From d5bab315e3c83dbe6fe26aaec223ce292d37542c Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 27 Mar 2021 15:03:18 +0100 Subject: [PATCH] FIX #yogosha5738 --- htdocs/hrm/admin/admin_establishment.php | 15 ++++++++++----- htdocs/hrm/admin/admin_hrm.php | 13 ++++++++++--- htdocs/hrm/establishment/card.php | 12 ++++-------- htdocs/hrm/establishment/info.php | 11 +++++------ htdocs/hrm/index.html | 0 5 files changed, 29 insertions(+), 22 deletions(-) delete mode 100644 htdocs/hrm/index.html diff --git a/htdocs/hrm/admin/admin_establishment.php b/htdocs/hrm/admin/admin_establishment.php index 11e965dc1d3..2772137284b 100644 --- a/htdocs/hrm/admin/admin_establishment.php +++ b/htdocs/hrm/admin/admin_establishment.php @@ -27,13 +27,18 @@ require_once DOL_DOCUMENT_ROOT.'/hrm/class/establishment.class.php'; // Load translation files required by the page $langs->loadLangs(array('admin', 'hrm')); +$error = 0; + +$permissiontoread = $user->admin; $permissiontoadd = $user->admin; -if (!$user->admin) { - accessforbidden(); -} - -$error = 0; +// Security check - Protection if external user +//if ($user->socid > 0) accessforbidden(); +//if ($user->socid > 0) $socid = $user->socid; +//$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); +//restrictedArea($user, $object->element, $object->id, '', '', 'fk_soc', 'rowid', 0); +if (empty($conf->hrm->enabled)) accessforbidden(); +if (empty($permissiontoread)) accessforbidden(); /* diff --git a/htdocs/hrm/admin/admin_hrm.php b/htdocs/hrm/admin/admin_hrm.php index 09cccfed3db..d19b15e3499 100644 --- a/htdocs/hrm/admin/admin_hrm.php +++ b/htdocs/hrm/admin/admin_hrm.php @@ -34,9 +34,16 @@ $list = array( // 'HRM_EMAIL_EXTERNAL_SERVICE' // To prevent your public accountant for example ); -if (!$user->admin) { - accessforbidden(); -} +$permissiontoread = $user->admin; +$permissiontoadd = $user->admin; + +// Security check - Protection if external user +//if ($user->socid > 0) accessforbidden(); +//if ($user->socid > 0) $socid = $user->socid; +//$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); +//restrictedArea($user, $object->element, $object->id, '', '', 'fk_soc', 'rowid', 0); +if (empty($conf->hrm->enabled)) accessforbidden(); +if (empty($permissiontoread)) accessforbidden(); /* diff --git a/htdocs/hrm/establishment/card.php b/htdocs/hrm/establishment/card.php index b2f477b48e5..caec6191d0d 100644 --- a/htdocs/hrm/establishment/card.php +++ b/htdocs/hrm/establishment/card.php @@ -51,7 +51,8 @@ $object = new Establishment($db); // Load object include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be include, not include_once -$permissiontoadd = $user->rights->hrm->write; // Used by the include of actions_addupdatedelete.inc.php +$permissiontoread = $user->admin; +$permissiontoadd = $user->admin; // Used by the include of actions_addupdatedelete.inc.php $upload_dir = $conf->hrm->multidir_output[isset($object->entity) ? $object->entity : 1]; // Security check - Protection if external user @@ -59,13 +60,8 @@ $upload_dir = $conf->hrm->multidir_output[isset($object->entity) ? $object->enti //if ($user->socid > 0) $socid = $user->socid; //$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); //restrictedArea($user, $object->element, $object->id, '', '', 'fk_soc', 'rowid', 0); -//if (empty($conf->mymodule->enabled)) accessforbidden(); -//if (empty($permissiontoread)) accessforbidden(); - -// Security check -if (!$user->admin) { - accessforbidden(); -} +if (empty($conf->hrm->enabled)) accessforbidden(); +if (empty($permissiontoread)) accessforbidden(); /* diff --git a/htdocs/hrm/establishment/info.php b/htdocs/hrm/establishment/info.php index cff38ac7f42..517b76de93a 100644 --- a/htdocs/hrm/establishment/info.php +++ b/htdocs/hrm/establishment/info.php @@ -76,18 +76,17 @@ if ($id > 0 || !empty($ref)) { $upload_dir = $conf->hrm->multidir_output[$object->entity]."/".$object->id; } +$permissiontoread = $user->admin; $permissiontoadd = $user->rights->hrm->write; // Used by the include of actions_addupdatedelete.inc.php $upload_dir = $conf->hrm->multidir_output[isset($object->entity) ? $object->entity : 1]; // Security check - Protection if external user //if ($user->socid > 0) accessforbidden(); //if ($user->socid > 0) $socid = $user->socid; -//$result = restrictedArea($user, 'mymodule', $object->id); - -// Security check -if (!$user->admin) { - accessforbidden(); -} +//$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); +//restrictedArea($user, $object->element, $object->id, '', '', 'fk_soc', 'rowid', $isdraft); +if (empty($conf->hrm->enabled)) accessforbidden(); +if (empty($permissiontoread)) accessforbidden(); /* diff --git a/htdocs/hrm/index.html b/htdocs/hrm/index.html deleted file mode 100644 index e69de29bb2d..00000000000