From cee5d7873b82ea3504d4bfa68bc188610f8864ea Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Thu, 4 Feb 2010 10:40:18 +0000
Subject: [PATCH] Works on enhancement of project tasks Fix: security check

---
 htdocs/projet/contact.php | 21 +-------------------
 htdocs/projet/element.php | 3 +++
 htdocs/projet/fiche.php | 21 +-------------------
 htdocs/projet/note.php | 24 ++--------------------
 htdocs/projet/project.class.php | 35 +++++++++++++++++++++++++++++++++
 htdocs/projet/tasks/fiche.php | 21 +-------------------
 6 files changed, 43 insertions(+), 82 deletions(-)

diff --git a/htdocs/projet/contact.php b/htdocs/projet/contact.php
index e34769b1602..95ed37e6ad0 100644
--- a/htdocs/projet/contact.php
+++ b/htdocs/projet/contact.php
@@ -176,26 +176,7 @@ if ($id > 0 || ! empty($ref))
 if ($project->societe->id > 0) $result=$project->societe->fetch($project->societe->id);
 // To verify role of users
- $userAccess = 0;
- if (!empty($project->user_author_id) && $project->user_author_id == $user->id) $userAccess=1;
- else
- {
- foreach(array('internal','external') as $source)
- {
- $userRole = $project->liste_contact(4,$source);
- $num=sizeof($userRole);
- $i = 0;
- while ($i < $num)
- {
- if ($userRole[$i]['code'] == 'PROJECTLEADER' && $user->id == $userRole[$i]['id'])
- {
- $userAccess++;
- }
- $i++;
- }
- }
- }
+ $userAccess = $project->restrictedProjectArea($user);
 $head = project_prepare_head($project);
 dol_fiche_head($head, 'contact', $langs->trans("Project"), 0, 'project');
diff --git a/htdocs/projet/element.php b/htdocs/projet/element.php
index a387c694e63..8f1c919c3f1 100644
--- a/htdocs/projet/element.php
+++ b/htdocs/projet/element.php
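Review bot: The new `$userAccess = $project->restrictedProjectArea($user);` sits in the display branch under `if ($id > 0 || ! empty($ref))`, so it only protects rendering of contact.php; the page's action handling (adding or removing a project contact) lives above line 176, outside this hunk, and if it does not run the same check a user can still POST an action against a private project they neither authored nor lead. The enclosing `if` starts before the hunk, so I cannot tell from here whether the action section is guarded. I would either move the fetch plus `restrictedProjectArea()` ahead of the action section or repeat the call there, and add above the call `// Exits via accessforbidden() for a private project unless $user is author or PROJECTLEADER`. Unrelated to this commit, `$result` from `societe->fetch()` on the first context line is never examined.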
@@ -69,6 +69,9 @@ $project = new Project($db);
 $project->fetch($_GET["id"],$_GET["ref"]);
 $project->societe->fetch($project->societe->id);
+// To verify role of users
+$userAccess = $project->restrictedProjectArea($user);
+
 $head=project_prepare_head($project);
 dol_fiche_head($head, 'element', $langs->trans("Project"),0,'project');
diff --git a/htdocs/projet/fiche.php b/htdocs/projet/fiche.php
index 2bd323cb298..de4a26f8f51 100644
--- a/htdocs/projet/fiche.php
+++ b/htdocs/projet/fiche.php
@@ -316,26 +316,7 @@ else
 if ($project->societe->id > 0) $result=$project->societe->fetch($project->societe->id);
 // To verify role of users
- $userAccess = 0;
- if (!empty($project->user_author_id) && $project->user_author_id == $user->id) $userAccess=1;
- else
- {
- foreach(array('internal','external') as $source)
- {
- $userRole = $project->liste_contact(4,$source);
- $num=sizeof($userRole);
-
- $i = 0;
- while ($i < $num)
- {
- if ($userRole[$i]['code'] == 'PROJECTLEADER' && $user->id == $userRole[$i]['id'])
- {
- $userAccess++;
- }
- $i++;
- }
- }
- }
+ $userAccess = $project->restrictedProjectArea($user);
 $head=project_prepare_head($project);
 dol_fiche_head($head, 'project', $langs->trans("Project"),0,'project');
diff --git a/htdocs/projet/note.php b/htdocs/projet/note.php
index cefc733f78d..4dbf90d2bdc 100644
--- a/htdocs/projet/note.php
+++ b/htdocs/projet/note.php
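Review bot: The fetch on the line just above the added check, `$project->fetch($_GET["id"],$_GET["ref"])`, passes the raw superglobals and ignores its return value, so a missing or malformed id reaches `restrictedProjectArea()` on an unpopulated object; that most likely fails closed (an unset `public` and no author match trip `accessforbidden()`), but it reports not-found as forbidden and differs from the other pages in this patch, which only run the check inside `if ($project->fetch($id, $ref))`. Whether the unguarded fetch predates this commit cannot be seen from the hunk, but the new call is what makes its result matter for authorization. If `fetch()` follows the usual greater-than-zero-on-success convention, I would write `$result = $project->fetch((int) $_GET["id"], $_GET["ref"]);` and wrap the check and `project_prepare_head()` in `if ($result > 0)`.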
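Review bot: After this replacement `$userAccess` in fiche.php no longer means what its name suggests and nothing at the call site says so: for a public project `restrictedProjectArea()` returns 0 without forbidding, so a later `$userAccess == 0` means "viewer of a public project", not "no access", while for a private project the method has already terminated the request. A one-line comment at the call would stop the next reader from adding a redundant `if (!$userAccess) accessforbidden();` or treating 0 as read-denied; e.g. `// Terminates the request (accessforbidden) for a private project unless $user is author or PROJECTLEADER; returns 0 for a mere viewer of a public project`. The `else` branch this hunk belongs to begins before line 316, and the later code that presumably consumes `$userAccess` is outside the view.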
@@ -100,33 +100,13 @@ if ($id > 0 || ! empty($ref))
 $now=gmmktime();
 $project = new Project($db);
- $userstatic = new User($db);
 if ($project->fetch($id, $ref))
 {
 if ($project->societe->id > 0) $result=$project->societe->fetch($project->societe->id);
-
+
 // To verify role of users
- $userAccess = 0;
- if (!empty($project->user_author_id) && $project->user_author_id == $user->id) $userAccess=1;
- else
- {
- foreach(array('internal','external') as $source)
- {
- $userRole = $project->liste_contact(4,$source);
- $num=sizeof($userRole);
-
- $i = 0;
- while ($i < $num)
- {
- if ($userRole[$i]['code'] == 'PROJECTLEADER' && $user->id == $userRole[$i]['id'])
- {
- $userAccess++;
- }
- $i++;
- }
- }
- }
+ $userAccess = $project->restrictedProjectArea($user);
 $head = project_prepare_head($project);
 dol_fiche_head($head, 'note', $langs->trans('Project'), 0, 'project');
diff --git a/htdocs/projet/project.class.php b/htdocs/projet/project.class.php
index 90788e72702..76d7e12fb86 100644
--- a/htdocs/projet/project.class.php
+++ b/htdocs/projet/project.class.php
@@ -604,6 +604,41 @@ class Project extends CommonObject
 $xnbp++;
 }
 }
+
+ /**
+ * \brief Check permissions
+ */
+ function restrictedProjectArea($user)
+ {
+ // To verify role of users
+ $userAccess = 0;
+ if (!empty($this->user_author_id) && $this->user_author_id == $user->id)
+ {
+ $userAccess = 1;
+ }
+ else
+ {
+ foreach(array('internal','external') as $source)
+ {
+ $userRole = $this->liste_contact(4,$source);
+ $num=sizeof($userRole);
+
+ $i = 0;
+ while ($i < $num)
+ {
+ if ($userRole[$i]['code'] == 'PROJECTLEADER' && $user->id == $userRole[$i]['id'])
+ {
+ $userAccess++;
+ }
+ $i++;
+ }
+ }
+ }
+
+ if (!$userAccess && !$this->public) accessforbidden('',0);
+
+ return $userAccess;
+ }
 }
 ?>
diff --git a/htdocs/projet/tasks/fiche.php b/htdocs/projet/tasks/fiche.php
index 19546dcee8a..d4356f455ea 100644
--- a/htdocs/projet/tasks/fiche.php
+++ b/htdocs/projet/tasks/fiche.php
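Review bot: The note.php hunk drops `$userstatic = new User($db);` together with the inlined check, but nothing in the visible lines shows that the page stopped using it; if a later part of note.php, outside the hunk, still renders the author through `$userstatic`, that becomes an undefined-variable notice and a blank author rather than a cleanup. Please confirm with a grep for `$userstatic` in note.php before merging, or keep the line. The `if ($project->fetch($id, $ref))` block this hunk opens continues past the hunk.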
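Review bot: In `restrictedProjectArea()` the PROJECTLEADER match `$user->id == $userRole[$i]['id']` is applied to both the `internal` and the `external` source, yet only internal contacts are users; if `liste_contact(4,'external')` returns contact ids rather than user ids, as its name suggests, a user whose id happens to equal an external leader's contact id is granted leader rights on a private project, an id-space confusion compounded by the loose `==`. I would restrict that comparison to the `internal` source, or compare the external ids against the user's linked contact id instead of `$user->id`, and cast both sides with `(int)` either way. The `\brief Check permissions` docblock should also state the side effect the name hides: the method terminates the request through `accessforbidden()` for a private project when the caller is neither author nor leader, and otherwise returns the number of matches, which is 0 for a viewer of a public project.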
@@ -119,26 +119,7 @@ if ($id > 0 || ! empty($ref))
 if ($project->societe->id > 0) $result=$project->societe->fetch($project->societe->id);
 // To verify role of users
- $userAccess = 0;
- if (!empty($project->user_author_id) && $project->user_author_id == $user->id) $userAccess=1;
- else
- {
- foreach(array('internal','external') as $source)
- {
- $userRole = $project->liste_contact(4,$source);
- $num=sizeof($userRole);
-
- $i = 0;
- while ($i < $num)
- {
- if ($userRole[$i]['code'] == 'PROJECTLEADER' && $user->id == $userRole[$i]['id'])
- {
- $userAccess++;
- }
- $i++;
- }
- }
- }
+ $userAccess = $project->restrictedProjectArea($user);
 }
 if ($_GET["action"] == 'create' && $user->rights->projet->task->creer && $userAccess)
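Review bot: `$userAccess` is only assigned inside the `if ($id > 0 || ! empty($ref))` block that closes on the ` }` line of this hunk, yet the very next line tests `&& $userAccess` unconditionally; if tasks/fiche.php is reached with neither id nor ref, that reads an undefined variable, which fails closed only by accident (a notice and a falsy value) and gives the user no message. Unless the variable is initialised above line 119, outside the view, I would add `$userAccess = 0;` before the `if` and an explicit `accessforbidden()` when neither id nor ref is supplied. Note too that because `restrictedProjectArea()` returns 0 for a public project the user does not lead, this gate denies task creation on public projects to everyone but the author and leaders even with `projet->task->creer`; that matches the pre-commit inline code, but it deserves a comment at the gate so it is not mistaken for a bug later.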