From e0cf29b1225a79793687b51b93e798cbb9502886 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sat, 25 Feb 2023 15:32:29 +0100
Subject: [PATCH] Fix #yogosha14973
---
 htdocs/ecm/dir_add_card.php | 8 ++++++--
 htdocs/ecm/index.php | 16 +++++++++++-----
 htdocs/ecm/index_auto.php | 12 ++++++------
 htdocs/langs/en_US/ecm.lang | 2 +-
 4 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/htdocs/ecm/dir_add_card.php b/htdocs/ecm/dir_add_card.php
index acdc6c2990a..5de525e17ea 100644
--- a/htdocs/ecm/dir_add_card.php
+++ b/htdocs/ecm/dir_add_card.php
@@ -94,13 +94,16 @@ if (!empty($section)) {
 // Permissions
 $permissiontoadd = 0;
+$permissiontodelete = 0;
 $permissiontoupload = 0;
 if ($module == 'ecm') {
 $permissiontoadd = $user->rights->ecm->setup;
+ $permissiontodelete = $user->rights->ecm->setup;
 $permissiontoupload = $user->rights->ecm->upload;
 }
 if ($module == 'medias') {
 $permissiontoadd = ($user->rights->mailing->creer || $user->rights->website->write);
+ $permissiontodelete = ($user->rights->mailing->creer || $user->rights->website->write);
 $permissiontoupload = ($user->rights->mailing->creer || $user->rights->website->write);
 }
@@ -189,7 +192,7 @@ if ($action == 'add' && $permissiontoadd) {
 exit;
 }
 }
-} elseif ($action == 'confirm_deletesection' && $confirm == 'yes' && $permissiontoadd) {
+} elseif ($action == 'confirm_deletesection' && $confirm == 'yes' && $permissiontodelete) {
 // Deleting file
 $result = $ecmdir->delete($user);
 setEventMessages($langs->trans("ECMSectionWasRemoved", $ecmdir->label), null, 'mesgs');
@@ -231,7 +234,8 @@ if ($action == 'create') { print ''; // Label - print ''."\n"; + print ''."\n"; print '
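Review bot: The new `$permissiontodelete` assignments use the `$user->rights->ecm->setup` property chain, while the companion change to htdocs/ecm/index.php in this same patch switches to `$user->hasRight('ecm', 'setup')`; the two files should settle on one accessor, e.g. `$permissiontodelete = $user->hasRight('ecm', 'setup');` in the 'ecm' branch and the equivalent `hasRight()` calls in the 'medias' branch. The hunk also shows that delete deliberately mirrors add rather than upload in both branches, which deserves a comment above the block: `// Deleting a directory requires the same right as creating one (ecm setup, or mailing/website write for medias); upload alone is not enough`. The permission block is complete within the hunk.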
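Review bot: The success message `ECMSectionWasRemoved` is set immediately after `$result = $ecmdir->delete($user);` with no check of `$result` visible in the hunk, so a deletion that fails would still tell the user the directory was removed; the same pattern appears in htdocs/ecm/index.php at hunk `@@ -170,7 +176,7 @@`. Assuming `delete()` follows the usual Dolibarr convention of returning a negative value on failure and EcmDirectory exposes `$error`/`$errors`, wrap the existing `setEventMessages(...)` in `if ($result > 0) {` and add an `else` branch with `setEventMessages($ecmdir->error, $ecmdir->errors, 'errors');`. The `// Deleting file` comment on this branch is also misleading, since it removes an ECM section, and should read `// Deleting directory`. This `elseif` is part of an if-chain that starts before the hunk, and the branch continues past it.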
'.$langs->trans("Label").'label).'" autofocus>
'.$langs->trans("Label").''; + print '
'.$langs->trans("AddIn").''; print $formecm->selectAllSections((GETPOST("catParent", 'alpha') ? GETPOST("catParent", 'alpha') : $ecmdir->fk_parent), 'catParent', $module);
diff --git a/htdocs/ecm/index.php b/htdocs/ecm/index.php
index 9eb512bc96d..d6cf8a0993f 100644
--- a/htdocs/ecm/index.php
+++ b/htdocs/ecm/index.php
@@ -83,6 +83,12 @@ if ($user->socid) {
 }
 $result = restrictedArea($user, 'ecm', 0);
+$permissiontoread = $user->hasRight('ecm', 'read');
+$permissiontocreate = $user->hasRight('ecm', 'upload');
+$permissiontocreatedir = $user->hasRight('ecm', 'setup');
+$permissiontodelete = $user->hasRight('ecm', 'upload');
+$permissiontodeletedir = $user->hasRight('ecm', 'setup');
+
 /*
 * Actions
@@ -93,7 +99,7 @@ $result = restrictedArea($user, 'ecm', 0);
 //include DOL_DOCUMENT_ROOT.'/core/actions_linkedfiles.inc.php';
 // Upload file (code similar but different than actions_linkedfiles.inc.php)
-if (GETPOST("sendit", 'alphanohtml') && !empty($conf->global->MAIN_UPLOAD_DOC)) {
+if (GETPOST("sendit", 'alphanohtml') && !empty($conf->global->MAIN_UPLOAD_DOC) && $permissiontocreate) {
 // Define relativepath and upload_dir
 $relativepath = '';
 if ($ecmdir->id) {
@@ -130,7 +136,7 @@ if (GETPOST("sendit", 'alphanohtml') && !empty($conf->global->MAIN_UPLOAD_DOC))
 }
 // Remove file (code similar but different than actions_linkedfiles.inc.php)
-if ($action == 'confirm_deletefile') {
+if ($action == 'confirm_deletefile' && $permissiontodelete) {
 if (GETPOST('confirm') == 'yes') {
 // GETPOST('urlfile','alpha') is full relative URL from ecm root dir. Contains path of all sections.
@@ -152,7 +158,7 @@ if ($action == 'confirm_deletefile') {
 }
 // Add directory
-if ($action == 'add' && $user->rights->ecm->setup) {
+if ($action == 'add' && $permissiontocreatedir) {
 $ecmdir->ref = 'NOTUSEDYET';
 $ecmdir->label = GETPOST("label");
 $ecmdir->description = GETPOST("desc");
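Review bot: The five new permission flags encode a mapping that is not obvious from their names — file upload and file deletion both resolve to the 'upload' right, directory creation and directory deletion both to 'setup' — and nothing in the hunk documents it. A comment above the block would make the intent reviewable, e.g. `// File operations (upload/delete) are covered by the ecm 'upload' right; changes to the directory tree (create/delete dir) by the ecm 'setup' right.` If file deletion was meant to need 'setup' rather than 'upload', the `$permissiontodelete` line is the one to adjust; I cannot tell from the hunk which was intended.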
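Review bot: When `$permissiontocreate` is false the upload block is now skipped and the page continues rendering normally, so a user without the right gets no indication that the action was refused; the same silent fall-through applies to the guards added at `@@ -130`, `@@ -152`, `@@ -170` and `@@ -180` of this file and to the dir_add_card.php change. If an explicit refusal is the behaviour wanted here, a check such as `if (GETPOST("sendit", 'alphanohtml') && !$permissiontocreate) { accessforbidden(); }` in front of the upload block turns the no-op into an error; accessforbidden() is, as far as I recall, the helper Dolibarr uses for this, but confirm it is the convention for action handlers in this module before adopting it. The upload block continues beyond the hunk.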
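Review bot: The confirmation value on the line right after the new guard is read as `GETPOST('confirm')` with no filter argument, whereas the directory-deletion branch at `@@ -170` of the same file reads `GETPOST('confirm', 'alpha')`; the two should match, i.e. `if (GETPOST('confirm', 'alpha') == 'yes') {`. Every other GETPOST call in this patch names its filter, so the bare call stands out on a line that gates a file deletion. The deletion block continues beyond the hunk.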
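Review bot: The two lines that populate the new directory read `GETPOST("label")` and `GETPOST("desc")` without a filter argument, while the other GETPOST calls in these hunks all name one ('alphanohtml', 'alpha', 'aZ09', 'int'); `$ecmdir->label` is later interpolated into the ECMSectionWasRemoved message elsewhere in this patch, so it should be read with an explicit filter, e.g. `$ecmdir->label = GETPOST("label", 'alphanohtml');` and `$ecmdir->description = GETPOST("desc", 'alphanohtml');` (or whichever filter the project uses for free-text descriptions). The add-directory block continues past the hunk.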
@@ -170,7 +176,7 @@ if ($action == 'add' && $user->rights->ecm->setup) {
 }
 // Remove directory
-if ($action == 'confirm_deletesection' && GETPOST('confirm', 'alpha') == 'yes') {
+if ($action == 'confirm_deletesection' && GETPOST('confirm', 'alpha') == 'yes' && $permissiontodeletedir) {
 $result = $ecmdir->delete($user);
 setEventMessages($langs->trans("ECMSectionWasRemoved", $ecmdir->label), null, 'mesgs');
@@ -180,7 +186,7 @@ if ($action == 'confirm_deletesection' && GETPOST('confirm', 'alpha') == 'yes')
 // Refresh directory view
 // This refresh list of dirs, not list of files (for preformance reason). List of files is refresh only if dir was not synchronized.
 // To refresh content of dir with cache, just open the dir in edit mode.
-if ($action == 'refreshmanual') {
+if ($action == 'refreshmanual' && $permissiontoread) {
 $ecmdirtmp = new EcmDirectory($db);
 // This part of code is same than into file ecm/ajax/ecmdatabase.php TODO Remove duplicate
diff --git a/htdocs/ecm/index_auto.php b/htdocs/ecm/index_auto.php
index 342d7d74129..628ef871ea5 100644
--- a/htdocs/ecm/index_auto.php
+++ b/htdocs/ecm/index_auto.php
@@ -34,12 +34,6 @@ require_once DOL_DOCUMENT_ROOT.'/ecm/class/ecmdirectory.class.php';
 // Load translation files required by the page
 $langs->loadLangs(array("ecm", "companies", "other", "users", "orders", "propal", "bills", "contracts"));
-// Security check
-if ($user->socid) {
- $socid = $user->socid;
-}
-$result = restrictedArea($user, 'ecm', 0);
-
 // Get parameters
 $socid = GETPOST('socid', 'int');
 $action = GETPOST('action', 'aZ09');
@@ -87,6 +81,12 @@ $userstatic = new User($db);
 $error = 0;
+// Security check
+if ($user->socid) {
+ $socid = $user->socid;
+}
+$result = restrictedArea($user, 'ecm', 0);
+
 /*
 * Actions
diff --git a/htdocs/langs/en_US/ecm.lang b/htdocs/langs/en_US/ecm.lang
index 5ced4ec5617..724e5aa59d7 100644
--- a/htdocs/langs/en_US/ecm.lang
+++ b/htdocs/langs/en_US/ecm.lang
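Review bot: Moving the security block down to line 81 means everything between the parameter block and the new location — at least `$userstatic = new User($db)` per the hunk header, plus whatever sits in lines 40–80 that the hunks do not show — now runs before `restrictedArea()` is called, whereas previously the check was the first thing after loading translations; if any of that code performs database reads or object fetches, a user who fails the check can still trigger them. The apparent reason for the move is that the old order let `$socid = GETPOST('socid', 'int');` overwrite the `$socid = $user->socid;` forced for external users, which is fixed just as well by placing the `// Security check` block directly under the `$socid = GETPOST('socid', 'int');` line. Unless something in lines 40–80 is genuinely needed by the check, moving it back up keeps the old-code-first guarantee while preserving the override.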
@@ -19,7 +19,7 @@ ECMArea=DMS/ECM area
 ECMAreaDesc=The DMS/ECM (Document Management System / Electronic Content Management) area allows you to save, share and search quickly all kind of documents in Dolibarr.
 ECMAreaDesc2a=* Manual directories can be used to save documents not linked to a particular element.
 ECMAreaDesc2b=* Automatic directories are filled automatically when adding documents from the page of an element.
-ECMAreaDesc3=* Medias directories are files into the subdirectory /medias of documents directory, readable by everybody with no need to be logged and no need to have the file shared explicitely. It is used to store image files from emailing or website module.
+ECMAreaDesc3=* Medias directories are files into the subdirectory /medias of documents directory, readable by everybody with no need to be logged and no need to have the file shared explicitely. It is used to store image files for the emailing or website module for example.
 ECMSectionWasRemoved=Directory %s has been deleted.
 ECMSectionWasCreated=Directory %s has been created.
 ECMSearchByKeywords=Search by keywords