Merge pull request #23237 from atm-gauthier/FIX_read_evaluation_of_user_and_subordinates_with_read_right

FIX : "read" right of hrm evaluations must allow to see only user eva…

htdocs/core/modules/modHRM.class.php

@@ -265,6 +265,14 @@ class modHRM extends DolibarrModules
 		$this->rights[$r][4] = 'write_personal_information';
 		$this->rights[$r][5] = 'write'; // In php code, permission will be checked by test if ($user->rights->hrm->write_personal_information->write)
 		$r++;
+
+		// Evaluation
+		$this->rights[$r][0] = 4033; // Permission id (must not be already used)
+		$this->rights[$r][1] = 'Read all evaluations'; // Permission label
+		$this->rights[$r][3] = 0; // Permission by default for new user (0/1)
+		$this->rights[$r][4] = 'evaluation';
+		$this->rights[$r][5] = 'readall'; // In php code, permission will be checked by test if ($user->rights->hrm->evaluation->read)
+		$r++;
 	}
 
 	/**

htdocs/hrm/class/evaluation.class.php

@@ -118,7 +118,7 @@ class Evaluation extends CommonObject
 		'import_key' => array('type'=>'varchar(14)', 'label'=>'ImportId', 'enabled'=>'1', 'position'=>1000, 'notnull'=>-1, 'visible'=>-2,),
 		'status' => array('type'=>'smallint', 'label'=>'Status', 'enabled'=>'1', 'position'=>1000, 'notnull'=>1, 'default'=>0, 'visible'=>5, 'index'=>1, 'arrayofkeyval'=>array('0'=>'Draft', '1'=>'Validated', '6' => 'Closed'),),
 		'date_eval' => array('type'=>'date', 'label'=>'DateEval', 'enabled'=>'1', 'position'=>502, 'notnull'=>1, 'visible'=>1,),
-		'fk_user' => array('type'=>'integer:User:user/class/user.class.php', 'label'=>'User', 'enabled'=>'1', 'position'=>504, 'notnull'=>1, 'visible'=>1,),
+		'fk_user' => array('type'=>'integer:User:user/class/user.class.php:0', 'label'=>'User', 'enabled'=>'1', 'position'=>504, 'notnull'=>1, 'visible'=>1,),
 		'fk_job' => array('type'=>'integer:Job:/hrm/class/job.class.php', 'label'=>'JobPosition', 'enabled'=>'1', 'position'=>505, 'notnull'=>1, 'visible'=>1,),
 	);
 	public $rowid;
@@ -182,7 +182,7 @@ class Evaluation extends CommonObject
 	 */
 	public function __construct(DoliDB $db)
 	{
-		global $conf, $langs;
+		global $conf, $langs, $user;
 
 		$this->db = $db;
 
@@ -193,6 +193,10 @@ class Evaluation extends CommonObject
 			$this->fields['entity']['enabled'] = 0;
 		}
 
+		if (empty($user->rights->hrm->evaluation->readall)) {
+			$this->fields['fk_user']['type'].= ':rowid IN('.$this->db->sanitize(implode(", ", $user->getAllChildIds(1))).')';
+		}
+
 		$this->date_eval = dol_now();
 
 		// Unset fields that are disabled

htdocs/hrm/evaluation_card.php

@@ -83,7 +83,7 @@ include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be includ
 // Permissions
 $permissiontoread = $user->rights->hrm->evaluation->read;
 $permissiontoadd = $user->rights->hrm->evaluation->write; // Used by the include of actions_addupdatedelete.inc.php and actions_lineupdown.inc.php
-$permissiontovalidate = $user->rights->hrm->evaluation_advance->validate;
+$permissiontovalidate = (!empty($conf->global->MAIN_USE_ADVANCED_PERMS) && $user->rights->hrm->evaluation_advance->validate) || (empty($conf->global->MAIN_USE_ADVANCED_PERMS) && $permissiontoadd);
 $permissiontoClose = $user->rights->hrm->evaluation->write;
 $permissiontodelete = $user->rights->hrm->evaluation->delete/* || ($permissiontoadd && isset($object->status) && $object->status == $object::STATUS_DRAFT)*/;
 $permissiondellink = $user->rights->hrm->evaluation->write; // Used by the include of actions_dellink.inc.php

htdocs/hrm/evaluation_list.php

@@ -133,9 +133,10 @@ $object->fields = dol_sort_array($object->fields, 'position');
 $arrayfields = dol_sort_array($arrayfields, 'position');
 
