lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix permissions on restricArea for external modules

Browse Source
This commit is contained in:
Laurent Destailleur 2020-03-08 18:26:41 +01:00
parent 42d417d5d5
commit fefb3fdde7
2 changed files with 19 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
htdocs/core/customreports.php
View File

@ -85,16 +85,16 @@ $object = null;
$ObjectClassName = '';
// Objects available by default
$arrayoftype = array(
'thirdparty' => array('label' => 'ThirdParties', 'ObjectClassName' => 'Societe', 'enabled' => $conf->societe->enabled, 'ClassPath' => DOL_DOCUMENT_ROOT."/societe/class/societe.class.php"),
'contact' => array('label' => 'Contacts', 'ObjectClassName' => 'Contact', 'enabled' => $conf->societe->enabled, 'ClassPath' => DOL_DOCUMENT_ROOT."/contact/class/contact.class.php"),
'contract' => array('label' => 'Contracts', 'ObjectClassName' => 'Contrat', 'enabled' => $conf->contrat->enabled, 'ClassPath' => DOL_DOCUMENT_ROOT."/contrat/class/contrat.class.php", 'langs'=>'contract'),
'invoice' => array('label' => 'Invoices', 'ObjectClassName' => 'Facture', 'enabled' => $conf->facture->enabled, 'ClassPath' => DOL_DOCUMENT_ROOT."/compta/facture/class/facture.class.php"),
'invoice_template'=>array('label' => 'PredefinedInvoices', 'ObjectClassName' => 'FactureRec', 'enabled' => $conf->facture->enabled, 'ClassPath' => DOL_DOCUMENT_ROOT."/compta/class/facturerec.class.php", 'langs'=>'bills'),
'thirdparty' => array('label' => 'ThirdParties', 'ObjectClassName' => 'Societe', 'enabled' => $conf->societe->enabled, 'ClassPath' => "/societe/class/societe.class.php"),
'contact' => array('label' => 'Contacts', 'ObjectClassName' => 'Contact', 'enabled' => $conf->societe->enabled, 'ClassPath' => "/contact/class/contact.class.php"),
'contract' => array('label' => 'Contracts', 'ObjectClassName' => 'Contrat', 'enabled' => $conf->contrat->enabled, 'ClassPath' => "/contrat/class/contrat.class.php", 'langs'=>'contract'),
'invoice' => array('label' => 'Invoices', 'ObjectClassName' => 'Facture', 'enabled' => $conf->facture->enabled, 'ClassPath' => "/compta/facture/class/facture.class.php"),
'invoice_template'=>array('label' => 'PredefinedInvoices', 'ObjectClassName' => 'FactureRec', 'enabled' => $conf->facture->enabled, 'ClassPath' => "/compta/class/facturerec.class.php", 'langs'=>'bills'),
'bom' => array('label' => 'BOM', 'ObjectClassName' => 'Bom', 'enabled' => $conf->bom->enabled),
'mo' => array('label' => 'MO', 'ObjectClassName' => 'Mo', 'enabled' => $conf->mrp->enabled, 'ClassPath' => DOL_DOCUMENT_ROOT."/mrp/class/mo.class.php"),
'mo' => array('label' => 'MO', 'ObjectClassName' => 'Mo', 'enabled' => $conf->mrp->enabled, 'ClassPath' => "/mrp/class/mo.class.php"),
'ticket' => array('label' => 'Ticket', 'ObjectClassName' => 'Ticket', 'enabled' => $conf->ticket->enabled),
'member' => array('label' => 'Adherent', 'ObjectClassName' => 'Adherent', 'enabled' => $conf->adherent->enabled, 'ClassPath' => DOL_DOCUMENT_ROOT."/adherents/class/adherent.class.php", 'langs'=>'members'),
'cotisation' => array('label' => 'Subscriptions', 'ObjectClassName' => 'Subscription', 'enabled' => $conf->adherent->enabled, 'ClassPath' => DOL_DOCUMENT_ROOT."/adherents/class/subscription.class.php", 'langs'=>'members'),
'member' => array('label' => 'Adherent', 'ObjectClassName' => 'Adherent', 'enabled' => $conf->adherent->enabled, 'ClassPath' => "/adherents/class/adherent.class.php", 'langs'=>'members'),
'cotisation' => array('label' => 'Subscriptions', 'ObjectClassName' => 'Subscription', 'enabled' => $conf->adherent->enabled, 'ClassPath' => "/adherents/class/subscription.class.php", 'langs'=>'members'),
);
// Complete $arrayoftype by external modules
@ -120,10 +120,10 @@ elseif (is_array($hookmanager->resArray)) {
if ($objecttype) {
try {
if ($arrayoftype[$objecttype]['ClassPath']) {
include_once $arrayoftype[$objecttype]['ClassPath'];
if (! empty($arrayoftype[$objecttype]['ClassPath'])) {
dol_include_once($arrayoftype[$objecttype]['ClassPath']);
} else {
include_once DOL_DOCUMENT_ROOT."/".$objecttype."/class/".$objecttype.".class.php";
dol_include_once("/".$objecttype."/class/".$objecttype.".class.php");
}
$ObjectClassName = $arrayoftype[$objecttype]['ObjectClassName'];
$object = new $ObjectClassName($db);
@ -140,6 +140,7 @@ if ($user->socid > 0) // Protection if external user
//$socid = $user->socid;
accessforbidden();
}
$result = restrictedArea($user, $object->element, 0, '');
// Fetch optionals attributes and labels

9
htdocs/core/lib/security.lib.php
View File

@ -196,8 +196,13 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
// Get more permissions checks from hooks
$parameters = array('features'=>$features, 'objectid'=>$objectid, 'idtype'=>$dbt_select);
$reshook = $hookmanager->executeHooks('restrictedArea', $parameters);
if (!empty($hookmanager->resArray['result'])) return true;
if ($reshook > 0) return false;
if (isset($hookmanager->resArray['result'])) {
if ($hookmanager->resArray['result'] == 0) accessforbidden(); // Module returns 0, so access forbidden
}
if ($reshook > 0) { // No other test done.
return 1;
}
if ($dbt_select != 'rowid' && $dbt_select != 'id') $objectid = "'".$objectid."'";