Fix: possibility to overload permissions (multicompany sharing)

Regis Houssin 2018-07-01 11:06:47 +02:00
parent 16b4d2aee7
commit d699667722


@ -108,9 +108,21 @@ if ($id > 0 || ! empty($ref)) {
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
$hookmanager->initHooks(array('propalcard','globalcard'));
$permissionnote = $user->rights->propale->creer; // Used by the include of actions_setnotes.inc.php
$permissiondellink=$user->rights->propale->creer; // Used by the include of actions_dellink.inc.php
$permissiontoedit = $user->rights->propale->creer; // Used by the include of actions_lineupdown.inc.php
$usercanread = $user->rights->propal->lire;
$usercancreate = $user->rights->propal->creer;
$usercanclose = $user->rights->propal->cloturer;
$usercandelete = $user->rights->propal->supprimer;
$usercanvalidate = ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && $usercancreate) || (! empty($conf->global->MAIN_USE_ADVANCED_PERMS) && ! empty($user->rights->propal->propal_advance->validate)));
$usercansend = (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || $user->rights->propal->propal_advance->send);
$usercancreateorder = $user->rights->commande->creer;
$usercancreateinvoice = $user->rights->facture->creer;
$usercancreatecontract = $user->rights->contrat->creer;
$usercancreateintervention = $user->rights->ficheinter->creer;
$permissionnote = $usercancreate; // Used by the include of actions_setnotes.inc.php
$permissiondellink = $usercancreate; // Used by the include of actions_dellink.inc.php
$permissiontoedit = $usercancreate; // Used by the include of actions_lineupdown.inc.php
/*
@ -140,7 +152,7 @@ if (empty($reshook))
include DOL_DOCUMENT_ROOT.'/core/actions_lineupdown.inc.php'; // Must be include, not include_once
// Action clone object
if ($action == 'confirm_clone' && $confirm == 'yes')
if ($action == 'confirm_clone' && $confirm == 'yes' && $usercancreate)
{
if (! GETPOST('socid', 3))
{
@ -191,7 +203,7 @@ if (empty($reshook))
}
// Delete proposal
else if ($action == 'confirm_delete' && $confirm == 'yes' && $user->rights->propal->supprimer)
else if ($action == 'confirm_delete' && $confirm == 'yes' && $usercandelete)
{
$result = $object->delete($user);
if ($result > 0) {
@ -204,7 +216,7 @@ if (empty($reshook))
}
// Remove line
else if ($action == 'confirm_deleteline' && $confirm == 'yes' && $user->rights->propal->creer)
else if ($action == 'confirm_deleteline' && $confirm == 'yes' && $usercancreate)
{
$result = $object->deleteline($lineid);
// reorder lines
@ -228,10 +240,7 @@ if (empty($reshook))
}
// Validation
else if ($action == 'confirm_validate' && $confirm == 'yes' &&
((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && ! empty($user->rights->propal->creer))
|| (! empty($conf->global->MAIN_USE_ADVANCED_PERMS) && ! empty($user->rights->propal->propal_advance->validate)))
)
else if ($action == 'confirm_validate' && $confirm == 'yes' && $usercanvalidate)
{
$result = $object->valid($user);
if ($result >= 0)
@ -258,7 +267,7 @@ if (empty($reshook))
}
}
else if ($action == 'setdate' && $user->rights->propal->creer)
else if ($action == 'setdate' && $usercancreate)
{
$datep = dol_mktime(12, 0, 0, $_POST['remonth'], $_POST['reday'], $_POST['reyear']);
@ -273,13 +282,13 @@ if (empty($reshook))
dol_print_error($db, $object->error);
}
}
else if ($action == 'setecheance' && $user->rights->propal->creer)
else if ($action == 'setecheance' && $usercancreate)
{
$result = $object->set_echeance($user, dol_mktime(12, 0, 0, $_POST['echmonth'], $_POST['echday'], $_POST['echyear']));
if ($result < 0)
dol_print_error($db, $object->error);
}
else if ($action == 'setdate_livraison' && $user->rights->propal->creer)
else if ($action == 'setdate_livraison' && $usercancreate)
{
$result = $object->set_date_livraison($user, dol_mktime(12, 0, 0, $_POST['date_livraisonmonth'], $_POST['date_livraisonday'], $_POST['date_livraisonyear']));
if ($result < 0)
@ -287,7 +296,7 @@ if (empty($reshook))
}
// Positionne ref client
else if ($action == 'setref_client' && $user->rights->propal->creer)
else if ($action == 'setref_client' && $usercancreate)
{
$result = $object->set_ref_client($user, GETPOST('ref_client'));
if ($result < 0)
@ -297,13 +306,13 @@ if (empty($reshook))
}
// Set incoterm
elseif ($action == 'set_incoterms' && !empty($conf->incoterm->enabled))
elseif ($action == 'set_incoterms' && !empty($conf->incoterm->enabled) && $usercancreate)
{
$result = $object->setIncoterms(GETPOST('incoterm_id', 'int'), GETPOST('location_incoterms', 'alpha'));
}
// Create proposal
else if ($action == 'add' && $user->rights->propal->creer)
else if ($action == 'add' && $usercancreate)
{
$object->socid = $socid;
$object->fetch_thirdparty();
@ -597,7 +606,7 @@ if (empty($reshook))
}
// Classify billed
else if ($action == 'classifybilled' && $user->rights->propal->cloturer)
else if ($action == 'classifybilled' && $usercanclose)
{
$result=$object->cloture($user, 4, '');
if ($result < 0)
@ -608,7 +617,7 @@ if (empty($reshook))
}
// Close proposal
else if ($action == 'setstatut' && $user->rights->propal->cloturer && ! GETPOST('cancel','alpha'))
else if ($action == 'setstatut' && $usercanclose && ! GETPOST('cancel','alpha'))
{
if (! (GETPOST('statut','int') > 0)) {
setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("CloseAs")), null, 'errors');
@ -628,7 +637,7 @@ if (empty($reshook))
}
// Reopen proposal
else if ($action == 'confirm_reopen' && $user->rights->propal->cloturer && ! GETPOST('cancel','alpha'))
else if ($action == 'confirm_reopen' && $usercanclose && ! GETPOST('cancel','alpha'))
{
// prevent browser refresh from reopening proposal several times
if ($object->statut == Propal::STATUS_SIGNED || $object->statut == Propal::STATUS_NOTSIGNED || $object->statut == Propal::STATUS_BILLED)
@ -653,7 +662,7 @@ if (empty($reshook))
// Go back to draft
if ($action == 'modif' && $user->rights->propal->creer)
if ($action == 'modif' && $usercancreate)
{
$object->set_draft($user);
@ -671,7 +680,7 @@ if (empty($reshook))
}
}
else if ($action == "setabsolutediscount" && $user->rights->propal->creer) {
else if ($action == "setabsolutediscount" && $usercancreate) {
if ($_POST["remise_id"]) {
if ($object->id > 0) {
$result = $object->insert_discount($_POST["remise_id"]);
@ -683,7 +692,7 @@ if (empty($reshook))
}
// Add line
else if ($action == 'addline' && $user->rights->propal->creer) {
else if ($action == 'addline' && $usercancreate) {
// Set if we used free entry or predefined product
$predef='';
@ -1046,7 +1055,7 @@ if (empty($reshook))
}
// Update a line within proposal
else if ($action == 'updateligne' && $user->rights->propal->creer && GETPOST('save'))
else if ($action == 'updateligne' && $usercancreate && GETPOST('save'))
{
// Define info_bits
$info_bits = 0;
@ -1183,62 +1192,62 @@ if (empty($reshook))
}
}
else if ($action == 'updateligne' && $user->rights->propal->creer && GETPOST('cancel','alpha'))
else if ($action == 'updateligne' && $usercancreate && GETPOST('cancel','alpha'))
{
header('Location: ' . $_SERVER['PHP_SELF'] . '?id=' . $object->id); // Pour reaffichage de la fiche en cours d'edition
exit();
}
// Set project
else if ($action == 'classin' && $user->rights->propal->creer) {
else if ($action == 'classin' && $usercancreate) {
$object->setProject(GETPOST('projectid','int'));
}
// Delai de livraison
else if ($action == 'setavailability' && $user->rights->propal->creer) {
else if ($action == 'setavailability' && $usercancreate) {
$result = $object->set_availability($user, GETPOST('availability_id','int'));
}
// Origine de la propale
else if ($action == 'setdemandreason' && $user->rights->propal->creer) {
else if ($action == 'setdemandreason' && $usercancreate) {
$result = $object->set_demand_reason($user, GETPOST('demand_reason_id','int'));
}
// Conditions de reglement
else if ($action == 'setconditions' && $user->rights->propal->creer) {
else if ($action == 'setconditions' && $usercancreate) {
$result = $object->setPaymentTerms(GETPOST('cond_reglement_id', 'int'));
}
else if ($action == 'setremisepercent' && $user->rights->propal->creer) {
else if ($action == 'setremisepercent' && $usercancreate) {
$result = $object->set_remise_percent($user, $_POST['remise_percent']);
}
else if ($action == 'setremiseabsolue' && $user->rights->propal->creer) {
else if ($action == 'setremiseabsolue' && $usercancreate) {
$result = $object->set_remise_absolue($user, $_POST['remise_absolue']);
}
// Mode de reglement
else if ($action == 'setmode' && $user->rights->propal->creer) {
else if ($action == 'setmode' && $usercancreate) {
$result = $object->setPaymentMethods(GETPOST('mode_reglement_id', 'int'));
}
// Multicurrency Code
else if ($action == 'setmulticurrencycode' && $user->rights->propal->creer) {
else if ($action == 'setmulticurrencycode' && $usercancreate) {
$result = $object->setMulticurrencyCode(GETPOST('multicurrency_code', 'alpha'));
}
// Multicurrency rate
else if ($action == 'setmulticurrencyrate' && $user->rights->propal->creer) {
else if ($action == 'setmulticurrencyrate' && $usercancreate) {
$result = $object->setMulticurrencyRate(price2num(GETPOST('multicurrency_tx')));
}
// bank account
else if ($action == 'setbankaccount' && $user->rights->propal->creer) {
else if ($action == 'setbankaccount' && $usercancreate) {
$result=$object->setBankAccount(GETPOST('fk_account', 'int'));
}
// shipping method
else if ($action == 'setshippingmethod' && $user->rights->propal->creer) {
else if ($action == 'setshippingmethod' && $usercancreate) {
$result=$object->setShippingMethod(GETPOST('shipping_method_id', 'int'));
}
@ -1261,7 +1270,7 @@ if (empty($reshook))
if ($error) $action = 'edit_extras';
}
if (! empty($conf->global->MAIN_DISABLE_CONTACTS_TAB) && $user->rights->propal->creer)
if (! empty($conf->global->MAIN_DISABLE_CONTACTS_TAB) && $usercancreate)
{
if ($action == 'addcontact')
{
@ -1308,7 +1317,7 @@ if (empty($reshook))
// Actions to build doc
$upload_dir = $conf->propal->multidir_output[$object->entity];
$permissioncreate=$user->rights->propal->creer;
$permissioncreate=$usercancreate;
include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php';
}
@ -1837,8 +1846,8 @@ if ($action == 'create')
$morehtmlref='<div class="refidno">';
// Ref customer
$morehtmlref.=$form->editfieldkey("RefCustomer", 'ref_client', $object->ref_client, $object, $user->rights->propal->creer, 'string', '', 0, 1);
$morehtmlref.=$form->editfieldval("RefCustomer", 'ref_client', $object->ref_client, $object, $user->rights->propal->creer, 'string', '', null, null, '', 1);
$morehtmlref.=$form->editfieldkey("RefCustomer", 'ref_client', $object->ref_client, $object, $usercancreate, 'string', '', 0, 1);
$morehtmlref.=$form->editfieldval("RefCustomer", 'ref_client', $object->ref_client, $object, $usercancreate, 'string', '', null, null, '', 1);
// Thirdparty
$morehtmlref.='<br>'.$langs->trans('ThirdParty') . ' : ' . $object->thirdparty->getNomUrl(1,'customer');
if (empty($conf->global->MAIN_DISABLE_OTHER_LINK) && $object->thirdparty->id > 0) $morehtmlref.=' (<a href="'.DOL_URL_ROOT.'/comm/propal/list.php?socid='.$object->thirdparty->id.'">'.$langs->trans("OtherProposals").'</a>)';
@ -1847,7 +1856,7 @@ if ($action == 'create')
{
$langs->load("projects");
$morehtmlref.='<br>'.$langs->trans('Project') . ' ';
if ($user->rights->propal->creer)
if ($usercancreate)
{
if ($action != 'classify')
$morehtmlref.='<a href="' . $_SERVER['PHP_SELF'] . '?action=classify&amp;id=' . $object->id . '">' . img_edit($langs->transnoentitiesnoconv('SetProject')) . '</a> : ';
@ -1984,9 +1993,9 @@ if ($action == 'create')
// Delivery date
$langs->load('deliveries');
print '<tr><td>';
print $form->editfieldkey($langs->trans('DeliveryDate'), 'date_livraison', $object->date_livraison, $object, $user->rights->propal->creer, 'datepicker');
print $form->editfieldkey($langs->trans('DeliveryDate'), 'date_livraison', $object->date_livraison, $object, $usercancreate, 'datepicker');
print '</td><td>';
print $form->editfieldval($langs->trans('DeliveryDate'), 'date_livraison', $object->date_livraison, $object, $user->rights->propal->creer, 'datepicker');
print $form->editfieldval($langs->trans('DeliveryDate'), 'date_livraison', $object->date_livraison, $object, $usercancreate, 'datepicker');
print '</td>';
print '</tr>';
@ -2016,7 +2025,7 @@ if ($action == 'create')
print '<table width="100%" class="nobordernopadding"><tr><td>';
print $langs->trans('SendingMethod');
print '</td>';
if ($action != 'editshippingmethod' && $user->rights->propal->creer)
if ($action != 'editshippingmethod' && $usercancreate)
print '<td align="right"><a href="'.$_SERVER["PHP_SELF"].'?action=editshippingmethod&amp;id='.$object->id.'">'.img_edit($langs->trans('SetShippingMode'),1).'</a></td>';
print '</tr></table>';
print '</td><td>';
@ -2128,7 +2137,7 @@ if ($action == 'create')
print '<table width="100%" class="nobordernopadding"><tr><td>';
print $langs->trans('BankAccount');
print '</td>';
if ($action != 'editbankaccount' && $user->rights->propal->creer)
if ($action != 'editbankaccount' && $usercancreate)
print '<td align="right"><a href="'.$_SERVER["PHP_SELF"].'?action=editbankaccount&amp;id='.$object->id.'">'.img_edit($langs->trans('SetBankAccount'),1).'</a></td>';
print '</tr></table>';
print '</td><td>';
@ -2164,7 +2173,7 @@ if ($action == 'create')
print '<table width="100%" class="nobordernopadding"><tr><td>';
print $langs->trans('IncotermLabel');
print '<td><td align="right">';
if ($user->rights->propal->creer) print '<a href="'.DOL_URL_ROOT.'/comm/propal/card.php?id='.$object->id.'&action=editincoterm">'.img_edit().'</a>';
if ($usercancreate) print '<a href="'.DOL_URL_ROOT.'/comm/propal/card.php?id='.$object->id.'&action=editincoterm">'.img_edit().'</a>';
else print '&nbsp;';
print '</td></tr></table>';
print '</td>';
@ -2293,7 +2302,7 @@ if ($action == 'create')
$ret = $object->printObjectLines($action, $mysoc, $soc, $lineid, 1);
// Form to add new line
if ($object->statut == Propal::STATUS_DRAFT && $user->rights->propal->creer && $action != 'selectlines')
if ($object->statut == Propal::STATUS_DRAFT && $usercancreate && $action != 'selectlines')
{
if ($action != 'editline')
{
@ -2328,8 +2337,7 @@ if ($action == 'create')
// Validate
if ($object->statut == Propal::STATUS_DRAFT && $object->total_ttc >= 0 && count($object->lines) > 0)
{
if ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && ! empty($user->rights->propal->creer))
|| (! empty($conf->global->MAIN_USE_ADVANCED_PERMS) && ! empty($user->rights->propal->propal_advance->validate)))
if ($usercanvalidate)
{
print '<div class="inline-block divButAction"><a class="butAction" href="' . $_SERVER["PHP_SELF"] . '?id=' . $object->id . '&amp;action=validate">' . $langs->trans('Validate') . '</a></div>';
}
@ -2342,19 +2350,19 @@ if ($action == 'create')
print '<div class="inline-block divButAction"><a class="butAction" href="' . DOL_URL_ROOT . '/comm/action/card.php?action=create&amp;origin=' . $object->element . '&amp;originid=' . $object->id . '&amp;socid=' . $object->socid . '">' . $langs->trans("AddAction") . '</a></div>';
}*/
// Edit
if ($object->statut == Propal::STATUS_VALIDATED && $user->rights->propal->creer) {
if ($object->statut == Propal::STATUS_VALIDATED && $usercancreate) {
print '<div class="inline-block divButAction"><a class="butAction" href="' . $_SERVER["PHP_SELF"] . '?id=' . $object->id . '&amp;action=modif">' . $langs->trans('Modify') . '</a></div>';
}
// ReOpen
if (($object->statut == Propal::STATUS_SIGNED || $object->statut == Propal::STATUS_NOTSIGNED || $object->statut == Propal::STATUS_BILLED) && $user->rights->propal->cloturer) {
if (($object->statut == Propal::STATUS_SIGNED || $object->statut == Propal::STATUS_NOTSIGNED || $object->statut == Propal::STATUS_BILLED) && $usercanclose) {
print '<div class="inline-block divButAction"><a class="butAction" href="' . $_SERVER["PHP_SELF"] . '?id=' . $object->id . '&amp;action=reopen' . (empty($conf->global->MAIN_JUMP_TAG) ? '' : '#reopen') . '"';
print '>' . $langs->trans('ReOpen') . '</a></div>';
}
// Send
if ($object->statut == Propal::STATUS_VALIDATED || $object->statut == Propal::STATUS_SIGNED) {
if (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || $user->rights->propal->propal_advance->send) {
if ($usercansend) {
print '<div class="inline-block divButAction"><a class="butAction" href="' . $_SERVER["PHP_SELF"] . '?id=' . $object->id . '&action=presend&mode=init#formmailbeforetitle">' . $langs->trans('SendMail') . '</a></div>';
} else
print '<div class="inline-block divButAction"><a class="butActionRefused" href="#">' . $langs->trans('SendMail') . '</a></div>';
@ -2362,14 +2370,14 @@ if ($action == 'create')
// Create an order
if (! empty($conf->commande->enabled) && $object->statut == Propal::STATUS_SIGNED) {
if ($user->rights->commande->creer) {
if ($usercancreateorder) {
print '<div class="inline-block divButAction"><a class="butAction" href="' . DOL_URL_ROOT . '/commande/card.php?action=create&amp;origin=' . $object->element . '&amp;originid=' . $object->id . '&amp;socid=' . $object->socid . '">' . $langs->trans("AddOrder") . '</a></div>';
}
}
// Create an intervention
if (! empty($conf->service->enabled) && ! empty($conf->ficheinter->enabled) && $object->statut == Propal::STATUS_SIGNED) {
if ($user->rights->ficheinter->creer) {
if ($usercancreateintervention) {
$langs->load("interventions");
print '<div class="inline-block divButAction"><a class="butAction" href="' . DOL_URL_ROOT . '/fichinter/card.php?action=create&amp;origin=' . $object->element . '&amp;originid=' . $object->id . '&amp;socid=' . $object->socid . '">' . $langs->trans("AddIntervention") . '</a></div>';
}
@ -2379,7 +2387,7 @@ if ($action == 'create')
if ($conf->contrat->enabled && $object->statut == Propal::STATUS_SIGNED) {
$langs->load("contracts");
if ($user->rights->contrat->creer) {
if ($usercancreatecontract) {
print '<div class="inline-block divButAction"><a class="butAction" href="' . DOL_URL_ROOT . '/contrat/card.php?action=create&amp;origin=' . $object->element . '&amp;originid=' . $object->id . '&amp;socid=' . $object->socid . '">' . $langs->trans('AddContract') . '</a></div>';
}
}
@ -2387,7 +2395,7 @@ if ($action == 'create')
// Create an invoice and classify billed
if ($object->statut == Propal::STATUS_SIGNED)
{
if (! empty($conf->facture->enabled) && $user->rights->facture->creer)
if (! empty($conf->facture->enabled) && $usercancreateinvoice)
{
print '<div class="inline-block divButAction"><a class="butAction" href="' . DOL_URL_ROOT . '/compta/facture/card.php?action=create&amp;origin=' . $object->element . '&amp;originid=' . $object->id . '&amp;socid=' . $object->socid . '">' . $langs->trans("AddBill") . '</a></div>';
}
@ -2400,18 +2408,18 @@ if ($action == 'create')
}
// Set accepted/refused
if ($object->statut == Propal::STATUS_VALIDATED && $user->rights->propal->cloturer) {
if ($object->statut == Propal::STATUS_VALIDATED && $usercanclose) {
print '<div class="inline-block divButAction"><a class="butAction" href="' . $_SERVER["PHP_SELF"] . '?id=' . $object->id . '&amp;action=statut' . (empty($conf->global->MAIN_JUMP_TAG) ? '' : '#close') . '"';
print '>' . $langs->trans('SetAcceptedRefused') . '</a></div>';
}
// Clone
if ($user->rights->propal->creer) {
if ($usercancreate) {
print '<div class="inline-block divButAction"><a class="butAction" href="' . $_SERVER['PHP_SELF'] . '?id=' . $object->id . '&amp;socid=' . $object->socid . '&amp;action=clone&amp;object=' . $object->element . '">' . $langs->trans("ToClone") . '</a></div>';
}
// Delete
if ($user->rights->propal->supprimer) {
if ($usercandelete) {
print '<div class="inline-block divButAction"><a class="butActionDelete" href="' . $_SERVER["PHP_SELF"] . '?id=' . $object->id . '&amp;action=delete"';
print '>' . $langs->trans('Delete') . '</a></div>';
}
@ -2434,8 +2442,8 @@ if ($action == 'create')
$filename = dol_sanitizeFileName($object->ref);
$filedir = $conf->propal->multidir_output[$object->entity] . "/" . dol_sanitizeFileName($object->ref);
$urlsource = $_SERVER["PHP_SELF"] . "?id=" . $object->id;
$genallowed = $user->rights->propal->lire;
$delallowed = $user->rights->propal->creer;
$genallowed = $usercanread;
$delallowed = $usercancreate;
print $formfile->showdocuments('propal', $filename, $filedir, $urlsource, $genallowed, $delallowed, $object->modelpdf, 1, 0, 0, 28, 0, '', 0, '', $soc->default_lang, '', $object);
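Review bot: The new `$usercansend` at L21 reads `$user->rights->propal->propal_advance->send` bare, while `$usercanvalidate` on the line above wraps the same advanced-rights object in `! empty()`; when the advanced right is not defined this emits a notice and evaluates to null, so for consistency write `$usercansend = (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || ! empty($user->rights->propal->propal_advance->send));`. Every action branch and button in the later hunks now keys solely on these `$usercan*` variables, so they are the page's whole authorization decision and anything allowed to reassign them (the "overload" the commit title describes, presumably via hooks) deserves a comment at the block, e.g. `// Permission flags below may be overridden (multicompany sharing); every action/button check must test these variables, never $user->rights directly`. The hunk header names `if ($id > 0 || ! empty($ref))` as context; please confirm the assignments sit after that block closes, since the `add` branch at L106 runs with no id and would otherwise see `$usercancreate` undefined. The enclosing script starts and ends outside the hunks.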