Commit 860611c1 authored by Regis Houssin's avatar Regis Houssin

Works on enhancement of project tasks

Fix: security check
parent 5b661dba
...@@ -38,7 +38,7 @@ $taskid = isset($_GET["id"])?$_GET["id"]:''; ...@@ -38,7 +38,7 @@ $taskid = isset($_GET["id"])?$_GET["id"]:'';
// Security check // Security check
if ($user->societe_id) $socid=$user->societe_id; if ($user->societe_id) $socid=$user->societe_id;
//$result = restrictedArea($user, 'projet', $taskid, 'projet_task'); //$result = restrictedArea($user, 'projet', $taskid, 'projet_task');
if (!$user->rights->projet->task->lire) accessforbidden(); if (!$user->rights->projet->lire) accessforbidden();
/* /*
...@@ -46,7 +46,7 @@ if (!$user->rights->projet->task->lire) accessforbidden(); ...@@ -46,7 +46,7 @@ if (!$user->rights->projet->task->lire) accessforbidden();
*/ */
// Add new contact // Add new contact
if ($_POST["action"] == 'addcontact' && $user->rights->projet->task->creer) if ($_POST["action"] == 'addcontact' && $user->rights->projet->creer)
{ {
$result = 0; $result = 0;
...@@ -77,7 +77,7 @@ if ($_POST["action"] == 'addcontact' && $user->rights->projet->task->creer) ...@@ -77,7 +77,7 @@ if ($_POST["action"] == 'addcontact' && $user->rights->projet->task->creer)
} }
} }
// modification d'un contact. On enregistre le type // modification d'un contact. On enregistre le type
if ($_POST["action"] == 'updateline' && $user->rights->projet->task->creer) if ($_POST["action"] == 'updateline' && $user->rights->projet->creer)
{ {
$task = new Task($db); $task = new Task($db);
if ($task->fetch($taskid)) if ($task->fetch($taskid))
...@@ -103,7 +103,7 @@ if ($_POST["action"] == 'updateline' && $user->rights->projet->task->creer) ...@@ -103,7 +103,7 @@ if ($_POST["action"] == 'updateline' && $user->rights->projet->task->creer)
} }
// bascule du statut d'un contact // bascule du statut d'un contact
if ($_GET["action"] == 'swapstatut' && $user->rights->projet->task->creer) if ($_GET["action"] == 'swapstatut' && $user->rights->projet->creer)
{ {
$task = new Task($db); $task = new Task($db);
if ($task->fetch($taskid)) if ($task->fetch($taskid))
...@@ -129,7 +129,7 @@ if ($_GET["action"] == 'swapstatut' && $user->rights->projet->task->creer) ...@@ -129,7 +129,7 @@ if ($_GET["action"] == 'swapstatut' && $user->rights->projet->task->creer)
} }
// Efface un contact // Efface un contact
if ($_GET["action"] == 'deleteline' && $user->rights->projet->task->creer) if ($_GET["action"] == 'deleteline' && $user->rights->projet->creer)
{ {
$task = new Task($db); $task = new Task($db);
$task->fetch($taskid); $task->fetch($taskid);
...@@ -221,7 +221,7 @@ if ($id > 0 || ! empty($ref)) ...@@ -221,7 +221,7 @@ if ($id > 0 || ! empty($ref))
* Ajouter une ligne de contact * Ajouter une ligne de contact
* Non affiche en mode modification de ligne * Non affiche en mode modification de ligne
*/ */
if ($_GET["action"] != 'editline' && $user->rights->projet->task->creer) if ($_GET["action"] != 'editline' && $user->rights->projet->creer)
{ {
print '<tr class="liste_titre">'; print '<tr class="liste_titre">';
print '<td>'.$langs->trans("Source").'</td>'; print '<td>'.$langs->trans("Source").'</td>';
...@@ -377,7 +377,7 @@ if ($id > 0 || ! empty($ref)) ...@@ -377,7 +377,7 @@ if ($id > 0 || ! empty($ref))
// Icon update et delete // Icon update et delete
print '<td align="center" nowrap>'; print '<td align="center" nowrap>';
if ($user->rights->projet->task->creer) if ($user->rights->projet->creer)
{ {
print '&nbsp;'; print '&nbsp;';
print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$task->id.'&amp;action=deleteline&amp;lineid='.$tab[$i]['rowid'].'">'; print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$task->id.'&amp;action=deleteline&amp;lineid='.$tab[$i]['rowid'].'">';
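Review bot: The renamed right at `if (!$user->rights->projet->lire) accessforbidden();` is still only a module-level check: the object-level `restrictedArea(...)` call on the line above stays commented out, so the `$socid` assigned from `$user->societe_id` is never used to confine an external user to tasks of their own projects, and `$taskid` taken from `$_GET["id"]` reaches `Task->fetch()` in the later hunks without any ownership check. The same gap is in the hunks at `@@ -33,7 +33,7 @@` (restrictedArea commented out, with its own TODO) and `@@ -28,7 +28,7 @@`, and in `@@ -32,13 +32,13 @@`, which has no restrictedArea line at all. If the object-level check cannot be restored in this commit, a comment such as `// TODO: re-enable restrictedArea(); rights->projet->lire alone does not limit which tasks an external user (societe_id) can read` next to each check would at least keep the gap visible. Note also that `deleteline` and `swapstatut` are triggered from `$_GET["action"]` and the delete link at the end of the section is a plain `?id=...&action=deleteline&lineid=...` URL, so these state changes happen from a GET without the POST-plus-token pattern the edit form in the `@@ -125,7 +125,7 @@` hunk uses; whether any token is verified for them is not visible here.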
......
...@@ -125,7 +125,7 @@ if ($id > 0 || ! empty($ref)) ...@@ -125,7 +125,7 @@ if ($id > 0 || ! empty($ref))
$userAccess = $project->restrictedProjectArea($user); $userAccess = $project->restrictedProjectArea($user);
} }
if ($_GET["action"] == 'create' && $user->rights->projet->task->creer && (empty($project->societe->id) || $userAccess)) if ($_GET["action"] == 'create' && $user->rights->projet->creer && (empty($project->societe->id) || $userAccess))
{ {
print_fiche_titre($langs->trans("NewTask")); print_fiche_titre($langs->trans("NewTask"));
...@@ -238,7 +238,7 @@ else ...@@ -238,7 +238,7 @@ else
*/ */
print '<div class="tabsAction">'; print '<div class="tabsAction">';
if ($user->rights->projet->task->creer) if ($user->rights->projet->creer)
{ {
if ($userAccess) if ($userAccess)
{ {
......
...@@ -92,7 +92,7 @@ print '</div>'; ...@@ -92,7 +92,7 @@ print '</div>';
/* /*
* Actions * Actions
*/ */
if ($user->rights->projet->task->creer) if ($user->rights->projet->creer)
{ {
print '<div class="tabsAction">'; print '<div class="tabsAction">';
print '<a class="butAction" href="'.DOL_URL_ROOT.'/projet/tasks/fiche.php?action=create">'.$langs->trans('AddTask').'</a>'; print '<a class="butAction" href="'.DOL_URL_ROOT.'/projet/tasks/fiche.php?action=create">'.$langs->trans('AddTask').'</a>';
......
...@@ -33,7 +33,7 @@ $id = isset($_GET["id"])?$_GET["id"]:''; ...@@ -33,7 +33,7 @@ $id = isset($_GET["id"])?$_GET["id"]:'';
// Security check // Security check
if ($user->societe_id) $socid=$user->societe_id; if ($user->societe_id) $socid=$user->societe_id;
if (!$user->rights->projet->task->lire) accessforbidden(); if (!$user->rights->projet->lire) accessforbidden();
//$result = restrictedArea($user, 'projet', $id, '', 'task'); // TODO ameliorer la verification //$result = restrictedArea($user, 'projet', $id, '', 'task'); // TODO ameliorer la verification
...@@ -42,7 +42,7 @@ if (!$user->rights->projet->task->lire) accessforbidden(); ...@@ -42,7 +42,7 @@ if (!$user->rights->projet->task->lire) accessforbidden();
/* Actions */ /* Actions */
/******************************************************************************/ /******************************************************************************/
if ($_POST["action"] == 'update_public' && $user->rights->projet->task->creer) if ($_POST["action"] == 'update_public' && $user->rights->projet->creer)
{ {
$task = new Task($db); $task = new Task($db);
$task->fetch($_GET['id']); $task->fetch($_GET['id']);
...@@ -61,7 +61,7 @@ if ($_POST["action"] == 'update_public' && $user->rights->projet->task->creer) ...@@ -61,7 +61,7 @@ if ($_POST["action"] == 'update_public' && $user->rights->projet->task->creer)
} }
} }
if ($_POST['action'] == 'update_private' && $user->rights->projet->task->creer) if ($_POST['action'] == 'update_private' && $user->rights->projet->creer)
{ {
$task = new Task($db); $task = new Task($db);
$task->fetch($_GET['id']); $task->fetch($_GET['id']);
...@@ -198,7 +198,7 @@ if ($id > 0 || ! empty($ref)) ...@@ -198,7 +198,7 @@ if ($id > 0 || ! empty($ref))
*/ */
print '<div class="tabsAction">'; print '<div class="tabsAction">';
if ($user->rights->projet->task->creer && $_GET['action'] <> 'edit') if ($user->rights->projet->creer && $_GET['action'] <> 'edit')
{ {
if ($userAccess) if ($userAccess)
{ {
......
...@@ -32,13 +32,13 @@ require_once(DOL_DOCUMENT_ROOT."/html.formother.class.php"); ...@@ -32,13 +32,13 @@ require_once(DOL_DOCUMENT_ROOT."/html.formother.class.php");
$taskid = (isset($_GET["id"])?$_GET["id"]:(isset($_POST["id"])?$_POST["id"]:'')); $taskid = (isset($_GET["id"])?$_GET["id"]:(isset($_POST["id"])?$_POST["id"]:''));
$taskref = (isset($_GET["ref"])?$_GET["ref"]:''); $taskref = (isset($_GET["ref"])?$_GET["ref"]:'');
if (!$user->rights->projet->task->lire) accessforbidden(); if (!$user->rights->projet->lire) accessforbidden();
/* /*
* Actions * Actions
*/ */
if ($_POST["action"] == 'update' && ! $_POST["cancel"] && $user->rights->projet->task->creer) if ($_POST["action"] == 'update' && ! $_POST["cancel"] && $user->rights->projet->creer)
{ {
$error=0; $error=0;
...@@ -74,7 +74,7 @@ if ($_POST["action"] == 'update' && ! $_POST["cancel"] && $user->rights->projet- ...@@ -74,7 +74,7 @@ if ($_POST["action"] == 'update' && ! $_POST["cancel"] && $user->rights->projet-
} }
} }
if ($_POST["action"] == 'confirm_delete' && $_POST["confirm"] == "yes" && $user->rights->projet->task->creer) if ($_POST["action"] == 'confirm_delete' && $_POST["confirm"] == "yes" && $user->rights->projet->creer)
{ {
$task = new Task($db); $task = new Task($db);
if ($task->fetch($_GET["id"]) >= 0 ) if ($task->fetch($_GET["id"]) >= 0 )
...@@ -125,7 +125,7 @@ if ($taskid) ...@@ -125,7 +125,7 @@ if ($taskid)
dol_fiche_head($head, 'task', $langs->trans("Task"),0,'projecttask'); dol_fiche_head($head, 'task', $langs->trans("Task"),0,'projecttask');
if ($_GET["action"] == 'edit' && $user->rights->projet->task->creer) if ($_GET["action"] == 'edit' && $user->rights->projet->creer)
{ {
print '<form method="POST" action="'.$_SERVER["PHP_SELF"].'">'; print '<form method="POST" action="'.$_SERVER["PHP_SELF"].'">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">'; print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
...@@ -252,7 +252,7 @@ if ($taskid) ...@@ -252,7 +252,7 @@ if ($taskid)
print '<div class="tabsAction">'; print '<div class="tabsAction">';
// Modify // Modify
if ($user->rights->projet->task->creer) if ($user->rights->projet->creer)
{ {
print '<a class="butAction" href="'.$_SERVER['PHP_SELF'].'?id='.$task->id.'&amp;action=edit">'.$langs->trans('Modify').'</a>'; print '<a class="butAction" href="'.$_SERVER['PHP_SELF'].'?id='.$task->id.'&amp;action=edit">'.$langs->trans('Modify').'</a>';
} }
...@@ -262,7 +262,7 @@ if ($taskid) ...@@ -262,7 +262,7 @@ if ($taskid)
} }
// Delete // Delete
if ($user->rights->projet->task->supprimer) if ($user->rights->projet->supprimer)
{ {
print '<a class="butActionDelete" href="'.$_SERVER['PHP_SELF'].'?id='.$task->id.'&amp;action=delete">'.$langs->trans('Delete').'</a>'; print '<a class="butActionDelete" href="'.$_SERVER['PHP_SELF'].'?id='.$task->id.'&amp;action=delete">'.$langs->trans('Delete').'</a>';
} }
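Review bot: The `confirm_delete` handler at `if ($_POST["action"] == 'confirm_delete' && $_POST["confirm"] == "yes" && $user->rights->projet->creer)` is gated on the `creer` right, while the Delete button in the `@@ -262,7 +262,7 @@` hunk is shown only with `$user->rights->projet->supprimer`; a user holding `creer` but not `supprimer` gets no button yet can still submit the confirmation and delete the task. The two should use the same right: `if ($_POST["action"] == 'confirm_delete' && $_POST["confirm"] == "yes" && $user->rights->projet->supprimer)`. The handler also fetches `$_GET["id"]` although `$taskid` at the top of the `@@ -32,13 +32,13 @@` hunk already merges the GET and POST id, so `$task->fetch($taskid)` would be the consistent form and would avoid acting on a different id than the one the request was validated with. The edit form in the `@@ -125,7 +125,7 @@` hunk emits a `token` hidden field; whether the `update` and `confirm_delete` handlers check it is outside the visible lines.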
......
...@@ -28,7 +28,7 @@ ...@@ -28,7 +28,7 @@
require("./pre.inc.php"); require("./pre.inc.php");
require_once(DOL_DOCUMENT_ROOT."/lib/project.lib.php"); require_once(DOL_DOCUMENT_ROOT."/lib/project.lib.php");
if (!$user->rights->projet->task->lire) accessforbidden(); if (!$user->rights->projet->lire) accessforbidden();
/* /*
* Actions * Actions
......