From fefb3fdde7a7785b2430624fd40eddbf99c5b412 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sun, 8 Mar 2020 18:26:41 +0100
Subject: [PATCH] Fix permissions on restricArea for external modules
---
 htdocs/core/customreports.php | 23 ++++++++++++-----------
 htdocs/core/lib/security.lib.php | 9 +++++++--
 2 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/htdocs/core/customreports.php b/htdocs/core/customreports.php
index c2df16814cf..a47fb4934de 100644
--- a/htdocs/core/customreports.php
+++ b/htdocs/core/customreports.php
@@ -85,16 +85,16 @@ $object = null;
 $ObjectClassName = '';
 // Objects available by default
 $arrayoftype = array(
- 'thirdparty' => array('label' => 'ThirdParties', 'ObjectClassName' => 'Societe', 'enabled' => $conf->societe->enabled, 'ClassPath' => DOL_DOCUMENT_ROOT."/societe/class/societe.class.php"),
- 'contact' => array('label' => 'Contacts', 'ObjectClassName' => 'Contact', 'enabled' => $conf->societe->enabled, 'ClassPath' => DOL_DOCUMENT_ROOT."/contact/class/contact.class.php"),
- 'contract' => array('label' => 'Contracts', 'ObjectClassName' => 'Contrat', 'enabled' => $conf->contrat->enabled, 'ClassPath' => DOL_DOCUMENT_ROOT."/contrat/class/contrat.class.php", 'langs'=>'contract'),
- 'invoice' => array('label' => 'Invoices', 'ObjectClassName' => 'Facture', 'enabled' => $conf->facture->enabled, 'ClassPath' => DOL_DOCUMENT_ROOT."/compta/facture/class/facture.class.php"),
- 'invoice_template'=>array('label' => 'PredefinedInvoices', 'ObjectClassName' => 'FactureRec', 'enabled' => $conf->facture->enabled, 'ClassPath' => DOL_DOCUMENT_ROOT."/compta/class/facturerec.class.php", 'langs'=>'bills'),
+ 'thirdparty' => array('label' => 'ThirdParties', 'ObjectClassName' => 'Societe', 'enabled' => $conf->societe->enabled, 'ClassPath' => "/societe/class/societe.class.php"),
+ 'contact' => array('label' => 'Contacts', 'ObjectClassName' => 'Contact', 'enabled' => $conf->societe->enabled, 'ClassPath' => "/contact/class/contact.class.php"),
+ 'contract' => array('label' => 'Contracts', 'ObjectClassName' => 'Contrat', 'enabled' => $conf->contrat->enabled, 'ClassPath' => "/contrat/class/contrat.class.php", 'langs'=>'contract'),
+ 'invoice' => array('label' => 'Invoices', 'ObjectClassName' => 'Facture', 'enabled' => $conf->facture->enabled, 'ClassPath' => "/compta/facture/class/facture.class.php"),
+ 'invoice_template'=>array('label' => 'PredefinedInvoices', 'ObjectClassName' => 'FactureRec', 'enabled' => $conf->facture->enabled, 'ClassPath' => "/compta/class/facturerec.class.php", 
 'langs'=>'bills'),
 'bom' => array('label' => 'BOM', 'ObjectClassName' => 'Bom', 'enabled' => $conf->bom->enabled),
- 'mo' => array('label' => 'MO', 'ObjectClassName' => 'Mo', 'enabled' => $conf->mrp->enabled, 'ClassPath' => DOL_DOCUMENT_ROOT."/mrp/class/mo.class.php"),
+ 'mo' => array('label' => 'MO', 'ObjectClassName' => 'Mo', 'enabled' => $conf->mrp->enabled, 'ClassPath' => "/mrp/class/mo.class.php"),
 'ticket' => array('label' => 'Ticket', 'ObjectClassName' => 'Ticket', 'enabled' => $conf->ticket->enabled),
- 'member' => array('label' => 'Adherent', 'ObjectClassName' => 'Adherent', 'enabled' => $conf->adherent->enabled, 'ClassPath' => DOL_DOCUMENT_ROOT."/adherents/class/adherent.class.php", 'langs'=>'members'),
- 'cotisation' => array('label' => 'Subscriptions', 'ObjectClassName' => 'Subscription', 'enabled' => $conf->adherent->enabled, 'ClassPath' => DOL_DOCUMENT_ROOT."/adherents/class/subscription.class.php", 'langs'=>'members'),
+ 'member' => array('label' => 'Adherent', 'ObjectClassName' => 'Adherent', 'enabled' => $conf->adherent->enabled, 'ClassPath' => "/adherents/class/adherent.class.php", 'langs'=>'members'),
+ 'cotisation' => array('label' => 'Subscriptions', 'ObjectClassName' => 'Subscription', 'enabled' => $conf->adherent->enabled, 'ClassPath' => "/adherents/class/subscription.class.php", 'langs'=>'members'),
 );
 // Complete $arrayoftype by external modules
@@ -120,10 +120,10 @@ elseif (is_array($hookmanager->resArray)) {
 if ($objecttype) {
 try {
- if ($arrayoftype[$objecttype]['ClassPath']) {
- include_once $arrayoftype[$objecttype]['ClassPath'];
+ if (! empty($arrayoftype[$objecttype]['ClassPath'])) {
+ dol_include_once($arrayoftype[$objecttype]['ClassPath']);
 } else {
- include_once DOL_DOCUMENT_ROOT."/".$objecttype."/class/".$objecttype.".class.php";
+ dol_include_once("/".$objecttype."/class/".$objecttype.".class.php");
 }
 $ObjectClassName = $arrayoftype[$objecttype]['ObjectClassName'];
 $object = new $ObjectClassName($db);
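Review bot: The `ClassPath` values are now relative, but nothing on the `$arrayoftype` table says what they are relative to or how they are resolved, so a maintainer adding an entry (or the hook that completes the table right below) has to find the include code further down to learn it. A comment on the array such as `// ClassPath is relative and is loaded through dol_include_once(); entries without one fall back to /<type>/class/<type>.class.php` would make the contract explicit. The `bom` and `ticket` entries rely on that fallback, which is only visible in the include block of the next hunk.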
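Review bot: In the `else` branch the include path is built straight from `$objecttype`, and the only guard is on `ClassPath`, not on `$objecttype` being a key of `$arrayoftype`; a value that is not in the table (its origin is outside the hunk) reaches `dol_include_once()` unvalidated and then `new $ObjectClassName` with an unset class name. Check membership before the include, e.g. `if (!isset($arrayoftype[$objecttype])) accessforbidden();` ahead of the `try`, so only declared object types can be loaded and instantiated. The enclosing `if ($objecttype)` / `try` block continues outside the hunk.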
@@ -140,6 +140,7 @@ if ($user->socid > 0) // Protection if external user
 //$socid = $user->socid;
 accessforbidden();
 }
+ $result = restrictedArea($user, $object->element, 0, '');
 // Fetch optionals attributes and labels
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index f4415b7aed5..83cf576f0bb 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -196,8 +196,13 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
 // Get more permissions checks from hooks
 $parameters = array('features'=>$features, 'objectid'=>$objectid, 'idtype'=>$dbt_select);
 $reshook = $hookmanager->executeHooks('restrictedArea', $parameters);
- if (!empty($hookmanager->resArray['result'])) return true;
- if ($reshook > 0) return false;
+
+ if (isset($hookmanager->resArray['result'])) {
+ if ($hookmanager->resArray['result'] == 0) accessforbidden(); // Module returns 0, so access forbidden
+ }
+ if ($reshook > 0) { // No other test done.
+ return 1;
+ }
 if ($dbt_select != 'rowid' && $dbt_select != 'id') $objectid = "'".$objectid."'";
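Review bot: `$object->element` is dereferenced unconditionally, yet `$object` starts as `null` (first hunk) and is only constructed inside `if ($objecttype)` (second hunk), so opening the page without an object type passes a property read on null as `$features`. Make the no-type case explicit instead of relying on that, e.g. `if (is_object($object)) { restrictedArea($user, $object->element, 0, ''); }` or a fixed feature name when no type is selected. `$result` is never read in the hunk, and the check runs only after the class has already been included and instantiated; the surrounding code continues outside the hunk.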
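Review bot: The new `if ($reshook > 0) return 1;` grants access whenever a hook returns a positive code, even when no hook set `resArray['result']`; the removed line returned false in that case, so a hook that reports a positive code for any other reason now skips every standard feature check below, a fail-open default in a permission function. If a positive return is meant to grant only when a hook actually decided, bind the early return to the explicit result, `if (isset($hookmanager->resArray['result']) && $reshook > 0) return 1;`, and state that contract in the function's docblock (the docblock and the rest of `restrictedArea` are outside the hunk). The `== 0` comparison is loose, so an empty or non-numeric string result is also treated as forbidden; `empty($hookmanager->resArray['result'])` inside the `isset` block says that intent plainly.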