From 96416735dfb0ba68864b122b02683d2c39e77285 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 2 Jan 2013 18:43:59 +0100
Subject: [PATCH] Fix: [ bug #618 ] External accounts can access confidential
 informations (a lot)

---
 htdocs/adherents/card_subscriptions.php    |  2 +-
 htdocs/adherents/cotisations.php           |  4 +-
 htdocs/adherents/index.php                 |  4 +-
 htdocs/adherents/liste.php                 |  4 +-
 htdocs/adherents/stats/byproperties.php    |  7 +--
 htdocs/adherents/stats/geo.php             |  3 +-
 htdocs/adherents/stats/index.php           |  2 +
 htdocs/admin/modules.php                   | 11 ++--
 htdocs/admin/perms.php                     |  4 ++
 htdocs/comm/mailing/index.php              |  4 +-
 htdocs/comm/mailing/liste.php              | 10 +---
 htdocs/compta/deplacement/stats/index.php  |  6 +-
 htdocs/compta/journal/index.php            | 68 ----------------------
 htdocs/compta/journal/purchasesjournal.php |  9 ++-
 htdocs/compta/journal/sellsjournal.php     |  9 ++-
 htdocs/compta/resultat/bilan.php           |  6 +-
 htdocs/compta/resultat/clientfourn.php     |  4 +-
 htdocs/compta/resultat/compteres.php       | 15 +++--
 htdocs/compta/resultat/index.php           |  5 +-
 htdocs/compta/stats/cabyuser.php           |  7 ++-
 htdocs/compta/stats/casoc.php              |  6 +-
 htdocs/compta/stats/index.php              | 21 +++----
 htdocs/contrat/index.php                   |  2 +-
 htdocs/core/class/conf.class.php           |  7 ++-
 htdocs/core/lib/admin.lib.php              | 32 ++++++++++
 htdocs/core/lib/functions.lib.php          |  5 +-
 htdocs/core/lib/security.lib.php           | 19 ++++--
 htdocs/exports/index.php                   |  4 +-
 htdocs/imports/import.php                  |  1 -
 htdocs/langs/en_US/admin.lang              |  1 +
 htdocs/langs/fr_FR/admin.lang              |  1 +
 htdocs/product/stock/fiche-valo.php        |  2 +
 htdocs/product/stock/fiche.php             |  4 ++
 htdocs/product/stock/index.php             |  4 +-
 htdocs/product/stock/info.php              |  4 ++
 htdocs/product/stock/liste.php             |  4 +-
 htdocs/product/stock/mouvement.php         |  3 +-
 htdocs/product/stock/valo.php              |  4 +-
 htdocs/user/perms.php                      | 14 +++--
 39 files changed, 168 insertions(+), 154 deletions(-)
 delete mode 100755 htdocs/compta/journal/index.php

diff --git a/htdocs/adherents/card_subscriptions.php b/htdocs/adherents/card_subscriptions.php
index e13a5bbef61..568837befd2 100644
--- a/htdocs/adherents/card_subscriptions.php
+++ b/htdocs/adherents/card_subscriptions.php
@@ -46,7 +46,7 @@ $rowid=GETPOST('rowid','int');
 $typeid=GETPOST('typeid','int');
 
 // Security check
-$result=restrictedArea($user,'adherent',$rowid);
+$result=restrictedArea($user,'adherent',$rowid,'','cotisation');
 
 $object = new Adherent($db);
 $extrafields = new ExtraFields($db);
diff --git a/htdocs/adherents/cotisations.php b/htdocs/adherents/cotisations.php
index 1b4fabaf47e..dfba0935953 100644
--- a/htdocs/adherents/cotisations.php
+++ b/htdocs/adherents/cotisations.php
@@ -46,8 +46,8 @@ if (! $sortfield) {  $sortfield="c.dateadh"; }
 $msg='';
 $date_select=isset($_GET["date_select"])?$_GET["date_select"]:$_POST["date_select"];
 
-if (! $user->rights->adherent->cotisation->lire)
-accessforbidden();
+// Security check
+$result=restrictedArea($user,'adherent','','','cotisation');
 
 
 /*
diff --git a/htdocs/adherents/index.php b/htdocs/adherents/index.php
index 60d7243c5fd..af2676a7d31 100644
--- a/htdocs/adherents/index.php
+++ b/htdocs/adherents/index.php
@@ -28,10 +28,12 @@ require '../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/adherents/class/adherent.class.php';
 require_once DOL_DOCUMENT_ROOT.'/adherents/class/adherent_type.class.php';
 
-
 $langs->load("companies");
 $langs->load("members");
 
+// Security check
+$result=restrictedArea($user,'adherent');
+
 
 /*
  * View
diff --git a/htdocs/adherents/liste.php b/htdocs/adherents/liste.php
index 592881b2b72..5e26c9e35ab 100644
--- a/htdocs/adherents/liste.php
+++ b/htdocs/adherents/liste.php
@@ -31,6 +31,9 @@ require_once DOL_DOCUMENT_ROOT.'/adherents/class/adherent_type.class.php';
 $langs->load("members");
 $langs->load("companies");
 
+// Security check
+$result=restrictedArea($user,'adherent');
+
 $action=GETPOST("action");
 $filter=GETPOST("filter");
 $statut=GETPOST("statut");
@@ -70,7 +73,6 @@ if (GETPOST("button_removefilter"))
 }
 
 
-
 /*
  * View
  */
diff --git a/htdocs/adherents/stats/byproperties.php b/htdocs/adherents/stats/byproperties.php
index dcc25501d84..12732ecdc47 100755
--- a/htdocs/adherents/stats/byproperties.php
+++ b/htdocs/adherents/stats/byproperties.php
@@ -35,11 +35,10 @@ $mode=GETPOST('mode')?GETPOST('mode'):'';
 // Security check
 if ($user->societe_id > 0)
 {
-	$action = '';
-	$socid = $user->societe_id;
+    $action = '';
+    $socid = $user->societe_id;
 }
-if (! $user->rights->adherent->cotisation->lire)
-	accessforbidden();
+$result=restrictedArea($user,'adherent','','','cotisation');
 
 $year = strftime("%Y", time());
 $startyear=$year-2;
diff --git a/htdocs/adherents/stats/geo.php b/htdocs/adherents/stats/geo.php
index cdc731ecdca..d78ab4fe61f 100755
--- a/htdocs/adherents/stats/geo.php
+++ b/htdocs/adherents/stats/geo.php
@@ -37,8 +37,7 @@ if ($user->societe_id > 0)
     $action = '';
     $socid = $user->societe_id;
 }
-if (! $user->rights->adherent->cotisation->lire)
-accessforbidden();
+$result=restrictedArea($user,'adherent','','','cotisation');
 
 $year = strftime("%Y", time());
 $startyear=$year-2;
diff --git a/htdocs/adherents/stats/index.php b/htdocs/adherents/stats/index.php
index 0d5da2773f9..82dc17506e9 100644
--- a/htdocs/adherents/stats/index.php
+++ b/htdocs/adherents/stats/index.php
@@ -33,12 +33,14 @@ $HEIGHT=200;
 
 $userid=GETPOST('userid','int'); if ($userid < 0) $userid=0;
 $socid=GETPOST('socid','int'); if ($socid < 0) $socid=0;
+
 // Security check
 if ($user->societe_id > 0)
 {
     $action = '';
     $socid = $user->societe_id;
 }
+$result=restrictedArea($user,'adherent','','','cotisation');
 
 $year = strftime("%Y", time());
 $startyear=$year-2;
diff --git a/htdocs/admin/modules.php b/htdocs/admin/modules.php
index 7a83d625831..dd96c83e797 100644
--- a/htdocs/admin/modules.php
+++ b/htdocs/admin/modules.php
@@ -206,9 +206,8 @@ if ($mode==='expdev')      print $langs->trans("ModuleFamilyExperimental")."<br>
 $nbofactivatedmodules=count($conf->modules);
 print $langs->trans("TotalNumberOfActivatedModules",($nbofactivatedmodules-1));
 if ($nbofactivatedmodules <= 1) print ' '.img_warning($langs->trans("YouMustEnableOneModule"));
-print '<br>'."\n";
+print '<br>'."\n";
 
-print "<br>\n";
 
 $h = 0;
 
@@ -266,6 +265,11 @@ $head[$h][2] = 'marketplace';
 $h++;
 
 
+// Show warning about external users
+print showModulesExludedForExternal($modules).'<br>'."\n";
+print "<br>\n";
+
+
 dol_fiche_head($head, $mode, $langs->trans("Modules"));
 
 $var=true;
@@ -495,9 +499,6 @@ else
 
 dol_fiche_end();
 
-// Pour eviter bug mise en page IE
-print '<div class="tabsAction">';
-print '</div>';
 
 llxFooter();
 
diff --git a/htdocs/admin/perms.php b/htdocs/admin/perms.php
index d01c3421b6b..28627537977 100644
--- a/htdocs/admin/perms.php
+++ b/htdocs/admin/perms.php
@@ -68,8 +68,12 @@ print_fiche_titre($langs->trans("SecuritySetup"),'','setup');
 
 print $langs->trans("DefaultRightsDesc");
 print " ".$langs->trans("OnlyActiveElementsAreShown")."<br>\n";
+
+// Show warning about external users
+print showModulesExludedForExternal($modules).'<br>'."\n";
 print "<br>\n";
 
+
 $head=security_prepare_head();
 
 dol_fiche_head($head, 'default', $langs->trans("Security"));
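Review bot: `showModulesExludedForExternal($modules)` is called here and nothing in the hunk shows where `$modules` is populated; if this script builds that array only further down (or not at all), the function receives null, `foreach` emits a warning and the notice lists no modules. If the array is filled above the hunk this is fine; otherwise guard the call, e.g. `if (! empty($modules)) print showModulesExludedForExternal($modules).'<br>'."\n";`. The same call is added in admin/modules.php and user/perms.php and deserves the same check, and the positional `0, 1` in user/perms.php's `info_admin(..., 0, 1)` call would read better with a short comment naming the `$nodiv` flag.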
diff --git a/htdocs/comm/mailing/index.php b/htdocs/comm/mailing/index.php
index f19458c0f03..35896917b86 100644
--- a/htdocs/comm/mailing/index.php
+++ b/htdocs/comm/mailing/index.php
@@ -30,7 +30,9 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
 $langs->load("commercial");
 $langs->load("orders");
 
-if (! $user->rights->mailing->lire || $user->societe_id > 0) accessforbidden();
+
+// Security check
+$result=restrictedArea($user,'mailing');
 
 
 /*
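Review bot: The removed line denied every external user (`$user->societe_id > 0`) unconditionally, while the new `restrictedArea($user,'mailing')` excludes them only as long as 'mailing' is absent from `MAIN_MODULES_FOR_EXTERNAL` and that constant is non-empty (an empty value means all modules, per the default added in conf.class.php in this commit). An admin who clears that constant therefore reopens mass-mailing to external accounts that hold `mailing->lire`. If the page is meant to stay internal regardless of configuration, keep the explicit guard in front of the new call: `if ($user->societe_id > 0) accessforbidden();`. The same trade-off applies to comm/mailing/liste.php, compta/journal/purchasesjournal.php and sellsjournal.php, whose removed lines also denied external users outright.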
diff --git a/htdocs/comm/mailing/liste.php b/htdocs/comm/mailing/liste.php
index 3ad2198f3dd..549b621b763 100644
--- a/htdocs/comm/mailing/liste.php
+++ b/htdocs/comm/mailing/liste.php
@@ -27,14 +27,8 @@ require_once DOL_DOCUMENT_ROOT.'/comm/mailing/class/mailing.class.php';
 
 $langs->load("mails");
 
-if (!$user->rights->mailing->lire) accessforbidden();
-
-// Securite acces client
-if ($user->societe_id > 0)
-{
-	$action = '';
-	$socid = $user->societe_id;
-}
+// Security check
+$result=restrictedArea($user,'mailing');
 
 $sortfield = GETPOST("sortfield",'alpha');
 $sortorder = GETPOST("sortorder",'alpha');
diff --git a/htdocs/compta/deplacement/stats/index.php b/htdocs/compta/deplacement/stats/index.php
index 2ca118c47cf..e8e72eace88 100755
--- a/htdocs/compta/deplacement/stats/index.php
+++ b/htdocs/compta/deplacement/stats/index.php
@@ -34,12 +34,16 @@ $HEIGHT=200;
 
 $userid=GETPOST('userid','int'); if ($userid < 0) $userid=0;
 $socid=GETPOST('socid','int'); if ($socid < 0) $socid=0;
-// Securite acces client
+$id = GETPOST('id','int');
+
+// Security check
 if ($user->societe_id > 0)
 {
 	$action = '';
 	$socid = $user->societe_id;
 }
+if ($user->societe_id) $socid=$user->societe_id;
+$result = restrictedArea($user, 'deplacement', $id,'');
 
 $nowyear=strftime("%Y", dol_now());
 $year = GETPOST('year')>0?GETPOST('year'):$nowyear;
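Review bot: `if ($user->societe_id) $socid=$user->societe_id;` repeats the assignment that the `if ($user->societe_id > 0)` block immediately above already makes, so one of the two should go. The new `$id = GETPOST('id','int')` is read only to be passed as the object id to `restrictedArea()` with an empty `$dbtablename`; if this stats page never displays a single record, the sibling adherents/stats/index.php in this commit shows the simpler form without an object id, and a one-line comment would explain why `$id` is needed here if it is.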
diff --git a/htdocs/compta/journal/index.php b/htdocs/compta/journal/index.php
deleted file mode 100755
index 4b7e347204d..00000000000
--- a/htdocs/compta/journal/index.php
+++ /dev/null
@@ -1,68 +0,0 @@
-<?php
-/* Copyright (C) 2007-2010 Laurent Destailleur  <eldy@users.sourceforge.net>
- * Copyright (C) 2007-2010 Jean Heimburger  <jean@tiaris.info>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- */
-
-require '../../main.inc.php';
-
-
-$langs->load("companies");
-$langs->load("other");
-$langs->load("compta");
-
-// Protection if external user
-if ($user->societe_id > 0)
-{
-	accessforbidden();
-}
-
-
-/*******************************************************************
-* ACTIONS
-*
-* Put here all code to do according to value of "action" parameter
-********************************************************************/
-
-
-/***************************************************
-* PAGE
-*
-* Put here all code to build page
-****************************************************/
-
-llxHeader('','MyPageName','');
-
-$form=new Form($db);
-
-
-// Put here content of your page
-// ...
-
-/***************************************************
-* LINKED OBJECT BLOCK
-*
-* Put here code to view linked object
-****************************************************/
-/*
- 
-$somethingshown=$myobject->showLinkedObjectBlock();
-
-*/
-
-// End of page
-$db->close();
-llxFooter();
-?>
\ No newline at end of file
diff --git a/htdocs/compta/journal/purchasesjournal.php b/htdocs/compta/journal/purchasesjournal.php
index 826d40b00ec..529e70e550a 100755
--- a/htdocs/compta/journal/purchasesjournal.php
+++ b/htdocs/compta/journal/purchasesjournal.php
@@ -41,11 +41,10 @@ $date_endmonth=GETPOST('date_endmonth');
 $date_endday=GETPOST('date_endday');
 $date_endyear=GETPOST('date_endyear');
 
-// Protection if external user
-if ($user->societe_id > 0)
-	accessforbidden();
-
-$result = restrictedArea($user, 'societe&facture');
+// Security check
+if ($user->societe_id > 0) $socid = $user->societe_id;
+if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat');
+if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport');
 
 
 /*
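Review bot: When neither `$conf->comptabilite->enabled` nor `$conf->accounting->enabled` is set, the two guarded lines at the end of the hunk skip `restrictedArea()` entirely and the page renders with no permission check at all, whereas the removed lines always called `restrictedArea($user, 'societe&facture')`; unless something outside the hunk blocks pages of disabled modules, a fallthrough such as `if (empty($conf->comptabilite->enabled) && empty($conf->accounting->enabled)) accessforbidden();` after the two checks closes that gap. The same pair of conditional checks appears in sellsjournal.php, compta/resultat/bilan.php, clientfourn.php, compteres.php, resultat/index.php, compta/stats/cabyuser.php, casoc.php and compta/stats/index.php. Note also that when both modules are enabled both permissions are now required, while the removed `! lire && ! lire` form in the resultat and stats pages accepted either; if that tightening is intended, a comment saying so next to the checks would help.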
diff --git a/htdocs/compta/journal/sellsjournal.php b/htdocs/compta/journal/sellsjournal.php
index e90ae2ef7e7..df18c41a697 100755
--- a/htdocs/compta/journal/sellsjournal.php
+++ b/htdocs/compta/journal/sellsjournal.php
@@ -42,11 +42,10 @@ $date_endmonth=GETPOST('date_endmonth');
 $date_endday=GETPOST('date_endday');
 $date_endyear=GETPOST('date_endyear');
 
-// Protection if external user
-if ($user->societe_id > 0)
-	accessforbidden();
-
-$result = restrictedArea($user, 'societe&facture');
+// Security check
+if ($user->societe_id > 0) $socid = $user->societe_id;
+if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat');
+if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport');
 
 /*
  * Actions
diff --git a/htdocs/compta/resultat/bilan.php b/htdocs/compta/resultat/bilan.php
index fb8526d077c..524f10b79aa 100644
--- a/htdocs/compta/resultat/bilan.php
+++ b/htdocs/compta/resultat/bilan.php
@@ -25,7 +25,11 @@ require '../../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/compta/tva/class/tva.class.php';
 require_once DOL_DOCUMENT_ROOT.'/compta/sociales/class/chargesociales.class.php';
 
-if (!$user->rights->compta->resultat->lire) accessforbidden();
+// Security check
+$socid = GETPOST('socid','int');
+if ($user->societe_id > 0) $socid = $user->societe_id;
+if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat');
+if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport');
 
 
 /*
diff --git a/htdocs/compta/resultat/clientfourn.php b/htdocs/compta/resultat/clientfourn.php
index e4b9ddeadf8..2fa2d09a864 100644
--- a/htdocs/compta/resultat/clientfourn.php
+++ b/htdocs/compta/resultat/clientfourn.php
@@ -42,8 +42,8 @@ $date_endyear=GETPOST('date_endyear');
 // Security check
 $socid = GETPOST('socid','int');
 if ($user->societe_id > 0) $socid = $user->societe_id;
-if (! $user->rights->compta->resultat->lire && ! $user->rights->accounting->comptarapport->lire)
-	accessforbidden();
+if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat');
+if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport');
 
 // Date range
 $year=GETPOST("year");
diff --git a/htdocs/compta/resultat/compteres.php b/htdocs/compta/resultat/compteres.php
index 0e9a8db8595..74960f97de7 100644
--- a/htdocs/compta/resultat/compteres.php
+++ b/htdocs/compta/resultat/compteres.php
@@ -1,5 +1,5 @@
 <?php
-/* Copyright (C) 2004-2008 Laurent Destailleur  <eldy@users.sourceforge.net>
+/* Copyright (C) 2004-2012 Laurent Destailleur  <eldy@users.sourceforge.net>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -15,17 +15,22 @@
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  */
 
-
 require '../../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/compta/tva/class/tva.class.php';
 require_once DOL_DOCUMENT_ROOT.'/compta/sociales/class/chargesociales.class.php';
 
 
-if (!$user->rights->compta->resultat->lire) accessforbidden();
+// Security check
+$socid = GETPOST('socid','int');
+if ($user->societe_id > 0) $socid = $user->societe_id;
+if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat');
+if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport');
+
+
 
 /*
-*	Views
-*/
+ *	Views
+ */
 llxHeader();
 
 $year=$_GET["year"];
diff --git a/htdocs/compta/resultat/index.php b/htdocs/compta/resultat/index.php
index 9eb6016c585..4a100fe00dc 100644
--- a/htdocs/compta/resultat/index.php
+++ b/htdocs/compta/resultat/index.php
@@ -40,8 +40,9 @@ else {
 // Security check
 $socid = GETPOST('socid','int');
 if ($user->societe_id > 0) $socid = $user->societe_id;
-if (! $user->rights->compta->resultat->lire && ! $user->rights->accounting->comptarapport->lire)
-	accessforbidden();
+if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat');
+if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport');
+
 
 // Define modecompta ('CREANCES-DETTES' or 'RECETTES-DEPENSES')
 $modecompta=(GETPOST("modecompta")?GETPOST("modecompta"):$conf->global->COMPTA_MODE);
diff --git a/htdocs/compta/stats/cabyuser.php b/htdocs/compta/stats/cabyuser.php
index 1a01eba1c0e..4665c9b7758 100644
--- a/htdocs/compta/stats/cabyuser.php
+++ b/htdocs/compta/stats/cabyuser.php
@@ -27,11 +27,12 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/report.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/tax.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php';
 
+$socid = GETPOST('socid','int');
+
 // Security check
-$socid = isset($_REQUEST["socid"])?$_REQUEST["socid"]:'';
 if ($user->societe_id > 0) $socid = $user->societe_id;
-if (!$user->rights->compta->resultat->lire && !$user->rights->accounting->comptarapport->lire)
-accessforbidden();
+if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat');
+if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport');
 
 // Define modecompta ('CREANCES-DETTES' or 'RECETTES-DEPENSES')
 $modecompta = $conf->global->COMPTA_MODE;
diff --git a/htdocs/compta/stats/casoc.php b/htdocs/compta/stats/casoc.php
index 3e71698da1b..5a5c8211665 100644
--- a/htdocs/compta/stats/casoc.php
+++ b/htdocs/compta/stats/casoc.php
@@ -39,10 +39,12 @@ $sortfield=isset($_GET["sortfield"])?$_GET["sortfield"]:$_POST["sortfield"];
 if (! $sortorder) $sortorder="asc";
 if (! $sortfield) $sortfield="nom";
 
+$socid = GETPOST('socid','int');
+
 // Security check
-$socid = isset($_REQUEST["socid"])?$_REQUEST["socid"]:'';
 if ($user->societe_id > 0) $socid = $user->societe_id;
-if (!$user->rights->compta->resultat->lire && !$user->rights->accounting->comptarapport->lire) accessforbidden();
+if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat');
+if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport');
 
 // Date range
 $year=GETPOST("year");
diff --git a/htdocs/compta/stats/index.php b/htdocs/compta/stats/index.php
index c66b840fda0..699465c5c60 100644
--- a/htdocs/compta/stats/index.php
+++ b/htdocs/compta/stats/index.php
@@ -25,27 +25,28 @@
 require '../../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/report.lib.php';
 
-
 $year_start=GETPOST("year_start");
 $year_current = strftime("%Y",time());
 $nbofyear=4;
 if (! $year_start) {
-    $year_start = $year_current - ($nbofyear-1);
-    $year_end = $year_current;
+	$year_start = $year_current - ($nbofyear-1);
+	$year_end = $year_current;
 }
 else {
-    $year_end=$year_start + ($nbofyear-1);
+	$year_end=$year_start + ($nbofyear-1);
 }
-
 $userid=GETPOST('userid','int');
-$socid=GETPOST('socid','int');
+$socid = GETPOST('socid','int');
+// Define modecompta ('CREANCES-DETTES' or 'RECETTES-DEPENSES')
+$modecompta = $conf->global->COMPTA_MODE;
+if ($_GET["modecompta"]) $modecompta=$_GET["modecompta"];
+
 // Security check
 if ($user->societe_id > 0) $socid = $user->societe_id;
-if (!$user->rights->compta->resultat->lire && !$user->rights->accounting->comptarapport->lire) accessforbidden();
+if (! empty($conf->comptabilite->enabled)) $result=restrictedArea($user,'compta','','','resultat');
+if (! empty($conf->accounting->enabled)) $result=restrictedArea($user,'accounting','','','comptarapport');
+
 
-// Define modecompta ('CREANCES-DETTES' or 'RECETTES-DEPENSES')
-$modecompta = $conf->global->COMPTA_MODE;
-if ($_GET["modecompta"]) $modecompta=$_GET["modecompta"];
 
 
 /*
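Review bot: The `$modecompta` block moved up in this hunk still reads `$_GET["modecompta"]` directly, which raises a notice when the parameter is absent and bypasses the `GETPOST()` filtering that the two lines above it use for `userid` and `socid`; `$modecompta = GETPOST('modecompta','alpha') ? GETPOST('modecompta','alpha') : $conf->global->COMPTA_MODE;` matches the rest of the file. The hunk also re-indents the `$year_start`/`$year_end` lines from spaces to tabs, which is unrelated to the security change and makes the diff harder to review.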
diff --git a/htdocs/contrat/index.php b/htdocs/contrat/index.php
index a63e3f320e2..95d534609da 100644
--- a/htdocs/contrat/index.php
+++ b/htdocs/contrat/index.php
@@ -233,7 +233,7 @@ if (! empty($conf->contrat->enabled) && $user->rights->contrat->lire)
 	$sql.= " AND c.entity IN (".getEntity('contract').")";
 	$sql.= " AND c.statut = 0";
 	if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
-	if ($socid) $sql.= " AND s.fk_soc = ".$socid;
+	if ($socid) $sql.= " AND c.fk_soc = ".$socid;
 
 	$resql = $db->query($sql);
 
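Review bot: The corrected line still concatenates `$socid` into the SQL string, and nothing in this hunk shows whether that value was coerced to an integer upstream; casting at the point of use, `if ($socid) $sql.= " AND c.fk_soc = ".((int) $socid);`, keeps the statement well-formed regardless of how `$socid` was obtained. The neighbouring line interpolates `$user->id`, which comes from the session rather than the request, so the cast matters mainly for `$socid`. The enclosing `if` block starts and ends outside the hunk.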
diff --git a/htdocs/core/class/conf.class.php b/htdocs/core/class/conf.class.php
index cdef1458b2c..d131db5e89b 100644
--- a/htdocs/core/class/conf.class.php
+++ b/htdocs/core/class/conf.class.php
@@ -386,7 +386,7 @@ class Conf
 		$this->mailing->email_from=$this->email_from;
 		if (! empty($this->global->MAILING_EMAIL_FROM))	$this->mailing->email_from=$this->global->MAILING_EMAIL_FROM;
 
-        // Format for date (used by default when not found or searched in lang)
+        // Format for date (used by default when not found or not searched in lang)
         $this->format_date_short="%d/%m/%Y";            // Format of day with PHP/C tags (strftime functions)
         $this->format_date_short_java="dd/MM/yyyy";     // Format of day with Java tags
         $this->format_hour_short="%H:%M";
@@ -406,7 +406,10 @@ class Conf
 		if (! isset($this->global->MAIN_MAX_DECIMALS_SHOWN)) $this->global->MAIN_MAX_DECIMALS_SHOWN=8;
 
 		// Default max file size for upload
-		$this->maxfilesize = (! empty($this->global->MAIN_UPLOAD_DOC) ? $this->global->MAIN_UPLOAD_DOC * 1024 : 0);
+		$this->maxfilesize = (empty($this->global->MAIN_UPLOAD_DOC) ? 0 : $this->global->MAIN_UPLOAD_DOC * 1024);
+
+		// Define list of limited modules
+		if (! isset($this->global->MAIN_MODULES_FOR_EXTERNAL)) $this->global->MAIN_MODULES_FOR_EXTERNAL='facture,commande,contact,propal,projet,contrat,societe,ficheinter,expedition,agenda';	// '' means 'all'. Note that contact is added here as it should be a module later.
 
 		// Timeouts
         if (empty($this->global->MAIN_USE_CONNECT_TIMEOUT)) $this->global->MAIN_USE_CONNECT_TIMEOUT=10;
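Review bot: The inline comment on the new `MAIN_MODULES_FOR_EXTERNAL` default says `'' means 'all'` but not that the value is consumed by `restrictedArea()`, whose new check in this commit is skipped whenever the constant is empty, so an admin clearing the field removes the external-user module filter for every module; stating that consequence here, e.g. `// Consumed by restrictedArea(): an empty value disables the external-user module filter entirely`, makes the default easier to reason about. Because the default is applied with `isset()`, an empty value stored in the database is honoured as 'all' rather than replaced by the list, which is consistent with the comment but worth saying explicitly. The 200-character line would be easier to read with the explanation on its own comment line above the assignment.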
diff --git a/htdocs/core/lib/admin.lib.php b/htdocs/core/lib/admin.lib.php
index 21d32e2cbbe..a60c3c63946 100644
--- a/htdocs/core/lib/admin.lib.php
+++ b/htdocs/core/lib/admin.lib.php
@@ -1133,6 +1133,38 @@ function form_constantes($tableau)
     print '</table>';
 }
 
+
+/**
+ *	Show array with constants to edit
+ *
+ *	@param	array	$modules		Array of all modules
+ *	@return	string					HTML string with warning
+ */
+function showModulesExludedForExternal($modules)
+{
+	global $conf,$langs;
+
+	$text=$langs->trans("OnlyFollowingModulesAreOpenedToExternalUsers");
+	$listofmodules=explode(',',$conf->global->MAIN_MODULES_FOR_EXTERNAL);
+	$i=0;
+	foreach($modules as $module)
+	{
+		$moduleconst=$module->const_name;
+		$modulename=strtolower($module->name);
+		//print 'modulename='.$modulename;
+
+		//if (empty($conf->global->$moduleconst)) continue;
+		if (! in_array($modulename,$listofmodules)) continue;
+
+		if ($i > 0) $text.=', ';
+		else $text.=' ';
+		$i++;
+		$text.=$langs->trans($module->name);
+	}
+	return img_picto($langs->trans('InfoAdmin'), 'star').' '.$text;
+}
+
+
 /**
  *	Add document model used by doc generator
  *
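Review bot: The docblock on `showModulesExludedForExternal()` ("Show array with constants to edit") is copied from another function and does not describe it; something like `Return an info line listing the modules that external users may access, according to MAIN_MODULES_FOR_EXTERNAL` fits. When that constant is empty the loop appends nothing and the text still claims "only the following modules are opened", although `restrictedArea()` in this commit treats an empty value as no restriction, so an early `if (empty($conf->global->MAIN_MODULES_FOR_EXTERNAL)) return '';` (or a dedicated translation key) avoids a misleading notice. The list is matched here against `strtolower($module->name)` but in `restrictedArea()` against the `$features` string each page passes; where those two names differ for a module the warning and the enforcement will disagree, so a comment stating which key the constant is expected to hold would help. `$moduleconst` is assigned and never used, and `in_array()` should pass `true` as its third argument.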
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index f5fde411c8f..988493874e2 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -2040,9 +2040,10 @@ function img_phone($alt = 'default', $option = 0)
  *
  *	@param	string	$text			Text info
  *	@param  string	$infoonimgalt	Info is shown only on alt of star picto, otherwise it is show on output after the star picto
+ *	@param	int		$nodiv			No div
  *	@return	string					String with info text
  */
-function info_admin($text, $infoonimgalt = 0)
+function info_admin($text, $infoonimgalt = 0, $nodiv=0)
 {
 	global $conf, $langs;
 
@@ -2051,7 +2052,7 @@ function info_admin($text, $infoonimgalt = 0)
 		return img_picto($text, 'star');
 	}
 
-	return '<div class="info">'.img_picto($langs->trans('InfoAdmin'), 'star').' '.$text.'</div>';
+	return ($nodiv?'':'<div class="info">').img_picto($langs->trans('InfoAdmin'), 'star').' '.$text.($nodiv?'':'</div>');
 }
 
 
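Review bot: `@param int $nodiv No div` does not tell a caller what changes; `@param int $nodiv 1 to return the picto and text without the wrapping <div class="info"> (caller handles layout), 0 for the default` would. The return line evaluates `$nodiv` twice; building the content once, `$inner = img_picto($langs->trans('InfoAdmin'), 'star').' '.$text;` followed by `return $nodiv ? $inner : '<div class="info">'.$inner.'</div>';`, reads more clearly. `info_admin()` starts outside the hunk.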
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 17c9bf7e249..76920f1fb88 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -88,12 +88,12 @@ function dol_hash($chain,$type=0)
  * 	If GETPOST('action') defined, we also check write and delete permission.
  *
  *	@param	User	$user      	  	User to check
- *	@param  string	$features	    Features to check (in most cases, it's module name. Examples: 'societe', 'contact', 'produit|service', ...)
+ *	@param  string	$features	    Features to check (it must be module name. Examples: 'societe', 'contact', 'produit&service', ...)
  *	@param  int		$objectid      	Object ID if we want to check a particular record (optionnal) is linked to a owned thirdparty (optionnal).
- *	@param  string	$dbtablename    'TableName&SharedElement' with Tablename is table where object is stored, SharedElement is key to define where to check entity. Not used if objectid is null (optionnal)
+ *	@param  string	$dbtablename    'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optionnal key to define where to check entity. Not used if objectid is null (optionnal)
  *	@param  string	$feature2		Feature to check, second level of permission (optionnal)
- *  @param  string	$dbt_keyfield   Field name for socid foreign key if not fk_soc (optionnal)
- *  @param  string	$dbt_select     Field name for select if not rowid (optionnal)
+ *  @param  string	$dbt_keyfield   Field name for socid foreign key if not fk_soc. Not used if objectid is null (optionnal)
+ *  @param  string	$dbt_select     Field name for select if not rowid. Not used if objectid is null (optionnal)
  *  @param	Canvas	$objcanvas		Object canvas
  * 	@return	int						Always 1, die process if not allowed
  */
@@ -122,11 +122,18 @@ function restrictedArea($user, $features, $objectid=0, $dbtablename='', $feature
     $dbtablename=(! empty($params[0]) ? $params[0] : '');
     $sharedelement=(! empty($params[1]) ? $params[1] : '');
 
-    // Check read permission from module
-    // TODO Replace "feature" param into caller by first level of permission
+	$listofmodules=explode(',',$conf->global->MAIN_MODULES_FOR_EXTERNAL);
+
+	// Check read permission from module
     $readok=1;
     foreach ($features as $feature)
     {
+    	if (! empty($user->societe_id) && ! empty($conf->global->MAIN_MODULES_FOR_EXTERNAL) && ! in_array($feature,$listofmodules))	// If limits on modules for external users, module must be into list of modules for external users
+    	{
+    		$readok=0;
+    		continue;
+    	}
+
         if ($feature == 'societe')
         {
             if (! $user->rights->societe->lire && ! $user->rights->fournisseur->lire) $readok=0;
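Review bot: The new allow-list test uses `in_array($feature,$listofmodules)` without strict comparison and on entries that are never trimmed, so a constant edited by an admin to `facture, commande` would silently exclude `commande`; `$listofmodules=array_map('trim',explode(',',$conf->global->MAIN_MODULES_FOR_EXTERNAL));` and `! in_array($feature,$listofmodules,true)` harden it. The filter is also only as complete as the set of pages that call `restrictedArea()`, which is why this commit has to add the call to so many scripts; a comment above the loop such as `// External-user module filtering relies on every page routing through restrictedArea()` makes that dependency explicit for future maintainers. The two added lines use tabs where the surrounding function uses four spaces. `restrictedArea()` starts and ends outside the hunk.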
diff --git a/htdocs/exports/index.php b/htdocs/exports/index.php
index b4dcbd6cd9c..a0501a3418e 100644
--- a/htdocs/exports/index.php
+++ b/htdocs/exports/index.php
@@ -26,7 +26,9 @@ require_once DOL_DOCUMENT_ROOT.'/exports/class/export.class.php';
 
 $langs->load("exports");
 
-if (! $user->rights->export->lire) accessforbidden();
+
+// Security check
+$result=restrictedArea($user,'export');
 
 
 
diff --git a/htdocs/imports/import.php b/htdocs/imports/import.php
index ad0369299e8..d70f63cebd7 100644
--- a/htdocs/imports/import.php
+++ b/htdocs/imports/import.php
@@ -36,7 +36,6 @@ $langs->load("exports");
 $langs->load("errors");
 
 // Security check
-if (! empty($user->societe_id)) $socid=$user->societe_id;
 $result=restrictedArea($user, 'import');
 
 $entitytoicon=array(
diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang
index 89d200d7731..4ec24bb0232 100644
--- a/htdocs/langs/en_US/admin.lang
+++ b/htdocs/langs/en_US/admin.lang
@@ -929,6 +929,7 @@ TotalNumberOfActivatedModules=Total number of activated feature modules: <b>%s</
 YouMustEnableOneModule=You must at least enable 1 module
 ClassNotFoundIntoPathWarning=Class %s not found into PHP path
 YesInSummer=Yes in summer
+OnlyFollowingModulesAreOpenedToExternalUsers=Note, only following modules are opened to external users( whatever are permission of such users):
 
 ##### Module password generation
 PasswordGenerationStandard=Return a password generated according to internal Dolibarr algorithm: 8 characters containing shared numbers and characters in lowercase.
diff --git a/htdocs/langs/fr_FR/admin.lang b/htdocs/langs/fr_FR/admin.lang
index cedc06496d9..adb0a063d5d 100644
--- a/htdocs/langs/fr_FR/admin.lang
+++ b/htdocs/langs/fr_FR/admin.lang
@@ -936,6 +936,7 @@ TranslationSetup=Translation setup
 TranslationDesc=Le choix de la langue affichée à l'écran se modifie:<br>* Soit de manière globale depuis le menu <strong>Accueil - Configuration - Affichage</strong><br>* Soit de manière spécifique à l'utilisateur depuis l'onglet <strong>Interface utilisateur</strong> de sa fiche utilisateur (cliquer sur le login en haut de l'écran). 
 ClassNotFoundIntoPathWarning=La class %s n'a pas été trouvée dans le path PHP
 YesInSummer=Oui en été
+OnlyFollowingModulesAreOpenedToExternalUsers=Remarque, seuls les modules suivants sont ouverts aux utilisateurs externes (quelquesoit les permissions de ces utilisateurs):
 
 ##### Module password generation= undefined
 PasswordGenerationStandard= Renvoie un mot de passe généré selon algorithme interne Dolibarr: 8 caractères, chiffres et caractères en minuscules mélangés.
diff --git a/htdocs/product/stock/fiche-valo.php b/htdocs/product/stock/fiche-valo.php
index ef79496af20..976df224365 100644
--- a/htdocs/product/stock/fiche-valo.php
+++ b/htdocs/product/stock/fiche-valo.php
@@ -31,6 +31,8 @@ $langs->load("stocks");
 $langs->load("companies");
 $mesg = '';
 
+// Security check
+$result=restrictedArea($user,'stock');
 
 
 /*
diff --git a/htdocs/product/stock/fiche.php b/htdocs/product/stock/fiche.php
index 2102de86d25..fbf597aee34 100644
--- a/htdocs/product/stock/fiche.php
+++ b/htdocs/product/stock/fiche.php
@@ -44,6 +44,10 @@ if (! $sortorder) $sortorder="DESC";
 
 $mesg = '';
 
+// Security check
+$result=restrictedArea($user,'stock');
+
+
 
 /*
  * Actions
diff --git a/htdocs/product/stock/index.php b/htdocs/product/stock/index.php
index 9e65a8d41db..76732b5ac07 100644
--- a/htdocs/product/stock/index.php
+++ b/htdocs/product/stock/index.php
@@ -29,8 +29,8 @@ require_once DOL_DOCUMENT_ROOT.'/product/stock/class/entrepot.class.php';
 
 $langs->load("stocks");
 
-if (!$user->rights->stock->lire)
-  accessforbidden();
+// Security check
+$result=restrictedArea($user,'stock');
 
 
 /*
diff --git a/htdocs/product/stock/info.php b/htdocs/product/stock/info.php
index 46e13daee1f..0dc4938ab2f 100644
--- a/htdocs/product/stock/info.php
+++ b/htdocs/product/stock/info.php
@@ -28,6 +28,10 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/stock.lib.php';
 
 $langs->load("stocks");
 
+// Security check
+$result=restrictedArea($user,'stock');
+
+
 /*
  * View
  */
diff --git a/htdocs/product/stock/liste.php b/htdocs/product/stock/liste.php
index 29402b26066..b571f5bb3ff 100644
--- a/htdocs/product/stock/liste.php
+++ b/htdocs/product/stock/liste.php
@@ -28,8 +28,8 @@ require_once DOL_DOCUMENT_ROOT.'/product/stock/class/entrepot.class.php';
 
 $langs->load("stocks");
 
-if (!$user->rights->stock->lire)
-  accessforbidden();
+// Security check
+$result=restrictedArea($user,'stock');
 
 $sref=isset($_GET["sref"])?$_GET["sref"]:$_POST["sref"];
 $snom=isset($_GET["snom"])?$_GET["snom"]:$_POST["snom"];
diff --git a/htdocs/product/stock/mouvement.php b/htdocs/product/stock/mouvement.php
index 172f2211947..22c2d1baea6 100644
--- a/htdocs/product/stock/mouvement.php
+++ b/htdocs/product/stock/mouvement.php
@@ -35,7 +35,8 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php';
 $langs->load("products");
 $langs->load("stocks");
 
-if (!$user->rights->produit->lire) accessforbidden();
+// Security check
+$result=restrictedArea($user,'stock');
 
 $id=GETPOST('id','int');
 $product_id=GETPOST("product_id");
diff --git a/htdocs/product/stock/valo.php b/htdocs/product/stock/valo.php
index c6631ad078e..5addef0fbb7 100644
--- a/htdocs/product/stock/valo.php
+++ b/htdocs/product/stock/valo.php
@@ -28,8 +28,8 @@ require_once DOL_DOCUMENT_ROOT.'/product/stock/class/entrepot.class.php';
 
 $langs->load("stocks");
 
-if (!$user->rights->stock->lire)
-accessforbidden();
+// Security check
+$result=restrictedArea($user,'stock');
 
 $sref=isset($_GET["sref"])?$_GET["sref"]:$_POST["sref"];
 $snom=isset($_GET["snom"])?$_GET["snom"]:$_POST["snom"];
diff --git a/htdocs/user/perms.php b/htdocs/user/perms.php
index 32de5b9d73c..15e6bd24801 100644
--- a/htdocs/user/perms.php
+++ b/htdocs/user/perms.php
@@ -27,7 +27,8 @@
 
 require '../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/usergroups.lib.php';
-require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
+require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
+require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php';
 
 $langs->load("users");
 $langs->load("admin");
@@ -253,19 +254,22 @@ print $form->showrefnav($fuser,'id','',$user->rights->user->user->lire || $user-
 print '</td>';
 print '</tr>'."\n";
 
-// Nom
+// Lastname
 print '<tr><td width="25%" valign="top">'.$langs->trans("Lastname").'</td>';
 print '<td>'.$fuser->nom.'</td>';
 print '</tr>'."\n";
 
-// Prenom
+// Firstname
 print '<tr><td width="25%" valign="top">'.$langs->trans("Firstname").'</td>';
 print '<td>'.$fuser->prenom.'</td>';
 print '</tr>'."\n";
 
 print '</table><br>';
 
-if ($user->admin) print info_admin($langs->trans("WarningOnlyPermissionOfActivatedModules"));
+if ($user->admin) print info_admin($langs->trans("WarningOnlyPermissionOfActivatedModules"), 0, 1).'<br>';
+// Show warning about external users
+print showModulesExludedForExternal($modules).'<br>'."\n";
+print "<br>\n";
 
 // For multicompany transversal mode
 if (! empty($conf->multicompany->enabled) && ! empty($conf->multicompany->transverse_mode))
@@ -366,7 +370,7 @@ if ($result)
         	print img_picto($langs->trans("Active"),'tick');
         	print '</td>';
         }
-        
+
         else if (is_array($permsgroupbyentity[$entity]))
         {
 	        if (in_array($obj->id, $permsgroupbyentity[$entity]))	// Permission own by group
-- 
GitLab