lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix #yogosha15050

Browse Source
This commit is contained in:
Laurent Destailleur 2023-02-25 16:36:48 +01:00
parent e0cf29b122
commit ed9db6c9dd
1 changed files with 54 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

101
htdocs/user/card.php
View File

@ -63,6 +63,9 @@ if (isModEnabled('stock')) {
require_once DOL_DOCUMENT_ROOT.'/product/class/html.formproduct.class.php';
}
// Load translation files required by page
$langs->loadLangs(array('users', 'companies', 'ldap', 'admin', 'hrm', 'stocks', 'other'));
$id = GETPOST('id', 'int');
$action = GETPOST('action', 'aZ09');
$mode = GETPOST('mode', 'alpha');
@ -77,42 +80,8 @@ $datestartvalidity = dol_mktime(0, 0, 0, GETPOST('datestartvaliditymonth', 'int'
$dateendvalidity = dol_mktime(0, 0, 0, GETPOST('dateendvaliditymonth', 'int'), GETPOST('dateendvalidityday', 'int'), GETPOST('dateendvalidityyear', 'int'));
$dateofbirth = dol_mktime(0, 0, 0, GETPOST('dateofbirthmonth', 'int'), GETPOST('dateofbirthday', 'int'), GETPOST('dateofbirthyear', 'int'));
// Define value to know what current user can do on users
$canadduser = (!empty($user->admin) || $user->hasRight("user", "user", "write"));
$canreaduser = (!empty($user->admin) || $user->hasRight("user", "user", "read"));
$canedituser = (!empty($user->admin) || $user->hasRight("user", "user", "write"));
$candisableuser = (!empty($user->admin) || $user->hasRight("user", "user", "delete"));
$canreadgroup = $canreaduser;
$caneditgroup = $canedituser;
if (!empty($conf->global->MAIN_USE_ADVANCED_PERMS)) {
$canreadgroup = (!empty($user->admin) || $user->hasRight("user", "group_advance", "read"));
$caneditgroup = (!empty($user->admin) || $user->hasRight("user", "group_advance", "write"));
}
$childids = $user->getAllChildIds(1); // For later, test on salary visibility
// Define value to know what current user can do on properties of edited user
if ($id > 0) {
// $user is the current logged user, $id is the user we want to edit
$caneditfield = ((($user->id == $id) && $user->hasRight("user", "self", "write")) || (($user->id != $id) && $user->hasRight("user", "user", "write")));
$caneditpassword = ((($user->id == $id) && $user->hasRight("user", "self", "password")) || (($user->id != $id) && $user->hasRight("user", "user", "password")));
}
// Security check
$socid = 0;
if ($user->socid > 0) {
$socid = $user->socid;
}
$feature2 = 'user';
$result = restrictedArea($user, 'user', $id, 'user', $feature2);
if ($user->id != $id && !$canreaduser) {
accessforbidden();
}
// Load translation files required by page
$langs->loadLangs(array('users', 'companies', 'ldap', 'admin', 'hrm', 'stocks', 'other'));
$object = new User($db);
$extrafields = new ExtraFields($db);
@ -129,6 +98,38 @@ $error = 0;
$acceptlocallinktomedia = (acceptLocalLinktoMedia() > 0 ? 1 : 0);
// Security check
$socid = 0;
if ($user->socid > 0) {
$socid = $user->socid;
}
$feature2 = 'user';
$result = restrictedArea($user, 'user', $id, 'user', $feature2);
// Define value to know what current user can do on users
$canadduser = (!empty($user->admin) || $user->hasRight("user", "user", "write"));
$canreaduser = (!empty($user->admin) || $user->hasRight("user", "user", "read"));
$canedituser = (!empty($user->admin) || $user->hasRight("user", "user", "write")); // edit other user
$candisableuser = (!empty($user->admin) || $user->hasRight("user", "user", "delete"));
$canreadgroup = $canreaduser;
$caneditgroup = $canedituser;
if (!empty($conf->global->MAIN_USE_ADVANCED_PERMS)) {
$canreadgroup = (!empty($user->admin) || $user->hasRight("user", "group_advance", "read"));
$caneditgroup = (!empty($user->admin) || $user->hasRight("user", "group_advance", "write"));
}
if ($user->id != $id && !$canreaduser) {
accessforbidden();
}
// Define value to know what current user can do on properties of edited user
if ($id > 0) {
// $user is the current logged user, $id is the user we want to edit
