From 65c9b69f7c62b7ccac09e7cbed40cd06639522a1 Mon Sep 17 00:00:00 2001
From: Regis Houssin <regis@dolibarr.fr>
Date: Tue, 10 Nov 2009 12:36:30 +0000
Subject: [PATCH] Fix: refining permissions to modify an action without the
 right to remove

---
 htdocs/comm/action/fiche.php                | 29 +++++++++++----------
 htdocs/includes/modules/modAgenda.class.php | 24 ++++++++++++++---
 htdocs/langs/en_US/admin.lang               |  8 +++---
 htdocs/langs/fr_FR/admin.lang               |  8 +++---
 4 files changed, 45 insertions(+), 24 deletions(-)

diff --git a/htdocs/comm/action/fiche.php b/htdocs/comm/action/fiche.php
index 0c348058288..0ff75aa3498 100644
--- a/htdocs/comm/action/fiche.php
+++ b/htdocs/comm/action/fiche.php
@@ -294,8 +294,8 @@ if ($_REQUEST["action"] == 'confirm_delete' && $_REQUEST["confirm"] == 'yes')
 	$actioncomm = new ActionComm($db);
 	$actioncomm->fetch($_GET["id"]);
 
-	if ($user->rights->agenda->myactions->create
-		|| $user->rights->agenda->allactions->create)
+	if ($user->rights->agenda->myactions->delete
+		|| $user->rights->agenda->allactions->delete)
 	{
 		$result=$actioncomm->delete();
 
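Review bot: The guard at the top of this hunk now tests `$user->rights->agenda->myactions->delete` and `allactions->delete`, but modAgenda.class.php in this same patch defines only the `create` and `modify` keys for those two groups (the 2402/2412 labels read "Create/delete" under key 'create'), so unless a `delete` right is declared somewhere not in this patch these properties are never set and the confirm_delete branch is always refused. The Delete button hunk at @@ -897 depends on the same `delete` key. Separately, this server-side check has no ownership test: a user holding only the `myactions` right passes it for any `$_GET["id"]`, whereas the Delete button in the view is only rendered when `$act->author->id` or `$act->usertodo->id` matches the user, and the handler is what actually enforces the rule. If ownership is meant to be enforced it belongs here too, e.g. `if ($user->rights->agenda->allactions->create || (($actioncomm->author->id == $user->id || $actioncomm->usertodo->id == $user->id) && $user->rights->agenda->myactions->create))`, with `create` replaced by whichever key really carries the delete right. The confirm_delete block continues past the end of this hunk.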
@@ -313,7 +313,6 @@ if ($_REQUEST["action"] == 'confirm_delete' && $_REQUEST["confirm"] == 'yes')
 
 /*
  * Action mise a jour de l'action
- *
  */
 if ($_POST["action"] == 'update')
 {
@@ -441,11 +440,9 @@ llxHeader('',$langs->trans("Agenda"),$help_url);
 $html = new Form($db);
 $htmlactions = new FormActions($db);
 
-/* ************************************************************************** */
-/*                                                                            */
-/* Affichage fiche en mode creation                                           */
-/*                                                                            */
-/* ************************************************************************** */
+/*
+ * Affichage fiche en mode creation
+ */
 
 if ($_GET["action"] == 'create')
 {
@@ -861,7 +858,7 @@ if ($_GET["id"])
 		print $act->priority;
 		print '</td></tr>';
 
-		// Objet lie
+		// Linked object
 		if ($act->objet_url)
 		{
 			print '<tr><td>'.$langs->trans("LinkedObject").'</td>';
@@ -879,7 +876,7 @@ if ($_GET["id"])
 	print "</div>\n";
 
 
-	/**
+	/*
 	 * Barre d'actions
 	 *
 	 */
@@ -888,7 +885,9 @@ if ($_GET["id"])
 
 	if ($_GET["action"] != 'edit')
 	{
-		if ($user->rights->agenda->allactions->create)
+		if ($user->rights->agenda->allactions->modify || 
+		   (($act->author->id == $user->id && $user->rights->agenda->myactions->modify) ||
+		   ($act->usertodo->id == $user->id && $user->rights->agenda->myactions->modify)))
 		{
 			print '<a class="butAction" href="fiche.php?action=edit&id='.$act->id.'">'.$langs->trans("Modify").'</a>';
 		}
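Review bot: The new Modify condition repeats `$user->rights->agenda->myactions->modify` in both parenthesised branches, and the Delete hunk at @@ -897 repeats the same shape with `delete`. It reads more clearly as `$isOwner = ($act->author->id == $user->id || $act->usertodo->id == $user->id);` followed by `if ($user->rights->agenda->allactions->modify || ($isOwner && $user->rights->agenda->myactions->modify))`, which also gives the `update` POST handler (hunk at @@ -313, body outside this patch) one expression to reuse, since only the button is shown here to be gated by `modify` and the POST path is not visible as changed. Whether `$act->author` and `$act->usertodo` are always populated after the fetch is not visible in the hunk; if either can be unset the comparison would raise a notice. The enclosing `if ($_GET["action"] != 'edit')` block ends outside the hunk.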
@@ -897,7 +896,9 @@ if ($_GET["id"])
 			print '<a class="butActionRefused" href="#" title="'.$langs->trans("NotAllowed").'">'.$langs->trans("Modify").'</a>';
 		}
 
-		if ($user->rights->agenda->allactions->create)
+		if ($user->rights->agenda->allactions->delete || 
+		   (($act->author->id == $user->id && $user->rights->agenda->myactions->delete) ||
+		   ($act->usertodo->id == $user->id && $user->rights->agenda->myactions->delete)))
 		{
 			print '<a class="butActionDelete" href="fiche.php?action=delete&id='.$act->id.'">'.$langs->trans("Delete").'</a>';
 		}
@@ -916,8 +917,8 @@ llxFooter('$Date$ - $Revision$');
 
 
 /**
- \brief      Ajoute une ligne de tableau a 2 colonnes pour avoir l'option synchro calendrier
- \return     int     Retourne le nombre de lignes ajoutees
+ *  \brief      Ajoute une ligne de tableau a 2 colonnes pour avoir l'option synchro calendrier
+ *  \return     int     Retourne le nombre de lignes ajoutees
  */
 function add_row_for_calendar_link()
 {
diff --git a/htdocs/includes/modules/modAgenda.class.php b/htdocs/includes/modules/modAgenda.class.php
index 2cc1b4c777a..27a72c57933 100644
--- a/htdocs/includes/modules/modAgenda.class.php
+++ b/htdocs/includes/modules/modAgenda.class.php
@@ -109,14 +109,22 @@ class modAgenda extends DolibarrModules
 		$r++;
 
 		$this->rights[$r][0] = 2402;
-		$this->rights[$r][1] = 'Create/modify/delete actions/tasks linked to his account';
+		$this->rights[$r][1] = 'Create/delete actions/tasks linked to his account';
 		$this->rights[$r][2] = 'w';
 		$this->rights[$r][3] = 0;
 		$this->rights[$r][4] = 'myactions';
 		$this->rights[$r][5] = 'create';
 		$r++;
-
+		
 		$this->rights[$r][0] = 2403;
+		$this->rights[$r][1] = 'Modify actions/tasks linked to his account';
+		$this->rights[$r][2] = 'w';
+		$this->rights[$r][3] = 0;
+		$this->rights[$r][4] = 'myactions';
+		$this->rights[$r][5] = 'modify';
+		$r++;
+
+		$this->rights[$r][0] = 2411;
 		$this->rights[$r][1] = 'Read actions/tasks of others';
 		$this->rights[$r][2] = 'r';
 		$this->rights[$r][3] = 0;
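Review bot: Permission id 2403 changes meaning in this hunk, from 'Read actions/tasks of others' to 'Modify actions/tasks linked to his account', while read-others moves to the new id 2411; if granted rights are persisted by this numeric id (not visible here, but the Permission24xx lang keys are keyed the same way), every user who already holds 2403 silently ends up with a different permission after upgrade and loses read access to others' actions until 2411 is granted. The second hunk of this file does the same for 2405 → 2412. Either a migration mapping the old ids to the new ones, or keeping 2403/2405 unchanged and appending the two modify rights as fresh ids, would avoid the silent reassignment. The blank lines added as `\t\t` here and in the second hunk carry trailing tab characters.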
@@ -124,13 +132,21 @@ class modAgenda extends DolibarrModules
 		$this->rights[$r][5] = 'read';
 		$r++;
 
-		$this->rights[$r][0] = 2405;
-		$this->rights[$r][1] = 'Create/modify/delete actions/tasks of others';
+		$this->rights[$r][0] = 2412;
+		$this->rights[$r][1] = 'Create/delete actions/tasks of others';
 		$this->rights[$r][2] = 'w';
 		$this->rights[$r][3] = 0;
 		$this->rights[$r][4] = 'allactions';
 		$this->rights[$r][5] = 'create';
 		$r++;
+		
+		$this->rights[$r][0] = 2413;
+		$this->rights[$r][1] = 'Modify actions/tasks of others';
+		$this->rights[$r][2] = 'w';
+		$this->rights[$r][3] = 0;
+		$this->rights[$r][4] = 'allactions';
+		$this->rights[$r][5] = 'modify';
+		$r++;
 
 		// Main menu entries
 		$this->menu = array();			// List of menus to add
diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang
index d8a7bf616d9..348a5e34f50 100644
--- a/htdocs/langs/en_US/admin.lang
+++ b/htdocs/langs/en_US/admin.lang
@@ -548,9 +548,11 @@ Permission1251=Run mass imports of external data into database (data load)
 Permission1321=Export customer invoices, attributes and payments
 Permission1421=Export customer orders and attributes
 Permission2401=Read actions (events or tasks) linked to his account
-Permission2402=Create/modify/delete actions (events or tasks) linked to his account
-Permission2403=Read actions (events or tasks) of others
-Permission2405=Create/modify/delete actions (events or tasks) of others
+Permission2402=Create/delete actions (events or tasks) linked to his account
+Permission2403=Modify actions (events or tasks) linked to his account
+Permission2411=Read actions (events or tasks) of others
+Permission2412=Create/delete actions (events or tasks) of others
+Permission2413=Modify actions (events or tasks) of others
 Permission2500=Read documents
 Permission2501=Submit or delete documents
 Permission2515=Setup documents directories
diff --git a/htdocs/langs/fr_FR/admin.lang b/htdocs/langs/fr_FR/admin.lang
index 887e826f3ae..839b30c5550 100644
--- a/htdocs/langs/fr_FR/admin.lang
+++ b/htdocs/langs/fr_FR/admin.lang
@@ -548,9 +548,11 @@ Permission1251 = Lancer des imports de masse dans la base (chargement de donnée
 Permission1321 = Exporter les factures clients, attributs et règlements
 Permission1421 = Exporter les commandes clients et attributs
 Permission2401 = Lire les actions (évènements ou tâches) liées à son compte
-Permission2402 = Creer/modifier/supprimer les actions (évènements ou tâches) liées à son compte
-Permission2403 = Lire les actions (évènements ou tâches) des autres
-Permission2405 = Creer/modifier/supprimer les actions (évènements ou tâches) pour les autres
+Permission2402 = Creer/supprimer les actions (évènements ou tâches) liées à son compte
+Permission2403 = Modifier les actions (évènements ou tâches) liées à son compte
+Permission2411 = Lire les actions (évènements ou tâches) des autres
+Permission2412 = Creer/supprimer les actions (évènements ou tâches) pour les autres
+Permission2413 = Modifier les actions (évènements ou tâches) pour les autres
 Permission2500 = Consulter les documents
 Permission2501 = Soumettre ou supprimer des documents
 Permission2515 = Administrer les rubriques de documents
-- 
GitLab