From d699667722277461fb592815626c454108d82a53 Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Sun, 1 Jul 2018 11:06:47 +0200
Subject: [PATCH] Fix: possibility to overload permissions (multicompany sharing)
---
 htdocs/comm/propal/card.php | 128 +++++++++++++++++++-----------------
 1 file changed, 68 insertions(+), 60 deletions(-)
diff --git a/htdocs/comm/propal/card.php b/htdocs/comm/propal/card.php
index 817115d93af..4a6fa7f47f6 100644
--- a/htdocs/comm/propal/card.php
+++ b/htdocs/comm/propal/card.php
@@ -108,9 +108,21 @@ if ($id > 0 || ! empty($ref)) { // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('propalcard','globalcard')); -$permissionnote = $user->rights->propale->creer; // Used by the include of actions_setnotes.inc.php -$permissiondellink=$user->rights->propale->creer; // Used by the include of actions_dellink.inc.php -$permissiontoedit = $user->rights->propale->creer; // Used by the include of actions_lineupdown.inc.php +$usercanread = $user->rights->propal->lire; +$usercancreate = $user->rights->propal->creer; +$usercanclose = $user->rights->propal->cloturer; +$usercandelete = $user->rights->propal->supprimer; +$usercanvalidate = ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && $usercancreate) || (! empty($conf->global->MAIN_USE_ADVANCED_PERMS) && ! empty($user->rights->propal->propal_advance->validate))); +$usercansend = (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || $user->rights->propal->propal_advance->send); + +$usercancreateorder = $user->rights->commande->creer; +$usercancreateinvoice = $user->rights->facture->creer; +$usercancreatecontract = $user->rights->contrat->creer; +$usercancreateintervention = $user->rights->ficheinter->creer; + +$permissionnote = $usercancreate; // Used by the include of actions_setnotes.inc.php +$permissiondellink = $usercancreate; // Used by the include of actions_dellink.inc.php +$permissiontoedit = $usercancreate; // Used by the include of actions_lineupdown.inc.php /* @@ -140,7 +152,7 @@ if (empty($reshook)) include DOL_DOCUMENT_ROOT.'/core/actions_lineupdown.inc.php'; // Must be include, not include_once // Action clone object - if ($action == 'confirm_clone' && $confirm == 'yes') + if ($action == 'confirm_clone' && $confirm == 'yes' && $usercancreate) { if (! GETPOST('socid', 3)) { 
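Review bot: `$usercansend` is true for every user when MAIN_USE_ADVANCED_PERMS is empty, because the new expression never falls back to a base propal right, whereas `$usercanvalidate` two lines above requires `$usercancreate` in that case; the old inline Send-button test (hunk at old line 2342) had the same shape, but now that the value is a reusable flag that hooks may overload the asymmetry is worth closing, e.g. `$usercansend = ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && $usercancreate) || (! empty($conf->global->MAIN_USE_ADVANCED_PERMS) && ! empty($user->rights->propal->propal_advance->send)));` (substitute `$usercanread` if read-only users are meant to be able to send). The four cross-module reads `$user->rights->commande->creer`, `->facture->creer`, `->contrat->creer` and `->ficheinter->creer` now run unconditionally, while the checks they replace sat behind `! empty($conf->commande->enabled)`, `! empty($conf->facture->enabled)`, `$conf->contrat->enabled` and `! empty($conf->ficheinter->enabled)`; if the rights sub-object is absent when a module is off this emits notices on every page load, so wrapping each read as `$usercancreateorder = ! empty($user->rights->commande->creer);` keeps them quiet and strictly boolean. The three removed `$permission*` lines read `$user->rights->propale->creer` (trailing `e`) while every other check in this file uses `propal`, so they were presumably always empty and note/link/line-reorder editing becomes newly reachable through this rename; that behaviour change deserves a line in the commit description or a comment such as `// was $user->rights->propale (typo) and therefore always empty before this change`. The enclosing top-level script continues on both sides of the hunk.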
@@ -191,7 +203,7 @@ if (empty($reshook)) } // Delete proposal - else if ($action == 'confirm_delete' && $confirm == 'yes' && $user->rights->propal->supprimer) + else if ($action == 'confirm_delete' && $confirm == 'yes' && $usercandelete) { $result = $object->delete($user); if ($result > 0) { @@ -204,7 +216,7 @@ if (empty($reshook)) } // Remove line - else if ($action == 'confirm_deleteline' && $confirm == 'yes' && $user->rights->propal->creer) + else if ($action == 'confirm_deleteline' && $confirm == 'yes' && $usercancreate) { $result = $object->deleteline($lineid); // reorder lines @@ -228,10 +240,7 @@ if (empty($reshook)) } // Validation - else if ($action == 'confirm_validate' && $confirm == 'yes' && - ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && ! empty($user->rights->propal->creer)) - || (! empty($conf->global->MAIN_USE_ADVANCED_PERMS) && ! empty($user->rights->propal->propal_advance->validate))) - ) + else if ($action == 'confirm_validate' && $confirm == 'yes' && $usercanvalidate) { $result = $object->valid($user); if ($result >= 0) @@ -258,7 +267,7 @@ if (empty($reshook)) } } - else if ($action == 'setdate' && $user->rights->propal->creer) + else if ($action == 'setdate' && $usercancreate) { $datep = dol_mktime(12, 0, 0, $_POST['remonth'], $_POST['reday'], $_POST['reyear']); 
@@ -273,13 +282,13 @@ if (empty($reshook)) dol_print_error($db, $object->error); } } - else if ($action == 'setecheance' && $user->rights->propal->creer) + else if ($action == 'setecheance' && $usercancreate) { $result = $object->set_echeance($user, dol_mktime(12, 0, 0, $_POST['echmonth'], $_POST['echday'], $_POST['echyear'])); if ($result < 0) dol_print_error($db, $object->error); } - else if ($action == 'setdate_livraison' && $user->rights->propal->creer) + else if ($action == 'setdate_livraison' && $usercancreate) { $result = $object->set_date_livraison($user, dol_mktime(12, 0, 0, $_POST['date_livraisonmonth'], $_POST['date_livraisonday'], $_POST['date_livraisonyear'])); if ($result < 0) @@ -287,7 +296,7 @@ if (empty($reshook)) } // Positionne ref client - else if ($action == 'setref_client' && $user->rights->propal->creer) + else if ($action == 'setref_client' && $usercancreate) { $result = $object->set_ref_client($user, GETPOST('ref_client')); if ($result < 0) @@ -297,13 +306,13 @@ if (empty($reshook)) } // Set incoterm - elseif ($action == 'set_incoterms' && !empty($conf->incoterm->enabled)) + elseif ($action == 'set_incoterms' && !empty($conf->incoterm->enabled) && $usercancreate) { $result = $object->setIncoterms(GETPOST('incoterm_id', 'int'), GETPOST('location_incoterms', 'alpha')); } // Create proposal - else if ($action == 'add' && $user->rights->propal->creer) + else if ($action == 'add' && $usercancreate) { $object->socid = $socid; $object->fetch_thirdparty(); @@ -597,7 +606,7 @@ if (empty($reshook)) } // Classify billed - else if ($action == 'classifybilled' && $user->rights->propal->cloturer) + else if ($action == 'classifybilled' && $usercanclose) { $result=$object->cloture($user, 4, ''); if ($result < 0) 
@@ -608,7 +617,7 @@ if (empty($reshook)) } // Close proposal - else if ($action == 'setstatut' && $user->rights->propal->cloturer && ! GETPOST('cancel','alpha')) + else if ($action == 'setstatut' && $usercanclose && ! GETPOST('cancel','alpha')) { if (! (GETPOST('statut','int') > 0)) { setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("CloseAs")), null, 'errors'); @@ -628,7 +637,7 @@ if (empty($reshook)) } // Reopen proposal - else if ($action == 'confirm_reopen' && $user->rights->propal->cloturer && ! GETPOST('cancel','alpha')) + else if ($action == 'confirm_reopen' && $usercanclose && ! GETPOST('cancel','alpha')) { // prevent browser refresh from reopening proposal several times if ($object->statut == Propal::STATUS_SIGNED || $object->statut == Propal::STATUS_NOTSIGNED || $object->statut == Propal::STATUS_BILLED) @@ -653,7 +662,7 @@ if (empty($reshook)) // Go back to draft - if ($action == 'modif' && $user->rights->propal->creer) + if ($action == 'modif' && $usercancreate) { $object->set_draft($user); @@ -671,7 +680,7 @@ if (empty($reshook)) } } - else if ($action == "setabsolutediscount" && $user->rights->propal->creer) { + else if ($action == "setabsolutediscount" && $usercancreate) { if ($_POST["remise_id"]) { if ($object->id > 0) { $result = $object->insert_discount($_POST["remise_id"]); @@ -683,7 +692,7 @@ if (empty($reshook)) } // Add line - else if ($action == 'addline' && $user->rights->propal->creer) { + else if ($action == 'addline' && $usercancreate) { // Set if we used free entry or predefined product $predef=''; @@ -1046,7 +1055,7 @@ if (empty($reshook)) } // Update a line within proposal - else if ($action == 'updateligne' && $user->rights->propal->creer && GETPOST('save')) + else if ($action == 'updateligne' && $usercancreate && GETPOST('save')) { // Define info_bits $info_bits = 0; 
@@ -1183,62 +1192,62 @@ if (empty($reshook)) } } - else if ($action == 'updateligne' && $user->rights->propal->creer && GETPOST('cancel','alpha')) + else if ($action == 'updateligne' && $usercancreate && GETPOST('cancel','alpha')) { header('Location: ' . $_SERVER['PHP_SELF'] . '?id=' . $object->id); // Pour reaffichage de la fiche en cours d'edition exit(); } // Set project - else if ($action == 'classin' && $user->rights->propal->creer) { + else if ($action == 'classin' && $usercancreate) { $object->setProject(GETPOST('projectid','int')); } // Delai de livraison - else if ($action == 'setavailability' && $user->rights->propal->creer) { + else if ($action == 'setavailability' && $usercancreate) { $result = $object->set_availability($user, GETPOST('availability_id','int')); } // Origine de la propale - else if ($action == 'setdemandreason' && $user->rights->propal->creer) { + else if ($action == 'setdemandreason' && $usercancreate) { $result = $object->set_demand_reason($user, GETPOST('demand_reason_id','int')); } // Conditions de reglement - else if ($action == 'setconditions' && $user->rights->propal->creer) { + else if ($action == 'setconditions' && $usercancreate) { $result = $object->setPaymentTerms(GETPOST('cond_reglement_id', 'int')); } - else if ($action == 'setremisepercent' && $user->rights->propal->creer) { + else if ($action == 'setremisepercent' && $usercancreate) { $result = $object->set_remise_percent($user, $_POST['remise_percent']); } - else if ($action == 'setremiseabsolue' && $user->rights->propal->creer) { + else if ($action == 'setremiseabsolue' && $usercancreate) { $result = $object->set_remise_absolue($user, $_POST['remise_absolue']); } // Mode de reglement - else if ($action == 'setmode' && $user->rights->propal->creer) { + else if ($action == 'setmode' && $usercancreate) { $result = $object->setPaymentMethods(GETPOST('mode_reglement_id', 'int')); } // Multicurrency Code - else if ($action == 'setmulticurrencycode' && 
$user->rights->propal->creer) { + else if ($action == 'setmulticurrencycode' && $usercancreate) { $result = $object->setMulticurrencyCode(GETPOST('multicurrency_code', 'alpha')); } // Multicurrency rate - else if ($action == 'setmulticurrencyrate' && $user->rights->propal->creer) { + else if ($action == 'setmulticurrencyrate' && $usercancreate) { $result = $object->setMulticurrencyRate(price2num(GETPOST('multicurrency_tx'))); } // bank account - else if ($action == 'setbankaccount' && $user->rights->propal->creer) { + else if ($action == 'setbankaccount' && $usercancreate) { $result=$object->setBankAccount(GETPOST('fk_account', 'int')); } // shipping method - else if ($action == 'setshippingmethod' && $user->rights->propal->creer) { + else if ($action == 'setshippingmethod' && $usercancreate) { $result=$object->setShippingMethod(GETPOST('shipping_method_id', 'int')); } @@ -1261,7 +1270,7 @@ if (empty($reshook)) if ($error) $action = 'edit_extras'; } - if (! empty($conf->global->MAIN_DISABLE_CONTACTS_TAB) && $user->rights->propal->creer) + if (! empty($conf->global->MAIN_DISABLE_CONTACTS_TAB) && $usercancreate) { if ($action == 'addcontact') { @@ -1308,7 +1317,7 @@ if (empty($reshook)) // Actions to build doc $upload_dir = $conf->propal->multidir_output[$object->entity]; - $permissioncreate=$user->rights->propal->creer; + $permissioncreate=$usercancreate; include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php'; } @@ -1837,8 +1846,8 @@ if ($action == 'create') $morehtmlref='
'; // Ref customer - $morehtmlref.=$form->editfieldkey("RefCustomer", 'ref_client', $object->ref_client, $object, $user->rights->propal->creer, 'string', '', 0, 1); - $morehtmlref.=$form->editfieldval("RefCustomer", 'ref_client', $object->ref_client, $object, $user->rights->propal->creer, 'string', '', null, null, '', 1); + $morehtmlref.=$form->editfieldkey("RefCustomer", 'ref_client', $object->ref_client, $object, $usercancreate, 'string', '', 0, 1); + $morehtmlref.=$form->editfieldval("RefCustomer", 'ref_client', $object->ref_client, $object, $usercancreate, 'string', '', null, null, '', 1); // Thirdparty $morehtmlref.='
'.$langs->trans('ThirdParty') . ' : ' . $object->thirdparty->getNomUrl(1,'customer'); if (empty($conf->global->MAIN_DISABLE_OTHER_LINK) && $object->thirdparty->id > 0) $morehtmlref.=' ('.$langs->trans("OtherProposals").')'; @@ -1847,7 +1856,7 @@ if ($action == 'create') { $langs->load("projects"); $morehtmlref.='
'.$langs->trans('Project') . ' '; - if ($user->rights->propal->creer) + if ($usercancreate) { if ($action != 'classify') $morehtmlref.='' . img_edit($langs->transnoentitiesnoconv('SetProject')) . ' : '; @@ -1984,9 +1993,9 @@ if ($action == 'create') // Delivery date $langs->load('deliveries'); print ''; - print $form->editfieldkey($langs->trans('DeliveryDate'), 'date_livraison', $object->date_livraison, $object, $user->rights->propal->creer, 'datepicker'); + print $form->editfieldkey($langs->trans('DeliveryDate'), 'date_livraison', $object->date_livraison, $object, $usercancreate, 'datepicker'); print ''; - print $form->editfieldval($langs->trans('DeliveryDate'), 'date_livraison', $object->date_livraison, $object, $user->rights->propal->creer, 'datepicker'); + print $form->editfieldval($langs->trans('DeliveryDate'), 'date_livraison', $object->date_livraison, $object, $usercancreate, 'datepicker'); print ''; print ''; @@ -2016,7 +2025,7 @@ if ($action == 'create') print ''; - if ($action != 'editshippingmethod' && $user->rights->propal->creer) + if ($action != 'editshippingmethod' && $usercancreate) print ''; print '
'; print $langs->trans('SendingMethod'); print 'id.'">'.img_edit($langs->trans('SetShippingMode'),1).'
'; print ''; @@ -2128,7 +2137,7 @@ if ($action == 'create') print ''; - if ($action != 'editbankaccount' && $user->rights->propal->creer) + if ($action != 'editbankaccount' && $usercancreate) print ''; print '
'; print $langs->trans('BankAccount'); print 'id.'">'.img_edit($langs->trans('SetBankAccount'),1).'
'; print ''; @@ -2164,7 +2173,7 @@ if ($action == 'create') print '
'; print $langs->trans('IncotermLabel'); print ''; - if ($user->rights->propal->creer) print ''.img_edit().''; + if ($usercancreate) print ''.img_edit().''; else print ' '; print '
'; print ''; @@ -2293,7 +2302,7 @@ if ($action == 'create') $ret = $object->printObjectLines($action, $mysoc, $soc, $lineid, 1); // Form to add new line - if ($object->statut == Propal::STATUS_DRAFT && $user->rights->propal->creer && $action != 'selectlines') + if ($object->statut == Propal::STATUS_DRAFT && $usercancreate && $action != 'selectlines') { if ($action != 'editline') { @@ -2328,8 +2337,7 @@ if ($action == 'create') // Validate if ($object->statut == Propal::STATUS_DRAFT && $object->total_ttc >= 0 && count($object->lines) > 0) { - if ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && ! empty($user->rights->propal->creer)) - || (! empty($conf->global->MAIN_USE_ADVANCED_PERMS) && ! empty($user->rights->propal->propal_advance->validate))) + if ($usercanvalidate) { print ''; } @@ -2342,19 +2350,19 @@ if ($action == 'create') print ''; }*/ // Edit - if ($object->statut == Propal::STATUS_VALIDATED && $user->rights->propal->creer) { + if ($object->statut == Propal::STATUS_VALIDATED && $usercancreate) { print ''; } // ReOpen - if (($object->statut == Propal::STATUS_SIGNED || $object->statut == Propal::STATUS_NOTSIGNED || $object->statut == Propal::STATUS_BILLED) && $user->rights->propal->cloturer) { + if (($object->statut == Propal::STATUS_SIGNED || $object->statut == Propal::STATUS_NOTSIGNED || $object->statut == Propal::STATUS_BILLED) && $usercanclose) { print ''; } // Send if ($object->statut == Propal::STATUS_VALIDATED || $object->statut == Propal::STATUS_SIGNED) { - if (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || $user->rights->propal->propal_advance->send) { + if ($usercansend) { print ''; } else print ''; 
@@ -2362,14 +2370,14 @@ if ($action == 'create') // Create an order if (! empty($conf->commande->enabled) && $object->statut == Propal::STATUS_SIGNED) { - if ($user->rights->commande->creer) { + if ($usercancreateorder) { print ''; } } // Create an intervention if (! empty($conf->service->enabled) && ! empty($conf->ficheinter->enabled) && $object->statut == Propal::STATUS_SIGNED) { - if ($user->rights->ficheinter->creer) { + if ($usercancreateintervention) { $langs->load("interventions"); print ''; } @@ -2379,7 +2387,7 @@ if ($action == 'create') if ($conf->contrat->enabled && $object->statut == Propal::STATUS_SIGNED) { $langs->load("contracts"); - if ($user->rights->contrat->creer) { + if ($usercancreatecontract) { print ''; } } @@ -2387,7 +2395,7 @@ if ($action == 'create') // Create an invoice and classify billed if ($object->statut == Propal::STATUS_SIGNED) { - if (! empty($conf->facture->enabled) && $user->rights->facture->creer) + if (! empty($conf->facture->enabled) && $usercancreateinvoice) { print ''; } @@ -2400,18 +2408,18 @@ if ($action == 'create') } // Set accepted/refused - if ($object->statut == Propal::STATUS_VALIDATED && $user->rights->propal->cloturer) { + if ($object->statut == Propal::STATUS_VALIDATED && $usercanclose) { print ''; } // Clone - if ($user->rights->propal->creer) { + if ($usercancreate) { print ''; } // Delete - if ($user->rights->propal->supprimer) { + if ($usercandelete) { print ''; } 
@@ -2434,8 +2442,8 @@ if ($action == 'create') $filename = dol_sanitizeFileName($object->ref); $filedir = $conf->propal->multidir_output[$object->entity] . "/" . dol_sanitizeFileName($object->ref); $urlsource = $_SERVER["PHP_SELF"] . "?id=" . $object->id; - $genallowed = $user->rights->propal->lire; - $delallowed = $user->rights->propal->creer; + $genallowed = $usercanread; + $delallowed = $usercancreate; print $formfile->showdocuments('propal', $filename, $filedir, $urlsource, $genallowed, $delallowed, $object->modelpdf, 1, 0, 0, 28, 0, '', 0, '', $soc->default_lang, '', $object);