diff --git a/htdocs/core/ajax/security.php b/htdocs/core/ajax/security.php index 7abf96879e58f..7c65176a28bb3 100644 --- a/htdocs/core/ajax/security.php +++ b/htdocs/core/ajax/security.php @@ -41,7 +41,7 @@ define('NOREQUIRETRAN', '1'); }*/ -// Load Dolibarr environment +// Load Dolibarr environment and check user is logged. require '../../main.inc.php'; $action = GETPOST('action'); @@ -50,18 +50,24 @@ // None. This is public component with no access and effect on data. +/* + * Action + */ + +// None + + /* * View */ -//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header. top_httphead(); //print ''."\n"; // Return a new generated password if ($action) { - if ($action == 'getrandompassword') { + if ($action == 'getrandompassword') { // Test on permission not required here. Endpoint can be called by anu logged user. require_once DOL_DOCUMENT_ROOT.'/core/lib/security2.lib.php'; $generic = GETPOST('generic') ? true : false; echo getRandomPassword($generic); diff --git a/htdocs/ecm/index_auto.php b/htdocs/ecm/index_auto.php index 881fe61dae43e..5d76d4a8d7fc2 100644 --- a/htdocs/ecm/index_auto.php +++ b/htdocs/ecm/index_auto.php @@ -93,6 +93,7 @@ $result = restrictedArea($user, 'ecm', 0); + /* * Actions */ @@ -102,9 +103,6 @@ $search_doc_ref = ''; } - - - // Add directory if ($action == 'add' && $user->hasRight('ecm', 'setup')) { $ecmdir->ref = 'NOTUSEDYET'; @@ -124,7 +122,7 @@ } // Remove file -if ($action == 'confirm_deletefile') { +if ($action == 'confirm_deletefile' && $user->hasRight('ecm', 'upload')) { if (GETPOST('confirm') == 'yes') { $langs->load("other"); if ($section) { @@ -155,7 +153,7 @@ } // Remove directory -if ($action == 'confirm_deletesection' && GETPOST('confirm') == 'yes') { +if ($action == 'confirm_deletesection' && GETPOST('confirm') == 'yes' && $user->hasRight('ecm', 'setup')) { $result = $ecmdir->delete($user); setEventMessages($langs->trans("ECMSectionWasRemoved", $ecmdir->label), null, 'mesgs'); 
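Review bot: The comment added to the `getrandompassword` branch in the `@@ -50` hunk of security.php misspells "any" as "anu"; suggest `if ($action == 'getrandompassword') { // Test on permission not required here. Endpoint can be called by any logged user.`. Because the response body is a freshly generated password, it is also worth confirming that `top_httphead()` already emits a no-cache header (the hunk does not show it); if it does not, sending `Cache-Control: no-store` before the `echo` keeps the value out of intermediary caches. The `if ($action)` block continues outside the hunk.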
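Review bot: The new gates on `confirm_deletefile` (`@@ -124`), `confirm_deletesection` (`@@ -155`) and `refreshmanual` (`@@ -165`, next line) in ecm/index_auto.php spell out `$user->hasRight('ecm', ...)` inline, whereas the other files in this commit collect the rights once into `$permissiontoadd`-style variables. Defining `$permissiontoupload = $user->hasRight('ecm', 'upload');` and `$permissiontosetup = $user->hasRight('ecm', 'setup');` next to the `restrictedArea()` call and using them in the three conditions would keep the ECM page consistent and make the right-to-action mapping reviewable in one place. File deletion is tied to the 'upload' right; if that mapping is intended, a one-line comment such as `// ECM has no dedicated delete right: deleting a file is allowed to users who may upload` would document the choice. The bodies of these branches continue outside the hunks.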
@@ -165,7 +163,7 @@ // Refresh directory view // This refresh list of dirs, not list of files (for performance reason). List of files is refresh only if dir was not synchronized. // To refresh content of dir with cache, just open the dir in edit mode. -if ($action == 'refreshmanual') { +if ($action == 'refreshmanual' && $user->hasRight('ecm', 'read')) { $ecmdirtmp = new EcmDirectory($db); // This part of code is same than into file ecm/ajax/ecmdatabase.php TODO Remove duplicate diff --git a/htdocs/expensereport/card.php b/htdocs/expensereport/card.php index ac16d2a69a1ee..24bf8790ca28f 100644 --- a/htdocs/expensereport/card.php +++ b/htdocs/expensereport/card.php @@ -206,7 +206,7 @@ include DOL_DOCUMENT_ROOT.'/core/actions_linkedfiles.inc.php'; if (!empty(GETPOST('sendit', 'alpha'))) { // If we just submit a file - if ($action == 'updateline') { + if ($action == 'updateline') { // Test on permission not required here $action = 'editline'; // To avoid to make the updateline now } else { $action = ''; // To avoid to make the addline now @@ -220,7 +220,7 @@ include DOL_DOCUMENT_ROOT.'/core/actions_lineupdown.inc.php'; // Must be 'include', not 'include_once' // Action clone object - if ($action == 'confirm_clone' && $confirm == 'yes' && $user->hasRight('expensereport', 'creer')) { + if ($action == 'confirm_clone' && $confirm == 'yes' && $permissiontoadd) { if (1 == 0 && !GETPOST('clone_content', 'alpha') && !GETPOST('clone_receivers', 'alpha')) { setEventMessages($langs->trans("NoCloneOptionsSpecified"), null, 'errors'); } else { @@ -253,7 +253,7 @@ } } - if ($action == 'add' && $user->hasRight('expensereport', 'creer')) { + if ($action == 'add' && $permissiontoadd) { $error = 0; $object = new ExpenseReport($db); 
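Review bot: `$permissiontoadd` replaces `$user->hasRight('expensereport', 'creer')` in the `@@ -220` hunk of expensereport/card.php and again in the `@@ -253`, `@@ -327`, `@@ -352`, `@@ -375`, `@@ -492` and `@@ -1285` hunks, but no hunk of this file defines it, unlike fichinter/card.php where the commit adds the assignment explicitly. If the variable is not already assigned earlier in expensereport/card.php, every gated action silently becomes unreachable (an undefined variable is falsy), which fails closed but breaks the page; please confirm, or add `$permissiontoadd = $user->hasRight('expensereport', 'creer');` next to the file's other permission variables. The enclosing `if` block starts outside the hunk.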
@@ -327,7 +327,7 @@ } } - if (($action == 'update' || $action == 'updateFromRefuse') && $user->hasRight('expensereport', 'creer')) { + if (($action == 'update' || $action == 'updateFromRefuse') && $permissiontoadd) { $object = new ExpenseReport($db); $object->fetch($id); @@ -352,7 +352,7 @@ } } - if ($action == 'update_extras' && $user->hasRight('expensereport', 'creer')) { + if ($action == 'update_extras' && $permissiontoadd) { $object->oldcopy = dol_clone($object, 2); // Fill array 'array_options' with data from update form @@ -375,7 +375,7 @@ } } - if ($action == "confirm_validate" && GETPOST("confirm", 'alpha') == "yes" && $id > 0 && $user->hasRight('expensereport', 'creer')) { + if ($action == "confirm_validate" && GETPOST("confirm", 'alpha') == "yes" && $id > 0 && $permissiontoadd) { $error = 0; $db->begin(); @@ -492,7 +492,7 @@ } } - if ($action == "confirm_save_from_refuse" && GETPOST("confirm", 'alpha') == "yes" && $id > 0 && $user->hasRight('expensereport', 'creer')) { + if ($action == "confirm_save_from_refuse" && GETPOST("confirm", 'alpha') == "yes" && $id > 0 && $permissiontoadd) { $object = new ExpenseReport($db); $object->fetch($id); $result = $object->set_save_from_refuse($user); @@ -1285,7 +1285,7 @@ } } - if ($action == "updateline" && $user->hasRight('expensereport', 'creer')) { + if ($action == "updateline" && $permissiontoadd) { $object = new ExpenseReport($db); $object->fetch($id); diff --git a/htdocs/fichinter/card.php b/htdocs/fichinter/card.php index b275bb9b93d5e..a35c46e1a8ecd 100644 --- a/htdocs/fichinter/card.php +++ b/htdocs/fichinter/card.php 
@@ -111,6 +111,7 @@ $permissionnote = $user->hasRight('ficheinter', 'creer'); // Used by the include of actions_setnotes.inc.php $permissiondellink = $user->hasRight('ficheinter', 'creer'); // Used by the include of actions_dellink.inc.php $permissiontodelete = (($object->statut == Fichinter::STATUS_DRAFT && $user->hasRight('ficheinter', 'creer')) || $user->hasRight('ficheinter', 'supprimer')); +$permissiontoadd = $user->hasRight('ficheinter', 'creer'); $usercancreate = $user->hasRight('ficheinter', 'creer'); @@ -154,7 +155,7 @@ include DOL_DOCUMENT_ROOT.'/core/actions_dellink.inc.php'; // Must be 'include', not 'include_once' // Action clone object - if ($action == 'confirm_clone' && $confirm == 'yes' && $user->hasRight('ficheinter', 'creer')) { + if ($action == 'confirm_clone' && $confirm == 'yes' && $permissiontoadd) { if (1 == 0 && !GETPOST('clone_content') && !GETPOST('clone_receivers')) { setEventMessages($langs->trans("NoCloneOptionsSpecified"), null, 'errors'); } else { @@ -175,7 +176,7 @@ } } - if ($action == 'confirm_validate' && $confirm == 'yes' && $user->hasRight('ficheinter', 'creer')) { + if ($action == 'confirm_validate' && $confirm == 'yes' && $permissiontoadd) { $result = $object->setValid($user); if ($result >= 0) { @@ -201,7 +202,7 @@ } else { $mesg = $object->error; } - } elseif ($action == 'confirm_sign' && $confirm == 'yes' && $user->hasRight('ficheinter', 'creer')) { + } elseif ($action == 'confirm_sign' && $confirm == 'yes' && $permissiontoadd) { $result = $object->setSignedStatus($user, GETPOSTINT('signed_status'), 0, 'FICHINTER_MODIFY'); if ($result >= 0) { if (!getDolGlobalString('MAIN_DISABLE_PDF_AUTOUPDATE')) { 
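Review bot: The added `$permissiontoadd = $user->hasRight('ficheinter', 'creer');` in the `@@ -111` hunk of fichinter/card.php computes the same right as the `$usercancreate` assignment on the very next line, and the `@@ -799` hunk still shows a second `$permissiontoadd = $user->hasRight('ficheinter', 'creer');` as a context line before the actions_builddoc include, so one right is evaluated three times under two names. Consider `$permissiontoadd = $usercancreate;` here and dropping the later reassignment, provided nothing between the two assignments overwrites the variable, so a future change to the right needs a single edit. The `$permissiontodelete` line above reads `$object->statut`, which presumably requires `$object` to be fetched earlier in the file.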
@@ -226,7 +227,7 @@ } else { $mesg = $object->error; } - } elseif ($action == 'confirm_unsign' && $confirm == 'yes' && $user->hasRight('ficheinter', 'creer')) { + } elseif ($action == 'confirm_unsign' && $confirm == 'yes' && $permissiontoadd) { $result = $object->setSignedStatus($user, $object::SIGNED_STATUSES['STATUS_NO_SIGNATURE'], 0, 'FICHINTER_MODIFY'); if ($result >= 0) { if (!getDolGlobalString('MAIN_DISABLE_PDF_AUTOUPDATE')) { @@ -251,7 +252,7 @@ } else { $mesg = $object->error; } - } elseif ($action == 'confirm_modify' && $confirm == 'yes' && $user->hasRight('ficheinter', 'creer')) { + } elseif ($action == 'confirm_modify' && $confirm == 'yes' && $permissiontoadd) { $result = $object->setDraft($user); if ($result >= 0) { if (!getDolGlobalString('MAIN_DISABLE_PDF_AUTOUPDATE')) { @@ -276,7 +277,7 @@ } else { $mesg = $object->error; } - } elseif ($action == 'confirm_done' && $confirm == 'yes' && $user->hasRight('ficheinter', 'creer')) { + } elseif ($action == 'confirm_done' && $confirm == 'yes' && $permissiontoadd) { $result = $object->setClose($user); if ($result >= 0) { @@ -302,7 +303,7 @@ } else { $mesg = $object->error; } - } elseif ($action == 'add' && $user->hasRight('ficheinter', 'creer')) { + } elseif ($action == 'add' && $permissiontoadd) { $selectedLines = GETPOST('toselect', 'array'); $object->socid = $socid; $object->duration = GETPOSTINT('duration'); @@ -522,7 +523,7 @@ $action = 'create'; $error++; } - } elseif ($action == 'update' && $user->hasRight('ficheinter', 'creer')) { + } elseif ($action == 'update' && $permissiontoadd) { $object->socid = $socid; $object->fk_project = GETPOSTINT('projectid'); $object->fk_contrat = GETPOSTINT('contratid'); 
@@ -535,19 +536,19 @@ if ($result < 0) { setEventMessages($object->error, $object->errors, 'errors'); } - } elseif ($action == 'classin' && $user->hasRight('ficheinter', 'creer')) { + } elseif ($action == 'classin' && $permissiontoadd) { // Set into a project $result = $object->setProject(GETPOSTINT('projectid')); if ($result < 0) { dol_print_error($db, $object->error); } - } elseif ($action == 'setcontract' && $user->hasRight('contrat', 'creer')) { + } elseif ($action == 'setcontract' && $permissiontoadd) { // Set into a contract $result = $object->set_contrat($user, GETPOSTINT('contratid')); if ($result < 0) { dol_print_error($db, $object->error); } - } elseif ($action == 'setref_client' && $user->hasRight('ficheinter', 'creer')) { + } elseif ($action == 'setref_client' && $permissiontoadd) { // Positionne ref client $result = $object->setRefClient($user, GETPOST('ref_client', 'alpha')); if ($result < 0) { @@ -561,12 +562,12 @@ header('Location: '.DOL_URL_ROOT.'/fichinter/list.php?leftmenu=ficheinter&restore_lastsearch_values=1'); exit; - } elseif ($action == 'setdescription' && $user->hasRight('ficheinter', 'creer')) { + } elseif ($action == 'setdescription' && $permissiontoadd) { $result = $object->set_description($user, GETPOST('description')); if ($result < 0) { dol_print_error($db, $object->error); } - } elseif ($action == "addline" && $user->hasRight('ficheinter', 'creer')) { + } elseif ($action == "addline" && $permissiontoadd) { // Add line if (!GETPOST('np_desc', 'restricthtml') && !getDolGlobalString('FICHINTER_EMPTY_LINE_DESC')) { $mesg = $langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Description")); @@ -627,7 +628,7 @@ $db->rollback(); } } - } elseif ($action == 'classifybilled' && $user->hasRight('ficheinter', 'creer')) { + } elseif ($action == 'classifybilled' && $permissiontoadd) { // Classify Billed $result = $object->setStatut(Fichinter::STATUS_BILLED); if ($result > 0) { 
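Review bot: The `setcontract` branch in the `@@ -535` hunk of fichinter/card.php changes its gate from `$user->hasRight('contrat', 'creer')` to `$permissiontoadd` (the ficheinter 'creer' right), which is a permission change rather than a pure refactor: a user with the intervention-create right but no contract-create right can now link an intervention to a contract, and a user holding only the contract right is now blocked. If both rights are required, the condition should read `} elseif ($action == 'setcontract' && $permissiontoadd && $user->hasRight('contrat', 'creer')) {`; if the relaxation is deliberate, a short comment explaining why the contract right no longer applies would help the next reader. The elseif chain starts and ends outside the hunk.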
@@ -636,7 +637,7 @@ } else { setEventMessages($object->error, $object->errors, 'errors'); } - } elseif ($action == 'classifyunbilled' && $user->hasRight('ficheinter', 'creer')) { + } elseif ($action == 'classifyunbilled' && $permissiontoadd) { // Classify unbilled $result = $object->setStatut(Fichinter::STATUS_VALIDATED); if ($result > 0) { @@ -645,7 +646,7 @@ } else { $mesg = $object->error; } - } elseif ($action == 'confirm_reopen' && $user->hasRight('ficheinter', 'creer')) { + } elseif ($action == 'confirm_reopen' && $permissiontoadd) { // Reopen $result = $object->setStatut(Fichinter::STATUS_VALIDATED); if ($result > 0) { @@ -654,7 +655,7 @@ } else { $mesg = $object->error; } - } elseif ($action == 'updateline' && $user->hasRight('ficheinter', 'creer') && GETPOST('save', 'alpha')) { + } elseif ($action == 'updateline' && $permissiontoadd && GETPOST('save', 'alpha')) { // Mise a jour d'une ligne d'intervention $objectline = new FichinterLigne($db); if ($objectline->fetch($lineid) <= 0) { @@ -708,7 +709,7 @@ header('Location: '.$_SERVER["PHP_SELF"].'?id='.$object->id); exit; - } elseif ($action == 'confirm_deleteline' && $confirm == 'yes' && $user->hasRight('ficheinter', 'creer')) { + } elseif ($action == 'confirm_deleteline' && $confirm == 'yes' && $permissiontoadd) { // Supprime une ligne d'intervention AVEC confirmation $objectline = new FichinterLigne($db); if ($objectline->fetch($lineid) <= 0) { @@ -738,7 +739,7 @@ if (!getDolGlobalString('MAIN_DISABLE_PDF_AUTOUPDATE')) { fichinter_create($db, $object, $object->model_pdf, $outputlangs); } - } elseif ($action == 'up' && $user->hasRight('ficheinter', 'creer')) { + } elseif ($action == 'up' && $permissiontoadd) { // Set position of lines $object->line_up($lineid); 
@@ -761,7 +762,7 @@ header('Location: '.$_SERVER["PHP_SELF"].'?id='.$object->id.'#'.$lineid); exit; - } elseif ($action == 'down' && $user->hasRight('ficheinter', 'creer')) { + } elseif ($action == 'down' && $permissiontoadd) { $object->line_down($lineid); // Define output language @@ -799,7 +800,7 @@ $permissiontoadd = $user->hasRight('ficheinter', 'creer'); include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php'; - if ($action == 'update_extras' && $user->hasRight('ficheinter', 'creer')) { + if ($action == 'update_extras' && $permissiontoadd) { $object->oldcopy = dol_clone($object, 2); $attribute_name = GETPOST('attribute', 'restricthtml'); @@ -823,8 +824,8 @@ } } - if (getDolGlobalString('MAIN_DISABLE_CONTACTS_TAB') && $user->hasRight('ficheinter', 'creer')) { - if ($action == 'addcontact') { + if (getDolGlobalString('MAIN_DISABLE_CONTACTS_TAB')) { + if ($action == 'addcontact' && $permissiontoadd) { if ($result > 0 && $id > 0) { $contactid = (GETPOSTINT('userid') ? GETPOSTINT('userid') : GETPOSTINT('contactid')); $typeid = (GETPOST('typecontact') ? GETPOST('typecontact') : GETPOST('type')); @@ -842,10 +843,10 @@ $mesg = $object->error; } } - } elseif ($action == 'swapstatut') { + } elseif ($action == 'swapstatut' && $permissiontoadd) { // bascule du statut d'un contact $result = $object->swapContactStatus(GETPOSTINT('ligne')); - } elseif ($action == 'deletecontact') { + } elseif ($action == 'deletecontact' && $permissiontoadd) { // Efface un contact $result = $object->delete_contact(GETPOSTINT('lineid')); diff --git a/htdocs/fourn/commande/card.php b/htdocs/fourn/commande/card.php index ec220f365701b..8df3a82fe01d7 100644 --- a/htdocs/fourn/commande/card.php +++ b/htdocs/fourn/commande/card.php 
@@ -340,7 +340,7 @@ } } - if ($action == 'reopen') { // no test on permission here, permission to use will depends on status + if ($action == 'reopen' && $permissiontoadd) { // no test on permission here, permission to use will depends on status if (in_array($object->statut, array(1, 2, 3, 4, 5, 6, 7, 9))) { if ($object->statut == 1) { $newstatus = 0; // Validated->Draft diff --git a/htdocs/fourn/facture/card.php b/htdocs/fourn/facture/card.php index 7b56665d6fbc6..b77d4e47e1504 100644 --- a/htdocs/fourn/facture/card.php +++ b/htdocs/fourn/facture/card.php @@ -2005,8 +2005,8 @@ } } - if (getDolGlobalString('MAIN_DISABLE_CONTACTS_TAB') && $usercancreate) { - if ($action == 'addcontact') { + if (getDolGlobalString('MAIN_DISABLE_CONTACTS_TAB')) { + if ($action == 'addcontact' && $usercancreate) { $result = $object->fetch($id); if ($result > 0 && $id > 0) { @@ -2026,14 +2026,14 @@ setEventMessages($object->error, $object->errors, 'errors'); } } - } elseif ($action == 'swapstatut') { + } elseif ($action == 'swapstatut' && $usercancreate) { // bascule du statut d'un contact if ($object->fetch($id)) { $result = $object->swapContactStatus(GETPOSTINT('ligne')); } else { dol_print_error($db); } - } elseif ($action == 'deletecontact') { + } elseif ($action == 'deletecontact' && $usercancreate) { // Efface un contact $object->fetch($id); $result = $object->delete_contact(GETPOSTINT("lineid")); diff --git a/htdocs/fourn/facture/rapport.php b/htdocs/fourn/facture/rapport.php index 4f272ba80232a..e4e5989e2a020 100644 --- a/htdocs/fourn/facture/rapport.php +++ b/htdocs/fourn/facture/rapport.php 
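Review bot: The trailing comment on the `reopen` condition in the `@@ -340` hunk of fourn/commande/card.php now contradicts the code: a permission test was added but the comment still says `// no test on permission here`. Suggest `if ($action == 'reopen' && $permissiontoadd) { // Permission to reopen also depends on the current status, checked below`. The diff does not show where `$permissiontoadd` is assigned in this file, so it is worth confirming it is set before the actions section. The branch body continues outside the hunk.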
@@ -56,12 +56,15 @@ $year = date("Y"); } +$permissiontoread = ($user->hasRight("fournisseur", "facture", "lire") || $user->hasRight("supplier_invoice", "lire")); +$permissiontoadd = ($user->hasRight("fournisseur", "facture", "creer") || $user->hasRight("supplier_invoice", "creer")); + /* * Actions */ -if ($action == 'builddoc') { +if ($action == 'builddoc' && $permissiontoread) { $rap = new pdf_paiement_fourn($db); $outputlangs = $langs;