
||||
$result = restrictedArea($user, 'expensereport', $id, 'expensereport');
|
||||
@ -61,7 +63,10 @@ if (!$sortfield) $sortfield = "position_name";
|
||||
|
||||
|
||||
$object = new ExpenseReport($db);
|
||||
$object->fetch($id, $ref);
|
||||
if (!$object->fetch($id, $ref) > 0)
|
||||
{
|
||||
dol_print_error($db);
|
||||
}
|
||||
|
||||
$upload_dir = $conf->expensereport->dir_output.'/'.dol_sanitizeFileName($object->ref);
|
||||
$modulepart = 'trip';
|
||||
@ -69,6 +74,18 @@ $modulepart = 'trip';
|
||||
// Load object
|
||||
//include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be include, not include_once // Must be include, not include_once. Include fetch and fetch_thirdparty but not fetch_optionals
|
||||
|
||||
if ($object->id > 0)
|
||||
{
|
||||
// Check current user can read this expense report
|
||||
$canread = 0;
|
||||
if (!empty($user->rights->expensereport->readall)) $canread = 1;
|
||||
if (!empty($user->rights->expensereport->lire) && in_array($object->fk_user_author, $childids)) $canread = 1;
|
||||
if (!$canread)
|
||||
{
|
||||
accessforbidden();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Actions
|
||||
|
||||
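Review bot: The new read check in the third hunk is only reached when `$object->id > 0`, and the fetch block above it does not stop the request when the report is not loaded: `dol_print_error($db)` prints and returns, so the page continues with an empty `$object` and `$upload_dir` becomes `$conf->expensereport->dir_output.'/'` (the module's output root, since `dol_sanitizeFileName('')` is empty) — whatever follows in the View section then works on that directory. The condition `!$object->fetch($id, $ref) > 0` also parses as `(!fetch()) > 0`, so a negative (error) return from `fetch()` is treated as success. I would fail closed: `if ($object->fetch($id, $ref) <= 0) { dol_print_error($db); exit; }` and give the permission block an `else { accessforbidden(); }` so an unresolved `id`/`ref` can never fall through. Both the fetch block and the check sit before the Actions section, which continues outside the hunk.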
@ -31,11 +31,33 @@ require_once DOL_DOCUMENT_ROOT.'/expensereport/class/expensereport.class.php';
|
||||
// Load translation files required by the page
|
||||
$langs->load("trips");
|
||||
|
||||
// Security check
|
||||
$id = GETPOST('id', 'int');
|
||||
$ref = GETPOST('ref', 'alpha');
|
||||
|
||||
$childids = $user->getAllChildIds(1);
|
||||
|
||||
// Security check
|
||||
if ($user->socid) $socid = $user->socid;
|
||||
$result = restrictedArea($user, 'expensereport', $id, 'expensereport');
|
||||
|
||||
$object = new ExpenseReport($db);
|
||||
if (!$object->fetch($id, $ref) > 0)
|
||||
{
|
||||
dol_print_error($db);
|
||||
}
|
||||
|
||||
if ($object->id > 0)
|
||||
{
|
||||
// Check current user can read this expense report
|
||||
$canread = 0;
|
||||
if (!empty($user->rights->expensereport->readall)) $canread = 1;
|
||||
if (!empty($user->rights->expensereport->lire) && in_array($object->fk_user_author, $childids)) $canread = 1;
|
||||
if (!$canread)
|
||||
{
|
||||
accessforbidden();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* View
|
||||
|
||||
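Review bot: `in_array($object->fk_user_author, $childids)` in the new permission block uses loose comparison, and `fk_user_author` comes straight from the DB row, so it may be a string or empty rather than an int. Under PHP 7 `'' == 0` and `null == 0` are true, so a report without an author would be readable by anyone whose `getAllChildIds(1)` list happened to contain `0` (I cannot see from here whether it ever can). Since this is the one line deciding access for the `lire`-only case, make it explicit: `if (!empty($user->rights->expensereport->lire) && $object->fk_user_author > 0 && in_array((int) $object->fk_user_author, $childids, true)) $canread = 1;`. The same note applies to the other two files in this commit.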
@ -37,6 +37,8 @@ $ref = GETPOST('ref', 'alpha');
|
||||
$socid = GETPOST('socid', 'int');
|
||||
$action = GETPOST('action', 'aZ09');
|
||||
|
||||
$childids = $user->getAllChildIds(1);
|
||||
|
||||
// Security check
|
||||
$socid = 0;
|
||||
if ($user->socid) $socid = $user->socid;
|
||||
@ -51,6 +53,18 @@ if (!$object->fetch($id, $ref) > 0)
|
||||
|
||||
$permissionnote = $user->rights->expensereport->creer; // Used by the include of actions_setnotes.inc.php
|
||||
|
||||
if ($object->id > 0)
|
||||
{
|
||||
// Check current user can read this expense report
|
||||
$canread = 0;
|
||||
if (!empty($user->rights->expensereport->readall)) $canread = 1;
|
||||
if (!empty($user->rights->expensereport->lire) && in_array($object->fk_user_author, $childids)) $canread = 1;
|
||||
if (!$canread)
|
||||
{
|
||||
accessforbidden();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Actions
|
||||
|
||||
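Review bot: This is the third verbatim copy of the same twelve-line read-permission block in one commit (the two earlier sections carry it too), each with its own `$childids = $user->getAllChildIds(1);` preamble; the next change to who may read an expense report has to be made in three places and one will be missed. I would put the rule on the object once, e.g. `public function userCanRead(User $user, array $childids): bool` on `ExpenseReport` returning the `readall` / `lire`-and-author-in-hierarchy decision, and reduce each page to `if ($object->id > 0 && !$object->userCanRead($user, $childids)) accessforbidden();`. Note also that `$permissionnote` is assigned from `creer` before the check runs; that is harmless only because `accessforbidden()` exits, so keep the check ahead of the `actions_setnotes.inc.php` include that the comment refers to (it is outside this hunk).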