lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix: scurit sur onglet "interface utilisateur"

Browse Source
This commit is contained in:
Regis Houssin 2007-10-11 15:41:42 +00:00
parent 11381e8090
commit e2160b8275
1 changed files with 16 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
htdocs/user/param_ihm.php
View File

@ -33,6 +33,20 @@ $langs->load("products");
$langs->load("admin");
$langs->load("users");
// Defini si peux lire/modifier permisssions
$canreadperms=($user->admin || $user->rights->user->user->lire);
if ($_GET["id"])
{
// $user est le user qui edite, $_GET["id"] est l'id de l'utilisateur edité
$caneditfield=( (($user->id == $_GET["id"]) && $user->rights->user->self->creer)
|| (($user->id != $_GET["id"]) && $user->rights->user->user->creer) );
}
if ($user->id <> $_GET["id"] && ! $canreadperms)
{
accessforbidden();
}
$id=isset($_GET["id"])?$_GET["id"]:$_POST["id"];
$dirtop = "../includes/menus/barre_top";
$dirleft = "../includes/menus/barre_left";
@ -54,7 +68,7 @@ $html = new Form($db);
/*
* Actions
*/
if ($_POST["action"] == 'update')
if ($_POST["action"] == 'update' && $caneditfield)
{
if ($_POST["cancel"])
{
@ -197,7 +211,7 @@ else
print '</div>';
print '<div class="tabsAction">';
if (($fuser->id == $user->id) || $user->admin) // Si utilisateur édité = utilisateur courant ou admin
if ($caneditfield || $user->admin) // Si utilisateur édité = utilisateur courant ayant les droits de créer ou admin
{
print '<a class="butAction" href="'.$_SERVER["PHP_SELF"].'?action=edit&amp;id='.$_GET["id"].'">'.$langs->trans("Edit").'</a>';
}