 // Permissions
-$permissiontoread   = $user->rights->hrm->evaluation->read;
-$permissiontoadd    = $user->rights->hrm->evaluation->write;
-$permissiontodelete = $user->rights->hrm->evaluation->delete;
+$permissiontoread    = $user->rights->hrm->evaluation->read;
+$permissiontoreadall = $user->rights->hrm->evaluation->readall;
+$permissiontoadd     = $user->rights->hrm->evaluation->write;
+$permissiontodelete  = $user->rights->hrm->evaluation->delete;
 
 // Security check
 if (empty($conf->hrm->enabled)) {
@@ -149,7 +150,7 @@ if ($user->socid > 0) accessforbidden();
 //$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0);
 //restrictedArea($user, $object->element, $object->id, $object->table_element, '', 'fk_soc', 'rowid', $isdraft);
 //if (empty($conf->hrm->enabled)) accessforbidden();
-//if (!$permissiontoread) accessforbidden();
+if (!$permissiontoread) accessforbidden();
 
 
 
@@ -276,6 +277,11 @@ foreach ($search as $key => $val) {
 if ($search_all) {
 	$sql .= natural_search(array_keys($fieldstosearchall), $search_all);
 }
+
+if (empty($permissiontoreadall)) {
+	$sql.= " AND t.fk_user IN(".$db->sanitize(implode(", ", $user->getAllChildIds(1))).") ";
+}
+
 //$sql.= dolSqlDateFilter("t.field", $search_xxxday, $search_xxxmonth, $search_xxxyear);
 // Add where from extra fields
 include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_list_search_sql.tpl.php';

htdocs/langs/en_US/admin.lang

@@ -974,13 +974,14 @@ Permission3301=Generate new modules
 Permission4001=Read skill/job/position
 Permission4002=Create/modify skill/job/position
 Permission4003=Delete skill/job/position
-Permission4020=Read evaluations
-Permission4021=Create/modify your evaluation
-Permission4022=Validate evaluation
-Permission4023=Delete evaluation
-Permission4030=See comparison menu
+Permission4021=Read evaluations (yours and your subordinates)
+Permission4022=Create/modify evaluations
+Permission4023=Validate evaluation
+Permission4025=Delete evaluation
+Permission4028=See comparison menu
 Permission4031=Read personal information
 Permission4032=Write personal information
+Permission4033=Read all evaluations (even those of user not subordinates)
 Permission10001=Read website content
 Permission10002=Create/modify website content (html and javascript content)
 Permission10003=Create/modify website content (dynamic php code). Dangerous, must be reserved to restricted developers.

htdocs/langs/fr_FR/admin.lang

@@ -971,13 +971,14 @@ Permission3301=Générer de nouveaux modules
 Permission4001=Lire compétence/emploi/poste
 Permission4002=Créer/modifier une compétence/un emploi/un poste
 Permission4003=Supprimer compétence/emploi/poste
-Permission4020=Lire les évaluations
-Permission4021=Créer/modifier votre évaluation
-Permission4022=Valider l'évaluation
-Permission4023=Supprimer l'évaluation
-Permission4030=Voir menu de comparaison
+Permission4021=Lire les évaluations (les vôtres et celles de vos subordonnés)
+Permission4022=Créer/modifier les évaluations
+Permission4023=Valider l'évaluation
+Permission4025=Supprimer l'évaluation
+Permission4028=Voir menu de comparaison
 Permission4031=Lire les informations personnelles
 Permission4032=Ecrire les informations personnelles
+Permission4033=Lire toutes les évaluations (même celles des utilisateurs non subordonnés)
 Permission10001=Lire le contenu du site
 Permission10002=Créer/modifier le contenu du site Web (contenu HTML et JavaScript)
 Permission10003=Créer/modifier le contenu du site Web (code php dynamique). Dangereux, doit être réservé à un nombre restreint de développeurs.