From 9b548e41259741921d327fb2f5dc548d856f914a Mon Sep 17 00:00:00 2001 From: Gauthier PC portable 024 Date: Thu, 15 Dec 2022 16:08:44 +0100 Subject: [PATCH 1/7] FIX : "read" right of hrm evaluations must allow to see only user evaluations and those of subordinates, readall is another right + several fixes --- htdocs/core/modules/modHRM.class.php | 8 ++++++++ htdocs/hrm/class/evaluation.class.php | 6 ++++-- htdocs/hrm/evaluation_card.php | 2 +- htdocs/hrm/evaluation_list.php | 8 +++++++- htdocs/langs/en_US/admin.lang | 13 +++++++------ htdocs/langs/fr_FR/admin.lang | 11 ++++++----- 6 files changed, 33 insertions(+), 15 deletions(-) diff --git a/htdocs/core/modules/modHRM.class.php b/htdocs/core/modules/modHRM.class.php index 7df3bcc6dcf..b35c8736fd8 100644 --- a/htdocs/core/modules/modHRM.class.php +++ b/htdocs/core/modules/modHRM.class.php @@ -265,6 +265,14 @@ class modHRM extends DolibarrModules $this->rights[$r][4] = 'write_personal_information'; $this->rights[$r][5] = 'write'; // In php code, permission will be checked by test if ($user->rights->hrm->write_personal_information->write) $r++; + + // Evaluation + $this->rights[$r][0] = 4033; // Permission id (must not be already used) + $this->rights[$r][1] = 'Read all evaluations'; // Permission label + $this->rights[$r][3] = 0; // Permission by default for new user (0/1) + $this->rights[$r][4] = 'evaluation'; + $this->rights[$r][5] = 'readall'; // In php code, permission will be checked by test if ($user->rights->hrm->evaluation->read) + $r++; } /** diff --git a/htdocs/hrm/class/evaluation.class.php b/htdocs/hrm/class/evaluation.class.php index 77403631725..5dfab9b9b10 100644 --- a/htdocs/hrm/class/evaluation.class.php +++ b/htdocs/hrm/class/evaluation.class.php 
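Review bot: The trailing comment on the new `readall` right in the modHRM.class.php hunk still names the `read` permission, so it documents the wrong test; change it to `$this->rights[$r][5] = 'readall'; // In php code, permission will be checked by test if ($user->rights->hrm->evaluation->readall)`. The lang hunks in this same patch also renumber the existing evaluation keys (4020–4030 become 4021–4028), which only lines up if the ids declared earlier in this file already use those numbers — worth confirming, since a mismatch would leave those permission labels untranslated in the user rights page. modHRM's constructor continues outside the hunk.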
@@ -118,7 +118,7 @@ class Evaluation extends CommonObject 'import_key' => array('type'=>'varchar(14)', 'label'=>'ImportId', 'enabled'=>'1', 'position'=>1000, 'notnull'=>-1, 'visible'=>-2,), 'status' => array('type'=>'smallint', 'label'=>'Status', 'enabled'=>'1', 'position'=>1000, 'notnull'=>1, 'default'=>0, 'visible'=>5, 'index'=>1, 'arrayofkeyval'=>array('0'=>'Draft', '1'=>'Validated', '6' => 'Closed'),), 'date_eval' => array('type'=>'date', 'label'=>'DateEval', 'enabled'=>'1', 'position'=>502, 'notnull'=>1, 'visible'=>1,), - 'fk_user' => array('type'=>'integer:User:user/class/user.class.php', 'label'=>'User', 'enabled'=>'1', 'position'=>504, 'notnull'=>1, 'visible'=>1,), + 'fk_user' => array('type'=>'integer:User:user/class/user.class.php:0', 'label'=>'User', 'enabled'=>'1', 'position'=>504, 'notnull'=>1, 'visible'=>1,), 'fk_job' => array('type'=>'integer:Job:/hrm/class/job.class.php', 'label'=>'Job', 'enabled'=>'1', 'position'=>505, 'notnull'=>1, 'visible'=>1,), ); public $rowid; @@ -182,7 +182,7 @@ class Evaluation extends CommonObject */ public function __construct(DoliDB $db) { - global $conf, $langs; + global $conf, $langs, $user; $this->db = $db; @@ -193,6 +193,8 @@ class Evaluation extends CommonObject $this->fields['entity']['enabled'] = 0; } + if(empty($user->rights->hrm->evaluation->readall)) $this->fields['fk_user']['type'].= ':rowid IN('.implode(", ", $user->getAllChildIds(1)).')'; + $this->date_eval = dol_now(); // Unset fields that are disabled diff --git a/htdocs/hrm/evaluation_card.php b/htdocs/hrm/evaluation_card.php index 9c73d8c99b6..80110a3e8a0 100644 --- a/htdocs/hrm/evaluation_card.php +++ b/htdocs/hrm/evaluation_card.php 
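Review bot: In the `@@ -193` hunk the constructor dereferences the global `$user` unconditionally — `$user->rights->...` and `$user->getAllChildIds(1)` — so any instantiation of `Evaluation` without an authenticated user (scripts, cron jobs, or other contexts where `$user` is null or has no id) would fail on the method call or, at best, build an `IN()` list that is not meaningful there. Guarding the filter with `if (is_object($user) && !empty($user->id) && empty($user->rights->hrm->evaluation->readall)) {` keeps the restriction for interactive users and leaves the field untouched elsewhere. Note also that this only narrows the `fk_user` field definition (what the selector and list filter show); it does not by itself stop a `fetch()` of an evaluation outside the subordinate set, so the card page must enforce that rule separately. The constructor starts and continues outside the hunk.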
@@ -82,7 +82,7 @@ include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be includ $permissiontoread = $user->rights->hrm->evaluation->read; $permissiontoadd = $user->rights->hrm->evaluation->write; // Used by the include of actions_addupdatedelete.inc.php and actions_lineupdown.inc.php -$permissiontovalidate = $user->rights->hrm->evaluation_advance->validate; +$permissiontovalidate = (!empty($conf->global->MAIN_USE_ADVANCED_PERMS) && $user->rights->hrm->evaluation_advance->validate) || (empty($conf->global->MAIN_USE_ADVANCED_PERMS) && $permissiontoadd); $permissiontoClose = $user->rights->hrm->evaluation->write; $permissiontodelete = $user->rights->hrm->evaluation->delete/* || ($permissiontoadd && isset($object->status) && $object->status == $object::STATUS_DRAFT)*/; $permissiondellink = $user->rights->hrm->evaluation->write; // Used by the include of actions_dellink.inc.php diff --git a/htdocs/hrm/evaluation_list.php b/htdocs/hrm/evaluation_list.php index cc584b2e8d4..fb940b9dbb9 100644 --- a/htdocs/hrm/evaluation_list.php +++ b/htdocs/hrm/evaluation_list.php @@ -131,6 +131,7 @@ $object->fields = dol_sort_array($object->fields, 'position'); $arrayfields = dol_sort_array($arrayfields, 'position'); $permissiontoread = $user->rights->hrm->evaluation->read; +$permissiontoreadall = $user->rights->hrm->evaluation->readall; $permissiontoadd = $user->rights->hrm->evaluation->write; $permissiontodelete = $user->rights->hrm->evaluation->delete; @@ -146,7 +147,7 @@ if ($user->socid > 0) accessforbidden(); //$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0); //restrictedArea($user, $object->element, $object->id, $object->table_element, '', 'fk_soc', 'rowid', $isdraft); //if (empty($conf->hrm->enabled)) accessforbidden(); -//if (!$permissiontoread) accessforbidden(); +if (!$permissiontoread) accessforbidden(); 
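Review bot: `$permissiontoread` on the context line just above the changed `$permissiontovalidate` still grants card access from the plain `read` right alone, while this patch series redefines `read` as "yours and your subordinates" and only narrows the list query (`evaluation_list.php`) and the `fk_user` selector; an evaluation of a non-subordinate, once fetched by `actions_fetchobject.inc.php`, can therefore still be displayed on the card. Tighten it to `$permissiontoread = $user->rights->hrm->evaluation->read && (!empty($user->rights->hrm->evaluation->readall) || empty($object->id) || in_array($object->fk_user, $user->getAllChildIds(1)));` so the same ownership rule applies on the card (the `empty($object->id)` case keeps creation working). The new `$permissiontovalidate` expression reads correctly but would be clearer as a single ternary on the setting, e.g. `empty($conf->global->MAIN_USE_ADVANCED_PERMS) ? $permissiontoadd : $user->rights->hrm->evaluation_advance->validate`.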
@@ -273,6 +274,11 @@ foreach ($search as $key => $val) { if ($search_all) { $sql .= natural_search(array_keys($fieldstosearchall), $search_all); } + +if(empty($permissiontoreadall)) { + $sql.= " AND t.fk_user IN(".implode(", ", $user->getAllChildIds(1)).") "; +} + //$sql.= dolSqlDateFilter("t.field", $search_xxxday, $search_xxxmonth, $search_xxxyear); // Add where from extra fields include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_list_search_sql.tpl.php'; diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang index 7dd27ff29ab..f53323759d8 100644 --- a/htdocs/langs/en_US/admin.lang +++ b/htdocs/langs/en_US/admin.lang @@ -969,13 +969,14 @@ Permission3301=Generate new modules Permission4001=Read skill/job/position Permission4002=Create/modify skill/job/position Permission4003=Delete skill/job/position -Permission4020=Read evaluations -Permission4021=Create/modify your evaluation -Permission4022=Validate evaluation -Permission4023=Delete evaluation -Permission4030=See comparison menu +Permission4021=Read evaluations (yours and your subordinates) +Permission4022=Create/modify evaluations +Permission4023=Validate evaluation +Permission4025=Delete evaluation +Permission4028=See comparison menu Permission4031=Read personal information Permission4032=Write personal information +Permission4033=Read all evaluations (even those of user not subordinates) Permission10001=Read website content Permission10002=Create/modify website content (html and javascript content) Permission10003=Create/modify website content (dynamic php code). Dangerous, must be reserved to restricted developers. 
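Review bot: The subordinate restriction added here duplicates the one the same patch puts in `Evaluation::__construct` (`evaluation.class.php`), so the authorization rule now lives in two hand-written SQL fragments that must be kept in sync; consider exposing it once, e.g. a method on `Evaluation` returning the allowed `fk_user` id list (or the ready `IN (...)` fragment), and calling it from the list, the constructor and the card page. The fragment also assumes `getAllChildIds(1)` never returns an empty array — `IN()` with no values is a SQL syntax error — which presumably holds because the `1` argument adds the current user, but a fallback such as `implode(', ', $ids ?: array(0))` makes that independent of the helper. The WHERE clause being built continues outside the hunk.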
@@ -2280,4 +2281,4 @@ INVOICE_ADD_SWISS_QR_CODE=Show the swiss QR-Bill code on invoices UrlSocialNetworksDesc=Url link of social network. Use {socialid} for the variable part that contains the social network ID. IfThisCategoryIsChildOfAnother=If this category is a child of another one NoName=No name -CIDLookupURL=The module brings an URL that can be used by an external tool to get the name of a thirdparty or contact from its phone number. URL to use is: \ No newline at end of file +CIDLookupURL=The module brings an URL that can be used by an external tool to get the name of a thirdparty or contact from its phone number. URL to use is: diff --git a/htdocs/langs/fr_FR/admin.lang b/htdocs/langs/fr_FR/admin.lang index ed427b72ff1..91b925bd4f7 100644 --- a/htdocs/langs/fr_FR/admin.lang +++ b/htdocs/langs/fr_FR/admin.lang @@ -971,13 +971,14 @@ Permission3301=Générer de nouveaux modules Permission4001=Lire compétence/emploi/poste Permission4002=Créer/modifier une compétence/un emploi/un poste Permission4003=Supprimer compétence/emploi/poste -Permission4020=Lire les évaluations -Permission4021=Créer/modifier votre évaluation -Permission4022=Valider l'évaluation -Permission4023=Supprimer l'évaluation -Permission4030=Voir menu de comparaison +Permission4021=Lire les évaluations (les vôtres et celles de vos subordonnés) +Permission4022=Créer/modifier les évaluations +Permission4023=Valider l'évaluation +Permission4025=Supprimer l'évaluation +Permission4028=Voir menu de comparaison Permission4031=Lire les informations personnelles Permission4032=Ecrire les informations personnelles +Permission4033=Lire toutes les évaluations (même celles des utilisateurs non subordonnés) Permission10001=Lire le contenu du site Permission10002=Créer/modifier le contenu du site Web (contenu HTML et JavaScript) Permission10003=Créer/modifier le contenu du site Web (code php dynamique). Dangereux, doit être réservé à un nombre restreint de développeurs. 
From c9bf5f85ea26fbfc0d78ada13041ac2eae7a529f Mon Sep 17 00:00:00 2001 From: stickler-ci Date: Thu, 15 Dec 2022 15:24:52 +0000 Subject: [PATCH 2/7] Fixing style errors. --- htdocs/hrm/class/evaluation.class.php | 2 +- htdocs/hrm/evaluation_list.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/hrm/class/evaluation.class.php b/htdocs/hrm/class/evaluation.class.php index 5dfab9b9b10..6e8c4072a69 100644 --- a/htdocs/hrm/class/evaluation.class.php +++ b/htdocs/hrm/class/evaluation.class.php @@ -193,7 +193,7 @@ class Evaluation extends CommonObject $this->fields['entity']['enabled'] = 0; } - if(empty($user->rights->hrm->evaluation->readall)) $this->fields['fk_user']['type'].= ':rowid IN('.implode(", ", $user->getAllChildIds(1)).')'; + if (empty($user->rights->hrm->evaluation->readall)) $this->fields['fk_user']['type'].= ':rowid IN('.implode(", ", $user->getAllChildIds(1)).')'; $this->date_eval = dol_now(); diff --git a/htdocs/hrm/evaluation_list.php b/htdocs/hrm/evaluation_list.php index fb940b9dbb9..b2eeaf2c886 100644 --- a/htdocs/hrm/evaluation_list.php +++ b/htdocs/hrm/evaluation_list.php @@ -275,7 +275,7 @@ if ($search_all) { $sql .= natural_search(array_keys($fieldstosearchall), $search_all); } -if(empty($permissiontoreadall)) { +if (empty($permissiontoreadall)) { $sql.= " AND t.fk_user IN(".implode(", ", $user->getAllChildIds(1)).") "; } From 6a71e47d57204adb60299ad76ed2c72a32985700 Mon Sep 17 00:00:00 2001 From: Gauthier PC portable 024 Date: Thu, 15 Dec 2022 17:06:08 +0100 Subject: [PATCH 3/7] FIX : travis --- htdocs/hrm/class/evaluation.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/hrm/class/evaluation.class.php b/htdocs/hrm/class/evaluation.class.php index 5dfab9b9b10..9453211bfe6 100644 --- a/htdocs/hrm/class/evaluation.class.php +++ b/htdocs/hrm/class/evaluation.class.php 
@@ -193,7 +193,7 @@ class Evaluation extends CommonObject $this->fields['entity']['enabled'] = 0; } - if(empty($user->rights->hrm->evaluation->readall)) $this->fields['fk_user']['type'].= ':rowid IN('.implode(", ", $user->getAllChildIds(1)).')'; + if(empty($user->rights->hrm->evaluation->readall)) $this->fields['fk_user']['type'].= ':rowid IN('.$this->db->sanitize(implode(", ", $user->getAllChildIds(1))).')'; $this->date_eval = dol_now(); From 4b833d1c751e101449fc2e1184ad26e5e86840c8 Mon Sep 17 00:00:00 2001 From: Gauthier PC portable 024 Date: Thu, 15 Dec 2022 17:45:30 +0100 Subject: [PATCH 4/7] FIX : travis --- htdocs/hrm/evaluation_list.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/hrm/evaluation_list.php b/htdocs/hrm/evaluation_list.php index b2eeaf2c886..84080f930fa 100644 --- a/htdocs/hrm/evaluation_list.php +++ b/htdocs/hrm/evaluation_list.php @@ -276,7 +276,7 @@ if ($search_all) { } if (empty($permissiontoreadall)) { - $sql.= " AND t.fk_user IN(".implode(", ", $user->getAllChildIds(1)).") "; + $sql.= " AND t.fk_user IN(".$db->sanitize(implode(", ", $user->getAllChildIds(1))).") "; } //$sql.= dolSqlDateFilter("t.field", $search_xxxday, $search_xxxmonth, $search_xxxyear); From e444cbfbd42d47c72f5ad49f14ad05434bf51ef0 Mon Sep 17 00:00:00 2001 From: daraelmin Date: Sat, 17 Dec 2022 17:20:34 +0100 Subject: [PATCH 5/7] Fix Darkmode color of menu without link --- htdocs/theme/eldy/global.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/theme/eldy/global.inc.php b/htdocs/theme/eldy/global.inc.php index 6102e8584e8..e1d43513ff3 100644 --- a/htdocs/theme/eldy/global.inc.php +++ b/htdocs/theme/eldy/global.inc.php @@ -3164,7 +3164,7 @@ a.vmenu:link, a.vmenu:visited { a.vsmenu:link, a.vsmenu:visited, a.vsmenu:hover, a.vsmenu:active, span.vsmenu { font-family: ; text-align: ; - color: #202020; + color: var(--colortextbackvmenu); margin: 1px 1px 1px 6px; } span.vsmenudisabled, font.vsmenudisabled { 
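Review bot: In patch 3/7 (and identically in the `evaluation_list.php` hunk of patch 4/7 that follows) the id list is passed through `sanitize()` only after it has already been joined into a string; since `getAllChildIds(1)` yields user ids, casting each element is the more precise guard and leaves nothing for whatever character filtering `sanitize()` applies to strip: `implode(', ', array_map('intval', $user->getAllChildIds(1)))`, with `$db->sanitize(...)` in the list page replaced the same way. Patch 3/7 is also based on the pre-stickler text (`if(empty(` without the space, index 5dfab9b9b10) that patch 2/7 had just reformatted, so the two would conflict when applied in sequence; the merged form in patch 6/7 is the one to keep. The constructor continues outside the hunk.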
From 5686ffd9fad283b41c28a7618caeabffea8055ff Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 22 Dec 2022 14:45:22 +0100 Subject: [PATCH 6/7] Update evaluation.class.php --- htdocs/hrm/class/evaluation.class.php | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/htdocs/hrm/class/evaluation.class.php b/htdocs/hrm/class/evaluation.class.php index c4b8bd46178..8ffa387baa7 100644 --- a/htdocs/hrm/class/evaluation.class.php +++ b/htdocs/hrm/class/evaluation.class.php @@ -189,11 +189,13 @@ class Evaluation extends CommonObject if (empty($conf->global->MAIN_SHOW_TECHNICAL_ID) && isset($this->fields['rowid'])) { $this->fields['rowid']['visible'] = 0; } - if (empty($conf->multicompany->enabled) && isset($this->fields['entity'])) { + if (isModEnabled('multicompany') && isset($this->fields['entity'])) { $this->fields['entity']['enabled'] = 0; } - if (empty($user->rights->hrm->evaluation->readall)) $this->fields['fk_user']['type'].= ':rowid IN('.$this->db->sanitize(implode(", ", $user->getAllChildIds(1))).')'; + if (empty($user->rights->hrm->evaluation->readall)) { + $this->fields['fk_user']['type'].= ':rowid IN('.$this->db->sanitize(implode(", ", $user->getAllChildIds(1))).')'; + } $this->date_eval = dol_now(); From bb1659fb70ac5452c1d9404728a46f742a6f2c0b Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 22 Dec 2022 14:45:56 +0100 Subject: [PATCH 7/7] Update evaluation.class.php --- htdocs/hrm/class/evaluation.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/hrm/class/evaluation.class.php b/htdocs/hrm/class/evaluation.class.php index 8ffa387baa7..0125e7f882c 100644 --- a/htdocs/hrm/class/evaluation.class.php +++ b/htdocs/hrm/class/evaluation.class.php 
@@ -189,7 +189,7 @@ class Evaluation extends CommonObject if (empty($conf->global->MAIN_SHOW_TECHNICAL_ID) && isset($this->fields['rowid'])) { $this->fields['rowid']['visible'] = 0; } - if (isModEnabled('multicompany') && isset($this->fields['entity'])) { + if (!isModEnabled('multicompany') && isset($this->fields['entity'])) { $this->fields['entity']['enabled'] = 0; }