Fix missing security check on payment

Laurent Destailleur 2023-01-03 19:16:38 +01:00
parent 6580aa056a
commit e67c37f3ba
2 changed files with 13 additions and 4 deletions


@ -46,8 +46,6 @@ $confirm = GETPOST('confirm', 'aZ09');
if ($user->socid) {
$socid = $user->socid;
}
// TODO ajouter regle pour restreindre acces paiement
//$result = restrictedArea($user, 'facture', $id,'');
$object = new PaymentSocialContribution($db);
if ($id > 0) {
@ -57,6 +55,8 @@ if ($id > 0) {
}
}
$result = restrictedArea($user, 'payment_sc', $id, '');
/*
* Actions
@ -77,7 +77,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes' && $user->hasRight('tax', '
}
}
if ($action == 'setdatep' && GETPOST('datepday') && $user->hasRight('tax', 'charges', 'creer')) {
/*if ($action == 'setdatep' && GETPOST('datepday') && $user->hasRight('tax', 'charges', 'creer')) {
$datepaye = dol_mktime(GETPOST('datephour', 'int'), GETPOST('datepmin', 'int'), GETPOST('datepsec', 'int'), GETPOST('datepmonth', 'int'), GETPOST('datepday', 'int'), GETPOST('datepyear', 'int'));
$res = $object->update_date($datepaye);
if ($res === 0) {
@ -85,7 +85,7 @@ if ($action == 'setdatep' && GETPOST('datepday') && $user->hasRight('tax', 'char
} else {
setEventMessages($langs->trans('PaymentDateUpdateFailed'), null, 'errors');
}
}
}*/
/*
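Review bot: The new `restrictedArea($user, 'payment_sc', $id, '')` call passes an empty `$tableandshare`, so nothing in this section tells the helper which table holds the payment row, and the `payment_sc` branches added in the second file only test the `tax->charges` rights. Whether a per-record check (entity, or the `$user->socid` restriction set just above) is applied to the requested payment therefore depends on code outside these hunks. I would confirm that and record it next to the call, for example `// TODO confirm restrictedArea() applies entity/third-party scoping for payment_sc when $tableandshare is empty`. Separately, the `setdatep` action is disabled by wrapping it in `/* … */` with no explanation; deleting the block, or adding one line saying why the date update was withdrawn, would avoid leaving ambiguous dead code in a security fix.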


@ -466,6 +466,11 @@ function restrictedArea(User $user, $features, $object = 0, $tableandshare = '',
$readok = 0;
$nbko++;
}
} elseif ($feature == 'payment_sc') {
if (empty($user->rights->tax->charges->lire)) {
$readok = 0;
$nbko++;
}
} elseif (!empty($feature2)) { // This is for permissions on 2 levels
$tmpreadok = 1;
foreach ($feature2 as $subfeature) {
@ -648,6 +653,10 @@ function restrictedArea(User $user, $features, $object = 0, $tableandshare = '',
if (!$user->rights->facture->paiement) {
$deleteok = 0;
}
} elseif ($feature == 'payment_sc') {
if (!$user->rights->tax->charges->creer) {
$deleteok = 0;
}
} elseif ($feature == 'banque') {
if (empty($user->rights->banque->modifier)) {
$deleteok = 0;
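Review bot: The added delete branch for `payment_sc` reads `$user->rights->tax->charges->creer` with a bare `!`, while the read branch added in the earlier hunk and the neighbouring `banque` branch use `empty()`, and the card page in this commit uses `$user->hasRight(...)`. If the `tax` rights object is not populated, the bare read can raise a PHP notice or warning before denying, so it still fails closed but is inconsistent; `if (!$user->hasRight('tax', 'charges', 'creer')) {` or `if (empty($user->rights->tax->charges->creer)) {` would match the surrounding code. Deletion is gated on `creer` here, and the card page's own `confirm_delete` condition is truncated in its hunk header, so it is worth checking that both places name the same right. No `payment_sc` branch for the create/write check appears in these hunks; the body of restrictedArea continues outside them, so whether a generic fallback covers that case cannot be seen from here.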