$canedituser = (($user->id == $id) && $user->hasRight("user", "self", "write")); // can edit myself
$caneditfield = ((($user->id == $id) && $user->hasRight("user", "self", "write")) || (($user->id != $id) && $user->hasRight("user", "user", "write")));
$caneditpassword = ((($user->id == $id) && $user->hasRight("user", "self", "password")) || (($user->id != $id) && $user->hasRight("user", "user", "password")));
}
/**
* Actions
@ -390,7 +391,7 @@ if (empty($reshook)) {
}
}
if ($action == 'update' && !$cancel) {
if ($action == 'update' && $canedituser) {
require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
if ($caneditfield) { // Case we can edit all field
@ -430,8 +431,12 @@ if (empty($reshook)) {
$object->national_registration_number = GETPOST("national_registration_number", 'alphanohtml');
}
$object->gender = GETPOST("gender", 'aZ09');
$object->pass = GETPOST("password", 'none'); // We can keep 'none' for password fields
$object->api_key = (GETPOST("api_key", 'alphanohtml')) ? GETPOST("api_key", 'alphanohtml') : $object->api_key;
if ($caneditpassword) {
$object->pass = GETPOST("password", 'none'); // We can keep 'none' for password fields
}
if ($caneditpassword || $user->hasRight("api", "apikey", "generate")) {
$object->api_key = (GETPOST("api_key", 'alphanohtml')) ? GETPOST("api_key", 'alphanohtml') : $object->api_key;
}
if (!empty($user->admin)) { // admin flag can only be set/unset by an admin user. A test is also done later when forging sql request
$object->admin = GETPOST("admin", "int");
}
@ -2074,7 +2079,7 @@ if ($action == 'create' || $action == 'adduserldap') {
print "</td></tr>\n";
}
} else {
print '<tr class="oddeven"><td colspan="3" class="opacitymedium">'.$langs->trans("None").'</td></tr>';
print '<tr class="oddeven"><td colspan="3"><span class="opacitymedium">'.$langs->trans("None").'</span></td></tr>';
}
print "</table>";
@ -2091,7 +2096,7 @@ if ($action == 'create' || $action == 'adduserldap') {
/*
* Card in edit mode
*/
if ($action == 'edit' && ($canedituser || $caneditfield || $caneditpassword || ($user->id == $object->id))) {
if ($action == 'edit' && ($canedituser || $caneditpassword)) {
print '<form action="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'" method="POST" name="updateuser" enctype="multipart/form-data">';
print '<input type="hidden" name="token" value="'.newToken().'">';
print '<input type="hidden" name="action" value="update">';
@ -2417,12 +2422,14 @@ if ($action == 'create' || $action == 'adduserldap') {
print "</td></tr>\n";
// API key
if (!empty($conf->api->enabled) && ($user->id == $id || $user->admin || $user->hasRight("api", "apikey", "generate"))) {
if (isModEnabled('api')) {
print '<tr><td>'.$langs->trans("ApiKey").'</td>';
print '<td>';
print '<input class="minwidth300" maxsize="32" type="text" id="api_key" name="api_key" value="'.$object->api_key.'" autocomplete="off">';
if (!empty($conf->use_javascript_ajax)) {
print '&nbsp;'.img_picto($langs->trans('Generate'), 'refresh', 'id="generate_api_key" class="linkobject"');
if ($caneditpassword || $user->hasRight("api", "apikey", "generate")) {
print '<input class="minwidth300" maxsize="32" type="text" id="api_key" name="api_key" value="'.$object->api_key.'" autocomplete="off">';
if (!empty($conf->use_javascript_ajax)) {
print '&nbsp;'.img_picto($langs->trans('Generate'), 'refresh', 'id="generate_api_key" class="linkobject"');
}
}
print '</td></tr>';
}
@ -2879,10 +2886,10 @@ if ($action == 'create' || $action == 'adduserldap') {
}
}
if (!empty($conf->api->enabled)) {
// Add button to autosuggest a key
include_once DOL_DOCUMENT_ROOT.'/core/lib/security2.lib.php';
print dolJSToSetRandomPassword('password', 'generate_password', 0);
// Add button to autosuggest a key
include_once DOL_DOCUMENT_ROOT.'/core/lib/security2.lib.php';
print dolJSToSetRandomPassword('password', 'generate_password', 0);
if (isModEnabled('api')) {
print dolJSToSetRandomPassword('api_key', 'generate_api_key', 1);
}