From 1fec3b56d908dd0982c595c268e8578cfea71dea Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 23 May 2012 14:34:44 +0200
Subject: [PATCH] Fix: Permissions to see project
Conflicts: htdocs/projet/fiche.php
---
 htdocs/core/lib/security.lib.php | 2 +-
 htdocs/projet/class/project.class.php | 19 +++++++++++++------
 htdocs/projet/contact.php | 26 ++++++++++++++------------
 htdocs/projet/document.php | 17 ++++++++++-------
 htdocs/projet/element.php | 13 +++++++++----
 htdocs/projet/fiche.php | 15 +++++++--------
 htdocs/projet/ganttview.php | 7 +++++++
 htdocs/projet/note.php | 15 ++++++++++-----
 htdocs/projet/tasks.php | 11 ++++++++---
 9 files changed, 79 insertions(+), 46 deletions(-)
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 75107f05a86..414d2c25709 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -373,7 +373,7 @@ function restrictedArea($user, $features, $objectid=0, $dbtablename='', $feature
 {
 include_once(DOL_DOCUMENT_ROOT."/projet/class/project.class.php");
 $projectstatic=new Project($db);
- $tmps=$projectstatic->getProjectsAuthorizedForUser($user,0,1,$user->societe_id);
+ $tmps=$projectstatic->getProjectsAuthorizedForUser($user,0,1,0);
 $tmparray=explode(',',$tmps);
 if (! in_array($objectid,$tmparray)) accessforbidden();
 }
diff --git a/htdocs/projet/class/project.class.php b/htdocs/projet/class/project.class.php
index 0c80423b14f..112e0f9b030 100644
--- a/htdocs/projet/class/project.class.php
+++ b/htdocs/projet/class/project.class.php
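Review bot: Passing `0` as the last argument drops the thirdparty scoping that `$user->societe_id` provided, so for an external user the per-object check now rests entirely on what `getProjectsAuthorizedForUser($user,0,1,0)` returns for contact links; if that query only applies its company filter when the argument is non-zero (not visible here), an external user may pass this check for any project selected by `p.public = 1`, whatever company it belongs to. The `in_array($objectid,$tmparray)` comparison on the next context line is loose: when `$tmps` is an empty string, `explode` yields `['']`, and under PHP 5's loose rules a falsy `$objectid` compares equal to `''`, so the check silently passes; use `if (! in_array((string) $objectid, $tmparray, true)) accessforbidden();` or bail out when `$tmps` is empty. `restrictedArea` starts and ends outside the hunk.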
@@ -791,12 +791,13 @@ class Project extends CommonObject
 if ($mode == 'write' && $user->rights->projet->creer) $userAccess++;
 if ($mode == 'delete' && $user->rights->projet->supprimer) $userAccess++;
 }
- if ($source == 'external' && preg_match('/PROJECT/', $userRole[$nblinks]['code']) && $user->contact_id == $userRole[$nblinks]['id'])
+ // Permission are supported on users only. To have an external thirdparty contact to see a project, its user must allowed to contacts of projects.
+ /*if ($source == 'external' && preg_match('/PROJECT/', $userRole[$nblinks]['code']) && $user->contact_id == $userRole[$nblinks]['id'])
 {
 if ($mode == 'read' && $user->rights->projet->lire) $userAccess++;
 if ($mode == 'write' && $user->rights->projet->creer) $userAccess++;
 if ($mode == 'delete' && $user->rights->projet->supprimer) $userAccess++;
- }
+ }*/
 $nblinks++;
 }
 }
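Review bot: The external-contact branch is kept as a commented-out block instead of being deleted, and the explanation above it has a grammar slip that obscures the new rule; version control keeps the history, so remove the `/* ... */` block and keep a single comment such as `// Access is granted through llx_user only; an external contact's user must itself be added as a contact of the project.` The phrase `its user must allowed to contacts of projects` should read `its user must be added as a contact of the project`. With this branch gone, a user with `societe_id > 0` gains no access increment from contact links unless the internal condition above the hunk matches, so please confirm that condition compares against `$user->id` and not `$user->contact_id`, otherwise the change denies more than intended. The enclosing method starts and ends outside the hunk.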
@@ -840,18 +841,24 @@ class Project extends CommonObject
 if ($mode == 0)
 {
- $sql.= " AND ec.element_id = p.rowid AND ( p.public = 1";
+ $sql.= " AND ec.element_id = p.rowid";
+ $sql.= " AND ( p.public = 1";
 //$sql.= " OR p.fk_user_creat = ".$user->id;
 $sql.= " OR ( ctc.rowid = ec.fk_c_type_contact";
 $sql.= " AND ctc.element = '" . $this->element . "'";
- $sql.= " AND ec.fk_socpeople = " . $user->contact_id . " ) )";
+ $sql.= " AND ( (ctc.source = 'internal' AND ec.fk_socpeople = ".$user->id.")"; //$sql.= " OR (ctc.source = 'external' AND ec.fk_socpeople = ".($user->contact_id?$user->contact_id:0).")"; // Permission are supported on users only. To have an external thirdparty contact to see a project, its user must allowed to contacts of projects.
+ $sql.= " )";
+ $sql.= " ))";
 }
 if ($mode == 1)
 {
 $sql.= " AND ec.element_id = p.rowid";
 $sql.= " AND ctc.rowid = ec.fk_c_type_contact";
 $sql.= " AND ctc.element = '" . $this->element . "'";
- $sql.= " AND ec.fk_socpeople = " . $user->contact_id;
+ $sql.= " AND ( (ctc.source = 'internal' AND ec.fk_socpeople = ".$user->id.")"; //$sql.= " OR (ctc.source = 'external' AND ec.fk_socpeople = ".($user->contact_id?$user->contact_id:0).")"; // Permission are supported on users only. To have an external thirdparty contact to see a project, its user must allowed to contacts of projects.
+ $sql.= " )";
 }
 if ($mode == 2)
 {
@@ -1204,4 +1211,4 @@ class Project extends CommonObject
 }
-?>
\ No newline at end of file
+?>
diff --git a/htdocs/projet/contact.php b/htdocs/projet/contact.php
index f1fe6eb5c55..6879a00ed80 100644
--- a/htdocs/projet/contact.php
+++ b/htdocs/projet/contact.php
@@ -1,5 +1,6 @@
 <?php
-/* Copyright (C) 2010 Regis Houssin <regis@dolibarr.fr>
+/* Copyright (C) 2010 Regis Houssin <regis@dolibarr.fr>
+ * Copyright (C) 2012 Laurent Destailleur <eldy@users.sourceforge.net>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
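Review bot: `$user->id` is concatenated into the SQL unquoted and uncast on both new `ctc.source = 'internal'` lines (mode 0 and mode 1); it comes from the session rather than the request, but an empty value would yield `ec.fk_socpeople = )` and a query error instead of a clean denial, so cast it at the point of use: `$sql.= " AND ( (ctc.source = 'internal' AND ec.fk_socpeople = ".((int) $user->id).")";`. The `//$sql.= " OR (ctc.source = 'external' ...` lines are commented-out alternatives left inside executable code, repeated with the same long trailing comment in both branches; drop them and state the rule once in a comment at the top of the method. The fourth argument that security.lib.php now passes as `0` is consumed outside this hunk, so please confirm the company filter for external users still applies somewhere in this method.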
@@ -31,14 +32,21 @@ $langs->load("projects");
 $langs->load("companies");
 $id = GETPOST('id','int');
-$ref= GETPOST('ref');
+$ref= GETPOST('ref','alpha');
 $mine = $_REQUEST['mode']=='mine' ? 1 : 0;
 //if (! $user->rights->projet->all->lire) $mine=1; // Special for projects
+$project = new Project($db);
+if ($ref)
+{
+ $project->fetch(0,$ref);
+ $id=$project->id;
+}
+
 // Security check
 $socid=0;
-if ($user->societe_id) $socid=$user->societe_id;
+if ($user->societe_id > 0) $socid=$user->societe_id;
 $result = restrictedArea($user, 'projet', $id);
@@ -49,9 +57,7 @@ $result = restrictedArea($user, 'projet', $id);
 // Add new contact
 if ($_POST["action"] == 'addcontact' && $user->rights->projet->creer)
 {
- $result = 0;
- $project = new Project($db);
 $result = $project->fetch($id);
 if ($result > 0 && $id > 0)
@@ -81,7 +87,6 @@ if ($_POST["action"] == 'addcontact' && $user->rights->projet->creer)
 // bascule du statut d'un contact
 if ($_GET["action"] == 'swapstatut' && $user->rights->projet->creer)
 {
- $project = new Project($db);
 if ($project->fetch($id))
 {
 $result=$project->swapContactStatus(GETPOST('ligne'));
@@ -95,7 +100,6 @@ if ($_GET["action"] == 'swapstatut' && $user->rights->projet->creer)
 // Efface un contact
 if ($_GET["action"] == 'deleteline' && $user->rights->projet->creer)
 {
- $project = new Project($db);
 $project->fetch($id);
 $result = $project->delete_contact($_GET["lineid"]);
@@ -133,8 +137,6 @@ dol_htmloutput_mesg($mesg);
 if ($id > 0 || ! empty($ref))
 {
- $project = new Project($db);
-
 if ( $project->fetch($id,$ref) > 0)
 {
 if ($project->societe->id > 0) $result=$project->societe->fetch($project->societe->id);
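Review bot: `$project->fetch(0,$ref)` ignores its return value, so an unknown or failing ref leaves `$project->id` unset and `restrictedArea($user, 'projet', $id)` is then called with an empty id; whether that call still enforces a per-object check for an empty id is outside the hunk, so make the outcome explicit: `if ($project->fetch(0,$ref) <= 0) accessforbidden();`. The same unchecked block is added in this commit to element.php, fiche.php, ganttview.php, note.php and tasks.php, and only document.php checks the result; fiche.php needs care, since its `add` action posts a `ref` that does not exist yet. Until then, every later `$project->fetch($id)` in the action branches below reuses whatever the first lookup left behind.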
@@ -211,14 +213,14 @@ if ($id > 0 || ! empty($ref))
 $var = false;
- print '<form action="'.$_SERVER["PHP_SELF"].'?id='.$id.'" method="POST">';
+ print '<form action="'.$_SERVER["PHP_SELF"].'?id='.$project->id.'" method="POST">';
 print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="addcontact">';
 print '<input type="hidden" name="source" value="internal">';
- print '<input type="hidden" name="id" value="'.$id.'">';
+ print '<input type="hidden" name="id" value="'.$project->id.'">';
 // Ligne ajout pour contact interne
- print "<tr $bc[$var]>";
+ print "<tr ".$bc[$var].">";
 print '<td nowrap="nowrap">';
 print img_object('','user').' '.$langs->trans("Users");
diff --git a/htdocs/projet/document.php b/htdocs/projet/document.php
index 5bf9971b9d7..4568b376cd4 100644
--- a/htdocs/projet/document.php
+++ b/htdocs/projet/document.php
@@ -1,5 +1,6 @@
 <?php
-/* Copyright (C) 2010 Regis Houssin <regis@dolibarr.fr>
+/* Copyright (C) 2010 Regis Houssin <regis@dolibarr.fr>
+ * Copyright (C) 2012 Laurent Destailleur <eldy@users.sourceforge.net>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -36,6 +37,14 @@ $mine = $_REQUEST['mode']=='mine' ? 1 : 0;
 $id = GETPOST('id','int');
 $ref= GETPOST('ref');
+$project = new Project($db);
+if (! $project->fetch($id,$ref) > 0)
+{
+ dol_print_error($db);
+ exit;
+}
+else $id=$project->id;
+
 // Security check
 $socid=0;
 if ($user->societe_id > 0) $socid=$user->societe_id;
@@ -52,12 +61,6 @@ $pagenext = $page + 1;
 if (! $sortorder) $sortorder="ASC";
 if (! $sortfield) $sortfield="name";
-$project = new Project($db);
-if (! $project->fetch($id,$ref) > 0)
-{
- dol_print_error($db);
- exit;
-}
 /*
diff --git a/htdocs/projet/element.php b/htdocs/projet/element.php
index 468ffcee2c4..d76c5e9f7b7 100644
--- a/htdocs/projet/element.php
+++ b/htdocs/projet/element.php
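Review bot: In document.php, `if (! $project->fetch($id,$ref) > 0)` parses as `(! $project->fetch(...)) > 0` because `!` binds tighter than `>`, so a negative return (a database error) is treated as success and the page continues with an unloaded object; the moved block should read `if ($project->fetch($id,$ref) <= 0)`. Moving the fetch above `restrictedArea` also means a user who is not allowed to see the project now gets `dol_print_error` for a non-existent id or ref and a forbidden page for an existing one, which discloses which ids and refs exist; on a failed fetch call `accessforbidden()` instead so both paths look the same. The context line `$ref= GETPOST('ref');` still reads the ref without the `'alpha'` filter that contact.php adopts in this same commit.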
@@ -46,10 +46,8 @@ if ($conf->commande->enabled) $langs->load("orders");
 if ($conf->propal->enabled) $langs->load("propal");
 if ($conf->ficheinter->enabled) $langs->load("interventions");
-$projectid='';
-$ref='';
-if (isset($_GET["id"])) { $projectid=$_GET["id"]; }
-if (isset($_GET["ref"])) { $ref=$_GET["ref"]; }
+$projectid=GETPOST('id');
+$ref=GETPOST('ref');
 if ($projectid == '' && $ref == '')
 {
 dol_print_error('','Bad parameter');
@@ -59,6 +57,13 @@ if ($projectid == '' && $ref == '')
 $mine = $_REQUEST['mode']=='mine' ? 1 : 0;
 //if (! $user->rights->projet->all->lire) $mine=1; // Special for projects
+$project = new Project($db);
+if ($ref)
+{
+ $project->fetch(0,$ref);
+ $projectid=$project->id;
+}
+
 // Security check
 $socid=0;
 if ($user->societe_id > 0) $socid=$user->societe_id;
diff --git a/htdocs/projet/fiche.php b/htdocs/projet/fiche.php
index d4293bea9ef..88277d61d7c 100644
--- a/htdocs/projet/fiche.php
+++ b/htdocs/projet/fiche.php
@@ -43,6 +43,13 @@ if ($id == '' && $ref == '' && ($action != "create" && $action != "add" && $acti
 $mine = GETPOST('mode')=='mine' ? 1 : 0;
 //if (! $user->rights->projet->all->lire) $mine=1; // Special for projects
+$project = new Project($db);
+if ($ref)
+{
+ $project->fetch(0,$ref);
+ $id=$project->id;
+}
+
 // Security check
 $socid=0;
 if ($user->societe_id > 0) $socid=$user->societe_id;
@@ -116,8 +123,6 @@ if ($action == 'add' && $user->rights->projet->creer)
 $db->begin();
- $project = new Project($db);
-
 $project->ref = GETPOST('ref','alpha');
 $project->title = GETPOST('title','alpha');
 $project->socid = GETPOST('socid','int');
@@ -184,7 +189,6 @@ if ($action == 'update' && ! $_POST["cancel"] && $user->rights->projet->creer)
 }
 if (! $error)
 {
- $project = new Project($db);
 $project->fetch($id);
 $old_start_date = $project->date_start;
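Review bot: In element.php, `GETPOST('id')` and `GETPOST('ref')` are read without a type filter, although contact.php in this same commit switches the equivalent line to `GETPOST('ref','alpha')` and reads the id with `GETPOST('id','int')`; `$ref` goes straight into `$project->fetch(0,$ref)` in the next hunk, so filter both at the boundary: `$projectid=GETPOST('id','int');` and `$ref=GETPOST('ref','alpha');`. The `if ($projectid == '' && $ref == '')` guard below should keep working with the filters, provided GETPOST still returns `''` for an absent parameter (its implementation is outside this diff).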
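Review bot: In fiche.php the new ref lookup at `@@ -43` runs for every action, including `add`, whose form posts the `ref` of the project being created (the context line above excludes `create`/`add` from the bad-parameter check but not from this block); when a project with that ref already exists, `$project` is loaded with its data and `$id` becomes its id, and the `add` branch at `@@ -116` then reuses that same object because it dropped its own `new Project($db)`. Guard the lookup, e.g. `if ($ref && $action != 'add' && $action != 'create')`, or restore `$project = new Project($db);` at the start of the `add` branch so a duplicate ref cannot seed the new record with an existing project's fields. Whether `Project::create()` rejects a duplicate ref is outside this diff.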
@@ -220,7 +224,6 @@ if ($action == 'update' && ! $_POST["cancel"] && $user->rights->projet->creer)
 // Build doc
 if ($action == 'builddoc' && $user->rights->projet->creer)
 {
- $project = new Project($db);
 $project->fetch($id);
 if (GETPOST('model'))
 {
@@ -249,7 +252,6 @@ if ($action == 'builddoc' && $user->rights->projet->creer)
 if ($action == 'confirm_validate' && GETPOST('confirm') == 'yes')
 {
- $project = new Project($db);
 $project->fetch($id);
 $result = $project->setValid($user);
@@ -261,7 +263,6 @@ if ($action == 'confirm_validate' && GETPOST('confirm') == 'yes')
 if ($action == 'confirm_close' && GETPOST('confirm') == 'yes')
 {
- $project = new Project($db);
 $project->fetch($id);
 $result = $project->setClose($user);
 if ($result <= 0)
@@ -272,7 +273,6 @@ if ($action == 'confirm_close' && GETPOST('confirm') == 'yes')
 if ($action == 'confirm_reopen' && GETPOST('confirm') == 'yes')
 {
- $project = new Project($db);
 $project->fetch($id);
 $result = $project->setValid($user);
 if ($result <= 0)
@@ -283,7 +283,6 @@ if ($action == 'confirm_reopen' && GETPOST('confirm') == 'yes')
 if ($action == 'confirm_delete' && GETPOST("confirm") == "yes" && $user->rights->projet->supprimer)
 {
- $project = new Project($db);
 $project->fetch($id);
 $result=$project->delete($user);
 if ($result > 0)
diff --git a/htdocs/projet/ganttview.php b/htdocs/projet/ganttview.php
index 02d2d678215..d908c72962a 100644
--- a/htdocs/projet/ganttview.php
+++ b/htdocs/projet/ganttview.php
@@ -35,6 +35,13 @@ $ref=GETPOST('ref','alpha');
 $mine = $_REQUEST['mode']=='mine' ? 1 : 0;
 //if (! $user->rights->projet->all->lire) $mine=1; // Special for projects
+$object = new Project($db);
+if ($ref)
+{
+ $object->fetch(0,$ref);
+ $id=$object->id;
+}
+
 // Security check
 $socid=0;
 if ($user->societe_id > 0) $socid=$user->societe_id;
diff --git a/htdocs/projet/note.php b/htdocs/projet/note.php
index 86f47072ffb..4f7dc5aaf94 100644
--- a/htdocs/projet/note.php
+++ b/htdocs/projet/note.php
@@ -1,5 +1,6 @@
 <?php
-/* Copyright (C) 2010 Regis Houssin <regis@dolibarr.fr>
+/* Copyright (C) 2010 Regis Houssin <regis@dolibarr.fr>
+ * Copyright (C) 2012 Laurent Destailleur <eldy@users.sourceforge.net>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -34,6 +35,13 @@ $ref= GETPOST('ref');
 $mine = $_REQUEST['mode']=='mine' ? 1 : 0;
 //if (! $user->rights->projet->all->lire) $mine=1; // Special for projects
+$project = new Project($db);
+if ($ref)
+{
+ $project->fetch(0,$ref);
+ $id=$project->id;
+}
+
 // Security check
 $socid=0;
 if ($user->societe_id > 0) $socid=$user->societe_id;
@@ -47,7 +55,6 @@ $result = restrictedArea($user, 'projet', $id);
 if ($action == 'update_public' && $user->rights->projet->creer)
 {
- $project = new Project($db);
 $project->fetch($_GET['id']);
 $db->begin();
@@ -66,7 +73,6 @@ if ($action == 'update_public' && $user->rights->projet->creer)
 if ($action == 'update_private' && $user->rights->projet->creer)
 {
- $project = new Project($db);
 $project->fetch($_GET['id']);
 $db->begin();
@@ -99,8 +105,7 @@ $now=dol_now();
 if ($id > 0 || ! empty($ref))
 {
- if ($mesg) print $mesg;
-
+ dol_htmloutput_mesg($mesg);
 if ($project->fetch($id, $ref))
 {
diff --git a/htdocs/projet/tasks.php b/htdocs/projet/tasks.php
index a65ff6b10b6..7f78bc18c7e 100644
--- a/htdocs/projet/tasks.php
+++ b/htdocs/projet/tasks.php
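Review bot: In note.php the `update_public` branch at `@@ -47` (and `update_private` at `@@ -66`) now keeps the shared `$project` but still re-fetches it with `$project->fetch($_GET['id'])`, while the security check a few lines earlier ran `restrictedArea($user, 'projet', $id)` on the `$id` derived from the request and the ref lookup; the two stay in step only by relying on how GETPOST orders its lookup, so fetch the object the check authorised: `$project->fetch($id);` in both branches. The `dol_htmloutput_mesg($mesg)` replacement at `@@ -99` is welcome, since the previous `print $mesg` wrote the raw string to the page.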
@@ -42,11 +42,17 @@ $mode = GETPOST('mode', 'alpha');
 $mine = ($mode == 'mine' ? 1 : 0);
 //if (! $user->rights->projet->all->lire) $mine=1; // Special for projects
+$object = new Project($db);
+if ($ref)
+{
+ $object->fetch(0,$ref);
+ $id=$object->id;
+}
+
 // Security check
 $socid=0;
 if ($user->societe_id > 0) $socid = $user->societe_id;
-//$result = restrictedArea($user, 'projet', $projectid);
-if (!$user->rights->projet->lire) accessforbidden();
+$result = restrictedArea($user, 'projet', $id);
 $progress=GETPOST('progress', 'int');
 $label=GETPOST('label', 'alpha');
@@ -54,7 +60,6 @@ $description=GETPOST('description', 'alpha');
 $userAccess=0;
-$object = new Project($db);
 /*
-- 
GitLab